mustflow 2.84.0 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (105) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +14 -0
  3. package/dist/cli/i18n/en.js +262 -0
  4. package/dist/cli/i18n/es.js +262 -0
  5. package/dist/cli/i18n/fr.js +262 -0
  6. package/dist/cli/i18n/hi.js +262 -0
  7. package/dist/cli/i18n/ko.js +262 -0
  8. package/dist/cli/i18n/zh.js +262 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +397 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +178 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  17. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  18. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  19. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  20. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  21. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  22. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  23. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  24. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  25. package/dist/cli/script-packs/repo-version-source.js +92 -0
  26. package/dist/cli/script-packs/test-performance-report.js +247 -0
  27. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  28. package/dist/core/change-impact.js +355 -0
  29. package/dist/core/change-surface-classification.js +198 -0
  30. package/dist/core/change-verification.js +32 -5
  31. package/dist/core/config-loading.js +121 -4
  32. package/dist/core/dependency-graph.js +490 -0
  33. package/dist/core/docs-link-integrity.js +443 -0
  34. package/dist/core/env-contract.js +450 -0
  35. package/dist/core/import-cycle.js +152 -0
  36. package/dist/core/line-endings.js +26 -13
  37. package/dist/core/public-json-contracts.js +167 -0
  38. package/dist/core/repo-approval-gate.js +116 -0
  39. package/dist/core/repo-git-ignore-audit.js +302 -0
  40. package/dist/core/repo-manifest-lock-drift.js +321 -0
  41. package/dist/core/repo-merge-conflict-scan.js +335 -0
  42. package/dist/core/repo-version-source.js +82 -0
  43. package/dist/core/route-outline.js +57 -5
  44. package/dist/core/script-pack-suggestions.js +97 -1
  45. package/dist/core/secret-risk-scan.js +440 -0
  46. package/dist/core/skill-route-audit.js +354 -0
  47. package/dist/core/test-performance-report.js +697 -0
  48. package/dist/core/test-regression-selector.js +335 -0
  49. package/package.json +1 -1
  50. package/schemas/README.md +54 -0
  51. package/schemas/change-impact-report.schema.json +184 -0
  52. package/schemas/commands.schema.json +12 -0
  53. package/schemas/dependency-graph-report.schema.json +149 -0
  54. package/schemas/env-contract-report.schema.json +203 -0
  55. package/schemas/import-cycle-report.schema.json +157 -0
  56. package/schemas/link-integrity-report.schema.json +176 -0
  57. package/schemas/repo-approval-gate-report.schema.json +115 -0
  58. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  59. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  60. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  61. package/schemas/repo-version-source-report.schema.json +127 -0
  62. package/schemas/secret-risk-scan-report.schema.json +152 -0
  63. package/schemas/skill-route-audit-report.schema.json +144 -0
  64. package/schemas/test-performance-report.schema.json +319 -0
  65. package/schemas/test-regression-selector-report.schema.json +187 -0
  66. package/templates/default/i18n.toml +80 -26
  67. package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
  68. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  69. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  70. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  71. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  72. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  73. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  74. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  75. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  76. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  77. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  78. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  79. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  80. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  81. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  82. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  83. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  84. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  85. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  86. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  87. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  88. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  89. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  90. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  91. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  92. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  93. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  94. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  95. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  96. package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
  97. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  98. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  99. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  100. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  101. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
  102. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
  103. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  104. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  105. package/templates/default/manifest.toml +71 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.api-access-control-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: api-access-control-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, broken authentication, tenant isolation, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, payment or refund API authorization, broken authentication, tenant isolation, effective permission decisions, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -43,6 +43,10 @@ perform this action on this object, this field, and this tenant context?"
43
43
  exports, downloads, previews, batch APIs, background jobs, webhooks, auth middleware, sessions,
44
44
  cookies, JWTs, OAuth or OIDC flows, password reset, MFA, admin APIs, internal APIs, cache keys,
45
45
  DTO mapping, tests, or API docs.
46
+ - Payment, refund, transfer, payout, credit, entitlement, or subscription APIs need proof that the
47
+ requester may act on that specific object, amount-bearing operation, tenant, account, or current
48
+ resource state. Use `payment-integrity-review` for money-event correctness and this skill for the
49
+ API object, property, and function authorization proof.
46
50
  - A request, token, body, query string, path parameter, webhook payload, queue payload, or client
47
51
  state supplies `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `projectId`, `role`,
48
52
  `ownerId`, object id, file key, status, price, entitlement, plan, or other authority-bearing data.
@@ -73,6 +77,9 @@ perform this action on this object, this field, and this tenant context?"
73
77
  - Subject-object-action-context ledger: principal, session, token, API key, service account, tenant,
74
78
  organization, workspace, role, relationship, resource, object id, field or property, action,
75
79
  state, and request context.
80
+ - Decision explanation ledger: effective permission, matched policy, explicit deny, inheritance
81
+ path, policy version, data revision, token issue time, and allow or deny reason when the product
82
+ has policy-engine or audit-log support.
76
83
  - Object authorization ledger: list, detail, count, search, export, download, preview, share,
77
84
  update, delete, approve, invite, refund, transfer, admin, batch, worker, and webhook paths that
78
85
  can reach the same object.
@@ -135,101 +142,111 @@ perform this action on this object, this field, and this tenant context?"
135
142
  - `role === "admin"` is usually too small.
136
143
  - Check whether the principal is admin for this organization, owner of this project, seller for
137
144
  this order, billing admin for this account, or allowed to act in this resource state.
138
- 6. Compare list and detail scopes.
145
+ - Prefer effective-permission evidence and policy decision explanations over a raw role list.
146
+ 6. Check default-deny and explicit-deny behavior.
147
+ - No matching policy, unknown role, unknown action, malformed id, parsing failure, policy server
148
+ timeout, and policy-cache miss should not silently allow access.
149
+ - When allow and deny policies both match, the product needs a documented and tested combination
150
+ rule.
151
+ 7. Compare list and detail scopes.
139
152
  - If list filters by current user or tenant but detail, count, search, analytics, export, or
140
153
  download uses only object id, report the gap.
141
- 7. Review write APIs harder than read APIs.
154
+ 8. Review write APIs harder than read APIs.
142
155
  - `PUT`, `PATCH`, `DELETE`, approve, refund, invite, transfer, publish, restore, and role-change
143
156
  operations need write-specific permission, state, amount, and audit checks.
144
157
  - Read permission is not write permission.
145
- 8. Stop mass assignment at the boundary.
158
+ 9. Stop mass assignment at the boundary.
146
159
  - Flag request-body-to-entity binding, raw DTO persistence, GraphQL input passthrough, ORM update
147
160
  data from raw body, and blind spread or object assignment.
148
161
  - Privileged fields such as `role`, `status`, `ownerId`, `tenantId`, `isVerified`, `plan`,
149
162
  `credit`, `deletedAt`, `price`, and `quota` must be derived, guarded, or allowlisted.
150
- 9. Check response DTOs for property-level exposure.
163
+ 10. Check response DTOs for property-level exposure.
151
164
  - Entity-to-JSON responses can leak `passwordHash`, `mfaSecret`, `internalMemo`,
152
165
  `billingCustomerId`, storage keys, provider IDs, deletion reasons, or admin-only fields later.
153
166
  - Use public response mappers and role-aware field policies when field visibility differs.
154
- 10. Treat client-side admin UI as decoration.
167
+ 11. Treat client-side admin UI as decoration.
155
168
  - Hidden buttons, disabled controls, frontend routes, mobile checks, and generated clients are
156
169
  not access control.
157
170
  - Admin and support operations need server-side scope, reason, audit, and denial tests.
158
- 11. Search for temporary public holes.
171
+ 12. Search for temporary public holes.
159
172
  - Inspect `permitAll`, `anonymous`, `skipAuth`, `bypassAuth`, `public`, `internalOnly`,
160
173
  `devOnly`, `TODO auth`, debug endpoints, health endpoints with extra data, and test-only
161
174
  switches that can reach real data or operations.
162
- 12. Review router and middleware order.
175
+ 13. Review router and middleware order.
163
176
  - Dynamic routes like `/:id` can shadow `/me`, `/admin`, or `/settings`.
164
177
  - Prefix middleware can leave sibling paths, nested routers, serverless functions, or framework
165
178
  route groups unauthenticated.
166
- 13. Review GraphQL per resolver.
179
+ 14. Review GraphQL per resolver.
167
180
  - Endpoint-level auth is not enough.
168
181
  - Check `node(id)`, nested fields, connections, edges, aggregates, mutations, and field
169
182
  resolvers for object and property authorization.
170
- 14. Review batch APIs per item.
183
+ 15. Review batch APIs per item.
171
184
  - Bulk create, delete, export, import, and update endpoints must authorize every object.
172
185
  - Define whether one denied item fails the whole request, returns per-item results, or produces
173
186
  a retrievable failure report.
174
- 15. Review export, download, preview, thumbnail, and share paths.
187
+ 16. Review export, download, preview, thumbnail, and share paths.
175
188
  - CRUD may be protected while file delivery, generated previews, thumbnails, CSV exports, and
176
189
  shared links bypass the same policy.
177
- 16. Treat signed storage URLs as outputs of authorization.
190
+ 17. Treat signed storage URLs as outputs of authorization.
178
191
  - S3, GCS, R2, CDN, and private file URLs must be generated only after object authorization.
179
192
  - Check key predictability, URL lifetime, scope, content disposition, cache behavior, revocation,
180
193
  and whether direct object access bypasses policy.
181
- 17. Enforce tenant boundaries in every query and cache.
194
+ 18. Enforce tenant boundaries in every query and cache.
182
195
  - `WHERE id = ?` is weak in multi-tenant code; include tenant, membership, owner, sharing, or
183
196
  database policy constraints.
184
197
  - Cache keys for private data need tenant and permission dimensions, not just object id.
185
- 18. Revalidate asynchronous jobs.
198
+ 19. Revalidate asynchronous jobs.
186
199
  - Queue payloads with only `userId`, `tenantId`, or `fileId` can outlive permission changes.
187
200
  - Workers, retries, admin reruns, scheduled tasks, and webhook-triggered jobs need actor,
188
201
  tenant, resource, state, and current permission or service-principal checks at execution time.
189
- 19. Separate webhook authenticity from authorization.
202
+ 20. Separate webhook authenticity from authorization.
190
203
  - Signature verification proves the provider sent the event.
191
204
  - Ownership mapping proves the event belongs to this tenant, account, customer, installation,
192
205
  repository, subscription, or resource.
193
- 20. Keep OAuth and OIDC purposes distinct.
206
+ 21. Keep OAuth and OIDC purposes distinct.
194
207
  - OIDC ID tokens identify a user for login.
195
208
  - OAuth access tokens authorize delegated API access.
196
209
  - Do not use an ID token as an API permission token or an access token as a login proof without
197
210
  the appropriate validation and intent.
198
- 21. Verify JWTs completely.
211
+ 22. Verify JWTs completely.
199
212
  - Decoding is not verification.
200
213
  - Check signature, algorithm allowlist, issuer, audience, expiry, not-before when used, key
201
214
  source, key rotation, subject, tenant binding, and stale authorization claims.
202
- 22. Treat token claims as snapshots, not eternal truth.
215
+ 23. Treat token claims as snapshots, not eternal truth.
203
216
  - Long-lived `role`, `plan`, `tenantId`, and permission claims can survive demotion, removal,
204
217
  subscription cancellation, suspension, or revocation.
205
218
  - Important decisions should check current server-side state or use short-lived tokens with
206
219
  revocation strategy.
207
- 23. Regenerate session identity after privilege changes.
220
+ 24. Measure revocation and stale-permission windows.
221
+ - User removal, role demotion, organization leave, policy-version changes, subscription state
222
+ changes, and ownership transfers should say how quickly sessions, JWTs, caches, search
223
+ indexes, queued jobs, and signed URLs stop authorizing old access.
224
+ 25. Regenerate session identity after privilege changes.
208
225
  - Login, password change, MFA changes, role changes, user-to-admin transitions, and account
209
226
  recovery should rotate session identifiers or refresh tokens according to local policy.
210
- 24. Check authentication cookies.
227
+ 26. Check authentication cookies.
211
228
  - Cookies carrying session authority need `Secure`, `HttpOnly`, appropriate `SameSite`,
212
229
  domain, path, lifetime, rotation, logout, revocation, and CSRF posture.
213
230
  - Avoid URL-carried session identifiers.
214
- 25. Require reauthentication for sensitive actions.
231
+ 27. Require reauthentication for sensitive actions.
215
232
  - Password change, email change, MFA disable, payment method change, organization ownership
216
233
  transfer, API-key creation, and destructive admin actions should require fresh proof.
217
- 26. Review reset and magic-link tokens.
234
+ 28. Review reset and magic-link tokens.
218
235
  - Tokens need strong randomness, one-time use, short expiration, purpose binding, user binding,
219
236
  safe storage, link-preview protection, session invalidation where needed, and no reuse across
220
237
  unrelated flows.
221
- 27. Compare account-enumeration responses.
238
+ 29. Compare account-enumeration responses.
222
239
  - Login, signup, password reset, magic link, invitation, and email verification should avoid
223
240
  leaking account existence through message, status, timing, or email-sending behavior unless
224
241
  product policy accepts that disclosure.
225
- 28. Treat automation defense as part of authentication.
242
+ 30. Treat automation defense as part of authentication.
226
243
  - Login, OTP, magic link, password reset, invite acceptance, coupon application, email
227
244
  verification, and MFA attempts need rate limits, lockouts, challenge policy, IP/device/user
228
245
  dimensions, and observability.
229
- 29. Separate internal and external identity planes.
246
+ 31. Separate internal and external identity planes.
230
247
  - Backoffice, operator, database, middleware, and support accounts should not flow through the
231
248
  same customer login path unless the product intentionally models and audits that boundary.
232
- 30. Test the denial matrix.
249
+ 32. Test the denial matrix.
233
250
  - Success tests prove little.
234
251
  - For each protected resource, cover anonymous, normal user, other owner, same organization
235
252
  different role, other tenant, admin wrong tenant, revoked user, suspended member, stale token,
@@ -240,6 +257,8 @@ perform this action on this object, this field, and this tenant context?"
240
257
 
241
258
  - The API access-control decision names subject, object, action, field or property, tenant or owner,
242
259
  current state, and trusted context when those apply.
260
+ - Effective permission, matched policy, explicit deny, inheritance path, policy version, data
261
+ revision, token issue time, and revocation window are checked or named as gaps when relevant.
243
262
  - Authentication, object authorization, property authorization, and function authorization are not
244
263
  collapsed into one route guard.
245
264
  - Client-supplied identity and authority fields are either ignored, verified against server-side
@@ -287,6 +306,8 @@ and account-enumeration response parity.
287
306
 
288
307
  - API access control reviewed
289
308
  - Subject, object, action, field, tenant or owner, state, and trusted context
309
+ - Effective permission, decision explanation, policy version, data revision, token age, and
310
+ revocation-window findings
290
311
  - Object, property, and function authorization findings
291
312
  - Authentication, session, token, cookie, OAuth/OIDC, reset, reauthentication, enumeration, and
292
313
  automation findings
@@ -0,0 +1,270 @@
1
+ ---
2
+ mustflow_doc: skill.api-failure-triage
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: api-failure-triage
9
+ description: Apply this skill when an API request, SDK call, webhook callback, browser request, mobile call, gateway route, CORS preflight, CDN or load-balancer path, upstream dependency call, or OpenAPI-backed integration is failing, intermittent, slow, returning the wrong status or body, blocked by authentication or authorization, rate-limited, retried, cached incorrectly, or not yet localized to client, network, proxy, app, database, cache, provider, or deployment configuration. Use before api-request-performance-review when the first job is to preserve the failing wire evidence and cut the failure boundary.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.api-failure-triage
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # API Failure Triage
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Triage API failures by preserving the actual request and cutting the path boundary before editing
33
+ code.
34
+
35
+ The first question is not "which log looks suspicious?" It is "what bytes left the caller, what
36
+ bytes came back, which boundary changed them, and what evidence would disprove each hypothesis?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - A user reports that an API call, SDK request, browser request, mobile request, webhook callback,
42
+ backend-for-frontend path, gateway route, CDN path, load-balancer path, or provider integration is
43
+ failing or intermittent.
44
+ - The failure is not yet localized to client code, DNS, TCP, TLS, proxy, CORS preflight, redirect,
45
+ gateway, app handler, database, cache, external provider, rate limiter, retry policy, auth,
46
+ deployment configuration, or OpenAPI drift.
47
+ - Code or docs claim an API failure is a network issue, CORS issue, server issue, auth issue, cache
48
+ issue, provider issue, or retry issue without preserved wire evidence.
49
+ - A fix might otherwise start from logs, framework assumptions, SDK behavior, browser console text,
50
+ or a broad search before one failing request is captured.
51
+
52
+ <!-- mustflow-section: do-not-use-when -->
53
+ ## Do Not Use When
54
+
55
+ - The failing request is already reproduced and the root cause is clear enough for a targeted fix;
56
+ use the narrower code, API contract, cache, retry, auth, database, or failure-integrity skill.
57
+ - The task is only per-request latency optimization after the API path is known; use
58
+ `api-request-performance-review`.
59
+ - The task is only public error wording or error-envelope cleanup; use
60
+ `error-message-integrity-review`.
61
+ - The task is only observability design with no current API failure to localize; use
62
+ `observability-debuggability-review`.
63
+ - Reproduction requires live production secrets, destructive calls, real payments, real user data,
64
+ private logs, or unconfigured external systems. Preserve available static evidence and report the
65
+ manual boundary instead.
66
+
67
+ <!-- mustflow-section: required-inputs -->
68
+ ## Required Inputs
69
+
70
+ - Failure packet: observed time and timezone, request id or trace id when present, caller, client or
71
+ SDK version, API version, method, URL route template, sanitized headers, sanitized body shape,
72
+ status code, response headers, response body shape, total latency, and retry or redirect behavior.
73
+ - Success comparator: a nearby successful request, previous working version, same request with one
74
+ dimension changed, or a documented expected request shape.
75
+ - Boundary ledger: client, browser preflight, SDK middleware, DNS, TCP, TLS, proxy, CDN, WAF,
76
+ gateway, load balancer, app, queue, database, cache, external provider, and response serialization
77
+ boundaries relevant to the path.
78
+ - Timing ledger: name lookup, connection, TLS, first byte, total transfer, app handler time, queue
79
+ time, pool wait, database time, cache time, external dependency time, serialization time, and
80
+ download time when evidence exists.
81
+ - Contract ledger: HTTP method, redirect behavior, content negotiation, content type, encoding,
82
+ status code semantics, error envelope, retryability, idempotency, rate-limit headers, cache
83
+ headers, OpenAPI or generated-client contract, and deployment version.
84
+ - Auth ledger: credential presence, token expiry and not-before time, signature timestamp, clock
85
+ skew, user or service principal, object authorization, tenant scope, and proxy header preservation.
86
+ - Change ledger: deploy, config, secret, feature flag, routing rule, schema migration, provider
87
+ version, generated client, cache policy, rate-limit policy, and environment difference near the
88
+ first bad time.
89
+ - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
90
+ validation.
91
+
92
+ <!-- mustflow-section: preconditions -->
93
+ ## Preconditions
94
+
95
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
96
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
97
+ current scope.
98
+ - Required request, response, boundary, timing, contract, auth, and change evidence is available or
99
+ can be reported as missing without guessing.
100
+ - If the preserved evidence exposes secrets, tokens, cookies, personal data, payment data, private
101
+ URLs, raw bodies, or hidden reasoning, summarize and redact rather than copying it into docs,
102
+ tests, logs, commits, or final reports.
103
+
104
+ <!-- mustflow-section: allowed-edits -->
105
+ ## Allowed Edits
106
+
107
+ - Add or tighten request parsing, content-type handling, status mapping, Problem Details or local
108
+ error-envelope mapping, request ID propagation, trace context, auth checks, proxy header handling,
109
+ timeout classification, retry and idempotency classification, rate-limit response handling, cache
110
+ header handling, OpenAPI contract tests, deployment config comparison tests, and focused
111
+ reproduction fixtures.
112
+ - Add focused tests that preserve the failing wire shape, success/failure comparator, status and
113
+ body contract, auth boundary, retryability, cache behavior, OpenAPI drift, or deployment config
114
+ difference.
115
+ - Do not add broad retries, blanket cache bypasses, CORS wildcards, auth bypasses, status-code
116
+ remapping, proxy header trust, live provider calls, raw production log dumps, or speculative
117
+ framework rewrites before the failing boundary is localized.
118
+ - Do not treat browser console text, SDK exception text, status code alone, or application logs alone
119
+ as the failing request evidence.
120
+
121
+ <!-- mustflow-section: procedure -->
122
+ ## Procedure
123
+
124
+ 1. Preserve one failing request packet.
125
+ - Record method, route template, sanitized headers, sanitized body shape, status, response
126
+ headers, response body shape, total latency, request id, trace id, caller version, API version,
127
+ and observed time basis.
128
+ - If the failure is intermittent, keep the first bad time and a small sample of failing and
129
+ successful packets rather than a raw log dump.
130
+ 2. Compare success and failure at the wire boundary.
131
+ - Compare actual transmitted method, URL encoding, query order and defaults, headers, cookies,
132
+ body shape, null versus empty string, array order, content type, accept header, charset, API
133
+ version, and redirect path.
134
+ - Do not compare only source code or SDK call arguments because middleware, retries, proxies,
135
+ redirects, and defaults can rewrite the request.
136
+ 3. Cut the path into boundaries.
137
+ - Check whether the request reaches each boundary: client, preflight, SDK, DNS, TCP, TLS, proxy,
138
+ CDN, WAF, gateway, load balancer, app handler, queue, database, cache, external provider, and
139
+ response serializer.
140
+ - Prefer evidence that halves the search space. If the app never sees the request, app logs are
141
+ not the first evidence source.
142
+ 4. Split timing before assigning blame.
143
+ - Separate name lookup, connection, TLS, first byte, total download, app handler time, queue time,
144
+ pool wait, database time, cache time, external dependency time, serialization time, and payload
145
+ transfer when available.
146
+ - Average latency is weak evidence. Use endpoint, status, region, client, API version, and
147
+ percentile slices when telemetry exists.
148
+ 5. Check browser-only failures separately.
149
+ - For browser-only symptoms, inspect preflight, allowed method, allowed headers, credentials
150
+ mode, redirect behavior, and whether the failing request happens before the real method is sent.
151
+ - For server-to-server failures, do not diagnose CORS unless a browser boundary is actually
152
+ involved.
153
+ 6. Check redirect and proxy mutation.
154
+ - Verify whether redirects change method, body, host, scheme, authorization, cookies, or signed
155
+ headers.
156
+ - Verify whether proxies preserve `Authorization`, `Host`, forwarded headers, request ids,
157
+ trace context, content length, idempotency keys, and rate-limit headers according to local
158
+ trust policy.
159
+ 7. Check status, body, and content-type consistency.
160
+ - A `200` response with an error body, a `500` for caller validation, a hidden `404` for auth,
161
+ or a JSON content type with an HTML error body can break clients and monitoring.
162
+ - Map API errors to stable codes, request IDs, invalid fields, retryability, and safe support
163
+ evidence when the local contract supports it.
164
+ 8. Split authentication from authorization.
165
+ - Verify credentials were sent, valid, not expired, and signed against the expected time basis.
166
+ - Separately verify whether the authenticated principal can access the target object, property,
167
+ tenant, or function.
168
+ - Treat "same token, different resource id returns another user's data" as an access-control
169
+ incident, not ordinary debugging.
170
+ 9. Check clock and signature time.
171
+ - Review token `exp` or `nbf`, signed request timestamps, webhook timestamps, cache expiry, rate
172
+ limit windows, and server/client clock skew when the failure is intermittent or boundary-time
173
+ sensitive.
174
+ 10. Check retry, timeout, rate limit, and idempotency.
175
+ - Separate connect, TLS, first-byte, read, write, dependency, pool, and total-deadline failures
176
+ when evidence exists.
177
+ - Confirm retries are bounded, jittered, scoped to one layer, and safe for the operation.
178
+ - For side-effecting requests, require a durable idempotency key and result replay or unknown
179
+ outcome reconciliation before retrying.
180
+ - Preserve `429`, rate-limit policy, and retry-after semantics instead of turning throttling into
181
+ generic server failure.
182
+ 11. Check cache and content negotiation.
183
+ - Compare cached and cache-bypassed behavior when allowed by the current command and environment
184
+ boundary.
185
+ - Inspect cache-control, validators, age, vary dimensions, authorization or cookie variance,
186
+ API version, language, query dimensions, and stale or negative-cache behavior.
187
+ 12. Check app-internal cost and dependency fan-out only after the request reaches the app.
188
+ - If the app receives the request, build a compact cost ledger for database, cache, external API,
189
+ serialization, compression, and response size.
190
+ - Use `api-request-performance-review`, database, cache, retry, queue, or observability skills
191
+ for the localized subproblem.
192
+ 13. Check OpenAPI and generated-client drift.
193
+ - Compare deployed behavior with the documented contract: required fields, nullability, enum
194
+ values, status codes, headers, content type, and error envelope.
195
+ - Treat generated client, SDK, or schema drift as a contract issue even when the server and
196
+ client each look locally correct.
197
+ 14. Check deployment and environment diffs.
198
+ - Near the first bad time, compare release id, config, secret names, routing rules, feature
199
+ flags, provider account, migration state, cache policy, rate-limit policy, and generated
200
+ artifacts.
201
+ - Do not blame code before environment and route changes are ruled in or out.
202
+ 15. Maintain a hypothesis table.
203
+ - For each hypothesis, write the expected evidence and the observation that would disprove it.
204
+ - Kill wrong hypotheses quickly. Long log reading without a falsifiable hypothesis is not
205
+ progress.
206
+ 16. Apply the smallest localized fix.
207
+ - Once the boundary is proven, switch to the specific skill for that boundary and edit only the
208
+ owning code, contract, test, doc, template, or config surface.
209
+ - Re-run the original reproduction path or the closest configured intent after the fix.
210
+
211
+ <!-- mustflow-section: postconditions -->
212
+ ## Postconditions
213
+
214
+ - The failing request packet, success comparator, boundary ledger, timing ledger, contract ledger,
215
+ auth ledger, and change ledger are explicit or reported as missing.
216
+ - The failure is localized to a boundary or left as a named evidence gap instead of a guessed cause.
217
+ - Status/body/content-type, CORS/preflight, redirects, proxy headers, authn/authz, clock skew,
218
+ timeout/retry/rate-limit/idempotency, cache headers, OpenAPI drift, and deployment diffs are fixed
219
+ or reported where relevant.
220
+ - Any follow-up skill is selected because the boundary is now localized, not because the first guess
221
+ sounded plausible.
222
+
223
+ <!-- mustflow-section: verification -->
224
+ ## Verification
225
+
226
+ Use configured oneshot command intents when available:
227
+
228
+ - `changes_status`
229
+ - `changes_diff_summary`
230
+ - `lint`
231
+ - `build`
232
+ - `test_related`
233
+ - `test`
234
+ - `docs_validate_fast`
235
+ - `test_release`
236
+ - `mustflow_check`
237
+
238
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
239
+ localized API failure boundary. Do not infer raw servers, live providers, database shells, browser
240
+ sessions, packet captures, production logs, load tests, profilers, or network probes outside the
241
+ command contract.
242
+
243
+ <!-- mustflow-section: failure-handling -->
244
+ ## Failure Handling
245
+
246
+ - If the failing request packet cannot be captured, stop speculative edits and report the closest
247
+ safe evidence plus the missing packet fields.
248
+ - If evidence contains secrets or personal data, redact before storing or reporting it.
249
+ - If boundary evidence requires live production access, private dashboards, external provider
250
+ consoles, or unconfigured network diagnostics, report the manual evidence boundary.
251
+ - If a configured command fails, preserve the failing intent and output tail, then fix only the API
252
+ boundary or contract exercised by that failure.
253
+ - If the root cause points to security, payment, rate limit, cache, retry, queue, or deployment risk,
254
+ switch to the narrower matching skill before editing that part.
255
+
256
+ <!-- mustflow-section: output-format -->
257
+ ## Output Format
258
+
259
+ - API failure triaged
260
+ - Failing request packet and success comparator, with redactions
261
+ - Boundary and timing ledger
262
+ - Status/body/content-type, CORS/preflight, redirect/proxy, authn/authz, clock, retry/timeout,
263
+ rate-limit/idempotency, cache, OpenAPI, and deployment-diff findings
264
+ - Hypotheses killed, still open, and selected localized boundary
265
+ - Fix applied or recommended
266
+ - Evidence level: reproduced packet, comparator evidence, configured-test evidence, static review
267
+ risk, manual-only, missing, or not applicable
268
+ - Command intents run
269
+ - Skipped diagnostics and reasons
270
+ - Remaining API-failure risk
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.architecture-deepening-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: architecture-deepening-review
9
- description: Apply this skill when architecture, module boundaries, or codebase structure need review before choosing a refactor or abstraction.
9
+ description: Apply this skill when architecture, module boundaries, layered boundaries, or codebase structure need review before choosing a refactor or abstraction.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -36,7 +36,7 @@ This is a review-first skill. It helps decide whether code needs a deeper module
36
36
  <!-- mustflow-section: use-when -->
37
37
  ## Use When
38
38
 
39
- - The user asks for architecture review, module boundaries, structural improvement, codebase deepening, maintainability review, or testability improvement.
39
+ - The user asks for architecture review, layered architecture review, module boundaries, structural improvement, codebase deepening, maintainability review, or testability improvement.
40
40
  - The user asks where a design will break first as it grows, which responsibility boundary is most likely to blur, or whether a module, service, database owner, permission model, deployment unit, or failure boundary is still clear enough.
41
41
  - A file, module, service, handler, command, controller, or test suite looks broad enough that the next edit may add another responsibility.
42
42
  - Code exposes internal steps to many callers, repeats orchestration, or makes tests hard because policy, I/O, formatting, and dispatch are mixed.
@@ -58,6 +58,8 @@ This is a review-first skill. It helps decide whether code needs a deeper module
58
58
  - Target area, current pain, and the user-facing or maintainer-facing reason to inspect architecture.
59
59
  - Relevant source files, call sites, exports, tests, fixtures, schemas, templates, or documentation that show current behavior and ownership.
60
60
  - Local patterns for modules, boundaries, naming, errors, dependency direction, and tests.
61
+ - Current change-pressure evidence: which business rules, providers, data contracts, permissions, read paths, or operational demands are expected to change independently.
62
+ - Current enforcement evidence: physical modules, package boundaries, import rules, architecture tests, public API surfaces, or reviewer-only conventions that allow or block boundary violations.
61
63
  - The data owner, write path, failure mode, and expected 3x, 10x, or 100x growth pressure when the review is about a design rather than only a file split.
62
64
  - Current changed-file list when the worktree is already dirty.
63
65
  - Relevant command-intent contract entries for verification.
@@ -87,39 +89,51 @@ This is a review-first skill. It helps decide whether code needs a deeper module
87
89
  2. Inspect local evidence before judging.
88
90
  - Read imports, exports, public functions, call sites, related tests, and nearby module conventions.
89
91
  - Prefer evidence from current code and tests over generic architecture advice.
90
- 3. Identify one to three candidate boundaries.
92
+ 3. Reject layer theater before proposing deeper structure.
93
+ - Do not treat `controller`, `service`, `repository`, `domain`, `infra`, or similar folder names
94
+ as architecture evidence by themselves.
95
+ - Check whether one business change forces edits across many technical folders. If yes, rank the
96
+ feature or capability boundary before adding another technical layer.
97
+ - Check whether dependency direction is enforced by modules, packages, import rules, architecture
98
+ tests, or build boundaries. Reviewer memory is weak evidence.
99
+ - Treat caller-owned ports, narrow use-case interfaces, adapter mappings, and explicit public
100
+ module surfaces as stronger boundary evidence than broad infrastructure-owned interfaces.
101
+ - Mark pass-through services, table-shaped repositories, generic CRUD bases, and `common`,
102
+ `shared`, or `utils` growth as smells unless they hide real policy, translation, transaction,
103
+ test, or provider complexity.
104
+ 4. Identify one to three candidate boundaries.
91
105
  - Each candidate must name the responsibility it would hide or clarify.
92
106
  - Reject candidates that only rename, wrap, or move code without lowering caller complexity or test cost.
93
- 4. Force the design through the ownership and failure questions before scoring.
107
+ 5. Force the design through the ownership and failure questions before scoring.
94
108
  - Name the first likely mixed-responsibility boundary. Common early failures are business rules leaking into controllers, repositories, external adapters, UI components, or framework-specific handlers.
95
109
  - Name the final owner for important data. The owner is the module that protects the invariant, not necessarily the module that reads the value most often.
96
110
  - Separate original state from cache, search index, analytics, summary, AI output, provider response, or other derived state.
97
111
  - Identify every direct write path for high-impact fields such as status, role, permission, balance, quota, plan, entitlement, deleted state, payment state, or ownership.
98
112
  - Ask whether a failure creates a visible failure state or silently creates false success. High-impact paths such as authorization, payment, entitlement, deletion, and destructive administration should fail closed.
99
113
  - Ask whether duplicate requests, retries, webhook redelivery, queue replay, or worker restart can repeat a harmful effect. If yes, require an idempotency, ledger, outbox, or reconciliation boundary before calling the design safe.
100
- 5. Check growth pressure in concrete stages.
114
+ 6. Check growth pressure in concrete stages.
101
115
  - At 3x scale, look first for implementation-quality failures: missing indexes, N+1 reads, large responses, synchronous file or image work, repeated external calls, and insufficient connection pools.
102
116
  - At 10x scale, look first for ownership and state failures: write hot spots, queue delay, cache invalidation, server-local files, scattered permission rules, external API rate limits, and deployment units that change for unrelated reasons.
103
117
  - At 100x scale, look first for partitioning and operational failures: data split boundaries, tenant or region hot spots, retry storms, external dependency isolation, long deploy recovery, missing observability, and manual-only recovery paths.
104
- 6. Check scaling direction without forcing premature distribution.
118
+ 7. Check scaling direction without forcing premature distribution.
105
119
  - A small team may start with one larger server or a simple server set, but request handlers should not depend on process memory, local uploads, duplicate cron execution, in-transaction external calls, or server-specific job state.
106
120
  - Application servers should be able to become stateless. Databases may start with vertical scaling, but the design should not block read replicas, read models, queue-backed work, or future data partitioning.
107
121
  - Horizontal scaling is only real if any server can handle the same request, workers can safely duplicate or retry work, and database writes do not all converge on an uncontrolled hot spot.
108
- 7. Score each candidate from 1 to 9.
122
+ 8. Score each candidate from 1 to 9.
109
123
  - User value: whether the structure protects a user-visible or public contract.
110
124
  - Maintenance value: whether future changes become smaller or less error-prone.
111
125
  - Blast radius: how many callers, files, schemas, templates, or docs would change.
112
126
  - Testability: whether behavior can be proven with existing or focused tests.
113
127
  - Reversibility: whether the change can be undone without a public migration.
114
128
  - Evidence confidence: whether the diagnosis is supported by local code, tests, or repeated change patterns.
115
- 5. Choose the next action.
129
+ 9. Choose the next action.
116
130
  - Recommend one smallest structural move, or explicitly stop at analysis-only when the evidence is not strong enough.
117
131
  - If implementation proceeds, use the narrower matching skill before editing that boundary.
118
- 6. Keep the structure move shallow-to-deep.
132
+ 10. Keep the structure move shallow-to-deep.
119
133
  - Start with caller simplification, naming, and responsibility boundaries.
120
134
  - Then extract a focused facade, policy, strategy, pure core, adapter, result type, or dependency boundary only when it clearly removes real complexity.
121
135
  - Avoid turning a broad file into many vague files with the same responsibilities.
122
- 7. Verify and report.
136
+ 11. Verify and report.
123
137
  - Run the narrowest configured command intents that cover the changed surface.
124
138
  - Report skipped checks, unknown behavior evidence, and any candidate intentionally deferred.
125
139
 
@@ -128,6 +142,8 @@ This is a review-first skill. It helps decide whether code needs a deeper module
128
142
 
129
143
  - The output contains a ranked architecture candidate list or one scoped structural change.
130
144
  - Any chosen change has a named reason tied to lower change cost, lower defect risk, or better testability.
145
+ - Layered-architecture claims are backed by change-pressure, dependency-direction, public-surface,
146
+ and enforcement evidence rather than folder names alone.
131
147
  - Important data has a named owner, write path, original-or-derived classification, and failure behavior when the reviewed design touches durable state.
132
148
  - Growth pressure is either checked at 3x, 10x, and 100x or explicitly marked not relevant to the current architecture decision.
133
149
  - Behavior changes are excluded or explicitly moved to a separate follow-up.
@@ -164,6 +180,7 @@ Use documentation and release checks only when the review or chosen change touch
164
180
 
165
181
  - Review target and current pain
166
182
  - Evidence inspected
183
+ - Layering, change-pressure, and boundary-enforcement evidence
167
184
  - Data owner, write path, and original-versus-derived state when relevant
168
185
  - Failure mode, idempotency, and recovery boundary when relevant
169
186
  - 3x, 10x, and 100x growth pressure when relevant