mustflow 2.84.0 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (105) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +14 -0
  3. package/dist/cli/i18n/en.js +262 -0
  4. package/dist/cli/i18n/es.js +262 -0
  5. package/dist/cli/i18n/fr.js +262 -0
  6. package/dist/cli/i18n/hi.js +262 -0
  7. package/dist/cli/i18n/ko.js +262 -0
  8. package/dist/cli/i18n/zh.js +262 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +397 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +178 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  17. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  18. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  19. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  20. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  21. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  22. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  23. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  24. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  25. package/dist/cli/script-packs/repo-version-source.js +92 -0
  26. package/dist/cli/script-packs/test-performance-report.js +247 -0
  27. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  28. package/dist/core/change-impact.js +355 -0
  29. package/dist/core/change-surface-classification.js +198 -0
  30. package/dist/core/change-verification.js +32 -5
  31. package/dist/core/config-loading.js +121 -4
  32. package/dist/core/dependency-graph.js +490 -0
  33. package/dist/core/docs-link-integrity.js +443 -0
  34. package/dist/core/env-contract.js +450 -0
  35. package/dist/core/import-cycle.js +152 -0
  36. package/dist/core/line-endings.js +26 -13
  37. package/dist/core/public-json-contracts.js +167 -0
  38. package/dist/core/repo-approval-gate.js +116 -0
  39. package/dist/core/repo-git-ignore-audit.js +302 -0
  40. package/dist/core/repo-manifest-lock-drift.js +321 -0
  41. package/dist/core/repo-merge-conflict-scan.js +335 -0
  42. package/dist/core/repo-version-source.js +82 -0
  43. package/dist/core/route-outline.js +57 -5
  44. package/dist/core/script-pack-suggestions.js +97 -1
  45. package/dist/core/secret-risk-scan.js +440 -0
  46. package/dist/core/skill-route-audit.js +354 -0
  47. package/dist/core/test-performance-report.js +697 -0
  48. package/dist/core/test-regression-selector.js +335 -0
  49. package/package.json +1 -1
  50. package/schemas/README.md +54 -0
  51. package/schemas/change-impact-report.schema.json +184 -0
  52. package/schemas/commands.schema.json +12 -0
  53. package/schemas/dependency-graph-report.schema.json +149 -0
  54. package/schemas/env-contract-report.schema.json +203 -0
  55. package/schemas/import-cycle-report.schema.json +157 -0
  56. package/schemas/link-integrity-report.schema.json +176 -0
  57. package/schemas/repo-approval-gate-report.schema.json +115 -0
  58. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  59. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  60. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  61. package/schemas/repo-version-source-report.schema.json +127 -0
  62. package/schemas/secret-risk-scan-report.schema.json +152 -0
  63. package/schemas/skill-route-audit-report.schema.json +144 -0
  64. package/schemas/test-performance-report.schema.json +319 -0
  65. package/schemas/test-regression-selector-report.schema.json +187 -0
  66. package/templates/default/i18n.toml +80 -26
  67. package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
  68. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  69. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  70. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  71. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  72. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  73. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  74. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  75. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  76. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  77. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  78. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  79. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  80. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  81. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  82. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  83. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  84. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  85. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  86. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  87. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  88. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  89. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  90. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  91. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  92. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  93. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  94. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  95. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  96. package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
  97. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  98. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  99. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  100. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  101. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
  102. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
  103. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  104. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  105. package/templates/default/manifest.toml +71 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.cache-integrity-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: cache-integrity-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, hit/miss observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, cache-status ledgers such as hit, miss, bypass, stale, refresh, error, set-failed, evicted, or expired, origin-cost observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, replica lag, Redis latency, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -81,9 +81,11 @@ and what happens to the source system when the cache misses or fails?"
81
81
  - Failure and concurrency contract: miss behavior, concurrent miss behavior, source timeout, Redis
82
82
  failure, source failure, negative cache policy, update race behavior, invalidation ordering, and
83
83
  stale serve policy.
84
- - Observability evidence: hit and miss metrics, miss cost, value size, key count, eviction, expiry,
85
- tenant or endpoint breakdown, status-code breakdown, source query time, source call count, and set
86
- success.
84
+ - Observability evidence: hit, miss, bypass, stale, refresh, negative-hit, set-failed, error,
85
+ eviction, expiry, and fallback metrics; miss cost; hit-rate cost by endpoint or tenant; value
86
+ size; key count; source query time; source call count; origin saturation; Redis client wait,
87
+ round-trip latency, command latency, serialization cost, Slow Log limits, replica lag, shard
88
+ imbalance, and set success.
87
89
  - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
88
90
  validation.
89
91
 
@@ -180,6 +182,8 @@ and what happens to the source system when the cache misses or fails?"
180
182
  shedding, stale serve, circuit breaker, bulkhead, or another source-protection mechanism.
181
183
  - Decide whether cache failure is disposable or correctness-sensitive. Sessions, permissions,
182
184
  rate limits, inventory, idempotency, and dedupe caches are not ordinary performance caches.
185
+ - Compare normal cached traffic with an allowed bypass path or known miss path when evidence is
186
+ available. If bypass is faster, fresher, or more correct, the cache policy itself is suspect.
183
187
  13. Check Redis keyspace and memory behavior.
184
188
  - Review value size, key size, key schema, bounded key cardinality, max memory, eviction policy,
185
189
  expired keys, evicted keys, and whether TTL-less keys are turning cache into state storage.
@@ -187,43 +191,54 @@ and what happens to the source system when the cache misses or fails?"
187
191
  so TTL-less keys can crowd out real cache behavior.
188
192
  - `KEYS *` in application code is a production bomb. Use `SCAN` only from bounded admin or
189
193
  maintenance paths with explicit limits.
190
- 14. Check hot keys and Redis Cluster distribution.
194
+ 14. Check Redis latency, replication, and distribution.
195
+ - Redis Slow Log does not include client round-trip time, connection wait, serialization,
196
+ application loop overhead, DNS, TLS, or network path time. Do not use it as the only latency
197
+ proof.
198
+ - Review replica lag, failover behavior, cold replica warmup, persistence spikes, memory
199
+ fragmentation, client connection pools, shard imbalance, and command mix when a cache incident
200
+ is operational rather than semantic.
201
+ 15. Check hot keys and Redis Cluster distribution.
191
202
  - Sharding does not save one hot key. Use replicas, local L1, request coalescing, prewarm,
192
203
  chunking, or workload-specific splitting where semantics allow it.
193
204
  - Redis Cluster hash tags are useful for intentional multi-key locality, but overusing the same
194
205
  tag can force too many keys into one slot.
195
- 15. Check HTTP cache semantics.
206
+ 16. Check HTTP cache semantics.
196
207
  - If responses vary by `Authorization`, `Cookie`, `Accept-Language`, `Accept-Encoding`, content
197
208
  negotiation, or user context, verify `Vary` and cache-control behavior.
198
209
  - `no-cache` means revalidate before reuse. `no-store` means do not store. Do not use one when
199
210
  the other is required.
200
211
  - Check freshness, validation, private versus public cacheability, CDN behavior, browser behavior,
201
212
  and generated-client or proxy expectations.
202
- 16. Check permission and entitlement caches as security boundaries.
213
+ 17. Check permission and entitlement caches as security boundaries.
203
214
  - A permission cache, role cache, organization-membership cache, subscription cache, admin cache,
204
215
  or entitlement cache must be invalidated by revocation, role change, organization move,
205
216
  subscription expiry, ownership change, and emergency access changes.
206
217
  - Short TTL alone is not enough for decisions that should fail closed or revoke promptly.
207
- 17. Check cache warming and cold-start behavior.
218
+ 18. Check cache warming and cold-start behavior.
208
219
  - Deployment, autoscale, failover, and rollback can create synchronized cold caches that push
209
220
  traffic to the source.
210
221
  - Prewarm only keys with clear ownership and backpressure. Do not build an unbounded warming job
211
222
  that becomes the outage.
212
- 18. Check observability.
213
- - Hit rate alone lies. Break down hits, misses, stale serves, negative hits, refresh failures,
214
- evictions, expirations, and set failures by endpoint, key-pattern, tenant, status-code, and
215
- cache layer where useful.
223
+ - Load-test or smoke the cold, warm, failover, replica-lag, source-slow, and cache-down scenarios
224
+ when the repository has configured evidence. Otherwise report those as manual operational gaps.
225
+ 19. Check observability.
226
+ - Hit rate alone lies. Break down hits, misses, bypasses, stale serves, refreshes, negative hits,
227
+ refresh failures, evictions, expirations, fallback serves, Redis errors, and set failures by
228
+ endpoint, key-pattern, tenant, status-code, and cache layer where useful.
216
229
  - Log or measure miss cost: source query time, source call count, value size, generation time,
217
230
  and set success.
231
+ - Track hit-rate cost: origin load avoided, origin load caused by misses, miss amplification,
232
+ cache write failures, and whether a high hit rate hides a small set of expensive miss paths.
218
233
  - Keep cache metrics labels bounded; put high-cardinality keys in logs or traces only when the
219
234
  repository privacy rules allow it.
220
- 19. Check tests beyond the happy path.
235
+ 20. Check tests beyond the happy path.
221
236
  - "Second call is faster" is not enough.
222
237
  - Cover concurrent misses, update during read, delete then recreate, source failure, Redis
223
238
  failure, synchronized TTL expiry, old-version cached value, permission change, tenant
224
239
  separation, list invalidation, negative-cache classification, deploy rollback, and cache-layer
225
240
  bypass when those risks exist.
226
- 20. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
241
+ 21. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
227
242
  or load tests, report the missing evidence instead of claiming the cache is safe.
228
243
 
229
244
  <!-- mustflow-section: postconditions -->
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.change-blast-radius-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: change-blast-radius-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, historical co-change spread, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -46,6 +46,8 @@ feature is removed, what can I delete?"
46
46
  logging, tests, abstractions, helpers, or legacy compatibility.
47
47
  - A single requirement would force edits across several files, layers, modules, frontend code, SQL,
48
48
  jobs, events, cache keys, tests, or docs.
49
+ - Recent PRs, commits, work orders, or review history show that small requirements routinely
50
+ co-change many repositories, services, schemas, pipelines, teams, tests, or docs.
49
51
  - A file or service has several unrelated reasons to change under one broad noun such as `Manager`,
50
52
  `Helper`, `Processor`, `Handler`, or `Service`.
51
53
  - A review needs to decide whether to use `module-boundary-review`, `structure-first-engineering`,
@@ -72,6 +74,10 @@ feature is removed, what can I delete?"
72
74
  - User goal, current diff or target files, and the requirement or policy that caused the change.
73
75
  - Change-reason ledger: which business rule, user flow, data shape, failure path, compatibility
74
76
  rule, tenant exception, or operational behavior would make this code change next.
77
+ - Historical co-change ledger when available: recent PRs or commits touching the same requirement
78
+ family, repositories touched, services touched, DB schemas touched, deployment pipelines touched,
79
+ teams or reviewers involved, tests changed, docs changed, and whether the current design reduced
80
+ or repeated that spread.
75
81
  - Blast-radius ledger: controllers, services, repositories, entities, DTOs, frontend conditions,
76
82
  SQL, migrations, batches, events, caches, config, tests, docs, and templates touched by one reason.
77
83
  - Ownership ledger: source of truth for domain rule, authorization rule, state transition, retry
@@ -115,123 +121,128 @@ feature is removed, what can I delete?"
115
121
  - Ask: "If this requirement changes next month, which files move?"
116
122
  - If one policy edit needs controller, service, repository, SQL, frontend, batch, cache, and test
117
123
  edits, the code is a puzzle, not a boundary.
118
- 2. Count reasons to change, not lines.
124
+ 2. Check historical co-change when evidence exists.
125
+ - Look for recent PRs, commits, or work items in the same feature or policy family.
126
+ - Count repositories, services, schemas, pipelines, test suites, docs, and teams touched by small changes.
127
+ - Treat repeated cross-boundary co-change as stronger evidence than a clean-looking folder tree.
128
+ - If history is unavailable or too expensive for the task, report the review as prediction-only instead of pretending the boundary was proven.
129
+ 3. Count reasons to change, not lines.
119
130
  - A short file can still hold signup, login, points, notification, referral, admin blocking, and
120
131
  reporting rules.
121
132
  - Split by different change reasons, not by noun labels.
122
- 3. Keep controllers as doors, not bosses.
133
+ 4. Keep controllers as doors, not bosses.
123
134
  - Controllers should parse requests, call an application boundary, and map the result.
124
135
  - Treat controller `if`, `for`, state mutation, external API calls, discount logic, inventory
125
136
  checks, or notification orchestration as workflow leakage.
126
- 4. Reject junk-drawer services.
137
+ 5. Reject junk-drawer services.
127
138
  - Broad names such as `OrderService`, `UserService`, `Manager`, `Helper`, `Processor`, and
128
139
  `Handler` often hide unrelated workflows.
129
140
  - Name the actual responsibility or split by workflow owner when changes would not arrive
130
141
  together.
131
- 5. Decode boolean mode flags.
142
+ 6. Decode boolean mode flags.
132
143
  - `createUser(user, true)` and `sendNotification(user, true, false)` mean one function already
133
144
  has hidden modes.
134
145
  - Replace modes with named variants, policy objects, strategy objects, or separate functions when
135
146
  behavior contracts differ.
136
- 6. Inspect option objects for combinatorial behavior.
147
+ 7. Inspect option objects for combinatorial behavior.
137
148
  - Fields such as `skipValidation`, `dryRun`, `force`, `source`, `mode`, `type`, `retry`,
138
149
  `legacy`, and `includeInactive` can turn one call into many products.
139
150
  - If field combinations change behavior, use explicit mode types or separate boundaries.
140
- 7. Find the policy source of truth.
151
+ 8. Find the policy source of truth.
141
152
  - Repeated rules such as "VIP gets free shipping" across backend, frontend, SQL, batch, and
142
153
  cache code are not harmless duplication.
143
154
  - Name one owner and make other layers consume facts or capabilities from that owner.
144
- 8. Centralize authorization policy.
155
+ 9. Centralize authorization policy.
145
156
  - Scattered checks such as `role == admin`, `ownerId == user.id`, or membership scans make policy
146
157
  changes scary.
147
158
  - Use `auth-permission-change` when action permission needs one policy source and denial tests.
148
- 9. Make state transitions visible.
159
+ 10. Make state transitions visible.
149
160
  - Status values are not enough. Review where `status = ...` happens and which transitions are
150
161
  legal.
151
162
  - Use `state-machine-pattern` when allowed transitions need to be represented explicitly.
152
- 10. Pull time, randomness, and generated IDs to a boundary.
163
+ 11. Pull time, randomness, and generated IDs to a boundary.
153
164
  - Direct `new Date()`, `Date.now()`, `LocalDateTime.now()`, UUIDs, random order numbers, random
154
165
  filenames, and generated referral codes hide reproducibility and future policy changes.
155
166
  - Use explicit time, generator, or identifier inputs from the shell.
156
- 11. Draw the transaction boundary.
167
+ 12. Draw the transaction boundary.
157
168
  - When several saves happen, ask what remains if the middle save fails.
158
169
  - If the answer is unclear, use `failure-integrity-review` or the relevant database skill before
159
170
  changing behavior.
160
- 12. Separate external calls from committed state.
171
+ 13. Separate external calls from committed state.
161
172
  - DB save, payment API, DB save, notification API in one flow creates timeout, retry, and
162
173
  duplicate-effect traps.
163
174
  - Prefer local state plus outbox, idempotency keys, or effect descriptions when the operation
164
175
  must survive partial failure.
165
- 13. Check retry idempotency.
176
+ 14. Check retry idempotency.
166
177
  - `retry(3)`, queues, webhooks, schedulers, and manual replays are dangerous without a duplicate
167
178
  rule.
168
179
  - Ask what happens when the same event arrives twice.
169
- 14. Reject cache-as-truth for important decisions.
180
+ 15. Reject cache-as-truth for important decisions.
170
181
  - Cache can speed reads, but it should not become the source of truth for authorization, payment
171
182
  eligibility, inventory, or other critical decisions.
172
183
  - Use `cache-integrity-review` when cache freshness or fallback can mislead the decision.
173
- 15. Count config flag combinations.
184
+ 16. Count config flag combinations.
174
185
  - Flags such as `enableNewPolicy`, `useLegacyFlow`, `skipValidationForPartner`, and
175
186
  `specialCaseTenantIds` can create untested products inside one code path.
176
187
  - Name the supported combinations or isolate the variation behind a policy boundary.
177
- 16. Isolate tenant, partner, country, product, and app-version exceptions.
188
+ 17. Isolate tenant, partner, country, product, and app-version exceptions.
178
189
  - Hardcoded `tenantId`, `partnerCode`, country code, app version, or product ID branches are
179
190
  product debt, not just conditionals.
180
191
  - Prefer configured capabilities, adapters, policy tables, or explicit exceptions with removal
181
192
  owners.
182
- 17. Keep legacy compatibility out of the new core.
193
+ 18. Keep legacy compatibility out of the new core.
183
194
  - `legacy`, `old`, `v1`, `deprecated`, and `temp` branches inside the main path pull old rules
184
195
  into new code.
185
196
  - Put compatibility in adapters, translators, migration paths, or isolated old-entry boundaries.
186
- 18. Separate data-object languages.
197
+ 19. Separate data-object languages.
187
198
  - DB entities, API DTOs, view models, external provider payloads, and domain objects should not
188
199
  quietly become the same object.
189
200
  - If one side changes and another side must follow, name the mapping owner.
190
- 19. Give nullable values a reason.
201
+ 20. Give nullable values a reason.
191
202
  - `null` must not mean absence, unknown, failed calculation, forbidden access, and provider
192
203
  timeout at the same time.
193
204
  - Use variants, result types, or explicit fields that tell callers why a value is missing.
194
- 20. Do not hide exceptions as normal data.
205
+ 21. Do not hide exceptions as normal data.
195
206
  - `catch (e) { return null }`, `catch (e) { log.warn(...) }`, and empty catches make the system
196
207
  lie far from the failure.
197
208
  - Use visible failure values, typed errors, or explicit degraded modes.
198
- 21. Make logs traceable, not decorative.
209
+ 22. Make logs traceable, not decorative.
199
210
  - Logs like `start` and `failed` without order ID, user ID, request ID, external call ID, tenant,
200
211
  or operation name do not help future maintainers.
201
212
  - Add safe correlation context when it is the only way to connect the failure path.
202
- 22. Keep tests attached to behavior.
213
+ 23. Keep tests attached to behavior.
203
214
  - Tests that assert private methods, mock call order, or internal collaborator choreography make
204
215
  refactors expensive.
205
216
  - Prefer outcomes, state transitions, persisted commands, emitted events, or public results.
206
- 23. Treat mock count as a change-impact sensor.
217
+ 24. Treat mock count as a change-impact sensor.
207
218
  - More than three mocks deserves a responsibility review.
208
219
  - Five or more mocks usually means the class absorbs too many change directions.
209
- 24. Validate abstraction against real volatility.
220
+ 25. Validate abstraction against real volatility.
210
221
  - Interfaces, factories, strategies, and abstract classes help only when the variation axis is
211
222
  real.
212
223
  - Ask whether there are two real implementations now or a known future swap along this exact
213
224
  axis.
214
- 25. Do not DRY together different futures.
225
+ 26. Do not DRY together different futures.
215
226
  - Removing duplication is harmful when two similar blocks change for different reasons.
216
227
  - Keep duplication when it preserves independent policy evolution.
217
- 26. Make required ordering explicit.
228
+ 27. Make required ordering explicit.
218
229
  - Initialization, validation, save, event publication, cache invalidation, notification, and
219
230
  cleanup steps can be order-sensitive.
220
231
  - If swapping two lines would break correctness, encode the sequence in a named workflow,
221
232
  transaction, state transition, or command object.
222
- 27. Treat events as invisible function calls until proven otherwise.
233
+ 28. Treat events as invisible function calls until proven otherwise.
223
234
  - `publish(Event)` hides subscribers, failure behavior, ordering, duplicate delivery, and
224
235
  compatibility.
225
236
  - Name the event contract, listener expectations, idempotency, and failure handling.
226
- 28. Pair migrations with runtime compatibility.
237
+ 29. Pair migrations with runtime compatibility.
227
238
  - Schema changes, enum additions, defaults, indexes, and backfills must be checked against old
228
239
  code on new schema and new code on old data.
229
240
  - Use `database-migration-change` when deploy order or data backfill matters.
230
- 29. Run the deletion test.
241
+ 30. Run the deletion test.
231
242
  - Ask: "If this feature disappears, what do I delete?"
232
243
  - If flags, columns, conditions, events, caches, batch jobs, UI checks, and tests are scattered,
233
244
  the feature is already rooted too deeply.
234
- 30. Pick the smallest boundary repair.
245
+ 31. Pick the smallest boundary repair.
235
246
  - If one owner is missing, introduce that owner.
236
247
  - If one mode is hidden, name that mode.
237
248
  - If the risk is too broad for the current task, report the exact next-change or deletion path
@@ -240,7 +251,8 @@ feature is removed, what can I delete?"
240
251
  <!-- mustflow-section: postconditions -->
241
252
  ## Postconditions
242
253
 
243
- - The next likely policy or workflow change has a named owner and a predictable edit path, or the
254
+ - The next likely policy or workflow change has a named owner, historical co-change evidence when
255
+ available, and a predictable edit path, or the
244
256
  unpredictable spread is explicitly reported.
245
257
  - Important side effects, transactions, retries, events, caches, config flags, migrations, and logs
246
258
  have clear owners or remaining risks.
@@ -287,6 +299,7 @@ public contract.
287
299
 
288
300
  - Change blast radius reviewed
289
301
  - Next likely change and owner
302
+ - Historical co-change evidence, or prediction-only note when unavailable
290
303
  - Files, layers, jobs, caches, events, tests, docs, or migrations in the blast radius
291
304
  - Policy, authorization, state, transaction, retry, cache, config, tenant, legacy, DTO, nullable,
292
305
  log, test, abstraction, ordering, event, migration, or deletion findings
@@ -0,0 +1,200 @@
1
+ ---
2
+ mustflow_doc: skill.ci-pipeline-triage
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: ci-pipeline-triage
9
+ description: Apply this skill when a CI/CD workflow, pipeline, job, runner, matrix, trigger, cache, artifact, deployment job, required check, or post-deploy verification is failing, skipped, queued, flaky, slow, green despite broken output, or not yet localized to trigger, runner, environment, build, test, artifact, deploy, or verification boundaries.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.ci-pipeline-triage
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # CI Pipeline Triage
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Localize CI/CD failures by splitting trigger, runner, environment, build, test, artifact, deploy,
33
+ and verification boundaries before editing code or workflow files.
34
+
35
+ The first question is not "what is the last red log line?" It is "which pipeline boundary first
36
+ changed from the last known-good run, and what evidence would disprove each boundary hypothesis?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - A CI workflow, pipeline, job, matrix, required check, runner, cache, artifact, deployment step, or
42
+ smoke check fails, hangs, is skipped, is queued too long, passes while output is broken, or becomes
43
+ flaky.
44
+ - A failure is not yet localized to trigger filters, workflow parsing, runner selection, environment
45
+ setup, tool versions, dependency cache, build output, test isolation, artifact transfer,
46
+ deployment permissions, rollout completion, or post-deploy verification.
47
+ - A pipeline suddenly breaks without application-code changes, or only fails on forks, protected
48
+ branches, specific runners, specific regions, specific matrix entries, or reruns.
49
+
50
+ <!-- mustflow-section: do-not-use-when -->
51
+ ## Do Not Use When
52
+
53
+ - The failing command is a local configured intent and CI is not involved; use `failure-triage`.
54
+ - The deployment is already localized and the risk is rollout, rollback, probes, migrations, or
55
+ runtime safety; use `deployment-rollout-safety-review`.
56
+ - The task is only test-suite speed after the CI boundary is known; use
57
+ `test-suite-performance-review`.
58
+ - The task requires live production secrets, destructive deploys, cloud-console writes, or
59
+ unconfigured remote commands. Preserve static evidence and report the manual boundary.
60
+
61
+ <!-- mustflow-section: required-inputs -->
62
+ ## Required Inputs
63
+
64
+ - Failure classification: pipeline not created, queued, job failed, flaky rerun, succeeded with bad
65
+ service output, deployment failed, or post-deploy verification failed.
66
+ - Run identity ledger: commit SHA, branch or tag, trigger event, workflow file revision, matrix
67
+ entry, runner label and image, architecture, region, toolchain versions, package-manager version,
68
+ execution time, and run or job id.
69
+ - Last-good comparison: last successful commit and first failing commit, including workflow files,
70
+ lockfiles, base images, shared scripts, secrets or permission scopes, runner labels, cache keys,
71
+ feature flags, deployment config, and required-check settings.
72
+ - Boundary ledger: trigger, parsed job graph, matrix expansion, queue time, runner assignment,
73
+ checkout, environment variables, tool setup, dependency restore, build, tests, cache, artifacts,
74
+ deploy, smoke, and final status aggregation.
75
+ - Evidence constraints: redaction needs for secrets, tokens, private URLs, environment values,
76
+ debug logs, artifacts, and diagnostic files.
77
+
78
+ <!-- mustflow-section: preconditions -->
79
+ ## Preconditions
80
+
81
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
82
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
83
+ - Required CI evidence is available, or missing evidence can be reported without guessing.
84
+ - Secrets and private data are summarized as presence, length, hash, key name, or permission scope;
85
+ never copy raw secret values into logs, fixtures, docs, commits, or final reports.
86
+
87
+ <!-- mustflow-section: allowed-edits -->
88
+ ## Allowed Edits
89
+
90
+ - Add or tighten workflow triggers, path filters, matrix guards, version pinning, cache keys,
91
+ artifact manifests, status aggregation, debug evidence collection, secret-safe diagnostics,
92
+ timeout classification, runner labels, concurrency locks, environment validation, smoke checks,
93
+ test isolation, docs, and focused fixtures.
94
+ - Add tests or docs that prove workflow contract behavior, package metadata, template output,
95
+ release checks, artifact identity, or command-contract mapping when the repository owns those
96
+ surfaces.
97
+ - Do not add broad reruns, `continue-on-error`, `allow_failure`, `|| true`, blanket cache wipes,
98
+ floating `latest` references, unbounded debug logging, live deploy commands, or workflow rewrites
99
+ before the failing boundary is localized.
100
+
101
+ <!-- mustflow-section: procedure -->
102
+ ## Procedure
103
+
104
+ 1. Classify the failure shape: not created, queued, job failed, flaky, green-but-bad-output,
105
+ deployment failed, or verification failed.
106
+ 2. Compare the last success with the first failure. Include workflow, lockfile, base image, shared
107
+ script, secret scope, runner, matrix, cache, environment, feature flag, and deployment changes.
108
+ 3. Preserve run identity before reruns overwrite the evidence. Record safe run id, commit, trigger,
109
+ runner, matrix, tool versions, queue time, start time, and artifact identity.
110
+ 4. Rerun only to test determinism. If the same commit and inputs produce different outcomes, treat
111
+ cache, time, order, network, shared resources, or runner state as first-class suspects.
112
+ 5. Check trigger and graph before job logs. Path filters, branch or tag filters, skipped required
113
+ checks, inherited workflows, matrix expansion, `needs`, and conditional steps can prevent the
114
+ intended job from existing.
115
+ 6. Check false green paths. Look for `continue-on-error`, allowed failures, shell pipelines that
116
+ ignore non-zero exits, status aggregation that only reads the final notification step, and tests
117
+ that upload failures as artifacts but return success.
118
+ 7. Split queue wait from execution time. Long queue time points to runner labels, concurrency
119
+ limits, unavailable images, resource quotas, or protected environment approvals, not build code.
120
+ 8. Reproduce in a clean environment only after the boundary is known. Prefer the same image,
121
+ architecture, tool versions, env shape, and lockfile over a developer machine with hidden global
122
+ state.
123
+ 9. Pin floating execution inputs. Base images, actions, plugins, package managers, runtime versions,
124
+ and shared script refs need stable identities or an explicit freshness policy.
125
+ 10. Inspect environment without leaking values. Compare variable presence, safe hashes, lengths,
126
+ names, permission scopes, timezone, locale, charset, clock, disk, inode, file descriptor,
127
+ process, and memory limits.
128
+ 11. Treat external calls as boundary evidence. Separate DNS, proxy, certificate, HTTP status,
129
+ retry count, response time, and credential scope, with secrets redacted.
130
+ 12. Replace sleeps with readiness evidence. Service containers, databases, queues, and app servers
131
+ should prove readiness through real health, query, or protocol checks.
132
+ 13. Classify cache and artifact separately. Cache is disposable acceleration; artifact is the built
133
+ output passed forward. Cache keys need lockfile, OS, architecture, runtime, and package-manager
134
+ dimensions. Artifacts need file list, size, hash, build SHA, and download verification.
135
+ 14. Verify that the tested artifact is the deployed artifact. Rebuilding during deploy can make CI
136
+ test one thing and production receive another.
137
+ 15. Check auth and permissions by execution context. Fork PRs, protected branches, environments,
138
+ OIDC identity, package publishing identity, cloud role, and repository token scopes can differ
139
+ across otherwise similar runs.
140
+ 16. For deployment jobs, require rollout evidence, readiness, smoke checks, error and latency
141
+ thresholds, and environment concurrency locks instead of treating a zero exit code as success.
142
+ 17. Preserve evidence before cleanup. Do not delete runners, caches, artifacts, temporary dirs, or
143
+ diagnostic logs until the boundary and redaction plan are clear.
144
+ 18. Apply the smallest localized fix and verify with the narrowest configured intent that covers the
145
+ changed workflow, package, docs, template, or test surface.
146
+
147
+ <!-- mustflow-section: postconditions -->
148
+ ## Postconditions
149
+
150
+ - The pipeline failure is localized to trigger, runner, environment, build, test, artifact, deploy,
151
+ verification, or a named evidence gap.
152
+ - Last-good versus first-failure comparison, run identity, false-green risk, cache and artifact
153
+ behavior, permission scope, and rerun determinism are explicit where relevant.
154
+ - Follow-up deployment, test performance, security, command-contract, or package-release work is
155
+ selected only after the CI boundary is localized.
156
+
157
+ <!-- mustflow-section: verification -->
158
+ ## Verification
159
+
160
+ Use configured oneshot command intents when available:
161
+
162
+ - `changes_status`
163
+ - `changes_diff_summary`
164
+ - `lint`
165
+ - `build`
166
+ - `test_related`
167
+ - `test`
168
+ - `docs_validate_fast`
169
+ - `test_release`
170
+ - `mustflow_check`
171
+
172
+ Prefer the narrowest configured intent that covers workflow docs, package metadata, template output,
173
+ test fixtures, local reproduced behavior, or release-sensitive pipeline surfaces. Do not infer raw
174
+ CI reruns, deploys, cloud shell commands, or provider dashboard writes outside the command contract.
175
+
176
+ <!-- mustflow-section: failure-handling -->
177
+ ## Failure Handling
178
+
179
+ - If run identity, last-good comparison, trigger graph, runner, cache, artifact, or permission
180
+ evidence is missing, report the missing field instead of guessing.
181
+ - If debug logs contain secrets or private data, stop copying raw output and summarize safely.
182
+ - If CI evidence requires remote provider access that is unavailable or unconfigured, report the
183
+ manual evidence boundary and continue with local workflow or static evidence.
184
+ - If the boundary points to tests, deployment, secrets, permissions, artifacts, or command contracts,
185
+ switch to the narrower matching skill before editing that part.
186
+
187
+ <!-- mustflow-section: output-format -->
188
+ ## Output Format
189
+
190
+ - CI pipeline triaged
191
+ - Failure shape and localized boundary
192
+ - Run identity and last-good comparison
193
+ - Trigger, runner, environment, build, test, cache, artifact, deploy, and verification findings
194
+ - Hypotheses killed, still open, and selected follow-up boundary
195
+ - Fix applied or recommended
196
+ - Evidence level: provider run evidence, configured-test evidence, static review risk, manual-only,
197
+ missing, or not applicable
198
+ - Command intents run
199
+ - Skipped diagnostics and reasons
200
+ - Remaining CI pipeline risk