mustflow 2.39.1 → 2.58.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/tech.js +60 -4
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/npm-version-check.js +36 -0
  14. package/dist/cli/lib/repo-map.js +16 -3
  15. package/dist/cli/lib/templates.js +8 -7
  16. package/dist/cli/lib/validation/constants.js +1 -1
  17. package/dist/core/active-run-locks.js +78 -20
  18. package/dist/core/change-classification.js +4 -0
  19. package/dist/core/command-contract-rules.js +1 -1
  20. package/dist/core/command-contract-validation.js +1 -1
  21. package/dist/core/command-cwd.js +13 -2
  22. package/dist/core/command-effects.js +22 -4
  23. package/dist/core/command-env.js +8 -6
  24. package/dist/core/command-preconditions.js +28 -2
  25. package/dist/core/completion-verdict.js +1 -1
  26. package/dist/core/line-endings.js +8 -4
  27. package/dist/core/safe-filesystem.js +9 -1
  28. package/dist/core/source-anchor-validation.js +7 -1
  29. package/dist/core/source-anchors.js +8 -2
  30. package/dist/core/verification-scheduler.js +8 -2
  31. package/package.json +1 -1
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +386 -1
@@ -0,0 +1,305 @@
1
+ ---
2
+ mustflow_doc: skill.file-upload-security-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: file-upload-security-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and file upload, import, attachment, direct-to-storage upload, remote file fetch, archive extraction, thumbnailing, preview generation, image resizing, document conversion, virus scanning, CDR, file metadata, storage keys, public file URLs, signed upload or download URLs, CDN delivery, file download, uploaded filename display, or upload-related tests need security review across the full file lifecycle.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.file-upload-security-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # File Upload Security Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Review file upload security as a full lifecycle, not as an extension or MIME-type checklist.
34
+
35
+ The review question is not "does the upload route block `.exe`?" It is "what final bytes, filename,
36
+ storage key, parser, visibility state, authorization check, and response headers can this uploaded
37
+ file reach after it enters the system?"
38
+
39
+ <!-- mustflow-section: use-when -->
40
+ ## Use When
41
+
42
+ - Code review, implementation, refactor, docs, tests, or reports touch file uploads, imports,
43
+ attachments, avatars, media libraries, document intake, CSV import or export, remote URL import,
44
+ direct-to-object-storage uploads, signed upload URLs, signed download URLs, file downloads,
45
+ thumbnails, previews, image resizing, metadata extraction, OCR, archive extraction, document
46
+ conversion, antivirus scanning, CDR, storage key generation, CDN delivery, file cleanup, or file
47
+ visibility states.
48
+ - A request, form, client state, queue payload, webhook, storage callback, or object metadata
49
+ supplies a filename, extension, MIME type, content type, path, folder, key, bucket, URL, callback
50
+ URL, content disposition, size, checksum, tenant id, project id, upload id, or visibility flag.
51
+ - A review needs security coverage for dangerous file types, path traversal, web-root execution,
52
+ parser exploits, SVG or HTML rendering, PDF or Office active content, archive extraction, CSV
53
+ formula injection, direct-to-storage race conditions, presigned URL policy, storage overwrite,
54
+ download authorization, response headers, filename injection, resource exhaustion, or upload
55
+ denial-case tests.
56
+
57
+ <!-- mustflow-section: do-not-use-when -->
58
+ ## Do Not Use When
59
+
60
+ - The task is only general source-to-sink security review beyond files; use `security-flow-review`.
61
+ - The task primarily changes API authorization, route guards, role models, or tenant policy; use
62
+ `api-access-control-review` or `auth-permission-change` first, then this skill for file-specific
63
+ surfaces.
64
+ - The task primarily models upload states, retries, or processing lifecycle transitions; use
65
+ `state-machine-pattern` first, then this skill for security-specific file handling.
66
+ - The task primarily changes file metadata persistence, storage/database consistency, or cleanup
67
+ rules; use `database-change-safety` or `adapter-boundary` first when those are the owning concern.
68
+ - The task asks for live exploit traffic, malware collection, credentialed cloud testing, or unsafe
69
+ payload corpus generation. Stay within defensive local code review, safe fixtures, and configured
70
+ tests.
71
+
72
+ <!-- mustflow-section: required-inputs -->
73
+ ## Required Inputs
74
+
75
+ - User goal, current diff or target files, upload surface, and the file security claim being
76
+ reviewed.
77
+ - Upload entrypoint ledger: routes, controllers, forms, mobile clients, SDK calls, GraphQL
78
+ mutations, direct-to-storage URL issuers, storage callbacks, remote URL importers, batch imports,
79
+ admin tools, and test helpers that can create or attach files.
80
+ - File identity ledger: original filename, normalized filename, final storage key, bucket or root,
81
+ database record id, tenant or owner, checksum, size, content type, detected type, extension,
82
+ visibility, status, and cleanup owner.
83
+ - Validation ledger: extension allowlist, decoding and normalization, content-type trust, signature
84
+ checks, parser-based validation, image rewriting, metadata stripping, antivirus, CDR, size limits,
85
+ count limits, quota, rate limits, and failure behavior.
86
+ - Processing ledger: thumbnailing, preview, image resize, OCR, PDF parsing, Office conversion,
87
+ archive extraction, CSV handling, media transcoding, scanner execution, queue jobs, retries,
88
+ sandboxing, timeout, memory, CPU, network, and privilege limits.
89
+ - Serving ledger: download authorization, signed URLs, CDN cache, response `Content-Type`,
90
+ `Content-Disposition`, `X-Content-Type-Options`, CSP or origin isolation, filename display, logs,
91
+ admin preview, email attachments, and public/private transition.
92
+ - Existing tests, abuse cases, security docs, storage policy docs, configured command intents, and
93
+ any unavailable cloud or scanner evidence.
94
+
95
+ <!-- mustflow-section: preconditions -->
96
+ ## Preconditions
97
+
98
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
99
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
100
+ current scope.
101
+ - Required inputs are available, or missing filename, key, parser, visibility, authorization,
102
+ storage, scanner, or serving evidence can be reported without guessing.
103
+ - Treat client-provided filename, extension, MIME type, path, bucket, key, URL, size, checksum,
104
+ tenant, owner, and visibility as untrusted until server-side evidence proves otherwise.
105
+
106
+ <!-- mustflow-section: allowed-edits -->
107
+ ## Allowed Edits
108
+
109
+ - Add or tighten server-side file type allowlists, decoded and normalized filename checks, generated
110
+ storage keys, path containment checks, overwrite protection, upload size and count limits, quota
111
+ checks, quarantine states, scanner gates, parser sandboxing, archive extraction guards, CSV formula
112
+ neutralization, metadata stripping, image rewriting, signed URL constraints, download
113
+ authorization, response headers, filename encoding, audit logs, cleanup rules, and focused
114
+ denial-case tests.
115
+ - Update storage docs, security docs, API examples, role matrices, fixtures, template surfaces, and
116
+ package tests that describe the same file lifecycle contract.
117
+ - Keep changes scoped to file upload, file processing, and file serving boundaries.
118
+ - Do not add broad malware scanners, live external probes, dependency installs, production storage
119
+ operations, offensive payload collections, or unrelated hardening work under this skill.
120
+
121
+ <!-- mustflow-section: procedure -->
122
+ ## Procedure
123
+
124
+ 1. Draw the file lifecycle before judging the first check.
125
+ - Name each step from upload entrypoint to final serving path: receive, normalize, validate,
126
+ store, record metadata, scan, transform, promote, preview, download, delete, and cleanup.
127
+ - Include admin preview, email attachment, export, CDN, search index, and worker paths when they
128
+ can read the uploaded bytes.
129
+ 2. Treat frontend restrictions as usability only.
130
+ - `<input accept>`, client-side size checks, mobile picker filters, and JavaScript extension
131
+ checks do not prove security.
132
+ - Require equivalent server-side validation or report the boundary gap.
133
+ 3. Decode and normalize before extension checks.
134
+ - Check URL encoding, repeated decoding, case, trailing dots or spaces, Unicode confusables,
135
+ null-like separators, double extensions, and platform-specific separators before extension
136
+ allowlist decisions.
137
+ 4. Prefer allowlists over blocklists.
138
+ - Business-required file types should be explicit.
139
+ - Blocklists for `.php`, `.jsp`, `.asp`, `.html`, `.svg`, config files, legacy plugin types, or
140
+ executable server extensions are not enough by themselves.
141
+ 5. Validate the final storage name and key, not only the original filename.
142
+ - Confirm the server generates the stored basename, object key, upload id, and path.
143
+ - Treat `destination`, `folder`, `key`, `path`, `filename`, `bucket`, and callback-provided
144
+ storage locations as attacker-controlled unless derived on the server.
145
+ 6. Prove path containment after normalization and symlink resolution.
146
+ - `path.join(uploadDir, userName)` is not enough.
147
+ - Check real path containment, absolute paths, drive letters, backslashes, `..`, symlinks,
148
+ hardlinks, case-insensitive filesystems, and reserved names when local files are used.
149
+ 7. Bound filenames and storage keys.
150
+ - Check filename length, full path length, database column length, object-storage key length, log
151
+ field length, CDN cache-key length, and error behavior for oversized or malformed names.
152
+ 8. Prevent overwrite and key guessing.
153
+ - Check duplicate names, fixed keys such as `avatar.png`, public key predictability, tenant key
154
+ collisions, and presigned upload reuse.
155
+ - Existing object replacement should require an explicit server-side policy and authorization.
156
+ 9. Keep uploaded bytes outside executable web roots.
157
+ - Prefer private object storage or a non-executable file root served through an authorized
158
+ application handler.
159
+ - Check web server handlers for PHP, CGI, ASP.NET, JSP, SSI, `.htaccess`, `web.config`, and
160
+ similar config-file replacement paths.
161
+ 10. Do not trust request MIME labels.
162
+ - `Content-Type`, `file.mimetype`, `$_FILES['type']`, and client metadata are claims, not
163
+ evidence.
164
+ - Compare them with detected type only as a signal, never as the only security decision.
165
+ 11. Treat magic bytes as necessary but not sufficient.
166
+ - Polyglot files, metadata payloads, trailing content, and container formats can pass simple
167
+ signature checks while still reaching dangerous parsers.
168
+ 12. Re-encode images when possible.
169
+ - Decode and write a new image instead of storing user bytes directly when the product only
170
+ needs raster images.
171
+ - Strip EXIF, comments, thumbnails, ICC surprises, and other metadata unless product policy
172
+ intentionally preserves them.
173
+ 13. Treat SVG and HTML as active content.
174
+ - Do not group SVG with ordinary raster images.
175
+ - If SVG is allowed, require sanitization or rasterization, separate origin or strict CSP,
176
+ attachment disposition, external reference controls, and download/header review.
177
+ 14. Treat PDF and Office documents as active document bundles.
178
+ - Check macros, embedded objects, JavaScript, external links, parser vulnerabilities, preview
179
+ isolation, antivirus or CDR, and whether downloads are safer than inline rendering.
180
+ 15. Review archive extraction as the main feature.
181
+ - For ZIP, tar, and nested archives, validate every entry path after normalization and prove it
182
+ stays inside the extraction root.
183
+ - Bound extracted file count, total uncompressed bytes, compression ratio, nesting depth,
184
+ symlinks, hardlinks, absolute paths, duplicate entries, and processing time.
185
+ 16. Review CSV import and export for formula injection.
186
+ - If user-supplied cells may later be opened in spreadsheets, handle cells beginning with `=`,
187
+ `+`, `-`, `@`, tabs, carriage returns, line feeds, separators, quotes, and confusable
188
+ variants according to local policy.
189
+ 17. Review remote URL import as SSRF plus upload.
190
+ - Check scheme allowlists, redirect chains, DNS rebinding, localhost, private networks,
191
+ link-local metadata endpoints, non-HTTP schemes, credential forwarding, response size,
192
+ timeout, and final file validation.
193
+ 18. Keep scanner and conversion work behind a publication gate.
194
+ - A file that is pending scan, failed scan, pending conversion, or failed conversion should not
195
+ be public, previewable, downloadable, indexed, or emailed unless policy explicitly allows it.
196
+ 19. Sandbox file parsers and scanners.
197
+ - ImageMagick, ffmpeg, LibreOffice, PDF parsers, OCR tools, unzip, antivirus, and CDR engines
198
+ need low privilege, no unnecessary network, timeouts, memory and CPU limits, temporary
199
+ directory isolation, and controlled input paths.
200
+ 20. Validate direct-to-storage uploads in two phases.
201
+ - Before issuing a signed upload URL, authorize the target resource and fix method, bucket, key,
202
+ prefix, content type policy, checksum, size range, overwrite policy, and expiration.
203
+ - After upload completion, verify actual object metadata before promoting it out of quarantine.
204
+ 21. Treat presigned URLs as delegated authority.
205
+ - Check method, bucket, key, prefix, expiry, reuse, checksum, content-length range, content type,
206
+ ACL or public-read flags, revocation behavior, CDN caching, and whether the creator's
207
+ privileges are too broad.
208
+ 22. Enforce tenant boundaries in storage keys and metadata.
209
+ - Server-generated keys should include trusted tenant, organization, project, or resource
210
+ context plus a random id when multi-tenant isolation matters.
211
+ - Reads, writes, deletes, overwrites, cleanup, and promotion must use the same boundary.
212
+ 23. Recheck authorization at download and preview time.
213
+ - Upload permission is not download permission.
214
+ - Check owner, tenant, project membership, billing or entitlement state, deleted state, scanner
215
+ state, visibility, share links, admin scope, and service-account scope before serving bytes.
216
+ 24. Set response headers deliberately.
217
+ - Use safe `Content-Type`; default ambiguous private downloads to `application/octet-stream`.
218
+ - Use `Content-Disposition: attachment` when inline rendering is not required.
219
+ - Add `X-Content-Type-Options: nosniff` and review CSP, origin isolation, and CDN header
220
+ preservation where browser execution risk exists.
221
+ 25. Treat filename display as an injection surface.
222
+ - Escape original filenames in HTML, email, admin tables, JSON-in-script, logs, and support
223
+ views.
224
+ - For `Content-Disposition`, remove CR/LF and encode filenames safely for header context.
225
+ 26. Apply resource limits at every layer.
226
+ - Bound request body size, per-file size, file count, concurrent uploads, chunk count, multipart
227
+ sessions, user quota, tenant quota, daily quota, extracted size, transformed size, preview
228
+ time, and retry volume.
229
+ 27. Revalidate chunked and multipart uploads at assembly time.
230
+ - Check final file size, content type, signature, chunk order, chunk count, checksum, session
231
+ expiration, stale partial cleanup, and final key ownership after assembly.
232
+ 28. Review upload endpoint auth, CSRF, and rate limits.
233
+ - Browser-cookie upload endpoints need CSRF posture.
234
+ - Import, admin upload, remote fetch, and chunk completion endpoints need authentication,
235
+ authorization, anti-automation controls, and audit logs.
236
+ 29. Check storage cleanup without breaking authorization.
237
+ - Find orphaned objects, database rows without objects, failed conversions, stale quarantine,
238
+ abandoned multipart uploads, deleted records waiting for physical removal, and public CDN
239
+ cache invalidation.
240
+ 30. Test denial cases from the attacker's path.
241
+ - Cover disallowed type, spoofed MIME, renamed extension, encoded extension, double extension,
242
+ oversize body, quota exceeded, path traversal, archive escape, zip bomb, SVG active content,
243
+ CSV formula, unauthorized upload target, unauthorized download, pending-scan download,
244
+ presigned overwrite, stale multipart session, and remote URL SSRF where relevant.
245
+
246
+ <!-- mustflow-section: postconditions -->
247
+ ## Postconditions
248
+
249
+ - The file lifecycle names entrypoints, final filename or key, storage root or bucket, metadata
250
+ record, validation gates, processing tools, visibility state, serving path, and cleanup owner.
251
+ - Client-provided filenames, MIME labels, paths, keys, URLs, sizes, checksums, tenants, owners, and
252
+ visibility flags are either ignored, verified, or explicitly reported as risky.
253
+ - File type validation is tied to normalized final names and actual bytes, not only extension or
254
+ request headers.
255
+ - Upload, processing, promotion, preview, download, CDN, email, admin, and cleanup paths are checked
256
+ or explicitly scoped out.
257
+ - Denial-case tests or missing evidence are named from the attacker-controlled file lifecycle.
258
+
259
+ <!-- mustflow-section: verification -->
260
+ ## Verification
261
+
262
+ Use configured oneshot command intents when available:
263
+
264
+ - `changes_status`
265
+ - `changes_diff_summary`
266
+ - `lint`
267
+ - `build`
268
+ - `test_related`
269
+ - `test`
270
+ - `test_audit`
271
+ - `docs_validate_fast`
272
+ - `test_release`
273
+ - `mustflow_check`
274
+
275
+ Prefer the narrowest configured tests that prove file lifecycle denial behavior: disallowed type,
276
+ spoofed MIME, normalized extension bypass, path traversal, archive escape, resource limit,
277
+ unauthorized upload target, unauthorized download, pending-scan access, presigned policy, and remote
278
+ URL rejection.
279
+
280
+ <!-- mustflow-section: failure-handling -->
281
+ ## Failure Handling
282
+
283
+ - If filename, key, storage, parser, scanner, visibility, tenant, authorization, or response-header
284
+ evidence is missing, report the gap instead of claiming the upload path is safe.
285
+ - If the fix requires broad auth model changes, use `auth-permission-change` or
286
+ `api-access-control-review` before editing that scope.
287
+ - If a sensitive filename, URL, token, storage key, signed URL, user content, or malware-like sample
288
+ appears in logs, diffs, fixtures, screenshots, command output, or final reports, stop repeating it
289
+ and use `secret-exposure-response` when it may be sensitive.
290
+ - If a command fails, use `failure-triage` before further edits.
291
+ - If verification would require live storage credentials, production files, malware samples, or
292
+ unsafe network probes, skip that path and report the remaining risk.
293
+
294
+ <!-- mustflow-section: output-format -->
295
+ ## Output Format
296
+
297
+ - File upload security reviewed
298
+ - Upload entrypoints, file identity, storage, validation, processing, serving, and cleanup map
299
+ - Filename, type, path, overwrite, web-root, parser, archive, CSV, remote URL, scanner, signed URL,
300
+ tenant, authorization, header, and resource-limit findings
301
+ - Fixes made or recommendation
302
+ - Denial tests, fixtures, or invariant evidence
303
+ - Command intents run
304
+ - Skipped checks and reasons
305
+ - Remaining file-upload security risk
@@ -0,0 +1,159 @@
1
+ ---
2
+ mustflow_doc: skill.frame-render-performance-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: frame-render-performance-review
9
+ description: Apply this skill when browser rendering performance, per-frame work, INP, animation smoothness, scroll responsiveness, style recalculation, layout, forced synchronous layout, layout thrashing, paint, compositing, DOM size, CSS selector cost, global class toggles, CSS custom property churn, containment, content-visibility, virtualization, image or media geometry, IntersectionObserver, passive listeners, overscroll behavior, requestAnimationFrame, long tasks, web workers, OffscreenCanvas, ResizeObserver, runtime CSS injection, React memo, context rerenders, deferred rendering, transitions, hydration cost, DevTools rendering traces, or interaction-to-next-paint flame analysis need review.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.frame-render-performance-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Frame Render Performance Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review browser rendering performance by reducing the work needed for each frame and interaction: JavaScript, style recalculation, layout, paint, compositing, and the next paint after user input.
33
+
34
+ The review question is not "did we add `useMemo`?" It is "what work does the browser have to redo before the next frame, and can the changed code reduce the affected DOM, style, layout, paint, or main-thread scope?"
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - A frontend change affects animation, scrolling, drag, resize, pointer movement, keyboard input, search input, list rendering, charts, maps, canvas, virtualized lists, hydration, or any interaction whose next paint can lag.
40
+ - Code touches DOM reads and writes, `offset*`, `client*`, `scroll*`, `getBoundingClientRect()`, computed styles, inline styles, class toggles, CSS variables, runtime CSS injection, layout-affecting CSS properties, `will-change`, `contain`, `content-visibility`, `contain-intrinsic-size`, `aspect-ratio`, or media dimensions.
41
+ - Code touches scroll listeners, wheel or touch handlers, passive event listener options, `IntersectionObserver`, `ResizeObserver`, `requestAnimationFrame`, timers, long tasks, `scheduler.yield`, web workers, `OffscreenCanvas`, or canvas/chart redraw loops.
42
+ - Code touches React render boundaries, `memo`, `useMemo`, `useCallback`, context providers, `useDeferredValue`, `useTransition`, hydration, lazy islands, or framework-specific rerender behavior with user-perceived responsiveness risk.
43
+ - A review or final report claims smoother rendering, fewer layout shifts, better INP, less jank, faster animation, lower main-thread cost, smaller DOM cost, or improved DevTools rendering traces.
44
+
45
+ <!-- mustflow-section: do-not-use-when -->
46
+ ## Do Not Use When
47
+
48
+ - The task is about first discovery of LCP resources, critical CSS, font loading, first-view data, TTFB, CDN caching, resource hints, or first-render delivery rather than per-frame work; use `web-render-performance-review`.
49
+ - The task is about initial JavaScript bytes, tree-shaking, shared vendor chunks, package imports, polyfills, or bundler pruning rather than runtime frame cost; use `client-bundle-pruning-review`.
50
+ - The task is broad performance budgeting, backend latency, throughput, or p95/p99 service behavior without browser frame impact; use `performance-budget-check`.
51
+ - The task is only visual polish or accessibility with no frame, INP, style, layout, paint, or main-thread performance risk; use `ui-quality-gate`, `css-code-change`, or `html-code-change`.
52
+ - The needed proof requires an unconfigured browser trace, DevTools session, Lighthouse run, RUM report, dev server, profiler, or package-manager script. Report the missing measurement boundary instead of inventing raw commands.
53
+
54
+ <!-- mustflow-section: required-inputs -->
55
+ ## Required Inputs
56
+
57
+ - Interaction and frame ledger: affected interaction, route, viewport, target frame rate, user-visible symptom, expected INP or next-paint boundary, and whether the path runs during startup, scroll, input, animation, resize, or idle.
58
+ - DOM and layout ledger: node count, tree depth, affected subtree, list size, virtualization boundary, layout containment, geometry reads, geometry writes, reserved media slots, and layout-shift evidence.
59
+ - Style and CSS ledger: class or attribute toggles, selector complexity, global state classes, CSS custom property scope, runtime style injection, CSS animations, transitions, `will-change`, `contain`, `content-visibility`, and stacking or containing block side effects.
60
+ - Paint and compositing ledger: animated properties, repaint area, layer promotion, transform and opacity usage, canvas or SVG drawing, image/video/ad slots, shadows, filters, clipping, and expensive visual effects.
61
+ - Event and scheduling ledger: scroll, wheel, touch, pointer, resize, observer, timer, `requestAnimationFrame`, long task, worker, `OffscreenCanvas`, `scheduler.yield`, debounce, throttle, and cancellation behavior.
62
+ - Framework render ledger: component rerender scope, React props stability, context value changes, memo boundaries, deferred updates, transitions, hydration scope, island or partial hydration strategy, and stale async result handling.
63
+ - Evidence ledger: DevTools Rendering or Performance panel findings, paint flashing, layout shift regions, Selector Stats, long task output, INP flame, RUM, trace, screenshot, configured tests, or missing evidence.
64
+
65
+ <!-- mustflow-section: preconditions -->
66
+ ## Preconditions
67
+
68
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
69
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
70
+ - Required inputs are available from current files, diffs, docs, configured outputs, user-provided evidence, or can be reported as missing without guessing.
71
+ - If changes touch actual HTML, CSS, framework code, canvas, media assets, accessibility, security-sensitive embeds, or package metadata, also use the matching narrower skill.
72
+ - If browser API or framework behavior is version-sensitive, verify against project dependencies or current official documentation before durable docs or code comments rely on it.
73
+
74
+ <!-- mustflow-section: allowed-edits -->
75
+ ## Allowed Edits
76
+
77
+ - Separate DOM reads and writes, batch layout-affecting writes, move animations to transform or opacity, narrow or remove `will-change`, add safe containment, add `content-visibility` with intrinsic size, virtualize large lists, simplify selectors, narrow global class and CSS variable scope, reserve media geometry, replace JS scroll geometry polling with observers, add passive listeners where scroll is not cancelled, use CSS overscroll behavior, move visual updates into `requestAnimationFrame`, split long tasks, move DOM-free heavy work to workers, use `OffscreenCanvas` where supported, use `ResizeObserver`, reduce runtime CSS injection, narrow rerender scope, stabilize props and context values, defer expensive results, narrow hydration, add focused tests, and update directly synchronized docs or templates.
78
+ - Add instrumentation, trace notes, or budget assertions only when the repository already has a pattern or configured command intent.
79
+ - Keep edits local to the affected frame, interaction, component subtree, CSS scope, or scheduling path. Do not migrate frameworks, replace rendering engines, introduce virtualization libraries, add worker infrastructure, or start browser measurement workflows without explicit scope and command-contract support.
80
+ - Do not break accessibility, keyboard behavior, scroll intent, reduced motion, focus management, layout stability, media semantics, localization, authorization, privacy, or correctness merely to reduce frame work.
81
+
82
+ <!-- mustflow-section: procedure -->
83
+ ## Procedure
84
+
85
+ 1. Classify the bottleneck before optimizing. Separate JavaScript long task, style recalculation, layout, paint, compositing, hydration, or framework rerender risk. If no trace exists, label the finding as static frame-risk evidence.
86
+ 2. Keep DOM reads and writes separate. Collect geometry reads such as `offsetHeight`, `scrollTop`, `getBoundingClientRect()`, and computed style first, then batch writes in a later phase or frame to avoid forced synchronous layout.
87
+ 3. Look for layout thrashing inside loops, scroll handlers, resize handlers, animation steps, pointer moves, and render effects. Repeated read/write/read cycles are higher risk than a single geometry read.
88
+ 4. Animate composite-friendly properties first. Prefer `transform` and `opacity` for movement and fade. Treat `width`, `height`, `top`, `left`, `margin`, layout-affecting grid values, and expensive filters as layout or paint suspects.
89
+ 5. Use `will-change` only as a temporary hint. Add it shortly before real animation when evidence supports it, and remove it afterward. Do not leave broad `will-change` on static elements.
90
+ 6. Add containment to independent widgets when safe. Cards, panels, messages, and dashboard tiles can use `contain` to limit layout and paint scope, but check containing block, stacking context, overflow, `position: fixed`, `absolute`, and z-index behavior.
91
+ 7. Use `content-visibility: auto` for large below-fold sections. Pair it with `contain-intrinsic-size` or stable placeholders so skipped rendering does not create scroll jumps.
92
+ 8. Stop offscreen work, not only offscreen rendering. For skipped or hidden charts, maps, canvas, or media widgets, pause redraws, resize loops, observers, polling, and expensive updates while the widget is not visible.
93
+ 9. Virtualize long lists. Large tables, chat logs, feeds, option lists, and grids should keep only the visible window plus buffer in the DOM when item count can grow.
94
+ 10. Reduce DOM depth and breadth where it affects a hot render path. Deep wrapper chains and wide repeated structures increase style and layout propagation even when no single node looks expensive.
95
+ 11. Simplify selectors on hot or broad subtrees. Prefer simple class selectors over selectors that depend on deep descendants, complex siblings, expensive pseudo-classes, or global ancestor state.
96
+ 12. Avoid broad global class toggles. `body` or `html` state changes force wide style invalidation. Use the narrowest subtree root unless the state is truly global, such as theme.
97
+ 13. Scope frequently changing CSS variables close to the affected subtree. Avoid changing `:root` custom properties on pointer move, scroll, drag, or animation. Use non-inheriting registered properties when project support and browser targets allow it.
98
+ 14. Reserve media, ad, and embed geometry. Use width, height, `aspect-ratio`, or stable placeholders so image, video, iframe, and ad loads do not trigger layout shifts and repeated paint.
99
+ 15. Keep LCP media and first-render discovery concerns routed to `web-render-performance-review`. In this skill, focus on whether loaded media shifts layout, repaints broad regions, or forces per-frame work.
100
+ 16. Prefer native lazy loading for below-fold images and iframes when it covers the case. Avoid JS lazy loaders that add scroll handlers, observers, state churn, and rerenders without a project reason.
101
+ 17. Use `IntersectionObserver` for visibility and infinite-scroll triggers. Do not calculate viewport intersection manually on every scroll event unless a browser limitation forces it.
102
+ 18. Use passive wheel, touch, and scroll listeners when the handler does not call `preventDefault()`. Do not mark listeners passive when the gesture intentionally cancels scrolling.
103
+ 19. Use CSS `overscroll-behavior` before JavaScript scroll blocking for modals, drawers, and nested scroll containers. Keep JS scroll locks as the narrow fallback for focus and body-lock requirements.
104
+ 20. Schedule visual writes with `requestAnimationFrame`. Do not use fixed `setTimeout(..., 16)` as a frame clock. Use the animation timestamp so high-refresh displays do not speed up motion.
105
+ 21. Split long tasks. Work longer than one frame or around 50ms should yield between chunks, show urgent UI first, and move non-urgent analytics, cache cleanup, validation, or transformation out of the immediate interaction path.
106
+ 22. Move DOM-free heavy computation off the main thread when the boundary cost is worth it. Filtering, sorting, diffing, crypto, markdown parsing, image preprocessing, and search indexing can move to a worker when data transfer and cancellation are defined.
107
+ 23. Consider `OffscreenCanvas` for heavy canvas rendering when browser targets and architecture support it. Charts, whiteboards, maps, and image editors should not block input and paint if a worker boundary is practical.
108
+ 24. Use `ResizeObserver` for element size changes. Avoid window resize handlers that read every card and write layout back in the same pass.
109
+ 25. Avoid runtime CSS rule churn. Do not inject new style tags or rules during click, hover, drag, pointer move, or repeated list rendering. Use static classes and narrow CSS variables where dynamic values are needed.
110
+ 26. Treat React `memo` as a rerender scope tool, not a cure. It fails when props are fresh objects, arrays, or functions each render. Prefer smaller component boundaries and stable primitive props.
111
+ 27. Split React context by change frequency and audience. A fresh provider object rerenders all consumers of that context; do not put theme, auth, permissions, feature flags, and editor state into one object unless they change together.
112
+ 28. Keep input updates urgent and heavy results deferred. Use deferred rendering or transitions for large filtered lists, charts, panels, or route changes when immediate input feedback matters more than full result freshness.
113
+ 29. Narrow hydration. SSR can still hurt INP when the client hydrates too much at once. Hydrate only interactive islands early and defer low-priority regions by visibility, idle time, or route intent when the framework supports it.
114
+ 30. Verify with the right evidence. Prefer DevTools Performance, paint flashing, layout shift regions, Selector Stats, long tasks, and INP flame evidence when configured or provided. If unavailable, report static risks and skipped measurement reasons.
115
+
116
+ <!-- mustflow-section: postconditions -->
117
+ ## Postconditions
118
+
119
+ - The affected interaction, frame phase, DOM scope, style scope, layout reads/writes, paint or compositing cost, scheduling path, and framework render boundary are explicit where relevant.
120
+ - Forced synchronous layout, layout thrashing, layout-affecting animations, stale `will-change`, missing containment, unsafe `content-visibility`, offscreen background work, oversized DOM, complex selectors, broad global class toggles, root CSS variable churn, unreserved media geometry, JS scroll polling, non-passive listeners, JS scroll blocking, timer-based animation, long tasks, main-thread heavy computation, canvas main-thread cost, resize measurement loops, runtime CSS injection, ineffective memo, broad context rerenders, urgent heavy results, and full hydration cost are fixed or reported.
121
+ - Rendering performance claims are backed by current configured evidence or labeled as static frame-risk, manual-only measurement, or missing evidence.
122
+ - Accessibility, focus, scroll intent, reduced motion, layout stability, privacy, and framework semantics remain intact or are reported as tradeoffs.
123
+
124
+ <!-- mustflow-section: verification -->
125
+ ## Verification
126
+
127
+ Use configured oneshot command intents when available:
128
+
129
+ - `changes_status`
130
+ - `changes_diff_summary`
131
+ - `lint`
132
+ - `build`
133
+ - `test_related`
134
+ - `test`
135
+ - `docs_validate_fast`
136
+ - `test_release`
137
+ - `mustflow_check`
138
+
139
+ Use the narrowest configured test, build, docs, release, or mustflow intent that covers the changed rendering path. Use DevTools, browser traces, Lighthouse, RUM, dev servers, or profiler workflows only when they are configured one-shot intents or explicitly approved by the user.
140
+
141
+ <!-- mustflow-section: failure-handling -->
142
+ ## Failure Handling
143
+
144
+ - If the affected frame phase is unknown, report the unknown before adding memoization, observers, workers, containment, or virtualization.
145
+ - If a configured test or build fails, preserve the failing intent and output tail, then fix only the rendering, CSS, framework, or scheduling boundary exercised by the failure.
146
+ - If the fix needs unconfigured browser measurement, dev servers, worker infrastructure, virtualization dependencies, framework upgrades, or profiler tooling, stop and report the missing product or command-contract decision.
147
+ - If frame performance conflicts with accessibility, scroll intent, focus management, reduced motion, layout stability, or correctness, keep the safer behavior and report the tradeoff.
148
+ - If verification fails after a frame-rendering change, use `failure-triage` before broadening the fix.
149
+
150
+ <!-- mustflow-section: output-format -->
151
+ ## Output Format
152
+
153
+ - Frame rendering surface reviewed
154
+ - Interaction, frame phase, DOM/style/layout/paint/compositing/scheduling/framework ledgers
155
+ - Findings or fixes
156
+ - Evidence level: measured, configured-test evidence, static frame-risk, manual-only, missing, or not applicable
157
+ - Command intents run
158
+ - Skipped browser or rendering measurements and reasons
159
+ - Remaining frame-render performance risk