mustflow 2.84.0 → 2.85.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/dist/cli/commands/script-pack.js +4 -0
- package/dist/cli/i18n/en.js +79 -0
- package/dist/cli/i18n/es.js +79 -0
- package/dist/cli/i18n/fr.js +79 -0
- package/dist/cli/i18n/hi.js +79 -0
- package/dist/cli/i18n/ko.js +79 -0
- package/dist/cli/i18n/zh.js +79 -0
- package/dist/cli/lib/repo-map.js +27 -6
- package/dist/cli/lib/run-root-trust.js +15 -1
- package/dist/cli/lib/script-pack-registry.js +114 -0
- package/dist/cli/lib/validation/index.js +2 -2
- package/dist/cli/lib/validation/primitives.js +4 -1
- package/dist/cli/script-packs/code-change-impact.js +172 -0
- package/dist/cli/script-packs/code-dependency-graph.js +181 -0
- package/dist/cli/script-packs/repo-env-contract.js +156 -0
- package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
- package/dist/core/change-impact.js +383 -0
- package/dist/core/change-verification.js +32 -5
- package/dist/core/config-loading.js +121 -4
- package/dist/core/dependency-graph.js +490 -0
- package/dist/core/env-contract.js +450 -0
- package/dist/core/line-endings.js +26 -13
- package/dist/core/public-json-contracts.js +51 -0
- package/dist/core/route-outline.js +57 -5
- package/dist/core/script-pack-suggestions.js +21 -1
- package/dist/core/secret-risk-scan.js +440 -0
- package/package.json +1 -1
- package/schemas/README.md +16 -0
- package/schemas/change-impact-report.schema.json +150 -0
- package/schemas/commands.schema.json +12 -0
- package/schemas/dependency-graph-report.schema.json +149 -0
- package/schemas/env-contract-report.schema.json +203 -0
- package/schemas/secret-risk-scan-report.schema.json +152 -0
- package/templates/default/i18n.toml +16 -10
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -2
- package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
- package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
- package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
- package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
- package/templates/default/locales/en/.mustflow/skills/routes.toml +15 -9
- package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +314 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +13 -10
- package/templates/default/manifest.toml +8 -1
|
@@ -47,6 +47,18 @@
|
|
|
47
47
|
"resources": {
|
|
48
48
|
"type": "object",
|
|
49
49
|
"additionalProperties": { "$ref": "#/$defs/resource" }
|
|
50
|
+
},
|
|
51
|
+
"include": {
|
|
52
|
+
"type": "object",
|
|
53
|
+
"additionalProperties": false,
|
|
54
|
+
"required": ["files"],
|
|
55
|
+
"properties": {
|
|
56
|
+
"files": {
|
|
57
|
+
"type": "array",
|
|
58
|
+
"items": { "type": "string", "pattern": "^commands/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+\\.toml$" },
|
|
59
|
+
"uniqueItems": true
|
|
60
|
+
}
|
|
61
|
+
}
|
|
50
62
|
}
|
|
51
63
|
},
|
|
52
64
|
"$defs": {
|
|
@@ -0,0 +1,149 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
3
|
+
"$id": "https://mustflow.github.io/schemas/dependency-graph-report.schema.json",
|
|
4
|
+
"title": "mustflow dependency-graph report",
|
|
5
|
+
"type": "object",
|
|
6
|
+
"additionalProperties": false,
|
|
7
|
+
"required": [
|
|
8
|
+
"schema_version",
|
|
9
|
+
"command",
|
|
10
|
+
"pack_id",
|
|
11
|
+
"script_id",
|
|
12
|
+
"script_ref",
|
|
13
|
+
"action",
|
|
14
|
+
"status",
|
|
15
|
+
"ok",
|
|
16
|
+
"mustflow_root",
|
|
17
|
+
"policy",
|
|
18
|
+
"input_hash",
|
|
19
|
+
"targets",
|
|
20
|
+
"nodes",
|
|
21
|
+
"edges",
|
|
22
|
+
"cycles",
|
|
23
|
+
"truncated",
|
|
24
|
+
"findings",
|
|
25
|
+
"issues"
|
|
26
|
+
],
|
|
27
|
+
"properties": {
|
|
28
|
+
"schema_version": { "const": "1" },
|
|
29
|
+
"command": { "const": "script-pack" },
|
|
30
|
+
"pack_id": { "const": "code" },
|
|
31
|
+
"script_id": { "const": "dependency-graph" },
|
|
32
|
+
"script_ref": { "const": "code/dependency-graph" },
|
|
33
|
+
"action": { "const": "scan" },
|
|
34
|
+
"status": { "enum": ["passed", "failed", "error"] },
|
|
35
|
+
"ok": { "type": "boolean" },
|
|
36
|
+
"mustflow_root": { "type": "string" },
|
|
37
|
+
"policy": { "$ref": "#/$defs/policy" },
|
|
38
|
+
"input_hash": { "$ref": "#/$defs/sha256" },
|
|
39
|
+
"targets": { "type": "array", "items": { "$ref": "#/$defs/target" } },
|
|
40
|
+
"nodes": { "type": "array", "items": { "$ref": "#/$defs/node" } },
|
|
41
|
+
"edges": { "type": "array", "items": { "$ref": "#/$defs/edge" } },
|
|
42
|
+
"cycles": {
|
|
43
|
+
"type": "array",
|
|
44
|
+
"items": {
|
|
45
|
+
"type": "array",
|
|
46
|
+
"items": { "type": "string" }
|
|
47
|
+
}
|
|
48
|
+
},
|
|
49
|
+
"truncated": { "type": "boolean" },
|
|
50
|
+
"findings": { "type": "array", "items": { "$ref": "#/$defs/finding" } },
|
|
51
|
+
"issues": { "type": "array", "items": { "type": "string" } }
|
|
52
|
+
},
|
|
53
|
+
"$defs": {
|
|
54
|
+
"sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
|
|
55
|
+
"stringArray": { "type": "array", "items": { "type": "string" } },
|
|
56
|
+
"language": {
|
|
57
|
+
"enum": [
|
|
58
|
+
"typescript",
|
|
59
|
+
"tsx",
|
|
60
|
+
"javascript",
|
|
61
|
+
"jsx",
|
|
62
|
+
"javascript-module",
|
|
63
|
+
"javascript-commonjs",
|
|
64
|
+
"json",
|
|
65
|
+
"other"
|
|
66
|
+
]
|
|
67
|
+
},
|
|
68
|
+
"targetKind": { "enum": ["file", "directory", "missing", "other", "unknown"] },
|
|
69
|
+
"edgeKind": { "enum": ["static_import", "static_export", "dynamic_import", "require"] },
|
|
70
|
+
"policy": {
|
|
71
|
+
"type": "object",
|
|
72
|
+
"additionalProperties": false,
|
|
73
|
+
"required": [
|
|
74
|
+
"max_file_bytes",
|
|
75
|
+
"max_files",
|
|
76
|
+
"max_depth",
|
|
77
|
+
"max_nodes",
|
|
78
|
+
"max_edges",
|
|
79
|
+
"extensions",
|
|
80
|
+
"ignored_directories"
|
|
81
|
+
],
|
|
82
|
+
"properties": {
|
|
83
|
+
"max_file_bytes": { "type": "integer", "minimum": 1 },
|
|
84
|
+
"max_files": { "type": "integer", "minimum": 1 },
|
|
85
|
+
"max_depth": { "type": "integer", "minimum": 1 },
|
|
86
|
+
"max_nodes": { "type": "integer", "minimum": 1 },
|
|
87
|
+
"max_edges": { "type": "integer", "minimum": 1 },
|
|
88
|
+
"extensions": { "$ref": "#/$defs/stringArray" },
|
|
89
|
+
"ignored_directories": { "$ref": "#/$defs/stringArray" }
|
|
90
|
+
}
|
|
91
|
+
},
|
|
92
|
+
"target": {
|
|
93
|
+
"type": "object",
|
|
94
|
+
"additionalProperties": false,
|
|
95
|
+
"required": ["input", "path", "exists", "kind", "language"],
|
|
96
|
+
"properties": {
|
|
97
|
+
"input": { "type": "string" },
|
|
98
|
+
"path": { "type": "string" },
|
|
99
|
+
"exists": { "type": ["boolean", "null"] },
|
|
100
|
+
"kind": { "$ref": "#/$defs/targetKind" },
|
|
101
|
+
"language": { "$ref": "#/$defs/language" }
|
|
102
|
+
}
|
|
103
|
+
},
|
|
104
|
+
"node": {
|
|
105
|
+
"type": "object",
|
|
106
|
+
"additionalProperties": false,
|
|
107
|
+
"required": ["path", "language", "target", "depth", "import_count", "importer_count"],
|
|
108
|
+
"properties": {
|
|
109
|
+
"path": { "type": "string" },
|
|
110
|
+
"language": { "$ref": "#/$defs/language" },
|
|
111
|
+
"target": { "type": "boolean" },
|
|
112
|
+
"depth": { "type": "integer", "minimum": 0 },
|
|
113
|
+
"import_count": { "type": "integer", "minimum": 0 },
|
|
114
|
+
"importer_count": { "type": "integer", "minimum": 0 }
|
|
115
|
+
}
|
|
116
|
+
},
|
|
117
|
+
"edge": {
|
|
118
|
+
"type": "object",
|
|
119
|
+
"additionalProperties": false,
|
|
120
|
+
"required": ["source_path", "target_path", "specifier", "line", "kind"],
|
|
121
|
+
"properties": {
|
|
122
|
+
"source_path": { "type": "string" },
|
|
123
|
+
"target_path": { "type": "string" },
|
|
124
|
+
"specifier": { "type": "string" },
|
|
125
|
+
"line": { "type": "integer", "minimum": 1 },
|
|
126
|
+
"kind": { "$ref": "#/$defs/edgeKind" }
|
|
127
|
+
}
|
|
128
|
+
},
|
|
129
|
+
"finding": {
|
|
130
|
+
"type": "object",
|
|
131
|
+
"additionalProperties": false,
|
|
132
|
+
"required": ["code", "severity", "message", "path"],
|
|
133
|
+
"properties": {
|
|
134
|
+
"code": {
|
|
135
|
+
"enum": [
|
|
136
|
+
"dependency_graph_path_outside_root",
|
|
137
|
+
"dependency_graph_unreadable_path",
|
|
138
|
+
"dependency_graph_max_files_exceeded",
|
|
139
|
+
"dependency_graph_max_nodes_exceeded",
|
|
140
|
+
"dependency_graph_max_edges_exceeded"
|
|
141
|
+
]
|
|
142
|
+
},
|
|
143
|
+
"severity": { "enum": ["low", "medium", "high", "critical"] },
|
|
144
|
+
"message": { "type": "string" },
|
|
145
|
+
"path": { "type": "string" }
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
}
|
|
@@ -0,0 +1,203 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
3
|
+
"$id": "https://mustflow.github.io/schemas/env-contract-report.schema.json",
|
|
4
|
+
"title": "mustflow env-contract report",
|
|
5
|
+
"type": "object",
|
|
6
|
+
"additionalProperties": false,
|
|
7
|
+
"required": [
|
|
8
|
+
"schema_version",
|
|
9
|
+
"command",
|
|
10
|
+
"pack_id",
|
|
11
|
+
"script_id",
|
|
12
|
+
"script_ref",
|
|
13
|
+
"action",
|
|
14
|
+
"status",
|
|
15
|
+
"ok",
|
|
16
|
+
"mustflow_root",
|
|
17
|
+
"policy",
|
|
18
|
+
"input_hash",
|
|
19
|
+
"targets",
|
|
20
|
+
"summary",
|
|
21
|
+
"keys",
|
|
22
|
+
"truncated",
|
|
23
|
+
"findings",
|
|
24
|
+
"issues"
|
|
25
|
+
],
|
|
26
|
+
"properties": {
|
|
27
|
+
"schema_version": { "const": "1" },
|
|
28
|
+
"command": { "const": "script-pack" },
|
|
29
|
+
"pack_id": { "const": "repo" },
|
|
30
|
+
"script_id": { "const": "env-contract" },
|
|
31
|
+
"script_ref": { "const": "repo/env-contract" },
|
|
32
|
+
"action": { "const": "scan" },
|
|
33
|
+
"status": { "enum": ["passed", "failed", "error"] },
|
|
34
|
+
"ok": { "type": "boolean" },
|
|
35
|
+
"mustflow_root": { "type": "string" },
|
|
36
|
+
"policy": { "$ref": "#/$defs/policy" },
|
|
37
|
+
"input_hash": { "$ref": "#/$defs/sha256" },
|
|
38
|
+
"targets": {
|
|
39
|
+
"type": "array",
|
|
40
|
+
"items": { "$ref": "#/$defs/target" }
|
|
41
|
+
},
|
|
42
|
+
"summary": { "$ref": "#/$defs/summary" },
|
|
43
|
+
"keys": {
|
|
44
|
+
"type": "array",
|
|
45
|
+
"items": { "$ref": "#/$defs/envKey" }
|
|
46
|
+
},
|
|
47
|
+
"truncated": { "type": "boolean" },
|
|
48
|
+
"findings": {
|
|
49
|
+
"type": "array",
|
|
50
|
+
"items": { "$ref": "#/$defs/finding" }
|
|
51
|
+
},
|
|
52
|
+
"issues": {
|
|
53
|
+
"type": "array",
|
|
54
|
+
"items": { "type": "string" }
|
|
55
|
+
}
|
|
56
|
+
},
|
|
57
|
+
"$defs": {
|
|
58
|
+
"sha256": {
|
|
59
|
+
"type": "string",
|
|
60
|
+
"pattern": "^sha256:[a-f0-9]{64}$"
|
|
61
|
+
},
|
|
62
|
+
"stringArray": {
|
|
63
|
+
"type": "array",
|
|
64
|
+
"items": { "type": "string" }
|
|
65
|
+
},
|
|
66
|
+
"policy": {
|
|
67
|
+
"type": "object",
|
|
68
|
+
"additionalProperties": false,
|
|
69
|
+
"required": [
|
|
70
|
+
"max_file_bytes",
|
|
71
|
+
"max_files",
|
|
72
|
+
"max_keys",
|
|
73
|
+
"extensions",
|
|
74
|
+
"env_example_names",
|
|
75
|
+
"skipped_secret_names",
|
|
76
|
+
"ignored_directories"
|
|
77
|
+
],
|
|
78
|
+
"properties": {
|
|
79
|
+
"max_file_bytes": { "type": "integer", "minimum": 1 },
|
|
80
|
+
"max_files": { "type": "integer", "minimum": 1 },
|
|
81
|
+
"max_keys": { "type": "integer", "minimum": 1 },
|
|
82
|
+
"extensions": { "$ref": "#/$defs/stringArray" },
|
|
83
|
+
"env_example_names": { "$ref": "#/$defs/stringArray" },
|
|
84
|
+
"skipped_secret_names": { "$ref": "#/$defs/stringArray" },
|
|
85
|
+
"ignored_directories": { "$ref": "#/$defs/stringArray" }
|
|
86
|
+
}
|
|
87
|
+
},
|
|
88
|
+
"target": {
|
|
89
|
+
"type": "object",
|
|
90
|
+
"additionalProperties": false,
|
|
91
|
+
"required": ["input", "path", "exists", "kind"],
|
|
92
|
+
"properties": {
|
|
93
|
+
"input": { "type": "string" },
|
|
94
|
+
"path": { "type": "string" },
|
|
95
|
+
"exists": { "type": ["boolean", "null"] },
|
|
96
|
+
"kind": { "enum": ["file", "directory", "missing", "other", "unknown"] }
|
|
97
|
+
}
|
|
98
|
+
},
|
|
99
|
+
"summary": {
|
|
100
|
+
"type": "object",
|
|
101
|
+
"additionalProperties": false,
|
|
102
|
+
"required": [
|
|
103
|
+
"target_count",
|
|
104
|
+
"file_count",
|
|
105
|
+
"key_count",
|
|
106
|
+
"code_key_count",
|
|
107
|
+
"example_key_count",
|
|
108
|
+
"documented_key_count",
|
|
109
|
+
"ci_key_count"
|
|
110
|
+
],
|
|
111
|
+
"properties": {
|
|
112
|
+
"target_count": { "type": "integer", "minimum": 0 },
|
|
113
|
+
"file_count": { "type": "integer", "minimum": 0 },
|
|
114
|
+
"key_count": { "type": "integer", "minimum": 0 },
|
|
115
|
+
"code_key_count": { "type": "integer", "minimum": 0 },
|
|
116
|
+
"example_key_count": { "type": "integer", "minimum": 0 },
|
|
117
|
+
"documented_key_count": { "type": "integer", "minimum": 0 },
|
|
118
|
+
"ci_key_count": { "type": "integer", "minimum": 0 }
|
|
119
|
+
}
|
|
120
|
+
},
|
|
121
|
+
"surface": {
|
|
122
|
+
"enum": ["code", "config", "ci", "docs", "example"]
|
|
123
|
+
},
|
|
124
|
+
"referenceKind": {
|
|
125
|
+
"enum": [
|
|
126
|
+
"process_env_dot",
|
|
127
|
+
"process_env_bracket",
|
|
128
|
+
"process_env_destructure",
|
|
129
|
+
"bun_env_dot",
|
|
130
|
+
"import_meta_env",
|
|
131
|
+
"env_example",
|
|
132
|
+
"ci_secret",
|
|
133
|
+
"ci_var",
|
|
134
|
+
"ci_env",
|
|
135
|
+
"documented"
|
|
136
|
+
]
|
|
137
|
+
},
|
|
138
|
+
"reference": {
|
|
139
|
+
"type": "object",
|
|
140
|
+
"additionalProperties": false,
|
|
141
|
+
"required": ["key", "path", "line", "surface", "kind"],
|
|
142
|
+
"properties": {
|
|
143
|
+
"key": { "type": "string" },
|
|
144
|
+
"path": { "type": "string" },
|
|
145
|
+
"line": { "type": "integer", "minimum": 1 },
|
|
146
|
+
"surface": { "$ref": "#/$defs/surface" },
|
|
147
|
+
"kind": { "$ref": "#/$defs/referenceKind" }
|
|
148
|
+
}
|
|
149
|
+
},
|
|
150
|
+
"envKey": {
|
|
151
|
+
"type": "object",
|
|
152
|
+
"additionalProperties": false,
|
|
153
|
+
"required": [
|
|
154
|
+
"key",
|
|
155
|
+
"used_in_code",
|
|
156
|
+
"declared_in_example",
|
|
157
|
+
"referenced_in_ci",
|
|
158
|
+
"documented",
|
|
159
|
+
"secret_like",
|
|
160
|
+
"public_like",
|
|
161
|
+
"source_count",
|
|
162
|
+
"sources"
|
|
163
|
+
],
|
|
164
|
+
"properties": {
|
|
165
|
+
"key": { "type": "string" },
|
|
166
|
+
"used_in_code": { "type": "boolean" },
|
|
167
|
+
"declared_in_example": { "type": "boolean" },
|
|
168
|
+
"referenced_in_ci": { "type": "boolean" },
|
|
169
|
+
"documented": { "type": "boolean" },
|
|
170
|
+
"secret_like": { "type": "boolean" },
|
|
171
|
+
"public_like": { "type": "boolean" },
|
|
172
|
+
"source_count": { "type": "integer", "minimum": 0 },
|
|
173
|
+
"sources": {
|
|
174
|
+
"type": "array",
|
|
175
|
+
"items": { "$ref": "#/$defs/reference" }
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
},
|
|
179
|
+
"finding": {
|
|
180
|
+
"type": "object",
|
|
181
|
+
"additionalProperties": false,
|
|
182
|
+
"required": ["code", "severity", "message", "path"],
|
|
183
|
+
"properties": {
|
|
184
|
+
"code": {
|
|
185
|
+
"enum": [
|
|
186
|
+
"env_contract_path_outside_root",
|
|
187
|
+
"env_contract_unreadable_path",
|
|
188
|
+
"env_contract_secret_file_skipped",
|
|
189
|
+
"env_contract_max_files_exceeded",
|
|
190
|
+
"env_contract_max_keys_exceeded",
|
|
191
|
+
"env_contract_missing_example",
|
|
192
|
+
"env_contract_unused_example",
|
|
193
|
+
"env_contract_secret_like_public_name"
|
|
194
|
+
]
|
|
195
|
+
},
|
|
196
|
+
"severity": { "enum": ["low", "medium", "high", "critical"] },
|
|
197
|
+
"message": { "type": "string" },
|
|
198
|
+
"path": { "type": "string" },
|
|
199
|
+
"key": { "type": "string" }
|
|
200
|
+
}
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
}
|
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
3
|
+
"$id": "https://mustflow.github.io/schemas/secret-risk-scan-report.schema.json",
|
|
4
|
+
"title": "mustflow secret-risk-scan report",
|
|
5
|
+
"type": "object",
|
|
6
|
+
"additionalProperties": false,
|
|
7
|
+
"required": [
|
|
8
|
+
"schema_version",
|
|
9
|
+
"command",
|
|
10
|
+
"pack_id",
|
|
11
|
+
"script_id",
|
|
12
|
+
"script_ref",
|
|
13
|
+
"action",
|
|
14
|
+
"status",
|
|
15
|
+
"ok",
|
|
16
|
+
"mustflow_root",
|
|
17
|
+
"policy",
|
|
18
|
+
"input_hash",
|
|
19
|
+
"targets",
|
|
20
|
+
"summary",
|
|
21
|
+
"truncated",
|
|
22
|
+
"findings",
|
|
23
|
+
"issues"
|
|
24
|
+
],
|
|
25
|
+
"properties": {
|
|
26
|
+
"schema_version": { "const": "1" },
|
|
27
|
+
"command": { "const": "script-pack" },
|
|
28
|
+
"pack_id": { "const": "repo" },
|
|
29
|
+
"script_id": { "const": "secret-risk-scan" },
|
|
30
|
+
"script_ref": { "const": "repo/secret-risk-scan" },
|
|
31
|
+
"action": { "const": "scan" },
|
|
32
|
+
"status": { "enum": ["passed", "failed", "error"] },
|
|
33
|
+
"ok": { "type": "boolean" },
|
|
34
|
+
"mustflow_root": { "type": "string" },
|
|
35
|
+
"policy": { "$ref": "#/$defs/policy" },
|
|
36
|
+
"input_hash": { "$ref": "#/$defs/sha256" },
|
|
37
|
+
"targets": {
|
|
38
|
+
"type": "array",
|
|
39
|
+
"items": { "$ref": "#/$defs/target" }
|
|
40
|
+
},
|
|
41
|
+
"summary": { "$ref": "#/$defs/summary" },
|
|
42
|
+
"truncated": { "type": "boolean" },
|
|
43
|
+
"findings": {
|
|
44
|
+
"type": "array",
|
|
45
|
+
"items": { "$ref": "#/$defs/finding" }
|
|
46
|
+
},
|
|
47
|
+
"issues": {
|
|
48
|
+
"type": "array",
|
|
49
|
+
"items": { "type": "string" }
|
|
50
|
+
}
|
|
51
|
+
},
|
|
52
|
+
"$defs": {
|
|
53
|
+
"sha256": {
|
|
54
|
+
"type": "string",
|
|
55
|
+
"pattern": "^sha256:[a-f0-9]{64}$"
|
|
56
|
+
},
|
|
57
|
+
"fingerprint": {
|
|
58
|
+
"type": "string",
|
|
59
|
+
"pattern": "^sha256:[a-f0-9]{16}$"
|
|
60
|
+
},
|
|
61
|
+
"stringArray": {
|
|
62
|
+
"type": "array",
|
|
63
|
+
"items": { "type": "string" }
|
|
64
|
+
},
|
|
65
|
+
"policy": {
|
|
66
|
+
"type": "object",
|
|
67
|
+
"additionalProperties": false,
|
|
68
|
+
"required": [
|
|
69
|
+
"max_file_bytes",
|
|
70
|
+
"max_files",
|
|
71
|
+
"max_findings",
|
|
72
|
+
"extensions",
|
|
73
|
+
"skipped_secret_names",
|
|
74
|
+
"ignored_directories"
|
|
75
|
+
],
|
|
76
|
+
"properties": {
|
|
77
|
+
"max_file_bytes": { "type": "integer", "minimum": 1 },
|
|
78
|
+
"max_files": { "type": "integer", "minimum": 1 },
|
|
79
|
+
"max_findings": { "type": "integer", "minimum": 1 },
|
|
80
|
+
"extensions": { "$ref": "#/$defs/stringArray" },
|
|
81
|
+
"skipped_secret_names": { "$ref": "#/$defs/stringArray" },
|
|
82
|
+
"ignored_directories": { "$ref": "#/$defs/stringArray" }
|
|
83
|
+
}
|
|
84
|
+
},
|
|
85
|
+
"target": {
|
|
86
|
+
"type": "object",
|
|
87
|
+
"additionalProperties": false,
|
|
88
|
+
"required": ["input", "path", "exists", "kind"],
|
|
89
|
+
"properties": {
|
|
90
|
+
"input": { "type": "string" },
|
|
91
|
+
"path": { "type": "string" },
|
|
92
|
+
"exists": { "type": ["boolean", "null"] },
|
|
93
|
+
"kind": { "enum": ["file", "directory", "missing", "other", "unknown"] }
|
|
94
|
+
}
|
|
95
|
+
},
|
|
96
|
+
"summary": {
|
|
97
|
+
"type": "object",
|
|
98
|
+
"additionalProperties": false,
|
|
99
|
+
"required": [
|
|
100
|
+
"target_count",
|
|
101
|
+
"file_count",
|
|
102
|
+
"finding_count",
|
|
103
|
+
"skipped_secret_file_count",
|
|
104
|
+
"high_or_critical_count"
|
|
105
|
+
],
|
|
106
|
+
"properties": {
|
|
107
|
+
"target_count": { "type": "integer", "minimum": 0 },
|
|
108
|
+
"file_count": { "type": "integer", "minimum": 0 },
|
|
109
|
+
"finding_count": { "type": "integer", "minimum": 0 },
|
|
110
|
+
"skipped_secret_file_count": { "type": "integer", "minimum": 0 },
|
|
111
|
+
"high_or_critical_count": { "type": "integer", "minimum": 0 }
|
|
112
|
+
}
|
|
113
|
+
},
|
|
114
|
+
"detector": {
|
|
115
|
+
"enum": [
|
|
116
|
+
"private_key_block",
|
|
117
|
+
"bearer_token",
|
|
118
|
+
"provider_token",
|
|
119
|
+
"generic_assignment",
|
|
120
|
+
"realistic_env_example",
|
|
121
|
+
"secret_file_skipped"
|
|
122
|
+
]
|
|
123
|
+
},
|
|
124
|
+
"finding": {
|
|
125
|
+
"type": "object",
|
|
126
|
+
"additionalProperties": false,
|
|
127
|
+
"required": ["code", "severity", "message", "path"],
|
|
128
|
+
"properties": {
|
|
129
|
+
"code": {
|
|
130
|
+
"enum": [
|
|
131
|
+
"secret_risk_path_outside_root",
|
|
132
|
+
"secret_risk_unreadable_path",
|
|
133
|
+
"secret_risk_secret_file_skipped",
|
|
134
|
+
"secret_risk_max_files_exceeded",
|
|
135
|
+
"secret_risk_max_findings_exceeded",
|
|
136
|
+
"secret_risk_private_key_block",
|
|
137
|
+
"secret_risk_bearer_token",
|
|
138
|
+
"secret_risk_provider_token",
|
|
139
|
+
"secret_risk_generic_assignment",
|
|
140
|
+
"secret_risk_realistic_env_example"
|
|
141
|
+
]
|
|
142
|
+
},
|
|
143
|
+
"severity": { "enum": ["low", "medium", "high", "critical"] },
|
|
144
|
+
"message": { "type": "string" },
|
|
145
|
+
"path": { "type": "string" },
|
|
146
|
+
"line": { "type": "integer", "minimum": 1 },
|
|
147
|
+
"detector": { "$ref": "#/$defs/detector" },
|
|
148
|
+
"fingerprint": { "$ref": "#/$defs/fingerprint" }
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
}
|
|
@@ -62,7 +62,7 @@ translations = {}
|
|
|
62
62
|
[documents."skills.index"]
|
|
63
63
|
source = "locales/en/.mustflow/skills/INDEX.md"
|
|
64
64
|
source_locale = "en"
|
|
65
|
-
revision =
|
|
65
|
+
revision = 177
|
|
66
66
|
translations = {}
|
|
67
67
|
|
|
68
68
|
[documents."skill.adapter-boundary"]
|
|
@@ -80,7 +80,7 @@ translations = {}
|
|
|
80
80
|
[documents."skill.architecture-deepening-review"]
|
|
81
81
|
source = "locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md"
|
|
82
82
|
source_locale = "en"
|
|
83
|
-
revision =
|
|
83
|
+
revision = 3
|
|
84
84
|
translations = {}
|
|
85
85
|
|
|
86
86
|
[documents."skill.api-contract-change"]
|
|
@@ -469,7 +469,7 @@ translations = {}
|
|
|
469
469
|
[documents."skill.dependency-upgrade-review"]
|
|
470
470
|
source = "locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md"
|
|
471
471
|
source_locale = "en"
|
|
472
|
-
revision =
|
|
472
|
+
revision = 5
|
|
473
473
|
translations = {}
|
|
474
474
|
|
|
475
475
|
[documents."skill.version-freshness-check"]
|
|
@@ -517,7 +517,7 @@ translations = {}
|
|
|
517
517
|
[documents."skill.astro-code-change"]
|
|
518
518
|
source = "locales/en/.mustflow/skills/astro-code-change/SKILL.md"
|
|
519
519
|
source_locale = "en"
|
|
520
|
-
revision =
|
|
520
|
+
revision = 4
|
|
521
521
|
translations = {}
|
|
522
522
|
|
|
523
523
|
[documents."skill.auth-permission-change"]
|
|
@@ -601,13 +601,13 @@ translations = {}
|
|
|
601
601
|
[documents."skill.javascript-code-change"]
|
|
602
602
|
source = "locales/en/.mustflow/skills/javascript-code-change/SKILL.md"
|
|
603
603
|
source_locale = "en"
|
|
604
|
-
revision =
|
|
604
|
+
revision = 3
|
|
605
605
|
translations = {}
|
|
606
606
|
|
|
607
607
|
[documents."skill.node-code-change"]
|
|
608
608
|
source = "locales/en/.mustflow/skills/node-code-change/SKILL.md"
|
|
609
609
|
source_locale = "en"
|
|
610
|
-
revision =
|
|
610
|
+
revision = 2
|
|
611
611
|
translations = {}
|
|
612
612
|
|
|
613
613
|
[documents."skill.python-code-change"]
|
|
@@ -667,7 +667,7 @@ translations = {}
|
|
|
667
667
|
[documents."skill.typescript-code-change"]
|
|
668
668
|
source = "locales/en/.mustflow/skills/typescript-code-change/SKILL.md"
|
|
669
669
|
source_locale = "en"
|
|
670
|
-
revision =
|
|
670
|
+
revision = 5
|
|
671
671
|
translations = {}
|
|
672
672
|
|
|
673
673
|
[documents."skill.unocss-code-change"]
|
|
@@ -787,7 +787,7 @@ translations = {}
|
|
|
787
787
|
[documents."skill.github-contribution-quality-gate"]
|
|
788
788
|
source = "locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md"
|
|
789
789
|
source_locale = "en"
|
|
790
|
-
revision =
|
|
790
|
+
revision = 2
|
|
791
791
|
translations = {}
|
|
792
792
|
|
|
793
793
|
[documents."skill.facade-pattern"]
|
|
@@ -918,7 +918,7 @@ translations = {}
|
|
|
918
918
|
[documents."skill.security-privacy-review"]
|
|
919
919
|
source = "locales/en/.mustflow/skills/security-privacy-review/SKILL.md"
|
|
920
920
|
source_locale = "en"
|
|
921
|
-
revision =
|
|
921
|
+
revision = 23
|
|
922
922
|
translations = {}
|
|
923
923
|
|
|
924
924
|
[documents."skill.security-regression-tests"]
|
|
@@ -966,7 +966,7 @@ translations = {}
|
|
|
966
966
|
[documents."skill.cross-agent-session-reference"]
|
|
967
967
|
source = "locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md"
|
|
968
968
|
source_locale = "en"
|
|
969
|
-
revision =
|
|
969
|
+
revision = 2
|
|
970
970
|
translations = {}
|
|
971
971
|
|
|
972
972
|
[documents."skill.secret-exposure-response"]
|
|
@@ -987,6 +987,12 @@ source_locale = "en"
|
|
|
987
987
|
revision = 5
|
|
988
988
|
translations = {}
|
|
989
989
|
|
|
990
|
+
[documents."skill.test-suite-performance-review"]
|
|
991
|
+
source = "locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md"
|
|
992
|
+
source_locale = "en"
|
|
993
|
+
revision = 1
|
|
994
|
+
translations = {}
|
|
995
|
+
|
|
990
996
|
[documents."skill.vertical-slice-tdd"]
|
|
991
997
|
source = "locales/en/.mustflow/skills/vertical-slice-tdd/SKILL.md"
|
|
992
998
|
source_locale = "en"
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skills.index
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 177
|
|
6
6
|
authority: router
|
|
7
7
|
lifecycle: mustflow-owned
|
|
8
8
|
---
|
|
@@ -212,6 +212,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
212
212
|
inputs, direct time or randomness, direct I/O, constructor side effects, static or singleton
|
|
213
213
|
state, mock-heavy tests, sleeps, framework magic, reflection-only tests, or other code shapes
|
|
214
214
|
that make important conditions hard to force in tests.
|
|
215
|
+
- Use `test-suite-performance-review` as a primary route when test-suite runtime, CI feedback
|
|
216
|
+
latency, selected-test execution, shard balance, worker scheduling, fixture or database setup,
|
|
217
|
+
retry policy, flaky-test handling, result caching, discovery, coverage, or artifact overhead
|
|
218
|
+
needs optimization without weakening verification.
|
|
215
219
|
- Use `quadratic-scan-review` as an adjunct when the suspected performance smell is specifically
|
|
216
220
|
hidden O(N^2) work from repeated scans, membership checks, code joins, helper-body lookups,
|
|
217
221
|
render-time lookup, resolver fan-out, repeated sort, or copy accumulation over growing data.
|
|
@@ -447,6 +451,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
447
451
|
| User requirements, acceptance criteria, issue reports, bug reports, product notes, compatibility promises, or examples must be preserved as regression coverage before or during implementation | `.mustflow/skills/requirement-regression-guard/SKILL.md` | Requirement source, observable behavior, existing tests or fixtures, implementation scope, changed files, and command contract entries | Focused tests, fixtures, examples, schemas, docs, and implementation changes directly tied to the requirement | untested requirement, invented acceptance criteria, weakened tests, hidden behavior drift, or unverifiable implementation claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Requirement sources, coverage map, guards added or reused, implementation changes, deferred requirements, verification, and remaining regression risk |
|
|
448
452
|
| The user explicitly requests TDD, test-first work, red-green-refactor, RED/GREEN, or one observable behavior slice at a time | `.mustflow/skills/vertical-slice-tdd/SKILL.md` | TDD trigger, first behavior contract, existing tests, expected RED category, baseline status, and command contract entries | One focused test or fixture, the smallest implementation for the current slice, and directly synchronized docs when needed | invalid RED, broad slice, premature refactor, unrelated cleanup, or verification claim without configured command evidence | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `test`, `lint`, `build`, `mustflow_check` | Slice scope, existing coverage, RED category evidence, GREEN verification, refactors after GREEN, deferred slices, and remaining TDD risk |
|
|
449
453
|
| New tests or test cases are designed, TDD RED or GREEN evidence is reported, or test-case choices are made for requirements, bugs, refactors, security boundaries, schemas, templates, or public docs | `.mustflow/skills/test-design-guard/SKILL.md` | Contract source, existing coverage, intended RED evidence, candidate cases, baseline status, and command contract entries | Tests, fixtures, helpers, and directly synchronized contract docs | invalid RED, happy-path-only coverage, speculative edge cases, weak assertions, mock-only confidence, or implementation-detail coupling | `test_related`, `test_audit`, `test`, `lint`, `build`, `test_release`, `mustflow_check` | RED category, selected test shape, evidence-backed cases, rejected speculation, verification objective, commands, and remaining test-design risk |
|
|
454
|
+
| Test-suite runtime, CI feedback latency, test selection, shard balance, worker scheduling, retry policy, flaky-test handling, fixture setup, database or container test lifecycle, coverage or artifact overhead, test-result caching, test discovery, or test performance claims are planned, edited, reviewed, or reported | `.mustflow/skills/test-suite-performance-review/SKILL.md` | Suite surface, timing ledger, p50 and p95 evidence, selection ledger, isolation ledger, resource ledger, cache ledger, and command contract entries | Test timing collection, selected-test manifests, dependency-to-test maps, shard and worker scheduling, fixture lifecycle, DB/container setup, fake timers, stubs, cache keys, coverage defaults, CI reports, docs, and directly synchronized templates | faster-but-weaker verification, selector without full fallback, import-only impact analysis, cache false hit, volatile cache key, cold-cache theater, full discovery scan, per-test process startup, file-count sharding, idle workers, resource contention, shared DB schema, fixed sleeps, external internet dependency, hidden time/random/locale input, artifact tax, retry hiding real failure, or permanent flaky quarantine | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Suite surface, feedback goal, timing bottleneck, selection and fallback policy, scheduling and resource-token decisions, fixture and isolation notes, cache and retry policy, artifact policy, speed evidence, verification, and remaining test-suite performance risk |
|
|
450
455
|
| Tests are added, updated, removed, or audited | `.mustflow/skills/test-maintenance/SKILL.md` | Changed behavior or stale-test evidence | Test files and related source | contract drift | `test`, `test_related`, `test_audit`, `snapshot_update`, `lint`, `build` | Test rationale and verification |
|
|
451
456
|
|
|
452
457
|
### Documentation and Release
|
|
@@ -522,7 +527,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
522
527
|
| Tailwind classes, class composition, theme tokens, variants, arbitrary values, Tailwind config, `@theme`, `@apply`, or migration surfaces are created or changed | `.mustflow/skills/tailwind-code-change/SKILL.md` | Tailwind config or CSS entry, source scanning rules, theme tokens, class helpers, changed files, and command contract entries | Tailwind config, theme tokens, utility classes, component class maps, tests, and docs examples | production class loss, arbitrary-value sprawl, token bypass, weak focus state, or hidden `@apply` drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Class detection, token, responsive, state, and production CSS boundary checked, verification, and remaining Tailwind risk |
|
|
523
528
|
| UnoCSS config, presets, extraction, shortcuts, rules, variants, safelist, blocklist, attributify, transformers, or utility usage are created or changed | `.mustflow/skills/unocss-code-change/SKILL.md` | UnoCSS config, presets, extraction rules, shortcuts, safelist, blocklist, changed files, and command contract entries | UnoCSS config, utility usage, rules, shortcuts, safelist, blocklist, tests, and docs examples | extractor miss, runtime-only utility, safelist explosion, unbounded shortcut, or production CSS loss | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Extraction, safelist, shortcut, variant, and production CSS boundary checked, verification, and remaining UnoCSS risk |
|
|
524
529
|
| Flutter widgets, screens, routing, state management, async UI, platform channels, assets, responsive layout, accessibility, or Flutter tests are created or changed | `.mustflow/skills/flutter-code-change/SKILL.md` | App root, route config, widget tree, state owner, platform files, assets, changed files, and command contract entries | Flutter widgets, routes, state, platform channels, assets, tests, and docs examples | impure build, lifecycle leak, navigation drift, layout breakage, inaccessible UI, or platform boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | State, lifecycle, layout, accessibility, platform, and asset boundary checked, verification, and remaining Flutter risk |
|
|
525
|
-
| Astro config, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, MDX, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, route tree, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
|
|
530
|
+
| Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdown processing, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown processor, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, request pipeline, route cache, Markdown, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, request pipeline omission, cache data exposure, Markdown drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, request pipeline, cache, Markdown, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
|
|
526
531
|
| Svelte or SvelteKit components, routes, load functions, server actions, stores, runes, SSR boundaries, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, stores/runes, hooks, app types, changed files, and command contract entries | Svelte components, routes, load/actions, stores, SSR/client boundaries, tests, and docs examples | SSR/client leakage, browser global crash, state owner drift, form degradation, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, state, form, and accessibility boundary checked, verification, and remaining Svelte risk |
|
|
527
532
|
| Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
|
|
528
533
|
|