mustflow 2.39.1 → 2.58.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/tech.js +60 -4
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/npm-version-check.js +36 -0
  14. package/dist/cli/lib/repo-map.js +16 -3
  15. package/dist/cli/lib/templates.js +8 -7
  16. package/dist/cli/lib/validation/constants.js +1 -1
  17. package/dist/core/active-run-locks.js +78 -20
  18. package/dist/core/change-classification.js +4 -0
  19. package/dist/core/command-contract-rules.js +1 -1
  20. package/dist/core/command-contract-validation.js +1 -1
  21. package/dist/core/command-cwd.js +13 -2
  22. package/dist/core/command-effects.js +22 -4
  23. package/dist/core/command-env.js +8 -6
  24. package/dist/core/command-preconditions.js +28 -2
  25. package/dist/core/completion-verdict.js +1 -1
  26. package/dist/core/line-endings.js +8 -4
  27. package/dist/core/safe-filesystem.js +9 -1
  28. package/dist/core/source-anchor-validation.js +7 -1
  29. package/dist/core/source-anchors.js +8 -2
  30. package/dist/core/verification-scheduler.js +8 -2
  31. package/package.json +1 -1
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +386 -1
@@ -0,0 +1,213 @@
1
+ ---
2
+ mustflow_doc: skill.backend-log-evidence-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 2
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: backend-log-evidence-review
9
+ description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.backend-log-evidence-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Backend Log Evidence Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review backend logs as evidence for reconstructing a request, job, or data mutation, not as decorative messages near the error line.
33
+
34
+ The review question is: "If this backend path fails, times out, retries, silently skips work, or changes the wrong state at 3 AM, can an operator follow the event trail from entry to exit and explain the branch, dependency result, database effect, retry history, authorization decision, cache path, release/config context, and final outcome without leaking sensitive data?"
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - Backend handlers, services, repositories, adapters, workers, schedulers, webhooks, migrations, scripts, or batch jobs add, remove, review, or depend on logs.
40
+ - A change claims that a path is logged, traceable, easy to debug, auditable, operationally safe, or diagnosable from logs.
41
+ - Request start or finish logs, event names, schema versions, severity fields, trace or span IDs, error handling, error wrapping, external API calls, DB writes, transactions, status transitions, early returns, retries, timeouts, queues, async jobs, batches, audit events, auth, validation, cache, distributed locks, idempotency, feature flags, configuration, releases, migrations, or background promises are involved.
42
+ - A review needs to decide whether logs explain why the system reached a state, not only where the exception was thrown.
43
+
44
+ <!-- mustflow-section: do-not-use-when -->
45
+ ## Do Not Use When
46
+
47
+ - The task is primarily metrics, traces, dashboards, alerts, sampling, or telemetry cardinality; use `observability-debuggability-review` first and this skill only for backend log evidence.
48
+ - The task is primarily public error wording or support-facing error contracts; use `error-message-integrity-review` first and this skill only for internal operator logs.
49
+ - The task is primarily failure propagation, rollback, queue settlement, retry policy, idempotency, transaction integrity, cache correctness, or access control. Use the matching integrity or security skill first and this skill for the logs that prove the path.
50
+ - The code path is a pure deterministic calculation with no request, job, dependency, state change, permission decision, operational boundary, or support need.
51
+ - The repository has no logging convention and the user did not ask to introduce one. Report the missing log-evidence boundary instead of sprinkling ad hoc logs.
52
+
53
+ <!-- mustflow-section: required-inputs -->
54
+ ## Required Inputs
55
+
56
+ - Backend path under review: request route, command handler, worker, scheduler, webhook, migration, script, repository method, or external adapter.
57
+ - Event contract: stable `event_name`, event family, `message` as secondary prose, schema version, severity or level, event timestamp, observed timestamp when collection delay matters, service or resource identity, environment, region, service version, and release or git SHA already available.
58
+ - Correlation model: request id, trace id, span id, correlation id, causation id, job id, message id, batch run id, tenant id, user or actor id, resource id, provider request id, and safe business identifiers already available.
59
+ - Request lifecycle evidence: start log, finish log, status code or result type, outcome, reason code, duration measured from a monotonic clock when possible, main operation name, important input identifiers, and final resource identifiers.
60
+ - Error evidence: thrown errors, catches, wrappers, causes, stack preservation, error categories, public versus internal messages, and log boundary ownership.
61
+ - Decision evidence: branches, early returns, validation failures, auth decisions, feature flags, state transitions, cache paths, retry decisions, timeout classes, and fallback decisions.
62
+ - Side-effect evidence: external API calls with dependency name, operation, timeout, latency, status class, retry count, circuit state, and provider request id; DB affected rows; transaction begin/commit/rollback evidence; queue enqueue and consume; idempotency decisions; locks; migrations; batch summaries; release/config/feature-flag events; and configuration snapshots.
63
+ - Safety constraints: secrets, tokens, cookies, auth headers, passwords, raw payloads, personal data, payment data, provider response bodies, full SQL, log injection through control characters or ANSI escapes, high-cardinality indexing cost, sampling policy, and retention policy.
64
+ - Local conventions: logger API, structured field names, severity levels, redaction helpers, error serialization, test helpers, snapshots or fixtures, and configured command intents.
65
+
66
+ <!-- mustflow-section: preconditions -->
67
+ ## Preconditions
68
+
69
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
70
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
71
+ - Existing logger wrappers, error conventions, redaction helpers, request-context propagation, and tests have been searched before adding or changing log shapes.
72
+ - Required path, correlation, lifecycle, error, decision, side-effect, safety, and local-convention inputs are available, or missing inputs can be reported without guessing.
73
+ - If log changes touch secrets, personal data, auth, payments, queues, retries, transactions, idempotency, cache, locks, or external providers, also apply the relevant security or integrity skill.
74
+
75
+ <!-- mustflow-section: allowed-edits -->
76
+ ## Allowed Edits
77
+
78
+ - Add or tighten structured log events, stable event names, schema versions, safe identifiers, trace/span/request/correlation/causation IDs, result summaries, outcome and reason fields, duration fields, deployment/resource attributes, affected-row counts, transition fields, retry attempt fields, dependency metadata, queue and batch summary fields, audit fields, and focused tests when local logging patterns exist.
79
+ - Preserve stack traces and error causes by using the repository's logger and error APIs correctly.
80
+ - Replace raw payloads, raw provider bodies, raw SQL, tokens, passwords, cookies, auth headers, personal data, payment data, user-controlled control characters, and high-cardinality indexed values with redacted summaries, stable codes, hashed values, bounded classifications, route templates, query hashes, or safe IDs.
81
+ - Remove or lower duplicate noisy logs only when a higher boundary already logs the same failure with better context.
82
+ - Do not add a new logging vendor, daemon, sink, background worker, live log query, production dashboard dependency, or raw command outside the configured command contract.
83
+ - Do not turn logs into the only correctness mechanism. Logs may prove or reveal a problem; they do not replace durable state, authorization, idempotency, transactions, reconciliation, or tests.
84
+
85
+ <!-- mustflow-section: procedure -->
86
+ ## Procedure
87
+
88
+ 1. Name the reconstruction question.
89
+ - State what an operator must reconstruct: which request entered, which branch ran, which dependency answered, which rows changed, which retry happened, which permission failed, which cache path was used, or which final state was returned.
90
+ - If the log change does not answer a reconstruction question, classify it as decorative.
91
+ - Treat logs as event records. Require a stable `event_name`; keep human prose in `message` as secondary, not as the alert or dashboard contract.
92
+ - Keep event names stable and moderately broad: use `auth.login.failed` plus fields such as `failure_reason`, `client_type`, and `identity_provider` instead of encoding every attribute into the name.
93
+ - Check schema version, severity or level, event timestamp, observed timestamp when useful, service name, service version, git SHA or release id, environment, region, and resource identity when local conventions expose them.
94
+ 2. Check request start logs.
95
+ - A route-only log is weak evidence.
96
+ - Require safe fields such as request id, trace id, span id, correlation id, tenant id, actor or user id when allowed, operation name, route template, route pattern instead of full URL, query key summary or query hash, and key resource identifiers.
97
+ - Avoid raw payloads; keep only identifiers and classified input shape needed to reproduce or search the incident.
98
+ 3. Check request finish logs.
99
+ - Pair start logs with finish logs when the framework does not already provide them.
100
+ - Require status code or result type, outcome, reason code, duration, final state, and created or modified resource identifiers when safe.
101
+ - Distinguish success, expected denial, validation failure, timeout, cancellation, dependency failure, and unexpected exception.
102
+ - Sample high-volume success summaries intentionally, but do not silently sample away failures, security events, payment events, admin actions, state transitions, or audit events.
103
+ 4. Preserve error evidence.
104
+ - Reject `logger.error(error.message)` or string-only logging when it drops stack, cause, code, status, or metadata.
105
+ - Error wrappers should preserve the original cause.
106
+ - Log an unexpected exception once at the boundary that can attach request, tenant, actor, operation, and resource context.
107
+ 5. Review external API call logs.
108
+ - Before calls, capture dependency name, provider, operation or endpoint template, method, timeout, attempt, circuit state, and safe business id.
109
+ - After calls, capture status code or status class, latency, provider request id, retry count, retryability decision, circuit state, and bounded provider error code.
110
+ - Do not dump provider request or response bodies; preserve only safe failure codes and correlation handles.
111
+ 6. Review database write evidence.
112
+ - Important writes should expose matched, affected, modified, inserted, deleted, or returned row counts as local conventions allow.
113
+ - Treat 0 affected rows and unexpectedly high affected rows as review points, not boring implementation details.
114
+ - Prefer query or operation names and table or collection names over raw SQL.
115
+ 7. Review transaction and state-transition logs.
116
+ - Multi-step state changes should leave evidence for begin, important step, commit, rollback, compensation, and after-commit side effects when useful.
117
+ - State transitions should include from state, to state, reason, actor, and resource id.
118
+ - Logs should show whether a path reached commit, rolled back, or stopped before any durable change.
119
+ 8. Review silent early returns.
120
+ - Inspect `return null`, `return false`, empty returns, guard clauses, permission denials, missing data branches, empty collections, and no-op cases.
121
+ - Important early exits need a reason code at debug, info, or warn level according to local severity policy.
122
+ - Avoid logging harmless hot-path absences at noisy levels.
123
+ 9. Review retry and timeout logs.
124
+ - Retry logs should include attempt, max attempts, backoff, next retry decision, error type, dependency name, and final exhaustion reason.
125
+ - Timeout logs should include configured timeout, actual duration when available, timeout class, and whether the operation was cancelled, retried, or surfaced.
126
+ - Separate caller cancellation, upstream deadline, dependency timeout, pool timeout, queue visibility expiry, and shutdown cancellation.
127
+ - Avoid warning on every expected retry attempt when the policy treats those attempts as normal; raise severity at final exhaustion, degradation, or user-impact boundaries.
128
+ 10. Review queue and async handoff logs.
129
+ - Enqueue logs should connect producer, queue name, job or message id, delay, dedupe key, visibility timeout, request id, correlation id, tenant, and causation id when safe.
130
+ - Consume logs should connect consumer, queue name, job or message id, attempt, max attempts, delay or age, processing duration, result, retry, ack or commit outcome, dead-letter reason, and poison-message classification.
131
+ - Preserve correlation across fire-and-forget promises, event listeners, callbacks, workers, emails, webhooks, and background jobs.
132
+ 11. Review batch and migration logs.
133
+ - Batch jobs need total, success, failed, skipped, duration, last-success, and representative failed item identifiers when safe.
134
+ - Data fixes and migrations need dry-run selection counts, apply counts, skip reasons, affected ids or safe samples, and rollback or recovery handles.
135
+ - `done` is not an operational summary.
136
+ 12. Review auth, authorization, and validation logs.
137
+ - Authorization failures should classify actor, required permission, resource, decision, and reason without exposing secrets.
138
+ - Authentication failures should be internally classified without creating account-enumeration or password hints in public responses.
139
+ - Validation failures should summarize field names, failure categories, client or SDK version hints, and safe request identifiers without raw sensitive input.
140
+ - Treat administrator changes, refunds, token issuance, personal-data access, permission changes, and security-sensitive denials as audit events with actor, authority, target, outcome, and tamper-resistant retention expectations instead of ordinary debug logs.
141
+ 13. Review cache, lock, and idempotency logs.
142
+ - Cache paths should expose hit, miss, stale, fill, fallback, TTL, and safe cache-key class where useful.
143
+ - Lock logs should expose lock key class, wait time, TTL, owner class, acquired status, release result, and failure reason.
144
+ - Idempotency logs should distinguish new request, duplicate replay, conflict, previous-result return, in-progress duplicate, and key or payload mismatch.
145
+ 14. Review feature flag, config, and environment logs.
146
+ - Feature flag branches should expose flag name, variant, rule or cohort class, and operation path when safe.
147
+ - Startup config logs should summarize mode, endpoints, timeout values, enabled integrations, region, and feature toggles without secrets.
148
+ - Runtime config reads that affect behavior should be traceable to a safe config identity or version.
149
+ - Releases, migrations, feature-flag changes, and config changes should leave event records such as deployment started or completed, config changed, migration started or completed, and rollout variant updated.
150
+ 15. Review log levels and duplicate ownership.
151
+ - Use info for lifecycle summaries, debug for branch details, warn for recoverable or degraded failures, and error for failed requests, failed jobs, or possible data damage.
152
+ - Avoid logging the same exception as error in controller, service, and repository layers.
153
+ - Internal layers should add context through causes, structured metadata, or lower-level logs without drowning the boundary error.
154
+ 16. Review structure and searchability.
155
+ - Prefer stable event names and structured fields over prose-only messages; do not build alerts, dashboards, or runbook queries from mutable message text.
156
+ - Require domain identifiers: order id, payment id, file id, job id, tenant id, actor id, or resource id where safe and relevant.
157
+ - Check that a single customer issue can be searched by request id, resource id, provider request id, or job id without guessing text fragments.
158
+ - Keep frequently aggregated fields low-cardinality. Use route templates, dependency names, bounded reason enums, and status classes; keep request ids, user ids, order ids, stack traces, full URLs, and arbitrary provider text out of indexed labels unless the storage policy explicitly supports them.
159
+ 17. Review redaction before the log leaves the process.
160
+ - Redact or classify tokens, passwords, auth headers, cookies, raw request bodies, emails, phone numbers, payment data, provider bodies, and full SQL before handing data to the logger.
161
+ - Normalize or escape user-controlled strings such as filenames, user agents, nicknames, referers, and queries so newlines, tabs, control characters, and ANSI escapes cannot forge log entries.
162
+ - Sink-side masking is not enough when sensitive data has already crossed the process boundary.
163
+ - Tests or static guards should cover sensitive log fields when feasible.
164
+ 18. Require evidence.
165
+ - Prefer focused tests, log fixtures, snapshot assertions, redaction tests, source-level guards, or local logger contract tests for stable event names and fields.
166
+ - Prefer tests that pin `event_name`, schema version, required fields, redaction, bounded reason codes, and message-independent query fields rather than exact prose.
167
+ - If logs depend on runtime middleware, production log routing, sink configuration, or manual log search outside the repository, report that evidence as manual-only.
168
+ - Do not claim a path is diagnosable when only happy-path logs exist.
169
+
170
+ <!-- mustflow-section: postconditions -->
171
+ ## Postconditions
172
+
173
+ - The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, redaction boundary, level ownership, sampling boundary, and evidence level.
174
+ - Missing start or finish logs, message-only contracts, unstable event names, missing schema version, missing trace or span id, missing correlation or causation id, string-only errors, lost causes, missing external-call before and after logs, raw provider body logs, missing affected-row counts, invisible transaction or state transitions, silent early returns, attempt-free retries, duration-free timeouts, enqueue or consume gaps, broken async correlation, empty batch summaries, missing auth or validation reasons, ordinary logs for audit events, cache or lock blind spots, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config logs, migration `done` logs, swallowed async errors, all-info or all-error severity, duplicate error spam, prose-only messages, high-cardinality indexed fields, log injection exposure, unsafe sampling, and missing identifiers are fixed or reported.
175
+ - Named review smells such as broken async request id, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, config startup summaries, release and migration event gaps, migration dry-run and apply logs, message-based dashboards, prose-only log, and sink-side-only masking are fixed or reported when present.
176
+ - Log changes are backed by local logger conventions, tests, fixtures, source review evidence, or labeled as manual-only or missing.
177
+
178
+ <!-- mustflow-section: verification -->
179
+ ## Verification
180
+
181
+ Use configured oneshot command intents when available:
182
+
183
+ - `changes_status`
184
+ - `changes_diff_summary`
185
+ - `lint`
186
+ - `build`
187
+ - `test_related`
188
+ - `test`
189
+ - `docs_validate_fast`
190
+ - `test_release`
191
+ - `mustflow_check`
192
+
193
+ Prefer the narrowest configured checks that cover the changed logging contract and synchronized template surfaces. Do not infer live log searches, production incidents, dashboards, collectors, servers, or manual sink checks outside the command contract.
194
+
195
+ <!-- mustflow-section: failure-handling -->
196
+ ## Failure Handling
197
+
198
+ - If a configured command fails, preserve the failing intent and the log contract it was exercising before editing again.
199
+ - If no logger convention exists, recommend the smallest wrapper or boundary decision instead of scattering inconsistent log calls.
200
+ - If redaction cannot be proven, treat the log change as unsafe until sensitive values are removed before the logger boundary.
201
+ - If a path cannot expose identifiers because of privacy or product policy, report the alternate safe correlation handle or the remaining searchability gap.
202
+ - If deterministic log proof is not configured, complete available verification and report the missing manual or integration evidence.
203
+
204
+ <!-- mustflow-section: output-format -->
205
+ ## Output Format
206
+
207
+ - Backend log boundary reviewed
208
+ - Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
209
+ - Log fixes made or recommended
210
+ - Evidence level: configured-test evidence, log fixture evidence, source review evidence, manual-only, missing, or not applicable
211
+ - Command intents run
212
+ - Skipped log diagnostics and reasons
213
+ - Remaining backend-log-evidence risk
@@ -0,0 +1,295 @@
1
+ ---
2
+ mustflow_doc: skill.business-rule-leakage-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: business-rule-leakage-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and business rules may leak into the wrong layer, entrypoint, query, mapper, cache, batch, webhook, report, admin tool, UI guard, status assignment, date calculation, default value, DTO update, exception handler, transaction, event publisher, search index, or external integration. Use for rules involving money, permissions, ownership, state, settlement, discounts, coupons, refunds, inventory, notifications, subscriptions, visibility, eligibility, tenant scope, expiry, price, tax, fees, points, reports, and other product or domain facts that must be enforced consistently across API, admin, mobile, batch, webhook, migration, import, export, support, and direct data paths.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.business-rule-leakage-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # Business Rule Leakage Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Review whether product and business rules are enforced at the real source of truth instead of
34
+ leaking into UI conditions, controllers, ad hoc queries, mappers, batches, webhooks, caches,
35
+ reports, and support tools.
36
+
37
+ The review question is not "is the code clean?" It is "where does the company decide money,
38
+ permission, ownership, state, settlement, discount, inventory, visibility, and eligibility, and can
39
+ every entrypoint bypass or reuse that decision consistently?"
40
+
41
+ <!-- mustflow-section: use-when -->
42
+ ## Use When
43
+
44
+ - Code review, implementation, or refactor work touches money, permission, ownership, state,
45
+ settlement, discount, coupon, refund, inventory, notification, subscription, visibility,
46
+ eligibility, expiry, pricing, tax, fee, point, report, tenant, workspace, organization, or product
47
+ rules.
48
+ - Rules appear in UI guards, controllers, query filters, mappers, DTO defaults, entities, service
49
+ helpers, admin APIs, mobile APIs, batches, webhooks, search indexes, reports, exports, imports,
50
+ support tools, migrations, direct SQL, or tests.
51
+ - A route, batch, webhook, admin tool, or support script can perform the same business action through
52
+ a different entrance.
53
+ - A review needs to decide whether to use `auth-permission-change`, `state-machine-pattern`,
54
+ `failure-integrity-review`, `cache-integrity-review`, `database-query-bottleneck-review`,
55
+ `database-migration-change`, `result-option`, `type-state-modeling-review`,
56
+ `testability-boundary-review`, or `change-blast-radius-review`.
57
+
58
+ <!-- mustflow-section: do-not-use-when -->
59
+ ## Do Not Use When
60
+
61
+ - The only issue is authorization mechanics, role or tenant enforcement, or permission-cache
62
+ behavior; use `auth-permission-change` as the primary skill.
63
+ - The only issue is lifecycle transition modeling; use `state-machine-pattern`.
64
+ - The only issue is false success, rollback, retry, or swallowed failure; use
65
+ `failure-integrity-review`.
66
+ - The only issue is stale or unsafe cache truth; use `cache-integrity-review`.
67
+ - The only issue is broad future change spread or deletion cost; use `change-blast-radius-review`.
68
+ - The code is a pure calculation with explicit inputs and all callers already share one policy
69
+ owner.
70
+
71
+ <!-- mustflow-section: required-inputs -->
72
+ ## Required Inputs
73
+
74
+ - User goal, current diff or target files, and the business rule being created, changed, or reviewed.
75
+ - Rule ledger: money, permission, ownership, state, settlement, discount, coupon, refund, inventory,
76
+ notification, subscription, visibility, eligibility, expiry, pricing, tax, fee, point, report, or
77
+ tenant fact under review.
78
+ - Entrypoint ledger: user API, admin API, mobile API, internal script, migration, batch, webhook,
79
+ support tool, CSV upload, import, export, test endpoint, direct SQL, and data correction path.
80
+ - Enforcement ledger: UI guard, controller, service, domain object, policy object, repository query,
81
+ database constraint or policy, mapper, cache, search index, report query, event handler, and test.
82
+ - Consistency ledger: list/detail scope, create/update path, admin/user path, API/batch path,
83
+ DB/search index path, cache/source path, webhook/manual replay path, and old/new migration path.
84
+ - Evidence for state changes, transaction boundaries, event timing, idempotency, error messages,
85
+ default values, nullable meanings, and configured command intents.
86
+
87
+ <!-- mustflow-section: preconditions -->
88
+ ## Preconditions
89
+
90
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
91
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
92
+ current scope.
93
+ - Required inputs are available, or missing rule, entrypoint, enforcement, or consistency evidence
94
+ can be reported without guessing.
95
+ - If the review finds a concrete auth, state-machine, failure, cache, migration, result, type, or
96
+ testability issue, use the narrower skill before editing that part.
97
+
98
+ <!-- mustflow-section: allowed-edits -->
99
+ ## Allowed Edits
100
+
101
+ - Move business decisions to a named policy, domain, application, transition, or database boundary
102
+ that every relevant entrypoint can reuse.
103
+ - Replace UI-only, controller-only, query-only, mapper-only, report-only, admin-only, or batch-only
104
+ rules with shared enforcement or explicit second-line validation.
105
+ - Add or tighten list/detail consistency, create/update field restrictions, admin/support tool
106
+ validation, webhook verification and deduplication, event timing, outbox usage, idempotency,
107
+ transaction boundaries, default-value ownership, nullable result shapes, search rechecks, and
108
+ report calculation owners.
109
+ - Add focused tests that prove the rule through at least the real policy owner and the highest-risk
110
+ bypass entrypoint.
111
+ - Do not solve leakage by copying the same condition into more places unless the duplicate is an
112
+ explicit defense layer whose owner and drift risk are named.
113
+
114
+ <!-- mustflow-section: procedure -->
115
+ ## Procedure
116
+
117
+ 1. Name the business rule before reading style.
118
+ - Identify the rule that affects money, permission, ownership, state, settlement, discount,
119
+ coupon, refund, inventory, notification, subscription, visibility, eligibility, expiry, pricing,
120
+ tax, fee, points, reports, or tenants.
121
+ - If the rule cannot be named, report that the business source of truth is unclear.
122
+ 2. Trace every entrance to the same action.
123
+ - Check user API, admin API, mobile API, internal scripts, migrations, batches, webhooks, support
124
+ tools, CSV uploads, imports, exports, test endpoints, direct SQL, and data correction paths.
125
+ - Ask whether the same decision is enforced after bypassing the UI or ordinary API route.
126
+ 3. Reject UI-only enforcement.
127
+ - A disabled button is not a rule. Coupons, ownership, cancellation windows, inventory limits,
128
+ and visibility must be enforced server-side or by a shared durable boundary.
129
+ - Follow matching API, batch, admin, mobile, and support paths.
130
+ 4. Keep controllers from judging business eligibility.
131
+ - `if user.role == admin`, refund permission, coupon eligibility, cancellation allowance, and
132
+ inventory decisions in controllers are leakage candidates.
133
+ - Prefer a policy or application boundary used by all controllers.
134
+ 5. Review state changes as business commands.
135
+ - Direct `status = "DONE"` or scattered status assignment can bypass audit logs, settlement,
136
+ inventory restoration, point reversal, notifications, and domain events.
137
+ - Prefer commands such as `completeOrder`, `cancelOrder`, or `refundPayment` with transition
138
+ rules and effects.
139
+ 6. Compare list and detail rules.
140
+ - A list may hide records while detail `findById` still exposes them.
141
+ - Compare ownership, tenant, visibility, expiry, deletion, and permission predicates on list,
142
+ detail, export, search, and autocomplete paths.
143
+ 7. Treat query predicates as policy.
144
+ - `deleted_at is null`, `tenant_id = ?`, `visible = true`, `expires_at > now()`, and
145
+ `status in (...)` are not just filters.
146
+ - Give these predicates one owner or reusable scope so they do not disappear from another query.
147
+ 8. Treat admin paths as business paths.
148
+ - Admin and support tools still need refund, settlement, inventory, account suspension, and
149
+ irreversible-action rules.
150
+ - Verify admin can do what the business allows, not everything the database allows.
151
+ 9. Review batches and schedulers.
152
+ - Expiry, auto-refund, subscription renewal, point expiration, settlement, reminder, cleanup, and
153
+ reconciliation rules often live outside request handlers.
154
+ - Check whether batch logic uses the same policy as online actions and handles stale data.
155
+ 10. Place tests at the rule owner.
156
+ - If `should not allow expired coupon` exists only in controller tests, the rule can vanish when
157
+ routing changes.
158
+ - Prefer domain, policy, service, API, and bypass-entry tests according to where enforcement
159
+ truly belongs.
160
+ 11. Hunt duplicated business constants.
161
+ - Repeated `30`, `7`, `10000`, `0.1`, `3`, and similar values may be trial length, refund days,
162
+ minimum payment, fee rate, retry count, grace period, or limit.
163
+ - Name the rule and centralize or explicitly duplicate with drift protection.
164
+ 12. Review date and timezone policy.
165
+ - Refund windows, coupon expiry, attendance, subscription renewal, and settlement cutoff depend
166
+ on which event time and timezone count.
167
+ - Direct `now()` in business decisions is leakage unless the time policy is captured at the
168
+ boundary.
169
+ 13. Open helper names such as `isActive`, `isValid`, and `canUse`.
170
+ - These names hide whether active means paid, approved, undeleted, unexpired, unsuspended, or
171
+ visible.
172
+ - Split or rename when different callers need different meanings.
173
+ 14. Separate authentication, authorization, ownership, and eligibility.
174
+ - Logged-in, admin, owner, tenant member, coupon eligible, refund approver, and settlement
175
+ operator are different facts.
176
+ - Use `auth-permission-change` when permission or tenant scope is the primary risk.
177
+ 15. Restrict mutable fields after creation.
178
+ - Create paths often validate price, owner, payment state, settlement status, and product facts,
179
+ while update paths accept broad DTOs.
180
+ - Deny updates to immutable business fields by input shape, policy, or database rule.
181
+ 16. Make PATCH semantics explicit.
182
+ - Missing field, explicit `null`, clear value, keep value, reset default, and remove relation are
183
+ different requests.
184
+ - Model partial update intent instead of merging DTOs blindly.
185
+ 17. Keep mappers mechanical.
186
+ - `toResponse`, `fromRequest`, and `mapper` code should not calculate price, filter by
187
+ permission, change state, or decide defaults.
188
+ - If mapping changes business meaning, move the decision to the rule owner.
189
+ 18. Own defaults in one place.
190
+ - `role = USER`, `status = ACTIVE`, `visible = true`, and `quantity = 1` are policy.
191
+ - DB, ORM, API, frontend, fixture, and migration defaults must agree or the creation path changes
192
+ the object identity.
193
+ 19. Check error messages against actual checks.
194
+ - User-facing error text is operational policy documentation.
195
+ - Verify "coupon already used" does not actually mean "expired only", and that hidden checks are
196
+ visible enough for support and operators.
197
+ 20. Do not swallow business failures.
198
+ - Payment, notification, inventory, point, and settlement failures cannot be logged away while
199
+ the order looks successful.
200
+ - Use `failure-integrity-review` when failure can leave false money, state, or entitlement.
201
+ 21. Align transaction boundary with the business action.
202
+ - Order creation, payment reflection, inventory decrement, coupon use, and point grant may be one
203
+ business success unit or several explicit units.
204
+ - State what rolls back, what compensates, and what reconciles after partial failure.
205
+ 22. Review event timing.
206
+ - Publishing `OrderPaidEvent` before durable save, before commit, or without an outbox can make
207
+ subscribers act on facts that roll back.
208
+ - Name whether events are domain facts, integration outbox messages, or best-effort signals.
209
+ 23. Assume duplicate requests.
210
+ - `refund`, `pay`, `useCoupon`, `grantPoint`, notification send, and settlement apply must
211
+ tolerate double-clicks, retries, webhook repeats, and manual replay.
212
+ - Require idempotency keys, unique records, transition guards, or dedupe tables where needed.
213
+ 24. Treat webhooks as external APIs.
214
+ - Verify signature, event identity, duplicate handling, ordering, stale event rejection, and
215
+ current-state guard before mutating internal state.
216
+ - Do not trust provider payloads as the only truth for internal business facts.
217
+ 25. Check out-of-order events.
218
+ - Payment success, order-created, shipment-started, shipment-completed, subscription-canceled,
219
+ and renewal events can arrive out of order.
220
+ - State transitions must inspect current state and reject illegal or stale moves.
221
+ 26. Treat cache invalidation as policy.
222
+ - Permissions, price, inventory, subscription state, and usable coupons cached under the wrong key
223
+ can apply another viewer's rule.
224
+ - Use `cache-integrity-review` when cache freshness or dimensions control the business decision.
225
+ 27. Compare search index and database truth.
226
+ - Search may still show hidden, adult-only, stopped, out-of-stock, region-limited, or deleted
227
+ products.
228
+ - Recheck critical visibility and eligibility on detail and action routes.
229
+ 28. Review reports and settlement harder than services.
230
+ - Read-only report SQL may calculate revenue, refunds, fees, tax, partner settlement, and payout.
231
+ - Treat reporting formulas as business rules with tests and owners, not harmless queries.
232
+ 29. Ask which rules are duplicated in text.
233
+ - Docs, help text, error strings, support macros, admin labels, and API examples may encode
234
+ rules that drift from code.
235
+ - Update or flag public-facing rule text when enforcement changes.
236
+ 30. Finish with the bypass question.
237
+ - Ask: "Is there another entrance that can perform this action without this rule?"
238
+ - If yes, route the entrance through the rule owner, add a guard at the durable boundary, or
239
+ report the remaining bypass explicitly.
240
+
241
+ <!-- mustflow-section: postconditions -->
242
+ ## Postconditions
243
+
244
+ - The business rule has a named source of truth or the missing owner is reported.
245
+ - User, admin, mobile, batch, webhook, support, migration, import/export, search, and direct-data
246
+ paths are checked for bypass risk according to scope.
247
+ - List/detail, create/update, DB/search, cache/source, webhook/manual replay, and old/new migration
248
+ consistency risks are fixed or named.
249
+ - State transitions, transaction boundaries, event timing, idempotency, defaults, nullable meanings,
250
+ and error messages are aligned with the rule or documented as remaining risk.
251
+ - Tests or behavior evidence cover the rule owner and the highest-risk bypass path.
252
+
253
+ <!-- mustflow-section: verification -->
254
+ ## Verification
255
+
256
+ Use configured oneshot command intents when available:
257
+
258
+ - `changes_status`
259
+ - `changes_diff_summary`
260
+ - `lint`
261
+ - `build`
262
+ - `test_related`
263
+ - `test`
264
+ - `test_audit`
265
+ - `docs_validate_fast`
266
+ - `test_release`
267
+ - `mustflow_check`
268
+
269
+ Prefer checks that prove the rule owner and at least one bypass-prone path such as detail lookup,
270
+ admin action, batch, webhook, search result, report query, or update DTO.
271
+
272
+ <!-- mustflow-section: failure-handling -->
273
+ ## Failure Handling
274
+
275
+ - If the rule owner cannot be found, report the missing source of truth instead of adding another
276
+ scattered condition.
277
+ - If an entrypoint cannot be inspected, report that the bypass status is unknown.
278
+ - If fixing leakage would change public behavior, use `repro-first-debug`,
279
+ `behavior-preserving-refactor`, or the narrower domain skill before continuing.
280
+ - If a command fails, use `failure-triage` before further edits.
281
+
282
+ <!-- mustflow-section: output-format -->
283
+ ## Output Format
284
+
285
+ - Business rule leakage reviewed
286
+ - Business rule and source of truth
287
+ - Entrypoints inspected
288
+ - Enforcement locations and bypass risks
289
+ - List/detail, create/update, admin/user, batch/API, webhook, cache, search, report, migration, or
290
+ support-tool consistency notes
291
+ - Fixes made or recommendation
292
+ - Tests or behavior evidence
293
+ - Command intents run
294
+ - Skipped checks and reasons
295
+ - Remaining business-rule leakage risk