mustflow 2.99.1 → 2.103.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/skill.js +76 -2
- package/dist/cli/lib/external-skill-import.js +391 -0
- package/dist/cli/lib/local-index/index.js +5 -1
- package/dist/core/public-json-contracts.js +16 -0
- package/dist/core/skill-route-resolution.js +54 -6
- package/package.json +1 -1
- package/schemas/README.md +3 -0
- package/schemas/skill-import-report.schema.json +97 -0
- package/templates/default/i18n.toml +44 -8
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +11 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +27 -2
- package/templates/default/locales/en/.mustflow/skills/c-code-change/SKILL.md +371 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +53 -14
- package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +15 -3
- package/templates/default/locales/en/.mustflow/skills/complex-decision-analysis/SKILL.md +236 -0
- package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +74 -24
- package/templates/default/locales/en/.mustflow/skills/docs-prose-review/SKILL.md +36 -10
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +27 -3
- package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +37 -21
- package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +30 -0
- package/templates/default/locales/en/.mustflow/skills/shell-code-change/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/structured-config-change/SKILL.md +170 -0
- package/templates/default/manifest.toml +32 -1
|
@@ -7,6 +7,7 @@ const SKILL_INDEX_PATH = '.mustflow/skills/INDEX.md';
|
|
|
7
7
|
const SKILL_ROUTER_PATH = '.mustflow/skills/router.toml';
|
|
8
8
|
const SKILL_ROUTES_METADATA_PATH = '.mustflow/skills/routes.toml';
|
|
9
9
|
const SKILL_FRONTMATTER_SOURCE = '.mustflow/skills/*/SKILL.md';
|
|
10
|
+
const EXTERNAL_SKILL_FRONTMATTER_SOURCE = '.mustflow/external-skills/*/SKILL.md';
|
|
10
11
|
const DEFAULT_MAX_CANDIDATES = 5;
|
|
11
12
|
const DEFAULT_MAX_MAIN = 1;
|
|
12
13
|
const DEFAULT_MAX_ADJUNCTS = 2;
|
|
@@ -36,13 +37,15 @@ const ROUTE_TYPE_WEIGHTS = {
|
|
|
36
37
|
authoring: 16,
|
|
37
38
|
adjunct: 8,
|
|
38
39
|
event: 4,
|
|
40
|
+
external: 2,
|
|
39
41
|
};
|
|
40
42
|
function normalizeSkillPath(value) {
|
|
41
43
|
return value.replace(/\\/gu, '/');
|
|
42
44
|
}
|
|
43
45
|
function skillNameFromPath(skillPath) {
|
|
44
46
|
const match = /^\.mustflow\/skills\/([^/]+)\/SKILL\.md$/u.exec(skillPath);
|
|
45
|
-
|
|
47
|
+
const externalMatch = /^\.mustflow\/external-skills\/([^/]+)\/SKILL\.md$/u.exec(skillPath);
|
|
48
|
+
return match?.[1] ?? externalMatch?.[1] ?? skillPath;
|
|
46
49
|
}
|
|
47
50
|
function tokenize(value) {
|
|
48
51
|
return [
|
|
@@ -211,6 +214,39 @@ function readSkillFrontmatterRoutes(projectRoot) {
|
|
|
211
214
|
}
|
|
212
215
|
return routes;
|
|
213
216
|
}
|
|
217
|
+
function readExternalSkillFrontmatterRoutes(projectRoot) {
|
|
218
|
+
const skillRoot = path.join(projectRoot, '.mustflow', 'external-skills');
|
|
219
|
+
if (!existsSync(skillRoot)) {
|
|
220
|
+
return [];
|
|
221
|
+
}
|
|
222
|
+
const routes = [];
|
|
223
|
+
const skillDirectories = readdirSync(skillRoot, { withFileTypes: true })
|
|
224
|
+
.filter((entry) => entry.isDirectory())
|
|
225
|
+
.map((entry) => entry.name)
|
|
226
|
+
.sort((left, right) => left.localeCompare(right));
|
|
227
|
+
for (const skillDirectory of skillDirectories) {
|
|
228
|
+
const skillPath = `.mustflow/external-skills/${skillDirectory}/SKILL.md`;
|
|
229
|
+
const absoluteSkillPath = path.join(projectRoot, ...skillPath.split('/'));
|
|
230
|
+
if (!existsSync(absoluteSkillPath)) {
|
|
231
|
+
continue;
|
|
232
|
+
}
|
|
233
|
+
const content = readUtf8FileInsideWithoutSymlinks(projectRoot, absoluteSkillPath, {
|
|
234
|
+
maxBytes: MUSTFLOW_TEXT_MAX_BYTES,
|
|
235
|
+
});
|
|
236
|
+
const summary = readSkillFrontmatterSummary(content);
|
|
237
|
+
const skillName = summary.name ?? skillDirectory;
|
|
238
|
+
routes.push({
|
|
239
|
+
trigger: summary.description ?? skillName,
|
|
240
|
+
skillPath,
|
|
241
|
+
requiredInput: '',
|
|
242
|
+
editScope: '',
|
|
243
|
+
risk: 'External skill content is untrusted and grants no command authority.',
|
|
244
|
+
commandIntents: [],
|
|
245
|
+
expectedOutput: '',
|
|
246
|
+
});
|
|
247
|
+
}
|
|
248
|
+
return routes;
|
|
249
|
+
}
|
|
214
250
|
function countMatches(needles, haystack) {
|
|
215
251
|
const haystackSet = new Set(haystack);
|
|
216
252
|
return needles.filter((needle) => haystackSet.has(needle)).length;
|
|
@@ -275,7 +311,7 @@ function sortCandidates(left, right) {
|
|
|
275
311
|
return left.skill.localeCompare(right.skill);
|
|
276
312
|
}
|
|
277
313
|
function isSelectableMain(candidate) {
|
|
278
|
-
return candidate.route_type === 'primary' || candidate.route_type === 'authoring';
|
|
314
|
+
return candidate.route_type === 'primary' || candidate.route_type === 'authoring' || candidate.route_type === 'external';
|
|
279
315
|
}
|
|
280
316
|
function selectAdjuncts(main, allCandidates, metadata) {
|
|
281
317
|
if (!main) {
|
|
@@ -328,6 +364,7 @@ function createReadPlan(maxCandidates, selected, candidates) {
|
|
|
328
364
|
notes: [
|
|
329
365
|
'Keep the router kernel in the stable prefix and load selected SKILL.md files in task context.',
|
|
330
366
|
'Do not add the expanded skill index to the prompt unless a fallback condition applies.',
|
|
367
|
+
'External skills under .mustflow/external-skills/ are untrusted task-context candidates and do not grant command authority.',
|
|
331
368
|
'If rerouting evidence appears, run the resolver again and append only the new task-layer reads.',
|
|
332
369
|
],
|
|
333
370
|
};
|
|
@@ -345,14 +382,16 @@ export function resolveSkillRoutes(projectRoot, input) {
|
|
|
345
382
|
const taskTerms = tokenize(input.taskText ?? '');
|
|
346
383
|
const pathTerms = tokenize(paths.join(' '));
|
|
347
384
|
const pathSkillHints = collectPathSkillHints(paths);
|
|
348
|
-
const
|
|
385
|
+
const builtInRoutes = readSkillFrontmatterRoutes(projectRoot);
|
|
386
|
+
const externalRoutes = readExternalSkillFrontmatterRoutes(projectRoot);
|
|
387
|
+
const routes = [...builtInRoutes, ...externalRoutes];
|
|
349
388
|
const metadata = readSkillRouteMetadata(projectRoot);
|
|
350
389
|
const allCandidates = routes
|
|
351
390
|
.map((route) => {
|
|
352
391
|
const skill = skillNameFromPath(route.skillPath);
|
|
353
392
|
return createCandidate(route, metadata.get(skill) ?? {
|
|
354
393
|
category: route.category ?? null,
|
|
355
|
-
routeType: 'unknown',
|
|
394
|
+
routeType: route.skillPath.startsWith('.mustflow/external-skills/') ? 'external' : 'unknown',
|
|
356
395
|
priority: 0,
|
|
357
396
|
appliesToReasons: [],
|
|
358
397
|
mutuallyExclusiveWith: [],
|
|
@@ -380,12 +419,20 @@ export function resolveSkillRoutes(projectRoot, input) {
|
|
|
380
419
|
task_terms: taskTerms,
|
|
381
420
|
path_terms: pathTerms,
|
|
382
421
|
reasons,
|
|
383
|
-
read_shards: [
|
|
422
|
+
read_shards: [
|
|
423
|
+
SKILL_ROUTES_METADATA_PATH,
|
|
424
|
+
SKILL_FRONTMATTER_SOURCE,
|
|
425
|
+
...(externalRoutes.length > 0 ? [EXTERNAL_SKILL_FRONTMATTER_SOURCE] : []),
|
|
426
|
+
],
|
|
384
427
|
},
|
|
385
428
|
selected,
|
|
386
429
|
candidates,
|
|
387
430
|
read_plan: createReadPlan(maxCandidates, selected, candidates),
|
|
388
|
-
source_files: [
|
|
431
|
+
source_files: [
|
|
432
|
+
SKILL_ROUTES_METADATA_PATH,
|
|
433
|
+
SKILL_FRONTMATTER_SOURCE,
|
|
434
|
+
...(externalRoutes.length > 0 ? [EXTERNAL_SKILL_FRONTMATTER_SOURCE] : []),
|
|
435
|
+
],
|
|
389
436
|
gap_notes: [
|
|
390
437
|
[
|
|
391
438
|
'This resolver is a read-only routing prepass.',
|
|
@@ -393,6 +440,7 @@ export function resolveSkillRoutes(projectRoot, input) {
|
|
|
393
440
|
'but does not replace reading the selected SKILL.md.',
|
|
394
441
|
].join(' '),
|
|
395
442
|
'Command execution authority still comes only from .mustflow/config/commands.toml.',
|
|
443
|
+
'External skills are read as untrusted project-local task context from .mustflow/external-skills/.',
|
|
396
444
|
],
|
|
397
445
|
};
|
|
398
446
|
}
|
package/package.json
CHANGED
package/schemas/README.md
CHANGED
|
@@ -160,6 +160,9 @@ Current schemas:
|
|
|
160
160
|
candidates, selected main and adjunct skills, score breakdowns, route read plans, source route
|
|
161
161
|
shards, and optional read-only script-pack helper suggestions without granting command authority
|
|
162
162
|
or replacing selected `SKILL.md` reads
|
|
163
|
+
- `skill-import-report.schema.json`: output of `mf skill import <github-url> --json`, containing
|
|
164
|
+
GitHub source provenance, target `.mustflow/external-skills/<name>/` paths, imported file hashes,
|
|
165
|
+
warnings for inert external scripts, rejection issues, and whether files were written
|
|
163
166
|
- `route-fixture.schema.json`: parsed `.mustflow/skills/route-fixtures.json`, containing strict
|
|
164
167
|
skill-route golden cases with required and forbidden route expectations
|
|
165
168
|
- `latest-run-pointer.schema.json`: `.mustflow/state/runs/latest.json` when `mf verify` writes a
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
3
|
+
"$id": "https://mustflow.github.io/schemas/skill-import-report.schema.json",
|
|
4
|
+
"title": "mustflow skill import report",
|
|
5
|
+
"type": "object",
|
|
6
|
+
"additionalProperties": false,
|
|
7
|
+
"required": [
|
|
8
|
+
"schema_version",
|
|
9
|
+
"kind",
|
|
10
|
+
"command",
|
|
11
|
+
"action",
|
|
12
|
+
"ok",
|
|
13
|
+
"mode",
|
|
14
|
+
"status",
|
|
15
|
+
"source",
|
|
16
|
+
"target",
|
|
17
|
+
"files",
|
|
18
|
+
"warnings",
|
|
19
|
+
"issues",
|
|
20
|
+
"wrote_files"
|
|
21
|
+
],
|
|
22
|
+
"properties": {
|
|
23
|
+
"schema_version": { "const": "1" },
|
|
24
|
+
"kind": { "const": "skill_import_report" },
|
|
25
|
+
"command": { "const": "skill" },
|
|
26
|
+
"action": { "const": "import" },
|
|
27
|
+
"ok": { "type": "boolean" },
|
|
28
|
+
"mode": { "type": "string", "enum": ["dry_run", "install"] },
|
|
29
|
+
"status": { "type": "string", "enum": ["preview", "installed", "rejected"] },
|
|
30
|
+
"source": {
|
|
31
|
+
"oneOf": [
|
|
32
|
+
{ "$ref": "#/$defs/source" },
|
|
33
|
+
{ "type": "null" }
|
|
34
|
+
]
|
|
35
|
+
},
|
|
36
|
+
"target": {
|
|
37
|
+
"oneOf": [
|
|
38
|
+
{ "$ref": "#/$defs/target" },
|
|
39
|
+
{ "type": "null" }
|
|
40
|
+
]
|
|
41
|
+
},
|
|
42
|
+
"files": {
|
|
43
|
+
"type": "array",
|
|
44
|
+
"items": { "$ref": "#/$defs/file" }
|
|
45
|
+
},
|
|
46
|
+
"warnings": {
|
|
47
|
+
"type": "array",
|
|
48
|
+
"items": { "type": "string" }
|
|
49
|
+
},
|
|
50
|
+
"issues": {
|
|
51
|
+
"type": "array",
|
|
52
|
+
"items": { "type": "string" }
|
|
53
|
+
},
|
|
54
|
+
"wrote_files": { "type": "boolean" }
|
|
55
|
+
},
|
|
56
|
+
"$defs": {
|
|
57
|
+
"source": {
|
|
58
|
+
"type": "object",
|
|
59
|
+
"additionalProperties": false,
|
|
60
|
+
"required": ["input_url", "host", "owner", "repo", "ref", "skill_path", "source_url"],
|
|
61
|
+
"properties": {
|
|
62
|
+
"input_url": { "type": "string" },
|
|
63
|
+
"host": { "type": "string", "enum": ["github.com", "raw.githubusercontent.com"] },
|
|
64
|
+
"owner": { "type": "string" },
|
|
65
|
+
"repo": { "type": "string" },
|
|
66
|
+
"ref": { "type": "string" },
|
|
67
|
+
"skill_path": { "type": "string" },
|
|
68
|
+
"source_url": { "type": "string" }
|
|
69
|
+
}
|
|
70
|
+
},
|
|
71
|
+
"target": {
|
|
72
|
+
"type": "object",
|
|
73
|
+
"additionalProperties": false,
|
|
74
|
+
"required": ["root", "skill_name", "skill_dir", "provenance_path"],
|
|
75
|
+
"properties": {
|
|
76
|
+
"root": { "const": ".mustflow/external-skills" },
|
|
77
|
+
"skill_name": { "type": "string", "pattern": "^[a-z0-9]+(?:-[a-z0-9]+)*$" },
|
|
78
|
+
"skill_dir": { "type": "string", "pattern": "^\\.mustflow/external-skills/[a-z0-9]+(?:-[a-z0-9]+)*$" },
|
|
79
|
+
"provenance_path": {
|
|
80
|
+
"type": "string",
|
|
81
|
+
"pattern": "^\\.mustflow/external-skills/[a-z0-9]+(?:-[a-z0-9]+)*/mustflow-skill-source\\.json$"
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
},
|
|
85
|
+
"file": {
|
|
86
|
+
"type": "object",
|
|
87
|
+
"additionalProperties": false,
|
|
88
|
+
"required": ["relative_path", "kind", "bytes", "sha256"],
|
|
89
|
+
"properties": {
|
|
90
|
+
"relative_path": { "type": "string" },
|
|
91
|
+
"kind": { "type": "string", "enum": ["skill", "asset", "reference", "script"] },
|
|
92
|
+
"bytes": { "type": "integer", "minimum": 0 },
|
|
93
|
+
"sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
}
|
|
@@ -40,8 +40,8 @@ translations.hi = { path = "locales/hi/.mustflow/context/PROJECT.md", source_rev
|
|
|
40
40
|
[documents."docs.agent-workflow"]
|
|
41
41
|
source = "locales/en/.mustflow/docs/agent-workflow.md"
|
|
42
42
|
source_locale = "en"
|
|
43
|
-
revision =
|
|
44
|
-
translations.ko = { path = "locales/ko/.mustflow/docs/agent-workflow.md", source_revision = 23, status = "
|
|
43
|
+
revision = 24
|
|
44
|
+
translations.ko = { path = "locales/ko/.mustflow/docs/agent-workflow.md", source_revision = 23, status = "needs_review" }
|
|
45
45
|
translations.zh = { path = "locales/zh/.mustflow/docs/agent-workflow.md", source_revision = 18, status = "needs_review" }
|
|
46
46
|
translations.es = { path = "locales/es/.mustflow/docs/agent-workflow.md", source_revision = 18, status = "needs_review" }
|
|
47
47
|
translations.fr = { path = "locales/fr/.mustflow/docs/agent-workflow.md", source_revision = 18, status = "needs_review" }
|
|
@@ -62,7 +62,7 @@ translations = {}
|
|
|
62
62
|
[documents."skills.index"]
|
|
63
63
|
source = "locales/en/.mustflow/skills/INDEX.md"
|
|
64
64
|
source_locale = "en"
|
|
65
|
-
revision =
|
|
65
|
+
revision = 188
|
|
66
66
|
translations = {}
|
|
67
67
|
|
|
68
68
|
[documents."skill.adapter-boundary"]
|
|
@@ -556,6 +556,12 @@ source_locale = "en"
|
|
|
556
556
|
revision = 4
|
|
557
557
|
translations = {}
|
|
558
558
|
|
|
559
|
+
[documents."skill.clarifying-question-gate"]
|
|
560
|
+
source = "locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md"
|
|
561
|
+
source_locale = "en"
|
|
562
|
+
revision = 3
|
|
563
|
+
translations = {}
|
|
564
|
+
|
|
559
565
|
[documents."skill.heuristic-candidate-selection"]
|
|
560
566
|
source = "locales/en/.mustflow/skills/heuristic-candidate-selection/SKILL.md"
|
|
561
567
|
source_locale = "en"
|
|
@@ -589,7 +595,7 @@ translations = {}
|
|
|
589
595
|
[documents."skill.css-code-change"]
|
|
590
596
|
source = "locales/en/.mustflow/skills/css-code-change/SKILL.md"
|
|
591
597
|
source_locale = "en"
|
|
592
|
-
revision =
|
|
598
|
+
revision = 4
|
|
593
599
|
translations = {}
|
|
594
600
|
|
|
595
601
|
[documents."skill.bun-code-change"]
|
|
@@ -604,6 +610,12 @@ source_locale = "en"
|
|
|
604
610
|
revision = 1
|
|
605
611
|
translations = {}
|
|
606
612
|
|
|
613
|
+
[documents."skill.c-code-change"]
|
|
614
|
+
source = "locales/en/.mustflow/skills/c-code-change/SKILL.md"
|
|
615
|
+
source_locale = "en"
|
|
616
|
+
revision = 1
|
|
617
|
+
translations = {}
|
|
618
|
+
|
|
607
619
|
[documents."skill.dart-code-change"]
|
|
608
620
|
source = "locales/en/.mustflow/skills/dart-code-change/SKILL.md"
|
|
609
621
|
source_locale = "en"
|
|
@@ -643,7 +655,7 @@ translations = {}
|
|
|
643
655
|
[documents."skill.html-code-change"]
|
|
644
656
|
source = "locales/en/.mustflow/skills/html-code-change/SKILL.md"
|
|
645
657
|
source_locale = "en"
|
|
646
|
-
revision =
|
|
658
|
+
revision = 4
|
|
647
659
|
translations = {}
|
|
648
660
|
|
|
649
661
|
[documents."skill.javascript-code-change"]
|
|
@@ -658,6 +670,12 @@ source_locale = "en"
|
|
|
658
670
|
revision = 2
|
|
659
671
|
translations = {}
|
|
660
672
|
|
|
673
|
+
[documents."skill.react-code-change"]
|
|
674
|
+
source = "locales/en/.mustflow/skills/react-code-change/SKILL.md"
|
|
675
|
+
source_locale = "en"
|
|
676
|
+
revision = 1
|
|
677
|
+
translations = {}
|
|
678
|
+
|
|
661
679
|
[documents."skill.python-code-change"]
|
|
662
680
|
source = "locales/en/.mustflow/skills/python-code-change/SKILL.md"
|
|
663
681
|
source_locale = "en"
|
|
@@ -670,6 +688,18 @@ source_locale = "en"
|
|
|
670
688
|
revision = 2
|
|
671
689
|
translations = {}
|
|
672
690
|
|
|
691
|
+
[documents."skill.shell-code-change"]
|
|
692
|
+
source = "locales/en/.mustflow/skills/shell-code-change/SKILL.md"
|
|
693
|
+
source_locale = "en"
|
|
694
|
+
revision = 1
|
|
695
|
+
translations = {}
|
|
696
|
+
|
|
697
|
+
[documents."skill.structured-config-change"]
|
|
698
|
+
source = "locales/en/.mustflow/skills/structured-config-change/SKILL.md"
|
|
699
|
+
source_locale = "en"
|
|
700
|
+
revision = 1
|
|
701
|
+
translations = {}
|
|
702
|
+
|
|
673
703
|
[documents."skill.rust-code-change"]
|
|
674
704
|
source = "locales/en/.mustflow/skills/rust-code-change/SKILL.md"
|
|
675
705
|
source_locale = "en"
|
|
@@ -739,7 +769,7 @@ translations = {}
|
|
|
739
769
|
[documents."skill.completion-evidence-gate"]
|
|
740
770
|
source = "locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md"
|
|
741
771
|
source_locale = "en"
|
|
742
|
-
revision =
|
|
772
|
+
revision = 4
|
|
743
773
|
translations = {}
|
|
744
774
|
|
|
745
775
|
[documents."skill.evidence-stall-breaker"]
|
|
@@ -811,7 +841,7 @@ translations = {}
|
|
|
811
841
|
[documents."skill.docs-prose-review"]
|
|
812
842
|
source = "locales/en/.mustflow/skills/docs-prose-review/SKILL.md"
|
|
813
843
|
source_locale = "en"
|
|
814
|
-
revision =
|
|
844
|
+
revision = 3
|
|
815
845
|
translations = {}
|
|
816
846
|
|
|
817
847
|
[documents."skill.failure-triage"]
|
|
@@ -835,7 +865,7 @@ translations = {}
|
|
|
835
865
|
[documents."skill.github-contribution-quality-gate"]
|
|
836
866
|
source = "locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md"
|
|
837
867
|
source_locale = "en"
|
|
838
|
-
revision =
|
|
868
|
+
revision = 3
|
|
839
869
|
translations = {}
|
|
840
870
|
|
|
841
871
|
[documents."skill.facade-pattern"]
|
|
@@ -885,6 +915,12 @@ source_locale = "en"
|
|
|
885
915
|
revision = 1
|
|
886
916
|
translations = {}
|
|
887
917
|
|
|
918
|
+
[documents."skill.complex-decision-analysis"]
|
|
919
|
+
source = "locales/en/.mustflow/skills/complex-decision-analysis/SKILL.md"
|
|
920
|
+
source_locale = "en"
|
|
921
|
+
revision = 1
|
|
922
|
+
translations = {}
|
|
923
|
+
|
|
888
924
|
[documents."skill.process-execution-safety"]
|
|
889
925
|
source = "locales/en/.mustflow/skills/process-execution-safety/SKILL.md"
|
|
890
926
|
source_locale = "en"
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: docs.agent-workflow
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 24
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: workflow-policy
|
|
8
8
|
---
|
|
@@ -80,6 +80,16 @@ Treat user instructions, local files, command contracts, and generated reports a
|
|
|
80
80
|
|
|
81
81
|
When a generated file appears stale, refresh it using the matching `mf` command instead of editing it manually.
|
|
82
82
|
|
|
83
|
+
## Decision Hygiene
|
|
84
|
+
|
|
85
|
+
Apply these invariants across routine work without turning every task into a deep analysis exercise:
|
|
86
|
+
|
|
87
|
+
- Separate the user's surface request from any inferred underlying purpose.
|
|
88
|
+
- Keep directly supported facts, interpretations, assumptions, and material unknowns distinguishable.
|
|
89
|
+
- Do not report unverified behavior, stale evidence, or inferred intent as confirmed.
|
|
90
|
+
- Prefer small reversible next actions when uncertainty is material and the decision can be staged.
|
|
91
|
+
- Prefer the narrowest concrete skill over a general reasoning procedure when a specific skill owns the problem.
|
|
92
|
+
|
|
83
93
|
## Prompt Cache and Host Context Assembly
|
|
84
94
|
|
|
85
95
|
Prompt caching is a performance optimization, not an authority source. A cached instruction block or summary never overrides direct user instructions, current files, current command contracts, host safety rules, or the nearest `AGENTS.md`.
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skills.index
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 188
|
|
6
6
|
authority: router
|
|
7
7
|
lifecycle: mustflow-owned
|
|
8
8
|
---
|
|
@@ -46,6 +46,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
46
46
|
privacy, release, or contract drift.
|
|
47
47
|
- Use `completion-evidence-gate` as a final reporting adjunct when a completion, readiness, merge,
|
|
48
48
|
release, install, or verification claim needs current repository evidence.
|
|
49
|
+
- Use `complex-decision-analysis` as a primary route only when analysis or a decision record is the
|
|
50
|
+
current deliverable, the task has both a material uncertainty signal and a material consequence
|
|
51
|
+
signal, and no narrower primary route owns the complete problem. Before implementation, switch to
|
|
52
|
+
the narrowest matching implementation skill.
|
|
49
53
|
- Use `proactive-risk-surfacing` as an event route when current evidence reveals a scope-adjacent
|
|
50
54
|
risk outside the literal request and the agent must decide whether to fix now, report only, ask
|
|
51
55
|
first, or ignore it without broadening into unrelated work.
|
|
@@ -218,6 +222,22 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
218
222
|
sort, Unicode normalization, grapheme-safe truncation, RTL or bidi text, font fallback, pseudo
|
|
219
223
|
localization, SSR locale, fallback, backend error-code mapping, rich text, export, share, or
|
|
220
224
|
notification surface review instead of a visible JSX text scan.
|
|
225
|
+
- Use `react-code-change` as a primary route when React, React DOM, React Server Components,
|
|
226
|
+
Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent
|
|
227
|
+
rendering, SSR streaming, resource hints, package metadata, or React-related tests are created,
|
|
228
|
+
changed, reviewed, or upgraded.
|
|
229
|
+
- Use `c-code-change` as a primary route when C source, C-owned headers, native C build metadata,
|
|
230
|
+
compiler dialects, C standard-version support, C ABI surfaces, generated C bindings, FFI,
|
|
231
|
+
memory ownership, pointer lifetime, undefined behavior, sanitizer setup, performance-sensitive
|
|
232
|
+
C paths, tests, or benchmarks are created, changed, reviewed, or upgraded.
|
|
233
|
+
- Use `shell-code-change` as a primary route when POSIX sh, Bash, shell scripts, shebangs,
|
|
234
|
+
GitHub Actions `run` blocks, package script shell snippets, grep/sed/awk/find/xargs pipelines,
|
|
235
|
+
shell quoting, word splitting, globbing, traps, exit-status handling, or shell
|
|
236
|
+
portability/security behavior are created, changed, reviewed, or upgraded.
|
|
237
|
+
- Use `structured-config-change` as a primary route when YAML, TOML, JSON-adjacent config,
|
|
238
|
+
Markdown frontmatter, schema-backed config, or GitHub Actions workflow structure outside shell
|
|
239
|
+
`run` blocks needs parser-dialect, schema, defaulting, normalization, or provider-semantics
|
|
240
|
+
review.
|
|
221
241
|
- Use `cache-integrity-review` as an adjunct when cache correctness, key truth, stale data spread,
|
|
222
242
|
invalidation, negative caching, Redis and HTTP cache semantics, permission-cache revocation, or
|
|
223
243
|
cache-outage fallback can mislead users, leak data, or overload source systems.
|
|
@@ -455,6 +475,8 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
455
475
|
| Backend APIs, workers, jobs, queues, caches, database write paths, external service calls, health checks, observability, feature flags, idempotency, retries, outbox/inbox processing, or operational failure handling are created, changed, reviewed, or reported | `.mustflow/skills/backend-reliability-change/SKILL.md` | Backend surface, trigger shape, idempotency boundary, external-call deadline and retry policy, persistence and transaction boundary, queue/cache behavior, observability fields, rollout gate, and command contract entries | Handlers, services, workers, retry policy, timeout policy, idempotency storage, outbox/inbox code, cache boundaries, health endpoints, observability fields, flags, tests, docs, and directly synchronized templates | duplicate side effects, retry storm, unbounded wait, DB uniqueness race, cache stampede, stale cache authority, poison message loop, missing outbox/inbox, raw ORM response, object-level authorization bypass, high-cardinality telemetry, secret or personal-data log leak, broken liveness/readiness, or missing kill switch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Backend surface, idempotency and retry/timeout decisions, queue/cache/database notes, health-probe split, observability and auth/DTO notes, rollout gate, verification, and remaining backend reliability risk |
|
|
456
476
|
| HTTP delivery, content coding, compression negotiation, CDN or proxy cache behavior, streaming responses, SSE, EventSource, WebTransport, WebSocket fallback, HTTP/2 or HTTP/3 transport behavior, browser transport clients, reverse-proxy buffering, reconnect behavior, or delivery observability is created, changed, reviewed, or reported | `.mustflow/skills/http-delivery-streaming/SKILL.md` | Delivery surface, routes or assets, headers, cache and proxy/CDN path, browser/API clients, fallback behavior, streaming lifecycle, compression or dictionary choice, and observability fields | Route handlers, response headers, CDN/proxy config, browser transport code, streaming adapters, fallback clients, docs, tests, and directly synchronized templates | wrong content decoding, cache poisoning, private data cached publicly, proxy buffering, lost events, reconnect gaps, unsupported transport, unreliable datagram misuse, false compression win, or fallback failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Delivery ledger, negotiated encodings, cache/proxy behavior, stream/reconnect/fallback behavior, verification, and remaining delivery risk |
|
|
457
477
|
| C++ source, headers, modules, native build metadata, toolchains, package managers, public headers, shared or static libraries, ABI surfaces, generated bindings, FFI, tests, or benchmarks are created or changed | `.mustflow/skills/cpp-code-change/SKILL.md` | Owning target, compilation identity, build front door, changed consumed surface, public API/ABI/FFI/binding surfaces, ownership and lifetime contracts, and command contract entries | C++ source, headers, modules, build metadata, package metadata, generated bindings, FFI code, tests, benchmarks, and directly synchronized docs | target drift, source API break, binary ABI break, undefined behavior, lifetime bug, build-graph drift, generated-binding drift, FFI memory bug, unverified modern C++ feature, or false performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Owning target, compilation identity, highest compatibility risk, ownership/lifetime/UB/concurrency notes, public API/ABI/FFI/binding impact, verification, and remaining C++ risk |
|
|
478
|
+
| C source, C-owned headers, native C build metadata, compiler dialect, C standard version, public C headers, shared or static libraries, ABI surfaces, generated C bindings, FFI, memory ownership, pointer lifetime, undefined behavior, sanitizer configuration, performance-sensitive C paths, tests, or benchmarks are created or changed | `.mustflow/skills/c-code-change/SKILL.md` | Owning target, C standard or dialect, compiler, libc, build front door, changed consumed surface, public API/ABI/FFI/binding surfaces, ownership, pointer provenance, sanitizer, and command contract entries | C source, C headers, build metadata, package metadata, generated bindings, FFI code, tests, benchmarks, warning and sanitizer policy, and directly synchronized docs | target drift, C23 support overclaim, source API break, binary ABI break, pointer provenance bug, lifetime bug, allocation overflow, strict-aliasing violation, sanitizer gap, generated-binding drift, FFI memory bug, unverified performance claim, or portable-release flag break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Owning target, C standard/dialect/compiler/libc identity, highest compatibility risk, ownership/lifetime/provenance/UB/concurrency/performance notes, public API/ABI/FFI/binding impact, verification, and remaining C risk |
|
|
479
|
+
| POSIX sh, Bash, shell scripts, shebangs, GitHub Actions `run` blocks, package script shell snippets, grep/sed/awk/find/xargs pipelines, shell quoting, word splitting, globbing, traps, exit-status handling, portability, or shell security behavior are created or changed | `.mustflow/skills/shell-code-change/SKILL.md` | Effective shell, dialect target, invocation path, parser and expansion ledger, dynamic input boundaries, file and stream boundary, cleanup and failure expectations, changed files, and command contract entries | Shell scripts, CI run blocks, package or Make shell snippets, docs examples, shell tests, path-processing pipelines, and directly synchronized docs | sh/Bash dialect drift, hidden CI shell default, word-splitting or globbing bug, newline-unsafe filename flow, `set -e` or pipeline false green, GNU/BSD/BusyBox portability break, GitHub Actions expression injection, secret leak, destructive glob, temp-file race, or CRLF shebang failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check`, `line_endings_check` | Shell execution and dialect boundary, parser/expansion utility ledger, POSIX/Bash/GNU/BSD/BusyBox/GitHub Actions decisions, quoting/status/file/temp/security verification, and remaining shell risk |
|
|
458
480
|
| Node.js runtime code, package manager ownership, module format, package entry metadata, native dependencies, Node test runner behavior, TypeScript execution mode, or deployment runtime support is created or changed | `.mustflow/skills/node-code-change/SKILL.md` | Node version signals, package manager and lockfile owner, module/package metadata, TypeScript loader, test runner, native dependency, deployment target, and command contract entries | Node runtime code, package metadata, lockfiles, scripts, CI or Docker runtime declarations, test runner config, native dependency handling, docs examples, and directly synchronized package surfaces | newest-Node assumption, package manager drift, ESM/CJS break, blocked deep import, native dependency break, Node native TypeScript overclaim, test runner migration risk, deployment mismatch, or permission-model overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Runtime and package manager decision, module/package entry notes, TypeScript/test runner notes, native/deployment risks, verification, and remaining Node.js risk |
|
|
459
481
|
| Bun runtime code, Bun package manager behavior, `bun.lock`, `bunfig.toml`, Bun test runner behavior, Bun bundling, Bun TypeScript execution, or Bun-specific APIs are created or changed | `.mustflow/skills/bun-code-change/SKILL.md` | Bun role signals, `package.json`, Bun and non-Bun lockfiles, `bunfig.toml`, CI/Docker Bun setup, TypeScript config, Bun APIs, native dependency signals, and command contract entries | Bun runtime code, Bun package manager metadata, lockfiles, `bunfig.toml`, scripts, tests, bundler config, TypeScript/declaration pipeline, package metadata, and directly synchronized docs | Bun role confusion, lockfile drift, trusted dependency overgrant, runtime/package-manager conflation, Bun TypeScript typecheck overclaim, Bun build declaration gap, Node compatibility break, shebang mismatch, or native binary break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Bun role classification, lockfile/trust notes, runtime/type/build/test notes, Node compatibility risks, verification, and remaining Bun risk |
|
|
460
482
|
| Dockerfiles, `.dockerignore`, Docker Compose files, BuildKit or buildx behavior, container image metadata, tags, entrypoints, health checks, Docker CI workflows, image security scanning, SBOM or provenance settings, registry publishing, or container runtime validation are created or changed | `.mustflow/skills/docker-code-change/SKILL.md` | Docker surfaces, project image shape, base image and platform signals, build context and cache signals, runtime contract, security and supply-chain contract, and command contract entries | Dockerfiles, `.dockerignore`, Compose files, container CI workflow snippets, image metadata, package tests, docs examples, template metadata, and directly synchronized skill routes | cache breakage, secret leak, root runtime, host access escape, dev dependency in final image, mutable tag drift, untrusted CI publish, missing SBOM/provenance, unverified runtime, or false production-readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker surface classification, image/base/cache/stage decisions, secret/user/runtime/Compose/CI supply-chain notes, verification, and remaining Docker risk |
|
|
@@ -496,7 +518,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
496
518
|
| Release notes, changelog entries, public change summaries, release preparation copy, or package release wording are drafted or revised | `.mustflow/skills/release-notes-authoring/SKILL.md` | User-provided change summary, current diff summary, release audience, public surfaces, version source, and command contract entries | Release notes, changelog entries, release preparation notes, and directly synchronized docs or package metadata | invented release history, inflated public claims, internal noise, stale version or migration notes, or unverified release evidence | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release audience, categorized notes, excluded internal changes, version or migration checks, verification, skipped release-history checks, and remaining release-note risk |
|
|
497
519
|
| Release publishing, package registry publication, remote release channels, Git tags, GitHub Releases, release assets, npm, PyPI, crates.io, Go modules, Docker images, Homebrew formulae or casks, app updater metadata, version bump decisions, artifact inspection, post-publish smoke tests, rollback or yanking plans, or user installation paths are created, changed, reviewed, or reported | `.mustflow/skills/release-publish-change/SKILL.md` | Release target, version, channel, package name, module path, image name, tag, artifact names, expected assets, public contract source, artifact inspection method, remote publication surface, recovery model, and command contract entries | Version metadata, release workflows, package manifests, artifact manifests, changelog or release-preparation docs, package tests, install-smoke expectations, release validation tests, and installed-template metadata | local-only release claim, wrong version bump, stale artifact, registry overwrite assumption, missing asset, bad checksum or signature, moved Go tag, unverified Docker digest, updater metadata breakage, missing user-path smoke test, or false rollback claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release target, version and channel, public API classification, artifact inspection evidence, remote publication state, user-path smoke result, synchronized surfaces, recovery classification, verification, and remaining release-publish risk |
|
|
498
520
|
| Search-friendly ad-supported articles, blog posts, guides, reviews, comparisons, FAQs, or evergreen content are planned, written, edited, reviewed, or reported | `.mustflow/skills/search-ad-content-authoring/SKILL.md` | Search intent, reader task, content type, source freshness needs, monetization constraints, article draft or outline, and command contract entries | Article outlines, headings, paragraphs, tables, lists, FAQs, images, links, disclosures, content docs, templates, tests, and reports | keyword stuffing, thin filler, misleading ad adjacency, stale policy or ranking claims, unsupported revenue claims, accessibility or layout instability, or copied competitor content | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Search intent, outline shape, content structure checks, source freshness, ad layout and trust checks, omitted or verified claims, verification, and remaining content risk |
|
|
499
|
-
| Documentation review queue entries need prose cleanup | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, reviewer metadata | Selected documentation file and review ledger entry | meaning drift or stale queue state | `docs_validate`, `mustflow_check` | Prose
|
|
521
|
+
| Documentation review queue entries or selected docs need prose cleanup for LLM-like wording, AI-slop signals, low-specificity boilerplate, literal translation, unnatural tone, Korean technical translationese, or domain-term drift | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, audience or genre, domain terminology, reviewer metadata | Selected documentation file and review ledger entry | meaning drift, fake authorship attribution, invented evidence, over-editing, or stale queue state | `docs_validate`, `mustflow_check` | Prose issues fixed, preserved technical meaning, recorded review status, verification notes |
|
|
500
522
|
| Documentation changes affect public or workflow docs | `.mustflow/skills/docs-update/SKILL.md` | Changed behavior or field | Relevant docs only | stale public docs | `docs_validate_fast`, `docs_validate`, `mustflow_check` | Doc changes and skipped checks |
|
|
501
523
|
|
|
502
524
|
### Security and Privacy
|
|
@@ -564,6 +586,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
564
586
|
| UnoCSS config, presets, extraction, shortcuts, rules, variants, safelist, blocklist, attributify, transformers, or utility usage are created or changed | `.mustflow/skills/unocss-code-change/SKILL.md` | UnoCSS config, presets, extraction rules, shortcuts, safelist, blocklist, changed files, and command contract entries | UnoCSS config, utility usage, rules, shortcuts, safelist, blocklist, tests, and docs examples | extractor miss, runtime-only utility, safelist explosion, unbounded shortcut, or production CSS loss | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Extraction, safelist, shortcut, variant, and production CSS boundary checked, verification, and remaining UnoCSS risk |
|
|
565
587
|
| Flutter widgets, screens, routing, state management, async UI, platform channels, assets, responsive layout, accessibility, or Flutter tests are created or changed | `.mustflow/skills/flutter-code-change/SKILL.md` | App root, route config, widget tree, state owner, platform files, assets, changed files, and command contract entries | Flutter widgets, routes, state, platform channels, assets, tests, and docs examples | impure build, lifecycle leak, navigation drift, layout breakage, inaccessible UI, or platform boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | State, lifecycle, layout, accessibility, platform, and asset boundary checked, verification, and remaining Flutter risk |
|
|
566
588
|
| Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdown processing, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown processor, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, request pipeline, route cache, Markdown, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, request pipeline omission, cache data exposure, Markdown drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, request pipeline, cache, Markdown, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
|
|
589
|
+
| React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/react-code-change/SKILL.md` | React package evidence, effective React support range, compiler and lint evidence, rendering boundary, state and mutation evidence, changed files, and command contract entries | React source, tests, package metadata, framework config, SSR or RSC boundaries, docs examples, and directly synchronized compatibility surfaces | stale React version claim, CRA reintroduction, React 19 API in React 18-compatible package, effect dependency suppression, memoization folklore, compiler mismatch, context rerender drift, ref compatibility break, Suspense misuse, Action rollback gap, RSC or Server Action boundary confusion, unsafe resource hints, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | React version, compiler, lint, effect, state, memoization, context, ref, form, Suspense, SSR/RSC, resource, verification, and compatibility risks checked |
|
|
567
590
|
| Svelte or SvelteKit components, routes, load functions, server actions, stores, runes, SSR boundaries, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, stores/runes, hooks, app types, changed files, and command contract entries | Svelte components, routes, load/actions, stores, SSR/client boundaries, tests, and docs examples | SSR/client leakage, browser global crash, state owner drift, form degradation, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, state, form, and accessibility boundary checked, verification, and remaining Svelte risk |
|
|
568
591
|
| Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
|
|
569
592
|
|
|
@@ -590,6 +613,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
590
613
|
| --- | --- | --- | --- | --- | --- | --- |
|
|
591
614
|
| Multiple AI workers, subagents, external agents, parallel task runners, or worktree-based worker roles are planned or used for one repository task | `.mustflow/skills/multi-agent-work-coordination/SKILL.md` | Task goal, worker roles, write permissions, file ownership, workspace isolation, credential boundary, merge owner, and command contract entries | Coordination plan, worker instructions, ownership boundaries, merge notes, and directly synchronized tests or docs | same-file races, conflicting instructions, leaked credentials, shared auth cache, untrusted worker output, merge drift, or unverified parallel result | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Worker limit, role map, write ownership, isolation and credential boundaries, merge owner, verification, skipped checks, and remaining coordination risk |
|
|
592
615
|
| Brainstorming, option comparison, outside AI advice, planning notes, or loose proposals need evidence-based apply, defer, reject, or research decisions before implementation | `.mustflow/skills/idea-triage/SKILL.md` | User goal, idea list or recommendation, current repository evidence, constraints, and decision mode | Analysis, roadmap entries, and at most one selected follow-up when requested | idea spam, speculative roadmap, current-behavior claims for deferred work, or ungrounded prioritization | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `mustflow_check` | Decision mode, evidence, constraints, option decisions, selected next action, verification needs, and remaining uncertainty |
|
|
616
|
+
| Analysis or a decision record is the current deliverable, the problem has both material uncertainty and material consequences, and no narrower primary skill owns the complete problem | `.mustflow/skills/complex-decision-analysis/SKILL.md` | User request, decision horizon, decision owner, repository evidence, existing skill routes, available evidence sources, and limits on freshness, access, authority, verification, or command execution | Evidence-backed decision records, planning artifacts when requested, and exactly one smallest reversible next action before handoff | universal reasoning skill bloat, analysis paralysis, private scratch reasoning, stale evidence, overconfident causal story, hidden high-sensitivity unknown, or implementation without a narrower handoff skill | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `mustflow_check` | Decision state, problem contract, evidence ledger, baseline, causal model, option comparison, counterargument, decision-reversing evidence, recommendation, smallest reversible next action, handoff skill, verification, and residual risk |
|
|
593
617
|
| Repository improvement, audit, prioritization, stabilization, polish, onboarding, contributor-readiness, production-readiness, or iterative improvement is requested without a single predetermined edit | `.mustflow/skills/repo-improvement-loop/SKILL.md` | User goal, improvement mode, repository evidence, candidate risks, current changed files, and command contract entries | Repository diagnosis, ranked candidates, and at most one scoped improvement cycle unless the user explicitly requests analysis-only | idea spam, ungrounded prioritization, autonomous loop drift, broad rewrite, or unverified improvement claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Mode, evidence inspected, scored candidates, selected improvement, files changed or analysis-only note, verification, next improvement question, and stop reason |
|
|
594
618
|
| Current repository evidence reveals a scope-adjacent bug, missing test, stale synchronized surface, public-contract drift, security or privacy exposure, data-loss risk, brittle error handling, concurrency risk, operational risk, or UX inconsistency outside the literal request | `.mustflow/skills/proactive-risk-surfacing/SKILL.md` | Literal user request, current evidence, risk relationship, severity, expected edit size, authority boundary, and verification options | Fix-or-report decision, small related fixes, focused tests or synchronized surfaces, and final proactive risk notes | scope creep, speculative cleanup, hidden broad refactor, ignored high-severity risk, or false completion claim | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Candidate decisions: fix now, report only, ask first, or ignore; files changed, verification, and remaining proactive risks |
|
|
595
619
|
| A final report or completion claim needs current evidence for changed files, requirements, command receipts, skipped checks, synchronized surfaces, or remaining risks | `.mustflow/skills/completion-evidence-gate/SKILL.md` | User goal, changed-file evidence, skills used, verification results, skipped checks, synchronized surfaces, and remaining risks | Final report evidence and the smallest missing in-scope evidence surface only | false completion, stale receipts, hidden skipped checks, unsupported readiness claim, or contract drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `test_audit`, `lint`, `build`, `docs_validate_fast`, `docs_validate`, `test_release`, `mustflow_check` | Completion status, requirement evidence map, changed and synchronized surfaces, commands run, skipped checks, and final wording boundary |
|
|
@@ -598,6 +622,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
598
622
|
| A Codex or Hermes local session ID needs read-only reference for task evidence, restart context, failure diagnosis, or continuation planning across agent applications | `.mustflow/skills/cross-agent-session-reference/SKILL.md` | Session ID, source app evidence, current repository root, user goal, redaction requirements, available official session tools or read-only local storage evidence | Bounded session evidence summaries, continuation prompts, current-repository follow-up work, and directly synchronized reports only | foreign session mutation, transcript-as-authority drift, secret exposure, unrelated history dump, stale storage schema, or dispatching work into another app | `changes_status`, `changes_diff_summary`, `mustflow_check` | Source application confidence, read-only access method, extracted evidence, redactions, current verification, next safe action or ambiguity, and remaining stale-session or privacy risk |
|
|
599
623
|
| Declared behavior must stay aligned across code, schemas, templates, tests, and docs | `.mustflow/skills/contract-sync-check/SKILL.md` | Changed files, intended behavior, source of truth, derived surfaces, and command contract entries | Contract source and required synchronized surfaces | contract drift | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Contract source, synchronized surfaces, deferred surfaces, verification, and drift risk |
|
|
600
624
|
| `.mustflow/config/commands.toml` command intents, resources, effects, timeouts, output limits, environment policies, lifecycle values, run policies, command-selection metadata, CI/CD reproducibility rules, build/test/migration/deploy verification handoffs, or health-check command surfaces are created, changed, reviewed, or removed | `.mustflow/skills/command-contract-authoring/SKILL.md` | Command goal, current command contract, expected reads and writes, side effects, locks, timeout, output, environment, stdin, dashboard or platform setting dependency, and verification entries | Command contract, template command contracts, workflow docs, skills, tests, and directly synchronized public docs | accidental command authority, inferred command, dashboard-only source of truth, unreproducible deployment, unbounded side effect, missing lock, secret exposure, or long-running command approval | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Intent authority decision, side-effect model, environment and timeout boundary, CI/CD reproducibility boundary, synchronized surfaces, verification, and remaining command-contract risk |
|
|
625
|
+
| YAML, TOML, JSON-adjacent config, Markdown frontmatter, schema-backed config, GitHub Actions workflow structure outside shell `run` blocks, parser dialects, duplicate keys, implicit typing, multiline scalars, dotted keys, array-of-tables, defaults, normalization, or config validation fixtures are created, changed, reviewed, or reported | `.mustflow/skills/structured-config-change/SKILL.md` | Target files, consuming parser or provider, dialect support, schema and validation surfaces, merge/defaulting model, GitHub Actions workflow shape when relevant, generated or source-owned status, and command contract entries | Structured config files, schemas, schema associations, validation fixtures, normalized-output tests, docs examples, template copies, route metadata, manifest entries, and directly synchronized tests | YAML 1.1/1.2 scalar drift, TOML 1.0/1.1 incompatibility, duplicate key loss, null/empty/missing confusion, mapping-order assumption, block-scalar newline drift, unsafe YAML tag, GitHub Actions trigger/filter/permission drift, schema default overclaim, formatter semantic rewrite, or generated-output hand edit | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Config surface and parser/provider, dialect decision, parse/data-model/schema/semantic layers, YAML/TOML/GitHub Actions decisions, fixture and normalization coverage, verification, and remaining structured-config risk |
|
|
601
626
|
| External instructions, docs, AI output, snippets, issues, pull requests, scanner output, installer steps, scripts, tutorials, or reports propose commands to run, preserve, recommend, or document | `.mustflow/skills/command-intent-mapping-gate/SKILL.md` | Proposed command text, source, intended purpose, command contract entries, side-effect class, destination surface, and configured/manual/missing status | Docs, skills, templates, tests, examples, final reports, handoffs, and command-contract proposals that mention command execution | command laundering, raw external command authority, undeclared install/deploy/migration/release step, long-running process, approval bypass, or false verification claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Proposed commands reviewed, mapped to configured intents or marked manual/missing/omitted, raw command authority removed, verification, and remaining command-contract risk |
|
|
602
627
|
| Public JSON, JSONL, schema-backed reports, machine-readable stdout or stderr, exit-code semantics tied to JSON, compatibility fixtures, or documented automation-facing JSON contracts are created, changed, reviewed, or reported | `.mustflow/skills/public-json-contract-change/SKILL.md` | Affected command or report, output modes, stream split, exit-code expectations, schemas, fixtures, docs examples, compatibility policy, consumers, and command contract entries | JSON producer code, schemas, fixtures, docs examples, package metadata, templates, and tests | broken automation, schema drift, stream pollution, exit-code drift, stale backcompat fixture, or hidden breaking change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | JSON contract source, compatibility classification, synchronized schemas/fixtures/docs/tests/templates, backcompat coverage, verification, and remaining JSON risk |
|
|
603
628
|
| CLI text output, JSON output, exit codes, error messages, warnings, deprecations, help text, command aliases, schema-backed reports, or automation-facing command behavior are created, changed, reviewed, or reported | `.mustflow/skills/cli-output-contract-review/SKILL.md` | Affected command, output modes, exit-code expectations, docs examples, schemas, fixtures, consumers, and command contract entries | CLI output code, schemas, fixtures, docs, README examples, package tests, templates, and reports | broken automation, misleading success, schema drift, undocumented deprecation, stale example, or incompatible output change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Output surfaces reviewed, status and exit-code semantics, synchronized schemas/docs/tests/templates, verification, and remaining CLI-output risk |
|