mustflow 2.84.0 → 2.99.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/dist/cli/commands/script-pack.js +14 -0
- package/dist/cli/i18n/en.js +262 -0
- package/dist/cli/i18n/es.js +262 -0
- package/dist/cli/i18n/fr.js +262 -0
- package/dist/cli/i18n/hi.js +262 -0
- package/dist/cli/i18n/ko.js +262 -0
- package/dist/cli/i18n/zh.js +262 -0
- package/dist/cli/lib/repo-map.js +27 -6
- package/dist/cli/lib/run-root-trust.js +15 -1
- package/dist/cli/lib/script-pack-registry.js +397 -0
- package/dist/cli/lib/validation/index.js +2 -2
- package/dist/cli/lib/validation/primitives.js +4 -1
- package/dist/cli/script-packs/code-change-impact.js +178 -0
- package/dist/cli/script-packs/code-dependency-graph.js +181 -0
- package/dist/cli/script-packs/code-import-cycle.js +193 -0
- package/dist/cli/script-packs/docs-link-integrity.js +145 -0
- package/dist/cli/script-packs/repo-approval-gate.js +100 -0
- package/dist/cli/script-packs/repo-env-contract.js +156 -0
- package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
- package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
- package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
- package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
- package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
- package/dist/cli/script-packs/repo-version-source.js +92 -0
- package/dist/cli/script-packs/test-performance-report.js +247 -0
- package/dist/cli/script-packs/test-regression-selector.js +167 -0
- package/dist/core/change-impact.js +355 -0
- package/dist/core/change-surface-classification.js +198 -0
- package/dist/core/change-verification.js +32 -5
- package/dist/core/config-loading.js +121 -4
- package/dist/core/dependency-graph.js +490 -0
- package/dist/core/docs-link-integrity.js +443 -0
- package/dist/core/env-contract.js +450 -0
- package/dist/core/import-cycle.js +152 -0
- package/dist/core/line-endings.js +26 -13
- package/dist/core/public-json-contracts.js +167 -0
- package/dist/core/repo-approval-gate.js +116 -0
- package/dist/core/repo-git-ignore-audit.js +302 -0
- package/dist/core/repo-manifest-lock-drift.js +321 -0
- package/dist/core/repo-merge-conflict-scan.js +335 -0
- package/dist/core/repo-version-source.js +82 -0
- package/dist/core/route-outline.js +57 -5
- package/dist/core/script-pack-suggestions.js +97 -1
- package/dist/core/secret-risk-scan.js +440 -0
- package/dist/core/skill-route-audit.js +354 -0
- package/dist/core/test-performance-report.js +697 -0
- package/dist/core/test-regression-selector.js +335 -0
- package/package.json +1 -1
- package/schemas/README.md +54 -0
- package/schemas/change-impact-report.schema.json +184 -0
- package/schemas/commands.schema.json +12 -0
- package/schemas/dependency-graph-report.schema.json +149 -0
- package/schemas/env-contract-report.schema.json +203 -0
- package/schemas/import-cycle-report.schema.json +157 -0
- package/schemas/link-integrity-report.schema.json +176 -0
- package/schemas/repo-approval-gate-report.schema.json +115 -0
- package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
- package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
- package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
- package/schemas/repo-version-source-report.schema.json +127 -0
- package/schemas/secret-risk-scan-report.schema.json +152 -0
- package/schemas/skill-route-audit-report.schema.json +144 -0
- package/schemas/test-performance-report.schema.json +319 -0
- package/schemas/test-regression-selector-report.schema.json +187 -0
- package/templates/default/i18n.toml +80 -26
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
- package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
- package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
- package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
- package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
- package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
- package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
- package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
- package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
- package/templates/default/manifest.toml +71 -1
|
@@ -0,0 +1,206 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.rag-pipeline-triage
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: rag-pipeline-triage
|
|
9
|
+
description: Apply this skill when a RAG, knowledge-base answer, grounded chat, citation answer, retrieval-augmented support bot, or document QA flow is wrong, stale, unsupported, slow, leaking data, over-refusing, or not yet localized to ingestion, parsing, chunking, retrieval, filtering, reranking, context assembly, prompt construction, generation, citation validation, or answerability boundaries.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.rag-pipeline-triage
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# RAG Pipeline Triage
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Localize RAG failures by splitting ingestion, retrieval, context assembly, and answer generation
|
|
33
|
+
before changing models, prompts, chunk sizes, or vector settings.
|
|
34
|
+
|
|
35
|
+
The first question is not "is the model bad?" It is "did the correct evidence exist, get retrieved,
|
|
36
|
+
survive filtering and context assembly, and constrain the answer?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- A RAG answer, knowledge-base answer, grounded support bot, citation answer, document QA flow, or
|
|
42
|
+
retrieval-augmented agent is wrong, stale, unsupported, too slow, leaking data, citing the wrong
|
|
43
|
+
source, refusing answerable questions, or answering unanswerable questions.
|
|
44
|
+
- The failure is not yet localized to source availability, parsing, chunking, embedding, indexing,
|
|
45
|
+
filters, vector or keyword retrieval, hybrid fusion, reranking, context packing, prompt assembly,
|
|
46
|
+
generation, validators, citations, answerability, or access control.
|
|
47
|
+
- A review would otherwise tune the model, top-k, chunk size, reranker, or prompt before proving
|
|
48
|
+
which RAG layer failed.
|
|
49
|
+
|
|
50
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
51
|
+
## Do Not Use When
|
|
52
|
+
|
|
53
|
+
- The failure is already localized to retrieval mechanics, filters, ANN, embeddings, or vector DB
|
|
54
|
+
behavior; use `vector-search-integrity-review`.
|
|
55
|
+
- The failure is already localized to unsupported claims, citations, answerability, evidence IDs, or
|
|
56
|
+
validators; use `llm-hallucination-control-review`.
|
|
57
|
+
- The failure is already localized to prompt structure, tool policy, output schema, or model runtime
|
|
58
|
+
settings; use `prompt-contract-quality-review`.
|
|
59
|
+
- The task asks for production document dumps, raw embeddings, private prompts, customer text, or
|
|
60
|
+
tenant-identifying data. Use ids, hashes, safe synthetic fixtures, aggregate metrics, and redacted
|
|
61
|
+
traces.
|
|
62
|
+
|
|
63
|
+
<!-- mustflow-section: required-inputs -->
|
|
64
|
+
## Required Inputs
|
|
65
|
+
|
|
66
|
+
- Symptom classification: missing correct document, correct document retrieved but unused, stale
|
|
67
|
+
answer, unsupported answer, wrong citation, access-control leak, over-refusal, under-refusal,
|
|
68
|
+
latency, cost, or nondeterministic result.
|
|
69
|
+
- Trace ledger: trace id, original question, normalized question, rewritten query, user or tenant
|
|
70
|
+
context, filters, embedding model version, index version, candidate ids and scores, reranker
|
|
71
|
+
output, final context ids and order, prompt version, model version, answer, citations, validators,
|
|
72
|
+
latency, and cost when safe.
|
|
73
|
+
- Source ledger: authoritative source availability, parsed text, chunk boundaries, metadata, title,
|
|
74
|
+
section path, version, effective dates, stale or deleted documents, duplicates, and conflicting
|
|
75
|
+
sources.
|
|
76
|
+
- Comparison ledger: no-retrieval answer, retrieved-context answer, human-selected gold-context
|
|
77
|
+
answer, exact or keyword search result, vector search result, hybrid result, and expected
|
|
78
|
+
answerability state.
|
|
79
|
+
- Eval ledger: real failed queries, unanswerable questions, stale-doc cases, conflicting-doc cases,
|
|
80
|
+
similar-name cases, IDs and error codes, multilingual or typo cases, multi-hop cases, and
|
|
81
|
+
unauthorized-doc cases.
|
|
82
|
+
- Privacy ledger: raw text, prompts, embeddings, tenant ids, user ids, provider payloads, and which
|
|
83
|
+
evidence can be stored or reported safely.
|
|
84
|
+
|
|
85
|
+
<!-- mustflow-section: preconditions -->
|
|
86
|
+
## Preconditions
|
|
87
|
+
|
|
88
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
89
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
|
|
90
|
+
- Raw documents, prompts, embeddings, user data, and tenant-identifying payloads are not copied into
|
|
91
|
+
docs, tests, commits, or reports unless they are safe synthetic fixtures.
|
|
92
|
+
|
|
93
|
+
<!-- mustflow-section: allowed-edits -->
|
|
94
|
+
## Allowed Edits
|
|
95
|
+
|
|
96
|
+
- Add or tighten trace fields, fixture queries, parsing checks, chunk metadata, duplicate or stale
|
|
97
|
+
source handling, retrieval comparisons, filter checks, context-packing rules, prompt source
|
|
98
|
+
separation, citation validators, answerability states, dirty eval fixtures, metrics, docs, and
|
|
99
|
+
directly synchronized templates.
|
|
100
|
+
- Add safe synthetic fixtures for missing-doc, correct-doc-unused, stale-doc, conflicting-doc,
|
|
101
|
+
unauthorized-doc, exact-id, keyword, vector, hybrid, reranker, citation, and abstain behavior.
|
|
102
|
+
- Do not change models, re-embed data, rebuild production indexes, widen access filters, disable
|
|
103
|
+
authorization, dump private corpora, or claim quality improvement before the failing layer is
|
|
104
|
+
localized.
|
|
105
|
+
|
|
106
|
+
<!-- mustflow-section: procedure -->
|
|
107
|
+
## Procedure
|
|
108
|
+
|
|
109
|
+
1. Classify the symptom. Separate no source, bad parsing, bad chunking, retrieval miss, filter miss,
|
|
110
|
+
reranker loss, context truncation, prompt misuse, generation drift, false citation, stale answer,
|
|
111
|
+
access leak, latency, cost, and answerability errors.
|
|
112
|
+
2. Preserve one safe end-to-end trace. Keep ids, versions, scores, context order, prompt version,
|
|
113
|
+
model version, validator result, latency, and cost. Redact raw sensitive content.
|
|
114
|
+
3. Prove the answer exists in the source of truth. Do not tune retrieval for an answer that is not in
|
|
115
|
+
the indexed corpus or an allowed tool.
|
|
116
|
+
4. Inspect parsed text before original documents. Tables, PDFs, multi-column pages, code blocks,
|
|
117
|
+
headers, footers, and OCR can be broken even when the original file looks correct.
|
|
118
|
+
5. Inspect chunk boundaries and metadata. Verify title, parent section, version, dates, audience,
|
|
119
|
+
product, source authority, and neighboring context survive into chunks or parent retrieval.
|
|
120
|
+
6. Compare source versions and deletes. Duplicates, obsolete documents, tombstones, and conflicting
|
|
121
|
+
effective dates must not be silently mixed into one answer.
|
|
122
|
+
7. Run the isolation comparison when evidence is available: no retrieval, current retrieved context,
|
|
123
|
+
and human-selected gold context. Gold-context failure points to generation or prompt; current
|
|
124
|
+
context failure with gold success points to retrieval or context assembly.
|
|
125
|
+
8. Compare keyword, vector, hybrid, and exact-id retrieval by data shape. IDs, error codes, SKUs,
|
|
126
|
+
names, dates, and numbers need exact or lexical safeguards; semantic questions may need vector or
|
|
127
|
+
hybrid retrieval.
|
|
128
|
+
9. Check filters before blaming embeddings. Record pre-filter candidate count, post-filter count,
|
|
129
|
+
tenant and permission filters, metadata types, time zones, empty arrays, case sensitivity, and
|
|
130
|
+
stale policy copies.
|
|
131
|
+
10. Check reranker candidate starvation. If the correct source never enters the candidate set, the
|
|
132
|
+
reranker cannot fix it. If it enters and then drops, inspect reranker inputs and scoring.
|
|
133
|
+
11. Check context assembly. Verify `top_k`, score thresholds, source order, truncation, deduping,
|
|
134
|
+
conflict handling, source authority, and whether important evidence is buried or cut off.
|
|
135
|
+
12. Check prompt construction. User input, retrieved text, examples, tool observations, and system or
|
|
136
|
+
developer instructions must remain separated. Retrieved text is data, not authority.
|
|
137
|
+
13. Check answerability and abstain behavior. Track no-evidence, low-confidence, conflicting-source,
|
|
138
|
+
stale-source, access-denied, tool-failed, and needs-human states separately.
|
|
139
|
+
14. Validate citations claim-by-claim. A citation id proves nothing unless the cited chunk supports
|
|
140
|
+
the specific generated claim.
|
|
141
|
+
15. Measure each layer separately. Track parsing success, index freshness, Recall@k, MRR or nDCG,
|
|
142
|
+
rerank survival, context token budget, answer accuracy, citation accuracy, abstain accuracy,
|
|
143
|
+
access leaks, and retrieval/rerank/generation latency and cost.
|
|
144
|
+
16. Use dirty eval cases from real failures. Include typos, abbreviations, multilingual questions,
|
|
145
|
+
unanswerable questions, date-sensitive questions, similar names, product codes, multi-hop
|
|
146
|
+
questions, unauthorized documents, stale documents, and conflicting documents.
|
|
147
|
+
17. Apply the smallest localized fix and switch to the narrower matching skill for retrieval,
|
|
148
|
+
hallucination control, prompt contract, token cost, latency, access control, or prompt-injection
|
|
149
|
+
defense once the boundary is known.
|
|
150
|
+
|
|
151
|
+
<!-- mustflow-section: postconditions -->
|
|
152
|
+
## Postconditions
|
|
153
|
+
|
|
154
|
+
- The RAG failure is localized to ingestion, parsing, chunking, indexing, retrieval, filters,
|
|
155
|
+
reranking, context assembly, prompt construction, generation, citation validation, answerability,
|
|
156
|
+
access control, or a named evidence gap.
|
|
157
|
+
- Trace, source, comparison, eval, metric, and privacy ledgers are explicit where relevant.
|
|
158
|
+
- Model, prompt, chunk, top-k, reranker, or index changes are justified by layer evidence rather than
|
|
159
|
+
by general "RAG quality" claims.
|
|
160
|
+
|
|
161
|
+
<!-- mustflow-section: verification -->
|
|
162
|
+
## Verification
|
|
163
|
+
|
|
164
|
+
Use configured oneshot command intents when available:
|
|
165
|
+
|
|
166
|
+
- `changes_status`
|
|
167
|
+
- `changes_diff_summary`
|
|
168
|
+
- `lint`
|
|
169
|
+
- `build`
|
|
170
|
+
- `test_related`
|
|
171
|
+
- `test`
|
|
172
|
+
- `docs_validate_fast`
|
|
173
|
+
- `test_release`
|
|
174
|
+
- `mustflow_check`
|
|
175
|
+
|
|
176
|
+
Prefer the narrowest configured eval, fixture, schema, docs, package, or release check that proves
|
|
177
|
+
the localized RAG boundary. Report missing retrieval, gold-context, citation, answerability,
|
|
178
|
+
privacy, latency, or production-index evidence instead of inventing live diagnostics.
|
|
179
|
+
|
|
180
|
+
<!-- mustflow-section: failure-handling -->
|
|
181
|
+
## Failure Handling
|
|
182
|
+
|
|
183
|
+
- If the end-to-end trace cannot be reconstructed, report the missing trace fields before tuning
|
|
184
|
+
models, prompts, chunks, filters, or retrieval parameters.
|
|
185
|
+
- If evidence contains raw private text, embeddings, prompts, personal data, or tenant-identifying
|
|
186
|
+
data, redact to ids, hashes, dimensions, scores, snippets from safe fixtures, and aggregate
|
|
187
|
+
metrics.
|
|
188
|
+
- If the fix requires model replacement, re-embedding, index rebuild, private corpus access, or live
|
|
189
|
+
provider calls outside the command contract, report the manual boundary.
|
|
190
|
+
- If retrieved text can inject instructions, pause RAG quality work and apply
|
|
191
|
+
`external-prompt-injection-defense`.
|
|
192
|
+
|
|
193
|
+
<!-- mustflow-section: output-format -->
|
|
194
|
+
## Output Format
|
|
195
|
+
|
|
196
|
+
- RAG pipeline triaged
|
|
197
|
+
- Symptom classification and localized boundary
|
|
198
|
+
- Trace, source, comparison, eval, metric, and privacy ledgers
|
|
199
|
+
- Ingestion, parsing, chunking, retrieval, filter, rerank, context, prompt, generation, citation,
|
|
200
|
+
answerability, access-control, latency, and cost findings
|
|
201
|
+
- Fix applied or recommended
|
|
202
|
+
- Evidence level: end-to-end trace, gold-context comparison, configured-test evidence, static review
|
|
203
|
+
risk, manual-only, missing, or not applicable
|
|
204
|
+
- Command intents run
|
|
205
|
+
- Skipped diagnostics and reasons
|
|
206
|
+
- Remaining RAG pipeline risk
|
|
@@ -78,6 +78,12 @@ route_type = "adjunct"
|
|
|
78
78
|
priority = 85
|
|
79
79
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "mustflow_docs_change", "mustflow_config_change", "package_metadata_change", "release_risk"]
|
|
80
80
|
|
|
81
|
+
[routes."next-action-menu"]
|
|
82
|
+
category = "workflow_contracts"
|
|
83
|
+
route_type = "adjunct"
|
|
84
|
+
priority = 72
|
|
85
|
+
applies_to_reasons = ["unknown_change", "docs_change", "workflow_change", "mustflow_docs_change", "package_metadata_change"]
|
|
86
|
+
|
|
81
87
|
[routes."proactive-risk-surfacing"]
|
|
82
88
|
category = "workflow_contracts"
|
|
83
89
|
route_type = "event"
|
|
@@ -234,6 +240,30 @@ route_type = "adjunct"
|
|
|
234
240
|
priority = 73
|
|
235
241
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change"]
|
|
236
242
|
|
|
243
|
+
[routes."api-failure-triage"]
|
|
244
|
+
category = "bug_failure"
|
|
245
|
+
route_type = "primary"
|
|
246
|
+
priority = 72
|
|
247
|
+
applies_to_reasons = ["unknown_change", "command_failure", "behavior_change", "public_api_change", "performance_change", "data_change", "docs_change"]
|
|
248
|
+
|
|
249
|
+
[routes."auth-flow-triage"]
|
|
250
|
+
category = "bug_failure"
|
|
251
|
+
route_type = "primary"
|
|
252
|
+
priority = 74
|
|
253
|
+
applies_to_reasons = ["unknown_change", "command_failure", "behavior_change", "security_change", "privacy_change", "data_change", "docs_change"]
|
|
254
|
+
|
|
255
|
+
[routes."docker-runtime-triage"]
|
|
256
|
+
category = "bug_failure"
|
|
257
|
+
route_type = "primary"
|
|
258
|
+
priority = 73
|
|
259
|
+
applies_to_reasons = ["unknown_change", "command_failure", "behavior_change", "performance_change", "data_change", "docs_change"]
|
|
260
|
+
|
|
261
|
+
[routes."ci-pipeline-triage"]
|
|
262
|
+
category = "bug_failure"
|
|
263
|
+
route_type = "primary"
|
|
264
|
+
priority = 75
|
|
265
|
+
applies_to_reasons = ["unknown_change", "command_failure", "workflow_change", "mustflow_config_change", "docs_change", "test_change", "package_metadata_change", "release_risk", "performance_change", "security_change"]
|
|
266
|
+
|
|
237
267
|
[routes."app-startup-performance-review"]
|
|
238
268
|
category = "general_code"
|
|
239
269
|
route_type = "adjunct"
|
|
@@ -406,7 +436,7 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change", "packag
|
|
|
406
436
|
category = "general_code"
|
|
407
437
|
route_type = "primary"
|
|
408
438
|
priority = 85
|
|
409
|
-
applies_to_reasons = ["code_change", "public_api_change", "test_change", "package_metadata_change"]
|
|
439
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "migration_change", "security_change", "package_metadata_change", "release_risk"]
|
|
410
440
|
|
|
411
441
|
[routes."docker-code-change"]
|
|
412
442
|
category = "general_code"
|
|
@@ -418,7 +448,7 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change", "securi
|
|
|
418
448
|
category = "general_code"
|
|
419
449
|
route_type = "primary"
|
|
420
450
|
priority = 82
|
|
421
|
-
applies_to_reasons = ["code_change", "public_api_change", "docs_change", "test_change"]
|
|
451
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "docs_change", "test_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change"]
|
|
422
452
|
|
|
423
453
|
[routes."backend-reliability-change"]
|
|
424
454
|
category = "general_code"
|
|
@@ -436,7 +466,7 @@ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "pe
|
|
|
436
466
|
category = "general_code"
|
|
437
467
|
route_type = "primary"
|
|
438
468
|
priority = 85
|
|
439
|
-
applies_to_reasons = ["code_change", "public_api_change", "test_change", "package_metadata_change"]
|
|
469
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "data_change", "migration_change", "ui_change", "package_metadata_change"]
|
|
440
470
|
|
|
441
471
|
[routes."javascript-code-change"]
|
|
442
472
|
category = "general_code"
|
|
@@ -522,6 +552,12 @@ route_type = "primary"
|
|
|
522
552
|
priority = 67
|
|
523
553
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
524
554
|
|
|
555
|
+
[routes."rag-pipeline-triage"]
|
|
556
|
+
category = "general_code"
|
|
557
|
+
route_type = "primary"
|
|
558
|
+
priority = 72
|
|
559
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
560
|
+
|
|
525
561
|
[routes."llm-token-cost-control-review"]
|
|
526
562
|
category = "general_code"
|
|
527
563
|
route_type = "primary"
|
|
@@ -618,6 +654,18 @@ route_type = "primary"
|
|
|
618
654
|
priority = 86
|
|
619
655
|
applies_to_reasons = ["code_change", "data_change", "migration_change", "behavior_change", "public_api_change", "test_change", "docs_change", "security_change", "performance_change"]
|
|
620
656
|
|
|
657
|
+
[routes."search-index-integrity-review"]
|
|
658
|
+
category = "data_external"
|
|
659
|
+
route_type = "primary"
|
|
660
|
+
priority = 74
|
|
661
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "data_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
662
|
+
|
|
663
|
+
[routes."vector-search-integrity-review"]
|
|
664
|
+
category = "data_external"
|
|
665
|
+
route_type = "primary"
|
|
666
|
+
priority = 73
|
|
667
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "data_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
668
|
+
|
|
621
669
|
[routes."dependency-upgrade-review"]
|
|
622
670
|
category = "data_external"
|
|
623
671
|
route_type = "primary"
|
|
@@ -652,13 +700,13 @@ applies_to_reasons = ["code_change", "security_change", "migration_change"]
|
|
|
652
700
|
category = "data_external"
|
|
653
701
|
route_type = "primary"
|
|
654
702
|
priority = 55
|
|
655
|
-
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "cross_cutting_code_change"]
|
|
703
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "cross_cutting_code_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change", "package_metadata_change"]
|
|
656
704
|
|
|
657
705
|
[routes."tauri-code-change"]
|
|
658
706
|
category = "data_external"
|
|
659
707
|
route_type = "primary"
|
|
660
708
|
priority = 90
|
|
661
|
-
applies_to_reasons = ["code_change", "security_change", "public_api_change"]
|
|
709
|
+
applies_to_reasons = ["code_change", "behavior_change", "ui_change", "security_change", "privacy_change", "data_change", "public_api_change", "package_metadata_change", "release_risk"]
|
|
662
710
|
|
|
663
711
|
[routes."process-execution-safety"]
|
|
664
712
|
category = "data_external"
|
|
@@ -696,6 +744,12 @@ route_type = "adjunct"
|
|
|
696
744
|
priority = 40
|
|
697
745
|
applies_to_reasons = ["test_change", "behavior_change"]
|
|
698
746
|
|
|
747
|
+
[routes."test-suite-performance-review"]
|
|
748
|
+
category = "tests"
|
|
749
|
+
route_type = "primary"
|
|
750
|
+
priority = 58
|
|
751
|
+
applies_to_reasons = ["performance_change", "test_change", "workflow_change", "mustflow_config_change", "package_metadata_change", "unknown_change"]
|
|
752
|
+
|
|
699
753
|
[routes."test-maintenance"]
|
|
700
754
|
category = "tests"
|
|
701
755
|
route_type = "primary"
|
|
@@ -828,6 +882,12 @@ route_type = "adjunct"
|
|
|
828
882
|
priority = 81
|
|
829
883
|
applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change"]
|
|
830
884
|
|
|
885
|
+
[routes."motion-system-contract-review"]
|
|
886
|
+
category = "ui_assets"
|
|
887
|
+
route_type = "adjunct"
|
|
888
|
+
priority = 83
|
|
889
|
+
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "performance_change", "test_change", "docs_change", "web_asset_change"]
|
|
890
|
+
|
|
831
891
|
[routes."frontend-state-ownership-review"]
|
|
832
892
|
category = "ui_assets"
|
|
833
893
|
route_type = "adjunct"
|
|
@@ -880,13 +940,13 @@ applies_to_reasons = ["ui_change", "docs_change", "code_change"]
|
|
|
880
940
|
category = "ui_assets"
|
|
881
941
|
route_type = "primary"
|
|
882
942
|
priority = 85
|
|
883
|
-
applies_to_reasons = ["ui_change", "docs_change", "code_change"]
|
|
943
|
+
applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "public_api_change", "migration_change", "package_metadata_change"]
|
|
884
944
|
|
|
885
945
|
[routes."unocss-code-change"]
|
|
886
946
|
category = "ui_assets"
|
|
887
947
|
route_type = "primary"
|
|
888
948
|
priority = 85
|
|
889
|
-
applies_to_reasons = ["ui_change", "docs_change", "code_change"]
|
|
949
|
+
applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "performance_change", "package_metadata_change"]
|
|
890
950
|
|
|
891
951
|
[routes."flutter-code-change"]
|
|
892
952
|
category = "ui_assets"
|
|
@@ -898,13 +958,13 @@ applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
|
|
|
898
958
|
category = "ui_assets"
|
|
899
959
|
route_type = "primary"
|
|
900
960
|
priority = 85
|
|
901
|
-
applies_to_reasons = ["ui_change", "docs_change", "code_change"]
|
|
961
|
+
applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "package_metadata_change"]
|
|
902
962
|
|
|
903
963
|
[routes."svelte-code-change"]
|
|
904
964
|
category = "ui_assets"
|
|
905
965
|
route_type = "primary"
|
|
906
966
|
priority = 85
|
|
907
|
-
applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
|
|
967
|
+
applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "test_change", "package_metadata_change"]
|
|
908
968
|
|
|
909
969
|
[routes."pattern-scout"]
|
|
910
970
|
category = "architecture_patterns"
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.rust-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 6
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: rust-code-change
|
|
@@ -101,9 +101,14 @@ instead of treated as incidental.
|
|
|
101
101
|
- before using newer APIs, build an API-specific MSRV ledger instead of relying on a broad release bucket. Examples that need exact checking include `cfg_select!`, match `if let` guards, `core::range` items, `Vec::push_mut`, `assert_matches!`, and `debug_assert_matches!`;
|
|
102
102
|
- do not use any newer API unless the declared MSRV, edition, CI matrix, docs.rs metadata, and toolchain path support that exact API;
|
|
103
103
|
- keep experimental, nightly-only, target-specific, or edition-specific behavior behind explicit gates or fallbacks instead of calling it general Rust advice.
|
|
104
|
-
5.
|
|
105
|
-
|
|
106
|
-
|
|
104
|
+
5. For Rust 2024 or edition migration work, review semantics instead of treating the edition as formatting:
|
|
105
|
+
- inspect `unsafe extern` blocks, unsafe attributes such as exported symbols or custom sections, `unsafe_op_in_unsafe_fn`, and public unsafe docs together;
|
|
106
|
+
- check `if let` scrutinee temporaries and tail-expression temporaries around locks, `RefCell`, guards, files, network handles, and other `Drop` values;
|
|
107
|
+
- review macro fragment specifiers, especially expression fragments whose accepted syntax changes by edition, and use older-edition fragments only when the macro intentionally rejects newer forms;
|
|
108
|
+
- treat automatic edition rewrites as candidate diffs that still need human review of unsafe, macro, pattern, temporary lifetime, docs, and examples.
|
|
109
|
+
6. Prefer flatter control flow when the MSRV supports it: use `let else` for early validation, let chains for related optional/result guards, and match `if let` guards for state-machine refinements. Remember that guard patterns do not satisfy match exhaustiveness; keep the fallback arm meaningful.
|
|
110
|
+
7. In tests, prefer `assert_matches!` over `assert!(matches!(...))` when the MSRV supports it and the failed value has useful `Debug` output. Import it explicitly from `std` or `core`; do not assume it is in the prelude.
|
|
111
|
+
8. Resolve ownership problems in this order: identify the real owner, shrink borrow scopes, fix function signatures to accept references or slices when ownership is unnecessary, distinguish transfer from sharing, then consider clone or shared ownership only when the semantics require it.
|
|
107
112
|
8. Before adding `clone`, verify it is a cheap handle clone such as `Arc`, `Rc`, or `Bytes`, a small intentional value clone, or a true independent ownership split. Reject large collection clones, loop clones, clone-then-borrow code, and whole-state clones made only to satisfy `spawn`.
|
|
108
113
|
9. Before adding `Arc<Mutex<_>>`, verify multiple owners truly need shared mutable state. For read-mostly snapshots, prefer ownership-preserving choices such as `Arc::make_mut`, immutable swaps, or explicit reload boundaries. Keep critical sections short, document lock order when relevant, and do not hold a lock guard across `.await`, I/O, callbacks, or user code.
|
|
109
114
|
10. Choose initialization primitives by input and failure semantics: use `LazyLock` for no-argument static lazy values that may poison permanently on panic, and `OnceLock` when boot-time or test-time code supplies the value or panic poisoning must not become the recovery policy.
|
|
@@ -135,6 +140,7 @@ Reject or revise the patch when any of these appear without strong local justifi
|
|
|
135
140
|
- New large `clone()` calls, clone-then-borrow code, loop clones, or state clones used only to appease ownership errors.
|
|
136
141
|
- New `Arc<Mutex<AppState>>`-style shared bags, locks held across `.await`, or async I/O resources shared mainly by mutex.
|
|
137
142
|
- New version-gated Rust API usage without API-specific MSRV, `rust-version`, edition, toolchain, CI, or fallback evidence.
|
|
143
|
+
- Rust 2024 edition changes accepted without reviewing unsafe extern blocks, unsafe attributes, `unsafe_op_in_unsafe_fn`, temporary drop scopes, and macro fragment behavior where those surfaces exist.
|
|
138
144
|
- New `LazyLock` initialization for recoverable runtime configuration where permanent panic poisoning would be the wrong failure policy.
|
|
139
145
|
- New `spare_capacity_mut` plus `set_len` without a narrow, proven initialization invariant.
|
|
140
146
|
- New public `impl Trait`, `Deref`, GAT, workspace resolver, feature, or `rust-version` change without public API and compatibility review.
|
|
@@ -0,0 +1,181 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.search-index-integrity-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: search-index-integrity-review
|
|
9
|
+
description: Apply this skill when keyword search, full-text search, Elasticsearch, OpenSearch, Lucene-style indexes, search APIs, indexing pipelines, aliases, bulk indexing, refresh visibility, analyzers, mappings, synonyms, autocomplete, pagination, shard failures, search quality, or search performance are created, changed, reviewed, or failing. Use vector-search-integrity-review first for vector-only or semantic retrieval mechanics, and use rag-pipeline-triage first when a RAG failure is not yet localized to search retrieval.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.search-index-integrity-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Search Index Integrity Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review search as an end-to-end index and query contract, not as "the cluster is green."
|
|
33
|
+
|
|
34
|
+
The core question is whether a source record can be changed, accepted by the indexing path, become visible through the same API users call, rank as expected, stay isolated by tenant and filters, and remain fast under realistic query shapes.
|
|
35
|
+
|
|
36
|
+
<!-- mustflow-section: use-when -->
|
|
37
|
+
## Use When
|
|
38
|
+
|
|
39
|
+
- Code creates or changes search ingestion, indexing jobs, bulk writes, index aliases, refresh policy, index templates, mappings, analyzers, keyword or text fields, synonyms, autocomplete, query builders, filters, sort, pagination, highlighting, source filtering, result shaping, search caches, or search observability.
|
|
40
|
+
- Search is missing documents, returning stale data, returning partial results, ranking the wrong document, showing zero results, leaking tenant data, slowing down, timing out, rejecting writes, or behaving differently through direct search, backend API, and UI.
|
|
41
|
+
- A review needs index visibility, read/write alias, bulk item errors, shard failure, mapping drift, analyzer, synonym, golden-set, p95 or p99 latency, slow-log, query fingerprint, shard fan-out, cache, refresh, segment merge, disk watermark, or search SLO evidence.
|
|
42
|
+
|
|
43
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
44
|
+
## Do Not Use When
|
|
45
|
+
|
|
46
|
+
- The task is only vector, semantic, embedding, ANN, reranking, or vector hybrid mechanics; use `vector-search-integrity-review` first.
|
|
47
|
+
- The task is an end-to-end RAG failure and it is not yet clear whether ingestion, retrieval, context assembly, prompt construction, generation, citation validation, or answerability failed; use `rag-pipeline-triage` first.
|
|
48
|
+
- The task is only API transport, CORS, SDK, gateway, auth, or cache failure before the search boundary is known; use `api-failure-triage`.
|
|
49
|
+
- The task is ordinary database query performance with no search index, analyzer, ranking, alias, or indexing path.
|
|
50
|
+
- The requested evidence would require dumping private queries, customer documents, raw personal data, or production result pages into docs, tests, commits, or reports. Use safe IDs, hashes, synthetic fixtures, aggregate counts, or redacted examples.
|
|
51
|
+
|
|
52
|
+
<!-- mustflow-section: required-inputs -->
|
|
53
|
+
## Required Inputs
|
|
54
|
+
|
|
55
|
+
- Symptom classification: source not indexed, write not visible, wrong alias, partial shard result, wrong exact match, wrong full-text match, ranking drift, zero results, stale delete, tenant leak, autocomplete failure, deep-page failure, slow query, bulk rejection, mapping conflict, or UI/API mismatch.
|
|
56
|
+
- Source-to-search ledger: source id, tenant, category, status, update time, indexing request time, bulk item result, indexed document id, direct lookup result, first search-visible time, rank, delete or tombstone state, and visibility lag.
|
|
57
|
+
- Query contract ledger: user-facing API path, direct search request, API-transformed request, UI result shaping, index or alias, tenant and permission filters, analyzed fields, exact fields, sort, pagination mode, source fields, highlight fields, cache state, and expected result ids.
|
|
58
|
+
- Index contract ledger: read alias, write alias, index templates, mappings, analyzers, normalizers, synonym sets, dynamic mapping policy, refresh policy, shard and replica plan, segment or merge state, disk watermark risk, and rollover or reindex status.
|
|
59
|
+
- Quality ledger: representative queries, expected results, acceptable alternatives, zero-result expectations, Precision@K, Recall@K, MRR or ranking metric, before/after comparison, click or behavior metric limitations, and golden-set fixture status.
|
|
60
|
+
- Performance ledger: cold and warm latency, p50, p95, p99, search server time, API time, UI time, query phase, fetch phase, response size, shard fan-out, thread-pool active/queue/rejected, slow-log or query-profile evidence, cache hit or miss, and retry behavior.
|
|
61
|
+
- Privacy ledger: raw query text, document text, tenant ids, user ids, behavior analytics, search logs, highlights, and whether evidence can be stored safely as synthetic fixtures, ids, hashes, summaries, or aggregate metrics.
|
|
62
|
+
|
|
63
|
+
<!-- mustflow-section: preconditions -->
|
|
64
|
+
## Preconditions
|
|
65
|
+
|
|
66
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
67
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
|
|
68
|
+
- Existing search adapters, query builders, index templates, mapping fixtures, golden sets, telemetry, and tests have been searched before changing search behavior.
|
|
69
|
+
- Raw private document text, queries, user behavior, and tenant-identifying payloads are not copied into repository artifacts unless they are safe synthetic fixtures.
|
|
70
|
+
|
|
71
|
+
<!-- mustflow-section: allowed-edits -->
|
|
72
|
+
## Allowed Edits
|
|
73
|
+
|
|
74
|
+
- Add or tighten search canaries, indexing ledgers, bulk item error handling, alias checks, mapping and analyzer fixtures, exact-versus-full-text tests, tenant and permission filter tests, golden-set tests, synonym regression tests, pagination guards, query fingerprint metrics, search latency metrics, docs, and directly synchronized templates.
|
|
75
|
+
- Add focused synthetic fixtures that encode expected exact search, full-text search, analyzer behavior, synonym behavior, filtered search, tenant isolation, zero-result behavior, pagination stability, and ranking order.
|
|
76
|
+
- Do not change analyzer, synonym, refresh, alias, shard, cache, or ranking settings blindly. First preserve source-to-search, query-contract, quality, and performance evidence.
|
|
77
|
+
- Do not force every write to refresh immediately unless the product contract explicitly needs synchronous visibility and the indexing cost is accepted.
|
|
78
|
+
- Do not treat search metrics as permission checks. Authorization and tenant filters must remain enforced outside and inside the search query path as the product requires.
|
|
79
|
+
|
|
80
|
+
<!-- mustflow-section: procedure -->
|
|
81
|
+
## Procedure
|
|
82
|
+
|
|
83
|
+
1. Classify the failure before tuning.
|
|
84
|
+
- Separate source missing, indexing rejected, write not visible, wrong alias, direct lookup mismatch, exact-search mismatch, full-text mismatch, ranking drift, partial shard result, API/UI transformation, stale cache, and slow query.
|
|
85
|
+
- If the symptom is only "cluster green but users cannot find it," require source-to-search evidence.
|
|
86
|
+
2. Add or inspect a search canary when the system supports it.
|
|
87
|
+
- A unique canary document should pass through the same write path and user-facing search API as real data.
|
|
88
|
+
- Record accepted time, first visible time, rank, index or alias, tenant or filter context, and not-found evidence.
|
|
89
|
+
3. Check bulk and ingestion outcomes per item.
|
|
90
|
+
- A batch-level success is insufficient. Inspect item-level errors, mapping conflicts, version conflicts, rejected writes, shard failures, retries, and failed ids.
|
|
91
|
+
- Preserve failed source ids or safe hashes so reindex and reconciliation can target real misses.
|
|
92
|
+
4. Reconcile source and index by slices.
|
|
93
|
+
- Compare counts and checksums by tenant, date, category, status, or other ownership boundary.
|
|
94
|
+
- Total count equality can hide one tenant missing and another duplicated.
|
|
95
|
+
5. Split direct lookup, exact search, and full-text search.
|
|
96
|
+
- Direct lookup success with search failure points toward refresh, alias, mapping, analyzer, filter, query, or API transformation.
|
|
97
|
+
- Exact keyword failure and full-text failure are different contracts.
|
|
98
|
+
6. Check read and write aliases.
|
|
99
|
+
- Expand aliases to concrete indexes, write index, filters, routing, rollover state, and reindex targets.
|
|
100
|
+
- A new index receiving writes while search reads the old alias is an indexing visibility bug, not a ranking bug.
|
|
101
|
+
7. Treat partial shard results as correctness evidence.
|
|
102
|
+
- Record `timed_out`, total shards, successful shards, failed shards, and partial-result policy.
|
|
103
|
+
- If partial results are not a valid product state, fail the request instead of silently returning incomplete search.
|
|
104
|
+
8. Compare direct search, backend API, and UI output.
|
|
105
|
+
- Direct search isolates engine behavior.
|
|
106
|
+
- Backend API adds query builders, permission filters, caches, response shaping, and pagination.
|
|
107
|
+
- UI adds sorting, dedupe, local cache, page state, and display filtering.
|
|
108
|
+
9. Inspect mappings and analyzers before changing queries.
|
|
109
|
+
- IDs, emails, status codes, tags, and exact filters usually need keyword-like fields.
|
|
110
|
+
- Human text usually needs text analysis. Use analyzer evidence or fixtures to prove tokenization for punctuation, case, hyphen, Korean spacing, product codes, and mixed alphanumeric text.
|
|
111
|
+
10. Review synonym and ranking changes against a golden set.
|
|
112
|
+
- Synonyms can improve one query and break many others.
|
|
113
|
+
- Compare representative queries before and after; include zero-result, typo, ambiguous, category, brand, long natural-language, and high-value queries.
|
|
114
|
+
11. Explain surprising ranks only for bounded cases.
|
|
115
|
+
- Inspect why one expected document ranked below another for a small failing sample.
|
|
116
|
+
- Do not enable expensive explain or profile behavior for broad production traffic.
|
|
117
|
+
12. Separate query, fetch, API, and UI latency.
|
|
118
|
+
- p50, p95, and p99 must be grouped by search type, index, route, role, tenant class, and query fingerprint where safe.
|
|
119
|
+
- Fetch time, source size, highlight fields, nested fields, and response shaping can dominate score calculation.
|
|
120
|
+
13. Fingerprint query shapes.
|
|
121
|
+
- Remove raw IDs, dates, user text, and tenant secrets before grouping.
|
|
122
|
+
- Store query family, index, role, shard count, cache state, source fields, sort, and filter shape so one feature cannot hide across millions of unique queries.
|
|
123
|
+
14. Check shard fan-out, thread pools, segments, cache, and disk.
|
|
124
|
+
- Search across hundreds of tiny shards, stale segments, merge backlog, cold caches, search queue rejections, hot shards, and disk watermarks can look like application bugs.
|
|
125
|
+
- Separate cold and warm measurements; cached benchmarks are not full search evidence.
|
|
126
|
+
15. Review refresh and visibility policy.
|
|
127
|
+
- Indexing success is not search visibility.
|
|
128
|
+
- Use synchronous visibility only for writes whose user contract needs it; otherwise define acceptable visibility lag and measure it.
|
|
129
|
+
16. Review pagination and result payloads.
|
|
130
|
+
- Avoid deep offset pagination as a default product contract.
|
|
131
|
+
- Use stable tie-breakers for cursor-like pagination, and limit source fields and highlights to what the UI needs.
|
|
132
|
+
17. Keep vector and hybrid boundaries explicit.
|
|
133
|
+
- If dense vectors, ANN, reranking, hybrid score fusion, or Recall@K drives the failure, switch to `vector-search-integrity-review` for that slice.
|
|
134
|
+
- If the bug is ordinary keyword indexing, alias, analyzer, source filtering, or shard partials, keep this skill as the primary route.
|
|
135
|
+
18. Define numeric SLOs and destructive drills when in scope.
|
|
136
|
+
- Useful examples include indexing-to-search-visible p95, search p99, zero-result rate, partial shard failure rate, top-result duplication, golden-set metric, bulk item failure rate, and reindex reconciliation lag.
|
|
137
|
+
- Live node kills, disk pressure, alias mistakes, mapping conflicts, and mass reindex drills are manual unless the command contract declares them.
|
|
138
|
+
|
|
139
|
+
<!-- mustflow-section: postconditions -->
|
|
140
|
+
## Postconditions
|
|
141
|
+
|
|
142
|
+
- The search symptom, source-to-search ledger, query contract, index contract, quality ledger, performance ledger, and privacy boundary are explicit.
|
|
143
|
+
- Bulk item errors, source/index reconciliation, direct lookup, exact search, full-text search, aliases, partial shards, API/UI transformation, mappings, analyzers, synonyms, ranking, pagination, source payload, shard fan-out, thread-pool pressure, cache state, refresh visibility, segments, disk, and SLO evidence are fixed or reported where relevant.
|
|
144
|
+
- Search claims are backed by configured tests, fixtures, golden-set evidence, static review, safe canary evidence, or labeled manual-only or missing.
|
|
145
|
+
|
|
146
|
+
<!-- mustflow-section: verification -->
|
|
147
|
+
## Verification
|
|
148
|
+
|
|
149
|
+
Use configured oneshot command intents when available:
|
|
150
|
+
|
|
151
|
+
- `changes_status`
|
|
152
|
+
- `changes_diff_summary`
|
|
153
|
+
- `lint`
|
|
154
|
+
- `build`
|
|
155
|
+
- `test_related`
|
|
156
|
+
- `test`
|
|
157
|
+
- `docs_validate_fast`
|
|
158
|
+
- `test_release`
|
|
159
|
+
- `mustflow_check`
|
|
160
|
+
|
|
161
|
+
Prefer the narrowest configured tests that cover search contract, tenant isolation, filters, mappings, analyzer fixtures, golden-set metrics, docs, or template surfaces. Report missing live search cluster, slow-log, reindex, canary, load, or production-index evidence instead of inventing live diagnostics.
|
|
162
|
+
|
|
163
|
+
<!-- mustflow-section: failure-handling -->
|
|
164
|
+
## Failure Handling
|
|
165
|
+
|
|
166
|
+
- If the query contract cannot be reconstructed, report the missing source, alias, filter, analyzer, ranking, or API transformation evidence before changing search settings.
|
|
167
|
+
- If evidence contains raw private query text, document text, personal data, behavior analytics, or tenant-identifying data, redact to synthetic fixtures, ids, hashes, safe summaries, or aggregate metrics.
|
|
168
|
+
- If the fix requires live index rebuild, production reindex, alias flip, cluster setting change, slow-log enablement, profile API on real traffic, or destructive drill outside the command contract, report the manual boundary.
|
|
169
|
+
- If configured verification fails, preserve the failing intent and output tail, then fix only the localized search contract or test expectation.
|
|
170
|
+
|
|
171
|
+
<!-- mustflow-section: output-format -->
|
|
172
|
+
## Output Format
|
|
173
|
+
|
|
174
|
+
- Search index integrity reviewed
|
|
175
|
+
- Symptom, source-to-search ledger, query contract, index contract, quality ledger, performance ledger, and privacy boundary
|
|
176
|
+
- Bulk, reconciliation, lookup, exact/full-text, alias, shard, API/UI, mapping, analyzer, synonym, ranking, pagination, payload, shard fan-out, thread-pool, cache, refresh, segment, disk, and SLO findings
|
|
177
|
+
- Fix applied or recommended
|
|
178
|
+
- Evidence level: canary evidence, golden-set evidence, configured-test evidence, static review risk, manual-only, missing, or not applicable
|
|
179
|
+
- Command intents run
|
|
180
|
+
- Skipped search diagnostics and reasons
|
|
181
|
+
- Remaining search-index risk
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.security-privacy-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 23
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: security-privacy-review
|
|
@@ -193,9 +193,11 @@ Catch security, privacy, and disclosure risks introduced by ordinary code, docum
|
|
|
193
193
|
32. For filesystem changes, distinguish lexical containment from the real target. Check symlinks, generated state, package contents, and file APIs that may follow links before claiming a path stays inside the repository.
|
|
194
194
|
33. For code-scanning alerts, group findings by root cause and rule. Fix the underlying pattern, not only the exact flagged line, and separate repository-setting alerts such as branch protection or maintainer activity from code changes.
|
|
195
195
|
- For incomplete escaping or encoding findings, search the same sink class for adjacent ad hoc sanitizer patterns such as first-occurrence `.replace`, non-global replacement, hand-escaped slashes, quotes, backslashes, path separators, or mixed URL encoders. Replace the pattern with a domain-owned transformation and add a regression test or narrow source-pattern guard when the behavior is release-sensitive.
|
|
196
|
+
- For ReDoS or inefficient-regular-expression findings, identify whether attacker-controlled text, repository files, generated output, logs, Markdown, YAML, or source code can reach the expression. Prefer a bounded parser, token scanner, structured parser, or anchored non-overlapping expression over nested quantifiers, repeated alternatives that can match the same prefix, or optional whitespace loops. Add a long malformed input case or equivalent static guard before claiming the backtracking risk is fixed.
|
|
196
197
|
34. For workflow scanner alerts, check action pinning, `persist-credentials`, job-level permissions, reusable workflow permissions, fork pull-request secret exposure, artifact upload boundaries, and privileged identity timing before treating the warning as cosmetic.
|
|
197
198
|
35. For pinned action references, distinguish tag objects from the commit that implements the tag. Verify pinned SHAs against the action repository so scanner tooling does not report an imposter or non-member commit.
|
|
198
199
|
36. For dependency scanner alerts, separate production dependency manifests from fixtures, examples, generated test repositories, and intentionally vulnerable samples. Narrow the scan scope before treating fixture-only alerts as product vulnerabilities.
|
|
200
|
+
- For lockfile CVEs, inspect the manifest and lockfile together. Identify the direct parent that keeps the vulnerable transitive package in the graph, update the narrowest direct dependency or override needed to reach the fixed range, and confirm the vulnerable package version no longer appears in the resolved graph before claiming the alert is fixed.
|
|
199
201
|
37. For deployment settings, check debug mode, sample admin accounts, default credentials, public admin panels, open metrics endpoints, public storage, root container users, HTTPS enforcement, and exposed GraphQL or development consoles.
|
|
200
202
|
38. For runtime and framework security updates, check that supported versions are documented, end-of-life versions are rejected, dependency locks exist where appropriate, security patches can be tested and deployed quickly, and rollback or redeploy can happen without manual dashboard memory. Do not treat a fashionable or high-performance runtime as safe unless the patch path is operationally credible.
|
|
201
203
|
39. For transport security, check HTTPS/TLS requirements, certificate validation, insecure HTTP downgrade paths, disabled verification flags, and whether sensitive traffic can bypass the secure channel.
|