mustflow 2.39.1 → 2.58.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/tech.js +60 -4
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/npm-version-check.js +36 -0
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +386 -1
|
@@ -0,0 +1,298 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.api-access-control-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: api-access-control-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, broken authentication, tenant isolation, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.api-access-control-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# API Access Control Review
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Review API security as an access-control proof, not as a login check.
|
|
34
|
+
|
|
35
|
+
The review question is not "is the user authenticated?" It is "may this principal, at this moment,
|
|
36
|
+
perform this action on this object, this field, and this tenant context?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- Code review, implementation, or refactor work touches API routes, controllers, handlers,
|
|
42
|
+
resolvers, RPC procedures, service methods, repositories, database queries, storage signers,
|
|
43
|
+
exports, downloads, previews, batch APIs, background jobs, webhooks, auth middleware, sessions,
|
|
44
|
+
cookies, JWTs, OAuth or OIDC flows, password reset, MFA, admin APIs, internal APIs, cache keys,
|
|
45
|
+
DTO mapping, tests, or API docs.
|
|
46
|
+
- A request, token, body, query string, path parameter, webhook payload, queue payload, or client
|
|
47
|
+
state supplies `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `projectId`, `role`,
|
|
48
|
+
`ownerId`, object id, file key, status, price, entitlement, plan, or other authority-bearing data.
|
|
49
|
+
- A review needs API-specific authorization coverage for BOLA or IDOR, broken authentication,
|
|
50
|
+
object-property authorization, function-level authorization, mass assignment, object storage
|
|
51
|
+
access, tenant isolation, GraphQL resolver access, batch authorization, signed URLs, token
|
|
52
|
+
validation, session hardening, account enumeration, automation defense, or denial-case tests.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
55
|
+
## Do Not Use When
|
|
56
|
+
|
|
57
|
+
- The task changes the authorization model, role matrix, permission implementation, route guards, or
|
|
58
|
+
session/token code and needs implementation guidance; use `auth-permission-change` first and this
|
|
59
|
+
skill for API-specific review coverage.
|
|
60
|
+
- The task is a broad security source-to-sink review beyond API access control; use
|
|
61
|
+
`security-flow-review`.
|
|
62
|
+
- The task is only public API schema compatibility, pagination shape, status codes, or generated
|
|
63
|
+
client drift; use `api-contract-change` first.
|
|
64
|
+
- The task is only caller ergonomics or API misuse risk without security boundary pressure; use
|
|
65
|
+
`api-misuse-resistance-review`.
|
|
66
|
+
- The task asks for live exploitation, credential guessing, penetration testing traffic, or unsafe
|
|
67
|
+
payload collection. Stay within defensive local code review and tests.
|
|
68
|
+
|
|
69
|
+
<!-- mustflow-section: required-inputs -->
|
|
70
|
+
## Required Inputs
|
|
71
|
+
|
|
72
|
+
- User goal, current diff or target files, API surface, and the access-control claim being reviewed.
|
|
73
|
+
- Subject-object-action-context ledger: principal, session, token, API key, service account, tenant,
|
|
74
|
+
organization, workspace, role, relationship, resource, object id, field or property, action,
|
|
75
|
+
state, and request context.
|
|
76
|
+
- Object authorization ledger: list, detail, count, search, export, download, preview, share,
|
|
77
|
+
update, delete, approve, invite, refund, transfer, admin, batch, worker, and webhook paths that
|
|
78
|
+
can reach the same object.
|
|
79
|
+
- Property authorization ledger: request fields, response fields, updateable fields, hidden fields,
|
|
80
|
+
sensitive fields, computed fields, internal ids, storage keys, provider ids, and privileged
|
|
81
|
+
mutable fields.
|
|
82
|
+
- Function authorization ledger: API route, resolver, RPC procedure, admin function, support tool,
|
|
83
|
+
internal endpoint, queue handler, webhook handler, and storage signer operations.
|
|
84
|
+
- Authentication proof ledger: auth middleware, session store, cookie settings, JWT verifier,
|
|
85
|
+
OAuth/OIDC handling, API key verifier, reset tokens, reauthentication points, account enumeration
|
|
86
|
+
behavior, and automation controls.
|
|
87
|
+
- Existing tests, denial cases, role matrices, API docs, security docs, and configured command
|
|
88
|
+
intents.
|
|
89
|
+
|
|
90
|
+
<!-- mustflow-section: preconditions -->
|
|
91
|
+
## Preconditions
|
|
92
|
+
|
|
93
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
94
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
95
|
+
current scope.
|
|
96
|
+
- Required inputs are available, or missing subject, object, action, tenant, field, token, cache, or
|
|
97
|
+
denial-test evidence can be reported without guessing.
|
|
98
|
+
- Treat client-provided identity, tenant, role, ownership, status, plan, and entitlement values as
|
|
99
|
+
untrusted until server context and persisted relationships prove them.
|
|
100
|
+
|
|
101
|
+
<!-- mustflow-section: allowed-edits -->
|
|
102
|
+
## Allowed Edits
|
|
103
|
+
|
|
104
|
+
- Add or tighten server-side object authorization, tenant-scoped lookups, relationship checks,
|
|
105
|
+
function-level checks, property allowlists, DTO mappers, signed URL scoping, cache-key dimensions,
|
|
106
|
+
worker revalidation, webhook ownership mapping, token verification, session hardening,
|
|
107
|
+
reauthentication gates, enumeration-safe responses, rate limits, audit logs, and denial-case tests.
|
|
108
|
+
- Update route docs, API examples, role matrices, security docs, fixtures, SDK tests, and template
|
|
109
|
+
surfaces that describe the same access-control contract.
|
|
110
|
+
- Keep changes scoped to the reviewed API boundary and its synchronized surfaces.
|
|
111
|
+
- Do not add broad scanners, live external probes, offensive payload collections, unrelated
|
|
112
|
+
hardening, or new command authority under this skill.
|
|
113
|
+
|
|
114
|
+
<!-- mustflow-section: procedure -->
|
|
115
|
+
## Procedure
|
|
116
|
+
|
|
117
|
+
1. Ask the full permission question.
|
|
118
|
+
- Do not stop at "logged in".
|
|
119
|
+
- Ask whether this requester can perform this action on this object, this field, in this tenant,
|
|
120
|
+
in this state, right now.
|
|
121
|
+
2. Treat request-supplied identity as hostile.
|
|
122
|
+
- `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `role`, `ownerId`, `plan`, and
|
|
123
|
+
similar values from body, query, headers, path params, local storage, or token claims are leads,
|
|
124
|
+
not authority.
|
|
125
|
+
- Derive truth from server session, verified token context, database relationships, and current
|
|
126
|
+
persisted state.
|
|
127
|
+
3. Bind authorization to the data lookup.
|
|
128
|
+
- Prefer lookups such as `findByIdAndOwner`, `where id = ? and tenant_id = ?`, or policy-scoped
|
|
129
|
+
repository methods over `findById` followed by a fragile caller-side check.
|
|
130
|
+
- If existence disclosure must be hidden, keep missing and unauthorized behavior consistent.
|
|
131
|
+
4. Separate authentication from authorization.
|
|
132
|
+
- `isAuthenticated`, valid session, API key, or decoded JWT says who is calling.
|
|
133
|
+
- It does not say whether the object, field, tenant, or action is allowed.
|
|
134
|
+
5. Replace role-only checks with relationship and context checks.
|
|
135
|
+
- `role === "admin"` is usually too small.
|
|
136
|
+
- Check whether the principal is admin for this organization, owner of this project, seller for
|
|
137
|
+
this order, billing admin for this account, or allowed to act in this resource state.
|
|
138
|
+
6. Compare list and detail scopes.
|
|
139
|
+
- If list filters by current user or tenant but detail, count, search, analytics, export, or
|
|
140
|
+
download uses only object id, report the gap.
|
|
141
|
+
7. Review write APIs harder than read APIs.
|
|
142
|
+
- `PUT`, `PATCH`, `DELETE`, approve, refund, invite, transfer, publish, restore, and role-change
|
|
143
|
+
operations need write-specific permission, state, amount, and audit checks.
|
|
144
|
+
- Read permission is not write permission.
|
|
145
|
+
8. Stop mass assignment at the boundary.
|
|
146
|
+
- Flag request-body-to-entity binding, raw DTO persistence, GraphQL input passthrough, ORM update
|
|
147
|
+
data from raw body, and blind spread or object assignment.
|
|
148
|
+
- Privileged fields such as `role`, `status`, `ownerId`, `tenantId`, `isVerified`, `plan`,
|
|
149
|
+
`credit`, `deletedAt`, `price`, and `quota` must be derived, guarded, or allowlisted.
|
|
150
|
+
9. Check response DTOs for property-level exposure.
|
|
151
|
+
- Entity-to-JSON responses can leak `passwordHash`, `mfaSecret`, `internalMemo`,
|
|
152
|
+
`billingCustomerId`, storage keys, provider IDs, deletion reasons, or admin-only fields later.
|
|
153
|
+
- Use public response mappers and role-aware field policies when field visibility differs.
|
|
154
|
+
10. Treat client-side admin UI as decoration.
|
|
155
|
+
- Hidden buttons, disabled controls, frontend routes, mobile checks, and generated clients are
|
|
156
|
+
not access control.
|
|
157
|
+
- Admin and support operations need server-side scope, reason, audit, and denial tests.
|
|
158
|
+
11. Search for temporary public holes.
|
|
159
|
+
- Inspect `permitAll`, `anonymous`, `skipAuth`, `bypassAuth`, `public`, `internalOnly`,
|
|
160
|
+
`devOnly`, `TODO auth`, debug endpoints, health endpoints with extra data, and test-only
|
|
161
|
+
switches that can reach real data or operations.
|
|
162
|
+
12. Review router and middleware order.
|
|
163
|
+
- Dynamic routes like `/:id` can shadow `/me`, `/admin`, or `/settings`.
|
|
164
|
+
- Prefix middleware can leave sibling paths, nested routers, serverless functions, or framework
|
|
165
|
+
route groups unauthenticated.
|
|
166
|
+
13. Review GraphQL per resolver.
|
|
167
|
+
- Endpoint-level auth is not enough.
|
|
168
|
+
- Check `node(id)`, nested fields, connections, edges, aggregates, mutations, and field
|
|
169
|
+
resolvers for object and property authorization.
|
|
170
|
+
14. Review batch APIs per item.
|
|
171
|
+
- Bulk create, delete, export, import, and update endpoints must authorize every object.
|
|
172
|
+
- Define whether one denied item fails the whole request, returns per-item results, or produces
|
|
173
|
+
a retrievable failure report.
|
|
174
|
+
15. Review export, download, preview, thumbnail, and share paths.
|
|
175
|
+
- CRUD may be protected while file delivery, generated previews, thumbnails, CSV exports, and
|
|
176
|
+
shared links bypass the same policy.
|
|
177
|
+
16. Treat signed storage URLs as outputs of authorization.
|
|
178
|
+
- S3, GCS, R2, CDN, and private file URLs must be generated only after object authorization.
|
|
179
|
+
- Check key predictability, URL lifetime, scope, content disposition, cache behavior, revocation,
|
|
180
|
+
and whether direct object access bypasses policy.
|
|
181
|
+
17. Enforce tenant boundaries in every query and cache.
|
|
182
|
+
- `WHERE id = ?` is weak in multi-tenant code; include tenant, membership, owner, sharing, or
|
|
183
|
+
database policy constraints.
|
|
184
|
+
- Cache keys for private data need tenant and permission dimensions, not just object id.
|
|
185
|
+
18. Revalidate asynchronous jobs.
|
|
186
|
+
- Queue payloads with only `userId`, `tenantId`, or `fileId` can outlive permission changes.
|
|
187
|
+
- Workers, retries, admin reruns, scheduled tasks, and webhook-triggered jobs need actor,
|
|
188
|
+
tenant, resource, state, and current permission or service-principal checks at execution time.
|
|
189
|
+
19. Separate webhook authenticity from authorization.
|
|
190
|
+
- Signature verification proves the provider sent the event.
|
|
191
|
+
- Ownership mapping proves the event belongs to this tenant, account, customer, installation,
|
|
192
|
+
repository, subscription, or resource.
|
|
193
|
+
20. Keep OAuth and OIDC purposes distinct.
|
|
194
|
+
- OIDC ID tokens identify a user for login.
|
|
195
|
+
- OAuth access tokens authorize delegated API access.
|
|
196
|
+
- Do not use an ID token as an API permission token or an access token as a login proof without
|
|
197
|
+
the appropriate validation and intent.
|
|
198
|
+
21. Verify JWTs completely.
|
|
199
|
+
- Decoding is not verification.
|
|
200
|
+
- Check signature, algorithm allowlist, issuer, audience, expiry, not-before when used, key
|
|
201
|
+
source, key rotation, subject, tenant binding, and stale authorization claims.
|
|
202
|
+
22. Treat token claims as snapshots, not eternal truth.
|
|
203
|
+
- Long-lived `role`, `plan`, `tenantId`, and permission claims can survive demotion, removal,
|
|
204
|
+
subscription cancellation, suspension, or revocation.
|
|
205
|
+
- Important decisions should check current server-side state or use short-lived tokens with
|
|
206
|
+
revocation strategy.
|
|
207
|
+
23. Regenerate session identity after privilege changes.
|
|
208
|
+
- Login, password change, MFA changes, role changes, user-to-admin transitions, and account
|
|
209
|
+
recovery should rotate session identifiers or refresh tokens according to local policy.
|
|
210
|
+
24. Check authentication cookies.
|
|
211
|
+
- Cookies carrying session authority need `Secure`, `HttpOnly`, appropriate `SameSite`,
|
|
212
|
+
domain, path, lifetime, rotation, logout, revocation, and CSRF posture.
|
|
213
|
+
- Avoid URL-carried session identifiers.
|
|
214
|
+
25. Require reauthentication for sensitive actions.
|
|
215
|
+
- Password change, email change, MFA disable, payment method change, organization ownership
|
|
216
|
+
transfer, API-key creation, and destructive admin actions should require fresh proof.
|
|
217
|
+
26. Review reset and magic-link tokens.
|
|
218
|
+
- Tokens need strong randomness, one-time use, short expiration, purpose binding, user binding,
|
|
219
|
+
safe storage, link-preview protection, session invalidation where needed, and no reuse across
|
|
220
|
+
unrelated flows.
|
|
221
|
+
27. Compare account-enumeration responses.
|
|
222
|
+
- Login, signup, password reset, magic link, invitation, and email verification should avoid
|
|
223
|
+
leaking account existence through message, status, timing, or email-sending behavior unless
|
|
224
|
+
product policy accepts that disclosure.
|
|
225
|
+
28. Treat automation defense as part of authentication.
|
|
226
|
+
- Login, OTP, magic link, password reset, invite acceptance, coupon application, email
|
|
227
|
+
verification, and MFA attempts need rate limits, lockouts, challenge policy, IP/device/user
|
|
228
|
+
dimensions, and observability.
|
|
229
|
+
29. Separate internal and external identity planes.
|
|
230
|
+
- Backoffice, operator, database, middleware, and support accounts should not flow through the
|
|
231
|
+
same customer login path unless the product intentionally models and audits that boundary.
|
|
232
|
+
30. Test the denial matrix.
|
|
233
|
+
- Success tests prove little.
|
|
234
|
+
- For each protected resource, cover anonymous, normal user, other owner, same organization
|
|
235
|
+
different role, other tenant, admin wrong tenant, revoked user, suspended member, stale token,
|
|
236
|
+
read-only API key, and service account cases where relevant.
|
|
237
|
+
|
|
238
|
+
<!-- mustflow-section: postconditions -->
|
|
239
|
+
## Postconditions
|
|
240
|
+
|
|
241
|
+
- The API access-control decision names subject, object, action, field or property, tenant or owner,
|
|
242
|
+
current state, and trusted context when those apply.
|
|
243
|
+
- Authentication, object authorization, property authorization, and function authorization are not
|
|
244
|
+
collapsed into one route guard.
|
|
245
|
+
- Client-supplied identity and authority fields are either ignored, verified against server-side
|
|
246
|
+
state, or explicitly reported as risky.
|
|
247
|
+
- List, detail, search, export, download, batch, worker, webhook, signed URL, cache, GraphQL, and
|
|
248
|
+
admin paths are checked or explicitly scoped out.
|
|
249
|
+
- Token, session, cookie, OAuth/OIDC, reset, reauthentication, account-enumeration, and automation
|
|
250
|
+
defenses are checked when touched.
|
|
251
|
+
- Denial-case tests or missing test gaps are named from the attacker's point of view.
|
|
252
|
+
|
|
253
|
+
<!-- mustflow-section: verification -->
|
|
254
|
+
## Verification
|
|
255
|
+
|
|
256
|
+
Use configured oneshot command intents when available:
|
|
257
|
+
|
|
258
|
+
- `changes_status`
|
|
259
|
+
- `changes_diff_summary`
|
|
260
|
+
- `lint`
|
|
261
|
+
- `build`
|
|
262
|
+
- `test_related`
|
|
263
|
+
- `test`
|
|
264
|
+
- `test_audit`
|
|
265
|
+
- `docs_validate_fast`
|
|
266
|
+
- `test_release`
|
|
267
|
+
- `mustflow_check`
|
|
268
|
+
|
|
269
|
+
Prefer the narrowest configured tests that prove denial behavior: wrong owner, wrong tenant, wrong
|
|
270
|
+
role, revoked or suspended actor, stale token, forbidden field update, mass-assignment attempt,
|
|
271
|
+
unauthorized export or download, unauthorized batch item, worker revalidation, webhook ownership,
|
|
272
|
+
and account-enumeration response parity.
|
|
273
|
+
|
|
274
|
+
<!-- mustflow-section: failure-handling -->
|
|
275
|
+
## Failure Handling
|
|
276
|
+
|
|
277
|
+
- If subject, object, action, field, tenant, state, source of truth, or denial evidence is missing,
|
|
278
|
+
report the gap instead of claiming the API is safe.
|
|
279
|
+
- If the fix requires broad auth model changes, use `auth-permission-change` before editing that
|
|
280
|
+
scope.
|
|
281
|
+
- If a sensitive value appears in logs, diffs, fixtures, screenshots, command output, or final
|
|
282
|
+
reports, stop repeating it and use `secret-exposure-response` when it may be a real secret.
|
|
283
|
+
- If a command fails, use `failure-triage` before further edits.
|
|
284
|
+
|
|
285
|
+
<!-- mustflow-section: output-format -->
|
|
286
|
+
## Output Format
|
|
287
|
+
|
|
288
|
+
- API access control reviewed
|
|
289
|
+
- Subject, object, action, field, tenant or owner, state, and trusted context
|
|
290
|
+
- Object, property, and function authorization findings
|
|
291
|
+
- Authentication, session, token, cookie, OAuth/OIDC, reset, reauthentication, enumeration, and
|
|
292
|
+
automation findings
|
|
293
|
+
- List/detail/search/export/download/batch/worker/webhook/signed URL/cache/GraphQL/admin findings
|
|
294
|
+
- Fixes made or recommendation
|
|
295
|
+
- Denial tests or behavior evidence
|
|
296
|
+
- Command intents run
|
|
297
|
+
- Skipped checks and reasons
|
|
298
|
+
- Remaining API access-control risk
|
|
@@ -0,0 +1,297 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.api-misuse-resistance-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: api-misuse-resistance-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and an API, SDK, function boundary, service method, endpoint, command method, DTO, request shape, response shape, pagination contract, idempotency behavior, async job boundary, versioning policy, deprecation path, rate-limit rule, retry rule, observability surface, or caller-facing contract needs review for caller ergonomics, misuse resistance, hidden state machines, ambiguous parameters, internal model leakage, and operation-centered design.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.api-misuse-resistance-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# API Misuse Resistance Review
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Review APIs from the caller's side, not from the implementer's convenience.
|
|
34
|
+
|
|
35
|
+
The review question is not "does this endpoint or method work?" It is "can a tired caller use this
|
|
36
|
+
API without memorizing hidden order, internal tables, boolean meanings, null folklore, retry traps,
|
|
37
|
+
or Slack-thread failure semantics?"
|
|
38
|
+
|
|
39
|
+
<!-- mustflow-section: use-when -->
|
|
40
|
+
## Use When
|
|
41
|
+
|
|
42
|
+
- Code review, implementation, or refactor work touches public or internal APIs, service methods,
|
|
43
|
+
SDKs, generated clients, controller methods, RPC procedures, command methods, function signatures,
|
|
44
|
+
request schemas, response DTOs, error envelopes, pagination, filtering, sorting, idempotency,
|
|
45
|
+
retries, async jobs, bulk operations, cache headers, versioning, deprecation, rate limits,
|
|
46
|
+
observability fields, or caller-facing documentation.
|
|
47
|
+
- An API appears technically compatible but may invite caller mistakes through implementation-leaking
|
|
48
|
+
names, ordering requirements, boolean flags, broad options objects, nullable semantics, raw table
|
|
49
|
+
fields, status mutation, PATCH-as-command behavior, time or money primitives, closed enum
|
|
50
|
+
assumptions, overlarge responses, overfragmented calls, internal/external API mixing, or untested
|
|
51
|
+
failure cases.
|
|
52
|
+
- A review needs to decide whether to apply `api-contract-change`, `type-state-modeling-review`,
|
|
53
|
+
`business-rule-leakage-review`, `error-message-integrity-review`, `backend-reliability-change`,
|
|
54
|
+
`cache-integrity-review`, `security-flow-review`, `result-option`, or `state-machine-pattern`.
|
|
55
|
+
|
|
56
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
57
|
+
## Do Not Use When
|
|
58
|
+
|
|
59
|
+
- The main task is API source-of-truth synchronization, status/schema compatibility, generated
|
|
60
|
+
client drift, OpenAPI or protobuf compatibility, or endpoint migration; use `api-contract-change`
|
|
61
|
+
first and this skill only for caller misuse traps.
|
|
62
|
+
- The main task is making impossible domain states unrepresentable in types; use
|
|
63
|
+
`type-state-modeling-review` first.
|
|
64
|
+
- The main task is failure content quality; use `error-message-integrity-review`.
|
|
65
|
+
- The main task is false success, partial state, retry exhaustion, or failure integrity; use
|
|
66
|
+
`failure-integrity-review` or `backend-reliability-change`.
|
|
67
|
+
- The API is private implementation glue with no stable caller, no reusable boundary, no docs, and
|
|
68
|
+
no expected independent evolution.
|
|
69
|
+
|
|
70
|
+
<!-- mustflow-section: required-inputs -->
|
|
71
|
+
## Required Inputs
|
|
72
|
+
|
|
73
|
+
- User goal, current diff or target files, and every changed caller-facing boundary.
|
|
74
|
+
- Caller ledger: human caller, frontend, mobile app, CLI, worker, SDK user, partner integration,
|
|
75
|
+
internal service, batch job, webhook sender, support tool, or generated client.
|
|
76
|
+
- Operation ledger: what the caller is trying to accomplish, the minimal operation name, required
|
|
77
|
+
inputs, optional inputs, side effects, ordering constraints, sync or async completion, and retry
|
|
78
|
+
or cancellation expectations.
|
|
79
|
+
- Shape ledger: names, parameters, option objects, DTO fields, status fields, null and empty values,
|
|
80
|
+
error shape, pagination fields, sorting and filtering fields, money and time units, enum values,
|
|
81
|
+
bulk result shape, cache headers, versioning, deprecation, rate-limit hints, and observability
|
|
82
|
+
identifiers.
|
|
83
|
+
- Existing contract source, local API style, SDK conventions, generated client behavior, docs,
|
|
84
|
+
examples, tests, and configured command intents.
|
|
85
|
+
|
|
86
|
+
<!-- mustflow-section: preconditions -->
|
|
87
|
+
## Preconditions
|
|
88
|
+
|
|
89
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
90
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
91
|
+
current scope.
|
|
92
|
+
- Required inputs are available, or missing caller, operation, shape, or compatibility evidence can
|
|
93
|
+
be reported without guessing.
|
|
94
|
+
- If the review finds concrete schema compatibility, security, state-machine, result-type, cache,
|
|
95
|
+
failure-integrity, or backend reliability risk, use the narrower skill before editing that part.
|
|
96
|
+
|
|
97
|
+
<!-- mustflow-section: allowed-edits -->
|
|
98
|
+
## Allowed Edits
|
|
99
|
+
|
|
100
|
+
- Rename APIs toward caller intent, split hidden modes into separate operations, replace ambiguous
|
|
101
|
+
booleans with named options or distinct methods, narrow option bags, clarify null and patch
|
|
102
|
+
semantics, separate internal and public DTOs, add stable error codes, add idempotency or retry
|
|
103
|
+
metadata, expose async job resources, represent partial failures, tighten pagination, add cache
|
|
104
|
+
and rate-limit hints, and add focused contract tests.
|
|
105
|
+
- Update docs, examples, SDK wrappers, generated client fixtures, API schemas, mocks, changelog
|
|
106
|
+
notes, deprecation notes, and tests that describe the same caller contract.
|
|
107
|
+
- Keep changes scoped to the boundary under review and its synchronized surfaces.
|
|
108
|
+
- Do not silently break existing public callers, widen responses with internal data, turn every
|
|
109
|
+
helper into a public API, or hide a breaking design change behind naming polish.
|
|
110
|
+
|
|
111
|
+
<!-- mustflow-section: procedure -->
|
|
112
|
+
## Procedure
|
|
113
|
+
|
|
114
|
+
1. Read the call site aloud.
|
|
115
|
+
- If the call reads like a wiring diagram, the API is leaking implementation.
|
|
116
|
+
- `createUserWithValidationAndEmailSend` tells the caller to remember internal steps.
|
|
117
|
+
- Prefer operation intent such as `registerUser`, `inviteUser`, `payOrder`, or `startReport`.
|
|
118
|
+
2. Separate purpose from mechanism in names.
|
|
119
|
+
- Names should say what the caller wants, not DB, Redis, Kafka, email, validation, batch, cache,
|
|
120
|
+
queue, or storage details.
|
|
121
|
+
- Keep implementation details in internals, logs, or diagnostics unless the caller genuinely
|
|
122
|
+
controls that mechanism.
|
|
123
|
+
3. Expose hidden state machines.
|
|
124
|
+
- APIs that require `init`, `setConfig`, `connect`, `start`, `flush`, and `close` in one exact
|
|
125
|
+
sequence are unsafe unless the type, builder, lifecycle object, or command model enforces the
|
|
126
|
+
sequence.
|
|
127
|
+
- Ask what happens if a caller skips, repeats, or reorders each step.
|
|
128
|
+
4. Hunt boolean parameters.
|
|
129
|
+
- `getUsers(true)`, `sendEmail(false)`, and `createOrder(order, true, false)` are call-site
|
|
130
|
+
riddles.
|
|
131
|
+
- Replace with named options, separate operations, or domain variants when the boolean changes
|
|
132
|
+
behavior.
|
|
133
|
+
5. Audit option objects as mode bags.
|
|
134
|
+
- `skipValidation`, `sendWelcomeEmail`, `createdByAdmin`, `importMode`, `dryRun`, and
|
|
135
|
+
`temporaryPassword` in one object often means several workflows share one unsafe door.
|
|
136
|
+
- Split by use case when options describe different business operations instead of incidental
|
|
137
|
+
configuration.
|
|
138
|
+
6. Give absence one meaning per boundary.
|
|
139
|
+
- Count `null`, `undefined`, empty string, empty array, omitted field, and default value.
|
|
140
|
+
- If they mean delete, keep, clear, unknown, not loaded, or not applicable differently, model that
|
|
141
|
+
with explicit types, commands, or patch operations.
|
|
142
|
+
7. Stop leaking storage rows as response DTOs.
|
|
143
|
+
- Fields like `deleted_at`, `status_code`, `type_flag`, raw foreign keys, provider IDs, and
|
|
144
|
+
internal timestamps can freeze database design into the API contract.
|
|
145
|
+
- Public DTOs should represent caller concepts, not table plumbing.
|
|
146
|
+
8. Treat error shape as part of usability.
|
|
147
|
+
- A string-only error blocks client branching, retry decisions, localization, support, and
|
|
148
|
+
monitoring.
|
|
149
|
+
- Ensure stable code, readable message, cause category, retryability, and safe request or support
|
|
150
|
+
ID exist where callers need them.
|
|
151
|
+
9. Model failure as carefully as success.
|
|
152
|
+
- Include permission denied, duplicate request, already processed, missing resource, conflict,
|
|
153
|
+
provider timeout, cancelled resource, partial success, and validation failure where relevant.
|
|
154
|
+
- If the response model cannot describe these states, the API will lie later.
|
|
155
|
+
10. Require idempotency for networked creation with side effects.
|
|
156
|
+
- Orders, payments, invites, subscriptions, refunds, and external writes need duplicate-request
|
|
157
|
+
safety because clients cannot know whether a timeout happened before or after commit.
|
|
158
|
+
- Button disabling is not an idempotency strategy.
|
|
159
|
+
11. Make pagination stable under moving data.
|
|
160
|
+
- Offset pagination is unsafe for feeds, orders, notifications, logs, and any list that changes
|
|
161
|
+
while the user pages through it.
|
|
162
|
+
- Cursor pagination still needs an immutable or stable sort key, tie-breaker, page limit, and
|
|
163
|
+
empty-page semantics.
|
|
164
|
+
12. Define sorting and filtering as contracts.
|
|
165
|
+
- A list without default order, tie-breaker, max size, allowed filter set, unknown-filter
|
|
166
|
+
behavior, null ordering, case sensitivity, timezone, and locale behavior is a random API.
|
|
167
|
+
13. Show authorization shape in the API.
|
|
168
|
+
- `updateUser(userId, payload)` hides whether the caller edits self, a team member, or any user
|
|
169
|
+
as an admin.
|
|
170
|
+
- Prefer operation or route shapes that make permission mode visible, such as `updateMyProfile`
|
|
171
|
+
versus `adminUpdateUser`.
|
|
172
|
+
14. Review state changes as commands.
|
|
173
|
+
- `updateOrderStatus(orderId, status)` lets callers request illegal transitions.
|
|
174
|
+
- Prefer command operations such as `payOrder`, `cancelOrder`, `shipOrder`, and `refundOrder`
|
|
175
|
+
where guards and effects have a home.
|
|
176
|
+
15. Keep PATCH from becoming a command bus.
|
|
177
|
+
- Partial field updates should not secretly perform account closure, email verification,
|
|
178
|
+
payment cancellation, invitation acceptance, permission changes, or lifecycle transitions.
|
|
179
|
+
- Important behavior deserves an operation name.
|
|
180
|
+
16. Specify time values fully.
|
|
181
|
+
- Time values need UTC basis or explicit timezone, ISO format, precision, server clock behavior,
|
|
182
|
+
expiration semantics, and display responsibility.
|
|
183
|
+
- Local strings without timezone are delayed bugs.
|
|
184
|
+
17. Keep money out of floating-point shapes.
|
|
185
|
+
- Use minor-unit integers or decimal-safe representations plus currency.
|
|
186
|
+
- Include rounding, tax, fee, discount, and precision rules where the API participates in money
|
|
187
|
+
movement.
|
|
188
|
+
18. Treat external enums as open.
|
|
189
|
+
- Public or provider-facing clients must survive unknown future values.
|
|
190
|
+
- Internal closed enums still need a boundary decision for unknown, deprecated, or provider-only
|
|
191
|
+
statuses.
|
|
192
|
+
19. Draw the sync or async boundary.
|
|
193
|
+
- Image processing, reports, email delivery, bulk imports, external settlement, and long-running
|
|
194
|
+
work need job ID, state query, completion signal, cancellation semantics, timeout behavior,
|
|
195
|
+
and failure reason.
|
|
196
|
+
- `200 OK` must not imply finished when the work only started.
|
|
197
|
+
20. Represent partial failure honestly.
|
|
198
|
+
- Bulk APIs need item-level results and aggregate summary.
|
|
199
|
+
- "All failed" can duplicate successful items on retry; "all succeeded" loses failed items.
|
|
200
|
+
21. Ask whether the response can be cached.
|
|
201
|
+
- GET APIs should define freshness, cache key, user or tenant variance, ETag or Last-Modified,
|
|
202
|
+
cache-control, and invalidation boundaries when the response is expensive or frequently read.
|
|
203
|
+
22. Balance response size and call count by caller task.
|
|
204
|
+
- Overfriendly list APIs that include every relation become slow.
|
|
205
|
+
- Overfragmented APIs that force the frontend to assemble one screen from many calls move backend
|
|
206
|
+
workflow into the client.
|
|
207
|
+
- Shape endpoints around caller tasks, with explicit includes or field selection when useful.
|
|
208
|
+
23. Separate internal and external APIs.
|
|
209
|
+
- Internal APIs can change faster and carry richer operational context.
|
|
210
|
+
- External APIs need slower evolution, compatibility, documentation, and deprecation policy.
|
|
211
|
+
- One shared shape usually damages both.
|
|
212
|
+
24. Treat version labels as policy, not decoration.
|
|
213
|
+
- `/v1` does not protect callers if field meanings, enum behavior, pagination, or errors change
|
|
214
|
+
under the same version.
|
|
215
|
+
- Define what counts as breaking, how long old versions live, how usage is monitored, and how
|
|
216
|
+
migration is communicated.
|
|
217
|
+
25. Make deprecation measurable.
|
|
218
|
+
- A deprecated field or endpoint without usage tracking cannot be removed safely.
|
|
219
|
+
- Capture client, field, endpoint, version, and volume evidence where privacy policy allows.
|
|
220
|
+
26. Define rate limits and retry hints.
|
|
221
|
+
- Limits without `Retry-After`, reset time, retryable classification, and client guidance punish
|
|
222
|
+
well-behaved callers.
|
|
223
|
+
- No limits lets buggy clients harm everyone else.
|
|
224
|
+
27. Make the API observable.
|
|
225
|
+
- Request ID, caller ID, operation, latency, status, error code, downstream result, retry count,
|
|
226
|
+
cache hit, and job ID should be traceable where relevant.
|
|
227
|
+
- If operations cannot be traced, the API cannot be operated.
|
|
228
|
+
28. Test through the caller contract.
|
|
229
|
+
- Success examples alone do not prove an API design.
|
|
230
|
+
- Cover duplicate request, missing resource, permission denied, unknown enum, invalid cursor,
|
|
231
|
+
large page size, timeout, retry, partial success, already processed, and deprecation behavior
|
|
232
|
+
where relevant.
|
|
233
|
+
29. Check SDK ergonomics.
|
|
234
|
+
- If a typed SDK method name, input type, return type, or error handling becomes awkward, the
|
|
235
|
+
original HTTP, RPC, or service shape may be wrong.
|
|
236
|
+
- Generated types should reduce mistakes, not require callers to memorize transport details.
|
|
237
|
+
30. Finish with the first-time caller question.
|
|
238
|
+
- What will a new caller misunderstand?
|
|
239
|
+
- If the likely mistake costs money, permissions, data, duplicate work, broken pagination, stale
|
|
240
|
+
cache, or unretryable failure, fix the API shape instead of adding prose warnings.
|
|
241
|
+
|
|
242
|
+
<!-- mustflow-section: postconditions -->
|
|
243
|
+
## Postconditions
|
|
244
|
+
|
|
245
|
+
- The API expresses caller intent rather than internal implementation sequence.
|
|
246
|
+
- Ordering requirements, lifecycle states, side effects, retries, idempotency, async completion,
|
|
247
|
+
permission modes, cacheability, pagination, filtering, sorting, and deprecation rules are explicit.
|
|
248
|
+
- Parameter shapes, option objects, null semantics, DTO boundaries, time values, money values, enums,
|
|
249
|
+
errors, bulk results, and job states resist common caller mistakes.
|
|
250
|
+
- Internal and external API needs are separated or intentionally aligned with compatibility evidence.
|
|
251
|
+
- Tests, examples, SDKs, schemas, mocks, docs, and observability fields cover the changed caller
|
|
252
|
+
contract where relevant.
|
|
253
|
+
|
|
254
|
+
<!-- mustflow-section: verification -->
|
|
255
|
+
## Verification
|
|
256
|
+
|
|
257
|
+
Use configured oneshot command intents when available:
|
|
258
|
+
|
|
259
|
+
- `changes_status`
|
|
260
|
+
- `changes_diff_summary`
|
|
261
|
+
- `lint`
|
|
262
|
+
- `build`
|
|
263
|
+
- `test_related`
|
|
264
|
+
- `test`
|
|
265
|
+
- `test_audit`
|
|
266
|
+
- `docs_validate_fast`
|
|
267
|
+
- `test_release`
|
|
268
|
+
- `mustflow_check`
|
|
269
|
+
|
|
270
|
+
Prefer tests that exercise the API from the caller's perspective: SDK calls, generated clients,
|
|
271
|
+
contract fixtures, request/response examples, failure states, pagination behavior, duplicate
|
|
272
|
+
requests, rate limits, async job transitions, and docs examples that callers copy.
|
|
273
|
+
|
|
274
|
+
<!-- mustflow-section: failure-handling -->
|
|
275
|
+
## Failure Handling
|
|
276
|
+
|
|
277
|
+
- If the caller, compatibility promise, version policy, or source of truth is unknown, report the
|
|
278
|
+
missing contract instead of guessing.
|
|
279
|
+
- If fixing misuse resistance would break current callers, classify the break and use
|
|
280
|
+
`api-contract-change` before editing the public shape.
|
|
281
|
+
- If a command fails, use `failure-triage` before further edits.
|
|
282
|
+
|
|
283
|
+
<!-- mustflow-section: output-format -->
|
|
284
|
+
## Output Format
|
|
285
|
+
|
|
286
|
+
- API misuse resistance reviewed
|
|
287
|
+
- Caller and operation ledger
|
|
288
|
+
- Names, order requirements, parameters, options, absence semantics, DTO leakage, errors,
|
|
289
|
+
idempotency, pagination, sorting, filtering, auth shape, state commands, PATCH semantics, time,
|
|
290
|
+
money, enum, async, bulk, cache, response size, internal/external, version, deprecation, rate
|
|
291
|
+
limit, observability, SDK, and test findings
|
|
292
|
+
- Fixes made or recommendation
|
|
293
|
+
- Compatibility and synchronized surface notes
|
|
294
|
+
- Tests or behavior evidence
|
|
295
|
+
- Command intents run
|
|
296
|
+
- Skipped checks and reasons
|
|
297
|
+
- Remaining API misuse risk
|