mustflow 2.99.1 → 2.103.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/skill.js +76 -2
- package/dist/cli/lib/external-skill-import.js +391 -0
- package/dist/cli/lib/local-index/index.js +5 -1
- package/dist/core/public-json-contracts.js +16 -0
- package/dist/core/skill-route-resolution.js +54 -6
- package/package.json +1 -1
- package/schemas/README.md +3 -0
- package/schemas/skill-import-report.schema.json +97 -0
- package/templates/default/i18n.toml +44 -8
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +11 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +27 -2
- package/templates/default/locales/en/.mustflow/skills/c-code-change/SKILL.md +371 -0
- package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +53 -14
- package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +15 -3
- package/templates/default/locales/en/.mustflow/skills/complex-decision-analysis/SKILL.md +236 -0
- package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +74 -24
- package/templates/default/locales/en/.mustflow/skills/docs-prose-review/SKILL.md +36 -10
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +27 -3
- package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +37 -21
- package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +30 -0
- package/templates/default/locales/en/.mustflow/skills/shell-code-change/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/structured-config-change/SKILL.md +170 -0
- package/templates/default/manifest.toml +32 -1
|
@@ -0,0 +1,371 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.c-code-change
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: c-code-change
|
|
9
|
+
description: Apply this skill when C source, headers, native build metadata, compiler dialect, C standard version, ABI surfaces, generated bindings, FFI, memory ownership, pointer lifetime, undefined behavior, sanitizer configuration, performance-sensitive C paths, tests, or benchmarks are created, changed, reviewed, or upgraded.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.c-code-change
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# C Code Change
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Preserve C dialect, target-toolchain, build-graph, API, ABI, FFI, ownership,
|
|
33
|
+
lifetime, pointer provenance, undefined-behavior, concurrency, sanitizer, and
|
|
34
|
+
performance contracts while making a focused C change.
|
|
35
|
+
|
|
36
|
+
C correctness is not proven by "it compiled locally." A C change is only safe
|
|
37
|
+
when the effective standard, compiler, libc, target architecture, ownership
|
|
38
|
+
rules, and validation evidence are known or explicitly reported as missing.
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- `.c`, C-owned `.h`, generated C glue, C tests, examples, benchmarks, or
|
|
44
|
+
native C build metadata change.
|
|
45
|
+
- C build metadata changes, including `CMakeLists.txt`, Meson files, Bazel C
|
|
46
|
+
targets, Make or Autotools files, compiler flags, sanitizer flags, warning
|
|
47
|
+
policy, linker flags, exported symbols, package config files, or CI matrices.
|
|
48
|
+
- The task touches C standard version, `c17`, `c23`, `gnu23`, compiler or libc
|
|
49
|
+
compatibility, public C headers, fixed-layout types, generated bindings, FFI,
|
|
50
|
+
ownership, `malloc`, `realloc`, `free`, raw pointers, arrays, strings, integer
|
|
51
|
+
overflow, strict aliasing, alignment, atomics, volatile, performance, or
|
|
52
|
+
benchmark claims.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
55
|
+
## Do Not Use When
|
|
56
|
+
|
|
57
|
+
- C files are read-only context and no C source, header, build, package,
|
|
58
|
+
binding, test, or benchmark surface changes.
|
|
59
|
+
- A `.c` or `.h` file is compiled as C++ and owned by a C++ target; use
|
|
60
|
+
`cpp-code-change`.
|
|
61
|
+
- The task is only formatting, comments, or documentation and does not affect a
|
|
62
|
+
public header, exported symbol, generated binding, FFI surface, build graph,
|
|
63
|
+
warning policy, sanitizer policy, or documented C contract.
|
|
64
|
+
- A generated C file must be regenerated by a declared project command rather
|
|
65
|
+
than edited manually.
|
|
66
|
+
|
|
67
|
+
<!-- mustflow-section: required-inputs -->
|
|
68
|
+
## Required Inputs
|
|
69
|
+
|
|
70
|
+
- Changed files and consumed-surface classification: private implementation,
|
|
71
|
+
private header, public header, shared library, static library, executable,
|
|
72
|
+
generated binding input, generated binding output, FFI boundary, test,
|
|
73
|
+
benchmark, or build metadata.
|
|
74
|
+
- Owning build target for every changed C source, header, generated file, native
|
|
75
|
+
artifact, and installed header.
|
|
76
|
+
- Target compilation identity: C standard or dialect, compiler family and
|
|
77
|
+
version, libc, ABI, platform, architecture, build type, visibility, linkage,
|
|
78
|
+
dependency source, warning policy, sanitizer policy, and active build front
|
|
79
|
+
door when available.
|
|
80
|
+
- Public headers, exported symbols, public structs, fixed-layout types, macros,
|
|
81
|
+
enum values, constants, generated bindings, FFI functions, ownership/free
|
|
82
|
+
functions, and downstream consumer expectations when any public surface
|
|
83
|
+
changes.
|
|
84
|
+
- Ownership, lifetime, allocator, error, callback, thread-safety,
|
|
85
|
+
synchronization, and performance contracts touched by the change.
|
|
86
|
+
- Configured verification intents from the repository command contract.
|
|
87
|
+
|
|
88
|
+
<!-- mustflow-section: preconditions -->
|
|
89
|
+
## Preconditions
|
|
90
|
+
|
|
91
|
+
- Determine the owning C target before editing. Do not treat repository-wide
|
|
92
|
+
defaults, editor settings, or the local machine compiler as target authority.
|
|
93
|
+
- Determine whether changed `.h` files are C-only, C/C++ dual-use, generated,
|
|
94
|
+
public, private, or installed.
|
|
95
|
+
- Determine whether the change can affect source API, binary ABI, generated
|
|
96
|
+
binding API, FFI ABI, behavior, memory safety, thread safety, performance,
|
|
97
|
+
package consumers, or only private implementation.
|
|
98
|
+
- Refresh external "latest C", compiler support, sanitizer support, or
|
|
99
|
+
optimization claims before editing docs, package ranges, compatibility text,
|
|
100
|
+
or upgrade guidance. Treat this skill as a procedure, not as a live standards
|
|
101
|
+
database.
|
|
102
|
+
- Use only configured command intents for validation. Do not invent native
|
|
103
|
+
build, test, sanitizer, fuzz, package, or benchmark commands.
|
|
104
|
+
|
|
105
|
+
<!-- mustflow-section: allowed-edits -->
|
|
106
|
+
## Allowed Edits
|
|
107
|
+
|
|
108
|
+
- Keep edits scoped to the affected C target, build graph, tests, generated
|
|
109
|
+
source of truth, and directly synchronized docs or template surfaces.
|
|
110
|
+
- Prefer explicit ownership, pointer+length or begin/end APIs, checked size
|
|
111
|
+
arithmetic, explicit error channels, and narrow lifetime contracts over
|
|
112
|
+
hidden globals, implicit buffer length, or manual cleanup spread across many
|
|
113
|
+
exits.
|
|
114
|
+
- Prefer additive API and ABI changes when existing consumers must keep working.
|
|
115
|
+
- Add focused tests, compile checks, smoke tests, sanitizer coverage, fuzz
|
|
116
|
+
seeds, or benchmark guards only when they protect the changed C contract and
|
|
117
|
+
are covered by configured intents.
|
|
118
|
+
- Do not hand-edit generated output unless the project explicitly treats it as
|
|
119
|
+
authoritative or the user explicitly requests it with the drift risk
|
|
120
|
+
understood.
|
|
121
|
+
- Do not weaken compiler, warning, sanitizer, ABI, package, test, or
|
|
122
|
+
compatibility checks to make a patch appear complete.
|
|
123
|
+
|
|
124
|
+
<!-- mustflow-section: procedure -->
|
|
125
|
+
## Procedure
|
|
126
|
+
|
|
127
|
+
1. **Classify the C boundary.**
|
|
128
|
+
- Read the changed C files plus nearby headers, tests, build files, package
|
|
129
|
+
metadata, install/export metadata, and CI hints.
|
|
130
|
+
- Identify the owning target and active build front door. For CMake, inspect
|
|
131
|
+
target sources, include directories, compile definitions, compile options,
|
|
132
|
+
link libraries, install rules, and interface propagation. For Meson,
|
|
133
|
+
inspect targets, dependencies, options, native or cross files, and install
|
|
134
|
+
surfaces. For Bazel, inspect C target `srcs`, `hdrs`, deps, copts,
|
|
135
|
+
visibility, toolchains, and `select()` branches. For Make or Autotools,
|
|
136
|
+
inspect object rules, included fragments, generated headers, flags,
|
|
137
|
+
libraries, and install surfaces.
|
|
138
|
+
2. **Record the target compilation identity.**
|
|
139
|
+
- Record C standard or dialect, compiler, libc, platform, architecture, build
|
|
140
|
+
type, warning set, sanitizer set, optimization level, visibility, linkage,
|
|
141
|
+
dependency source, and generated-header source when relevant.
|
|
142
|
+
- As a source-freshness snapshot checked on 2026-06-26, the finalized C
|
|
143
|
+
standard is C23, officially ISO/IEC 9899:2024, and the C23
|
|
144
|
+
`__STDC_VERSION__` value is `202311L`. C2y is draft work, not a finalized
|
|
145
|
+
standard. Re-check official ISO, WG14, GCC, and Clang sources before using
|
|
146
|
+
those facts as current external claims.
|
|
147
|
+
- Do not introduce C23-only features into code that still promises C17, C11,
|
|
148
|
+
MSVC, embedded, older libc, or mixed C/C++ compatibility without target
|
|
149
|
+
evidence and a fallback or configure-time failure.
|
|
150
|
+
3. **Classify risk by highest consumed surface.**
|
|
151
|
+
- Use `internal_only`, `source_api`, `binary_abi`,
|
|
152
|
+
`static_link_contract`, `generated_binding`, `ffi_boundary`,
|
|
153
|
+
`semantic_compatibility`, or `performance_resource`.
|
|
154
|
+
- Do not downgrade risk because the diff is small, compile-clean, or hidden
|
|
155
|
+
behind macros.
|
|
156
|
+
4. **Check C23 and dialect-specific changes deliberately.**
|
|
157
|
+
- Before using `bool`, `true`, `false`, `static_assert`, `thread_local`,
|
|
158
|
+
`nullptr`, `nullptr_t`, `_BitInt`, fixed-underlying-type enums, `auto`,
|
|
159
|
+
`typeof`, `typeof_unqual`, `constexpr`, empty initializer `{}`,
|
|
160
|
+
standard attributes, `#embed`, `__has_include`, `#elifdef`, `#warning`,
|
|
161
|
+
`__VA_OPT__`, `<stdckdint.h>`, `<stdbit.h>`, `memset_explicit`, `strdup`,
|
|
162
|
+
`strndup`, `memccpy`, `gmtime_r`, `localtime_r`, `timegm`, `free_sized`,
|
|
163
|
+
`free_aligned_sized`, binary literals, or digit separators, verify
|
|
164
|
+
compiler, libc, CI, package, and downstream support.
|
|
165
|
+
- Treat GCC 15 `gnu23` default behavior and Clang C23 support status as
|
|
166
|
+
toolchain evidence to refresh for the target, not as permission to change
|
|
167
|
+
portable code.
|
|
168
|
+
- K&R function definitions are not valid modern C. Prefer explicit
|
|
169
|
+
prototypes and keep `void f(void)` for no-argument functions in mixed or
|
|
170
|
+
legacy-compatible code even though C23 tightened `void f()` semantics.
|
|
171
|
+
- Two's-complement signed representation does not make signed overflow
|
|
172
|
+
defined. Keep overflow checks explicit.
|
|
173
|
+
5. **Make ownership and allocation contracts visible.**
|
|
174
|
+
- Classify every pointer as owner, borrowed non-null pointer, borrowed
|
|
175
|
+
nullable pointer, mutable span, immutable span, callback context, handle,
|
|
176
|
+
or transferred owner.
|
|
177
|
+
- Use `malloc(n * sizeof *p)` style only with checked multiplication. Prefer
|
|
178
|
+
`calloc(n, sizeof *p)`, `reallocarray`, or C23 checked integer operations
|
|
179
|
+
when the target supports them.
|
|
180
|
+
- Do not assign `realloc` directly to the original pointer. Use a temporary
|
|
181
|
+
pointer and update the owner only on success.
|
|
182
|
+
- Treat `realloc(p, 0)` as unsafe and, in C23, undefined behavior. Split
|
|
183
|
+
zero-size cases into explicit `free` plus owner-slot update.
|
|
184
|
+
- Match aligned allocation and deallocation families across platforms.
|
|
185
|
+
6. **Preserve pointer provenance, lifetime, and range rules.**
|
|
186
|
+
- Do not treat a pointer as only an integer address. Keep object lifetime,
|
|
187
|
+
provenance, bounds, and alignment visible.
|
|
188
|
+
- Pointer arithmetic, subtraction, and relational comparison are defined only
|
|
189
|
+
within the same array object or one-past boundary.
|
|
190
|
+
- One-past pointers are sentinels, not storage.
|
|
191
|
+
- Do not use stale pointers after `free`, `realloc`, scope exit, or owner
|
|
192
|
+
transfer. Prefer APIs that update the caller's pointer slot when ownership
|
|
193
|
+
ends.
|
|
194
|
+
- An integer-pointer round trip is not proof that the resulting pointer may
|
|
195
|
+
access an object.
|
|
196
|
+
- For unaligned data or representation moves, use `memcpy` instead of
|
|
197
|
+
pointer casts.
|
|
198
|
+
7. **Keep effective type and aliasing legal.**
|
|
199
|
+
- Do not type-pun by casting and dereferencing incompatible pointer types.
|
|
200
|
+
Use `memcpy` for representation moves and let the optimizer remove the
|
|
201
|
+
copy when legal.
|
|
202
|
+
- Use character types for byte inspection.
|
|
203
|
+
- Treat `restrict` as an aliasing contract, not a speed decoration. Add it
|
|
204
|
+
only when callers cannot pass overlapping objects.
|
|
205
|
+
- Do not hide aliasing uncertainty behind `volatile`.
|
|
206
|
+
8. **Make arrays, strings, and I/O lengths explicit.**
|
|
207
|
+
- Pass pointer+length or begin/end pairs for buffers. Do not recover array
|
|
208
|
+
length from a function parameter with `sizeof`.
|
|
209
|
+
- Reserve space for the terminating NUL when a buffer stores a C string.
|
|
210
|
+
- Treat `strncpy` as fixed-width record padding, not as safe string copy.
|
|
211
|
+
- Check `snprintf`, `read`, `write`, `fread`, `fwrite`, `fclose`, allocator,
|
|
212
|
+
parser, and system-call return values.
|
|
213
|
+
- Store `getchar` and similar EOF-capable results in `int`, not `char`.
|
|
214
|
+
- Cast to `unsigned char` before passing plain byte values to `ctype.h`
|
|
215
|
+
functions, unless the value is `EOF`.
|
|
216
|
+
- Use `memmove` when source and destination may overlap; keep `memcpy` only
|
|
217
|
+
for proven non-overlap.
|
|
218
|
+
9. **Make integer and bit contracts explicit.**
|
|
219
|
+
- Keep size calculations in unsigned size types with checked multiplication
|
|
220
|
+
or addition before allocation.
|
|
221
|
+
- Do not check signed overflow after the overflowing expression has already
|
|
222
|
+
executed.
|
|
223
|
+
- Use unsigned types for masks, shifts, and wraparound semantics.
|
|
224
|
+
- Check shift counts and signed-left-shift assumptions.
|
|
225
|
+
- Treat C23 `<stdckdint.h>` as a useful option only when target support is
|
|
226
|
+
proven.
|
|
227
|
+
10. **Review macros, declarations, and public headers.**
|
|
228
|
+
- Prefer `static inline` functions over macros when type-generic behavior is
|
|
229
|
+
not required.
|
|
230
|
+
- For macros, check double evaluation, missing parentheses, statement
|
|
231
|
+
expression extensions, `do { } while (0)` style, and side-effect
|
|
232
|
+
arguments.
|
|
233
|
+
- Use exact function pointer typedefs. Do not cast incompatible function
|
|
234
|
+
pointers and call through them.
|
|
235
|
+
- For public headers, review include hygiene, C/C++ compatibility guards
|
|
236
|
+
when required, exported macros, enum values, struct layout, packing,
|
|
237
|
+
alignment, fixed-width types, visibility macros, and allocator ownership.
|
|
238
|
+
11. **Keep concurrency and volatile separate.**
|
|
239
|
+
- Treat data races as undefined behavior.
|
|
240
|
+
- Use atomics, mutexes, condition variables, or project synchronization
|
|
241
|
+
primitives for shared state.
|
|
242
|
+
- Use `volatile` only for the narrow cases it actually owns, such as
|
|
243
|
+
memory-mapped I/O or signal-adjacent access where the project has a
|
|
244
|
+
policy. It is not thread synchronization.
|
|
245
|
+
- When performance and threading interact, inspect false sharing, cache-line
|
|
246
|
+
layout, allocator contention, and shutdown or cancellation lifetime.
|
|
247
|
+
12. **Make performance changes evidence-driven.**
|
|
248
|
+
- Require baseline, workload, target metric, profile or benchmark evidence,
|
|
249
|
+
hypothesis, targeted change, remeasurement, and regression guard when
|
|
250
|
+
configured verification exists.
|
|
251
|
+
- Do not claim performance from folklore rewrites such as replacing
|
|
252
|
+
division by shifts, global `-O3`, broad `inline`, or manual loop unrolling
|
|
253
|
+
without measurement.
|
|
254
|
+
- Prefer reducing memory traffic, allocation churn, branch unpredictability,
|
|
255
|
+
aliasing uncertainty, cache misses, false sharing, and unnecessary copies.
|
|
256
|
+
- Evaluate `-O2`, `-O3`, LTO, PGO, visibility, `-march`, `-mtune`, and
|
|
257
|
+
optimization reports as build contracts. Do not use `-Ofast` or
|
|
258
|
+
`-march=native` for portable release builds without explicit target and
|
|
259
|
+
correctness evidence.
|
|
260
|
+
13. **Verify through configured intents only.**
|
|
261
|
+
- Choose validation by highest-risk surface, not diff size.
|
|
262
|
+
- Report whether configured validation exists for C compile, warning-as-
|
|
263
|
+
error, optimized build, sanitizer build, public-header compile, downstream
|
|
264
|
+
consumer compile, link, unit, integration, ABI or symbol diff, generated
|
|
265
|
+
binding regeneration, FFI smoke, fuzzing, static analysis, cross-compiler
|
|
266
|
+
matrix, and benchmark scenarios when those surfaces change.
|
|
267
|
+
|
|
268
|
+
<!-- mustflow-section: rejection-criteria -->
|
|
269
|
+
## Review Rejection Criteria
|
|
270
|
+
|
|
271
|
+
Reject or revise the patch when any of these appear without strong local
|
|
272
|
+
evidence and risk reporting:
|
|
273
|
+
|
|
274
|
+
- A changed C file has no identified owning target, active build front door, or
|
|
275
|
+
compilation identity.
|
|
276
|
+
- A public header, exported symbol, generated binding, FFI surface, library
|
|
277
|
+
artifact, dialect, warning policy, sanitizer policy, or ABI surface changes
|
|
278
|
+
without compatibility classification.
|
|
279
|
+
- C23 features are introduced without target compiler, libc, CI, package, and
|
|
280
|
+
downstream support evidence.
|
|
281
|
+
- API or ABI compatibility is claimed without inspecting public headers,
|
|
282
|
+
generated bindings, exported symbols, struct layout, calling convention,
|
|
283
|
+
visibility, allocator boundary, and downstream-style consumer surface when
|
|
284
|
+
relevant.
|
|
285
|
+
- Ownership transfer, allocation size, `realloc`, zero-size allocation,
|
|
286
|
+
aligned allocation, free responsibility, or cleanup-on-failure is ambiguous.
|
|
287
|
+
- Pointer arithmetic, pointer comparison, one-past usage, stale pointer usage,
|
|
288
|
+
integer-pointer round trips, alignment, effective type, or strict aliasing
|
|
289
|
+
depends on "it works on this machine."
|
|
290
|
+
- `restrict`, `volatile`, `inline`, `-O3`, `-Ofast`, `-march=native`,
|
|
291
|
+
`__builtin_expect`, `__builtin_prefetch`, LTO, PGO, or manual unrolling is
|
|
292
|
+
added as a performance claim without contract and evidence.
|
|
293
|
+
- Sanitizer, warning, optimized-build, ABI, FFI, binding, benchmark, or
|
|
294
|
+
cross-toolchain checks are missing but the output claims those properties were
|
|
295
|
+
proven.
|
|
296
|
+
|
|
297
|
+
<!-- mustflow-section: postconditions -->
|
|
298
|
+
## Postconditions
|
|
299
|
+
|
|
300
|
+
- The owning target, active build graph, and target compilation identity are
|
|
301
|
+
known or the missing boundary is reported.
|
|
302
|
+
- The highest compatibility risk is stated: internal-only, source API, binary
|
|
303
|
+
ABI, static-link contract, generated binding, FFI, semantic compatibility, or
|
|
304
|
+
performance/resource.
|
|
305
|
+
- Ownership, lifetime, pointer provenance, allocator, integer, string, macro,
|
|
306
|
+
error, concurrency, dialect, and performance impacts are intentional and
|
|
307
|
+
evidence-backed.
|
|
308
|
+
- Public headers, exported symbols, generated bindings, FFI surfaces, build
|
|
309
|
+
metadata, tests, docs, and template surfaces are synchronized when they are
|
|
310
|
+
part of the changed contract.
|
|
311
|
+
- Generated files match their source of truth and generator flow, or drift is
|
|
312
|
+
reported.
|
|
313
|
+
- No API, ABI, memory-safety, thread-safety, FFI, binding, sanitizer, or
|
|
314
|
+
performance compatibility is claimed beyond the validation evidence.
|
|
315
|
+
|
|
316
|
+
<!-- mustflow-section: verification -->
|
|
317
|
+
## Verification
|
|
318
|
+
|
|
319
|
+
Use configured oneshot command intents when available:
|
|
320
|
+
|
|
321
|
+
- `lint`
|
|
322
|
+
- `build`
|
|
323
|
+
- `test_related`
|
|
324
|
+
- `test`
|
|
325
|
+
- `docs_validate_fast`
|
|
326
|
+
- `test_release`
|
|
327
|
+
- `mustflow_check`
|
|
328
|
+
|
|
329
|
+
Report missing C compile, warning-as-error, optimized-build, sanitizer, public-
|
|
330
|
+
header compile, downstream consumer compile, link, ABI or symbol diff,
|
|
331
|
+
generated-binding regeneration, FFI smoke, fuzzing, static analysis,
|
|
332
|
+
cross-compiler, cross-libc, cross-architecture, and benchmark verification when
|
|
333
|
+
those surfaces changed.
|
|
334
|
+
|
|
335
|
+
<!-- mustflow-section: failure-handling -->
|
|
336
|
+
## Failure Handling
|
|
337
|
+
|
|
338
|
+
- If the owning target or active build front door is unclear, stop the risky
|
|
339
|
+
part and inspect build metadata before editing further.
|
|
340
|
+
- If multiple build graphs own the same changed file and only one can be
|
|
341
|
+
updated, report the stale graph and compatibility risk.
|
|
342
|
+
- If public API or ABI policy is absent, classify the risk explicitly instead of
|
|
343
|
+
assuming semver, SONAME, or package compatibility rules.
|
|
344
|
+
- If generated bindings drift, restore source/output alignment or report the
|
|
345
|
+
generator/source-of-truth gap.
|
|
346
|
+
- If a lifetime, ownership, or aliasing fix creates broad shared ownership,
|
|
347
|
+
hidden global state, or pointer-range ambiguity, revisit the owner boundary
|
|
348
|
+
before continuing.
|
|
349
|
+
- If concurrency changes lack a synchronization proof, stop that part and
|
|
350
|
+
inspect the state owner, guard, lifetime, and shutdown path.
|
|
351
|
+
- If performance measurements are unavailable, report that performance
|
|
352
|
+
compatibility was not proven.
|
|
353
|
+
- If freshness checks are unavailable for C standard, compiler, libc, sanitizer,
|
|
354
|
+
or support-status claims, avoid embedding exact "latest" wording and report
|
|
355
|
+
the gap.
|
|
356
|
+
|
|
357
|
+
<!-- mustflow-section: output-format -->
|
|
358
|
+
## Output Format
|
|
359
|
+
|
|
360
|
+
- Boundary checked
|
|
361
|
+
- Owning target and compilation identity
|
|
362
|
+
- C standard, dialect, compiler, libc, warning, sanitizer, and optimization
|
|
363
|
+
notes
|
|
364
|
+
- Highest compatibility risk
|
|
365
|
+
- Ownership, lifetime, pointer provenance, UB, integer, string, macro,
|
|
366
|
+
concurrency, or performance impact
|
|
367
|
+
- Public API, ABI, binding, FFI, or build-graph impact
|
|
368
|
+
- Files changed
|
|
369
|
+
- Command intents run
|
|
370
|
+
- Skipped checks and reasons
|
|
371
|
+
- Remaining C risk
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.clarifying-question-gate
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: clarifying-question-gate
|
|
@@ -34,6 +34,12 @@ The goal is not to make the user rewrite the prompt. Normalize the request insid
|
|
|
34
34
|
state the interpretation when it matters, and continue unless a high-cost decision still needs
|
|
35
35
|
confirmation.
|
|
36
36
|
|
|
37
|
+
This skill also protects the repository from vague imperative requests such as "fix the bug",
|
|
38
|
+
"clean this up", "make it pretty", "speed it up", "add tests", "fix the build", "make an API",
|
|
39
|
+
or "handle errors". Do not execute the literal wording as permission to patch symptoms. Convert
|
|
40
|
+
the request into a reviewable contract for the target, criteria, scope, affected surfaces,
|
|
41
|
+
verification, and stop-or-ask boundary.
|
|
42
|
+
|
|
37
43
|
<!-- mustflow-section: use-when -->
|
|
38
44
|
## Use When
|
|
39
45
|
|
|
@@ -49,6 +55,10 @@ confirmation.
|
|
|
49
55
|
maintenance burden.
|
|
50
56
|
- You are about to add a new dependency, service, folder boundary, storage model, framework pattern,
|
|
51
57
|
persistent state, or broad refactor that the current files do not already require.
|
|
58
|
+
- The request is a terse command that names an activity but not its target behavior, quality
|
|
59
|
+
criteria, impacted contracts, or proof of completion, for example bug fixing, error handling,
|
|
60
|
+
refactoring, test repair, type cleanup, performance work, API work, UI polish, documentation,
|
|
61
|
+
dependency updates, CI repair, or PR preparation.
|
|
52
62
|
- The request can be safely clarified by a short normalized contract instead of a long back-and-forth.
|
|
53
63
|
|
|
54
64
|
<!-- mustflow-section: do-not-use-when -->
|
|
@@ -91,6 +101,13 @@ confirmation.
|
|
|
91
101
|
- A normalized task contract when the original request is vague enough to risk drift: goal, current
|
|
92
102
|
context, change scope, excluded scope, user-visible behavior, constraints, completion evidence,
|
|
93
103
|
verification, report format, and remaining risks.
|
|
104
|
+
- For terse implementation commands, a normalized execution contract with:
|
|
105
|
+
- the observed target or failure source;
|
|
106
|
+
- the intended behavior or quality criterion;
|
|
107
|
+
- the changed and explicitly excluded surfaces;
|
|
108
|
+
- public contracts, data, security, UX, dependency, or generated outputs that may be affected;
|
|
109
|
+
- the verification plan and evidence that will close the task;
|
|
110
|
+
- the condition that requires stopping, asking, or handing off to a narrower skill.
|
|
94
111
|
- Source tags for contract entries: `user_confirmed`, `repository_derived`, `safe_assumption`, or
|
|
95
112
|
`unresolved`.
|
|
96
113
|
|
|
@@ -141,7 +158,27 @@ confirmation.
|
|
|
141
158
|
`instruction-conflict-scope-check`.
|
|
142
159
|
- `insufficient_evidence`: more repository reading, reproduction, or scoped analysis is needed
|
|
143
160
|
before asking or implementing.
|
|
144
|
-
5.
|
|
161
|
+
5. Normalize terse implementation commands before editing:
|
|
162
|
+
- For bug, error, build, CI, or failing-test requests, identify the observed failure source,
|
|
163
|
+
distinguish implementation defects from test or environment defects, and define the regression
|
|
164
|
+
evidence before changing code.
|
|
165
|
+
- For refactor, cleanup, naming, comment, folder, type, or duplicate-removal requests, preserve
|
|
166
|
+
behavior as the default invariant and name the readability, responsibility, type-safety, or
|
|
167
|
+
dependency-direction criterion being improved.
|
|
168
|
+
- For performance requests, identify the suspected or measured bottleneck, baseline, workload,
|
|
169
|
+
and verification signal before optimizing.
|
|
170
|
+
- For API, response shape, auth, permission, logging, error, cache, database, migration, or
|
|
171
|
+
dependency requests, identify compatibility, data, security, lifecycle, and rollback surfaces
|
|
172
|
+
before implementation.
|
|
173
|
+
- For UI, accessibility, responsive, form, modal, routing, search, filtering, pagination, or
|
|
174
|
+
state-management requests, identify the user path, visible states, failure states, device or
|
|
175
|
+
input constraints, and verification evidence.
|
|
176
|
+
- For docs, README, env var, deploy, release, or PR requests, identify the source of truth,
|
|
177
|
+
affected install or automation surfaces, required verification, and any maintainer-facing
|
|
178
|
+
limitation text.
|
|
179
|
+
- Do not treat "minimal fix" as the default when a symptom-only patch would leave the affected
|
|
180
|
+
flow, contract, or regression coverage broken.
|
|
181
|
+
6. Build a normalized task contract when the user request is underspecified but executable:
|
|
145
182
|
- goal;
|
|
146
183
|
- current context;
|
|
147
184
|
- change scope;
|
|
@@ -154,46 +191,46 @@ confirmation.
|
|
|
154
191
|
- remaining risks.
|
|
155
192
|
Tag each non-obvious contract entry as `user_confirmed`, `repository_derived`,
|
|
156
193
|
`safe_assumption`, or `unresolved`. Do not add new product requirements while normalizing.
|
|
157
|
-
|
|
194
|
+
7. Ask about observable completion before feature shape when success is unclear:
|
|
158
195
|
- what behavior proves the task is done;
|
|
159
196
|
- which user path, command, test, screenshot, migration state, or registry/release state closes it.
|
|
160
|
-
|
|
197
|
+
8. Ask about scope only when plausible scopes have different cost or risk:
|
|
161
198
|
- minimal symptom fix, root-cause fix, or broader cleanup;
|
|
162
199
|
- prototype, maintainable production path, or release-ready path.
|
|
163
|
-
|
|
200
|
+
9. Ask about existing users and data before changing persistence, lifecycle, deletion, migration,
|
|
164
201
|
retention, cache, API compatibility, or old-client behavior.
|
|
165
|
-
|
|
202
|
+
10. Ask about failure UX before implementing user-visible success flows where failure handling is a
|
|
166
203
|
product decision: retry, queue, message, audit/log-only, rollback, partial success, or manual
|
|
167
204
|
recovery.
|
|
168
|
-
|
|
205
|
+
11. Ask about security and authorization before relying on UI hiding, client-side checks, roles,
|
|
169
206
|
invites, team boundaries, file access, billing state, or admin features.
|
|
170
|
-
|
|
207
|
+
12. Ask before adding or swapping dependencies, services, queues, databases, auth providers, design
|
|
171
208
|
systems, state managers, or major folder boundaries.
|
|
172
|
-
|
|
209
|
+
13. Ask about verification when there is no declared command intent or when the user expects a
|
|
173
210
|
specific proof beyond the repository's configured checks.
|
|
174
|
-
|
|
211
|
+
14. Keep the question set short:
|
|
175
212
|
- ask at most three questions at once;
|
|
176
213
|
- ask only one question when its answer may make later questions irrelevant;
|
|
177
214
|
- each question must name the decision, the recommended choice, the consequence of that choice,
|
|
178
215
|
and one meaningful alternative;
|
|
179
216
|
- avoid open-ended prompts like "how should I implement this?" unless no responsible options can
|
|
180
217
|
be framed from repository evidence.
|
|
181
|
-
|
|
218
|
+
15. Do not ask bad engineering-delegation questions:
|
|
182
219
|
- "Should I add tests?"
|
|
183
220
|
- "Should I handle errors?"
|
|
184
221
|
- "Should I follow existing style?"
|
|
185
222
|
- "Should I check current files?"
|
|
186
223
|
- "Should I preserve existing behavior?"
|
|
187
|
-
|
|
224
|
+
16. Use prompt rewriting only as an exception:
|
|
188
225
|
- the user explicitly asks for a prompt, issue, PR body, work order, or handoff for another
|
|
189
226
|
agent;
|
|
190
227
|
- the current request is too broken to execute and a normalized contract plus confirmation is the
|
|
191
228
|
smallest safe next step.
|
|
192
229
|
Otherwise, show the normalized contract only when it materially reduces drift, then proceed in
|
|
193
230
|
the same conversation.
|
|
194
|
-
|
|
231
|
+
17. If no blocking question remains, proceed without ceremony. State only the assumptions that matter
|
|
195
232
|
to review or rollback.
|
|
196
|
-
|
|
233
|
+
18. If a blocking question remains unanswered, do not implement around it. Offer the smallest safe
|
|
197
234
|
non-blocked action, such as read-only analysis, a plan, a reproduction, or a narrow preparatory
|
|
198
235
|
refactor when another selected skill supports it.
|
|
199
236
|
|
|
@@ -207,6 +244,8 @@ confirmation.
|
|
|
207
244
|
- Safe assumptions are narrow, reversible, and reported.
|
|
208
245
|
- Any normalized contract preserves the user's original request separately from repository-derived
|
|
209
246
|
facts and safe assumptions.
|
|
247
|
+
- Terse commands are expanded into target, criterion, scope, affected-surface, verification, and
|
|
248
|
+
stop-or-ask boundaries before implementation.
|
|
210
249
|
- Prompt rewriting is not used as a substitute for proceeding in the current task.
|
|
211
250
|
- The final work can be judged against observable success criteria or a reported verification gap.
|
|
212
251
|
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.completion-evidence-gate
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: completion-evidence-gate
|
|
@@ -70,6 +70,8 @@ missing, blocked, failed, stale, or only partially relevant.
|
|
|
70
70
|
- Optional script-pack discovery evidence when the command contract exposes `script_pack_list`.
|
|
71
71
|
- Synchronized surfaces expected by the changed contract: source, tests, fixtures, schemas, templates, manifests, docs, release metadata, generated output, and localized copies.
|
|
72
72
|
- Known remaining risks, unverified assumptions, blocked decisions, and rollback notes.
|
|
73
|
+
- Concrete follow-up candidates, if any, plus whether a bounded `next-action-menu` should be
|
|
74
|
+
included or intentionally omitted.
|
|
73
75
|
|
|
74
76
|
<!-- mustflow-section: preconditions -->
|
|
75
77
|
## Preconditions
|
|
@@ -118,11 +120,18 @@ missing, blocked, failed, stale, or only partially relevant.
|
|
|
118
120
|
- Use `implemented but unverified` when the files changed but no relevant configured verification was run.
|
|
119
121
|
- Use `blocked` when required evidence cannot be produced without a missing decision, unavailable environment, manual-only command, failed prerequisite, or user approval.
|
|
120
122
|
- Use `not complete` when a required acceptance criterion is not implemented or verification contradicts the claim.
|
|
121
|
-
7.
|
|
123
|
+
7. Decide whether a next-action menu is warranted.
|
|
124
|
+
- If there are concrete, evidence-backed follow-up tasks that would make the next user turn
|
|
125
|
+
cheaper, read and apply `next-action-menu` before final reporting.
|
|
126
|
+
- If no useful follow-up exists, the user asked not to include recommendations, or the only next
|
|
127
|
+
actions are speculative or approval-gated, omit the menu and keep the final report concise.
|
|
128
|
+
- Do not treat this gate as automatic host behavior: the menu appears only when the skill is
|
|
129
|
+
selected and its use conditions are met.
|
|
130
|
+
8. Write the final report from evidence, not confidence.
|
|
122
131
|
- Name changed files, command intents run, skipped checks with reasons, synchronized or deferred surfaces, and remaining risks.
|
|
123
132
|
- Do not imply that skipped, manual-only, or missing command intents passed.
|
|
124
133
|
- Do not hide lower-confidence evidence when direct shell commands were used instead of configured intents.
|
|
125
|
-
|
|
134
|
+
9. If the gate reveals missing required work that is safe and in scope, do that work before final reporting. Otherwise report the gap plainly.
|
|
126
135
|
|
|
127
136
|
<!-- mustflow-section: postconditions -->
|
|
128
137
|
## Postconditions
|
|
@@ -131,6 +140,8 @@ missing, blocked, failed, stale, or only partially relevant.
|
|
|
131
140
|
- Every user requirement is mapped to proof, a limitation, or an explicit out-of-scope decision.
|
|
132
141
|
- Skipped, missing, failed, stale, or manual-only verification is visible.
|
|
133
142
|
- Contract, template, schema, docs, test, and release drift is either resolved or named as remaining risk.
|
|
143
|
+
- Useful follow-up tasks either appear through `next-action-menu` or are intentionally omitted with a
|
|
144
|
+
clear reason when the menu conditions are not met.
|
|
134
145
|
- No unconfigured command, hidden transcript, broad log, or invented tool result is treated as proof.
|
|
135
146
|
|
|
136
147
|
<!-- mustflow-section: verification -->
|
|
@@ -178,4 +189,5 @@ instead of replacing it with an inferred command.
|
|
|
178
189
|
- Lower-confidence evidence, if any
|
|
179
190
|
- Stalled or repeated observations, if any
|
|
180
191
|
- Remaining risks
|
|
192
|
+
- Next-action menu included or omitted, with reason
|
|
181
193
|
- Final wording boundary
|