mustflow 2.69.0 → 2.74.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +19 -5
- package/dist/cli/commands/api.js +17 -0
- package/dist/cli/commands/evidence.js +71 -0
- package/dist/cli/commands/script-pack.js +124 -0
- package/dist/cli/commands/verify.js +50 -15
- package/dist/cli/commands/workspace.js +2 -0
- package/dist/cli/i18n/en.js +38 -0
- package/dist/cli/i18n/es.js +38 -0
- package/dist/cli/i18n/fr.js +38 -0
- package/dist/cli/i18n/hi.js +38 -0
- package/dist/cli/i18n/ko.js +38 -0
- package/dist/cli/i18n/zh.js +38 -0
- package/dist/cli/index.js +1 -0
- package/dist/cli/lib/agent-context.js +179 -10
- package/dist/cli/lib/command-registry.js +6 -0
- package/dist/cli/lib/dashboard-export.js +1 -0
- package/dist/cli/lib/script-pack-registry.js +27 -0
- package/dist/cli/script-packs/core-text-budget.js +241 -0
- package/dist/core/change-verification.js +10 -0
- package/dist/core/completion-verdict.js +14 -1
- package/dist/core/complexity-budget.js +206 -0
- package/dist/core/conflict-ledger.js +122 -0
- package/dist/core/failure-replay-capsule.js +213 -0
- package/dist/core/public-json-contracts.js +27 -0
- package/dist/core/risk-priced-evidence.js +213 -0
- package/dist/core/script-check-result.js +1 -0
- package/dist/core/text-budget.js +262 -0
- package/dist/core/verification-evidence.js +61 -13
- package/package.json +1 -1
- package/schemas/README.md +23 -11
- package/schemas/change-verification-report.schema.json +29 -0
- package/schemas/context-report.schema.json +58 -2
- package/schemas/dashboard-export.schema.json +42 -1
- package/schemas/diff-risk.schema.json +6 -0
- package/schemas/evidence-report.schema.json +45 -0
- package/schemas/latest-run-pointer.schema.json +50 -1
- package/schemas/script-pack-catalog.schema.json +68 -0
- package/schemas/text-budget-report.schema.json +131 -0
- package/schemas/verification-plan.schema.json +32 -0
- package/schemas/verify-report.schema.json +360 -1
- package/schemas/verify-run-manifest.schema.json +50 -1
- package/schemas/workspace-verification-plan.schema.json +32 -0
- package/templates/default/i18n.toml +8 -2
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +3 -2
- package/templates/default/locales/en/.mustflow/skills/adapter-boundary/SKILL.md +19 -2
- package/templates/default/locales/en/.mustflow/skills/design-implementation-handoff/SKILL.md +250 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +7 -1
- package/templates/default/manifest.toml +8 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.adapter-boundary
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 13
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: adapter-boundary
|
|
9
|
-
description: Apply this skill when external systems, protocols, SDKs, databases, managed database features, authentication providers, webhooks, queues, files, object storage, public URL contracts, signed upload or download URLs, CDN transform rules, HTTP delivery transports, SSE, WebTransport, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, AI gateway usage policy, AI provider cost and usage data, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context,
|
|
9
|
+
description: Apply this skill when external systems, protocols, SDKs, databases, managed database features, authentication providers, webhooks, queues, files, object storage, public URL contracts, signed upload or download URLs, CDN transform rules, HTTP delivery transports, SSE, WebTransport, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, AI gateway usage policy, AI provider cost and usage data, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, provider data, or a volatile component implementation cross into or out of core logic and need stable ports, adapters, translation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, security, cost attribution, reconciliation, core-state ownership, vendor portability, change isolation, or observability boundaries.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -33,6 +33,8 @@ Keep external-world language, protocols, failures, and operational concerns out
|
|
|
33
33
|
|
|
34
34
|
This skill is not just a wrapper pattern. A good adapter boundary absorbs provider details, validates or maps untrusted input, classifies failures, applies timeouts and retry policy, preserves idempotency where needed, and records safe observability evidence without leaking secrets or personal data.
|
|
35
35
|
|
|
36
|
+
Use the port as a change-isolation contract. Before changing the implementation behind the adapter, name which side is allowed to vary, which consumer contract must stay stable, and what evidence proves the opposite side did not have to change.
|
|
37
|
+
|
|
36
38
|
<!-- mustflow-section: use-when -->
|
|
37
39
|
## Use When
|
|
38
40
|
|
|
@@ -49,6 +51,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
49
51
|
- Provider SDK types, framework request or response objects, database rows, external event objects, raw model responses, or provider error types are visible in domain, application, service, or use-case code.
|
|
50
52
|
- Delivery-layer tools such as server actions, route handlers, Web-standard handlers, edge middleware, CLI commands, cron handlers, workers, or admin actions are about to contain pricing rules, authorization policy, payment state transitions, entitlement decisions, external provider calls, or database transactions directly.
|
|
51
53
|
- A new or changed port, repository, gateway, provider module, controller, worker, webhook handler, mapper, or integration test is needed.
|
|
54
|
+
- A volatile component, provider, persistence detail, delivery surface, or algorithm should change behind a port without forcing callers, consumers, tests, public DTOs, stored data, or neighboring modules to change for the same reason.
|
|
52
55
|
- The boundary needs timeout, retry, rate-limit, idempotency, signature verification, duplicate handling, logging, metrics, redaction, or provider-version decisions.
|
|
53
56
|
- External calls can be slow, rate-limited, duplicated, partially completed, or ambiguous, and the system needs timeout, limited retry, backoff, circuit-breaker, queue isolation, dead-letter, or reconciliation behavior.
|
|
54
57
|
- AI provider calls need a single internal boundary for model selection, prompt assembly, token usage, provider-call identity, request-to-call grouping, pricing snapshot, cache-hit classification, retry cost, plan limits, and redacted observability.
|
|
@@ -60,6 +63,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
60
63
|
## Do Not Use When
|
|
61
64
|
|
|
62
65
|
- The change is a pure calculation, value object, internal formatter, or data-only refactor with no external boundary.
|
|
66
|
+
- The task only needs broad ownership, cohesion, or future-change spread review before deciding whether a port is the right repair; use `module-boundary-review` or `change-blast-radius-review` first.
|
|
63
67
|
- The only problem is hidden construction or global lookup of a dependency; use `dependency-injection` first, then return here only if external data, errors, or protocol behavior also need a boundary.
|
|
64
68
|
- The operation coordinates several already-translated ports, repositories, queues, caches, or providers behind one caller-facing workflow; use `facade-pattern` for that high-level entry point while keeping this skill for each external boundary.
|
|
65
69
|
- The task is a disposable one-off script that is not imported, repeated, tested, used in production, or connected to external systems.
|
|
@@ -69,6 +73,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
69
73
|
## Required Inputs
|
|
70
74
|
|
|
71
75
|
- The external system or protocol and whether it is inbound, outbound, or both.
|
|
76
|
+
- Change-isolation ledger: the volatile side, the stable consumer side, current callers, public contracts, compatibility constraints, and the smallest adapter-only change that should avoid caller edits.
|
|
72
77
|
- The internal use case, domain action, or read model that should receive translated data.
|
|
73
78
|
- Existing local patterns for ports, adapters, repositories, controllers, workers, mappers, result types, retries, idempotency, logging, and tests.
|
|
74
79
|
- Provider-specific risk: write effects, duplicate delivery, unknown statuses, money, time, identifiers, secrets, personal data, files, untrusted URLs, rate limits, or provider version changes.
|
|
@@ -91,6 +96,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
91
96
|
|
|
92
97
|
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
|
|
93
98
|
- The boundary direction and owner are clear enough to avoid putting provider names or external protocol terms into core logic.
|
|
99
|
+
- The preserved consumer contract is clear enough to test or report. If a caller-facing type, status, event, DTO, stored shape, or public behavior must change, classify that as a public-contract or migration change instead of hiding it inside an adapter refactor.
|
|
94
100
|
- If the local layout is unfamiliar, use `pattern-scout` or `codebase-orientation` before introducing new folders or naming conventions.
|
|
95
101
|
- If the change also introduces hidden collaborators or concrete construction, use `dependency-injection` for that part of the work.
|
|
96
102
|
- If the change alters HTTP content coding, streaming flush behavior, SSE, WebTransport, WebSocket fallback, CDN/proxy behavior, or browser delivery compatibility, use `http-delivery-streaming` for the transport contract and keep this skill focused on core-boundary containment.
|
|
@@ -105,6 +111,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
105
111
|
- Add mapper, error-mapper, fixture, fake-port, contract-test, and adapter-test files directly needed by the boundary.
|
|
106
112
|
- Add or update assembly-root wiring when a new adapter implementation is introduced.
|
|
107
113
|
- Do not copy provider APIs into ports, return provider SDK objects, expose database rows as domain objects, or add a broad catch-all `ExternalAdapter`.
|
|
114
|
+
- Do not make callers change just because the adapter implementation, provider, storage shape, framework surface, or algorithm changed behind the port. If callers must change, name the missing contract or the intentional breaking change.
|
|
108
115
|
|
|
109
116
|
<!-- mustflow-section: procedure -->
|
|
110
117
|
## Procedure
|
|
@@ -112,12 +119,16 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
112
119
|
1. Classify the boundary.
|
|
113
120
|
- Inbound: HTTP route, controller, webhook, CLI command, queue consumer, scheduler, browser event, uploaded file, or external data import.
|
|
114
121
|
- Outbound: provider SDK, HTTP API, database, cache, file storage, search engine, message publisher, email/SMS/push provider, payment provider, AI model, or browser storage.
|
|
122
|
+
- Change-isolation: a volatile component or implementation detail is expected to change behind a stable internal port while the consuming side should keep the same contract.
|
|
115
123
|
2. Name the internal capability in business language. Use names such as `PaymentGateway`, `EmailSender`, `ObjectStorage`, `UserStore`, `OrderReader`, `SummaryGenerator`, or `EventPublisher`. Keep provider names such as Stripe, Prisma, SendGrid, S3, OpenAI, or Redis inside adapter implementation names.
|
|
116
124
|
Treat external services as processors or presenters unless the architecture explicitly accepts them as a system of record. A payment provider can process money, an email tool can send messages, a search engine can rank derived documents, and an analytics tool can visualize events, but internal code should still own the facts needed to explain customers, rights, money, files, content, and important events.
|
|
117
125
|
3. Design the port from the consumer's need, not from the provider's API.
|
|
118
126
|
- Keep ports small and split unrelated reasons to change.
|
|
119
127
|
- Use internal input and output types only.
|
|
120
128
|
- Do not include SDK types, ORM model types, HTTP request objects, provider response objects, or provider error classes.
|
|
129
|
+
- Write down the preserved consumer contract before changing implementation code: accepted input, returned output, local error kinds, side effects, timing or ordering expectations, idempotency behavior, and observable public result.
|
|
130
|
+
- Make the adapter absorb representation changes. Provider response fields, table columns, wire envelopes, framework request objects, model output shapes, cache key syntax, or algorithm-specific options should change inside adapter or mapper files before consumer code sees them.
|
|
131
|
+
- If preserving the port would require lying about new behavior, stop and classify the change as a public API, migration, event, or workflow-contract change rather than stretching the adapter.
|
|
121
132
|
- For survival-path providers, define the internal operation first, such as create checkout, grant entitlement, store file, send transactional email, enqueue job, or generate summary. Let adapter implementations translate that operation to Stripe, Supabase, S3, Resend, OpenAI, or another provider.
|
|
122
133
|
- Do not build a fake "replace every vendor tomorrow" abstraction. Keep the boundary thin, but ensure provider names, dashboards, response shapes, and SDK errors do not become the language of the core use case.
|
|
123
134
|
- Abstract product contracts, not every technology. Prefer boundaries such as user identity, permission checks, public URLs, file objects, entitlements, usage metering, AI generation, and billing rights over broad catch-all adapters that still leak provider concepts.
|
|
@@ -131,6 +142,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
131
142
|
- For EventSource, SSE, WebTransport, WebSocket, and HTTP streaming adapters, translate protocol events into internal commands or read-model notifications. Keep event ids, reconnect tokens, datagram sequence numbers, fallback transport names, and proxy quirks out of core domain decisions unless they are explicitly product concepts.
|
|
132
143
|
5. Build outbound adapters as provider translators, not pass-through wrappers.
|
|
133
144
|
- Create provider requests from internal input.
|
|
145
|
+
- Keep adapter-only changes adapter-only. When a provider swap, storage rewrite, framework move, model routing change, or algorithm replacement forces caller edits, treat that as evidence the port mirrored the implementation instead of the consumer need.
|
|
134
146
|
- Set timeouts and retry policy where appropriate.
|
|
135
147
|
- Pass idempotency keys for writes when the provider supports them.
|
|
136
148
|
- Use limited retries with backoff and jitter for transient failures. Do not retry malformed requests, denied authorization, or domain rejections.
|
|
@@ -199,6 +211,8 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
199
211
|
13. Test at the right layer.
|
|
200
212
|
- Use fake ports in use-case tests; they should not call real external systems.
|
|
201
213
|
- Test adapters with provider fixtures, mock clients, or local test doubles for request mapping, response mapping, error mapping, timeout, retry, idempotency, redaction, and duplicate handling.
|
|
214
|
+
- Add or reuse preserved-consumer tests that prove callers use the port contract and do not import provider SDKs, framework request types, raw rows, adapter-only enums, or mapper internals.
|
|
215
|
+
- When the implementation behind the port changes, run or report tests that compare the old and new adapter behavior at the port boundary, not only tests that exercise the new provider happy path.
|
|
202
216
|
- Add contract or sandbox tests for critical providers when local fixtures cannot catch provider drift.
|
|
203
217
|
14. Verify with the narrowest configured command intents that cover changed source, tests, templates, docs, release metadata, and mustflow checks.
|
|
204
218
|
|
|
@@ -207,6 +221,7 @@ This skill is not just a wrapper pattern. A good adapter boundary absorbs provid
|
|
|
207
221
|
|
|
208
222
|
- Core logic has no provider SDK imports, framework request or response objects, ORM clients, database rows, provider response objects, or provider error classes.
|
|
209
223
|
- Ports are named in internal business language and expose only internal input, output, and error types.
|
|
224
|
+
- Preserved consumer contracts are explicit, and implementation changes behind adapters do not force unrelated caller, DTO, test, workflow, or neighboring-module edits.
|
|
210
225
|
- Provider dashboards, hosted settings, and SDK payloads do not become the only source for core business facts, search policy, queue failure policy, analytics event definitions, email customer state, or file ownership.
|
|
211
226
|
- Public URLs, provider identity claims, image variants, entitlement decisions, and AI policy decisions are represented as product-owned contracts before provider-specific syntax reaches callers.
|
|
212
227
|
- Streaming and delivery transport details such as SSE ids, WebTransport datagrams, content-coding variants, fallback paths, and CDN cache keys are contained at adapter boundaries before core logic receives product-level events or commands.
|
|
@@ -251,6 +266,7 @@ Prefer the narrowest configured test or build intent that proves the affected bo
|
|
|
251
266
|
## Output Format
|
|
252
267
|
|
|
253
268
|
- Boundary classified
|
|
269
|
+
- Change-isolation ledger and preserved consumer contract
|
|
254
270
|
- Internal port or use-case input selected
|
|
255
271
|
- Provider or protocol details contained
|
|
256
272
|
- HTTP delivery, streaming, and fallback transport details contained when relevant
|
|
@@ -263,6 +279,7 @@ Prefer the narrowest configured test or build intent that proves the affected bo
|
|
|
263
279
|
- Security and redaction surfaces checked
|
|
264
280
|
- Observability identifier propagation and backend portability checked when relevant
|
|
265
281
|
- Tests, fixtures, fakes, or contract checks added or reused
|
|
282
|
+
- Evidence that implementation changes stayed behind the port, or the intentional breaking-change boundary
|
|
266
283
|
- Command intents run
|
|
267
284
|
- Skipped checks and reasons
|
|
268
285
|
- Remaining boundary leakage or provider risk
|
|
@@ -0,0 +1,250 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.design-implementation-handoff
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: design-implementation-handoff
|
|
9
|
+
description: Apply this skill when creating, reviewing, or using a two-agent design-to-implementation handoff where Agent A produces a specification and implementation plan, Agent B implements from that handoff, and private local planning files such as `.agent/MANIFEST.yaml`, `.agent/PLAN.yaml`, or `.agent/STATE.yaml` must be separated from public tracked product contracts. Use for local/private handoff setup, A-to-B implementation packages, ignored agent planning folders, startup gates, task state ledgers, and completion gates. Do not use for ordinary one-agent task prompts; use task-instruction-authoring instead.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.design-implementation-handoff
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- docs_validate_fast
|
|
19
|
+
- mustflow_check
|
|
20
|
+
---
|
|
21
|
+
|
|
22
|
+
# Design Implementation Handoff
|
|
23
|
+
|
|
24
|
+
<!-- mustflow-section: purpose -->
|
|
25
|
+
## Purpose
|
|
26
|
+
|
|
27
|
+
Turn an Agent A design and an Agent B implementation request into a small, versioned handoff
|
|
28
|
+
contract that preserves public product behavior while keeping private planning state out of the
|
|
29
|
+
public repository when requested.
|
|
30
|
+
|
|
31
|
+
This skill is for handoff structure, authority, ownership, and evidence. It is not a license to hide
|
|
32
|
+
product behavior, invent missing requirements, or make ignored local files the only source of truth
|
|
33
|
+
for a shipped system.
|
|
34
|
+
|
|
35
|
+
<!-- mustflow-section: use-when -->
|
|
36
|
+
## Use When
|
|
37
|
+
|
|
38
|
+
- Agent A is asked to design, plan, specify, or break down work for Agent B to implement later.
|
|
39
|
+
- Agent B is asked to implement from an existing design package, private planning folder, work plan,
|
|
40
|
+
or local-only agent handoff.
|
|
41
|
+
- A repository needs a small design-to-implementation folder structure such as `spec/SPEC.md` plus
|
|
42
|
+
`.agent/MANIFEST.yaml`, `.agent/PLAN.yaml`, and `.agent/STATE.yaml`.
|
|
43
|
+
- Private agent planning files should be ignored, excluded locally, backed up privately, or protected
|
|
44
|
+
from accidental staging.
|
|
45
|
+
- The task needs a startup gate, version match, unresolved-question gate, task dependency gate,
|
|
46
|
+
allowed-path gate, blocker ledger, deviation ledger, or completion gate for another agent.
|
|
47
|
+
- The design handoff may run locally with ignored files or remotely where ignored local files are not
|
|
48
|
+
automatically available.
|
|
49
|
+
|
|
50
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
51
|
+
## Do Not Use When
|
|
52
|
+
|
|
53
|
+
- The task is only to write a normal coding-agent instruction, issue body, work order, or PR request;
|
|
54
|
+
use `task-instruction-authoring`.
|
|
55
|
+
- The task is ordinary multi-worker coordination without a design package; use
|
|
56
|
+
`multi-agent-work-coordination`.
|
|
57
|
+
- The task is only resuming incomplete work from a compact handoff; use `restricted-handoff-resume`.
|
|
58
|
+
- The task asks to hide product behavior, security requirements, or acceptance criteria that should
|
|
59
|
+
remain reviewable with the code.
|
|
60
|
+
- The user expects a cloud or remote agent to read local ignored files without an explicit attachment,
|
|
61
|
+
private remote, or prompt transfer path.
|
|
62
|
+
|
|
63
|
+
<!-- mustflow-section: required-inputs -->
|
|
64
|
+
## Required Inputs
|
|
65
|
+
|
|
66
|
+
- Target repository root and whether Agent B runs locally in the same workspace, in a cloud clone, or
|
|
67
|
+
in another environment.
|
|
68
|
+
- Privacy mode: public product spec plus private plan, fully private local handoff, or private
|
|
69
|
+
external repository for handoff files.
|
|
70
|
+
- Public behavior source: tracked `spec/SPEC.md`, existing docs, tests, schemas, or a user-supplied
|
|
71
|
+
alternative.
|
|
72
|
+
- Private handoff paths, usually `.agent/MANIFEST.yaml`, `.agent/PLAN.yaml`, and `.agent/STATE.yaml`.
|
|
73
|
+
- Agent A ownership, Agent B ownership, writable paths, read-only paths, allowed implementation
|
|
74
|
+
paths, forbidden paths, task dependencies, and verification expectations.
|
|
75
|
+
- Ignore or exclude policy: shared `.gitignore`, local `.git/info/exclude`, or private repository for
|
|
76
|
+
`.agent`.
|
|
77
|
+
- Completion evidence expected from Agent B: changed files, tests, verification runs, acceptance
|
|
78
|
+
mapping, blockers, deviations, and final verification.
|
|
79
|
+
|
|
80
|
+
<!-- mustflow-section: preconditions -->
|
|
81
|
+
## Preconditions
|
|
82
|
+
|
|
83
|
+
- Treat pasted advice, external examples, and AI-generated designs as reference input, not as current
|
|
84
|
+
repository authority.
|
|
85
|
+
- Decide which facts must be tracked with the public code. Product behavior, acceptance criteria,
|
|
86
|
+
public contracts, migrations, and verification scripts usually belong in tracked files.
|
|
87
|
+
- Decide which facts are private local planning state. Agent task order, temporary decisions,
|
|
88
|
+
progress ledgers, and local handoff state usually belong in `.agent`.
|
|
89
|
+
- Do not create a hidden-only source of truth for behavior that future maintainers must preserve.
|
|
90
|
+
- Do not assume ignored files are available to cloud agents, CI jobs, reviewers, or a fresh clone.
|
|
91
|
+
- Do not run cleanup commands that can delete ignored handoff files.
|
|
92
|
+
|
|
93
|
+
<!-- mustflow-section: allowed-edits -->
|
|
94
|
+
## Allowed Edits
|
|
95
|
+
|
|
96
|
+
- Create or edit tracked public handoff surfaces such as `AGENTS.md`, `spec/SPEC.md`, verification
|
|
97
|
+
scripts, docs, tests, or templates when the user requests a durable repository setup.
|
|
98
|
+
- Create or edit private local handoff files such as `.agent/MANIFEST.yaml`, `.agent/PLAN.yaml`, and
|
|
99
|
+
`.agent/STATE.yaml` when the current environment is allowed to hold private planning files.
|
|
100
|
+
- Add shared ignore rules only when the team should know and share the private path policy.
|
|
101
|
+
- Add local exclude or local hook guidance when the path should remain invisible to the public
|
|
102
|
+
repository.
|
|
103
|
+
- Do not stage, commit, publish, summarize in public docs, or leak private handoff file contents
|
|
104
|
+
unless the user explicitly asks.
|
|
105
|
+
- Do not modify `AGENTS.md`, ignore policy, public specs, or protected handoff paths while acting as
|
|
106
|
+
Agent B unless the handoff explicitly permits a design revision.
|
|
107
|
+
|
|
108
|
+
<!-- mustflow-section: procedure -->
|
|
109
|
+
## Procedure
|
|
110
|
+
|
|
111
|
+
1. Classify the handoff mode.
|
|
112
|
+
- Public spec and private plan: keep durable product behavior in tracked `spec/SPEC.md`; keep
|
|
113
|
+
task order and progress in `.agent`.
|
|
114
|
+
- Fully private local handoff: keep `AGENTS.md`, `SPEC.md`, plan, and state local; require a
|
|
115
|
+
separate private backup or private repository if the work matters.
|
|
116
|
+
- Remote Agent B: attach the private handoff, point B at a private accessible repository, or paste
|
|
117
|
+
the needed handoff into the task context; do not assume local ignored files cross the boundary.
|
|
118
|
+
2. Create the smallest file set that can carry the contract.
|
|
119
|
+
- `AGENTS.md`: reusable implementation-agent rules only, not project feature plans.
|
|
120
|
+
- `spec/SPEC.md`: observable product behavior, non-goals, contracts, failure behavior,
|
|
121
|
+
concurrency, security, edge cases, acceptance criteria, and definition of done.
|
|
122
|
+
- `.agent/MANIFEST.yaml`: handoff status, spec version, plan version, read order, authority map,
|
|
123
|
+
ownership, protected paths, final verification, and completion rules.
|
|
124
|
+
- `.agent/PLAN.yaml`: Agent A-owned task list with dependencies, requirement IDs, acceptance IDs,
|
|
125
|
+
allowed paths, forbidden paths, deliverables, and verification requirements.
|
|
126
|
+
- `.agent/STATE.yaml`: Agent B-owned progress ledger with task states, changed files, tests,
|
|
127
|
+
verification runs, acceptance evidence, blockers, deviations, and final verification.
|
|
128
|
+
3. Keep planning and progress separate.
|
|
129
|
+
- Do not put mutable status fields in `PLAN.yaml`.
|
|
130
|
+
- Do not let `STATE.yaml` override `SPEC.md` or `PLAN.yaml`.
|
|
131
|
+
- Allow only `pending`, `in_progress`, `blocked`, and `verified` task states unless the user
|
|
132
|
+
explicitly extends the state machine.
|
|
133
|
+
4. Write the Agent B startup gate.
|
|
134
|
+
- Read `AGENTS.md`.
|
|
135
|
+
- Check whether the private manifest exists.
|
|
136
|
+
- Read every path in `read_order`.
|
|
137
|
+
- Confirm handoff status is `approved`.
|
|
138
|
+
- Confirm unresolved questions are empty.
|
|
139
|
+
- Confirm manifest, plan, and state versions match.
|
|
140
|
+
- Identify the first pending task whose dependencies are verified.
|
|
141
|
+
- Report that task's requirement IDs, acceptance IDs, allowed paths, forbidden paths, and
|
|
142
|
+
verification expectations before editing.
|
|
143
|
+
5. Write the authority and ownership rules.
|
|
144
|
+
- `spec/SPEC.md` owns required product behavior.
|
|
145
|
+
- `.agent/PLAN.yaml` owns implementation order and task boundaries.
|
|
146
|
+
- `.agent/STATE.yaml` records evidence but does not change the design.
|
|
147
|
+
- Agent A owns spec, manifest, and plan.
|
|
148
|
+
- Agent B owns state, allowed production code, allowed tests, and allowed migrations for the
|
|
149
|
+
current task.
|
|
150
|
+
6. Write the Agent B execution gate.
|
|
151
|
+
- Work on exactly one task.
|
|
152
|
+
- Do not start a task until all dependencies are `verified`.
|
|
153
|
+
- Mark the task `in_progress` before changing files.
|
|
154
|
+
- Stay inside the task's `allowed_paths`.
|
|
155
|
+
- Implement production code and tests together.
|
|
156
|
+
- Run the task's declared verification through the repository command contract when one exists.
|
|
157
|
+
- Record changed files, tests, verification results, and acceptance evidence.
|
|
158
|
+
- Mark the task `verified` only after required verification succeeds.
|
|
159
|
+
7. Write the blocker and deviation rules.
|
|
160
|
+
- If `SPEC.md`, `MANIFEST.yaml`, `PLAN.yaml`, and current code conflict, do not guess.
|
|
161
|
+
- Record a blocker in `STATE.yaml` with requirement IDs, task ID, affected paths, and open
|
|
162
|
+
status.
|
|
163
|
+
- Record every design deviation with reason, impact, and approval status.
|
|
164
|
+
- Treat unapproved deviations as incomplete work.
|
|
165
|
+
8. Choose the private-file protection mechanism.
|
|
166
|
+
- Use shared `.gitignore` only when every clone should ignore `.agent`.
|
|
167
|
+
- Use `.git/info/exclude` when the private path should remain a local-only convention with no
|
|
168
|
+
public trace.
|
|
169
|
+
- If `.agent` is important, recommend a separate private repository or private backup for that
|
|
170
|
+
folder; ignored files have no public repository history.
|
|
171
|
+
- Require evidence that `.agent` files are ignored or excluded and not tracked before completion.
|
|
172
|
+
- Warn that ignored files can still be force-added and can be deleted by cleanup commands that
|
|
173
|
+
remove ignored files.
|
|
174
|
+
9. Add a completion gate.
|
|
175
|
+
- Every plan task is `verified`.
|
|
176
|
+
- Every acceptance criterion maps to source files and test files.
|
|
177
|
+
- The final verification command exits with the required status.
|
|
178
|
+
- No open blocker remains.
|
|
179
|
+
- No unapproved deviation remains.
|
|
180
|
+
- No private `.agent` file is tracked or staged in the public repository.
|
|
181
|
+
10. Review the handoff for common failure modes.
|
|
182
|
+
- Hidden-only product behavior.
|
|
183
|
+
- Version numbers that do not change when Agent A revises the design.
|
|
184
|
+
- `allowed_paths` so broad that Agent B can rewrite the whole repository.
|
|
185
|
+
- Verification commands copied from external advice instead of mapped to the repository command
|
|
186
|
+
contract.
|
|
187
|
+
- Private local files expected by a remote agent.
|
|
188
|
+
- Progress state mixed into the immutable plan.
|
|
189
|
+
- Ignored files with no backup.
|
|
190
|
+
|
|
191
|
+
<!-- mustflow-section: postconditions -->
|
|
192
|
+
## Postconditions
|
|
193
|
+
|
|
194
|
+
- Public product behavior is separated from private agent planning state.
|
|
195
|
+
- Agent A and Agent B ownership boundaries are explicit.
|
|
196
|
+
- Agent B can identify the next executable task without inventing missing decisions.
|
|
197
|
+
- Private handoff files are protected from accidental public tracking according to the selected
|
|
198
|
+
privacy mode.
|
|
199
|
+
- The handoff names its remote-agent limitation when private local files are not automatically
|
|
200
|
+
transferred.
|
|
201
|
+
- Completion requires task verification, acceptance traceability, blocker/deviation closure, and
|
|
202
|
+
private-file tracking checks.
|
|
203
|
+
|
|
204
|
+
<!-- mustflow-section: verification -->
|
|
205
|
+
## Verification
|
|
206
|
+
|
|
207
|
+
Use configured oneshot command intents when available:
|
|
208
|
+
|
|
209
|
+
- `changes_status`
|
|
210
|
+
- `changes_diff_summary`
|
|
211
|
+
- `docs_validate_fast`
|
|
212
|
+
- `mustflow_check`
|
|
213
|
+
|
|
214
|
+
When adding this handoff to a mustflow template or package surface, also use the relevant configured
|
|
215
|
+
template, docs, package, or release checks.
|
|
216
|
+
|
|
217
|
+
For downstream repositories, map any final verification command named in the handoff to that
|
|
218
|
+
repository's command contract. If no configured command exists, record the verification as missing
|
|
219
|
+
or manual instead of inventing a runnable command.
|
|
220
|
+
|
|
221
|
+
<!-- mustflow-section: failure-handling -->
|
|
222
|
+
## Failure Handling
|
|
223
|
+
|
|
224
|
+
- If the user wants all design material hidden, warn that future maintainers and remote agents will
|
|
225
|
+
not see the design unless it is separately attached or privately stored.
|
|
226
|
+
- If product behavior appears only in `.agent`, either move the public behavior contract to a
|
|
227
|
+
tracked spec or report the hidden-source-of-truth risk.
|
|
228
|
+
- If Agent B cannot access `.agent`, downgrade the handoff to explicit user instructions or require
|
|
229
|
+
an attachment/private remote before implementation.
|
|
230
|
+
- If ignore or exclude policy is unclear, choose no public ignore edit and report the local exclude
|
|
231
|
+
option rather than leaking private-path conventions into the repository.
|
|
232
|
+
- If a private handoff file is already tracked, report that ignore rules do not untrack existing
|
|
233
|
+
files and require an explicit untracking or history-cleanup decision before claiming privacy.
|
|
234
|
+
- If version numbers disagree, stop implementation and request or record an Agent A handoff refresh.
|
|
235
|
+
|
|
236
|
+
<!-- mustflow-section: output-format -->
|
|
237
|
+
## Output Format
|
|
238
|
+
|
|
239
|
+
- Handoff mode selected
|
|
240
|
+
- Public tracked contract files
|
|
241
|
+
- Private local handoff files
|
|
242
|
+
- Agent A and Agent B ownership
|
|
243
|
+
- Startup gate and next-task gate
|
|
244
|
+
- Ignore or exclude protection decision
|
|
245
|
+
- Remote-agent transfer limitation
|
|
246
|
+
- Verification and completion gates
|
|
247
|
+
- Files changed
|
|
248
|
+
- Command intents run
|
|
249
|
+
- Skipped checks and reasons
|
|
250
|
+
- Remaining privacy, authority, or handoff risks
|
|
@@ -640,7 +640,7 @@ applies_to_reasons = ["code_change", "security_change", "migration_change"]
|
|
|
640
640
|
category = "data_external"
|
|
641
641
|
route_type = "primary"
|
|
642
642
|
priority = 55
|
|
643
|
-
applies_to_reasons = ["code_change", "behavior_change"]
|
|
643
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "cross_cutting_code_change"]
|
|
644
644
|
|
|
645
645
|
[routes."tauri-code-change"]
|
|
646
646
|
category = "data_external"
|
|
@@ -924,6 +924,12 @@ route_type = "authoring"
|
|
|
924
924
|
priority = 62
|
|
925
925
|
applies_to_reasons = ["unknown_change", "docs_change", "workflow_change", "mustflow_docs_change"]
|
|
926
926
|
|
|
927
|
+
[routes."design-implementation-handoff"]
|
|
928
|
+
category = "workflow_contracts"
|
|
929
|
+
route_type = "authoring"
|
|
930
|
+
priority = 64
|
|
931
|
+
applies_to_reasons = ["unknown_change", "docs_change", "workflow_change", "mustflow_docs_change"]
|
|
932
|
+
|
|
927
933
|
[routes."project-context-authoring"]
|
|
928
934
|
category = "workflow_contracts"
|
|
929
935
|
route_type = "authoring"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
id = "default"
|
|
2
2
|
name = "default"
|
|
3
|
-
version = "2.
|
|
3
|
+
version = "2.74.0"
|
|
4
4
|
description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
|
|
5
5
|
common_root = "common"
|
|
6
6
|
locales_root = "locales"
|
|
@@ -106,6 +106,7 @@ creates = [
|
|
|
106
106
|
".mustflow/skills/contract-sync-check/SKILL.md",
|
|
107
107
|
".mustflow/skills/cross-platform-filesystem-safety/SKILL.md",
|
|
108
108
|
".mustflow/skills/date-number-audit/SKILL.md",
|
|
109
|
+
".mustflow/skills/design-implementation-handoff/SKILL.md",
|
|
109
110
|
".mustflow/skills/database-change-safety/SKILL.md",
|
|
110
111
|
".mustflow/skills/database-migration-change/SKILL.md",
|
|
111
112
|
".mustflow/skills/database-query-bottleneck-review/SKILL.md",
|
|
@@ -292,6 +293,7 @@ minimal = [
|
|
|
292
293
|
"config-env-change",
|
|
293
294
|
"contract-sync-check",
|
|
294
295
|
"date-number-audit",
|
|
296
|
+
"design-implementation-handoff",
|
|
295
297
|
"database-change-safety",
|
|
296
298
|
"database-migration-change",
|
|
297
299
|
"database-query-bottleneck-review",
|
|
@@ -424,6 +426,7 @@ patterns = [
|
|
|
424
426
|
"config-env-change",
|
|
425
427
|
"contract-sync-check",
|
|
426
428
|
"date-number-audit",
|
|
429
|
+
"design-implementation-handoff",
|
|
427
430
|
"database-change-safety",
|
|
428
431
|
"database-migration-change",
|
|
429
432
|
"database-query-bottleneck-review",
|
|
@@ -567,6 +570,7 @@ oss = [
|
|
|
567
570
|
"contract-sync-check",
|
|
568
571
|
"cross-platform-filesystem-safety",
|
|
569
572
|
"date-number-audit",
|
|
573
|
+
"design-implementation-handoff",
|
|
570
574
|
"database-change-safety",
|
|
571
575
|
"database-migration-change",
|
|
572
576
|
"database-query-bottleneck-review",
|
|
@@ -723,6 +727,7 @@ team = [
|
|
|
723
727
|
"contract-sync-check",
|
|
724
728
|
"cross-platform-filesystem-safety",
|
|
725
729
|
"date-number-audit",
|
|
730
|
+
"design-implementation-handoff",
|
|
726
731
|
"database-change-safety",
|
|
727
732
|
"database-migration-change",
|
|
728
733
|
"database-query-bottleneck-review",
|
|
@@ -864,6 +869,7 @@ product = [
|
|
|
864
869
|
"config-env-change",
|
|
865
870
|
"contract-sync-check",
|
|
866
871
|
"date-number-audit",
|
|
872
|
+
"design-implementation-handoff",
|
|
867
873
|
"database-change-safety",
|
|
868
874
|
"database-migration-change",
|
|
869
875
|
"database-query-bottleneck-review",
|
|
@@ -1014,6 +1020,7 @@ library = [
|
|
|
1014
1020
|
"contract-sync-check",
|
|
1015
1021
|
"cross-platform-filesystem-safety",
|
|
1016
1022
|
"date-number-audit",
|
|
1023
|
+
"design-implementation-handoff",
|
|
1017
1024
|
"database-change-safety",
|
|
1018
1025
|
"database-migration-change",
|
|
1019
1026
|
"database-query-bottleneck-review",
|