mustflow 2.84.0 → 2.99.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/dist/cli/commands/script-pack.js +14 -0
- package/dist/cli/i18n/en.js +262 -0
- package/dist/cli/i18n/es.js +262 -0
- package/dist/cli/i18n/fr.js +262 -0
- package/dist/cli/i18n/hi.js +262 -0
- package/dist/cli/i18n/ko.js +262 -0
- package/dist/cli/i18n/zh.js +262 -0
- package/dist/cli/lib/repo-map.js +27 -6
- package/dist/cli/lib/run-root-trust.js +15 -1
- package/dist/cli/lib/script-pack-registry.js +397 -0
- package/dist/cli/lib/validation/index.js +2 -2
- package/dist/cli/lib/validation/primitives.js +4 -1
- package/dist/cli/script-packs/code-change-impact.js +178 -0
- package/dist/cli/script-packs/code-dependency-graph.js +181 -0
- package/dist/cli/script-packs/code-import-cycle.js +193 -0
- package/dist/cli/script-packs/docs-link-integrity.js +145 -0
- package/dist/cli/script-packs/repo-approval-gate.js +100 -0
- package/dist/cli/script-packs/repo-env-contract.js +156 -0
- package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
- package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
- package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
- package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
- package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
- package/dist/cli/script-packs/repo-version-source.js +92 -0
- package/dist/cli/script-packs/test-performance-report.js +247 -0
- package/dist/cli/script-packs/test-regression-selector.js +167 -0
- package/dist/core/change-impact.js +355 -0
- package/dist/core/change-surface-classification.js +198 -0
- package/dist/core/change-verification.js +32 -5
- package/dist/core/config-loading.js +121 -4
- package/dist/core/dependency-graph.js +490 -0
- package/dist/core/docs-link-integrity.js +443 -0
- package/dist/core/env-contract.js +450 -0
- package/dist/core/import-cycle.js +152 -0
- package/dist/core/line-endings.js +26 -13
- package/dist/core/public-json-contracts.js +167 -0
- package/dist/core/repo-approval-gate.js +116 -0
- package/dist/core/repo-git-ignore-audit.js +302 -0
- package/dist/core/repo-manifest-lock-drift.js +321 -0
- package/dist/core/repo-merge-conflict-scan.js +335 -0
- package/dist/core/repo-version-source.js +82 -0
- package/dist/core/route-outline.js +57 -5
- package/dist/core/script-pack-suggestions.js +97 -1
- package/dist/core/secret-risk-scan.js +440 -0
- package/dist/core/skill-route-audit.js +354 -0
- package/dist/core/test-performance-report.js +697 -0
- package/dist/core/test-regression-selector.js +335 -0
- package/package.json +1 -1
- package/schemas/README.md +54 -0
- package/schemas/change-impact-report.schema.json +184 -0
- package/schemas/commands.schema.json +12 -0
- package/schemas/dependency-graph-report.schema.json +149 -0
- package/schemas/env-contract-report.schema.json +203 -0
- package/schemas/import-cycle-report.schema.json +157 -0
- package/schemas/link-integrity-report.schema.json +176 -0
- package/schemas/repo-approval-gate-report.schema.json +115 -0
- package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
- package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
- package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
- package/schemas/repo-version-source-report.schema.json +127 -0
- package/schemas/secret-risk-scan-report.schema.json +152 -0
- package/schemas/skill-route-audit-report.schema.json +144 -0
- package/schemas/test-performance-report.schema.json +319 -0
- package/schemas/test-regression-selector-report.schema.json +187 -0
- package/templates/default/i18n.toml +80 -26
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
- package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
- package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
- package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
- package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
- package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
- package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
- package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
- package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
- package/templates/default/manifest.toml +71 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.astro-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: astro-code-change
|
|
9
|
-
description: Apply this skill when Astro config, pages, layouts, components, islands, hydration directives, content collections, dynamic routes, adapters, MDX, RSS, sitemap, canonical URL, draft, pagination, or build behavior are created or changed.
|
|
9
|
+
description: Apply this skill when Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, dynamic routes, adapters, request pipeline, advanced routing, route cache, MDX, Markdown processing, RSS, sitemap, canonical URL, draft, pagination, migration, or build behavior are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -28,15 +28,15 @@ metadata:
|
|
|
28
28
|
<!-- mustflow-section: purpose -->
|
|
29
29
|
## Purpose
|
|
30
30
|
|
|
31
|
-
Preserve Astro's static-first model, island hydration boundary, routing contract, content collection schema, canonical URL, RSS, sitemap, adapter, and client bundle boundaries.
|
|
31
|
+
Preserve Astro's static-first model, island hydration boundary, routing contract, request pipeline, content collection schema, canonical URL, RSS, sitemap, adapter, cache, and client bundle boundaries.
|
|
32
32
|
|
|
33
33
|
The default is no-hydration. Add browser JavaScript only after proving that native HTML, CSS, standard links, forms, details/summary, or a small `.astro` script cannot provide the required behavior.
|
|
34
34
|
|
|
35
35
|
<!-- mustflow-section: use-when -->
|
|
36
36
|
## Use When
|
|
37
37
|
|
|
38
|
-
- `astro.config.*`, `src/pages`, `.astro`, content config, live config, collections, layouts, components, MDX, routes, endpoints, adapters, integrations, islands, or hydration directives change.
|
|
39
|
-
- The task adds or changes a page, blog/docs content, interactive UI, SSR/on-demand rendering, framework component, search/filter UI, route behavior, RSS feed, sitemap, canonical URL, draft handling, or pagination.
|
|
38
|
+
- `astro.config.*`, package metadata, `src/pages`, `src/fetch.*`, `.astro`, content config, live config, collections, layouts, components, MDX, Markdown processor config, routes, endpoints, adapters, integrations, islands, route cache, or hydration directives change.
|
|
39
|
+
- The task adds or changes a page, blog/docs content, interactive UI, SSR/on-demand rendering, framework component, search/filter UI, request pipeline behavior, route behavior, RSS feed, sitemap, canonical URL, draft handling, migration, or pagination.
|
|
40
40
|
|
|
41
41
|
<!-- mustflow-section: do-not-use-when -->
|
|
42
42
|
## Do Not Use When
|
|
@@ -47,20 +47,23 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
|
|
|
47
47
|
<!-- mustflow-section: required-inputs -->
|
|
48
48
|
## Required Inputs
|
|
49
49
|
|
|
50
|
-
- Package metadata, Astro version, framework integrations, TypeScript config, pages, layouts, components, content config, content files, integrations, adapter config, env declarations, public assets, and tests.
|
|
51
|
-
- Astro config values that affect routing and
|
|
50
|
+
- Package metadata, current Astro version, target Astro version when migration is intended, framework integrations, TypeScript config, pages, layouts, components, content config, content files, integrations, adapter config, env declarations, public assets, and tests.
|
|
51
|
+
- Astro config values that affect routing, URLs, rendering, request handling, Markdown, and cache: `site`, `base`, `trailingSlash`, `output`, `adapter`, `fetchFile`, `markdown`, `compressHTML`, `cache`, `routeRules`, sitemap integration, MDX integration, and framework integrations.
|
|
52
52
|
- Content collection names, loader bases, schemas, slug/id policy, draft fields, date fields, canonical fields, and route files that turn collection entries into pages.
|
|
53
|
-
- Current output mode, prerender/SSR policy, hydration conventions, route priority, endpoint layout, RSS generation, sitemap generation, and content schema.
|
|
53
|
+
- Current output mode, prerender/SSR policy, hydration conventions, route priority, endpoint layout, request pipeline or middleware layout, RSS generation, sitemap generation, and content schema.
|
|
54
|
+
- Markdown processor decision, remark/rehype/recma plugins, custom Markdown imports, heading id policy, syntax-highlighting expectations, and Markdown or MDX snapshots when content rendering changes.
|
|
55
|
+
- Cache provider, route cache rules, cache-key inputs, invalidation path, deployment topology, and authenticated or personalized routes when `cache` or `routeRules` change.
|
|
54
56
|
- Configured verification intents.
|
|
55
57
|
|
|
56
58
|
<!-- mustflow-section: preconditions -->
|
|
57
59
|
## Preconditions
|
|
58
60
|
|
|
59
61
|
- Read Astro config, content config, and the affected route tree before changing routing, content, canonical, RSS, sitemap, or hydration behavior.
|
|
60
|
-
- Identify
|
|
62
|
+
- Identify current and target Astro major versions before applying migration rules. Apply only the official major upgrade guide deltas crossed by the change, and keep ordinary Astro edits on the version-neutral policies below.
|
|
61
63
|
- Identify build-time versus request-time data before adding data access.
|
|
62
64
|
- Identify which UI truly needs browser JavaScript and which UI truly needs framework state before adding a framework island.
|
|
63
65
|
- Treat file movement under `src/pages`, route parameter changes, and content slug changes as URL contract changes.
|
|
66
|
+
- Treat `src/fetch.ts` and `src/fetch.js` as reserved advanced-routing entrypoint candidates unless `fetchFile` disables or moves that entrypoint.
|
|
64
67
|
|
|
65
68
|
<!-- mustflow-section: allowed-edits -->
|
|
66
69
|
## Allowed Edits
|
|
@@ -73,18 +76,23 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
|
|
|
73
76
|
<!-- mustflow-section: procedure -->
|
|
74
77
|
## Procedure
|
|
75
78
|
|
|
76
|
-
1. Read package metadata and Astro config first. Record Astro
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
79
|
+
1. Read package metadata and Astro config first. Record current and target Astro versions, framework integrations, `site`, `base`, `trailingSlash`, `output`, adapter, `fetchFile`, `markdown`, `compressHTML`, `cache`, `routeRules`, sitemap integration, MDX integration, and any framework integration.
|
|
80
|
+
2. Apply the Version Gate before using migration guidance:
|
|
81
|
+
- If the task is not changing the Astro major version, do not run stale major-specific deltas as routine review noise.
|
|
82
|
+
- If the task crosses one or more Astro majors, check the official Astro upgrade guide for each crossed major and record which deltas apply.
|
|
83
|
+
- If a version-specific claim cannot be refreshed from official Astro docs, omit it or report it as unchecked instead of writing it as current.
|
|
84
|
+
3. Read `src/content.config.*` when content, docs, blog, RSS, sitemap, canonical, or route generation is involved. Record each collection name, loader base, schema fields, slug/id policy, draft field, and date fields.
|
|
85
|
+
4. Build a route ledger from `src/pages`: static pages, dynamic pages, rest routes, endpoints, prerendered routes, on-demand routes, and possible route-priority collisions.
|
|
86
|
+
5. Classify the change: static route, dynamic route, endpoint, content collection, integration, adapter, SSR/on-demand, request pipeline, island, script, asset, RSS, sitemap, canonical, cache, Markdown, migration, or docs/content.
|
|
87
|
+
6. Apply the hydration policy below before adding or changing any `client:*` directive.
|
|
88
|
+
7. Apply the routing, request pipeline, and rendering policies below before adding dynamic routes, catch-all routes, endpoints, adapter changes, `src/fetch.*`, or `prerender` changes.
|
|
89
|
+
8. Apply the content, SEO, and feed policy below before changing frontmatter, schemas, slugs, drafts, canonical URLs, pagination, RSS, or sitemap behavior.
|
|
90
|
+
9. Apply the cache policy below before changing `cache`, `routeRules`, route-level cache behavior, or cache provider configuration.
|
|
91
|
+
10. Apply the Markdown and compiler policy below before changing Markdown processing, MDX, generated markup, `compressHTML`, HTML snapshots, or whitespace-sensitive content.
|
|
92
|
+
11. Do not put runtime-only data such as logged-in user state, request-local data, private API responses, or live inventory into build-time collections.
|
|
93
|
+
12. Do not enable request-time rendering without the adapter and deployment contract that support it.
|
|
94
|
+
13. Keep `set:html` or raw HTML injection behind a trusted and sanitized content boundary.
|
|
95
|
+
14. Choose configured verification intents that cover content schema, build, routes, hydration, adapter/runtime, cache, Markdown, request pipeline, and bundle risk when available.
|
|
88
96
|
|
|
89
97
|
## Hydration Policy
|
|
90
98
|
|
|
@@ -102,7 +110,7 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
|
|
|
102
110
|
|
|
103
111
|
- In static output, every dynamic route must have `getStaticPaths`.
|
|
104
112
|
- In on-demand or SSR dynamic routes, do not use `getStaticPaths`; read `Astro.params`, perform the request-time lookup, and handle missing entries with an explicit 404 or redirect path.
|
|
105
|
-
- `getStaticPaths` params must match bracket parameter names exactly.
|
|
113
|
+
- `getStaticPaths` params must match bracket parameter names exactly. Route param values are a string contract; rest parameters may use `undefined`.
|
|
106
114
|
- Custom slugs containing `/` require a rest route such as a catch-all route. Do not force slash-containing slugs into a single named parameter route.
|
|
107
115
|
- Treat changes under `src/pages` as public URL changes, including endpoint names and extension-bearing endpoint paths.
|
|
108
116
|
- Check route priority when adding static routes, named parameters, rest parameters, catch-all routes, and endpoints that could claim the same URL.
|
|
@@ -111,6 +119,35 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
|
|
|
111
119
|
- Do not switch the whole project to server output for one page unless the deployment and route contract require it.
|
|
112
120
|
- Do not assume SSR dynamic routes appear in sitemap output automatically.
|
|
113
121
|
|
|
122
|
+
## Request Pipeline Policy
|
|
123
|
+
|
|
124
|
+
- Do not create `src/fetch.ts` or `src/fetch.js` just because a project uses Astro 7 or advanced routing. Add or modify a custom fetch entrypoint only when the request pipeline contract requires it.
|
|
125
|
+
- If `src/fetch.*` already exists, check whether it is an intentional advanced-routing entrypoint, an accidental reserved-name collision, or disabled or moved through `fetchFile`.
|
|
126
|
+
- Prefer preserving Astro's default request pipeline unless there is a named reason to compose handlers directly.
|
|
127
|
+
- When direct handler composition is used, record a request pipeline ledger: trailing slash, redirects, sessions, actions, user middleware, rendering, i18n, cache, and any intentionally omitted stage.
|
|
128
|
+
- Place session handling before any handler that reads or mutates session state.
|
|
129
|
+
|
|
130
|
+
## Cache Policy
|
|
131
|
+
|
|
132
|
+
- Treat `cache` and `routeRules` changes as data-exposure risks, not only performance changes.
|
|
133
|
+
- Do not cache authenticated, personalized, locale-sensitive, cookie-dependent, header-dependent, or query-dependent responses unless the cache key, invalidation, and privacy boundary are explicit.
|
|
134
|
+
- Check whether the deployment is single-instance or multi-instance before relying on in-memory route cache behavior.
|
|
135
|
+
- When route cache behavior changes, use `cache-integrity-review` as an adjunct when available and report `HIT`, `MISS`, `STALE`, or equivalent cache evidence only when verified.
|
|
136
|
+
|
|
137
|
+
## Markdown And Compiler Policy
|
|
138
|
+
|
|
139
|
+
- When an Astro major migration changes Markdown processing, choose explicitly between the current processor and the new default processor. Keep the unified pipeline when remark, rehype, recma, MDX, or custom Markdown plugin compatibility is unproven.
|
|
140
|
+
- Check heading ids, code blocks, syntax highlighting, link rewriting, frontmatter rendering, and Markdown or MDX snapshots when the processor changes.
|
|
141
|
+
- Treat stricter compiler output, invalid HTML nesting, non-void tag closure, CSS serialization, and whitespace between inline elements as user-visible migration risks.
|
|
142
|
+
- When `compressHTML` changes or defaults differ, verify important rendered text does not lose intended spaces between inline elements.
|
|
143
|
+
|
|
144
|
+
## Astro Major Migration Deltas
|
|
145
|
+
|
|
146
|
+
- For v5 to v6 migrations, check removed or changed surfaces before editing call sites: `Astro.glob()` replacement with `import.meta.glob()` or content collections, `.cjs` and `.cts` config removal, `astro:ssr-manifest`, `RouteData.generate()`, old adapter hooks, old `NodeApp` paths, Zod 4 schema effects, and numeric dynamic route params.
|
|
147
|
+
- For v6 to v7 migrations, check `src/fetch.*` or `fetchFile`, direct request handler composition, `cache`, `routeRules`, `advancedRouting`, `logger`, `queuedRendering`, `rustCompiler`, `markdown.processor`, `compressHTML`, removed or changed `@astrojs/db` usage, transition internals, and `getContainerRenderer()` imports from integration roots.
|
|
148
|
+
- For v6 to v7 migrations with custom Vite config, Rollup hooks, or Astro integrations that call Vite APIs, also use `dependency-upgrade-review` when available.
|
|
149
|
+
- Keep each migration delta scoped to the crossed major version. Do not copy old delta checks into ordinary Astro UI, content, or route edits.
|
|
150
|
+
|
|
114
151
|
## Content SEO Feed Policy
|
|
115
152
|
|
|
116
153
|
- Every frontmatter field used by routes, SEO, RSS, sitemap, pagination, filtering, or canonical URLs must be declared in the content collection schema.
|
|
@@ -134,8 +171,12 @@ Reject or revise a change when:
|
|
|
134
171
|
- `client:only` is used because SSR broke, instead of isolating the browser-only dependency.
|
|
135
172
|
- Static output dynamic routes lack `getStaticPaths`.
|
|
136
173
|
- On-demand or SSR dynamic routes use `getStaticPaths`.
|
|
137
|
-
- Route params do not match bracket names, non-rest params are not strings, rest params use values other than strings or `undefined
|
|
174
|
+
- Route params do not match bracket names, non-rest params are not strings, or rest params use values other than strings or `undefined`.
|
|
138
175
|
- A content slug with `/` is mapped through a non-rest route.
|
|
176
|
+
- `src/fetch.*` is added without a named request pipeline requirement, or direct handler composition omits a needed pipeline stage.
|
|
177
|
+
- Route cache is enabled for authenticated, personalized, locale-sensitive, cookie-dependent, header-dependent, or query-dependent responses without an explicit cache key and invalidation boundary.
|
|
178
|
+
- Markdown processor changes skip plugin compatibility or rendered-output checks.
|
|
179
|
+
- Compiler or `compressHTML` changes are accepted without checking invalid HTML nesting, non-void tag closure, CSS serialization, or whitespace-sensitive rendered text when those surfaces are affected.
|
|
139
180
|
- Draft filtering differs between lists, detail pages, RSS, sitemap, or pagination.
|
|
140
181
|
- Canonical URLs are built by ad hoc string concatenation.
|
|
141
182
|
- RSS or sitemap includes drafts, stale paths, wrong trailing slash paths, or paths that the route ledger cannot produce.
|
|
@@ -147,7 +188,7 @@ Reject or revise a change when:
|
|
|
147
188
|
|
|
148
189
|
- Build-time and runtime data are separated.
|
|
149
190
|
- Client JavaScript is limited to needed islands.
|
|
150
|
-
- Route, endpoint, canonical URL, RSS, sitemap, draft, and content schema impact is known.
|
|
191
|
+
- Route, endpoint, request pipeline, cache, canonical URL, RSS, sitemap, draft, Markdown, and content schema impact is known.
|
|
151
192
|
- SSR or adapter changes are verified or reported.
|
|
152
193
|
|
|
153
194
|
<!-- mustflow-section: verification -->
|
|
@@ -162,15 +203,18 @@ Use configured oneshot command intents when available:
|
|
|
162
203
|
- `docs_validate_fast`
|
|
163
204
|
- `mustflow_check`
|
|
164
205
|
|
|
165
|
-
Report missing framework validation, route preview, content schema, RSS, sitemap, canonical, or client bundle verification intents when relevant.
|
|
206
|
+
Report missing framework validation, route preview, request pipeline, cache, Markdown, content schema, RSS, sitemap, canonical, or client bundle verification intents when relevant.
|
|
166
207
|
|
|
167
|
-
When verifiable, report counts for added hydration directives, added island risk, generated public content pages, excluded drafts, RSS items, sitemap URLs,
|
|
208
|
+
When verifiable, report counts for added hydration directives, added island risk, generated public content pages, excluded drafts, RSS items, sitemap URLs, duplicate canonical URLs, route cache rules, and affected Markdown or MDX outputs.
|
|
168
209
|
|
|
169
210
|
<!-- mustflow-section: failure-handling -->
|
|
170
211
|
## Failure Handling
|
|
171
212
|
|
|
172
213
|
- If an island is added only to work around static markup, revisit the markup and content boundary first.
|
|
173
214
|
- If SSR is requested without adapter evidence, stop and report the deployment contract gap.
|
|
215
|
+
- If custom request pipeline work lacks a pipeline ledger, create the ledger before changing unrelated routing or middleware.
|
|
216
|
+
- If cache rules can expose private or personalized data, stop and route through cache integrity review before optimizing performance.
|
|
217
|
+
- If Markdown processor compatibility is unknown, keep the existing processor path or report the migration blocker.
|
|
174
218
|
- If content schema drift appears, fix schema and sample content before adding more pages.
|
|
175
219
|
- If draft, canonical, RSS, sitemap, or pagination drift appears, fix the shared content and route contract before adding new entries.
|
|
176
220
|
- If a route collision appears, resolve the route ledger before changing unrelated rendering code.
|
|
@@ -179,7 +223,7 @@ When verifiable, report counts for added hydration directives, added island risk
|
|
|
179
223
|
## Output Format
|
|
180
224
|
|
|
181
225
|
- Boundary checked
|
|
182
|
-
- Build/runtime, route, endpoint, content, hydration, canonical, RSS, sitemap, and draft notes
|
|
226
|
+
- Build/runtime, route, endpoint, request pipeline, cache, Markdown, content, hydration, canonical, RSS, sitemap, and draft notes
|
|
183
227
|
- Files changed
|
|
184
228
|
- Command intents run
|
|
185
229
|
- Skipped checks and reasons
|
|
@@ -0,0 +1,192 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.auth-flow-triage
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: auth-flow-triage
|
|
9
|
+
description: Apply this skill when login, signup, logout, session refresh, OAuth or OIDC redirect, PKCE, nonce, state, passkey, MFA, password reset, magic link, cookie, JWT, token exchange, JWKS, IdP callback, account linking, or authorization-after-login behavior is failing, intermittent, browser-only, client-specific, or not yet localized to identity, cookie, token, proxy, session store, provider, clock, rate limit, or permission policy.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.auth-flow-triage
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# Auth Flow Triage
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Localize authentication-flow failures without collapsing identity proof, session issuance, token
|
|
34
|
+
validation, browser cookie behavior, external provider callbacks, MFA, and authorization into one
|
|
35
|
+
"login is broken" bucket.
|
|
36
|
+
|
|
37
|
+
<!-- mustflow-section: use-when -->
|
|
38
|
+
## Use When
|
|
39
|
+
|
|
40
|
+
- Login, signup, logout, refresh, password reset, magic link, MFA, passkey, OAuth, OIDC, SAML-like
|
|
41
|
+
handoff, API-key login, or account-linking behavior fails or behaves differently across clients.
|
|
42
|
+
- A user appears authenticated on one boundary but logged out, forbidden, redirected, or assigned to
|
|
43
|
+
the wrong account on another boundary.
|
|
44
|
+
- The failure may involve cookies, SameSite, CORS credentials, CSRF, proxy headers, redirect URI,
|
|
45
|
+
state, nonce, PKCE, authorization code exchange, JWT claims, JWKS rotation, refresh token
|
|
46
|
+
rotation, session storage, account lockout, rate limit, IdP metadata, passkeys, OTP, clocks, or
|
|
47
|
+
authorization after login.
|
|
48
|
+
- The task is to diagnose or review an auth failure before the exact code owner is known.
|
|
49
|
+
|
|
50
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
51
|
+
## Do Not Use When
|
|
52
|
+
|
|
53
|
+
- The change is already localized to implementing or changing the permission model; use
|
|
54
|
+
`auth-permission-change`.
|
|
55
|
+
- The task is specifically API object, property, or function authorization review; use
|
|
56
|
+
`api-access-control-review`.
|
|
57
|
+
- The task is only generic API failure triage before any auth-specific signal exists; use
|
|
58
|
+
`api-failure-triage`.
|
|
59
|
+
- The task asks for live credential testing, brute force, phishing simulation, or production token
|
|
60
|
+
collection. Stay within defensive code review, sanitized traces, and configured tests.
|
|
61
|
+
|
|
62
|
+
<!-- mustflow-section: required-inputs -->
|
|
63
|
+
## Required Inputs
|
|
64
|
+
|
|
65
|
+
- Auth attempt packet: observed time, timezone, trace or request id, client type, route, sanitized
|
|
66
|
+
request and response shape, redirect chain, status codes, user-facing message class, and result.
|
|
67
|
+
- Stage ledger: user lookup, credential verification, external provider round trip, callback,
|
|
68
|
+
token exchange, session issue, cookie write, redirect, authorization decision, and logout or
|
|
69
|
+
revocation when relevant.
|
|
70
|
+
- Token and session ledger: session id hash, token type, issuer, audience, subject, `jti`, `iat`,
|
|
71
|
+
`nbf`, `exp`, key id, refresh-token family state, cookie attributes, session-store key, and
|
|
72
|
+
revocation or rotation state.
|
|
73
|
+
- Browser and proxy ledger: origin, host, forwarded proto and host, redirect URI, cookie domain and
|
|
74
|
+
path, SameSite, Secure, HttpOnly, CORS credentials, CSRF token, and proxy trust boundary.
|
|
75
|
+
- Provider ledger: IdP issuer, discovery metadata, JWKS URI, registered redirect URIs, client id,
|
|
76
|
+
PKCE method, state, nonce, passkey RP ID, WebAuthn origin, MFA method, and provider error class.
|
|
77
|
+
- Denial and privacy ledger: enumeration policy, lockout or rate-limit decision, internal result
|
|
78
|
+
code, public error message, redaction boundary, and denial-case tests.
|
|
79
|
+
|
|
80
|
+
<!-- mustflow-section: preconditions -->
|
|
81
|
+
## Preconditions
|
|
82
|
+
|
|
83
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
84
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
|
|
85
|
+
- Secrets, tokens, OTPs, passwords, cookies, raw provider payloads, personal identifiers, and private
|
|
86
|
+
callback URLs are redacted before being written into docs, tests, commits, or reports.
|
|
87
|
+
|
|
88
|
+
<!-- mustflow-section: allowed-edits -->
|
|
89
|
+
## Allowed Edits
|
|
90
|
+
|
|
91
|
+
- Add or tighten stage-specific result codes, safe trace ids, token validation, cookie settings,
|
|
92
|
+
proxy trust handling, redirect URI checks, PKCE, state, nonce, JWKS refresh behavior, session
|
|
93
|
+
rotation, refresh-token serialization, account-linking checks, passkey origin checks, MFA tests,
|
|
94
|
+
redaction, docs, fixtures, and denial-case tests.
|
|
95
|
+
- Add focused tests that reproduce the sanitized failure stage, token claim mismatch, cookie
|
|
96
|
+
behavior, callback binding, refresh-token race, session fixation boundary, or account-linking
|
|
97
|
+
policy.
|
|
98
|
+
- Do not add auth bypasses, broad CORS wildcards, loose redirect matching, disabled TLS checks,
|
|
99
|
+
widened clock skew, token logging, provider-console assumptions, or live credential probes.
|
|
100
|
+
|
|
101
|
+
<!-- mustflow-section: procedure -->
|
|
102
|
+
## Procedure
|
|
103
|
+
|
|
104
|
+
1. Split the symptom by stage before editing: user lookup, credential or passkey verification,
|
|
105
|
+
provider redirect, callback validation, token exchange, session issue, cookie persistence,
|
|
106
|
+
refresh, logout, and authorization-after-login.
|
|
107
|
+
2. Preserve one sanitized failing attempt plus one success comparator. Compare the actual redirect
|
|
108
|
+
chain, cookies sent and set, status codes, provider error class, token type, and client version.
|
|
109
|
+
3. Keep public and internal errors separate. Public messages should avoid account enumeration;
|
|
110
|
+
internal evidence should keep stable reason codes such as missing user, credential mismatch,
|
|
111
|
+
disabled account, MFA required, token expired, nonce mismatch, PKCE mismatch, and policy denied.
|
|
112
|
+
4. Verify clocks before treating tokens as bad. Compare server epoch, token `iat`, `nbf`, `exp`,
|
|
113
|
+
OTP window, signed request timestamp, certificate validity, and applied clock skew.
|
|
114
|
+
5. For browser-only failures, check actual cookie attributes, CORS credential behavior, CSRF,
|
|
115
|
+
redirect handling, preflight, duplicate cookie names, and whether the callback writes the cookie
|
|
116
|
+
on the host and path the app later uses.
|
|
117
|
+
6. For proxy-backed apps, verify trusted forwarded headers, external URL calculation, secure cookie
|
|
118
|
+
detection, host allowlists, and callback URL generation. Do not trust arbitrary forwarded headers.
|
|
119
|
+
7. For OAuth or OIDC, compare the exact registered and transmitted redirect URI, issuer, discovery
|
|
120
|
+
metadata, client id, state, nonce, PKCE method, code-verifier binding, token endpoint, and JWKS.
|
|
121
|
+
8. For token validation, check signature, algorithm allowlist, key id refresh, issuer, audience,
|
|
122
|
+
authorized party when needed, subject, expiry, not-before, nonce, token type, and stale role or
|
|
123
|
+
permission claims.
|
|
124
|
+
9. For refresh and logout failures, separate local cookie deletion, server session revocation,
|
|
125
|
+
refresh-token family state, access-token lifetime, IdP SSO session, and provider logout.
|
|
126
|
+
10. For passkeys and MFA, check challenge one-time use, origin, RP ID, credential id, user handle,
|
|
127
|
+
user-verification flags, OTP reuse, recovery path, reauthentication, and registration or removal
|
|
128
|
+
policy.
|
|
129
|
+
11. For account linking, use provider `issuer + subject` as the external identity key. Treat email
|
|
130
|
+
equality as weak evidence that requires an authenticated linking flow.
|
|
131
|
+
12. If authentication succeeds but the user is still blocked, switch to `auth-permission-change` or
|
|
132
|
+
`api-access-control-review` and inspect tenant, resource, role, scope, stale cache, and token
|
|
133
|
+
claim freshness.
|
|
134
|
+
13. Apply the smallest localized fix and rerun the narrowest configured intent that covers the
|
|
135
|
+
affected auth stage, denial case, docs, template, or package surface.
|
|
136
|
+
|
|
137
|
+
<!-- mustflow-section: postconditions -->
|
|
138
|
+
## Postconditions
|
|
139
|
+
|
|
140
|
+
- The failing auth stage is localized or named as an evidence gap.
|
|
141
|
+
- Public error wording, internal reason codes, trace ids, session or token identifiers, and redaction
|
|
142
|
+
boundaries are explicit.
|
|
143
|
+
- Cookie, proxy, redirect, token, JWKS, provider metadata, passkey, MFA, refresh, logout, rate limit,
|
|
144
|
+
and authorization-after-login checks are fixed or reported where relevant.
|
|
145
|
+
- Any permission follow-up is routed to the narrower access-control skill instead of hidden inside
|
|
146
|
+
login debugging.
|
|
147
|
+
|
|
148
|
+
<!-- mustflow-section: verification -->
|
|
149
|
+
## Verification
|
|
150
|
+
|
|
151
|
+
Use configured oneshot command intents when available:
|
|
152
|
+
|
|
153
|
+
- `changes_status`
|
|
154
|
+
- `changes_diff_summary`
|
|
155
|
+
- `lint`
|
|
156
|
+
- `build`
|
|
157
|
+
- `test_related`
|
|
158
|
+
- `test`
|
|
159
|
+
- `test_audit`
|
|
160
|
+
- `docs_validate_fast`
|
|
161
|
+
- `test_release`
|
|
162
|
+
- `mustflow_check`
|
|
163
|
+
|
|
164
|
+
Prefer the narrowest configured tests that cover the failing auth stage and denial behavior. Report
|
|
165
|
+
missing browser cookie, provider callback, JWKS rotation, MFA, passkey, refresh-token race, and
|
|
166
|
+
session-store integration evidence instead of inventing live auth probes.
|
|
167
|
+
|
|
168
|
+
<!-- mustflow-section: failure-handling -->
|
|
169
|
+
## Failure Handling
|
|
170
|
+
|
|
171
|
+
- If the failing auth attempt cannot be captured safely, report the missing stage evidence instead
|
|
172
|
+
of changing auth code from guesses.
|
|
173
|
+
- If sensitive values appear in evidence, stop repeating them and summarize the shape only.
|
|
174
|
+
- If fixing the failure requires external IdP console changes, provider credentials, production
|
|
175
|
+
tokens, live email or SMS delivery, or browser automation outside the command contract, report the
|
|
176
|
+
manual boundary.
|
|
177
|
+
- If configured verification fails, preserve the failing intent and output tail, then fix only the
|
|
178
|
+
localized auth stage or test contract.
|
|
179
|
+
|
|
180
|
+
<!-- mustflow-section: output-format -->
|
|
181
|
+
## Output Format
|
|
182
|
+
|
|
183
|
+
- Auth flow triaged
|
|
184
|
+
- Failing stage, sanitized attempt packet, and success comparator
|
|
185
|
+
- Cookie, proxy, redirect, provider, token, JWKS, session, refresh, logout, passkey, MFA, rate limit,
|
|
186
|
+
enumeration, and authorization-after-login findings
|
|
187
|
+
- Fix applied or recommended
|
|
188
|
+
- Evidence level: configured-test evidence, static review risk, manual-only, missing, or not
|
|
189
|
+
applicable
|
|
190
|
+
- Command intents run
|
|
191
|
+
- Skipped auth diagnostics and reasons
|
|
192
|
+
- Remaining auth-flow risk
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.auth-permission-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: auth-permission-change
|
|
9
|
-
description: Apply this skill when authentication, authorization, permissions, roles, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
|
|
9
|
+
description: Apply this skill when authentication, authorization, permissions, roles, effective permissions, policy decisions, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -54,11 +54,20 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
54
54
|
## Required Inputs
|
|
55
55
|
|
|
56
56
|
- Changed files, user goal, affected actors, protected resources, actions, tenants, roles, and status-code expectations.
|
|
57
|
+
- Permission decision tuple for each changed protected action: subject, action, object, tenant or
|
|
58
|
+
organization, relationship path, request environment, policy version, data revision, token issue
|
|
59
|
+
time, and final allow or deny reason.
|
|
60
|
+
- Effective-permission evidence, not only role names: computed capabilities, inherited
|
|
61
|
+
relationships, explicit denies, wildcard policies, policy-combination rules, and default-deny
|
|
62
|
+
behavior.
|
|
57
63
|
- Auth middleware, framework hooks, gateway checks, session config, cookie config, JWT verifier, OAuth/OIDC callback, API key verifier, and logout or revocation code when relevant.
|
|
58
64
|
- Route guards, client guards, server controllers, resolvers, command handlers, services, policy functions, role or permission tables, database queries, RLS, views, stored procedures, and ORM scopes.
|
|
59
65
|
- Tenant, organization, workspace, project, membership, invite, suspension, ownership, sharing, and admin-support data models.
|
|
60
66
|
- Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, SSE or streaming channels, WebTransport sessions, WebSocket fallback, CDN cache, proxy cache, and permission caches when they can expose protected data.
|
|
61
67
|
- Audit logs, admin action logs, impersonation records, denied-access logs, API docs, role matrix docs, migrations, and tests.
|
|
68
|
+
- Revocation and cache evidence: token claim freshness, session lifetime, permission-cache key and
|
|
69
|
+
TTL, policy replication delay, search-index or export lag, stale queue payloads, and rollback or
|
|
70
|
+
shadow-evaluation behavior when policy changes.
|
|
62
71
|
- Configured verification intents.
|
|
63
72
|
|
|
64
73
|
<!-- mustflow-section: preconditions -->
|
|
@@ -92,31 +101,58 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
92
101
|
- database queries, tenant scopes, ownership joins, soft-delete filters, RLS, views, stored procedures, and ORM helpers;
|
|
93
102
|
- background jobs, queues, webhooks, import/export, file storage, signed URLs, SSE or streaming channels, WebTransport sessions, WebSocket fallback, search, autocomplete, caches, CDN or proxy cache rules, audit logs, docs, migrations, and tests.
|
|
94
103
|
3. Write the permission decision inputs for each protected action: principal, tenant, resource, action, and context.
|
|
95
|
-
4.
|
|
104
|
+
4. Freeze the authorization decision tuple.
|
|
105
|
+
- Record subject, action, object, tenant, environment, policy version, data revision, token issue
|
|
106
|
+
time, matched policy, inheritance path, and final allow or deny reason.
|
|
107
|
+
- A role label is not the decision. Use effective permissions and relationship paths.
|
|
108
|
+
5. Separate identity from permission:
|
|
96
109
|
- `req.user`, a valid session, verified email, valid JWT, OAuth scope, or API key proves identity only;
|
|
97
110
|
- owner, active member, org admin, global admin, support user, service account, API client, and shared-link viewer need separate authorization rules.
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
111
|
+
6. Prefer one central policy shape, such as a `can(principal, action, resource, context)` function, over route-local `isAdmin`, `isOwner`, or `isMember` fragments.
|
|
112
|
+
7. Require explainable policy decisions.
|
|
113
|
+
- A production-supportable permission engine should expose which policy matched, which condition
|
|
114
|
+
failed, which inherited relationship granted access, and whether an explicit deny won.
|
|
115
|
+
- If the implementation cannot explain allow or deny decisions, report observability risk before
|
|
116
|
+
claiming the policy is maintainable.
|
|
117
|
+
8. Enforce deny by default. New roles, actions, resource types, tenant types, sharing modes, and admin paths must deny until explicitly allowed.
|
|
118
|
+
9. Define policy-combination semantics. Check whether multiple policies combine by union,
|
|
119
|
+
intersection, priority, explicit deny, boundary policy, or tenant override; write tests for
|
|
120
|
+
allow-plus-deny and no-match cases.
|
|
121
|
+
10. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
|
|
122
|
+
11. Load resources safely before final authorization:
|
|
102
123
|
- include tenant, membership, owner, sharing, and soft-delete constraints in the resource lookup when possible;
|
|
103
124
|
- when existence must be hidden, keep wrong-tenant and missing-resource behavior consistent with the project's 404 policy.
|
|
104
|
-
|
|
125
|
+
12. Check multi-tenant risks:
|
|
105
126
|
- body, query, header, path, JWT claim, or local storage tenant ids must not become trusted tenant context;
|
|
106
127
|
- tenant-scoped queries must include tenant or membership constraints;
|
|
107
128
|
- pending, suspended, removed, revoked, deleted, disabled, and invited states must not be treated as active access;
|
|
108
129
|
- shared links, exports, signed URLs, previews, search, cache, and CDN entries must stay inside the permission model.
|
|
109
130
|
- event streams, WebTransport sessions, WebSocket fallback channels, private downloads, and reconnect URLs must not bypass tenant, resource, role, token expiry, or revocation policy.
|
|
110
|
-
|
|
131
|
+
13. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
|
|
111
132
|
- sessions need expiry, refresh, rotation, logout, revocation, cookie flags, and CSRF posture;
|
|
112
133
|
- JWTs need signature verification, algorithm allowlist, issuer, audience, subject, expiry, not-before, key rotation, and stale-claim handling;
|
|
113
134
|
- OAuth/OIDC needs exact redirect binding, state, nonce, PKCE when relevant, provider account binding, and safe account linking;
|
|
114
135
|
- API keys need hashing, prefix-only display, owner type, scope, tenant/resource constraints, expiry, rotation, revocation, last-used, rate limit, and audit.
|
|
115
|
-
|
|
136
|
+
14. Check permission creators more strictly than ordinary permissions.
|
|
137
|
+
- Role creation, role assignment, invitation, service-account issuance, API-key creation,
|
|
138
|
+
impersonation, support access, and token minting are privilege factories.
|
|
139
|
+
- A low-privilege actor that can attach a high privilege to itself collapses the whole model.
|
|
140
|
+
15. Check revocation time.
|
|
141
|
+
- Demotion, removal, suspension, role deletion, membership expiry, subscription cancellation,
|
|
142
|
+
and ownership transfer should say how long old sessions, JWT claims, caches, search indexes,
|
|
143
|
+
queued jobs, and replicas can keep authorizing the old state.
|
|
144
|
+
- Sensitive actions need server-side recheck, short-lived tokens, revocation lists, or policy
|
|
145
|
+
version gates when stale tokens would be harmful.
|
|
146
|
+
16. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
|
|
116
147
|
- For credentialed delivery surfaces, check whether EventSource can supply the intended credentials, whether CORS and cookies match the policy, whether signed URLs expire and scope correctly, and whether caches vary on auth, tenant, and private response dimensions.
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
148
|
+
17. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale token, stale cache, unknown role, unknown action, wildcard policy, explicit deny, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
|
|
149
|
+
18. When changing policies, consider shadow evaluation.
|
|
150
|
+
- Compute old and new decisions side by side for representative requests before flipping broad
|
|
151
|
+
policy changes when the product has the infrastructure to do so.
|
|
152
|
+
- Log policy version and data revision for both decisions without exposing secrets or sensitive
|
|
153
|
+
object contents.
|
|
154
|
+
19. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
|
|
155
|
+
20. Report the policy source of truth, effective-permission evidence, decision explanation, server/database enforcement, client UX-only guards, revocation window, test coverage, skipped checks, and remaining permission risk.
|
|
120
156
|
|
|
121
157
|
## Boundary Rules
|
|
122
158
|
|
|
@@ -127,6 +163,10 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
127
163
|
- Admin is scoped. Global admin, org admin, project admin, billing admin, support, and impersonating admin are different roles and need different audit and action rules.
|
|
128
164
|
- Owner is not a wildcard permission. Owners may still lack delete, export, invite, transfer, billing, or admin powers.
|
|
129
165
|
- API keys are principals with scopes and owners, not user sessions with unlimited power.
|
|
166
|
+
- Wildcard permissions are future permissions. Adding a new action under an old wildcard should be
|
|
167
|
+
treated as a permission expansion and reviewed accordingly.
|
|
168
|
+
- Unknown roles, unknown actions, malformed identifiers, and missing relationship data deny by
|
|
169
|
+
default; they are not normalized into a normal user path.
|
|
130
170
|
|
|
131
171
|
## Strongly Forbidden Patterns
|
|
132
172
|
|
|
@@ -142,6 +182,9 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
142
182
|
- Changing 403 to 404, or 404 to 403, without naming the information-disclosure policy.
|
|
143
183
|
- Relaxing permissions without denial-case tests or a written migration and audit plan.
|
|
144
184
|
- Letting role changes ship without permission-cache or token-staleness handling.
|
|
185
|
+
- Shipping a permission engine that cannot explain why a request was allowed or denied.
|
|
186
|
+
- Treating an effective-permission bug as solved because the `role` column looks correct.
|
|
187
|
+
- Treating token-embedded roles as fresh after demotion, removal, or policy version changes.
|
|
145
188
|
- Creating shared links, signed URLs, exports, search results, or CDN responses outside tenant and resource policy.
|
|
146
189
|
- Creating credentialed event streams, WebTransport sessions, WebSocket fallback channels, signed delivery URLs, or private caches outside tenant and resource policy.
|
|
147
190
|
- Logging impersonation without separate actor and subject.
|
|
@@ -153,6 +196,8 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
153
196
|
- Authentication and authorization are separated in code and report language.
|
|
154
197
|
- Every changed protected action has a server-side or database-side permission boundary.
|
|
155
198
|
- Tenant isolation, resource ownership, sharing, admin scope, and status-code behavior are explicit.
|
|
199
|
+
- Effective permissions, policy-combination rules, decision explanation, policy version, data
|
|
200
|
+
revision, and revocation window are explicit when relevant.
|
|
156
201
|
- Client guards are described as UX only.
|
|
157
202
|
- Session, token, OAuth/OIDC, API key, cache, audit, docs, migration, and tests are synchronized when touched.
|
|
158
203
|
- Signed URL, event-stream, WebTransport, WebSocket fallback, CORS, cookie, CDN/proxy cache, and reconnect behavior remains inside the permission model when touched.
|
|
@@ -190,6 +235,7 @@ Prefer the narrowest configured test intent that covers the changed protected ac
|
|
|
190
235
|
- Authentication versus authorization classification
|
|
191
236
|
- Principal, tenant, resource, action, and context affected
|
|
192
237
|
- Policy source of truth
|
|
238
|
+
- Effective permission, policy version, data revision, decision explanation, and revocation window
|
|
193
239
|
- Server/database enforcement notes
|
|
194
240
|
- Client guard UX-only notes
|
|
195
241
|
- Tenant, ownership, sharing, admin, token/session/API-key, cache, and audit notes
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.backend-log-evidence-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: backend-log-evidence-review
|
|
9
|
-
description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state.
|
|
9
|
+
description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log pipeline canaries, collector accepted/sent/stored counts, timestamp versus observed timestamp, parser or mapping failures, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state and whether the evidence actually survived the logging pipeline.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -39,6 +39,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
39
39
|
- Backend handlers, services, repositories, adapters, workers, schedulers, webhooks, migrations, scripts, or batch jobs add, remove, review, or depend on logs.
|
|
40
40
|
- A change claims that a path is logged, traceable, easy to debug, auditable, operationally safe, or diagnosable from logs.
|
|
41
41
|
- Request start or finish logs, event names, schema versions, severity fields, trace or span IDs, error handling, error wrapping, external API calls, DB writes, transactions, status transitions, early returns, retries, timeouts, queues, async jobs, batches, audit events, auth, validation, cache, distributed locks, idempotency, feature flags, configuration, releases, migrations, or background promises are involved.
|
|
42
|
+
- Log ingestion, parsing, buffering, shipping, storage, searchability, retention, rotation, multiline parsing, canary logs, dropped-log counters, timestamp skew, or log sink visibility affects whether backend evidence can be trusted.
|
|
42
43
|
- A review needs to decide whether logs explain why the system reached a state, not only where the exception was thrown.
|
|
43
44
|
|
|
44
45
|
<!-- mustflow-section: do-not-use-when -->
|
|
@@ -60,6 +61,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
60
61
|
- Error evidence: thrown errors, catches, wrappers, causes, stack preservation, error categories, public versus internal messages, and log boundary ownership.
|
|
61
62
|
- Decision evidence: branches, early returns, validation failures, auth decisions, feature flags, state transitions, cache paths, retry decisions, timeout classes, and fallback decisions.
|
|
62
63
|
- Side-effect evidence: external API calls with dependency name, operation, timeout, latency, status class, retry count, circuit state, and provider request id; DB affected rows; transaction begin/commit/rollback evidence; queue enqueue and consume; idempotency decisions; locks; migrations; batch summaries; release/config/feature-flag events; and configuration snapshots.
|
|
64
|
+
- Pipeline integrity evidence when logs leave the process: generated count, collector accepted count, exporter sent count, stored count, searchable count, canary event id, sequence gaps, duplicate rate, timestamp and observed timestamp drift, queue oldest age, DLQ oldest age, parser failures, mapping conflicts, dropped or sampled counts, rotation or restart boundary, multiline grouping, and storage retention boundary.
|
|
63
65
|
- Safety constraints: secrets, tokens, cookies, auth headers, passwords, raw payloads, personal data, payment data, provider response bodies, full SQL, log injection through control characters or ANSI escapes, high-cardinality indexing cost, sampling policy, and retention policy.
|
|
64
66
|
- Local conventions: logger API, structured field names, severity levels, redaction helpers, error serialization, test helpers, snapshots or fixtures, and configured command intents.
|
|
65
67
|
|
|
@@ -161,7 +163,14 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
161
163
|
- Normalize or escape user-controlled strings such as filenames, user agents, nicknames, referers, and queries so newlines, tabs, control characters, and ANSI escapes cannot forge log entries.
|
|
162
164
|
- Sink-side masking is not enough when sensitive data has already crossed the process boundary.
|
|
163
165
|
- Tests or static guards should cover sensitive log fields when feasible.
|
|
164
|
-
18.
|
|
166
|
+
18. Review log pipeline survival when the task depends on searchable logs.
|
|
167
|
+
- Compare generated, accepted, sent, stored, and searchable counts by service, environment, version, and event family instead of trusting one total.
|
|
168
|
+
- A synthetic canary log with a unique id and increasing sequence can expose loss, duplication, reorder, and search visibility lag.
|
|
169
|
+
- Distinguish event timestamp from observed timestamp; large drift points to clock skew, buffer delay, backpressure, or collector backlog.
|
|
170
|
+
- Queue size alone is weak. Check queue utilization, oldest queued event age, enqueue failures, exporter failures, receiver refusals, DLQ size, and DLQ oldest age.
|
|
171
|
+
- Parser failures, mapping conflicts, multiline splits, log rotation, container restart, pod deletion, disk buffer exhaustion, and retention or rollover drift can silently erase the evidence operators think they have.
|
|
172
|
+
- If pipeline checks require live collectors, sinks, dashboards, or production search, report them as manual-only instead of claiming log evidence survived.
|
|
173
|
+
19. Require evidence.
|
|
165
174
|
- Prefer focused tests, log fixtures, snapshot assertions, redaction tests, source-level guards, or local logger contract tests for stable event names and fields.
|
|
166
175
|
- Prefer tests that pin `event_name`, schema version, required fields, redaction, bounded reason codes, and message-independent query fields rather than exact prose.
|
|
167
176
|
- If logs depend on runtime middleware, production log routing, sink configuration, or manual log search outside the repository, report that evidence as manual-only.
|
|
@@ -170,7 +179,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
170
179
|
<!-- mustflow-section: postconditions -->
|
|
171
180
|
## Postconditions
|
|
172
181
|
|
|
173
|
-
- The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, redaction boundary, level ownership, sampling boundary, and evidence level.
|
|
182
|
+
- The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, pipeline survival boundary, redaction boundary, level ownership, sampling boundary, and evidence level.
|
|
174
183
|
- Missing start or finish logs, message-only contracts, unstable event names, missing schema version, missing trace or span id, missing correlation or causation id, string-only errors, lost causes, missing external-call before and after logs, raw provider body logs, missing affected-row counts, invisible transaction or state transitions, silent early returns, attempt-free retries, duration-free timeouts, enqueue or consume gaps, broken async correlation, empty batch summaries, missing auth or validation reasons, ordinary logs for audit events, cache or lock blind spots, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config logs, migration `done` logs, swallowed async errors, all-info or all-error severity, duplicate error spam, prose-only messages, high-cardinality indexed fields, log injection exposure, unsafe sampling, and missing identifiers are fixed or reported.
|
|
175
184
|
- Named review smells such as broken async request id, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, config startup summaries, release and migration event gaps, migration dry-run and apply logs, message-based dashboards, prose-only log, and sink-side-only masking are fixed or reported when present.
|
|
176
185
|
- Log changes are backed by local logger conventions, tests, fixtures, source review evidence, or labeled as manual-only or missing.
|
|
@@ -205,7 +214,7 @@ Prefer the narrowest configured checks that cover the changed logging contract a
|
|
|
205
214
|
## Output Format
|
|
206
215
|
|
|
207
216
|
- Backend log boundary reviewed
|
|
208
|
-
- Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
|
|
217
|
+
- Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, pipeline survival, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
|
|
209
218
|
- Log fixes made or recommended
|
|
210
219
|
- Evidence level: configured-test evidence, log fixture evidence, source review evidence, manual-only, missing, or not applicable
|
|
211
220
|
- Command intents run
|