mustflow 2.84.0 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (105) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +14 -0
  3. package/dist/cli/i18n/en.js +262 -0
  4. package/dist/cli/i18n/es.js +262 -0
  5. package/dist/cli/i18n/fr.js +262 -0
  6. package/dist/cli/i18n/hi.js +262 -0
  7. package/dist/cli/i18n/ko.js +262 -0
  8. package/dist/cli/i18n/zh.js +262 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +397 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +178 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  17. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  18. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  19. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  20. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  21. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  22. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  23. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  24. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  25. package/dist/cli/script-packs/repo-version-source.js +92 -0
  26. package/dist/cli/script-packs/test-performance-report.js +247 -0
  27. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  28. package/dist/core/change-impact.js +355 -0
  29. package/dist/core/change-surface-classification.js +198 -0
  30. package/dist/core/change-verification.js +32 -5
  31. package/dist/core/config-loading.js +121 -4
  32. package/dist/core/dependency-graph.js +490 -0
  33. package/dist/core/docs-link-integrity.js +443 -0
  34. package/dist/core/env-contract.js +450 -0
  35. package/dist/core/import-cycle.js +152 -0
  36. package/dist/core/line-endings.js +26 -13
  37. package/dist/core/public-json-contracts.js +167 -0
  38. package/dist/core/repo-approval-gate.js +116 -0
  39. package/dist/core/repo-git-ignore-audit.js +302 -0
  40. package/dist/core/repo-manifest-lock-drift.js +321 -0
  41. package/dist/core/repo-merge-conflict-scan.js +335 -0
  42. package/dist/core/repo-version-source.js +82 -0
  43. package/dist/core/route-outline.js +57 -5
  44. package/dist/core/script-pack-suggestions.js +97 -1
  45. package/dist/core/secret-risk-scan.js +440 -0
  46. package/dist/core/skill-route-audit.js +354 -0
  47. package/dist/core/test-performance-report.js +697 -0
  48. package/dist/core/test-regression-selector.js +335 -0
  49. package/package.json +1 -1
  50. package/schemas/README.md +54 -0
  51. package/schemas/change-impact-report.schema.json +184 -0
  52. package/schemas/commands.schema.json +12 -0
  53. package/schemas/dependency-graph-report.schema.json +149 -0
  54. package/schemas/env-contract-report.schema.json +203 -0
  55. package/schemas/import-cycle-report.schema.json +157 -0
  56. package/schemas/link-integrity-report.schema.json +176 -0
  57. package/schemas/repo-approval-gate-report.schema.json +115 -0
  58. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  59. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  60. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  61. package/schemas/repo-version-source-report.schema.json +127 -0
  62. package/schemas/secret-risk-scan-report.schema.json +152 -0
  63. package/schemas/skill-route-audit-report.schema.json +144 -0
  64. package/schemas/test-performance-report.schema.json +319 -0
  65. package/schemas/test-regression-selector-report.schema.json +187 -0
  66. package/templates/default/i18n.toml +80 -26
  67. package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
  68. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  69. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  70. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  71. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  72. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  73. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  74. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  75. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  76. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  77. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  78. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  79. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  80. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  81. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  82. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  83. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  84. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  85. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  86. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  87. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  88. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  89. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  90. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  91. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  92. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  93. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  94. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  95. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  96. package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
  97. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  98. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  99. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  100. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  101. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
  102. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
  103. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  104. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  105. package/templates/default/manifest.toml +71 -1
@@ -0,0 +1,209 @@
1
+ ---
2
+ mustflow_doc: skill.vector-search-integrity-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 2
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: vector-search-integrity-review
9
+ description: Apply this skill when vector search, semantic search, RAG retrieval mechanics, embeddings, vector databases, ANN indexes, exact versus approximate search, filters, metadata payloads, namespaces, tenants, named vectors, hybrid search, reranking, recall, latency, quantization, HNSW, IVF, pgvector, Qdrant, Milvus, Weaviate, OpenSearch kNN, or retrieval golden-set behavior is created, changed, reviewed, or failing. Use rag-pipeline-triage first when a RAG failure is not yet localized to retrieval versus parsing, context assembly, prompt, generation, citation, or answerability.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.vector-search-integrity-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Vector Search Integrity Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review vector and semantic search as a retrieval contract, not as "the vector database is good or
33
+ bad."
34
+
35
+ The core question is whether ingestion, embedding, storage, exact search, approximate search,
36
+ filters, reranking, and latency evidence all agree for the same query contract.
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Code creates or changes embedding generation, preprocessing, chunking, vector schema, collection
42
+ names, namespaces, tenants, named vectors, metadata payloads, filters, search parameters, ANN
43
+ indexes, hybrid search, reranking, retrieval metrics, RAG context selection, or vector DB clients.
44
+ - Search is missing documents, returning wrong results, returning empty filtered results, duplicating
45
+ chunks, leaking tenants, becoming slow, changing quality after model or index changes, or behaving
46
+ differently across replicas.
47
+ - A review needs recall, MRR, golden-set, exact-versus-ANN, filter, metadata index, quantization,
48
+ compaction, shard, consistency, reranker, or embedding-model-version evidence.
49
+
50
+ <!-- mustflow-section: do-not-use-when -->
51
+ ## Do Not Use When
52
+
53
+ - The task is only generic database schema or query performance with no vector, embedding, semantic
54
+ retrieval, or RAG boundary; use the database or performance skill.
55
+ - The task is only LLM answer grounding after retrieval is already proven; use
56
+ `llm-hallucination-control-review`.
57
+ - The task is an end-to-end RAG failure and it is not yet clear whether ingestion, retrieval,
58
+ context assembly, prompt construction, generation, citation validation, or answerability failed;
59
+ use `rag-pipeline-triage` first.
60
+ - The task is only API transport or SDK failure before search boundaries are known; use
61
+ `api-failure-triage`.
62
+ - The task asks for live production vector dumps containing sensitive text, embeddings, customer
63
+ documents, or private prompts. Use redacted hashes, ids, dimensions, norms, and aggregate metrics.
64
+
65
+ <!-- mustflow-section: required-inputs -->
66
+ ## Required Inputs
67
+
68
+ - Retrieval symptom classification: ingestion missing, write not visible, wrong results, empty
69
+ results, low recall, tenant leak, duplicate chunks, stale deletes, slow search, reranker drift, or
70
+ generated answer drift.
71
+ - Query contract ledger: query text or safe fixture id, embedding model and revision, preprocessing
72
+ version, vector dimension, vector norm, metric, collection, namespace, tenant, named vector,
73
+ filters, `top_k`, candidate count, consistency level, ANN parameters, hybrid weights, and reranker
74
+ settings.
75
+ - Ingestion ledger: source id, chunk id, deterministic vector id, embedding version, payload shape,
76
+ write count, unique id count, direct lookup count, indexed count, deleted or tombstoned count, and
77
+ visibility lag.
78
+ - Quality ledger: golden queries, expected ids, acceptable alternatives, exact-search result,
79
+ ANN result, recall at k, MRR, empty rate, duplicate rate, filtered result count, and before/after
80
+ comparison.
81
+ - Performance ledger: cold versus warm latency, p50, p95, p99, queue wait, DB search time, reranker
82
+ time, payload size, filter selectivity, shard distribution, compaction or indexing work, memory,
83
+ disk, and retry behavior.
84
+ - Privacy ledger: raw text, vectors, prompts, document ids, tenant ids, provider payloads, and
85
+ whether evidence can be safely stored as ids, hashes, summaries, or aggregate metrics.
86
+
87
+ <!-- mustflow-section: preconditions -->
88
+ ## Preconditions
89
+
90
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
91
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
92
+ - Raw embeddings, raw document text, prompts, and tenant-identifying payloads are not copied into
93
+ docs, tests, commits, or reports unless they are safe synthetic fixtures.
94
+
95
+ <!-- mustflow-section: allowed-edits -->
96
+ ## Allowed Edits
97
+
98
+ - Add or tighten embedding versioning, preprocessing versioning, vector validation, deterministic
99
+ IDs, namespace or tenant selection, metadata indexes, filter construction, exact-search checks,
100
+ ANN parameters, reranker candidate counts, golden-set tests, metrics, docs, fixtures, and
101
+ retrieval contract tests.
102
+ - Add focused synthetic fixtures that encode expected retrieval behavior, filtered retrieval,
103
+ tenant separation, duplicate handling, and exact-versus-ANN comparison.
104
+ - Do not change embedding models, rebuild large indexes, tune ANN parameters, disable filters, widen
105
+ tenants, bypass authorization, or dump production vectors without explicit scope and evidence.
106
+
107
+ <!-- mustflow-section: procedure -->
108
+ ## Procedure
109
+
110
+ 1. Classify the symptom first: ingestion missing, write-not-visible, wrong result, empty result,
111
+ stale delete, duplicate chunks, tenant leak, slow search, reranker drift, or answer generation.
112
+ 2. Build the query contract ledger before tuning. Include model revision, preprocessing, dimension,
113
+ norm, metric, collection, namespace, named vector, filters, `top_k`, ANN parameters, hybrid
114
+ weights, reranker settings, and consistency level.
115
+ 3. Validate vector shape at ingestion and query time. Reject wrong dimension, NaN, infinities,
116
+ all-zero vectors, extreme norms, and model or preprocessing version mismatches.
117
+ 4. Keep embedding model identity exact. Model name alone is not enough; include revision, tokenizer,
118
+ pooling, prefix policy, max length, HTML cleanup, chunking, and normalization.
119
+ 5. Compare exact search with approximate search on the same query and filter. If exact search is
120
+ wrong, stop tuning ANN and inspect embeddings, preprocessing, metric, payload, and expectations.
121
+ 6. Compare filter-free search, filter-only count, filtered exact search, and filtered ANN search.
122
+ Empty filtered results often mean filter construction, metadata typing, payload indexing, or
123
+ post-filter candidate loss rather than bad embeddings.
124
+ 7. Confirm collection, namespace, tenant, alias, and named vector. Directly inspect the problem id
125
+ or safe synthetic id in the same search surface the app uses.
126
+ 8. Check deterministic upsert ids. Source id, chunk index, tenant, and embedding version should not
127
+ accidentally duplicate chunks or overwrite all chunks with one id.
128
+ 9. Separate write success from search visibility. Check direct lookup, exact search, ANN search,
129
+ indexed count, consistency, segment state, and visibility lag.
130
+ 10. Check deletes and updates. Deletion marks, tombstones, compaction, vacuum, stale segments, and
131
+ old chunks can keep appearing after API success.
132
+ 11. Review metric and normalization. Cosine, dot product, and L2 are different contracts unless
133
+ the vectors are intentionally normalized and the index operator matches.
134
+ 12. Tune ANN only after the exact and filter contracts are correct. Evaluate recall and p95 latency
135
+ across parameter sweeps instead of changing one value blindly.
136
+ 13. Treat build-time index parameters as recall ceilings. If search-time parameters cannot recover
137
+ recall, the index may need rebuild policy, not a larger query knob.
138
+ 14. Review quantization and rescoring. Compare full-precision exact results with compressed-index
139
+ candidates and confirm enough candidates reach full-precision reranking.
140
+ 15. For hybrid search, store dense score, sparse or keyword score, normalized score, fusion method,
141
+ and final score. Do not add incompatible raw scores directly without a deliberate combiner.
142
+ 16. For reranking, record pre-rerank and post-rerank ids and ranks. If the right document never
143
+ enters the candidate set, the reranker cannot recover it.
144
+ 17. Avoid deep ANN pagination as a product contract. Use cursor, filters, grouping, or ordinary
145
+ sorted indexes for deep browsing instead of pretending vector search has cheap random offsets.
146
+ 18. Split cold and warm latency, server search time and client wait, vector DB time and reranker
147
+ time, and single-query latency from concurrent load.
148
+ 19. Inspect shard, replica, segment, compaction, flush, indexing, memory, disk, and cache state when
149
+ p99 or intermittent quality varies across nodes.
150
+ 20. Add a golden-set gate when the project has a test surface. Include easy, hard, filtered,
151
+ tenant-scoped, rare-name, synonym, short-query, long-query, and sparse-data cases.
152
+
153
+ <!-- mustflow-section: postconditions -->
154
+ ## Postconditions
155
+
156
+ - The retrieval symptom, query contract, ingestion contract, quality ledger, performance ledger, and
157
+ privacy boundary are explicit.
158
+ - Exact search, ANN, filters, metadata, namespaces, tenants, named vectors, IDs, deletes, metric,
159
+ normalization, quantization, hybrid search, reranking, shards, consistency, and latency are fixed
160
+ or reported where relevant.
161
+ - Search quality claims are backed by golden-set, exact-versus-ANN, configured-test, static review,
162
+ or manual-only evidence.
163
+
164
+ <!-- mustflow-section: verification -->
165
+ ## Verification
166
+
167
+ Use configured oneshot command intents when available:
168
+
169
+ - `changes_status`
170
+ - `changes_diff_summary`
171
+ - `lint`
172
+ - `build`
173
+ - `test_related`
174
+ - `test`
175
+ - `docs_validate_fast`
176
+ - `test_release`
177
+ - `mustflow_check`
178
+
179
+ Prefer the narrowest configured tests that cover retrieval contract, tenant isolation, filters,
180
+ golden-set metrics, deterministic ids, and docs or template surfaces. Report missing vector DB,
181
+ embedding provider, exact-search, ANN recall, reranker, load, or production-index evidence instead
182
+ of inventing live diagnostics.
183
+
184
+ <!-- mustflow-section: failure-handling -->
185
+ ## Failure Handling
186
+
187
+ - If the query contract cannot be reconstructed, report the missing fields before changing model,
188
+ filter, or ANN settings.
189
+ - If evidence contains raw text, embeddings, prompts, personal data, or tenant-identifying data,
190
+ redact to ids, hashes, dimensions, norms, and aggregate metrics.
191
+ - If the fix requires model replacement, re-embedding, index rebuild, production data dump, or live
192
+ vector DB access outside the command contract, report the manual boundary.
193
+ - If configured verification fails, preserve the failing intent and output tail, then fix only the
194
+ localized retrieval contract or test expectation.
195
+
196
+ <!-- mustflow-section: output-format -->
197
+ ## Output Format
198
+
199
+ - Vector search integrity reviewed
200
+ - Retrieval symptom, query contract, ingestion ledger, quality ledger, performance ledger, and
201
+ privacy boundary
202
+ - Exact versus ANN, filter, metadata, namespace, tenant, id, delete, metric, normalization,
203
+ quantization, hybrid, reranker, shard, consistency, and latency findings
204
+ - Fix applied or recommended
205
+ - Evidence level: golden-set evidence, configured-test evidence, static review risk, manual-only,
206
+ missing, or not applicable
207
+ - Command intents run
208
+ - Skipped vector diagnostics and reasons
209
+ - Remaining vector search risk
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.version-freshness-check
3
3
  locale: en
4
4
  canonical: true
5
- revision: 7
5
+ revision: 8
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: version-freshness-check
@@ -34,7 +34,7 @@ Prevent agents from writing stale external version references from memory, while
34
34
 
35
35
  - Generated or edited files introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, toolchain versions, setup actions, scaffold commands, install commands, or migration examples.
36
36
  - CI workflows, release workflows, Dockerfiles, package metadata, lockfiles, runtime files, framework configuration, README examples, docs, tests, fixtures, or templates mention external versions such as GitHub Actions refs, Node, Bun, Deno, Python, Rust, Tauri, Astro, Next, SvelteKit, Electron, Docker images, package managers, SDKs, plugins, or generators.
37
- - Python wording mentions current/stable/support status, Python 3.14+ standard-library APIs, runtime flags, changed default behavior, security defaults, or examples that depend on `requires-python`.
37
+ - Python wording mentions current/stable/support status, Python 3.14+ or 3.15+ syntax, standard-library APIs, runtime flags, changed default behavior, security defaults, or examples that depend on `requires-python`.
38
38
  - TypeScript wording mentions current/stable/RC/nightly status for TypeScript 6, TypeScript 7, `@typescript/typescript6`, `tsc6`, `typescript@rc`, `@typescript/native-preview`, `tsgo`, compiler API compatibility, or migration readiness.
39
39
  - Go wording mentions current/stable/support status, Go release numbers, `go.mod` language version behavior, `toolchain` behavior, standard-library APIs, `GOEXPERIMENT`, runtime defaults, container behavior, JSON experiments, or examples that depend on a specific Go version.
40
40
  - Rust wording mentions current/stable/support status, Rust release numbers, `rust-version`, edition behavior, `rust-toolchain`, Cargo resolver or workspace behavior, standard-library APIs, compiler lints, target behavior, release profiles, or examples that depend on a specific Rust version.
@@ -94,19 +94,20 @@ Prevent agents from writing stale external version references from memory, while
94
94
  10. For patch, security-minimum, and low-risk minor differences, update only when the declaration, examples, lockfile policy, and verification surface can stay aligned. Otherwise report the proposed change and leave the pinned value unchanged.
95
95
  11. For GitHub Actions and CI tools, review the action source, major tag policy, runtime support, cache behavior, permissions, and organization pinning rule. Do not assume a newer major is safe only because it exists.
96
96
  12. For framework and runtime majors such as Astro, Tauri, Electron, Next, SvelteKit, Node, Bun, Deno, Python, Rust, or Java, check migration notes, config schema, plugin and adapter compatibility, generated files, security model, deployment target, and rollback path before recommending a major change.
97
- 13. For Python standard-library or runtime-behavior claims, refresh official Python documentation before writing durable wording. Check `requires-python`, CI/runtime matrices, and container images before using or recommending version-gated features such as Python 3.14+ `map(strict=True)`, `functools.Placeholder`, `heapq` max-heap helpers, import-timing flag behavior, or changed security defaults.
97
+ 13. For Python standard-library or runtime-behavior claims, refresh official Python documentation before writing durable wording. Check `requires-python`, CI/runtime matrices, and container images before using or recommending Python 3.14+ standard-library APIs or version-gated features such as template string literals, `annotationlib`, Python 3.14+ `map(strict=True)`, `functools.Placeholder`, `heapq` max-heap helpers, import-timing flag behavior, `finally` flow-control warnings, or changed security defaults.
98
98
  14. For Python examples that use newer standard-library APIs, either keep the example behind an explicit runtime floor or provide a supported fallback. Do not call a Python 3.14-only API a general Python best practice when the repository declares lower support.
99
- 15. For TypeScript 6 and 7 claims, refresh official TypeScript sources before writing durable wording. Treat TS6 stable API track (`@typescript/typescript6`, `tsc6`), TS7 RC compiler track (`typescript@rc`, `tsc`), TS7 nightly track (`@typescript/native-preview`, `tsgo`), and future TS7 stable `typescript` behavior as distinct tracks. Do not call RC or nightly output "latest stable TypeScript" just because it is newer.
100
- 16. For TypeScript examples, make the selected track explicit: TS6 API compatibility, TS7 RC compiler verification, TS7 nightly comparison, editor preview, or repository adoption. If the project has compiler API consumers, transformers, framework wrappers, or declaration snapshots, classify the reference as migration-sensitive and keep API consumers on the TS6 API track until support is explicit.
101
- 17. For Go release, toolchain, standard-library, runtime, or experiment claims, refresh official Go release notes or package documentation before writing durable wording. Check the repository's `go` directive, `toolchain` directive, CI/runtime matrix, and container target before using or recommending version-gated features such as expression operands to `new`, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `os.Root`, `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `ReverseProxy.Rewrite`, container-aware `GOMAXPROCS`, goroutine leak profiles, `encoding/json/v2`, or `GOEXPERIMENT` APIs.
102
- 18. For Go examples that use newer standard-library APIs or runtime defaults, either keep the example behind an explicit Go version floor or provide a supported fallback. Do not call an experimental `GOEXPERIMENT` feature or a newer `go` directive behavior a general Go best practice when the repository declares lower support.
103
- 19. For Rust release, toolchain, standard-library, Cargo, edition, lint, target, or MSRV claims, refresh official Rust release notes, standard-library docs, the Cargo Book, Rust Reference, or rustc book before writing durable wording. Check `rust-version`, edition, `rust-toolchain.toml`, CI toolchain matrix, target triples, docs.rs metadata, and crate publish policy before using or recommending version-gated features such as let chains, match `if let` guards, `cfg_select!`, `assert_matches!`, `core::range`, `Vec::push_mut`, `HashMap::get_disjoint_mut`, `Option::take_if`, `LazyLock`, `OnceLock`, `workspace.lints`, `resolver = "2"`, Rust 2024 `unsafe_op_in_unsafe_fn`, or release-profile defaults.
104
- 20. For Rust examples that use newer language or standard-library APIs, either keep the example behind an explicit Rust version floor or provide a supported fallback. Use an API-by-API MSRV ledger for features such as `cfg_select!`, match `if let` guards, `core::range` items, `Vec::push_mut`, `assert_matches!`, and `debug_assert_matches!`; do not collapse them into a single "latest Rust" bucket, and do not treat nightly-only behavior or target-specific linker behavior as stable without explicit evidence.
105
- 21. For HTTP standards, browser APIs, proxy defaults, CDN defaults, and transport support claims, prefer official RFCs, standards bodies, MDN or browser vendor docs, and vendor-owned proxy/CDN documentation. Keep WebTransport, compression dictionary transport, zstd content coding, SSE/EventSource, HTTP/2, HTTP/3, QUIC, and proxy-buffering claims track-specific and dated when support is changing.
106
- 22. For HTTP delivery examples that depend on newer or unevenly supported behavior, require feature detection, fallback behavior, or explicit deployment constraints. Do not present WebTransport, dictionary compression, or zstd negotiation as a universal default when the project still needs browsers, proxies, CDNs, or networks that may not support it.
107
- 23. For Docker images, decide whether the project prefers semver tags, distro tags, LTS tags, date tags, or digests. Do not replace a digest or pinned base image with a floating tag unless the repository policy says so.
108
- 24. Synchronize every accepted version decision across package metadata, lockfiles when intentionally updated, CI, Docker, runtime files, docs, examples, templates, tests, and release notes.
109
- 25. Run the narrowest configured verification that covers the changed versioned surface. Use broader verification for major, migration-required, runtime, framework, generated-output, package-publish, Docker, CI, TypeScript compiler-track, Go toolchain or runtime support, Rust toolchain or MSRV support, HTTP delivery compatibility, or security-sensitive changes.
99
+ 15. For Python 3.15+ claims, keep beta, release-candidate, and stable tracks separate. Refresh official docs before using explicit lazy imports, built-in `frozendict`, built-in `sentinel`, unpacking comprehensions, typed `TypedDict` extra items, startup configuration files, or changed encoding behavior in durable examples.
100
+ 16. For TypeScript 6 and 7 claims, refresh official TypeScript sources before writing durable wording. Treat TS6 stable API track (`@typescript/typescript6`, `tsc6`), TS7 RC compiler track (`typescript@rc`, `tsc`), TS7 nightly track (`@typescript/native-preview`, `tsgo`), and future TS7 stable `typescript` behavior as distinct tracks. Do not call RC or nightly output "latest stable TypeScript" just because it is newer.
101
+ 17. For TypeScript examples, make the selected track explicit: TS6 API compatibility, TS7 RC compiler verification, TS7 nightly comparison, editor preview, or repository adoption. If the project has compiler API consumers, transformers, framework wrappers, or declaration snapshots, classify the reference as migration-sensitive and keep API consumers on the TS6 API track until support is explicit. Check exact support before relying on `rootDir` defaults, ambient `types` defaults, import attributes, subpath imports, `import defer`, `using`, or `await using`.
102
+ 18. For Go release, toolchain, standard-library, runtime, or experiment claims, refresh official Go release notes or package documentation before writing durable wording. Check the repository's `go` directive, `toolchain` directive, CI/runtime matrix, and container target before using or recommending version-gated features such as expression operands to `new`, range-over-function iterators, generic type aliases, reflect iterator methods, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `T.ArtifactDir`, `B.ArtifactDir`, `F.ArtifactDir`, `testing/cryptotest.SetGlobalRandom`, `os.Root`, `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `ReverseProxy.Rewrite`, container-aware `GOMAXPROCS`, goroutine leak profiles, `encoding/json/v2`, or `GOEXPERIMENT` APIs.
103
+ 19. For Go examples that use newer standard-library APIs or runtime defaults, either keep the example behind an explicit Go version floor or provide a supported fallback. Do not call an experimental `GOEXPERIMENT` feature or a newer `go` directive behavior a general Go best practice when the repository declares lower support.
104
+ 20. For Rust release, toolchain, standard-library, Cargo, edition, lint, target, or MSRV claims, refresh official Rust release notes, standard-library docs, the Cargo Book, Rust Reference, or rustc book before writing durable wording. Check `rust-version`, edition, `rust-toolchain.toml`, CI toolchain matrix, target triples, docs.rs metadata, and crate publish policy before using or recommending version-gated features such as let chains, match `if let` guards, `cfg_select!`, `assert_matches!`, `core::range`, `Vec::push_mut`, `HashMap::get_disjoint_mut`, `Option::take_if`, `LazyLock`, `OnceLock`, `workspace.lints`, `resolver = "2"`, Rust 2024 `unsafe extern`, unsafe attributes, Rust 2024 `unsafe_op_in_unsafe_fn`, temporary drop-scope changes, macro fragment behavior, or release-profile defaults.
105
+ 21. For Rust examples that use newer language or standard-library APIs, either keep the example behind an explicit Rust version floor or provide a supported fallback. Use an API-by-API MSRV ledger for features such as `cfg_select!`, match `if let` guards, `core::range` items, `Vec::push_mut`, `assert_matches!`, and `debug_assert_matches!`; do not collapse them into a single "latest Rust" bucket, and do not treat nightly-only behavior or target-specific linker behavior as stable without explicit evidence.
106
+ 22. For HTTP standards, browser APIs, proxy defaults, CDN defaults, and transport support claims, prefer official RFCs, standards bodies, MDN or browser vendor docs, and vendor-owned proxy/CDN documentation. Keep WebTransport, compression dictionary transport, zstd content coding, SSE/EventSource, HTTP/2, HTTP/3, QUIC, and proxy-buffering claims track-specific and dated when support is changing.
107
+ 23. For HTTP delivery examples that depend on newer or unevenly supported behavior, require feature detection, fallback behavior, or explicit deployment constraints. Do not present WebTransport, dictionary compression, or zstd negotiation as a universal default when the project still needs browsers, proxies, CDNs, or networks that may not support it.
108
+ 24. For Docker images, decide whether the project prefers semver tags, distro tags, LTS tags, date tags, or digests. Do not replace a digest or pinned base image with a floating tag unless the repository policy says so.
109
+ 25. Synchronize every accepted version decision across package metadata, lockfiles when intentionally updated, CI, Docker, runtime files, docs, examples, templates, tests, and release notes.
110
+ 26. Run the narrowest configured verification that covers the changed versioned surface. Use broader verification for major, migration-required, runtime, framework, generated-output, package-publish, Docker, CI, TypeScript compiler-track, Go toolchain or runtime support, Rust toolchain or MSRV support, HTTP delivery compatibility, or security-sensitive changes.
110
111
 
111
112
  <!-- mustflow-section: postconditions -->
112
113
  ## Postconditions
@@ -116,6 +117,7 @@ Prevent agents from writing stale external version references from memory, while
116
117
  - Repository-pinned versions are preserved unless the task, policy, and compatibility classification support changing them.
117
118
  - Major or migration-required changes are either explicitly approved, deferred with a recommendation, or left unchanged with the risk reported.
118
119
  - Python standard-library examples and runtime-default claims match the declared Python support matrix or name the required runtime floor.
120
+ - Python template strings, annotation inspection, explicit lazy imports, immutable mappings, sentinels, and advanced `TypedDict` shape claims are either official-source checked or omitted.
119
121
  - TypeScript 6 stable API, TypeScript 7 RC compiler, TypeScript 7 nightly, and future stable TypeScript tracks are not collapsed into one generic "latest TypeScript" claim.
120
122
  - Go release, `go.mod` language version, standard-library API, runtime-default, and `GOEXPERIMENT` claims match the declared Go support matrix or name the required runtime floor.
121
123
  - Rust release, `rust-version`, edition, standard-library API, Cargo resolver, lint-default, target, and nightly/stable claims match the declared Rust support matrix or name the required API-specific runtime floor.
@@ -1,6 +1,6 @@
1
1
  id = "default"
2
2
  name = "default"
3
- version = "2.84.0"
3
+ version = "2.99.0"
4
4
  description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
5
5
  common_root = "common"
6
6
  locales_root = "locales"
@@ -38,11 +38,16 @@ creates = [
38
38
  ".mustflow/skills/desktop-memory-footprint-review/SKILL.md",
39
39
  ".mustflow/skills/hot-path-performance-review/SKILL.md",
40
40
  ".mustflow/skills/api-request-performance-review/SKILL.md",
41
+ ".mustflow/skills/api-failure-triage/SKILL.md",
42
+ ".mustflow/skills/ci-pipeline-triage/SKILL.md",
43
+ ".mustflow/skills/auth-flow-triage/SKILL.md",
44
+ ".mustflow/skills/docker-runtime-triage/SKILL.md",
41
45
  ".mustflow/skills/web-render-performance-review/SKILL.md",
42
46
  ".mustflow/skills/core-web-vitals-field-review/SKILL.md",
43
47
  ".mustflow/skills/image-delivery-performance-review/SKILL.md",
44
48
  ".mustflow/skills/client-bundle-pruning-review/SKILL.md",
45
49
  ".mustflow/skills/frame-render-performance-review/SKILL.md",
50
+ ".mustflow/skills/motion-system-contract-review/SKILL.md",
46
51
  ".mustflow/skills/app-startup-performance-review/SKILL.md",
47
52
  ".mustflow/skills/desktop-background-process-stability-review/SKILL.md",
48
53
  ".mustflow/skills/desktop-auto-update-safety-review/SKILL.md",
@@ -73,6 +78,7 @@ creates = [
73
78
  ".mustflow/skills/heuristic-candidate-selection/SKILL.md",
74
79
  ".mustflow/skills/clarifying-question-gate/SKILL.md",
75
80
  ".mustflow/skills/completion-evidence-gate/SKILL.md",
81
+ ".mustflow/skills/next-action-menu/SKILL.md",
76
82
  ".mustflow/skills/evidence-stall-breaker/SKILL.md",
77
83
  ".mustflow/skills/command-intent-mapping-gate/SKILL.md",
78
84
  ".mustflow/skills/astro-code-change/SKILL.md",
@@ -116,6 +122,9 @@ creates = [
116
122
  ".mustflow/skills/database-lock-contention-review/SKILL.md",
117
123
  ".mustflow/skills/sqlite-code-change/SKILL.md",
118
124
  ".mustflow/skills/postgresql-code-change/SKILL.md",
125
+ ".mustflow/skills/search-index-integrity-review/SKILL.md",
126
+ ".mustflow/skills/vector-search-integrity-review/SKILL.md",
127
+ ".mustflow/skills/rag-pipeline-triage/SKILL.md",
119
128
  ".mustflow/skills/dependency-injection/SKILL.md",
120
129
  ".mustflow/skills/dependency-reality-check/SKILL.md",
121
130
  ".mustflow/skills/dependency-upgrade-review/SKILL.md",
@@ -127,6 +136,7 @@ creates = [
127
136
  ".mustflow/skills/release-publish-change/SKILL.md",
128
137
  ".mustflow/skills/test-design-guard/SKILL.md",
129
138
  ".mustflow/skills/test-maintenance/SKILL.md",
139
+ ".mustflow/skills/test-suite-performance-review/SKILL.md",
130
140
  ".mustflow/skills/vertical-slice-tdd/SKILL.md",
131
141
  ".mustflow/skills/llm-service-ux-review/SKILL.md",
132
142
  ".mustflow/skills/prompt-contract-quality-review/SKILL.md",
@@ -232,11 +242,16 @@ minimal = [
232
242
  "desktop-memory-footprint-review",
233
243
  "hot-path-performance-review",
234
244
  "api-request-performance-review",
245
+ "api-failure-triage",
246
+ "ci-pipeline-triage",
247
+ "auth-flow-triage",
248
+ "docker-runtime-triage",
235
249
  "web-render-performance-review",
236
250
  "core-web-vitals-field-review",
237
251
  "image-delivery-performance-review",
238
252
  "client-bundle-pruning-review",
239
253
  "frame-render-performance-review",
254
+ "motion-system-contract-review",
240
255
  "app-startup-performance-review",
241
256
  "desktop-background-process-stability-review",
242
257
  "desktop-auto-update-safety-review",
@@ -267,6 +282,7 @@ minimal = [
267
282
  "heuristic-candidate-selection",
268
283
  "clarifying-question-gate",
269
284
  "completion-evidence-gate",
285
+ "next-action-menu",
270
286
  "evidence-stall-breaker",
271
287
  "astro-code-change",
272
288
  "bun-code-change",
@@ -304,6 +320,9 @@ minimal = [
304
320
  "database-lock-contention-review",
305
321
  "sqlite-code-change",
306
322
  "postgresql-code-change",
323
+ "search-index-integrity-review",
324
+ "vector-search-integrity-review",
325
+ "rag-pipeline-triage",
307
326
  "dependency-reality-check",
308
327
  "dependency-upgrade-review",
309
328
  "version-freshness-check",
@@ -337,6 +356,7 @@ minimal = [
337
356
  "support-surface-advisor",
338
357
  "test-design-guard",
339
358
  "test-maintenance",
359
+ "test-suite-performance-review",
340
360
  "vertical-slice-tdd",
341
361
  ]
342
362
  patterns = [
@@ -365,11 +385,16 @@ patterns = [
365
385
  "desktop-memory-footprint-review",
366
386
  "hot-path-performance-review",
367
387
  "api-request-performance-review",
388
+ "api-failure-triage",
389
+ "ci-pipeline-triage",
390
+ "auth-flow-triage",
391
+ "docker-runtime-triage",
368
392
  "web-render-performance-review",
369
393
  "core-web-vitals-field-review",
370
394
  "image-delivery-performance-review",
371
395
  "client-bundle-pruning-review",
372
396
  "frame-render-performance-review",
397
+ "motion-system-contract-review",
373
398
  "app-startup-performance-review",
374
399
  "desktop-background-process-stability-review",
375
400
  "desktop-auto-update-safety-review",
@@ -400,6 +425,7 @@ patterns = [
400
425
  "heuristic-candidate-selection",
401
426
  "clarifying-question-gate",
402
427
  "completion-evidence-gate",
428
+ "next-action-menu",
403
429
  "evidence-stall-breaker",
404
430
  "astro-code-change",
405
431
  "bun-code-change",
@@ -439,6 +465,9 @@ patterns = [
439
465
  "database-lock-contention-review",
440
466
  "sqlite-code-change",
441
467
  "postgresql-code-change",
468
+ "search-index-integrity-review",
469
+ "vector-search-integrity-review",
470
+ "rag-pipeline-triage",
442
471
  "dependency-injection",
443
472
  "dependency-reality-check",
444
473
  "dependency-upgrade-review",
@@ -480,6 +509,7 @@ patterns = [
480
509
  "support-surface-advisor",
481
510
  "test-design-guard",
482
511
  "test-maintenance",
512
+ "test-suite-performance-review",
483
513
  "vertical-slice-tdd",
484
514
  ]
485
515
  oss = [
@@ -509,11 +539,16 @@ oss = [
509
539
  "desktop-memory-footprint-review",
510
540
  "hot-path-performance-review",
511
541
  "api-request-performance-review",
542
+ "api-failure-triage",
543
+ "ci-pipeline-triage",
544
+ "auth-flow-triage",
545
+ "docker-runtime-triage",
512
546
  "web-render-performance-review",
513
547
  "core-web-vitals-field-review",
514
548
  "image-delivery-performance-review",
515
549
  "client-bundle-pruning-review",
516
550
  "frame-render-performance-review",
551
+ "motion-system-contract-review",
517
552
  "app-startup-performance-review",
518
553
  "desktop-background-process-stability-review",
519
554
  "desktop-auto-update-safety-review",
@@ -544,6 +579,7 @@ oss = [
544
579
  "heuristic-candidate-selection",
545
580
  "clarifying-question-gate",
546
581
  "completion-evidence-gate",
582
+ "next-action-menu",
547
583
  "evidence-stall-breaker",
548
584
  "astro-code-change",
549
585
  "bun-code-change",
@@ -585,6 +621,9 @@ oss = [
585
621
  "database-lock-contention-review",
586
622
  "sqlite-code-change",
587
623
  "postgresql-code-change",
624
+ "search-index-integrity-review",
625
+ "vector-search-integrity-review",
626
+ "rag-pipeline-triage",
588
627
  "dependency-injection",
589
628
  "dependency-reality-check",
590
629
  "dependency-upgrade-review",
@@ -641,6 +680,7 @@ oss = [
641
680
  "support-surface-advisor",
642
681
  "test-design-guard",
643
682
  "test-maintenance",
683
+ "test-suite-performance-review",
644
684
  "vertical-slice-tdd",
645
685
  ]
646
686
  team = [
@@ -669,11 +709,16 @@ team = [
669
709
  "desktop-memory-footprint-review",
670
710
  "hot-path-performance-review",
671
711
  "api-request-performance-review",
712
+ "api-failure-triage",
713
+ "ci-pipeline-triage",
714
+ "auth-flow-triage",
715
+ "docker-runtime-triage",
672
716
  "web-render-performance-review",
673
717
  "core-web-vitals-field-review",
674
718
  "image-delivery-performance-review",
675
719
  "client-bundle-pruning-review",
676
720
  "frame-render-performance-review",
721
+ "motion-system-contract-review",
677
722
  "app-startup-performance-review",
678
723
  "desktop-background-process-stability-review",
679
724
  "desktop-auto-update-safety-review",
@@ -704,6 +749,7 @@ team = [
704
749
  "heuristic-candidate-selection",
705
750
  "clarifying-question-gate",
706
751
  "completion-evidence-gate",
752
+ "next-action-menu",
707
753
  "evidence-stall-breaker",
708
754
  "astro-code-change",
709
755
  "bun-code-change",
@@ -744,6 +790,9 @@ team = [
744
790
  "database-lock-contention-review",
745
791
  "sqlite-code-change",
746
792
  "postgresql-code-change",
793
+ "search-index-integrity-review",
794
+ "vector-search-integrity-review",
795
+ "rag-pipeline-triage",
747
796
  "dependency-injection",
748
797
  "dependency-reality-check",
749
798
  "dependency-upgrade-review",
@@ -787,6 +836,7 @@ team = [
787
836
  "support-surface-advisor",
788
837
  "test-design-guard",
789
838
  "test-maintenance",
839
+ "test-suite-performance-review",
790
840
  "vertical-slice-tdd",
791
841
  ]
792
842
  product = [
@@ -814,11 +864,16 @@ product = [
814
864
  "desktop-memory-footprint-review",
815
865
  "hot-path-performance-review",
816
866
  "api-request-performance-review",
867
+ "api-failure-triage",
868
+ "ci-pipeline-triage",
869
+ "auth-flow-triage",
870
+ "docker-runtime-triage",
817
871
  "web-render-performance-review",
818
872
  "core-web-vitals-field-review",
819
873
  "image-delivery-performance-review",
820
874
  "client-bundle-pruning-review",
821
875
  "frame-render-performance-review",
876
+ "motion-system-contract-review",
822
877
  "app-startup-performance-review",
823
878
  "desktop-background-process-stability-review",
824
879
  "desktop-auto-update-safety-review",
@@ -849,6 +904,7 @@ product = [
849
904
  "heuristic-candidate-selection",
850
905
  "clarifying-question-gate",
851
906
  "completion-evidence-gate",
907
+ "next-action-menu",
852
908
  "evidence-stall-breaker",
853
909
  "astro-code-change",
854
910
  "bun-code-change",
@@ -888,6 +944,9 @@ product = [
888
944
  "database-lock-contention-review",
889
945
  "sqlite-code-change",
890
946
  "postgresql-code-change",
947
+ "search-index-integrity-review",
948
+ "vector-search-integrity-review",
949
+ "rag-pipeline-triage",
891
950
  "dependency-injection",
892
951
  "dependency-reality-check",
893
952
  "dependency-upgrade-review",
@@ -933,6 +992,7 @@ product = [
933
992
  "support-surface-advisor",
934
993
  "test-design-guard",
935
994
  "test-maintenance",
995
+ "test-suite-performance-review",
936
996
  "vertical-slice-tdd",
937
997
  "ui-quality-gate",
938
998
  "visual-review-artifact",
@@ -965,11 +1025,16 @@ library = [
965
1025
  "desktop-memory-footprint-review",
966
1026
  "hot-path-performance-review",
967
1027
  "api-request-performance-review",
1028
+ "api-failure-triage",
1029
+ "ci-pipeline-triage",
1030
+ "auth-flow-triage",
1031
+ "docker-runtime-triage",
968
1032
  "web-render-performance-review",
969
1033
  "core-web-vitals-field-review",
970
1034
  "image-delivery-performance-review",
971
1035
  "client-bundle-pruning-review",
972
1036
  "frame-render-performance-review",
1037
+ "motion-system-contract-review",
973
1038
  "app-startup-performance-review",
974
1039
  "desktop-background-process-stability-review",
975
1040
  "desktop-auto-update-safety-review",
@@ -1000,6 +1065,7 @@ library = [
1000
1065
  "heuristic-candidate-selection",
1001
1066
  "clarifying-question-gate",
1002
1067
  "completion-evidence-gate",
1068
+ "next-action-menu",
1003
1069
  "evidence-stall-breaker",
1004
1070
  "astro-code-change",
1005
1071
  "bun-code-change",
@@ -1041,6 +1107,9 @@ library = [
1041
1107
  "database-lock-contention-review",
1042
1108
  "sqlite-code-change",
1043
1109
  "postgresql-code-change",
1110
+ "search-index-integrity-review",
1111
+ "vector-search-integrity-review",
1112
+ "rag-pipeline-triage",
1044
1113
  "dependency-injection",
1045
1114
  "dependency-reality-check",
1046
1115
  "dependency-upgrade-review",
@@ -1094,6 +1163,7 @@ library = [
1094
1163
  "support-surface-advisor",
1095
1164
  "test-design-guard",
1096
1165
  "test-maintenance",
1166
+ "test-suite-performance-review",
1097
1167
  "vertical-slice-tdd",
1098
1168
  ]
1099
1169