mustflow 2.74.2 → 2.74.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/script-pack.js +132 -3
- package/dist/cli/i18n/en.js +30 -3
- package/dist/cli/i18n/es.js +30 -3
- package/dist/cli/i18n/fr.js +30 -3
- package/dist/cli/i18n/hi.js +30 -3
- package/dist/cli/i18n/ko.js +30 -3
- package/dist/cli/i18n/zh.js +30 -3
- package/dist/cli/lib/script-pack-registry.js +53 -0
- package/dist/cli/script-packs/repo-generated-boundary.js +94 -0
- package/dist/core/generated-boundary.js +231 -0
- package/dist/core/public-json-contracts.js +35 -0
- package/dist/core/script-pack-suggestions.js +199 -0
- package/package.json +1 -1
- package/schemas/README.md +8 -1
- package/schemas/generated-boundary-report.schema.json +148 -0
- package/schemas/script-pack-catalog.schema.json +32 -0
- package/schemas/script-pack-suggestion-report.schema.json +159 -0
- package/templates/default/common/.mustflow/config/commands.toml +32 -0
- package/templates/default/i18n.toml +17 -17
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +4 -4
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +5 -3
- package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +7 -7
- package/templates/default/locales/en/.mustflow/skills/elysia-code-change/SKILL.md +15 -8
- package/templates/default/locales/en/.mustflow/skills/external-skill-intake/SKILL.md +10 -5
- package/templates/default/locales/en/.mustflow/skills/public-json-contract-change/SKILL.md +5 -2
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +7 -4
- package/templates/default/locales/en/.mustflow/skills/repo-improvement-loop/SKILL.md +6 -2
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +4 -3
- package/templates/default/locales/en/.mustflow/skills/skill-authoring/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/skill-refresh/SKILL.md +19 -2
- package/templates/default/locales/en/.mustflow/skills/tailwind-code-change/SKILL.md +12 -9
- package/templates/default/locales/en/.mustflow/skills/template-install-surface-sync/SKILL.md +6 -3
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +22 -17
- package/templates/default/locales/en/.mustflow/skills/unocss-code-change/SKILL.md +16 -5
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +8 -8
- package/templates/default/manifest.toml +1 -1
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.completion-evidence-gate
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: completion-evidence-gate
|
|
@@ -67,6 +67,7 @@ missing, blocked, failed, stale, or only partially relevant.
|
|
|
67
67
|
- Requirement, bug, issue, or external-advice sources that influenced the work.
|
|
68
68
|
- Command intents run, exit status, and whether the evidence came from `mf run` receipts or lower-confidence direct shell output.
|
|
69
69
|
- Command intents skipped, missing, unknown, manual-only, failed, timed out, or judged not applicable.
|
|
70
|
+
- Optional script-pack discovery evidence when the command contract exposes `script_pack_list`.
|
|
70
71
|
- Synchronized surfaces expected by the changed contract: source, tests, fixtures, schemas, templates, manifests, docs, release metadata, generated output, and localized copies.
|
|
71
72
|
- Known remaining risks, unverified assumptions, blocked decisions, and rollback notes.
|
|
72
73
|
|
|
@@ -108,6 +109,8 @@ missing, blocked, failed, stale, or only partially relevant.
|
|
|
108
109
|
`evidence-stall-breaker` when that pattern affected the task.
|
|
109
110
|
5. Check synchronization coverage.
|
|
110
111
|
- For behavior or contract changes, verify whether code, tests, schemas, templates, manifests, docs, fixtures, examples, package metadata, release notes, and localized copies agree.
|
|
112
|
+
- When `.mustflow/config/commands.toml` exposes `script_pack_list`, use it as read-only discovery before choosing optional script-pack checks for the changed surfaces.
|
|
113
|
+
- Treat `repo/generated-boundary` as a useful candidate before or after path-sensitive edits, but run any selected script only when the repository command contract and script metadata allow it.
|
|
111
114
|
- Use `contract-sync-check`, `cli-output-contract-review`, `api-contract-change`, `release-publish-change`, or a narrower skill when a missing surface needs real follow-up work.
|
|
112
115
|
6. Calibrate completion language.
|
|
113
116
|
- Use `verified` only when the relevant configured checks passed and every required surface is covered.
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.dependency-upgrade-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: dependency-upgrade-review
|
|
@@ -40,7 +40,7 @@ Review dependency upgrades as runtime, build, security, package, and generated-o
|
|
|
40
40
|
- A task claims a dependency change is "only patch", "only devDependency", "safe minor", "security-only", "transitive only", "lockfile only", or "no runtime change".
|
|
41
41
|
- A dependency update touches installation, publish output, generated clients, SDKs, native binaries, browser bundles, serverless or edge runtime, ESM/CJS/module format, Python markers, Go module graph, Cargo features, JVM dependency mediation, .NET target frameworks, Ruby/PHP/Swift lockfiles, Docker images, or CI actions.
|
|
42
42
|
- A Python runtime support floor, CI matrix, container image, `requires-python`, standard-library feature expectation, or security-default expectation changes as part of an upgrade.
|
|
43
|
-
- A TypeScript upgrade touches TypeScript 6 transition deprecations, TypeScript 7
|
|
43
|
+
- A TypeScript upgrade touches TypeScript 6 transition deprecations, TS6 stable API compatibility, TypeScript 7 RC compiler verification, TypeScript 7 nightly comparison, `@typescript/typescript6`, `tsc6`, `typescript@rc`, `@typescript/native-preview`, `tsgo`, compiler API consumers, declaration emit, framework typecheck wrappers, or editor language-service behavior.
|
|
44
44
|
|
|
45
45
|
<!-- mustflow-section: do-not-use-when -->
|
|
46
46
|
## Do Not Use When
|
|
@@ -96,8 +96,8 @@ Review dependency upgrades as runtime, build, security, package, and generated-o
|
|
|
96
96
|
11. Treat framework, plugin, code generator, formatter, linter, bundler, ORM, protobuf, OpenAPI, GraphQL, database driver, and test-runner upgrades as behavior changes when their output, config schema, plugin API, CLI flags, or generated code can change.
|
|
97
97
|
12. For Python runtime upgrades, treat `requires-python`, CI matrices, base images, dependency markers, wheels, packaging output, standard-library API availability, and security-default changes as one compatibility contract. Review version-gated standard-library usage and changed defaults before assuming the upgrade is only a dependency resolution change.
|
|
98
98
|
13. For Python upgrades that adopt newer standard-library behavior, call out affected paths such as archive extraction, subprocess handling, async lifecycle, import/resource loading, typing surfaces, data-class shapes, and diagnostic flags. Keep fallbacks or compatibility wording when the repository still supports older interpreters.
|
|
99
|
-
14. For TypeScript upgrades, classify the compiler track explicitly: stable
|
|
100
|
-
15. For TypeScript 6, review deprecations as future TypeScript 7 removals. For
|
|
99
|
+
14. For TypeScript upgrades, classify the compiler track explicitly: TS6 stable API track through `@typescript/typescript6` and `tsc6`, TS7 RC compiler track through `typescript@rc` and `tsc`, TS7 nightly track through `@typescript/native-preview` and `tsgo`, future TS7 stable track through the stable `typescript` package, editor extension preview, or framework-owned wrapper. Do not treat a nightly package as a stable replacement for the `typescript` package unless the repository policy says so.
|
|
100
|
+
15. For TypeScript 6, review deprecations as future TypeScript 7 removals. For TS7 RC, review compiler parity, declaration emit, watch/incremental, generated-output, and framework wrapper risks. For TS7 nightly, use `tsgo` only as an optional comparison path. Keep compiler API, transformer, ESLint, language-service plugin, and framework wrapper consumers on the TS6 API track until their owners explicitly support the TS7 API surface.
|
|
101
101
|
16. For new dependencies introduced by the upgrade, invoke the `dependency-reality-check` decision path: license, maintainer risk, provenance, lifecycle scripts, binary downloads, package age, transitive size, supply-chain risk, and replacement path.
|
|
102
102
|
17. For Docker base images and CI actions, review them as dependencies. Check image/action source, version pinning policy, digest use when required, runtime version changes, security patch reason, cache impact, and deployment smoke coverage.
|
|
103
103
|
18. Synchronize dependent surfaces: generated code, snapshots, mocks, fixtures, examples, SDK clients, OpenAPI or GraphQL artifacts, README install guidance, migration docs, changelog, Docker/CI docs, and package publish metadata.
|
|
@@ -112,7 +112,7 @@ Review dependency upgrades as runtime, build, security, package, and generated-o
|
|
|
112
112
|
- Direct and transitive changes are understood, not hidden behind lockfile volume.
|
|
113
113
|
- Runtime engine, peer dependency, optional/platform package, feature, module-format, generated-output, and publish-surface risks are classified.
|
|
114
114
|
- Python runtime upgrades classify standard-library availability, changed defaults, packaging output, and security-behavior impact.
|
|
115
|
-
- TypeScript compiler-track changes distinguish stable compiler
|
|
115
|
+
- TypeScript compiler-track changes distinguish TS6 stable API compatibility, TS7 RC compiler verification, TS7 nightly comparison work, and future TS7 stable adoption.
|
|
116
116
|
- Security fixes are narrow unless the user explicitly accepted a broader modernization.
|
|
117
117
|
- Tests and scanners were not weakened to pass the upgrade.
|
|
118
118
|
|
|
@@ -142,7 +142,7 @@ Prefer the narrowest configured intent that proves the actual upgraded dependenc
|
|
|
142
142
|
- If tests fail after an upgrade, do not delete tests, skip tests, loosen assertions, lower coverage, disable scanners, or widen permissions unless the behavior contract intentionally changed and the report says so.
|
|
143
143
|
- If a security upgrade requires broad modernization, split the minimum patch from the modernization when possible.
|
|
144
144
|
- If generated output changes, regenerate from the official generator path and explain the generated diff. Do not hand-edit generated dependency output.
|
|
145
|
-
- If
|
|
145
|
+
- If TS7 RC or nightly verification is introduced, keep the repository's stable, TS6 API, or framework verification unless the repository explicitly adopts the new track and all compiler API, framework wrapper, declaration, and generated-output risks are covered.
|
|
146
146
|
- If configured verification is missing, report the missing command intent instead of inferring a package-manager command.
|
|
147
147
|
|
|
148
148
|
<!-- mustflow-section: output-format -->
|
|
@@ -154,7 +154,7 @@ Prefer the narrowest configured intent that proves the actual upgraded dependenc
|
|
|
154
154
|
- Compatibility classification: patch, minor, major, pre-1.0, security, toolchain, generated-output, Docker, or CI action
|
|
155
155
|
- Runtime, peer, engine, module, feature, platform, generated-output, and publish-surface risks
|
|
156
156
|
- Python runtime, standard-library, packaging, and changed-default risks when relevant
|
|
157
|
-
- TypeScript compiler-track and
|
|
157
|
+
- TypeScript compiler-track, RC, nightly, and API compatibility risks when relevant
|
|
158
158
|
- Security advisory and fixed-range notes when relevant
|
|
159
159
|
- Surfaces synchronized
|
|
160
160
|
- Command intents run
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.elysia-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: elysia-code-change
|
|
9
|
-
description: Apply this skill when Elysia routes, schemas, plugins, decorators, derives, guards, auth, error handling, OpenAPI output, Eden clients, or Bun server behavior are created or changed.
|
|
9
|
+
description: Apply this skill when Elysia routes, schemas, plugins, decorators, derives, resolves, guards, auth, error handling, OpenAPI output, Eden clients, or Bun server behavior are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -33,7 +33,7 @@ Preserve Elysia schema-first runtime validation, type inference, plugin, auth, e
|
|
|
33
33
|
<!-- mustflow-section: use-when -->
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
|
-
- `new Elysia`, route methods, `t.Object`, request or response schemas, `.use`, `.guard`, `.derive`, `.decorate`, `.onError`, auth middleware, OpenAPI, Eden, or Bun server tests change.
|
|
36
|
+
- `new Elysia`, route methods, `t.Object`, request or response schemas, `.use`, `.guard`, `.derive`, `.resolve`, `.decorate`, `.onError`, auth middleware, OpenAPI, Eden, or Bun server tests change.
|
|
37
37
|
- The task adds API routes, plugins, validators, error envelopes, authentication, or generated client contracts.
|
|
38
38
|
|
|
39
39
|
<!-- mustflow-section: do-not-use-when -->
|
|
@@ -59,7 +59,8 @@ Preserve Elysia schema-first runtime validation, type inference, plugin, auth, e
|
|
|
59
59
|
|
|
60
60
|
- Define request and response schemas with the route.
|
|
61
61
|
- Keep framework context at the route boundary and move only framework-free business logic into services.
|
|
62
|
-
- Preserve plugin, decorator, derive, and store inference through Elysia chaining.
|
|
62
|
+
- Preserve plugin, decorator, derive, resolve, and store inference through Elysia chaining.
|
|
63
|
+
- Use `.derive` only for intentional pre-validation context shaping. Use `.resolve` by default for auth, session, user, tenant, permission, or other request-derived values that depend on validated headers, body, query, or params.
|
|
63
64
|
- Keep OpenAPI and Eden clients aligned with route schemas when present.
|
|
64
65
|
|
|
65
66
|
<!-- mustflow-section: procedure -->
|
|
@@ -70,9 +71,14 @@ Preserve Elysia schema-first runtime validation, type inference, plugin, auth, e
|
|
|
70
71
|
3. Add or update schemas for every external input and meaningful response status.
|
|
71
72
|
4. Do not annotate handlers with broad `any`, duplicated manual interfaces, or imported `Context` types that erase inference.
|
|
72
73
|
5. Keep request-specific state out of module-level mutable globals.
|
|
73
|
-
6.
|
|
74
|
-
|
|
75
|
-
|
|
74
|
+
6. For request-derived context, choose the lifecycle hook by validation dependency:
|
|
75
|
+
- use `.derive` only when transforming raw request context before validation is intentional;
|
|
76
|
+
- use `.guard()` to apply schema and auth-related validation around a route group;
|
|
77
|
+
- use `.resolve()` inside the validated chain for user, session, tenant, permission, or other values that depend on validated input;
|
|
78
|
+
- check the order between `.resolve()` and `beforeHandle` before relying on a value in an auth or permission hook.
|
|
79
|
+
7. Centralize expected error envelope and auth failure behavior.
|
|
80
|
+
8. If OpenAPI or Eden is used, confirm the generated contract follows the schema change.
|
|
81
|
+
9. Choose configured verification intents that cover types, server boot, route happy path, validation failure, auth failure, OpenAPI, and Eden inference when available.
|
|
76
82
|
|
|
77
83
|
<!-- mustflow-section: postconditions -->
|
|
78
84
|
## Postconditions
|
|
@@ -80,7 +86,7 @@ Preserve Elysia schema-first runtime validation, type inference, plugin, auth, e
|
|
|
80
86
|
- Schemas, runtime validation, and inferred types remain one contract.
|
|
81
87
|
- Error and auth responses are consistent.
|
|
82
88
|
- OpenAPI and Eden impact is known.
|
|
83
|
-
- No route relies on unvalidated input or erased context types.
|
|
89
|
+
- No route relies on unvalidated input, pre-validation auth context, or erased context types.
|
|
84
90
|
|
|
85
91
|
<!-- mustflow-section: verification -->
|
|
86
92
|
## Verification
|
|
@@ -101,6 +107,7 @@ Report missing route, OpenAPI, or Eden verification intents when relevant.
|
|
|
101
107
|
|
|
102
108
|
- If schema and manual types diverge, make schema the source of truth or report the competing contract.
|
|
103
109
|
- If plugin inference breaks after extraction, return context-sensitive code to the Elysia chain or narrow the extraction.
|
|
110
|
+
- If auth or session state is derived before validation through `.derive`, move it to a validated `.guard()` plus `.resolve()` chain or report the validation-order risk.
|
|
104
111
|
- If auth behavior is unclear, stop the route change and inspect or request the auth contract.
|
|
105
112
|
|
|
106
113
|
<!-- mustflow-section: output-format -->
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.external-skill-intake
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: external-skill-intake
|
|
9
|
-
description: Apply this skill when reviewing third-party SKILL.md files, skill packs, awesome lists, or skill installer recommendations before adapting them into mustflow.
|
|
9
|
+
description: Apply this skill when reviewing third-party SKILL.md files, skill packs, awesome lists, GitHub CLI `gh skill` flows, or skill installer recommendations before adapting them into mustflow.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -36,6 +36,7 @@ External web-testing and session-handoff ideas need extra care: they may be usef
|
|
|
36
36
|
|
|
37
37
|
- The user provides an outside `SKILL.md`, skill folder, skill pack, awesome list, or GitHub skill repository.
|
|
38
38
|
- The task asks whether mustflow should adopt, import, translate, install, or mirror an external skill.
|
|
39
|
+
- The task reviews a GitHub CLI `gh skill` search, preview, install, update, list, or publish workflow as external skill input.
|
|
39
40
|
- A proposed skill includes helper scripts, references, assets, command recipes, external services, dependencies, permissions, or tool-specific policy.
|
|
40
41
|
- A skill recommendation from another agent needs to be converted into a mustflow-native procedure.
|
|
41
42
|
- An external skill suggests Playwright-style web testing, browser sessions, development servers, session handoffs, progress files, or agent memory records.
|
|
@@ -53,7 +54,7 @@ External web-testing and session-handoff ideas need extra care: they may be usef
|
|
|
53
54
|
|
|
54
55
|
- External source identity: repository, URL, local path, package name, author or organization, and checked date or revision when available.
|
|
55
56
|
- License or provenance evidence, or an explicit note that it was not visible.
|
|
56
|
-
- External skill shape: `SKILL.md`, helper `scripts/`, `references/`, `assets/`, generated artifacts, package assumptions, and
|
|
57
|
+
- External skill shape: `SKILL.md`, helper `scripts/`, `references/`, `assets/`, generated artifacts, package assumptions, install instructions, and any `gh skill` provenance metadata such as repository, ref, commit, or tree SHA.
|
|
57
58
|
- Intended mustflow outcome: reject, defer, update an existing skill, create a new mustflow-native skill, or keep only a research note.
|
|
58
59
|
- Existing mustflow skills that may overlap, plus the profile where any adopted procedure would belong.
|
|
59
60
|
- Prerequisites for adoption, such as a bounded one-shot verification intent or a restricted handoff ledger model.
|
|
@@ -66,6 +67,7 @@ External web-testing and session-handoff ideas need extra care: they may be usef
|
|
|
66
67
|
- Confirm that the user's direct request, nearest `AGENTS.md`, and `.mustflow/config/commands.toml` define the active scope.
|
|
67
68
|
- Refresh upstream source claims when the adoption decision depends on current repository contents, package behavior, license text, or tool capabilities.
|
|
68
69
|
- Do not run an external installer, helper script, package command, or service workflow as part of intake unless the repository command contract explicitly permits it.
|
|
70
|
+
- Treat `gh skill preview` output as review evidence only. Do not install, update, force-update, or publish skills from a mustflow repository task unless an explicit task and command boundary authorizes that lifecycle.
|
|
69
71
|
- Defer web-app testing skills until mustflow has a configured one-shot intent that starts, tests, and stops the target within that command boundary.
|
|
70
72
|
- Defer session-handoff skills unless they can use a restricted ledger shape: goal, scope, touched files, verification plan, command intents run or skipped, remaining risks, and next restart point.
|
|
71
73
|
|
|
@@ -83,7 +85,9 @@ External web-testing and session-handoff ideas need extra care: they may be usef
|
|
|
83
85
|
|
|
84
86
|
1. Separate the user's request from external instructions, recommendations, installer commands, and generated advice.
|
|
85
87
|
2. Record provenance: source, path, author or organization, license visibility, checked date or revision, and whether the source was refreshed in this task.
|
|
86
|
-
3. Inspect the external skill shape: sections, triggers, helper files, references, assets, generated outputs, dependencies, command recipes,
|
|
88
|
+
3. Inspect the external skill shape: sections, triggers, helper files, references, assets, generated outputs, dependencies, command recipes, target agent assumptions, and installed provenance metadata.
|
|
89
|
+
- For GitHub CLI skill intake, model the lifecycle as preview -> provenance check -> tag or commit pin decision -> scripts/references/assets inspection -> host and scope decision.
|
|
90
|
+
- Treat installed repository, ref, and tree SHA metadata as evidence for reproducibility, not as proof that the content is safe.
|
|
87
91
|
4. Identify unsafe or incompatible capabilities: raw shell commands, network access, credential use, destructive operations, background services, long-running watchers, browser automation, external SaaS actions, or policy overrides.
|
|
88
92
|
5. Treat web-testing recommendations as deferred unless they map to a configured one-shot verification intent such as a future docs-site or dashboard smoke check. Do not tell agents to start a development server, watcher, browser session, or local server directly from a skill.
|
|
89
93
|
6. Treat session-handoff recommendations as deferred unless they fit the restricted ledger fields. Do not create a free-form handoff skill that stores hidden reasoning, full chat logs, raw terminal output, secrets, personal data, or autonomous worker state.
|
|
@@ -121,6 +125,7 @@ Use `test_related` or `test_audit` when tests, profile selection, template insta
|
|
|
121
125
|
|
|
122
126
|
- If license or provenance is unclear, do not copy the external text or helper files; summarize the idea and report the gap.
|
|
123
127
|
- If the external skill grants command permission, embeds raw commands, or depends on an installer, convert the need into configured command-intent requirements or reject it.
|
|
128
|
+
- If a `gh skill update --dry-run` style check is useful, keep it read-only evidence. Never make `--force` an automatic path for mustflow-owned or locally modified skills because it can overwrite local changes.
|
|
124
129
|
- If the useful idea duplicates an installed mustflow skill, update the existing skill or route instead of adding a new one.
|
|
125
130
|
- If the source cannot be refreshed and freshness matters, keep the decision conservative and report the stale-source boundary.
|
|
126
131
|
- If adapting the skill would require broad localization, dependency, or runtime changes, defer the adoption and capture the narrower prerequisite.
|
|
@@ -136,6 +141,6 @@ Use `test_related` or `test_audit` when tests, profile selection, template insta
|
|
|
136
141
|
- Unsafe or incompatible capabilities found
|
|
137
142
|
- Adoption decision
|
|
138
143
|
- mustflow-native changes made or deferred
|
|
139
|
-
- Deferred prerequisites such as bounded web-smoke intent
|
|
144
|
+
- Deferred prerequisites such as bounded web-smoke intent, restricted handoff ledger, or explicit external skill lifecycle boundary
|
|
140
145
|
- Command intents run
|
|
141
146
|
- Remaining intake risks
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.public-json-contract-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: public-json-contract-change
|
|
@@ -61,6 +61,7 @@ Protect automation consumers from silent JSON, JSONL, stream, schema, fixture, a
|
|
|
61
61
|
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
62
62
|
- Existing JSON tests, schemas, docs examples, package fixtures, and compatibility fixtures have been inspected before changing the contract.
|
|
63
63
|
- Command execution remains governed by `.mustflow/config/commands.toml`; this skill does not authorize raw commands.
|
|
64
|
+
- If `.mustflow/config/commands.toml` exposes `script_pack_list`, it may be used only as read-only discovery for optional script-pack checks.
|
|
64
65
|
|
|
65
66
|
<!-- mustflow-section: allowed-edits -->
|
|
66
67
|
## Allowed Edits
|
|
@@ -87,7 +88,9 @@ Protect automation consumers from silent JSON, JSONL, stream, schema, fixture, a
|
|
|
87
88
|
10. Use snapshot and golden-output files only as review aids. Add or preserve assertions for field presence, primitive types, enum values, null versus missing semantics, stream split, exit code, and schema validation where existing test structure supports it.
|
|
88
89
|
11. Synchronize schemas, fixtures, examples, package file lists, docs, templates, and release notes when the contract changes. If a surface is intentionally stale or deferred, record why.
|
|
89
90
|
12. Route version impact through the repository versioning policy when the change is breaking, deprecating, package-visible, or template-visible.
|
|
90
|
-
13.
|
|
91
|
+
13. Before final verification, use `script_pack_list` when the command contract exposes it to discover optional JSON, schema, or repository-boundary script-pack checks relevant to the changed public contract.
|
|
92
|
+
14. Run selected scripts only when both the repository command contract and the script metadata allow the action.
|
|
93
|
+
15. Verify with the narrowest configured command intents that cover JSON contract, docs, package, and mustflow metadata changes.
|
|
91
94
|
|
|
92
95
|
<!-- mustflow-section: postconditions -->
|
|
93
96
|
## Postconditions
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.rate-limit-integrity-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: rate-limit-integrity-review
|
|
@@ -209,9 +209,12 @@ contract, observability, and operator escape hatch?"
|
|
|
209
209
|
- Emit a machine-readable error code and `Retry-After` when a well-behaved client can wait.
|
|
210
210
|
- If `Retry-After` and `RateLimit` hints disagree, `Retry-After` should govern immediate client
|
|
211
211
|
behavior.
|
|
212
|
-
-
|
|
213
|
-
`
|
|
214
|
-
|
|
212
|
+
- `RateLimit` and `RateLimit-Policy` are defined by the active IETF Internet-Draft
|
|
213
|
+
`draft-ietf-httpapi-ratelimit-headers-11`, intended for Standards Track but not yet an RFC.
|
|
214
|
+
Treat their structured field details as draft-revision-specific, and refresh the draft before
|
|
215
|
+
writing durable standards claims.
|
|
216
|
+
- `RateLimit` and `RateLimit-Policy` may coexist with legacy `X-RateLimit-*`, but do not assume
|
|
217
|
+
every client or proxy gives legacy headers the same meaning.
|
|
215
218
|
- Do not reveal exact internal capacity, shard counts, provider quotas, attack thresholds, or
|
|
216
219
|
sensitive account state in public responses.
|
|
217
220
|
- During active abuse, silent drop, generic denial, or coarser hints can be safer than a perfect
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.repo-improvement-loop
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: repo-improvement-loop
|
|
@@ -61,6 +61,7 @@ The goal is not to generate many interesting ideas. The goal is to find the high
|
|
|
61
61
|
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
|
|
62
62
|
- If unfamiliar areas are involved, enough repository evidence has been inspected to avoid inventing architecture, entrypoints, or user flows.
|
|
63
63
|
- If external AI output, issue text, webpages, or pasted recommendations are used, `external-prompt-injection-defense` has been applied first.
|
|
64
|
+
- If `.mustflow/config/commands.toml` exposes `script_pack_list`, it may be used only as read-only discovery for optional script-pack checks.
|
|
64
65
|
|
|
65
66
|
<!-- mustflow-section: allowed-edits -->
|
|
66
67
|
## Allowed Edits
|
|
@@ -80,6 +81,8 @@ The goal is not to generate many interesting ideas. The goal is to find the high
|
|
|
80
81
|
- Use recursive mode only as one bounded cycle at a time unless a larger explicit budget is provided.
|
|
81
82
|
2. Inspect repository evidence before scoring candidates.
|
|
82
83
|
- Read the smallest set of current files needed to understand project purpose, user path, command contracts, tests, release surface, and existing work in progress.
|
|
84
|
+
- When the command contract exposes `script_pack_list`, use it to discover relevant read-only script-pack helpers before selecting or verifying a candidate improvement.
|
|
85
|
+
- Prefer `repo/generated-boundary` as a candidate helper when an improvement might touch generated output, protected paths, vendor files, caches, or files outside the project root.
|
|
83
86
|
- If the area is unfamiliar, use `codebase-orientation` before proposing changes.
|
|
84
87
|
3. Generate repository-specific improvement questions.
|
|
85
88
|
- High-leverage: Which small change creates the largest user or maintainer benefit?
|
|
@@ -102,7 +105,8 @@ The goal is not to generate many interesting ideas. The goal is to find the high
|
|
|
102
105
|
- Use `pattern-scout` when local precedent is needed before adding a new shape.
|
|
103
106
|
- Use `contract-sync-check` when behavior, templates, manifests, schemas, tests, or public docs must stay aligned.
|
|
104
107
|
7. Verify the selected improvement with the narrowest configured command intents that cover the changed surfaces.
|
|
105
|
-
8.
|
|
108
|
+
8. Run selected script-pack helpers only when the repository command contract and script metadata allow them.
|
|
109
|
+
9. Report the cycle and name the next improvement question revealed by the work.
|
|
106
110
|
|
|
107
111
|
<!-- mustflow-section: postconditions -->
|
|
108
112
|
## Postconditions
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.rust-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 5
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: rust-code-change
|
|
@@ -98,7 +98,8 @@ instead of treated as incidental.
|
|
|
98
98
|
environment and verification choices that must be reported when they dominate iteration cost.
|
|
99
99
|
4. Determine the Rust version contract before using newer syntax or standard-library APIs:
|
|
100
100
|
- treat `rust-version`, edition, `rust-toolchain.toml`, CI matrix, docs.rs metadata, and downstream compatibility notes as the MSRV evidence ledger;
|
|
101
|
-
-
|
|
101
|
+
- before using newer APIs, build an API-specific MSRV ledger instead of relying on a broad release bucket. Examples that need exact checking include `cfg_select!`, match `if let` guards, `core::range` items, `Vec::push_mut`, `assert_matches!`, and `debug_assert_matches!`;
|
|
102
|
+
- do not use any newer API unless the declared MSRV, edition, CI matrix, docs.rs metadata, and toolchain path support that exact API;
|
|
102
103
|
- keep experimental, nightly-only, target-specific, or edition-specific behavior behind explicit gates or fallbacks instead of calling it general Rust advice.
|
|
103
104
|
5. Prefer flatter control flow when the MSRV supports it: use `let else` for early validation, let chains for related optional/result guards, and match `if let` guards for state-machine refinements. Remember that guard patterns do not satisfy match exhaustiveness; keep the fallback arm meaningful.
|
|
104
105
|
6. In tests, prefer `assert_matches!` over `assert!(matches!(...))` when the MSRV supports it and the failed value has useful `Debug` output. Import it explicitly from `std` or `core`; do not assume it is in the prelude.
|
|
@@ -133,7 +134,7 @@ Reject or revise the patch when any of these appear without strong local justifi
|
|
|
133
134
|
|
|
134
135
|
- New large `clone()` calls, clone-then-borrow code, loop clones, or state clones used only to appease ownership errors.
|
|
135
136
|
- New `Arc<Mutex<AppState>>`-style shared bags, locks held across `.await`, or async I/O resources shared mainly by mutex.
|
|
136
|
-
- New Rust
|
|
137
|
+
- New version-gated Rust API usage without API-specific MSRV, `rust-version`, edition, toolchain, CI, or fallback evidence.
|
|
137
138
|
- New `LazyLock` initialization for recoverable runtime configuration where permanent panic poisoning would be the wrong failure policy.
|
|
138
139
|
- New `spare_capacity_mut` plus `set_len` without a narrow, proven initialization invariant.
|
|
139
140
|
- New public `impl Trait`, `Deref`, GAT, workspace resolver, feature, or `rust-version` change without public API and compatibility review.
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.skill-authoring
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 9
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: skill-authoring
|
|
@@ -75,6 +75,7 @@ Create narrow, repeatable mustflow skill procedures without turning skills into
|
|
|
75
75
|
8. Reference command intent names only. Do not include raw shell command blocks or claim that the skill authorizes command execution.
|
|
76
76
|
9. Update `.mustflow/skills/INDEX.md` with a compact route that includes trigger, required input, edit scope, risk, verification intents, and expected output.
|
|
77
77
|
10. If the skill is installed by a template, update the canonical skill copy plus installation metadata, package tests, and public docs that list installed files. Do not fan out routine skill edits into every localized skill copy by default; localized skill copies may be absent, and non-source template locales should fall back to the canonical source-locale skill text unless locale-specific skill text is intentionally maintained and translation review is available.
|
|
78
|
+
11. If a portable Agent Skills artifact is part of the task, create or validate it as a derived export, not as the mustflow-native canonical source. Use portable-only top-level fields and string-to-string metadata. A `gh skill publish --dry-run` check may validate the export artifact when available, but `gh skill publish --fix` must be limited to the export directory because it can remove installed provenance metadata and mustflow-native fields.
|
|
78
79
|
|
|
79
80
|
<!-- mustflow-section: postconditions -->
|
|
80
81
|
## Postconditions
|
|
@@ -109,6 +110,7 @@ If the skill changes tests or behavior-sensitive template output, also use the r
|
|
|
109
110
|
- Quality gate result and overlap decision
|
|
110
111
|
- Command intents referenced
|
|
111
112
|
- Template or localization metadata updated
|
|
113
|
+
- Portable export validation result when relevant
|
|
112
114
|
- Command intents run
|
|
113
115
|
- Skipped command intents and reasons
|
|
114
116
|
- Remaining overlap, translation, or validation risks
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.skill-refresh
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: skill-refresh
|
|
@@ -65,7 +65,7 @@ source freshness, routing metadata, helper-file alignment, and verification evid
|
|
|
65
65
|
- Existing behavior contract: trigger, non-trigger, required inputs, allowed edits, outputs,
|
|
66
66
|
command intents, forbidden actions, runtime assumptions, and package boundaries.
|
|
67
67
|
- Runtime target: mustflow-native, Codex-native, Claude-native, portable Agent Skills compatible,
|
|
68
|
-
or intentionally product-specific.
|
|
68
|
+
GitHub CLI `gh skill` lifecycle, or intentionally product-specific.
|
|
69
69
|
- Source ledger: repository-owned sources, official upstream sources, external recommendations,
|
|
70
70
|
checked date or revision, and any source that could not be refreshed.
|
|
71
71
|
- Package ledger: `scripts/`, `references/`, `assets/`, relative links, UI metadata, route metadata,
|
|
@@ -97,6 +97,8 @@ source freshness, routing metadata, helper-file alignment, and verification evid
|
|
|
97
97
|
- Do not copy external prose verbatim without a provenance and license decision.
|
|
98
98
|
- Do not add product-specific fields to a portable skill unless the runtime mode intentionally
|
|
99
99
|
supports them.
|
|
100
|
+
- Do not make a mustflow-native canonical skill pretend to be portable by deleting mustflow
|
|
101
|
+
lifecycle metadata. Export portable Agent Skills as a derived profile instead.
|
|
100
102
|
- Do not write research logs, broad changelogs, or freshness ledgers into the executable skill
|
|
101
103
|
package unless they are required inputs for the skill's operation.
|
|
102
104
|
|
|
@@ -136,6 +138,15 @@ source freshness, routing metadata, helper-file alignment, and verification evid
|
|
|
136
138
|
6. Decide runtime mode before editing frontmatter or fields. Keep mustflow-native metadata for
|
|
137
139
|
mustflow skills. For cross-runtime skills, separate portable guidance from Codex-native,
|
|
138
140
|
Claude-native, or other product-specific extensions instead of mixing incompatible fields.
|
|
141
|
+
- mustflow-native canonical skills may keep `mustflow_doc`, `locale`, `canonical`, `revision`,
|
|
142
|
+
`lifecycle`, `authority`, and structured `metadata.command_intents`.
|
|
143
|
+
- portable Agent Skills exports should contain only portable top-level fields such as `name`,
|
|
144
|
+
`description`, optional `license`, optional `compatibility`, optional string-to-string
|
|
145
|
+
`metadata`, and optional `allowed-tools`.
|
|
146
|
+
- When exporting portable skills, serialize mustflow-only fields into namespaced string metadata
|
|
147
|
+
only when useful, convert arrays such as `command_intents` to JSON strings or omit them, and
|
|
148
|
+
run portable validation only against the exported artifact.
|
|
149
|
+
- Do not run portable fixers against canonical mustflow sources.
|
|
139
150
|
7. Treat `description` as routing code. Put the strongest positive trigger and the most important
|
|
140
151
|
exclusion near the front. Avoid generic descriptions that overlap with broad authoring, docs, or
|
|
141
152
|
review skills.
|
|
@@ -157,6 +168,10 @@ source freshness, routing metadata, helper-file alignment, and verification evid
|
|
|
157
168
|
laundering, hidden network use, credential access, absolute paths, home-directory scanning,
|
|
158
169
|
prompt injection, symlink escape, broad file writes, or mismatch between prose and script
|
|
159
170
|
behavior.
|
|
171
|
+
For GitHub CLI skill flows, compare installed tree SHA, current upstream tree SHA, and local
|
|
172
|
+
modifications as a three-way refresh problem. Treat `gh skill update --dry-run` as read-only
|
|
173
|
+
evidence when available, and never make `--force` automatic for mustflow-owned or modified
|
|
174
|
+
skills.
|
|
160
175
|
13. Preserve user edits through a three-way mindset:
|
|
161
176
|
- old baseline;
|
|
162
177
|
- current user-edited skill;
|
|
@@ -209,6 +224,8 @@ package output, public docs, or release-sensitive template output changed.
|
|
|
209
224
|
|
|
210
225
|
- If the target runtime cannot be identified, keep the refresh portable and report product-specific
|
|
211
226
|
claims as deferred.
|
|
227
|
+
- If portable Agent Skills compatibility is requested, validate a derived export profile instead of
|
|
228
|
+
weakening the mustflow-native canonical schema.
|
|
212
229
|
- If a source cannot be refreshed and the claim is high drift, omit the claim or mark it as
|
|
213
230
|
snapshot-only instead of embedding it as current.
|
|
214
231
|
- If route overlap is detected, tighten `description`, Use When, and Do Not Use When before adding
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.tailwind-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: tailwind-code-change
|
|
@@ -34,7 +34,7 @@ Preserve Tailwind static class detection, design tokens, bounded variants, respo
|
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
36
|
- Tailwind `class`, `className`, `@apply`, `@theme`, `@source`, `@reference`, config, source scanning, safelist, theme tokens, variants, arbitrary values, or component class composition change.
|
|
37
|
-
- The task touches Tailwind v3/v4 migration, CSS-first configuration, token addition, responsive modifiers, state modifiers, `clsx`/`cn`, CVA-style variant helpers, `source(none)`, `@source inline`, `@source not inline`, or production CSS generation risk.
|
|
37
|
+
- The task touches Tailwind v3/v4 migration, CSS-first configuration, token addition, responsive modifiers, state modifiers, `clsx`/`cn`, CVA-style variant helpers, `source(none)`, `@source inline()`, `@source not inline()`, path `@source`, path `@source not`, or production CSS generation risk.
|
|
38
38
|
- Component APIs accept status, tone, intent, size, column count, color, spacing, or class-related props that affect Tailwind utilities.
|
|
39
39
|
|
|
40
40
|
<!-- mustflow-section: do-not-use-when -->
|
|
@@ -57,7 +57,8 @@ Preserve Tailwind static class detection, design tokens, bounded variants, respo
|
|
|
57
57
|
|
|
58
58
|
- Confirm how Tailwind detects source classes before changing class composition, helper-file location, or CSS entry imports.
|
|
59
59
|
- Identify whether the project is using Tailwind v3 config safelists or Tailwind v4 CSS source directives.
|
|
60
|
-
- Identify whether Tailwind v4 source detection is automatic, disabled with `source(none)`, extended with `@source`, or narrowed with `@source not inline`.
|
|
60
|
+
- Identify whether Tailwind v4 source detection is automatic, disabled with `source(none)`, extended with path `@source`, narrowed with path `@source not`, expanded with candidate `@source inline()`, or narrowed with candidate `@source not inline()`.
|
|
61
|
+
- For Tailwind v4 migration, check browser support floors before recommending v4. If the project still supports browsers below Safari 16.4, Chrome 111, or Firefox 128, keep v3.4 as the safer maintenance track unless project policy changes.
|
|
61
62
|
- Identify tokens, variant helpers, and semantic visual states before adding arbitrary values or raw colors.
|
|
62
63
|
- Confirm whether affected components are local one-offs, shared components, or public design-system surfaces.
|
|
63
64
|
|
|
@@ -67,8 +68,9 @@ Preserve Tailwind static class detection, design tokens, bounded variants, respo
|
|
|
67
68
|
- Use full static class strings that the build can detect.
|
|
68
69
|
- Use existing theme tokens before arbitrary values or raw colors.
|
|
69
70
|
- Use static maps, component extraction, or variant helpers for finite repeated variants.
|
|
70
|
-
- Use safelists or `@source inline` only for finite class candidates that cannot appear in scanned source.
|
|
71
|
-
- Use `@source not inline`
|
|
71
|
+
- Use safelists or `@source inline()` only for finite class candidates that cannot appear in scanned source.
|
|
72
|
+
- Use `@source not inline()` to block known false-positive class candidates when generated CSS would otherwise include unwanted utilities.
|
|
73
|
+
- Use path `@source` to add scan sources and path `@source not` to exclude scan sources. Do not confuse those with candidate safelist or blocklist directives.
|
|
72
74
|
- Use `@reference` when component-scoped styles need access to Tailwind theme variables, custom utilities, or variants without duplicating emitted CSS.
|
|
73
75
|
- Use inline styles plus CSS variables for unbounded runtime values such as tenant, database, or user-provided colors.
|
|
74
76
|
- Keep hover, focus-visible, disabled, aria/data, dark, and motion variants aligned with existing component behavior.
|
|
@@ -78,12 +80,12 @@ Preserve Tailwind static class detection, design tokens, bounded variants, respo
|
|
|
78
80
|
|
|
79
81
|
1. Read Tailwind config or CSS entry, scanning rules, theme tokens, helpers, and nearby components.
|
|
80
82
|
2. Classify the change: token, utility usage, dynamic variant, component extraction, responsive state, accessibility state, or migration.
|
|
81
|
-
3. For Tailwind v4, classify CSS-first configuration before touching utility usage: `@theme`, `@utility`, `@variant`, `@custom-variant`, `@source`, `@source inline`, `@source not inline`, `source(none)`, and `@reference`. Do not apply v3 config instincts to a v4 CSS entry without checking the project pattern.
|
|
83
|
+
3. For Tailwind v4, classify CSS-first configuration before touching utility usage: `@theme`, `@utility`, `@variant`, `@custom-variant`, path `@source`, path `@source not`, candidate `@source inline()`, candidate `@source not inline()`, `source(none)`, and `@reference`. Do not apply v3 config instincts to a v4 CSS entry without checking the project pattern.
|
|
82
84
|
4. Treat every Tailwind class as a complete build-time token. Reject runtime interpolation, concatenation, array joins, or fragment assembly for utilities such as color, spacing, grid count, span, tone, or arbitrary values.
|
|
83
85
|
5. For finite choices, use a static map with semantic keys and full class strings. Good keys describe UI meaning such as `danger`, `muted`, `compact`, or `featured`; bad keys store Tailwind fragments such as `red`, `600`, or `cols-3` for later assembly.
|
|
84
86
|
6. Use a CVA-style variant helper only when a shared component has multiple variant axes, defaults, or compound variants. The helper must still contain full static class strings.
|
|
85
87
|
7. Use safelists only as a last resort for finite candidates that cannot be present in source files. Tailwind v4 projects should express this through the project's CSS source policy; Tailwind v3 maintenance projects may use config safelists when that is the existing pattern. Do not safelist broad palettes or unbounded ranges to avoid fixing a bad component API.
|
|
86
|
-
8. Keep `@source inline` bounded, named, and close to the CSS entry policy. If `source(none)` disables automatic detection, require explicit source includes for every package, app, and external component source that owns utilities. Use `@source not inline` for known false
|
|
88
|
+
8. Keep `@source inline()` bounded, named, and close to the CSS entry policy. If `source(none)` disables automatic detection, require explicit path `@source` includes for every package, app, and external component source that owns utilities. Use `@source not inline()` for known false-positive class candidates, and path `@source not` for excluded scan locations, instead of relying on accidental absence.
|
|
87
89
|
9. Use inline style plus a CSS variable bridge for unbounded runtime values from databases, APIs, tenants, CMS content, or user input. Do not try to mint Tailwind class names from unbounded values.
|
|
88
90
|
10. Treat arbitrary values as escape hatches. Allow them for one-off asset alignment, complex grid templates, complex calculations, local CSS variable assignment, or values that cannot be expressed with regular utilities.
|
|
89
91
|
11. Reject arbitrary raw colors in component markup, arbitrary spacing that approximates existing scale values, arbitrary container widths, arbitrary radius or shadow used as a hidden token, and repeated arbitrary values. Repeated values must be promoted to a semantic design token or component variant.
|
|
@@ -106,7 +108,7 @@ Preserve Tailwind static class detection, design tokens, bounded variants, respo
|
|
|
106
108
|
- Dynamic visual state must be represented by exactly one of: static map entry, variant helper entry, explicit safelist entry, or CSS variable bridge.
|
|
107
109
|
- Status, tone, intent, size, density, and column props are closed sets until proven otherwise. Model them as finite typed variants, not string fragments.
|
|
108
110
|
- Production CSS is the contract. If a class only exists after runtime string construction, assume production CSS may omit it.
|
|
109
|
-
- `@source inline`, `@source not inline`, and `source(none)` are part of the production CSS generation contract. Review them as carefully as code that uses utilities.
|
|
111
|
+
- Path `@source`, path `@source not`, candidate `@source inline()`, candidate `@source not inline()`, and `source(none)` are part of the production CSS generation contract. Review them as carefully as code that uses utilities.
|
|
110
112
|
|
|
111
113
|
<!-- mustflow-section: token-policy -->
|
|
112
114
|
## Token Policy
|
|
@@ -130,7 +132,8 @@ Reject the change when:
|
|
|
130
132
|
- Component-scoped `@apply` or `@variant` relies on Tailwind globals without the needed `@reference` boundary.
|
|
131
133
|
- A public component exposes unconstrained Tailwind class fragments.
|
|
132
134
|
- A safelist covers broad palettes, broad numeric ranges, or unknown runtime values.
|
|
133
|
-
- `@source inline` covers broad palettes, broad numeric ranges, or unknown runtime values.
|
|
135
|
+
- `@source inline()` covers broad palettes, broad numeric ranges, or unknown runtime values.
|
|
136
|
+
- Tailwind v4 is recommended while the project still promises browsers below the v4 floor such as Safari 16.4, Chrome 111, or Firefox 128.
|
|
134
137
|
- `source(none)` is used without explicit source includes for all utility-owning files.
|
|
135
138
|
- `space-*` is used where wrapped or reordered children require `gap`.
|
|
136
139
|
- Conflicting utilities are present on the same element.
|
package/templates/default/locales/en/.mustflow/skills/template-install-surface-sync/SKILL.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.template-install-surface-sync
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: template-install-surface-sync
|
|
@@ -61,6 +61,7 @@ Keep the source repository's mustflow workflow files, install templates, manifes
|
|
|
61
61
|
- Canonical source locale and template locale policy are known.
|
|
62
62
|
- Existing template manifest and nearby tests have been inspected before adding or removing installed files.
|
|
63
63
|
- Command execution remains governed by `.mustflow/config/commands.toml`; this skill does not authorize raw commands.
|
|
64
|
+
- If `.mustflow/config/commands.toml` exposes `script_pack_list`, it may be used only as read-only discovery for optional script-pack checks.
|
|
64
65
|
|
|
65
66
|
<!-- mustflow-section: allowed-edits -->
|
|
66
67
|
## Allowed Edits
|
|
@@ -85,8 +86,10 @@ Keep the source repository's mustflow workflow files, install templates, manifes
|
|
|
85
86
|
8. Check install/update behavior. If new files, profile membership, conflict policy, or managed targets change, inspect init/update tests and package tests that assert installed output, manifest lock behavior, backups, or diff previews.
|
|
86
87
|
9. Check package and release surfaces. Installed template files must be included in package output and covered by release-sensitive tests when the package includes templates.
|
|
87
88
|
10. Check public docs and examples only when they list installed files, profiles, init/update behavior, or workflow expectations.
|
|
88
|
-
11.
|
|
89
|
-
12.
|
|
89
|
+
11. When the command contract exposes `script_pack_list`, use it to discover optional script-pack helpers before editing or verifying template surfaces. `repo/generated-boundary` is useful for checking candidate template, manifest, generated-output, vendor, cache, or protected paths.
|
|
90
|
+
12. Keep generated files generated. Refresh generated maps or package output only with configured intents, and report generated surfaces that are stale but outside the current allowed command set.
|
|
91
|
+
13. Run selected script-pack helpers only when the repository command contract and script metadata allow them.
|
|
92
|
+
14. Verify with related tests first, then release and docs checks when package, template, manifest, or docs surfaces changed.
|
|
90
93
|
|
|
91
94
|
<!-- mustflow-section: postconditions -->
|
|
92
95
|
## Postconditions
|