mustflow 2.39.1 → 2.58.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/tech.js +60 -4
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/npm-version-check.js +36 -0
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +386 -1
package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md
ADDED
|
@@ -0,0 +1,194 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.database-query-bottleneck-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 2
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: database-query-bottleneck-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and database query performance risk can be spotted from the diff, including join fan-out, N+1 calls, over-eager loading, SELECT *, unstable LIMIT, OFFSET pagination, composite index fit, range predicates, functions on indexed columns, parameter type mismatch, wildcard search, OR predicates, large IN lists, COUNT for existence, NOT IN with NULL, LEFT JOIN filters, pre-aggregation, latest-row queries, wide sort/group/distinct, JSON filters, tenant and soft-delete scope, estimated-versus-actual row drift, statistics, plan-cache skew, missing-index recommendations, plan forcing, and long transactions.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.database-query-bottleneck-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Database Query Bottleneck Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Find database bottleneck candidates from code shape before reaching for live execution plans.
|
|
33
|
+
|
|
34
|
+
The review question is: "How many rows can this request touch, how many times can it repeat, and can the available indexes follow the same path as the query?" Execution plans are evidence, but PR diffs often already reveal cardinality explosion, unbounded scans, index defeat, N+1 access, unstable pagination, and long transaction waits.
|
|
35
|
+
|
|
36
|
+
<!-- mustflow-section: use-when -->
|
|
37
|
+
## Use When
|
|
38
|
+
|
|
39
|
+
- Code is created, changed, reviewed, or reported and the risk is database query latency, row explosion, index mismatch, ORM query shape, resolver fan-out, transaction wait, pagination cost, or plan instability.
|
|
40
|
+
- A list, feed, search, report, dashboard, export, admin table, GraphQL resolver, serializer, worker, queue consumer, background sync, import, API endpoint, repository, ORM model, query builder, raw SQL, stored procedure, or database-backed cache path is introduced or changed.
|
|
41
|
+
- Code or docs claim a query is indexed, fast, paginated, batched, preloaded, eager-loaded, tenant-scoped, safe for large data, or covered by an execution plan.
|
|
42
|
+
- The database engine is unknown or mixed, and the review must stay engine-agnostic while preserving hooks for PostgreSQL, SQLite, MySQL, SQL Server, or ORM-specific follow-up.
|
|
43
|
+
|
|
44
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
45
|
+
## Do Not Use When
|
|
46
|
+
|
|
47
|
+
- The task changes database ownership, schema, migrations, persistence boundaries, data lifecycle, restore, export, or cache-as-store behavior; use `database-change-safety` or `database-migration-change` first and this skill only for query bottleneck adjunct review.
|
|
48
|
+
- The task is PostgreSQL-specific, SQLite-specific, MySQL-specific, SQL Server-specific, or engine-feature-specific; use the matching engine skill first and this skill only for generic query-shape checks.
|
|
49
|
+
- The task is a full measurement, benchmark, profiling, p95 or p99 performance budget, or production-tuning project; use `performance-budget-check` first.
|
|
50
|
+
- The only database path is a tiny hard-capped lookup table, static seed list, or one-off admin maintenance query whose bounded size and manual nature are explicit.
|
|
51
|
+
|
|
52
|
+
<!-- mustflow-section: required-inputs -->
|
|
53
|
+
## Required Inputs
|
|
54
|
+
|
|
55
|
+
- Query surface: raw SQL, ORM call, query builder, repository method, resolver, serializer, worker, import/export path, report, dashboard, or transaction block under review.
|
|
56
|
+
- Cardinality shape: starting rows, join fan-out, relation counts, tenant or user scope, filter selectivity, sort/group/distinct width, pagination depth, and data skew assumptions when known.
|
|
57
|
+
- Repetition shape: loops, resolvers, serializers, lazy relations, per-item queries, queue consumers, retries, workers, pages, tenants, or nested calls that multiply query count.
|
|
58
|
+
- Index and plan evidence when available: indexes, constraints, query plans, estimated and actual rows, loops, buffers, temp files, statistics freshness, extended statistics, covering-index expectations, plan-cache behavior, and missing-index recommendations.
|
|
59
|
+
- Database and ORM context: engine, version when known, ORM eager or lazy loading behavior, generated SQL, parameter binding types, transaction defaults, connection pool limits, and read replica or plan cache behavior.
|
|
60
|
+
- Correctness boundaries: tenant isolation, authorization, soft delete, retention, stable ordering, duplicate handling, null semantics, consistency, stale data, partial failure, and transaction semantics.
|
|
61
|
+
- Relevant command-intent contract entries for build, tests, docs, release checks, and mustflow validation.
|
|
62
|
+
|
|
63
|
+
<!-- mustflow-section: preconditions -->
|
|
64
|
+
## Preconditions
|
|
65
|
+
|
|
66
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
67
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
|
|
68
|
+
- Required inputs are available, or missing row-count, index, ORM, or engine evidence can be reported without guessing.
|
|
69
|
+
- If the query changes persisted behavior, migrations, authorization, tenant scope, privacy, or public API output, also apply the relevant database, security, migration, or API skill.
|
|
70
|
+
- If engine-specific claims are made, use the matching engine skill before claiming feature support or plan behavior.
|
|
71
|
+
|
|
72
|
+
<!-- mustflow-section: allowed-edits -->
|
|
73
|
+
## Allowed Edits
|
|
74
|
+
|
|
75
|
+
- Narrow projection, add stable ordering, convert offset pagination to keyset or cursor pagination, batch per-item queries, replace lazy relation access with explicit loading, push joins and aggregation to the database, pre-aggregate before joining, and shorten transactions when semantics are clear.
|
|
76
|
+
- Add or adjust index declarations, generated columns, expression indexes, partial indexes, composite index order, query hints, statistics notes, or plan evidence only when the repository owns that surface and the engine-specific skill supports the change.
|
|
77
|
+
- Add focused tests or fixtures for query count, stable ordering, tenant scope, authorization, pagination, null semantics, duplicate handling, and generated SQL when local patterns support them.
|
|
78
|
+
- Do not add speculative indexes, caches, denormalization, materialized views, plan forcing, read replicas, or search infrastructure without workload evidence and ownership of write cost, freshness, and invalidation.
|
|
79
|
+
- Do not trade correctness, tenant isolation, authorization, null semantics, stable pagination, or transaction safety for a faster-looking query.
|
|
80
|
+
|
|
81
|
+
<!-- mustflow-section: procedure -->
|
|
82
|
+
## Procedure
|
|
83
|
+
|
|
84
|
+
1. Start with cardinality, not SQL prettiness. Multiply parent rows by child rows and joined relation counts. A path like user to orders to items to options can explode before any single predicate looks suspicious.
|
|
85
|
+
2. Count query repetition.
|
|
86
|
+
- Treat DB calls inside `for`, `map`, `forEach`, streams, serializers, resolvers, template rendering, and queue consumers as N+1 candidates.
|
|
87
|
+
- Open helper and ORM relation bodies; property access can be a query when lazy loading is enabled.
|
|
88
|
+
3. Check eager loading with suspicion.
|
|
89
|
+
- Eager loading, `includes`, `preload`, `join fetch`, and `select_related` can replace N+1 with overfetching.
|
|
90
|
+
- Verify the screen, API, worker, or report needs the loaded relations and columns.
|
|
91
|
+
4. Check projection width.
|
|
92
|
+
- Flag unbounded `SELECT *`, full entity hydration, wide DTOs, large JSON, TEXT, BLOB, image, metadata, and audit columns in list or sort paths.
|
|
93
|
+
- Prefer thin keys and required columns first, then fetch detail columns only after narrowing the row set.
|
|
94
|
+
5. Check deterministic ordering.
|
|
95
|
+
- `LIMIT` without stable `ORDER BY` is not a real pagination contract.
|
|
96
|
+
- `ORDER BY` with `LIMIT` needs an index-compatible ordering or the database may sort a large working set to return a few rows.
|
|
97
|
+
6. Check offset pagination.
|
|
98
|
+
- Large `OFFSET ... LIMIT ...` usually means the database counts and discards earlier rows.
|
|
99
|
+
- Prefer keyset or cursor pagination with a stable tie-breaker such as `(created_at, id)` when arbitrary page jumps are not a product requirement.
|
|
100
|
+
7. Match composite indexes to query shape.
|
|
101
|
+
- Review equality predicates, range predicates, join keys, sort keys, and grouping keys in order.
|
|
102
|
+
- Do not assume "all WHERE columns are in the index" means the index is useful.
|
|
103
|
+
- Identify where the index stops narrowing and starts scanning, especially after range predicates.
|
|
104
|
+
8. Look for index defeat.
|
|
105
|
+
- Functions or casts around columns, such as `LOWER(email)`, `DATE(created_at)`, `CAST(id AS text)`, timezone conversion, arithmetic, or JSON extraction can prevent ordinary index use.
|
|
106
|
+
- Use normalized stored values, generated columns, expression indexes, or query rewrites when the engine and workload justify them.
|
|
107
|
+
9. Check parameter and type mismatch.
|
|
108
|
+
- UUID versus text, integer versus string, timezone-aware versus local timestamp, decimal versus float, collation mismatch, and enum/string mismatch can distort plans or force casts.
|
|
109
|
+
- Bind parameters in the column's native type where the driver and ORM allow it.
|
|
110
|
+
10. Classify search patterns.
|
|
111
|
+
- Prefix search and contains search are different workloads.
|
|
112
|
+
- Leading wildcard `LIKE '%term%'`, case-insensitive search, trigram, full-text, search-engine, and separate search-table paths need explicit ownership.
|
|
113
|
+
11. Check `OR`, `IN`, and existence shapes.
|
|
114
|
+
- `OR` across different columns can confuse index choice; consider separate queries or `UNION ALL` only when duplicate and ordering semantics are clear.
|
|
115
|
+
- Very large `IN` lists can hurt parsing, planning, network transfer, and cache behavior; consider temp tables, array parameters, table-valued parameters, bulk insert plus join, or batching.
|
|
116
|
+
- Use `EXISTS` for existence checks instead of `COUNT(*) > 0` when exact counts are unnecessary.
|
|
117
|
+
12. Check negative logic and null semantics.
|
|
118
|
+
- `NOT IN` with NULLs can return surprising results; prefer `NOT EXISTS` or explicit NULL policy.
|
|
119
|
+
- `LEFT JOIN` followed by `WHERE right_table.col = ...` often turns into an inner join. Decide whether null-preserving behavior belongs in the join condition or the result filter.
|
|
120
|
+
13. Aggregate before join fan-out.
|
|
121
|
+
- Avoid joining several one-to-many tables and grouping only at the end when each table can be pre-aggregated to the needed grain first.
|
|
122
|
+
- Check whether `DISTINCT` is hiding accidental duplicate multiplication instead of solving the query shape.
|
|
123
|
+
14. Check latest-row and per-parent subqueries.
|
|
124
|
+
- A correlated subquery that asks for the latest child row per parent can become one lookup per parent.
|
|
125
|
+
- Prefer window functions, `DISTINCT ON`, lateral joins, grouped max joins, or precomputed current rows when the engine and semantics support them.
|
|
126
|
+
15. Keep sorts, groups, and distinct narrow.
|
|
127
|
+
- Sorting, grouping, or de-duplicating wide rows with large text, JSON, or blob columns burns memory and temp storage.
|
|
128
|
+
- Narrow to keys first, then join or fetch large columns after the winning rows are known.
|
|
129
|
+
16. Treat JSON filters as schema decisions.
|
|
130
|
+
- A frequently queried JSON path is no longer "just metadata".
|
|
131
|
+
- Promote it to a real column, generated column, expression index, GIN-style index, or search surface when query volume and engine support justify it.
|
|
132
|
+
17. Check tenant and soft-delete scope.
|
|
133
|
+
- Multi-tenant reads, updates, deletes, counts, and background jobs need tenant or account scope unless a cross-tenant operation is explicit and bounded.
|
|
134
|
+
- Soft-delete predicates such as `deleted_at IS NULL` often belong in partial indexes, default scopes, and tests, but default scopes must not hide admin or retention semantics.
|
|
135
|
+
18. Separate planner evidence from wishful thinking.
|
|
136
|
+
- Compare estimated rows and actual rows when plan evidence exists; large gaps point to stale statistics, missing extended statistics, correlation mistakes, or data-skew problems, not only missing indexes.
|
|
137
|
+
- Treat `EXPLAIN` without runtime evidence as a hypothesis. Prefer representative runtime evidence such as PostgreSQL `EXPLAIN ANALYZE`, MySQL `EXPLAIN ANALYZE`, SQL Server actual execution plans, Query Store history, ORM query-count traces, or production telemetry when the repository has safe access to it.
|
|
138
|
+
- Check loops, rows examined, rows returned, buffers, temp files, sort method, lock waits, pool waits, and query count when available.
|
|
139
|
+
19. Treat plan cache, parameter skew, and missing-index advice carefully.
|
|
140
|
+
- Prepared statements and cached plans can regress when parameter values are skewed by tenant, status, country, or time.
|
|
141
|
+
- Missing-index recommendations are candidates, not commands; check overlap with existing indexes, write amplification, sort coverage, filtered or partial-index fit, and composite merge opportunities.
|
|
142
|
+
- Plan forcing is a last resort with monitoring and fallback, not proof that the query shape is healthy. It can freeze yesterday's good plan into tomorrow's outage when data shape changes.
|
|
143
|
+
20. Check transaction scope.
|
|
144
|
+
- Long transactions, row locks, `SELECT FOR UPDATE`, external API calls, file upload waits, network calls, serialization, logging, and user-controlled waits inside a transaction can make a fast query produce slow service behavior.
|
|
145
|
+
- Shorten the transaction and move external effects after commit through outbox, job, or reconciliation patterns when needed.
|
|
146
|
+
21. Label evidence honestly.
|
|
147
|
+
- Static diff review can identify likely bottlenecks but cannot prove actual latency.
|
|
148
|
+
- Use plan or production evidence only when representative parameters, data size, cache state, and engine version are known.
|
|
149
|
+
|
|
150
|
+
<!-- mustflow-section: postconditions -->
|
|
151
|
+
## Postconditions
|
|
152
|
+
|
|
153
|
+
- Query cardinality, repetition count, projection width, pagination shape, index-fit assumptions, and transaction scope are explicit.
|
|
154
|
+
- N+1 access, over-eager loading, `SELECT *`, unstable `LIMIT`, large offset pagination, join fan-out, wide sort/group/distinct, bad existence checks, null-sensitive negative logic, unbounded `IN`, and long transactions are fixed or reported.
|
|
155
|
+
- Index, statistics, extended-statistics, plan-cache, search, JSON, tenant, soft-delete, plan-forcing, and engine-specific claims are tied to evidence or marked as unverified.
|
|
156
|
+
- Correctness, tenant isolation, authorization, ordering, null semantics, duplicates, stale data, and partial failure remain intact or are reported as tradeoffs.
|
|
157
|
+
|
|
158
|
+
<!-- mustflow-section: verification -->
|
|
159
|
+
## Verification
|
|
160
|
+
|
|
161
|
+
Use configured oneshot command intents when available:
|
|
162
|
+
|
|
163
|
+
- `changes_status`
|
|
164
|
+
- `changes_diff_summary`
|
|
165
|
+
- `lint`
|
|
166
|
+
- `build`
|
|
167
|
+
- `test_related`
|
|
168
|
+
- `test`
|
|
169
|
+
- `docs_validate_fast`
|
|
170
|
+
- `test_release`
|
|
171
|
+
- `mustflow_check`
|
|
172
|
+
|
|
173
|
+
Use the narrowest configured test, build, docs, release, or mustflow intent that covers the changed query path. Do not infer raw database shells, live query plans, migrations, profilers, load tests, or package-manager commands outside the command contract.
|
|
174
|
+
|
|
175
|
+
<!-- mustflow-section: failure-handling -->
|
|
176
|
+
## Failure Handling
|
|
177
|
+
|
|
178
|
+
- If row counts, index definitions, generated SQL, or ORM loading behavior are unknown, report static risk rather than claiming a query is safe or slow.
|
|
179
|
+
- If a query change needs engine-specific feature support, stop at the generic recommendation and use the matching engine skill before editing.
|
|
180
|
+
- If an index would improve reads but hurt writes or migrations, report the tradeoff and require workload evidence.
|
|
181
|
+
- If the safe fix requires live database access, destructive migration, provider console action, or unconfigured plan commands, report the manual boundary instead of running raw commands.
|
|
182
|
+
- If a configured test or build fails, preserve the failing intent and output tail, then fix only the query behavior or contract exercised by the failure.
|
|
183
|
+
|
|
184
|
+
<!-- mustflow-section: output-format -->
|
|
185
|
+
## Output Format
|
|
186
|
+
|
|
187
|
+
- Query path reviewed
|
|
188
|
+
- Cardinality and repetition ledger
|
|
189
|
+
- Projection, ordering, pagination, join fan-out, eager or lazy loading, index fit, search, JSON, tenant or soft-delete, plan evidence, estimated-versus-actual rows, statistics, plan-cache, missing-index, plan-forcing, and transaction checks where relevant
|
|
190
|
+
- Query, index, batching, pagination, projection, aggregation, or transaction change made or recommended
|
|
191
|
+
- Evidence level: static diff risk, configured-test evidence, plan evidence, measured production evidence, manual-only, missing, or not applicable
|
|
192
|
+
- Command intents run
|
|
193
|
+
- Skipped database measurements and reasons
|
|
194
|
+
- Remaining database bottleneck risk
|
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.deletion-lifecycle-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: deletion-lifecycle-review
|
|
9
|
+
description: Apply this skill when code, schema, migrations, APIs, admin tools, jobs, storage, caches, search indexes, analytics, logs, backups, docs, tests, or reviews introduce, change, or assess delete, soft delete, hard delete, purge, restore, undelete, account deletion, tenant deletion, retention, legal hold, erasure, anonymization, pseudonymization, tombstone, backup recovery, PITR, WAL, binlog, transaction-log, downstream deletion, or deletion audit behavior.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.deletion-lifecycle-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- test_related
|
|
19
|
+
- test
|
|
20
|
+
- lint
|
|
21
|
+
- build
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Deletion Lifecycle Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Keep deletion behavior from pretending that hiding a row, flipping a boolean, or running `DELETE FROM` is the whole contract.
|
|
33
|
+
|
|
34
|
+
The review question is: "Which kind of deletion is this, who can reverse it, what must survive for law or operations, what must disappear from every user-visible surface, and what evidence proves each downstream system caught up?" Treat deletion as a lifecycle with state, events, retention windows, recovery evidence, irreversible purge boundaries, backup residue, and audit limits.
|
|
35
|
+
|
|
36
|
+
<!-- mustflow-section: use-when -->
|
|
37
|
+
## Use When
|
|
38
|
+
|
|
39
|
+
- Code, schema, migrations, repositories, APIs, admin tools, UI actions, jobs, workers, tests, docs, or reviews create or change delete, soft delete, hard delete, purge, restore, undelete, account deletion, tenant deletion, data retention, legal hold, erasure, anonymization, pseudonymization, or tombstone behavior.
|
|
40
|
+
- A table, model, or query adds or depends on `is_deleted`, `deleted_at`, `deleted_by`, `delete_reason`, `delete_source`, `restore_deadline_at`, `restored_at`, `restored_by`, `purged_at`, `scheduled_for_purge_at`, `legal_hold`, `retention_until`, or similar fields.
|
|
41
|
+
- A feature must remove data from search indexes, caches, object storage, generated files, data warehouses, analytics tools, email tools, CRM, billing providers, webhooks, queues, exports, or backups.
|
|
42
|
+
- A delete flow interacts with PITR, backup retention, WAL, binlog, transaction logs, object-lock storage, restore drills, partition drops, bulk delete jobs, tenant offboarding, or operational dry-run approval.
|
|
43
|
+
- A task claims that data is deleted, recoverable, irreversible, anonymized, retained for legal reasons, hidden from users, removed from downstream systems, or safe to restore.
|
|
44
|
+
|
|
45
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
46
|
+
## Do Not Use When
|
|
47
|
+
|
|
48
|
+
- The task only removes source code, files, feature flags, dead branches, or generated artifacts from the repository and no product data, persisted state, user data, audit record, backup, or downstream store is involved.
|
|
49
|
+
- The task only changes queue message settlement terms such as ack, nack, reject, or delete with no data deletion lifecycle; use `queue-processing-integrity-review`.
|
|
50
|
+
- The task only changes database query performance around soft-delete predicates; use `database-query-bottleneck-review` first and this skill only when lifecycle, restore, purge, retention, or downstream deletion semantics are present.
|
|
51
|
+
- The task only changes generic schema ownership with no deletion, retention, restore, purge, or legal-hold behavior; use `database-change-safety`.
|
|
52
|
+
- The task is only a migration rollout question; use `database-migration-change` or `migration-safety-check` first and this skill as an adjunct for delete-state compatibility.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: required-inputs -->
|
|
55
|
+
## Required Inputs
|
|
56
|
+
|
|
57
|
+
- Deletion class: hide from normal views, user-restorable soft delete, operator-restorable recovery, legal-retention hold, anonymization or pseudonymization, cryptographic erasure, hard purge, tenant offboarding, or bulk retention purge.
|
|
58
|
+
- Entity and dependency graph: parent rows, child rows, ownership relationships, business records, audit logs, files, search documents, caches, analytics, warehouse tables, external services, exports, backups, and public identifiers.
|
|
59
|
+
- State model: allowed states, allowed transitions, actor, source, reason, request id, timestamp policy, restore deadline, purge deadline, legal hold rules, and terminal states.
|
|
60
|
+
- Query and uniqueness model: default visibility, admin visibility, global scopes, row-level security, repository filters, partial unique indexes, active-only indexes, deleted-id reuse policy, and public URL or webhook identity rules.
|
|
61
|
+
- Recovery model: who can restore, restore scope, point-in-time recovery assumptions, sidecar restore instance workflow, related rows and external resources to revive, audit evidence, and restore drill expectations.
|
|
62
|
+
- Purge and retention model: hard-delete timing, legal basis for retention, backup residue window, tombstone shape, downstream delete events, idempotent workers, retries, dry-run approval, batch size, partition strategy, and observability.
|
|
63
|
+
- Privacy and audit model: personal data separation, anonymization or pseudonymization, sensitive audit redaction, append-only logs, legal hold ownership, and cryptographic erase key ownership where relevant.
|
|
64
|
+
- Relevant command-intent contract entries for tests, docs, release checks, and mustflow validation.
|
|
65
|
+
|
|
66
|
+
<!-- mustflow-section: preconditions -->
|
|
67
|
+
## Preconditions
|
|
68
|
+
|
|
69
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
70
|
+
- Required inputs are available, or missing deletion class, dependency graph, restore, purge, legal, backup, or downstream evidence can be reported without guessing.
|
|
71
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
|
|
72
|
+
- If deletion affects personal data, authentication, authorization, tenant scope, audit logs, security events, backups, or legal claims, also use the relevant security, privacy, database, adapter, or migration skill.
|
|
73
|
+
- If deletion behavior is a state machine, also use `state-machine-pattern` when editing executable state-transition code.
|
|
74
|
+
- If deletion is asynchronous or crosses external systems, also use idempotency, queue, observability, or transaction-boundary skills as needed for the changed path.
|
|
75
|
+
|
|
76
|
+
<!-- mustflow-section: allowed-edits -->
|
|
77
|
+
## Allowed Edits
|
|
78
|
+
|
|
79
|
+
- Add or change deletion states, columns, constraints, partial indexes, repositories, scopes, policies, tombstone tables, purge jobs, restore jobs, downstream deletion events, audit records, tests, fixtures, docs, and directly synchronized template surfaces tied to the task.
|
|
80
|
+
- Replace a lone `is_deleted` or unscoped `deleted_at` behavior with explicit lifecycle fields when the changed surface justifies it.
|
|
81
|
+
- Add dry-run, batch cursor, idempotency key, legal-hold guard, restore ledger, purge ledger, and downstream progress tracking when required by the changed deletion path.
|
|
82
|
+
- Do not use `ON DELETE CASCADE` for business records unless ownership is proven and audit, retention, restore, and legal obligations are unaffected.
|
|
83
|
+
- Do not store sensitive pre-delete values in audit logs solely to prove deletion happened.
|
|
84
|
+
- Do not claim irreversible erasure while backups, logs, downstream stores, exports, or encryption keys can still reconstruct the data unless that residual window is explicit.
|
|
85
|
+
|
|
86
|
+
<!-- mustflow-section: procedure -->
|
|
87
|
+
## Procedure
|
|
88
|
+
|
|
89
|
+
1. Classify the deletion.
|
|
90
|
+
- Hidden from ordinary views: data remains current enough for admin or recovery paths but must not appear in user-facing lists, search, recommendations, exports, or APIs.
|
|
91
|
+
- User-restorable soft delete: the user can undo within a defined window.
|
|
92
|
+
- Operator recovery: staff can recover from mistake, compromise, or incident with stronger audit and approval.
|
|
93
|
+
- Legal hold or mandatory retention: data must stay for a legal, financial, security, or dispute reason even when user-facing identity is removed.
|
|
94
|
+
- Anonymization or pseudonymization: personal identifiers are detached while required business facts remain.
|
|
95
|
+
- Hard purge or cryptographic erasure: data is made unrecoverable within a stated operational and backup boundary.
|
|
96
|
+
2. Build the deletion graph.
|
|
97
|
+
- List parent rows, child rows, join rows, files, generated artifacts, cache entries, search documents, analytics rows, warehouse rows, webhook states, provider ids, exports, and backups.
|
|
98
|
+
- Separate true owned children from business records that must survive, such as orders, invoices, ledger entries, tax records, audit logs, usage records, and security events.
|
|
99
|
+
- Reject broad cascade deletes when ownership, restore, legal retention, and audit survival are unclear.
|
|
100
|
+
3. Check the state machine.
|
|
101
|
+
- Prefer explicit states such as `active`, `pending_deletion`, `soft_deleted`, `restore_requested`, `scheduled_for_purge`, `legal_hold`, `purging`, and `purged` when more than one delete outcome exists.
|
|
102
|
+
- Record delete and restore events with actor, source, reason, request id, server UTC timestamp, and any user-local timestamp needed for support.
|
|
103
|
+
- Keep restore events distinct from clearing `deleted_at`; preserve who restored, why, and which deletion event was reversed.
|
|
104
|
+
- Prevent contradictory states such as restored and purged at the same time, legal hold plus purge, or deleted rows still eligible for normal workflow actions.
|
|
105
|
+
4. Check query, identity, and uniqueness behavior.
|
|
106
|
+
- Do not rely on every caller remembering `deleted_at IS NULL`. Use repository boundaries, global scopes, views, row-level policies, or other local enforcement patterns.
|
|
107
|
+
- Add active-only unique indexes or equivalent constraints when soft-deleted rows should not block future active records.
|
|
108
|
+
- Never reuse exposed ids, order numbers, account ids, tenant ids, webhook ids, or storage keys after deletion.
|
|
109
|
+
- Keep tombstones for hard-deleted entities when duplicate webhooks, retries, imports, sync jobs, caches, or external providers need to know the entity used to exist.
|
|
110
|
+
5. Check restore semantics.
|
|
111
|
+
- Define what is restored: core row only, permissions, memberships, subscriptions, files, search visibility, notification settings, tokens, provider mappings, generated records, and external-service state.
|
|
112
|
+
- Do not treat PITR as a single-record undo button. If point-in-time recovery is relevant, define whether it restores a separate instance, extracts rows, reconciles relationships, and replays current-state differences.
|
|
113
|
+
- Store enough recovery anchors, such as UTC event time, request id, transaction id, logical sequence, or provider event id, without leaking sensitive data.
|
|
114
|
+
6. Check purge, retention, and legal boundaries.
|
|
115
|
+
- Define `scheduled_for_purge_at`, `purged_at`, purge actor or job id, legal hold owner, retention basis, backup residue window, and downstream completion criteria.
|
|
116
|
+
- Separate personal data from business facts so legal retention does not force keeping unnecessary identifiers.
|
|
117
|
+
- Consider cryptographic erase only when key ownership, key scope, backup copies, and remaining metadata are explicit.
|
|
118
|
+
- Make backup and log retention honest: operational deletion can be immediate while backups age out later.
|
|
119
|
+
7. Check downstream deletion.
|
|
120
|
+
- Emit or record deletion work for search, cache, object storage, generated files, analytics, warehouses, email tools, CRM, billing providers, external integrations, exports, and webhooks where relevant.
|
|
121
|
+
- Make workers idempotent, resumable, observable, and safe to retry.
|
|
122
|
+
- Track per-system pending, success, failure, skipped, and blocked states when deletion crosses systems.
|
|
123
|
+
8. Check bulk and tenant deletion.
|
|
124
|
+
- Use dry-run counts and approval for admin deletion tools.
|
|
125
|
+
- Process large deletes in bounded batches with a stable cursor and resume point.
|
|
126
|
+
- Prefer partition drop or detach for date-retention logs when the schema supports it.
|
|
127
|
+
- For tenant deletion, verify `tenant_id` leading indexes, partition strategy, cross-tenant references, shared resources, and rate limits before deleting large populations.
|
|
128
|
+
9. Check audit and privacy.
|
|
129
|
+
- Keep deletion audit append-only and separate from rows that may be purged.
|
|
130
|
+
- Log decisions, actor, request id, result, and reason codes without copying full personal data into audit logs.
|
|
131
|
+
- Redact or hash sensitive identifiers when audit evidence does not require raw values.
|
|
132
|
+
|
|
133
|
+
<!-- mustflow-section: postconditions -->
|
|
134
|
+
## Postconditions
|
|
135
|
+
|
|
136
|
+
- The deletion class, state transitions, restore path, purge path, retention boundary, legal hold behavior, and backup residue window are explicit.
|
|
137
|
+
- Deleted data cannot leak through ordinary queries, admin views, search, caches, generated artifacts, exports, or downstream systems without that exception being intentional and documented.
|
|
138
|
+
- Hard purge and erasure claims are tied to tombstones, audit survival, downstream completion, backup/log age-out, or cryptographic erase evidence.
|
|
139
|
+
- Existing rows, old/new writers, migrations, batch jobs, restore drills, and operator dry-runs are addressed when affected.
|
|
140
|
+
- Remaining deletion lifecycle risk is named instead of hidden behind `is_deleted`.
|
|
141
|
+
|
|
142
|
+
<!-- mustflow-section: verification -->
|
|
143
|
+
## Verification
|
|
144
|
+
|
|
145
|
+
- Run the narrowest configured tests covering deletion states, default visibility, restore, purge, legal hold, partial unique indexes, cascade boundaries, tombstones, downstream deletion jobs, idempotency, batch resume, audit redaction, and template packaging changed by the task.
|
|
146
|
+
- Use configured docs and release checks when skill text, routes, templates, package metadata, or user-facing docs change.
|
|
147
|
+
- Prefer tests that prove deleted rows stay hidden from ordinary paths, active uniqueness still works, restores rebuild expected relationships, purges keep tombstones, legal holds block purge, and downstream deletion work is resumable.
|
|
148
|
+
- If backup, PITR, object-lock, legal, or external-provider behavior cannot be exercised locally, report that evidence as manual-only or missing instead of claiming it passed.
|
|
149
|
+
|
|
150
|
+
<!-- mustflow-section: failure-handling -->
|
|
151
|
+
## Failure Handling
|
|
152
|
+
|
|
153
|
+
- If the deletion class is unknown, stop before implementing hard delete or purge and report the missing policy.
|
|
154
|
+
- If legal retention conflicts with user erasure, preserve the legal boundary, remove unnecessary personal identifiers, and report the policy decision needed.
|
|
155
|
+
- If a broad cascade would delete business records or audit evidence, block the cascade and require an explicit per-entity deletion plan.
|
|
156
|
+
- If downstream systems cannot confirm deletion, record pending or failed state and avoid claiming completion.
|
|
157
|
+
- If a configured test or build fails, preserve the failing intent and output tail, then fix only the deletion lifecycle contract or synchronized surface exercised by the failure.
|
|
158
|
+
|
|
159
|
+
<!-- mustflow-section: output-format -->
|
|
160
|
+
## Output Format
|
|
161
|
+
|
|
162
|
+
Report:
|
|
163
|
+
|
|
164
|
+
- Deletion surface reviewed
|
|
165
|
+
- Deletion class and state model
|
|
166
|
+
- Entity, file, cache, search, analytics, external-service, export, backup, and tombstone graph
|
|
167
|
+
- Visibility, uniqueness, identity reuse, cascade, legal hold, audit, restore, purge, backup, and downstream deletion decisions
|
|
168
|
+
- Batch, tenant, partition, dry-run, idempotency, and observability notes
|
|
169
|
+
- Tests and command intents run
|
|
170
|
+
- Evidence level: static diff risk, configured-test evidence, migration evidence, restore drill evidence, external-system evidence, manual-only, missing, or not applicable
|
|
171
|
+
- Remaining deletion lifecycle risk
|