mustflow 2.39.1 → 2.58.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/tech.js +60 -4
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/npm-version-check.js +36 -0
  14. package/dist/cli/lib/repo-map.js +16 -3
  15. package/dist/cli/lib/templates.js +8 -7
  16. package/dist/cli/lib/validation/constants.js +1 -1
  17. package/dist/core/active-run-locks.js +78 -20
  18. package/dist/core/change-classification.js +4 -0
  19. package/dist/core/command-contract-rules.js +1 -1
  20. package/dist/core/command-contract-validation.js +1 -1
  21. package/dist/core/command-cwd.js +13 -2
  22. package/dist/core/command-effects.js +22 -4
  23. package/dist/core/command-env.js +8 -6
  24. package/dist/core/command-preconditions.js +28 -2
  25. package/dist/core/completion-verdict.js +1 -1
  26. package/dist/core/line-endings.js +8 -4
  27. package/dist/core/safe-filesystem.js +9 -1
  28. package/dist/core/source-anchor-validation.js +7 -1
  29. package/dist/core/source-anchors.js +8 -2
  30. package/dist/core/verification-scheduler.js +8 -2
  31. package/package.json +1 -1
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +386 -1
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 109
5
+ revision: 167
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -50,8 +50,250 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
50
50
  risk outside the literal request and the agent must decide whether to fix now, report only, ask
51
51
  first, or ignore it without broadening into unrelated work.
52
52
  - Use `ai-generated-code-hardening` as an adjunct when assistant-authored, AI-generated, or
53
- broad code changes need a repository-evidence pass for duplicate helpers or shapes, hidden
54
- coupling, public-surface drift, swallowed errors, excessive complexity, and weak tests.
53
+ broad code changes need a repository-evidence pass for symptom-only fixes, pinpoint
54
+ hardcoding, same-defect-class siblings, duplicate helpers or shapes, hidden coupling,
55
+ public-surface drift, swallowed errors, excessive complexity, and weak tests.
56
+ - Use `prompt-contract-quality-review` as a primary route when prompts, prompt builders,
57
+ RAG assembly, structured outputs, tool-use instructions, model settings, eval fixtures,
58
+ refusal states, or agent completion definitions need prompt-as-function review for
59
+ input contracts, authority separation, output schemas, fallback states, and eval evidence.
60
+ - Use `llm-hallucination-control-review` as a primary route when LLM answers, RAG responses,
61
+ citations, claim maps, evidence IDs, answerability states, retrieval thresholds, validators,
62
+ abstain behavior, or hallucination metrics need product-controlled grounding review.
63
+ - Use `llm-token-cost-control-review` as a primary route when LLM request assembly, token budgets,
64
+ prompt caching, chat history, RAG context size, tool or schema payloads, model routing, reasoning
65
+ budget, retries, Batch, Flex, predicted outputs, or cost-per-success telemetry need token spend
66
+ review.
67
+ - Use `llm-response-latency-review` as a primary route when LLM response speed, time to first
68
+ token, first useful output, streaming, output length, LLM round trips, tool wait, prompt-cache
69
+ latency, model routing speed, speculative or parallel work, realtime continuation, priority
70
+ tiers, or predicted outputs need latency review.
71
+ - Use `agent-execution-control-review` as a primary route when autonomous or semi-autonomous LLM
72
+ agents, agentic workflows, planners, executors, verifiers, tool contracts, tool-call gates,
73
+ approval or interrupt flows, durable agent state, handoffs, guardrails, loop budgets, retry
74
+ classification, trace evaluation, or outcome metrics need execution-control review.
75
+ - Use `agent-eval-integrity-review` as a primary route when agent evaluation loops, trace or
76
+ trajectory grading, LLM judges, outcome scoring, eval datasets, golden or dirty sets, pass@k or
77
+ pass^k metrics, shadow environments, production-monitoring-to-eval feedback, or agent regression
78
+ gates need final-state and trajectory evidence rather than judge-model opinion.
79
+ - Use `module-boundary-review` as an adjunct when module separation needs change-spread, data-owner,
80
+ policy-owner, failure-owner, import-direction, DTO leakage, shared-helper, public-API, or caller
81
+ sequencing review before deciding whether a boundary is real.
82
+ - Use `change-blast-radius-review` as an adjunct when maintainability review needs to predict the
83
+ next-change spread, feature deletion path, policy owner, workflow owner, config or tenant branch
84
+ spread, event contract visibility, migration/runtime compatibility, or whether a clean-looking
85
+ abstraction actually lowers future edit cost.
86
+ - Use `business-rule-leakage-review` as an adjunct when money, permission, ownership, state,
87
+ settlement, discount, inventory, notification, subscription, visibility, eligibility, report, or
88
+ tenant rules may be enforced in only one UI, controller, query, mapper, batch, webhook, cache,
89
+ admin tool, support path, or report instead of a shared rule owner.
90
+ - Use `payment-integrity-review` as an adjunct when payment, checkout, authorization, capture,
91
+ refund, subscription, provider webhook, fulfillment, entitlement, ledger, coupon, inventory,
92
+ settlement, dispute, chargeback, or payment-provider integration code needs money-event integrity
93
+ review for idempotency, ordering, ownership, amount, currency, retry, reconciliation, or audit
94
+ risk.
95
+ - Use `credit-ledger-integrity-review` as an adjunct when credits, points, wallet balances, reward
96
+ points, prepaid or usage credits, balance deductions, accruals, refunds, expirations,
97
+ reservations, captures, releases, admin adjustments, ledger tables, balance caches, or
98
+ reconciliation jobs need ledger integrity review for idempotency, atomic balance changes,
99
+ concurrency, ordering, ownership, amount precision, policy snapshots, expiry lots, audit, or
100
+ reconciliation risk.
101
+ - Use `api-misuse-resistance-review` as an adjunct when APIs, SDKs, service methods, DTOs, request
102
+ shapes, response shapes, pagination, idempotency, async jobs, versioning, deprecation, rate
103
+ limits, retry rules, observability, or caller-facing docs need caller-ergonomics and misuse-risk
104
+ review rather than only schema compatibility.
105
+ - Use `api-access-control-review` as an adjunct when API security review needs BOLA or IDOR,
106
+ object, property, or function authorization, tenant isolation, request-supplied identity,
107
+ mass assignment, signed URLs, queue revalidation, webhook ownership, token/session hardening,
108
+ account enumeration, automation defense, or denial-case coverage.
109
+ - Use `file-upload-security-review` as an adjunct when file uploads, imports, attachments,
110
+ direct-to-storage uploads, remote file fetches, archive extraction, previews, thumbnails,
111
+ conversions, scanner gates, storage keys, signed URLs, downloads, browser headers, or uploaded
112
+ filename display need full file-lifecycle security review.
113
+ - Use `error-message-integrity-review` as an adjunct when error messages, codes, logs, validation
114
+ failures, parse failures, public/internal error mapping, provider errors, retryability, support
115
+ IDs, structured diagnostics, redaction, or troubleshooting text need recoverability and evidence
116
+ review rather than prose polishing.
117
+ - Use `memory-lifetime-review` as an adjunct when code creates, registers, caches, spawns, opens,
118
+ subscribes, schedules, streams, or otherwise retains values or resources whose cleanup,
119
+ cancellation, eviction, shutdown, or ownership transfer must be reviewed.
120
+ - Use `desktop-memory-footprint-review` as an adjunct when Windows, macOS, Linux, Electron,
121
+ WebView, WPF, WinUI, Win32, Qt, Java Swing or JavaFX, .NET, JVM, Rust, C++, Python, or other
122
+ desktop app code needs scenario-level memory review across working set versus private memory,
123
+ RSS, dirty pages, live set, peak and after-close memory, UI and data virtualization, renderer and
124
+ window count, module loading, image decode size, OS-discardable caches, memory-mapped files,
125
+ pooled buffers, native handles, detached UI trees, duplicate strings, large buffer capacity,
126
+ object graph shape, undo history, inactive views, low-memory signals, and memory budgets.
127
+ - Use `hot-path-performance-review` as an adjunct when code review needs a cheap count of repeated
128
+ ordinary work, boundary crossings, copy or allocation churn, wait points, and lock or pool pressure
129
+ before a broader performance-budget or measurement pass.
130
+ - Use `api-request-performance-review` as an adjunct when API endpoints, handlers, controllers,
131
+ resolvers, serializers, mappers, service methods, or route-level request paths need
132
+ per-request latency review for I/O counts, DB/ORM/Redis/external-call fan-out,
133
+ pagination/count/index fit, transactions, pool wait, cache miss paths, serialization, response
134
+ size, request-path CPU, or trace/span observability rather than only general hot-path repetition.
135
+ - Use `web-render-performance-review` as an adjunct when web frontend routes need first-render,
136
+ Core Web Vitals, LCP, CLS, FCP, TTFB, critical CSS, font, image, iframe, third-party script,
137
+ hydration, first-view data, resource-hint, CDN/cache, route-prefetch, or long-task review.
138
+ - Use `core-web-vitals-field-review` as an adjunct when Core Web Vitals needs field-data,
139
+ RUM, CrUX, Search Console, Lighthouse-versus-field, LCP/INP/CLS percentile, LoAF,
140
+ bfcache, speculation-rules, third-party, tag-manager, or release-regression review.
141
+ - Use `image-delivery-performance-review` as an adjunct when web image review needs LCP image
142
+ discovery, responsive candidate selection, preload and priority hints, intrinsic dimensions,
143
+ image formats and quality budgets, CDN transformation cache keys, `Accept` negotiation,
144
+ metadata handling, SVG safety, or image optimizer abuse controls.
145
+ - Use `client-bundle-pruning-review` as an adjunct when frontend code review needs to reduce
146
+ initial JS or shared vendor weight by fixing tree-shaking blockers, package entrypoints,
147
+ barrels, side-effect metadata, client boundaries, dynamic imports, polyfills, browser targets,
148
+ chunk rules, utility CSS extraction, or inline asset rules.
149
+ - Use `frame-render-performance-review` as an adjunct when frontend code review needs to reduce
150
+ per-frame browser work, INP delay, scroll or animation jank, style recalculation, layout, paint,
151
+ compositing, DOM size, selector cost, event scheduling, long tasks, framework rerender cost, or
152
+ hydration cost.
153
+ - Use `app-startup-performance-review` as an adjunct when installed app startup needs review from
154
+ icon tap or process launch to first frame and fully usable state, including TTID, TTFD,
155
+ `reportFullyDrawn()`, Application or AppDelegate work, auto-init, DI graph creation, SDK
156
+ initialization, static initializers, main-thread disk or network work, cache snapshots, first
157
+ screen cost, startup profiles, native profilers, React Native imports, Flutter startup, splash
158
+ holds, auth or config gates, and post-first-frame work queues.
159
+ - Use `desktop-background-process-stability-review` as an adjunct when Windows services, macOS
160
+ LaunchDaemons or LaunchAgents, Linux systemd units, Electron main or utility processes, WebView
161
+ helpers, tray apps, sync workers, local daemons, auto-start helpers, updaters, desktop background
162
+ jobs, or cross-session desktop processes need crash recovery, durable checkpoints, single-instance
163
+ and data-directory locks, OS-supervisor restart policy, health checks, progress heartbeats, leases,
164
+ idempotent jobs, atomic local writes, shutdown handling, UI and worker lifecycle separation, power
165
+ resume, monotonic time, IPC authorization, deterministic environment, least privilege, early crash
166
+ evidence, update safety, lifecycle tests, or safe mode review.
167
+ - Use `desktop-auto-update-safety-review` as an adjunct when installed desktop app update behavior
168
+ needs review for Electron autoUpdater, electron-builder feeds, Squirrel.Windows, Sparkle appcasts,
169
+ Tauri updater, signed and notarized macOS updates, Windows installers, update metadata pointers,
170
+ immutable artifacts, signatures, hash verification, CDN cache policy, staged rollout, deterministic
171
+ canary buckets, alpha/beta/stable channel separation, update kill switches, single-flight update
172
+ checks, quit-and-install timing, old-version upgrade paths, rollback-forward fixes, update
173
+ telemetry, crash gates, or installed-app update smoke tests.
174
+ - Use `low-end-device-support-review` as an adjunct when Android Go, low-RAM Android, older iOS,
175
+ React Native, Flutter, Tauri mobile, Electron, desktop app shell, or other constrained-device
176
+ support needs low-end capability budgets across target devices, runtime memory class, cold-start
177
+ frequency, peak memory, image decode, SDK diet, network fan-out, disk writes, cache limits,
178
+ concurrency, UI effects, lists, background work, polling, sensors, and bottom-percentile device
179
+ evidence.
180
+ - Use `mobile-energy-efficiency-review` as an adjunct when Android, iOS, React Native, Flutter,
181
+ Tauri mobile, or other mobile app code needs battery and energy review for background work,
182
+ wake locks, exact alarms, Doze, App Standby, push or WebSocket behavior, polling, networking,
183
+ cellular use, location, geofencing, sensors, Bluetooth, rendering, animation, timers, disk I/O,
184
+ Compose recomposition, Low Power Mode, Battery Saver, or platform energy diagnostics.
185
+ - Use `frontend-state-ownership-review` as an adjunct when frontend state can drift across props,
186
+ local state, server cache, URL params, form drafts, global stores, context, persisted storage,
187
+ derived selectors, optimistic updates, query keys, request races, or external subscriptions.
188
+ - Use `frontend-stress-layout-review` as an adjunct when frontend UI needs hostile-content and
189
+ layout-resilience review for parent container width, container queries, long unbroken strings,
190
+ async media, skeletons, empty, error, permission and loading states, scrollbars, mobile
191
+ viewport or keyboard behavior, safe areas, line clamps, i18n or RTL, touch, reduced motion,
192
+ ResizeObserver, portals, z-index layers, tables, charts, browser zoom, cascade layers, or
193
+ reproducible break conditions.
194
+ - Use `frontend-accessibility-tree-review` as an adjunct when frontend accessibility needs
195
+ browser accessibility tree, native HTML semantics, accessible name, visible label, keyboard,
196
+ focus order or return, dialog, form, error, live region, ARIA, hidden content, icon, image alt,
197
+ custom widget, non-text contrast, target size, drag alternative, or automated a11y evidence
198
+ review instead of an "ARIA attributes exist" checklist.
199
+ - Use `frontend-localization-review` as an adjunct when frontend localization needs all
200
+ user-visible strings, message catalogs, full-sentence translation units, interpolation, plural
201
+ and zero cases, grammar or particles, tone, date/time/number/currency/unit formatting, search,
202
+ sort, Unicode normalization, grapheme-safe truncation, RTL or bidi text, font fallback, pseudo
203
+ localization, SSR locale, fallback, backend error-code mapping, rich text, export, share, or
204
+ notification surface review instead of a visible JSX text scan.
205
+ - Use `cache-integrity-review` as an adjunct when cache correctness, key truth, stale data spread,
206
+ invalidation, negative caching, Redis and HTTP cache semantics, permission-cache revocation, or
207
+ cache-outage fallback can mislead users, leak data, or overload source systems.
208
+ - Use `security-flow-review` as an adjunct when security review needs source-to-sink tracing across
209
+ authorization, object ownership, tenant scoping, mass assignment, injection inputs, SSRF, files,
210
+ browser rendering, tokens, fail-open behavior, queued work, races, or supply-chain execution.
211
+ - Use `testability-boundary-review` as an adjunct when review needs to expose hidden decision
212
+ inputs, direct time or randomness, direct I/O, constructor side effects, static or singleton
213
+ state, mock-heavy tests, sleeps, framework magic, reflection-only tests, or other code shapes
214
+ that make important conditions hard to force in tests.
215
+ - Use `quadratic-scan-review` as an adjunct when the suspected performance smell is specifically
216
+ hidden O(N^2) work from repeated scans, membership checks, code joins, helper-body lookups,
217
+ render-time lookup, resolver fan-out, repeated sort, or copy accumulation over growing data.
218
+ - Use `type-state-modeling-review` as an adjunct when code review needs to make impossible
219
+ domain states, invalid ID or unit swaps, nullable/status contradictions, unsafe DTO boundaries,
220
+ or cast-heavy models unrepresentable by type shape.
221
+ - Use `race-condition-review` as an adjunct when shared state can be read, yielded, locked,
222
+ retried, published, queued, cancelled, closed, reused, or observed across interleaving execution
223
+ flows.
224
+ - Use `concurrency-invariant-review` as an adjunct when a review needs to prove shared-state
225
+ ownership, whole-invariant protection, lock and condition-variable discipline, memory visibility,
226
+ duplicated execution, shutdown, thread-local context, async interleavings, or deterministic
227
+ concurrency evidence across changed time orders.
228
+ - Use `failure-integrity-review` as an adjunct when exception or failure handling can make the
229
+ system lie about success, state, data, money, permissions, locks, queues, logs, metrics, or
230
+ user-visible outcomes.
231
+ - Use `backend-log-evidence-review` as an adjunct when backend request, job, worker, scheduler,
232
+ webhook, migration, external API, database write, transaction, state transition, retry, timeout,
233
+ audit, auth, validation, cache, lock, idempotency, feature-flag, release, config, or batch logs
234
+ need review for whether structured events, correlation and causation IDs, outcome/reason fields,
235
+ redaction, sampling, and log schema fields let operators reconstruct why the path reached its
236
+ final state.
237
+ - Use `observability-debuggability-review` as an adjunct when logs, metrics, traces, spans,
238
+ dashboards, alerts, runbooks, sampling, redaction, dependency calls, queues, batch jobs, caches,
239
+ pools, rate limits, feature flags, releases, or partial-success paths need review for whether an
240
+ operator can narrow incidents quickly without high-cardinality metric explosions or unsafe
241
+ telemetry data.
242
+ - Use `incident-triage-review` as an adjunct when an outage, degradation, timeout spike, p95 or
243
+ p99 latency spike, queue backlog, pool saturation, CPU-idle slowness, OOM, disk or inode pressure,
244
+ DNS or network failure, load balancer 5xx, Kubernetes node or pod issue, deployment regression,
245
+ cache stampede, batch spike, Redis slowdown, DB lock wait, connection leak, conntrack or
246
+ ephemeral-port exhaustion, or log flood needs fast evidence elimination across time, scope,
247
+ change, wait, saturation, dependency, and manual-only diagnostic boundaries.
248
+ - Use `deployment-rollout-safety-review` as an adjunct when server, backend, worker, scheduler,
249
+ queue, cron, container, migration, config, feature flag, cache, deployment pipeline, release
250
+ envelope, image digest, deployment history, traffic rollback, canary, rollback, health probe,
251
+ readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability,
252
+ or post-deploy smoke behavior needs review for whether a deployment can be rolled out, stopped,
253
+ observed, and rolled back safely.
254
+ - Use `cloud-cost-guardrail-review` as an adjunct when cloud accounts, projects, subscriptions,
255
+ Kubernetes, serverless, databases, object storage, block storage, snapshots, NAT, public IP,
256
+ egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources,
257
+ container registries, Marketplace, LLM API, or third-party SaaS usage needs review for whether
258
+ spend can silently explode without account isolation, caps, lifecycle, retention, attribution,
259
+ or automated non-production stop guardrails.
260
+ - Use `rate-limit-integrity-review` as an adjunct when rate limits, throttling, quotas, API usage
261
+ limits, request costs, token buckets, fixed or sliding windows, GCRA, Redis counters, edge,
262
+ gateway, service, tenant, user, API key, route-group, IP, 429, `Retry-After`, `RateLimit`,
263
+ shadow mode, operator reset, async enqueue, cached-hit counting, or concurrency-limit overlap
264
+ need review for protected-resource fit, key design, atomic counting, layered enforcement, and
265
+ client contract.
266
+ - Use `idempotency-integrity-review` as an adjunct when repeated requests, retries, webhooks,
267
+ queue redelivery, schedulers, batch replays, double clicks, provider callbacks, timeout
268
+ recovery, or duplicate business commands can make the same logical operation move state or
269
+ external side effects more than once.
270
+ - Use `retry-policy-integrity-review` as an adjunct when retry loops, SDK or client retry configs,
271
+ backoff, jitter, timeout, deadline, `Retry-After`, retry predicates, layered retries, circuit
272
+ breakers, bulkheads, token buckets, queue redelivery, broker retries, cancellation-aware sleeps,
273
+ or retry observability can amplify failures, duplicate side effects, hide permanent errors,
274
+ exhaust pools, or overload dependencies.
275
+ - Use `queue-processing-integrity-review` as an adjunct when queues, streams, pub/sub handlers,
276
+ workers, task runners, consumers, producers, ack, delete, offset commit, visibility timeout,
277
+ publisher confirm, prefetch, rebalance, DLQ, redelivery, or worker-loss behavior can lose work,
278
+ duplicate work, hide poison messages, reorder state, exhaust consumers, or falsely claim
279
+ processing success.
280
+ - Use `transaction-boundary-integrity-review` as an adjunct when transactions, ORM atomic blocks,
281
+ unit-of-work code, database write paths, framework transaction annotations, isolation levels,
282
+ locks, retries, after-commit side effects, outbox patterns, or transactional tests need review
283
+ for read-decision-write integrity rather than only query speed, generic races, or failure prose.
284
+ - Use `database-query-bottleneck-review` as an adjunct when database review needs to catch query
285
+ bottlenecks from cardinality explosion, N+1 access, overfetching, unstable pagination,
286
+ index-defeating predicates, plan skew, or long transaction scope before live plan evidence.
287
+ - Use `database-json-modeling-review` as an adjunct when database review needs to decide whether
288
+ JSON, jsonb, metadata, settings, raw payload, or dynamic keys should become typed columns,
289
+ child tables, generated/computed columns, JSON indexes, schema versions, or key registries
290
+ instead of being treated as schema-free storage.
291
+ - Use `deletion-lifecycle-review` as an adjunct when data deletion, restore, retention, legal hold,
292
+ purge, tombstone, backup residue, downstream deletion, or tenant offboarding needs lifecycle
293
+ review rather than a single `DELETE`, `is_deleted`, or `deleted_at` check.
294
+ - Use `database-lock-contention-review` as an adjunct when database review needs to catch hot rows,
295
+ lock waits, deadlocks, over-strong row locks, gap or metadata locks, queue claim contention,
296
+ chunking, timeout policy, pool waits, or lock observability rather than only query speed.
55
297
  - Use `command-intent-mapping-gate` when outside text, docs, AI output, snippets, or reports suggest
56
298
  commands before running, preserving, or documenting those commands.
57
299
  - Use `public-json-contract-change` instead of the broader CLI-output route when JSON, JSONL,
@@ -128,7 +370,41 @@ routes. Event routes stay inactive until their event occurs.
128
370
  | Code changes need review before report | `.mustflow/skills/code-review/SKILL.md` | Diff and task goal | Changed files | behavior and regression | `test`, `test_related`, `test_audit`, `lint` | Findings or no-issue note |
129
371
  | An unfamiliar codebase area needs an evidence-based map before planning, implementation, or reporting | `.mustflow/skills/codebase-orientation/SKILL.md` | User request, target area, relevant instructions, and current source, test, schema, template, configuration, or documentation files | Read-only orientation notes and any smallest follow-up edit chosen from inspected evidence | stale documentation, wrong ownership boundary, or invented architecture claim | `changes_status`, `changes_diff_summary`, `mustflow_check` | Scope inspected, entrypoints, flow map, ownership boundaries, verification options, risks, unknowns, and smallest safe next step |
130
372
  | Large-scope code, docs, tests, content, log, data, or refactor work needs cheap-signal candidate selection before reading or editing many files | `.mustflow/skills/heuristic-candidate-selection/SKILL.md` | User goal, target scope, file-role boundaries, cheap signals, exclusions, scoring factors, batch limit, and verification contract | Candidate discovery, scoring, read plan, bounded batch edits, and directly synchronized surfaces | token waste, false positives, generated-file noise, unimportant cleanup, hallucinated source content, oversized diff, or missed high-impact file | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Selection goal, excluded surfaces, cheap signals, scored candidates, selected batch, skipped/deferred files, verification, and remaining selection risk |
131
- | Assistant-authored, AI-generated, vibe-coded, copied, or broad code changes need a hardening pass for duplicate helpers, duplicate types or shapes, hidden coupling, circular dependencies, re-export discipline, swallowed errors, excessive nesting, god functions or files, edge cases, and behavior-focused tests | `.mustflow/skills/ai-generated-code-hardening/SKILL.md` | User goal, current diff or target files, existing helpers/types/shapes, import and export paths, public entrypoints or barrels, error-handling conventions, edge/failure cases, tests, and configured command intents | Small hardening fixes, deduplication into existing single source of truth, boundary notes, focused tests, and directly synchronized docs or contracts | duplicate abstractions, hidden coupling, circular dependency, accidental public API, string-only tests, over-mocking, fallback sprawl, silent error handling, fan-in/fan-out concentration, or broad rewrite | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sources of truth reused or extended, duplicate/coupling/export/error/complexity/test findings, fixes made, deferred enforcement, verification, and remaining hardening risk |
373
+ | Assistant-authored, AI-generated, vibe-coded, copied, or broad code changes need a hardening pass for symptom-only fixes, pinpoint hardcoding, exact-value branches, same-defect-class sibling inputs or callers, duplicate helpers, duplicate types or shapes, hidden coupling, circular dependencies, re-export discipline, swallowed errors, excessive nesting, god functions or files, edge cases, and behavior-focused tests | `.mustflow/skills/ai-generated-code-hardening/SKILL.md` | User goal, current diff or target files, reported symptom or failing fixture, existing helpers/types/shapes, sibling inputs or callers, import and export paths, public entrypoints or barrels, error-handling conventions, edge/failure cases, tests, and configured command intents | Small hardening fixes, defect-class rule repair, deduplication into existing single source of truth, boundary notes, focused tests, and directly synchronized docs or contracts | symptom-only patch, pinpoint hardcode, exact literal fixture fix, uninspected sibling input, duplicate abstraction, hidden coupling, circular dependency, accidental public API, string-only tests, over-mocking, fallback sprawl, silent error handling, fan-in/fan-out concentration, or broad rewrite | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sources of truth reused or extended, symptom patch and same-class sibling findings, duplicate/coupling/export/error/complexity/test findings, fixes made, deferred enforcement, verification, and remaining hardening risk |
374
+ | Prompts, prompt builders, system or developer messages, RAG prompt assembly, few-shot examples, structured outputs, tool-use instructions, model selection, reasoning-effort settings, eval sets, refusal or fallback handling, prompt versioning, or AI feature completion criteria are created, changed, reviewed, or reported | `.mustflow/skills/prompt-contract-quality-review/SKILL.md` | Prompt contract ledger, input ledger, authority ledger, output schema, tool policy, model/runtime ledger, RAG evidence ledger, eval ledger, changed files, and command contract entries | Prompt builders, prompt templates, schemas, validators, eval fixtures, boundary examples, tool policies, fallback states, completion definitions, docs, tests, and directly synchronized templates | prompt-as-function gap, user input treated as authority, buried RAG evidence, happy-path-only examples, JSON-parse theater, unpinned production model, hidden prompt storage, raw chain-of-thought request, guessed tool parameters, missing failure state, unbounded reasoning/token cost, or vibe-based prompt improvement claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Prompt contract reviewed, function boundary, authority and source separation, eval and semantic validation status, model/runtime policy, RAG/tool/failure/completion states, verification, and remaining prompt-contract risk |
375
+ | LLM answers, RAG responses, citations, source grounding, claim extraction, evidence IDs, answerability states, abstain behavior, retrieval thresholds, tool-backed facts, output validators, LLM judges, or hallucination-control metrics are created, changed, reviewed, or reported | `.mustflow/skills/llm-hallucination-control-review/SKILL.md` | Answer contract ledger, evidence ledger, claim ledger, tool ledger, validator ledger, eval ledger, observability ledger, changed files, and command contract entries | Answerability states, abstain states, missing-information states, source-coverage gates, claim maps, evidence-ID requirements, citation validators, retrieval thresholds, chunk metadata, tool-parameter ownership, deterministic calculators, domain validators, eval fixtures, tests, docs, route metadata, and directly synchronized templates | unsupported factual claim, fabricated citation, source ID invention, weak retrieval gate, noisy semantic-only retrieval, chunk context loss, summary-on-summary hallucination, guessed tool parameter, model arithmetic, source-priority conflict, LLM judge overtrust, low-temperature theater, missing abstain path, missing dirty eval, false citation metric gap, or unobservable grounding drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Hallucination-control surface reviewed, answerability and abstain states, evidence IDs, claim map, citations, source coverage, validators, retrieval thresholds, tool ownership, evals, metrics, verification, and remaining hallucination-control risk |
376
+ | LLM API calls, prompt assembly, chat history, RAG context, tool schemas, structured output schemas, model routing, reasoning settings, token budgets, provider prompt caching, app-level response caching, retries, batch or flex processing, predicted outputs, image or file inputs, or LLM cost metrics are created, changed, reviewed, or reported | `.mustflow/skills/llm-token-cost-control-review/SKILL.md` | Cost surface ledger, request ledger, cache ledger, context ledger, output ledger, routing ledger, observability ledger, changed files, and command contract entries | Request builders, prompt prefix ordering, canonical serialization, prompt hashes, cache keys, token counters, budget guards, model routers, context trimming, RAG packing, tool and schema payloads, output patch formats, retry repair paths, metrics, logs, tests, docs, route metadata, and directly synchronized templates | prompt-cache prefix drift, volatile field before stable prefix, unmeasured token count, full transcript replay, RAG chunk bloat, oversized tool or JSON schema payload, expensive model default, unbounded reasoning, no visible output after token cap, full-output regeneration, full-context retry replay, app cache key leak, predicted-output cost confusion, image or file token surprise, or per-call cost hiding cost-per-success regression | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | LLM token-cost surface reviewed, cost unit and measurement source, stable prefix and cache behavior, app cache/history/RAG/tool/schema/input choices, routing/reasoning/output/retry/Batch/Flex/prediction choices, observability, verification, and remaining token-cost risk |
377
+ | LLM response latency, time to first token, first useful output, streaming, output length, LLM round trips, tool-call wait, prompt-cache latency, model routing, speculative or parallel execution, realtime continuation, priority tiers, predicted outputs, or user-perceived AI speed are created, changed, reviewed, or reported | `.mustflow/skills/llm-response-latency-review/SKILL.md` | Latency target ledger, request timeline ledger, call graph ledger, output ledger, cache ledger, routing ledger, observability ledger, changed files, and command contract entries | Streaming paths, first-useful-output contracts, request timeline metrics, call graph simplification, parallel or speculative work, model routers, fallback cascades, output caps, schema shortening, prompt-cache prefix ordering, cache keys, realtime continuation, priority-tier routing, timeout and cancellation behavior, tests, docs, route metadata, and directly synchronized templates | slow first token, useless streamed preamble, extra sequential LLM round trip, tool wait blocking first output, cache-prefix drift, unmeasured cache miss, verbose output drift, long JSON key or enum overhead, RAG chunk bloat, router escalation loop, prediction-token mismatch, priority-tier misuse, unsafe speculative work, missing cancellation, or raw prompt telemetry leak | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | LLM response-latency surface reviewed, latency unit and request timeline, round trips, parallel/tool/stream/cancel behavior, output/schema/cache/history/RAG/routing/fallback/prediction/realtime/priority choices, observability, verification, and remaining response-latency risk |
378
+ | Autonomous or semi-autonomous LLM agents, agentic workflows, planners, executors, verifiers, tool contracts, tool-call gates, human approval or interrupt flows, durable agent state, handoffs, guardrails, loop budgets, retry policies, trace evaluation, or agent outcome metrics are created, changed, reviewed, or reported | `.mustflow/skills/agent-execution-control-review/SKILL.md` | Autonomy ledger, stage gate ledger, role separation ledger, tool contract ledger, effect ledger, state and resume ledger, memory and context ledger, handoff and guardrail ledger, loop, retry, and budget ledger, trace and eval outcome ledger, changed files, and command contract entries | Workflow-versus-agent routing, stage gates, planner/executor/verifier boundaries, tool contracts, tool argument ownership, draft/execute separation, idempotency keys, approval records, durable checkpoints, state schema versions, memory partitions, handoff filters, guardrails, loop budgets, retry classification, trace spans, eval fixtures, tests, docs, route metadata, and directly synchronized templates | unnecessary autonomous agent, one model self-certifying success, ungated bad plan, ambiguous tool contract, guessed tool argument, relative-path trap, external effect before approval, missing idempotency key, interrupt replay side effect, stale state schema, over-shared handoff, misplaced guardrail, repeated tool loop, blind retry, final-answer-only eval, or unsafe trace data | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Agent execution-control surface reviewed, workflow-versus-agent decision, autonomy envelope, stage gates, role separation, tool contracts, approval and side-effect replay safety, state/resume/memory/handoff/guardrail/loop/retry/trace/eval checks, verification, and remaining agent execution-control risk |
379
+ | Agent evaluation loops, trace or trajectory grading, LLM judges, verifier agents, outcome scoring, tool-call prechecks or postchecks, eval datasets, golden or dirty sets, pass@k or pass^k metrics, shadow environments, production-monitoring-to-eval pipelines, or agent regression gates are created, changed, reviewed, or reported | `.mustflow/skills/agent-eval-integrity-review/SKILL.md` | Outcome ledger, trace ledger, oracle ledger, tool-boundary ledger, dataset ledger, metric ledger, environment ledger, monitoring ledger, privacy ledger, changed files, and command contract entries | Outcome oracles, trace schemas, trajectory graders, deterministic checkers, model-judge rubrics, human-review sampling, tool prechecks and postchecks, tool-result evidence packets, eval fixtures, golden and dirty sets, shadow-environment adapters, monitoring-to-eval candidate flows, tests, docs, route metadata, and directly synchronized templates | final-answer-only scoring, LLM judge as sole oracle, reasoning claim treated as evidence, self-reflection certifying success, missing final environment state, ungraded unsafe trajectory, missing tool precheck or postcheck, brittle exact tool-order assertion, uncalibrated judge drift, pass@k masking unreliable pass^k, dirty set gating flakiness, raw trace data leak, or production failure not entering evals | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Agent eval-integrity surface reviewed, outcome oracle, final-state and trajectory checks, deterministic/model/human oracle split, tool boundary evidence, golden/dirty/capability/regression metrics, shadow environment, monitoring-to-eval loop, trace privacy, verification, and remaining agent eval-integrity risk |
380
+ | Code review or implementation needs module-boundary triage for change spread, co-change clusters, data ownership, policy ownership, failure ownership, import direction, circular dependencies, DTO leakage, shared/common/utils growth, mock-heavy tests, repeated policy conditions, enum interpretation, repository business logic, anemic domain, domain-to-I/O leakage, transaction boundary mismatch, technical event names, public module API bloat, caller sequencing, premature common helpers, bug/fix distance, config ownership, log responsibility, exception translation, cache invalidation ownership, repeated authorization checks, frontend/backend policy leakage, time policy, batch or worker bypass, or temporary-code accumulation | `.mustflow/skills/module-boundary-review/SKILL.md` | Change reason, changed-file spread, co-change evidence, module graph evidence, ownership evidence, test evidence, and configured command intents | Policy ownership, DTO boundaries, mapper boundaries, module public APIs, import direction, config injection, exception translation, cache invalidation ownership, authorization checks, event facts, worker entrypoints, focused tests, and directly synchronized docs or templates | layer-name theater, role-sliced files that always change together, lower-level modules knowing high-level policy, circular dependency, DTO infection, ownerless shared helper, broad noun module, mock-heavy rule tests, copied policy condition, enum rule scatter, repository-owned business rule, service-only domain, domain I/O coupling, cross-owner transaction, table-change event, exposed internals, caller order dependency, unsafe reuse, repeated temporary branch, bug/fix distance, config chaos, misleading logs, leaked provider or DB errors, stale cache owner drift, copied auth checks, frontend reconstructing backend policy, inconsistent time rules, worker bypass, or random capability loss when a module is removed | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Module boundary reviewed, change-spread and co-change evidence, owner and import findings, boundary fixes or recommendation, evidence level, verification, and remaining module-boundary risk |
381
+ | Code review or implementation needs change-blast-radius triage for maintainability risk from unpredictable next-change spread, one change reason scattered across files, multiple change reasons in one file, controller workflow leakage, junk-drawer service names, boolean mode flags, trash-can option objects, scattered domain rules, scattered authorization, hidden state transitions, direct time or randomness, unclear transaction boundaries, external API and DB coupling, retry without idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branches in the core path, DTO/entity/view model mixing, ambiguous nullable values, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstractions, premature DRY, hidden ordering dependency, invisible event contracts, migration/runtime compatibility, or hard-to-delete features | `.mustflow/skills/change-blast-radius-review/SKILL.md` | User goal, current diff or target files, change-reason ledger, blast-radius ledger, ownership ledger, deleteability ledger, test and operations evidence, and configured command intents | Policy ownership, workflow boundaries, explicit modes, option-object narrowing, authorization owner, state-transition owner, transaction and retry/idempotency boundaries, cache truth boundary, config and tenant variation isolation, legacy adapters, DTO mapping ownership, result types, traceable logs, behavior-focused tests, event contracts, migration compatibility notes, and directly synchronized docs or templates | clean-code theater, unpredictable edit spread, unrelated reasons in one file, controller as boss, junk-drawer service, boolean maze, option combinatorics, copied policy, copied auth, scattered status writes, hidden time or random, partial data after failure, duplicate side effect, stale cache authority, untested flag product, hardcoded customer branch, legacy core pollution, object-language mixing, nullable ambiguity, false success, useless logs, brittle process tests, five-mock class, decorative interface, wrong DRY, order-sensitive line shuffle, ghost event coupling, deploy gamble, or feature that cannot be deleted cleanly | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Change blast radius reviewed, next likely change and owner, spread and deletion path, maintainability findings, fixes or recommendation, verification, and remaining change-spread risk |
382
+ | Code review or implementation needs business-rule-leakage triage for money, permission, ownership, state, settlement, discount, coupon, refund, inventory, notification, subscription, visibility, eligibility, expiry, price, tax, fee, points, reports, tenant scope, UI-only guards, controller eligibility checks, direct status assignment, query predicates as policy, list/detail scope mismatch, admin path bypass, batch hidden policy, tests at the wrong layer, duplicated business constants, date or timezone policy drift, ambiguous `isActive` or `canUse`, authentication/authorization/eligibility mixing, ownership boundary drift, broad update DTOs, PATCH null semantics, mapper logic, default-value drift, misleading error messages, swallowed business failures, transaction/action mismatch, event timing, duplicate requests, webhook trust, out-of-order events, cache-as-rule, search index drift, report or settlement SQL, public text drift, or other bypass entrances | `.mustflow/skills/business-rule-leakage-review/SKILL.md` | User goal, current diff or target files, rule ledger, entrypoint ledger, enforcement ledger, consistency ledger, state/transaction/event/idempotency/default/error evidence, and configured command intents | Shared policy/domain/application/database rule owner, server-side enforcement, reusable query scopes, list/detail consistency, update field restrictions, PATCH intent models, mechanical mappers, default ownership, visible failures, transaction and event boundaries, idempotency, webhook verification, search/detail rechecks, report calculation owners, focused tests, and directly synchronized docs or templates | clean code with leaked money rule, client-only rule, controller judge, scattered status assignment, missing query predicate, URL detail bypass, admin bypass, batch bypass, misplaced test, magic policy number, timezone cutoff drift, vague helper meaning, auth/eligibility blur, user-vs-tenant ownership hole, mass update, PATCH null corruption, mapper policy, default mismatch, error-text lie, false success, half-committed business action, pre-commit event, duplicate refund or coupon use, trusted webhook, stale event transition, wrong cache viewer, dead search result, settlement query drift, support macro drift, or uninspected entrypoint | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Business rule leakage reviewed, source of truth and entrypoints, enforcement and bypass findings, consistency notes, fixes or recommendation, verification, and remaining rule-leakage risk |
383
+ | Payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment session, payment link, payment-provider integration, admin manual payment change, payment log, PCI-sensitive data handling, or payment-related test needs payment-integrity triage for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, idempotency, ledger, reconciliation, or audit risk | `.mustflow/skills/payment-integrity-review/SKILL.md` | User goal, current diff or target files, money-event ledger, provider interaction ledger, state-transition ledger, idempotency and uniqueness ledger, amount and currency ledger, ownership ledger, fulfillment and entitlement ledger, webhook and retry ledger, audit and sensitive-data ledger, existing tests, and configured command intents | Payment state machines, server-side amount calculation, minor-unit money handling, object ownership checks, idempotency keys, provider ID uniqueness, webhook raw-body signature verification, webhook event dedupe, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinctions, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and payment-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates | paid-boolean shortcut, client-trusted amount, wrong-owner order/payment/refund/subscription ID, amount drift, float money math, missing idempotency, per-retry UUID idempotency, missing provider uniqueness, duplicate webhook, out-of-order webhook, JSON-parsed webhook signature breakage, disabled webhook signature, success-page-as-proof, double fulfillment, async payment premature fulfillment, authorized-treated-as-captured, double refund, missing dispute handling, subscription period-only active check, inventory oversell, coupon double spend or lost coupon, timeout-treated-as-failure, blind retry, mutable ledger, card data logging, test/live secret mix, unaudited admin override, stale payment API, or happy-path-only payment tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Payment integrity reviewed, money-event/provider/state/idempotency/amount/ownership/fulfillment/webhook/audit map, findings, fixes or recommendation, nightmare-path evidence, verification, and remaining payment-integrity risk |
384
+ | Credit, point, wallet balance, reward point, prepaid credit, usage credit, bonus credit, loyalty point, stored-value balance, balance deduction, accrual, refund, reversal, expiration, reservation, capture, release, admin adjustment, transfer, ledger table, balance cache, reconciliation job, settlement report, or credit-related test needs credit-ledger-integrity triage for ledger identity, idempotency, atomic balance changes, concurrency, ordering, ownership, amount precision, rounding, policy snapshots, expiry lots, reservation state, failure recovery, audit evidence, or reconciliation risk | `.mustflow/skills/credit-ledger-integrity-review/SKILL.md` | User goal, current diff or target files, balance surface ledger, ledger-entry ledger, source identity ledger, atomicity ledger, amount and unit ledger, ownership ledger, expiry and lot ledger, reservation ledger, queue and cache ledger, audit and reconciliation ledger, existing tests, and configured command intents | Ledger-entry models, source identifiers, idempotency comparison, conditional balance updates, database constraints, transaction boundaries, row-lock targets, optimistic-lock retry classification, amount validation, rounding policy, non-negative invariants, refund and reversal modeling, partial-use handling, expiry lot allocation, reservation/capture/release transitions, queue idempotency and ordering, cache invalidation, replica-read routing, admin adjustment audit trails, reconciliation checks, evidence logs, focused concurrency and failure tests, and directly synchronized docs or templates | mutable-balance-only path, missing source key, weak idempotency comparison, read-then-update subtraction, unchecked affected rows, split transaction, wrong lock target, optimistic retry double-spend, float credit math, hidden rounding rule, negative or zero amount abuse, app-only non-negative promise, missing unique ledger key, generic balance increase refund, partial refund blind spot, expiry lot loss, expiry batch race, missing reservation state, arbitrary status update, queue reorder damage, duplicate consumer delivery, cache-trusted deduction, replica stale balance, unaudited admin adjustment, request-body wallet ownership, current-price recalculation, missing policy snapshot, no failure injection, no balance-vs-ledger reconciliation, vague deduction log, or happy-path-only credit tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Credit ledger integrity reviewed, balance/ledger/source/atomicity/amount/ownership/expiry/reservation/queue/cache/audit/reconciliation map, findings, fixes or recommendation, nightmare-path evidence, verification, and remaining credit-ledger integrity risk |
385
+ | Code review or implementation needs api-misuse-resistance triage for APIs, SDKs, function boundaries, service methods, endpoints, command methods, DTOs, request shapes, response shapes, operation names, call ordering, lifecycle setup, boolean parameters, option bags, null or empty semantics, internal table leakage, string-only errors, success-only failure models, idempotency, pagination, sorting, filtering, authorization shape, status mutation, PATCH command buses, time formats, money amounts, open enums, async jobs, bulk partial failures, cacheability, response size, overfragmented calls, internal/external API mixing, version policy, deprecation telemetry, rate limits, retry hints, observability, SDK ergonomics, or caller contract tests | `.mustflow/skills/api-misuse-resistance-review/SKILL.md` | User goal, current diff or target files, caller ledger, operation ledger, shape ledger, compatibility evidence, existing style, and configured command intents | Operation-centered names, explicit lifecycle or builder boundaries, named options or split operations, narrowed option bags, explicit absence and PATCH semantics, public DTO mapping, stable errors, idempotency metadata, cursor stability, auth-specific operations, command-shaped state changes, time and money units, unknown enum handling, job resources, item-level bulk results, cache and rate-limit hints, observability fields, SDK examples, focused tests, and directly synchronized docs or templates | implementation-leaking name, hidden state machine, boolean riddle, trash-can options, null folklore, DB schema frozen as API, string-only error, success-only design, duplicate side effect, moving-list pagination, random default order, hidden permission mode, illegal status transition, PATCH-as-command bus, timezone ambiguity, floating money, closed external enum, fake synchronous completion, erased partial failure, uncacheable expensive read, all-in-one payload bloat, frontend-as-backend call graph, internal/external contract blur, decorative version number, unmeasured deprecation, retry-hostile rate limit, untraceable operation, awkward SDK, happy-path-only contract test, or first-time caller trap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | API misuse resistance reviewed, caller and operation ledgers, shape and contract findings, fixes or recommendation, compatibility notes, verification, and remaining caller-misuse risk |
386
+ | Code review or implementation needs error-message-integrity triage for error text, error codes, validation messages, parse failures, API or CLI error envelopes, public user messages, internal logs, structured diagnostics, exception wrapping, provider errors, retryable flags, idempotency errors, queue or batch failures, partial failures, permission errors, conflict errors, impossible-state errors, support IDs, redaction, stable machine fields, monitoring fields, or troubleshooting text | `.mustflow/skills/error-message-integrity-review/SKILL.md` | User goal, current diff or target files, error audience ledger, error contract ledger, disclosure ledger, recovery ledger, and configured command intents | Stable error codes, expected/actual fields, failed-operation context, reasons, safe identifiers, public/internal message split, redaction, retryability, idempotency metadata, provider metadata, parse positions, range bounds, conflict facts, partial-failure summaries, structured log fields, focused tests, and directly synchronized docs or templates | empty failed label, invalid-value fog, missing action, result repeated as cause, no work context, public/internal message mixing, sensitive value leak, missing safe identifier, retry ambiguity, try-again-later dodge, unstable string-only code, overbroad error bucket, validation info leak, parse location missing, range without bounds, timezone ambiguity, provider evidence loss, cause destruction, brittle message concatenation, prose-only logs, internal jargon in user text, permission existence leak, should-never-happen message, vague conflict, idempotency uncertainty, missing attempt count, partial failure erased, untested error contract, no 30-second next action, or call-site-specific taxonomy drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Error message integrity reviewed, surfaces and audiences, code/message contract, evidence and redaction findings, fixes or recommendation, verification, and remaining error-message risk |
387
+ | Object lifetime, retained references, cleanup symmetry, event listeners, timers, subscriptions, goroutines, threads, workers, streams, native handles, caches, queues, registries, closures, or memory/resource leak risk is created, changed, reviewed, or reported | `.mustflow/skills/memory-lifetime-review/SKILL.md` | Lifetime surface, setup sites, cleanup sites, retainer graph, repetition path, success and error paths, and configured command intents | Teardown, cancellation, ownership, weak-reference, eviction, queue-bound, stream-close, worker-shutdown, lifecycle-symmetry code, focused tests, and directly synchronized docs or templates | long-lived owner retaining short-lived object, setup without cleanup, unstable listener identity, timeout without cancellation, unbounded cache or queue, debug/log retention, leaked goroutine/thread/worker, native handle leak, finalizer-only cleanup, weak-reference cover-up, or missing repeated-lifecycle proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Lifetime boundary, setup and cleanup owners, retainer paths, long-lived owners and short-lived objects, repeated-lifecycle proof, verification, and remaining lifetime risk |
388
+ | Desktop app memory footprint needs scenario-level review for Windows, macOS, Linux, Electron, WebView, WPF, WinUI, Win32, Qt, Java Swing or JavaFX, .NET, JVM, Rust, C++, Python, working set versus private memory, RSS, dirty pages, live set, peak and after-close memory, UI virtualization, data virtualization, renderer and window count, module loading, image decode size, OS-discardable caches, memory-mapped files, `madvise`, `EmptyWorkingSet`, .NET LOH, `ArrayPool<T>`, WPF visual trees, GDI or USER handles, detached DOM nodes, hidden windows or tabs, string deduplication, large buffer capacity, struct padding, object graph shape, undo history, inactive views, low-memory signals, or scenario memory budgets | `.mustflow/skills/desktop-memory-footprint-review/SKILL.md` | Scenario ledger, measurement ledger, UI residency ledger, data residency ledger, cache ledger, runtime ledger, existing tests, package surfaces, synchronized docs or templates, and configured command intents | UI virtualization, data virtualization, container recycling, lazy model fetch, renderer or window disposal, feature-entry module loading, image downsampling, cache cost limits, discardable cache behavior, streaming or memory-mapped file access, mapped-range release hints, low-memory handlers, after-close cleanup, undo compaction, object-shape flattening, string or symbol tables, pooled-buffer scope, native handle release, and focused tests | working-set theater, full UI object creation, UI-only virtualization, hidden renderer retention, eager feature module, original-size thumbnail, item-count-only cache, full file read, mapped range held forever, unsafe pooled buffer return, GDI or USER handle leak, detached DOM retention, console measurement artifact, duplicate string bloat, live-set staircase, cleared-but-huge buffer, padded bulk struct, pointer-heavy row model, whole-document undo snapshot, inactive tab kept fully rendered, no-op low-memory handler, or missing after-close evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Desktop memory footprint boundary reviewed, scenario budget, measurement metric, UI/data virtualization, renderer/window, module, media, cache, file, runtime, native handle, UI retention, string, data model, history, inactive view, memory-pressure, after-close evidence, verification, and remaining desktop-memory risk |
389
+ | Code review or implementation needs hot-path triage for repeated ordinary work, external round trips, multi-pass collection chains, hidden quadratic lookup, per-item allocation or serialization, transaction or lock hold time, sequential async waits, unbounded fan-out, cache stampede, queue throughput, retry multiplication, timeout waits, or missing observability before a broader optimization pass | `.mustflow/skills/hot-path-performance-review/SKILL.md` | Hot path, multipliers, per-iteration cost, boundary ledger, data-size and tail-latency evidence, correctness boundaries, and configured command intents | Batching, projection, lookup tables, bounded concurrency, timeout and cancellation wiring, bulk writes, cache-key boundaries, queue backpressure, transaction or lock narrowing, focused tests, and lightweight observability tied to the hot path | repeated I/O in loops, N+1 query, multi-pass array traversal, hidden `O(n^2)` lookup, unbounded `SELECT *`, large offset pagination, index defeat, wide transaction, lock-held slow work, sequential `await`, unbounded `Promise.all`, per-item client creation, cache key explosion, cache stampede, hot-path logging, deep clone, repeated JSON conversion, CPU-heavy request work, queue bottleneck relocation, retry storm, or p95/p99 blind spot | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Hot path reviewed, cost ledger, repeated-boundary and hidden-complexity findings, semantics preserved, evidence level, verification, and remaining hot-path performance risk |
390
+ | API endpoints, handlers, controllers, resolvers, serializers, mappers, service methods, middleware, webhook receivers, backend-for-frontend paths, admin APIs, or route-level request paths need latency review for repeated work inside one request | `.mustflow/skills/api-request-performance-review/SKILL.md` | API request boundary, Request cost ledger, route span, DB query count, Redis count, external API calls, pool acquire wait, transaction scope, cache hit or miss, payload and response bytes, serialization time, ORM behavior, correctness boundaries, and configured command intents | Projection narrowing, query-count or lazy-loading guards, bounded batching, request-scope memoization, Redis `MGET` or pipeline use, app-side filtering or sorting cleanup, transaction narrowing, route-level observability, focused tests, and directly synchronized docs or templates | per-request I/O fan-out, ORM serializer lazy loading, eager-load row explosion, `SELECT *`, app-side filtering after overfetch, deep `OFFSET`, expensive `COUNT(*)`, index mismatch for `WHERE` plus `ORDER BY` plus `LIMIT`, external API inside transaction, pool acquire wait hidden behind fast queries, Redis loop, cache miss amplification, repeated JSON serialization, huge response bytes, CPU-heavy request work, Node flame graph gap, Go pprof gap, MongoDB `explain()` gap, or missing OpenTelemetry span evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | API request path reviewed, Request cost ledger, route-level DB/Redis/external/cache/serialization/CPU findings, evidence level, verification, and remaining API request performance risk |
391
+ | Code review or implementation needs cache-integrity triage for cache key truth, viewer context, query normalization, key versioning, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, negative caching, invalidation ordering, update races, list or page caches, tag invalidation, local L1 and external L2 caches, Redis fallback, value size, eviction policy, TTL-less keys, `KEYS *`, hot keys, Redis Cluster hash tags, HTTP `Vary`, `no-cache`, `no-store`, permission caches, cache warming, observability, or cache failure tests | `.mustflow/skills/cache-integrity-review/SKILL.md` | Cache surface, source of truth, cached value, key dimensions, freshness contract, failure and concurrency contract, observability evidence, and configured command intents | Cache key construction, query normalization, key versioning, TTL and jitter, soft or hard TTL behavior, stale serve, singleflight or request coalescing, negative-cache policy, invalidation order, version checks, tag invalidation, bounded fallback, cache warming, observability, focused tests, and directly synchronized docs or templates | stale data spread, tenant or permission leak, wrong viewer response, cache key collision or explosion, old schema read after deploy, synchronized expiry bomb, thundering herd, temporary failure cached as truth, delete-before-commit resurrection, stale overwrite, list invalidation drift, page duplicate or gap, global flush pressure, L1/L2 split brain, Redis outage killing DB, hit-rate-only blind spot, oversized values, eviction surprise, stateful TTL-less cache, production `KEYS *`, hot-key overload, broken cluster distribution, wrong HTTP cache reuse, stale auth cache, cold-start source surge, or happy-path-only cache test | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Cache surface reviewed, source truth and key dimensions, TTL/invalidation/fallback decisions, Redis/HTTP/permission/cache-layer checks, evidence level, verification, and remaining cache-integrity risk |
392
+ | Code review or implementation specifically needs to catch hidden O(N^2), pairwise work, repeated membership checks, map/filter/find/includes chains, code joins by ID, duplicate removal with index search, sorted-array linear search, repeated sort, reducer spread, string concatenation, JSON comparison, helper-hidden full-list scans, ORM lazy loading, GraphQL resolver fan-out, render-time lookup, tree or graph parent-child scans, event-history scans, interval all-pairs checks, or incremental updates that recompute whole state | `.mustflow/skills/quadratic-scan-review/SKILL.md` | Outer work, inner work, data shape, join or membership key, semantic contract, evidence level, and configured command intents | Set or Map lookup, grouping maps, parent-to-children maps, composite keys, sorted merge, single-pass aggregation, database-side joins, focused behavior tests, and bounded complexity notes tied to the repeated scan | disguised nested loop, same collection rescanned per item, array membership over growing data, ID join without index, duplicate-removal O(N^2), sorted linear search, sort inside loop, copy accumulation, JSON stringify comparison, helper-body scan, ORM N+1, resolver fan-out, render jank, graph traversal slowdown, event-history rescan, interval all-pairs leak, or small-list excuse without a hard cap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Repeated path, outer and inner counts, data-growth classification, hidden scan findings, chosen index or intentional all-pairs decision, semantics preserved, evidence level, verification, and remaining quadratic-scan risk |
393
+ | Code review or implementation needs type modeling to make impossible states unrepresentable, including branded IDs, unit and currency types, boolean flag clusters, broad string statuses, nullable state fields, raw external data, partial update inputs, DTO/domain/response mixing, broad maps, `any`, casts, non-null assertions, Result error variants, non-empty collections, permission capabilities, lifecycle timestamps, or exhaustiveness | `.mustflow/skills/type-state-modeling-review/SKILL.md` | Domain invariant, current type surface, construction path, boundary map, exhaustiveness surface, and configured command intents | Branded types, newtypes, wrappers, literal unions, sealed or discriminated variants, parsers, constructors, validators, DTO boundary splits, focused tests, and directly synchronized docs or templates | swapped IDs, unit or currency confusion, contradictory boolean flags, status drift, optional-field invalid state, raw DTO leakage, unsafe `Partial<T>`, domain/API/DB coupling, broad `Record<string, unknown>`, `any` spread, cast cover-up, non-null assertion crash, untyped Result errors, empty collection invariant leak, permission boolean drift, lifecycle timestamp contradiction, or missed exhaustive case | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Type surface reviewed, impossible states found or ruled out, boundary and construction path tightened, exhaustiveness and tests checked, verification, and remaining impossible-state risk |
394
+ | Code review or implementation needs race-condition triage for shared state observed across interleaving execution flows, including check-then-act, read-modify-write, stale reads after `await`, I/O, callbacks or events, lock scope or global lock order, `tryLock`, timeout, retry, cache miss fill, lazy initialization, double-checked locking, atomics, memory ordering, DB transaction isolation, conditional updates, unique constraints, distributed locks, idempotency, filesystem exists/open, atomic create or rename, outbox ordering, queue duplicates or reordering, concurrent same-user work, shutdown, cancellation, timers, close/send races, shared collections, iterator snapshots, object reuse, fake immutability, sleep-based race tests, log ordering, or status values without transitions | `.mustflow/skills/race-condition-review/SKILL.md` | Shared state surface, invariant, interleaving points, synchronization or transaction boundary, retry and idempotency policy, event, queue, timer, cancellation and shutdown paths, collection or object ownership, evidence level, and configured command intents | Atomic conditional update, atomic create, compare-and-swap, lock scope or lock-order fix, unique constraint, row lock, idempotency guard, singleflight, outbox or inbox guard, state transition guard, snapshot iteration, ownership split, focused concurrency tests, and directly synchronized docs or templates | check-then-act, lost update, stale read after await, torn invariant, callback under lock, deadlock, retry duplication, cache stampede, double init, unsafe atomic assumption, isolation mismatch, app-only uniqueness, broken distributed lock, duplicate side effect, event/state split brain, queue duplicate or out-of-order damage, shutdown drop, cancellation completion race, old timer update, double close, send after close, shared collection mutation, pooled object corruption, fake immutable mutation, sleep-test false confidence, log-order lie, or state value race | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Shared state and invariant reviewed, interleaving ledger, atomicity and synchronization findings, stale-read and ordering checks, tests or evidence level, verification, and remaining race-condition risk |
395
+ | Code review or implementation needs concurrency-invariant triage for shared ownership and primitive discipline when correctness depends on time-order changes, including hidden writes in getters, lazy initialization, check-then-act, read-modify-write, exact lock identity, lock scope, lock order, callbacks under lock, condition-variable `while` predicates, lost notifications, atomics mixed with ordinary state, CAS ABA, double-checked locking, object publication before construction completes, fake immutability, concurrent collection iteration, cache stampede, application-only uniqueness, transaction isolation, distributed lock lease expiry, fencing tokens, idempotency keys, duplicate queue delivery, explicit state-machine transitions, scheduler overlap, shutdown drain, resource release after acquire, thread-local leakage, async `await` interleavings, or sleep-based concurrency tests | `.mustflow/skills/concurrency-invariant-review/SKILL.md` | Shared state inventory, owner decision, invariant, time-order table, lock identity and order, condition predicate, atomic and memory-visibility story, transaction and distributed lease boundary, duplicate execution rule, shutdown and thread-local context, test evidence, and configured command intents | Single-writer ownership, immutable snapshot, scoped lock, global lock order, condition predicate loop, atomic conditional write, transaction or row lock, unique constraint, idempotency record, fencing token, queue dedupe, state transition guard, scheduler ownership, shutdown drain, context cleanup, deterministic interleaving test, and directly synchronized docs or templates | ownerless shared state, read-only helper hidden write, torn invariant, different locks guarding one fact, too-narrow lock, too-wide lock, deadlock order, callback under lock, lost notification, spurious wakeup, atomic-only cover-up, ABA, unsafe publication, half-constructed object, fake immutable mutation, collection mutation during iteration, cache stampede, duplicate insert across service instances, isolation mismatch, expired distributed lock owner, duplicate side effect, queue redelivery damage, status backtracking, scheduler double-run, dropped in-flight work, leaked permit, thread-local tenant leak, stale value after await, or sleep-test false confidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Shared inventory and owners reviewed, invariant and time-order table, primitive-discipline findings, fixes or recommendations, deterministic evidence level, verification, and remaining concurrency-invariant risk |
396
+ | Code review or implementation needs failure-integrity triage for exception or failure handling that can produce false success, swallowed exceptions, log-and-continue paths, ambiguous `null`, `false`, or empty defaults, `finally` masking, transaction commit after caught failure, external side-effect ordering bugs, retry without idempotency, missing timeouts, cancellation swallowing, unobserved async failures, queue ack/nack mistakes, lost causes, leaked internal errors, mixed business and system failures, partial state, lock or resource leaks on failure paths, unsafe parsing defaults, fail-open authorization, unsafe cache or fallback defaults, unstable public error messages, or missing failure-path observability | `.mustflow/skills/failure-integrity-review/SKILL.md` | Failure surface, truth surface, state-change ledger, error classification, transaction and side-effect boundary, retry, timeout, cancellation, queue, cleanup, public error, redaction, observability, and configured command intents | Failure propagation, typed error value, rollback or compensation, idempotency guard, timeout and retry budget, cancellation propagation, ack/nack and dead-letter policy, cause preservation, stable public error code, safe logging or metrics, fail-closed behavior, resource cleanup, focused failure-path tests, and directly synchronized docs or templates | broad catch, swallowed exception, false success, false empty data, cleanup masking original error, partial commit, unknown provider outcome, duplicate side effect, retry storm, hung dependency, ignored cancellation, unobserved background failure, dropped queue message, poison message loop, lost stack cause, internal error leak, client string-branching, business/system failure confusion, stuck processing state, unreleased lock, unclosed handle, dangerous default value, fail-open permission, unsafe fallback, invisible compensation failure, or no operator signal | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Failure surface and lie reviewed, state-change and truth ledger, swallowed or false-success findings, rollback/retry/fallback/observability decisions, tests or evidence level, verification, and remaining failure-integrity risk |
397
+ | Code review or implementation needs backend-log-evidence triage for backend request, worker, scheduler, webhook, migration, script, service, repository, or external adapter logs that must explain why a request, job, or data change reached its final state, including event names, schema versions, start and finish logs, trace/span/request IDs, correlation and causation IDs, outcome and reason fields, error causes and stacks, external API before and after logs, DB affected rows, transaction begin/commit/rollback, state transitions, silent early returns, retries, timeouts, queue enqueue and consume, async context propagation, batch summaries, audit events, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, feature flags, release/config startup summaries, migration dry-run and apply logs, severity levels, duplicate logs, structured fields, safe identifiers, sampling, cardinality, log-injection safety, or redaction | `.mustflow/skills/backend-log-evidence-review/SKILL.md` | Backend path, event contract, correlation and causation model, request lifecycle evidence, error evidence, decision evidence, side-effect evidence, sampling and safety constraints, local logger conventions, tests or fixtures, and configured command intents | Structured log events, stable event names, schema versions, safe identifiers, trace/span/request/correlation/causation IDs, request start and finish summaries, result type, outcome, reason code, duration, deployment/resource attributes, error object logging, cause preservation, dependency request IDs, affected-row counts, transition fields, retry attempts, timeout classes, queue and batch IDs, audit fields, auth and validation reason codes, cache and lock result fields, idempotency classifications, feature flag variants, release and config summaries, cardinality controls, redaction guards, focused tests, and directly synchronized docs or templates | route-only start log, no finish log, missing duration, message-based dashboard, missing schema version, missing trace or span id, missing causation id, string-only error, lost cause or stack, external API logged only after failure, raw provider body log, missing affected-row count, invisible transaction boundary, status assignment without from/to state, silent guard return, attempt-free retry log, timeout without actual duration, enqueue without consume evidence, broken async request id, batch started/finished only, audit event mixed with debug log, missing auth reason, validation 400 with no safe field summary, cache blind spot, lock wait hidden, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config log, migration `done`, swallowed background error, all-info severity, duplicate error spam, prose-only log, high-cardinality indexed field, log injection exposure, unsafe sampling, missing domain identifier, or sink-side-only masking | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Backend log boundary reviewed, reconstruction question, event/lifecycle/correlation/causation/error/side-effect/decision/cardinality/sampling/redaction findings, evidence level, verification, and remaining backend-log-evidence risk |
398
+ | Code review or implementation needs observability-debuggability triage for logs, metrics, traces, spans, structured events, telemetry context, dashboards, alerts, runbooks, sampling, redaction, dependency calls, queues, batch jobs, caches, pools, rate limits, feature flags, releases, migrations, or partial-success paths where operators need to narrow incidents quickly without high-cardinality metric explosions, missing denominator counters, lost trace context, or sensitive telemetry leakage | `.mustflow/skills/observability-debuggability-review/SKILL.md` | Incident question, signal inventory, request or job identity, metric model, trace and event model, log model, operational domain, privacy and retention constraints, verification evidence, and configured command intents | Structured event names, safe reason codes, total and failure counters, latency distributions, low-cardinality labels, trace and span context, dependency and operation names, async propagation, per-attempt telemetry, queue or batch lag signals, pool saturation metrics, release and feature attribution, telemetry self-metrics, redaction, focused tests, and directly synchronized docs or templates | success-only log, no denominator, average-only latency, mixed success and error latency, raw URL label, raw user label, raw SQL telemetry, high-cardinality metric label, missing trace or span id, broken async trace propagation, attempt and operation collapse, generic timeout bucket, missing dependency name, missing idempotency or message evidence, missing queue age, missing batch last-success timestamp, missing pool saturation, missing release attribution, decorative metric, alert without action, dropped telemetry invisible, sampling drops errors, unsafe baggage, or sink-side-only masking | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Observability boundary reviewed, incident question and signal ledger, metric/trace/log/cardinality/privacy findings, evidence level, verification, and remaining observability-debuggability risk |
399
+ | Code review, runbook work, or incident report needs incident-triage review for outages, degradations, timeout spikes, p95 or p99 latency spikes, queue backlog, pool saturation, CPU-idle slowness, memory pressure, OOM, disk or inode pressure, DNS or network failure, load balancer 5xx, Kubernetes node or pod issues, deployment regression, cache stampede, cron or batch spikes, Redis slowdown, DB lock waits, connection leaks, ephemeral-port exhaustion, conntrack saturation, or log floods where operators need to narrow the first bad time, affected slice, recent change, wait class, dependency, and manual-only diagnostics before reading every log | `.mustflow/skills/incident-triage-review/SKILL.md` | Incident frame, time evidence, scope axes, saturation and wait evidence, dependency evidence, change evidence, safety constraints, repository runbook or telemetry evidence, and configured command intents | Runbook steps, alert metadata, incident evidence checklists, telemetry contract notes, dashboard descriptions, test fixtures, docs, and directly synchronized templates that preserve first-bad-time, scope split, change ledger, wait classification, dependency split, success-versus-failure comparison, and manual-only diagnostic boundaries | average-only latency, all-logs-first triage, deployment dismissal, success-only comparison, proxy/app 5xx mixing, app-log-only OOM review, CPU-idle slowness ambiguity, DB-index reflex, pool-wait blindness, queue-lag understatement, cache-hit-rate overtrust, ping-only network checks, pod-only Kubernetes review, disk-capacity-only checks, log-volume blind spots, private incident-log capture, or raw live diagnostic commands treated as agent-authorized | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Incident boundary reviewed, first bad time and affected scope, change/success-failure/latency/resource/wait/dependency evidence, elimination ledger, manual-only diagnostics, verification, and remaining incident-triage risk |
400
+ | Code review, implementation, runbook work, or release preparation needs deployment-rollout safety review for server, backend, worker, scheduler, queue, cron, container, VM, serverless, DB migration, config, feature flag, cache, deployment pipeline, release envelope, image digest, deployment history, traffic rollback, canary, rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior where the deploy must be rolled out, stopped, observed, and rolled back safely | `.mustflow/skills/deployment-rollout-safety-review/SKILL.md` | Deployment resource ledger, release envelope, artifact identity, environment promotion path, deployment model, compatibility matrix, config diff, migration order, rollback history, traffic rollback path, cache and message compatibility, probe model, shutdown and drain behavior, canary cohort, version-split telemetry, stop conditions, rollback limits, synthetic transactions, post-deploy metrics, and configured command intents | Runbooks, release checklists, pipeline metadata, smoke tests, probe tests, config validation, feature-flag defaults, cache-key versions, worker-drain handling, deployment attribution, rollback compatibility notes, focused tests, and directly synchronized templates | unknown blast radius, missing release id, mutable latest tag, tag without digest, per-environment rebuild drift, deleted rollout history, cold old version, traffic rollback tied to rebuild, code and migration lockstep, destructive rollback SQL overclaim, missing PITR practice, config in-place mutation, missing startup config validation, process-only health check, readiness/liveness/startup probe collapse, liveness restart loop, ungraceful shutdown, load balancer drain shorter than app shutdown, worker work loss, non-idempotent queue retry, N-1 message incompatibility, unknown event poison message, missing external compensation, API N-1 or N+1 break, missing kill switch, unsafe flag fallback, vague canary cohort, global-average canary metrics, no automatic stop condition, read-only smoke, log format alert breakage, blanket cache flush, scheduler duplicate execution, CRD or operator downgrade break, missing deployment lock, production command without dry-run, or code-only rollback overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Deployment rollout boundary reviewed, resource ledger and release envelope, artifact identity, config/migration/cache/queue/API/probe/shutdown/canary/rollback/observation findings, verification, and remaining deployment-rollout risk |
401
+ | Code review, implementation, runbook work, or infrastructure review needs cloud-cost-guardrail review for cloud accounts, projects, subscriptions, environments, Kubernetes namespaces, serverless, databases, object storage, block storage, snapshots, NAT, private endpoints, public IPs, egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources, container registries, Marketplace, LLM APIs, external APIs, or third-party SaaS where spend must be attributed, capped, lifecycle-managed, alerted, and safely stoppable before a silent bill explosion | `.mustflow/skills/cloud-cost-guardrail-review/SKILL.md` | Cost surface ledger, budget actual and forecast thresholds, automated non-production action path, account or project isolation, quota and cap model, tag taxonomy, temporary resource expiration, network cost model, telemetry cost model, storage lifecycle model, commitment baseline, Marketplace or LLM usage limits, and configured command intents | Cost guardrail docs, infrastructure policy files, review checklists, tag schemas, quota notes, budget-action runbooks, cleanup rules, retention defaults, autoscale caps, Kubernetes ResourceQuota and LimitRange notes, registry lifecycle policies, provider usage caps, focused tests, and directly synchronized templates | notification-only budget, imagined hard spending limit, mixed prod and dev account, over-wide service quota, missing owner tag, tag-key chaos, no expires_at, stopped VM with NAT or DB still running, unbounded autoscale, missing Kubernetes ResourceQuota, inflated requests growing nodes, cloud-native service through NAT, untracked egress, cross-AZ surprise, idle public IPv4, no CDN cache cost control, log ingest flood, infinite retention, high-cardinality metric label, unbounded flow or audit logs, object lifecycle missing, cold-storage minimum-duration trap, stale block volume type, snapshot landfill, sticky DB storage growth, unbounded registry images, premature commitment, stateful spot misuse, unmonitored Marketplace or LLM spend, or no safe cost stop runbook | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Cloud cost boundary reviewed, cost surface ledger, budget and action model, isolation/quota/tag/autoscale/Kubernetes/network/telemetry/storage/registry/commitment/spot/Marketplace/LLM/SaaS guardrail findings, manual-only provider checks, verification, and remaining cloud-cost risk |
402
+ | Code review or implementation needs rate-limit integrity triage for rate limits, throttling, quotas, API usage limits, request costs, token bucket, leaky bucket, fixed window, sliding window counter, sliding window log, GCRA, Redis counters, Lua or EVAL updates, CDN or WAF limits, gateway limits, service limits, tenant, user, API key, route group, IP, 429, `Retry-After`, `RateLimit`, shadow mode, operator reset, async enqueue, cached-hit counting, or concurrency-limit overlap that must protect a named resource without bypass, unfairness, counter drift, storage growth, retry storms, or misleading client hints | `.mustflow/skills/rate-limit-integrity-review/SKILL.md` | Protected resource ledger, cost-weighted request ledger, layer model, key model, algorithm and storage model, failure mode model, response contract, observability and operator evidence, and configured command intents | Protected-resource definitions, request cost weights, per-key policy, layered limit placement, route-template keys, atomic counter updates, TTLs, storage-time use, fail-open or fail-closed policy, blocked-decision cache, shadow mode, 429 response shape, observability fields, operator lookup or reset behavior, focused tests, and directly synchronized docs or templates | algorithm-first limiter, request-count-only quota, IP-only authenticated key, raw URL key explosion, missing identity-header policy, fixed-window boundary burst, costly sliding-window log on hot paths, non-atomic Redis read-modify-write, missing counter TTL, Redis Cluster hash-slot failure, app-server clock reset drift, process-local global quota, approximate edge limit treated as precise, hidden fail-open, free failed responses, rate versus concurrency confusion, unhelpful or leaky 429, synchronized retry wave, unsafe allow-decision cache, no shadow-mode ramp, missing policy id logs, raw Redis reset, unlimited async enqueue, cached CDN hit ambiguity, or rate limit treated as authorization or hard cost control | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Rate-limit policy boundary reviewed, protected resource and cost/layer/key/storage/fail-mode/response/operator model mapped, evidence level, verification, and remaining rate-limit-integrity risk |
403
+ | Code review or implementation needs idempotency-integrity triage for repeated requests, retries, duplicate POST/PATCH/DELETE calls, webhooks, provider callbacks, queue redelivery, scheduler or batch reruns, double clicks, app restarts, timeout recovery, external API callbacks, or duplicate business commands that can apply the same logical operation more than once | `.mustflow/skills/idempotency-integrity-review/SKILL.md` | Operation identity ledger, side-effect ledger, durable dedupe evidence, duplicate response policy, concurrency and recovery evidence, queue/webhook/scheduler/batch evidence, test evidence, and configured command intents | Durable idempotency records, request body hash checks, user and tenant binding, operation-type and target-resource binding, unique constraints, atomic insert-or-return behavior, state guards, affected-row checks, inbox and outbox records, applied-event ledgers, provider result lookup, response replay, processing lease recovery, focused duplicate tests, and directly synchronized docs or templates | POST-only assumption, idempotency key without durable storage, key not bound to payload or actor, memory-only or Redis-TTL-only dedupe, app-only `exists` then `insert`, missing unique index, duplicate success response drift, failed-attempt caching mistake, timeout treated as failure, external API before local operation record, provider idempotency used as internal proof, unconditional status update, duplicate increment, DELETE side-effect replay, GET hidden mutation, queue ack before durable commit, queue redelivery damage, webhook replay or stale event overwrite, scheduler rerun duplication, missing outbox or inbox, double compensation, stuck `PROCESSING`, lock-only proof, frontend-only debounce, or missing duplicate-path tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Idempotency boundary reviewed, logical operation and duplicate sources mapped, operation identity/payload/response/recovery evidence, durable dedupe and side-effect findings, tests or evidence level, verification, and remaining idempotency-integrity risk |
404
+ | Code review or implementation needs retry-policy integrity triage for retry loops, SDK retry configs, client middleware, `while true`, `for (;;)`, recursive retry, `maxAttempts`, `maxRetries`, `maxElapsedTime`, deadline, timeout, sleep, backoff, jitter, `Retry-After`, retry predicates, layered retries, circuit breakers, bulkheads, token buckets, queue redelivery, broker retry, cancellation-aware sleep, or retry observability that can amplify failures, duplicate side effects, hide permanent errors, exhaust pools, or overload dependencies | `.mustflow/skills/retry-policy-integrity-review/SKILL.md` | Retry surface, layered retry ledger, attempt budget, retry predicate, side-effect and idempotency ledger, backoff and jitter policy, overload and throttling evidence, observability and test evidence, and configured command intents | Bounded attempts, max elapsed time, per-attempt timeout, total deadline, cancellation propagation, retry predicates, exponential backoff with jitter, `Retry-After` parsing and clamping, idempotency key reuse, dependency-specific policy, retry wrapper diagnostics, per-attempt logs and metrics, focused retry tests, and directly synchronized docs or templates | retry amplification, infinite retry, capped backoff without stop condition, timeout gap for DNS, TLS, pool wait, streaming, or parsing, fixed-sleep herd behavior, broad catch-and-retry, permanent error retry, unknown-outcome replay, new idempotency key per attempt, key not bound to actor or payload, retry inside transaction or lock, pool starvation, unlimited parallel retry, stale per-key failure counter, global limiter unfairness, wrong circuit breaker or bulkhead order, wrapper losing cause/status/retry-after/request id, committed-response retry, non-replayable streaming body retry, app-plus-broker retry multiplication, cancellation-ignoring sleep, generic dependency policy, missing retry metrics, or happy-path-only retry tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Retry policy boundary reviewed, layer multiplication and attempt budget mapped, timeout/backoff/predicate/idempotency/throttling findings, evidence level, verification, and remaining retry-policy-integrity risk |
405
+ | Code review or implementation needs queue-processing integrity triage for queues, streams, pub/sub handlers, workers, task runners, consumers, producers, webhook handoffs, DLQ replayers, retry workers, ack, nack, reject, delete, visibility timeout, offset commit, publisher confirm, prefetch, batch commit, rebalance, FIFO message group, deduplication, or worker-loss behavior that can lose messages, duplicate side effects, hide poison messages, reorder state, exhaust consumers, or falsely claim processing success | `.mustflow/skills/queue-processing-integrity-review/SKILL.md` | Broker and delivery model, success boundary, producer boundary, consumer state ledger, failure and retry policy, concurrency and ordering evidence, observability evidence, test evidence, and configured command intents | Settlement timing, publisher confirmation, outbox or inbox record, durable message key, conditional state transition, bounded retry and DLQ policy, visibility extension, prefetch and concurrency bounds, rebalance handling, shutdown drain, focused queue replay tests, and directly synchronized docs or templates | ack-before-work, catch-and-ack, finally-ack, auto-ack, stale receipt handle, premature offset commit, batch partial-failure skip, unbounded requeue, poison-message loop, unsafe visibility timeout, in-flight saturation, FIFO group misuse, worker-loss false success, producer publish split, side-effect duplication, missing rebalance fence, unlimited parallelism, DLQ bucket without replay policy, or missing decision-point observability | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Queue processing boundary reviewed, broker model and settlement evidence, producer/consumer/retry/DLQ/order/concurrency findings, evidence level, verification, and remaining queue-processing-integrity risk |
406
+ | Code review or implementation needs transaction-boundary integrity triage for transactions, ORM atomic blocks, unit-of-work code, database write paths, service workflows, command handlers, webhook processors, queue consumers, framework transaction annotations, isolation levels, lock usage, rollback behavior, after-commit side effects, outbox patterns, retry handling, or transactional tests that can break a business invariant even when a transaction exists | `.mustflow/skills/transaction-boundary-integrity-review/SKILL.md` | Business invariant, transaction boundary, decision ledger, durable guard evidence, framework behavior, side-effect ledger, failure and retry evidence, test evidence, and configured command intents | Whole read-decision-write transaction boundaries, durable constraints, atomic upsert or conditional update, affected-row checks, version checks, correct lock target, transaction narrowing, after-commit or outbox side effects, idempotent retry classification, focused tests, and directly synchronized docs or templates | app-only `exists()` or `count` guard, stale read-decision-write, absent-row `FOR UPDATE` gap, `SKIP LOCKED` consistency misuse, READ COMMITTED snapshot myth, REPEATABLE READ engine mismatch, SERIALIZABLE without full retry, deadlock or serialization failure treated as plain 500, swallowed rollback trigger, Spring `rollbackFor` miss, self-invocation bypass, `readOnly` write assumption, inner rollback-only surprise, `REQUIRES_NEW` pool pressure, `NESTED` savepoint confusion, Django nested `atomic()` durability myth, pre-commit email/cache/queue side effect, HTTP API inside transaction, Hibernate flush-as-commit confusion, SQLAlchemy implicit transaction surprise, missing optimistic lock, advisory lock scope leak, wrong transaction manager, or transactional test hiding commit behavior | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Transaction boundary reviewed, invariant and decision ledger, durable-guard/lock/isolation/retry/rollback/side-effect findings, evidence level, verification, and remaining transaction-boundary integrity risk |
407
+ | Code review or implementation needs testability-boundary triage for hidden decision inputs, direct time or randomness, direct I/O, constructor side effects, static or singleton state, oversized private logic, branch policy sprawl, boolean mode flags, broad option objects, implicit environment or request context, void side effects, swallowed errors, log-only outcomes, cache order dependence, ORM lazy loading, transaction and external-call coupling, hidden event publication, fire-and-forget async work, real-time retry waits, nondeterministic collection order, hidden defaults, mixed validation and policy, scattered authorization, framework magic, smart controllers, conditional DTO mapping, mock-heavy classes, call-order assertions, inheritance coupling, or reflection-only tests | `.mustflow/skills/testability-boundary-review/SKILL.md` | User goal, current diff or target files, behavior or decision under test, decision-input ledger, side-effect ledger, observability ledger, test friction evidence, and configured command intents | Explicit inputs, fixed clocks or generators, dependency seams, pure decision cores, shell and adapter boundaries, policy or strategy tables, observable results, deterministic ordering, focused tests, and directly synchronized docs or templates | hidden time/random, constructor work, global state, fat private method, boolean mode flags, broad option object, void side effect, swallowed or log-only failure, cache order dependence, ORM lazy loading, transaction/external call coupling, hidden event publication, fire-and-forget sleeps, real-time retry wait, nondeterministic order, hidden defaults, mixed validation/policy, scattered auth, framework magic, smart controller, conditional DTO policy, five or more mocks, fragile call-order tests, deep inheritance, or reflection-only tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Testability boundary reviewed, decision inputs and side effects exposed, observability fixed or recommended, test friction evidence, verification, and remaining testability risk |
132
408
  | A coding task has missing intent, scope, domain, data, security, UX, dependency, architecture, or verification decisions that cannot be safely inferred from repository evidence | `.mustflow/skills/clarifying-question-gate/SKILL.md` | User request, inspected repository evidence, unresolved decisions, reversibility classification, recommended option, and tradeoffs | Blocking questions, safe assumptions, and the smallest safe implementation boundary | over-questioning, lazy questions, expensive wrong assumptions, user-owned decision drift, data loss, auth bypass, public-contract drift, dependency bloat, or unverifiable completion | `changes_status`, `changes_diff_summary`, `mustflow_check` | Repository evidence inspected, blocking questions with recommendations, safe assumptions, selected scope, verification, and remaining ambiguity |
133
409
  | A task chooses, migrates, rewrites, or justifies a primary language, runtime, framework, compile target, or execution environment | `.mustflow/skills/runtime-target-selection/SKILL.md` | Current runtime surfaces, target options, product or system need, environment constraints, migration boundary, smoke targets, and performance or reliability claims | Decision records, skill procedures, route metadata, migration plans, command-contract proposals, tests, fixtures, docs, and smallest selected migration scaffold | language-preference rewrite, unsupported runtime target, unusable build loop, cache or artifact blowup, missing smoke target, deployment drift, or false performance claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_related`, `test_release`, `mustflow_check` | Decision boundary, candidate targets, environment and build-loop evidence, smoke targets, migration boundary, calibrated claims, verification, and remaining runtime-target risk |
134
410
  | Non-trivial code work needs early structure decisions around domain rules, public contracts, external I/O, operational safety, failure handling, concurrency, data flow, or future change cost | `.mustflow/skills/structure-first-engineering/SKILL.md` | User request, target files, project context, core boundary, data flow, expected failures, public contracts, I/O surfaces, and verification contract | Risk block, focused boundaries, DTOs, adapters, pure functions, error models, tests, and directly synchronized docs or contracts | under-designed hard boundary, speculative abstraction, vague service layer, mixed I/O and domain rules, hidden partial failure, or untestable behavior | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Work risk, structure decision, data flow, failure model, I/O and concurrency boundaries, tests, verification, and remaining structure risk |
@@ -151,6 +427,11 @@ routes. Event routes stay inactive until their event occurs.
151
427
  | Source anchors are added, revised, reviewed, or used to mark a module boundary | `.mustflow/skills/source-anchor-authoring/SKILL.md` | Target files, anchor reason, nearby anchors, source-anchor policy, and validation surface | Source anchors and directly related workflow docs or comments | comment bloat, authority drift, false verification claims, or hidden module pressure | `mustflow_check`, `docs_validate_fast` | Anchor placement decision, field choices, module-boundary handoff, and verification |
152
428
  | Changed files need risk classification and verification selection | `.mustflow/skills/diff-risk-review/SKILL.md` | Changed-file list, diff summary, and task goal | Changed surfaces and verification report | under- or over-verification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Risk level, verification choice, rollback notes |
153
429
  | Runtime performance, hot paths, user-perceived latency, p95/p99 tail latency, throughput, infrastructure cost, memory, GC pressure, CPU cache locality, allocation churn, bundle size, payload size, HTTP delivery, compression, streaming latency, media loading, build time, filesystem scanning, process spawning, IPC/RPC/DB/API fan-out, N+1 work, repeated filtering/sorting/parsing/serialization, caching, pagination, queues, virtualization, backpressure, or performance claims are planned, edited, reviewed, or reported | `.mustflow/skills/performance-budget-check/SKILL.md` | Performance surface, hot-path shape, input scale, measurement method, baseline and result when available, correctness boundaries, isolation surface, and command contract entries | Data access, lookup indexes, grouping, projection, batching, scheduling, rendering, cache boundaries, queues, concurrency limits, cancellation, measurements, docs, tests, and directly synchronized templates | invented budgets, stale measurements, hidden O(n²), misleading Big-O or data-structure claims, N+1 queries or RPC, unbounded materialization, repeated serialization, object churn, GC pressure, broad rerender, false compression win, buffered stream latency, cache stampede, key explosion, queue backlog, pool exhaustion, stale async result, or speed-over-correctness tradeoff | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Hot path, ROI priority, cost multiplier, measurement or complexity evidence, semantic preservation, optimization applied, verification, and remaining performance risk |
430
+ | Installed app startup needs launch-path review for Android, iOS, React Native, Flutter, Tauri mobile, Electron, desktop app shells, cold start, warm start, hot start, splash, first frame, fully usable state, TTID, TTFD, `reportFullyDrawn()`, Android Vitals, Xcode Organizer, Instruments, Application or AppDelegate work, ContentProvider auto-init, AndroidX App Startup, dependency injection graph creation, SDK initialization, static initializers, main-thread disk or network work, cached startup snapshots, auth or config gates, launch migrations, first-screen layout or assets, custom fonts, Baseline Profile, Startup Profile, Macrobenchmark, Perfetto, Hermes, import graphs, deferred components, shader warmup, on-demand modules, and post-first-frame work queues | `.mustflow/skills/app-startup-performance-review/SKILL.md` | Startup scope ledger, measurement ledger, launch critical-path ledger, main-thread blocking ledger, first usable state ledger, first-screen render ledger, deferred work ledger, platform optimization ledger, existing tests, package surfaces, synchronized docs or templates, and configured command intents | Application or AppDelegate cleanup, auto-init control, lazy or scoped DI and SDK setup, static initializer cleanup, main-thread I/O removal, cache snapshot startup, auth or config gate deferral, maintenance-work scheduling, first-screen simplification, asset and font reductions, Android startup profiles, iOS launch tooling, hybrid import or preload cleanup, deferred queue ownership, startup tests, and directly synchronized docs or templates | splash masking, early `reportFullyDrawn()` metric gaming, debug-only measurement, simulator-only or flagship-only startup claims, app delegate warehouse, ContentProvider surprise init, eager DI graph construction, SDK auto-init, static initializer cost, main-thread disk or network, network-first startup dependency, launch migration or cleanup stall, heavy first screen, oversized launch asset, custom font bloat, React Native top-level import bloat, Flutter shader surprise, unowned deferred work, or missing release/device/profiler evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | App startup boundary reviewed, first frame and fully usable state, measurement evidence, critical path findings, lazy-init and defer decisions, platform tooling, verification, and remaining app-startup performance risk |
431
+ | Desktop background process stability needs recovery review for Windows services, SCM failure actions, preshutdown handlers, service SIDs, Session 0 boundaries, scheduled tasks, macOS LaunchDaemons or LaunchAgents, launchd daemon or agent placement, launchd-managed helpers, Linux systemd user or system units, restart policy, start-rate limits, Electron main or utility processes, WebView helpers, tray apps, sync workers, local daemons, auto-start helpers, updaters, crash recovery, durable checkpoints, single-instance locks, data-directory locks, stale locks, OS supervisor configuration, restart backoff, PID-only health checks, progress heartbeats, job leases, idempotent jobs, atomic file writes, shutdown-only persistence, exit-code semantics, UI and worker lifecycle separation, sleep or resume, monotonic time, local IPC authorization, environment and working-directory determinism, least privilege, early logs, crash reporting, update drain, lifecycle tests, or safe mode | `.mustflow/skills/desktop-background-process-stability-review/SKILL.md` | Process ledger, recovery ledger, instance ledger, supervisor ledger, health ledger, lifecycle ledger, security ledger, existing tests, telemetry or crash evidence, package surfaces, synchronized docs or templates, and configured command intents | Durable checkpoints, startup recovery, stale-lock cleanup, data-directory locks, early single-instance lock acquisition, lease states, idempotency keys, atomic write-temp/flush/fsync/rename paths, progress health checks, heartbeats with job and offset fields, supervisor restart backoff and start-rate limits, user-stop versus crash-restart state, UI/worker process split, launchd daemon/agent placement, Session 0 IPC separation, sleep/resume revalidation, monotonic timers, IPC ACLs and schema versions, explicit environment, least-privilege service configuration, early crash/log setup, update drain, safe mode, lifecycle tests, and directly synchronized docs or templates | immortal-process fantasy, memory-only progress, restart that re-enters corruption, late single-instance lock, process lock mistaken for resource lock, one processing boolean, duplicate side effect after lease recovery, half-written local JSON, shutdown-hook-only persistence, hand-rolled mini supervisor, unbounded crash loop, user stop ignored by scheduled restart, PID-as-health, `last_seen_at` heartbeat theater, UI and worker lifecycle tangle, service UI from Session 0, daemon/agent mismatch, daemonizing under launchd, boot-order network assumption, wall-clock lease timer, trusted localhost IPC, inherited PATH or working directory, overprivileged helper, missing early startup logs, crash reporter started too late, one-shot migration, update deletes rollback path too early, untested sleep/resume, or no safe mode | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Desktop background process stability boundary reviewed, process/recovery/instance/supervisor/health/heartbeat/lease/atomic-write/shutdown/platform/power/time/IPC/environment/privilege/logging/crash/update/lifecycle/safe-mode findings, verification, and remaining desktop background stability risk |
432
+ | Desktop automatic update safety needs review for Electron autoUpdater, electron-builder feeds, Squirrel.Windows first-run locks, Sparkle appcasts, Tauri updater, macOS signed or notarized updates, Windows installers, Linux desktop packages, update endpoints, immutable artifacts, `.sig`, `.blockmap`, `latest.yml`, `latest.json`, `appcast.xml`, metadata pointer order, CDN cache policy, staged rollout, deterministic canary buckets, alpha/beta/stable channels, update kill switches, remote disable policy, signatures, hash verification, signing-key custody, key rotation, certificate expiry, notarization gates, single-flight update checks, quit-and-install timing, skipped-version upgrade paths, same-version republish recovery, updater telemetry, crash gates, or installed-app update smoke tests | `.mustflow/skills/desktop-auto-update-safety-review/SKILL.md` | Updater stack ledger, state-machine ledger, artifact ledger, trust ledger, rollout ledger, installed-client ledger, observability ledger, current updater code or release metadata, package surfaces, synchronized docs or templates, and configured command intents | Check/download/verify/stage/apply/relaunch state machines, immutable artifact names, artifact-before-metadata publishing order, latest pointer cache rules, signature and hash verification, signing-key custody, key rotation practice, certificate and notarization gates, physical channel separation, deterministic staged rollout, jitter and backoff, server-side no-update kill switch, single-flight update checks, Squirrel first-run delay, quit-and-install safety, installed old-version upgrade matrix, idempotent local migrations, old artifact retention, update telemetry, crash-free rollout gates, and directly synchronized docs or templates | remote code execution treated as convenience, mutable published artifact, metadata-before-artifact 404 wave, stale CDN latest pointer, hash or signature mismatch, release-server private key, unpracticed key rotation, certificate expiry surprise, stable client reading beta feed, random per-request canary, no kill switch, broken updater requires updater update, duplicate `checkForUpdates()` downloads, first-run installer lock, forced restart data loss, dev-mode updater test, skipped-version migration break, same-version hotfix fantasy, deleted old delta, download-complete-as-success, or missing installed-app smoke evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Desktop auto-update boundary reviewed, updater stack/state/artifact/trust/rollout/installed-client/migration/telemetry/kill-switch findings, verification, skipped updater diagnostics, and remaining desktop auto-update risk |
433
+ | Low-end or constrained-device support needs capability-budget review for Android Go, low-RAM Android, older iOS, React Native, Flutter, Tauri mobile, Electron, desktop app shells, runtime memory class, `isLowRamDevice()`, `getMemoryClass()`, cold-start frequency, peak memory, LMK, iOS dirty memory, `onTrimMemory()`, memory warnings, image decode sizes, GIF or Lottie cost, list virtualization, Compose recomposition, SwiftUI body work, main-thread work, frozen frames, blur, shadow, gradient, SDK diet, remote config defaults, network fan-out, disk writes, cache limits, DB paging and indexes, background work, polling, sensors, permissions, bottom-percentile device measurement, or product-level p90 budgets | `.mustflow/skills/low-end-device-support-review/SKILL.md` | Target-device ledger, measurement ledger, product budget ledger, startup and first-screen ledger, memory-pressure ledger, rendering and list ledger, data, network, and disk ledger, SDK and background ledger, existing tests, package surfaces, synchronized docs or templates, and configured command intents | Runtime capability detection, low-end mode switches, cache bounds, image decode sizing, first-screen local defaults, skeleton or cached data paths, SDK deferral, remote config fallback, API field reduction, request fan-out limits, screen-level concurrency queues, list virtualization, animation reduction, memory-warning cleanup, disk-write batching, database paging and indexes, background-work constraints, polling removal, sensor stop paths, low-end telemetry, focused tests, and directly synchronized docs or templates | model blacklist shortcut, splash masking, missing local defaults, hidden ContentProvider auto-init, eager SDK setup, remote-config blocking, first-screen API fan-out, main-thread decode or parsing, frozen frames, layout-property animation, repeated blur or shadow, peak memory spike, no-op memory warning, unbounded cache, original-size thumbnail decode, GIF decoration, unstable list key, heavy Compose or SwiftUI body work, overfetching DB query, giant JSON rewrite, polling, sensor left on, first-run SDK bloat, or missing weak-device evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Low-end device support boundary reviewed, target-device baseline, budgets, capability detection, startup, memory, rendering, list, data, network, disk, background, sensor, SDK, degradation, evidence level, verification, and remaining low-end support risk |
434
+ | Mobile app code needs energy-efficiency triage for Android, iOS, React Native, Flutter, Tauri mobile, background work, WorkManager, JobScheduler, BackgroundTasks, foreground services, `beginBackgroundTask`, wake locks, exact alarms, Doze, App Standby, push, WebSockets, polling, network batching, cellular or constrained networks, location, geofencing, sensors, Bluetooth, rendering, animation, timers, disk I/O, Compose recomposition, Low Power Mode, Battery Saver, or platform energy diagnostics where the app may wake the phone, radio, GPS, sensors, GPU, CPU, or storage without enough user value | `.mustflow/skills/mobile-energy-efficiency-review/SKILL.md` | Energy evidence ledger, user-value ledger, background work ledger, wakeup and radio ledger, location, sensor, and Bluetooth ledger, rendering and UI ledger, timer and storage ledger, platform power-mode ledger, observability and test evidence, and configured command intents | Lifecycle cancellation, WorkManager or JobScheduler constraints, BackgroundTasks usage, wake lock timeout and release paths, exact alarm justification, push priority, network batching, connectivity callbacks, cellular and constrained-network policy, location accuracy and interval, geofence responsiveness, background-location stop behavior, sensor or BLE stop behavior, render throttling, animation stop, frame-rate lowering, timer tolerance, disk I/O batching, low-power degradation, focused tests, and directly synchronized docs or templates | unmeasured battery claim, visible-only work kept after screen disappear, unbounded background service, exact periodic sync fantasy, exact alarm misuse, wake lock without timeout or release, high-priority push for invisible prefetch, app-owned background WebSocket, polling, many tiny network requests, cellular treated as Wi-Fi, high-accuracy location by default, forgotten continuous location, instant geofence marketing, background location left enabled, route tracking without batching, sensor or BLE scan leak, offscreen animation, overdraw, blur or shadow overuse, high FPS decoration, infinite loader, unstable Compose model, zero-tolerance timer, per-keystroke disk write, low-power blindness, or missing start/stop telemetry | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Mobile energy boundary reviewed, measurement/user-value/background/wakeup/network/location/sensor/render/timer/storage/low-power findings, evidence level, verification, and remaining mobile-energy risk |
154
435
  | New feature, ambiguous or complex design request, pre-implementation design gate, module, folder layout, architecture, scaffold, refactor, routing, data model, frontend/backend/database/infrastructure choice, database engine choice, managed database extension choice, auth identity ownership, public URL contract, data residency policy, runtime patchability, runtime portability, global-ready locale/country/currency/timezone/money model, server-side authorization boundary, file upload or storage strategy, API response contract, content-heavy product, semantic content blocks, filter URL policy, admin operation model, cache strategy, content lifecycle, asset strategy, claim or fact registry, content graph, source collection flow, user-state layer, core/application/delivery/infra boundary, framework-magic boundary, core versus auxiliary path boundary, operational versus analytics boundary, HTTP-to-worker boundary, job or outbox model, backup/restore assumption, vendor or platform exit path, external-service truth ownership, search/queue/log/analytics portability, operational reproducibility, observability identifier flow, deployment-state portability, CI/CD dashboard dependency, ecosystem or maintainer-risk placement, multi-server state boundary, vertical-to-horizontal scaling boundary, AI usage cost boundary, AI gateway hard-limit boundary, pricing-growth boundary, failure-isolation boundary, or external service integration may require hidden structure decisions before coding | `.mustflow/skills/structure-discovery-gate/SKILL.md` | User request, intended capability, design gate classification, restated requirement, success criteria, non-goals, compatibility boundaries, hidden assumptions, named technologies or services, future content/API/rendering/data assumptions, database operating-shape assumptions, managed database feature assumptions, identity and provider-id assumptions, public URL assumptions, data location assumptions, runtime patch and portability assumptions, delivery/application/core/infra assumptions, global data assumptions, authorization assumptions, file-storage assumptions, source/provenance assumptions, lifecycle/asset/claim assumptions, user-state assumptions, admin/cache assumptions, core path and auxiliary path assumptions, async work assumptions, restore assumptions, vendor exit and replacement assumptions, external-service source-of-truth assumptions, search/queue/log/analytics reconstruction assumptions, operating-state reproduction assumptions, observability identifier assumptions, CI/CD reproducibility assumptions, dependency ecosystem and maintainer assumptions, pricing value/cost unit assumptions, failure-policy assumptions, AI gateway or cost assumptions, and relevant local patterns | Questions, assumptions, proposed file boundaries, and the smallest resulting implementation | brittle structure, vendor-name leakage, migration debt, lock-in debt, provider-id leakage, raw storage URL leakage, weak data location proof, unpatchable runtime, runtime-specific core logic, framework business-rule coupling, SaaS-only core state, weak search or queue reconstruction, weak global data model, weak server authorization, process-memory state leak, untracked AI cost, provider-budget-only AI protection, value/cost pricing mismatch, hidden dashboard deployment state, fragile single-maintainer core dependency, hidden operating state, broken traceability, file/storage drift, screen-shaped API coupling, core-path coupling, retry or worker coupling, unbounded failure radius, over-questioning, or speculative abstraction | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Design gate classification, restated requirement, success criteria, blocking questions, recommended defaults, assumptions, proposed files and responsibilities, upfront versus deferred structure decisions, borrowed service versus owned contract boundary, dependency direction, database, identity, public URL, data residency, runtime patchability and portability, global data, authorization, file-storage, API, vendor exit, external-service truth ownership, search/queue/log/analytics portability, operational reproducibility, CI/CD reproducibility, dependency risk, observability identity flow, pricing value/cost boundary, AI gateway boundary, core/application/delivery/infra boundaries, core and auxiliary boundaries, async work boundary, local pattern, verification, and remaining structure risk |
155
436
 
156
437
  ### Tests and Regression
@@ -180,6 +461,9 @@ routes. Event routes stay inactive until their event occurs.
180
461
  | --- | --- | --- | --- | --- | --- | --- |
181
462
  | Environment variables, config keys, secrets, public env prefixes, build-time or runtime config, config schemas or parsers, feature flags, deployment variables, CI secrets, Docker or Compose env, Kubernetes ConfigMaps or Secrets, Cloudflare bindings, Vite, Next.js, Astro, SvelteKit, Tauri, Node, Bun, generated env types, `.env` examples, config docs, or config validation behavior are created, changed, reviewed, or reported | `.mustflow/skills/config-env-change/SKILL.md` | Key name, value meaning, sensitivity, visibility, timing, required environments, owner, default, validation shape, config source of truth, read-first surfaces, platform timing, deployment surfaces, generated types, docs, tests, and command contract entries | Config schemas, parser code, runtime loader wiring, generated type expectations, fake-value env examples, deployment docs, tests, CI or deployment variable names, feature flag defaults, redacted validation errors, and deprecation notes | secret leak, public-prefix misuse, build-time/runtime confusion, stale deploy config, missing `.env.example`, unchecked raw env read, boolean truthiness bug, unredacted error, stale feature flag, production fallback from local/test, or missing restart/rebuild/rollout note | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Keys or flags changed, sensitivity, visibility, timing, required action after value change, source of truth, synchronized surfaces, public/private boundary, redaction notes, build/runtime classification, feature flag behavior, verification, and remaining config/env risk |
182
463
  | Authentication, authorization, permission, role, tenant, session, JWT, OAuth/OIDC, API key, route guard, admin, impersonation, database policy, object-level access control, or permission cache behavior is created or changed | `.mustflow/skills/auth-permission-change/SKILL.md` | Actors, principals, tenants, resources, actions, context, auth middleware, sessions, tokens, API keys, route guards, server policy, DB policy, role matrix, audit, and tests | Auth middleware, policy functions, controllers, services, jobs, webhooks, database queries, RLS, UI guards, audit logs, docs, migrations, and tests | authentication treated as authorization, client guard trusted as security, object-level authorization bypass, cross-tenant leak, stale token or cache permission, over-broad admin/API-key scope, or missing denial tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Auth/authz boundary, principal/tenant/resource/action/context, policy source of truth, server/database enforcement, client UX-only guards, denial coverage, verification, and remaining permission risk |
464
+ | API security review needs api-access-control triage for BOLA or IDOR, broken authentication, object-level authorization, object-property authorization, function-level authorization, request-supplied user, tenant, role, or owner identifiers, tenant isolation, scoped admin, list/detail mismatch, write permissions, mass assignment, DTO exposure, client-only admin, temporary public holes, router order, GraphQL resolvers, batch APIs, exports, downloads, previews, signed storage URLs, cache keys, async job revalidation, webhook ownership mapping, OAuth or OIDC confusion, JWT verification, stale token claims, session rotation, cookie flags, reauthentication, reset tokens, account enumeration, automation defense, internal identity planes, or denial-case matrices | `.mustflow/skills/api-access-control-review/SKILL.md` | User goal, current diff or target files, subject-object-action-context ledger, object authorization ledger, property authorization ledger, function authorization ledger, authentication proof ledger, denial evidence, and configured command intents | Server-side object checks, tenant-scoped lookups, relationship checks, function-level checks, property allowlists, DTO mappers, signed URL scoping, cache-key dimensions, worker revalidation, webhook ownership mapping, token/session/cookie hardening, reauthentication gates, enumeration-safe responses, rate limits, audit logs, focused denial tests, and directly synchronized docs or templates | login-as-authorization, request-owned identity trust, findById before owner check, role-only admin, list/detail authorization drift, read/write permission confusion, mass assignment, entity DTO leak, client-only admin, permitAll leak, route shadowing, resolver bypass, batch item bypass, export/download bypass, signed URL bypass, tenantless query or cache, stale queue permission, webhook ownership confusion, OAuth/OIDC token confusion, decoded-but-unverified JWT, stale token claim, session fixation, weak cookie, missing reauth, reusable reset token, account enumeration, automation abuse, internal account exposure, or happy-path-only auth tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | API access control reviewed, subject/object/action/field/tenant map, object/property/function/auth findings, fixes or recommendation, denial evidence, verification, and remaining API access-control risk |
465
+ | File upload, import, attachment, direct-to-storage upload, remote file fetch, archive extraction, thumbnail, preview, image resize, OCR, media transcode, document conversion, antivirus scan, CDR, file metadata, storage key, public file URL, signed upload URL, signed download URL, CDN delivery, file download, uploaded filename display, or file lifecycle test needs file-upload-security triage across validation, storage, processing, serving, and cleanup | `.mustflow/skills/file-upload-security-review/SKILL.md` | User goal, current diff or target files, upload entrypoint ledger, file identity ledger, validation ledger, processing ledger, serving ledger, existing tests or abuse cases, storage policy evidence, and configured command intents | Server-side type allowlists, decoded and normalized filename checks, generated storage keys, path containment checks, overwrite protection, upload size and count limits, quota checks, quarantine states, scanner gates, parser sandboxing, archive extraction guards, CSV formula neutralization, metadata stripping, image rewriting, signed URL constraints, download authorization, response headers, filename encoding, audit logs, cleanup rules, focused denial tests, and directly synchronized docs or templates | client-only file restriction, trusted MIME label, extension check before normalization, blocklist-only type policy, original-name-only validation, user-controlled storage key, path traversal, long-name exception leak, overwrite or key guessing, executable web-root storage, web-server handler execution, magic-byte theater, polyglot file, metadata payload, active SVG or HTML, unsafe PDF or Office preview, Zip Slip, decompression bomb, CSV formula injection, remote fetch SSRF, scan-after-publication gap, unsandboxed parser, weak presigned URL policy, direct-to-storage pre-scan publication, tenant key collision, missing download authorization, unsafe response header, filename XSS or header injection, chunk assembly bypass, quota bypass, orphan file leak, or happy-path-only upload tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | File upload security reviewed, upload/file identity/storage/validation/processing/serving/cleanup map, findings, fixes or recommendation, denial evidence, verification, and remaining file-upload security risk |
466
+ | Code review or implementation needs security-flow triage by tracing values from source to sink across authorization, object ownership, tenant scoping, IDOR or BOLA risk, list/detail/export scope, state-changing permissions, mass assignment, admin-only surfaces, cache keys, sort/filter/field injection inputs, ORM raw paths, shell wrappers, SSRF, file upload and extraction, path traversal, XSS, CSRF, OAuth, reset tokens, JWTs, cookies, cryptography, logs, fail-open error handling, queued work, race conditions, or supply-chain and CI/CD paths | `.mustflow/skills/security-flow-review/SKILL.md` | User goal, current diff or target files, security claim, source-to-sink map, actor and resource map, read and write surfaces, framework escape hatches, existing tests or scanner findings, and configured command intents | Server-side ownership checks, tenant-scoped queries, allowlisted updates, cache-key dimensions, URL and path validation, parser or renderer boundaries, upload and extraction limits, token validation, cookie flags, fail-closed error handling, queue revalidation, idempotency, focused tests, and directly synchronized docs or templates | dangerous-keyword theater, authentication treated as authorization, UUID-as-lock assumption, list/detail scope drift, export over-disclosure, state change via raw body status, mass assignment, frontend-only admin gate, cache viewer leak, ORDER BY injection, ORM raw escape hatch, shell wrapper injection, SSRF, unsafe upload preview, Zip Slip, decompression bomb, path traversal, XSS, CSRF, weak OAuth state, reset-token reuse, stale JWT claims, broad cookie domain, custom crypto, token or PII logging, missing security logs, fail-open permission, stale queued permission, duplicate money or entitlement effect, postinstall or CI secret exposure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Security flow reviewed, source/sink/actor/resource/tenant map, authorization and ownership notes, input/file/network/browser/token/cookie/crypto/log/fail-open/async/race/cache/supply-chain findings, fixes or recommendation, tests or invariant evidence, verification, and remaining security-flow risk |
183
467
  | Code, configuration, docs, templates, logs, telemetry, traces, baggage, behavior analytics, credentials, data flows, data residency policy, region or processing-location claims, AI-generated code, authentication, authorization, client-only permission checks, admin operations, audit logs, cache policy, cache-as-authority decisions, claim or policy data, comparison or affiliate data, user-generated content, sessions, tokens, uploads, downloads, signed URLs, API responses, webhooks, job queues, external API call records, external requests, third-party data-use terms, runtime security patch policy, deployment settings, dependencies, cryptography, secure transport, scanner gates, security invariants, or agent configuration affect secrets, personal data, retention, access control, vendor disclosure, or external disclosure | `.mustflow/skills/security-privacy-review/SKILL.md` | Changed files, sensitive surfaces, actor and resource owner, data-owner boundary, data residency and processing-location boundary, runtime patch boundary, AI gateway or budget boundary, server-side authorization rule, file upload/download boundary, API response field boundary, behavior analytics surface, trace or baggage surface, webhook or external-call record surface, admin operation surface, audit-log surface, cache visibility and authority policy, claim or affiliate policy surface, session or token surface, external target, dependency source, third-party data-use or terms surface, cryptography or transport surface, scanner evidence, agent-tool permission, deployment setting, project secret and privacy rules, public or packaged surfaces, and command contract entries | Sensitive data handling, authorization, admin operations, data residency, runtime patchability, AI budget records, behavior analytics, observability identifiers, webhook receipts, external-call records, dead-letter records, audit logs, shared-cache behavior, cache-authority behavior, claim and affiliate disclosure, sessions, tokens, inputs, files, signed URLs, API responses, logs, receipts, generated state, docs, templates, package metadata, deployment settings, and reports | secret leak, personal-data exposure, access-control bypass, client-trusted role or owner value, unsafe admin action, private file exposure, over-broad API response, shared-cache leak, unsafe cache authority, unprovable data location, unpatchable runtime, privacy-heavy telemetry, unsafe baggage propagation, unsafe webhook payload retention, unsafe external request, supply-chain drift, weak cryptography, insecure transport, over-privileged agent, risky third-party terms, or misleading privacy claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sensitive surfaces reviewed, data residency, runtime patchability, AI hard-limit, behavior analytics, observability, and audit boundaries, webhook, external-call, and dead-letter boundaries, cache authority and disclosure boundaries, assumptions checked, disclosure and retention paths, authorization, file, API response, third-party terms, and external-boundary notes, verification, and remaining security or privacy risk |
184
468
  | Real or plausible secrets, tokens, credentials, private keys, passwords, session values, service-account values, connection strings, signing secrets, webhook secrets, certificate keys, recovery codes, or production-like credential material appear in files, artifacts, logs, command output, screenshots, fixtures, docs, templates, package output, caches, run receipts, or final reports | `.mustflow/skills/secret-exposure-response/SKILL.md` | Exposure surface, secret type without value, tracked/generated/public/package status, allowed remediation scope, rotation or revocation boundary, and command contract entries | Redaction, omission, placeholder replacement, docs, fixtures, templates, examples, package inputs, generated artifacts, and final report wording | repeated exposure, false fake-value claim, redaction mistaken for revocation, package leak, screenshot leak, history exposure, or secret printed in reports | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Exposure surfaces reviewed, secret value omitted, remediation made, remaining rotation/revocation/history/external risks, verification, and remaining exposure risk |
185
469
  | Security-sensitive behavior changes need abuse-case regression tests | `.mustflow/skills/security-regression-tests/SKILL.md` | Changed boundary, actors, resource ownership, state-changing route, token, file, cryptography, transport, scanner, or invariant behavior, business rule, and expected deny behavior | Test files and related security boundary source | false confidence, happy-path-only coverage, unsafe authorization, token, file, business-rule, cryptography, transport, deployment, or invariant coverage | `test`, `test_related`, `test_audit`, `lint`, `build` | Security boundary, abuse case, defensive test data, tests added or reused, and remaining risks |
@@ -191,7 +475,11 @@ routes. Event routes stay inactive until their event occurs.
191
475
  | Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
192
476
  | --- | --- | --- | --- | --- | --- | --- |
193
477
  | Database schema, database engine choice, managed database extension or provider feature, SQLite or PostgreSQL suitability, query, transaction, ORM model, repository/store, index, cache-backed read model, read/write model, content metadata, content blocks, content graph, lifecycle states, versioned records, ledgers, job tables, outbox events, inbox events, idempotency records, processed webhook records, external API call records, provider intent records, manual recovery records, taxonomy, filter URL policies, SEO landing records, claim or fact registries, comparison methodologies, affiliate links, source provenance, verification state, behavior analytics events, core event stores, search document metadata, queue recovery metadata, semantic export/import data, provider id mappings, app-owned identity records, public URL records, data residency records, AI budget or policy records, external-service truth ownership, operational versus analytics data boundaries, cache-as-store decisions, API response projections, public identifiers, data ownership boundaries, admin audit logs, cache invalidation data, user activity state, aggregate cache, hybrid file/database storage, file metadata records, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, database operating model, managed database dependency model, event role, affected tables or stores, storage split, identity and provider-id mapping model, public URL and file-object model, data location model, AI budget and feature-policy model, block/graph/lifecycle/version/ledger/job/outbox/inbox/webhook/provider-call/taxonomy/filter/claim/source/admin/cache/user-state model, export/import and provider-id mapping model, external-service truth model, search/queue/log/analytics data model, operational versus analytics boundary, API projection boundary, file metadata and object-storage boundary, public id rule, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, ledgers, job records, outbox records, inbox records, processed webhook records, external call records, provider intent records, manual recovery records, content metadata, block records, claim records, source records, comparison records, affiliate records, behavior event records, core event records, search source records, projection records, export/import records, provider mapping records, app identity records, public URL records, data residency records, AI budget or feature-policy records, admin audit records, file metadata records, cache records, user-state records, fixtures, tests, docs, and directly synchronized templates | data loss, incomplete export, provider-id lock-in, provider-auth-function lock-in, raw storage URL lock-in, unprovable data location, SaaS-only core fact, stale cache, authorization leak, transaction bug, duplicate side effect, unknown provider outcome, retry drift, missing manual replay record, slow query, N+1 query growth, write-contention blind spot, operational DB reporting overload, file/database drift, provenance drift, search or queue reconstruction gap, aggregate drift, API/DB coupling, cache-invalidation drift, provider-budget-only AI enforcement, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, database operating model, source-of-truth split, managed database dependency, app-owned identity, public URL, data residency, AI budget and policy records, schema/query/transaction review, delete lifecycle, versioning, ledger, job/outbox/inbox/webhook/provider-call/manual-recovery model, export/import and provider-id mapping model, external-service truth model, search/queue/log/analytics ownership, read/write model, behavior/audit event boundary, API projection boundary, file metadata boundary, block/graph/lifecycle/taxonomy/filter/claim/source/admin/cache/user-state checks, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
194
- | Database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, backfills, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback claims, or production database migration procedures are created, changed, reviewed, or reported | `.mustflow/skills/database-migration-change/SKILL.md` | Source schema, target schema, migration files, migration history, generated clients, schema dumps, SQL snapshots, affected queries, deployment shape, database engine, table size or lock assumptions, backfill plan, rollback type, validation query, and command contract entries | Migration files, ORM schemas, generated clients, schema dumps, SQL snapshots, backfill code, validation checks, seeds, fixtures, compatibility code, docs, tests, and directly synchronized examples | data loss, drop-plus-add rename, old/new app incompatibility, unsafe rolling deploy, unbounded backfill, production lock, generated-client drift, migration-history drift, false rollback claim, ORM autogenerate mistake, or destructive contract mixed with expand phase | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration phase, old/new schema compatibility, backfill and validation plan, rollback classification, ORM/generated/schema dump surfaces, dependent surfaces, verification, and remaining database-migration risk |
478
+ | Database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, online DDL, indexes, constraints, backfills, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback or roll-forward claims, cut-over plans, lock or timeout policy, replication lag risk, migration observability, or production database migration procedures are created, changed, reviewed, or reported | `.mustflow/skills/database-migration-change/SKILL.md` | Source schema, target schema, migration files, migration history, generated clients, schema dumps, SQL snapshots, affected queries, deployment shape, database engine, table size, lock and online-DDL assumptions, backfill cursor, rollback or roll-forward type, validation and observability queries, and command contract entries | Migration files, ORM schemas, generated clients, schema dumps, SQL snapshots, backfill code, validation checks, observability notes, seeds, fixtures, compatibility code, docs, tests, and directly synchronized examples | data loss, drop-plus-add rename, old/new app incompatibility, unsafe rolling deploy, unbounded or offset backfill, production lock, silent online-DDL table rewrite, replication lag, uncontrolled cut-over, generated-client drift, migration-history drift, false rollback claim, ORM autogenerate mistake, or destructive contract mixed with expand phase | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration phase, old/new schema compatibility, expand/backfill/switch/contract plan, backfill and validation plan, lock/timeout/replication/cut-over/observability classification, rollback or roll-forward classification, ORM/generated/schema dump surfaces, dependent surfaces, verification, and remaining database-migration risk |
479
+ | Database query review needs to catch bottlenecks visible in the diff, including join fan-out, N+1 calls, over-eager loading, `SELECT *`, unstable `LIMIT`, large `OFFSET`, composite index mismatch, range predicate order, functions or casts on indexed columns, parameter type mismatch, wildcard search, cross-column `OR`, large `IN`, `COUNT(*) > 0`, `NOT IN` with NULL, `LEFT JOIN` filters, aggregation after fan-out, latest-row subqueries, wide sort/group/distinct, JSON filters, missing tenant or soft-delete scope, plan/statistics skew, missing-index advice, or long transactions | `.mustflow/skills/database-query-bottleneck-review/SKILL.md` | Query surface, cardinality shape, repetition shape, index and plan evidence, database and ORM context, correctness boundaries, and configured command intents | Projection narrowing, stable ordering, keyset pagination, batching, explicit loading, database-side joins or aggregation, transaction narrowing, focused tests, and engine-specific index or statistics changes only through matching engine skills | cardinality explosion, ORM N+1, eager-load overfetch, covering-index defeat, nondeterministic page, linear offset scan, composite index stop point missed, function-wrapped column scan, implicit cast, wildcard table scan, OR plan instability, huge IN planning cost, wasted count, NULL logic bug, accidental inner join, DISTINCT hiding fan-out, per-parent latest query, temp sort on wide rows, JSON path scan, tenant-wide scan, stale statistics, bad cached plan, index write-amplification, plan-forcing theater, or lock wait from long transaction | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Query path reviewed, cardinality and repetition ledger, projection/pagination/index/plan/transaction findings, evidence level, verification, and remaining database bottleneck risk |
480
+ | Database JSON, `jsonb`, `json`, metadata, extra, options, settings, attributes, properties, payload, raw payload, event context, dynamic fields, JSON path filters or sorts, generated columns, computed columns, expression indexes, GIN indexes, `jsonb_path_ops`, JSON search indexes, `JSON_VALUE`, `JSON_EXTRACT`, `ISJSON`, schemaVersion, JSON key registries, raw provider payloads, arrays of objects, unbounded maps, or JSON-to-column promotion decisions are introduced, changed, reviewed, or reported | `.mustflow/skills/database-json-modeling-review/SKILL.md` | JSON column role, database engine, key inventory, query and behavior paths, raw-versus-operational split, cardinality and shape, migration compatibility expectations, tests, fixtures, docs, and configured command intents | JSON field contracts, promoted typed columns, child tables, generated/computed columns, check constraints, expression/JSON indexes, key registries, schema versions, repositories, migrations, tests, fixtures, docs, and directly synchronized templates | business state hidden in metadata, status or permission key buried in JSON, tenant or retention key not enforceable, raw payload mistaken for truth, JSON path scan, unbounded object arrays, mutable/static evidence mixed, cross-domain blob, unknown key drift, malformed value drift, engine-specific JSON index overclaim, generated-column migration surprise, old/new writer incompatibility, or missing promotion criteria | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | JSON surface reviewed, role and key inventory, promotion decisions, raw payload versus operational truth split, engine-specific validation/index notes, migration/backfill/compatibility status, evidence level, verification, and remaining JSON modeling risk |
481
+ | Data deletion, soft delete, hard delete, purge, restore, undelete, account deletion, tenant deletion, retention, legal hold, erasure, anonymization, pseudonymization, tombstones, backup residue, PITR, WAL, binlog, transaction logs, object storage cleanup, search or cache deletion, analytics or warehouse deletion, downstream deletion events, bulk delete jobs, partition drops, admin dry runs, or deletion audit behavior is introduced, changed, reviewed, or reported | `.mustflow/skills/deletion-lifecycle-review/SKILL.md` | Deletion class, entity and dependency graph, state model, query and uniqueness model, recovery model, purge and retention model, privacy and audit model, downstream systems, backup/log residue assumptions, and configured command intents | Deletion states, lifecycle columns, constraints, partial indexes, scopes, tombstone tables, purge and restore jobs, downstream deletion records, idempotent workers, audit records, fixtures, tests, docs, and directly synchronized templates | deleted data leaking through queries, `is_deleted` theater, soft-deleted row blocking active uniqueness, unsafe cascade, lost restore scope, id reuse security bug, missing tombstone, legal hold bypass, audit evidence purged, personal data copied into audit logs, backup erasure overclaim, stuck downstream deletion, unbounded bulk delete, tenant offboarding outage, partition-retention drift, or false irreversible-delete claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Deletion surface reviewed, deletion class and state model, dependency and downstream graph, visibility/uniqueness/identity/cascade/legal/audit/restore/purge/backup decisions, evidence level, verification, and remaining deletion lifecycle risk |
482
+ | Database lock contention review needs to catch blocking visible in the diff, including hot rows, mutable counter caches, balance or stock updates, reservation flows, queue table claiming, `SELECT ... FOR UPDATE`, weaker row-lock choices, optimistic version checks, conditional updates, lock order, deadlock retry, MySQL/InnoDB gap or next-key locks, PostgreSQL row-lock variants, SQL Server lock escalation, long transactions, external calls inside transactions, DDL or metadata lock waits, idle-in-transaction blockers, lock timeout policy, connection-pool waits, or lock observability | `.mustflow/skills/database-lock-contention-review/SKILL.md` | Contended resource, workload concentration, database engine and isolation, lock path, index and predicate shape, transaction width, queue claim model, batch size, timeout and retry policy, observability evidence, and configured command intents | Data-shape changes such as ledgers, reservations, sharded counters, materialized summaries, conditional updates, weaker locks, stable lock order, chunked batches, queue shards, timeout policy, focused tests, docs, and directly synchronized templates | hot-row serialization, parent-counter bottleneck, select-then-update race, over-strong `FOR UPDATE`, missing lock-footprint index, gap-lock insert block, metadata-lock surprise, unordered multi-row deadlock, unchunked write outage, queue head contention, hidden FK parent lock, idle transaction blocking DDL, infinite lock wait, pool starvation, unsafe deadlock retry, or missing blocker/waiter evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Lock-contention surface reviewed, contended resource and workload ledger, lock strength/order/index/queue/batch/DDL/timeout/pool/observability findings, evidence level, verification, and remaining database lock-contention risk |
195
483
  | SQLite-specific schema, query, transaction, migration, indexing, extension, WAL, local-file persistence, embedded database, mobile database, browser OPFS/WASM SQLite, cache index, or SQLite runtime behavior is created, changed, reviewed, or reported | `.mustflow/skills/sqlite-code-change/SKILL.md` | SQLite role, runtime and binding, file ownership, storage medium, concurrency shape, schema/type rules, query/index evidence, migration and recovery needs, changed files, and command contract entries | SQLite schema, queries, connection setup, transactions, pragmas, indexes, migrations, fixtures, tests, docs, and directly synchronized templates | wrong runtime assumption, file-lock surprise, WAL overclaim, network filesystem risk, disabled foreign keys, weak type constraints, unsafe raw SQL, query-plan overclaim, sidecar-file data loss, failed migration rebuild, or unverified backup/restore | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | SQLite runtime, storage, WAL/concurrency, schema/type/constraint, query/index, migration, backup/restore, verification, and remaining SQLite risk |
196
484
  | PostgreSQL-specific schema, query, transaction, migration, indexing, extension, role, row-level security, connection pooling, replication, backup, restore, managed Postgres, or Postgres runtime behavior is created, changed, reviewed, or reported | `.mustflow/skills/postgresql-code-change/SKILL.md` | PostgreSQL role, version, provider, extension inventory, topology, pooler, schema/type rules, query-plan evidence, transaction/retry rules, migration and recovery needs, changed files, and command contract entries | PostgreSQL schema, queries, migrations, generated SQL, connection setup, pool settings, roles, RLS policies, extensions, tests, docs, and directly synchronized templates | version drift, provider constraint miss, connection storm, lock or rewrite surprise, unsafe online DDL claim, bad pooler assumption, RLS bypass, search-path risk, extension drift, stale replica read, query-plan overclaim, or unverified restore | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | PostgreSQL version/topology, pooling, lock/transaction, schema/type/RLS/role, query/index/statistics, backup/restore, verification, and remaining PostgreSQL risk |
197
485
  | Dependency versions, lockfiles, package-manager metadata, workspace constraints, runtime engines, peer dependencies, optional dependencies, security advisory fixes, generated dependency output, framework plugins, TypeScript compiler tracks, CI actions, Docker base images, package manager behavior, or toolchain versions are upgraded, downgraded, pinned, widened, regenerated, reviewed, or reported | `.mustflow/skills/dependency-upgrade-review/SKILL.md` | Dependency name, old and new versions or ranges, direct or transitive path, ecosystem and package manager, declaration files, lockfiles, runtime or toolchain files, advisory or release-note evidence, generated outputs, callers, docs, package output, Docker, CI, or TypeScript compiler-track surfaces, and command contract entries | Package declarations, lockfiles, generated outputs, compatibility code, tests, docs, package metadata, Docker or CI files, TypeScript compiler-track notes, and directly synchronized examples | lockfile churn, hidden transitive replacement, peer or engine break, module-format drift, native or optional package break, framework or generator output drift, unsafe broad security update, weakened tests, Docker or CI runtime drift, native-preview over-adoption, or unreviewed supply-chain change | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Upgrade reason, ecosystem surface, direct and transitive graph changes, compatibility classification, runtime/peer/engine/module/feature/platform/generated-output/compiler-track risks, synchronized surfaces, verification, and remaining dependency-upgrade risk |
@@ -212,6 +500,15 @@ routes. Event routes stay inactive until their event occurs.
212
500
  | Generated artifacts, packaged files, binary assets, reports, or downloadable outputs are created, referenced, or reported | `.mustflow/skills/artifact-integrity-check/SKILL.md` | Artifact paths, source or generation path, package rules, and artifact expectations | Artifact references, package metadata, tests, and documentation | unverified or stale artifact claim | `changes_status`, `changes_diff_summary`, `test_release`, `build`, `mustflow_check` | Artifact evidence, inclusion or format checks, skipped checks, and integrity risk |
213
501
  | A dense plan, suggestion, code explanation, review result, flow map, or decision set would be easier to inspect as a safe static HTML review artifact | `.mustflow/skills/visual-review-artifact/SKILL.md` | User request, artifact goal, target audience, source evidence, output path, and relevant command contract entries | Temporary `.mustflow/state/artifacts/**` output or explicitly requested versioned HTML artifact, plus direct references, docs, or package metadata | unsafe HTML behavior, prompt injection, unverified artifact claim, or mistaken approval authority | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Artifact kind and path, source evidence, review-only boundary, local interactions, verification, skipped checks, and remaining decision risk |
214
502
  | Conversational AI, chat, copilot, prompt, multimodal input, streaming generation, citation, feedback, or conversation-history UI is planned, edited, reviewed, or reported | `.mustflow/skills/llm-service-ux-review/SKILL.md` | LLM service surface, user task, interaction mode, input-to-reset path, latency/source/privacy constraints, and command contract entries | Prompt, attachment, generation, output, citation, feedback, history, reset, error, accessibility, docs, templates, and reports | loss of user control, fake progress, unverifiable source claims, hidden privacy risk, decorative prompt UX, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | LLM UX surface reviewed, input/waiting/output/recovery states checked, control and citation boundaries, skipped checks, and remaining LLM UX risk |
503
+ | Core Web Vitals, real-user web performance, CrUX, Search Console, Lighthouse-versus-field discrepancy, RUM instrumentation, LCP, INP, CLS, FID replacement, LCP subparts, interaction latency, Long Animation Frames, long tasks, bfcache, speculation rules, third-party scripts, tag managers, ads, web fonts, responsive hero media, layout shifts, or deployment performance regression needs field-data triage rather than a one-off lab score | `.mustflow/skills/core-web-vitals-field-review/SKILL.md` | User goal, current diff or target files, metric contract, field evidence ledger, LCP ledger, INP ledger, CLS ledger, lab and diagnostics ledger, current official threshold evidence when needed, and configured command intents | RUM instrumentation, metric payloads, route grouping, p75 reporting, field-versus-lab wording, LCP candidate attribution, Server-Timing, Resource Timing, LoAF or long-task capture, bfcache diagnostics, safe speculation rules, focused tests, and narrower render/image/frame/bundle fixes when selected | Lighthouse trophy claim, stale FID dashboard, averaged Web Vitals, hidden mobile failure, missing p75 split, uninstrumented RUM, lazy LCP media, undiscovered hero, render-blocked LCP, INP blocked by hydration or third-party scripts, GTM tag drift, long task without attribution, CLS from ads or skeleton mismatch, bfcache blocker, unsafe prerender side effect, single bundle-size budget, or unmonitored deploy regression | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Core Web Vitals field review, evidence level, threshold and percentile contract, mobile/desktop split, LCP/INP/CLS ledgers, fixes or recommendations, verification, and remaining CWV field risk |
504
+ | Web page, frontend route, landing page, ecommerce page, dashboard, SSR/RSC/SPA route, hero image, LCP candidate, above-the-fold CSS, font, image, iframe, third-party script, chat widget, client bundle, hydration boundary, route prefetch, first-view data fetch, HTML streaming, CDN cache, resource hint, compression, content-visibility, long task, or Core Web Vitals test needs web-render-performance triage for first-render performance, LCP, CLS, FCP, TTFB, render-blocking CSS, asset priority, JavaScript execution cost, or cache and delivery risk | `.mustflow/skills/web-render-performance-review/SKILL.md` | User goal, current diff or target files, first viewport and LCP candidate ledger, critical resource discovery ledger, CSS/render-blocking ledger, font loading ledger, image/video/iframe ledger, third-party script ledger, JavaScript bundle and hydration ledger, data and HTML delivery ledger, cache/compression/resource-hint ledger, main-thread/long-task ledger, measurement or test evidence, and configured command intents | LCP image loading priority, preload and preconnect hints, critical CSS, route CSS splitting, font-display and font preload policy, font subsetting, responsive images, image CDN usage, lazy image and iframe dimensions, third-party script gating, chat widget loading, client/server component boundaries, dynamic imports, code splitting, modulepreload, first-view data fetching, streaming HTML, static shell and dynamic hole split, TTFB instrumentation, CDN and cache headers, compression, content-visibility, long task scheduling, route prefetch behavior, focused tests, and directly synchronized docs or templates | lazy LCP image, undiscovered background hero, fetchpriority everywhere, render-blocking global CSS, common/vendor CSS bloat, font FOIT or CLS, over-preloaded fonts, unsubset Korean or CJK font, oversized image, missing srcset or sizes, lazy image CLS, eager offscreen iframe, global third-party script, first-paint chat SDK, broad use-client boundary, eager modal/chart/editor/map import, tiny-chunk waterfall, modulepreload spam, client-effect first data, all-or-nothing HTML wait, personalized whole-page dynamic render, TTFB handwave, uncacheable static HTML, wrong immutable/no-store cache header, missing text compression, Early Hints or preconnect spam, below-fold DOM layout cost, long main-thread task, overbroad Link prefetch, or lab-only perf claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Web render performance reviewed, viewport/resource/CSS/font/media/third-party/JS/data/cache/main-thread map, findings, fixes or recommendation, measurement or test evidence, verification, and remaining web-render performance risk |
505
+ | Web image, hero image, LCP image, product image, feed image, gallery, avatar, thumbnail, carousel image, CSS background hero, `img`, `picture`, `source`, `srcset`, `sizes`, framework image component, responsive preload, `imagesrcset`, `imagesizes`, `fetchpriority`, `loading`, `decoding`, intrinsic dimensions, DPR bucket, width bucket, AVIF/WebP/JPEG/PNG/SVG fallback, quality budget, blur placeholder, base64 inline image, image CDN transformation, derivative cache key, content-hash URL, `Accept` negotiation, image proxy allowlist, EXIF orientation, ICC profile, uploaded SVG handling, `elementtiming`, Resource Timing, DevTools image waterfall, or RUM image evidence needs image-delivery-performance triage for discovery, priority, candidate size, layout stability, cacheability, quality, or abuse risk | `.mustflow/skills/image-delivery-performance-review/SKILL.md` | User goal, current diff or target files, image role ledger, discovery and priority ledger, responsive candidate ledger, layout stability ledger, format and quality ledger, pipeline and metadata ledger, CDN and cache ledger, safety and abuse ledger, image measurement evidence or gap, and configured command intents | Image markup, `picture` source order, `srcset`, `sizes`, `loading`, `decoding`, `fetchpriority`, responsive preload, `imagesrcset`, `imagesizes`, intrinsic dimensions, `aspect-ratio`, placeholders, CSS background preload hints, framework image props, width and DPR buckets, format fallback policy, quality settings, metadata handling, cache headers, derivative cache key rules, `Accept` forwarding, remote image allowlists, transform limits, focused tests, and directly synchronized docs or templates | lazy LCP image, priority inflation, hidden background image discovery, responsive preload missing `imagesrcset` or `imagesizes`, multi-format preload, wrong `sizes`, framework fill without sizes, lazy image missing dimensions, unbounded 3x variants, arbitrary width bucket, CDN cache-key confetti, wrong format by content type, weak JPEG fallback, global quality constant, missing byte budget, EXIF rotation bug, color-profile loss, unsafe SVG serving, meaningful image hidden as CSS background, first-view lazy loading, giant lazy gallery, wrong `decoding` hint, oversized blur placeholder, base64 HTML bloat, missing content-hash URL, lost original, dropped `Accept` header, public image proxy, unbounded remote transform, Lighthouse-only claim, or duplicate image download | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Image delivery performance reviewed, image role/discovery/priority/candidate/layout/format/quality/cache/pipeline/safety map, findings, fixes or recommendation, measurement or static image-delivery evidence, verification, and remaining image-delivery performance risk |
506
+ | Frontend app, client package, route, design system, component library, import graph, package entrypoint, bundler config, shared vendor chunk, first-route JS, tree shaking, ESM/CJS dependency, barrel file, package exports, sideEffects metadata, PURE annotation, Next use-client boundary, Server Component split, dynamic import, React lazy, Angular defer, Vue route lazy loading, import modularization, icon import, date locale, syntax highlighter, markdown renderer, code editor, Node polyfill, browser target, Babel polyfill, dev-only branch, console stripping, Rollup manualChunks, Vite modulepreload, Tailwind extraction, safelist, or inline asset rule needs client-bundle-pruning triage for dead-code elimination, dependency bloat, initial JS, shared vendor, or route chunk risk | `.mustflow/skills/client-bundle-pruning-review/SKILL.md` | User goal, current diff or target files, bundle target ledger, entry and import graph ledger, dependency format ledger, framework boundary ledger, heavy-feature ledger, polyfill and target ledger, bundle budget or analyzer evidence, and configured command intents | Import paths, package entrypoints, subpath exports, barrel usage, ESM package choices, package `sideEffects`, Rollup `moduleSideEffects`, PURE annotations, client/server boundaries, dynamic imports, framework deferral boundaries, package import modularization, icon/date/highlighter/editor imports, Node polyfill fallbacks, browser and Babel targets, dev-only constants, logging wrapper behavior, manual chunk rules, modulepreload policy, Tailwind extraction shapes, asset inline thresholds, focused tests, and directly synchronized docs or templates | total-dist theater, no initial-JS budget, CJS package on client path, broad utility import, hot-path barrel, package-root import dragging design system, missing subpath export, unsafe `sideEffects: false`, CSS or polyfill shaken away, global `moduleSideEffects: false`, missing PURE hint, false PURE annotation, page-level `use client`, server-safe parser in client bundle, dynamic import with variable path, lazy component declared in render, eager modal/chart/editor/map/search/PDF import, library import before user intent, Angular defer leak, Vue eager route, unverified import modularization, icon catalog import, all date locales, all highlighter languages, Node polyfill bundle, old browser-target helper bloat, whole `core-js` import, dev branch not folded, unsafe console drop, one giant vendor chunk, modulepreload spam, dynamic Tailwind class miss, broad safelist, large inline SVG/font/image, or unmeasured bundle claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Client bundle pruning reviewed, first-route/shared-vendor/import/dependency/client-boundary/polyfill/chunk/CSS/asset map, findings, fixes or recommendation, measurement or test evidence, verification, and remaining client-bundle pruning risk |
507
+ | Frontend route, component, animation, scroll path, input path, list, table, chart, map, canvas, media slot, modal, drawer, hydration boundary, DOM read/write path, CSS selector, class toggle, CSS custom property, containment, content-visibility, virtualization, observer, event listener, requestAnimationFrame loop, long task, worker boundary, ResizeObserver path, runtime CSS injection, React memo boundary, context provider, deferred update, transition, or DevTools rendering trace needs frame-render-performance triage for INP, animation smoothness, scroll responsiveness, style recalculation, layout, paint, compositing, main-thread, or hydration risk | `.mustflow/skills/frame-render-performance-review/SKILL.md` | User goal, current diff or target files, interaction and frame ledger, DOM and layout ledger, style and CSS ledger, paint and compositing ledger, event and scheduling ledger, framework render ledger, rendering evidence or measurement gap, and configured command intents | DOM read/write batching, layout-affecting writes, transform/opacity animations, will-change scope, containment, content-visibility and contain-intrinsic-size, virtualization, selector simplification, state-class scope, CSS variable scope, media geometry reservation, native lazy loading, IntersectionObserver, passive listeners, overscroll-behavior, requestAnimationFrame scheduling, long-task chunking, worker and OffscreenCanvas boundaries, ResizeObserver, runtime CSS rule reduction, React prop and context stability, deferred and transition updates, hydration narrowing, focused tests, and directly synchronized docs or templates | forced synchronous layout, layout thrashing, width/height/top/left animation, stale will-change, missing containment, unsafe contain side effect, content-visibility scroll jump, offscreen chart or canvas work, oversized DOM, deep wrapper tree, expensive selector, body/html state blast, root CSS variable churn, unreserved media slot, LCP concern misrouted as frame fix, JS lazy loader overhead, scroll polling, non-passive wheel/touch handler, JS scroll lock, setTimeout frame clock, long task, main-thread heavy compute, canvas blocking input, resize measurement loop, runtime style injection, ineffective memo, broad context rerender, urgent heavy result render, full hydration INP cost, Lighthouse-score-only claim, or unmeasured rendering win | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frame render performance reviewed, interaction/DOM/style/layout/paint/compositing/event/framework map, findings, fixes or recommendation, measurement or static frame-risk evidence, verification, and remaining frame-render performance risk |
508
+ | Frontend component, route, store, query, form, router state, context provider, persisted store, external subscription, optimistic mutation, search/filter/pagination interaction, selected item, list key, or hydration path can duplicate, derive, overwrite, or race the same value across props, local state, server cache, URL params, form drafts, global app context, selectors, storage, or external stores | `.mustflow/skills/frontend-state-ownership-review/SKILL.md` | User goal, current diff or target files, framework and state-library signals, state owner ledger, state class map, synchronization surfaces, identity and collection surfaces, evidence level, and configured command intents | State owner cleanup, derived selectors, nearest-owner move, status or mode union, grouped action, selected ID lookup, query key dimensions, invalidation scope, request cancellation, optimistic rollback, URL-state routing, form draft reset, context split or memoization, persisted-state versioning, reset keys, external subscription wrapper, focused tests, and directly synchronized docs or templates | props-to-state drift, duplicated derived state, effect-derived one-render lag, contradictory booleans, partial grouped-state tear, selected object staleness, server data copied into global store, URL state fork, form draft overwrite, optimistic update without rollback, stale request overwrite, incomplete query key, broad invalidation, index-key local-state swap, raw setter sprawl, context value rerender storm, state too high or too low, non-serializable persisted store, hydration mismatch, unsafe external subscription snapshot, or unverified state owner | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend state surface reviewed, owner ledger and state class map, duplicate or derived state findings, query/URL/form/optimistic/race/context/persistence decisions, tests or evidence level, verification, and remaining state-ownership risk |
509
+ | Frontend UI, design system component, dashboard, form, card, list, table, chart, media slot, modal, drawer, toast, bottom CTA, portal, or responsive surface needs stress-layout review against hostile content, narrow parent containers, async media, skeletons, empty or error states, permission variants, scrollbars, mobile viewport and keyboard behavior, safe areas, line clamps, i18n or RTL, touch input, reduced motion, observer loops, portal edge placement, z-index layers, browser zoom, cascade layers, or reproducible break conditions | `.mustflow/skills/frontend-stress-layout-review/SKILL.md` | User goal, current diff or target files, framework and styling signals, stress fixture ledger, parent container ledger, geometry contract ledger, interaction and state ledger, evidence level, and configured command intents | Stress fixtures, stories, tests, parent-container-aware constraints, container queries, `min-width: 0`, `minmax(0, 1fr)`, `overflow-wrap: anywhere`, reserved media dimensions, `aspect-ratio`, skeleton geometry, empty and error states, permission variants, stable scroll containers, `scrollbar-gutter: stable`, mobile viewport and keyboard constraints, `safe-area-inset-*`, explicit `line-height`, logical properties, touch-accessible affordances, `prefers-reduced-motion`, observer scope, portal placement, z-index tokens, table and chart stress handling, zoom-safe geometry, cascade layer fixes, and directly synchronized docs or templates | happy-path fixture blindness, parent-width overflow, flex or grid min-content blowout, unbroken text overflow, async media or font layout shift, skeleton mismatch, collapsed empty state, error-state overlap, permission action wrapping, late `display: none` layout jump, scrollbar width wrap, fragile `100vh`, keyboard-covered CTA, unsafe-area overlap, line-clamp/action collision, localization or RTL breakage, hover-only control, layout-affecting hover or animation, ResizeObserver loop, clipped portal, z-index arms race, unusable wide table, chart zero-width mount, browser zoom clipping, CSS specificity loss, or vague non-reproducible visual complaint | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend stress layout reviewed, stress fixture and parent-container ledgers, reproducible break conditions, fixes or recommendation, evidence level, verification, and remaining stress-layout risk |
510
+ | Frontend UI, design-system component, form, dialog, menu, tab, combobox, custom select, table, card, media, icon button, image, toast, live update, drag interaction, focus style, keyboard handler, `onClick`, `role`, `tabIndex`, `aria-*`, `alt`, hidden content, visually hidden text, or automated accessibility claim needs accessibility-tree review for native semantics, accessible names, visible label consistency, keyboard navigation, focus order and return, forms, errors, status messages, ARIA references, icon or image alternatives, custom widget contracts, non-text contrast, target size, drag alternatives, or a11y evidence limits | `.mustflow/skills/frontend-accessibility-tree-review/SKILL.md` | User goal, current diff or target files, framework and component-library signals, semantic ledger, keyboard ledger, assistive-technology ledger, form ledger, interaction ledger, evidence level, and configured command intents | Native HTML element selection, button/link semantics, `href` cleanup, keyboard parity, tabindex cleanup, focus-visible styling, obscured focus fixes, dialog focus management, icon-only accessible names, visible-label-aligned names, `aria-labelledby` and `aria-describedby` id references, `aria-hidden` cleanup, SVG icon defaults, image `alt`, label and fieldset wiring, `aria-invalid`, error descriptions, submit-failure focus, live regions, ARIA pattern keyboard behavior, custom select constraints, non-text contrast, target-size fixes, drag alternatives, focused tests, accessibility snapshots, and directly synchronized docs or templates | ARIA costume over broken semantics, clickable div, fake link, `href="#"`, missing Enter or Space behavior, tabIndex sprawl, positive tabindex, invisible focus, focus hidden behind sticky layers, modal focus leak, unnamed icon button, visible text fighting `aria-label`, broken `aria-labelledby`, interactive child hidden by `aria-hidden`, duplicate SVG announcement, useless image alt, placeholder-only field, missing legend, color-only error, disconnected error text, submit failure silence, unannounced async status, menu or combobox keyboard mismatch, unnecessary custom select, offscreen focus trap, non-text contrast failure, tiny pointer target, drag-only operation, axe-only proof, or accessibility-tree evidence gap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend accessibility tree reviewed, semantic/keyboard/focus/name/form/status/widget evidence, findings, fixes or recommendation, automated-evidence limits, verification, and remaining accessibility-tree risk |
511
+ | Frontend UI, product copy, forms, validation messages, empty states, toasts, dialogs, metadata, SEO or Open Graph text, charts, canvas, SVG text, emails, push notifications, share text, exports, downloads, PDFs, CSVs, calendar invites, translation keys, `t(...)`, ICU messages, placeholders, `aria-label`, `title`, `alt`, browser `confirm`, date/time/relative-time formatting, numbers, currency, units, search, sort, collation, Unicode normalization, grapheme truncation, RTL, bidirectional text, font fallback, pseudo localization, SSR locale, hydration, fallback, backend error-code mapping, or localized rich text needs localization review beyond visible JSX text | `.mustflow/skills/frontend-localization-review/SKILL.md` | User goal, current diff or target files, framework and i18n library signals, supported locale policy, string exposure ledger, message-shape ledger, format ledger, text-processing ledger, direction and layout ledger, runtime locale ledger, evidence level, and configured command intents | Message catalog wiring, full-sentence keys, named interpolation, context-specific messages, plural and zero handling, grammar-safe dynamic values, tone consistency, locale-aware formatters, display/storage value split, collation and search normalization, grapheme-safe truncation, RTL and `dir="auto"` handling, logical direction fixes, icon mirroring decisions, font fallback checks, pseudo-localization fixtures, SSR locale agreement, missing-key handling, backend error-code mapping, component interpolation for rich text, export and notification text coverage, focused tests, and directly synchronized docs or templates | visible-JSX-only scan, hardcoded placeholder or metadata, concatenated translation fragments, reused dictionary key, `Delete {item}` grammar trap, English-only plural, missing zero state, broken Korean particle or inflection, mixed tone, manual date string, time-zone shifted deadline, hydration relative-time mismatch, comma-only number format, locale-agnostic input parse, language/region/currency conflation, default `sort()`, unsafe lowercasing, accent or Unicode normalization miss, emoji-splitting `.length`, wrong ellipsis owner, RTL afterthought, missing `dir="auto"`, blanket icon mirroring, fixed-width translated button, missing glyph fallback, no pseudo localization, single-locale screenshot proof, server/client locale mismatch, silent English fallback, raw HTML in translations, raw backend prose, untranslated export, or static-only localization claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend localization reviewed, string exposure and message-shape ledgers, formatting/search/sort/RTL/SSR/export checks, fixes or recommendation, evidence level, verification, and remaining localization risk |
215
512
  | Frontend navigation flicker, theme flash, FOUC, hydration flash, blank first render, unstable loading shell, route transition jank, state loss across navigation, or first-paint instability is reported, created, edited, reviewed, or verified | `.mustflow/skills/frontend-render-stability/SKILL.md` | Symptom, affected routes, framework and version signals, root shell, links/router, theme init, root CSS, font/media loading, data-loading owner, and configured verification entries | Root HTML, layouts, router links/config, early theme scripts, root CSS, theme tokens, skeletons, hydration boundaries, route data loaders, directly tied tests, docs, and templates | masked full document reload, late theme application, hydration mismatch, client-only first data, loading layout shift, duplicate view-transition names, reduced-motion regression, or false visual proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `mustflow_check` | Symptom phase, evidence inspected, instability layer found or ruled out, framework-specific skills used, files changed, verification, skipped visual checks, and remaining render-stability risk |
216
513
  | User-facing UI, dashboard, settings, navigation, form, copy, responsive layout, accessibility, visual geometry, interaction flow, or visual state changes are planned, edited, reviewed, or reported | `.mustflow/skills/ui-quality-gate/SKILL.md` | Changed UI surface, user task, interaction path, existing patterns, state combinations, localization rules, content stress cases, geometry-sensitive component facts, and command contract entries | UI controls, labels, states, layout constraints, geometry contracts, accessibility attributes, localization hooks, task-flow recovery, docs, templates, and reports | decorative UI drift, inaccessible controls, icon/text misalignment, overflow or layout breakage, missing empty/error/permission recovery, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI surface reviewed, states checked, geometry/layout/accessibility/localization/recovery notes, skipped visual checks, and remaining UI risk |
217
514
  | HTML, templates, component markup, forms, controls, dialogs, navigation, tables, media, metadata, SEO head content, or structured data are created or changed | `.mustflow/skills/html-code-change/SKILL.md` | Page shell, markup patterns, form/control components, metadata source, changed files, and command contract entries | HTML and template markup, metadata, forms, interactive controls, tests, and docs examples | invalid semantics, inaccessible control, broken focus path, metadata drift, or invalid browser markup | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Semantic, form, focus, metadata, and validation boundary checked, verification, and remaining HTML risk |