mustflow 2.85.4 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/dist/cli/commands/script-pack.js +10 -0
  2. package/dist/cli/i18n/en.js +183 -0
  3. package/dist/cli/i18n/es.js +183 -0
  4. package/dist/cli/i18n/fr.js +183 -0
  5. package/dist/cli/i18n/hi.js +183 -0
  6. package/dist/cli/i18n/ko.js +183 -0
  7. package/dist/cli/i18n/zh.js +183 -0
  8. package/dist/cli/lib/script-pack-registry.js +284 -1
  9. package/dist/cli/script-packs/code-change-impact.js +6 -0
  10. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  11. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  12. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  13. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  14. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  15. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  16. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  17. package/dist/cli/script-packs/repo-version-source.js +92 -0
  18. package/dist/cli/script-packs/test-performance-report.js +247 -0
  19. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  20. package/dist/core/change-impact.js +23 -51
  21. package/dist/core/change-surface-classification.js +198 -0
  22. package/dist/core/docs-link-integrity.js +443 -0
  23. package/dist/core/import-cycle.js +152 -0
  24. package/dist/core/public-json-contracts.js +116 -0
  25. package/dist/core/repo-approval-gate.js +116 -0
  26. package/dist/core/repo-git-ignore-audit.js +302 -0
  27. package/dist/core/repo-manifest-lock-drift.js +321 -0
  28. package/dist/core/repo-merge-conflict-scan.js +335 -0
  29. package/dist/core/repo-version-source.js +82 -0
  30. package/dist/core/script-pack-suggestions.js +77 -1
  31. package/dist/core/skill-route-audit.js +354 -0
  32. package/dist/core/test-performance-report.js +697 -0
  33. package/dist/core/test-regression-selector.js +335 -0
  34. package/package.json +1 -1
  35. package/schemas/README.md +40 -2
  36. package/schemas/change-impact-report.schema.json +35 -1
  37. package/schemas/import-cycle-report.schema.json +157 -0
  38. package/schemas/link-integrity-report.schema.json +176 -0
  39. package/schemas/repo-approval-gate-report.schema.json +115 -0
  40. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  41. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  42. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  43. package/schemas/repo-version-source-report.schema.json +127 -0
  44. package/schemas/skill-route-audit-report.schema.json +144 -0
  45. package/schemas/test-performance-report.schema.json +319 -0
  46. package/schemas/test-regression-selector-report.schema.json +187 -0
  47. package/templates/default/i18n.toml +66 -18
  48. package/templates/default/locales/en/.mustflow/skills/INDEX.md +45 -8
  49. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  50. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  51. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  53. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  54. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  55. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  56. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  57. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  58. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  59. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  60. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  61. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  62. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  63. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  64. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  65. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  66. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  67. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  68. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  69. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  70. package/templates/default/locales/en/.mustflow/skills/routes.toml +54 -0
  71. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  72. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  73. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  74. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +9 -0
  75. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +14 -9
  76. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  77. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  78. package/templates/default/manifest.toml +64 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.api-access-control-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: api-access-control-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, broken authentication, tenant isolation, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and API security needs access-control review for BOLA or IDOR, object-level authorization, object-property authorization, function-level authorization, payment or refund API authorization, broken authentication, tenant isolation, effective permission decisions, role and relationship checks, mass assignment, DTO exposure, admin or internal APIs, route ordering, GraphQL resolvers, batch APIs, exports, downloads, signed URLs, cache keys, async jobs, webhooks, OAuth or OIDC, JWTs, sessions, cookies, reauthentication, reset tokens, account enumeration, automation defense, or denial-case tests.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -43,6 +43,10 @@ perform this action on this object, this field, and this tenant context?"
43
43
  exports, downloads, previews, batch APIs, background jobs, webhooks, auth middleware, sessions,
44
44
  cookies, JWTs, OAuth or OIDC flows, password reset, MFA, admin APIs, internal APIs, cache keys,
45
45
  DTO mapping, tests, or API docs.
46
+ - Payment, refund, transfer, payout, credit, entitlement, or subscription APIs need proof that the
47
+ requester may act on that specific object, amount-bearing operation, tenant, account, or current
48
+ resource state. Use `payment-integrity-review` for money-event correctness and this skill for the
49
+ API object, property, and function authorization proof.
46
50
  - A request, token, body, query string, path parameter, webhook payload, queue payload, or client
47
51
  state supplies `userId`, `accountId`, `tenantId`, `orgId`, `workspaceId`, `projectId`, `role`,
48
52
  `ownerId`, object id, file key, status, price, entitlement, plan, or other authority-bearing data.
@@ -73,6 +77,9 @@ perform this action on this object, this field, and this tenant context?"
73
77
  - Subject-object-action-context ledger: principal, session, token, API key, service account, tenant,
74
78
  organization, workspace, role, relationship, resource, object id, field or property, action,
75
79
  state, and request context.
80
+ - Decision explanation ledger: effective permission, matched policy, explicit deny, inheritance
81
+ path, policy version, data revision, token issue time, and allow or deny reason when the product
82
+ has policy-engine or audit-log support.
76
83
  - Object authorization ledger: list, detail, count, search, export, download, preview, share,
77
84
  update, delete, approve, invite, refund, transfer, admin, batch, worker, and webhook paths that
78
85
  can reach the same object.
@@ -135,101 +142,111 @@ perform this action on this object, this field, and this tenant context?"
135
142
  - `role === "admin"` is usually too small.
136
143
  - Check whether the principal is admin for this organization, owner of this project, seller for
137
144
  this order, billing admin for this account, or allowed to act in this resource state.
138
- 6. Compare list and detail scopes.
145
+ - Prefer effective-permission evidence and policy decision explanations over a raw role list.
146
+ 6. Check default-deny and explicit-deny behavior.
147
+ - No matching policy, unknown role, unknown action, malformed id, parsing failure, policy server
148
+ timeout, and policy-cache miss should not silently allow access.
149
+ - When allow and deny policies both match, the product needs a documented and tested combination
150
+ rule.
151
+ 7. Compare list and detail scopes.
139
152
  - If list filters by current user or tenant but detail, count, search, analytics, export, or
140
153
  download uses only object id, report the gap.
141
- 7. Review write APIs harder than read APIs.
154
+ 8. Review write APIs harder than read APIs.
142
155
  - `PUT`, `PATCH`, `DELETE`, approve, refund, invite, transfer, publish, restore, and role-change
143
156
  operations need write-specific permission, state, amount, and audit checks.
144
157
  - Read permission is not write permission.
145
- 8. Stop mass assignment at the boundary.
158
+ 9. Stop mass assignment at the boundary.
146
159
  - Flag request-body-to-entity binding, raw DTO persistence, GraphQL input passthrough, ORM update
147
160
  data from raw body, and blind spread or object assignment.
148
161
  - Privileged fields such as `role`, `status`, `ownerId`, `tenantId`, `isVerified`, `plan`,
149
162
  `credit`, `deletedAt`, `price`, and `quota` must be derived, guarded, or allowlisted.
150
- 9. Check response DTOs for property-level exposure.
163
+ 10. Check response DTOs for property-level exposure.
151
164
  - Entity-to-JSON responses can leak `passwordHash`, `mfaSecret`, `internalMemo`,
152
165
  `billingCustomerId`, storage keys, provider IDs, deletion reasons, or admin-only fields later.
153
166
  - Use public response mappers and role-aware field policies when field visibility differs.
154
- 10. Treat client-side admin UI as decoration.
167
+ 11. Treat client-side admin UI as decoration.
155
168
  - Hidden buttons, disabled controls, frontend routes, mobile checks, and generated clients are
156
169
  not access control.
157
170
  - Admin and support operations need server-side scope, reason, audit, and denial tests.
158
- 11. Search for temporary public holes.
171
+ 12. Search for temporary public holes.
159
172
  - Inspect `permitAll`, `anonymous`, `skipAuth`, `bypassAuth`, `public`, `internalOnly`,
160
173
  `devOnly`, `TODO auth`, debug endpoints, health endpoints with extra data, and test-only
161
174
  switches that can reach real data or operations.
162
- 12. Review router and middleware order.
175
+ 13. Review router and middleware order.
163
176
  - Dynamic routes like `/:id` can shadow `/me`, `/admin`, or `/settings`.
164
177
  - Prefix middleware can leave sibling paths, nested routers, serverless functions, or framework
165
178
  route groups unauthenticated.
166
- 13. Review GraphQL per resolver.
179
+ 14. Review GraphQL per resolver.
167
180
  - Endpoint-level auth is not enough.
168
181
  - Check `node(id)`, nested fields, connections, edges, aggregates, mutations, and field
169
182
  resolvers for object and property authorization.
170
- 14. Review batch APIs per item.
183
+ 15. Review batch APIs per item.
171
184
  - Bulk create, delete, export, import, and update endpoints must authorize every object.
172
185
  - Define whether one denied item fails the whole request, returns per-item results, or produces
173
186
  a retrievable failure report.
174
- 15. Review export, download, preview, thumbnail, and share paths.
187
+ 16. Review export, download, preview, thumbnail, and share paths.
175
188
  - CRUD may be protected while file delivery, generated previews, thumbnails, CSV exports, and
176
189
  shared links bypass the same policy.
177
- 16. Treat signed storage URLs as outputs of authorization.
190
+ 17. Treat signed storage URLs as outputs of authorization.
178
191
  - S3, GCS, R2, CDN, and private file URLs must be generated only after object authorization.
179
192
  - Check key predictability, URL lifetime, scope, content disposition, cache behavior, revocation,
180
193
  and whether direct object access bypasses policy.
181
- 17. Enforce tenant boundaries in every query and cache.
194
+ 18. Enforce tenant boundaries in every query and cache.
182
195
  - `WHERE id = ?` is weak in multi-tenant code; include tenant, membership, owner, sharing, or
183
196
  database policy constraints.
184
197
  - Cache keys for private data need tenant and permission dimensions, not just object id.
185
- 18. Revalidate asynchronous jobs.
198
+ 19. Revalidate asynchronous jobs.
186
199
  - Queue payloads with only `userId`, `tenantId`, or `fileId` can outlive permission changes.
187
200
  - Workers, retries, admin reruns, scheduled tasks, and webhook-triggered jobs need actor,
188
201
  tenant, resource, state, and current permission or service-principal checks at execution time.
189
- 19. Separate webhook authenticity from authorization.
202
+ 20. Separate webhook authenticity from authorization.
190
203
  - Signature verification proves the provider sent the event.
191
204
  - Ownership mapping proves the event belongs to this tenant, account, customer, installation,
192
205
  repository, subscription, or resource.
193
- 20. Keep OAuth and OIDC purposes distinct.
206
+ 21. Keep OAuth and OIDC purposes distinct.
194
207
  - OIDC ID tokens identify a user for login.
195
208
  - OAuth access tokens authorize delegated API access.
196
209
  - Do not use an ID token as an API permission token or an access token as a login proof without
197
210
  the appropriate validation and intent.
198
- 21. Verify JWTs completely.
211
+ 22. Verify JWTs completely.
199
212
  - Decoding is not verification.
200
213
  - Check signature, algorithm allowlist, issuer, audience, expiry, not-before when used, key
201
214
  source, key rotation, subject, tenant binding, and stale authorization claims.
202
- 22. Treat token claims as snapshots, not eternal truth.
215
+ 23. Treat token claims as snapshots, not eternal truth.
203
216
  - Long-lived `role`, `plan`, `tenantId`, and permission claims can survive demotion, removal,
204
217
  subscription cancellation, suspension, or revocation.
205
218
  - Important decisions should check current server-side state or use short-lived tokens with
206
219
  revocation strategy.
207
- 23. Regenerate session identity after privilege changes.
220
+ 24. Measure revocation and stale-permission windows.
221
+ - User removal, role demotion, organization leave, policy-version changes, subscription state
222
+ changes, and ownership transfers should say how quickly sessions, JWTs, caches, search
223
+ indexes, queued jobs, and signed URLs stop authorizing old access.
224
+ 25. Regenerate session identity after privilege changes.
208
225
  - Login, password change, MFA changes, role changes, user-to-admin transitions, and account
209
226
  recovery should rotate session identifiers or refresh tokens according to local policy.
210
- 24. Check authentication cookies.
227
+ 26. Check authentication cookies.
211
228
  - Cookies carrying session authority need `Secure`, `HttpOnly`, appropriate `SameSite`,
212
229
  domain, path, lifetime, rotation, logout, revocation, and CSRF posture.
213
230
  - Avoid URL-carried session identifiers.
214
- 25. Require reauthentication for sensitive actions.
231
+ 27. Require reauthentication for sensitive actions.
215
232
  - Password change, email change, MFA disable, payment method change, organization ownership
216
233
  transfer, API-key creation, and destructive admin actions should require fresh proof.
217
- 26. Review reset and magic-link tokens.
234
+ 28. Review reset and magic-link tokens.
218
235
  - Tokens need strong randomness, one-time use, short expiration, purpose binding, user binding,
219
236
  safe storage, link-preview protection, session invalidation where needed, and no reuse across
220
237
  unrelated flows.
221
- 27. Compare account-enumeration responses.
238
+ 29. Compare account-enumeration responses.
222
239
  - Login, signup, password reset, magic link, invitation, and email verification should avoid
223
240
  leaking account existence through message, status, timing, or email-sending behavior unless
224
241
  product policy accepts that disclosure.
225
- 28. Treat automation defense as part of authentication.
242
+ 30. Treat automation defense as part of authentication.
226
243
  - Login, OTP, magic link, password reset, invite acceptance, coupon application, email
227
244
  verification, and MFA attempts need rate limits, lockouts, challenge policy, IP/device/user
228
245
  dimensions, and observability.
229
- 29. Separate internal and external identity planes.
246
+ 31. Separate internal and external identity planes.
230
247
  - Backoffice, operator, database, middleware, and support accounts should not flow through the
231
248
  same customer login path unless the product intentionally models and audits that boundary.
232
- 30. Test the denial matrix.
249
+ 32. Test the denial matrix.
233
250
  - Success tests prove little.
234
251
  - For each protected resource, cover anonymous, normal user, other owner, same organization
235
252
  different role, other tenant, admin wrong tenant, revoked user, suspended member, stale token,
@@ -240,6 +257,8 @@ perform this action on this object, this field, and this tenant context?"
240
257
 
241
258
  - The API access-control decision names subject, object, action, field or property, tenant or owner,
242
259
  current state, and trusted context when those apply.
260
+ - Effective permission, matched policy, explicit deny, inheritance path, policy version, data
261
+ revision, token issue time, and revocation window are checked or named as gaps when relevant.
243
262
  - Authentication, object authorization, property authorization, and function authorization are not
244
263
  collapsed into one route guard.
245
264
  - Client-supplied identity and authority fields are either ignored, verified against server-side
@@ -287,6 +306,8 @@ and account-enumeration response parity.
287
306
 
288
307
  - API access control reviewed
289
308
  - Subject, object, action, field, tenant or owner, state, and trusted context
309
+ - Effective permission, decision explanation, policy version, data revision, token age, and
310
+ revocation-window findings
290
311
  - Object, property, and function authorization findings
291
312
  - Authentication, session, token, cookie, OAuth/OIDC, reset, reauthentication, enumeration, and
292
313
  automation findings
@@ -0,0 +1,270 @@
1
+ ---
2
+ mustflow_doc: skill.api-failure-triage
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: api-failure-triage
9
+ description: Apply this skill when an API request, SDK call, webhook callback, browser request, mobile call, gateway route, CORS preflight, CDN or load-balancer path, upstream dependency call, or OpenAPI-backed integration is failing, intermittent, slow, returning the wrong status or body, blocked by authentication or authorization, rate-limited, retried, cached incorrectly, or not yet localized to client, network, proxy, app, database, cache, provider, or deployment configuration. Use before api-request-performance-review when the first job is to preserve the failing wire evidence and cut the failure boundary.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.api-failure-triage
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # API Failure Triage
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Triage API failures by preserving the actual request and cutting the path boundary before editing
33
+ code.
34
+
35
+ The first question is not "which log looks suspicious?" It is "what bytes left the caller, what
36
+ bytes came back, which boundary changed them, and what evidence would disprove each hypothesis?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - A user reports that an API call, SDK request, browser request, mobile request, webhook callback,
42
+ backend-for-frontend path, gateway route, CDN path, load-balancer path, or provider integration is
43
+ failing or intermittent.
44
+ - The failure is not yet localized to client code, DNS, TCP, TLS, proxy, CORS preflight, redirect,
45
+ gateway, app handler, database, cache, external provider, rate limiter, retry policy, auth,
46
+ deployment configuration, or OpenAPI drift.
47
+ - Code or docs claim an API failure is a network issue, CORS issue, server issue, auth issue, cache
48
+ issue, provider issue, or retry issue without preserved wire evidence.
49
+ - A fix might otherwise start from logs, framework assumptions, SDK behavior, browser console text,
50
+ or a broad search before one failing request is captured.
51
+
52
+ <!-- mustflow-section: do-not-use-when -->
53
+ ## Do Not Use When
54
+
55
+ - The failing request is already reproduced and the root cause is clear enough for a targeted fix;
56
+ use the narrower code, API contract, cache, retry, auth, database, or failure-integrity skill.
57
+ - The task is only per-request latency optimization after the API path is known; use
58
+ `api-request-performance-review`.
59
+ - The task is only public error wording or error-envelope cleanup; use
60
+ `error-message-integrity-review`.
61
+ - The task is only observability design with no current API failure to localize; use
62
+ `observability-debuggability-review`.
63
+ - Reproduction requires live production secrets, destructive calls, real payments, real user data,
64
+ private logs, or unconfigured external systems. Preserve available static evidence and report the
65
+ manual boundary instead.
66
+
67
+ <!-- mustflow-section: required-inputs -->
68
+ ## Required Inputs
69
+
70
+ - Failure packet: observed time and timezone, request id or trace id when present, caller, client or
71
+ SDK version, API version, method, URL route template, sanitized headers, sanitized body shape,
72
+ status code, response headers, response body shape, total latency, and retry or redirect behavior.
73
+ - Success comparator: a nearby successful request, previous working version, same request with one
74
+ dimension changed, or a documented expected request shape.
75
+ - Boundary ledger: client, browser preflight, SDK middleware, DNS, TCP, TLS, proxy, CDN, WAF,
76
+ gateway, load balancer, app, queue, database, cache, external provider, and response serialization
77
+ boundaries relevant to the path.
78
+ - Timing ledger: name lookup, connection, TLS, first byte, total transfer, app handler time, queue
79
+ time, pool wait, database time, cache time, external dependency time, serialization time, and
80
+ download time when evidence exists.
81
+ - Contract ledger: HTTP method, redirect behavior, content negotiation, content type, encoding,
82
+ status code semantics, error envelope, retryability, idempotency, rate-limit headers, cache
83
+ headers, OpenAPI or generated-client contract, and deployment version.
84
+ - Auth ledger: credential presence, token expiry and not-before time, signature timestamp, clock
85
+ skew, user or service principal, object authorization, tenant scope, and proxy header preservation.
86
+ - Change ledger: deploy, config, secret, feature flag, routing rule, schema migration, provider
87
+ version, generated client, cache policy, rate-limit policy, and environment difference near the
88
+ first bad time.
89
+ - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
90
+ validation.
91
+
92
+ <!-- mustflow-section: preconditions -->
93
+ ## Preconditions
94
+
95
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
96
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
97
+ current scope.
98
+ - Required request, response, boundary, timing, contract, auth, and change evidence is available or
99
+ can be reported as missing without guessing.
100
+ - If the preserved evidence exposes secrets, tokens, cookies, personal data, payment data, private
101
+ URLs, raw bodies, or hidden reasoning, summarize and redact rather than copying it into docs,
102
+ tests, logs, commits, or final reports.
103
+
104
+ <!-- mustflow-section: allowed-edits -->
105
+ ## Allowed Edits
106
+
107
+ - Add or tighten request parsing, content-type handling, status mapping, Problem Details or local
108
+ error-envelope mapping, request ID propagation, trace context, auth checks, proxy header handling,
109
+ timeout classification, retry and idempotency classification, rate-limit response handling, cache
110
+ header handling, OpenAPI contract tests, deployment config comparison tests, and focused
111
+ reproduction fixtures.
112
+ - Add focused tests that preserve the failing wire shape, success/failure comparator, status and
113
+ body contract, auth boundary, retryability, cache behavior, OpenAPI drift, or deployment config
114
+ difference.
115
+ - Do not add broad retries, blanket cache bypasses, CORS wildcards, auth bypasses, status-code
116
+ remapping, proxy header trust, live provider calls, raw production log dumps, or speculative
117
+ framework rewrites before the failing boundary is localized.
118
+ - Do not treat browser console text, SDK exception text, status code alone, or application logs alone
119
+ as the failing request evidence.
120
+
121
+ <!-- mustflow-section: procedure -->
122
+ ## Procedure
123
+
124
+ 1. Preserve one failing request packet.
125
+ - Record method, route template, sanitized headers, sanitized body shape, status, response
126
+ headers, response body shape, total latency, request id, trace id, caller version, API version,
127
+ and observed time basis.
128
+ - If the failure is intermittent, keep the first bad time and a small sample of failing and
129
+ successful packets rather than a raw log dump.
130
+ 2. Compare success and failure at the wire boundary.
131
+ - Compare actual transmitted method, URL encoding, query order and defaults, headers, cookies,
132
+ body shape, null versus empty string, array order, content type, accept header, charset, API
133
+ version, and redirect path.
134
+ - Do not compare only source code or SDK call arguments because middleware, retries, proxies,
135
+ redirects, and defaults can rewrite the request.
136
+ 3. Cut the path into boundaries.
137
+ - Check whether the request reaches each boundary: client, preflight, SDK, DNS, TCP, TLS, proxy,
138
+ CDN, WAF, gateway, load balancer, app handler, queue, database, cache, external provider, and
139
+ response serializer.
140
+ - Prefer evidence that halves the search space. If the app never sees the request, app logs are
141
+ not the first evidence source.
142
+ 4. Split timing before assigning blame.
143
+ - Separate name lookup, connection, TLS, first byte, total download, app handler time, queue time,
144
+ pool wait, database time, cache time, external dependency time, serialization time, and payload
145
+ transfer when available.
146
+ - Average latency is weak evidence. Use endpoint, status, region, client, API version, and
147
+ percentile slices when telemetry exists.
148
+ 5. Check browser-only failures separately.
149
+ - For browser-only symptoms, inspect preflight, allowed method, allowed headers, credentials
150
+ mode, redirect behavior, and whether the failing request happens before the real method is sent.
151
+ - For server-to-server failures, do not diagnose CORS unless a browser boundary is actually
152
+ involved.
153
+ 6. Check redirect and proxy mutation.
154
+ - Verify whether redirects change method, body, host, scheme, authorization, cookies, or signed
155
+ headers.
156
+ - Verify whether proxies preserve `Authorization`, `Host`, forwarded headers, request ids,
157
+ trace context, content length, idempotency keys, and rate-limit headers according to local
158
+ trust policy.
159
+ 7. Check status, body, and content-type consistency.
160
+ - A `200` response with an error body, a `500` for caller validation, a hidden `404` for auth,
161
+ or a JSON content type with an HTML error body can break clients and monitoring.
162
+ - Map API errors to stable codes, request IDs, invalid fields, retryability, and safe support
163
+ evidence when the local contract supports it.
164
+ 8. Split authentication from authorization.
165
+ - Verify credentials were sent, valid, not expired, and signed against the expected time basis.
166
+ - Separately verify whether the authenticated principal can access the target object, property,
167
+ tenant, or function.
168
+ - Treat "same token, different resource id returns another user's data" as an access-control
169
+ incident, not ordinary debugging.
170
+ 9. Check clock and signature time.
171
+ - Review token `exp` or `nbf`, signed request timestamps, webhook timestamps, cache expiry, rate
172
+ limit windows, and server/client clock skew when the failure is intermittent or boundary-time
173
+ sensitive.
174
+ 10. Check retry, timeout, rate limit, and idempotency.
175
+ - Separate connect, TLS, first-byte, read, write, dependency, pool, and total-deadline failures
176
+ when evidence exists.
177
+ - Confirm retries are bounded, jittered, scoped to one layer, and safe for the operation.
178
+ - For side-effecting requests, require a durable idempotency key and result replay or unknown
179
+ outcome reconciliation before retrying.
180
+ - Preserve `429`, rate-limit policy, and retry-after semantics instead of turning throttling into
181
+ generic server failure.
182
+ 11. Check cache and content negotiation.
183
+ - Compare cached and cache-bypassed behavior when allowed by the current command and environment
184
+ boundary.
185
+ - Inspect cache-control, validators, age, vary dimensions, authorization or cookie variance,
186
+ API version, language, query dimensions, and stale or negative-cache behavior.
187
+ 12. Check app-internal cost and dependency fan-out only after the request reaches the app.
188
+ - If the app receives the request, build a compact cost ledger for database, cache, external API,
189
+ serialization, compression, and response size.
190
+ - Use `api-request-performance-review`, database, cache, retry, queue, or observability skills
191
+ for the localized subproblem.
192
+ 13. Check OpenAPI and generated-client drift.
193
+ - Compare deployed behavior with the documented contract: required fields, nullability, enum
194
+ values, status codes, headers, content type, and error envelope.
195
+ - Treat generated client, SDK, or schema drift as a contract issue even when the server and
196
+ client each look locally correct.
197
+ 14. Check deployment and environment diffs.
198
+ - Near the first bad time, compare release id, config, secret names, routing rules, feature
199
+ flags, provider account, migration state, cache policy, rate-limit policy, and generated
200
+ artifacts.
201
+ - Do not blame code before environment and route changes are ruled in or out.
202
+ 15. Maintain a hypothesis table.
203
+ - For each hypothesis, write the expected evidence and the observation that would disprove it.
204
+ - Kill wrong hypotheses quickly. Long log reading without a falsifiable hypothesis is not
205
+ progress.
206
+ 16. Apply the smallest localized fix.
207
+ - Once the boundary is proven, switch to the specific skill for that boundary and edit only the
208
+ owning code, contract, test, doc, template, or config surface.
209
+ - Re-run the original reproduction path or the closest configured intent after the fix.
210
+
211
+ <!-- mustflow-section: postconditions -->
212
+ ## Postconditions
213
+
214
+ - The failing request packet, success comparator, boundary ledger, timing ledger, contract ledger,
215
+ auth ledger, and change ledger are explicit or reported as missing.
216
+ - The failure is localized to a boundary or left as a named evidence gap instead of a guessed cause.
217
+ - Status/body/content-type, CORS/preflight, redirects, proxy headers, authn/authz, clock skew,
218
+ timeout/retry/rate-limit/idempotency, cache headers, OpenAPI drift, and deployment diffs are fixed
219
+ or reported where relevant.
220
+ - Any follow-up skill is selected because the boundary is now localized, not because the first guess
221
+ sounded plausible.
222
+
223
+ <!-- mustflow-section: verification -->
224
+ ## Verification
225
+
226
+ Use configured oneshot command intents when available:
227
+
228
+ - `changes_status`
229
+ - `changes_diff_summary`
230
+ - `lint`
231
+ - `build`
232
+ - `test_related`
233
+ - `test`
234
+ - `docs_validate_fast`
235
+ - `test_release`
236
+ - `mustflow_check`
237
+
238
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
239
+ localized API failure boundary. Do not infer raw servers, live providers, database shells, browser
240
+ sessions, packet captures, production logs, load tests, profilers, or network probes outside the
241
+ command contract.
242
+
243
+ <!-- mustflow-section: failure-handling -->
244
+ ## Failure Handling
245
+
246
+ - If the failing request packet cannot be captured, stop speculative edits and report the closest
247
+ safe evidence plus the missing packet fields.
248
+ - If evidence contains secrets or personal data, redact before storing or reporting it.
249
+ - If boundary evidence requires live production access, private dashboards, external provider
250
+ consoles, or unconfigured network diagnostics, report the manual evidence boundary.
251
+ - If a configured command fails, preserve the failing intent and output tail, then fix only the API
252
+ boundary or contract exercised by that failure.
253
+ - If the root cause points to security, payment, rate limit, cache, retry, queue, or deployment risk,
254
+ switch to the narrower matching skill before editing that part.
255
+
256
+ <!-- mustflow-section: output-format -->
257
+ ## Output Format
258
+
259
+ - API failure triaged
260
+ - Failing request packet and success comparator, with redactions
261
+ - Boundary and timing ledger
262
+ - Status/body/content-type, CORS/preflight, redirect/proxy, authn/authz, clock, retry/timeout,
263
+ rate-limit/idempotency, cache, OpenAPI, and deployment-diff findings
264
+ - Hypotheses killed, still open, and selected localized boundary
265
+ - Fix applied or recommended
266
+ - Evidence level: reproduced packet, comparator evidence, configured-test evidence, static review
267
+ risk, manual-only, missing, or not applicable
268
+ - Command intents run
269
+ - Skipped diagnostics and reasons
270
+ - Remaining API-failure risk
@@ -0,0 +1,192 @@
1
+ ---
2
+ mustflow_doc: skill.auth-flow-triage
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: auth-flow-triage
9
+ description: Apply this skill when login, signup, logout, session refresh, OAuth or OIDC redirect, PKCE, nonce, state, passkey, MFA, password reset, magic link, cookie, JWT, token exchange, JWKS, IdP callback, account linking, or authorization-after-login behavior is failing, intermittent, browser-only, client-specific, or not yet localized to identity, cookie, token, proxy, session store, provider, clock, rate limit, or permission policy.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.auth-flow-triage
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # Auth Flow Triage
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Localize authentication-flow failures without collapsing identity proof, session issuance, token
34
+ validation, browser cookie behavior, external provider callbacks, MFA, and authorization into one
35
+ "login is broken" bucket.
36
+
37
+ <!-- mustflow-section: use-when -->
38
+ ## Use When
39
+
40
+ - Login, signup, logout, refresh, password reset, magic link, MFA, passkey, OAuth, OIDC, SAML-like
41
+ handoff, API-key login, or account-linking behavior fails or behaves differently across clients.
42
+ - A user appears authenticated on one boundary but logged out, forbidden, redirected, or assigned to
43
+ the wrong account on another boundary.
44
+ - The failure may involve cookies, SameSite, CORS credentials, CSRF, proxy headers, redirect URI,
45
+ state, nonce, PKCE, authorization code exchange, JWT claims, JWKS rotation, refresh token
46
+ rotation, session storage, account lockout, rate limit, IdP metadata, passkeys, OTP, clocks, or
47
+ authorization after login.
48
+ - The task is to diagnose or review an auth failure before the exact code owner is known.
49
+
50
+ <!-- mustflow-section: do-not-use-when -->
51
+ ## Do Not Use When
52
+
53
+ - The change is already localized to implementing or changing the permission model; use
54
+ `auth-permission-change`.
55
+ - The task is specifically API object, property, or function authorization review; use
56
+ `api-access-control-review`.
57
+ - The task is only generic API failure triage before any auth-specific signal exists; use
58
+ `api-failure-triage`.
59
+ - The task asks for live credential testing, brute force, phishing simulation, or production token
60
+ collection. Stay within defensive code review, sanitized traces, and configured tests.
61
+
62
+ <!-- mustflow-section: required-inputs -->
63
+ ## Required Inputs
64
+
65
+ - Auth attempt packet: observed time, timezone, trace or request id, client type, route, sanitized
66
+ request and response shape, redirect chain, status codes, user-facing message class, and result.
67
+ - Stage ledger: user lookup, credential verification, external provider round trip, callback,
68
+ token exchange, session issue, cookie write, redirect, authorization decision, and logout or
69
+ revocation when relevant.
70
+ - Token and session ledger: session id hash, token type, issuer, audience, subject, `jti`, `iat`,
71
+ `nbf`, `exp`, key id, refresh-token family state, cookie attributes, session-store key, and
72
+ revocation or rotation state.
73
+ - Browser and proxy ledger: origin, host, forwarded proto and host, redirect URI, cookie domain and
74
+ path, SameSite, Secure, HttpOnly, CORS credentials, CSRF token, and proxy trust boundary.
75
+ - Provider ledger: IdP issuer, discovery metadata, JWKS URI, registered redirect URIs, client id,
76
+ PKCE method, state, nonce, passkey RP ID, WebAuthn origin, MFA method, and provider error class.
77
+ - Denial and privacy ledger: enumeration policy, lockout or rate-limit decision, internal result
78
+ code, public error message, redaction boundary, and denial-case tests.
79
+
80
+ <!-- mustflow-section: preconditions -->
81
+ ## Preconditions
82
+
83
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
84
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked.
85
+ - Secrets, tokens, OTPs, passwords, cookies, raw provider payloads, personal identifiers, and private
86
+ callback URLs are redacted before being written into docs, tests, commits, or reports.
87
+
88
+ <!-- mustflow-section: allowed-edits -->
89
+ ## Allowed Edits
90
+
91
+ - Add or tighten stage-specific result codes, safe trace ids, token validation, cookie settings,
92
+ proxy trust handling, redirect URI checks, PKCE, state, nonce, JWKS refresh behavior, session
93
+ rotation, refresh-token serialization, account-linking checks, passkey origin checks, MFA tests,
94
+ redaction, docs, fixtures, and denial-case tests.
95
+ - Add focused tests that reproduce the sanitized failure stage, token claim mismatch, cookie
96
+ behavior, callback binding, refresh-token race, session fixation boundary, or account-linking
97
+ policy.
98
+ - Do not add auth bypasses, broad CORS wildcards, loose redirect matching, disabled TLS checks,
99
+ widened clock skew, token logging, provider-console assumptions, or live credential probes.
100
+
101
+ <!-- mustflow-section: procedure -->
102
+ ## Procedure
103
+
104
+ 1. Split the symptom by stage before editing: user lookup, credential or passkey verification,
105
+ provider redirect, callback validation, token exchange, session issue, cookie persistence,
106
+ refresh, logout, and authorization-after-login.
107
+ 2. Preserve one sanitized failing attempt plus one success comparator. Compare the actual redirect
108
+ chain, cookies sent and set, status codes, provider error class, token type, and client version.
109
+ 3. Keep public and internal errors separate. Public messages should avoid account enumeration;
110
+ internal evidence should keep stable reason codes such as missing user, credential mismatch,
111
+ disabled account, MFA required, token expired, nonce mismatch, PKCE mismatch, and policy denied.
112
+ 4. Verify clocks before treating tokens as bad. Compare server epoch, token `iat`, `nbf`, `exp`,
113
+ OTP window, signed request timestamp, certificate validity, and applied clock skew.
114
+ 5. For browser-only failures, check actual cookie attributes, CORS credential behavior, CSRF,
115
+ redirect handling, preflight, duplicate cookie names, and whether the callback writes the cookie
116
+ on the host and path the app later uses.
117
+ 6. For proxy-backed apps, verify trusted forwarded headers, external URL calculation, secure cookie
118
+ detection, host allowlists, and callback URL generation. Do not trust arbitrary forwarded headers.
119
+ 7. For OAuth or OIDC, compare the exact registered and transmitted redirect URI, issuer, discovery
120
+ metadata, client id, state, nonce, PKCE method, code-verifier binding, token endpoint, and JWKS.
121
+ 8. For token validation, check signature, algorithm allowlist, key id refresh, issuer, audience,
122
+ authorized party when needed, subject, expiry, not-before, nonce, token type, and stale role or
123
+ permission claims.
124
+ 9. For refresh and logout failures, separate local cookie deletion, server session revocation,
125
+ refresh-token family state, access-token lifetime, IdP SSO session, and provider logout.
126
+ 10. For passkeys and MFA, check challenge one-time use, origin, RP ID, credential id, user handle,
127
+ user-verification flags, OTP reuse, recovery path, reauthentication, and registration or removal
128
+ policy.
129
+ 11. For account linking, use provider `issuer + subject` as the external identity key. Treat email
130
+ equality as weak evidence that requires an authenticated linking flow.
131
+ 12. If authentication succeeds but the user is still blocked, switch to `auth-permission-change` or
132
+ `api-access-control-review` and inspect tenant, resource, role, scope, stale cache, and token
133
+ claim freshness.
134
+ 13. Apply the smallest localized fix and rerun the narrowest configured intent that covers the
135
+ affected auth stage, denial case, docs, template, or package surface.
136
+
137
+ <!-- mustflow-section: postconditions -->
138
+ ## Postconditions
139
+
140
+ - The failing auth stage is localized or named as an evidence gap.
141
+ - Public error wording, internal reason codes, trace ids, session or token identifiers, and redaction
142
+ boundaries are explicit.
143
+ - Cookie, proxy, redirect, token, JWKS, provider metadata, passkey, MFA, refresh, logout, rate limit,
144
+ and authorization-after-login checks are fixed or reported where relevant.
145
+ - Any permission follow-up is routed to the narrower access-control skill instead of hidden inside
146
+ login debugging.
147
+
148
+ <!-- mustflow-section: verification -->
149
+ ## Verification
150
+
151
+ Use configured oneshot command intents when available:
152
+
153
+ - `changes_status`
154
+ - `changes_diff_summary`
155
+ - `lint`
156
+ - `build`
157
+ - `test_related`
158
+ - `test`
159
+ - `test_audit`
160
+ - `docs_validate_fast`
161
+ - `test_release`
162
+ - `mustflow_check`
163
+
164
+ Prefer the narrowest configured tests that cover the failing auth stage and denial behavior. Report
165
+ missing browser cookie, provider callback, JWKS rotation, MFA, passkey, refresh-token race, and
166
+ session-store integration evidence instead of inventing live auth probes.
167
+
168
+ <!-- mustflow-section: failure-handling -->
169
+ ## Failure Handling
170
+
171
+ - If the failing auth attempt cannot be captured safely, report the missing stage evidence instead
172
+ of changing auth code from guesses.
173
+ - If sensitive values appear in evidence, stop repeating them and summarize the shape only.
174
+ - If fixing the failure requires external IdP console changes, provider credentials, production
175
+ tokens, live email or SMS delivery, or browser automation outside the command contract, report the
176
+ manual boundary.
177
+ - If configured verification fails, preserve the failing intent and output tail, then fix only the
178
+ localized auth stage or test contract.
179
+
180
+ <!-- mustflow-section: output-format -->
181
+ ## Output Format
182
+
183
+ - Auth flow triaged
184
+ - Failing stage, sanitized attempt packet, and success comparator
185
+ - Cookie, proxy, redirect, provider, token, JWKS, session, refresh, logout, passkey, MFA, rate limit,
186
+ enumeration, and authorization-after-login findings
187
+ - Fix applied or recommended
188
+ - Evidence level: configured-test evidence, static review risk, manual-only, missing, or not
189
+ applicable
190
+ - Command intents run
191
+ - Skipped auth diagnostics and reasons
192
+ - Remaining auth-flow risk