mustflow 2.39.1 → 2.58.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/tech.js +60 -4
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/npm-version-check.js +36 -0
  14. package/dist/cli/lib/repo-map.js +16 -3
  15. package/dist/cli/lib/templates.js +8 -7
  16. package/dist/cli/lib/validation/constants.js +1 -1
  17. package/dist/core/active-run-locks.js +78 -20
  18. package/dist/core/change-classification.js +4 -0
  19. package/dist/core/command-contract-rules.js +1 -1
  20. package/dist/core/command-contract-validation.js +1 -1
  21. package/dist/core/command-cwd.js +13 -2
  22. package/dist/core/command-effects.js +22 -4
  23. package/dist/core/command-env.js +8 -6
  24. package/dist/core/command-preconditions.js +28 -2
  25. package/dist/core/completion-verdict.js +1 -1
  26. package/dist/core/line-endings.js +8 -4
  27. package/dist/core/safe-filesystem.js +9 -1
  28. package/dist/core/source-anchor-validation.js +7 -1
  29. package/dist/core/source-anchors.js +8 -2
  30. package/dist/core/verification-scheduler.js +8 -2
  31. package/package.json +1 -1
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +386 -1
@@ -0,0 +1,193 @@
1
+ ---
2
+ mustflow_doc: skill.frontend-stress-layout-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: frontend-stress-layout-review
9
+ description: Apply this skill when frontend UI is created, changed, reviewed, or reported and layout resilience must be checked against hostile content, narrow parent containers, long strings, async media, skeletons, empty and error states, permission variants, scrollbars, mobile viewport and keyboard behavior, safe areas, line clamps, localization, touch input, motion preferences, observers, portals, z-index layers, tables, charts, browser zoom, cascade layers, or reproducible break conditions.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.frontend-stress-layout-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Frontend Stress Layout Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review frontend layout by testing the screen with the data and environment that real users bring, not the friendly fixture that makes the design look correct.
33
+
34
+ The core question is: "What exact parent size, content shape, loading order, permission set, device condition, or browser setting breaks this UI?" A good review names a reproducible break condition, then either fixes the layout contract or reports the missing stress fixture.
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - Frontend UI, design system components, dashboards, forms, cards, lists, tables, charts, modals, drawers, toasts, tab bars, bottom CTAs, media slots, portals, or responsive layouts are created, changed, reviewed, or reported.
40
+ - The UI can receive long names, unbroken IDs, URLs, emails, numbers, translated labels, RTL text, missing data, partial data, async images, delayed fonts, third-party widgets, permission-dependent actions, loading skeletons, errors, or empty state data.
41
+ - The affected surface is embedded inside a parent container whose width, height, overflow, transform, zoom, iframe boundary, or scroll container may differ from the viewport.
42
+ - A review or final report claims the UI is responsive, stable, polished, mobile-safe, table-safe, chart-safe, localized, accessible on touch, or visually verified.
43
+ - A bug report says "the UI breaks", "text overlaps", "card jumps", "button wraps weirdly", "modal is clipped", "table is unusable", "chart disappears", "mobile keyboard covers it", or "only happens in production data".
44
+
45
+ <!-- mustflow-section: do-not-use-when -->
46
+ ## Do Not Use When
47
+
48
+ - The task is only first-render performance, LCP discovery, CLS field metrics, INP, bundle size, or per-frame browser work; use the matching web performance, Core Web Vitals, image delivery, bundle pruning, or frame render performance skill first.
49
+ - The task is only state source-of-truth drift, request races, form draft ownership, or query-key correctness; use `frontend-state-ownership-review`.
50
+ - The task is only semantic HTML, CSS syntax, utility extraction, or framework-specific code shape with no layout-stress risk; use the narrower HTML, CSS, utility, or framework skill.
51
+ - No user-facing UI surface, visual state, embedded component, or rendered artifact is affected.
52
+ - Verification would require an unconfigured dev server, browser, screenshot suite, or design tool. Report the missing visual verification boundary instead of inventing raw commands.
53
+
54
+ <!-- mustflow-section: required-inputs -->
55
+ ## Required Inputs
56
+
57
+ - User goal, changed UI surface, current diff or target files, framework and styling system signals, and configured command intents.
58
+ - Stress fixture ledger: shortest, longest, unbroken, translated, RTL, empty, null, partial, permission-limited, error, loading, delayed-media, and delayed-font data cases relevant to the surface.
59
+ - Parent container ledger: viewport sizes, embedded parent widths, grid and flex ancestors, overflow ancestors, scroll containers, transformed parents, iframe or zoom contexts, and container query support or absence.
60
+ - Geometry contract ledger: intrinsic media dimensions, `aspect-ratio`, skeleton geometry, line-height, line clamps, min and max sizes, scrollbars, sticky regions, safe-area offsets, keyboard-open height, and reserved layout space.
61
+ - Interaction and state ledger: hover, focus, active, disabled, pending, loading, touch-only, reduced-motion, permission variants, retry buttons, bulk actions, sticky headers, selection bars, portals, menus, dialogs, and tooltips.
62
+ - Evidence level: static CSS and markup evidence, component fixture evidence, screenshot or browser evidence, design-system story evidence, configured tests, or missing stress evidence.
63
+
64
+ <!-- mustflow-section: preconditions -->
65
+ ## Preconditions
66
+
67
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
68
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
69
+ - Existing local patterns for responsive constraints, story fixtures, component tests, design tokens, portals, z-index layers, tables, charts, and empty/error/loading states have been searched before adding a new pattern.
70
+ - If a layout stress issue is caused by state ownership, rendering performance, image delivery, accessibility, security, or data contracts, also apply the narrower matching skill for that boundary.
71
+
72
+ <!-- mustflow-section: allowed-edits -->
73
+ ## Allowed Edits
74
+
75
+ - Add or refine stress fixtures, stories, tests, or review notes for hostile content, narrow containers, empty/error/loading/permission states, mobile keyboard, safe areas, RTL, zoom, tables, charts, portals, and scrollbars.
76
+ - Add responsive constraints such as `min-width: 0`, `minmax(0, 1fr)`, max sizes, `overflow-wrap: anywhere`, stable table scroll wrappers, reserved media dimensions, `aspect-ratio`, `scrollbar-gutter: stable`, explicit `line-height`, logical properties, and safe-area-aware spacing when they match project patterns.
77
+ - Replace viewport-only assumptions with parent-container-aware layout, container queries, intrinsic constraints, or component-level size contracts when the component can be embedded in multiple shells.
78
+ - Fix skeleton, empty, error, permission, pending, disabled, hover, touch, reduced-motion, portal, z-index, table, or chart states only inside the affected UI surface and directly synchronized docs or tests.
79
+ - Do not redesign the product, change design tokens broadly, rewrite the layout system, add a visual testing framework, start a dev server, or introduce browser automation unless the current repository already authorizes that path.
80
+
81
+ <!-- mustflow-section: procedure -->
82
+ ## Procedure
83
+
84
+ 1. Build the stress fixture ledger first.
85
+ - Include nice data, empty data, partial data, null-ish data, permission-limited data, API error data, retryable error data, long translated labels, RTL text, long unbroken strings, large numbers, long table headers, single-point charts, all-zero charts, null chart points, and delayed media or font cases when relevant.
86
+ - If no stress fixture exists, report that absence instead of trusting the default screenshot or happy-path story.
87
+ 2. Review parent container width before viewport width.
88
+ - Components often break inside sidebars, split panes, cards, drawers, CMS slots, iframes, and grid cells even when the viewport is wide.
89
+ - Prefer component constraints and container queries when the layout depends on parent size rather than global viewport breakpoints.
90
+ 3. Check flex and grid shrink contracts.
91
+ - Flex and grid children that contain text, tables, charts, media, or nested rows usually need `min-width: 0` so they can shrink instead of overflowing.
92
+ - Grid tracks that should shrink often need `minmax(0, 1fr)` instead of a bare `1fr`.
93
+ 4. Attack text with hostile content.
94
+ - Test long unbroken IDs, URLs, emails, Korean or CJK text, long English words, translated button labels, narrow columns, and large numbers.
95
+ - Use `overflow-wrap: anywhere`, truncation, wrapping, or explicit min and max sizes according to the component contract.
96
+ 5. Reserve async media and widget space.
97
+ - Images, videos, maps, charts, ads, embeds, custom fonts, and third-party widgets should not resize the page after load.
98
+ - Use intrinsic `width` and `height`, `aspect-ratio`, stable placeholders, or skeleton geometry that matches final content. Keep CLS-sensitive changes routed to the Core Web Vitals skill when field metrics are part of the claim.
99
+ 6. Make skeletons honest.
100
+ - Skeleton blocks must have approximately the same geometry as final content: line count, media box, button area, card height, table row height, chart frame, and list gaps.
101
+ - A pretty skeleton that collapses or expands differently is a layout bug wearing makeup.
102
+ 7. Put empty and error states inside the real component contract.
103
+ - Empty states should preserve the parent layout, scroll behavior, minimum height, actions, and alignment expected by the loaded component.
104
+ - Error states need API fail, permission denied, partial failure, retry pending, and retry failed shapes when those states are possible.
105
+ 8. Review permission and action variants.
106
+ - Different roles can change button counts, hidden actions, disabled actions, bulk bars, admin controls, menus, and CTA placement.
107
+ - Do not let late `display: none` toggles, conditional blocks, or role-based controls shift the primary content unexpectedly.
108
+ 9. Account for scrollbars.
109
+ - Scrollbar appearance can steal width and wrap text, especially in tables, panels, sidebars, and modals.
110
+ - Use stable scroll containers or `scrollbar-gutter: stable` when the supported browser target and design allow it.
111
+ 10. Reject fragile viewport-height math.
112
+ - Hard-coded `calc(100vh - 64px)` shells break when headers wrap, banners appear, browser chrome changes, or mobile keyboards open.
113
+ - Prefer dynamic viewport units, parent flex sizing, measured shell contracts, or safe fallback constraints already used by the project.
114
+ 11. Test mobile viewport, keyboard, and safe area.
115
+ - Mobile `100vh` can include or exclude browser UI depending on platform and moment.
116
+ - Inputs, bottom CTAs, tab bars, sheets, toasts, and sticky footers must survive keyboard-open screens and `safe-area-inset-*`.
117
+ 12. Check line clamps and row height.
118
+ - Clamped titles, metadata, badges, avatars, and action buttons can fight each other inside cards and rows.
119
+ - Explicit `line-height` on buttons, chips, badges, tabs, labels, and inputs avoids accidental height drift from fonts or localization.
120
+ 13. Review localization and writing direction.
121
+ - Use logical properties where layout depends on start/end rather than left/right.
122
+ - Check RTL, translated labels, locale number/date formatting, and wider fallback fonts before claiming the layout is internationalized.
123
+ 14. Review interaction variants.
124
+ - Buttons need icon-only, icon+text, loading, pending, disabled, long-label, two-line, and touch target states where relevant.
125
+ - Hover-only affordances must also work on touch, keyboard, and reduced-motion contexts, and hover should not resize the card.
126
+ 15. Keep motion layout-safe.
127
+ - Animate `transform` and `opacity` when possible instead of `top`, `left`, `width`, or `height`.
128
+ - Respect `prefers-reduced-motion` for motion that can distract, disorient, or hide state changes.
129
+ 16. Watch observer feedback loops.
130
+ - `ResizeObserver` callbacks that write size-affecting styles can trigger loops or jitter.
131
+ - Separate measurement from writes and keep observer scope narrow.
132
+ 17. Stress portals and layers.
133
+ - Menus, comboboxes, popovers, dialogs, sheets, and tooltips must survive viewport edges, scroll containers, transformed parents, overflow hidden ancestors, iframes, browser zoom, and nested portals.
134
+ - Use named z-index layer tokens instead of one-off `9999` values.
135
+ 18. Stress tables.
136
+ - Test twelve columns, long headers, empty cells, long IDs, negative and large numbers, multiple row actions, horizontal scroll, sticky headers, sticky first columns, selection checkboxes, and bulk action bars.
137
+ - Preserve keyboard, screen reader, and scroll behavior while preventing layout collapse.
138
+ 19. Stress charts.
139
+ - Test empty data, one point, all zeros, negative values, null points, long labels, huge legends, large y-axis numbers, narrow containers, and width-zero mount moments.
140
+ - Avoid chart initialization that permanently measures a hidden or zero-width container.
141
+ 20. Test browser zoom and cascade reality.
142
+ - At 125%, 150%, and 200% zoom, fixed-height buttons, clipped labels, and cramped tables expose brittle geometry.
143
+ - Check CSS specificity and `@layer` ordering so fixes actually win without starting a selector arms race.
144
+ 21. Name the reproducible break condition.
145
+ - A review comment should include the triggering data, parent size, state, role, device condition, zoom, or loading order.
146
+ - "Looks off" is weak; "In a 320px parent with a 64-character order ID and two permission actions, the row action group overlaps the amount" is actionable.
147
+
148
+ <!-- mustflow-section: postconditions -->
149
+ ## Postconditions
150
+
151
+ - The affected UI surface has an explicit stress fixture ledger or the missing fixtures are reported.
152
+ - Parent container width, flex and grid shrinking, long content, async media, skeletons, empty and error states, permission variants, scrollbars, viewport height, mobile keyboard, safe areas, line clamps, localization, touch input, reduced motion, observer loops, portals, z-index layers, tables, charts, browser zoom, and cascade ordering are fixed, ruled out, or reported where relevant.
153
+ - Layout-stability claims distinguish static evidence, configured test evidence, screenshot or browser evidence, manual-only evidence, and missing evidence.
154
+ - Any review finding names a reproducible break condition rather than only a subjective visual complaint.
155
+
156
+ <!-- mustflow-section: verification -->
157
+ ## Verification
158
+
159
+ Use configured oneshot command intents when available:
160
+
161
+ - `changes_status`
162
+ - `changes_diff_summary`
163
+ - `lint`
164
+ - `build`
165
+ - `test_related`
166
+ - `test`
167
+ - `docs_validate_fast`
168
+ - `test_release`
169
+ - `mustflow_check`
170
+
171
+ Use the narrowest configured component, story, visual, unit, build, docs, release, or mustflow intent that covers the changed layout-stress boundary. Use browser screenshots, dev servers, design tools, or visual regression suites only when they are configured one-shot intents or explicitly approved by the user.
172
+
173
+ <!-- mustflow-section: failure-handling -->
174
+ ## Failure Handling
175
+
176
+ - If the break condition cannot be reproduced from current data, fixtures, or configured evidence, report the missing fixture or measurement boundary before changing unrelated layout code.
177
+ - If a fix only works for the viewport but not the parent container, treat the component contract as unresolved.
178
+ - If reserved space for images, skeletons, charts, or widgets conflicts with content semantics or accessibility, keep the semantic path and report the layout tradeoff.
179
+ - If a configured test or build fails after a layout-stress change, preserve the failing intent and output tail, then use `failure-triage` before broadening the fix.
180
+ - If verification requires new browser automation, a running dev server, or visual regression infrastructure, report the missing command-contract support instead of inventing a workflow.
181
+
182
+ <!-- mustflow-section: output-format -->
183
+ ## Output Format
184
+
185
+ - Frontend stress layout surface reviewed
186
+ - Stress fixture ledger
187
+ - Parent container, shrink, text, media, state, permission, scrollbar, mobile viewport, keyboard, safe area, localization, touch, motion, observer, portal, z-index, table, chart, zoom, and cascade checks where relevant
188
+ - Reproducible break conditions found, fixed, or ruled out
189
+ - Layout changes or recommendations
190
+ - Evidence level: configured-test, screenshot or browser evidence, static layout-risk, manual-only, missing, or not applicable
191
+ - Command intents run
192
+ - Skipped visual checks and reasons
193
+ - Remaining frontend stress-layout risk
@@ -0,0 +1,159 @@
1
+ ---
2
+ mustflow_doc: skill.hot-path-performance-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: hot-path-performance-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and the main performance risk is ordinary work repeated many times, such as repeated I/O, repeated scans, hidden quadratic lookup, per-item allocation, lock hold time, sequential async waits, unbounded fan-out, or missing observability for hot paths.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.hot-path-performance-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Hot Path Performance Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Catch performance bottlenecks caused by small ordinary operations running many times, waiting on slow boundaries, copying too much data, or holding shared resources too long.
33
+
34
+ The review question is not only "which line looks slow?" It is "how often does this run, what does each run allocate or fetch, does it cross an external boundary, and does it block a shared resource while waiting?"
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - Code is created, changed, reviewed, or reported and the likely risk is repeated work, data-size growth, external round trips, lock or pool wait, allocation churn, serialization cost, cache behavior, queue throughput, retries, timeouts, or missing hot-path instrumentation.
40
+ - A loop, mapper, reducer, stream, LINQ pipeline, iterator chain, ORM access, request handler, worker, queue consumer, renderer, export, report, import, sync, or batch job processes many items.
41
+ - Code calls a database, ORM relation, Redis, filesystem, HTTP API, RPC, object storage, child process, provider SDK, logger, metrics sink, parser, formatter, serializer, compressor, cryptographic function, image processor, or lock from a repeated path.
42
+ - A review or final report claims that a path is fast enough, scalable, bounded, batched, cached, parallel, safe under p95 or p99 load, or not worth optimizing.
43
+
44
+ <!-- mustflow-section: do-not-use-when -->
45
+ ## Do Not Use When
46
+
47
+ - The task is a full performance optimization, benchmark design, latency budget, profiling, bundle-budget, media-delivery, or p95/p99 measurement project; use `performance-budget-check` as the main route.
48
+ - The task only changes cleanup, cancellation, retained references, native handles, or resource lifetime without throughput or latency risk; use `memory-lifetime-review`.
49
+ - The task only changes database schema or query correctness with no hot-path or repeated-access concern; use the matching database skill.
50
+ - The only concern is vague "make it faster" wording without code paths, input scale, repeated execution, external boundaries, or measurement evidence to inspect.
51
+
52
+ <!-- mustflow-section: required-inputs -->
53
+ ## Required Inputs
54
+
55
+ - Hot path: the request, loop, render, job, export, import, queue consumer, sync, report, or command path under review.
56
+ - Multipliers: requests, rows, items, files, users, tenants, retries, pages, renders, workers, queue messages, shards, or nested loops that multiply the work.
57
+ - Per-iteration cost: external calls, queries, filesystem reads, allocations, clones, DTO conversions, JSON parse/stringify, logging, formatting, regex, sorting, hashing, image or crypto work, and lock hold time.
58
+ - Boundary ledger: DB, network, cache, filesystem, IPC, provider SDK, queue, logger, metrics sink, transaction, pool, mutex, thread, goroutine, task, or UI main thread crossed by the path.
59
+ - Data-size and tail-latency evidence when available: p50, p95, p99, row count, payload size, allocation count, query count, round-trip count, queue depth, pool wait, lock wait, cache hit rate, retry count, or timeout behavior.
60
+ - Correctness boundaries: order, duplicates, idempotency, authorization, tenant isolation, consistency, partial failure, stale data, cancellation, retry semantics, and error behavior.
61
+ - Relevant command-intent contract entries for build, tests, docs, release checks, and mustflow validation.
62
+
63
+ <!-- mustflow-section: preconditions -->
64
+ ## Preconditions
65
+
66
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
67
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
68
+ - Required inputs are available, or missing inputs can be reported without guessing.
69
+ - If a real optimization, measurement plan, benchmark, profiling change, latency budget, or performance claim is being implemented, also use `performance-budget-check`.
70
+ - If cache, queue, retry, timeout, health, worker, external call, or operational behavior changes, also use `backend-reliability-change`.
71
+ - If database query shape, index fit, transaction scope, pagination, or migration behavior changes, also use the matching database skill.
72
+ - If personal data, authorization variance, tenant keys, logs, or telemetry are part of the performance path, also use `security-privacy-review`.
73
+
74
+ <!-- mustflow-section: allowed-edits -->
75
+ ## Allowed Edits
76
+
77
+ - Add or tighten batching, projection, lookup tables, bounded concurrency, timeout or cancellation wiring, bulk writes, cache-key boundaries, queue backpressure, transaction or lock narrowing, and focused hot-path tests tied to the task.
78
+ - Add lightweight observability for query count, external-call count, payload size, cache hit rate, queue depth, retry count, pool wait, lock wait, or function timing when repository evidence supports it.
79
+ - Replace repeated scans, per-item clients, unbounded materialization, per-item logging, or repeated parsing with existing project patterns.
80
+ - Do not add speculative caches, broad rewrites, unbounded parallelism, new infrastructure, or benchmark-only code without evidence for the hot path and invalidation boundary.
81
+ - Do not trade correctness, authorization, privacy, ordering, durability, partial-failure behavior, or user trust for speed without explicit product acceptance.
82
+
83
+ <!-- mustflow-section: procedure -->
84
+ ## Procedure
85
+
86
+ 1. Count the path before judging it. State how many times the code can run after multiplying by requests, rows, items, retries, renders, jobs, pages, tenants, and nested loops.
87
+ 2. Build a cost ledger with five columns: iteration count, data size, round-trip count, wait time, and copy or allocation count.
88
+ 3. Check repeated external access first.
89
+ - A loop around DB, ORM, Redis, HTTP, RPC, filesystem, object storage, IPC, provider SDK, logging sink, or child process is the first suspect.
90
+ - ORM relation access can be a query even when it looks like a property read; treat lazy loading as guilty until query count evidence says otherwise.
91
+ 4. Check multi-pass collection code. `map`, `filter`, `reduce`, `forEach`, LINQ, streams, iterator chains, and comprehensions can traverse data several times. Count passes and intermediate arrays before admiring the one-liner.
92
+ 5. Check hidden quadratic lookup. A loop containing `includes`, `contains`, `find`, `indexOf`, `some`, `filter`, list membership, row-wise DataFrame work, or another linear scan is often `O(n^2)`. Prefer `Set`, `Map`, lookup tables, sorted merge, or database-side join when semantics match.
93
+ 6. Preserve semantics when changing data structures. State order, duplicates, first or last winner, missing IDs, stable sort, tie-breakers, and authorization visibility before replacing arrays with maps or sets.
94
+ 7. Check database shape.
95
+ - Avoid unbounded `SELECT *`, full entity hydration, large JSON/TEXT/BLOB columns, `findAll`, row-by-row saves, and per-item relation access.
96
+ - Check whether predicates can use indexes. Functions around indexed columns, leading wildcard search, unselective filters, implicit casts, and mismatched sort order often defeat indexes.
97
+ - Treat large `OFFSET ... LIMIT ...` pages as linearly expensive unless the product truly needs arbitrary jumps. Prefer stable keyset or cursor pagination when possible.
98
+ 8. Check transaction and lock hold time. Do not hold DB transactions, mutexes, synchronized blocks, distributed locks, or global locks across network calls, file uploads, JSON conversion, logs, long computation, or user-controlled waits.
99
+ 9. Check async shape. Sequential `await` in a loop is still serial work. Independent I/O usually needs bounded concurrency, while `Promise.all` over thousands of items, unbounded goroutines, unbounded futures, or thread-pool bypasses can melt the shared resource.
100
+ 10. Reuse expensive clients and sessions. Per-request or per-item HTTP clients, DB clients, ORM clients, SDK clients, connection pools, TLS handshakes, regexes, date formatters, and thread pools are performance traps unless the API requires that lifecycle.
101
+ 11. Check cache honesty. A cache needs a bounded key space, invalidation or TTL, max size, authorization dimensions, negative-cache policy, stale behavior, and cache stampede protection such as locking, singleflight, early refresh, or request coalescing.
102
+ 12. Check logging and telemetry in hot paths. Repeated debug logs, eager log-string creation, whole-object serialization, high-cardinality metrics, and JSON formatting for discarded logs can dominate CPU and I/O during incidents.
103
+ 13. Check string, JSON, DTO, and clone churn. Repeated string concatenation, `JSON.parse(JSON.stringify(...))`, `cloneDeep`, broad object spread, deep copy, repeated DTO-to-DTO conversion, and repeated serialization can move the bottleneck into "clean" mapping code.
104
+ 14. Check large value passing and materialization. In value-copy languages or APIs, large structs, arrays, buffers, spread copies, full file reads, full JSON loads, and eager `collect` calls can turn neat code into memory traffic.
105
+ 15. Check regex, parsing, formatting, and locale work. Nested or ambiguous regexes, repeated date parsing, timezone conversion, numeric or locale formatting, and per-row formatter creation should be reviewed with worst-case input in mind.
106
+ 16. Check CPU-heavy work in request or UI paths. Image resizing, compression, encryption, hashing, diffing, report generation, spreadsheet export, and search indexing may need batching, worker offload, queueing, or streaming, but only with clear backpressure and failure behavior.
107
+ 17. Check queues and workers. Moving work to a queue only moves the bottleneck unless consumers batch DB writes, bulk external calls where safe, bound retries, apply jitter, define poison-message handling, and expose backlog.
108
+ 18. Check retry and timeout multiplication. A request with several calls, long timeouts, and several retries can become a tail-latency monster. Count worst-case wait and verify idempotency before adding more attempts.
109
+ 19. Review tail behavior, not just average. p50 can look fine while p95 or p99 holds locks, connections, workers, or thread-pool slots long enough to hurt everyone else.
110
+ 20. Add observability before large optimization when evidence is missing. Prefer query count, external-call count, payload bytes, allocation count, cache hit rate, queue backlog, pool wait, lock wait, retry count, and span timing over guessing.
111
+ 21. Rank the likely payoff. Usually fix repeated external round trips, N+1 access, hidden quadratic scans, overfetching, wide transactions, lock hold time, unbounded fan-out, and missing timeouts before micro-optimizing arithmetic.
112
+ 22. Label evidence honestly. If there is no configured benchmark or production trace, report the finding as static complexity or hot-path risk, not measured speedup.
113
+
114
+ <!-- mustflow-section: postconditions -->
115
+ ## Postconditions
116
+
117
+ - Hot path, cost multipliers, data size, round-trip count, wait points, and copy or allocation points are explicit.
118
+ - N+1 queries, repeated external calls, hidden quadratic scans, unbounded materialization, sequential waits, unbounded fan-out, per-item client creation, broad logging, repeated serialization, and lock or transaction hold time are fixed or reported.
119
+ - Cache, queue, retry, timeout, batching, bulk-write, concurrency, pagination, projection, index-fit, and observability behavior are explicit where relevant.
120
+ - Correctness, authorization, tenant isolation, ordering, duplicates, partial failure, cancellation, and stale-data behavior remain intact or are called out as tradeoffs.
121
+ - Performance claims are backed by configured evidence or labeled as static review risk.
122
+
123
+ <!-- mustflow-section: verification -->
124
+ ## Verification
125
+
126
+ Use configured oneshot command intents when available:
127
+
128
+ - `changes_status`
129
+ - `changes_diff_summary`
130
+ - `lint`
131
+ - `build`
132
+ - `test_related`
133
+ - `test`
134
+ - `docs_validate_fast`
135
+ - `test_release`
136
+ - `mustflow_check`
137
+
138
+ Use the narrowest configured test, build, docs, release, or mustflow intent that covers the changed hot path. Do not infer raw benchmark, profiler, database, server, browser, load-test, or package-manager commands.
139
+
140
+ <!-- mustflow-section: failure-handling -->
141
+ ## Failure Handling
142
+
143
+ - If a configured test or build fails, preserve the failing intent and output tail, then fix only the behavior or contract exercised by the failure.
144
+ - If the hot path, multiplier, or data-size boundary is unknown, report the missing evidence instead of adding caches, workers, or concurrency complexity.
145
+ - If optimization conflicts with correctness, authorization, privacy, durability, or ordering, keep correctness and report the tradeoff.
146
+ - If measurement requires unconfigured benchmark, profiler, production trace, database, browser, load-test, or server access, report it as manual evidence instead of running raw commands.
147
+
148
+ <!-- mustflow-section: output-format -->
149
+ ## Output Format
150
+
151
+ - Hot path reviewed
152
+ - Cost ledger: iteration count, data size, round trips, wait time, copy or allocation count
153
+ - Repeated external access, N+1, hidden quadratic scans, and multi-pass collection findings
154
+ - DB, pagination, index-fit, transaction, lock, async, client reuse, cache, queue, retry, timeout, logging, serialization, clone, regex, parsing, formatting, and CPU-heavy work checked where relevant
155
+ - Optimization or review recommendation
156
+ - Evidence level: measured, configured-test evidence, static complexity risk, manual-only, missing, or not applicable
157
+ - Command intents run
158
+ - Skipped measurements and reasons
159
+ - Remaining hot-path performance risk
@@ -0,0 +1,195 @@
1
+ ---
2
+ mustflow_doc: skill.idempotency-integrity-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: idempotency-integrity-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and repeated requests, retries, webhooks, queue redelivery, schedulers, batch replays, double clicks, external callbacks, timeout recovery, or duplicate business commands could make the same logical operation move money, inventory, credits, coupons, notifications, shipments, state transitions, durable records, or external side effects more than once.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.idempotency-integrity-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Idempotency Integrity Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review idempotency as duplicate intent integrity, not as an HTTP method checklist.
33
+
34
+ The review question is not "is this POST protected?" It is "if the same business intent is delivered twice, late, concurrently, after a timeout, or after the caller missed the first response, what internal state or external side effect moves twice?"
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - Code creates, changes, reviews, or reports POST, PATCH, DELETE, webhook, callback, queue consumer, scheduler, batch, retry, timeout recovery, mobile app retry, browser refresh, double-click, provider callback, external API call, or background job behavior.
40
+ - The operation can charge, capture, refund, withdraw, grant points, deduct credits, deduct stock, issue coupons, send email, create shipments, grant entitlements, change status, publish events, acknowledge messages, or call providers.
41
+ - Idempotency keys, event IDs, message IDs, request IDs, operation IDs, provider object IDs, inbox or outbox records, dedupe tables, processing states, retry libraries, locks, or duplicate request responses are introduced, changed, reviewed, or claimed safe.
42
+ - A review or final report claims an operation is idempotent, retry-safe, duplicate-safe, exactly-once, safe to replay, safe to reprocess, safe after timeout, protected by frontend disabling, protected by Redis, protected by a lock, or protected by provider idempotency.
43
+
44
+ <!-- mustflow-section: do-not-use-when -->
45
+ ## Do Not Use When
46
+
47
+ - The task is primarily payment-provider, checkout, refund, subscription, settlement, chargeback, or fulfillment integrity; use `payment-integrity-review` first and this skill only for generic duplicate-intent details not covered there.
48
+ - The task is primarily credit, point, wallet, balance, stored-value, ledger, expiry, or reservation integrity; use `credit-ledger-integrity-review` first and this skill only for generic duplicate-intent details not covered there.
49
+ - The task is primarily read -> decision -> write atomicity, isolation, locks, rollback, transaction propagation, or after-commit ordering; use `transaction-boundary-integrity-review` first and this skill as the duplicate-delivery adjunct.
50
+ - The task is primarily stale shared state, lock scope, or generic interleaving with no duplicate logical operation or retry surface; use `race-condition-review` or `concurrency-invariant-review`.
51
+ - The task is primarily swallowed failures, false success, timeout honesty, queue ack/nack honesty, fallback defaults, or public error contracts; use `failure-integrity-review`.
52
+ - The operation is a pure read with no hidden write, usage charge, read receipt, analytics commitment, cache mutation that matters, external call, or durable side effect.
53
+
54
+ <!-- mustflow-section: required-inputs -->
55
+ ## Required Inputs
56
+
57
+ - Operation identity ledger: logical operation, actor, tenant, target resource, business operation type, request body hash, idempotency key, event ID, message ID, provider object ID, batch key, scheduler run key, and retry source.
58
+ - Side-effect ledger: every charge, refund, balance change, stock change, coupon issue, shipment, email, notification, entitlement, status transition, file write, queue publish, cache change, provider call, and audit entry.
59
+ - Durable dedupe evidence: unique constraints, idempotency table, inbox table, outbox table, applied event table, ledger source key, conditional update, state guard, provider idempotency key, and response record.
60
+ - Duplicate response policy: cached success response, duplicate conflict response, in-progress response, payload mismatch response, failed validation response, unknown outcome recovery, and caller-visible retry contract.
61
+ - Concurrency and recovery evidence: simultaneous duplicate requests, process restart, TTL expiry, `PROCESSING` stuck state, lease, heartbeat, retry budget, timeout classification, provider lookup, reconciliation, and lock fallback.
62
+ - Queue, webhook, scheduler, and batch evidence: ack timing, redelivery semantics, event ordering, signature checks, event storage, per-aggregate ordering, reprocessing rules, and run-level uniqueness.
63
+ - Test evidence: duplicate request tests, concurrent duplicate tests, timeout-then-retry tests, external-success-internal-failure tests, DB-success-response-failure tests, duplicate webhook tests, stale event tests, ack-failure tests, and configured command intents.
64
+
65
+ <!-- mustflow-section: preconditions -->
66
+ ## Preconditions
67
+
68
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
69
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
70
+ - Required inputs are available, or missing operation identity, durable dedupe, response replay, timeout recovery, queue, webhook, scheduler, batch, or test evidence can be reported without guessing.
71
+ - Existing local patterns for idempotency keys, operation IDs, inbox, outbox, provider keys, ledgers, locks, retries, processing leases, duplicate responses, and reconciliation have been searched before adding new shapes.
72
+ - If the duplicate operation affects money, credits, permissions, personal data, inventory, orders, external providers, or durable events, also apply the relevant payment, credit, security, transaction, state-machine, cache, or failure skill.
73
+
74
+ <!-- mustflow-section: allowed-edits -->
75
+ ## Allowed Edits
76
+
77
+ - Add or tighten durable idempotency records, request body hash comparison, user and tenant binding, operation-type binding, target-resource binding, unique constraints, atomic insert-or-return behavior, state guards, affected-row checks, inbox records, outbox records, applied-event ledgers, provider result lookup, response replay, processing lease recovery, and focused duplicate tests.
78
+ - Move external side effects behind durable operation records or outbox records when local style supports it.
79
+ - Make retry classification explicit for validation failure, transient failure, timeout with unknown outcome, provider success with local failure, local success with missing response, duplicate in progress, and duplicate completed.
80
+ - Do not treat frontend button disabling, debounce, in-memory flags, Redis TTL alone, provider idempotency alone, or distributed locks alone as final proof of idempotency.
81
+ - Do not make duplicate protection by returning a different success shape unless the caller contract can safely reconcile it.
82
+
83
+ <!-- mustflow-section: procedure -->
84
+ ## Procedure
85
+
86
+ 1. Name the logical operation, not only the endpoint.
87
+ - POST, PATCH, DELETE, webhook, queue consumer, scheduler, batch replay, retry wrapper, and callback handlers can all carry the same duplicate-intent risk.
88
+ - Ask what "same intent" means in business terms: same order payment attempt, same refund, same point grant, same coupon redemption, same shipment, same notification, same state transition, same imported row, or same provider event.
89
+ 2. Start at the side effect.
90
+ - Find calls and writes named like `charge`, `capture`, `refund`, `withdraw`, `grantPoint`, `deductStock`, `issueCoupon`, `sendEmail`, `createShipment`, `publish`, `ack`, `markPaid`, `fulfill`, and local equivalents.
91
+ - For each side effect, ask what happens if the exact surrounding handler runs twice, runs concurrently, or runs after the first response is lost.
92
+ 3. Review idempotency key scope.
93
+ - A key is not enough unless it is bound to actor, tenant, operation type, target resource, and request body hash or equivalent semantic fingerprint.
94
+ - Duplicate key plus changed amount, resource, user, tenant, product, operation, or payload should become a stable mismatch response, not a new operation or silent old response.
95
+ - Do not accept memory-only stores, process-local maps, or Redis TTL alone for operations that can be retried after restart, failover, delayed callback, or TTL expiry.
96
+ 4. Require durable uniqueness at the operation boundary.
97
+ - App-only `if exists return` followed by `insert` is a race. Use a unique constraint, atomic insert, upsert, conditional write, or durable ledger key.
98
+ - Review migrations or schema definitions, not just service code, for keys such as `order_id`, `payment_id`, `refund_id`, `event_id`, `message_id`, `idempotency_key`, `campaign_id + user_id`, and `settlement_date + merchant_id`.
99
+ 5. Check response replay.
100
+ - Idempotency is often needed because the caller did not receive the first response.
101
+ - A duplicate completed request should usually return the original response or an equivalent stable result the caller can reconcile.
102
+ - A duplicate in-progress request should have an explicit wait, poll, retry-later, or conflict response contract.
103
+ 6. Classify failed attempts.
104
+ - Validation failures, authorization failures, duplicate-key payload mismatches, technical failures before side effects, unknown outcomes after side effects, and durable completed failures need different caching and retry rules.
105
+ - Caching every failure can block recovery. Re-executing every failure can duplicate side effects.
106
+ 7. Treat timeouts as unknown outcomes.
107
+ - A timeout after submitting a provider request is not proof of failure.
108
+ - Before retrying charge, refund, shipment, SMS, email, entitlement, or external creation calls, look up provider state by operation key, provider object ID, or idempotency key, then continue from the known result.
109
+ 8. Check external API ordering.
110
+ - External API call before durable local operation record creates duplicate risk when the local process times out or crashes before saving success.
111
+ - Provider idempotency can protect the provider call while internal follow-up work still duplicates. Internal idempotency remains required.
112
+ 9. Review state transitions as conditional operations.
113
+ - `UPDATE ... SET status = PAID WHERE id = ?` is weaker than `WHERE id = ? AND status = PENDING` or an equivalent state-machine guard.
114
+ - Late duplicate events should not overwrite terminal, newer, or higher-order states without version, event time, sequence, or transition-order checks.
115
+ 10. Review increments and ledger entries.
116
+ - `+=`, balance increases, point grants, stock deductions, usage counters, retry counters, and mutable totals duplicate naturally.
117
+ - Require an applied-event table, source ledger key, unique entry identity, conditional update, or state transition that records the event already moved the number.
118
+ 11. Review deletion and "read" endpoints for hidden side effects.
119
+ - DELETE may be final-state idempotent while refund, notification, inventory restoration, audit, or permission side effects still duplicate.
120
+ - GET endpoints that mark read, accept invites, decrement quota, create download usage, or mutate analytics are not harmless reads under crawler, preview, refresh, or retry behavior.
121
+ 12. Review queues and consumers as at-least-once by default.
122
+ - Consumer code should assume duplicate messages, delayed redelivery, concurrent workers, ack failure after commit, and process death after side effects.
123
+ - Store message ID, event ID, business key, or source ledger key in an inbox or applied-event table before applying irreversible effects.
124
+ 13. Review ack timing.
125
+ - Ack before durable commit can lose work.
126
+ - Ack after durable commit can redeliver work.
127
+ - Prefer accepting redelivery and making the handler idempotent, with dead-letter and retry evidence for poison messages.
128
+ 14. Review webhook handlers as replay surfaces.
129
+ - External providers resend callbacks when they miss acceptable responses.
130
+ - Store event IDs or provider object/type pairs, verify signatures, bind the event to the expected business object, and guard state transitions against duplicates and stale event order.
131
+ 15. Review schedulers and batches.
132
+ - Jobs are rerun after deploys, crashes, partial failures, and manual operator actions.
133
+ - Use business keys such as `settlement_date + merchant_id`, `campaign_id + user_id`, import file row identity, period key, or run source ID instead of loose "already processed yesterday" checks.
134
+ 16. Review outbox and inbox pairing.
135
+ - DB change plus message publish can split when either side succeeds alone.
136
+ - Use an outbox for durable outgoing effects and an inbox or applied-event record for incoming duplicate delivery when the workflow crosses process boundaries.
137
+ 17. Review saga compensation.
138
+ - Compensation actions such as cancel, refund, release stock, revoke entitlement, or restore credits also need idempotency keys tied to the original action.
139
+ - Double compensation can be worse than the original failure.
140
+ 18. Review `PROCESSING` and lease recovery.
141
+ - A `PROCESSING` row without lease, heartbeat, timeout, owner, or reconciliation can permanently block retries after a crash.
142
+ - A stale processing record should recover by verifying side effects and either completing, failing safely, or allowing one fenced owner to continue.
143
+ 19. Review locks as helpers, not proof.
144
+ - Distributed locks can expire, split ownership, or pause through stop-the-world events.
145
+ - Keep durable uniqueness, conditional writes, state guards, idempotency records, or fencing tokens as the final defense.
146
+ 20. Check grep bait near the operation.
147
+ - Review code around `Idempotency-Key`, `request_id`, `event_id`, `message_id`, `operation_id`, `dedupe`, `inbox`, `outbox`, `retry`, `timeout`, `Promise.all`, `ack`, `nack`, `visibility timeout`, `webhook`, `scheduler`, `batch`, `cron`, `PROCESSING`, `SUCCEEDED`, `FAILED`, `lock`, `Redis`, `send`, `publish`, `charge`, `refund`, `grant`, `deduct`, `createShipment`, and `cache`.
148
+ - These terms are anchors, not automatic bugs.
149
+ 21. Require duplicate-path evidence.
150
+ - Good tests include same request twice, concurrent duplicate requests, first response lost, external success followed by DB failure, DB success followed by response failure, webhook replay, stale event replay, consumer commit followed by ack failure, batch rerun, processing-stuck recovery, and duplicate key with changed payload.
151
+ - If deterministic proof is not configured, report static risk and missing manual or integration evidence instead of approving the path.
152
+
153
+ <!-- mustflow-section: postconditions -->
154
+ ## Postconditions
155
+
156
+ - The logical operation, duplicate sources, side effects, durable operation key, payload binding, response replay contract, timeout recovery, processing recovery, queue or webhook dedupe, scheduler or batch dedupe, outbox or inbox boundary, and duplicate-path tests are explicit.
157
+ - Duplicate business requests, changed-payload key reuse, concurrent `exists` then `insert`, duplicate increments, stale state overwrites, provider timeout retries, pre-record external calls, duplicate webhook delivery, queue redelivery, scheduler reruns, double compensation, stuck processing rows, weak locks, and frontend-only guards are fixed or reported.
158
+ - Duplicate safety claims are backed by configured tests, schema evidence, framework evidence, provider documentation matched to current code, or labeled as static review risk.
159
+
160
+ <!-- mustflow-section: verification -->
161
+ ## Verification
162
+
163
+ Use configured oneshot command intents when available:
164
+
165
+ - `changes_status`
166
+ - `changes_diff_summary`
167
+ - `lint`
168
+ - `build`
169
+ - `test_related`
170
+ - `test`
171
+ - `docs_validate_fast`
172
+ - `test_release`
173
+ - `mustflow_check`
174
+
175
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the changed idempotency boundary and synchronized template surfaces. Do not infer raw load tests, live provider calls, queue servers, database shells, webhook tunnels, schedulers, watchers, or manual replay commands outside the command contract.
176
+
177
+ <!-- mustflow-section: failure-handling -->
178
+ ## Failure Handling
179
+
180
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and the duplicate-intent invariant it exercised before editing again.
181
+ - If the logical operation identity cannot be named, report that the path is not reviewable for idempotency yet.
182
+ - If duplicate prevention depends only on frontend disabling, in-memory flags, cache TTL, provider idempotency, distributed locks, or app-only checks, report the missing durable idempotency gate.
183
+ - If a safe fix requires a schema migration, durable idempotency store, inbox, outbox, reconciliation worker, provider lookup, saga state, or integration replay harness outside the current scope, report the missing durable boundary.
184
+ - If deterministic duplicate proof is not configured, report the missing manual evidence and complete the configured checks that are available.
185
+
186
+ <!-- mustflow-section: output-format -->
187
+ ## Output Format
188
+
189
+ - Idempotency boundary reviewed
190
+ - Logical operation, duplicate sources, operation identity, side effects, durable dedupe, payload binding, response replay, failure caching, timeout recovery, external provider, state-transition, increment or ledger, DELETE or hidden-read side-effect, queue, webhook, scheduler or batch, outbox/inbox, compensation, processing lease, lock, and test evidence findings
191
+ - Idempotency fixes made or recommended
192
+ - Evidence level: configured-test evidence, schema evidence, provider or framework evidence, static review risk, manual-only, missing, or not applicable
193
+ - Command intents run
194
+ - Skipped idempotency diagnostics and reasons
195
+ - Remaining idempotency-integrity risk