mustflow 2.39.1 → 2.58.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/tech.js +60 -4
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/npm-version-check.js +36 -0
  14. package/dist/cli/lib/repo-map.js +16 -3
  15. package/dist/cli/lib/templates.js +8 -7
  16. package/dist/cli/lib/validation/constants.js +1 -1
  17. package/dist/core/active-run-locks.js +78 -20
  18. package/dist/core/change-classification.js +4 -0
  19. package/dist/core/command-contract-rules.js +1 -1
  20. package/dist/core/command-contract-validation.js +1 -1
  21. package/dist/core/command-cwd.js +13 -2
  22. package/dist/core/command-effects.js +22 -4
  23. package/dist/core/command-env.js +8 -6
  24. package/dist/core/command-preconditions.js +28 -2
  25. package/dist/core/completion-verdict.js +1 -1
  26. package/dist/core/line-endings.js +8 -4
  27. package/dist/core/safe-filesystem.js +9 -1
  28. package/dist/core/source-anchor-validation.js +7 -1
  29. package/dist/core/source-anchors.js +8 -2
  30. package/dist/core/verification-scheduler.js +8 -2
  31. package/package.json +1 -1
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +386 -1
@@ -0,0 +1,298 @@
1
+ ---
2
+ mustflow_doc: skill.api-access-control-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: api-access-control-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, broken authentication, tenant isolation, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.api-access-control-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # API Access Control Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Review API security as an access-control proof, not as a login check.
34
+
35
+ The review question is not "is the user authenticated?" It is "may this principal, at this moment,
36
+ perform this action on this object, this field, and this tenant context?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Code review, implementation, or refactor work touches API routes, controllers, handlers,
42
+ resolvers, RPC procedures, service methods, repositories, database queries, storage signers,
43
+ exports, downloads, previews, batch APIs, background jobs, webhooks, auth middleware, sessions,
44
+ cookies, JWTs, OAuth or OIDC flows, password reset, MFA, admin APIs, internal APIs, cache keys,
45
+ DTO mapping, tests, or API docs.
46
+ - A request, token, body, query string, path parameter, webhook payload, queue payload, or client
47
+ state supplies `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `projectId`, `role`,
48
+ `ownerId`, object id, file key, status, price, entitlement, plan, or other authority-bearing data.
49
+ - A review needs API-specific authorization coverage for BOLA or IDOR, broken authentication,
50
+ object-property authorization, function-level authorization, mass assignment, object storage
51
+ access, tenant isolation, GraphQL resolver access, batch authorization, signed URLs, token
52
+ validation, session hardening, account enumeration, automation defense, or denial-case tests.
53
+
54
+ <!-- mustflow-section: do-not-use-when -->
55
+ ## Do Not Use When
56
+
57
+ - The task changes the authorization model, role matrix, permission implementation, route guards, or
58
+ session/token code and needs implementation guidance; use `auth-permission-change` first and this
59
+ skill for API-specific review coverage.
60
+ - The task is a broad security source-to-sink review beyond API access control; use
61
+ `security-flow-review`.
62
+ - The task is only public API schema compatibility, pagination shape, status codes, or generated
63
+ client drift; use `api-contract-change` first.
64
+ - The task is only caller ergonomics or API misuse risk without security boundary pressure; use
65
+ `api-misuse-resistance-review`.
66
+ - The task asks for live exploitation, credential guessing, penetration testing traffic, or unsafe
67
+ payload collection. Stay within defensive local code review and tests.
68
+
69
+ <!-- mustflow-section: required-inputs -->
70
+ ## Required Inputs
71
+
72
+ - User goal, current diff or target files, API surface, and the access-control claim being reviewed.
73
+ - Subject-object-action-context ledger: principal, session, token, API key, service account, tenant,
74
+ organization, workspace, role, relationship, resource, object id, field or property, action,
75
+ state, and request context.
76
+ - Object authorization ledger: list, detail, count, search, export, download, preview, share,
77
+ update, delete, approve, invite, refund, transfer, admin, batch, worker, and webhook paths that
78
+ can reach the same object.
79
+ - Property authorization ledger: request fields, response fields, updateable fields, hidden fields,
80
+ sensitive fields, computed fields, internal ids, storage keys, provider ids, and privileged
81
+ mutable fields.
82
+ - Function authorization ledger: API route, resolver, RPC procedure, admin function, support tool,
83
+ internal endpoint, queue handler, webhook handler, and storage signer operations.
84
+ - Authentication proof ledger: auth middleware, session store, cookie settings, JWT verifier,
85
+ OAuth/OIDC handling, API key verifier, reset tokens, reauthentication points, account enumeration
86
+ behavior, and automation controls.
87
+ - Existing tests, denial cases, role matrices, API docs, security docs, and configured command
88
+ intents.
89
+
90
+ <!-- mustflow-section: preconditions -->
91
+ ## Preconditions
92
+
93
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
94
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
95
+ current scope.
96
+ - Required inputs are available, or missing subject, object, action, tenant, field, token, cache, or
97
+ denial-test evidence can be reported without guessing.
98
+ - Treat client-provided identity, tenant, role, ownership, status, plan, and entitlement values as
99
+ untrusted until server context and persisted relationships prove them.
100
+
101
+ <!-- mustflow-section: allowed-edits -->
102
+ ## Allowed Edits
103
+
104
+ - Add or tighten server-side object authorization, tenant-scoped lookups, relationship checks,
105
+ function-level checks, property allowlists, DTO mappers, signed URL scoping, cache-key dimensions,
106
+ worker revalidation, webhook ownership mapping, token verification, session hardening,
107
+ reauthentication gates, enumeration-safe responses, rate limits, audit logs, and denial-case tests.
108
+ - Update route docs, API examples, role matrices, security docs, fixtures, SDK tests, and template
109
+ surfaces that describe the same access-control contract.
110
+ - Keep changes scoped to the reviewed API boundary and its synchronized surfaces.
111
+ - Do not add broad scanners, live external probes, offensive payload collections, unrelated
112
+ hardening, or new command authority under this skill.
113
+
114
+ <!-- mustflow-section: procedure -->
115
+ ## Procedure
116
+
117
+ 1. Ask the full permission question.
118
+ - Do not stop at "logged in".
119
+ - Ask whether this requester can perform this action on this object, this field, in this tenant,
120
+ in this state, right now.
121
+ 2. Treat request-supplied identity as hostile.
122
+ - `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `role`, `ownerId`, `plan`, and
123
+ similar values from body, query, headers, path params, local storage, or token claims are leads,
124
+ not authority.
125
+ - Derive truth from server session, verified token context, database relationships, and current
126
+ persisted state.
127
+ 3. Bind authorization to the data lookup.
128
+ - Prefer lookups such as `findByIdAndOwner`, `where id = ? and tenant_id = ?`, or policy-scoped
129
+ repository methods over `findById` followed by a fragile caller-side check.
130
+ - If existence disclosure must be hidden, keep missing and unauthorized behavior consistent.
131
+ 4. Separate authentication from authorization.
132
+ - `isAuthenticated`, valid session, API key, or decoded JWT says who is calling.
133
+ - It does not say whether the object, field, tenant, or action is allowed.
134
+ 5. Replace role-only checks with relationship and context checks.
135
+ - `role === "admin"` is usually too small.
136
+ - Check whether the principal is admin for this organization, owner of this project, seller for
137
+ this order, billing admin for this account, or allowed to act in this resource state.
138
+ 6. Compare list and detail scopes.
139
+ - If list filters by current user or tenant but detail, count, search, analytics, export, or
140
+ download uses only object id, report the gap.
141
+ 7. Review write APIs harder than read APIs.
142
+ - `PUT`, `PATCH`, `DELETE`, approve, refund, invite, transfer, publish, restore, and role-change
143
+ operations need write-specific permission, state, amount, and audit checks.
144
+ - Read permission is not write permission.
145
+ 8. Stop mass assignment at the boundary.
146
+ - Flag request-body-to-entity binding, raw DTO persistence, GraphQL input passthrough, ORM update
147
+ data from raw body, and blind spread or object assignment.
148
+ - Privileged fields such as `role`, `status`, `ownerId`, `tenantId`, `isVerified`, `plan`,
149
+ `credit`, `deletedAt`, `price`, and `quota` must be derived, guarded, or allowlisted.
150
+ 9. Check response DTOs for property-level exposure.
151
+ - Entity-to-JSON responses can leak `passwordHash`, `mfaSecret`, `internalMemo`,
152
+ `billingCustomerId`, storage keys, provider IDs, deletion reasons, or admin-only fields later.
153
+ - Use public response mappers and role-aware field policies when field visibility differs.
154
+ 10. Treat client-side admin UI as decoration.
155
+ - Hidden buttons, disabled controls, frontend routes, mobile checks, and generated clients are
156
+ not access control.
157
+ - Admin and support operations need server-side scope, reason, audit, and denial tests.
158
+ 11. Search for temporary public holes.
159
+ - Inspect `permitAll`, `anonymous`, `skipAuth`, `bypassAuth`, `public`, `internalOnly`,
160
+ `devOnly`, `TODO auth`, debug endpoints, health endpoints with extra data, and test-only
161
+ switches that can reach real data or operations.
162
+ 12. Review router and middleware order.
163
+ - Dynamic routes like `/:id` can shadow `/me`, `/admin`, or `/settings`.
164
+ - Prefix middleware can leave sibling paths, nested routers, serverless functions, or framework
165
+ route groups unauthenticated.
166
+ 13. Review GraphQL per resolver.
167
+ - Endpoint-level auth is not enough.
168
+ - Check `node(id)`, nested fields, connections, edges, aggregates, mutations, and field
169
+ resolvers for object and property authorization.
170
+ 14. Review batch APIs per item.
171
+ - Bulk create, delete, export, import, and update endpoints must authorize every object.
172
+ - Define whether one denied item fails the whole request, returns per-item results, or produces
173
+ a retrievable failure report.
174
+ 15. Review export, download, preview, thumbnail, and share paths.
175
+ - CRUD may be protected while file delivery, generated previews, thumbnails, CSV exports, and
176
+ shared links bypass the same policy.
177
+ 16. Treat signed storage URLs as outputs of authorization.
178
+ - S3, GCS, R2, CDN, and private file URLs must be generated only after object authorization.
179
+ - Check key predictability, URL lifetime, scope, content disposition, cache behavior, revocation,
180
+ and whether direct object access bypasses policy.
181
+ 17. Enforce tenant boundaries in every query and cache.
182
+ - `WHERE id = ?` is weak in multi-tenant code; include tenant, membership, owner, sharing, or
183
+ database policy constraints.
184
+ - Cache keys for private data need tenant and permission dimensions, not just object id.
185
+ 18. Revalidate asynchronous jobs.
186
+ - Queue payloads with only `userId`, `tenantId`, or `fileId` can outlive permission changes.
187
+ - Workers, retries, admin reruns, scheduled tasks, and webhook-triggered jobs need actor,
188
+ tenant, resource, state, and current permission or service-principal checks at execution time.
189
+ 19. Separate webhook authenticity from authorization.
190
+ - Signature verification proves the provider sent the event.
191
+ - Ownership mapping proves the event belongs to this tenant, account, customer, installation,
192
+ repository, subscription, or resource.
193
+ 20. Keep OAuth and OIDC purposes distinct.
194
+ - OIDC ID tokens identify a user for login.
195
+ - OAuth access tokens authorize delegated API access.
196
+ - Do not use an ID token as an API permission token or an access token as a login proof without
197
+ the appropriate validation and intent.
198
+ 21. Verify JWTs completely.
199
+ - Decoding is not verification.
200
+ - Check signature, algorithm allowlist, issuer, audience, expiry, not-before when used, key
201
+ source, key rotation, subject, tenant binding, and stale authorization claims.
202
+ 22. Treat token claims as snapshots, not eternal truth.
203
+ - Long-lived `role`, `plan`, `tenantId`, and permission claims can survive demotion, removal,
204
+ subscription cancellation, suspension, or revocation.
205
+ - Important decisions should check current server-side state or use short-lived tokens with
206
+ revocation strategy.
207
+ 23. Regenerate session identity after privilege changes.
208
+ - Login, password change, MFA changes, role changes, user-to-admin transitions, and account
209
+ recovery should rotate session identifiers or refresh tokens according to local policy.
210
+ 24. Check authentication cookies.
211
+ - Cookies carrying session authority need `Secure`, `HttpOnly`, appropriate `SameSite`,
212
+ domain, path, lifetime, rotation, logout, revocation, and CSRF posture.
213
+ - Avoid URL-carried session identifiers.
214
+ 25. Require reauthentication for sensitive actions.
215
+ - Password change, email change, MFA disable, payment method change, organization ownership
216
+ transfer, API-key creation, and destructive admin actions should require fresh proof.
217
+ 26. Review reset and magic-link tokens.
218
+ - Tokens need strong randomness, one-time use, short expiration, purpose binding, user binding,
219
+ safe storage, link-preview protection, session invalidation where needed, and no reuse across
220
+ unrelated flows.
221
+ 27. Compare account-enumeration responses.
222
+ - Login, signup, password reset, magic link, invitation, and email verification should avoid
223
+ leaking account existence through message, status, timing, or email-sending behavior unless
224
+ product policy accepts that disclosure.
225
+ 28. Treat automation defense as part of authentication.
226
+ - Login, OTP, magic link, password reset, invite acceptance, coupon application, email
227
+ verification, and MFA attempts need rate limits, lockouts, challenge policy, IP/device/user
228
+ dimensions, and observability.
229
+ 29. Separate internal and external identity planes.
230
+ - Backoffice, operator, database, middleware, and support accounts should not flow through the
231
+ same customer login path unless the product intentionally models and audits that boundary.
232
+ 30. Test the denial matrix.
233
+ - Success tests prove little.
234
+ - For each protected resource, cover anonymous, normal user, other owner, same organization
235
+ different role, other tenant, admin wrong tenant, revoked user, suspended member, stale token,
236
+ read-only API key, and service account cases where relevant.
237
+
238
+ <!-- mustflow-section: postconditions -->
239
+ ## Postconditions
240
+
241
+ - The API access-control decision names subject, object, action, field or property, tenant or owner,
242
+ current state, and trusted context when those apply.
243
+ - Authentication, object authorization, property authorization, and function authorization are not
244
+ collapsed into one route guard.
245
+ - Client-supplied identity and authority fields are either ignored, verified against server-side
246
+ state, or explicitly reported as risky.
247
+ - List, detail, search, export, download, batch, worker, webhook, signed URL, cache, GraphQL, and
248
+ admin paths are checked or explicitly scoped out.
249
+ - Token, session, cookie, OAuth/OIDC, reset, reauthentication, account-enumeration, and automation
250
+ defenses are checked when touched.
251
+ - Denial-case tests or missing test gaps are named from the attacker's point of view.
252
+
253
+ <!-- mustflow-section: verification -->
254
+ ## Verification
255
+
256
+ Use configured oneshot command intents when available:
257
+
258
+ - `changes_status`
259
+ - `changes_diff_summary`
260
+ - `lint`
261
+ - `build`
262
+ - `test_related`
263
+ - `test`
264
+ - `test_audit`
265
+ - `docs_validate_fast`
266
+ - `test_release`
267
+ - `mustflow_check`
268
+
269
+ Prefer the narrowest configured tests that prove denial behavior: wrong owner, wrong tenant, wrong
270
+ role, revoked or suspended actor, stale token, forbidden field update, mass-assignment attempt,
271
+ unauthorized export or download, unauthorized batch item, worker revalidation, webhook ownership,
272
+ and account-enumeration response parity.
273
+
274
+ <!-- mustflow-section: failure-handling -->
275
+ ## Failure Handling
276
+
277
+ - If subject, object, action, field, tenant, state, source of truth, or denial evidence is missing,
278
+ report the gap instead of claiming the API is safe.
279
+ - If the fix requires broad auth model changes, use `auth-permission-change` before editing that
280
+ scope.
281
+ - If a sensitive value appears in logs, diffs, fixtures, screenshots, command output, or final
282
+ reports, stop repeating it and use `secret-exposure-response` when it may be a real secret.
283
+ - If a command fails, use `failure-triage` before further edits.
284
+
285
+ <!-- mustflow-section: output-format -->
286
+ ## Output Format
287
+
288
+ - API access control reviewed
289
+ - Subject, object, action, field, tenant or owner, state, and trusted context
290
+ - Object, property, and function authorization findings
291
+ - Authentication, session, token, cookie, OAuth/OIDC, reset, reauthentication, enumeration, and
292
+ automation findings
293
+ - List/detail/search/export/download/batch/worker/webhook/signed URL/cache/GraphQL/admin findings
294
+ - Fixes made or recommendation
295
+ - Denial tests or behavior evidence
296
+ - Command intents run
297
+ - Skipped checks and reasons
298
+ - Remaining API access-control risk
@@ -0,0 +1,297 @@
1
+ ---
2
+ mustflow_doc: skill.api-misuse-resistance-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: api-misuse-resistance-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and an API, SDK, function boundary, service method, endpoint, command method, DTO, request shape, response shape, pagination contract, idempotency behavior, async job boundary, versioning policy, deprecation path, rate-limit rule, retry rule, observability surface, or caller-facing contract needs review for caller ergonomics, misuse resistance, hidden state machines, ambiguous parameters, internal model leakage, and operation-centered design.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.api-misuse-resistance-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # API Misuse Resistance Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Review APIs from the caller's side, not from the implementer's convenience.
34
+
35
+ The review question is not "does this endpoint or method work?" It is "can a tired caller use this
36
+ API without memorizing hidden order, internal tables, boolean meanings, null folklore, retry traps,
37
+ or Slack-thread failure semantics?"
38
+
39
+ <!-- mustflow-section: use-when -->
40
+ ## Use When
41
+
42
+ - Code review, implementation, or refactor work touches public or internal APIs, service methods,
43
+ SDKs, generated clients, controller methods, RPC procedures, command methods, function signatures,
44
+ request schemas, response DTOs, error envelopes, pagination, filtering, sorting, idempotency,
45
+ retries, async jobs, bulk operations, cache headers, versioning, deprecation, rate limits,
46
+ observability fields, or caller-facing documentation.
47
+ - An API appears technically compatible but may invite caller mistakes through implementation-leaking
48
+ names, ordering requirements, boolean flags, broad options objects, nullable semantics, raw table
49
+ fields, status mutation, PATCH-as-command behavior, time or money primitives, closed enum
50
+ assumptions, overlarge responses, overfragmented calls, internal/external API mixing, or untested
51
+ failure cases.
52
+ - A review needs to decide whether to apply `api-contract-change`, `type-state-modeling-review`,
53
+ `business-rule-leakage-review`, `error-message-integrity-review`, `backend-reliability-change`,
54
+ `cache-integrity-review`, `security-flow-review`, `result-option`, or `state-machine-pattern`.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The main task is API source-of-truth synchronization, status/schema compatibility, generated
60
+ client drift, OpenAPI or protobuf compatibility, or endpoint migration; use `api-contract-change`
61
+ first and this skill only for caller misuse traps.
62
+ - The main task is making impossible domain states unrepresentable in types; use
63
+ `type-state-modeling-review` first.
64
+ - The main task is failure content quality; use `error-message-integrity-review`.
65
+ - The main task is false success, partial state, retry exhaustion, or failure integrity; use
66
+ `failure-integrity-review` or `backend-reliability-change`.
67
+ - The API is private implementation glue with no stable caller, no reusable boundary, no docs, and
68
+ no expected independent evolution.
69
+
70
+ <!-- mustflow-section: required-inputs -->
71
+ ## Required Inputs
72
+
73
+ - User goal, current diff or target files, and every changed caller-facing boundary.
74
+ - Caller ledger: human caller, frontend, mobile app, CLI, worker, SDK user, partner integration,
75
+ internal service, batch job, webhook sender, support tool, or generated client.
76
+ - Operation ledger: what the caller is trying to accomplish, the minimal operation name, required
77
+ inputs, optional inputs, side effects, ordering constraints, sync or async completion, and retry
78
+ or cancellation expectations.
79
+ - Shape ledger: names, parameters, option objects, DTO fields, status fields, null and empty values,
80
+ error shape, pagination fields, sorting and filtering fields, money and time units, enum values,
81
+ bulk result shape, cache headers, versioning, deprecation, rate-limit hints, and observability
82
+ identifiers.
83
+ - Existing contract source, local API style, SDK conventions, generated client behavior, docs,
84
+ examples, tests, and configured command intents.
85
+
86
+ <!-- mustflow-section: preconditions -->
87
+ ## Preconditions
88
+
89
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
90
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
91
+ current scope.
92
+ - Required inputs are available, or missing caller, operation, shape, or compatibility evidence can
93
+ be reported without guessing.
94
+ - If the review finds concrete schema compatibility, security, state-machine, result-type, cache,
95
+ failure-integrity, or backend reliability risk, use the narrower skill before editing that part.
96
+
97
+ <!-- mustflow-section: allowed-edits -->
98
+ ## Allowed Edits
99
+
100
+ - Rename APIs toward caller intent, split hidden modes into separate operations, replace ambiguous
101
+ booleans with named options or distinct methods, narrow option bags, clarify null and patch
102
+ semantics, separate internal and public DTOs, add stable error codes, add idempotency or retry
103
+ metadata, expose async job resources, represent partial failures, tighten pagination, add cache
104
+ and rate-limit hints, and add focused contract tests.
105
+ - Update docs, examples, SDK wrappers, generated client fixtures, API schemas, mocks, changelog
106
+ notes, deprecation notes, and tests that describe the same caller contract.
107
+ - Keep changes scoped to the boundary under review and its synchronized surfaces.
108
+ - Do not silently break existing public callers, widen responses with internal data, turn every
109
+ helper into a public API, or hide a breaking design change behind naming polish.
110
+
111
+ <!-- mustflow-section: procedure -->
112
+ ## Procedure
113
+
114
+ 1. Read the call site aloud.
115
+ - If the call reads like a wiring diagram, the API is leaking implementation.
116
+ - `createUserWithValidationAndEmailSend` tells the caller to remember internal steps.
117
+ - Prefer operation intent such as `registerUser`, `inviteUser`, `payOrder`, or `startReport`.
118
+ 2. Separate purpose from mechanism in names.
119
+ - Names should say what the caller wants, not DB, Redis, Kafka, email, validation, batch, cache,
120
+ queue, or storage details.
121
+ - Keep implementation details in internals, logs, or diagnostics unless the caller genuinely
122
+ controls that mechanism.
123
+ 3. Expose hidden state machines.
124
+ - APIs that require `init`, `setConfig`, `connect`, `start`, `flush`, and `close` in one exact
125
+ sequence are unsafe unless the type, builder, lifecycle object, or command model enforces the
126
+ sequence.
127
+ - Ask what happens if a caller skips, repeats, or reorders each step.
128
+ 4. Hunt boolean parameters.
129
+ - `getUsers(true)`, `sendEmail(false)`, and `createOrder(order, true, false)` are call-site
130
+ riddles.
131
+ - Replace with named options, separate operations, or domain variants when the boolean changes
132
+ behavior.
133
+ 5. Audit option objects as mode bags.
134
+ - `skipValidation`, `sendWelcomeEmail`, `createdByAdmin`, `importMode`, `dryRun`, and
135
+ `temporaryPassword` in one object often means several workflows share one unsafe door.
136
+ - Split by use case when options describe different business operations instead of incidental
137
+ configuration.
138
+ 6. Give absence one meaning per boundary.
139
+ - Count `null`, `undefined`, empty string, empty array, omitted field, and default value.
140
+ - If they mean delete, keep, clear, unknown, not loaded, or not applicable differently, model that
141
+ with explicit types, commands, or patch operations.
142
+ 7. Stop leaking storage rows as response DTOs.
143
+ - Fields like `deleted_at`, `status_code`, `type_flag`, raw foreign keys, provider IDs, and
144
+ internal timestamps can freeze database design into the API contract.
145
+ - Public DTOs should represent caller concepts, not table plumbing.
146
+ 8. Treat error shape as part of usability.
147
+ - A string-only error blocks client branching, retry decisions, localization, support, and
148
+ monitoring.
149
+ - Ensure stable code, readable message, cause category, retryability, and safe request or support
150
+ ID exist where callers need them.
151
+ 9. Model failure as carefully as success.
152
+ - Include permission denied, duplicate request, already processed, missing resource, conflict,
153
+ provider timeout, cancelled resource, partial success, and validation failure where relevant.
154
+ - If the response model cannot describe these states, the API will lie later.
155
+ 10. Require idempotency for networked creation with side effects.
156
+ - Orders, payments, invites, subscriptions, refunds, and external writes need duplicate-request
157
+ safety because clients cannot know whether a timeout happened before or after commit.
158
+ - Button disabling is not an idempotency strategy.
159
+ 11. Make pagination stable under moving data.
160
+ - Offset pagination is unsafe for feeds, orders, notifications, logs, and any list that changes
161
+ while the user pages through it.
162
+ - Cursor pagination still needs an immutable or stable sort key, tie-breaker, page limit, and
163
+ empty-page semantics.
164
+ 12. Define sorting and filtering as contracts.
165
+ - A list without default order, tie-breaker, max size, allowed filter set, unknown-filter
166
+ behavior, null ordering, case sensitivity, timezone, and locale behavior is a random API.
167
+ 13. Show authorization shape in the API.
168
+ - `updateUser(userId, payload)` hides whether the caller edits self, a team member, or any user
169
+ as an admin.
170
+ - Prefer operation or route shapes that make permission mode visible, such as `updateMyProfile`
171
+ versus `adminUpdateUser`.
172
+ 14. Review state changes as commands.
173
+ - `updateOrderStatus(orderId, status)` lets callers request illegal transitions.
174
+ - Prefer command operations such as `payOrder`, `cancelOrder`, `shipOrder`, and `refundOrder`
175
+ where guards and effects have a home.
176
+ 15. Keep PATCH from becoming a command bus.
177
+ - Partial field updates should not secretly perform account closure, email verification,
178
+ payment cancellation, invitation acceptance, permission changes, or lifecycle transitions.
179
+ - Important behavior deserves an operation name.
180
+ 16. Specify time values fully.
181
+ - Time values need UTC basis or explicit timezone, ISO format, precision, server clock behavior,
182
+ expiration semantics, and display responsibility.
183
+ - Local strings without timezone are delayed bugs.
184
+ 17. Keep money out of floating-point shapes.
185
+ - Use minor-unit integers or decimal-safe representations plus currency.
186
+ - Include rounding, tax, fee, discount, and precision rules where the API participates in money
187
+ movement.
188
+ 18. Treat external enums as open.
189
+ - Public or provider-facing clients must survive unknown future values.
190
+ - Internal closed enums still need a boundary decision for unknown, deprecated, or provider-only
191
+ statuses.
192
+ 19. Draw the sync or async boundary.
193
+ - Image processing, reports, email delivery, bulk imports, external settlement, and long-running
194
+ work need job ID, state query, completion signal, cancellation semantics, timeout behavior,
195
+ and failure reason.
196
+ - `200 OK` must not imply finished when the work only started.
197
+ 20. Represent partial failure honestly.
198
+ - Bulk APIs need item-level results and aggregate summary.
199
+ - "All failed" can duplicate successful items on retry; "all succeeded" loses failed items.
200
+ 21. Ask whether the response can be cached.
201
+ - GET APIs should define freshness, cache key, user or tenant variance, ETag or Last-Modified,
202
+ cache-control, and invalidation boundaries when the response is expensive or frequently read.
203
+ 22. Balance response size and call count by caller task.
204
+ - Overfriendly list APIs that include every relation become slow.
205
+ - Overfragmented APIs that force the frontend to assemble one screen from many calls move backend
206
+ workflow into the client.
207
+ - Shape endpoints around caller tasks, with explicit includes or field selection when useful.
208
+ 23. Separate internal and external APIs.
209
+ - Internal APIs can change faster and carry richer operational context.
210
+ - External APIs need slower evolution, compatibility, documentation, and deprecation policy.
211
+ - One shared shape usually damages both.
212
+ 24. Treat version labels as policy, not decoration.
213
+ - `/v1` does not protect callers if field meanings, enum behavior, pagination, or errors change
214
+ under the same version.
215
+ - Define what counts as breaking, how long old versions live, how usage is monitored, and how
216
+ migration is communicated.
217
+ 25. Make deprecation measurable.
218
+ - A deprecated field or endpoint without usage tracking cannot be removed safely.
219
+ - Capture client, field, endpoint, version, and volume evidence where privacy policy allows.
220
+ 26. Define rate limits and retry hints.
221
+ - Limits without `Retry-After`, reset time, retryable classification, and client guidance punish
222
+ well-behaved callers.
223
+ - No limits lets buggy clients harm everyone else.
224
+ 27. Make the API observable.
225
+ - Request ID, caller ID, operation, latency, status, error code, downstream result, retry count,
226
+ cache hit, and job ID should be traceable where relevant.
227
+ - If operations cannot be traced, the API cannot be operated.
228
+ 28. Test through the caller contract.
229
+ - Success examples alone do not prove an API design.
230
+ - Cover duplicate request, missing resource, permission denied, unknown enum, invalid cursor,
231
+ large page size, timeout, retry, partial success, already processed, and deprecation behavior
232
+ where relevant.
233
+ 29. Check SDK ergonomics.
234
+ - If a typed SDK method name, input type, return type, or error handling becomes awkward, the
235
+ original HTTP, RPC, or service shape may be wrong.
236
+ - Generated types should reduce mistakes, not require callers to memorize transport details.
237
+ 30. Finish with the first-time caller question.
238
+ - What will a new caller misunderstand?
239
+ - If the likely mistake costs money, permissions, data, duplicate work, broken pagination, stale
240
+ cache, or unretryable failure, fix the API shape instead of adding prose warnings.
241
+
242
+ <!-- mustflow-section: postconditions -->
243
+ ## Postconditions
244
+
245
+ - The API expresses caller intent rather than internal implementation sequence.
246
+ - Ordering requirements, lifecycle states, side effects, retries, idempotency, async completion,
247
+ permission modes, cacheability, pagination, filtering, sorting, and deprecation rules are explicit.
248
+ - Parameter shapes, option objects, null semantics, DTO boundaries, time values, money values, enums,
249
+ errors, bulk results, and job states resist common caller mistakes.
250
+ - Internal and external API needs are separated or intentionally aligned with compatibility evidence.
251
+ - Tests, examples, SDKs, schemas, mocks, docs, and observability fields cover the changed caller
252
+ contract where relevant.
253
+
254
+ <!-- mustflow-section: verification -->
255
+ ## Verification
256
+
257
+ Use configured oneshot command intents when available:
258
+
259
+ - `changes_status`
260
+ - `changes_diff_summary`
261
+ - `lint`
262
+ - `build`
263
+ - `test_related`
264
+ - `test`
265
+ - `test_audit`
266
+ - `docs_validate_fast`
267
+ - `test_release`
268
+ - `mustflow_check`
269
+
270
+ Prefer tests that exercise the API from the caller's perspective: SDK calls, generated clients,
271
+ contract fixtures, request/response examples, failure states, pagination behavior, duplicate
272
+ requests, rate limits, async job transitions, and docs examples that callers copy.
273
+
274
+ <!-- mustflow-section: failure-handling -->
275
+ ## Failure Handling
276
+
277
+ - If the caller, compatibility promise, version policy, or source of truth is unknown, report the
278
+ missing contract instead of guessing.
279
+ - If fixing misuse resistance would break current callers, classify the break and use
280
+ `api-contract-change` before editing the public shape.
281
+ - If a command fails, use `failure-triage` before further edits.
282
+
283
+ <!-- mustflow-section: output-format -->
284
+ ## Output Format
285
+
286
+ - API misuse resistance reviewed
287
+ - Caller and operation ledger
288
+ - Names, order requirements, parameters, options, absence semantics, DTO leakage, errors,
289
+ idempotency, pagination, sorting, filtering, auth shape, state commands, PATCH semantics, time,
290
+ money, enum, async, bulk, cache, response size, internal/external, version, deprecation, rate
291
+ limit, observability, SDK, and test findings
292
+ - Fixes made or recommendation
293
+ - Compatibility and synchronized surface notes
294
+ - Tests or behavior evidence
295
+ - Command intents run
296
+ - Skipped checks and reasons
297
+ - Remaining API misuse risk