mustflow 2.84.0 → 2.99.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/dist/cli/commands/script-pack.js +14 -0
- package/dist/cli/i18n/en.js +262 -0
- package/dist/cli/i18n/es.js +262 -0
- package/dist/cli/i18n/fr.js +262 -0
- package/dist/cli/i18n/hi.js +262 -0
- package/dist/cli/i18n/ko.js +262 -0
- package/dist/cli/i18n/zh.js +262 -0
- package/dist/cli/lib/repo-map.js +27 -6
- package/dist/cli/lib/run-root-trust.js +15 -1
- package/dist/cli/lib/script-pack-registry.js +397 -0
- package/dist/cli/lib/validation/index.js +2 -2
- package/dist/cli/lib/validation/primitives.js +4 -1
- package/dist/cli/script-packs/code-change-impact.js +178 -0
- package/dist/cli/script-packs/code-dependency-graph.js +181 -0
- package/dist/cli/script-packs/code-import-cycle.js +193 -0
- package/dist/cli/script-packs/docs-link-integrity.js +145 -0
- package/dist/cli/script-packs/repo-approval-gate.js +100 -0
- package/dist/cli/script-packs/repo-env-contract.js +156 -0
- package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
- package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
- package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
- package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
- package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
- package/dist/cli/script-packs/repo-version-source.js +92 -0
- package/dist/cli/script-packs/test-performance-report.js +247 -0
- package/dist/cli/script-packs/test-regression-selector.js +167 -0
- package/dist/core/change-impact.js +355 -0
- package/dist/core/change-surface-classification.js +198 -0
- package/dist/core/change-verification.js +32 -5
- package/dist/core/config-loading.js +121 -4
- package/dist/core/dependency-graph.js +490 -0
- package/dist/core/docs-link-integrity.js +443 -0
- package/dist/core/env-contract.js +450 -0
- package/dist/core/import-cycle.js +152 -0
- package/dist/core/line-endings.js +26 -13
- package/dist/core/public-json-contracts.js +167 -0
- package/dist/core/repo-approval-gate.js +116 -0
- package/dist/core/repo-git-ignore-audit.js +302 -0
- package/dist/core/repo-manifest-lock-drift.js +321 -0
- package/dist/core/repo-merge-conflict-scan.js +335 -0
- package/dist/core/repo-version-source.js +82 -0
- package/dist/core/route-outline.js +57 -5
- package/dist/core/script-pack-suggestions.js +97 -1
- package/dist/core/secret-risk-scan.js +440 -0
- package/dist/core/skill-route-audit.js +354 -0
- package/dist/core/test-performance-report.js +697 -0
- package/dist/core/test-regression-selector.js +335 -0
- package/package.json +1 -1
- package/schemas/README.md +54 -0
- package/schemas/change-impact-report.schema.json +184 -0
- package/schemas/commands.schema.json +12 -0
- package/schemas/dependency-graph-report.schema.json +149 -0
- package/schemas/env-contract-report.schema.json +203 -0
- package/schemas/import-cycle-report.schema.json +157 -0
- package/schemas/link-integrity-report.schema.json +176 -0
- package/schemas/repo-approval-gate-report.schema.json +115 -0
- package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
- package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
- package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
- package/schemas/repo-version-source-report.schema.json +127 -0
- package/schemas/secret-risk-scan-report.schema.json +152 -0
- package/schemas/skill-route-audit-report.schema.json +144 -0
- package/schemas/test-performance-report.schema.json +319 -0
- package/schemas/test-regression-selector-report.schema.json +187 -0
- package/templates/default/i18n.toml +80 -26
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
- package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
- package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
- package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
- package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
- package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
- package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
- package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
- package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
- package/templates/default/manifest.toml +71 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.api-access-control-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: api-access-control-review
|
|
9
|
-
description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, broken authentication, tenant isolation, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, payment or refund API authorization, broken authentication, tenant isolation, effective permission decisions, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -43,6 +43,10 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
43
43
|
exports, downloads, previews, batch APIs, background jobs, webhooks, auth middleware, sessions,
|
|
44
44
|
cookies, JWTs, OAuth or OIDC flows, password reset, MFA, admin APIs, internal APIs, cache keys,
|
|
45
45
|
DTO mapping, tests, or API docs.
|
|
46
|
+
- Payment, refund, transfer, payout, credit, entitlement, or subscription APIs need proof that the
|
|
47
|
+
requester may act on that specific object, amount-bearing operation, tenant, account, or current
|
|
48
|
+
resource state. Use `payment-integrity-review` for money-event correctness and this skill for the
|
|
49
|
+
API object, property, and function authorization proof.
|
|
46
50
|
- A request, token, body, query string, path parameter, webhook payload, queue payload, or client
|
|
47
51
|
state supplies `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `projectId`, `role`,
|
|
48
52
|
`ownerId`, object id, file key, status, price, entitlement, plan, or other authority-bearing data.
|
|
@@ -73,6 +77,9 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
73
77
|
- Subject-object-action-context ledger: principal, session, token, API key, service account, tenant,
|
|
74
78
|
organization, workspace, role, relationship, resource, object id, field or property, action,
|
|
75
79
|
state, and request context.
|
|
80
|
+
- Decision explanation ledger: effective permission, matched policy, explicit deny, inheritance
|
|
81
|
+
path, policy version, data revision, token issue time, and allow or deny reason when the product
|
|
82
|
+
has policy-engine or audit-log support.
|
|
76
83
|
- Object authorization ledger: list, detail, count, search, export, download, preview, share,
|
|
77
84
|
update, delete, approve, invite, refund, transfer, admin, batch, worker, and webhook paths that
|
|
78
85
|
can reach the same object.
|
|
@@ -135,101 +142,111 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
135
142
|
- `role === "admin"` is usually too small.
|
|
136
143
|
- Check whether the principal is admin for this organization, owner of this project, seller for
|
|
137
144
|
this order, billing admin for this account, or allowed to act in this resource state.
|
|
138
|
-
|
|
145
|
+
- Prefer effective-permission evidence and policy decision explanations over a raw role list.
|
|
146
|
+
6. Check default-deny and explicit-deny behavior.
|
|
147
|
+
- No matching policy, unknown role, unknown action, malformed id, parsing failure, policy server
|
|
148
|
+
timeout, and policy-cache miss should not silently allow access.
|
|
149
|
+
- When allow and deny policies both match, the product needs a documented and tested combination
|
|
150
|
+
rule.
|
|
151
|
+
7. Compare list and detail scopes.
|
|
139
152
|
- If list filters by current user or tenant but detail, count, search, analytics, export, or
|
|
140
153
|
download uses only object id, report the gap.
|
|
141
|
-
|
|
154
|
+
8. Review write APIs harder than read APIs.
|
|
142
155
|
- `PUT`, `PATCH`, `DELETE`, approve, refund, invite, transfer, publish, restore, and role-change
|
|
143
156
|
operations need write-specific permission, state, amount, and audit checks.
|
|
144
157
|
- Read permission is not write permission.
|
|
145
|
-
|
|
158
|
+
9. Stop mass assignment at the boundary.
|
|
146
159
|
- Flag request-body-to-entity binding, raw DTO persistence, GraphQL input passthrough, ORM update
|
|
147
160
|
data from raw body, and blind spread or object assignment.
|
|
148
161
|
- Privileged fields such as `role`, `status`, `ownerId`, `tenantId`, `isVerified`, `plan`,
|
|
149
162
|
`credit`, `deletedAt`, `price`, and `quota` must be derived, guarded, or allowlisted.
|
|
150
|
-
|
|
163
|
+
10. Check response DTOs for property-level exposure.
|
|
151
164
|
- Entity-to-JSON responses can leak `passwordHash`, `mfaSecret`, `internalMemo`,
|
|
152
165
|
`billingCustomerId`, storage keys, provider IDs, deletion reasons, or admin-only fields later.
|
|
153
166
|
- Use public response mappers and role-aware field policies when field visibility differs.
|
|
154
|
-
|
|
167
|
+
11. Treat client-side admin UI as decoration.
|
|
155
168
|
- Hidden buttons, disabled controls, frontend routes, mobile checks, and generated clients are
|
|
156
169
|
not access control.
|
|
157
170
|
- Admin and support operations need server-side scope, reason, audit, and denial tests.
|
|
158
|
-
|
|
171
|
+
12. Search for temporary public holes.
|
|
159
172
|
- Inspect `permitAll`, `anonymous`, `skipAuth`, `bypassAuth`, `public`, `internalOnly`,
|
|
160
173
|
`devOnly`, `TODO auth`, debug endpoints, health endpoints with extra data, and test-only
|
|
161
174
|
switches that can reach real data or operations.
|
|
162
|
-
|
|
175
|
+
13. Review router and middleware order.
|
|
163
176
|
- Dynamic routes like `/:id` can shadow `/me`, `/admin`, or `/settings`.
|
|
164
177
|
- Prefix middleware can leave sibling paths, nested routers, serverless functions, or framework
|
|
165
178
|
route groups unauthenticated.
|
|
166
|
-
|
|
179
|
+
14. Review GraphQL per resolver.
|
|
167
180
|
- Endpoint-level auth is not enough.
|
|
168
181
|
- Check `node(id)`, nested fields, connections, edges, aggregates, mutations, and field
|
|
169
182
|
resolvers for object and property authorization.
|
|
170
|
-
|
|
183
|
+
15. Review batch APIs per item.
|
|
171
184
|
- Bulk create, delete, export, import, and update endpoints must authorize every object.
|
|
172
185
|
- Define whether one denied item fails the whole request, returns per-item results, or produces
|
|
173
186
|
a retrievable failure report.
|
|
174
|
-
|
|
187
|
+
16. Review export, download, preview, thumbnail, and share paths.
|
|
175
188
|
- CRUD may be protected while file delivery, generated previews, thumbnails, CSV exports, and
|
|
176
189
|
shared links bypass the same policy.
|
|
177
|
-
|
|
190
|
+
17. Treat signed storage URLs as outputs of authorization.
|
|
178
191
|
- S3, GCS, R2, CDN, and private file URLs must be generated only after object authorization.
|
|
179
192
|
- Check key predictability, URL lifetime, scope, content disposition, cache behavior, revocation,
|
|
180
193
|
and whether direct object access bypasses policy.
|
|
181
|
-
|
|
194
|
+
18. Enforce tenant boundaries in every query and cache.
|
|
182
195
|
- `WHERE id = ?` is weak in multi-tenant code; include tenant, membership, owner, sharing, or
|
|
183
196
|
database policy constraints.
|
|
184
197
|
- Cache keys for private data need tenant and permission dimensions, not just object id.
|
|
185
|
-
|
|
198
|
+
19. Revalidate asynchronous jobs.
|
|
186
199
|
- Queue payloads with only `userId`, `tenantId`, or `fileId` can outlive permission changes.
|
|
187
200
|
- Workers, retries, admin reruns, scheduled tasks, and webhook-triggered jobs need actor,
|
|
188
201
|
tenant, resource, state, and current permission or service-principal checks at execution time.
|
|
189
|
-
|
|
202
|
+
20. Separate webhook authenticity from authorization.
|
|
190
203
|
- Signature verification proves the provider sent the event.
|
|
191
204
|
- Ownership mapping proves the event belongs to this tenant, account, customer, installation,
|
|
192
205
|
repository, subscription, or resource.
|
|
193
|
-
|
|
206
|
+
21. Keep OAuth and OIDC purposes distinct.
|
|
194
207
|
- OIDC ID tokens identify a user for login.
|
|
195
208
|
- OAuth access tokens authorize delegated API access.
|
|
196
209
|
- Do not use an ID token as an API permission token or an access token as a login proof without
|
|
197
210
|
the appropriate validation and intent.
|
|
198
|
-
|
|
211
|
+
22. Verify JWTs completely.
|
|
199
212
|
- Decoding is not verification.
|
|
200
213
|
- Check signature, algorithm allowlist, issuer, audience, expiry, not-before when used, key
|
|
201
214
|
source, key rotation, subject, tenant binding, and stale authorization claims.
|
|
202
|
-
|
|
215
|
+
23. Treat token claims as snapshots, not eternal truth.
|
|
203
216
|
- Long-lived `role`, `plan`, `tenantId`, and permission claims can survive demotion, removal,
|
|
204
217
|
subscription cancellation, suspension, or revocation.
|
|
205
218
|
- Important decisions should check current server-side state or use short-lived tokens with
|
|
206
219
|
revocation strategy.
|
|
207
|
-
|
|
220
|
+
24. Measure revocation and stale-permission windows.
|
|
221
|
+
- User removal, role demotion, organization leave, policy-version changes, subscription state
|
|
222
|
+
changes, and ownership transfers should say how quickly sessions, JWTs, caches, search
|
|
223
|
+
indexes, queued jobs, and signed URLs stop authorizing old access.
|
|
224
|
+
25. Regenerate session identity after privilege changes.
|
|
208
225
|
- Login, password change, MFA changes, role changes, user-to-admin transitions, and account
|
|
209
226
|
recovery should rotate session identifiers or refresh tokens according to local policy.
|
|
210
|
-
|
|
227
|
+
26. Check authentication cookies.
|
|
211
228
|
- Cookies carrying session authority need `Secure`, `HttpOnly`, appropriate `SameSite`,
|
|
212
229
|
domain, path, lifetime, rotation, logout, revocation, and CSRF posture.
|
|
213
230
|
- Avoid URL-carried session identifiers.
|
|
214
|
-
|
|
231
|
+
27. Require reauthentication for sensitive actions.
|
|
215
232
|
- Password change, email change, MFA disable, payment method change, organization ownership
|
|
216
233
|
transfer, API-key creation, and destructive admin actions should require fresh proof.
|
|
217
|
-
|
|
234
|
+
28. Review reset and magic-link tokens.
|
|
218
235
|
- Tokens need strong randomness, one-time use, short expiration, purpose binding, user binding,
|
|
219
236
|
safe storage, link-preview protection, session invalidation where needed, and no reuse across
|
|
220
237
|
unrelated flows.
|
|
221
|
-
|
|
238
|
+
29. Compare account-enumeration responses.
|
|
222
239
|
- Login, signup, password reset, magic link, invitation, and email verification should avoid
|
|
223
240
|
leaking account existence through message, status, timing, or email-sending behavior unless
|
|
224
241
|
product policy accepts that disclosure.
|
|
225
|
-
|
|
242
|
+
30. Treat automation defense as part of authentication.
|
|
226
243
|
- Login, OTP, magic link, password reset, invite acceptance, coupon application, email
|
|
227
244
|
verification, and MFA attempts need rate limits, lockouts, challenge policy, IP/device/user
|
|
228
245
|
dimensions, and observability.
|
|
229
|
-
|
|
246
|
+
31. Separate internal and external identity planes.
|
|
230
247
|
- Backoffice, operator, database, middleware, and support accounts should not flow through the
|
|
231
248
|
same customer login path unless the product intentionally models and audits that boundary.
|
|
232
|
-
|
|
249
|
+
32. Test the denial matrix.
|
|
233
250
|
- Success tests prove little.
|
|
234
251
|
- For each protected resource, cover anonymous, normal user, other owner, same organization
|
|
235
252
|
different role, other tenant, admin wrong tenant, revoked user, suspended member, stale token,
|
|
@@ -240,6 +257,8 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
240
257
|
|
|
241
258
|
- The API access-control decision names subject, object, action, field or property, tenant or owner,
|
|
242
259
|
current state, and trusted context when those apply.
|
|
260
|
+
- Effective permission, matched policy, explicit deny, inheritance path, policy version, data
|
|
261
|
+
revision, token issue time, and revocation window are checked or named as gaps when relevant.
|
|
243
262
|
- Authentication, object authorization, property authorization, and function authorization are not
|
|
244
263
|
collapsed into one route guard.
|
|
245
264
|
- Client-supplied identity and authority fields are either ignored, verified against server-side
|
|
@@ -287,6 +306,8 @@ and account-enumeration response parity.
|
|
|
287
306
|
|
|
288
307
|
- API access control reviewed
|
|
289
308
|
- Subject, object, action, field, tenant or owner, state, and trusted context
|
|
309
|
+
- Effective permission, decision explanation, policy version, data revision, token age, and
|
|
310
|
+
revocation-window findings
|
|
290
311
|
- Object, property, and function authorization findings
|
|
291
312
|
- Authentication, session, token, cookie, OAuth/OIDC, reset, reauthentication, enumeration, and
|
|
292
313
|
automation findings
|
|
@@ -0,0 +1,270 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.api-failure-triage
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: api-failure-triage
|
|
9
|
+
description: Apply this skill when an API request, SDK call, webhook callback, browser request, mobile call, gateway route, CORS preflight, CDN or load-balancer path, upstream dependency call, or OpenAPI-backed integration is failing, intermittent, slow, returning the wrong status or body, blocked by authentication or authorization, rate-limited, retried, cached incorrectly, or not yet localized to client, network, proxy, app, database, cache, provider, or deployment configuration. Use before api-request-performance-review when the first job is to preserve the failing wire evidence and cut the failure boundary.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.api-failure-triage
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# API Failure Triage
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Triage API failures by preserving the actual request and cutting the path boundary before editing
|
|
33
|
+
code.
|
|
34
|
+
|
|
35
|
+
The first question is not "which log looks suspicious?" It is "what bytes left the caller, what
|
|
36
|
+
bytes came back, which boundary changed them, and what evidence would disprove each hypothesis?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- A user reports that an API call, SDK request, browser request, mobile request, webhook callback,
|
|
42
|
+
backend-for-frontend path, gateway route, CDN path, load-balancer path, or provider integration is
|
|
43
|
+
failing or intermittent.
|
|
44
|
+
- The failure is not yet localized to client code, DNS, TCP, TLS, proxy, CORS preflight, redirect,
|
|
45
|
+
gateway, app handler, database, cache, external provider, rate limiter, retry policy, auth,
|
|
46
|
+
deployment configuration, or OpenAPI drift.
|
|
47
|
+
- Code or docs claim an API failure is a network issue, CORS issue, server issue, auth issue, cache
|
|
48
|
+
issue, provider issue, or retry issue without preserved wire evidence.
|
|
49
|
+
- A fix might otherwise start from logs, framework assumptions, SDK behavior, browser console text,
|
|
50
|
+
or a broad search before one failing request is captured.
|
|
51
|
+
|
|
52
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
53
|
+
## Do Not Use When
|
|
54
|
+
|
|
55
|
+
- The failing request is already reproduced and the root cause is clear enough for a targeted fix;
|
|
56
|
+
use the narrower code, API contract, cache, retry, auth, database, or failure-integrity skill.
|
|
57
|
+
- The task is only per-request latency optimization after the API path is known; use
|
|
58
|
+
`api-request-performance-review`.
|
|
59
|
+
- The task is only public error wording or error-envelope cleanup; use
|
|
60
|
+
`error-message-integrity-review`.
|
|
61
|
+
- The task is only observability design with no current API failure to localize; use
|
|
62
|
+
`observability-debuggability-review`.
|
|
63
|
+
- Reproduction requires live production secrets, destructive calls, real payments, real user data,
|
|
64
|
+
private logs, or unconfigured external systems. Preserve available static evidence and report the
|
|
65
|
+
manual boundary instead.
|
|
66
|
+
|
|
67
|
+
<!-- mustflow-section: required-inputs -->
|
|
68
|
+
## Required Inputs
|
|
69
|
+
|
|
70
|
+
- Failure packet: observed time and timezone, request id or trace id when present, caller, client or
|
|
71
|
+
SDK version, API version, method, URL route template, sanitized headers, sanitized body shape,
|
|
72
|
+
status code, response headers, response body shape, total latency, and retry or redirect behavior.
|
|
73
|
+
- Success comparator: a nearby successful request, previous working version, same request with one
|
|
74
|
+
dimension changed, or a documented expected request shape.
|
|
75
|
+
- Boundary ledger: client, browser preflight, SDK middleware, DNS, TCP, TLS, proxy, CDN, WAF,
|
|
76
|
+
gateway, load balancer, app, queue, database, cache, external provider, and response serialization
|
|
77
|
+
boundaries relevant to the path.
|
|
78
|
+
- Timing ledger: name lookup, connection, TLS, first byte, total transfer, app handler time, queue
|
|
79
|
+
time, pool wait, database time, cache time, external dependency time, serialization time, and
|
|
80
|
+
download time when evidence exists.
|
|
81
|
+
- Contract ledger: HTTP method, redirect behavior, content negotiation, content type, encoding,
|
|
82
|
+
status code semantics, error envelope, retryability, idempotency, rate-limit headers, cache
|
|
83
|
+
headers, OpenAPI or generated-client contract, and deployment version.
|
|
84
|
+
- Auth ledger: credential presence, token expiry and not-before time, signature timestamp, clock
|
|
85
|
+
skew, user or service principal, object authorization, tenant scope, and proxy header preservation.
|
|
86
|
+
- Change ledger: deploy, config, secret, feature flag, routing rule, schema migration, provider
|
|
87
|
+
version, generated client, cache policy, rate-limit policy, and environment difference near the
|
|
88
|
+
first bad time.
|
|
89
|
+
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
90
|
+
validation.
|
|
91
|
+
|
|
92
|
+
<!-- mustflow-section: preconditions -->
|
|
93
|
+
## Preconditions
|
|
94
|
+
|
|
95
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
96
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
97
|
+
current scope.
|
|
98
|
+
- Required request, response, boundary, timing, contract, auth, and change evidence is available or
|
|
99
|
+
can be reported as missing without guessing.
|
|
100
|
+
- If the preserved evidence exposes secrets, tokens, cookies, personal data, payment data, private
|
|
101
|
+
URLs, raw bodies, or hidden reasoning, summarize and redact rather than copying it into docs,
|
|
102
|
+
tests, logs, commits, or final reports.
|
|
103
|
+
|
|
104
|
+
<!-- mustflow-section: allowed-edits -->
|
|
105
|
+
## Allowed Edits
|
|
106
|
+
|
|
107
|
+
- Add or tighten request parsing, content-type handling, status mapping, Problem Details or local
|
|
108
|
+
error-envelope mapping, request ID propagation, trace context, auth checks, proxy header handling,
|
|
109
|
+
timeout classification, retry and idempotency classification, rate-limit response handling, cache
|
|
110
|
+
header handling, OpenAPI contract tests, deployment config comparison tests, and focused
|
|
111
|
+
reproduction fixtures.
|
|
112
|
+
- Add focused tests that preserve the failing wire shape, success/failure comparator, status and
|
|
113
|
+
body contract, auth boundary, retryability, cache behavior, OpenAPI drift, or deployment config
|
|
114
|
+
difference.
|
|
115
|
+
- Do not add broad retries, blanket cache bypasses, CORS wildcards, auth bypasses, status-code
|
|
116
|
+
remapping, proxy header trust, live provider calls, raw production log dumps, or speculative
|
|
117
|
+
framework rewrites before the failing boundary is localized.
|
|
118
|
+
- Do not treat browser console text, SDK exception text, status code alone, or application logs alone
|
|
119
|
+
as the failing request evidence.
|
|
120
|
+
|
|
121
|
+
<!-- mustflow-section: procedure -->
|
|
122
|
+
## Procedure
|
|
123
|
+
|
|
124
|
+
1. Preserve one failing request packet.
|
|
125
|
+
- Record method, route template, sanitized headers, sanitized body shape, status, response
|
|
126
|
+
headers, response body shape, total latency, request id, trace id, caller version, API version,
|
|
127
|
+
and observed time basis.
|
|
128
|
+
- If the failure is intermittent, keep the first bad time and a small sample of failing and
|
|
129
|
+
successful packets rather than a raw log dump.
|
|
130
|
+
2. Compare success and failure at the wire boundary.
|
|
131
|
+
- Compare actual transmitted method, URL encoding, query order and defaults, headers, cookies,
|
|
132
|
+
body shape, null versus empty string, array order, content type, accept header, charset, API
|
|
133
|
+
version, and redirect path.
|
|
134
|
+
- Do not compare only source code or SDK call arguments because middleware, retries, proxies,
|
|
135
|
+
redirects, and defaults can rewrite the request.
|
|
136
|
+
3. Cut the path into boundaries.
|
|
137
|
+
- Check whether the request reaches each boundary: client, preflight, SDK, DNS, TCP, TLS, proxy,
|
|
138
|
+
CDN, WAF, gateway, load balancer, app handler, queue, database, cache, external provider, and
|
|
139
|
+
response serializer.
|
|
140
|
+
- Prefer evidence that halves the search space. If the app never sees the request, app logs are
|
|
141
|
+
not the first evidence source.
|
|
142
|
+
4. Split timing before assigning blame.
|
|
143
|
+
- Separate name lookup, connection, TLS, first byte, total download, app handler time, queue time,
|
|
144
|
+
pool wait, database time, cache time, external dependency time, serialization time, and payload
|
|
145
|
+
transfer when available.
|
|
146
|
+
- Average latency is weak evidence. Use endpoint, status, region, client, API version, and
|
|
147
|
+
percentile slices when telemetry exists.
|
|
148
|
+
5. Check browser-only failures separately.
|
|
149
|
+
- For browser-only symptoms, inspect preflight, allowed method, allowed headers, credentials
|
|
150
|
+
mode, redirect behavior, and whether the failing request happens before the real method is sent.
|
|
151
|
+
- For server-to-server failures, do not diagnose CORS unless a browser boundary is actually
|
|
152
|
+
involved.
|
|
153
|
+
6. Check redirect and proxy mutation.
|
|
154
|
+
- Verify whether redirects change method, body, host, scheme, authorization, cookies, or signed
|
|
155
|
+
headers.
|
|
156
|
+
- Verify whether proxies preserve `Authorization`, `Host`, forwarded headers, request ids,
|
|
157
|
+
trace context, content length, idempotency keys, and rate-limit headers according to local
|
|
158
|
+
trust policy.
|
|
159
|
+
7. Check status, body, and content-type consistency.
|
|
160
|
+
- A `200` response with an error body, a `500` for caller validation, a hidden `404` for auth,
|
|
161
|
+
or a JSON content type with an HTML error body can break clients and monitoring.
|
|
162
|
+
- Map API errors to stable codes, request IDs, invalid fields, retryability, and safe support
|
|
163
|
+
evidence when the local contract supports it.
|
|
164
|
+
8. Split authentication from authorization.
|
|
165
|
+
- Verify credentials were sent, valid, not expired, and signed against the expected time basis.
|
|
166
|
+
- Separately verify whether the authenticated principal can access the target object, property,
|
|
167
|
+
tenant, or function.
|
|
168
|
+
- Treat "same token, different resource id returns another user's data" as an access-control
|
|
169
|
+
incident, not ordinary debugging.
|
|
170
|
+
9. Check clock and signature time.
|
|
171
|
+
- Review token `exp` or `nbf`, signed request timestamps, webhook timestamps, cache expiry, rate
|
|
172
|
+
limit windows, and server/client clock skew when the failure is intermittent or boundary-time
|
|
173
|
+
sensitive.
|
|
174
|
+
10. Check retry, timeout, rate limit, and idempotency.
|
|
175
|
+
- Separate connect, TLS, first-byte, read, write, dependency, pool, and total-deadline failures
|
|
176
|
+
when evidence exists.
|
|
177
|
+
- Confirm retries are bounded, jittered, scoped to one layer, and safe for the operation.
|
|
178
|
+
- For side-effecting requests, require a durable idempotency key and result replay or unknown
|
|
179
|
+
outcome reconciliation before retrying.
|
|
180
|
+
- Preserve `429`, rate-limit policy, and retry-after semantics instead of turning throttling into
|
|
181
|
+
generic server failure.
|
|
182
|
+
11. Check cache and content negotiation.
|
|
183
|
+
- Compare cached and cache-bypassed behavior when allowed by the current command and environment
|
|
184
|
+
boundary.
|
|
185
|
+
- Inspect cache-control, validators, age, vary dimensions, authorization or cookie variance,
|
|
186
|
+
API version, language, query dimensions, and stale or negative-cache behavior.
|
|
187
|
+
12. Check app-internal cost and dependency fan-out only after the request reaches the app.
|
|
188
|
+
- If the app receives the request, build a compact cost ledger for database, cache, external API,
|
|
189
|
+
serialization, compression, and response size.
|
|
190
|
+
- Use `api-request-performance-review`, database, cache, retry, queue, or observability skills
|
|
191
|
+
for the localized subproblem.
|
|
192
|
+
13. Check OpenAPI and generated-client drift.
|
|
193
|
+
- Compare deployed behavior with the documented contract: required fields, nullability, enum
|
|
194
|
+
values, status codes, headers, content type, and error envelope.
|
|
195
|
+
- Treat generated client, SDK, or schema drift as a contract issue even when the server and
|
|
196
|
+
client each look locally correct.
|
|
197
|
+
14. Check deployment and environment diffs.
|
|
198
|
+
- Near the first bad time, compare release id, config, secret names, routing rules, feature
|
|
199
|
+
flags, provider account, migration state, cache policy, rate-limit policy, and generated
|
|
200
|
+
artifacts.
|
|
201
|
+
- Do not blame code before environment and route changes are ruled in or out.
|
|
202
|
+
15. Maintain a hypothesis table.
|
|
203
|
+
- For each hypothesis, write the expected evidence and the observation that would disprove it.
|
|
204
|
+
- Kill wrong hypotheses quickly. Long log reading without a falsifiable hypothesis is not
|
|
205
|
+
progress.
|
|
206
|
+
16. Apply the smallest localized fix.
|
|
207
|
+
- Once the boundary is proven, switch to the specific skill for that boundary and edit only the
|
|
208
|
+
owning code, contract, test, doc, template, or config surface.
|
|
209
|
+
- Re-run the original reproduction path or the closest configured intent after the fix.
|
|
210
|
+
|
|
211
|
+
<!-- mustflow-section: postconditions -->
|
|
212
|
+
## Postconditions
|
|
213
|
+
|
|
214
|
+
- The failing request packet, success comparator, boundary ledger, timing ledger, contract ledger,
|
|
215
|
+
auth ledger, and change ledger are explicit or reported as missing.
|
|
216
|
+
- The failure is localized to a boundary or left as a named evidence gap instead of a guessed cause.
|
|
217
|
+
- Status/body/content-type, CORS/preflight, redirects, proxy headers, authn/authz, clock skew,
|
|
218
|
+
timeout/retry/rate-limit/idempotency, cache headers, OpenAPI drift, and deployment diffs are fixed
|
|
219
|
+
or reported where relevant.
|
|
220
|
+
- Any follow-up skill is selected because the boundary is now localized, not because the first guess
|
|
221
|
+
sounded plausible.
|
|
222
|
+
|
|
223
|
+
<!-- mustflow-section: verification -->
|
|
224
|
+
## Verification
|
|
225
|
+
|
|
226
|
+
Use configured oneshot command intents when available:
|
|
227
|
+
|
|
228
|
+
- `changes_status`
|
|
229
|
+
- `changes_diff_summary`
|
|
230
|
+
- `lint`
|
|
231
|
+
- `build`
|
|
232
|
+
- `test_related`
|
|
233
|
+
- `test`
|
|
234
|
+
- `docs_validate_fast`
|
|
235
|
+
- `test_release`
|
|
236
|
+
- `mustflow_check`
|
|
237
|
+
|
|
238
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
|
|
239
|
+
localized API failure boundary. Do not infer raw servers, live providers, database shells, browser
|
|
240
|
+
sessions, packet captures, production logs, load tests, profilers, or network probes outside the
|
|
241
|
+
command contract.
|
|
242
|
+
|
|
243
|
+
<!-- mustflow-section: failure-handling -->
|
|
244
|
+
## Failure Handling
|
|
245
|
+
|
|
246
|
+
- If the failing request packet cannot be captured, stop speculative edits and report the closest
|
|
247
|
+
safe evidence plus the missing packet fields.
|
|
248
|
+
- If evidence contains secrets or personal data, redact before storing or reporting it.
|
|
249
|
+
- If boundary evidence requires live production access, private dashboards, external provider
|
|
250
|
+
consoles, or unconfigured network diagnostics, report the manual evidence boundary.
|
|
251
|
+
- If a configured command fails, preserve the failing intent and output tail, then fix only the API
|
|
252
|
+
boundary or contract exercised by that failure.
|
|
253
|
+
- If the root cause points to security, payment, rate limit, cache, retry, queue, or deployment risk,
|
|
254
|
+
switch to the narrower matching skill before editing that part.
|
|
255
|
+
|
|
256
|
+
<!-- mustflow-section: output-format -->
|
|
257
|
+
## Output Format
|
|
258
|
+
|
|
259
|
+
- API failure triaged
|
|
260
|
+
- Failing request packet and success comparator, with redactions
|
|
261
|
+
- Boundary and timing ledger
|
|
262
|
+
- Status/body/content-type, CORS/preflight, redirect/proxy, authn/authz, clock, retry/timeout,
|
|
263
|
+
rate-limit/idempotency, cache, OpenAPI, and deployment-diff findings
|
|
264
|
+
- Hypotheses killed, still open, and selected localized boundary
|
|
265
|
+
- Fix applied or recommended
|
|
266
|
+
- Evidence level: reproduced packet, comparator evidence, configured-test evidence, static review
|
|
267
|
+
risk, manual-only, missing, or not applicable
|
|
268
|
+
- Command intents run
|
|
269
|
+
- Skipped diagnostics and reasons
|
|
270
|
+
- Remaining API-failure risk
|
package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md
CHANGED
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.architecture-deepening-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: architecture-deepening-review
|
|
9
|
-
description: Apply this skill when architecture, module boundaries, or codebase structure need review before choosing a refactor or abstraction.
|
|
9
|
+
description: Apply this skill when architecture, module boundaries, layered boundaries, or codebase structure need review before choosing a refactor or abstraction.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -36,7 +36,7 @@ This is a review-first skill. It helps decide whether code needs a deeper module
|
|
|
36
36
|
<!-- mustflow-section: use-when -->
|
|
37
37
|
## Use When
|
|
38
38
|
|
|
39
|
-
- The user asks for architecture review, module boundaries, structural improvement, codebase deepening, maintainability review, or testability improvement.
|
|
39
|
+
- The user asks for architecture review, layered architecture review, module boundaries, structural improvement, codebase deepening, maintainability review, or testability improvement.
|
|
40
40
|
- The user asks where a design will break first as it grows, which responsibility boundary is most likely to blur, or whether a module, service, database owner, permission model, deployment unit, or failure boundary is still clear enough.
|
|
41
41
|
- A file, module, service, handler, command, controller, or test suite looks broad enough that the next edit may add another responsibility.
|
|
42
42
|
- Code exposes internal steps to many callers, repeats orchestration, or makes tests hard because policy, I/O, formatting, and dispatch are mixed.
|
|
@@ -58,6 +58,8 @@ This is a review-first skill. It helps decide whether code needs a deeper module
|
|
|
58
58
|
- Target area, current pain, and the user-facing or maintainer-facing reason to inspect architecture.
|
|
59
59
|
- Relevant source files, call sites, exports, tests, fixtures, schemas, templates, or documentation that show current behavior and ownership.
|
|
60
60
|
- Local patterns for modules, boundaries, naming, errors, dependency direction, and tests.
|
|
61
|
+
- Current change-pressure evidence: which business rules, providers, data contracts, permissions, read paths, or operational demands are expected to change independently.
|
|
62
|
+
- Current enforcement evidence: physical modules, package boundaries, import rules, architecture tests, public API surfaces, or reviewer-only conventions that allow or block boundary violations.
|
|
61
63
|
- The data owner, write path, failure mode, and expected 3x, 10x, or 100x growth pressure when the review is about a design rather than only a file split.
|
|
62
64
|
- Current changed-file list when the worktree is already dirty.
|
|
63
65
|
- Relevant command-intent contract entries for verification.
|
|
@@ -87,39 +89,51 @@ This is a review-first skill. It helps decide whether code needs a deeper module
|
|
|
87
89
|
2. Inspect local evidence before judging.
|
|
88
90
|
- Read imports, exports, public functions, call sites, related tests, and nearby module conventions.
|
|
89
91
|
- Prefer evidence from current code and tests over generic architecture advice.
|
|
90
|
-
3.
|
|
92
|
+
3. Reject layer theater before proposing deeper structure.
|
|
93
|
+
- Do not treat `controller`, `service`, `repository`, `domain`, `infra`, or similar folder names
|
|
94
|
+
as architecture evidence by themselves.
|
|
95
|
+
- Check whether one business change forces edits across many technical folders. If yes, rank the
|
|
96
|
+
feature or capability boundary before adding another technical layer.
|
|
97
|
+
- Check whether dependency direction is enforced by modules, packages, import rules, architecture
|
|
98
|
+
tests, or build boundaries. Reviewer memory is weak evidence.
|
|
99
|
+
- Treat caller-owned ports, narrow use-case interfaces, adapter mappings, and explicit public
|
|
100
|
+
module surfaces as stronger boundary evidence than broad infrastructure-owned interfaces.
|
|
101
|
+
- Mark pass-through services, table-shaped repositories, generic CRUD bases, and `common`,
|
|
102
|
+
`shared`, or `utils` growth as smells unless they hide real policy, translation, transaction,
|
|
103
|
+
test, or provider complexity.
|
|
104
|
+
4. Identify one to three candidate boundaries.
|
|
91
105
|
- Each candidate must name the responsibility it would hide or clarify.
|
|
92
106
|
- Reject candidates that only rename, wrap, or move code without lowering caller complexity or test cost.
|
|
93
|
-
|
|
107
|
+
5. Force the design through the ownership and failure questions before scoring.
|
|
94
108
|
- Name the first likely mixed-responsibility boundary. Common early failures are business rules leaking into controllers, repositories, external adapters, UI components, or framework-specific handlers.
|
|
95
109
|
- Name the final owner for important data. The owner is the module that protects the invariant, not necessarily the module that reads the value most often.
|
|
96
110
|
- Separate original state from cache, search index, analytics, summary, AI output, provider response, or other derived state.
|
|
97
111
|
- Identify every direct write path for high-impact fields such as status, role, permission, balance, quota, plan, entitlement, deleted state, payment state, or ownership.
|
|
98
112
|
- Ask whether a failure creates a visible failure state or silently creates false success. High-impact paths such as authorization, payment, entitlement, deletion, and destructive administration should fail closed.
|
|
99
113
|
- Ask whether duplicate requests, retries, webhook redelivery, queue replay, or worker restart can repeat a harmful effect. If yes, require an idempotency, ledger, outbox, or reconciliation boundary before calling the design safe.
|
|
100
|
-
|
|
114
|
+
6. Check growth pressure in concrete stages.
|
|
101
115
|
- At 3x scale, look first for implementation-quality failures: missing indexes, N+1 reads, large responses, synchronous file or image work, repeated external calls, and insufficient connection pools.
|
|
102
116
|
- At 10x scale, look first for ownership and state failures: write hot spots, queue delay, cache invalidation, server-local files, scattered permission rules, external API rate limits, and deployment units that change for unrelated reasons.
|
|
103
117
|
- At 100x scale, look first for partitioning and operational failures: data split boundaries, tenant or region hot spots, retry storms, external dependency isolation, long deploy recovery, missing observability, and manual-only recovery paths.
|
|
104
|
-
|
|
118
|
+
7. Check scaling direction without forcing premature distribution.
|
|
105
119
|
- A small team may start with one larger server or a simple server set, but request handlers should not depend on process memory, local uploads, duplicate cron execution, in-transaction external calls, or server-specific job state.
|
|
106
120
|
- Application servers should be able to become stateless. Databases may start with vertical scaling, but the design should not block read replicas, read models, queue-backed work, or future data partitioning.
|
|
107
121
|
- Horizontal scaling is only real if any server can handle the same request, workers can safely duplicate or retry work, and database writes do not all converge on an uncontrolled hot spot.
|
|
108
|
-
|
|
122
|
+
8. Score each candidate from 1 to 9.
|
|
109
123
|
- User value: whether the structure protects a user-visible or public contract.
|
|
110
124
|
- Maintenance value: whether future changes become smaller or less error-prone.
|
|
111
125
|
- Blast radius: how many callers, files, schemas, templates, or docs would change.
|
|
112
126
|
- Testability: whether behavior can be proven with existing or focused tests.
|
|
113
127
|
- Reversibility: whether the change can be undone without a public migration.
|
|
114
128
|
- Evidence confidence: whether the diagnosis is supported by local code, tests, or repeated change patterns.
|
|
115
|
-
|
|
129
|
+
9. Choose the next action.
|
|
116
130
|
- Recommend one smallest structural move, or explicitly stop at analysis-only when the evidence is not strong enough.
|
|
117
131
|
- If implementation proceeds, use the narrower matching skill before editing that boundary.
|
|
118
|
-
|
|
132
|
+
10. Keep the structure move shallow-to-deep.
|
|
119
133
|
- Start with caller simplification, naming, and responsibility boundaries.
|
|
120
134
|
- Then extract a focused facade, policy, strategy, pure core, adapter, result type, or dependency boundary only when it clearly removes real complexity.
|
|
121
135
|
- Avoid turning a broad file into many vague files with the same responsibilities.
|
|
122
|
-
|
|
136
|
+
11. Verify and report.
|
|
123
137
|
- Run the narrowest configured command intents that cover the changed surface.
|
|
124
138
|
- Report skipped checks, unknown behavior evidence, and any candidate intentionally deferred.
|
|
125
139
|
|
|
@@ -128,6 +142,8 @@ This is a review-first skill. It helps decide whether code needs a deeper module
|
|
|
128
142
|
|
|
129
143
|
- The output contains a ranked architecture candidate list or one scoped structural change.
|
|
130
144
|
- Any chosen change has a named reason tied to lower change cost, lower defect risk, or better testability.
|
|
145
|
+
- Layered-architecture claims are backed by change-pressure, dependency-direction, public-surface,
|
|
146
|
+
and enforcement evidence rather than folder names alone.
|
|
131
147
|
- Important data has a named owner, write path, original-or-derived classification, and failure behavior when the reviewed design touches durable state.
|
|
132
148
|
- Growth pressure is either checked at 3x, 10x, and 100x or explicitly marked not relevant to the current architecture decision.
|
|
133
149
|
- Behavior changes are excluded or explicitly moved to a separate follow-up.
|
|
@@ -164,6 +180,7 @@ Use documentation and release checks only when the review or chosen change touch
|
|
|
164
180
|
|
|
165
181
|
- Review target and current pain
|
|
166
182
|
- Evidence inspected
|
|
183
|
+
- Layering, change-pressure, and boundary-enforcement evidence
|
|
167
184
|
- Data owner, write path, and original-versus-derived state when relevant
|
|
168
185
|
- Failure mode, idempotency, and recovery boundary when relevant
|
|
169
186
|
- 3x, 10x, and 100x growth pressure when relevant
|