mustflow 2.84.0 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (105) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +14 -0
  3. package/dist/cli/i18n/en.js +262 -0
  4. package/dist/cli/i18n/es.js +262 -0
  5. package/dist/cli/i18n/fr.js +262 -0
  6. package/dist/cli/i18n/hi.js +262 -0
  7. package/dist/cli/i18n/ko.js +262 -0
  8. package/dist/cli/i18n/zh.js +262 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +397 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +178 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  17. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  18. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  19. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  20. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  21. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  22. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  23. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  24. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  25. package/dist/cli/script-packs/repo-version-source.js +92 -0
  26. package/dist/cli/script-packs/test-performance-report.js +247 -0
  27. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  28. package/dist/core/change-impact.js +355 -0
  29. package/dist/core/change-surface-classification.js +198 -0
  30. package/dist/core/change-verification.js +32 -5
  31. package/dist/core/config-loading.js +121 -4
  32. package/dist/core/dependency-graph.js +490 -0
  33. package/dist/core/docs-link-integrity.js +443 -0
  34. package/dist/core/env-contract.js +450 -0
  35. package/dist/core/import-cycle.js +152 -0
  36. package/dist/core/line-endings.js +26 -13
  37. package/dist/core/public-json-contracts.js +167 -0
  38. package/dist/core/repo-approval-gate.js +116 -0
  39. package/dist/core/repo-git-ignore-audit.js +302 -0
  40. package/dist/core/repo-manifest-lock-drift.js +321 -0
  41. package/dist/core/repo-merge-conflict-scan.js +335 -0
  42. package/dist/core/repo-version-source.js +82 -0
  43. package/dist/core/route-outline.js +57 -5
  44. package/dist/core/script-pack-suggestions.js +97 -1
  45. package/dist/core/secret-risk-scan.js +440 -0
  46. package/dist/core/skill-route-audit.js +354 -0
  47. package/dist/core/test-performance-report.js +697 -0
  48. package/dist/core/test-regression-selector.js +335 -0
  49. package/package.json +1 -1
  50. package/schemas/README.md +54 -0
  51. package/schemas/change-impact-report.schema.json +184 -0
  52. package/schemas/commands.schema.json +12 -0
  53. package/schemas/dependency-graph-report.schema.json +149 -0
  54. package/schemas/env-contract-report.schema.json +203 -0
  55. package/schemas/import-cycle-report.schema.json +157 -0
  56. package/schemas/link-integrity-report.schema.json +176 -0
  57. package/schemas/repo-approval-gate-report.schema.json +115 -0
  58. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  59. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  60. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  61. package/schemas/repo-version-source-report.schema.json +127 -0
  62. package/schemas/secret-risk-scan-report.schema.json +152 -0
  63. package/schemas/skill-route-audit-report.schema.json +144 -0
  64. package/schemas/test-performance-report.schema.json +319 -0
  65. package/schemas/test-regression-selector-report.schema.json +187 -0
  66. package/templates/default/i18n.toml +80 -26
  67. package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -9
  68. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  69. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  70. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  71. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  72. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  73. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  74. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  75. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  76. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  77. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  78. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  79. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  80. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  81. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  82. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  83. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  84. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  85. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  86. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  87. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  88. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  89. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  90. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  91. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  92. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  93. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  94. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  95. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  96. package/templates/default/locales/en/.mustflow/skills/routes.toml +69 -9
  97. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  98. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  99. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  100. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  101. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +323 -0
  102. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +18 -10
  103. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  104. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  105. package/templates/default/manifest.toml +71 -1
@@ -772,16 +772,23 @@ export const zhMessages = {
772
772
  "scriptPack.pack.code.summary": "Source-code orientation utility scripts",
773
773
  "scriptPack.pack.core.summary": "Core built-in utility scripts",
774
774
  "scriptPack.pack.docs.summary": "Documentation reference utility scripts",
775
+ "scriptPack.pack.test.summary": "Test evidence and performance utility scripts",
775
776
  "scriptPack.pack.repo.summary": "Repository-boundary utility scripts",
776
777
  "scriptPack.script.codeOutline.summary": "Scan TypeScript and JavaScript files for symbol headers and line ranges",
778
+ "scriptPack.script.codeDependencyGraph.summary": "Trace relative TypeScript and JavaScript dependency graph edges",
779
+ "scriptPack.script.codeImportCycle.summary": "Detect relative TypeScript and JavaScript import cycles with line evidence",
780
+ "scriptPack.script.codeChangeImpact.summary": "Analyze changed files for impact, script-pack, and verification hints",
777
781
  "scriptPack.script.codeSymbolRead.summary": "Read a bounded source snippet by source anchor, symbol line, or explicit line range",
778
782
  "scriptPack.script.codeRouteOutline.summary": "Scan Hono, Elysia, Axum, and NestJS route methods, paths, handlers, and lifecycle chains",
779
783
  "scriptPack.script.codeExportDiff.summary": "Compare exported source signatures and return metadata across git refs",
780
784
  "scriptPack.script.textBudget.summary": "Check exact text length budgets for files or JSON string fields",
781
785
  "scriptPack.script.referenceDrift.summary": "Check documented command, script-pack, schema, and path references for drift",
786
+ "scriptPack.script.linkIntegrity.summary": "Check Markdown links and anchors for local documentation drift",
782
787
  "scriptPack.script.configChain.summary": "Inspect nearby config files and static config inheritance",
783
788
  "scriptPack.script.generatedBoundary.summary": "Check whether candidate paths cross generated, ignored, protected, vendor, or cache boundaries",
784
789
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
790
+ "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
791
+ "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
785
792
  "scriptPack.label.script": "Script",
786
793
  "scriptPack.label.actions": "actions",
787
794
  "scriptPack.label.schema": "schema",
@@ -876,6 +883,20 @@ export const zhMessages = {
876
883
  "referenceDrift.error.missingAction": "Specify a reference-drift action: check",
877
884
  "referenceDrift.error.unknownAction": "Unknown reference-drift action: {action}",
878
885
  "referenceDrift.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
886
+ "linkIntegrity.help.summary": "Check Markdown and MDX links for missing local files and anchors without fetching external URLs.",
887
+ "linkIntegrity.help.option.maxFiles": "Maximum number of document files to inspect. Default: 200",
888
+ "linkIntegrity.help.option.maxFileBytes": "Maximum bytes to read from each document file. Default: 524288",
889
+ "linkIntegrity.help.exit.ok": "All checked local links and anchors resolved",
890
+ "linkIntegrity.help.exit.fail": "A local link or anchor was missing, unreadable, or over a configured limit",
891
+ "linkIntegrity.title": "mustflow link integrity",
892
+ "linkIntegrity.label.files": "Files",
893
+ "linkIntegrity.label.links": "Links",
894
+ "linkIntegrity.label.findings": "Findings",
895
+ "linkIntegrity.label.issues": "Issues",
896
+ "linkIntegrity.clean": "No documentation links were found.",
897
+ "linkIntegrity.error.missingAction": "Specify a link-integrity action: check",
898
+ "linkIntegrity.error.unknownAction": "Unknown link-integrity action: {action}",
899
+ "linkIntegrity.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
879
900
  "textBudget.help.summary": "Check exact text length budgets for files or JSON string fields using grapheme counts by default.",
880
901
  "textBudget.help.option.min": "Require at least this many units",
881
902
  "textBudget.help.option.max": "Require at most this many units",
@@ -912,6 +933,71 @@ export const zhMessages = {
912
933
  "generatedBoundary.error.missingAction": "Specify a generated-boundary action: check",
913
934
  "generatedBoundary.error.unknownAction": "Unknown generated-boundary action: {action}",
914
935
  "generatedBoundary.error.missingPath": "Provide at least one path to check",
936
+ "dependencyGraph.help.summary": "Trace bounded relative import, export, require, and dynamic import edges for TypeScript and JavaScript source files.",
937
+ "dependencyGraph.help.option.maxDepth": "Maximum dependency depth from target files. Default: 2",
938
+ "dependencyGraph.help.option.maxFiles": "Maximum number of source files to scan. Default: 1000",
939
+ "dependencyGraph.help.option.maxFileBytes": "Maximum bytes to read from each source file. Default: 262144",
940
+ "dependencyGraph.help.option.maxNodes": "Maximum number of graph nodes to report. Default: 300",
941
+ "dependencyGraph.help.option.maxEdges": "Maximum number of graph edges to report. Default: 800",
942
+ "dependencyGraph.help.exit.ok": "The dependency graph completed without input or scan-limit findings",
943
+ "dependencyGraph.help.exit.fail": "The dependency graph found invalid input, unreadable paths, or scan limits",
944
+ "dependencyGraph.title": "mustflow dependency graph",
945
+ "dependencyGraph.label.targets": "Targets",
946
+ "dependencyGraph.label.nodes": "Nodes",
947
+ "dependencyGraph.label.edges": "Edges",
948
+ "dependencyGraph.label.cycles": "Cycles",
949
+ "dependencyGraph.label.truncated": "Truncated",
950
+ "dependencyGraph.label.cycleList": "Cycle hints",
951
+ "dependencyGraph.label.findings": "Findings",
952
+ "dependencyGraph.label.issues": "Issues",
953
+ "dependencyGraph.clean": "No relative dependency edges were found.",
954
+ "dependencyGraph.error.missingAction": "Specify a dependency-graph action: scan",
955
+ "dependencyGraph.error.unknownAction": "Unknown dependency-graph action: {action}",
956
+ "dependencyGraph.error.missingPath": "Provide at least one path to scan",
957
+ "dependencyGraph.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
958
+ "importCycle.help.summary": "Detect bounded relative TypeScript and JavaScript import cycles with exact path and line evidence.",
959
+ "importCycle.help.option.maxDepth": "Maximum dependency depth from target files. Default: 20",
960
+ "importCycle.help.option.maxFiles": "Maximum number of source files to scan. Default: 1000",
961
+ "importCycle.help.option.maxFileBytes": "Maximum bytes to read from each source file. Default: 262144",
962
+ "importCycle.help.option.maxNodes": "Maximum number of graph nodes to inspect. Default: 300",
963
+ "importCycle.help.option.maxEdges": "Maximum number of graph edges to inspect. Default: 800",
964
+ "importCycle.help.option.maxCycles": "Maximum number of import cycles to report. Default: 50",
965
+ "importCycle.help.exit.ok": "No import cycles were detected",
966
+ "importCycle.help.exit.fail": "Import cycles, invalid input, unreadable paths, or scan limits were found",
967
+ "importCycle.title": "mustflow import cycle",
968
+ "importCycle.label.targets": "Targets",
969
+ "importCycle.label.nodes": "Nodes",
970
+ "importCycle.label.edges": "Edges",
971
+ "importCycle.label.cycles": "Cycles",
972
+ "importCycle.label.truncated": "Truncated",
973
+ "importCycle.label.cycleList": "Import cycles",
974
+ "importCycle.label.findings": "Findings",
975
+ "importCycle.label.issues": "Issues",
976
+ "importCycle.clean": "No import cycles were found.",
977
+ "importCycle.error.missingAction": "Specify an import-cycle action: check",
978
+ "importCycle.error.unknownAction": "Unknown import-cycle action: {action}",
979
+ "importCycle.error.missingPath": "Provide at least one path to check",
980
+ "importCycle.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
981
+ "changeImpact.help.summary": "Analyze git changes and return bounded file-impact, script-pack, and verification hints.",
982
+ "changeImpact.help.option.base": "Git base ref to compare from. Default: HEAD",
983
+ "changeImpact.help.option.head": "Git head ref to compare to. Omit to compare the base with the working tree.",
984
+ "changeImpact.help.option.maxFiles": "Maximum number of changed files to inspect. Default: 200",
985
+ "changeImpact.help.option.maxImpacts": "Maximum number of impact candidates to report. Default: 300",
986
+ "changeImpact.help.option.maxFileBytes": "Maximum bytes to read from each source file while tracing dependencies. Default: 262144",
987
+ "changeImpact.help.exit.ok": "The change-impact analysis completed without input or scan-limit findings",
988
+ "changeImpact.help.exit.fail": "The change-impact analysis found invalid git input or scan limits",
989
+ "changeImpact.title": "mustflow change impact",
990
+ "changeImpact.label.changedFiles": "Changed files",
991
+ "changeImpact.label.impacts": "Impacts",
992
+ "changeImpact.label.truncated": "Truncated",
993
+ "changeImpact.label.scriptHints": "Script hints",
994
+ "changeImpact.label.verificationHints": "Verification hints",
995
+ "changeImpact.label.findings": "Findings",
996
+ "changeImpact.label.issues": "Issues",
997
+ "changeImpact.clean": "No changed files were found for the selected git range.",
998
+ "changeImpact.error.missingAction": "Specify a change-impact action: analyze",
999
+ "changeImpact.error.unknownAction": "Unknown change-impact action: {action}",
1000
+ "changeImpact.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
915
1001
  "relatedFiles.help.summary": "Map direct imports, importers, sibling files, and nearby config boundaries for source-oriented repository navigation.",
916
1002
  "relatedFiles.help.option.maxFiles": "Maximum number of source or related files to scan. Default: 1000",
917
1003
  "relatedFiles.help.option.maxFileBytes": "Maximum bytes to read from each source file. Default: 262144",
@@ -948,6 +1034,182 @@ export const zhMessages = {
948
1034
  "configChain.error.unknownAction": "Unknown config-chain action: {action}",
949
1035
  "configChain.error.missingPath": "Provide at least one path to inspect",
950
1036
  "configChain.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
1037
+ "testPerformance.help.summary": "Summarize retained mf run performance evidence, slow intents, timeout pressure, " +
1038
+ "selected-test fallback use, and phase bottlenecks.",
1039
+ "testPerformance.help.option.maxSamples": "Maximum number of recent samples to report. Default: 200",
1040
+ "testPerformance.help.option.maxIntents": "Maximum number of intent summaries to report. Default: 30",
1041
+ "testPerformance.help.option.maxTestFiles": "Maximum number of profiled test files to report. Default: 40",
1042
+ "testPerformance.help.option.maxFindings": "Maximum number of findings to report. Default: 80",
1043
+ "testPerformance.help.option.slowMs": "Duration threshold for slow-sample findings in milliseconds. Default: 120000",
1044
+ "testPerformance.help.option.timeoutRatio": "Timeout budget ratio for timeout-pressure findings, from 0 to 1. Default: 0.75",
1045
+ "testPerformance.help.option.phaseMs": "Phase p95 threshold for phase-bottleneck findings in milliseconds. Default: 30000",
1046
+ "testPerformance.help.exit.ok": "The performance report was generated",
1047
+ "testPerformance.help.exit.fail": "Performance evidence could not be read or the input was invalid",
1048
+ "testPerformance.title": "mustflow test performance report",
1049
+ "testPerformance.label.samples": "Samples",
1050
+ "testPerformance.label.intents": "Intents",
1051
+ "testPerformance.label.testFiles": "Test files",
1052
+ "testPerformance.label.findings": "Findings",
1053
+ "testPerformance.label.truncated": "Truncated",
1054
+ "testPerformance.label.slowestIntents": "Slowest intents",
1055
+ "testPerformance.label.slowestTestFiles": "Slowest test files",
1056
+ "testPerformance.label.slowestPhases": "Slowest phases",
1057
+ "testPerformance.label.failures": "failures",
1058
+ "testPerformance.label.profileEvidence": "Profile evidence",
1059
+ "testPerformance.label.profileGeneratedAt": "Generated at",
1060
+ "testPerformance.label.profileAge": "Age",
1061
+ "testPerformance.label.profileFilesShown": "Files shown",
1062
+ "testPerformance.label.profileCoverage": "Coverage",
1063
+ "testPerformance.label.profileFilesTruncated": "Profile files truncated",
1064
+ "testPerformance.label.nextActions": "Next actions",
1065
+ "testPerformance.label.issues": "Issues",
1066
+ "testPerformance.clean": "No run performance evidence was found under .mustflow/state.",
1067
+ "testPerformance.error.missingAction": "Specify a performance-report action: summarize",
1068
+ "testPerformance.error.unknownAction": "Unknown performance-report action: {action}",
1069
+ "testPerformance.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
1070
+ "testPerformance.error.invalidRatio": "{option} must be a number greater than 0 and less than or equal to 1: {value}",
1071
+ "testRegressionSelector.help.summary": "Select likely regression tests from changed files while reporting unsafe fallback surfaces.",
1072
+ "testRegressionSelector.help.option.base": "Git base ref to compare from. Default: HEAD",
1073
+ "testRegressionSelector.help.option.head": "Git head ref to compare to. Omit to compare the worktree",
1074
+ "testRegressionSelector.help.option.maxFiles": "Maximum number of changed files to inspect. Default: 200",
1075
+ "testRegressionSelector.help.option.maxTests": "Maximum number of selected or missing test candidates to report. Default: 100",
1076
+ "testRegressionSelector.help.exit.ok": "The regression selection report was generated",
1077
+ "testRegressionSelector.help.exit.fail": "Regression selection could not inspect the input",
1078
+ "testRegressionSelector.title": "mustflow test regression selector",
1079
+ "testRegressionSelector.label.selectionStatus": "Selection",
1080
+ "testRegressionSelector.label.changedFiles": "Changed files",
1081
+ "testRegressionSelector.label.selectedTests": "Selected tests",
1082
+ "testRegressionSelector.label.fallbacks": "Fallbacks",
1083
+ "testRegressionSelector.label.recommendedIntent": "Recommended intent",
1084
+ "testRegressionSelector.label.runHint": "Run hint",
1085
+ "testRegressionSelector.label.findings": "Findings",
1086
+ "testRegressionSelector.label.issues": "Issues",
1087
+ "testRegressionSelector.clean": "No changed files were found for regression selection.",
1088
+ "testRegressionSelector.error.missingAction": "Specify a regression-selector action: select",
1089
+ "testRegressionSelector.error.unknownAction": "Unknown regression-selector action: {action}",
1090
+ "testRegressionSelector.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
1091
+ "scriptPack.script.envContract.summary": "Scan repository environment-variable contracts without reading secret values",
1092
+ "envContract.help.summary": "Scan code, CI, docs, config, and env examples for environment variable contract drift without printing env values.",
1093
+ "envContract.help.option.maxFiles": "Maximum number of files to inspect. Default: 1000",
1094
+ "envContract.help.option.maxFileBytes": "Maximum bytes to read from each inspected file. Default: 262144",
1095
+ "envContract.help.option.maxKeys": "Maximum number of env keys to report. Default: 300",
1096
+ "envContract.help.exit.ok": "The env contract scan completed without blocking findings",
1097
+ "envContract.help.exit.fail": "The env contract scan found invalid input, unreadable files, or contract findings",
1098
+ "envContract.title": "mustflow env contract",
1099
+ "envContract.label.files": "Files",
1100
+ "envContract.label.keys": "Keys",
1101
+ "envContract.label.findings": "Findings",
1102
+ "envContract.label.truncated": "Truncated",
1103
+ "envContract.label.issues": "Issues",
1104
+ "envContract.clean": "No environment variable references were found.",
1105
+ "envContract.error.missingAction": "Specify an env-contract action: scan",
1106
+ "envContract.error.unknownAction": "Unknown env-contract action: {action}",
1107
+ "envContract.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
1108
+ "scriptPack.script.secretRiskScan.summary": "Scan repository files for plausible secrets without printing secret values",
1109
+ "secretRiskScan.help.summary": "Scan code, docs, config, CI, and examples for plausible hardcoded secrets without printing secret values.",
1110
+ "secretRiskScan.help.option.maxFiles": "Maximum number of files to inspect. Default: 1000",
1111
+ "secretRiskScan.help.option.maxFileBytes": "Maximum bytes to read from each inspected file. Default: 262144",
1112
+ "secretRiskScan.help.option.maxFindings": "Maximum number of findings to report. Default: 200",
1113
+ "secretRiskScan.help.exit.ok": "The secret-risk scan completed without blocking findings",
1114
+ "secretRiskScan.help.exit.fail": "The secret-risk scan found invalid input, unreadable files, or secret-risk findings",
1115
+ "secretRiskScan.title": "mustflow secret risk scan",
1116
+ "secretRiskScan.label.files": "Files",
1117
+ "secretRiskScan.label.findings": "Findings",
1118
+ "secretRiskScan.label.highOrCritical": "High or critical",
1119
+ "secretRiskScan.label.skippedSecretFiles": "Skipped secret files",
1120
+ "secretRiskScan.label.truncated": "Truncated",
1121
+ "secretRiskScan.label.issues": "Issues",
1122
+ "secretRiskScan.clean": "No plausible hardcoded secrets were found.",
1123
+ "secretRiskScan.error.missingAction": "Specify a secret-risk-scan action: scan",
1124
+ "secretRiskScan.error.unknownAction": "Unknown secret-risk-scan action: {action}",
1125
+ "secretRiskScan.error.invalidPositiveInteger": "{option} must be a positive safe integer: {value}",
1126
+ "scriptPack.script.skillRouteAudit.summary": "Audit skill routes, template skill copies, manifest profiles, and i18n metadata for drift",
1127
+ "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
1128
+ "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
1129
+ "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
1130
+ "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
1131
+ "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",
1132
+ "skillRouteAudit.help.summary": "Audit mustflow skill route metadata, source skill files, default template skill copies, manifest profiles, and i18n metadata.",
1133
+ "skillRouteAudit.help.exit.ok": "The skill-route audit report was generated",
1134
+ "skillRouteAudit.help.exit.fail": "The skill-route audit command received invalid input or could not read required metadata",
1135
+ "skillRouteAudit.title": "mustflow skill route audit",
1136
+ "skillRouteAudit.label.sourceSkills": "Source skills",
1137
+ "skillRouteAudit.label.routeMetadata": "Route metadata",
1138
+ "skillRouteAudit.label.indexRoutes": "Index routes",
1139
+ "skillRouteAudit.label.templateSkills": "Template skills",
1140
+ "skillRouteAudit.label.findings": "Findings",
1141
+ "skillRouteAudit.clean": "Skill routes, template skill copies, manifest profiles, and i18n metadata are aligned.",
1142
+ "skillRouteAudit.error.missingAction": "Specify a skill-route-audit action: audit",
1143
+ "skillRouteAudit.error.unknownAction": "Unknown skill-route-audit action: {action}",
1144
+ "versionSource.help.summary": "Inspect detected version source files and release versioning preference alignment.",
1145
+ "versionSource.help.exit.ok": "The version-source report was generated without blocking findings",
1146
+ "versionSource.help.exit.fail": "The version-source report found invalid input, unreadable metadata, or missing version sources",
1147
+ "versionSource.title": "mustflow version source",
1148
+ "versionSource.label.versioning": "Versioning preferences",
1149
+ "versionSource.label.sources": "Sources",
1150
+ "versionSource.label.sourceAuthorities": "Source authorities",
1151
+ "versionSource.label.findings": "Findings",
1152
+ "versionSource.label.issues": "Issues",
1153
+ "versionSource.error.missingAction": "Specify a version-source action: inspect",
1154
+ "versionSource.error.unknownAction": "Unknown version-source action: {action}",
1155
+ "approvalGate.help.summary": "Check planned action types against .mustflow/config/mustflow.toml approval gates.",
1156
+ "approvalGate.help.option.action": "Action type to check. May be repeated.",
1157
+ "approvalGate.help.exit.ok": "No requested action requires approval",
1158
+ "approvalGate.help.exit.fail": "A requested action requires approval, metadata was unreadable, or input was invalid",
1159
+ "approvalGate.title": "mustflow approval gate",
1160
+ "approvalGate.label.approvalRequired": "Approval required",
1161
+ "approvalGate.label.configuredRequiredActions": "Configured required actions",
1162
+ "approvalGate.label.decisions": "Decisions",
1163
+ "approvalGate.label.findings": "Findings",
1164
+ "approvalGate.label.issues": "Issues",
1165
+ "approvalGate.error.missingAction": "Specify an approval-gate action: check",
1166
+ "approvalGate.error.unknownAction": "Unknown approval-gate action: {action}",
1167
+ "approvalGate.error.missingActionType": "Specify at least one --action <type>",
1168
+ "mergeConflictScan.help.summary": "Scan changed files or explicit paths for unresolved Git merge conflict markers without printing file content.",
1169
+ "mergeConflictScan.help.option.maxFiles": "Maximum files to scan. Default: 1000",
1170
+ "mergeConflictScan.help.option.maxFileBytes": "Maximum bytes to read from each file. Default: 524288",
1171
+ "mergeConflictScan.help.exit.ok": "No merge conflict markers were detected",
1172
+ "mergeConflictScan.help.exit.fail": "Merge conflict markers were detected, input was invalid, or files could not be scanned",
1173
+ "mergeConflictScan.title": "mustflow merge conflict scan",
1174
+ "mergeConflictScan.label.filesChecked": "Files checked",
1175
+ "mergeConflictScan.label.markersFound": "Markers found",
1176
+ "mergeConflictScan.label.markers": "Markers",
1177
+ "mergeConflictScan.label.findings": "Findings",
1178
+ "mergeConflictScan.label.issues": "Issues",
1179
+ "mergeConflictScan.clean": "No merge conflict markers detected.",
1180
+ "mergeConflictScan.error.missingAction": "Specify a merge-conflict-scan action: check",
1181
+ "mergeConflictScan.error.unknownAction": "Unknown merge-conflict-scan action: {action}",
1182
+ "mergeConflictScan.error.invalidPositiveInteger": "{option} must be a positive integer",
1183
+ "gitIgnoreAudit.help.summary": "Audit explicit paths or changed files against Git ignore rules without reading ignored file content.",
1184
+ "gitIgnoreAudit.help.option.maxPaths": "Maximum paths to audit. Default: 200",
1185
+ "gitIgnoreAudit.help.exit.ok": "No ignored path findings were detected",
1186
+ "gitIgnoreAudit.help.exit.fail": "Ignored paths, invalid input, or Git ignore audit issues were detected",
1187
+ "gitIgnoreAudit.title": "mustflow Git ignore audit",
1188
+ "gitIgnoreAudit.label.pathsChecked": "Paths checked",
1189
+ "gitIgnoreAudit.label.ignoredPaths": "Ignored paths",
1190
+ "gitIgnoreAudit.label.ignoreSources": "Ignore sources",
1191
+ "gitIgnoreAudit.label.paths": "Paths",
1192
+ "gitIgnoreAudit.label.findings": "Findings",
1193
+ "gitIgnoreAudit.label.issues": "Issues",
1194
+ "gitIgnoreAudit.clean": "No Git ignore audit findings detected.",
1195
+ "gitIgnoreAudit.error.missingAction": "Specify a git-ignore-audit action: audit",
1196
+ "gitIgnoreAudit.error.unknownAction": "Unknown git-ignore-audit action: {action}",
1197
+ "gitIgnoreAudit.error.invalidPositiveInteger": "{option} must be a positive integer",
1198
+ "manifestLockDrift.help.summary": "Check .mustflow/config/manifest.lock.toml entries against current file hashes without rewriting the lock.",
1199
+ "manifestLockDrift.help.option.maxEntries": "Maximum lock entries to check. Default: 500",
1200
+ "manifestLockDrift.help.exit.ok": "No manifest-lock drift was detected",
1201
+ "manifestLockDrift.help.exit.fail": "Manifest-lock drift, invalid input, or unreadable lock metadata was detected",
1202
+ "manifestLockDrift.title": "mustflow manifest-lock drift",
1203
+ "manifestLockDrift.label.entriesChecked": "Entries checked",
1204
+ "manifestLockDrift.label.hashMismatches": "Hash mismatches",
1205
+ "manifestLockDrift.label.missingEntries": "Missing entries",
1206
+ "manifestLockDrift.label.entries": "Entries",
1207
+ "manifestLockDrift.label.findings": "Findings",
1208
+ "manifestLockDrift.label.issues": "Issues",
1209
+ "manifestLockDrift.clean": "No manifest-lock drift detected.",
1210
+ "manifestLockDrift.error.missingAction": "Specify a manifest-lock-drift action: check",
1211
+ "manifestLockDrift.error.unknownAction": "Unknown manifest-lock-drift action: {action}",
1212
+ "manifestLockDrift.error.invalidPositiveInteger": "{option} must be a positive integer",
951
1213
  "run.help.summary": "从 .mustflow/config/commands.toml 运行已配置的一次性命令。",
952
1214
  "run.help.option.dryRun": "输出命令计划但不执行",
953
1215
  "run.help.option.planOnly": "--dry-run 的别名",
@@ -661,7 +661,7 @@ function renderSourceQuality(gitLsFilesStatus) {
661
661
  '',
662
662
  ];
663
663
  }
664
- export function generateRepoMap(projectRoot, options = {}) {
664
+ function createRepoMapRenderModel(projectRoot, options = {}) {
665
665
  const depth = options.depth ?? DEFAULT_DEPTH;
666
666
  const config = getRepoMapConfig(projectRoot);
667
667
  const configuredPriorityPaths = config.priorityPaths;
@@ -675,10 +675,6 @@ export function generateRepoMap(projectRoot, options = {}) {
675
675
  const anchorDiscovery = discoverAnchors(projectRoot, depth, priorityPathSet, nestedRepositories, workspaceRootPrefixes);
676
676
  const anchors = anchorDiscovery.anchors;
677
677
  const gitLsFilesStatus = anchorDiscovery.gitLsFilesStatus;
678
- const priorityAnchors = configuredPriorityPaths
679
- .map((relativePath) => anchors.find((anchor) => anchor.relativePath === relativePath))
680
- .filter((anchor) => Boolean(anchor));
681
- const otherAnchors = anchors.filter((anchor) => !priorityPathSet.has(anchor.relativePath));
682
678
  const anchorCount = anchors.length + nestedRepositories.reduce((total, repository) => total + countNestedEntrypoints(repository), 0);
683
679
  const sourceFingerprint = getRepoMapSourceFingerprint({
684
680
  depth,
@@ -688,8 +684,33 @@ export function generateRepoMap(projectRoot, options = {}) {
688
684
  anchors,
689
685
  nestedRepositories,
690
686
  });
687
+ return {
688
+ configuredPriorityPaths,
689
+ priorityPathSet,
690
+ mapConfig,
691
+ nestedRepositories,
692
+ anchors,
693
+ gitLsFilesStatus,
694
+ anchorCount,
695
+ sourceFingerprint,
696
+ };
697
+ }
698
+ export function getExpectedRepoMapSourceFingerprint(projectRoot, options = {}) {
699
+ return createRepoMapRenderModel(projectRoot, options).sourceFingerprint;
700
+ }
701
+ export function generateRepoMap(projectRoot, options = {}) {
702
+ const model = createRepoMapRenderModel(projectRoot, options);
703
+ const configuredPriorityPaths = model.configuredPriorityPaths;
704
+ const priorityPathSet = model.priorityPathSet;
705
+ const nestedRepositories = model.nestedRepositories;
706
+ const anchors = model.anchors;
707
+ const gitLsFilesStatus = model.gitLsFilesStatus;
708
+ const priorityAnchors = configuredPriorityPaths
709
+ .map((relativePath) => anchors.find((anchor) => anchor.relativePath === relativePath))
710
+ .filter((anchor) => Boolean(anchor));
711
+ const otherAnchors = anchors.filter((anchor) => !priorityPathSet.has(anchor.relativePath));
691
712
  return [
692
- ...renderRepoMapFrontmatter(anchorCount, sourceFingerprint, gitLsFilesStatus),
713
+ ...renderRepoMapFrontmatter(model.anchorCount, model.sourceFingerprint, gitLsFilesStatus),
693
714
  '# REPO_MAP.md',
694
715
  '',
695
716
  'This file is an agent navigation map for the current mustflow root. It is not a full file listing.',
@@ -1,4 +1,5 @@
1
1
  import { MANIFEST_LOCK_RELATIVE_PATH, inspectManifestLock } from './manifest-lock.js';
2
+ import { readCommandContractIncludePaths } from '../../core/config-loading.js';
2
3
  export const ALLOW_UNTRUSTED_ROOT_OPTION = '--allow-untrusted-root';
3
4
  const REQUIRED_RUN_TRUST_LOCK_PATHS = [
4
5
  'AGENTS.md',
@@ -17,7 +18,20 @@ export function assessRunRootTrust(projectRoot) {
17
18
  };
18
19
  }
19
20
  const trackedPaths = new Set(readResult.lock.files.map((file) => file.relativePath));
20
- const missingRequiredPath = REQUIRED_RUN_TRUST_LOCK_PATHS.find((relativePath) => !trackedPaths.has(relativePath));
21
+ let requiredPaths = REQUIRED_RUN_TRUST_LOCK_PATHS;
22
+ try {
23
+ requiredPaths = [...REQUIRED_RUN_TRUST_LOCK_PATHS, ...readCommandContractIncludePaths(projectRoot)];
24
+ }
25
+ catch (error) {
26
+ const message = error instanceof Error ? error.message : String(error);
27
+ return {
28
+ trusted: false,
29
+ reason: 'manifest_lock_invalid',
30
+ manifestLockPath: readResult.lockPath,
31
+ detail: message,
32
+ };
33
+ }
34
+ const missingRequiredPath = requiredPaths.find((relativePath) => !trackedPaths.has(relativePath));
21
35
  if (missingRequiredPath) {
22
36
  return {
23
37
  trusted: false,