mustflow 2.84.0 → 2.85.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +4 -0
  3. package/dist/cli/i18n/en.js +79 -0
  4. package/dist/cli/i18n/es.js +79 -0
  5. package/dist/cli/i18n/fr.js +79 -0
  6. package/dist/cli/i18n/hi.js +79 -0
  7. package/dist/cli/i18n/ko.js +79 -0
  8. package/dist/cli/i18n/zh.js +79 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +114 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +172 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  17. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  18. package/dist/core/change-impact.js +383 -0
  19. package/dist/core/change-verification.js +32 -5
  20. package/dist/core/config-loading.js +121 -4
  21. package/dist/core/dependency-graph.js +490 -0
  22. package/dist/core/env-contract.js +450 -0
  23. package/dist/core/line-endings.js +26 -13
  24. package/dist/core/public-json-contracts.js +51 -0
  25. package/dist/core/route-outline.js +57 -5
  26. package/dist/core/script-pack-suggestions.js +21 -1
  27. package/dist/core/secret-risk-scan.js +440 -0
  28. package/package.json +1 -1
  29. package/schemas/README.md +16 -0
  30. package/schemas/change-impact-report.schema.json +150 -0
  31. package/schemas/commands.schema.json +12 -0
  32. package/schemas/dependency-graph-report.schema.json +149 -0
  33. package/schemas/env-contract-report.schema.json +203 -0
  34. package/schemas/secret-risk-scan-report.schema.json +152 -0
  35. package/templates/default/i18n.toml +16 -10
  36. package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -2
  37. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  38. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  39. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  40. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  41. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  42. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  43. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  44. package/templates/default/locales/en/.mustflow/skills/routes.toml +15 -9
  45. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  46. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +314 -0
  47. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +13 -10
  48. package/templates/default/manifest.toml +8 -1
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.javascript-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: javascript-code-change
@@ -84,23 +84,25 @@ Preserve JavaScript module, runtime, package entry, Promise, cleanup, dependency
84
84
  6. Do not use runtime detection as a broad escape hatch in shared code. Prefer explicit runtime entrypoints, adapters, conditional exports, or dependency injection over a file that mixes every runtime branch.
85
85
  7. Keep environment access behind existing server/client env helpers. Do not read raw server secrets from client, shared, browser, or edge code, and do not assume `process.env` exists outside Node-oriented code.
86
86
  8. Do not mix `import`/`export` with `require`/`module.exports` outside an established interop boundary.
87
- 9. Treat package entry metadata as public contract:
87
+ 9. For new Node-owned application, server, or private CLI JavaScript, prefer ESM-only with package `"type": "module"` and ordinary `.js` files when the supported runtime allows it. Use `.mjs` and `.cjs` as explicit override markers for mixed or exceptional files, not as a blanket naming convention.
88
+ 10. In native Node ESM, write relative and absolute imports with the runtime file extension and explicit directory entry file, such as `./server.js` or `./routes/index.js`. Extensionless imports and automatic directory `index.js` lookup are CommonJS or bundler habits unless a declared loader or bundler owns them.
89
+ 11. Treat package entry metadata as public contract:
88
90
  - `type`, file extensions, `main`, `module`, `browser`, `exports`, `types`, `typesVersions`, `files`, `bin`, `sideEffects`, and `engines` affect consumers;
89
91
  - adding `exports` can block deep imports and should be classified as public API sensitive;
90
92
  - conditional exports must keep specific conditions before generic fallbacks;
91
93
  - ESM and CJS branches should expose compatible documented shapes when both are supported;
92
94
  - TypeScript declaration output and docs examples must keep pointing at existing package entry files.
93
- 10. For package entry changes, check source entrypoints, build output layout, docs import examples, TypeScript or declaration settings, bundler config, and consumer-style tests. Report missing Node ESM, Node CJS, browser bundle, edge, Bun, or TypeScript consumer verification when those targets are claimed but no configured intent exists.
94
- 11. Treat build targets as syntax/output compatibility, not as permission to use a runtime API. A browser or edge build target does not make Node filesystem, process, Buffer, or native APIs safe.
95
- 12. Treat implicit globals as failures.
96
- 13. Do not discard Promises. Every Promise-producing call must be awaited, returned, joined, or intentionally supervised by the project's detached-task pattern.
97
- 14. Do not leave `.map(async ...)` unjoined. Join with the established Promise aggregation or bounded-concurrency helper when parallel work is intended.
98
- 15. Do not use unbounded parallelism for large external I/O fan-out. Use the local concurrency limit pattern when the workload touches HTTP, database, filesystem, queue, AI, or other external services.
99
- 16. Propagate cancellation when the operation can outlive a request, job, stream, retry loop, timeout, or user action. Accept and forward `AbortSignal` or the repository's established cancellation token when available.
100
- 17. Do not implement timeout as a caller-only race that leaves the real work running. Timeout behavior must cancel or abort the underlying operation when the API supports it.
101
- 18. Put cleanup in a deterministic path. Timers, event listeners, stream readers, Node streams, temp files, locks, transactions, subscriptions, and shutdown drains need success, failure, timeout, and cancellation cleanup coverage when touched.
102
- 19. Do not build package exports or dependency changes without checking consumers, tests, and docs examples.
103
- 20. Choose configured verification intents that cover lint, build, tests, package entry, runtime behavior, async rejection handling, cancellation, and cleanup when available.
95
+ 12. For package entry changes, check source entrypoints, build output layout, docs import examples, TypeScript or declaration settings, bundler config, and consumer-style tests. Report missing Node ESM, Node CJS, browser bundle, edge, Bun, or TypeScript consumer verification when those targets are claimed but no configured intent exists.
96
+ 13. Treat build targets as syntax/output compatibility, not as permission to use a runtime API. A browser or edge build target does not make Node filesystem, process, Buffer, or native APIs safe.
97
+ 14. Treat implicit globals as failures.
98
+ 15. Do not discard Promises. Every Promise-producing call must be awaited, returned, joined, or intentionally supervised by the project's detached-task pattern.
99
+ 16. Do not leave `.map(async ...)` unjoined. Join with the established Promise aggregation or bounded-concurrency helper when parallel work is intended.
100
+ 17. Do not use unbounded parallelism for large external I/O fan-out. Use the local concurrency limit pattern when the workload touches HTTP, database, filesystem, queue, AI, or other external services.
101
+ 18. Propagate cancellation when the operation can outlive a request, job, stream, retry loop, timeout, or user action. Accept and forward `AbortSignal` or the repository's established cancellation token when available.
102
+ 19. Do not implement timeout as a caller-only race that leaves the real work running. Timeout behavior must cancel or abort the underlying operation when the API supports it.
103
+ 20. Put cleanup in a deterministic path. Timers, event listeners, stream readers, Node streams, temp files, locks, transactions, subscriptions, and shutdown drains need success, failure, timeout, and cancellation cleanup coverage when touched.
104
+ 21. Do not build package exports or dependency changes without checking consumers, tests, and docs examples.
105
+ 22. Choose configured verification intents that cover lint, build, tests, package entry, runtime behavior, async rejection handling, cancellation, and cleanup when available.
104
106
 
105
107
  <!-- mustflow-section: postconditions -->
106
108
  ## Postconditions
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.node-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: node-code-change
@@ -85,19 +85,21 @@ Preserve the actual Node.js runtime, module, package manager, TypeScript executi
85
85
  - Yarn PnP, Zero-Install, and immutable installs can make `node_modules` assumptions wrong.
86
86
  - Corepack availability depends on the Node/runtime environment; do not assume it exists in every Node version, image, or CI runner.
87
87
  5. Determine Node module loading from Node rules, not preference or `tsconfig` alone. `.mjs` and `.mts` are ESM, `.cjs` and `.cts` are CommonJS, and `.js` or `.ts` follows the nearest package `type` after the project's loader/build path is considered.
88
- 6. Treat `type`, `main`, `exports`, `imports`, file extensions, and conditional export changes as package entry contract changes. Adding `exports` can block deep imports and should be classified as compatibility-sensitive unless all previously supported paths remain exported or the release is intentionally breaking.
89
- 7. For conditional exports, keep condition order deliberate, include a `default` fallback when multi-runtime or bundler consumers are intended, and avoid splitting `import` and `require` into separate stateful implementations unless dual package hazards are tested.
90
- 8. For `imports`, use `#` aliases only for package-internal paths, and keep TypeScript paths, bundler aliases, test runner aliases, and declaration output aligned.
91
- 9. For JSON imports, `require(esm)`, top-level await, `.mts`, `.cts`, `.d.mts`, and `.d.cts`, verify the minimum Node version, TypeScript module resolution, generated output, and consumer path before changing code.
92
- 10. Do not replace an existing TypeScript pipeline with native Node TypeScript execution unless the task explicitly asks for that migration. Node native TypeScript execution is limited type stripping; it does not typecheck, read `tsconfig`, resolve path aliases, emit declarations, downlevel syntax, transform decorators or enums, or support TSX as a full build pipeline.
93
- 11. If native Node TypeScript execution is intentionally used, keep syntax erasable-only, use `import type` for type-only imports, avoid runtime TypeScript features that require transforms, and keep the configured typecheck/build pipeline for application and library code.
94
- 12. Detect the actual test runner from scripts, config files, dependencies, and CI. Do not migrate Jest, Vitest, Playwright, or another runner to `node:test` just because Node has a built-in runner. Watch, coverage, mock, snapshot, worker, and cleanup behavior are runner-specific.
95
- 13. Treat watch mode and snapshot update modes as development or review actions, not final verification. Use the configured oneshot intents and report when no configured runner-specific intent exists.
96
- 14. Before using Node APIs in deployment code, classify the target as Node server, Docker, serverless Node, edge runtime, static build, or multi-runtime package. Edge runtimes are not full Node.js runtimes.
97
- 15. Inspect native and install-sensitive dependencies when package metadata or runtime imports touch `.node`, `binding.gyp`, `node-gyp`, `preinstall`, `install`, `postinstall`, `prepare`, optional dependencies, peer dependencies, OS, CPU, libc, or Node ABI boundaries.
98
- 16. Treat optional dependencies and optional peers as absent until code handles absence. Do not require optional packages directly without fallback or error handling that matches the existing project pattern.
99
- 17. Treat the Node permission model as a trusted-code seatbelt, not a sandbox for untrusted code. If permission flags are introduced or changed, map required filesystem, network, child process, worker, native addon, WASI, inspector, and temporary directory access explicitly.
100
- 18. Choose configured verification intents that cover lint, build, tests, package metadata, release-sensitive package output, docs examples, and mustflow contract checks when available. Report missing consumer fixture, ESM, CJS, TypeScript consumer, native dependency, deployment, or permission verification.
88
+ 6. For new Node applications, servers, and private CLIs, prefer an explicit ESM-only package with `"type": "module"` and ordinary `.js` source/output files when the supported runtime allows it. Do not rename every file to `.mjs` just to mean ESM; reserve `.mjs` and `.cjs` for exceptional per-file overrides or mixed-module boundaries.
89
+ 7. In native Node ESM code, require fully specified relative and absolute import specifiers, including file extensions and directory indexes such as `./feature/index.js`. Do not carry CommonJS extensionless or directory-main assumptions into Node ESM unless a bundler or loader owns that resolution.
90
+ 8. Treat `type`, `main`, `exports`, `imports`, file extensions, and conditional export changes as package entry contract changes. Adding `exports` can block deep imports and should be classified as compatibility-sensitive unless all previously supported paths remain exported or the release is intentionally breaking.
91
+ 9. For conditional exports, keep condition order deliberate, include a `default` fallback when multi-runtime or bundler consumers are intended, and avoid splitting `import` and `require` into separate stateful implementations unless dual package hazards are tested.
92
+ 10. For `imports`, use `#` aliases only for package-internal paths, and keep TypeScript paths, bundler aliases, test runner aliases, and declaration output aligned.
93
+ 11. For JSON imports, `require(esm)`, top-level await, `.mts`, `.cts`, `.d.mts`, and `.d.cts`, verify the minimum Node version, TypeScript module resolution, generated output, and consumer path before changing code.
94
+ 12. Do not replace an existing TypeScript pipeline with native Node TypeScript execution unless the task explicitly asks for that migration. Node native TypeScript execution is limited type stripping; it does not typecheck, read `tsconfig`, resolve path aliases, emit declarations, downlevel syntax, transform decorators or enums, or support TSX as a full build pipeline.
95
+ 13. If native Node TypeScript execution is intentionally used, keep syntax erasable-only, use `import type` for type-only imports, avoid runtime TypeScript features that require transforms, and keep the configured typecheck/build pipeline for application and library code.
96
+ 14. Detect the actual test runner from scripts, config files, dependencies, and CI. Do not migrate Jest, Vitest, Playwright, or another runner to `node:test` just because Node has a built-in runner. Watch, coverage, mock, snapshot, worker, and cleanup behavior are runner-specific.
97
+ 15. Treat watch mode and snapshot update modes as development or review actions, not final verification. Use the configured oneshot intents and report when no configured runner-specific intent exists.
98
+ 16. Before using Node APIs in deployment code, classify the target as Node server, Docker, serverless Node, edge runtime, static build, or multi-runtime package. Edge runtimes are not full Node.js runtimes.
99
+ 17. Inspect native and install-sensitive dependencies when package metadata or runtime imports touch `.node`, `binding.gyp`, `node-gyp`, `preinstall`, `install`, `postinstall`, `prepare`, optional dependencies, peer dependencies, OS, CPU, libc, or Node ABI boundaries.
100
+ 18. Treat optional dependencies and optional peers as absent until code handles absence. Do not require optional packages directly without fallback or error handling that matches the existing project pattern.
101
+ 19. Treat the Node permission model as a trusted-code seatbelt, not a sandbox for untrusted code. If permission flags are introduced or changed, map required filesystem, network, child process, worker, native addon, WASI, inspector, and temporary directory access explicitly.
102
+ 20. Choose configured verification intents that cover lint, build, tests, package metadata, release-sensitive package output, docs examples, and mustflow contract checks when available. Report missing consumer fixture, ESM, CJS, TypeScript consumer, native dependency, deployment, or permission verification.
101
103
 
102
104
  <!-- mustflow-section: postconditions -->
103
105
  ## Postconditions
@@ -406,7 +406,7 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change", "packag
406
406
  category = "general_code"
407
407
  route_type = "primary"
408
408
  priority = 85
409
- applies_to_reasons = ["code_change", "public_api_change", "test_change", "package_metadata_change"]
409
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "migration_change", "security_change", "package_metadata_change", "release_risk"]
410
410
 
411
411
  [routes."docker-code-change"]
412
412
  category = "general_code"
@@ -418,7 +418,7 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change", "securi
418
418
  category = "general_code"
419
419
  route_type = "primary"
420
420
  priority = 82
421
- applies_to_reasons = ["code_change", "public_api_change", "docs_change", "test_change"]
421
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "docs_change", "test_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change"]
422
422
 
423
423
  [routes."backend-reliability-change"]
424
424
  category = "general_code"
@@ -436,7 +436,7 @@ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "pe
436
436
  category = "general_code"
437
437
  route_type = "primary"
438
438
  priority = 85
439
- applies_to_reasons = ["code_change", "public_api_change", "test_change", "package_metadata_change"]
439
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "data_change", "migration_change", "ui_change", "package_metadata_change"]
440
440
 
441
441
  [routes."javascript-code-change"]
442
442
  category = "general_code"
@@ -652,13 +652,13 @@ applies_to_reasons = ["code_change", "security_change", "migration_change"]
652
652
  category = "data_external"
653
653
  route_type = "primary"
654
654
  priority = 55
655
- applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "cross_cutting_code_change"]
655
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "cross_cutting_code_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change", "package_metadata_change"]
656
656
 
657
657
  [routes."tauri-code-change"]
658
658
  category = "data_external"
659
659
  route_type = "primary"
660
660
  priority = 90
661
- applies_to_reasons = ["code_change", "security_change", "public_api_change"]
661
+ applies_to_reasons = ["code_change", "behavior_change", "ui_change", "security_change", "privacy_change", "data_change", "public_api_change", "package_metadata_change", "release_risk"]
662
662
 
663
663
  [routes."process-execution-safety"]
664
664
  category = "data_external"
@@ -696,6 +696,12 @@ route_type = "adjunct"
696
696
  priority = 40
697
697
  applies_to_reasons = ["test_change", "behavior_change"]
698
698
 
699
+ [routes."test-suite-performance-review"]
700
+ category = "tests"
701
+ route_type = "primary"
702
+ priority = 58
703
+ applies_to_reasons = ["performance_change", "test_change", "workflow_change", "mustflow_config_change", "package_metadata_change", "unknown_change"]
704
+
699
705
  [routes."test-maintenance"]
700
706
  category = "tests"
701
707
  route_type = "primary"
@@ -880,13 +886,13 @@ applies_to_reasons = ["ui_change", "docs_change", "code_change"]
880
886
  category = "ui_assets"
881
887
  route_type = "primary"
882
888
  priority = 85
883
- applies_to_reasons = ["ui_change", "docs_change", "code_change"]
889
+ applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "public_api_change", "migration_change", "package_metadata_change"]
884
890
 
885
891
  [routes."unocss-code-change"]
886
892
  category = "ui_assets"
887
893
  route_type = "primary"
888
894
  priority = 85
889
- applies_to_reasons = ["ui_change", "docs_change", "code_change"]
895
+ applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "performance_change", "package_metadata_change"]
890
896
 
891
897
  [routes."flutter-code-change"]
892
898
  category = "ui_assets"
@@ -898,13 +904,13 @@ applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
898
904
  category = "ui_assets"
899
905
  route_type = "primary"
900
906
  priority = 85
901
- applies_to_reasons = ["ui_change", "docs_change", "code_change"]
907
+ applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "package_metadata_change"]
902
908
 
903
909
  [routes."svelte-code-change"]
904
910
  category = "ui_assets"
905
911
  route_type = "primary"
906
912
  priority = 85
907
- applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
913
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "test_change", "package_metadata_change"]
908
914
 
909
915
  [routes."pattern-scout"]
910
916
  category = "architecture_patterns"
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.security-privacy-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 22
5
+ revision: 23
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: security-privacy-review
@@ -193,9 +193,11 @@ Catch security, privacy, and disclosure risks introduced by ordinary code, docum
193
193
  32. For filesystem changes, distinguish lexical containment from the real target. Check symlinks, generated state, package contents, and file APIs that may follow links before claiming a path stays inside the repository.
194
194
  33. For code-scanning alerts, group findings by root cause and rule. Fix the underlying pattern, not only the exact flagged line, and separate repository-setting alerts such as branch protection or maintainer activity from code changes.
195
195
  - For incomplete escaping or encoding findings, search the same sink class for adjacent ad hoc sanitizer patterns such as first-occurrence `.replace`, non-global replacement, hand-escaped slashes, quotes, backslashes, path separators, or mixed URL encoders. Replace the pattern with a domain-owned transformation and add a regression test or narrow source-pattern guard when the behavior is release-sensitive.
196
+ - For ReDoS or inefficient-regular-expression findings, identify whether attacker-controlled text, repository files, generated output, logs, Markdown, YAML, or source code can reach the expression. Prefer a bounded parser, token scanner, structured parser, or anchored non-overlapping expression over nested quantifiers, repeated alternatives that can match the same prefix, or optional whitespace loops. Add a long malformed input case or equivalent static guard before claiming the backtracking risk is fixed.
196
197
  34. For workflow scanner alerts, check action pinning, `persist-credentials`, job-level permissions, reusable workflow permissions, fork pull-request secret exposure, artifact upload boundaries, and privileged identity timing before treating the warning as cosmetic.
197
198
  35. For pinned action references, distinguish tag objects from the commit that implements the tag. Verify pinned SHAs against the action repository so scanner tooling does not report an imposter or non-member commit.
198
199
  36. For dependency scanner alerts, separate production dependency manifests from fixtures, examples, generated test repositories, and intentionally vulnerable samples. Narrow the scan scope before treating fixture-only alerts as product vulnerabilities.
200
+ - For lockfile CVEs, inspect the manifest and lockfile together. Identify the direct parent that keeps the vulnerable transitive package in the graph, update the narrowest direct dependency or override needed to reach the fixed range, and confirm the vulnerable package version no longer appears in the resolved graph before claiming the alert is fixed.
199
201
  37. For deployment settings, check debug mode, sample admin accounts, default credentials, public admin panels, open metrics endpoints, public storage, root container users, HTTPS enforcement, and exposed GraphQL or development consoles.
200
202
  38. For runtime and framework security updates, check that supported versions are documented, end-of-life versions are rejected, dependency locks exist where appropriate, security patches can be tested and deployed quickly, and rollback or redeploy can happen without manual dashboard memory. Do not treat a fashionable or high-performance runtime as safe unless the patch path is operationally credible.
201
203
  39. For transport security, check HTTPS/TLS requirements, certificate validation, insecure HTTP downgrade paths, disabled verification flags, and whether sensitive traffic can bypass the secure channel.
@@ -0,0 +1,314 @@
1
+ ---
2
+ mustflow_doc: skill.test-suite-performance-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: test-suite-performance-review
9
+ description: Apply this skill when test-suite runtime, CI feedback latency, test selection, shard balance, worker scheduling, retry policy, flaky-test handling, fixture setup, database or container test lifecycle, coverage or artifact overhead, test-result caching, test discovery, or test performance claims are planned, edited, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.test-suite-performance-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - build
19
+ - test_related
20
+ - test
21
+ - test_audit
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Test Suite Performance Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Make test suites faster without turning the default verification path into wishful thinking.
33
+
34
+ The review question is not "can the suite run in parallel?" It is "where is the wall-clock time
35
+ actually spent, which tests are safe to skip or run later, which workers are waiting, which shared
36
+ resources are saturated, and what evidence keeps a faster path trustworthy?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Test or CI runtime, developer-loop feedback time, shard balance, worker count, test discovery,
42
+ coverage collection, trace or artifact generation, retry policy, flaky-test handling, or test
43
+ result caching is created, changed, reviewed, or reported.
44
+ - A task changes command contracts, CI workflows, test runner configuration, test grouping, test
45
+ selection, test scheduling, package scripts, fixture setup, database setup, container lifecycle,
46
+ browser test behavior, or coverage and report defaults for performance reasons.
47
+ - A report claims tests are faster, optimized, selected, cached, parallelized, sharded, hermetic,
48
+ stable, less flaky, or safer to run on every PR.
49
+ - A test suite is slow because of repeated process startup, full-directory discovery, repeated
50
+ migration or seed work, per-test containers, sleeps, external internet calls, huge artifacts,
51
+ tail shards, or over-broad full-suite execution.
52
+
53
+ <!-- mustflow-section: do-not-use-when -->
54
+ ## Do Not Use When
55
+
56
+ - The task only adds or updates behavior tests; use `test-design-guard` or `test-maintenance`.
57
+ - The task only reviews whether production code is testable; use `testability-boundary-review`.
58
+ - The task is ordinary application hot-path performance with no test runner, fixture, CI, or
59
+ verification-loop behavior; use `performance-budget-check`.
60
+ - The user only wants a one-time local command result and no persistent test or CI behavior changes.
61
+ - The proposed change weakens verification by deleting tests, skipping failed tests, removing
62
+ assertions, disabling coverage gates, or hiding flaky tests without an evidence-based policy.
63
+
64
+ <!-- mustflow-section: required-inputs -->
65
+ ## Required Inputs
66
+
67
+ - Suite surface: local command, CI job, package script, test runner, shard system, coverage job,
68
+ browser test job, database-backed test job, or release gate.
69
+ - Timing ledger: discovery, process startup, shared setup, fixture creation, test body, database or
70
+ container setup, cleanup, coverage, report generation, artifact upload, queue wait, shard tail,
71
+ and idle-worker time when available.
72
+ - Test timing evidence: p50 and p95 per test or file, longest tests, previous failures, flaky
73
+ history, shard start and finish times, worker utilization, retry count, and timeout outliers.
74
+ - Selection ledger: changed files, dependency graph, runtime coverage or touched-file evidence,
75
+ newly added tests, previous failed tests, unsafe-change fallback rules, and scheduled full-suite
76
+ safety net.
77
+ - Isolation ledger: time, randomness, UUIDs, locale, timezone, environment variables, home
78
+ directory, filesystem paths, network, database, containers, queues, browser profiles, caches,
79
+ module state, and runner process reuse.
80
+ - Resource ledger: CPU, memory, DB connections, browser processes, containers, network, filesystem,
81
+ GPU, SQLite or PostgreSQL locks, port allocation, and any scarce resource that needs a token or
82
+ affinity rule.
83
+ - Cache ledger: declared inputs, cache keys, volatile values, hit rate, miss reasons, runner-local
84
+ cache, remote cache, result-cache eligibility, and invalidation behavior.
85
+ - Relevant command-intent entries for tests, builds, docs, release checks, and mustflow validation.
86
+
87
+ <!-- mustflow-section: preconditions -->
88
+ ## Preconditions
89
+
90
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
91
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
92
+ current scope.
93
+ - Required inputs are available, or missing timing, selection, cache, isolation, or resource
94
+ evidence can be reported without guessing.
95
+ - If a change touches production behavior or test coverage meaning, use the matching behavior,
96
+ test-design, security, data, or release skill before accepting the performance change.
97
+ - If test result caching or selected-test execution is introduced, the full-suite fallback and
98
+ scheduled full-suite safety net are defined first.
99
+
100
+ <!-- mustflow-section: allowed-edits -->
101
+ ## Allowed Edits
102
+
103
+ - Add or refine test timing collection, historical duration stores, selected-test manifests,
104
+ dependency-to-test maps, runner scheduling, shard assignment, worker limits, retry classification,
105
+ fixture lifecycle, local stubs, fake timers, cache keys, coverage defaults, and CI report policy.
106
+ - Add or adjust tests, fixtures, docs, command contracts, release checks, and template surfaces
107
+ directly tied to the test-suite performance behavior.
108
+ - Move expensive setup from per-test to per-worker, per-module, or per-session scope only when
109
+ mutable state still has a cheap isolation layer.
110
+ - Do not remove tests, weaken assertions, disable failure artifacts, or mark flaky tests as normal
111
+ success to make a suite look faster.
112
+ - Do not add unbounded parallelism, shared database schemas, cross-test mutable fixtures, or result
113
+ caches when hidden inputs are not declared.
114
+
115
+ <!-- mustflow-section: procedure -->
116
+ ## Procedure
117
+
118
+ 1. Measure before optimizing.
119
+ - Split elapsed time into discovery, process startup, shared setup, fixture creation, test body,
120
+ database or container setup, cleanup, coverage, report generation, artifact upload, queue wait,
121
+ shard tail, and idle-worker time.
122
+ - Report p50 and p95 per test or file when available. Average-only timing hides the last slow
123
+ shard, and the last slow shard decides CI wall time.
124
+ 2. Classify the bottleneck.
125
+ - Discovery bottleneck: full tree scans, broad classpath scans, fixtures and generated files in
126
+ search paths, or missing precomputed test manifests.
127
+ - Startup bottleneck: one process, JVM, Python, Node, browser, container, or dependency-injection
128
+ graph per test instead of a safe persistent worker.
129
+ - Fixture bottleneck: repeated migrations, seed data, model loads, browser profile setup, or
130
+ container creation.
131
+ - Scheduling bottleneck: file-count sharding, no historical duration data, no work stealing,
132
+ huge test files, or worker count beyond the resource optimum.
133
+ - Artifact bottleneck: coverage, screenshots, videos, traces, full logs, HTML reports, or upload
134
+ work paid on every PR path instead of only failure, retry, nightly, or release paths.
135
+ 3. Replace blanket full-suite execution with selected execution only when fallback is explicit.
136
+ - Include affected tests from changed files, new tests, and previous failed tests.
137
+ - Fall back to the full suite for changes to lockfiles, compiler or runtime settings, test runner
138
+ configuration, shared fixtures, migrations, database schema, generated contracts, package
139
+ metadata that affects runtime, or any change the selector cannot understand.
140
+ - Keep a scheduled full-suite path for nightly, release, or pre-merge confidence.
141
+ 4. Do not build impact analysis from imports alone.
142
+ - Combine static dependency evidence with previous runtime evidence such as touched files,
143
+ classes, schemas, config keys, fixtures, resources, and test-to-source mappings.
144
+ - Prefer file or class granularity when method-level tracing costs more than it saves.
145
+ - Treat dynamic imports, reflection, generated code, config-driven branches, and framework magic
146
+ as reasons to widen selection or fall back.
147
+ 5. Run likely failures early.
148
+ - Order previous failed tests, recently changed tests, tests near the changed code, historically
149
+ flaky tests, and long tests before low-risk tests.
150
+ - Use early-fail jobs for fast developer feedback, but keep a separate full-data job that
151
+ continues collecting remaining failures when the workflow needs all failures.
152
+ 6. Cache only hermetic test results.
153
+ - A successful test result can be reused only when the test binary, test code, affected product
154
+ code, fixtures, environment, toolchain, locale, timezone, and declared resources match.
155
+ - Do not include volatile values such as commit SHA, build number, wall-clock time, random temp
156
+ roots, or runner-specific paths in cache keys unless they truly affect output.
157
+ - Do include language version, compiler flags, runtime flags, timezone, locale, dependency lock
158
+ content, fixture versions, and DB schema version when they affect behavior.
159
+ - Track cache hit rate and miss reasons after adding a cache; a cache with invisible misses is
160
+ performance theater.
161
+ 7. Preserve warm local and remote caches.
162
+ - Avoid clearing dependency caches, transformed source caches, test discovery indexes, compiled
163
+ output, and package caches at the start of every CI job.
164
+ - Prefer runner-local SSD caches or content-hash restore over slow network-volume scans.
165
+ 8. Avoid full discovery on every run.
166
+ - Generate or maintain package-level test manifests when the project can do so safely.
167
+ - Exclude fixtures, snapshots, generated output, archived tests, vendored code, and build output
168
+ from discovery paths.
169
+ - For JVM and similar ecosystems, prefer explicit include patterns over broad classpath scanning
170
+ when the runner supports it.
171
+ 9. Reuse workers before increasing worker count.
172
+ - Keep interpreters, JIT, dependency injection, ASTs, browser engines, and database clients warm
173
+ across multiple tests when isolation allows it.
174
+ - Reset static state, module caches, timers, environment, and global fixtures between tests.
175
+ - Replace workers only after measured memory leaks, not by default after every test.
176
+ 10. Size work units for the scheduler.
177
+ - Do not send thousands of tiny remote jobs where queue setup, sandbox setup, input transfer,
178
+ and result collection cost more than the test body.
179
+ - Bundle micro-tests by package, runtime, or fixture affinity while preserving per-test result
180
+ reporting.
181
+ 11. Shard by historical duration, not file count.
182
+ - Use recent successful durations, trimmed means, or exponential moving averages.
183
+ - Assign longest tests first to the currently lightest shard.
184
+ - Give new tests a directory or type median, and cap timeout outliers so one historic failure
185
+ does not poison future placement.
186
+ 12. Add work stealing when static shards still leave idle workers.
187
+ - Let early workers take not-yet-started work from overloaded shards.
188
+ - Keep tests that share expensive setup together unless the tail cost is worse than duplicated
189
+ setup.
190
+ 13. Split huge files below the file level when supported.
191
+ - File-level sharding is fake parallelism when one file contains most of the runtime.
192
+ - Confirm that the runner actually honors case-level sharding; unsupported sharding can cause
193
+ every shard to run the whole suite.
194
+ 14. Schedule by resource tokens and affinity.
195
+ - Tag tests by CPU, memory, DB connections, browser processes, containers, GPU, filesystem, and
196
+ network pressure.
197
+ - Use resource tokens or locks for scarce shared resources instead of disabling all parallelism.
198
+ - Keep expensive fixture groups together when setup reuse beats perfect load balance.
199
+ 15. Tune worker count empirically.
200
+ - Compare worker counts such as 1, 2, 4, and 8 on the same commit.
201
+ - Stop increasing workers when wall time stops improving, memory peaks rise sharply, DB waits
202
+ increase, browser tests swap, or flaky rate rises.
203
+ 16. Make database and container setup worker-scoped.
204
+ - Prefer one DB server or service container per worker, with per-test schemas, databases,
205
+ transactions, savepoints, namespaces, ports, or fixture copies.
206
+ - Do not let all workers share the same mutable schema unless the suite is intentionally
207
+ serialized.
208
+ - Build a migrated and seeded template DB or snapshot once, then clone it per worker when
209
+ migrations or seed data dominate.
210
+ 17. Reset mutable state cheaply.
211
+ - Prefer transaction rollback or savepoints for tests whose side effects stay inside one DB
212
+ connection.
213
+ - Use DB clone, schema clone, or container snapshot for tests that cross processes, queues,
214
+ external workers, sequence assertions, or asynchronous effects.
215
+ - Use tmpfs only for non-persistent state with explicit size limits.
216
+ 18. Replace sleeps with readiness and fake time.
217
+ - Treat fixed sleeps as performance bugs.
218
+ - Wait for real readiness: health endpoints, logs, successful queries, event receipt, or port
219
+ plus protocol-level checks.
220
+ - For timers, retries, expiry, and scheduled work, inject clocks or use fake timers instead of
221
+ waiting in real time.
222
+ 19. Remove external internet from the default CI path.
223
+ - Use local stubs, fixtures, mocks, recorded responses, or contract-specific jobs.
224
+ - Block unrelated images, fonts, analytics, and third-party requests in UI tests unless the test
225
+ is specifically about that delivery behavior.
226
+ 20. Control hidden inputs.
227
+ - Inject time, random seeds, UUID generation, locale, timezone, environment, and current user.
228
+ - Report seed values on failure so a failed run can be reproduced.
229
+ 21. Move expensive evidence off the default path.
230
+ - Collect full coverage, videos, traces, screenshots, full logs, and HTML reports only where
231
+ they pay for themselves: failures, first retry, nightly, release, or dedicated coverage jobs.
232
+ - Merge shard reports after tests finish rather than blocking each shard on heavy reporting.
233
+ 22. Retry narrowly and honestly.
234
+ - Retry only the failed test or case, once, in a fresh worker when possible.
235
+ - Preserve first-failure logs and artifacts.
236
+ - Classify retry success as flaky success, not normal success.
237
+ 23. Use speculative tail duplication only for hermetic shards.
238
+ - If the last shard exceeds its historical p95 while workers are idle, a scheduler may duplicate
239
+ that shard and accept the first result.
240
+ - Do not duplicate non-hermetic tests, tests with side effects, or tests that consume scarce
241
+ external resources.
242
+ 24. Garbage-collect the test portfolio.
243
+ - Track duration, unique behavior coverage, defect-finding history, flaky rate, owner, and last
244
+ meaningful update.
245
+ - Move low-value duplicates from PR paths to nightly paths before deleting them.
246
+ - Quarantine flaky tests with owner and expiry; do not let quarantine become permanent silence.
247
+ 25. Verify the faster path and the fallback path.
248
+ - A selector, cache, shard rule, retry policy, or fixture reuse change is not complete until the
249
+ default fast path and the fallback or full path both have evidence or a reported missing
250
+ command intent.
251
+
252
+ <!-- mustflow-section: postconditions -->
253
+ ## Postconditions
254
+
255
+ - The test-suite bottleneck is classified by timing, selection, scheduling, cache, fixture, DB,
256
+ container, artifact, retry, or resource evidence.
257
+ - The optimization goal is explicit: faster first failure, shorter PR wall time, lower CI cost,
258
+ lower flaky rate, smaller artifact overhead, or faster local feedback.
259
+ - Selected-test execution has a full-suite fallback for unsafe or unknown changes.
260
+ - Caches declare inputs, omit irrelevant volatile values, and report hit rate or miss reasons when
261
+ evidence exists.
262
+ - Worker count, resource tokens, shard placement, fixture affinity, and retry behavior preserve
263
+ test isolation and failure evidence.
264
+ - Any speed claim is measured, complexity-only, or explicitly unverified.
265
+
266
+ <!-- mustflow-section: verification -->
267
+ ## Verification
268
+
269
+ Use configured oneshot command intents when available:
270
+
271
+ - `changes_status`
272
+ - `changes_diff_summary`
273
+ - `build`
274
+ - `test_related`
275
+ - `test`
276
+ - `test_audit`
277
+ - `docs_validate_fast`
278
+ - `test_release`
279
+ - `mustflow_check`
280
+
281
+ Use the narrowest configured test, build, docs, release, or mustflow intent that proves the changed
282
+ test-suite behavior. If the repository exposes a profiling or cached-test intent, use it only when
283
+ the command contract marks it configured, oneshot, and agent-allowed.
284
+
285
+ <!-- mustflow-section: failure-handling -->
286
+ ## Failure Handling
287
+
288
+ - If timing evidence is missing, add bounded measurement or report the missing evidence before
289
+ changing scheduling, caching, or selection policy.
290
+ - If selection cannot understand a change, fall back to the full suite.
291
+ - If a cache key is uncertain, prefer a cache miss over a false hit.
292
+ - If worker reuse causes order dependence, leaked state, or flaky failures, isolate the leaked
293
+ resource before widening reuse.
294
+ - If parallelism makes tests slower, check shared DB, browser, memory, filesystem, and container
295
+ contention before increasing workers again.
296
+ - If a retry hides a real failure, preserve first-failure evidence and classify the result as flaky.
297
+ - If configured verification is missing, report the missing intent instead of inventing raw runner
298
+ commands.
299
+
300
+ <!-- mustflow-section: output-format -->
301
+ ## Output Format
302
+
303
+ - Suite surface and feedback goal
304
+ - Timing breakdown and bottleneck class
305
+ - Selection policy and full-suite fallback
306
+ - Scheduling, sharding, worker, and resource-token decisions
307
+ - Fixture, DB, container, filesystem, time, randomness, network, and isolation notes
308
+ - Cache key, hit-rate, and miss-reason notes
309
+ - Retry and flaky-test policy
310
+ - Coverage, trace, log, screenshot, video, report, and artifact policy
311
+ - Speed evidence: measured, complexity-only, or unverified
312
+ - Command intents run
313
+ - Skipped command intents and reasons
314
+ - Remaining test-suite performance risk
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.typescript-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 4
5
+ revision: 5
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: typescript-code-change
@@ -91,19 +91,22 @@ Preserve TypeScript's type, runtime validation, module, build, and public API bo
91
91
  11. For type tests, prefer `@ts-expect-error` with a short reason. Do not use `@ts-ignore` in implementation code. Implementation `@ts-expect-error` needs an owner, removal condition, and risk report.
92
92
  12. If a public API changes, trace every consumer-visible import specifier, runtime export, type export, declaration output, docs example, type-only export, overload, generic default, interface field, enum or literal member, class member, and package entry condition.
93
93
  13. Treat `exports`, `types`, `typings`, `typesVersions`, package `type`, file extensions, path aliases, declaration import paths, and barrel exports as public API surfaces. Adding or tightening `exports` can break existing deep imports.
94
- 14. If ESM/CJS behavior changes, verify package `type`, `main`, `module`, `browser`, `exports`, condition order, extension rules, generated JS, and generated declaration files together.
95
- 15. Inspect generated declarations when package surfaces change. Declaration files must not leak source-only aliases, private paths, workspace-only package names, unpublished internal paths, or accidental public re-exports.
96
- 16. For TypeScript 6 migration work, treat deprecation warnings as future TypeScript 7 removal risk. `ignoreDeprecations` is a temporary compatibility valve, not proof that the project is ready for 7.0. Prefer removing deprecated options and updating resolver or module choices to match the project runtime.
97
- 17. Treat TypeScript 6 `--stableTypeOrdering` as a migration comparison tool for declaration and error-order differences, not as a permanent performance-neutral default. If it changes errors or declaration output, look for inference or declaration-stability issues instead of snapshotting noise.
98
- 18. For TypeScript 7 migration work, keep the tracks separate:
94
+ 14. For TypeScript that emits code for native Node ESM, prefer `.ts` source plus package `"type": "module"` and `module`/`moduleResolution` set to `NodeNext` or the repository's fixed Node mode. Do not rename every source file to `.mts` just to mean ESM; reserve `.mts` and `.cts` for explicit per-file module overrides or mixed-package boundaries.
95
+ 15. In TypeScript source that targets native Node ESM, write relative imports using the emitted runtime specifier, usually `.js`, such as `import { createApp } from "./app.js"` from `app.ts`. Do not write extensionless relative imports or `.ts` runtime specifiers unless a declared loader, bundler, or runtime explicitly owns that behavior.
96
+ 16. Use `moduleResolution: "Bundler"` only when a bundler such as Vite, esbuild, Rollup, or a framework build system owns final module resolution. Do not use bundler resolution to model code that Node will execute directly without that bundler.
97
+ 17. If ESM/CJS behavior changes, verify package `type`, `main`, `module`, `browser`, `exports`, condition order, extension rules, generated JS, and generated declaration files together.
98
+ 18. Inspect generated declarations when package surfaces change. Declaration files must not leak source-only aliases, private paths, workspace-only package names, unpublished internal paths, or accidental public re-exports.
99
+ 19. For TypeScript 6 migration work, treat deprecation warnings as future TypeScript 7 removal risk. `ignoreDeprecations` is a temporary compatibility valve, not proof that the project is ready for 7.0. Prefer removing deprecated options and updating resolver or module choices to match the project runtime.
100
+ 20. Treat TypeScript 6 `--stableTypeOrdering` as a migration comparison tool for declaration and error-order differences, not as a permanent performance-neutral default. If it changes errors or declaration output, look for inference or declaration-stability issues instead of snapshotting noise.
101
+ 21. For TypeScript 7 migration work, keep the tracks separate:
99
102
  - TS6 stable API track: `@typescript/typescript6` and `tsc6` for compiler API, transformer, ESLint, framework wrapper, and peer-dependency compatibility.
100
103
  - TS7 RC compiler track: `typescript@rc` and `tsc` for RC compiler verification.
101
104
  - TS7 nightly track: `@typescript/native-preview` and `tsgo` for nightly diagnostics only.
102
105
  - Future TS7 stable track: stable `typescript` once upstream publishes TypeScript 7 on the normal stable path.
103
- 19. Keep compiler API consumers, language-service plugins, custom transformers, and framework typecheck wrappers on the TS6 API track until their owners explicitly support the TS7 API surface. Treat TS7 RC `tsc` as compiler verification, not proof that JavaScript compiler API consumers can migrate.
104
- 20. When comparing TS6 `tsc6`, TS7 RC `tsc`, and optional TS7 nightly `tsgo`, classify differences before editing code: real type error, declaration emit order or printback noise, unsupported option, unsupported API, watch or incremental behavior gap, language-service gap, generated-output drift, or framework wrapper mismatch.
105
- 21. Do not treat faster TS7 RC or nightly results as sufficient verification. Keep the repository's existing `tsc`, `tsc6`, or framework typecheck as the compatibility baseline until repository policy explicitly adopts a different compiler track.
106
- 22. Choose the narrowest configured verification intents that cover typecheck, lint, tests, build output, declarations, package contract risk, and downstream-style consumer risk.
106
+ 22. Keep compiler API consumers, language-service plugins, custom transformers, and framework typecheck wrappers on the TS6 API track until their owners explicitly support the TS7 API surface. Treat TS7 RC `tsc` as compiler verification, not proof that JavaScript compiler API consumers can migrate.
107
+ 23. When comparing TS6 `tsc6`, TS7 RC `tsc`, and optional TS7 nightly `tsgo`, classify differences before editing code: real type error, declaration emit order or printback noise, unsupported option, unsupported API, watch or incremental behavior gap, language-service gap, generated-output drift, or framework wrapper mismatch.
108
+ 24. Do not treat faster TS7 RC or nightly results as sufficient verification. Keep the repository's existing `tsc`, `tsc6`, or framework typecheck as the compatibility baseline until repository policy explicitly adopts a different compiler track.
109
+ 25. Choose the narrowest configured verification intents that cover typecheck, lint, tests, build output, declarations, package contract risk, and downstream-style consumer risk.
107
110
 
108
111
  <!-- mustflow-section: assertion-policy -->
109
112
  ## Assertion Policy