mustflow 2.85.4 → 2.99.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/script-pack.js +10 -0
- package/dist/cli/i18n/en.js +183 -0
- package/dist/cli/i18n/es.js +183 -0
- package/dist/cli/i18n/fr.js +183 -0
- package/dist/cli/i18n/hi.js +183 -0
- package/dist/cli/i18n/ko.js +183 -0
- package/dist/cli/i18n/zh.js +183 -0
- package/dist/cli/lib/script-pack-registry.js +284 -1
- package/dist/cli/script-packs/code-change-impact.js +6 -0
- package/dist/cli/script-packs/code-import-cycle.js +193 -0
- package/dist/cli/script-packs/docs-link-integrity.js +145 -0
- package/dist/cli/script-packs/repo-approval-gate.js +100 -0
- package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
- package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
- package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
- package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
- package/dist/cli/script-packs/repo-version-source.js +92 -0
- package/dist/cli/script-packs/test-performance-report.js +247 -0
- package/dist/cli/script-packs/test-regression-selector.js +167 -0
- package/dist/core/change-impact.js +23 -51
- package/dist/core/change-surface-classification.js +198 -0
- package/dist/core/docs-link-integrity.js +443 -0
- package/dist/core/import-cycle.js +152 -0
- package/dist/core/public-json-contracts.js +116 -0
- package/dist/core/repo-approval-gate.js +116 -0
- package/dist/core/repo-git-ignore-audit.js +302 -0
- package/dist/core/repo-manifest-lock-drift.js +321 -0
- package/dist/core/repo-merge-conflict-scan.js +335 -0
- package/dist/core/repo-version-source.js +82 -0
- package/dist/core/script-pack-suggestions.js +77 -1
- package/dist/core/skill-route-audit.js +354 -0
- package/dist/core/test-performance-report.js +697 -0
- package/dist/core/test-regression-selector.js +335 -0
- package/package.json +1 -1
- package/schemas/README.md +40 -2
- package/schemas/change-impact-report.schema.json +35 -1
- package/schemas/import-cycle-report.schema.json +157 -0
- package/schemas/link-integrity-report.schema.json +176 -0
- package/schemas/repo-approval-gate-report.schema.json +115 -0
- package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
- package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
- package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
- package/schemas/repo-version-source-report.schema.json +127 -0
- package/schemas/skill-route-audit-report.schema.json +144 -0
- package/schemas/test-performance-report.schema.json +319 -0
- package/schemas/test-regression-selector-report.schema.json +187 -0
- package/templates/default/i18n.toml +66 -18
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +45 -8
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
- package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
- package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
- package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
- package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +54 -0
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
- package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +9 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +14 -9
- package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
- package/templates/default/manifest.toml +64 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.api-access-control-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: api-access-control-review
|
|
9
|
-
description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, broken authentication, tenant isolation, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, payment or refund API authorization, broken authentication, tenant isolation, effective permission decisions, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -43,6 +43,10 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
43
43
|
exports, downloads, previews, batch APIs, background jobs, webhooks, auth middleware, sessions,
|
|
44
44
|
cookies, JWTs, OAuth or OIDC flows, password reset, MFA, admin APIs, internal APIs, cache keys,
|
|
45
45
|
DTO mapping, tests, or API docs.
|
|
46
|
+
- Payment, refund, transfer, payout, credit, entitlement, or subscription APIs need proof that the
|
|
47
|
+
requester may act on that specific object, amount-bearing operation, tenant, account, or current
|
|
48
|
+
resource state. Use `payment-integrity-review` for money-event correctness and this skill for the
|
|
49
|
+
API object, property, and function authorization proof.
|
|
46
50
|
- A request, token, body, query string, path parameter, webhook payload, queue payload, or client
|
|
47
51
|
state supplies `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `projectId`, `role`,
|
|
48
52
|
`ownerId`, object id, file key, status, price, entitlement, plan, or other authority-bearing data.
|
|
@@ -73,6 +77,9 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
73
77
|
- Subject-object-action-context ledger: principal, session, token, API key, service account, tenant,
|
|
74
78
|
organization, workspace, role, relationship, resource, object id, field or property, action,
|
|
75
79
|
state, and request context.
|
|
80
|
+
- Decision explanation ledger: effective permission, matched policy, explicit deny, inheritance
|
|
81
|
+
path, policy version, data revision, token issue time, and allow or deny reason when the product
|
|
82
|
+
has policy-engine or audit-log support.
|
|
76
83
|
- Object authorization ledger: list, detail, count, search, export, download, preview, share,
|
|
77
84
|
update, delete, approve, invite, refund, transfer, admin, batch, worker, and webhook paths that
|
|
78
85
|
can reach the same object.
|
|
@@ -135,101 +142,111 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
135
142
|
- `role === "admin"` is usually too small.
|
|
136
143
|
- Check whether the principal is admin for this organization, owner of this project, seller for
|
|
137
144
|
this order, billing admin for this account, or allowed to act in this resource state.
|
|
138
|
-
|
|
145
|
+
- Prefer effective-permission evidence and policy decision explanations over a raw role list.
|
|
146
|
+
6. Check default-deny and explicit-deny behavior.
|
|
147
|
+
- No matching policy, unknown role, unknown action, malformed id, parsing failure, policy server
|
|
148
|
+
timeout, and policy-cache miss should not silently allow access.
|
|
149
|
+
- When allow and deny policies both match, the product needs a documented and tested combination
|
|
150
|
+
rule.
|
|
151
|
+
7. Compare list and detail scopes.
|
|
139
152
|
- If list filters by current user or tenant but detail, count, search, analytics, export, or
|
|
140
153
|
download uses only object id, report the gap.
|
|
141
|
-
|
|
154
|
+
8. Review write APIs harder than read APIs.
|
|
142
155
|
- `PUT`, `PATCH`, `DELETE`, approve, refund, invite, transfer, publish, restore, and role-change
|
|
143
156
|
operations need write-specific permission, state, amount, and audit checks.
|
|
144
157
|
- Read permission is not write permission.
|
|
145
|
-
|
|
158
|
+
9. Stop mass assignment at the boundary.
|
|
146
159
|
- Flag request-body-to-entity binding, raw DTO persistence, GraphQL input passthrough, ORM update
|
|
147
160
|
data from raw body, and blind spread or object assignment.
|
|
148
161
|
- Privileged fields such as `role`, `status`, `ownerId`, `tenantId`, `isVerified`, `plan`,
|
|
149
162
|
`credit`, `deletedAt`, `price`, and `quota` must be derived, guarded, or allowlisted.
|
|
150
|
-
|
|
163
|
+
10. Check response DTOs for property-level exposure.
|
|
151
164
|
- Entity-to-JSON responses can leak `passwordHash`, `mfaSecret`, `internalMemo`,
|
|
152
165
|
`billingCustomerId`, storage keys, provider IDs, deletion reasons, or admin-only fields later.
|
|
153
166
|
- Use public response mappers and role-aware field policies when field visibility differs.
|
|
154
|
-
|
|
167
|
+
11. Treat client-side admin UI as decoration.
|
|
155
168
|
- Hidden buttons, disabled controls, frontend routes, mobile checks, and generated clients are
|
|
156
169
|
not access control.
|
|
157
170
|
- Admin and support operations need server-side scope, reason, audit, and denial tests.
|
|
158
|
-
|
|
171
|
+
12. Search for temporary public holes.
|
|
159
172
|
- Inspect `permitAll`, `anonymous`, `skipAuth`, `bypassAuth`, `public`, `internalOnly`,
|
|
160
173
|
`devOnly`, `TODO auth`, debug endpoints, health endpoints with extra data, and test-only
|
|
161
174
|
switches that can reach real data or operations.
|
|
162
|
-
|
|
175
|
+
13. Review router and middleware order.
|
|
163
176
|
- Dynamic routes like `/:id` can shadow `/me`, `/admin`, or `/settings`.
|
|
164
177
|
- Prefix middleware can leave sibling paths, nested routers, serverless functions, or framework
|
|
165
178
|
route groups unauthenticated.
|
|
166
|
-
|
|
179
|
+
14. Review GraphQL per resolver.
|
|
167
180
|
- Endpoint-level auth is not enough.
|
|
168
181
|
- Check `node(id)`, nested fields, connections, edges, aggregates, mutations, and field
|
|
169
182
|
resolvers for object and property authorization.
|
|
170
|
-
|
|
183
|
+
15. Review batch APIs per item.
|
|
171
184
|
- Bulk create, delete, export, import, and update endpoints must authorize every object.
|
|
172
185
|
- Define whether one denied item fails the whole request, returns per-item results, or produces
|
|
173
186
|
a retrievable failure report.
|
|
174
|
-
|
|
187
|
+
16. Review export, download, preview, thumbnail, and share paths.
|
|
175
188
|
- CRUD may be protected while file delivery, generated previews, thumbnails, CSV exports, and
|
|
176
189
|
shared links bypass the same policy.
|
|
177
|
-
|
|
190
|
+
17. Treat signed storage URLs as outputs of authorization.
|
|
178
191
|
- S3, GCS, R2, CDN, and private file URLs must be generated only after object authorization.
|
|
179
192
|
- Check key predictability, URL lifetime, scope, content disposition, cache behavior, revocation,
|
|
180
193
|
and whether direct object access bypasses policy.
|
|
181
|
-
|
|
194
|
+
18. Enforce tenant boundaries in every query and cache.
|
|
182
195
|
- `WHERE id = ?` is weak in multi-tenant code; include tenant, membership, owner, sharing, or
|
|
183
196
|
database policy constraints.
|
|
184
197
|
- Cache keys for private data need tenant and permission dimensions, not just object id.
|
|
185
|
-
|
|
198
|
+
19. Revalidate asynchronous jobs.
|
|
186
199
|
- Queue payloads with only `userId`, `tenantId`, or `fileId` can outlive permission changes.
|
|
187
200
|
- Workers, retries, admin reruns, scheduled tasks, and webhook-triggered jobs need actor,
|
|
188
201
|
tenant, resource, state, and current permission or service-principal checks at execution time.
|
|
189
|
-
|
|
202
|
+
20. Separate webhook authenticity from authorization.
|
|
190
203
|
- Signature verification proves the provider sent the event.
|
|
191
204
|
- Ownership mapping proves the event belongs to this tenant, account, customer, installation,
|
|
192
205
|
repository, subscription, or resource.
|
|
193
|
-
|
|
206
|
+
21. Keep OAuth and OIDC purposes distinct.
|
|
194
207
|
- OIDC ID tokens identify a user for login.
|
|
195
208
|
- OAuth access tokens authorize delegated API access.
|
|
196
209
|
- Do not use an ID token as an API permission token or an access token as a login proof without
|
|
197
210
|
the appropriate validation and intent.
|
|
198
|
-
|
|
211
|
+
22. Verify JWTs completely.
|
|
199
212
|
- Decoding is not verification.
|
|
200
213
|
- Check signature, algorithm allowlist, issuer, audience, expiry, not-before when used, key
|
|
201
214
|
source, key rotation, subject, tenant binding, and stale authorization claims.
|
|
202
|
-
|
|
215
|
+
23. Treat token claims as snapshots, not eternal truth.
|
|
203
216
|
- Long-lived `role`, `plan`, `tenantId`, and permission claims can survive demotion, removal,
|
|
204
217
|
subscription cancellation, suspension, or revocation.
|
|
205
218
|
- Important decisions should check current server-side state or use short-lived tokens with
|
|
206
219
|
revocation strategy.
|
|
207
|
-
|
|
220
|
+
24. Measure revocation and stale-permission windows.
|
|
221
|
+
- User removal, role demotion, organization leave, policy-version changes, subscription state
|
|
222
|
+
changes, and ownership transfers should say how quickly sessions, JWTs, caches, search
|
|
223
|
+
indexes, queued jobs, and signed URLs stop authorizing old access.
|
|
224
|
+
25. Regenerate session identity after privilege changes.
|
|
208
225
|
- Login, password change, MFA changes, role changes, user-to-admin transitions, and account
|
|
209
226
|
recovery should rotate session identifiers or refresh tokens according to local policy.
|
|
210
|
-
|
|
227
|
+
26. Check authentication cookies.
|
|
211
228
|
- Cookies carrying session authority need `Secure`, `HttpOnly`, appropriate `SameSite`,
|
|
212
229
|
domain, path, lifetime, rotation, logout, revocation, and CSRF posture.
|
|
213
230
|
- Avoid URL-carried session identifiers.
|
|
214
|
-
|
|
231
|
+
27. Require reauthentication for sensitive actions.
|
|
215
232
|
- Password change, email change, MFA disable, payment method change, organization ownership
|
|
216
233
|
transfer, API-key creation, and destructive admin actions should require fresh proof.
|
|
217
|
-
|
|
234
|
+
28. Review reset and magic-link tokens.
|
|
218
235
|
- Tokens need strong randomness, one-time use, short expiration, purpose binding, user binding,
|
|
219
236
|
safe storage, link-preview protection, session invalidation where needed, and no reuse across
|
|
220
237
|
unrelated flows.
|
|
221
|
-
|
|
238
|
+
29. Compare account-enumeration responses.
|
|
222
239
|
- Login, signup, password reset, magic link, invitation, and email verification should avoid
|
|
223
240
|
leaking account existence through message, status, timing, or email-sending behavior unless
|
|
224
241
|
product policy accepts that disclosure.
|
|
225
|
-
|
|
242
|
+
30. Treat automation defense as part of authentication.
|
|
226
243
|
- Login, OTP, magic link, password reset, invite acceptance, coupon application, email
|
|
227
244
|
verification, and MFA attempts need rate limits, lockouts, challenge policy, IP/device/user
|
|
228
245
|
dimensions, and observability.
|
|
229
|
-
|
|
246
|
+
31. Separate internal and external identity planes.
|
|
230
247
|
- Backoffice, operator, database, middleware, and support accounts should not flow through the
|
|
231
248
|
same customer login path unless the product intentionally models and audits that boundary.
|
|
232
|
-
|
|
249
|
+
32. Test the denial matrix.
|
|
233
250
|
- Success tests prove little.
|
|
234
251
|
- For each protected resource, cover anonymous, normal user, other owner, same organization
|
|
235
252
|
different role, other tenant, admin wrong tenant, revoked user, suspended member, stale token,
|
|
@@ -240,6 +257,8 @@ perform this action on this object, this field, and this tenant context?"
|
|
|
240
257
|
|
|
241
258
|
- The API access-control decision names subject, object, action, field or property, tenant or owner,
|
|
242
259
|
current state, and trusted context when those apply.
|
|
260
|
+
- Effective permission, matched policy, explicit deny, inheritance path, policy version, data
|
|
261
|
+
revision, token issue time, and revocation window are checked or named as gaps when relevant.
|
|
243
262
|
- Authentication, object authorization, property authorization, and function authorization are not
|
|
244
263
|
collapsed into one route guard.
|
|
245
264
|
- Client-supplied identity and authority fields are either ignored, verified against server-side
|
|
@@ -287,6 +306,8 @@ and account-enumeration response parity.
|
|
|
287
306
|
|
|
288
307
|
- API access control reviewed
|
|
289
308
|
- Subject, object, action, field, tenant or owner, state, and trusted context
|
|
309
|
+
- Effective permission, decision explanation, policy version, data revision, token age, and
|
|
310
|
+
revocation-window findings
|
|
290
311
|
- Object, property, and function authorization findings
|
|
291
312
|
- Authentication, session, token, cookie, OAuth/OIDC, reset, reauthentication, enumeration, and
|
|
292
313
|
automation findings
|
|
@@ -0,0 +1,270 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.api-failure-triage
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: api-failure-triage
|
|
9
|
+
description: Apply this skill when an API request, SDK call, webhook callback, browser request, mobile call, gateway route, CORS preflight, CDN or load-balancer path, upstream dependency call, or OpenAPI-backed integration is failing, intermittent, slow, returning the wrong status or body, blocked by authentication or authorization, rate-limited, retried, cached incorrectly, or not yet localized to client, network, proxy, app, database, cache, provider, or deployment configuration. Use before api-request-performance-review when the first job is to preserve the failing wire evidence and cut the failure boundary.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.api-failure-triage
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# API Failure Triage
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Triage API failures by preserving the actual request and cutting the path boundary before editing
|
|
33
|
+
code.
|
|
34
|
+
|
|
35
|
+
The first question is not "which log looks suspicious?" It is "what bytes left the caller, what
|
|
36
|
+
bytes came back, which boundary changed them, and what evidence would disprove each hypothesis?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- A user reports that an API call, SDK request, browser request, mobile request, webhook callback,
|
|
42
|
+
backend-for-frontend path, gateway route, CDN path, load-balancer path, or provider integration is
|
|
43
|
+
failing or intermittent.
|
|
44
|
+
- The failure is not yet localized to client code, DNS, TCP, TLS, proxy, CORS preflight, redirect,
|
|
45
|
+
gateway, app handler, database, cache, external provider, rate limiter, retry policy, auth,
|
|
46
|
+
deployment configuration, or OpenAPI drift.
|
|
47
|
+
- Code or docs claim an API failure is a network issue, CORS issue, server issue, auth issue, cache
|
|
48
|
+
issue, provider issue, or retry issue without preserved wire evidence.
|
|
49
|
+
- A fix might otherwise start from logs, framework assumptions, SDK behavior, browser console text,
|
|
50
|
+
or a broad search before one failing request is captured.
|
|
51
|
+
|
|
52
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
53
|
+
## Do Not Use When
|
|
54
|
+
|
|
55
|
+
- The failing request is already reproduced and the root cause is clear enough for a targeted fix;
|
|
56
|
+
use the narrower code, API contract, cache, retry, auth, database, or failure-integrity skill.
|
|
57
|
+
- The task is only per-request latency optimization after the API path is known; use
|
|
58
|
+
`api-request-performance-review`.
|
|
59
|
+
- The task is only public error wording or error-envelope cleanup; use
|
|
60
|
+
`error-message-integrity-review`.
|
|
61
|
+
- The task is only observability design with no current API failure to localize; use
|
|
62
|
+
`observability-debuggability-review`.
|
|
63
|
+
- Reproduction requires live production secrets, destructive calls, real payments, real user data,
|
|
64
|
+
private logs, or unconfigured external systems. Preserve available static evidence and report the
|
|
65
|
+
manual boundary instead.
|
|
66
|
+
|
|
67
|
+
<!-- mustflow-section: required-inputs -->
|
|
68
|
+
## Required Inputs
|
|
69
|
+
|
|
70
|
+
- Failure packet: observed time and timezone, request id or trace id when present, caller, client or
|
|
71
|
+
SDK version, API version, method, URL route template, sanitized headers, sanitized body shape,
|
|
72
|
+
status code, response headers, response body shape, total latency, and retry or redirect behavior.
|
|
73
|
+
- Success comparator: a nearby successful request, previous working version, same request with one
|
|
74
|
+
dimension changed, or a documented expected request shape.
|
|
75
|
+
- Boundary ledger: client, browser preflight, SDK middleware, DNS, TCP, TLS, proxy, CDN, WAF,
|
|
76
|
+
gateway, load balancer, app, queue, database, cache, external provider, and response serialization
|
|
77
|
+
boundaries relevant to the path.
|
|
78
|
+
- Timing ledger: name lookup, connection, TLS, first byte, total transfer, app handler time, queue
|
|
79
|
+
time, pool wait, database time, cache time, external dependency time, serialization time, and
|
|
80
|
+
download time when evidence exists.
|
|
81
|
+
- Contract ledger: HTTP method, redirect behavior, content negotiation, content type, encoding,
|
|
82
|
+
status code semantics, error envelope, retryability, idempotency, rate-limit headers, cache
|
|
83
|
+
headers, OpenAPI or generated-client contract, and deployment version.
|
|
84
|
+
- Auth ledger: credential presence, token expiry and not-before time, signature timestamp, clock
|
|
85
|
+
skew, user or service principal, object authorization, tenant scope, and proxy header preservation.
|
|
86
|
+
- Change ledger: deploy, config, secret, feature flag, routing rule, schema migration, provider
|
|
87
|
+
version, generated client, cache policy, rate-limit policy, and environment difference near the
|
|
88
|
+
first bad time.
|
|
89
|
+
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
90
|
+
validation.
|
|
91
|
+
|
|
92
|
+
<!-- mustflow-section: preconditions -->
|
|
93
|
+
## Preconditions
|
|
94
|
+
|
|
95
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
96
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
97
|
+
current scope.
|
|
98
|
+
- Required request, response, boundary, timing, contract, auth, and change evidence is available or
|
|
99
|
+
can be reported as missing without guessing.
|
|
100
|
+
- If the preserved evidence exposes secrets, tokens, cookies, personal data, payment data, private
|
|
101
|
+
URLs, raw bodies, or hidden reasoning, summarize and redact rather than copying it into docs,
|
|
102
|
+
tests, logs, commits, or final reports.
|
|
103
|
+
|
|
104
|
+
<!-- mustflow-section: allowed-edits -->
|
|
105
|
+
## Allowed Edits
|
|
106
|
+
|
|
107
|
+
- Add or tighten request parsing, content-type handling, status mapping, Problem Details or local
|
|
108
|
+
error-envelope mapping, request ID propagation, trace context, auth checks, proxy header handling,
|
|
109
|
+
timeout classification, retry and idempotency classification, rate-limit response handling, cache
|
|
110
|
+
header handling, OpenAPI contract tests, deployment config comparison tests, and focused
|
|
111
|
+
reproduction fixtures.
|
|
112
|
+
- Add focused tests that preserve the failing wire shape, success/failure comparator, status and
|
|
113
|
+
body contract, auth boundary, retryability, cache behavior, OpenAPI drift, or deployment config
|
|
114
|
+
difference.
|
|
115
|
+
- Do not add broad retries, blanket cache bypasses, CORS wildcards, auth bypasses, status-code
|
|
116
|
+
remapping, proxy header trust, live provider calls, raw production log dumps, or speculative
|
|
117
|
+
framework rewrites before the failing boundary is localized.
|
|
118
|
+
- Do not treat browser console text, SDK exception text, status code alone, or application logs alone
|
|
119
|
+
as the failing request evidence.
|
|
120
|
+
|
|
121
|
+
<!-- mustflow-section: procedure -->
|
|
122
|
+
## Procedure
|
|
123
|
+
|
|
124
|
+
1. Preserve one failing request packet.
|
|
125
|
+
- Record method, route template, sanitized headers, sanitized body shape, status, response
|
|
126
|
+
headers, response body shape, total latency, request id, trace id, caller version, API version,
|
|
127
|
+
and observed time basis.
|
|
128
|
+
- If the failure is intermittent, keep the first bad time and a small sample of failing and
|
|
129
|
+
successful packets rather than a raw log dump.
|
|
130
|
+
2. Compare success and failure at the wire boundary.
|
|
131
|
+
- Compare actual transmitted method, URL encoding, query order and defaults, headers, cookies,
|
|
132
|
+
body shape, null versus empty string, array order, content type, accept header, charset, API
|
|
133
|
+
version, and redirect path.
|
|
134
|
+
- Do not compare only source code or SDK call arguments because middleware, retries, proxies,
|
|
135
|
+
redirects, and defaults can rewrite the request.
|
|
136
|
+
3. Cut the path into boundaries.
|
|
137
|
+
- Check whether the request reaches each boundary: client, preflight, SDK, DNS, TCP, TLS, proxy,
|
|
138
|
+
CDN, WAF, gateway, load balancer, app handler, queue, database, cache, external provider, and
|
|
139
|
+
response serializer.
|
|
140
|
+
- Prefer evidence that halves the search space. If the app never sees the request, app logs are
|
|
141
|
+
not the first evidence source.
|
|
142
|
+
4. Split timing before assigning blame.
|
|
143
|
+
- Separate name lookup, connection, TLS, first byte, total download, app handler time, queue time,
|
|
144
|
+
pool wait, database time, cache time, external dependency time, serialization time, and payload
|
|
145
|
+
transfer when available.
|
|
146
|
+
- Average latency is weak evidence. Use endpoint, status, region, client, API version, and
|
|
147
|
+
percentile slices when telemetry exists.
|
|
148
|
+
5. Check browser-only failures separately.
|
|
149
|
+
- For browser-only symptoms, inspect preflight, allowed method, allowed headers, credentials
|
|
150
|
+
mode, redirect behavior, and whether the failing request happens before the real method is sent.
|
|
151
|
+
- For server-to-server failures, do not diagnose CORS unless a browser boundary is actually
|
|
152
|
+
involved.
|
|
153
|
+
6. Check redirect and proxy mutation.
|
|
154
|
+
- Verify whether redirects change method, body, host, scheme, authorization, cookies, or signed
|
|
155
|
+
headers.
|
|
156
|
+
- Verify whether proxies preserve `Authorization`, `Host`, forwarded headers, request ids,
|
|
157
|
+
trace context, content length, idempotency keys, and rate-limit headers according to local
|
|
158
|
+
trust policy.
|
|
159
|
+
7. Check status, body, and content-type consistency.
|
|
160
|
+
- A `200` response with an error body, a `500` for caller validation, a hidden `404` for auth,
|
|
161
|
+
or a JSON content type with an HTML error body can break clients and monitoring.
|
|
162
|
+
- Map API errors to stable codes, request IDs, invalid fields, retryability, and safe support
|
|
163
|
+
evidence when the local contract supports it.
|
|
164
|
+
8. Split authentication from authorization.
|
|
165
|
+
- Verify credentials were sent, valid, not expired, and signed against the expected time basis.
|
|
166
|
+
- Separately verify whether the authenticated principal can access the target object, property,
|
|
167
|
+
tenant, or function.
|
|
168
|
+
- Treat "same token, different resource id returns another user's data" as an access-control
|
|
169
|
+
incident, not ordinary debugging.
|
|
170
|
+
9. Check clock and signature time.
|
|
171
|
+
- Review token `exp` or `nbf`, signed request timestamps, webhook timestamps, cache expiry, rate
|
|
172
|
+
limit windows, and server/client clock skew when the failure is intermittent or boundary-time
|
|
173
|
+
sensitive.
|
|
174
|
+
10. Check retry, timeout, rate limit, and idempotency.
|
|
175
|
+
- Separate connect, TLS, first-byte, read, write, dependency, pool, and total-deadline failures
|
|
176
|
+
when evidence exists.
|
|
177
|
+
- Confirm retries are bounded, jittered, scoped to one layer, and safe for the operation.
|
|
178
|
+
- For side-effecting requests, require a durable idempotency key and result replay or unknown
|
|
179
|
+
outcome reconciliation before retrying.
|
|
180
|
+
- Preserve `429`, rate-limit policy, and retry-after semantics instead of turning throttling into
|
|
181
|
+
generic server failure.
|
|
182
|
+
11. Check cache and content negotiation.
|
|
183
|
+
- Compare cached and cache-bypassed behavior when allowed by the current command and environment
|
|
184
|
+
boundary.
|
|
185
|
+
- Inspect cache-control, validators, age, vary dimensions, authorization or cookie variance,
|
|
186
|
+
API version, language, query dimensions, and stale or negative-cache behavior.
|
|
187
|
+
12. Check app-internal cost and dependency fan-out only after the request reaches the app.
|
|
188
|
+
- If the app receives the request, build a compact cost ledger for database, cache, external API,
|
|
189
|
+
serialization, compression, and response size.
|
|
190
|
+
- Use `api-request-performance-review`, database, cache, retry, queue, or observability skills
|
|
191
|
+
for the localized subproblem.
|
|
192
|
+
13. Check OpenAPI and generated-client drift.
|
|
193
|
+
- Compare deployed behavior with the documented contract: required fields, nullability, enum
|
|
194
|
+
values, status codes, headers, content type, and error envelope.
|
|
195
|
+
- Treat generated client, SDK, or schema drift as a contract issue even when the server and
|
|
196
|
+
client each look locally correct.
|
|
197
|
+
14. Check deployment and environment diffs.
|
|
198
|
+
- Near the first bad time, compare release id, config, secret names, routing rules, feature
|
|
199
|
+
flags, provider account, migration state, cache policy, rate-limit policy, and generated
|
|
200
|
+
artifacts.
|
|
201
|
+
- Do not blame code before environment and route changes are ruled in or out.
|
|
202
|
+
15. Maintain a hypothesis table.
|
|
203
|
+
- For each hypothesis, write the expected evidence and the observation that would disprove it.
|
|
204
|
+
- Kill wrong hypotheses quickly. Long log reading without a falsifiable hypothesis is not
|
|
205
|
+
progress.
|
|
206
|
+
16. Apply the smallest localized fix.
|
|
207
|
+
- Once the boundary is proven, switch to the specific skill for that boundary and edit only the
|
|
208
|
+
owning code, contract, test, doc, template, or config surface.
|
|
209
|
+
- Re-run the original reproduction path or the closest configured intent after the fix.
|
|
210
|
+
|
|
211
|
+
<!-- mustflow-section: postconditions -->
|
|
212
|
+
## Postconditions
|
|
213
|
+
|
|
214
|
+
- The failing request packet, success comparator, boundary ledger, timing ledger, contract ledger,
|
|
215
|
+
auth ledger, and change ledger are explicit or reported as missing.
|
|
216
|
+
- The failure is localized to a boundary or left as a named evidence gap instead of a guessed cause.
|
|
217
|
+
- Status/body/content-type, CORS/preflight, redirects, proxy headers, authn/authz, clock skew,
|
|
218
|
+
timeout/retry/rate-limit/idempotency, cache headers, OpenAPI drift, and deployment diffs are fixed
|
|
219
|
+
or reported where relevant.
|
|
220
|
+
- Any follow-up skill is selected because the boundary is now localized, not because the first guess
|
|
221
|
+
sounded plausible.
|
|
222
|
+
|
|
223
|
+
<!-- mustflow-section: verification -->
|
|
224
|
+
## Verification
|
|
225
|
+
|
|
226
|
+
Use configured oneshot command intents when available:
|
|
227
|
+
|
|
228
|
+
- `changes_status`
|
|
229
|
+
- `changes_diff_summary`
|
|
230
|
+
- `lint`
|
|
231
|
+
- `build`
|
|
232
|
+
- `test_related`
|
|
233
|
+
- `test`
|
|
234
|
+
- `docs_validate_fast`
|
|
235
|
+
- `test_release`
|
|
236
|
+
- `mustflow_check`
|
|
237
|
+
|
|
238
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
|
|
239
|
+
localized API failure boundary. Do not infer raw servers, live providers, database shells, browser
|
|
240
|
+
sessions, packet captures, production logs, load tests, profilers, or network probes outside the
|
|
241
|
+
command contract.
|
|
242
|
+
|
|
243
|
+
<!-- mustflow-section: failure-handling -->
|
|
244
|
+
## Failure Handling
|
|
245
|
+
|
|
246
|
+
- If the failing request packet cannot be captured, stop speculative edits and report the closest
|
|
247
|
+
safe evidence plus the missing packet fields.
|
|
248
|
+
- If evidence contains secrets or personal data, redact before storing or reporting it.
|
|
249
|
+
- If boundary evidence requires live production access, private dashboards, external provider
|
|
250
|
+
consoles, or unconfigured network diagnostics, report the manual evidence boundary.
|
|
251
|
+
- If a configured command fails, preserve the failing intent and output tail, then fix only the API
|
|
252
|
+
boundary or contract exercised by that failure.
|
|
253
|
+
- If the root cause points to security, payment, rate limit, cache, retry, queue, or deployment risk,
|
|
254
|
+
switch to the narrower matching skill before editing that part.
|
|
255
|
+
|
|
256
|
+
<!-- mustflow-section: output-format -->
|
|
257
|
+
## Output Format
|
|
258
|
+
|
|
259
|
+
- API failure triaged
|
|
260
|
+
- Failing request packet and success comparator, with redactions
|
|
261
|
+
- Boundary and timing ledger
|
|
262
|
+
- Status/body/content-type, CORS/preflight, redirect/proxy, authn/authz, clock, retry/timeout,
|
|
263
|
+
rate-limit/idempotency, cache, OpenAPI, and deployment-diff findings
|
|
264
|
+
- Hypotheses killed, still open, and selected localized boundary
|
|
265
|
+
- Fix applied or recommended
|
|
266
|
+
- Evidence level: reproduced packet, comparator evidence, configured-test evidence, static review
|
|
267
|
+
risk, manual-only, missing, or not applicable
|
|
268
|
+
- Command intents run
|
|
269
|
+
- Skipped diagnostics and reasons
|
|
270
|
+
- Remaining API-failure risk
|
|
@@ -0,0 +1,192 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.auth-flow-triage
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: auth-flow-triage
|
|
9
|
+
description: Apply this skill when login, signup, logout, session refresh, OAuth or OIDC redirect, PKCE, nonce, state, passkey, MFA, password reset, magic link, cookie, JWT, token exchange, JWKS, IdP callback, account linking, or authorization-after-login behavior is failing, intermittent, browser-only, client-specific, or not yet localized to identity, cookie, token, proxy, session store, provider, clock, rate limit, or permission policy.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.auth-flow-triage
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# Auth Flow Triage
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Localize authentication-flow failures without collapsing identity proof, session issuance, token
|
|
34
|
+
validation, browser cookie behavior, external provider callbacks, MFA, and authorization into one
|
|
35
|
+
"login is broken" bucket.
|
|
36
|
+
|
|
37
|
+
<!-- mustflow-section: use-when -->
|
|
38
|
+
## Use When
|
|
39
|
+
|
|
40
|
+
- Login, signup, logout, refresh, password reset, magic link, MFA, passkey, OAuth, OIDC, SAML-like
|
|
41
|
+
handoff, API-key login, or account-linking behavior fails or behaves differently across clients.
|
|
42
|
+
- A user appears authenticated on one boundary but logged out, forbidden, redirected, or assigned to
|
|
43
|
+
the wrong account on another boundary.
|
|
44
|
+
- The failure may involve cookies, SameSite, CORS credentials, CSRF, proxy headers, redirect URI,
|
|
45
|
+
state, nonce, PKCE, authorization code exchange, JWT claims, JWKS rotation, refresh token
|
|
46
|
+
rotation, session storage, account lockout, rate limit, IdP metadata, passkeys, OTP, clocks, or
|
|
47
|
+
authorization after login.
|
|
48
|
+
- The task is to diagnose or review an auth failure before the exact code owner is known.
|
|
49
|
+
|
|
50
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
51
|
+
## Do Not Use When
|
|
52
|
+
|
|
53
|
+
- The change is already localized to implementing or changing the permission model; use
|
|
54
|
+
`auth-permission-change`.
|
|
55
|
+
- The task is specifically API object, property, or function authorization review; use
|
|
56
|
+
`api-access-control-review`.
|
|
57
|
+
- The task is only generic API failure triage before any auth-specific signal exists; use
|
|
58
|
+
`api-failure-triage`.
|
|
59
|
+
- The task asks for live credential testing, brute force, phishing simulation, or production token
|
|
60
|
+
collection. Stay within defensive code review, sanitized traces, and configured tests.
|
|
61
|
+
|
|
62
|
+
<!-- mustflow-section: required-inputs -->
|
|
63
|
+
## Required Inputs
|
|
64
|
+
|
|
65
|
+
- Auth attempt packet: observed time, timezone, trace or request id, client type, route, sanitized
|
|
66
|
+
request and response shape, redirect chain, status codes, user-facing message class, and result.
|
|
67
|
+
- Stage ledger: user lookup, credential verification, external provider round trip, callback,
|
|
68
|
+
token exchange, session issue, cookie write, redirect, authorization decision, and logout or
|
|
69
|
+
revocation when relevant.
|
|
70
|
+
- Token and session ledger: session id hash, token type, issuer, audience, subject, `jti`, `iat`,
|
|
71
|
+
`nbf`, `exp`, key id, refresh-token family state, cookie attributes, session-store key, and
|
|
72
|
+
revocation or rotation state.
|
|
73
|
+
- Browser and proxy ledger: origin, host, forwarded proto and host, redirect URI, cookie domain and
|
|
74
|
+
path, SameSite, Secure, HttpOnly, CORS credentials, CSRF token, and proxy trust boundary.
|
|
75
|
+
- Provider ledger: IdP issuer, discovery metadata, JWKS URI, registered redirect URIs, client id,
|
|
76
|
+
PKCE method, state, nonce, passkey RP ID, WebAuthn origin, MFA method, and provider error class.
|
|
77
|
+
- Denial and privacy ledger: enumeration policy, lockout or rate-limit decision, internal result
|
|
78
|
+
code, public error message, redaction boundary, and denial-case tests.
|
|
79
|
+
|
|
80
|
+
<!-- mustflow-section: preconditions -->
|
|
81
|
+
## Preconditions
|
|
82
|
+
|
|
83
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
84
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
|
|
85
|
+
- Secrets, tokens, OTPs, passwords, cookies, raw provider payloads, personal identifiers, and private
|
|
86
|
+
callback URLs are redacted before being written into docs, tests, commits, or reports.
|
|
87
|
+
|
|
88
|
+
<!-- mustflow-section: allowed-edits -->
|
|
89
|
+
## Allowed Edits
|
|
90
|
+
|
|
91
|
+
- Add or tighten stage-specific result codes, safe trace ids, token validation, cookie settings,
|
|
92
|
+
proxy trust handling, redirect URI checks, PKCE, state, nonce, JWKS refresh behavior, session
|
|
93
|
+
rotation, refresh-token serialization, account-linking checks, passkey origin checks, MFA tests,
|
|
94
|
+
redaction, docs, fixtures, and denial-case tests.
|
|
95
|
+
- Add focused tests that reproduce the sanitized failure stage, token claim mismatch, cookie
|
|
96
|
+
behavior, callback binding, refresh-token race, session fixation boundary, or account-linking
|
|
97
|
+
policy.
|
|
98
|
+
- Do not add auth bypasses, broad CORS wildcards, loose redirect matching, disabled TLS checks,
|
|
99
|
+
widened clock skew, token logging, provider-console assumptions, or live credential probes.
|
|
100
|
+
|
|
101
|
+
<!-- mustflow-section: procedure -->
|
|
102
|
+
## Procedure
|
|
103
|
+
|
|
104
|
+
1. Split the symptom by stage before editing: user lookup, credential or passkey verification,
|
|
105
|
+
provider redirect, callback validation, token exchange, session issue, cookie persistence,
|
|
106
|
+
refresh, logout, and authorization-after-login.
|
|
107
|
+
2. Preserve one sanitized failing attempt plus one success comparator. Compare the actual redirect
|
|
108
|
+
chain, cookies sent and set, status codes, provider error class, token type, and client version.
|
|
109
|
+
3. Keep public and internal errors separate. Public messages should avoid account enumeration;
|
|
110
|
+
internal evidence should keep stable reason codes such as missing user, credential mismatch,
|
|
111
|
+
disabled account, MFA required, token expired, nonce mismatch, PKCE mismatch, and policy denied.
|
|
112
|
+
4. Verify clocks before treating tokens as bad. Compare server epoch, token `iat`, `nbf`, `exp`,
|
|
113
|
+
OTP window, signed request timestamp, certificate validity, and applied clock skew.
|
|
114
|
+
5. For browser-only failures, check actual cookie attributes, CORS credential behavior, CSRF,
|
|
115
|
+
redirect handling, preflight, duplicate cookie names, and whether the callback writes the cookie
|
|
116
|
+
on the host and path the app later uses.
|
|
117
|
+
6. For proxy-backed apps, verify trusted forwarded headers, external URL calculation, secure cookie
|
|
118
|
+
detection, host allowlists, and callback URL generation. Do not trust arbitrary forwarded headers.
|
|
119
|
+
7. For OAuth or OIDC, compare the exact registered and transmitted redirect URI, issuer, discovery
|
|
120
|
+
metadata, client id, state, nonce, PKCE method, code-verifier binding, token endpoint, and JWKS.
|
|
121
|
+
8. For token validation, check signature, algorithm allowlist, key id refresh, issuer, audience,
|
|
122
|
+
authorized party when needed, subject, expiry, not-before, nonce, token type, and stale role or
|
|
123
|
+
permission claims.
|
|
124
|
+
9. For refresh and logout failures, separate local cookie deletion, server session revocation,
|
|
125
|
+
refresh-token family state, access-token lifetime, IdP SSO session, and provider logout.
|
|
126
|
+
10. For passkeys and MFA, check challenge one-time use, origin, RP ID, credential id, user handle,
|
|
127
|
+
user-verification flags, OTP reuse, recovery path, reauthentication, and registration or removal
|
|
128
|
+
policy.
|
|
129
|
+
11. For account linking, use provider `issuer + subject` as the external identity key. Treat email
|
|
130
|
+
equality as weak evidence that requires an authenticated linking flow.
|
|
131
|
+
12. If authentication succeeds but the user is still blocked, switch to `auth-permission-change` or
|
|
132
|
+
`api-access-control-review` and inspect tenant, resource, role, scope, stale cache, and token
|
|
133
|
+
claim freshness.
|
|
134
|
+
13. Apply the smallest localized fix and rerun the narrowest configured intent that covers the
|
|
135
|
+
affected auth stage, denial case, docs, template, or package surface.
|
|
136
|
+
|
|
137
|
+
<!-- mustflow-section: postconditions -->
|
|
138
|
+
## Postconditions
|
|
139
|
+
|
|
140
|
+
- The failing auth stage is localized or named as an evidence gap.
|
|
141
|
+
- Public error wording, internal reason codes, trace ids, session or token identifiers, and redaction
|
|
142
|
+
boundaries are explicit.
|
|
143
|
+
- Cookie, proxy, redirect, token, JWKS, provider metadata, passkey, MFA, refresh, logout, rate limit,
|
|
144
|
+
and authorization-after-login checks are fixed or reported where relevant.
|
|
145
|
+
- Any permission follow-up is routed to the narrower access-control skill instead of hidden inside
|
|
146
|
+
login debugging.
|
|
147
|
+
|
|
148
|
+
<!-- mustflow-section: verification -->
|
|
149
|
+
## Verification
|
|
150
|
+
|
|
151
|
+
Use configured oneshot command intents when available:
|
|
152
|
+
|
|
153
|
+
- `changes_status`
|
|
154
|
+
- `changes_diff_summary`
|
|
155
|
+
- `lint`
|
|
156
|
+
- `build`
|
|
157
|
+
- `test_related`
|
|
158
|
+
- `test`
|
|
159
|
+
- `test_audit`
|
|
160
|
+
- `docs_validate_fast`
|
|
161
|
+
- `test_release`
|
|
162
|
+
- `mustflow_check`
|
|
163
|
+
|
|
164
|
+
Prefer the narrowest configured tests that cover the failing auth stage and denial behavior. Report
|
|
165
|
+
missing browser cookie, provider callback, JWKS rotation, MFA, passkey, refresh-token race, and
|
|
166
|
+
session-store integration evidence instead of inventing live auth probes.
|
|
167
|
+
|
|
168
|
+
<!-- mustflow-section: failure-handling -->
|
|
169
|
+
## Failure Handling
|
|
170
|
+
|
|
171
|
+
- If the failing auth attempt cannot be captured safely, report the missing stage evidence instead
|
|
172
|
+
of changing auth code from guesses.
|
|
173
|
+
- If sensitive values appear in evidence, stop repeating them and summarize the shape only.
|
|
174
|
+
- If fixing the failure requires external IdP console changes, provider credentials, production
|
|
175
|
+
tokens, live email or SMS delivery, or browser automation outside the command contract, report the
|
|
176
|
+
manual boundary.
|
|
177
|
+
- If configured verification fails, preserve the failing intent and output tail, then fix only the
|
|
178
|
+
localized auth stage or test contract.
|
|
179
|
+
|
|
180
|
+
<!-- mustflow-section: output-format -->
|
|
181
|
+
## Output Format
|
|
182
|
+
|
|
183
|
+
- Auth flow triaged
|
|
184
|
+
- Failing stage, sanitized attempt packet, and success comparator
|
|
185
|
+
- Cookie, proxy, redirect, provider, token, JWKS, session, refresh, logout, passkey, MFA, rate limit,
|
|
186
|
+
enumeration, and authorization-after-login findings
|
|
187
|
+
- Fix applied or recommended
|
|
188
|
+
- Evidence level: configured-test evidence, static review risk, manual-only, missing, or not
|
|
189
|
+
applicable
|
|
190
|
+
- Command intents run
|
|
191
|
+
- Skipped auth diagnostics and reasons
|
|
192
|
+
- Remaining auth-flow risk
|