mustflow 2.99.1 → 2.103.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/dist/cli/commands/skill.js +76 -2
  2. package/dist/cli/lib/external-skill-import.js +391 -0
  3. package/dist/cli/lib/local-index/index.js +5 -1
  4. package/dist/core/public-json-contracts.js +16 -0
  5. package/dist/core/skill-route-resolution.js +54 -6
  6. package/package.json +1 -1
  7. package/schemas/README.md +3 -0
  8. package/schemas/skill-import-report.schema.json +97 -0
  9. package/templates/default/i18n.toml +44 -8
  10. package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +11 -1
  11. package/templates/default/locales/en/.mustflow/skills/INDEX.md +27 -2
  12. package/templates/default/locales/en/.mustflow/skills/c-code-change/SKILL.md +371 -0
  13. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +53 -14
  14. package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +15 -3
  15. package/templates/default/locales/en/.mustflow/skills/complex-decision-analysis/SKILL.md +236 -0
  16. package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +74 -24
  17. package/templates/default/locales/en/.mustflow/skills/docs-prose-review/SKILL.md +36 -10
  18. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +27 -3
  19. package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +37 -21
  20. package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +278 -0
  21. package/templates/default/locales/en/.mustflow/skills/routes.toml +30 -0
  22. package/templates/default/locales/en/.mustflow/skills/shell-code-change/SKILL.md +279 -0
  23. package/templates/default/locales/en/.mustflow/skills/structured-config-change/SKILL.md +170 -0
  24. package/templates/default/manifest.toml +32 -1
@@ -0,0 +1,371 @@
1
+ ---
2
+ mustflow_doc: skill.c-code-change
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: c-code-change
9
+ description: Apply this skill when C source, headers, native build metadata, compiler dialect, C standard version, ABI surfaces, generated bindings, FFI, memory ownership, pointer lifetime, undefined behavior, sanitizer configuration, performance-sensitive C paths, tests, or benchmarks are created, changed, reviewed, or upgraded.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.c-code-change
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # C Code Change
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Preserve C dialect, target-toolchain, build-graph, API, ABI, FFI, ownership,
33
+ lifetime, pointer provenance, undefined-behavior, concurrency, sanitizer, and
34
+ performance contracts while making a focused C change.
35
+
36
+ C correctness is not proven by "it compiled locally." A C change is only safe
37
+ when the effective standard, compiler, libc, target architecture, ownership
38
+ rules, and validation evidence are known or explicitly reported as missing.
39
+
40
+ <!-- mustflow-section: use-when -->
41
+ ## Use When
42
+
43
+ - `.c`, C-owned `.h`, generated C glue, C tests, examples, benchmarks, or
44
+ native C build metadata change.
45
+ - C build metadata changes, including `CMakeLists.txt`, Meson files, Bazel C
46
+ targets, Make or Autotools files, compiler flags, sanitizer flags, warning
47
+ policy, linker flags, exported symbols, package config files, or CI matrices.
48
+ - The task touches C standard version, `c17`, `c23`, `gnu23`, compiler or libc
49
+ compatibility, public C headers, fixed-layout types, generated bindings, FFI,
50
+ ownership, `malloc`, `realloc`, `free`, raw pointers, arrays, strings, integer
51
+ overflow, strict aliasing, alignment, atomics, volatile, performance, or
52
+ benchmark claims.
53
+
54
+ <!-- mustflow-section: do-not-use-when -->
55
+ ## Do Not Use When
56
+
57
+ - C files are read-only context and no C source, header, build, package,
58
+ binding, test, or benchmark surface changes.
59
+ - A `.c` or `.h` file is compiled as C++ and owned by a C++ target; use
60
+ `cpp-code-change`.
61
+ - The task is only formatting, comments, or documentation and does not affect a
62
+ public header, exported symbol, generated binding, FFI surface, build graph,
63
+ warning policy, sanitizer policy, or documented C contract.
64
+ - A generated C file must be regenerated by a declared project command rather
65
+ than edited manually.
66
+
67
+ <!-- mustflow-section: required-inputs -->
68
+ ## Required Inputs
69
+
70
+ - Changed files and consumed-surface classification: private implementation,
71
+ private header, public header, shared library, static library, executable,
72
+ generated binding input, generated binding output, FFI boundary, test,
73
+ benchmark, or build metadata.
74
+ - Owning build target for every changed C source, header, generated file, native
75
+ artifact, and installed header.
76
+ - Target compilation identity: C standard or dialect, compiler family and
77
+ version, libc, ABI, platform, architecture, build type, visibility, linkage,
78
+ dependency source, warning policy, sanitizer policy, and active build front
79
+ door when available.
80
+ - Public headers, exported symbols, public structs, fixed-layout types, macros,
81
+ enum values, constants, generated bindings, FFI functions, ownership/free
82
+ functions, and downstream consumer expectations when any public surface
83
+ changes.
84
+ - Ownership, lifetime, allocator, error, callback, thread-safety,
85
+ synchronization, and performance contracts touched by the change.
86
+ - Configured verification intents from the repository command contract.
87
+
88
+ <!-- mustflow-section: preconditions -->
89
+ ## Preconditions
90
+
91
+ - Determine the owning C target before editing. Do not treat repository-wide
92
+ defaults, editor settings, or the local machine compiler as target authority.
93
+ - Determine whether changed `.h` files are C-only, C/C++ dual-use, generated,
94
+ public, private, or installed.
95
+ - Determine whether the change can affect source API, binary ABI, generated
96
+ binding API, FFI ABI, behavior, memory safety, thread safety, performance,
97
+ package consumers, or only private implementation.
98
+ - Refresh external "latest C", compiler support, sanitizer support, or
99
+ optimization claims before editing docs, package ranges, compatibility text,
100
+ or upgrade guidance. Treat this skill as a procedure, not as a live standards
101
+ database.
102
+ - Use only configured command intents for validation. Do not invent native
103
+ build, test, sanitizer, fuzz, package, or benchmark commands.
104
+
105
+ <!-- mustflow-section: allowed-edits -->
106
+ ## Allowed Edits
107
+
108
+ - Keep edits scoped to the affected C target, build graph, tests, generated
109
+ source of truth, and directly synchronized docs or template surfaces.
110
+ - Prefer explicit ownership, pointer+length or begin/end APIs, checked size
111
+ arithmetic, explicit error channels, and narrow lifetime contracts over
112
+ hidden globals, implicit buffer length, or manual cleanup spread across many
113
+ exits.
114
+ - Prefer additive API and ABI changes when existing consumers must keep working.
115
+ - Add focused tests, compile checks, smoke tests, sanitizer coverage, fuzz
116
+ seeds, or benchmark guards only when they protect the changed C contract and
117
+ are covered by configured intents.
118
+ - Do not hand-edit generated output unless the project explicitly treats it as
119
+ authoritative or the user explicitly requests it with the drift risk
120
+ understood.
121
+ - Do not weaken compiler, warning, sanitizer, ABI, package, test, or
122
+ compatibility checks to make a patch appear complete.
123
+
124
+ <!-- mustflow-section: procedure -->
125
+ ## Procedure
126
+
127
+ 1. **Classify the C boundary.**
128
+ - Read the changed C files plus nearby headers, tests, build files, package
129
+ metadata, install/export metadata, and CI hints.
130
+ - Identify the owning target and active build front door. For CMake, inspect
131
+ target sources, include directories, compile definitions, compile options,
132
+ link libraries, install rules, and interface propagation. For Meson,
133
+ inspect targets, dependencies, options, native or cross files, and install
134
+ surfaces. For Bazel, inspect C target `srcs`, `hdrs`, deps, copts,
135
+ visibility, toolchains, and `select()` branches. For Make or Autotools,
136
+ inspect object rules, included fragments, generated headers, flags,
137
+ libraries, and install surfaces.
138
+ 2. **Record the target compilation identity.**
139
+ - Record C standard or dialect, compiler, libc, platform, architecture, build
140
+ type, warning set, sanitizer set, optimization level, visibility, linkage,
141
+ dependency source, and generated-header source when relevant.
142
+ - As a source-freshness snapshot checked on 2026-06-26, the finalized C
143
+ standard is C23, officially ISO/IEC 9899:2024, and the C23
144
+ `__STDC_VERSION__` value is `202311L`. C2y is draft work, not a finalized
145
+ standard. Re-check official ISO, WG14, GCC, and Clang sources before using
146
+ those facts as current external claims.
147
+ - Do not introduce C23-only features into code that still promises C17, C11,
148
+ MSVC, embedded, older libc, or mixed C/C++ compatibility without target
149
+ evidence and a fallback or configure-time failure.
150
+ 3. **Classify risk by highest consumed surface.**
151
+ - Use `internal_only`, `source_api`, `binary_abi`,
152
+ `static_link_contract`, `generated_binding`, `ffi_boundary`,
153
+ `semantic_compatibility`, or `performance_resource`.
154
+ - Do not downgrade risk because the diff is small, compile-clean, or hidden
155
+ behind macros.
156
+ 4. **Check C23 and dialect-specific changes deliberately.**
157
+ - Before using `bool`, `true`, `false`, `static_assert`, `thread_local`,
158
+ `nullptr`, `nullptr_t`, `_BitInt`, fixed-underlying-type enums, `auto`,
159
+ `typeof`, `typeof_unqual`, `constexpr`, empty initializer `{}`,
160
+ standard attributes, `#embed`, `__has_include`, `#elifdef`, `#warning`,
161
+ `__VA_OPT__`, `<stdckdint.h>`, `<stdbit.h>`, `memset_explicit`, `strdup`,
162
+ `strndup`, `memccpy`, `gmtime_r`, `localtime_r`, `timegm`, `free_sized`,
163
+ `free_aligned_sized`, binary literals, or digit separators, verify
164
+ compiler, libc, CI, package, and downstream support.
165
+ - Treat GCC 15 `gnu23` default behavior and Clang C23 support status as
166
+ toolchain evidence to refresh for the target, not as permission to change
167
+ portable code.
168
+ - K&R function definitions are not valid modern C. Prefer explicit
169
+ prototypes and keep `void f(void)` for no-argument functions in mixed or
170
+ legacy-compatible code even though C23 tightened `void f()` semantics.
171
+ - Two's-complement signed representation does not make signed overflow
172
+ defined. Keep overflow checks explicit.
173
+ 5. **Make ownership and allocation contracts visible.**
174
+ - Classify every pointer as owner, borrowed non-null pointer, borrowed
175
+ nullable pointer, mutable span, immutable span, callback context, handle,
176
+ or transferred owner.
177
+ - Use `malloc(n * sizeof *p)` style only with checked multiplication. Prefer
178
+ `calloc(n, sizeof *p)`, `reallocarray`, or C23 checked integer operations
179
+ when the target supports them.
180
+ - Do not assign `realloc` directly to the original pointer. Use a temporary
181
+ pointer and update the owner only on success.
182
+ - Treat `realloc(p, 0)` as unsafe and, in C23, undefined behavior. Split
183
+ zero-size cases into explicit `free` plus owner-slot update.
184
+ - Match aligned allocation and deallocation families across platforms.
185
+ 6. **Preserve pointer provenance, lifetime, and range rules.**
186
+ - Do not treat a pointer as only an integer address. Keep object lifetime,
187
+ provenance, bounds, and alignment visible.
188
+ - Pointer arithmetic, subtraction, and relational comparison are defined only
189
+ within the same array object or one-past boundary.
190
+ - One-past pointers are sentinels, not storage.
191
+ - Do not use stale pointers after `free`, `realloc`, scope exit, or owner
192
+ transfer. Prefer APIs that update the caller's pointer slot when ownership
193
+ ends.
194
+ - An integer-pointer round trip is not proof that the resulting pointer may
195
+ access an object.
196
+ - For unaligned data or representation moves, use `memcpy` instead of
197
+ pointer casts.
198
+ 7. **Keep effective type and aliasing legal.**
199
+ - Do not type-pun by casting and dereferencing incompatible pointer types.
200
+ Use `memcpy` for representation moves and let the optimizer remove the
201
+ copy when legal.
202
+ - Use character types for byte inspection.
203
+ - Treat `restrict` as an aliasing contract, not a speed decoration. Add it
204
+ only when callers cannot pass overlapping objects.
205
+ - Do not hide aliasing uncertainty behind `volatile`.
206
+ 8. **Make arrays, strings, and I/O lengths explicit.**
207
+ - Pass pointer+length or begin/end pairs for buffers. Do not recover array
208
+ length from a function parameter with `sizeof`.
209
+ - Reserve space for the terminating NUL when a buffer stores a C string.
210
+ - Treat `strncpy` as fixed-width record padding, not as safe string copy.
211
+ - Check `snprintf`, `read`, `write`, `fread`, `fwrite`, `fclose`, allocator,
212
+ parser, and system-call return values.
213
+ - Store `getchar` and similar EOF-capable results in `int`, not `char`.
214
+ - Cast to `unsigned char` before passing plain byte values to `ctype.h`
215
+ functions, unless the value is `EOF`.
216
+ - Use `memmove` when source and destination may overlap; keep `memcpy` only
217
+ for proven non-overlap.
218
+ 9. **Make integer and bit contracts explicit.**
219
+ - Keep size calculations in unsigned size types with checked multiplication
220
+ or addition before allocation.
221
+ - Do not check signed overflow after the overflowing expression has already
222
+ executed.
223
+ - Use unsigned types for masks, shifts, and wraparound semantics.
224
+ - Check shift counts and signed-left-shift assumptions.
225
+ - Treat C23 `<stdckdint.h>` as a useful option only when target support is
226
+ proven.
227
+ 10. **Review macros, declarations, and public headers.**
228
+ - Prefer `static inline` functions over macros when type-generic behavior is
229
+ not required.
230
+ - For macros, check double evaluation, missing parentheses, statement
231
+ expression extensions, `do { } while (0)` style, and side-effect
232
+ arguments.
233
+ - Use exact function pointer typedefs. Do not cast incompatible function
234
+ pointers and call through them.
235
+ - For public headers, review include hygiene, C/C++ compatibility guards
236
+ when required, exported macros, enum values, struct layout, packing,
237
+ alignment, fixed-width types, visibility macros, and allocator ownership.
238
+ 11. **Keep concurrency and volatile separate.**
239
+ - Treat data races as undefined behavior.
240
+ - Use atomics, mutexes, condition variables, or project synchronization
241
+ primitives for shared state.
242
+ - Use `volatile` only for the narrow cases it actually owns, such as
243
+ memory-mapped I/O or signal-adjacent access where the project has a
244
+ policy. It is not thread synchronization.
245
+ - When performance and threading interact, inspect false sharing, cache-line
246
+ layout, allocator contention, and shutdown or cancellation lifetime.
247
+ 12. **Make performance changes evidence-driven.**
248
+ - Require baseline, workload, target metric, profile or benchmark evidence,
249
+ hypothesis, targeted change, remeasurement, and regression guard when
250
+ configured verification exists.
251
+ - Do not claim performance from folklore rewrites such as replacing
252
+ division by shifts, global `-O3`, broad `inline`, or manual loop unrolling
253
+ without measurement.
254
+ - Prefer reducing memory traffic, allocation churn, branch unpredictability,
255
+ aliasing uncertainty, cache misses, false sharing, and unnecessary copies.
256
+ - Evaluate `-O2`, `-O3`, LTO, PGO, visibility, `-march`, `-mtune`, and
257
+ optimization reports as build contracts. Do not use `-Ofast` or
258
+ `-march=native` for portable release builds without explicit target and
259
+ correctness evidence.
260
+ 13. **Verify through configured intents only.**
261
+ - Choose validation by highest-risk surface, not diff size.
262
+ - Report whether configured validation exists for C compile, warning-as-
263
+ error, optimized build, sanitizer build, public-header compile, downstream
264
+ consumer compile, link, unit, integration, ABI or symbol diff, generated
265
+ binding regeneration, FFI smoke, fuzzing, static analysis, cross-compiler
266
+ matrix, and benchmark scenarios when those surfaces change.
267
+
268
+ <!-- mustflow-section: rejection-criteria -->
269
+ ## Review Rejection Criteria
270
+
271
+ Reject or revise the patch when any of these appear without strong local
272
+ evidence and risk reporting:
273
+
274
+ - A changed C file has no identified owning target, active build front door, or
275
+ compilation identity.
276
+ - A public header, exported symbol, generated binding, FFI surface, library
277
+ artifact, dialect, warning policy, sanitizer policy, or ABI surface changes
278
+ without compatibility classification.
279
+ - C23 features are introduced without target compiler, libc, CI, package, and
280
+ downstream support evidence.
281
+ - API or ABI compatibility is claimed without inspecting public headers,
282
+ generated bindings, exported symbols, struct layout, calling convention,
283
+ visibility, allocator boundary, and downstream-style consumer surface when
284
+ relevant.
285
+ - Ownership transfer, allocation size, `realloc`, zero-size allocation,
286
+ aligned allocation, free responsibility, or cleanup-on-failure is ambiguous.
287
+ - Pointer arithmetic, pointer comparison, one-past usage, stale pointer usage,
288
+ integer-pointer round trips, alignment, effective type, or strict aliasing
289
+ depends on "it works on this machine."
290
+ - `restrict`, `volatile`, `inline`, `-O3`, `-Ofast`, `-march=native`,
291
+ `__builtin_expect`, `__builtin_prefetch`, LTO, PGO, or manual unrolling is
292
+ added as a performance claim without contract and evidence.
293
+ - Sanitizer, warning, optimized-build, ABI, FFI, binding, benchmark, or
294
+ cross-toolchain checks are missing but the output claims those properties were
295
+ proven.
296
+
297
+ <!-- mustflow-section: postconditions -->
298
+ ## Postconditions
299
+
300
+ - The owning target, active build graph, and target compilation identity are
301
+ known or the missing boundary is reported.
302
+ - The highest compatibility risk is stated: internal-only, source API, binary
303
+ ABI, static-link contract, generated binding, FFI, semantic compatibility, or
304
+ performance/resource.
305
+ - Ownership, lifetime, pointer provenance, allocator, integer, string, macro,
306
+ error, concurrency, dialect, and performance impacts are intentional and
307
+ evidence-backed.
308
+ - Public headers, exported symbols, generated bindings, FFI surfaces, build
309
+ metadata, tests, docs, and template surfaces are synchronized when they are
310
+ part of the changed contract.
311
+ - Generated files match their source of truth and generator flow, or drift is
312
+ reported.
313
+ - No API, ABI, memory-safety, thread-safety, FFI, binding, sanitizer, or
314
+ performance compatibility is claimed beyond the validation evidence.
315
+
316
+ <!-- mustflow-section: verification -->
317
+ ## Verification
318
+
319
+ Use configured oneshot command intents when available:
320
+
321
+ - `lint`
322
+ - `build`
323
+ - `test_related`
324
+ - `test`
325
+ - `docs_validate_fast`
326
+ - `test_release`
327
+ - `mustflow_check`
328
+
329
+ Report missing C compile, warning-as-error, optimized-build, sanitizer, public-
330
+ header compile, downstream consumer compile, link, ABI or symbol diff,
331
+ generated-binding regeneration, FFI smoke, fuzzing, static analysis,
332
+ cross-compiler, cross-libc, cross-architecture, and benchmark verification when
333
+ those surfaces changed.
334
+
335
+ <!-- mustflow-section: failure-handling -->
336
+ ## Failure Handling
337
+
338
+ - If the owning target or active build front door is unclear, stop the risky
339
+ part and inspect build metadata before editing further.
340
+ - If multiple build graphs own the same changed file and only one can be
341
+ updated, report the stale graph and compatibility risk.
342
+ - If public API or ABI policy is absent, classify the risk explicitly instead of
343
+ assuming semver, SONAME, or package compatibility rules.
344
+ - If generated bindings drift, restore source/output alignment or report the
345
+ generator/source-of-truth gap.
346
+ - If a lifetime, ownership, or aliasing fix creates broad shared ownership,
347
+ hidden global state, or pointer-range ambiguity, revisit the owner boundary
348
+ before continuing.
349
+ - If concurrency changes lack a synchronization proof, stop that part and
350
+ inspect the state owner, guard, lifetime, and shutdown path.
351
+ - If performance measurements are unavailable, report that performance
352
+ compatibility was not proven.
353
+ - If freshness checks are unavailable for C standard, compiler, libc, sanitizer,
354
+ or support-status claims, avoid embedding exact "latest" wording and report
355
+ the gap.
356
+
357
+ <!-- mustflow-section: output-format -->
358
+ ## Output Format
359
+
360
+ - Boundary checked
361
+ - Owning target and compilation identity
362
+ - C standard, dialect, compiler, libc, warning, sanitizer, and optimization
363
+ notes
364
+ - Highest compatibility risk
365
+ - Ownership, lifetime, pointer provenance, UB, integer, string, macro,
366
+ concurrency, or performance impact
367
+ - Public API, ABI, binding, FFI, or build-graph impact
368
+ - Files changed
369
+ - Command intents run
370
+ - Skipped checks and reasons
371
+ - Remaining C risk
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.clarifying-question-gate
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: clarifying-question-gate
@@ -34,6 +34,12 @@ The goal is not to make the user rewrite the prompt. Normalize the request insid
34
34
  state the interpretation when it matters, and continue unless a high-cost decision still needs
35
35
  confirmation.
36
36
 
37
+ This skill also protects the repository from vague imperative requests such as "fix the bug",
38
+ "clean this up", "make it pretty", "speed it up", "add tests", "fix the build", "make an API",
39
+ or "handle errors". Do not execute the literal wording as permission to patch symptoms. Convert
40
+ the request into a reviewable contract for the target, criteria, scope, affected surfaces,
41
+ verification, and stop-or-ask boundary.
42
+
37
43
  <!-- mustflow-section: use-when -->
38
44
  ## Use When
39
45
 
@@ -49,6 +55,10 @@ confirmation.
49
55
  maintenance burden.
50
56
  - You are about to add a new dependency, service, folder boundary, storage model, framework pattern,
51
57
  persistent state, or broad refactor that the current files do not already require.
58
+ - The request is a terse command that names an activity but not its target behavior, quality
59
+ criteria, impacted contracts, or proof of completion, for example bug fixing, error handling,
60
+ refactoring, test repair, type cleanup, performance work, API work, UI polish, documentation,
61
+ dependency updates, CI repair, or PR preparation.
52
62
  - The request can be safely clarified by a short normalized contract instead of a long back-and-forth.
53
63
 
54
64
  <!-- mustflow-section: do-not-use-when -->
@@ -91,6 +101,13 @@ confirmation.
91
101
  - A normalized task contract when the original request is vague enough to risk drift: goal, current
92
102
  context, change scope, excluded scope, user-visible behavior, constraints, completion evidence,
93
103
  verification, report format, and remaining risks.
104
+ - For terse implementation commands, a normalized execution contract with:
105
+ - the observed target or failure source;
106
+ - the intended behavior or quality criterion;
107
+ - the changed and explicitly excluded surfaces;
108
+ - public contracts, data, security, UX, dependency, or generated outputs that may be affected;
109
+ - the verification plan and evidence that will close the task;
110
+ - the condition that requires stopping, asking, or handing off to a narrower skill.
94
111
  - Source tags for contract entries: `user_confirmed`, `repository_derived`, `safe_assumption`, or
95
112
  `unresolved`.
96
113
 
@@ -141,7 +158,27 @@ confirmation.
141
158
  `instruction-conflict-scope-check`.
142
159
  - `insufficient_evidence`: more repository reading, reproduction, or scoped analysis is needed
143
160
  before asking or implementing.
144
- 5. Build a normalized task contract when the user request is underspecified but executable:
161
+ 5. Normalize terse implementation commands before editing:
162
+ - For bug, error, build, CI, or failing-test requests, identify the observed failure source,
163
+ distinguish implementation defects from test or environment defects, and define the regression
164
+ evidence before changing code.
165
+ - For refactor, cleanup, naming, comment, folder, type, or duplicate-removal requests, preserve
166
+ behavior as the default invariant and name the readability, responsibility, type-safety, or
167
+ dependency-direction criterion being improved.
168
+ - For performance requests, identify the suspected or measured bottleneck, baseline, workload,
169
+ and verification signal before optimizing.
170
+ - For API, response shape, auth, permission, logging, error, cache, database, migration, or
171
+ dependency requests, identify compatibility, data, security, lifecycle, and rollback surfaces
172
+ before implementation.
173
+ - For UI, accessibility, responsive, form, modal, routing, search, filtering, pagination, or
174
+ state-management requests, identify the user path, visible states, failure states, device or
175
+ input constraints, and verification evidence.
176
+ - For docs, README, env var, deploy, release, or PR requests, identify the source of truth,
177
+ affected install or automation surfaces, required verification, and any maintainer-facing
178
+ limitation text.
179
+ - Do not treat "minimal fix" as the default when a symptom-only patch would leave the affected
180
+ flow, contract, or regression coverage broken.
181
+ 6. Build a normalized task contract when the user request is underspecified but executable:
145
182
  - goal;
146
183
  - current context;
147
184
  - change scope;
@@ -154,46 +191,46 @@ confirmation.
154
191
  - remaining risks.
155
192
  Tag each non-obvious contract entry as `user_confirmed`, `repository_derived`,
156
193
  `safe_assumption`, or `unresolved`. Do not add new product requirements while normalizing.
157
- 6. Ask about observable completion before feature shape when success is unclear:
194
+ 7. Ask about observable completion before feature shape when success is unclear:
158
195
  - what behavior proves the task is done;
159
196
  - which user path, command, test, screenshot, migration state, or registry/release state closes it.
160
- 7. Ask about scope only when plausible scopes have different cost or risk:
197
+ 8. Ask about scope only when plausible scopes have different cost or risk:
161
198
  - minimal symptom fix, root-cause fix, or broader cleanup;
162
199
  - prototype, maintainable production path, or release-ready path.
163
- 8. Ask about existing users and data before changing persistence, lifecycle, deletion, migration,
200
+ 9. Ask about existing users and data before changing persistence, lifecycle, deletion, migration,
164
201
  retention, cache, API compatibility, or old-client behavior.
165
- 9. Ask about failure UX before implementing user-visible success flows where failure handling is a
202
+ 10. Ask about failure UX before implementing user-visible success flows where failure handling is a
166
203
  product decision: retry, queue, message, audit/log-only, rollback, partial success, or manual
167
204
  recovery.
168
- 10. Ask about security and authorization before relying on UI hiding, client-side checks, roles,
205
+ 11. Ask about security and authorization before relying on UI hiding, client-side checks, roles,
169
206
  invites, team boundaries, file access, billing state, or admin features.
170
- 11. Ask before adding or swapping dependencies, services, queues, databases, auth providers, design
207
+ 12. Ask before adding or swapping dependencies, services, queues, databases, auth providers, design
171
208
  systems, state managers, or major folder boundaries.
172
- 12. Ask about verification when there is no declared command intent or when the user expects a
209
+ 13. Ask about verification when there is no declared command intent or when the user expects a
173
210
  specific proof beyond the repository's configured checks.
174
- 13. Keep the question set short:
211
+ 14. Keep the question set short:
175
212
  - ask at most three questions at once;
176
213
  - ask only one question when its answer may make later questions irrelevant;
177
214
  - each question must name the decision, the recommended choice, the consequence of that choice,
178
215
  and one meaningful alternative;
179
216
  - avoid open-ended prompts like "how should I implement this?" unless no responsible options can
180
217
  be framed from repository evidence.
181
- 14. Do not ask bad engineering-delegation questions:
218
+ 15. Do not ask bad engineering-delegation questions:
182
219
  - "Should I add tests?"
183
220
  - "Should I handle errors?"
184
221
  - "Should I follow existing style?"
185
222
  - "Should I check current files?"
186
223
  - "Should I preserve existing behavior?"
187
- 15. Use prompt rewriting only as an exception:
224
+ 16. Use prompt rewriting only as an exception:
188
225
  - the user explicitly asks for a prompt, issue, PR body, work order, or handoff for another
189
226
  agent;
190
227
  - the current request is too broken to execute and a normalized contract plus confirmation is the
191
228
  smallest safe next step.
192
229
  Otherwise, show the normalized contract only when it materially reduces drift, then proceed in
193
230
  the same conversation.
194
- 16. If no blocking question remains, proceed without ceremony. State only the assumptions that matter
231
+ 17. If no blocking question remains, proceed without ceremony. State only the assumptions that matter
195
232
  to review or rollback.
196
- 17. If a blocking question remains unanswered, do not implement around it. Offer the smallest safe
233
+ 18. If a blocking question remains unanswered, do not implement around it. Offer the smallest safe
197
234
  non-blocked action, such as read-only analysis, a plan, a reproduction, or a narrow preparatory
198
235
  refactor when another selected skill supports it.
199
236
 
@@ -207,6 +244,8 @@ confirmation.
207
244
  - Safe assumptions are narrow, reversible, and reported.
208
245
  - Any normalized contract preserves the user's original request separately from repository-derived
209
246
  facts and safe assumptions.
247
+ - Terse commands are expanded into target, criterion, scope, affected-surface, verification, and
248
+ stop-or-ask boundaries before implementation.
210
249
  - Prompt rewriting is not used as a substitute for proceeding in the current task.
211
250
  - The final work can be judged against observable success criteria or a reported verification gap.
212
251
 
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.completion-evidence-gate
3
3
  locale: en
4
4
  canonical: true
5
- revision: 3
5
+ revision: 4
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: completion-evidence-gate
@@ -70,6 +70,8 @@ missing, blocked, failed, stale, or only partially relevant.
70
70
  - Optional script-pack discovery evidence when the command contract exposes `script_pack_list`.
71
71
  - Synchronized surfaces expected by the changed contract: source, tests, fixtures, schemas, templates, manifests, docs, release metadata, generated output, and localized copies.
72
72
  - Known remaining risks, unverified assumptions, blocked decisions, and rollback notes.
73
+ - Concrete follow-up candidates, if any, plus whether a bounded `next-action-menu` should be
74
+ included or intentionally omitted.
73
75
 
74
76
  <!-- mustflow-section: preconditions -->
75
77
  ## Preconditions
@@ -118,11 +120,18 @@ missing, blocked, failed, stale, or only partially relevant.
118
120
  - Use `implemented but unverified` when the files changed but no relevant configured verification was run.
119
121
  - Use `blocked` when required evidence cannot be produced without a missing decision, unavailable environment, manual-only command, failed prerequisite, or user approval.
120
122
  - Use `not complete` when a required acceptance criterion is not implemented or verification contradicts the claim.
121
- 7. Write the final report from evidence, not confidence.
123
+ 7. Decide whether a next-action menu is warranted.
124
+ - If there are concrete, evidence-backed follow-up tasks that would make the next user turn
125
+ cheaper, read and apply `next-action-menu` before final reporting.
126
+ - If no useful follow-up exists, the user asked not to include recommendations, or the only next
127
+ actions are speculative or approval-gated, omit the menu and keep the final report concise.
128
+ - Do not treat this gate as automatic host behavior: the menu appears only when the skill is
129
+ selected and its use conditions are met.
130
+ 8. Write the final report from evidence, not confidence.
122
131
  - Name changed files, command intents run, skipped checks with reasons, synchronized or deferred surfaces, and remaining risks.
123
132
  - Do not imply that skipped, manual-only, or missing command intents passed.
124
133
  - Do not hide lower-confidence evidence when direct shell commands were used instead of configured intents.
125
- 8. If the gate reveals missing required work that is safe and in scope, do that work before final reporting. Otherwise report the gap plainly.
134
+ 9. If the gate reveals missing required work that is safe and in scope, do that work before final reporting. Otherwise report the gap plainly.
126
135
 
127
136
  <!-- mustflow-section: postconditions -->
128
137
  ## Postconditions
@@ -131,6 +140,8 @@ missing, blocked, failed, stale, or only partially relevant.
131
140
  - Every user requirement is mapped to proof, a limitation, or an explicit out-of-scope decision.
132
141
  - Skipped, missing, failed, stale, or manual-only verification is visible.
133
142
  - Contract, template, schema, docs, test, and release drift is either resolved or named as remaining risk.
143
+ - Useful follow-up tasks either appear through `next-action-menu` or are intentionally omitted with a
144
+ clear reason when the menu conditions are not met.
134
145
  - No unconfigured command, hidden transcript, broad log, or invented tool result is treated as proof.
135
146
 
136
147
  <!-- mustflow-section: verification -->
@@ -178,4 +189,5 @@ instead of replacing it with an inferred command.
178
189
  - Lower-confidence evidence, if any
179
190
  - Stalled or repeated observations, if any
180
191
  - Remaining risks
192
+ - Next-action menu included or omitted, with reason
181
193
  - Final wording boundary