mustflow 2.84.0 → 2.85.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +4 -0
  3. package/dist/cli/i18n/en.js +79 -0
  4. package/dist/cli/i18n/es.js +79 -0
  5. package/dist/cli/i18n/fr.js +79 -0
  6. package/dist/cli/i18n/hi.js +79 -0
  7. package/dist/cli/i18n/ko.js +79 -0
  8. package/dist/cli/i18n/zh.js +79 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +114 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +172 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  17. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  18. package/dist/core/change-impact.js +383 -0
  19. package/dist/core/change-verification.js +32 -5
  20. package/dist/core/config-loading.js +121 -4
  21. package/dist/core/dependency-graph.js +490 -0
  22. package/dist/core/env-contract.js +450 -0
  23. package/dist/core/line-endings.js +26 -13
  24. package/dist/core/public-json-contracts.js +51 -0
  25. package/dist/core/route-outline.js +57 -5
  26. package/dist/core/script-pack-suggestions.js +21 -1
  27. package/dist/core/secret-risk-scan.js +440 -0
  28. package/package.json +1 -1
  29. package/schemas/README.md +16 -0
  30. package/schemas/change-impact-report.schema.json +150 -0
  31. package/schemas/commands.schema.json +12 -0
  32. package/schemas/dependency-graph-report.schema.json +149 -0
  33. package/schemas/env-contract-report.schema.json +203 -0
  34. package/schemas/secret-risk-scan-report.schema.json +152 -0
  35. package/templates/default/i18n.toml +16 -10
  36. package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -2
  37. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  38. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  39. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  40. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  41. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  42. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  43. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  44. package/templates/default/locales/en/.mustflow/skills/routes.toml +15 -9
  45. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  46. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +314 -0
  47. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +13 -10
  48. package/templates/default/manifest.toml +8 -1
@@ -47,6 +47,18 @@
47
47
  "resources": {
48
48
  "type": "object",
49
49
  "additionalProperties": { "$ref": "#/$defs/resource" }
50
+ },
51
+ "include": {
52
+ "type": "object",
53
+ "additionalProperties": false,
54
+ "required": ["files"],
55
+ "properties": {
56
+ "files": {
57
+ "type": "array",
58
+ "items": { "type": "string", "pattern": "^commands/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+\\.toml$" },
59
+ "uniqueItems": true
60
+ }
61
+ }
50
62
  }
51
63
  },
52
64
  "$defs": {
@@ -0,0 +1,149 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/dependency-graph-report.schema.json",
4
+ "title": "mustflow dependency-graph report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "policy",
18
+ "input_hash",
19
+ "targets",
20
+ "nodes",
21
+ "edges",
22
+ "cycles",
23
+ "truncated",
24
+ "findings",
25
+ "issues"
26
+ ],
27
+ "properties": {
28
+ "schema_version": { "const": "1" },
29
+ "command": { "const": "script-pack" },
30
+ "pack_id": { "const": "code" },
31
+ "script_id": { "const": "dependency-graph" },
32
+ "script_ref": { "const": "code/dependency-graph" },
33
+ "action": { "const": "scan" },
34
+ "status": { "enum": ["passed", "failed", "error"] },
35
+ "ok": { "type": "boolean" },
36
+ "mustflow_root": { "type": "string" },
37
+ "policy": { "$ref": "#/$defs/policy" },
38
+ "input_hash": { "$ref": "#/$defs/sha256" },
39
+ "targets": { "type": "array", "items": { "$ref": "#/$defs/target" } },
40
+ "nodes": { "type": "array", "items": { "$ref": "#/$defs/node" } },
41
+ "edges": { "type": "array", "items": { "$ref": "#/$defs/edge" } },
42
+ "cycles": {
43
+ "type": "array",
44
+ "items": {
45
+ "type": "array",
46
+ "items": { "type": "string" }
47
+ }
48
+ },
49
+ "truncated": { "type": "boolean" },
50
+ "findings": { "type": "array", "items": { "$ref": "#/$defs/finding" } },
51
+ "issues": { "type": "array", "items": { "type": "string" } }
52
+ },
53
+ "$defs": {
54
+ "sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
55
+ "stringArray": { "type": "array", "items": { "type": "string" } },
56
+ "language": {
57
+ "enum": [
58
+ "typescript",
59
+ "tsx",
60
+ "javascript",
61
+ "jsx",
62
+ "javascript-module",
63
+ "javascript-commonjs",
64
+ "json",
65
+ "other"
66
+ ]
67
+ },
68
+ "targetKind": { "enum": ["file", "directory", "missing", "other", "unknown"] },
69
+ "edgeKind": { "enum": ["static_import", "static_export", "dynamic_import", "require"] },
70
+ "policy": {
71
+ "type": "object",
72
+ "additionalProperties": false,
73
+ "required": [
74
+ "max_file_bytes",
75
+ "max_files",
76
+ "max_depth",
77
+ "max_nodes",
78
+ "max_edges",
79
+ "extensions",
80
+ "ignored_directories"
81
+ ],
82
+ "properties": {
83
+ "max_file_bytes": { "type": "integer", "minimum": 1 },
84
+ "max_files": { "type": "integer", "minimum": 1 },
85
+ "max_depth": { "type": "integer", "minimum": 1 },
86
+ "max_nodes": { "type": "integer", "minimum": 1 },
87
+ "max_edges": { "type": "integer", "minimum": 1 },
88
+ "extensions": { "$ref": "#/$defs/stringArray" },
89
+ "ignored_directories": { "$ref": "#/$defs/stringArray" }
90
+ }
91
+ },
92
+ "target": {
93
+ "type": "object",
94
+ "additionalProperties": false,
95
+ "required": ["input", "path", "exists", "kind", "language"],
96
+ "properties": {
97
+ "input": { "type": "string" },
98
+ "path": { "type": "string" },
99
+ "exists": { "type": ["boolean", "null"] },
100
+ "kind": { "$ref": "#/$defs/targetKind" },
101
+ "language": { "$ref": "#/$defs/language" }
102
+ }
103
+ },
104
+ "node": {
105
+ "type": "object",
106
+ "additionalProperties": false,
107
+ "required": ["path", "language", "target", "depth", "import_count", "importer_count"],
108
+ "properties": {
109
+ "path": { "type": "string" },
110
+ "language": { "$ref": "#/$defs/language" },
111
+ "target": { "type": "boolean" },
112
+ "depth": { "type": "integer", "minimum": 0 },
113
+ "import_count": { "type": "integer", "minimum": 0 },
114
+ "importer_count": { "type": "integer", "minimum": 0 }
115
+ }
116
+ },
117
+ "edge": {
118
+ "type": "object",
119
+ "additionalProperties": false,
120
+ "required": ["source_path", "target_path", "specifier", "line", "kind"],
121
+ "properties": {
122
+ "source_path": { "type": "string" },
123
+ "target_path": { "type": "string" },
124
+ "specifier": { "type": "string" },
125
+ "line": { "type": "integer", "minimum": 1 },
126
+ "kind": { "$ref": "#/$defs/edgeKind" }
127
+ }
128
+ },
129
+ "finding": {
130
+ "type": "object",
131
+ "additionalProperties": false,
132
+ "required": ["code", "severity", "message", "path"],
133
+ "properties": {
134
+ "code": {
135
+ "enum": [
136
+ "dependency_graph_path_outside_root",
137
+ "dependency_graph_unreadable_path",
138
+ "dependency_graph_max_files_exceeded",
139
+ "dependency_graph_max_nodes_exceeded",
140
+ "dependency_graph_max_edges_exceeded"
141
+ ]
142
+ },
143
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
144
+ "message": { "type": "string" },
145
+ "path": { "type": "string" }
146
+ }
147
+ }
148
+ }
149
+ }
@@ -0,0 +1,203 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/env-contract-report.schema.json",
4
+ "title": "mustflow env-contract report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "policy",
18
+ "input_hash",
19
+ "targets",
20
+ "summary",
21
+ "keys",
22
+ "truncated",
23
+ "findings",
24
+ "issues"
25
+ ],
26
+ "properties": {
27
+ "schema_version": { "const": "1" },
28
+ "command": { "const": "script-pack" },
29
+ "pack_id": { "const": "repo" },
30
+ "script_id": { "const": "env-contract" },
31
+ "script_ref": { "const": "repo/env-contract" },
32
+ "action": { "const": "scan" },
33
+ "status": { "enum": ["passed", "failed", "error"] },
34
+ "ok": { "type": "boolean" },
35
+ "mustflow_root": { "type": "string" },
36
+ "policy": { "$ref": "#/$defs/policy" },
37
+ "input_hash": { "$ref": "#/$defs/sha256" },
38
+ "targets": {
39
+ "type": "array",
40
+ "items": { "$ref": "#/$defs/target" }
41
+ },
42
+ "summary": { "$ref": "#/$defs/summary" },
43
+ "keys": {
44
+ "type": "array",
45
+ "items": { "$ref": "#/$defs/envKey" }
46
+ },
47
+ "truncated": { "type": "boolean" },
48
+ "findings": {
49
+ "type": "array",
50
+ "items": { "$ref": "#/$defs/finding" }
51
+ },
52
+ "issues": {
53
+ "type": "array",
54
+ "items": { "type": "string" }
55
+ }
56
+ },
57
+ "$defs": {
58
+ "sha256": {
59
+ "type": "string",
60
+ "pattern": "^sha256:[a-f0-9]{64}$"
61
+ },
62
+ "stringArray": {
63
+ "type": "array",
64
+ "items": { "type": "string" }
65
+ },
66
+ "policy": {
67
+ "type": "object",
68
+ "additionalProperties": false,
69
+ "required": [
70
+ "max_file_bytes",
71
+ "max_files",
72
+ "max_keys",
73
+ "extensions",
74
+ "env_example_names",
75
+ "skipped_secret_names",
76
+ "ignored_directories"
77
+ ],
78
+ "properties": {
79
+ "max_file_bytes": { "type": "integer", "minimum": 1 },
80
+ "max_files": { "type": "integer", "minimum": 1 },
81
+ "max_keys": { "type": "integer", "minimum": 1 },
82
+ "extensions": { "$ref": "#/$defs/stringArray" },
83
+ "env_example_names": { "$ref": "#/$defs/stringArray" },
84
+ "skipped_secret_names": { "$ref": "#/$defs/stringArray" },
85
+ "ignored_directories": { "$ref": "#/$defs/stringArray" }
86
+ }
87
+ },
88
+ "target": {
89
+ "type": "object",
90
+ "additionalProperties": false,
91
+ "required": ["input", "path", "exists", "kind"],
92
+ "properties": {
93
+ "input": { "type": "string" },
94
+ "path": { "type": "string" },
95
+ "exists": { "type": ["boolean", "null"] },
96
+ "kind": { "enum": ["file", "directory", "missing", "other", "unknown"] }
97
+ }
98
+ },
99
+ "summary": {
100
+ "type": "object",
101
+ "additionalProperties": false,
102
+ "required": [
103
+ "target_count",
104
+ "file_count",
105
+ "key_count",
106
+ "code_key_count",
107
+ "example_key_count",
108
+ "documented_key_count",
109
+ "ci_key_count"
110
+ ],
111
+ "properties": {
112
+ "target_count": { "type": "integer", "minimum": 0 },
113
+ "file_count": { "type": "integer", "minimum": 0 },
114
+ "key_count": { "type": "integer", "minimum": 0 },
115
+ "code_key_count": { "type": "integer", "minimum": 0 },
116
+ "example_key_count": { "type": "integer", "minimum": 0 },
117
+ "documented_key_count": { "type": "integer", "minimum": 0 },
118
+ "ci_key_count": { "type": "integer", "minimum": 0 }
119
+ }
120
+ },
121
+ "surface": {
122
+ "enum": ["code", "config", "ci", "docs", "example"]
123
+ },
124
+ "referenceKind": {
125
+ "enum": [
126
+ "process_env_dot",
127
+ "process_env_bracket",
128
+ "process_env_destructure",
129
+ "bun_env_dot",
130
+ "import_meta_env",
131
+ "env_example",
132
+ "ci_secret",
133
+ "ci_var",
134
+ "ci_env",
135
+ "documented"
136
+ ]
137
+ },
138
+ "reference": {
139
+ "type": "object",
140
+ "additionalProperties": false,
141
+ "required": ["key", "path", "line", "surface", "kind"],
142
+ "properties": {
143
+ "key": { "type": "string" },
144
+ "path": { "type": "string" },
145
+ "line": { "type": "integer", "minimum": 1 },
146
+ "surface": { "$ref": "#/$defs/surface" },
147
+ "kind": { "$ref": "#/$defs/referenceKind" }
148
+ }
149
+ },
150
+ "envKey": {
151
+ "type": "object",
152
+ "additionalProperties": false,
153
+ "required": [
154
+ "key",
155
+ "used_in_code",
156
+ "declared_in_example",
157
+ "referenced_in_ci",
158
+ "documented",
159
+ "secret_like",
160
+ "public_like",
161
+ "source_count",
162
+ "sources"
163
+ ],
164
+ "properties": {
165
+ "key": { "type": "string" },
166
+ "used_in_code": { "type": "boolean" },
167
+ "declared_in_example": { "type": "boolean" },
168
+ "referenced_in_ci": { "type": "boolean" },
169
+ "documented": { "type": "boolean" },
170
+ "secret_like": { "type": "boolean" },
171
+ "public_like": { "type": "boolean" },
172
+ "source_count": { "type": "integer", "minimum": 0 },
173
+ "sources": {
174
+ "type": "array",
175
+ "items": { "$ref": "#/$defs/reference" }
176
+ }
177
+ }
178
+ },
179
+ "finding": {
180
+ "type": "object",
181
+ "additionalProperties": false,
182
+ "required": ["code", "severity", "message", "path"],
183
+ "properties": {
184
+ "code": {
185
+ "enum": [
186
+ "env_contract_path_outside_root",
187
+ "env_contract_unreadable_path",
188
+ "env_contract_secret_file_skipped",
189
+ "env_contract_max_files_exceeded",
190
+ "env_contract_max_keys_exceeded",
191
+ "env_contract_missing_example",
192
+ "env_contract_unused_example",
193
+ "env_contract_secret_like_public_name"
194
+ ]
195
+ },
196
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
197
+ "message": { "type": "string" },
198
+ "path": { "type": "string" },
199
+ "key": { "type": "string" }
200
+ }
201
+ }
202
+ }
203
+ }
@@ -0,0 +1,152 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/secret-risk-scan-report.schema.json",
4
+ "title": "mustflow secret-risk-scan report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "policy",
18
+ "input_hash",
19
+ "targets",
20
+ "summary",
21
+ "truncated",
22
+ "findings",
23
+ "issues"
24
+ ],
25
+ "properties": {
26
+ "schema_version": { "const": "1" },
27
+ "command": { "const": "script-pack" },
28
+ "pack_id": { "const": "repo" },
29
+ "script_id": { "const": "secret-risk-scan" },
30
+ "script_ref": { "const": "repo/secret-risk-scan" },
31
+ "action": { "const": "scan" },
32
+ "status": { "enum": ["passed", "failed", "error"] },
33
+ "ok": { "type": "boolean" },
34
+ "mustflow_root": { "type": "string" },
35
+ "policy": { "$ref": "#/$defs/policy" },
36
+ "input_hash": { "$ref": "#/$defs/sha256" },
37
+ "targets": {
38
+ "type": "array",
39
+ "items": { "$ref": "#/$defs/target" }
40
+ },
41
+ "summary": { "$ref": "#/$defs/summary" },
42
+ "truncated": { "type": "boolean" },
43
+ "findings": {
44
+ "type": "array",
45
+ "items": { "$ref": "#/$defs/finding" }
46
+ },
47
+ "issues": {
48
+ "type": "array",
49
+ "items": { "type": "string" }
50
+ }
51
+ },
52
+ "$defs": {
53
+ "sha256": {
54
+ "type": "string",
55
+ "pattern": "^sha256:[a-f0-9]{64}$"
56
+ },
57
+ "fingerprint": {
58
+ "type": "string",
59
+ "pattern": "^sha256:[a-f0-9]{16}$"
60
+ },
61
+ "stringArray": {
62
+ "type": "array",
63
+ "items": { "type": "string" }
64
+ },
65
+ "policy": {
66
+ "type": "object",
67
+ "additionalProperties": false,
68
+ "required": [
69
+ "max_file_bytes",
70
+ "max_files",
71
+ "max_findings",
72
+ "extensions",
73
+ "skipped_secret_names",
74
+ "ignored_directories"
75
+ ],
76
+ "properties": {
77
+ "max_file_bytes": { "type": "integer", "minimum": 1 },
78
+ "max_files": { "type": "integer", "minimum": 1 },
79
+ "max_findings": { "type": "integer", "minimum": 1 },
80
+ "extensions": { "$ref": "#/$defs/stringArray" },
81
+ "skipped_secret_names": { "$ref": "#/$defs/stringArray" },
82
+ "ignored_directories": { "$ref": "#/$defs/stringArray" }
83
+ }
84
+ },
85
+ "target": {
86
+ "type": "object",
87
+ "additionalProperties": false,
88
+ "required": ["input", "path", "exists", "kind"],
89
+ "properties": {
90
+ "input": { "type": "string" },
91
+ "path": { "type": "string" },
92
+ "exists": { "type": ["boolean", "null"] },
93
+ "kind": { "enum": ["file", "directory", "missing", "other", "unknown"] }
94
+ }
95
+ },
96
+ "summary": {
97
+ "type": "object",
98
+ "additionalProperties": false,
99
+ "required": [
100
+ "target_count",
101
+ "file_count",
102
+ "finding_count",
103
+ "skipped_secret_file_count",
104
+ "high_or_critical_count"
105
+ ],
106
+ "properties": {
107
+ "target_count": { "type": "integer", "minimum": 0 },
108
+ "file_count": { "type": "integer", "minimum": 0 },
109
+ "finding_count": { "type": "integer", "minimum": 0 },
110
+ "skipped_secret_file_count": { "type": "integer", "minimum": 0 },
111
+ "high_or_critical_count": { "type": "integer", "minimum": 0 }
112
+ }
113
+ },
114
+ "detector": {
115
+ "enum": [
116
+ "private_key_block",
117
+ "bearer_token",
118
+ "provider_token",
119
+ "generic_assignment",
120
+ "realistic_env_example",
121
+ "secret_file_skipped"
122
+ ]
123
+ },
124
+ "finding": {
125
+ "type": "object",
126
+ "additionalProperties": false,
127
+ "required": ["code", "severity", "message", "path"],
128
+ "properties": {
129
+ "code": {
130
+ "enum": [
131
+ "secret_risk_path_outside_root",
132
+ "secret_risk_unreadable_path",
133
+ "secret_risk_secret_file_skipped",
134
+ "secret_risk_max_files_exceeded",
135
+ "secret_risk_max_findings_exceeded",
136
+ "secret_risk_private_key_block",
137
+ "secret_risk_bearer_token",
138
+ "secret_risk_provider_token",
139
+ "secret_risk_generic_assignment",
140
+ "secret_risk_realistic_env_example"
141
+ ]
142
+ },
143
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
144
+ "message": { "type": "string" },
145
+ "path": { "type": "string" },
146
+ "line": { "type": "integer", "minimum": 1 },
147
+ "detector": { "$ref": "#/$defs/detector" },
148
+ "fingerprint": { "$ref": "#/$defs/fingerprint" }
149
+ }
150
+ }
151
+ }
152
+ }
@@ -62,7 +62,7 @@ translations = {}
62
62
  [documents."skills.index"]
63
63
  source = "locales/en/.mustflow/skills/INDEX.md"
64
64
  source_locale = "en"
65
- revision = 175
65
+ revision = 177
66
66
  translations = {}
67
67
 
68
68
  [documents."skill.adapter-boundary"]
@@ -80,7 +80,7 @@ translations = {}
80
80
  [documents."skill.architecture-deepening-review"]
81
81
  source = "locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md"
82
82
  source_locale = "en"
83
- revision = 2
83
+ revision = 3
84
84
  translations = {}
85
85
 
86
86
  [documents."skill.api-contract-change"]
@@ -469,7 +469,7 @@ translations = {}
469
469
  [documents."skill.dependency-upgrade-review"]
470
470
  source = "locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md"
471
471
  source_locale = "en"
472
- revision = 4
472
+ revision = 5
473
473
  translations = {}
474
474
 
475
475
  [documents."skill.version-freshness-check"]
@@ -517,7 +517,7 @@ translations = {}
517
517
  [documents."skill.astro-code-change"]
518
518
  source = "locales/en/.mustflow/skills/astro-code-change/SKILL.md"
519
519
  source_locale = "en"
520
- revision = 3
520
+ revision = 4
521
521
  translations = {}
522
522
 
523
523
  [documents."skill.auth-permission-change"]
@@ -601,13 +601,13 @@ translations = {}
601
601
  [documents."skill.javascript-code-change"]
602
602
  source = "locales/en/.mustflow/skills/javascript-code-change/SKILL.md"
603
603
  source_locale = "en"
604
- revision = 2
604
+ revision = 3
605
605
  translations = {}
606
606
 
607
607
  [documents."skill.node-code-change"]
608
608
  source = "locales/en/.mustflow/skills/node-code-change/SKILL.md"
609
609
  source_locale = "en"
610
- revision = 1
610
+ revision = 2
611
611
  translations = {}
612
612
 
613
613
  [documents."skill.python-code-change"]
@@ -667,7 +667,7 @@ translations = {}
667
667
  [documents."skill.typescript-code-change"]
668
668
  source = "locales/en/.mustflow/skills/typescript-code-change/SKILL.md"
669
669
  source_locale = "en"
670
- revision = 4
670
+ revision = 5
671
671
  translations = {}
672
672
 
673
673
  [documents."skill.unocss-code-change"]
@@ -787,7 +787,7 @@ translations = {}
787
787
  [documents."skill.github-contribution-quality-gate"]
788
788
  source = "locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md"
789
789
  source_locale = "en"
790
- revision = 1
790
+ revision = 2
791
791
  translations = {}
792
792
 
793
793
  [documents."skill.facade-pattern"]
@@ -918,7 +918,7 @@ translations = {}
918
918
  [documents."skill.security-privacy-review"]
919
919
  source = "locales/en/.mustflow/skills/security-privacy-review/SKILL.md"
920
920
  source_locale = "en"
921
- revision = 22
921
+ revision = 23
922
922
  translations = {}
923
923
 
924
924
  [documents."skill.security-regression-tests"]
@@ -966,7 +966,7 @@ translations = {}
966
966
  [documents."skill.cross-agent-session-reference"]
967
967
  source = "locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md"
968
968
  source_locale = "en"
969
- revision = 1
969
+ revision = 2
970
970
  translations = {}
971
971
 
972
972
  [documents."skill.secret-exposure-response"]
@@ -987,6 +987,12 @@ source_locale = "en"
987
987
  revision = 5
988
988
  translations = {}
989
989
 
990
+ [documents."skill.test-suite-performance-review"]
991
+ source = "locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md"
992
+ source_locale = "en"
993
+ revision = 1
994
+ translations = {}
995
+
990
996
  [documents."skill.vertical-slice-tdd"]
991
997
  source = "locales/en/.mustflow/skills/vertical-slice-tdd/SKILL.md"
992
998
  source_locale = "en"
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 175
5
+ revision: 177
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -212,6 +212,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
212
212
  inputs, direct time or randomness, direct I/O, constructor side effects, static or singleton
213
213
  state, mock-heavy tests, sleeps, framework magic, reflection-only tests, or other code shapes
214
214
  that make important conditions hard to force in tests.
215
+ - Use `test-suite-performance-review` as a primary route when test-suite runtime, CI feedback
216
+ latency, selected-test execution, shard balance, worker scheduling, fixture or database setup,
217
+ retry policy, flaky-test handling, result caching, discovery, coverage, or artifact overhead
218
+ needs optimization without weakening verification.
215
219
  - Use `quadratic-scan-review` as an adjunct when the suspected performance smell is specifically
216
220
  hidden O(N^2) work from repeated scans, membership checks, code joins, helper-body lookups,
217
221
  render-time lookup, resolver fan-out, repeated sort, or copy accumulation over growing data.
@@ -447,6 +451,7 @@ routes. Event routes stay inactive until their event occurs.
447
451
  | User requirements, acceptance criteria, issue reports, bug reports, product notes, compatibility promises, or examples must be preserved as regression coverage before or during implementation | `.mustflow/skills/requirement-regression-guard/SKILL.md` | Requirement source, observable behavior, existing tests or fixtures, implementation scope, changed files, and command contract entries | Focused tests, fixtures, examples, schemas, docs, and implementation changes directly tied to the requirement | untested requirement, invented acceptance criteria, weakened tests, hidden behavior drift, or unverifiable implementation claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Requirement sources, coverage map, guards added or reused, implementation changes, deferred requirements, verification, and remaining regression risk |
448
452
  | The user explicitly requests TDD, test-first work, red-green-refactor, RED/GREEN, or one observable behavior slice at a time | `.mustflow/skills/vertical-slice-tdd/SKILL.md` | TDD trigger, first behavior contract, existing tests, expected RED category, baseline status, and command contract entries | One focused test or fixture, the smallest implementation for the current slice, and directly synchronized docs when needed | invalid RED, broad slice, premature refactor, unrelated cleanup, or verification claim without configured command evidence | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `test`, `lint`, `build`, `mustflow_check` | Slice scope, existing coverage, RED category evidence, GREEN verification, refactors after GREEN, deferred slices, and remaining TDD risk |
449
453
  | New tests or test cases are designed, TDD RED or GREEN evidence is reported, or test-case choices are made for requirements, bugs, refactors, security boundaries, schemas, templates, or public docs | `.mustflow/skills/test-design-guard/SKILL.md` | Contract source, existing coverage, intended RED evidence, candidate cases, baseline status, and command contract entries | Tests, fixtures, helpers, and directly synchronized contract docs | invalid RED, happy-path-only coverage, speculative edge cases, weak assertions, mock-only confidence, or implementation-detail coupling | `test_related`, `test_audit`, `test`, `lint`, `build`, `test_release`, `mustflow_check` | RED category, selected test shape, evidence-backed cases, rejected speculation, verification objective, commands, and remaining test-design risk |
454
+ | Test-suite runtime, CI feedback latency, test selection, shard balance, worker scheduling, retry policy, flaky-test handling, fixture setup, database or container test lifecycle, coverage or artifact overhead, test-result caching, test discovery, or test performance claims are planned, edited, reviewed, or reported | `.mustflow/skills/test-suite-performance-review/SKILL.md` | Suite surface, timing ledger, p50 and p95 evidence, selection ledger, isolation ledger, resource ledger, cache ledger, and command contract entries | Test timing collection, selected-test manifests, dependency-to-test maps, shard and worker scheduling, fixture lifecycle, DB/container setup, fake timers, stubs, cache keys, coverage defaults, CI reports, docs, and directly synchronized templates | faster-but-weaker verification, selector without full fallback, import-only impact analysis, cache false hit, volatile cache key, cold-cache theater, full discovery scan, per-test process startup, file-count sharding, idle workers, resource contention, shared DB schema, fixed sleeps, external internet dependency, hidden time/random/locale input, artifact tax, retry hiding real failure, or permanent flaky quarantine | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Suite surface, feedback goal, timing bottleneck, selection and fallback policy, scheduling and resource-token decisions, fixture and isolation notes, cache and retry policy, artifact policy, speed evidence, verification, and remaining test-suite performance risk |
450
455
  | Tests are added, updated, removed, or audited | `.mustflow/skills/test-maintenance/SKILL.md` | Changed behavior or stale-test evidence | Test files and related source | contract drift | `test`, `test_related`, `test_audit`, `snapshot_update`, `lint`, `build` | Test rationale and verification |
451
456
 
452
457
  ### Documentation and Release
@@ -522,7 +527,7 @@ routes. Event routes stay inactive until their event occurs.
522
527
  | Tailwind classes, class composition, theme tokens, variants, arbitrary values, Tailwind config, `@theme`, `@apply`, or migration surfaces are created or changed | `.mustflow/skills/tailwind-code-change/SKILL.md` | Tailwind config or CSS entry, source scanning rules, theme tokens, class helpers, changed files, and command contract entries | Tailwind config, theme tokens, utility classes, component class maps, tests, and docs examples | production class loss, arbitrary-value sprawl, token bypass, weak focus state, or hidden `@apply` drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Class detection, token, responsive, state, and production CSS boundary checked, verification, and remaining Tailwind risk |
523
528
  | UnoCSS config, presets, extraction, shortcuts, rules, variants, safelist, blocklist, attributify, transformers, or utility usage are created or changed | `.mustflow/skills/unocss-code-change/SKILL.md` | UnoCSS config, presets, extraction rules, shortcuts, safelist, blocklist, changed files, and command contract entries | UnoCSS config, utility usage, rules, shortcuts, safelist, blocklist, tests, and docs examples | extractor miss, runtime-only utility, safelist explosion, unbounded shortcut, or production CSS loss | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Extraction, safelist, shortcut, variant, and production CSS boundary checked, verification, and remaining UnoCSS risk |
524
529
  | Flutter widgets, screens, routing, state management, async UI, platform channels, assets, responsive layout, accessibility, or Flutter tests are created or changed | `.mustflow/skills/flutter-code-change/SKILL.md` | App root, route config, widget tree, state owner, platform files, assets, changed files, and command contract entries | Flutter widgets, routes, state, platform channels, assets, tests, and docs examples | impure build, lifecycle leak, navigation drift, layout breakage, inaccessible UI, or platform boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | State, lifecycle, layout, accessibility, platform, and asset boundary checked, verification, and remaining Flutter risk |
525
- | Astro config, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, MDX, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, route tree, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
530
+ | Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdown processing, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown processor, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, request pipeline, route cache, Markdown, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, request pipeline omission, cache data exposure, Markdown drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, request pipeline, cache, Markdown, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
526
531
  | Svelte or SvelteKit components, routes, load functions, server actions, stores, runes, SSR boundaries, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, stores/runes, hooks, app types, changed files, and command contract entries | Svelte components, routes, load/actions, stores, SSR/client boundaries, tests, and docs examples | SSR/client leakage, browser global crash, state owner drift, form degradation, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, state, form, and accessibility boundary checked, verification, and remaining Svelte risk |
527
532
  | Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
528
533