mustflow 2.84.0 → 2.99.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/dist/cli/commands/script-pack.js +14 -0
- package/dist/cli/i18n/en.js +262 -0
- package/dist/cli/i18n/es.js +262 -0
- package/dist/cli/i18n/fr.js +262 -0
- package/dist/cli/i18n/hi.js +262 -0
- package/dist/cli/i18n/ko.js +262 -0
- package/dist/cli/i18n/zh.js +262 -0
- package/dist/cli/lib/repo-map.js +27 -6
- package/dist/cli/lib/run-root-trust.js +15 -1
- package/dist/cli/lib/script-pack-registry.js +397 -0
- package/dist/cli/lib/validation/index.js +2 -2
- package/dist/cli/lib/validation/primitives.js +4 -1
- package/dist/cli/script-packs/code-change-impact.js +178 -0
- package/dist/cli/script-packs/code-dependency-graph.js +181 -0
- package/dist/cli/script-packs/code-import-cycle.js +193 -0
- package/dist/cli/script-packs/docs-link-integrity.js +145 -0
- package/dist/cli/script-packs/repo-approval-gate.js +100 -0
- package/dist/cli/script-packs/repo-env-contract.js +156 -0
- package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
- package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
- package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
- package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
- package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
- package/dist/cli/script-packs/repo-version-source.js +92 -0
- package/dist/cli/script-packs/test-performance-report.js +247 -0
- package/dist/cli/script-packs/test-regression-selector.js +167 -0
- package/dist/core/change-impact.js +355 -0
- package/dist/core/change-surface-classification.js +198 -0
- package/dist/core/change-verification.js +32 -5
- package/dist/core/config-loading.js +121 -4
- package/dist/core/dependency-graph.js +490 -0
- package/dist/core/docs-link-integrity.js +443 -0
- package/dist/core/env-contract.js +450 -0
- package/dist/core/import-cycle.js +152 -0
- package/dist/core/line-endings.js +26 -13
- package/dist/core/public-json-contracts.js +167 -0
- package/dist/core/repo-approval-gate.js +116 -0
- package/dist/core/repo-git-ignore-audit.js +302 -0
- package/dist/core/repo-manifest-lock-drift.js +321 -0
- package/dist/core/repo-merge-conflict-scan.js +335 -0
- package/dist/core/repo-version-source.js +82 -0
- package/dist/core/route-outline.js +57 -5
- package/dist/core/script-pack-suggestions.js +97 -1
- package/dist/core/secret-risk-scan.js +440 -0
- package/dist/core/skill-route-audit.js +354 -0
- package/dist/core/test-performance-report.js +697 -0
- package/dist/core/test-regression-selector.js +335 -0
- package/package.json +1 -1
- package/schemas/README.md +54 -0
- package/schemas/change-impact-report.schema.json +184 -0
- package/schemas/commands.schema.json +12 -0
- package/schemas/dependency-graph-report.schema.json +149 -0
- package/schemas/env-contract-report.schema.json +203 -0
- package/schemas/import-cycle-report.schema.json +157 -0
- package/schemas/link-integrity-report.schema.json +176 -0
- package/schemas/repo-approval-gate-report.schema.json +115 -0
- package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
- package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
- package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
- package/schemas/repo-version-source-report.schema.json +127 -0
- package/schemas/secret-risk-scan-report.schema.json +152 -0
- package/schemas/skill-route-audit-report.schema.json +144 -0
- package/schemas/test-performance-report.schema.json +319 -0
- package/schemas/test-regression-selector-report.schema.json +187 -0
- package/templates/default/i18n.toml +80 -26
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
- package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
- package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
- package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
- package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
- package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
- package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
- package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
- package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
- package/templates/default/manifest.toml +71 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.cache-integrity-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: cache-integrity-review
|
|
9
|
-
description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, hit
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, cache-status ledgers such as hit, miss, bypass, stale, refresh, error, set-failed, evicted, or expired, origin-cost observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, replica lag, Redis latency, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -81,9 +81,11 @@ and what happens to the source system when the cache misses or fails?"
|
|
|
81
81
|
- Failure and concurrency contract: miss behavior, concurrent miss behavior, source timeout, Redis
|
|
82
82
|
failure, source failure, negative cache policy, update race behavior, invalidation ordering, and
|
|
83
83
|
stale serve policy.
|
|
84
|
-
- Observability evidence: hit
|
|
85
|
-
|
|
86
|
-
|
|
84
|
+
- Observability evidence: hit, miss, bypass, stale, refresh, negative-hit, set-failed, error,
|
|
85
|
+
eviction, expiry, and fallback metrics; miss cost; hit-rate cost by endpoint or tenant; value
|
|
86
|
+
size; key count; source query time; source call count; origin saturation; Redis client wait,
|
|
87
|
+
round-trip latency, command latency, serialization cost, Slow Log limits, replica lag, shard
|
|
88
|
+
imbalance, and set success.
|
|
87
89
|
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
88
90
|
validation.
|
|
89
91
|
|
|
@@ -180,6 +182,8 @@ and what happens to the source system when the cache misses or fails?"
|
|
|
180
182
|
shedding, stale serve, circuit breaker, bulkhead, or another source-protection mechanism.
|
|
181
183
|
- Decide whether cache failure is disposable or correctness-sensitive. Sessions, permissions,
|
|
182
184
|
rate limits, inventory, idempotency, and dedupe caches are not ordinary performance caches.
|
|
185
|
+
- Compare normal cached traffic with an allowed bypass path or known miss path when evidence is
|
|
186
|
+
available. If bypass is faster, fresher, or more correct, the cache policy itself is suspect.
|
|
183
187
|
13. Check Redis keyspace and memory behavior.
|
|
184
188
|
- Review value size, key size, key schema, bounded key cardinality, max memory, eviction policy,
|
|
185
189
|
expired keys, evicted keys, and whether TTL-less keys are turning cache into state storage.
|
|
@@ -187,43 +191,54 @@ and what happens to the source system when the cache misses or fails?"
|
|
|
187
191
|
so TTL-less keys can crowd out real cache behavior.
|
|
188
192
|
- `KEYS *` in application code is a production bomb. Use `SCAN` only from bounded admin or
|
|
189
193
|
maintenance paths with explicit limits.
|
|
190
|
-
14. Check
|
|
194
|
+
14. Check Redis latency, replication, and distribution.
|
|
195
|
+
- Redis Slow Log does not include client round-trip time, connection wait, serialization,
|
|
196
|
+
application loop overhead, DNS, TLS, or network path time. Do not use it as the only latency
|
|
197
|
+
proof.
|
|
198
|
+
- Review replica lag, failover behavior, cold replica warmup, persistence spikes, memory
|
|
199
|
+
fragmentation, client connection pools, shard imbalance, and command mix when a cache incident
|
|
200
|
+
is operational rather than semantic.
|
|
201
|
+
15. Check hot keys and Redis Cluster distribution.
|
|
191
202
|
- Sharding does not save one hot key. Use replicas, local L1, request coalescing, prewarm,
|
|
192
203
|
chunking, or workload-specific splitting where semantics allow it.
|
|
193
204
|
- Redis Cluster hash tags are useful for intentional multi-key locality, but overusing the same
|
|
194
205
|
tag can force too many keys into one slot.
|
|
195
|
-
|
|
206
|
+
16. Check HTTP cache semantics.
|
|
196
207
|
- If responses vary by `Authorization`, `Cookie`, `Accept-Language`, `Accept-Encoding`, content
|
|
197
208
|
negotiation, or user context, verify `Vary` and cache-control behavior.
|
|
198
209
|
- `no-cache` means revalidate before reuse. `no-store` means do not store. Do not use one when
|
|
199
210
|
the other is required.
|
|
200
211
|
- Check freshness, validation, private versus public cacheability, CDN behavior, browser behavior,
|
|
201
212
|
and generated-client or proxy expectations.
|
|
202
|
-
|
|
213
|
+
17. Check permission and entitlement caches as security boundaries.
|
|
203
214
|
- A permission cache, role cache, organization-membership cache, subscription cache, admin cache,
|
|
204
215
|
or entitlement cache must be invalidated by revocation, role change, organization move,
|
|
205
216
|
subscription expiry, ownership change, and emergency access changes.
|
|
206
217
|
- Short TTL alone is not enough for decisions that should fail closed or revoke promptly.
|
|
207
|
-
|
|
218
|
+
18. Check cache warming and cold-start behavior.
|
|
208
219
|
- Deployment, autoscale, failover, and rollback can create synchronized cold caches that push
|
|
209
220
|
traffic to the source.
|
|
210
221
|
- Prewarm only keys with clear ownership and backpressure. Do not build an unbounded warming job
|
|
211
222
|
that becomes the outage.
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
223
|
+
- Load-test or smoke the cold, warm, failover, replica-lag, source-slow, and cache-down scenarios
|
|
224
|
+
when the repository has configured evidence. Otherwise report those as manual operational gaps.
|
|
225
|
+
19. Check observability.
|
|
226
|
+
- Hit rate alone lies. Break down hits, misses, bypasses, stale serves, refreshes, negative hits,
|
|
227
|
+
refresh failures, evictions, expirations, fallback serves, Redis errors, and set failures by
|
|
228
|
+
endpoint, key-pattern, tenant, status-code, and cache layer where useful.
|
|
216
229
|
- Log or measure miss cost: source query time, source call count, value size, generation time,
|
|
217
230
|
and set success.
|
|
231
|
+
- Track hit-rate cost: origin load avoided, origin load caused by misses, miss amplification,
|
|
232
|
+
cache write failures, and whether a high hit rate hides a small set of expensive miss paths.
|
|
218
233
|
- Keep cache metrics labels bounded; put high-cardinality keys in logs or traces only when the
|
|
219
234
|
repository privacy rules allow it.
|
|
220
|
-
|
|
235
|
+
20. Check tests beyond the happy path.
|
|
221
236
|
- "Second call is faster" is not enough.
|
|
222
237
|
- Cover concurrent misses, update during read, delete then recreate, source failure, Redis
|
|
223
238
|
failure, synchronized TTL expiry, old-version cached value, permission change, tenant
|
|
224
239
|
separation, list invalidation, negative-cache classification, deploy rollback, and cache-layer
|
|
225
240
|
bypass when those risks exist.
|
|
226
|
-
|
|
241
|
+
21. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
|
|
227
242
|
or load tests, report the missing evidence instead of claiming the cache is safe.
|
|
228
243
|
|
|
229
244
|
<!-- mustflow-section: postconditions -->
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.change-blast-radius-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: change-blast-radius-review
|
|
9
|
-
description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, historical co-change spread, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -46,6 +46,8 @@ feature is removed, what can I delete?"
|
|
|
46
46
|
logging, tests, abstractions, helpers, or legacy compatibility.
|
|
47
47
|
- A single requirement would force edits across several files, layers, modules, frontend code, SQL,
|
|
48
48
|
jobs, events, cache keys, tests, or docs.
|
|
49
|
+
- Recent PRs, commits, work orders, or review history show that small requirements routinely
|
|
50
|
+
co-change many repositories, services, schemas, pipelines, teams, tests, or docs.
|
|
49
51
|
- A file or service has several unrelated reasons to change under one broad noun such as `Manager`,
|
|
50
52
|
`Helper`, `Processor`, `Handler`, or `Service`.
|
|
51
53
|
- A review needs to decide whether to use `module-boundary-review`, `structure-first-engineering`,
|
|
@@ -72,6 +74,10 @@ feature is removed, what can I delete?"
|
|
|
72
74
|
- User goal, current diff or target files, and the requirement or policy that caused the change.
|
|
73
75
|
- Change-reason ledger: which business rule, user flow, data shape, failure path, compatibility
|
|
74
76
|
rule, tenant exception, or operational behavior would make this code change next.
|
|
77
|
+
- Historical co-change ledger when available: recent PRs or commits touching the same requirement
|
|
78
|
+
family, repositories touched, services touched, DB schemas touched, deployment pipelines touched,
|
|
79
|
+
teams or reviewers involved, tests changed, docs changed, and whether the current design reduced
|
|
80
|
+
or repeated that spread.
|
|
75
81
|
- Blast-radius ledger: controllers, services, repositories, entities, DTOs, frontend conditions,
|
|
76
82
|
SQL, migrations, batches, events, caches, config, tests, docs, and templates touched by one reason.
|
|
77
83
|
- Ownership ledger: source of truth for domain rule, authorization rule, state transition, retry
|
|
@@ -115,123 +121,128 @@ feature is removed, what can I delete?"
|
|
|
115
121
|
- Ask: "If this requirement changes next month, which files move?"
|
|
116
122
|
- If one policy edit needs controller, service, repository, SQL, frontend, batch, cache, and test
|
|
117
123
|
edits, the code is a puzzle, not a boundary.
|
|
118
|
-
2.
|
|
124
|
+
2. Check historical co-change when evidence exists.
|
|
125
|
+
- Look for recent PRs, commits, or work items in the same feature or policy family.
|
|
126
|
+
- Count repositories, services, schemas, pipelines, test suites, docs, and teams touched by small changes.
|
|
127
|
+
- Treat repeated cross-boundary co-change as stronger evidence than a clean-looking folder tree.
|
|
128
|
+
- If history is unavailable or too expensive for the task, report the review as prediction-only instead of pretending the boundary was proven.
|
|
129
|
+
3. Count reasons to change, not lines.
|
|
119
130
|
- A short file can still hold signup, login, points, notification, referral, admin blocking, and
|
|
120
131
|
reporting rules.
|
|
121
132
|
- Split by different change reasons, not by noun labels.
|
|
122
|
-
|
|
133
|
+
4. Keep controllers as doors, not bosses.
|
|
123
134
|
- Controllers should parse requests, call an application boundary, and map the result.
|
|
124
135
|
- Treat controller `if`, `for`, state mutation, external API calls, discount logic, inventory
|
|
125
136
|
checks, or notification orchestration as workflow leakage.
|
|
126
|
-
|
|
137
|
+
5. Reject junk-drawer services.
|
|
127
138
|
- Broad names such as `OrderService`, `UserService`, `Manager`, `Helper`, `Processor`, and
|
|
128
139
|
`Handler` often hide unrelated workflows.
|
|
129
140
|
- Name the actual responsibility or split by workflow owner when changes would not arrive
|
|
130
141
|
together.
|
|
131
|
-
|
|
142
|
+
6. Decode boolean mode flags.
|
|
132
143
|
- `createUser(user, true)` and `sendNotification(user, true, false)` mean one function already
|
|
133
144
|
has hidden modes.
|
|
134
145
|
- Replace modes with named variants, policy objects, strategy objects, or separate functions when
|
|
135
146
|
behavior contracts differ.
|
|
136
|
-
|
|
147
|
+
7. Inspect option objects for combinatorial behavior.
|
|
137
148
|
- Fields such as `skipValidation`, `dryRun`, `force`, `source`, `mode`, `type`, `retry`,
|
|
138
149
|
`legacy`, and `includeInactive` can turn one call into many products.
|
|
139
150
|
- If field combinations change behavior, use explicit mode types or separate boundaries.
|
|
140
|
-
|
|
151
|
+
8. Find the policy source of truth.
|
|
141
152
|
- Repeated rules such as "VIP gets free shipping" across backend, frontend, SQL, batch, and
|
|
142
153
|
cache code are not harmless duplication.
|
|
143
154
|
- Name one owner and make other layers consume facts or capabilities from that owner.
|
|
144
|
-
|
|
155
|
+
9. Centralize authorization policy.
|
|
145
156
|
- Scattered checks such as `role == admin`, `ownerId == user.id`, or membership scans make policy
|
|
146
157
|
changes scary.
|
|
147
158
|
- Use `auth-permission-change` when action permission needs one policy source and denial tests.
|
|
148
|
-
|
|
159
|
+
10. Make state transitions visible.
|
|
149
160
|
- Status values are not enough. Review where `status = ...` happens and which transitions are
|
|
150
161
|
legal.
|
|
151
162
|
- Use `state-machine-pattern` when allowed transitions need to be represented explicitly.
|
|
152
|
-
|
|
163
|
+
11. Pull time, randomness, and generated IDs to a boundary.
|
|
153
164
|
- Direct `new Date()`, `Date.now()`, `LocalDateTime.now()`, UUIDs, random order numbers, random
|
|
154
165
|
filenames, and generated referral codes hide reproducibility and future policy changes.
|
|
155
166
|
- Use explicit time, generator, or identifier inputs from the shell.
|
|
156
|
-
|
|
167
|
+
12. Draw the transaction boundary.
|
|
157
168
|
- When several saves happen, ask what remains if the middle save fails.
|
|
158
169
|
- If the answer is unclear, use `failure-integrity-review` or the relevant database skill before
|
|
159
170
|
changing behavior.
|
|
160
|
-
|
|
171
|
+
13. Separate external calls from committed state.
|
|
161
172
|
- DB save, payment API, DB save, notification API in one flow creates timeout, retry, and
|
|
162
173
|
duplicate-effect traps.
|
|
163
174
|
- Prefer local state plus outbox, idempotency keys, or effect descriptions when the operation
|
|
164
175
|
must survive partial failure.
|
|
165
|
-
|
|
176
|
+
14. Check retry idempotency.
|
|
166
177
|
- `retry(3)`, queues, webhooks, schedulers, and manual replays are dangerous without a duplicate
|
|
167
178
|
rule.
|
|
168
179
|
- Ask what happens when the same event arrives twice.
|
|
169
|
-
|
|
180
|
+
15. Reject cache-as-truth for important decisions.
|
|
170
181
|
- Cache can speed reads, but it should not become the source of truth for authorization, payment
|
|
171
182
|
eligibility, inventory, or other critical decisions.
|
|
172
183
|
- Use `cache-integrity-review` when cache freshness or fallback can mislead the decision.
|
|
173
|
-
|
|
184
|
+
16. Count config flag combinations.
|
|
174
185
|
- Flags such as `enableNewPolicy`, `useLegacyFlow`, `skipValidationForPartner`, and
|
|
175
186
|
`specialCaseTenantIds` can create untested products inside one code path.
|
|
176
187
|
- Name the supported combinations or isolate the variation behind a policy boundary.
|
|
177
|
-
|
|
188
|
+
17. Isolate tenant, partner, country, product, and app-version exceptions.
|
|
178
189
|
- Hardcoded `tenantId`, `partnerCode`, country code, app version, or product ID branches are
|
|
179
190
|
product debt, not just conditionals.
|
|
180
191
|
- Prefer configured capabilities, adapters, policy tables, or explicit exceptions with removal
|
|
181
192
|
owners.
|
|
182
|
-
|
|
193
|
+
18. Keep legacy compatibility out of the new core.
|
|
183
194
|
- `legacy`, `old`, `v1`, `deprecated`, and `temp` branches inside the main path pull old rules
|
|
184
195
|
into new code.
|
|
185
196
|
- Put compatibility in adapters, translators, migration paths, or isolated old-entry boundaries.
|
|
186
|
-
|
|
197
|
+
19. Separate data-object languages.
|
|
187
198
|
- DB entities, API DTOs, view models, external provider payloads, and domain objects should not
|
|
188
199
|
quietly become the same object.
|
|
189
200
|
- If one side changes and another side must follow, name the mapping owner.
|
|
190
|
-
|
|
201
|
+
20. Give nullable values a reason.
|
|
191
202
|
- `null` must not mean absence, unknown, failed calculation, forbidden access, and provider
|
|
192
203
|
timeout at the same time.
|
|
193
204
|
- Use variants, result types, or explicit fields that tell callers why a value is missing.
|
|
194
|
-
|
|
205
|
+
21. Do not hide exceptions as normal data.
|
|
195
206
|
- `catch (e) { return null }`, `catch (e) { log.warn(...) }`, and empty catches make the system
|
|
196
207
|
lie far from the failure.
|
|
197
208
|
- Use visible failure values, typed errors, or explicit degraded modes.
|
|
198
|
-
|
|
209
|
+
22. Make logs traceable, not decorative.
|
|
199
210
|
- Logs like `start` and `failed` without order ID, user ID, request ID, external call ID, tenant,
|
|
200
211
|
or operation name do not help future maintainers.
|
|
201
212
|
- Add safe correlation context when it is the only way to connect the failure path.
|
|
202
|
-
|
|
213
|
+
23. Keep tests attached to behavior.
|
|
203
214
|
- Tests that assert private methods, mock call order, or internal collaborator choreography make
|
|
204
215
|
refactors expensive.
|
|
205
216
|
- Prefer outcomes, state transitions, persisted commands, emitted events, or public results.
|
|
206
|
-
|
|
217
|
+
24. Treat mock count as a change-impact sensor.
|
|
207
218
|
- More than three mocks deserves a responsibility review.
|
|
208
219
|
- Five or more mocks usually means the class absorbs too many change directions.
|
|
209
|
-
|
|
220
|
+
25. Validate abstraction against real volatility.
|
|
210
221
|
- Interfaces, factories, strategies, and abstract classes help only when the variation axis is
|
|
211
222
|
real.
|
|
212
223
|
- Ask whether there are two real implementations now or a known future swap along this exact
|
|
213
224
|
axis.
|
|
214
|
-
|
|
225
|
+
26. Do not DRY together different futures.
|
|
215
226
|
- Removing duplication is harmful when two similar blocks change for different reasons.
|
|
216
227
|
- Keep duplication when it preserves independent policy evolution.
|
|
217
|
-
|
|
228
|
+
27. Make required ordering explicit.
|
|
218
229
|
- Initialization, validation, save, event publication, cache invalidation, notification, and
|
|
219
230
|
cleanup steps can be order-sensitive.
|
|
220
231
|
- If swapping two lines would break correctness, encode the sequence in a named workflow,
|
|
221
232
|
transaction, state transition, or command object.
|
|
222
|
-
|
|
233
|
+
28. Treat events as invisible function calls until proven otherwise.
|
|
223
234
|
- `publish(Event)` hides subscribers, failure behavior, ordering, duplicate delivery, and
|
|
224
235
|
compatibility.
|
|
225
236
|
- Name the event contract, listener expectations, idempotency, and failure handling.
|
|
226
|
-
|
|
237
|
+
29. Pair migrations with runtime compatibility.
|
|
227
238
|
- Schema changes, enum additions, defaults, indexes, and backfills must be checked against old
|
|
228
239
|
code on new schema and new code on old data.
|
|
229
240
|
- Use `database-migration-change` when deploy order or data backfill matters.
|
|
230
|
-
|
|
241
|
+
30. Run the deletion test.
|
|
231
242
|
- Ask: "If this feature disappears, what do I delete?"
|
|
232
243
|
- If flags, columns, conditions, events, caches, batch jobs, UI checks, and tests are scattered,
|
|
233
244
|
the feature is already rooted too deeply.
|
|
234
|
-
|
|
245
|
+
31. Pick the smallest boundary repair.
|
|
235
246
|
- If one owner is missing, introduce that owner.
|
|
236
247
|
- If one mode is hidden, name that mode.
|
|
237
248
|
- If the risk is too broad for the current task, report the exact next-change or deletion path
|
|
@@ -240,7 +251,8 @@ feature is removed, what can I delete?"
|
|
|
240
251
|
<!-- mustflow-section: postconditions -->
|
|
241
252
|
## Postconditions
|
|
242
253
|
|
|
243
|
-
- The next likely policy or workflow change has a named owner
|
|
254
|
+
- The next likely policy or workflow change has a named owner, historical co-change evidence when
|
|
255
|
+
available, and a predictable edit path, or the
|
|
244
256
|
unpredictable spread is explicitly reported.
|
|
245
257
|
- Important side effects, transactions, retries, events, caches, config flags, migrations, and logs
|
|
246
258
|
have clear owners or remaining risks.
|
|
@@ -287,6 +299,7 @@ public contract.
|
|
|
287
299
|
|
|
288
300
|
- Change blast radius reviewed
|
|
289
301
|
- Next likely change and owner
|
|
302
|
+
- Historical co-change evidence, or prediction-only note when unavailable
|
|
290
303
|
- Files, layers, jobs, caches, events, tests, docs, or migrations in the blast radius
|
|
291
304
|
- Policy, authorization, state, transaction, retry, cache, config, tenant, legacy, DTO, nullable,
|
|
292
305
|
log, test, abstraction, ordering, event, migration, or deletion findings
|
|
@@ -0,0 +1,200 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.ci-pipeline-triage
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: ci-pipeline-triage
|
|
9
|
+
description: Apply this skill when a CI/CD workflow, pipeline, job, runner, matrix, trigger, cache, artifact, deployment job, required check, or post-deploy verification is failing, skipped, queued, flaky, slow, green despite broken output, or not yet localized to trigger, runner, environment, build, test, artifact, deploy, or verification boundaries.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.ci-pipeline-triage
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# CI Pipeline Triage
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Localize CI/CD failures by splitting trigger, runner, environment, build, test, artifact, deploy,
|
|
33
|
+
and verification boundaries before editing code or workflow files.
|
|
34
|
+
|
|
35
|
+
The first question is not "what is the last red log line?" It is "which pipeline boundary first
|
|
36
|
+
changed from the last known-good run, and what evidence would disprove each boundary hypothesis?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- A CI workflow, pipeline, job, matrix, required check, runner, cache, artifact, deployment step, or
|
|
42
|
+
smoke check fails, hangs, is skipped, is queued too long, passes while output is broken, or becomes
|
|
43
|
+
flaky.
|
|
44
|
+
- A failure is not yet localized to trigger filters, workflow parsing, runner selection, environment
|
|
45
|
+
setup, tool versions, dependency cache, build output, test isolation, artifact transfer,
|
|
46
|
+
deployment permissions, rollout completion, or post-deploy verification.
|
|
47
|
+
- A pipeline suddenly breaks without application-code changes, or only fails on forks, protected
|
|
48
|
+
branches, specific runners, specific regions, specific matrix entries, or reruns.
|
|
49
|
+
|
|
50
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
51
|
+
## Do Not Use When
|
|
52
|
+
|
|
53
|
+
- The failing command is a local configured intent and CI is not involved; use `failure-triage`.
|
|
54
|
+
- The deployment is already localized and the risk is rollout, rollback, probes, migrations, or
|
|
55
|
+
runtime safety; use `deployment-rollout-safety-review`.
|
|
56
|
+
- The task is only test-suite speed after the CI boundary is known; use
|
|
57
|
+
`test-suite-performance-review`.
|
|
58
|
+
- The task requires live production secrets, destructive deploys, cloud-console writes, or
|
|
59
|
+
unconfigured remote commands. Preserve static evidence and report the manual boundary.
|
|
60
|
+
|
|
61
|
+
<!-- mustflow-section: required-inputs -->
|
|
62
|
+
## Required Inputs
|
|
63
|
+
|
|
64
|
+
- Failure classification: pipeline not created, queued, job failed, flaky rerun, succeeded with bad
|
|
65
|
+
service output, deployment failed, or post-deploy verification failed.
|
|
66
|
+
- Run identity ledger: commit SHA, branch or tag, trigger event, workflow file revision, matrix
|
|
67
|
+
entry, runner label and image, architecture, region, toolchain versions, package-manager version,
|
|
68
|
+
execution time, and run or job id.
|
|
69
|
+
- Last-good comparison: last successful commit and first failing commit, including workflow files,
|
|
70
|
+
lockfiles, base images, shared scripts, secrets or permission scopes, runner labels, cache keys,
|
|
71
|
+
feature flags, deployment config, and required-check settings.
|
|
72
|
+
- Boundary ledger: trigger, parsed job graph, matrix expansion, queue time, runner assignment,
|
|
73
|
+
checkout, environment variables, tool setup, dependency restore, build, tests, cache, artifacts,
|
|
74
|
+
deploy, smoke, and final status aggregation.
|
|
75
|
+
- Evidence constraints: redaction needs for secrets, tokens, private URLs, environment values,
|
|
76
|
+
debug logs, artifacts, and diagnostic files.
|
|
77
|
+
|
|
78
|
+
<!-- mustflow-section: preconditions -->
|
|
79
|
+
## Preconditions
|
|
80
|
+
|
|
81
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
82
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
|
|
83
|
+
- Required CI evidence is available, or missing evidence can be reported without guessing.
|
|
84
|
+
- Secrets and private data are summarized as presence, length, hash, key name, or permission scope;
|
|
85
|
+
never copy raw secret values into logs, fixtures, docs, commits, or final reports.
|
|
86
|
+
|
|
87
|
+
<!-- mustflow-section: allowed-edits -->
|
|
88
|
+
## Allowed Edits
|
|
89
|
+
|
|
90
|
+
- Add or tighten workflow triggers, path filters, matrix guards, version pinning, cache keys,
|
|
91
|
+
artifact manifests, status aggregation, debug evidence collection, secret-safe diagnostics,
|
|
92
|
+
timeout classification, runner labels, concurrency locks, environment validation, smoke checks,
|
|
93
|
+
test isolation, docs, and focused fixtures.
|
|
94
|
+
- Add tests or docs that prove workflow contract behavior, package metadata, template output,
|
|
95
|
+
release checks, artifact identity, or command-contract mapping when the repository owns those
|
|
96
|
+
surfaces.
|
|
97
|
+
- Do not add broad reruns, `continue-on-error`, `allow_failure`, `|| true`, blanket cache wipes,
|
|
98
|
+
floating `latest` references, unbounded debug logging, live deploy commands, or workflow rewrites
|
|
99
|
+
before the failing boundary is localized.
|
|
100
|
+
|
|
101
|
+
<!-- mustflow-section: procedure -->
|
|
102
|
+
## Procedure
|
|
103
|
+
|
|
104
|
+
1. Classify the failure shape: not created, queued, job failed, flaky, green-but-bad-output,
|
|
105
|
+
deployment failed, or verification failed.
|
|
106
|
+
2. Compare the last success with the first failure. Include workflow, lockfile, base image, shared
|
|
107
|
+
script, secret scope, runner, matrix, cache, environment, feature flag, and deployment changes.
|
|
108
|
+
3. Preserve run identity before reruns overwrite the evidence. Record safe run id, commit, trigger,
|
|
109
|
+
runner, matrix, tool versions, queue time, start time, and artifact identity.
|
|
110
|
+
4. Rerun only to test determinism. If the same commit and inputs produce different outcomes, treat
|
|
111
|
+
cache, time, order, network, shared resources, or runner state as first-class suspects.
|
|
112
|
+
5. Check trigger and graph before job logs. Path filters, branch or tag filters, skipped required
|
|
113
|
+
checks, inherited workflows, matrix expansion, `needs`, and conditional steps can prevent the
|
|
114
|
+
intended job from existing.
|
|
115
|
+
6. Check false green paths. Look for `continue-on-error`, allowed failures, shell pipelines that
|
|
116
|
+
ignore non-zero exits, status aggregation that only reads the final notification step, and tests
|
|
117
|
+
that upload failures as artifacts but return success.
|
|
118
|
+
7. Split queue wait from execution time. Long queue time points to runner labels, concurrency
|
|
119
|
+
limits, unavailable images, resource quotas, or protected environment approvals, not build code.
|
|
120
|
+
8. Reproduce in a clean environment only after the boundary is known. Prefer the same image,
|
|
121
|
+
architecture, tool versions, env shape, and lockfile over a developer machine with hidden global
|
|
122
|
+
state.
|
|
123
|
+
9. Pin floating execution inputs. Base images, actions, plugins, package managers, runtime versions,
|
|
124
|
+
and shared script refs need stable identities or an explicit freshness policy.
|
|
125
|
+
10. Inspect environment without leaking values. Compare variable presence, safe hashes, lengths,
|
|
126
|
+
names, permission scopes, timezone, locale, charset, clock, disk, inode, file descriptor,
|
|
127
|
+
process, and memory limits.
|
|
128
|
+
11. Treat external calls as boundary evidence. Separate DNS, proxy, certificate, HTTP status,
|
|
129
|
+
retry count, response time, and credential scope, with secrets redacted.
|
|
130
|
+
12. Replace sleeps with readiness evidence. Service containers, databases, queues, and app servers
|
|
131
|
+
should prove readiness through real health, query, or protocol checks.
|
|
132
|
+
13. Classify cache and artifact separately. Cache is disposable acceleration; artifact is the built
|
|
133
|
+
output passed forward. Cache keys need lockfile, OS, architecture, runtime, and package-manager
|
|
134
|
+
dimensions. Artifacts need file list, size, hash, build SHA, and download verification.
|
|
135
|
+
14. Verify that the tested artifact is the deployed artifact. Rebuilding during deploy can make CI
|
|
136
|
+
test one thing and production receive another.
|
|
137
|
+
15. Check auth and permissions by execution context. Fork PRs, protected branches, environments,
|
|
138
|
+
OIDC identity, package publishing identity, cloud role, and repository token scopes can differ
|
|
139
|
+
across otherwise similar runs.
|
|
140
|
+
16. For deployment jobs, require rollout evidence, readiness, smoke checks, error and latency
|
|
141
|
+
thresholds, and environment concurrency locks instead of treating a zero exit code as success.
|
|
142
|
+
17. Preserve evidence before cleanup. Do not delete runners, caches, artifacts, temporary dirs, or
|
|
143
|
+
diagnostic logs until the boundary and redaction plan are clear.
|
|
144
|
+
18. Apply the smallest localized fix and verify with the narrowest configured intent that covers the
|
|
145
|
+
changed workflow, package, docs, template, or test surface.
|
|
146
|
+
|
|
147
|
+
<!-- mustflow-section: postconditions -->
|
|
148
|
+
## Postconditions
|
|
149
|
+
|
|
150
|
+
- The pipeline failure is localized to trigger, runner, environment, build, test, artifact, deploy,
|
|
151
|
+
verification, or a named evidence gap.
|
|
152
|
+
- Last-good versus first-failure comparison, run identity, false-green risk, cache and artifact
|
|
153
|
+
behavior, permission scope, and rerun determinism are explicit where relevant.
|
|
154
|
+
- Follow-up deployment, test performance, security, command-contract, or package-release work is
|
|
155
|
+
selected only after the CI boundary is localized.
|
|
156
|
+
|
|
157
|
+
<!-- mustflow-section: verification -->
|
|
158
|
+
## Verification
|
|
159
|
+
|
|
160
|
+
Use configured oneshot command intents when available:
|
|
161
|
+
|
|
162
|
+
- `changes_status`
|
|
163
|
+
- `changes_diff_summary`
|
|
164
|
+
- `lint`
|
|
165
|
+
- `build`
|
|
166
|
+
- `test_related`
|
|
167
|
+
- `test`
|
|
168
|
+
- `docs_validate_fast`
|
|
169
|
+
- `test_release`
|
|
170
|
+
- `mustflow_check`
|
|
171
|
+
|
|
172
|
+
Prefer the narrowest configured intent that covers workflow docs, package metadata, template output,
|
|
173
|
+
test fixtures, local reproduced behavior, or release-sensitive pipeline surfaces. Do not infer raw
|
|
174
|
+
CI reruns, deploys, cloud shell commands, or provider dashboard writes outside the command contract.
|
|
175
|
+
|
|
176
|
+
<!-- mustflow-section: failure-handling -->
|
|
177
|
+
## Failure Handling
|
|
178
|
+
|
|
179
|
+
- If run identity, last-good comparison, trigger graph, runner, cache, artifact, or permission
|
|
180
|
+
evidence is missing, report the missing field instead of guessing.
|
|
181
|
+
- If debug logs contain secrets or private data, stop copying raw output and summarize safely.
|
|
182
|
+
- If CI evidence requires remote provider access that is unavailable or unconfigured, report the
|
|
183
|
+
manual evidence boundary and continue with local workflow or static evidence.
|
|
184
|
+
- If the boundary points to tests, deployment, secrets, permissions, artifacts, or command contracts,
|
|
185
|
+
switch to the narrower matching skill before editing that part.
|
|
186
|
+
|
|
187
|
+
<!-- mustflow-section: output-format -->
|
|
188
|
+
## Output Format
|
|
189
|
+
|
|
190
|
+
- CI pipeline triaged
|
|
191
|
+
- Failure shape and localized boundary
|
|
192
|
+
- Run identity and last-good comparison
|
|
193
|
+
- Trigger, runner, environment, build, test, cache, artifact, deploy, and verification findings
|
|
194
|
+
- Hypotheses killed, still open, and selected follow-up boundary
|
|
195
|
+
- Fix applied or recommended
|
|
196
|
+
- Evidence level: provider run evidence, configured-test evidence, static review risk, manual-only,
|
|
197
|
+
missing, or not applicable
|
|
198
|
+
- Command intents run
|
|
199
|
+
- Skipped diagnostics and reasons
|
|
200
|
+
- Remaining CI pipeline risk
|