mustflow 2.85.4 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/dist/cli/commands/script-pack.js +10 -0
  2. package/dist/cli/i18n/en.js +183 -0
  3. package/dist/cli/i18n/es.js +183 -0
  4. package/dist/cli/i18n/fr.js +183 -0
  5. package/dist/cli/i18n/hi.js +183 -0
  6. package/dist/cli/i18n/ko.js +183 -0
  7. package/dist/cli/i18n/zh.js +183 -0
  8. package/dist/cli/lib/script-pack-registry.js +284 -1
  9. package/dist/cli/script-packs/code-change-impact.js +6 -0
  10. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  11. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  12. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  13. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  14. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  15. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  16. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  17. package/dist/cli/script-packs/repo-version-source.js +92 -0
  18. package/dist/cli/script-packs/test-performance-report.js +247 -0
  19. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  20. package/dist/core/change-impact.js +23 -51
  21. package/dist/core/change-surface-classification.js +198 -0
  22. package/dist/core/docs-link-integrity.js +443 -0
  23. package/dist/core/import-cycle.js +152 -0
  24. package/dist/core/public-json-contracts.js +116 -0
  25. package/dist/core/repo-approval-gate.js +116 -0
  26. package/dist/core/repo-git-ignore-audit.js +302 -0
  27. package/dist/core/repo-manifest-lock-drift.js +321 -0
  28. package/dist/core/repo-merge-conflict-scan.js +335 -0
  29. package/dist/core/repo-version-source.js +82 -0
  30. package/dist/core/script-pack-suggestions.js +77 -1
  31. package/dist/core/skill-route-audit.js +354 -0
  32. package/dist/core/test-performance-report.js +697 -0
  33. package/dist/core/test-regression-selector.js +335 -0
  34. package/package.json +1 -1
  35. package/schemas/README.md +40 -2
  36. package/schemas/change-impact-report.schema.json +35 -1
  37. package/schemas/import-cycle-report.schema.json +157 -0
  38. package/schemas/link-integrity-report.schema.json +176 -0
  39. package/schemas/repo-approval-gate-report.schema.json +115 -0
  40. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  41. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  42. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  43. package/schemas/repo-version-source-report.schema.json +127 -0
  44. package/schemas/skill-route-audit-report.schema.json +144 -0
  45. package/schemas/test-performance-report.schema.json +319 -0
  46. package/schemas/test-regression-selector-report.schema.json +187 -0
  47. package/templates/default/i18n.toml +66 -18
  48. package/templates/default/locales/en/.mustflow/skills/INDEX.md +45 -8
  49. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  50. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  51. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  53. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  54. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  55. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  56. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  57. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  58. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  59. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  60. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  61. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  62. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  63. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  64. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  65. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  66. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  67. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  68. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  69. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  70. package/templates/default/locales/en/.mustflow/skills/routes.toml +54 -0
  71. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  72. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  73. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  74. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +9 -0
  75. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +14 -9
  76. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  77. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  78. package/templates/default/manifest.toml +64 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.auth-permission-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: auth-permission-change
9
- description: Apply this skill when authentication, authorization, permissions, roles, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
9
+ description: Apply this skill when authentication, authorization, permissions, roles, effective permissions, policy decisions, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -54,11 +54,20 @@ Authentication answers who the requester is. Authorization answers what that pri
54
54
  ## Required Inputs
55
55
 
56
56
  - Changed files, user goal, affected actors, protected resources, actions, tenants, roles, and status-code expectations.
57
+ - Permission decision tuple for each changed protected action: subject, action, object, tenant or
58
+ organization, relationship path, request environment, policy version, data revision, token issue
59
+ time, and final allow or deny reason.
60
+ - Effective-permission evidence, not only role names: computed capabilities, inherited
61
+ relationships, explicit denies, wildcard policies, policy-combination rules, and default-deny
62
+ behavior.
57
63
  - Auth middleware, framework hooks, gateway checks, session config, cookie config, JWT verifier, OAuth/OIDC callback, API key verifier, and logout or revocation code when relevant.
58
64
  - Route guards, client guards, server controllers, resolvers, command handlers, services, policy functions, role or permission tables, database queries, RLS, views, stored procedures, and ORM scopes.
59
65
  - Tenant, organization, workspace, project, membership, invite, suspension, ownership, sharing, and admin-support data models.
60
66
  - Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, SSE or streaming channels, WebTransport sessions, WebSocket fallback, CDN cache, proxy cache, and permission caches when they can expose protected data.
61
67
  - Audit logs, admin action logs, impersonation records, denied-access logs, API docs, role matrix docs, migrations, and tests.
68
+ - Revocation and cache evidence: token claim freshness, session lifetime, permission-cache key and
69
+ TTL, policy replication delay, search-index or export lag, stale queue payloads, and rollback or
70
+ shadow-evaluation behavior when policy changes.
62
71
  - Configured verification intents.
63
72
 
64
73
  <!-- mustflow-section: preconditions -->
@@ -92,31 +101,58 @@ Authentication answers who the requester is. Authorization answers what that pri
92
101
  - database queries, tenant scopes, ownership joins, soft-delete filters, RLS, views, stored procedures, and ORM helpers;
93
102
  - background jobs, queues, webhooks, import/export, file storage, signed URLs, SSE or streaming channels, WebTransport sessions, WebSocket fallback, search, autocomplete, caches, CDN or proxy cache rules, audit logs, docs, migrations, and tests.
94
103
  3. Write the permission decision inputs for each protected action: principal, tenant, resource, action, and context.
95
- 4. Separate identity from permission:
104
+ 4. Freeze the authorization decision tuple.
105
+ - Record subject, action, object, tenant, environment, policy version, data revision, token issue
106
+ time, matched policy, inheritance path, and final allow or deny reason.
107
+ - A role label is not the decision. Use effective permissions and relationship paths.
108
+ 5. Separate identity from permission:
96
109
  - `req.user`, a valid session, verified email, valid JWT, OAuth scope, or API key proves identity only;
97
110
  - owner, active member, org admin, global admin, support user, service account, API client, and shared-link viewer need separate authorization rules.
98
- 5. Prefer one central policy shape, such as a `can(principal, action, resource, context)` function, over route-local `isAdmin`, `isOwner`, or `isMember` fragments.
99
- 6. Enforce deny by default. New roles, actions, resource types, tenant types, sharing modes, and admin paths must deny until explicitly allowed.
100
- 7. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
101
- 8. Load resources safely before final authorization:
111
+ 6. Prefer one central policy shape, such as a `can(principal, action, resource, context)` function, over route-local `isAdmin`, `isOwner`, or `isMember` fragments.
112
+ 7. Require explainable policy decisions.
113
+ - A production-supportable permission engine should expose which policy matched, which condition
114
+ failed, which inherited relationship granted access, and whether an explicit deny won.
115
+ - If the implementation cannot explain allow or deny decisions, report observability risk before
116
+ claiming the policy is maintainable.
117
+ 8. Enforce deny by default. New roles, actions, resource types, tenant types, sharing modes, and admin paths must deny until explicitly allowed.
118
+ 9. Define policy-combination semantics. Check whether multiple policies combine by union,
119
+ intersection, priority, explicit deny, boundary policy, or tenant override; write tests for
120
+ allow-plus-deny and no-match cases.
121
+ 10. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
122
+ 11. Load resources safely before final authorization:
102
123
  - include tenant, membership, owner, sharing, and soft-delete constraints in the resource lookup when possible;
103
124
  - when existence must be hidden, keep wrong-tenant and missing-resource behavior consistent with the project's 404 policy.
104
- 9. Check multi-tenant risks:
125
+ 12. Check multi-tenant risks:
105
126
  - body, query, header, path, JWT claim, or local storage tenant ids must not become trusted tenant context;
106
127
  - tenant-scoped queries must include tenant or membership constraints;
107
128
  - pending, suspended, removed, revoked, deleted, disabled, and invited states must not be treated as active access;
108
129
  - shared links, exports, signed URLs, previews, search, cache, and CDN entries must stay inside the permission model.
109
130
  - event streams, WebTransport sessions, WebSocket fallback channels, private downloads, and reconnect URLs must not bypass tenant, resource, role, token expiry, or revocation policy.
110
- 10. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
131
+ 13. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
111
132
  - sessions need expiry, refresh, rotation, logout, revocation, cookie flags, and CSRF posture;
112
133
  - JWTs need signature verification, algorithm allowlist, issuer, audience, subject, expiry, not-before, key rotation, and stale-claim handling;
113
134
  - OAuth/OIDC needs exact redirect binding, state, nonce, PKCE when relevant, provider account binding, and safe account linking;
114
135
  - API keys need hashing, prefix-only display, owner type, scope, tenant/resource constraints, expiry, rotation, revocation, last-used, rate limit, and audit.
115
- 11. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
136
+ 14. Check permission creators more strictly than ordinary permissions.
137
+ - Role creation, role assignment, invitation, service-account issuance, API-key creation,
138
+ impersonation, support access, and token minting are privilege factories.
139
+ - A low-privilege actor that can attach a high privilege to itself collapses the whole model.
140
+ 15. Check revocation time.
141
+ - Demotion, removal, suspension, role deletion, membership expiry, subscription cancellation,
142
+ and ownership transfer should say how long old sessions, JWT claims, caches, search indexes,
143
+ queued jobs, and replicas can keep authorizing the old state.
144
+ - Sensitive actions need server-side recheck, short-lived tokens, revocation lists, or policy
145
+ version gates when stale tokens would be harmful.
146
+ 16. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
116
147
  - For credentialed delivery surfaces, check whether EventSource can supply the intended credentials, whether CORS and cookies match the policy, whether signed URLs expire and scope correctly, and whether caches vary on auth, tenant, and private response dimensions.
117
- 12. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale cache, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
118
- 13. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
119
- 14. Report the policy source of truth, server/database enforcement, client UX-only guards, test coverage, skipped checks, and remaining permission risk.
148
+ 17. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale token, stale cache, unknown role, unknown action, wildcard policy, explicit deny, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
149
+ 18. When changing policies, consider shadow evaluation.
150
+ - Compute old and new decisions side by side for representative requests before flipping broad
151
+ policy changes when the product has the infrastructure to do so.
152
+ - Log policy version and data revision for both decisions without exposing secrets or sensitive
153
+ object contents.
154
+ 19. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
155
+ 20. Report the policy source of truth, effective-permission evidence, decision explanation, server/database enforcement, client UX-only guards, revocation window, test coverage, skipped checks, and remaining permission risk.
120
156
 
121
157
  ## Boundary Rules
122
158
 
@@ -127,6 +163,10 @@ Authentication answers who the requester is. Authorization answers what that pri
127
163
  - Admin is scoped. Global admin, org admin, project admin, billing admin, support, and impersonating admin are different roles and need different audit and action rules.
128
164
  - Owner is not a wildcard permission. Owners may still lack delete, export, invite, transfer, billing, or admin powers.
129
165
  - API keys are principals with scopes and owners, not user sessions with unlimited power.
166
+ - Wildcard permissions are future permissions. Adding a new action under an old wildcard should be
167
+ treated as a permission expansion and reviewed accordingly.
168
+ - Unknown roles, unknown actions, malformed identifiers, and missing relationship data deny by
169
+ default; they are not normalized into a normal user path.
130
170
 
131
171
  ## Strongly Forbidden Patterns
132
172
 
@@ -142,6 +182,9 @@ Authentication answers who the requester is. Authorization answers what that pri
142
182
  - Changing 403 to 404, or 404 to 403, without naming the information-disclosure policy.
143
183
  - Relaxing permissions without denial-case tests or a written migration and audit plan.
144
184
  - Letting role changes ship without permission-cache or token-staleness handling.
185
+ - Shipping a permission engine that cannot explain why a request was allowed or denied.
186
+ - Treating an effective-permission bug as solved because the `role` column looks correct.
187
+ - Treating token-embedded roles as fresh after demotion, removal, or policy version changes.
145
188
  - Creating shared links, signed URLs, exports, search results, or CDN responses outside tenant and resource policy.
146
189
  - Creating credentialed event streams, WebTransport sessions, WebSocket fallback channels, signed delivery URLs, or private caches outside tenant and resource policy.
147
190
  - Logging impersonation without separate actor and subject.
@@ -153,6 +196,8 @@ Authentication answers who the requester is. Authorization answers what that pri
153
196
  - Authentication and authorization are separated in code and report language.
154
197
  - Every changed protected action has a server-side or database-side permission boundary.
155
198
  - Tenant isolation, resource ownership, sharing, admin scope, and status-code behavior are explicit.
199
+ - Effective permissions, policy-combination rules, decision explanation, policy version, data
200
+ revision, and revocation window are explicit when relevant.
156
201
  - Client guards are described as UX only.
157
202
  - Session, token, OAuth/OIDC, API key, cache, audit, docs, migration, and tests are synchronized when touched.
158
203
  - Signed URL, event-stream, WebTransport, WebSocket fallback, CORS, cookie, CDN/proxy cache, and reconnect behavior remains inside the permission model when touched.
@@ -190,6 +235,7 @@ Prefer the narrowest configured test intent that covers the changed protected ac
190
235
  - Authentication versus authorization classification
191
236
  - Principal, tenant, resource, action, and context affected
192
237
  - Policy source of truth
238
+ - Effective permission, policy version, data revision, decision explanation, and revocation window
193
239
  - Server/database enforcement notes
194
240
  - Client guard UX-only notes
195
241
  - Tenant, ownership, sharing, admin, token/session/API-key, cache, and audit notes
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.backend-log-evidence-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: backend-log-evidence-review
9
- description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state.
9
+ description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log pipeline canaries, collector accepted/sent/stored counts, timestamp versus observed timestamp, parser or mapping failures, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state and whether the evidence actually survived the logging pipeline.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -39,6 +39,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
39
39
  - Backend handlers, services, repositories, adapters, workers, schedulers, webhooks, migrations, scripts, or batch jobs add, remove, review, or depend on logs.
40
40
  - A change claims that a path is logged, traceable, easy to debug, auditable, operationally safe, or diagnosable from logs.
41
41
  - Request start or finish logs, event names, schema versions, severity fields, trace or span IDs, error handling, error wrapping, external API calls, DB writes, transactions, status transitions, early returns, retries, timeouts, queues, async jobs, batches, audit events, auth, validation, cache, distributed locks, idempotency, feature flags, configuration, releases, migrations, or background promises are involved.
42
+ - Log ingestion, parsing, buffering, shipping, storage, searchability, retention, rotation, multiline parsing, canary logs, dropped-log counters, timestamp skew, or log sink visibility affects whether backend evidence can be trusted.
42
43
  - A review needs to decide whether logs explain why the system reached a state, not only where the exception was thrown.
43
44
 
44
45
  <!-- mustflow-section: do-not-use-when -->
@@ -60,6 +61,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
60
61
  - Error evidence: thrown errors, catches, wrappers, causes, stack preservation, error categories, public versus internal messages, and log boundary ownership.
61
62
  - Decision evidence: branches, early returns, validation failures, auth decisions, feature flags, state transitions, cache paths, retry decisions, timeout classes, and fallback decisions.
62
63
  - Side-effect evidence: external API calls with dependency name, operation, timeout, latency, status class, retry count, circuit state, and provider request id; DB affected rows; transaction begin/commit/rollback evidence; queue enqueue and consume; idempotency decisions; locks; migrations; batch summaries; release/config/feature-flag events; and configuration snapshots.
64
+ - Pipeline integrity evidence when logs leave the process: generated count, collector accepted count, exporter sent count, stored count, searchable count, canary event id, sequence gaps, duplicate rate, timestamp and observed timestamp drift, queue oldest age, DLQ oldest age, parser failures, mapping conflicts, dropped or sampled counts, rotation or restart boundary, multiline grouping, and storage retention boundary.
63
65
  - Safety constraints: secrets, tokens, cookies, auth headers, passwords, raw payloads, personal data, payment data, provider response bodies, full SQL, log injection through control characters or ANSI escapes, high-cardinality indexing cost, sampling policy, and retention policy.
64
66
  - Local conventions: logger API, structured field names, severity levels, redaction helpers, error serialization, test helpers, snapshots or fixtures, and configured command intents.
65
67
 
@@ -161,7 +163,14 @@ The review question is: "If this backend path fails, times out, retries, silentl
161
163
  - Normalize or escape user-controlled strings such as filenames, user agents, nicknames, referers, and queries so newlines, tabs, control characters, and ANSI escapes cannot forge log entries.
162
164
  - Sink-side masking is not enough when sensitive data has already crossed the process boundary.
163
165
  - Tests or static guards should cover sensitive log fields when feasible.
164
- 18. Require evidence.
166
+ 18. Review log pipeline survival when the task depends on searchable logs.
167
+ - Compare generated, accepted, sent, stored, and searchable counts by service, environment, version, and event family instead of trusting one total.
168
+ - A synthetic canary log with a unique id and increasing sequence can expose loss, duplication, reorder, and search visibility lag.
169
+ - Distinguish event timestamp from observed timestamp; large drift points to clock skew, buffer delay, backpressure, or collector backlog.
170
+ - Queue size alone is weak. Check queue utilization, oldest queued event age, enqueue failures, exporter failures, receiver refusals, DLQ size, and DLQ oldest age.
171
+ - Parser failures, mapping conflicts, multiline splits, log rotation, container restart, pod deletion, disk buffer exhaustion, and retention or rollover drift can silently erase the evidence operators think they have.
172
+ - If pipeline checks require live collectors, sinks, dashboards, or production search, report them as manual-only instead of claiming log evidence survived.
173
+ 19. Require evidence.
165
174
  - Prefer focused tests, log fixtures, snapshot assertions, redaction tests, source-level guards, or local logger contract tests for stable event names and fields.
166
175
  - Prefer tests that pin `event_name`, schema version, required fields, redaction, bounded reason codes, and message-independent query fields rather than exact prose.
167
176
  - If logs depend on runtime middleware, production log routing, sink configuration, or manual log search outside the repository, report that evidence as manual-only.
@@ -170,7 +179,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
170
179
  <!-- mustflow-section: postconditions -->
171
180
  ## Postconditions
172
181
 
173
- - The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, redaction boundary, level ownership, sampling boundary, and evidence level.
182
+ - The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, pipeline survival boundary, redaction boundary, level ownership, sampling boundary, and evidence level.
174
183
  - Missing start or finish logs, message-only contracts, unstable event names, missing schema version, missing trace or span id, missing correlation or causation id, string-only errors, lost causes, missing external-call before and after logs, raw provider body logs, missing affected-row counts, invisible transaction or state transitions, silent early returns, attempt-free retries, duration-free timeouts, enqueue or consume gaps, broken async correlation, empty batch summaries, missing auth or validation reasons, ordinary logs for audit events, cache or lock blind spots, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config logs, migration `done` logs, swallowed async errors, all-info or all-error severity, duplicate error spam, prose-only messages, high-cardinality indexed fields, log injection exposure, unsafe sampling, and missing identifiers are fixed or reported.
175
184
  - Named review smells such as broken async request id, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, config startup summaries, release and migration event gaps, migration dry-run and apply logs, message-based dashboards, prose-only log, and sink-side-only masking are fixed or reported when present.
176
185
  - Log changes are backed by local logger conventions, tests, fixtures, source review evidence, or labeled as manual-only or missing.
@@ -205,7 +214,7 @@ Prefer the narrowest configured checks that cover the changed logging contract a
205
214
  ## Output Format
206
215
 
207
216
  - Backend log boundary reviewed
208
- - Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
217
+ - Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, pipeline survival, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
209
218
  - Log fixes made or recommended
210
219
  - Evidence level: configured-test evidence, log fixture evidence, source review evidence, manual-only, missing, or not applicable
211
220
  - Command intents run
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.cache-integrity-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: cache-integrity-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, hit/miss observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, cache-status ledgers such as hit, miss, bypass, stale, refresh, error, set-failed, evicted, or expired, origin-cost observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, replica lag, Redis latency, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -81,9 +81,11 @@ and what happens to the source system when the cache misses or fails?"
81
81
  - Failure and concurrency contract: miss behavior, concurrent miss behavior, source timeout, Redis
82
82
  failure, source failure, negative cache policy, update race behavior, invalidation ordering, and
83
83
  stale serve policy.
84
- - Observability evidence: hit and miss metrics, miss cost, value size, key count, eviction, expiry,
85
- tenant or endpoint breakdown, status-code breakdown, source query time, source call count, and set
86
- success.
84
+ - Observability evidence: hit, miss, bypass, stale, refresh, negative-hit, set-failed, error,
85
+ eviction, expiry, and fallback metrics; miss cost; hit-rate cost by endpoint or tenant; value
86
+ size; key count; source query time; source call count; origin saturation; Redis client wait,
87
+ round-trip latency, command latency, serialization cost, Slow Log limits, replica lag, shard
88
+ imbalance, and set success.
87
89
  - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
88
90
  validation.
89
91
 
@@ -180,6 +182,8 @@ and what happens to the source system when the cache misses or fails?"
180
182
  shedding, stale serve, circuit breaker, bulkhead, or another source-protection mechanism.
181
183
  - Decide whether cache failure is disposable or correctness-sensitive. Sessions, permissions,
182
184
  rate limits, inventory, idempotency, and dedupe caches are not ordinary performance caches.
185
+ - Compare normal cached traffic with an allowed bypass path or known miss path when evidence is
186
+ available. If bypass is faster, fresher, or more correct, the cache policy itself is suspect.
183
187
  13. Check Redis keyspace and memory behavior.
184
188
  - Review value size, key size, key schema, bounded key cardinality, max memory, eviction policy,
185
189
  expired keys, evicted keys, and whether TTL-less keys are turning cache into state storage.
@@ -187,43 +191,54 @@ and what happens to the source system when the cache misses or fails?"
187
191
  so TTL-less keys can crowd out real cache behavior.
188
192
  - `KEYS *` in application code is a production bomb. Use `SCAN` only from bounded admin or
189
193
  maintenance paths with explicit limits.
190
- 14. Check hot keys and Redis Cluster distribution.
194
+ 14. Check Redis latency, replication, and distribution.
195
+ - Redis Slow Log does not include client round-trip time, connection wait, serialization,
196
+ application loop overhead, DNS, TLS, or network path time. Do not use it as the only latency
197
+ proof.
198
+ - Review replica lag, failover behavior, cold replica warmup, persistence spikes, memory
199
+ fragmentation, client connection pools, shard imbalance, and command mix when a cache incident
200
+ is operational rather than semantic.
201
+ 15. Check hot keys and Redis Cluster distribution.
191
202
  - Sharding does not save one hot key. Use replicas, local L1, request coalescing, prewarm,
192
203
  chunking, or workload-specific splitting where semantics allow it.
193
204
  - Redis Cluster hash tags are useful for intentional multi-key locality, but overusing the same
194
205
  tag can force too many keys into one slot.
195
- 15. Check HTTP cache semantics.
206
+ 16. Check HTTP cache semantics.
196
207
  - If responses vary by `Authorization`, `Cookie`, `Accept-Language`, `Accept-Encoding`, content
197
208
  negotiation, or user context, verify `Vary` and cache-control behavior.
198
209
  - `no-cache` means revalidate before reuse. `no-store` means do not store. Do not use one when
199
210
  the other is required.
200
211
  - Check freshness, validation, private versus public cacheability, CDN behavior, browser behavior,
201
212
  and generated-client or proxy expectations.
202
- 16. Check permission and entitlement caches as security boundaries.
213
+ 17. Check permission and entitlement caches as security boundaries.
203
214
  - A permission cache, role cache, organization-membership cache, subscription cache, admin cache,
204
215
  or entitlement cache must be invalidated by revocation, role change, organization move,
205
216
  subscription expiry, ownership change, and emergency access changes.
206
217
  - Short TTL alone is not enough for decisions that should fail closed or revoke promptly.
207
- 17. Check cache warming and cold-start behavior.
218
+ 18. Check cache warming and cold-start behavior.
208
219
  - Deployment, autoscale, failover, and rollback can create synchronized cold caches that push
209
220
  traffic to the source.
210
221
  - Prewarm only keys with clear ownership and backpressure. Do not build an unbounded warming job
211
222
  that becomes the outage.
212
- 18. Check observability.
213
- - Hit rate alone lies. Break down hits, misses, stale serves, negative hits, refresh failures,
214
- evictions, expirations, and set failures by endpoint, key-pattern, tenant, status-code, and
215
- cache layer where useful.
223
+ - Load-test or smoke the cold, warm, failover, replica-lag, source-slow, and cache-down scenarios
224
+ when the repository has configured evidence. Otherwise report those as manual operational gaps.
225
+ 19. Check observability.
226
+ - Hit rate alone lies. Break down hits, misses, bypasses, stale serves, refreshes, negative hits,
227
+ refresh failures, evictions, expirations, fallback serves, Redis errors, and set failures by
228
+ endpoint, key-pattern, tenant, status-code, and cache layer where useful.
216
229
  - Log or measure miss cost: source query time, source call count, value size, generation time,
217
230
  and set success.
231
+ - Track hit-rate cost: origin load avoided, origin load caused by misses, miss amplification,
232
+ cache write failures, and whether a high hit rate hides a small set of expensive miss paths.
218
233
  - Keep cache metrics labels bounded; put high-cardinality keys in logs or traces only when the
219
234
  repository privacy rules allow it.
220
- 19. Check tests beyond the happy path.
235
+ 20. Check tests beyond the happy path.
221
236
  - "Second call is faster" is not enough.
222
237
  - Cover concurrent misses, update during read, delete then recreate, source failure, Redis
223
238
  failure, synchronized TTL expiry, old-version cached value, permission change, tenant
224
239
  separation, list invalidation, negative-cache classification, deploy rollback, and cache-layer
225
240
  bypass when those risks exist.
226
- 20. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
241
+ 21. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
227
242
  or load tests, report the missing evidence instead of claiming the cache is safe.
228
243
 
229
244
  <!-- mustflow-section: postconditions -->
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.change-blast-radius-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: change-blast-radius-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, historical co-change spread, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -46,6 +46,8 @@ feature is removed, what can I delete?"
46
46
  logging, tests, abstractions, helpers, or legacy compatibility.
47
47
  - A single requirement would force edits across several files, layers, modules, frontend code, SQL,
48
48
  jobs, events, cache keys, tests, or docs.
49
+ - Recent PRs, commits, work orders, or review history show that small requirements routinely
50
+ co-change many repositories, services, schemas, pipelines, teams, tests, or docs.
49
51
  - A file or service has several unrelated reasons to change under one broad noun such as `Manager`,
50
52
  `Helper`, `Processor`, `Handler`, or `Service`.
51
53
  - A review needs to decide whether to use `module-boundary-review`, `structure-first-engineering`,
@@ -72,6 +74,10 @@ feature is removed, what can I delete?"
72
74
  - User goal, current diff or target files, and the requirement or policy that caused the change.
73
75
  - Change-reason ledger: which business rule, user flow, data shape, failure path, compatibility
74
76
  rule, tenant exception, or operational behavior would make this code change next.
77
+ - Historical co-change ledger when available: recent PRs or commits touching the same requirement
78
+ family, repositories touched, services touched, DB schemas touched, deployment pipelines touched,
79
+ teams or reviewers involved, tests changed, docs changed, and whether the current design reduced
80
+ or repeated that spread.
75
81
  - Blast-radius ledger: controllers, services, repositories, entities, DTOs, frontend conditions,
76
82
  SQL, migrations, batches, events, caches, config, tests, docs, and templates touched by one reason.
77
83
  - Ownership ledger: source of truth for domain rule, authorization rule, state transition, retry
@@ -115,123 +121,128 @@ feature is removed, what can I delete?"
115
121
  - Ask: "If this requirement changes next month, which files move?"
116
122
  - If one policy edit needs controller, service, repository, SQL, frontend, batch, cache, and test
117
123
  edits, the code is a puzzle, not a boundary.
118
- 2. Count reasons to change, not lines.
124
+ 2. Check historical co-change when evidence exists.
125
+ - Look for recent PRs, commits, or work items in the same feature or policy family.
126
+ - Count repositories, services, schemas, pipelines, test suites, docs, and teams touched by small changes.
127
+ - Treat repeated cross-boundary co-change as stronger evidence than a clean-looking folder tree.
128
+ - If history is unavailable or too expensive for the task, report the review as prediction-only instead of pretending the boundary was proven.
129
+ 3. Count reasons to change, not lines.
119
130
  - A short file can still hold signup, login, points, notification, referral, admin blocking, and
120
131
  reporting rules.
121
132
  - Split by different change reasons, not by noun labels.
122
- 3. Keep controllers as doors, not bosses.
133
+ 4. Keep controllers as doors, not bosses.
123
134
  - Controllers should parse requests, call an application boundary, and map the result.
124
135
  - Treat controller `if`, `for`, state mutation, external API calls, discount logic, inventory
125
136
  checks, or notification orchestration as workflow leakage.
126
- 4. Reject junk-drawer services.
137
+ 5. Reject junk-drawer services.
127
138
  - Broad names such as `OrderService`, `UserService`, `Manager`, `Helper`, `Processor`, and
128
139
  `Handler` often hide unrelated workflows.
129
140
  - Name the actual responsibility or split by workflow owner when changes would not arrive
130
141
  together.
131
- 5. Decode boolean mode flags.
142
+ 6. Decode boolean mode flags.
132
143
  - `createUser(user, true)` and `sendNotification(user, true, false)` mean one function already
133
144
  has hidden modes.
134
145
  - Replace modes with named variants, policy objects, strategy objects, or separate functions when
135
146
  behavior contracts differ.
136
- 6. Inspect option objects for combinatorial behavior.
147
+ 7. Inspect option objects for combinatorial behavior.
137
148
  - Fields such as `skipValidation`, `dryRun`, `force`, `source`, `mode`, `type`, `retry`,
138
149
  `legacy`, and `includeInactive` can turn one call into many products.
139
150
  - If field combinations change behavior, use explicit mode types or separate boundaries.
140
- 7. Find the policy source of truth.
151
+ 8. Find the policy source of truth.
141
152
  - Repeated rules such as "VIP gets free shipping" across backend, frontend, SQL, batch, and
142
153
  cache code are not harmless duplication.
143
154
  - Name one owner and make other layers consume facts or capabilities from that owner.
144
- 8. Centralize authorization policy.
155
+ 9. Centralize authorization policy.
145
156
  - Scattered checks such as `role == admin`, `ownerId == user.id`, or membership scans make policy
146
157
  changes scary.
147
158
  - Use `auth-permission-change` when action permission needs one policy source and denial tests.
148
- 9. Make state transitions visible.
159
+ 10. Make state transitions visible.
149
160
  - Status values are not enough. Review where `status = ...` happens and which transitions are
150
161
  legal.
151
162
  - Use `state-machine-pattern` when allowed transitions need to be represented explicitly.
152
- 10. Pull time, randomness, and generated IDs to a boundary.
163
+ 11. Pull time, randomness, and generated IDs to a boundary.
153
164
  - Direct `new Date()`, `Date.now()`, `LocalDateTime.now()`, UUIDs, random order numbers, random
154
165
  filenames, and generated referral codes hide reproducibility and future policy changes.
155
166
  - Use explicit time, generator, or identifier inputs from the shell.
156
- 11. Draw the transaction boundary.
167
+ 12. Draw the transaction boundary.
157
168
  - When several saves happen, ask what remains if the middle save fails.
158
169
  - If the answer is unclear, use `failure-integrity-review` or the relevant database skill before
159
170
  changing behavior.
160
- 12. Separate external calls from committed state.
171
+ 13. Separate external calls from committed state.
161
172
  - DB save, payment API, DB save, notification API in one flow creates timeout, retry, and
162
173
  duplicate-effect traps.
163
174
  - Prefer local state plus outbox, idempotency keys, or effect descriptions when the operation
164
175
  must survive partial failure.
165
- 13. Check retry idempotency.
176
+ 14. Check retry idempotency.
166
177
  - `retry(3)`, queues, webhooks, schedulers, and manual replays are dangerous without a duplicate
167
178
  rule.
168
179
  - Ask what happens when the same event arrives twice.
169
- 14. Reject cache-as-truth for important decisions.
180
+ 15. Reject cache-as-truth for important decisions.
170
181
  - Cache can speed reads, but it should not become the source of truth for authorization, payment
171
182
  eligibility, inventory, or other critical decisions.
172
183
  - Use `cache-integrity-review` when cache freshness or fallback can mislead the decision.
173
- 15. Count config flag combinations.
184
+ 16. Count config flag combinations.
174
185
  - Flags such as `enableNewPolicy`, `useLegacyFlow`, `skipValidationForPartner`, and
175
186
  `specialCaseTenantIds` can create untested products inside one code path.
176
187
  - Name the supported combinations or isolate the variation behind a policy boundary.
177
- 16. Isolate tenant, partner, country, product, and app-version exceptions.
188
+ 17. Isolate tenant, partner, country, product, and app-version exceptions.
178
189
  - Hardcoded `tenantId`, `partnerCode`, country code, app version, or product ID branches are
179
190
  product debt, not just conditionals.
180
191
  - Prefer configured capabilities, adapters, policy tables, or explicit exceptions with removal
181
192
  owners.
182
- 17. Keep legacy compatibility out of the new core.
193
+ 18. Keep legacy compatibility out of the new core.
183
194
  - `legacy`, `old`, `v1`, `deprecated`, and `temp` branches inside the main path pull old rules
184
195
  into new code.
185
196
  - Put compatibility in adapters, translators, migration paths, or isolated old-entry boundaries.
186
- 18. Separate data-object languages.
197
+ 19. Separate data-object languages.
187
198
  - DB entities, API DTOs, view models, external provider payloads, and domain objects should not
188
199
  quietly become the same object.
189
200
  - If one side changes and another side must follow, name the mapping owner.
190
- 19. Give nullable values a reason.
201
+ 20. Give nullable values a reason.
191
202
  - `null` must not mean absence, unknown, failed calculation, forbidden access, and provider
192
203
  timeout at the same time.
193
204
  - Use variants, result types, or explicit fields that tell callers why a value is missing.
194
- 20. Do not hide exceptions as normal data.
205
+ 21. Do not hide exceptions as normal data.
195
206
  - `catch (e) { return null }`, `catch (e) { log.warn(...) }`, and empty catches make the system
196
207
  lie far from the failure.
197
208
  - Use visible failure values, typed errors, or explicit degraded modes.
198
- 21. Make logs traceable, not decorative.
209
+ 22. Make logs traceable, not decorative.
199
210
  - Logs like `start` and `failed` without order ID, user ID, request ID, external call ID, tenant,
200
211
  or operation name do not help future maintainers.
201
212
  - Add safe correlation context when it is the only way to connect the failure path.
202
- 22. Keep tests attached to behavior.
213
+ 23. Keep tests attached to behavior.
203
214
  - Tests that assert private methods, mock call order, or internal collaborator choreography make
204
215
  refactors expensive.
205
216
  - Prefer outcomes, state transitions, persisted commands, emitted events, or public results.
206
- 23. Treat mock count as a change-impact sensor.
217
+ 24. Treat mock count as a change-impact sensor.
207
218
  - More than three mocks deserves a responsibility review.
208
219
  - Five or more mocks usually means the class absorbs too many change directions.
209
- 24. Validate abstraction against real volatility.
220
+ 25. Validate abstraction against real volatility.
210
221
  - Interfaces, factories, strategies, and abstract classes help only when the variation axis is
211
222
  real.
212
223
  - Ask whether there are two real implementations now or a known future swap along this exact
213
224
  axis.
214
- 25. Do not DRY together different futures.
225
+ 26. Do not DRY together different futures.
215
226
  - Removing duplication is harmful when two similar blocks change for different reasons.
216
227
  - Keep duplication when it preserves independent policy evolution.
217
- 26. Make required ordering explicit.
228
+ 27. Make required ordering explicit.
218
229
  - Initialization, validation, save, event publication, cache invalidation, notification, and
219
230
  cleanup steps can be order-sensitive.
220
231
  - If swapping two lines would break correctness, encode the sequence in a named workflow,
221
232
  transaction, state transition, or command object.
222
- 27. Treat events as invisible function calls until proven otherwise.
233
+ 28. Treat events as invisible function calls until proven otherwise.
223
234
  - `publish(Event)` hides subscribers, failure behavior, ordering, duplicate delivery, and
224
235
  compatibility.
225
236
  - Name the event contract, listener expectations, idempotency, and failure handling.
226
- 28. Pair migrations with runtime compatibility.
237
+ 29. Pair migrations with runtime compatibility.
227
238
  - Schema changes, enum additions, defaults, indexes, and backfills must be checked against old
228
239
  code on new schema and new code on old data.
229
240
  - Use `database-migration-change` when deploy order or data backfill matters.
230
- 29. Run the deletion test.
241
+ 30. Run the deletion test.
231
242
  - Ask: "If this feature disappears, what do I delete?"
232
243
  - If flags, columns, conditions, events, caches, batch jobs, UI checks, and tests are scattered,
233
244
  the feature is already rooted too deeply.
234
- 30. Pick the smallest boundary repair.
245
+ 31. Pick the smallest boundary repair.
235
246
  - If one owner is missing, introduce that owner.
236
247
  - If one mode is hidden, name that mode.
237
248
  - If the risk is too broad for the current task, report the exact next-change or deletion path
@@ -240,7 +251,8 @@ feature is removed, what can I delete?"
240
251
  <!-- mustflow-section: postconditions -->
241
252
  ## Postconditions
242
253
 
243
- - The next likely policy or workflow change has a named owner and a predictable edit path, or the
254
+ - The next likely policy or workflow change has a named owner, historical co-change evidence when
255
+ available, and a predictable edit path, or the
244
256
  unpredictable spread is explicitly reported.
245
257
  - Important side effects, transactions, retries, events, caches, config flags, migrations, and logs
246
258
  have clear owners or remaining risks.
@@ -287,6 +299,7 @@ public contract.
287
299
 
288
300
  - Change blast radius reviewed
289
301
  - Next likely change and owner
302
+ - Historical co-change evidence, or prediction-only note when unavailable
290
303
  - Files, layers, jobs, caches, events, tests, docs, or migrations in the blast radius
291
304
  - Policy, authorization, state, transaction, retry, cache, config, tenant, legacy, DTO, nullable,
292
305
  log, test, abstraction, ordering, event, migration, or deletion findings