mustflow 2.85.4 → 2.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/dist/cli/commands/script-pack.js +10 -0
  2. package/dist/cli/i18n/en.js +183 -0
  3. package/dist/cli/i18n/es.js +183 -0
  4. package/dist/cli/i18n/fr.js +183 -0
  5. package/dist/cli/i18n/hi.js +183 -0
  6. package/dist/cli/i18n/ko.js +183 -0
  7. package/dist/cli/i18n/zh.js +183 -0
  8. package/dist/cli/lib/script-pack-registry.js +284 -1
  9. package/dist/cli/script-packs/code-change-impact.js +6 -0
  10. package/dist/cli/script-packs/code-import-cycle.js +193 -0
  11. package/dist/cli/script-packs/docs-link-integrity.js +145 -0
  12. package/dist/cli/script-packs/repo-approval-gate.js +100 -0
  13. package/dist/cli/script-packs/repo-git-ignore-audit.js +119 -0
  14. package/dist/cli/script-packs/repo-manifest-lock-drift.js +122 -0
  15. package/dist/cli/script-packs/repo-merge-conflict-scan.js +123 -0
  16. package/dist/cli/script-packs/repo-skill-route-audit.js +86 -0
  17. package/dist/cli/script-packs/repo-version-source.js +92 -0
  18. package/dist/cli/script-packs/test-performance-report.js +247 -0
  19. package/dist/cli/script-packs/test-regression-selector.js +167 -0
  20. package/dist/core/change-impact.js +23 -51
  21. package/dist/core/change-surface-classification.js +198 -0
  22. package/dist/core/docs-link-integrity.js +443 -0
  23. package/dist/core/import-cycle.js +152 -0
  24. package/dist/core/public-json-contracts.js +116 -0
  25. package/dist/core/repo-approval-gate.js +116 -0
  26. package/dist/core/repo-git-ignore-audit.js +302 -0
  27. package/dist/core/repo-manifest-lock-drift.js +321 -0
  28. package/dist/core/repo-merge-conflict-scan.js +335 -0
  29. package/dist/core/repo-version-source.js +82 -0
  30. package/dist/core/script-pack-suggestions.js +77 -1
  31. package/dist/core/skill-route-audit.js +354 -0
  32. package/dist/core/test-performance-report.js +697 -0
  33. package/dist/core/test-regression-selector.js +335 -0
  34. package/package.json +1 -1
  35. package/schemas/README.md +40 -2
  36. package/schemas/change-impact-report.schema.json +35 -1
  37. package/schemas/import-cycle-report.schema.json +157 -0
  38. package/schemas/link-integrity-report.schema.json +176 -0
  39. package/schemas/repo-approval-gate-report.schema.json +115 -0
  40. package/schemas/repo-git-ignore-audit-report.schema.json +201 -0
  41. package/schemas/repo-manifest-lock-drift-report.schema.json +202 -0
  42. package/schemas/repo-merge-conflict-scan-report.schema.json +169 -0
  43. package/schemas/repo-version-source-report.schema.json +127 -0
  44. package/schemas/skill-route-audit-report.schema.json +144 -0
  45. package/schemas/test-performance-report.schema.json +319 -0
  46. package/schemas/test-regression-selector-report.schema.json +187 -0
  47. package/templates/default/i18n.toml +66 -18
  48. package/templates/default/locales/en/.mustflow/skills/INDEX.md +45 -8
  49. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +48 -27
  50. package/templates/default/locales/en/.mustflow/skills/api-failure-triage/SKILL.md +270 -0
  51. package/templates/default/locales/en/.mustflow/skills/auth-flow-triage/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +59 -13
  53. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +14 -5
  54. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +30 -15
  55. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +45 -32
  56. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +200 -0
  57. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +87 -13
  58. package/templates/default/locales/en/.mustflow/skills/docker-runtime-triage/SKILL.md +191 -0
  59. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +18 -13
  60. package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +18 -10
  61. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +4 -1
  62. package/templates/default/locales/en/.mustflow/skills/motion-system-contract-review/SKILL.md +155 -0
  63. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +177 -0
  64. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +15 -7
  65. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +59 -35
  66. package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +16 -6
  67. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +4 -1
  68. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +19 -10
  69. package/templates/default/locales/en/.mustflow/skills/rag-pipeline-triage/SKILL.md +206 -0
  70. package/templates/default/locales/en/.mustflow/skills/routes.toml +54 -0
  71. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +10 -4
  72. package/templates/default/locales/en/.mustflow/skills/search-index-integrity-review/SKILL.md +181 -0
  73. package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +37 -23
  74. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +9 -0
  75. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +14 -9
  76. package/templates/default/locales/en/.mustflow/skills/vector-search-integrity-review/SKILL.md +209 -0
  77. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +16 -14
  78. package/templates/default/manifest.toml +64 -1
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.go-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 3
5
+ revision: 4
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: go-code-change
@@ -35,7 +35,7 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
35
35
 
36
36
  - `.go`, `go.mod`, `go.sum`, `go.work`, build tags, generated code, public package API, tests, benchmarks, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem access, network addresses, runtime tuning, tools, or module dependencies change.
37
37
  - The task touches interfaces, error wrapping, package structure, concurrency ownership, cancellation, timeout policy, memory limits, race-sensitive code, benchmark measurement, or module dependencies.
38
- - Code or docs use Go-version-gated features such as expression operands to `new`, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `os.Root` or `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, experimental `GOEXPERIMENT` features, or newer runtime defaults.
38
+ - Code or docs use Go-version-gated features such as expression operands to `new`, range-over-function iterators, generic type aliases, reflect iterators, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `T.ArtifactDir`, `B.ArtifactDir`, `F.ArtifactDir`, `testing/cryptotest.SetGlobalRandom`, `os.Root` or `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, experimental `GOEXPERIMENT` features, or newer runtime defaults.
39
39
 
40
40
  <!-- mustflow-section: do-not-use-when -->
41
41
  ## Do Not Use When
@@ -79,7 +79,7 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
79
79
  2. Classify the change as package API, internal implementation, dependency, error behavior, context flow, concurrency, HTTP or proxy behavior, JSON encoding, filesystem safety, runtime or deployment behavior, benchmark, tooling, or test-only.
80
80
  3. Check the Go version contract before using newer syntax or APIs:
81
81
  - treat the `go` directive as a language and module compatibility switch, not decoration;
82
- - do not use `new(expr)`, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `os.Root`, `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, or any `GOEXPERIMENT` feature unless the repository's supported Go version and build path allow it;
82
+ - do not use `new(expr)`, range-over-function iterators, generic type aliases, reflect iterator methods, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `T.ArtifactDir`, `B.ArtifactDir`, `F.ArtifactDir`, `testing/cryptotest.SetGlobalRandom`, `os.Root`, `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, or any `GOEXPERIMENT` feature unless the repository's supported Go version and build path allow it;
83
83
  - distinguish stable standard-library APIs from experimental APIs that require `GOEXPERIMENT`;
84
84
  - when `go.mod` or `go.work` changes, report language-version, module-graph, toolchain, and downstream support impact.
85
85
  4. Check package boundaries before adding a package or interface:
@@ -125,36 +125,40 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
125
125
  - receivers do not close borrowed input channels;
126
126
  - multiple senders require a coordinator that closes only after all senders finish;
127
127
  - cancellable pipelines must avoid permanently blocking upstream goroutines when downstream stops early.
128
- 12. Keep timeout policy at request, command, API, or operation boundaries. Do not hide arbitrary sleeps or timeouts in reusable helpers unless that helper explicitly owns the policy.
129
- 13. Check HTTP and proxy defaults:
128
+ 12. Use iterator functions only for pull-style traversal, not hidden concurrency. Honor the `yield` return value immediately, call the `stop` function from pull iterators, keep resource ownership visible, and keep channels for actual concurrent communication or backpressure.
129
+ 13. Keep timeout policy at request, command, API, or operation boundaries. Do not hide arbitrary sleeps or timeouts in reusable helpers unless that helper explicitly owns the policy.
130
+ 14. Check HTTP and proxy defaults:
130
131
  - set deliberate `http.Client` and `http.Server` timeouts for network-facing code; zero timeout means no limit in important cases;
131
132
  - reuse clients and transports instead of creating them per request;
132
133
  - prefer reverse-proxy rewrite hooks over deprecated or unsafe director-style mutation when the supported Go version allows it;
133
134
  - keep hop-by-hop header, forwarded-host, scheme, cancellation, streaming, and error-mapping behavior explicit.
134
- 14. Keep JSON contracts honest:
135
+ 15. Keep JSON contracts honest:
135
136
  - choose `omitempty` versus `omitzero` deliberately, especially for `time.Time`, numeric zero, boolean false, and optional fields;
136
137
  - use `SetEscapeHTML(false)` only when the JSON is not embedded into HTML and callers expect raw `<`, `>`, or `&`;
137
138
  - treat `encoding/json/v2` and `jsontext` as experimental unless the repository explicitly opts into the relevant experiment and migration tests.
138
- 15. Check filesystem and network address helpers:
139
+ 16. Check filesystem and network address helpers:
139
140
  - use traversal-resistant root APIs when accepting user-controlled relative paths and the supported Go version provides them;
140
141
  - do not treat `filepath.Join` plus prefix checks as sufficient against symlinks and TOCTOU;
141
142
  - prefer `net/netip` for comparable IP addresses and map keys when supported;
142
143
  - use `net.JoinHostPort` instead of string formatting for host and port assembly so IPv6 works.
143
- 16. Check runtime and deployment behavior when relevant:
144
+ 17. Check runtime and deployment behavior when relevant:
144
145
  - set `GOMEMLIMIT` or `debug.SetMemoryLimit` before tuning `GOGC` for container memory pressure, leaving headroom for non-Go memory such as cgo, mmap, and the kernel;
145
146
  - question manual `GOMAXPROCS` pins in containers on Go versions with container-aware defaults;
146
147
  - use PGO only with representative profiles and keep `default.pgo` ownership clear;
147
148
  - treat goroutine leak profiling, SIMD, JSON v2, and other experiments as opt-in evidence-gathering, not default production assumptions;
148
149
  - remember that `-race` only finds races on executed paths and carries significant overhead.
149
- 17. Keep tests and benchmarks deterministic:
150
+ 18. Keep tests and benchmarks deterministic:
150
151
  - do not use elapsed real time to wait for goroutine progress; use explicit synchronization, owned lifecycle waits, fake time, `testing/synctest` when supported, or the repository's established concurrency test helper;
151
- - prefer `testing.B.Loop` for new benchmarks when the supported Go version allows it, and keep setup, cleanup, allocation measurement, and compiler optimization boundaries honest.
152
- 18. Keep Go tools and modernization explicit:
152
+ - prefer `testing.B.Loop` for new benchmarks when the supported Go version allows it, and keep setup, cleanup, allocation measurement, and compiler optimization boundaries honest;
153
+ - use test artifact directories for files that should survive a test run only when the supported Go version and test invocation preserve artifacts; otherwise use the repository's existing temporary-file or golden-output policy;
154
+ - for deterministic crypto tests, prefer the standard cryptographic test hook when the supported Go version provides it instead of overriding global readers in production code paths.
155
+ 19. Keep Go tools and modernization explicit:
153
156
  - prefer the `tool` directive over `tools.go` pinning only when the repository's supported Go version allows it;
154
157
  - use `go fix` modernizers as reviewed migrations, not silent drive-by rewrites;
158
+ - update code generators, schema generators, lint helpers, and reflection-heavy tooling for generic aliases, alias node behavior, and reflect iterator methods only with fixture coverage;
155
159
  - prefer standard-library helpers such as `min`, `max`, `clear`, `slices`, `maps`, and `cmp` over new local utility packages when the supported Go version allows them.
156
- 19. If dependency metadata changes, keep module files and dependent tests synchronized. Do not raise the `go` directive, add toolchain requirements, change module path, or introduce direct dependencies unless the task requires it and the final report calls out the support impact.
157
- 20. Choose configured verification intents that cover formatting, tests, race-sensitive behavior, lint, API drift, module drift, docs, and release metadata when available.
160
+ 20. If dependency metadata changes, keep module files and dependent tests synchronized. Do not raise the `go` directive, add toolchain requirements, change module path, or introduce direct dependencies unless the task requires it and the final report calls out the support impact.
161
+ 21. Choose configured verification intents that cover formatting, tests, race-sensitive behavior, lint, API drift, module drift, docs, and release metadata when available.
158
162
 
159
163
  <!-- mustflow-section: postconditions -->
160
164
  ## Postconditions
@@ -187,6 +191,7 @@ For concurrency-sensitive changes, report whether a configured race or equivalen
187
191
  - If a new package becomes a shared bucket, move behavior back to the owning package or name the concrete capability.
188
192
  - If a provider-side interface appears only for mocking, delete it or move a minimal interface to the consumer.
189
193
  - If tests need sleeps for concurrency, prefer deterministic synchronization or report the gap.
194
+ - If an iterator function ignores `yield` returning false, a pull iterator omits `stop`, or a channel is replaced by an iterator while concurrency or backpressure remains required, restore the ownership contract before accepting the change.
190
195
  - If a goroutine has no owner, stop condition, wait path, cancellation path, or error path, do not add it.
191
196
  - If a newer Go feature is useful but the repository's `go` directive or CI matrix is lower, keep a fallback, defer the change, or report the required version bump instead of sneaking in the feature.
192
197
  - If HTTP clients, servers, or proxies have no timeout or cancellation boundary, stop and make the missing policy explicit before calling the path production-ready.
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.line-ending-hygiene
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: line-ending-hygiene
@@ -23,7 +23,7 @@ metadata:
23
23
  <!-- mustflow-section: purpose -->
24
24
  ## Purpose
25
25
 
26
- Detect line-ending drift without silently rewriting a repository, and normalize only when a repository policy and explicit user request make it safe.
26
+ Detect line-ending drift without silently rewriting a repository, distinguish current working-tree drift from Git conversion warnings, and normalize only when a repository policy and explicit user request make it safe.
27
27
 
28
28
  <!-- mustflow-section: use-when -->
29
29
  ## Use When
@@ -32,6 +32,7 @@ Detect line-ending drift without silently rewriting a repository, and normalize
32
32
  - A diff or formatter appears to rewrite files only because of line endings.
33
33
  - Docker, Linux, WSL, CI, or shell execution fails with `bad interpreter`, `bash\r`, `env: ...\r`, `exec format error`, or similar CRLF-related symptoms.
34
34
  - A proposal suggests creating `.gitattributes`, running renormalization, or rewriting tracked files to fix cross-platform line endings.
35
+ - A PowerShell, formatter, scaffold, generated update, or mechanical rewrite is suspected of changing line endings.
35
36
  - A user asks why line-ending warnings appear.
36
37
  - A user asks to normalize tracked files to the repository line-ending policy.
37
38
 
@@ -47,6 +48,7 @@ Detect line-ending drift without silently rewriting a repository, and normalize
47
48
 
48
49
  - The warning text or changed-file evidence.
49
50
  - Current `.gitattributes` or equivalent repository line-ending policy.
51
+ - Per-file EOL evidence from Git when available, including index EOL, working-tree EOL, and attribute result.
50
52
  - Current changed-file status.
51
53
  - Whether the request is diagnosis-only, policy authoring, or explicit tracked-file normalization.
52
54
  - The configured command intents for line-ending checks and manual normalization.
@@ -66,25 +68,30 @@ Detect line-ending drift without silently rewriting a repository, and normalize
66
68
  - Do not rewrite binary files, generated archives, dependency folders, or unrelated source files.
67
69
  - Do not change formatting, indentation, or content while handling line endings.
68
70
  - Do not create `.gitattributes`, run repository-wide renormalization, or commit line-ending changes as an automatic fallback from a build, Docker, clone, scaffold, or script failure.
71
+ - Do not change local Git EOL configuration or run repository-wide renormalization in a dirty worktree unless the user explicitly requests that scope and reviews the resulting diff.
69
72
 
70
73
  <!-- mustflow-section: procedure -->
71
74
  ## Procedure
72
75
 
73
76
  1. Inspect the changed-file status before deciding whether line endings are the actual issue.
74
- 2. Use the `line_endings_check` intent when it is configured and agent-runnable.
75
- 3. If no LF policy is declared, report the missing policy instead of normalizing files.
76
- 4. If a runtime error mentions CRLF symptoms, classify it as a line-ending/platform issue before treating it as a missing executable, missing dependency, Docker image problem, or shell bug.
77
- 5. If drift is found, report the affected tracked files and whether normalization was only previewed.
78
- 6. If a policy file needs to be created or changed, keep that as an explicit policy change with reviewable scope. Do not smuggle a new repository-wide policy into an unrelated bug fix.
79
- 7. Use normalization only after an explicit user request, and treat `line_endings_normalize` as manual-only unless the repository declares otherwise.
80
- 8. After any normalization, re-run the line-ending check and a relevant validation intent for the touched scope.
81
- 9. Keep the final report focused on policy, files changed, checks run, and remaining risk.
77
+ 2. Inspect the repository EOL policy before blaming a specific write command. A root `.gitattributes` rule such as `* text=auto eol=lf` is the durable source of truth; local Git settings are secondary evidence.
78
+ 3. Inspect per-file EOL evidence for any named file before assigning cause. Treat `i/lf w/lf attr/text=auto eol=lf` as currently clean. Treat `w/crlf` or mixed working-tree evidence as actual drift. Treat Git's "LF will be replaced by CRLF" wording as a future-conversion warning from configuration, not proof that the working tree is already CRLF.
79
+ 4. Use the `line_endings_check` intent when it is configured and agent-runnable.
80
+ 5. If no LF policy is declared, report the missing policy instead of normalizing files.
81
+ 6. If a runtime error mentions CRLF symptoms, classify it as a line-ending/platform issue before treating it as a missing executable, missing dependency, Docker image problem, or shell bug.
82
+ 7. If a PowerShell or formatter rewrite is involved, separate the read step from the write step. Reading a file does not prove it changed line endings; the writer API, Git checkout policy, previous edits, or generated output may be the actual source.
83
+ 8. If drift is found, report the affected tracked files and whether normalization was only previewed.
84
+ 9. If a policy file needs to be created or changed, keep that as an explicit policy change with reviewable scope. Do not smuggle a new repository-wide policy into an unrelated bug fix.
85
+ 10. Use normalization only after an explicit user request, and treat `line_endings_normalize` as manual-only unless the repository declares otherwise.
86
+ 11. After any normalization, re-run the line-ending check and a relevant validation intent for the touched scope.
87
+ 12. Keep the final report focused on policy, per-file EOL evidence, files changed, checks run, and remaining risk.
82
88
 
83
89
  <!-- mustflow-section: postconditions -->
84
90
  ## Postconditions
85
91
 
86
92
  - The agent has not silently rewritten the working tree.
87
93
  - The agent has not silently created or changed a repository-wide line-ending policy.
94
+ - The agent has not attributed a line-ending warning to a specific tool without per-file EOL evidence.
88
95
  - Any normalization is tied to a declared repository policy.
89
96
  - Remaining CRLF, mixed line endings, missing policy, or manual-only command gaps are reported.
90
97
 
@@ -112,6 +119,7 @@ If normalization touched code, documentation, templates, or release surfaces, al
112
119
  ## Output Format
113
120
 
114
121
  - Line-ending policy found
122
+ - Per-file EOL evidence inspected
115
123
  - Policy changes made or deferred
116
124
  - Files with CRLF or mixed line endings
117
125
  - Files normalized
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.llm-hallucination-control-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: llm-hallucination-control-review
@@ -44,6 +44,9 @@ Keep unsupported factual claims from leaving an LLM feature by turning answerabi
44
44
  ## Do Not Use When
45
45
 
46
46
  - The task is mainly prompt wording, prompt builder structure, output schema shape, model settings, few-shot examples, or agent completion wording; use `prompt-contract-quality-review`.
47
+ - The task is an end-to-end RAG failure and it is not yet clear whether ingestion, retrieval,
48
+ context assembly, prompt construction, generation, citation validation, or answerability failed;
49
+ use `rag-pipeline-triage` first.
47
50
  - The main risk is token spend, provider prompt-cache hit rate, chat-history bloat, RAG context size, model routing cost, reasoning budget, retry replay, or cost observability; use `llm-token-cost-control-review`.
48
51
  - The main risk is time to first token, first useful output, streaming latency, LLM round trips, tool wait, prompt-cache latency, model routing speed, realtime continuation, priority tier, predicted-output latency, or user-perceived response speed; use `llm-response-latency-review`.
49
52
  - The main risk is autonomous agent execution control, tool-call approval, durable resume behavior, planner/executor/verifier separation, handoffs, guardrail placement, loop budgets, retry classification, or trace outcome evaluation; use `agent-execution-control-review`.
@@ -0,0 +1,155 @@
1
+ ---
2
+ mustflow_doc: skill.motion-system-contract-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: motion-system-contract-review
9
+ description: Apply this skill when UI motion, animation, transition, microinteraction, motion design systems, WAAPI, CSS animation or transition, Framer Motion, GSAP, view transition, hover/press/focus animation, reduced-motion behavior, animation interruption, or motion state settlement is planned, edited, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.motion-system-contract-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Motion System Contract Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review UI motion as an explicit state-transition contract instead of decorative prose.
33
+ Motion must not own product state. It may visualize a state change, but the logical state,
34
+ async result, permission, selection, route, or persisted value must be owned outside the animation.
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - UI motion, animation, transition, microinteraction, motion recipe, or design-system motion token work is created, edited, reviewed, or reported.
40
+ - The work mentions CSS `animation`, CSS `transition`, `@keyframes`, `animation-fill-mode`, Web Animations API, Framer Motion, GSAP, View Transitions, or component-library motion props.
41
+ - Hover, press, focus, drag, route transition, viewport entry, loading, async success, async failure, toast, dialog, carousel, skeleton, or list reorder motion behavior is part of the change.
42
+ - Reduced motion, interruption, cancellation, settlement, timeline tracks, transform, opacity, filter, layout animation, additive composition, or channel collision needs review.
43
+ - Natural-language animation directions need conversion into observable roles, semantic events, logical from-state and to-state, timeline tracks, and failure policies.
44
+
45
+ <!-- mustflow-section: do-not-use-when -->
46
+ ## Do Not Use When
47
+
48
+ - The task is only per-frame rendering jank, style recalculation, layout thrash, paint cost, or INP delay after the motion contract is already clear; use `frame-render-performance-review`.
49
+ - The task is only first-paint, navigation flicker, hydration flash, blank first render, or state loss across navigation; use `frontend-render-stability`.
50
+ - The task is only general UI polish, layout stress, copy, or visual state coverage without motion-specific behavior; use `ui-quality-gate` or `frontend-stress-layout-review`.
51
+ - The task is only semantic HTML, keyboard operation, focus management, accessible names, or accessibility-tree evidence; use `frontend-accessibility-tree-review`.
52
+ - The change has no user-facing motion, transition, animated state change, or animation-adjacent behavior.
53
+
54
+ <!-- mustflow-section: required-inputs -->
55
+ ## Required Inputs
56
+
57
+ - Motion slot, surface, component, route, or design-system recipe being changed.
58
+ - Source role, target roles, semantic event, and whether the event is interaction, component-state, signal, viewport, or timer driven.
59
+ - Logical from-state and to-state, including the source of truth for each state.
60
+ - Timeline tracks with target, channel, range, keyframes, easing, duration, delay, and composition mode when available.
61
+ - Interruption policy for same event, opposite event, unrelated event, route change, unmount, and async cancellation.
62
+ - Settlement policy that explains what durable state is applied after motion completes and which animation effects are cleared.
63
+ - Reduced motion policy and the fallback behavior for no-animation or low-motion users.
64
+ - Binding approach for targets, such as component refs, roles, slots, data attributes, or brittle CSS selectors.
65
+ - Async signal ownership for loading, success, failure, retry, optimistic update, and rollback feedback.
66
+ - Evidence level: static contract review, unit or integration test, story fixture, browser runtime proof, DevTools trace, or reported gap.
67
+
68
+ <!-- mustflow-section: preconditions -->
69
+ ## Preconditions
70
+
71
+ - The motion behavior is tied to a user-visible state, event, or feedback path.
72
+ - The nearest workflow instructions and configured command intents have been checked.
73
+ - Nearby frontend, accessibility, render performance, and state ownership skills have been considered for overlap.
74
+ - The review can inspect enough code, design-system config, docs, story fixtures, or tests to distinguish logical state from animation effects.
75
+
76
+ <!-- mustflow-section: allowed-edits -->
77
+ ## Allowed Edits
78
+
79
+ - Update motion recipes, component motion props, CSS keyframes, transition declarations, animation lifecycle handlers, reduced-motion rules, story fixtures, tests, and directly synchronized docs or templates.
80
+ - Replace brittle selector binding with explicit role/ref/slot/data binding when the local pattern supports it.
81
+ - Add or tighten state, signal, interruption, settlement, reduced-motion, and failure policies near the motion owner.
82
+ - Add focused tests or fixtures that prove state ownership, async signal timing, interruption behavior, reduced motion, and settlement.
83
+ - Do not introduce a new animation framework, global motion DSL, or design-system schema unless the task explicitly asks for that broader architecture.
84
+ - Do not make animation completion the only owner of business, navigation, permission, payment, async result, or persistence state.
85
+ - Do not claim runtime visual proof from a static code review.
86
+
87
+ <!-- mustflow-section: procedure -->
88
+ ## Procedure
89
+
90
+ 1. Convert animation prose into a contract ledger. Natural-language instructions such as "click makes it pop" are not the source of truth. Record the motion slot, roles, event, from-state, to-state, tracks, policies, and evidence.
91
+ 2. Identify the logical state owner before evaluating the animation. Name whether state lives in component state, URL, server cache, form draft, store, DOM attribute, design-system primitive, async signal, or browser capability.
92
+ 3. Classify the trigger event as interaction, component-state, signal, viewport, or timer. Do not let a timer pretend to be a real success, failure, permission, or completion signal.
93
+ 4. For async success and failure motion, require actual result signals. Loading shimmer, success check, error shake, retry pulse, optimistic success, and rollback motion must follow real async state, not elapsed time alone.
94
+ 5. Require explicit from-state and to-state values. If either side is unknown, report the gap before reviewing easing or visual style.
95
+ 6. Model the timeline as tracks. For each track, record target role, channel, range, keyframes, easing, duration, delay, fill, and composition.
96
+ 7. Check same target and channel overlap. Two tracks writing the same channel over the same time range are a collision unless additive composition is explicit and allowed by the motion profile.
97
+ 8. Treat additive composition as opt-in. Confirm all involved tracks, tokens, and runtime APIs support additive behavior. Reject accidental accumulate behavior when the platform or library semantics are unclear.
98
+ 9. Keep layout channels off by default. Prefer `transform` and `opacity`; challenge width, height, top, left, margin, padding, grid, or text-flow animation unless there is a measured and accessible reason.
99
+ 10. Define interruption policy for same, opposite, and unrelated events. Decide whether to restart, reverse, finish, cancel, queue, merge, or ignore. Include route change, unmount, gesture cancel, and rapid repeat input.
100
+ 11. Define settlement policy. On completion, apply durable target state through the state owner, then remove temporary animation effects, inline styles, classes, handles, timers, and observers.
101
+ 12. Do not use `animation-fill-mode: forwards`, WAAPI fill, or library fill behavior as durable UI state. Fill may visually bridge the end of a track, but it must not be the source of truth after settlement.
102
+ 13. Require reduced motion behavior. Respect `prefers-reduced-motion` and product settings where present. Replace motion with instant state, opacity-only feedback, shorter duration, or non-motion affordances as appropriate.
103
+ 14. Check input capability and parity. Hover motion requires hover and fine-pointer capability and must not be the only access path; keyboard, touch, and assistive interaction paths need equivalent state or feedback.
104
+ 15. Prefer role/ref binding over brittle selectors. Recipes should bind to component slots, refs, semantic roles, or stable data hooks, not `nth-child`, layout-depth selectors, or visual-only class chains.
105
+ 16. Define lifecycle and failure behavior. Development may throw on impossible recipes, but production should skip-effect-and-report animation failures while preserving the core UI action.
106
+ 17. Separate contract review from runtime proof. Report whether evidence is static, test-backed, story-backed, browser-observed, or missing.
107
+
108
+ <!-- mustflow-section: postconditions -->
109
+ ## Postconditions
110
+
111
+ - Motion intent has a state-transition contract, not only animation prose.
112
+ - Logical state owner, semantic event class, from-state, to-state, tracks, interruption, settlement, reduced motion, binding, lifecycle, and failure policies are named.
113
+ - Any same target/channel collision, false async signal, fill-mode state lie, layout-channel risk, hover-only behavior, selector-binding drift, or missing reduced-motion path is fixed or reported.
114
+ - Verification and evidence level are reported honestly.
115
+
116
+ <!-- mustflow-section: verification -->
117
+ ## Verification
118
+
119
+ Use configured oneshot command intents when available:
120
+
121
+ - `changes_status`
122
+ - `changes_diff_summary`
123
+ - `lint`
124
+ - `build`
125
+ - `test_related`
126
+ - `test`
127
+ - `docs_validate_fast`
128
+ - `test_release`
129
+ - `mustflow_check`
130
+
131
+ Use focused tests, story fixtures, or browser checks only when the repository command contract exposes them as configured oneshot commands or the user explicitly authorizes that verification path.
132
+
133
+ <!-- mustflow-section: failure-handling -->
134
+ ## Failure Handling
135
+
136
+ - If the logical state owner cannot be found, stop motion-specific edits and report the missing state owner before changing animation timing.
137
+ - If from-state or to-state is unknown, keep the motion conservative and record the unknown transition instead of inventing a recipe.
138
+ - If async success or failure is timer-driven, route the issue to the async state owner and avoid success/failure motion until real signals exist.
139
+ - If reduced-motion behavior is missing, add an explicit policy or report it as a release-blocking accessibility risk for user-facing motion.
140
+ - If a same target/channel collision exists and additive composition is unsupported or unclear, remove, sequence, or split the conflicting tracks.
141
+ - If runtime proof is unavailable, report static contract evidence and the skipped visual verification instead of claiming the animation works.
142
+
143
+ <!-- mustflow-section: output-format -->
144
+ ## Output Format
145
+
146
+ - Motion surfaces reviewed
147
+ - State owner and semantic event class
148
+ - From-state and to-state contract
149
+ - Timeline tracks and channel collision result
150
+ - Interruption, settlement, reduced-motion, lifecycle, and failure policies
151
+ - Binding approach and selector drift risk
152
+ - Async signal and false-feedback risk
153
+ - Verification run
154
+ - Skipped checks and reasons
155
+ - Remaining motion contract risk
@@ -0,0 +1,177 @@
1
+ ---
2
+ mustflow_doc: skill.next-action-menu
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: next-action-menu
9
+ description: Apply this skill when a final report, completion note, repository improvement loop, or follow-up workflow should offer a bounded numbered next-action menu that a user can select with a single digit in the next turn.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.next-action-menu
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - docs_validate_fast
19
+ - test_release
20
+ - mustflow_check
21
+ ---
22
+
23
+ # Next Action Menu
24
+
25
+ <!-- mustflow-section: purpose -->
26
+ ## Purpose
27
+
28
+ Turn useful follow-up work into a compact, selectable menu after a task is reported complete or
29
+ paused.
30
+
31
+ The menu should make the next turn cheaper for the user without pretending that a digit can bypass
32
+ scope, approval, verification, command contracts, release gates, or safety rules.
33
+
34
+ <!-- mustflow-section: use-when -->
35
+ ## Use When
36
+
37
+ - A final report, completion note, handoff, or repository improvement cycle has one or more useful
38
+ follow-up tasks.
39
+ - The user repeatedly asks for "next recommended work", "continue", "proceed", or selects follow-up
40
+ items after previous completion reports.
41
+ - The agent needs to present a bounded backlog that can be selected by a single digit in the next
42
+ user turn.
43
+ - Follow-up tasks differ in value, risk, or urgency enough that ranking helps the user choose.
44
+
45
+ <!-- mustflow-section: do-not-use-when -->
46
+ ## Do Not Use When
47
+
48
+ - The current answer is a tiny direct response with no meaningful follow-up.
49
+ - There are no evidence-backed next actions, or all plausible next actions are speculative.
50
+ - The user asked not to include recommendations, menus, or follow-up prompts.
51
+ - The next action requires a blocking product, security, privacy, legal, release, migration,
52
+ destructive, dependency, credential, deployment, or payment decision that has not been authorized.
53
+ Report the decision gate instead of offering it as a one-digit action.
54
+ - Another interface already owns selection state and has a stricter picker, ticket, or work-order
55
+ contract.
56
+
57
+ <!-- mustflow-section: required-inputs -->
58
+ ## Required Inputs
59
+
60
+ - The completed or paused task goal and the evidence gathered during the task.
61
+ - Current changed-file, verification, skipped-check, and remaining-risk evidence.
62
+ - The skills used and any next-step candidates produced by those skills.
63
+ - Command contract limits, approval requirements, and release or publish constraints that affect
64
+ follow-up actions.
65
+ - A freshness boundary for the menu: which final report or latest assistant answer the selection
66
+ belongs to.
67
+
68
+ <!-- mustflow-section: preconditions -->
69
+ ## Preconditions
70
+
71
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
72
+ - Completion evidence has been calibrated when the menu follows changed files or verification claims.
73
+ - Follow-up items are grounded in current repository evidence, user direction, or explicit skipped
74
+ checks.
75
+ - High-risk actions remain gated by the user's direct authorization and the repository command
76
+ contract.
77
+
78
+ <!-- mustflow-section: allowed-edits -->
79
+ ## Allowed Edits
80
+
81
+ - Prefer no edits. This skill normally shapes final reporting and next-turn interpretation.
82
+ - Update workflow docs, skill procedures, templates, or tests only when the menu behavior itself is
83
+ being added, changed, or synchronized.
84
+ - Do not add autonomous loops, background workers, hidden state files, transcript logs, or persistent
85
+ task queues solely to remember menu items.
86
+ - Do not convert a menu choice into a command permission, release approval, push approval, deploy
87
+ approval, destructive action, or dependency-install approval.
88
+
89
+ <!-- mustflow-section: procedure -->
90
+ ## Procedure
91
+
92
+ 1. Decide whether a menu is useful.
93
+ - Include a menu only when at least one concrete follow-up task is valuable.
94
+ - Do not fabricate filler items to reach a fixed row count.
95
+ 2. Build at most nine items.
96
+ - Use digits `1` through `9`.
97
+ - Use fewer than nine rows when fewer real next actions exist.
98
+ - Keep each item a bounded task instruction, not a vague theme such as "improve quality".
99
+ 3. Rank items by user value, risk reduction, unblock value, confidence, and effort.
100
+ 4. Assign a recommendation score:
101
+ - `A`: high-value, low-ambiguity, safe to start next under current scope.
102
+ - `B`: valuable and reasonably clear, with manageable verification.
103
+ - `C`: useful but less urgent, broader, or dependent on more evidence.
104
+ - `D`: defer unless the user specifically wants this branch.
105
+ - `E`: low value or blocked by notable uncertainty.
106
+ - `F`: not recommended now; include only when explicitly useful as a warning or rejected option.
107
+ 5. Render the menu as a Markdown table after the completion evidence and skill-selection note when
108
+ the host format allows it.
109
+ - Use four columns: number, next task title, description, and recommendation score.
110
+ - In Korean final reports, use `추천도` for the recommendation-score column label.
111
+ - Keep descriptions short enough to scan but specific enough to execute.
112
+ - Localize column labels to the report language when appropriate.
113
+ 6. Mark gated items plainly.
114
+ - Commit, push, publish, deploy, release, destructive cleanup, dependency upgrade, credential
115
+ work, migration, billing, auth, privacy, or cross-repository edits may appear only when they are
116
+ genuinely plausible follow-ups.
117
+ - The description must state the gate, such as explicit user approval, configured command intent,
118
+ owner decision, or manual verification.
119
+ 7. Interpret a single-digit next user message as a menu selection only when all conditions hold:
120
+ - the immediately relevant previous assistant final report contained a next-action menu;
121
+ - the digit maps to an item in that menu;
122
+ - the menu is still fresh for the current repository, branch, and task context;
123
+ - the selected item does not bypass approvals, command contracts, or safety rules.
124
+ 8. If a digit is stale, ambiguous, unmapped, or conflicts with newer user instructions, do not guess.
125
+ Ask for clarification or report that no active menu item can be selected.
126
+ 9. After a valid selection, treat the selected row as the new user task, then re-run normal
127
+ instruction refresh, skill selection, repository evidence gathering, and verification selection.
128
+ 10. If the selected row is high-risk or gated, stop at the gate and ask for the missing approval or
129
+ decision before performing that action.
130
+
131
+ <!-- mustflow-section: postconditions -->
132
+ ## Postconditions
133
+
134
+ - The menu offers only real, bounded next actions.
135
+ - Single-digit follow-up behavior is convenient but cannot override newer user instructions, safety
136
+ rules, or command contracts.
137
+ - High-risk actions are visibly gated instead of hidden behind a number.
138
+ - The next selected task can be executed as a normal mustflow task with fresh instruction and skill
139
+ selection.
140
+
141
+ <!-- mustflow-section: verification -->
142
+ ## Verification
143
+
144
+ Use configured oneshot command intents when available:
145
+
146
+ - `changes_status`
147
+ - `changes_diff_summary`
148
+ - `docs_validate_fast`
149
+ - `test_release`
150
+ - `mustflow_check`
151
+
152
+ Use narrower configured checks when the menu behavior changes code, tests, templates, or public docs.
153
+
154
+ <!-- mustflow-section: failure-handling -->
155
+ ## Failure Handling
156
+
157
+ - If there are no concrete next actions, omit the menu instead of padding it.
158
+ - If every valuable next action is gated, show the gate and do not present the digit as sufficient
159
+ approval.
160
+ - If a selected digit no longer matches current state, ask for confirmation before acting.
161
+ - If follow-up items become broad backlog planning, switch to `repo-improvement-loop` or
162
+ `idea-triage`.
163
+ - If a menu item would require task-instruction repair before execution, use
164
+ `clarifying-question-gate` or `task-instruction-authoring` before implementation.
165
+
166
+ <!-- mustflow-section: output-format -->
167
+ ## Output Format
168
+
169
+ - Menu included or omitted, with reason
170
+ - Numbered next-action rows, when included
171
+ - Recommendation scores and gate labels
172
+ - Active-menu freshness boundary
173
+ - Selected digit interpretation, when applicable
174
+ - Skills used for the selected follow-up task
175
+ - Command intents run
176
+ - Skipped checks and reasons
177
+ - Remaining selection, approval, or stale-context risk
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.observability-debuggability-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: observability-debuggability-review
9
- description: Apply this skill when code is created, changed, reviewed, or reported and logs, metrics, traces, spans, events, dashboards, alerts, runbooks, telemetry context, sampling, redaction, external dependency calls, queues, batch jobs, caches, pools, rate limits, feature flags, releases, or partial-success paths need review for whether an operator can narrow an incident quickly without high-cardinality metric explosions, missing denominators, lost trace context, or unsafe telemetry data.
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and logs, metrics, traces, spans, events, dashboards, alerts, runbooks, telemetry context, collectors, exporters, telemetry queues, canaries, sampling, redaction, external dependency calls, queues, batch jobs, caches, pools, rate limits, feature flags, releases, or partial-success paths need review for whether an operator can narrow an incident quickly without high-cardinality metric explosions, missing denominators, lost trace context, silent telemetry loss, or unsafe telemetry data.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -39,6 +39,7 @@ The review question is not "does the code emit telemetry?" It is "when this path
39
39
  - Code creates, changes, reviews, or reports logs, structured events, metrics, spans, traces, trace context, baggage, telemetry attributes, dashboards, alerts, runbooks, sampling, redaction, observability exporters, or custom collectors.
40
40
  - HTTP handlers, API clients, database calls, cache layers, queues, workers, cron jobs, batch jobs, pipelines, webhook handlers, payment or order flows, file processing, feature flags, experiments, rate limits, pools, or external dependencies need incident evidence.
41
41
  - Code claims a path is observable, debuggable, monitored, traced, metered, alerted, operationally safe, SLO-ready, dashboard-ready, or easy to troubleshoot.
42
+ - The telemetry pipeline itself can drop, delay, sample, parse-fail, mis-route, or hide logs, metrics, traces, events, or dashboards while product systems appear healthy.
42
43
  - A change adds retries, timeouts, cancellation, queue settlement, idempotency, external side effects, partial completion, fallback behavior, cache fallback, rate limiting, or release gating where telemetry can hide or reveal the real failure.
43
44
 
44
45
  <!-- mustflow-section: do-not-use-when -->
@@ -60,6 +61,7 @@ The review question is not "does the code emit telemetry?" It is "when this path
60
61
  - Trace and event model: span boundaries, parent-child relationships, async propagation, queue or worker propagation, external call spans, per-attempt spans, span events, feature flag attributes, release attributes, and sampling policy.
61
62
  - Log model: event names, stable error categories, reason codes, severity, structured fields, safe identifiers, redaction, public versus internal message split, and whether matching counters exist for repeated log events.
62
63
  - Operational domains: HTTP golden signals, dependency health, DB queries, transactions, queues, batch jobs, pipelines, caches, pools, rate limits, feature flags, releases, migrations, partial-success and compensation paths.
64
+ - Telemetry pipeline evidence: generated signals, accepted signals, dropped signals, export failures, queue utilization, queue oldest age, retry backlog, scrape failures, collector restarts, ingestion canary lag, parser or mapping failures, searchable count, DLQ oldest age, sampling keeps and drops, storage retention, and dashboard read-path status.
63
65
  - Privacy and retention constraints: secrets, tokens, cookies, authorization headers, raw request bodies, personal data, payment data, prompt or document text, baggage propagation, telemetry sink boundary, and retention policy.
64
66
  - Verification evidence: existing tests, schema checks, telemetry fixtures, instrumentation tests, runbook docs, dashboard definitions, alert rules, configured command intents, and any manual-only production evidence boundary.
65
67
 
@@ -150,15 +152,21 @@ The review question is not "does the code emit telemetry?" It is "when this path
150
152
  17. Check telemetry self-observability.
151
153
  - Exporters, collectors, custom metric collectors, log sinks, trace queues, and sampling pipelines need dropped, failed, queued, scrape error, and export latency evidence when they can blind operators.
152
154
  - If telemetry failure can hide product failure, treat missing self-metrics as an operational risk.
153
- 18. Check sampling policy.
155
+ 18. Check signal pipeline loss and read-path visibility.
156
+ - Compare produced, accepted, exported, stored, and query-visible signal counts when the path depends on logs, metrics, traces, or events for diagnosis.
157
+ - Use canary events or synthetic heartbeats when "no telemetry" could mean no traffic, collector failure, broken parser, dropped queue, retention gap, or dashboard read failure.
158
+ - Track event timestamp versus observed timestamp, queue oldest age, DLQ oldest age, parser or mapping failures by service and version, and duplicate or sequence-gap evidence.
159
+ - Separate telemetry write-path health from read-path health. A sink can store data that dashboards cannot query, and dashboards can be healthy while new signals are not arriving.
160
+ - If collector, sink, dashboard, or production telemetry checks are outside repository commands, report the manual-only boundary.
161
+ 19. Check sampling policy.
154
162
  - Head sampling can drop rare errors and slow traces.
155
163
  - Error, slow, retry-exhausted, high-latency, partial-success, DLQ, and compensation-failure traces often need keep rules, tail sampling, or explicit event evidence.
156
164
  - If sampling is outside the repository, report the manual-only evidence boundary instead of assuming critical traces are retained.
157
- 19. Check privacy before telemetry leaves the process.
165
+ 20. Check privacy before telemetry leaves the process.
158
166
  - Redact or classify tokens, passwords, authorization headers, cookies, raw bodies, emails, phone numbers, payment data, personal identifiers, prompt text, confidential document text, provider payloads, and full SQL before logger, metric, trace, baggage, or exporter entry.
159
167
  - Baggage should be small, safe, low-lifetime, and intentional. Do not use it as a general request metadata bag.
160
168
  - Report sink-side masking as insufficient when sensitive data can already leave the process unredacted.
161
- 20. Require telemetry tests or contract evidence where feasible.
169
+ 21. Require telemetry tests or contract evidence where feasible.
162
170
  - Good tests assert stable event names, bounded label values, denominator counters, trace-context propagation, redaction, sampling flags, feature flag attributes, release attributes, and failure-category mapping.
163
171
  - Source-level guards can prevent raw URL or user id metric labels when runtime telemetry tests are not available.
164
172
  - If dashboards, alerts, production traces, or load evidence are manual-only, complete available checks and report the evidence gap.
@@ -166,7 +174,7 @@ The review question is not "does the code emit telemetry?" It is "when this path
166
174
  <!-- mustflow-section: postconditions -->
167
175
  ## Postconditions
168
176
 
169
- - The changed path has an incident question, signal ledger, metric model, trace and log correlation model, cardinality boundary, privacy boundary, and evidence level.
177
+ - The changed path has an incident question, signal ledger, metric model, trace and log correlation model, telemetry pipeline survival boundary, cardinality boundary, privacy boundary, and evidence level.
170
178
  - Missing denominators, average-only latency, success-only logs, uncorrelated logs, raw URL labels, raw user labels, raw SQL telemetry, lost async trace context, attempt and operation collapse, generic timeout or cancellation buckets, missing dependency names, missing queue age, missing batch last-success timestamp, missing pool saturation, missing release attribution, decorative metrics, unsafe baggage, telemetry self-blindness, and sampling that drops critical failures are fixed or reported.
171
179
  - Observability claims are backed by configured tests, schema or fixture evidence, local telemetry conventions, dashboard or alert files, static review evidence, or labeled as manual-only or missing.
172
180
 
@@ -200,7 +208,7 @@ Prefer the narrowest configured test, build, docs, release, or mustflow intent t
200
208
  ## Output Format
201
209
 
202
210
  - Observability boundary reviewed
203
- - Incident question, signal ledger, metric model, trace and log correlation, cardinality, identity propagation, attempts versus operation, timeout or cancellation classification, external dependency, DB and transaction, idempotency and partial success, queue or batch, cache, pool saturation, rate limit, feature or release attribution, alert or runbook, telemetry self-observability, sampling, privacy, and test evidence findings
211
+ - Incident question, signal ledger, metric model, trace and log correlation, cardinality, identity propagation, attempts versus operation, timeout or cancellation classification, external dependency, DB and transaction, idempotency and partial success, queue or batch, cache, pool saturation, rate limit, feature or release attribution, alert or runbook, telemetry self-observability, signal pipeline survival, sampling, privacy, and test evidence findings
204
212
  - Observability fixes made or recommended
205
213
  - Evidence level: configured-test evidence, telemetry fixture evidence, dashboard or alert file evidence, static review risk, manual-only, missing, or not applicable
206
214
  - Command intents run