mustflow 2.85.4 → 2.99.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/script-pack.js +10 -0
- package/dist/cli/i18n/en.js +183 -0
- package/dist/cli/i18n/es.js +183 -0
- package/dist/cli/i18n/fr.js +183 -0
- package/dist/cli/i18n/hi.js +183 -0
- package/dist/cli/i18n/ko.js +183 -0
- package/dist/cli/i18n/zh.js +183 -0
- package/dist/cli/lib/script-pack-registry.js +284 -1
- package/dist/cli/script-packs/code-change-impact.js +6 -0
- package/dist/cli/script-packs/code-import-cycle.js +193 -0
- package/dist/cli/script-packs/docs-link-integrity.js +145 -0
- package/dist/cli/script-packs/repo-approval-gate.js +100 -0
- package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
- package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
- package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
- package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
- package/dist/cli/script-packs/repo-version-source.js +92 -0
- package/dist/cli/script-packs/test-performance-report.js +247 -0
- package/dist/cli/script-packs/test-regression-selector.js +167 -0
- package/dist/core/change-impact.js +23 -51
- package/dist/core/change-surface-classification.js +198 -0
- package/dist/core/docs-link-integrity.js +443 -0
- package/dist/core/import-cycle.js +152 -0
- package/dist/core/public-json-contracts.js +116 -0
- package/dist/core/repo-approval-gate.js +116 -0
- package/dist/core/repo-git-ignore-audit.js +302 -0
- package/dist/core/repo-manifest-lock-drift.js +321 -0
- package/dist/core/repo-merge-conflict-scan.js +335 -0
- package/dist/core/repo-version-source.js +82 -0
- package/dist/core/script-pack-suggestions.js +77 -1
- package/dist/core/skill-route-audit.js +354 -0
- package/dist/core/test-performance-report.js +697 -0
- package/dist/core/test-regression-selector.js +335 -0
- package/package.json +1 -1
- package/schemas/README.md +40 -2
- package/schemas/change-impact-report.schema.json +35 -1
- package/schemas/import-cycle-report.schema.json +157 -0
- package/schemas/link-integrity-report.schema.json +176 -0
- package/schemas/repo-approval-gate-report.schema.json +115 -0
- package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
- package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
- package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
- package/schemas/repo-version-source-report.schema.json +127 -0
- package/schemas/skill-route-audit-report.schema.json +144 -0
- package/schemas/test-performance-report.schema.json +319 -0
- package/schemas/test-regression-selector-report.schema.json +187 -0
- package/templates/default/i18n.toml +66 -18
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +45 -8
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
- package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
- package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
- package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
- package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +54 -0
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
- package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +9 -0
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +14 -9
- package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
- package/templates/default/manifest.toml +64 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.auth-permission-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: auth-permission-change
|
|
9
|
-
description: Apply this skill when authentication, authorization, permissions, roles, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
|
|
9
|
+
description: Apply this skill when authentication, authorization, permissions, roles, effective permissions, policy decisions, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -54,11 +54,20 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
54
54
|
## Required Inputs
|
|
55
55
|
|
|
56
56
|
- Changed files, user goal, affected actors, protected resources, actions, tenants, roles, and status-code expectations.
|
|
57
|
+
- Permission decision tuple for each changed protected action: subject, action, object, tenant or
|
|
58
|
+
organization, relationship path, request environment, policy version, data revision, token issue
|
|
59
|
+
time, and final allow or deny reason.
|
|
60
|
+
- Effective-permission evidence, not only role names: computed capabilities, inherited
|
|
61
|
+
relationships, explicit denies, wildcard policies, policy-combination rules, and default-deny
|
|
62
|
+
behavior.
|
|
57
63
|
- Auth middleware, framework hooks, gateway checks, session config, cookie config, JWT verifier, OAuth/OIDC callback, API key verifier, and logout or revocation code when relevant.
|
|
58
64
|
- Route guards, client guards, server controllers, resolvers, command handlers, services, policy functions, role or permission tables, database queries, RLS, views, stored procedures, and ORM scopes.
|
|
59
65
|
- Tenant, organization, workspace, project, membership, invite, suspension, ownership, sharing, and admin-support data models.
|
|
60
66
|
- Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, SSE or streaming channels, WebTransport sessions, WebSocket fallback, CDN cache, proxy cache, and permission caches when they can expose protected data.
|
|
61
67
|
- Audit logs, admin action logs, impersonation records, denied-access logs, API docs, role matrix docs, migrations, and tests.
|
|
68
|
+
- Revocation and cache evidence: token claim freshness, session lifetime, permission-cache key and
|
|
69
|
+
TTL, policy replication delay, search-index or export lag, stale queue payloads, and rollback or
|
|
70
|
+
shadow-evaluation behavior when policy changes.
|
|
62
71
|
- Configured verification intents.
|
|
63
72
|
|
|
64
73
|
<!-- mustflow-section: preconditions -->
|
|
@@ -92,31 +101,58 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
92
101
|
- database queries, tenant scopes, ownership joins, soft-delete filters, RLS, views, stored procedures, and ORM helpers;
|
|
93
102
|
- background jobs, queues, webhooks, import/export, file storage, signed URLs, SSE or streaming channels, WebTransport sessions, WebSocket fallback, search, autocomplete, caches, CDN or proxy cache rules, audit logs, docs, migrations, and tests.
|
|
94
103
|
3. Write the permission decision inputs for each protected action: principal, tenant, resource, action, and context.
|
|
95
|
-
4.
|
|
104
|
+
4. Freeze the authorization decision tuple.
|
|
105
|
+
- Record subject, action, object, tenant, environment, policy version, data revision, token issue
|
|
106
|
+
time, matched policy, inheritance path, and final allow or deny reason.
|
|
107
|
+
- A role label is not the decision. Use effective permissions and relationship paths.
|
|
108
|
+
5. Separate identity from permission:
|
|
96
109
|
- `req.user`, a valid session, verified email, valid JWT, OAuth scope, or API key proves identity only;
|
|
97
110
|
- owner, active member, org admin, global admin, support user, service account, API client, and shared-link viewer need separate authorization rules.
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
111
|
+
6. Prefer one central policy shape, such as a `can(principal, action, resource, context)` function, over route-local `isAdmin`, `isOwner`, or `isMember` fragments.
|
|
112
|
+
7. Require explainable policy decisions.
|
|
113
|
+
- A production-supportable permission engine should expose which policy matched, which condition
|
|
114
|
+
failed, which inherited relationship granted access, and whether an explicit deny won.
|
|
115
|
+
- If the implementation cannot explain allow or deny decisions, report observability risk before
|
|
116
|
+
claiming the policy is maintainable.
|
|
117
|
+
8. Enforce deny by default. New roles, actions, resource types, tenant types, sharing modes, and admin paths must deny until explicitly allowed.
|
|
118
|
+
9. Define policy-combination semantics. Check whether multiple policies combine by union,
|
|
119
|
+
intersection, priority, explicit deny, boundary policy, or tenant override; write tests for
|
|
120
|
+
allow-plus-deny and no-match cases.
|
|
121
|
+
10. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
|
|
122
|
+
11. Load resources safely before final authorization:
|
|
102
123
|
- include tenant, membership, owner, sharing, and soft-delete constraints in the resource lookup when possible;
|
|
103
124
|
- when existence must be hidden, keep wrong-tenant and missing-resource behavior consistent with the project's 404 policy.
|
|
104
|
-
|
|
125
|
+
12. Check multi-tenant risks:
|
|
105
126
|
- body, query, header, path, JWT claim, or local storage tenant ids must not become trusted tenant context;
|
|
106
127
|
- tenant-scoped queries must include tenant or membership constraints;
|
|
107
128
|
- pending, suspended, removed, revoked, deleted, disabled, and invited states must not be treated as active access;
|
|
108
129
|
- shared links, exports, signed URLs, previews, search, cache, and CDN entries must stay inside the permission model.
|
|
109
130
|
- event streams, WebTransport sessions, WebSocket fallback channels, private downloads, and reconnect URLs must not bypass tenant, resource, role, token expiry, or revocation policy.
|
|
110
|
-
|
|
131
|
+
13. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
|
|
111
132
|
- sessions need expiry, refresh, rotation, logout, revocation, cookie flags, and CSRF posture;
|
|
112
133
|
- JWTs need signature verification, algorithm allowlist, issuer, audience, subject, expiry, not-before, key rotation, and stale-claim handling;
|
|
113
134
|
- OAuth/OIDC needs exact redirect binding, state, nonce, PKCE when relevant, provider account binding, and safe account linking;
|
|
114
135
|
- API keys need hashing, prefix-only display, owner type, scope, tenant/resource constraints, expiry, rotation, revocation, last-used, rate limit, and audit.
|
|
115
|
-
|
|
136
|
+
14. Check permission creators more strictly than ordinary permissions.
|
|
137
|
+
- Role creation, role assignment, invitation, service-account issuance, API-key creation,
|
|
138
|
+
impersonation, support access, and token minting are privilege factories.
|
|
139
|
+
- A low-privilege actor that can attach a high privilege to itself collapses the whole model.
|
|
140
|
+
15. Check revocation time.
|
|
141
|
+
- Demotion, removal, suspension, role deletion, membership expiry, subscription cancellation,
|
|
142
|
+
and ownership transfer should say how long old sessions, JWT claims, caches, search indexes,
|
|
143
|
+
queued jobs, and replicas can keep authorizing the old state.
|
|
144
|
+
- Sensitive actions need server-side recheck, short-lived tokens, revocation lists, or policy
|
|
145
|
+
version gates when stale tokens would be harmful.
|
|
146
|
+
16. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
|
|
116
147
|
- For credentialed delivery surfaces, check whether EventSource can supply the intended credentials, whether CORS and cookies match the policy, whether signed URLs expire and scope correctly, and whether caches vary on auth, tenant, and private response dimensions.
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
148
|
+
17. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale token, stale cache, unknown role, unknown action, wildcard policy, explicit deny, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
|
|
149
|
+
18. When changing policies, consider shadow evaluation.
|
|
150
|
+
- Compute old and new decisions side by side for representative requests before flipping broad
|
|
151
|
+
policy changes when the product has the infrastructure to do so.
|
|
152
|
+
- Log policy version and data revision for both decisions without exposing secrets or sensitive
|
|
153
|
+
object contents.
|
|
154
|
+
19. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
|
|
155
|
+
20. Report the policy source of truth, effective-permission evidence, decision explanation, server/database enforcement, client UX-only guards, revocation window, test coverage, skipped checks, and remaining permission risk.
|
|
120
156
|
|
|
121
157
|
## Boundary Rules
|
|
122
158
|
|
|
@@ -127,6 +163,10 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
127
163
|
- Admin is scoped. Global admin, org admin, project admin, billing admin, support, and impersonating admin are different roles and need different audit and action rules.
|
|
128
164
|
- Owner is not a wildcard permission. Owners may still lack delete, export, invite, transfer, billing, or admin powers.
|
|
129
165
|
- API keys are principals with scopes and owners, not user sessions with unlimited power.
|
|
166
|
+
- Wildcard permissions are future permissions. Adding a new action under an old wildcard should be
|
|
167
|
+
treated as a permission expansion and reviewed accordingly.
|
|
168
|
+
- Unknown roles, unknown actions, malformed identifiers, and missing relationship data deny by
|
|
169
|
+
default; they are not normalized into a normal user path.
|
|
130
170
|
|
|
131
171
|
## Strongly Forbidden Patterns
|
|
132
172
|
|
|
@@ -142,6 +182,9 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
142
182
|
- Changing 403 to 404, or 404 to 403, without naming the information-disclosure policy.
|
|
143
183
|
- Relaxing permissions without denial-case tests or a written migration and audit plan.
|
|
144
184
|
- Letting role changes ship without permission-cache or token-staleness handling.
|
|
185
|
+
- Shipping a permission engine that cannot explain why a request was allowed or denied.
|
|
186
|
+
- Treating an effective-permission bug as solved because the `role` column looks correct.
|
|
187
|
+
- Treating token-embedded roles as fresh after demotion, removal, or policy version changes.
|
|
145
188
|
- Creating shared links, signed URLs, exports, search results, or CDN responses outside tenant and resource policy.
|
|
146
189
|
- Creating credentialed event streams, WebTransport sessions, WebSocket fallback channels, signed delivery URLs, or private caches outside tenant and resource policy.
|
|
147
190
|
- Logging impersonation without separate actor and subject.
|
|
@@ -153,6 +196,8 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
153
196
|
- Authentication and authorization are separated in code and report language.
|
|
154
197
|
- Every changed protected action has a server-side or database-side permission boundary.
|
|
155
198
|
- Tenant isolation, resource ownership, sharing, admin scope, and status-code behavior are explicit.
|
|
199
|
+
- Effective permissions, policy-combination rules, decision explanation, policy version, data
|
|
200
|
+
revision, and revocation window are explicit when relevant.
|
|
156
201
|
- Client guards are described as UX only.
|
|
157
202
|
- Session, token, OAuth/OIDC, API key, cache, audit, docs, migration, and tests are synchronized when touched.
|
|
158
203
|
- Signed URL, event-stream, WebTransport, WebSocket fallback, CORS, cookie, CDN/proxy cache, and reconnect behavior remains inside the permission model when touched.
|
|
@@ -190,6 +235,7 @@ Prefer the narrowest configured test intent that covers the changed protected ac
|
|
|
190
235
|
- Authentication versus authorization classification
|
|
191
236
|
- Principal, tenant, resource, action, and context affected
|
|
192
237
|
- Policy source of truth
|
|
238
|
+
- Effective permission, policy version, data revision, decision explanation, and revocation window
|
|
193
239
|
- Server/database enforcement notes
|
|
194
240
|
- Client guard UX-only notes
|
|
195
241
|
- Tenant, ownership, sharing, admin, token/session/API-key, cache, and audit notes
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.backend-log-evidence-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: backend-log-evidence-review
|
|
9
|
-
description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state.
|
|
9
|
+
description: Apply this skill when backend code is created, changed, reviewed, or reported and request logs, error logs, structured event names, log schema versions, trace/span/request IDs, correlation and causation IDs, outcome or reason fields, external API logs, database write logs, transaction or state-transition logs, retry or timeout logs, queue or batch logs, audit logs, auth or validation logs, cache or lock logs, release/config/feature-flag logs, log pipeline canaries, collector accepted/sent/stored counts, timestamp versus observed timestamp, parser or mapping failures, log levels, duplicate logs, redaction, log-injection safety, sampling, or log searchability need review for whether an operator can reconstruct why a backend request, job, or data change reached its final state and whether the evidence actually survived the logging pipeline.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -39,6 +39,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
39
39
|
- Backend handlers, services, repositories, adapters, workers, schedulers, webhooks, migrations, scripts, or batch jobs add, remove, review, or depend on logs.
|
|
40
40
|
- A change claims that a path is logged, traceable, easy to debug, auditable, operationally safe, or diagnosable from logs.
|
|
41
41
|
- Request start or finish logs, event names, schema versions, severity fields, trace or span IDs, error handling, error wrapping, external API calls, DB writes, transactions, status transitions, early returns, retries, timeouts, queues, async jobs, batches, audit events, auth, validation, cache, distributed locks, idempotency, feature flags, configuration, releases, migrations, or background promises are involved.
|
|
42
|
+
- Log ingestion, parsing, buffering, shipping, storage, searchability, retention, rotation, multiline parsing, canary logs, dropped-log counters, timestamp skew, or log sink visibility affects whether backend evidence can be trusted.
|
|
42
43
|
- A review needs to decide whether logs explain why the system reached a state, not only where the exception was thrown.
|
|
43
44
|
|
|
44
45
|
<!-- mustflow-section: do-not-use-when -->
|
|
@@ -60,6 +61,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
60
61
|
- Error evidence: thrown errors, catches, wrappers, causes, stack preservation, error categories, public versus internal messages, and log boundary ownership.
|
|
61
62
|
- Decision evidence: branches, early returns, validation failures, auth decisions, feature flags, state transitions, cache paths, retry decisions, timeout classes, and fallback decisions.
|
|
62
63
|
- Side-effect evidence: external API calls with dependency name, operation, timeout, latency, status class, retry count, circuit state, and provider request id; DB affected rows; transaction begin/commit/rollback evidence; queue enqueue and consume; idempotency decisions; locks; migrations; batch summaries; release/config/feature-flag events; and configuration snapshots.
|
|
64
|
+
- Pipeline integrity evidence when logs leave the process: generated count, collector accepted count, exporter sent count, stored count, searchable count, canary event id, sequence gaps, duplicate rate, timestamp and observed timestamp drift, queue oldest age, DLQ oldest age, parser failures, mapping conflicts, dropped or sampled counts, rotation or restart boundary, multiline grouping, and storage retention boundary.
|
|
63
65
|
- Safety constraints: secrets, tokens, cookies, auth headers, passwords, raw payloads, personal data, payment data, provider response bodies, full SQL, log injection through control characters or ANSI escapes, high-cardinality indexing cost, sampling policy, and retention policy.
|
|
64
66
|
- Local conventions: logger API, structured field names, severity levels, redaction helpers, error serialization, test helpers, snapshots or fixtures, and configured command intents.
|
|
65
67
|
|
|
@@ -161,7 +163,14 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
161
163
|
- Normalize or escape user-controlled strings such as filenames, user agents, nicknames, referers, and queries so newlines, tabs, control characters, and ANSI escapes cannot forge log entries.
|
|
162
164
|
- Sink-side masking is not enough when sensitive data has already crossed the process boundary.
|
|
163
165
|
- Tests or static guards should cover sensitive log fields when feasible.
|
|
164
|
-
18.
|
|
166
|
+
18. Review log pipeline survival when the task depends on searchable logs.
|
|
167
|
+
- Compare generated, accepted, sent, stored, and searchable counts by service, environment, version, and event family instead of trusting one total.
|
|
168
|
+
- A synthetic canary log with a unique id and increasing sequence can expose loss, duplication, reorder, and search visibility lag.
|
|
169
|
+
- Distinguish event timestamp from observed timestamp; large drift points to clock skew, buffer delay, backpressure, or collector backlog.
|
|
170
|
+
- Queue size alone is weak. Check queue utilization, oldest queued event age, enqueue failures, exporter failures, receiver refusals, DLQ size, and DLQ oldest age.
|
|
171
|
+
- Parser failures, mapping conflicts, multiline splits, log rotation, container restart, pod deletion, disk buffer exhaustion, and retention or rollover drift can silently erase the evidence operators think they have.
|
|
172
|
+
- If pipeline checks require live collectors, sinks, dashboards, or production search, report them as manual-only instead of claiming log evidence survived.
|
|
173
|
+
19. Require evidence.
|
|
165
174
|
- Prefer focused tests, log fixtures, snapshot assertions, redaction tests, source-level guards, or local logger contract tests for stable event names and fields.
|
|
166
175
|
- Prefer tests that pin `event_name`, schema version, required fields, redaction, bounded reason codes, and message-independent query fields rather than exact prose.
|
|
167
176
|
- If logs depend on runtime middleware, production log routing, sink configuration, or manual log search outside the repository, report that evidence as manual-only.
|
|
@@ -170,7 +179,7 @@ The review question is: "If this backend path fails, times out, retries, silentl
|
|
|
170
179
|
<!-- mustflow-section: postconditions -->
|
|
171
180
|
## Postconditions
|
|
172
181
|
|
|
173
|
-
- The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, redaction boundary, level ownership, sampling boundary, and evidence level.
|
|
182
|
+
- The reviewed backend path has a reconstruction question, event contract, request lifecycle evidence, correlation and causation model, decision evidence, side-effect evidence, error and cause preservation, pipeline survival boundary, redaction boundary, level ownership, sampling boundary, and evidence level.
|
|
174
183
|
- Missing start or finish logs, message-only contracts, unstable event names, missing schema version, missing trace or span id, missing correlation or causation id, string-only errors, lost causes, missing external-call before and after logs, raw provider body logs, missing affected-row counts, invisible transaction or state transitions, silent early returns, attempt-free retries, duration-free timeouts, enqueue or consume gaps, broken async correlation, empty batch summaries, missing auth or validation reasons, ordinary logs for audit events, cache or lock blind spots, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config logs, migration `done` logs, swallowed async errors, all-info or all-error severity, duplicate error spam, prose-only messages, high-cardinality indexed fields, log injection exposure, unsafe sampling, and missing identifiers are fixed or reported.
|
|
175
184
|
- Named review smells such as broken async request id, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, config startup summaries, release and migration event gaps, migration dry-run and apply logs, message-based dashboards, prose-only log, and sink-side-only masking are fixed or reported when present.
|
|
176
185
|
- Log changes are backed by local logger conventions, tests, fixtures, source review evidence, or labeled as manual-only or missing.
|
|
@@ -205,7 +214,7 @@ Prefer the narrowest configured checks that cover the changed logging contract a
|
|
|
205
214
|
## Output Format
|
|
206
215
|
|
|
207
216
|
- Backend log boundary reviewed
|
|
208
|
-
- Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
|
|
217
|
+
- Reconstruction question, event contract, request lifecycle, correlation and causation, error and cause preservation, external API, database write, transaction, state transition, early return, retry, timeout, queue or async handoff, batch or migration, audit, auth, validation, cache, lock, idempotency, feature flag, release, config, pipeline survival, level ownership, structure, cardinality, sampling, log-injection safety, redaction, and test evidence findings
|
|
209
218
|
- Log fixes made or recommended
|
|
210
219
|
- Evidence level: configured-test evidence, log fixture evidence, source review evidence, manual-only, missing, or not applicable
|
|
211
220
|
- Command intents run
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.cache-integrity-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: cache-integrity-review
|
|
9
|
-
description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, hit
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, cache-status ledgers such as hit, miss, bypass, stale, refresh, error, set-failed, evicted, or expired, origin-cost observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, replica lag, Redis latency, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -81,9 +81,11 @@ and what happens to the source system when the cache misses or fails?"
|
|
|
81
81
|
- Failure and concurrency contract: miss behavior, concurrent miss behavior, source timeout, Redis
|
|
82
82
|
failure, source failure, negative cache policy, update race behavior, invalidation ordering, and
|
|
83
83
|
stale serve policy.
|
|
84
|
-
- Observability evidence: hit
|
|
85
|
-
|
|
86
|
-
|
|
84
|
+
- Observability evidence: hit, miss, bypass, stale, refresh, negative-hit, set-failed, error,
|
|
85
|
+
eviction, expiry, and fallback metrics; miss cost; hit-rate cost by endpoint or tenant; value
|
|
86
|
+
size; key count; source query time; source call count; origin saturation; Redis client wait,
|
|
87
|
+
round-trip latency, command latency, serialization cost, Slow Log limits, replica lag, shard
|
|
88
|
+
imbalance, and set success.
|
|
87
89
|
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
88
90
|
validation.
|
|
89
91
|
|
|
@@ -180,6 +182,8 @@ and what happens to the source system when the cache misses or fails?"
|
|
|
180
182
|
shedding, stale serve, circuit breaker, bulkhead, or another source-protection mechanism.
|
|
181
183
|
- Decide whether cache failure is disposable or correctness-sensitive. Sessions, permissions,
|
|
182
184
|
rate limits, inventory, idempotency, and dedupe caches are not ordinary performance caches.
|
|
185
|
+
- Compare normal cached traffic with an allowed bypass path or known miss path when evidence is
|
|
186
|
+
available. If bypass is faster, fresher, or more correct, the cache policy itself is suspect.
|
|
183
187
|
13. Check Redis keyspace and memory behavior.
|
|
184
188
|
- Review value size, key size, key schema, bounded key cardinality, max memory, eviction policy,
|
|
185
189
|
expired keys, evicted keys, and whether TTL-less keys are turning cache into state storage.
|
|
@@ -187,43 +191,54 @@ and what happens to the source system when the cache misses or fails?"
|
|
|
187
191
|
so TTL-less keys can crowd out real cache behavior.
|
|
188
192
|
- `KEYS *` in application code is a production bomb. Use `SCAN` only from bounded admin or
|
|
189
193
|
maintenance paths with explicit limits.
|
|
190
|
-
14. Check
|
|
194
|
+
14. Check Redis latency, replication, and distribution.
|
|
195
|
+
- Redis Slow Log does not include client round-trip time, connection wait, serialization,
|
|
196
|
+
application loop overhead, DNS, TLS, or network path time. Do not use it as the only latency
|
|
197
|
+
proof.
|
|
198
|
+
- Review replica lag, failover behavior, cold replica warmup, persistence spikes, memory
|
|
199
|
+
fragmentation, client connection pools, shard imbalance, and command mix when a cache incident
|
|
200
|
+
is operational rather than semantic.
|
|
201
|
+
15. Check hot keys and Redis Cluster distribution.
|
|
191
202
|
- Sharding does not save one hot key. Use replicas, local L1, request coalescing, prewarm,
|
|
192
203
|
chunking, or workload-specific splitting where semantics allow it.
|
|
193
204
|
- Redis Cluster hash tags are useful for intentional multi-key locality, but overusing the same
|
|
194
205
|
tag can force too many keys into one slot.
|
|
195
|
-
|
|
206
|
+
16. Check HTTP cache semantics.
|
|
196
207
|
- If responses vary by `Authorization`, `Cookie`, `Accept-Language`, `Accept-Encoding`, content
|
|
197
208
|
negotiation, or user context, verify `Vary` and cache-control behavior.
|
|
198
209
|
- `no-cache` means revalidate before reuse. `no-store` means do not store. Do not use one when
|
|
199
210
|
the other is required.
|
|
200
211
|
- Check freshness, validation, private versus public cacheability, CDN behavior, browser behavior,
|
|
201
212
|
and generated-client or proxy expectations.
|
|
202
|
-
|
|
213
|
+
17. Check permission and entitlement caches as security boundaries.
|
|
203
214
|
- A permission cache, role cache, organization-membership cache, subscription cache, admin cache,
|
|
204
215
|
or entitlement cache must be invalidated by revocation, role change, organization move,
|
|
205
216
|
subscription expiry, ownership change, and emergency access changes.
|
|
206
217
|
- Short TTL alone is not enough for decisions that should fail closed or revoke promptly.
|
|
207
|
-
|
|
218
|
+
18. Check cache warming and cold-start behavior.
|
|
208
219
|
- Deployment, autoscale, failover, and rollback can create synchronized cold caches that push
|
|
209
220
|
traffic to the source.
|
|
210
221
|
- Prewarm only keys with clear ownership and backpressure. Do not build an unbounded warming job
|
|
211
222
|
that becomes the outage.
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
223
|
+
- Load-test or smoke the cold, warm, failover, replica-lag, source-slow, and cache-down scenarios
|
|
224
|
+
when the repository has configured evidence. Otherwise report those as manual operational gaps.
|
|
225
|
+
19. Check observability.
|
|
226
|
+
- Hit rate alone lies. Break down hits, misses, bypasses, stale serves, refreshes, negative hits,
|
|
227
|
+
refresh failures, evictions, expirations, fallback serves, Redis errors, and set failures by
|
|
228
|
+
endpoint, key-pattern, tenant, status-code, and cache layer where useful.
|
|
216
229
|
- Log or measure miss cost: source query time, source call count, value size, generation time,
|
|
217
230
|
and set success.
|
|
231
|
+
- Track hit-rate cost: origin load avoided, origin load caused by misses, miss amplification,
|
|
232
|
+
cache write failures, and whether a high hit rate hides a small set of expensive miss paths.
|
|
218
233
|
- Keep cache metrics labels bounded; put high-cardinality keys in logs or traces only when the
|
|
219
234
|
repository privacy rules allow it.
|
|
220
|
-
|
|
235
|
+
20. Check tests beyond the happy path.
|
|
221
236
|
- "Second call is faster" is not enough.
|
|
222
237
|
- Cover concurrent misses, update during read, delete then recreate, source failure, Redis
|
|
223
238
|
failure, synchronized TTL expiry, old-version cached value, permission change, tenant
|
|
224
239
|
separation, list invalidation, negative-cache classification, deploy rollback, and cache-layer
|
|
225
240
|
bypass when those risks exist.
|
|
226
|
-
|
|
241
|
+
21. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
|
|
227
242
|
or load tests, report the missing evidence instead of claiming the cache is safe.
|
|
228
243
|
|
|
229
244
|
<!-- mustflow-section: postconditions -->
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.change-blast-radius-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: change-blast-radius-review
|
|
9
|
-
description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, historical co-change spread, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -46,6 +46,8 @@ feature is removed, what can I delete?"
|
|
|
46
46
|
logging, tests, abstractions, helpers, or legacy compatibility.
|
|
47
47
|
- A single requirement would force edits across several files, layers, modules, frontend code, SQL,
|
|
48
48
|
jobs, events, cache keys, tests, or docs.
|
|
49
|
+
- Recent PRs, commits, work orders, or review history show that small requirements routinely
|
|
50
|
+
co-change many repositories, services, schemas, pipelines, teams, tests, or docs.
|
|
49
51
|
- A file or service has several unrelated reasons to change under one broad noun such as `Manager`,
|
|
50
52
|
`Helper`, `Processor`, `Handler`, or `Service`.
|
|
51
53
|
- A review needs to decide whether to use `module-boundary-review`, `structure-first-engineering`,
|
|
@@ -72,6 +74,10 @@ feature is removed, what can I delete?"
|
|
|
72
74
|
- User goal, current diff or target files, and the requirement or policy that caused the change.
|
|
73
75
|
- Change-reason ledger: which business rule, user flow, data shape, failure path, compatibility
|
|
74
76
|
rule, tenant exception, or operational behavior would make this code change next.
|
|
77
|
+
- Historical co-change ledger when available: recent PRs or commits touching the same requirement
|
|
78
|
+
family, repositories touched, services touched, DB schemas touched, deployment pipelines touched,
|
|
79
|
+
teams or reviewers involved, tests changed, docs changed, and whether the current design reduced
|
|
80
|
+
or repeated that spread.
|
|
75
81
|
- Blast-radius ledger: controllers, services, repositories, entities, DTOs, frontend conditions,
|
|
76
82
|
SQL, migrations, batches, events, caches, config, tests, docs, and templates touched by one reason.
|
|
77
83
|
- Ownership ledger: source of truth for domain rule, authorization rule, state transition, retry
|
|
@@ -115,123 +121,128 @@ feature is removed, what can I delete?"
|
|
|
115
121
|
- Ask: "If this requirement changes next month, which files move?"
|
|
116
122
|
- If one policy edit needs controller, service, repository, SQL, frontend, batch, cache, and test
|
|
117
123
|
edits, the code is a puzzle, not a boundary.
|
|
118
|
-
2.
|
|
124
|
+
2. Check historical co-change when evidence exists.
|
|
125
|
+
- Look for recent PRs, commits, or work items in the same feature or policy family.
|
|
126
|
+
- Count repositories, services, schemas, pipelines, test suites, docs, and teams touched by small changes.
|
|
127
|
+
- Treat repeated cross-boundary co-change as stronger evidence than a clean-looking folder tree.
|
|
128
|
+
- If history is unavailable or too expensive for the task, report the review as prediction-only instead of pretending the boundary was proven.
|
|
129
|
+
3. Count reasons to change, not lines.
|
|
119
130
|
- A short file can still hold signup, login, points, notification, referral, admin blocking, and
|
|
120
131
|
reporting rules.
|
|
121
132
|
- Split by different change reasons, not by noun labels.
|
|
122
|
-
|
|
133
|
+
4. Keep controllers as doors, not bosses.
|
|
123
134
|
- Controllers should parse requests, call an application boundary, and map the result.
|
|
124
135
|
- Treat controller `if`, `for`, state mutation, external API calls, discount logic, inventory
|
|
125
136
|
checks, or notification orchestration as workflow leakage.
|
|
126
|
-
|
|
137
|
+
5. Reject junk-drawer services.
|
|
127
138
|
- Broad names such as `OrderService`, `UserService`, `Manager`, `Helper`, `Processor`, and
|
|
128
139
|
`Handler` often hide unrelated workflows.
|
|
129
140
|
- Name the actual responsibility or split by workflow owner when changes would not arrive
|
|
130
141
|
together.
|
|
131
|
-
|
|
142
|
+
6. Decode boolean mode flags.
|
|
132
143
|
- `createUser(user, true)` and `sendNotification(user, true, false)` mean one function already
|
|
133
144
|
has hidden modes.
|
|
134
145
|
- Replace modes with named variants, policy objects, strategy objects, or separate functions when
|
|
135
146
|
behavior contracts differ.
|
|
136
|
-
|
|
147
|
+
7. Inspect option objects for combinatorial behavior.
|
|
137
148
|
- Fields such as `skipValidation`, `dryRun`, `force`, `source`, `mode`, `type`, `retry`,
|
|
138
149
|
`legacy`, and `includeInactive` can turn one call into many products.
|
|
139
150
|
- If field combinations change behavior, use explicit mode types or separate boundaries.
|
|
140
|
-
|
|
151
|
+
8. Find the policy source of truth.
|
|
141
152
|
- Repeated rules such as "VIP gets free shipping" across backend, frontend, SQL, batch, and
|
|
142
153
|
cache code are not harmless duplication.
|
|
143
154
|
- Name one owner and make other layers consume facts or capabilities from that owner.
|
|
144
|
-
|
|
155
|
+
9. Centralize authorization policy.
|
|
145
156
|
- Scattered checks such as `role == admin`, `ownerId == user.id`, or membership scans make policy
|
|
146
157
|
changes scary.
|
|
147
158
|
- Use `auth-permission-change` when action permission needs one policy source and denial tests.
|
|
148
|
-
|
|
159
|
+
10. Make state transitions visible.
|
|
149
160
|
- Status values are not enough. Review where `status = ...` happens and which transitions are
|
|
150
161
|
legal.
|
|
151
162
|
- Use `state-machine-pattern` when allowed transitions need to be represented explicitly.
|
|
152
|
-
|
|
163
|
+
11. Pull time, randomness, and generated IDs to a boundary.
|
|
153
164
|
- Direct `new Date()`, `Date.now()`, `LocalDateTime.now()`, UUIDs, random order numbers, random
|
|
154
165
|
filenames, and generated referral codes hide reproducibility and future policy changes.
|
|
155
166
|
- Use explicit time, generator, or identifier inputs from the shell.
|
|
156
|
-
|
|
167
|
+
12. Draw the transaction boundary.
|
|
157
168
|
- When several saves happen, ask what remains if the middle save fails.
|
|
158
169
|
- If the answer is unclear, use `failure-integrity-review` or the relevant database skill before
|
|
159
170
|
changing behavior.
|
|
160
|
-
|
|
171
|
+
13. Separate external calls from committed state.
|
|
161
172
|
- DB save, payment API, DB save, notification API in one flow creates timeout, retry, and
|
|
162
173
|
duplicate-effect traps.
|
|
163
174
|
- Prefer local state plus outbox, idempotency keys, or effect descriptions when the operation
|
|
164
175
|
must survive partial failure.
|
|
165
|
-
|
|
176
|
+
14. Check retry idempotency.
|
|
166
177
|
- `retry(3)`, queues, webhooks, schedulers, and manual replays are dangerous without a duplicate
|
|
167
178
|
rule.
|
|
168
179
|
- Ask what happens when the same event arrives twice.
|
|
169
|
-
|
|
180
|
+
15. Reject cache-as-truth for important decisions.
|
|
170
181
|
- Cache can speed reads, but it should not become the source of truth for authorization, payment
|
|
171
182
|
eligibility, inventory, or other critical decisions.
|
|
172
183
|
- Use `cache-integrity-review` when cache freshness or fallback can mislead the decision.
|
|
173
|
-
|
|
184
|
+
16. Count config flag combinations.
|
|
174
185
|
- Flags such as `enableNewPolicy`, `useLegacyFlow`, `skipValidationForPartner`, and
|
|
175
186
|
`specialCaseTenantIds` can create untested products inside one code path.
|
|
176
187
|
- Name the supported combinations or isolate the variation behind a policy boundary.
|
|
177
|
-
|
|
188
|
+
17. Isolate tenant, partner, country, product, and app-version exceptions.
|
|
178
189
|
- Hardcoded `tenantId`, `partnerCode`, country code, app version, or product ID branches are
|
|
179
190
|
product debt, not just conditionals.
|
|
180
191
|
- Prefer configured capabilities, adapters, policy tables, or explicit exceptions with removal
|
|
181
192
|
owners.
|
|
182
|
-
|
|
193
|
+
18. Keep legacy compatibility out of the new core.
|
|
183
194
|
- `legacy`, `old`, `v1`, `deprecated`, and `temp` branches inside the main path pull old rules
|
|
184
195
|
into new code.
|
|
185
196
|
- Put compatibility in adapters, translators, migration paths, or isolated old-entry boundaries.
|
|
186
|
-
|
|
197
|
+
19. Separate data-object languages.
|
|
187
198
|
- DB entities, API DTOs, view models, external provider payloads, and domain objects should not
|
|
188
199
|
quietly become the same object.
|
|
189
200
|
- If one side changes and another side must follow, name the mapping owner.
|
|
190
|
-
|
|
201
|
+
20. Give nullable values a reason.
|
|
191
202
|
- `null` must not mean absence, unknown, failed calculation, forbidden access, and provider
|
|
192
203
|
timeout at the same time.
|
|
193
204
|
- Use variants, result types, or explicit fields that tell callers why a value is missing.
|
|
194
|
-
|
|
205
|
+
21. Do not hide exceptions as normal data.
|
|
195
206
|
- `catch (e) { return null }`, `catch (e) { log.warn(...) }`, and empty catches make the system
|
|
196
207
|
lie far from the failure.
|
|
197
208
|
- Use visible failure values, typed errors, or explicit degraded modes.
|
|
198
|
-
|
|
209
|
+
22. Make logs traceable, not decorative.
|
|
199
210
|
- Logs like `start` and `failed` without order ID, user ID, request ID, external call ID, tenant,
|
|
200
211
|
or operation name do not help future maintainers.
|
|
201
212
|
- Add safe correlation context when it is the only way to connect the failure path.
|
|
202
|
-
|
|
213
|
+
23. Keep tests attached to behavior.
|
|
203
214
|
- Tests that assert private methods, mock call order, or internal collaborator choreography make
|
|
204
215
|
refactors expensive.
|
|
205
216
|
- Prefer outcomes, state transitions, persisted commands, emitted events, or public results.
|
|
206
|
-
|
|
217
|
+
24. Treat mock count as a change-impact sensor.
|
|
207
218
|
- More than three mocks deserves a responsibility review.
|
|
208
219
|
- Five or more mocks usually means the class absorbs too many change directions.
|
|
209
|
-
|
|
220
|
+
25. Validate abstraction against real volatility.
|
|
210
221
|
- Interfaces, factories, strategies, and abstract classes help only when the variation axis is
|
|
211
222
|
real.
|
|
212
223
|
- Ask whether there are two real implementations now or a known future swap along this exact
|
|
213
224
|
axis.
|
|
214
|
-
|
|
225
|
+
26. Do not DRY together different futures.
|
|
215
226
|
- Removing duplication is harmful when two similar blocks change for different reasons.
|
|
216
227
|
- Keep duplication when it preserves independent policy evolution.
|
|
217
|
-
|
|
228
|
+
27. Make required ordering explicit.
|
|
218
229
|
- Initialization, validation, save, event publication, cache invalidation, notification, and
|
|
219
230
|
cleanup steps can be order-sensitive.
|
|
220
231
|
- If swapping two lines would break correctness, encode the sequence in a named workflow,
|
|
221
232
|
transaction, state transition, or command object.
|
|
222
|
-
|
|
233
|
+
28. Treat events as invisible function calls until proven otherwise.
|
|
223
234
|
- `publish(Event)` hides subscribers, failure behavior, ordering, duplicate delivery, and
|
|
224
235
|
compatibility.
|
|
225
236
|
- Name the event contract, listener expectations, idempotency, and failure handling.
|
|
226
|
-
|
|
237
|
+
29. Pair migrations with runtime compatibility.
|
|
227
238
|
- Schema changes, enum additions, defaults, indexes, and backfills must be checked against old
|
|
228
239
|
code on new schema and new code on old data.
|
|
229
240
|
- Use `database-migration-change` when deploy order or data backfill matters.
|
|
230
|
-
|
|
241
|
+
30. Run the deletion test.
|
|
231
242
|
- Ask: "If this feature disappears, what do I delete?"
|
|
232
243
|
- If flags, columns, conditions, events, caches, batch jobs, UI checks, and tests are scattered,
|
|
233
244
|
the feature is already rooted too deeply.
|
|
234
|
-
|
|
245
|
+
31. Pick the smallest boundary repair.
|
|
235
246
|
- If one owner is missing, introduce that owner.
|
|
236
247
|
- If one mode is hidden, name that mode.
|
|
237
248
|
- If the risk is too broad for the current task, report the exact next-change or deletion path
|
|
@@ -240,7 +251,8 @@ feature is removed, what can I delete?"
|
|
|
240
251
|
<!-- mustflow-section: postconditions -->
|
|
241
252
|
## Postconditions
|
|
242
253
|
|
|
243
|
-
- The next likely policy or workflow change has a named owner
|
|
254
|
+
- The next likely policy or workflow change has a named owner, historical co-change evidence when
|
|
255
|
+
available, and a predictable edit path, or the
|
|
244
256
|
unpredictable spread is explicitly reported.
|
|
245
257
|
- Important side effects, transactions, retries, events, caches, config flags, migrations, and logs
|
|
246
258
|
have clear owners or remaining risks.
|
|
@@ -287,6 +299,7 @@ public contract.
|
|
|
287
299
|
|
|
288
300
|
- Change blast radius reviewed
|
|
289
301
|
- Next likely change and owner
|
|
302
|
+
- Historical co-change evidence, or prediction-only note when unavailable
|
|
290
303
|
- Files, layers, jobs, caches, events, tests, docs, or migrations in the blast radius
|
|
291
304
|
- Policy, authorization, state, transaction, retry, cache, config, tenant, legacy, DTO, nullable,
|
|
292
305
|
log, test, abstraction, ordering, event, migration, or deletion findings
|