mustflow 2.84.0 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (105) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +14 -0
  3. package/dist/cli/i18n/en.js +262 -0
  4. package/dist/cli/i18n/es.js +262 -0
  5. package/dist/cli/i18n/fr.js +262 -0
  6. package/dist/cli/i18n/hi.js +262 -0
  7. package/dist/cli/i18n/ko.js +262 -0
  8. package/dist/cli/i18n/zh.js +262 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +397 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +178 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  17. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  18. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  19. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  20. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  21. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  22. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  23. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  24. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  25. package/dist/cli/script-packs/repo-version-source.js +92 -0
  26. package/dist/cli/script-packs/test-performance-report.js +247 -0
  27. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  28. package/dist/core/change-impact.js +355 -0
  29. package/dist/core/change-surface-classification.js +198 -0
  30. package/dist/core/change-verification.js +32 -5
  31. package/dist/core/config-loading.js +121 -4
  32. package/dist/core/dependency-graph.js +490 -0
  33. package/dist/core/docs-link-integrity.js +443 -0
  34. package/dist/core/env-contract.js +450 -0
  35. package/dist/core/import-cycle.js +152 -0
  36. package/dist/core/line-endings.js +26 -13
  37. package/dist/core/public-json-contracts.js +167 -0
  38. package/dist/core/repo-approval-gate.js +116 -0
  39. package/dist/core/repo-git-ignore-audit.js +302 -0
  40. package/dist/core/repo-manifest-lock-drift.js +321 -0
  41. package/dist/core/repo-merge-conflict-scan.js +335 -0
  42. package/dist/core/repo-version-source.js +82 -0
  43. package/dist/core/route-outline.js +57 -5
  44. package/dist/core/script-pack-suggestions.js +97 -1
  45. package/dist/core/secret-risk-scan.js +440 -0
  46. package/dist/core/skill-route-audit.js +354 -0
  47. package/dist/core/test-performance-report.js +697 -0
  48. package/dist/core/test-regression-selector.js +335 -0
  49. package/package.json +1 -1
  50. package/schemas/README.md +54 -0
  51. package/schemas/change-impact-report.schema.json +184 -0
  52. package/schemas/commands.schema.json +12 -0
  53. package/schemas/dependency-graph-report.schema.json +149 -0
  54. package/schemas/env-contract-report.schema.json +203 -0
  55. package/schemas/import-cycle-report.schema.json +157 -0
  56. package/schemas/link-integrity-report.schema.json +176 -0
  57. package/schemas/repo-approval-gate-report.schema.json +115 -0
  58. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  59. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  60. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  61. package/schemas/repo-version-source-report.schema.json +127 -0
  62. package/schemas/secret-risk-scan-report.schema.json +152 -0
  63. package/schemas/skill-route-audit-report.schema.json +144 -0
  64. package/schemas/test-performance-report.schema.json +319 -0
  65. package/schemas/test-regression-selector-report.schema.json +187 -0
  66. package/templates/default/i18n.toml +80 -26
  67. package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
  68. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  69. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  70. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  71. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  72. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  73. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  74. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  75. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  76. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  77. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  78. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  79. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  80. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  81. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  82. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  83. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  84. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  85. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  86. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  87. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  88. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  89. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  90. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  91. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  92. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  93. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  94. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  95. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  96. package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
  97. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  98. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  99. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  100. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  101. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
  102. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
  103. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  104. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  105. package/templates/default/manifest.toml +71 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.astro-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 3
5
+ revision: 4
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: astro-code-change
9
- description: Apply this skill when Astro config, pages, layouts, components, islands, hydration directives, content collections, dynamic routes, adapters, MDX, RSS, sitemap, canonical URL, draft, pagination, or build behavior are created or changed.
9
+ description: Apply this skill when Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, dynamic routes, adapters, request pipeline, advanced routing, route cache, MDX, Markdown processing, RSS, sitemap, canonical URL, draft, pagination, migration, or build behavior are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -28,15 +28,15 @@ metadata:
28
28
  <!-- mustflow-section: purpose -->
29
29
  ## Purpose
30
30
 
31
- Preserve Astro's static-first model, island hydration boundary, routing contract, content collection schema, canonical URL, RSS, sitemap, adapter, and client bundle boundaries.
31
+ Preserve Astro's static-first model, island hydration boundary, routing contract, request pipeline, content collection schema, canonical URL, RSS, sitemap, adapter, cache, and client bundle boundaries.
32
32
 
33
33
  The default is no-hydration. Add browser JavaScript only after proving that native HTML, CSS, standard links, forms, details/summary, or a small `.astro` script cannot provide the required behavior.
34
34
 
35
35
  <!-- mustflow-section: use-when -->
36
36
  ## Use When
37
37
 
38
- - `astro.config.*`, `src/pages`, `.astro`, content config, live config, collections, layouts, components, MDX, routes, endpoints, adapters, integrations, islands, or hydration directives change.
39
- - The task adds or changes a page, blog/docs content, interactive UI, SSR/on-demand rendering, framework component, search/filter UI, route behavior, RSS feed, sitemap, canonical URL, draft handling, or pagination.
38
+ - `astro.config.*`, package metadata, `src/pages`, `src/fetch.*`, `.astro`, content config, live config, collections, layouts, components, MDX, Markdown processor config, routes, endpoints, adapters, integrations, islands, route cache, or hydration directives change.
39
+ - The task adds or changes a page, blog/docs content, interactive UI, SSR/on-demand rendering, framework component, search/filter UI, request pipeline behavior, route behavior, RSS feed, sitemap, canonical URL, draft handling, migration, or pagination.
40
40
 
41
41
  <!-- mustflow-section: do-not-use-when -->
42
42
  ## Do Not Use When
@@ -47,20 +47,23 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
47
47
  <!-- mustflow-section: required-inputs -->
48
48
  ## Required Inputs
49
49
 
50
- - Package metadata, Astro version, framework integrations, TypeScript config, pages, layouts, components, content config, content files, integrations, adapter config, env declarations, public assets, and tests.
51
- - Astro config values that affect routing and URLs: `site`, `base`, `trailingSlash`, `output`, `adapter`, sitemap integration, MDX integration, and framework integrations.
50
+ - Package metadata, current Astro version, target Astro version when migration is intended, framework integrations, TypeScript config, pages, layouts, components, content config, content files, integrations, adapter config, env declarations, public assets, and tests.
51
+ - Astro config values that affect routing, URLs, rendering, request handling, Markdown, and cache: `site`, `base`, `trailingSlash`, `output`, `adapter`, `fetchFile`, `markdown`, `compressHTML`, `cache`, `routeRules`, sitemap integration, MDX integration, and framework integrations.
52
52
  - Content collection names, loader bases, schemas, slug/id policy, draft fields, date fields, canonical fields, and route files that turn collection entries into pages.
53
- - Current output mode, prerender/SSR policy, hydration conventions, route priority, endpoint layout, RSS generation, sitemap generation, and content schema.
53
+ - Current output mode, prerender/SSR policy, hydration conventions, route priority, endpoint layout, request pipeline or middleware layout, RSS generation, sitemap generation, and content schema.
54
+ - Markdown processor decision, remark/rehype/recma plugins, custom Markdown imports, heading id policy, syntax-highlighting expectations, and Markdown or MDX snapshots when content rendering changes.
55
+ - Cache provider, route cache rules, cache-key inputs, invalidation path, deployment topology, and authenticated or personalized routes when `cache` or `routeRules` change.
54
56
  - Configured verification intents.
55
57
 
56
58
  <!-- mustflow-section: preconditions -->
57
59
  ## Preconditions
58
60
 
59
61
  - Read Astro config, content config, and the affected route tree before changing routing, content, canonical, RSS, sitemap, or hydration behavior.
60
- - Identify the Astro major version before applying migration rules. Astro v6 changes must be checked against the v6 upgrade guide instead of inferred from older routing or adapter habits.
62
+ - Identify current and target Astro major versions before applying migration rules. Apply only the official major upgrade guide deltas crossed by the change, and keep ordinary Astro edits on the version-neutral policies below.
61
63
  - Identify build-time versus request-time data before adding data access.
62
64
  - Identify which UI truly needs browser JavaScript and which UI truly needs framework state before adding a framework island.
63
65
  - Treat file movement under `src/pages`, route parameter changes, and content slug changes as URL contract changes.
66
+ - Treat `src/fetch.ts` and `src/fetch.js` as reserved advanced-routing entrypoint candidates unless `fetchFile` disables or moves that entrypoint.
64
67
 
65
68
  <!-- mustflow-section: allowed-edits -->
66
69
  ## Allowed Edits
@@ -73,18 +76,23 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
73
76
  <!-- mustflow-section: procedure -->
74
77
  ## Procedure
75
78
 
76
- 1. Read package metadata and Astro config first. Record Astro version, framework integrations, `site`, `base`, `trailingSlash`, `output`, adapter, sitemap integration, MDX integration, and any framework integration.
77
- - For Astro v6 migrations, check removed or changed surfaces before editing call sites: `Astro.glob()` replacement with `import.meta.glob()` or content collections, `.cjs` and `.cts` config removal, `astro:ssr-manifest`, `RouteData.generate()`, old adapter hooks, old `NodeApp` paths, Zod 4 schema effects, and numeric dynamic route params.
78
- 2. Read `src/content.config.*` when content, docs, blog, RSS, sitemap, canonical, or route generation is involved. Record each collection name, loader base, schema fields, slug/id policy, draft field, and date fields.
79
- 3. Build a route ledger from `src/pages`: static pages, dynamic pages, rest routes, endpoints, prerendered routes, on-demand routes, and possible route-priority collisions.
80
- 4. Classify the change: static route, dynamic route, endpoint, content collection, integration, adapter, SSR/on-demand, island, script, asset, RSS, sitemap, canonical, or docs/content.
81
- 5. Apply the hydration policy below before adding or changing any `client:*` directive.
82
- 6. Apply the routing and rendering policy below before adding dynamic routes, catch-all routes, endpoints, adapter changes, or `prerender` changes.
83
- 7. Apply the content, SEO, and feed policy below before changing frontmatter, schemas, slugs, drafts, canonical URLs, pagination, RSS, or sitemap behavior.
84
- 8. Do not put runtime-only data such as logged-in user state, request-local data, private API responses, or live inventory into build-time collections.
85
- 9. Do not enable request-time rendering without the adapter and deployment contract that support it.
86
- 10. Keep `set:html` or raw HTML injection behind a trusted and sanitized content boundary.
87
- 11. Choose configured verification intents that cover content schema, build, routes, hydration, adapter/runtime, and bundle risk when available.
79
+ 1. Read package metadata and Astro config first. Record current and target Astro versions, framework integrations, `site`, `base`, `trailingSlash`, `output`, adapter, `fetchFile`, `markdown`, `compressHTML`, `cache`, `routeRules`, sitemap integration, MDX integration, and any framework integration.
80
+ 2. Apply the Version Gate before using migration guidance:
81
+ - If the task is not changing the Astro major version, do not run stale major-specific deltas as routine review noise.
82
+ - If the task crosses one or more Astro majors, check the official Astro upgrade guide for each crossed major and record which deltas apply.
83
+ - If a version-specific claim cannot be refreshed from official Astro docs, omit it or report it as unchecked instead of writing it as current.
84
+ 3. Read `src/content.config.*` when content, docs, blog, RSS, sitemap, canonical, or route generation is involved. Record each collection name, loader base, schema fields, slug/id policy, draft field, and date fields.
85
+ 4. Build a route ledger from `src/pages`: static pages, dynamic pages, rest routes, endpoints, prerendered routes, on-demand routes, and possible route-priority collisions.
86
+ 5. Classify the change: static route, dynamic route, endpoint, content collection, integration, adapter, SSR/on-demand, request pipeline, island, script, asset, RSS, sitemap, canonical, cache, Markdown, migration, or docs/content.
87
+ 6. Apply the hydration policy below before adding or changing any `client:*` directive.
88
+ 7. Apply the routing, request pipeline, and rendering policies below before adding dynamic routes, catch-all routes, endpoints, adapter changes, `src/fetch.*`, or `prerender` changes.
89
+ 8. Apply the content, SEO, and feed policy below before changing frontmatter, schemas, slugs, drafts, canonical URLs, pagination, RSS, or sitemap behavior.
90
+ 9. Apply the cache policy below before changing `cache`, `routeRules`, route-level cache behavior, or cache provider configuration.
91
+ 10. Apply the Markdown and compiler policy below before changing Markdown processing, MDX, generated markup, `compressHTML`, HTML snapshots, or whitespace-sensitive content.
92
+ 11. Do not put runtime-only data such as logged-in user state, request-local data, private API responses, or live inventory into build-time collections.
93
+ 12. Do not enable request-time rendering without the adapter and deployment contract that support it.
94
+ 13. Keep `set:html` or raw HTML injection behind a trusted and sanitized content boundary.
95
+ 14. Choose configured verification intents that cover content schema, build, routes, hydration, adapter/runtime, cache, Markdown, request pipeline, and bundle risk when available.
88
96
 
89
97
  ## Hydration Policy
90
98
 
@@ -102,7 +110,7 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
102
110
 
103
111
  - In static output, every dynamic route must have `getStaticPaths`.
104
112
  - In on-demand or SSR dynamic routes, do not use `getStaticPaths`; read `Astro.params`, perform the request-time lookup, and handle missing entries with an explicit 404 or redirect path.
105
- - `getStaticPaths` params must match bracket parameter names exactly. Param values must be strings, except rest parameters may use `undefined`; numeric params are invalid in Astro 6.
113
+ - `getStaticPaths` params must match bracket parameter names exactly. Route param values are a string contract; rest parameters may use `undefined`.
106
114
  - Custom slugs containing `/` require a rest route such as a catch-all route. Do not force slash-containing slugs into a single named parameter route.
107
115
  - Treat changes under `src/pages` as public URL changes, including endpoint names and extension-bearing endpoint paths.
108
116
  - Check route priority when adding static routes, named parameters, rest parameters, catch-all routes, and endpoints that could claim the same URL.
@@ -111,6 +119,35 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
111
119
  - Do not switch the whole project to server output for one page unless the deployment and route contract require it.
112
120
  - Do not assume SSR dynamic routes appear in sitemap output automatically.
113
121
 
122
+ ## Request Pipeline Policy
123
+
124
+ - Do not create `src/fetch.ts` or `src/fetch.js` just because a project uses Astro 7 or advanced routing. Add or modify a custom fetch entrypoint only when the request pipeline contract requires it.
125
+ - If `src/fetch.*` already exists, check whether it is an intentional advanced-routing entrypoint, an accidental reserved-name collision, or disabled or moved through `fetchFile`.
126
+ - Prefer preserving Astro's default request pipeline unless there is a named reason to compose handlers directly.
127
+ - When direct handler composition is used, record a request pipeline ledger: trailing slash, redirects, sessions, actions, user middleware, rendering, i18n, cache, and any intentionally omitted stage.
128
+ - Place session handling before any handler that reads or mutates session state.
129
+
130
+ ## Cache Policy
131
+
132
+ - Treat `cache` and `routeRules` changes as data-exposure risks, not only performance changes.
133
+ - Do not cache authenticated, personalized, locale-sensitive, cookie-dependent, header-dependent, or query-dependent responses unless the cache key, invalidation, and privacy boundary are explicit.
134
+ - Check whether the deployment is single-instance or multi-instance before relying on in-memory route cache behavior.
135
+ - When route cache behavior changes, use `cache-integrity-review` as an adjunct when available and report `HIT`, `MISS`, `STALE`, or equivalent cache evidence only when verified.
136
+
137
+ ## Markdown And Compiler Policy
138
+
139
+ - When an Astro major migration changes Markdown processing, choose explicitly between the current processor and the new default processor. Keep the unified pipeline when remark, rehype, recma, MDX, or custom Markdown plugin compatibility is unproven.
140
+ - Check heading ids, code blocks, syntax highlighting, link rewriting, frontmatter rendering, and Markdown or MDX snapshots when the processor changes.
141
+ - Treat stricter compiler output, invalid HTML nesting, non-void tag closure, CSS serialization, and whitespace between inline elements as user-visible migration risks.
142
+ - When `compressHTML` changes or defaults differ, verify important rendered text does not lose intended spaces between inline elements.
143
+
144
+ ## Astro Major Migration Deltas
145
+
146
+ - For v5 to v6 migrations, check removed or changed surfaces before editing call sites: `Astro.glob()` replacement with `import.meta.glob()` or content collections, `.cjs` and `.cts` config removal, `astro:ssr-manifest`, `RouteData.generate()`, old adapter hooks, old `NodeApp` paths, Zod 4 schema effects, and numeric dynamic route params.
147
+ - For v6 to v7 migrations, check `src/fetch.*` or `fetchFile`, direct request handler composition, `cache`, `routeRules`, `advancedRouting`, `logger`, `queuedRendering`, `rustCompiler`, `markdown.processor`, `compressHTML`, removed or changed `@astrojs/db` usage, transition internals, and `getContainerRenderer()` imports from integration roots.
148
+ - For v6 to v7 migrations with custom Vite config, Rollup hooks, or Astro integrations that call Vite APIs, also use `dependency-upgrade-review` when available.
149
+ - Keep each migration delta scoped to the crossed major version. Do not copy old delta checks into ordinary Astro UI, content, or route edits.
150
+
114
151
  ## Content SEO Feed Policy
115
152
 
116
153
  - Every frontmatter field used by routes, SEO, RSS, sitemap, pagination, filtering, or canonical URLs must be declared in the content collection schema.
@@ -134,8 +171,12 @@ Reject or revise a change when:
134
171
  - `client:only` is used because SSR broke, instead of isolating the browser-only dependency.
135
172
  - Static output dynamic routes lack `getStaticPaths`.
136
173
  - On-demand or SSR dynamic routes use `getStaticPaths`.
137
- - Route params do not match bracket names, non-rest params are not strings, rest params use values other than strings or `undefined`, or Astro 6 routes still rely on numeric params.
174
+ - Route params do not match bracket names, non-rest params are not strings, or rest params use values other than strings or `undefined`.
138
175
  - A content slug with `/` is mapped through a non-rest route.
176
+ - `src/fetch.*` is added without a named request pipeline requirement, or direct handler composition omits a needed pipeline stage.
177
+ - Route cache is enabled for authenticated, personalized, locale-sensitive, cookie-dependent, header-dependent, or query-dependent responses without an explicit cache key and invalidation boundary.
178
+ - Markdown processor changes skip plugin compatibility or rendered-output checks.
179
+ - Compiler or `compressHTML` changes are accepted without checking invalid HTML nesting, non-void tag closure, CSS serialization, or whitespace-sensitive rendered text when those surfaces are affected.
139
180
  - Draft filtering differs between lists, detail pages, RSS, sitemap, or pagination.
140
181
  - Canonical URLs are built by ad hoc string concatenation.
141
182
  - RSS or sitemap includes drafts, stale paths, wrong trailing slash paths, or paths that the route ledger cannot produce.
@@ -147,7 +188,7 @@ Reject or revise a change when:
147
188
 
148
189
  - Build-time and runtime data are separated.
149
190
  - Client JavaScript is limited to needed islands.
150
- - Route, endpoint, canonical URL, RSS, sitemap, draft, and content schema impact is known.
191
+ - Route, endpoint, request pipeline, cache, canonical URL, RSS, sitemap, draft, Markdown, and content schema impact is known.
151
192
  - SSR or adapter changes are verified or reported.
152
193
 
153
194
  <!-- mustflow-section: verification -->
@@ -162,15 +203,18 @@ Use configured oneshot command intents when available:
162
203
  - `docs_validate_fast`
163
204
  - `mustflow_check`
164
205
 
165
- Report missing framework validation, route preview, content schema, RSS, sitemap, canonical, or client bundle verification intents when relevant.
206
+ Report missing framework validation, route preview, request pipeline, cache, Markdown, content schema, RSS, sitemap, canonical, or client bundle verification intents when relevant.
166
207
 
167
- When verifiable, report counts for added hydration directives, added island risk, generated public content pages, excluded drafts, RSS items, sitemap URLs, and duplicate canonical URLs.
208
+ When verifiable, report counts for added hydration directives, added island risk, generated public content pages, excluded drafts, RSS items, sitemap URLs, duplicate canonical URLs, route cache rules, and affected Markdown or MDX outputs.
168
209
 
169
210
  <!-- mustflow-section: failure-handling -->
170
211
  ## Failure Handling
171
212
 
172
213
  - If an island is added only to work around static markup, revisit the markup and content boundary first.
173
214
  - If SSR is requested without adapter evidence, stop and report the deployment contract gap.
215
+ - If custom request pipeline work lacks a pipeline ledger, create the ledger before changing unrelated routing or middleware.
216
+ - If cache rules can expose private or personalized data, stop and route through cache integrity review before optimizing performance.
217
+ - If Markdown processor compatibility is unknown, keep the existing processor path or report the migration blocker.
174
218
  - If content schema drift appears, fix schema and sample content before adding more pages.
175
219
  - If draft, canonical, RSS, sitemap, or pagination drift appears, fix the shared content and route contract before adding new entries.
176
220
  - If a route collision appears, resolve the route ledger before changing unrelated rendering code.
@@ -179,7 +223,7 @@ When verifiable, report counts for added hydration directives, added island risk
179
223
  ## Output Format
180
224
 
181
225
  - Boundary checked
182
- - Build/runtime, route, endpoint, content, hydration, canonical, RSS, sitemap, and draft notes
226
+ - Build/runtime, route, endpoint, request pipeline, cache, Markdown, content, hydration, canonical, RSS, sitemap, and draft notes
183
227
  - Files changed
184
228
  - Command intents run
185
229
  - Skipped checks and reasons
@@ -0,0 +1,192 @@
1
+ ---
2
+ mustflow_doc: skill.auth-flow-triage
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: auth-flow-triage
9
+ description: Apply this skill when login, signup, logout, session refresh, OAuth or OIDC redirect, PKCE, nonce, state, passkey, MFA, password reset, magic link, cookie, JWT, token exchange, JWKS, IdP callback, account linking, or authorization-after-login behavior is failing, intermittent, browser-only, client-specific, or not yet localized to identity, cookie, token, proxy, session store, provider, clock, rate limit, or permission policy.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.auth-flow-triage
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # Auth Flow Triage
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Localize authentication-flow failures without collapsing identity proof, session issuance, token
34
+ validation, browser cookie behavior, external provider callbacks, MFA, and authorization into one
35
+ "login is broken" bucket.
36
+
37
+ <!-- mustflow-section: use-when -->
38
+ ## Use When
39
+
40
+ - Login, signup, logout, refresh, password reset, magic link, MFA, passkey, OAuth, OIDC, SAML-like
41
+ handoff, API-key login, or account-linking behavior fails or behaves differently across clients.
42
+ - A user appears authenticated on one boundary but logged out, forbidden, redirected, or assigned to
43
+ the wrong account on another boundary.
44
+ - The failure may involve cookies, SameSite, CORS credentials, CSRF, proxy headers, redirect URI,
45
+ state, nonce, PKCE, authorization code exchange, JWT claims, JWKS rotation, refresh token
46
+ rotation, session storage, account lockout, rate limit, IdP metadata, passkeys, OTP, clocks, or
47
+ authorization after login.
48
+ - The task is to diagnose or review an auth failure before the exact code owner is known.
49
+
50
+ <!-- mustflow-section: do-not-use-when -->
51
+ ## Do Not Use When
52
+
53
+ - The change is already localized to implementing or changing the permission model; use
54
+ `auth-permission-change`.
55
+ - The task is specifically API object, property, or function authorization review; use
56
+ `api-access-control-review`.
57
+ - The task is only generic API failure triage before any auth-specific signal exists; use
58
+ `api-failure-triage`.
59
+ - The task asks for live credential testing, brute force, phishing simulation, or production token
60
+ collection. Stay within defensive code review, sanitized traces, and configured tests.
61
+
62
+ <!-- mustflow-section: required-inputs -->
63
+ ## Required Inputs
64
+
65
+ - Auth attempt packet: observed time, timezone, trace or request id, client type, route, sanitized
66
+ request and response shape, redirect chain, status codes, user-facing message class, and result.
67
+ - Stage ledger: user lookup, credential verification, external provider round trip, callback,
68
+ token exchange, session issue, cookie write, redirect, authorization decision, and logout or
69
+ revocation when relevant.
70
+ - Token and session ledger: session id hash, token type, issuer, audience, subject, `jti`, `iat`,
71
+ `nbf`, `exp`, key id, refresh-token family state, cookie attributes, session-store key, and
72
+ revocation or rotation state.
73
+ - Browser and proxy ledger: origin, host, forwarded proto and host, redirect URI, cookie domain and
74
+ path, SameSite, Secure, HttpOnly, CORS credentials, CSRF token, and proxy trust boundary.
75
+ - Provider ledger: IdP issuer, discovery metadata, JWKS URI, registered redirect URIs, client id,
76
+ PKCE method, state, nonce, passkey RP ID, WebAuthn origin, MFA method, and provider error class.
77
+ - Denial and privacy ledger: enumeration policy, lockout or rate-limit decision, internal result
78
+ code, public error message, redaction boundary, and denial-case tests.
79
+
80
+ <!-- mustflow-section: preconditions -->
81
+ ## Preconditions
82
+
83
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
84
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
85
+ - Secrets, tokens, OTPs, passwords, cookies, raw provider payloads, personal identifiers, and private
86
+ callback URLs are redacted before being written into docs, tests, commits, or reports.
87
+
88
+ <!-- mustflow-section: allowed-edits -->
89
+ ## Allowed Edits
90
+
91
+ - Add or tighten stage-specific result codes, safe trace ids, token validation, cookie settings,
92
+ proxy trust handling, redirect URI checks, PKCE, state, nonce, JWKS refresh behavior, session
93
+ rotation, refresh-token serialization, account-linking checks, passkey origin checks, MFA tests,
94
+ redaction, docs, fixtures, and denial-case tests.
95
+ - Add focused tests that reproduce the sanitized failure stage, token claim mismatch, cookie
96
+ behavior, callback binding, refresh-token race, session fixation boundary, or account-linking
97
+ policy.
98
+ - Do not add auth bypasses, broad CORS wildcards, loose redirect matching, disabled TLS checks,
99
+ widened clock skew, token logging, provider-console assumptions, or live credential probes.
100
+
101
+ <!-- mustflow-section: procedure -->
102
+ ## Procedure
103
+
104
+ 1. Split the symptom by stage before editing: user lookup, credential or passkey verification,
105
+ provider redirect, callback validation, token exchange, session issue, cookie persistence,
106
+ refresh, logout, and authorization-after-login.
107
+ 2. Preserve one sanitized failing attempt plus one success comparator. Compare the actual redirect
108
+ chain, cookies sent and set, status codes, provider error class, token type, and client version.
109
+ 3. Keep public and internal errors separate. Public messages should avoid account enumeration;
110
+ internal evidence should keep stable reason codes such as missing user, credential mismatch,
111
+ disabled account, MFA required, token expired, nonce mismatch, PKCE mismatch, and policy denied.
112
+ 4. Verify clocks before treating tokens as bad. Compare server epoch, token `iat`, `nbf`, `exp`,
113
+ OTP window, signed request timestamp, certificate validity, and applied clock skew.
114
+ 5. For browser-only failures, check actual cookie attributes, CORS credential behavior, CSRF,
115
+ redirect handling, preflight, duplicate cookie names, and whether the callback writes the cookie
116
+ on the host and path the app later uses.
117
+ 6. For proxy-backed apps, verify trusted forwarded headers, external URL calculation, secure cookie
118
+ detection, host allowlists, and callback URL generation. Do not trust arbitrary forwarded headers.
119
+ 7. For OAuth or OIDC, compare the exact registered and transmitted redirect URI, issuer, discovery
120
+ metadata, client id, state, nonce, PKCE method, code-verifier binding, token endpoint, and JWKS.
121
+ 8. For token validation, check signature, algorithm allowlist, key id refresh, issuer, audience,
122
+ authorized party when needed, subject, expiry, not-before, nonce, token type, and stale role or
123
+ permission claims.
124
+ 9. For refresh and logout failures, separate local cookie deletion, server session revocation,
125
+ refresh-token family state, access-token lifetime, IdP SSO session, and provider logout.
126
+ 10. For passkeys and MFA, check challenge one-time use, origin, RP ID, credential id, user handle,
127
+ user-verification flags, OTP reuse, recovery path, reauthentication, and registration or removal
128
+ policy.
129
+ 11. For account linking, use provider `issuer + subject` as the external identity key. Treat email
130
+ equality as weak evidence that requires an authenticated linking flow.
131
+ 12. If authentication succeeds but the user is still blocked, switch to `auth-permission-change` or
132
+ `api-access-control-review` and inspect tenant, resource, role, scope, stale cache, and token
133
+ claim freshness.
134
+ 13. Apply the smallest localized fix and rerun the narrowest configured intent that covers the
135
+ affected auth stage, denial case, docs, template, or package surface.
136
+
137
+ <!-- mustflow-section: postconditions -->
138
+ ## Postconditions
139
+
140
+ - The failing auth stage is localized or named as an evidence gap.
141
+ - Public error wording, internal reason codes, trace ids, session or token identifiers, and redaction
142
+ boundaries are explicit.
143
+ - Cookie, proxy, redirect, token, JWKS, provider metadata, passkey, MFA, refresh, logout, rate limit,
144
+ and authorization-after-login checks are fixed or reported where relevant.
145
+ - Any permission follow-up is routed to the narrower access-control skill instead of hidden inside
146
+ login debugging.
147
+
148
+ <!-- mustflow-section: verification -->
149
+ ## Verification
150
+
151
+ Use configured oneshot command intents when available:
152
+
153
+ - `changes_status`
154
+ - `changes_diff_summary`
155
+ - `lint`
156
+ - `build`
157
+ - `test_related`
158
+ - `test`
159
+ - `test_audit`
160
+ - `docs_validate_fast`
161
+ - `test_release`
162
+ - `mustflow_check`
163
+
164
+ Prefer the narrowest configured tests that cover the failing auth stage and denial behavior. Report
165
+ missing browser cookie, provider callback, JWKS rotation, MFA, passkey, refresh-token race, and
166
+ session-store integration evidence instead of inventing live auth probes.
167
+
168
+ <!-- mustflow-section: failure-handling -->
169
+ ## Failure Handling
170
+
171
+ - If the failing auth attempt cannot be captured safely, report the missing stage evidence instead
172
+ of changing auth code from guesses.
173
+ - If sensitive values appear in evidence, stop repeating them and summarize the shape only.
174
+ - If fixing the failure requires external IdP console changes, provider credentials, production
175
+ tokens, live email or SMS delivery, or browser automation outside the command contract, report the
176
+ manual boundary.
177
+ - If configured verification fails, preserve the failing intent and output tail, then fix only the
178
+ localized auth stage or test contract.
179
+
180
+ <!-- mustflow-section: output-format -->
181
+ ## Output Format
182
+
183
+ - Auth flow triaged
184
+ - Failing stage, sanitized attempt packet, and success comparator
185
+ - Cookie, proxy, redirect, provider, token, JWKS, session, refresh, logout, passkey, MFA, rate limit,
186
+ enumeration, and authorization-after-login findings
187
+ - Fix applied or recommended
188
+ - Evidence level: configured-test evidence, static review risk, manual-only, missing, or not
189
+ applicable
190
+ - Command intents run
191
+ - Skipped auth diagnostics and reasons
192
+ - Remaining auth-flow risk
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.auth-permission-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: auth-permission-change
9
- description: Apply this skill when authentication, authorization, permissions, roles, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
9
+ description: Apply this skill when authentication, authorization, permissions, roles, effective permissions, policy decisions, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -54,11 +54,20 @@ Authentication answers who the requester is. Authorization answers what that pri
54
54
  ## Required Inputs
55
55
 
56
56
  - Changed files, user goal, affected actors, protected resources, actions, tenants, roles, and status-code expectations.
57
+ - Permission decision tuple for each changed protected action: subject, action, object, tenant or
58
+ organization, relationship path, request environment, policy version, data revision, token issue
59
+ time, and final allow or deny reason.
60
+ - Effective-permission evidence, not only role names: computed capabilities, inherited
61
+ relationships, explicit denies, wildcard policies, policy-combination rules, and default-deny
62
+ behavior.
57
63
  - Auth middleware, framework hooks, gateway checks, session config, cookie config, JWT verifier, OAuth/OIDC callback, API key verifier, and logout or revocation code when relevant.
58
64
  - Route guards, client guards, server controllers, resolvers, command handlers, services, policy functions, role or permission tables, database queries, RLS, views, stored procedures, and ORM scopes.
59
65
  - Tenant, organization, workspace, project, membership, invite, suspension, ownership, sharing, and admin-support data models.
60
66
  - Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, SSE or streaming channels, WebTransport sessions, WebSocket fallback, CDN cache, proxy cache, and permission caches when they can expose protected data.
61
67
  - Audit logs, admin action logs, impersonation records, denied-access logs, API docs, role matrix docs, migrations, and tests.
68
+ - Revocation and cache evidence: token claim freshness, session lifetime, permission-cache key and
69
+ TTL, policy replication delay, search-index or export lag, stale queue payloads, and rollback or
70
+ shadow-evaluation behavior when policy changes.
62
71
  - Configured verification intents.
63
72
 
64
73
  <!-- mustflow-section: preconditions -->
@@ -92,31 +101,58 @@ Authentication answers who the requester is. Authorization answers what that pri
92
101
  - database queries, tenant scopes, ownership joins, soft-delete filters, RLS, views, stored procedures, and ORM helpers;
93
102
  - background jobs, queues, webhooks, import/export, file storage, signed URLs, SSE or streaming channels, WebTransport sessions, WebSocket fallback, search, autocomplete, caches, CDN or proxy cache rules, audit logs, docs, migrations, and tests.
94
103
  3. Write the permission decision inputs for each protected action: principal, tenant, resource, action, and context.
95
- 4. Separate identity from permission:
104
+ 4. Freeze the authorization decision tuple.
105
+ - Record subject, action, object, tenant, environment, policy version, data revision, token issue
106
+ time, matched policy, inheritance path, and final allow or deny reason.
107
+ - A role label is not the decision. Use effective permissions and relationship paths.
108
+ 5. Separate identity from permission:
96
109
  - `req.user`, a valid session, verified email, valid JWT, OAuth scope, or API key proves identity only;
97
110
  - owner, active member, org admin, global admin, support user, service account, API client, and shared-link viewer need separate authorization rules.
98
- 5. Prefer one central policy shape, such as a `can(principal, action, resource, context)` function, over route-local `isAdmin`, `isOwner`, or `isMember` fragments.
99
- 6. Enforce deny by default. New roles, actions, resource types, tenant types, sharing modes, and admin paths must deny until explicitly allowed.
100
- 7. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
101
- 8. Load resources safely before final authorization:
111
+ 6. Prefer one central policy shape, such as a `can(principal, action, resource, context)` function, over route-local `isAdmin`, `isOwner`, or `isMember` fragments.
112
+ 7. Require explainable policy decisions.
113
+ - A production-supportable permission engine should expose which policy matched, which condition
114
+ failed, which inherited relationship granted access, and whether an explicit deny won.
115
+ - If the implementation cannot explain allow or deny decisions, report observability risk before
116
+ claiming the policy is maintainable.
117
+ 8. Enforce deny by default. New roles, actions, resource types, tenant types, sharing modes, and admin paths must deny until explicitly allowed.
118
+ 9. Define policy-combination semantics. Check whether multiple policies combine by union,
119
+ intersection, priority, explicit deny, boundary policy, or tenant override; write tests for
120
+ allow-plus-deny and no-match cases.
121
+ 10. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
122
+ 11. Load resources safely before final authorization:
102
123
  - include tenant, membership, owner, sharing, and soft-delete constraints in the resource lookup when possible;
103
124
  - when existence must be hidden, keep wrong-tenant and missing-resource behavior consistent with the project's 404 policy.
104
- 9. Check multi-tenant risks:
125
+ 12. Check multi-tenant risks:
105
126
  - body, query, header, path, JWT claim, or local storage tenant ids must not become trusted tenant context;
106
127
  - tenant-scoped queries must include tenant or membership constraints;
107
128
  - pending, suspended, removed, revoked, deleted, disabled, and invited states must not be treated as active access;
108
129
  - shared links, exports, signed URLs, previews, search, cache, and CDN entries must stay inside the permission model.
109
130
  - event streams, WebTransport sessions, WebSocket fallback channels, private downloads, and reconnect URLs must not bypass tenant, resource, role, token expiry, or revocation policy.
110
- 10. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
131
+ 13. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
111
132
  - sessions need expiry, refresh, rotation, logout, revocation, cookie flags, and CSRF posture;
112
133
  - JWTs need signature verification, algorithm allowlist, issuer, audience, subject, expiry, not-before, key rotation, and stale-claim handling;
113
134
  - OAuth/OIDC needs exact redirect binding, state, nonce, PKCE when relevant, provider account binding, and safe account linking;
114
135
  - API keys need hashing, prefix-only display, owner type, scope, tenant/resource constraints, expiry, rotation, revocation, last-used, rate limit, and audit.
115
- 11. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
136
+ 14. Check permission creators more strictly than ordinary permissions.
137
+ - Role creation, role assignment, invitation, service-account issuance, API-key creation,
138
+ impersonation, support access, and token minting are privilege factories.
139
+ - A low-privilege actor that can attach a high privilege to itself collapses the whole model.
140
+ 15. Check revocation time.
141
+ - Demotion, removal, suspension, role deletion, membership expiry, subscription cancellation,
142
+ and ownership transfer should say how long old sessions, JWT claims, caches, search indexes,
143
+ queued jobs, and replicas can keep authorizing the old state.
144
+ - Sensitive actions need server-side recheck, short-lived tokens, revocation lists, or policy
145
+ version gates when stale tokens would be harmful.
146
+ 16. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
116
147
  - For credentialed delivery surfaces, check whether EventSource can supply the intended credentials, whether CORS and cookies match the policy, whether signed URLs expire and scope correctly, and whether caches vary on auth, tenant, and private response dimensions.
117
- 12. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale cache, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
118
- 13. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
119
- 14. Report the policy source of truth, server/database enforcement, client UX-only guards, test coverage, skipped checks, and remaining permission risk.
148
+ 17. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale token, stale cache, unknown role, unknown action, wildcard policy, explicit deny, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
149
+ 18. When changing policies, consider shadow evaluation.
150
+ - Compute old and new decisions side by side for representative requests before flipping broad
151
+ policy changes when the product has the infrastructure to do so.
152
+ - Log policy version and data revision for both decisions without exposing secrets or sensitive
153
+ object contents.
154
+ 19. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
155
+ 20. Report the policy source of truth, effective-permission evidence, decision explanation, server/database enforcement, client UX-only guards, revocation window, test coverage, skipped checks, and remaining permission risk.
120
156
 
121
157
  ## Boundary Rules
122
158
 
@@ -127,6 +163,10 @@ Authentication answers who the requester is. Authorization answers what that pri
127
163
  - Admin is scoped. Global admin, org admin, project admin, billing admin, support, and impersonating admin are different roles and need different audit and action rules.
128
164
  - Owner is not a wildcard permission. Owners may still lack delete, export, invite, transfer, billing, or admin powers.
129
165
  - API keys are principals with scopes and owners, not user sessions with unlimited power.
166
+ - Wildcard permissions are future permissions. Adding a new action under an old wildcard should be
167
+ treated as a permission expansion and reviewed accordingly.
168
+ - Unknown roles, unknown actions, malformed identifiers, and missing relationship data deny by
169
+ default; they are not normalized into a normal user path.
130
170
 
131
171
  ## Strongly Forbidden Patterns
132
172
 
@@ -142,6 +182,9 @@ Authentication answers who the requester is. Authorization answers what that pri
142
182
  - Changing 403 to 404, or 404 to 403, without naming the information-disclosure policy.
143
183
  - Relaxing permissions without denial-case tests or a written migration and audit plan.
144
184
  - Letting role changes ship without permission-cache or token-staleness handling.
185
+ - Shipping a permission engine that cannot explain why a request was allowed or denied.
186
+ - Treating an effective-permission bug as solved because the `role` column looks correct.
187
+ - Treating token-embedded roles as fresh after demotion, removal, or policy version changes.
145
188
  - Creating shared links, signed URLs, exports, search results, or CDN responses outside tenant and resource policy.
146
189
  - Creating credentialed event streams, WebTransport sessions, WebSocket fallback channels, signed delivery URLs, or private caches outside tenant and resource policy.
147
190
  - Logging impersonation without separate actor and subject.
@@ -153,6 +196,8 @@ Authentication answers who the requester is. Authorization answers what that pri
153
196
  - Authentication and authorization are separated in code and report language.
154
197
  - Every changed protected action has a server-side or database-side permission boundary.
155
198
  - Tenant isolation, resource ownership, sharing, admin scope, and status-code behavior are explicit.
199
+ - Effective permissions, policy-combination rules, decision explanation, policy version, data
200
+ revision, and revocation window are explicit when relevant.
156
201
  - Client guards are described as UX only.
157
202
  - Session, token, OAuth/OIDC, API key, cache, audit, docs, migration, and tests are synchronized when touched.
158
203
  - Signed URL, event-stream, WebTransport, WebSocket fallback, CORS, cookie, CDN/proxy cache, and reconnect behavior remains inside the permission model when touched.
@@ -190,6 +235,7 @@ Prefer the narrowest configured test intent that covers the changed protected ac
190
235
  - Authentication versus authorization classification
191
236
  - Principal, tenant, resource, action, and context affected
192
237
  - Policy source of truth
238
+ - Effective permission, policy version, data revision, decision explanation, and revocation window
193
239
  - Server/database enforcement notes
194
240
  - Client guard UX-only notes
195
241
  - Tenant, ownership, sharing, admin, token/session/API-key, cache, and audit notes
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.backend-log-evidence-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: backend-log-evidence-review
9
- description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state.
9
+ description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log pipeline canaries, collector accepted/sent/stored counts, timestamp versus observed timestamp, parser or mapping failures, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state and whether the evidence actually survived the logging pipeline.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -39,6 +39,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
39
39
  - Backend handlers, services, repositories, adapters, workers, schedulers, webhooks, migrations, scripts, or batch jobs add, remove, review, or depend on logs.
40
40
  - A change claims that a path is logged, traceable, easy to debug, auditable, operationally safe, or diagnosable from logs.
41
41
  - Request start or finish logs, event names, schema versions, severity fields, trace or span IDs, error handling, error wrapping, external API calls, DB writes, transactions, status transitions, early returns, retries, timeouts, queues, async jobs, batches, audit events, auth, validation, cache, distributed locks, idempotency, feature flags, configuration, releases, migrations, or background promises are involved.
42
+ - Log ingestion, parsing, buffering, shipping, storage, searchability, retention, rotation, multiline parsing, canary logs, dropped-log counters, timestamp skew, or log sink visibility affects whether backend evidence can be trusted.
42
43
  - A review needs to decide whether logs explain why the system reached a state, not only where the exception was thrown.
43
44
 
44
45
  <!-- mustflow-section: do-not-use-when -->
@@ -60,6 +61,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
60
61
  - Error evidence: thrown errors, catches, wrappers, causes, stack preservation, error categories, public versus internal messages, and log boundary ownership.
61
62
  - Decision evidence: branches, early returns, validation failures, auth decisions, feature flags, state transitions, cache paths, retry decisions, timeout classes, and fallback decisions.
62
63
  - Side-effect evidence: external API calls with dependency name, operation, timeout, latency, status class, retry count, circuit state, and provider request id; DB affected rows; transaction begin/commit/rollback evidence; queue enqueue and consume; idempotency decisions; locks; migrations; batch summaries; release/config/feature-flag events; and configuration snapshots.
64
+ - Pipeline integrity evidence when logs leave the process: generated count, collector accepted count, exporter sent count, stored count, searchable count, canary event id, sequence gaps, duplicate rate, timestamp and observed timestamp drift, queue oldest age, DLQ oldest age, parser failures, mapping conflicts, dropped or sampled counts, rotation or restart boundary, multiline grouping, and storage retention boundary.
63
65
  - Safety constraints: secrets, tokens, cookies, auth headers, passwords, raw payloads, personal data, payment data, provider response bodies, full SQL, log injection through control characters or ANSI escapes, high-cardinality indexing cost, sampling policy, and retention policy.
64
66
  - Local conventions: logger API, structured field names, severity levels, redaction helpers, error serialization, test helpers, snapshots or fixtures, and configured command intents.
65
67
 
@@ -161,7 +163,14 @@ The review question is: "If this backend path fails, times out, retries, silentl
161
163
  - Normalize or escape user-controlled strings such as filenames, user agents, nicknames, referers, and queries so newlines, tabs, control characters, and ANSI escapes cannot forge log entries.
162
164
  - Sink-side masking is not enough when sensitive data has already crossed the process boundary.
163
165
  - Tests or static guards should cover sensitive log fields when feasible.
164
- 18. Require evidence.
166
+ 18. Review log pipeline survival when the task depends on searchable logs.
167
+ - Compare generated, accepted, sent, stored, and searchable counts by service, environment, version, and event family instead of trusting one total.
168
+ - A synthetic canary log with a unique id and increasing sequence can expose loss, duplication, reorder, and search visibility lag.
169
+ - Distinguish event timestamp from observed timestamp; large drift points to clock skew, buffer delay, backpressure, or collector backlog.
170
+ - Queue size alone is weak. Check queue utilization, oldest queued event age, enqueue failures, exporter failures, receiver refusals, DLQ size, and DLQ oldest age.
171
+ - Parser failures, mapping conflicts, multiline splits, log rotation, container restart, pod deletion, disk buffer exhaustion, and retention or rollover drift can silently erase the evidence operators think they have.
172
+ - If pipeline checks require live collectors, sinks, dashboards, or production search, report them as manual-only instead of claiming log evidence survived.
173
+ 19. Require evidence.
165
174
  - Prefer focused tests, log fixtures, snapshot assertions, redaction tests, source-level guards, or local logger contract tests for stable event names and fields.
166
175
  - Prefer tests that pin `event_name`, schema version, required fields, redaction, bounded reason codes, and message-independent query fields rather than exact prose.
167
176
  - If logs depend on runtime middleware, production log routing, sink configuration, or manual log search outside the repository, report that evidence as manual-only.
@@ -170,7 +179,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
170
179
  <!-- mustflow-section: postconditions -->
171
180
  ## Postconditions
172
181
 
173
- - The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, redaction boundary, level ownership, sampling boundary, and evidence level.
182
+ - The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, pipeline survival boundary, redaction boundary, level ownership, sampling boundary, and evidence level.
174
183
  - Missing start or finish logs, message-only contracts, unstable event names, missing schema version, missing trace or span id, missing correlation or causation id, string-only errors, lost causes, missing external-call before and after logs, raw provider body logs, missing affected-row counts, invisible transaction or state transitions, silent early returns, attempt-free retries, duration-free timeouts, enqueue or consume gaps, broken async correlation, empty batch summaries, missing auth or validation reasons, ordinary logs for audit events, cache or lock blind spots, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config logs, migration `done` logs, swallowed async errors, all-info or all-error severity, duplicate error spam, prose-only messages, high-cardinality indexed fields, log injection exposure, unsafe sampling, and missing identifiers are fixed or reported.
175
184
  - Named review smells such as broken async request id, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, config startup summaries, release and migration event gaps, migration dry-run and apply logs, message-based dashboards, prose-only log, and sink-side-only masking are fixed or reported when present.
176
185
  - Log changes are backed by local logger conventions, tests, fixtures, source review evidence, or labeled as manual-only or missing.
@@ -205,7 +214,7 @@ Prefer the narrowest configured checks that cover the changed logging contract a
205
214
  ## Output Format
206
215
 
207
216
  - Backend log boundary reviewed
208
- - Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
217
+ - Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, pipeline survival, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
209
218
  - Log fixes made or recommended
210
219
  - Evidence level: configured-test evidence, log fixture evidence, source review evidence, manual-only, missing, or not applicable
211
220
  - Command intents run