mustflow 2.39.1 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/verify.js +3 -1
  4. package/dist/cli/lib/git-changes.js +11 -1
  5. package/dist/cli/lib/i18n.js +1 -1
  6. package/dist/cli/lib/local-index/index.js +8 -4
  7. package/dist/cli/lib/local-index/populate.js +17 -3
  8. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  9. package/dist/cli/lib/local-index/search-text.js +2 -2
  10. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  11. package/dist/cli/lib/mustflow-read.js +14 -2
  12. package/dist/cli/lib/repo-map.js +16 -3
  13. package/dist/cli/lib/templates.js +8 -7
  14. package/dist/cli/lib/validation/constants.js +1 -1
  15. package/dist/core/active-run-locks.js +78 -20
  16. package/dist/core/change-classification.js +4 -0
  17. package/dist/core/command-contract-rules.js +1 -1
  18. package/dist/core/command-contract-validation.js +1 -1
  19. package/dist/core/command-cwd.js +13 -2
  20. package/dist/core/command-effects.js +22 -4
  21. package/dist/core/command-env.js +8 -6
  22. package/dist/core/command-preconditions.js +28 -2
  23. package/dist/core/completion-verdict.js +1 -1
  24. package/dist/core/line-endings.js +8 -4
  25. package/dist/core/safe-filesystem.js +9 -1
  26. package/dist/core/source-anchor-validation.js +7 -1
  27. package/dist/core/source-anchors.js +8 -2
  28. package/dist/core/verification-scheduler.js +8 -2
  29. package/package.json +1 -1
  30. package/templates/default/i18n.toml +330 -1
  31. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  32. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  33. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  34. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  35. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  36. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  37. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  38. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  39. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  40. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  41. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  42. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  43. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  44. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  45. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  46. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  47. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  48. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  49. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  51. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  52. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  53. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  54. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  55. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  57. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  58. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  59. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  60. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  61. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  62. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  65. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  66. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  67. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  68. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  69. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  70. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  74. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  75. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  76. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  77. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  78. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  79. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  80. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  81. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  83. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  84. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  85. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  86. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  87. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  88. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  89. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  90. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  91. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  92. package/templates/default/manifest.toml +386 -1
@@ -0,0 +1,291 @@
1
+ ---
2
+ mustflow_doc: skill.cache-integrity-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: cache-integrity-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, hit/miss observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.cache-integrity-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Cache Integrity Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review cache changes as truth and failure-boundary changes, not only as speed changes.
33
+
34
+ A cache is a second truth store. The review question is not only "did the second request get faster?"
35
+ It is "which value can be wrong, who can see it, how long can it survive, how quietly can it spread,
36
+ and what happens to the source system when the cache misses or fails?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Code creates, changes, reviews, or reports cache keys, cache reads, cache writes, cache invalidation,
42
+ cache TTLs, Redis or Memcached use, local in-memory caches, CDN or HTTP cache headers, cache tags,
43
+ cache warming, cache fallback, negative caching, stale-while-revalidate, request coalescing, or
44
+ cache observability.
45
+ - A route, worker, query, permission check, feature flag, entitlement, inventory value, search result,
46
+ listing, feed, recommendation, API response, rendered page, generated artifact, or provider response
47
+ is cached.
48
+ - Cache behavior can vary by tenant, actor, login state, membership tier, country, language, locale,
49
+ A/B test, feature flag, adult verification, inventory policy, authorization, subscription, or
50
+ request headers.
51
+ - A review or final report claims that caching is safe, fast, resilient, correct, isolated, warmed,
52
+ invalidated, observable, or harmless under deploy, rollback, source failure, Redis failure, or
53
+ concurrent updates.
54
+
55
+ <!-- mustflow-section: do-not-use-when -->
56
+ ## Do Not Use When
57
+
58
+ - The only concern is ordinary repeated work with no stale data, authority, invalidation, permission,
59
+ tenant, source-protection, or cache-failure risk; use `hot-path-performance-review`.
60
+ - The only concern is object lifetime, cache size, eviction cleanup, or retained memory without data
61
+ correctness or source-protection risk; use `memory-lifetime-review`.
62
+ - The only concern is HTTP streaming, compression, proxy buffering, or delivery transport behavior;
63
+ use `http-delivery-streaming` first and this skill only for cache reuse correctness.
64
+ - The task is a broad performance budget, profiling, benchmark, or load-test design; use
65
+ `performance-budget-check` first and this skill for cache integrity boundaries.
66
+
67
+ <!-- mustflow-section: required-inputs -->
68
+ ## Required Inputs
69
+
70
+ - Cache surface: local memory, process L1, external L2, Redis, Memcached, CDN, browser cache, HTTP
71
+ cache, ORM query cache, generated state, read model, or framework cache.
72
+ - Source of truth: database, provider, file, auth service, entitlement system, inventory source,
73
+ canonical event stream, generated artifact, or other owner.
74
+ - Cached value shape: detail item, list, page, search result, permission decision, session, rate
75
+ limit, inventory, feature flag, API response, rendered HTML, or derived aggregate.
76
+ - Key dimensions: tenant, actor, viewer context, login state, membership tier, country, language,
77
+ locale, A/B test, feature flag, adult verification, inventory policy, authorization state, headers,
78
+ query parameters, schema version, and value version.
79
+ - Freshness contract: change frequency, stale tolerance, soft TTL, hard TTL, invalidation trigger,
80
+ source protection need, and deploy or rollback compatibility.
81
+ - Failure and concurrency contract: miss behavior, concurrent miss behavior, source timeout, Redis
82
+ failure, source failure, negative cache policy, update race behavior, invalidation ordering, and
83
+ stale serve policy.
84
+ - Observability evidence: hit and miss metrics, miss cost, value size, key count, eviction, expiry,
85
+ tenant or endpoint breakdown, status-code breakdown, source query time, source call count, and set
86
+ success.
87
+ - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
88
+ validation.
89
+
90
+ <!-- mustflow-section: preconditions -->
91
+ ## Preconditions
92
+
93
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
94
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current
95
+ scope.
96
+ - Required inputs are available, or missing cache authority, key, TTL, invalidation, fallback,
97
+ observability, or test evidence can be reported without guessing.
98
+ - If cache behavior affects authentication, authorization, personal data, tenant separation, sessions,
99
+ entitlement, payment, inventory, or admin operations, also use the relevant security, auth, backend,
100
+ database, or failure-integrity skill.
101
+
102
+ <!-- mustflow-section: allowed-edits -->
103
+ ## Allowed Edits
104
+
105
+ - Add or tighten cache key construction, query normalization, key versioning, TTL and jitter,
106
+ soft/hard TTL handling, stale-while-revalidate, request coalescing, singleflight, bounded fallback,
107
+ load shedding, negative-cache policy, invalidation ordering, version checks, tag invalidation,
108
+ cache warming, cache observability, and focused tests tied to the changed cache surface.
109
+ - Split cache policy by success, not-found, permission-denied, temporary failure, stale value, and
110
+ unknown outcome when those outcomes need different behavior.
111
+ - Add tests for tenant separation, permission changes, stale value bounds, concurrent misses, source
112
+ failures, Redis failures, synchronized expiry, old-version cached values, update races, delete and
113
+ recreate flows, and deploy rollback when feasible.
114
+ - Do not add speculative cache layers, global flush buttons, unbounded fallback to the source, broad
115
+ cache bypasses, or TTL guesses without an explicit source-of-truth and stale-tolerance contract.
116
+ - Do not trade authorization, privacy, money, entitlement, inventory, ordering, or user trust for
117
+ hit rate without explicit product acceptance.
118
+
119
+ <!-- mustflow-section: procedure -->
120
+ ## Procedure
121
+
122
+ 1. Name the second truth store. State the source of truth, cached value, allowed stale duration, and
123
+ whether the cached value is disposable or can affect security, money, entitlement, inventory, or
124
+ user-visible facts.
125
+ 2. Check key truth before speed.
126
+ - The key must include every dimension that changes meaning or visibility: tenant, actor, viewer
127
+ context, login state, membership tier, country, language, locale, A/B test, feature flag, adult
128
+ verification, inventory policy, authorization state, and relevant request headers.
129
+ - A key such as `product:{id}` is unsafe when the response varies by the viewer.
130
+ 3. Check query normalization.
131
+ - Sort order-insensitive query parameters, remove defaults, normalize types, define empty value
132
+ handling, and state whether array order is meaningful.
133
+ - Treat raw `JSON.stringify(query)` as suspect until key stability, default handling, and array
134
+ semantics are explicit.
135
+ 4. Check key version and schema version.
136
+ - Cache keys or values need a version when response shape, serialization, permission meaning,
137
+ query semantics, or source fields change.
138
+ - During deploy and rollback, old and new code must either read both formats safely, reject old
139
+ values clearly, or use separate versioned keys.
140
+ 5. Check TTL as a contract.
141
+ - TTL is not a guess like "five minutes". Tie it to data change rate, stale tolerance, and source
142
+ protection.
143
+ - Add TTL jitter when many keys are filled together so synchronized expiry does not become an
144
+ expiry bomb.
145
+ - Separate soft TTL from hard TTL when stale-while-revalidate or stale serve during source failure
146
+ is allowed.
147
+ 6. Check miss collapse and stampede control.
148
+ - A miss path of `get -> source -> set` is incomplete for hot keys.
149
+ - Look for lock, lease, singleflight, request coalescing, bounded regeneration, early refresh,
150
+ prewarm, or another mechanism that stops one expired hot key from sending every caller to the
151
+ source.
152
+ 7. Check negative and failure caching.
153
+ - Negative cache can protect the source for expensive misses, but success, `404`, `403`, temporary
154
+ failure, timeout, and unknown outcome need separate TTLs and separate meanings.
155
+ - Do not let a transient outage become a long-lived "not found" or "not allowed" fact.
156
+ 8. Check invalidation ordering.
157
+ - Delete-before-commit can resurrect old values when another request refills from the old source
158
+ value before the commit lands.
159
+ - Prefer commit-after-delete, outbox-driven invalidation, version compare, write-through, or a
160
+ local pattern that prevents old values from winning after the durable write.
161
+ 9. Check update races.
162
+ - Updating the cache after a write is not automatically safe. A slower older write can overwrite
163
+ a newer value.
164
+ - Use updatedAt, monotonic version, CAS, conditional write, compare-and-set, or cache delete when
165
+ ordering cannot be proven.
166
+ 10. Check list, query, and page caches separately from detail caches.
167
+ - List caches are harder than detail caches because latest, popular, tag, author, search, filter,
168
+ and page keys all change when one entity changes.
169
+ - Page-number caches are vulnerable to insertions and deletions. Prefer cursor keys, baseline
170
+ time, snapshot token, or explicit duplicate and gap behavior for feeds and infinite scroll.
171
+ - If tag-based invalidation is missing for compound queries, expect global flush pressure and
172
+ report the operational cost.
173
+ 11. Check cache layers.
174
+ - Local in-memory cache splits truth per server. L1, L2, and DB each need TTL, invalidation,
175
+ bypass, and failure behavior.
176
+ - Deleting L2 while L1 survives can leave "sometimes stale" bugs that depend on load-balancer
177
+ routing.
178
+ 12. Check cache outage fallback.
179
+ - Redis down plus unbounded DB fallback can kill the source. Fallback needs rate limit, load
180
+ shedding, stale serve, circuit breaker, bulkhead, or another source-protection mechanism.
181
+ - Decide whether cache failure is disposable or correctness-sensitive. Sessions, permissions,
182
+ rate limits, inventory, idempotency, and dedupe caches are not ordinary performance caches.
183
+ 13. Check Redis keyspace and memory behavior.
184
+ - Review value size, key size, key schema, bounded key cardinality, max memory, eviction policy,
185
+ expired keys, evicted keys, and whether TTL-less keys are turning cache into state storage.
186
+ - `noeviction` makes writes fail at memory limit. `volatile-*` policies only evict keys with TTL,
187
+ so TTL-less keys can crowd out real cache behavior.
188
+ - `KEYS *` in application code is a production bomb. Use `SCAN` only from bounded admin or
189
+ maintenance paths with explicit limits.
190
+ 14. Check hot keys and Redis Cluster distribution.
191
+ - Sharding does not save one hot key. Use replicas, local L1, request coalescing, prewarm,
192
+ chunking, or workload-specific splitting where semantics allow it.
193
+ - Redis Cluster hash tags are useful for intentional multi-key locality, but overusing the same
194
+ tag can force too many keys into one slot.
195
+ 15. Check HTTP cache semantics.
196
+ - If responses vary by `Authorization`, `Cookie`, `Accept-Language`, `Accept-Encoding`, content
197
+ negotiation, or user context, verify `Vary` and cache-control behavior.
198
+ - `no-cache` means revalidate before reuse. `no-store` means do not store. Do not use one when
199
+ the other is required.
200
+ - Check freshness, validation, private versus public cacheability, CDN behavior, browser behavior,
201
+ and generated-client or proxy expectations.
202
+ 16. Check permission and entitlement caches as security boundaries.
203
+ - A permission cache, role cache, organization-membership cache, subscription cache, admin cache,
204
+ or entitlement cache must be invalidated by revocation, role change, organization move,
205
+ subscription expiry, ownership change, and emergency access changes.
206
+ - Short TTL alone is not enough for decisions that should fail closed or revoke promptly.
207
+ 17. Check cache warming and cold-start behavior.
208
+ - Deployment, autoscale, failover, and rollback can create synchronized cold caches that push
209
+ traffic to the source.
210
+ - Prewarm only keys with clear ownership and backpressure. Do not build an unbounded warming job
211
+ that becomes the outage.
212
+ 18. Check observability.
213
+ - Hit rate alone lies. Break down hits, misses, stale serves, negative hits, refresh failures,
214
+ evictions, expirations, and set failures by endpoint, key-pattern, tenant, status-code, and
215
+ cache layer where useful.
216
+ - Log or measure miss cost: source query time, source call count, value size, generation time,
217
+ and set success.
218
+ - Keep cache metrics labels bounded; put high-cardinality keys in logs or traces only when the
219
+ repository privacy rules allow it.
220
+ 19. Check tests beyond the happy path.
221
+ - "Second call is faster" is not enough.
222
+ - Cover concurrent misses, update during read, delete then recreate, source failure, Redis
223
+ failure, synchronized TTL expiry, old-version cached value, permission change, tenant
224
+ separation, list invalidation, negative-cache classification, deploy rollback, and cache-layer
225
+ bypass when those risks exist.
226
+ 20. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
227
+ or load tests, report the missing evidence instead of claiming the cache is safe.
228
+
229
+ <!-- mustflow-section: postconditions -->
230
+ ## Postconditions
231
+
232
+ - Cache source of truth, value shape, key dimensions, stale tolerance, TTL, invalidation, fallback,
233
+ and observability are explicit or reported as missing.
234
+ - Tenant, viewer, permission, entitlement, feature-flag, locale, query, schema-version, and header
235
+ variance cannot silently share the wrong value.
236
+ - Stampede, synchronized expiry, negative cache, invalidation ordering, update race, list cache,
237
+ page cache, tag invalidation, L1/L2 layering, Redis outage, hot key, Redis Cluster, and HTTP cache
238
+ semantics are fixed or reported where relevant.
239
+ - Permission and entitlement caches fail closed or invalidate promptly where stale values are unsafe.
240
+ - Cache claims are backed by configured evidence or labeled as static review risk, manual-only, or
241
+ missing evidence.
242
+
243
+ <!-- mustflow-section: verification -->
244
+ ## Verification
245
+
246
+ Use configured oneshot command intents when available:
247
+
248
+ - `changes_status`
249
+ - `changes_diff_summary`
250
+ - `lint`
251
+ - `build`
252
+ - `test_related`
253
+ - `test`
254
+ - `docs_validate_fast`
255
+ - `test_release`
256
+ - `mustflow_check`
257
+
258
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the changed
259
+ cache key, stale-data, invalidation, fallback, or observability contract. Do not infer raw Redis, CDN,
260
+ browser, server, benchmark, or load-test commands outside the command contract.
261
+
262
+ <!-- mustflow-section: failure-handling -->
263
+ ## Failure Handling
264
+
265
+ - If verification fails, preserve the failing intent, failing assertion or output tail, and the cache
266
+ contract it exercised before editing again.
267
+ - If key dimensions, source-of-truth ownership, stale tolerance, invalidation trigger, or permission
268
+ revocation behavior are unknown, report the missing decision instead of adding a cache or guessing a
269
+ TTL.
270
+ - If safe cache behavior requires a tag index, outbox, versioned read model, CAS support, circuit
271
+ breaker, bounded fallback, or operational Redis/CDN evidence outside the current scope, report the
272
+ missing boundary and keep local changes narrow.
273
+ - If deterministic cache proof requires live Redis, CDN, browser, load-test, or production telemetry
274
+ not configured in `.mustflow/config/commands.toml`, complete available local verification and report
275
+ the manual evidence gap.
276
+
277
+ <!-- mustflow-section: output-format -->
278
+ ## Output Format
279
+
280
+ - Cache surface reviewed
281
+ - Source of truth, cached value, key dimensions, stale tolerance, TTL, invalidation, and fallback
282
+ decisions
283
+ - Key normalization, key version, query normalization, viewer context, tenant and permission boundary
284
+ checks
285
+ - Stampede, negative-cache, invalidation-order, update-race, list/page/tag, L1/L2, Redis, hot-key,
286
+ HTTP cache, permission-cache, warming, and observability checks where relevant
287
+ - Cache-integrity fixes made or recommended
288
+ - Evidence level: configured-test evidence, static review risk, manual-only, missing, or not applicable
289
+ - Command intents run
290
+ - Skipped cache diagnostics and reasons
291
+ - Remaining cache-integrity risk
@@ -0,0 +1,297 @@
1
+ ---
2
+ mustflow_doc: skill.change-blast-radius-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: change-blast-radius-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.change-blast-radius-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # Change Blast Radius Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Review maintainability by predicting where the next change, failure, retry, migration, or deletion
34
+ will spread.
35
+
36
+ The review question is not "is this code clean?" It is "if the policy changes, where do I edit;
37
+ if the flow fails halfway, what state remains; if the event runs twice, is it safe; and if the
38
+ feature is removed, what can I delete?"
39
+
40
+ <!-- mustflow-section: use-when -->
41
+ ## Use When
42
+
43
+ - Code review, implementation, or refactor work touches domain policies, controllers, services,
44
+ use cases, workflows, DTOs, entities, view models, authorization, state transitions, persistence,
45
+ transactions, external APIs, retries, caches, config flags, tenant branches, migrations, events,
46
+ logging, tests, abstractions, helpers, or legacy compatibility.
47
+ - A single requirement would force edits across several files, layers, modules, frontend code, SQL,
48
+ jobs, events, cache keys, tests, or docs.
49
+ - A file or service has several unrelated reasons to change under one broad noun such as `Manager`,
50
+ `Helper`, `Processor`, `Handler`, or `Service`.
51
+ - A review needs to decide whether to use `module-boundary-review`, `structure-first-engineering`,
52
+ `testability-boundary-review`, `failure-integrity-review`, `cache-integrity-review`,
53
+ `auth-permission-change`, `state-machine-pattern`, `strategy-pattern`, `result-option`, or
54
+ `database-migration-change`.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The only concern is module ownership, import direction, DTO leakage, or co-change evidence; use
60
+ `module-boundary-review` as the primary skill.
61
+ - The task is early implementation structure for a known feature; use `structure-first-engineering`
62
+ first and this skill only for predicted change-spread evidence.
63
+ - The main issue is deterministic tests or hidden test inputs; use `testability-boundary-review`.
64
+ - The main issue is a specific failure path, cache invariant, authorization boundary, migration,
65
+ state machine, strategy, result type, or dependency-injection seam; use the narrower skill first.
66
+ - The change is a tiny pure helper with explicit inputs, deterministic output, no policy, no I/O,
67
+ no shared state, and no meaningful future-change branch.
68
+
69
+ <!-- mustflow-section: required-inputs -->
70
+ ## Required Inputs
71
+
72
+ - User goal, current diff or target files, and the requirement or policy that caused the change.
73
+ - Change-reason ledger: which business rule, user flow, data shape, failure path, compatibility
74
+ rule, tenant exception, or operational behavior would make this code change next.
75
+ - Blast-radius ledger: controllers, services, repositories, entities, DTOs, frontend conditions,
76
+ SQL, migrations, batches, events, caches, config, tests, docs, and templates touched by one reason.
77
+ - Ownership ledger: source of truth for domain rule, authorization rule, state transition, retry
78
+ rule, transaction boundary, cache truth, event contract, log context, and data model language.
79
+ - Deleteability ledger: what files, flags, columns, event handlers, cache keys, tests, and branches
80
+ would need removal if the feature or policy disappears.
81
+ - Test and operations evidence: mocks, call-order assertions, logs, trace IDs, retry/idempotency
82
+ behavior, migration compatibility, and configured command intents.
83
+
84
+ <!-- mustflow-section: preconditions -->
85
+ ## Preconditions
86
+
87
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
88
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
89
+ current scope.
90
+ - Required inputs are available, or missing blast-radius, ownership, deleteability, or operational
91
+ evidence can be reported without guessing.
92
+ - If the review finds a concrete module, failure, cache, authorization, migration, state-machine,
93
+ testability, or pattern issue, use the narrower skill before editing that part.
94
+
95
+ <!-- mustflow-section: allowed-edits -->
96
+ ## Allowed Edits
97
+
98
+ - Move or name ownership for domain policy, authorization, state transitions, workflow sequencing,
99
+ retry/idempotency, transaction boundaries, DTO mapping, cache truth, config interpretation, event
100
+ contracts, logs, migrations, and tests directly tied to the reviewed change-spread risk.
101
+ - Split responsibilities only when the split follows different reasons to change, not because a
102
+ file is long or the names look untidy.
103
+ - Replace boolean mode flags, trash-can option objects, tenant hardcoding, legacy branches, and
104
+ premature shared helpers with explicit concepts, named policies, adapters, or duplicated code
105
+ when that reduces future change spread.
106
+ - Add focused tests that prove a policy owner, state transition, idempotent retry, deletion boundary,
107
+ migration compatibility, or stable observable outcome.
108
+ - Do not add decorative interfaces, broad service layers, generic managers, speculative factories,
109
+ or shared helpers that hide rather than reduce the next-change blast radius.
110
+
111
+ <!-- mustflow-section: procedure -->
112
+ ## Procedure
113
+
114
+ 1. Start with the next likely change.
115
+ - Ask: "If this requirement changes next month, which files move?"
116
+ - If one policy edit needs controller, service, repository, SQL, frontend, batch, cache, and test
117
+ edits, the code is a puzzle, not a boundary.
118
+ 2. Count reasons to change, not lines.
119
+ - A short file can still hold signup, login, points, notification, referral, admin blocking, and
120
+ reporting rules.
121
+ - Split by different change reasons, not by noun labels.
122
+ 3. Keep controllers as doors, not bosses.
123
+ - Controllers should parse requests, call an application boundary, and map the result.
124
+ - Treat controller `if`, `for`, state mutation, external API calls, discount logic, inventory
125
+ checks, or notification orchestration as workflow leakage.
126
+ 4. Reject junk-drawer services.
127
+ - Broad names such as `OrderService`, `UserService`, `Manager`, `Helper`, `Processor`, and
128
+ `Handler` often hide unrelated workflows.
129
+ - Name the actual responsibility or split by workflow owner when changes would not arrive
130
+ together.
131
+ 5. Decode boolean mode flags.
132
+ - `createUser(user, true)` and `sendNotification(user, true, false)` mean one function already
133
+ has hidden modes.
134
+ - Replace modes with named variants, policy objects, strategy objects, or separate functions when
135
+ behavior contracts differ.
136
+ 6. Inspect option objects for combinatorial behavior.
137
+ - Fields such as `skipValidation`, `dryRun`, `force`, `source`, `mode`, `type`, `retry`,
138
+ `legacy`, and `includeInactive` can turn one call into many products.
139
+ - If field combinations change behavior, use explicit mode types or separate boundaries.
140
+ 7. Find the policy source of truth.
141
+ - Repeated rules such as "VIP gets free shipping" across backend, frontend, SQL, batch, and
142
+ cache code are not harmless duplication.
143
+ - Name one owner and make other layers consume facts or capabilities from that owner.
144
+ 8. Centralize authorization policy.
145
+ - Scattered checks such as `role == admin`, `ownerId == user.id`, or membership scans make policy
146
+ changes scary.
147
+ - Use `auth-permission-change` when action permission needs one policy source and denial tests.
148
+ 9. Make state transitions visible.
149
+ - Status values are not enough. Review where `status = ...` happens and which transitions are
150
+ legal.
151
+ - Use `state-machine-pattern` when allowed transitions need to be represented explicitly.
152
+ 10. Pull time, randomness, and generated IDs to a boundary.
153
+ - Direct `new Date()`, `Date.now()`, `LocalDateTime.now()`, UUIDs, random order numbers, random
154
+ filenames, and generated referral codes hide reproducibility and future policy changes.
155
+ - Use explicit time, generator, or identifier inputs from the shell.
156
+ 11. Draw the transaction boundary.
157
+ - When several saves happen, ask what remains if the middle save fails.
158
+ - If the answer is unclear, use `failure-integrity-review` or the relevant database skill before
159
+ changing behavior.
160
+ 12. Separate external calls from committed state.
161
+ - DB save, payment API, DB save, notification API in one flow creates timeout, retry, and
162
+ duplicate-effect traps.
163
+ - Prefer local state plus outbox, idempotency keys, or effect descriptions when the operation
164
+ must survive partial failure.
165
+ 13. Check retry idempotency.
166
+ - `retry(3)`, queues, webhooks, schedulers, and manual replays are dangerous without a duplicate
167
+ rule.
168
+ - Ask what happens when the same event arrives twice.
169
+ 14. Reject cache-as-truth for important decisions.
170
+ - Cache can speed reads, but it should not become the source of truth for authorization, payment
171
+ eligibility, inventory, or other critical decisions.
172
+ - Use `cache-integrity-review` when cache freshness or fallback can mislead the decision.
173
+ 15. Count config flag combinations.
174
+ - Flags such as `enableNewPolicy`, `useLegacyFlow`, `skipValidationForPartner`, and
175
+ `specialCaseTenantIds` can create untested products inside one code path.
176
+ - Name the supported combinations or isolate the variation behind a policy boundary.
177
+ 16. Isolate tenant, partner, country, product, and app-version exceptions.
178
+ - Hardcoded `tenantId`, `partnerCode`, country code, app version, or product ID branches are
179
+ product debt, not just conditionals.
180
+ - Prefer configured capabilities, adapters, policy tables, or explicit exceptions with removal
181
+ owners.
182
+ 17. Keep legacy compatibility out of the new core.
183
+ - `legacy`, `old`, `v1`, `deprecated`, and `temp` branches inside the main path pull old rules
184
+ into new code.
185
+ - Put compatibility in adapters, translators, migration paths, or isolated old-entry boundaries.
186
+ 18. Separate data-object languages.
187
+ - DB entities, API DTOs, view models, external provider payloads, and domain objects should not
188
+ quietly become the same object.
189
+ - If one side changes and another side must follow, name the mapping owner.
190
+ 19. Give nullable values a reason.
191
+ - `null` must not mean absence, unknown, failed calculation, forbidden access, and provider
192
+ timeout at the same time.
193
+ - Use variants, result types, or explicit fields that tell callers why a value is missing.
194
+ 20. Do not hide exceptions as normal data.
195
+ - `catch (e) { return null }`, `catch (e) { log.warn(...) }`, and empty catches make the system
196
+ lie far from the failure.
197
+ - Use visible failure values, typed errors, or explicit degraded modes.
198
+ 21. Make logs traceable, not decorative.
199
+ - Logs like `start` and `failed` without order ID, user ID, request ID, external call ID, tenant,
200
+ or operation name do not help future maintainers.
201
+ - Add safe correlation context when it is the only way to connect the failure path.
202
+ 22. Keep tests attached to behavior.
203
+ - Tests that assert private methods, mock call order, or internal collaborator choreography make
204
+ refactors expensive.
205
+ - Prefer outcomes, state transitions, persisted commands, emitted events, or public results.
206
+ 23. Treat mock count as a change-impact sensor.
207
+ - More than three mocks deserves a responsibility review.
208
+ - Five or more mocks usually means the class absorbs too many change directions.
209
+ 24. Validate abstraction against real volatility.
210
+ - Interfaces, factories, strategies, and abstract classes help only when the variation axis is
211
+ real.
212
+ - Ask whether there are two real implementations now or a known future swap along this exact
213
+ axis.
214
+ 25. Do not DRY together different futures.
215
+ - Removing duplication is harmful when two similar blocks change for different reasons.
216
+ - Keep duplication when it preserves independent policy evolution.
217
+ 26. Make required ordering explicit.
218
+ - Initialization, validation, save, event publication, cache invalidation, notification, and
219
+ cleanup steps can be order-sensitive.
220
+ - If swapping two lines would break correctness, encode the sequence in a named workflow,
221
+ transaction, state transition, or command object.
222
+ 27. Treat events as invisible function calls until proven otherwise.
223
+ - `publish(Event)` hides subscribers, failure behavior, ordering, duplicate delivery, and
224
+ compatibility.
225
+ - Name the event contract, listener expectations, idempotency, and failure handling.
226
+ 28. Pair migrations with runtime compatibility.
227
+ - Schema changes, enum additions, defaults, indexes, and backfills must be checked against old
228
+ code on new schema and new code on old data.
229
+ - Use `database-migration-change` when deploy order or data backfill matters.
230
+ 29. Run the deletion test.
231
+ - Ask: "If this feature disappears, what do I delete?"
232
+ - If flags, columns, conditions, events, caches, batch jobs, UI checks, and tests are scattered,
233
+ the feature is already rooted too deeply.
234
+ 30. Pick the smallest boundary repair.
235
+ - If one owner is missing, introduce that owner.
236
+ - If one mode is hidden, name that mode.
237
+ - If the risk is too broad for the current task, report the exact next-change or deletion path
238
+ that remains unpredictable.
239
+
240
+ <!-- mustflow-section: postconditions -->
241
+ ## Postconditions
242
+
243
+ - The next likely policy or workflow change has a named owner and a predictable edit path, or the
244
+ unpredictable spread is explicitly reported.
245
+ - Important side effects, transactions, retries, events, caches, config flags, migrations, and logs
246
+ have clear owners or remaining risks.
247
+ - Boolean modes, option-object combinations, tenant exceptions, legacy compatibility, and premature
248
+ shared helpers are either tightened or named as future-change traps.
249
+ - Tests and observability focus on outcomes, state, events, idempotency, and public behavior rather
250
+ than private choreography.
251
+ - The deletion path for the changed feature or policy is clearer, or the remaining deletion debt is
252
+ named.
253
+
254
+ <!-- mustflow-section: verification -->
255
+ ## Verification
256
+
257
+ Use configured oneshot command intents when available:
258
+
259
+ - `changes_status`
260
+ - `changes_diff_summary`
261
+ - `lint`
262
+ - `build`
263
+ - `test_related`
264
+ - `test`
265
+ - `test_audit`
266
+ - `docs_validate_fast`
267
+ - `test_release`
268
+ - `mustflow_check`
269
+
270
+ Prefer the narrowest checks that cover the changed owner, behavior, tests, template surface, or
271
+ public contract.
272
+
273
+ <!-- mustflow-section: failure-handling -->
274
+ ## Failure Handling
275
+
276
+ - If the blast radius cannot be predicted from current evidence, report the missing owner, hidden
277
+ dependency, unknown subscriber, migration uncertainty, or deletion path instead of inventing a
278
+ clean boundary.
279
+ - If the review discovers security, cache, failure, migration, testability, or state-machine risk,
280
+ switch to the narrower skill before editing that part.
281
+ - If a boundary repair would change behavior, use `behavior-preserving-refactor` or
282
+ `repro-first-debug` before continuing.
283
+ - If a command fails, use `failure-triage` before further edits.
284
+
285
+ <!-- mustflow-section: output-format -->
286
+ ## Output Format
287
+
288
+ - Change blast radius reviewed
289
+ - Next likely change and owner
290
+ - Files, layers, jobs, caches, events, tests, docs, or migrations in the blast radius
291
+ - Policy, authorization, state, transaction, retry, cache, config, tenant, legacy, DTO, nullable,
292
+ log, test, abstraction, ordering, event, migration, or deletion findings
293
+ - Fixes made or recommendation
294
+ - Tests or behavior evidence
295
+ - Command intents run
296
+ - Skipped checks and reasons
297
+ - Remaining change-spread or deletion risk