mustflow 2.99.1 → 2.103.3

Files changed (24) hide show
  1. package/dist/cli/commands/skill.js +76 -2
  2. package/dist/cli/lib/external-skill-import.js +391 -0
  3. package/dist/cli/lib/local-index/index.js +5 -1
  4. package/dist/core/public-json-contracts.js +16 -0
  5. package/dist/core/skill-route-resolution.js +54 -6
  6. package/package.json +1 -1
  7. package/schemas/README.md +3 -0
  8. package/schemas/skill-import-report.schema.json +97 -0
  9. package/templates/default/i18n.toml +44 -8
  10. package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +11 -1
  11. package/templates/default/locales/en/.mustflow/skills/INDEX.md +27 -2
  12. package/templates/default/locales/en/.mustflow/skills/c-code-change/SKILL.md +371 -0
  13. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +53 -14
  14. package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +15 -3
  15. package/templates/default/locales/en/.mustflow/skills/complex-decision-analysis/SKILL.md +236 -0
  16. package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +74 -24
  17. package/templates/default/locales/en/.mustflow/skills/docs-prose-review/SKILL.md +36 -10
  18. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +27 -3
  19. package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +37 -21
  20. package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +278 -0
  21. package/templates/default/locales/en/.mustflow/skills/routes.toml +30 -0
  22. package/templates/default/locales/en/.mustflow/skills/shell-code-change/SKILL.md +279 -0
  23. package/templates/default/locales/en/.mustflow/skills/structured-config-change/SKILL.md +170 -0
  24. package/templates/default/manifest.toml +32 -1
@@ -0,0 +1,279 @@
1
+ ---
2
+ mustflow_doc: skill.shell-code-change
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: shell-code-change
9
+ description: Apply this skill when POSIX sh, Bash, shell scripts, shebangs, GitHub Actions run blocks, package script shell snippets, grep/sed/awk/find/xargs pipelines, shell quoting, word splitting, globbing, traps, exit-status handling, or shell portability/security behavior are created, changed, reviewed, or upgraded.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.shell-code-change
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ - line_endings_check
26
+ ---
27
+
28
+ # Shell Code Change
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Preserve shell dialect contracts, expansion safety, file-name safety, exit-status integrity,
34
+ CI runner behavior, and command-injection boundaries when editing shell code or shell-shaped
35
+ documentation.
36
+
37
+ Shell bugs usually come from an unstated execution boundary: a file says `sh` while using Bash,
38
+ a GitHub Actions `run` block is preprocessed by YAML and expression interpolation before the
39
+ runner shell sees it, or a pipeline treats filenames as line-delimited text.
40
+
41
+ <!-- mustflow-section: use-when -->
42
+ ## Use When
43
+
44
+ - `.sh`, `.bash`, `.bats`, installer scripts, release scripts, hook scripts, Docker entrypoints,
45
+ package scripts, Make recipes, or docs examples containing POSIX sh or Bash snippets are created
46
+ or changed.
47
+ - GitHub Actions, CI, or workflow `run` blocks contain shell code, shell options, environment files,
48
+ heredocs, matrix variables, checkout-dependent shell logic, or context interpolation.
49
+ - Code or docs use shell quoting, parameter expansion, command substitution, globbing, word
50
+ splitting, redirection, pipes, traps, `set` options, `test`, `case`, loops, subshells, functions,
51
+ `eval`, `sh -c`, `bash -c`, or sourced files.
52
+ - Shell snippets combine `grep`, `sed`, `awk`, `find`, `xargs`, `sort`, `date`, `stat`, `readlink`,
53
+ `realpath`, `mktemp`, `rm`, `cp`, `mv`, `sudo`, or platform-specific core utilities.
54
+ - A change claims POSIX portability, Bash-only behavior, GNU/Linux behavior, macOS/BSD behavior,
55
+ GitHub-hosted runner behavior, or cross-platform shell compatibility.
56
+ - Shell code handles untrusted input, paths, URLs, commit messages, pull request metadata, branch
57
+ names, environment variables, secrets, temporary files, generated files, or destructive writes.
58
+
59
+ <!-- mustflow-section: do-not-use-when -->
60
+ ## Do Not Use When
61
+
62
+ - The task only maps external command recipes to mustflow command intents; use
63
+ `command-intent-mapping-gate`.
64
+ - The task only changes process spawning, timeout, buffering, environment isolation, or receipt
65
+ handling in product code; use `process-execution-safety`.
66
+ - The task only changes PowerShell syntax or `pwsh` behavior; use `powershell-code-change`.
67
+ - The task only changes path validation or filesystem containment outside shell code; use
68
+ `file-path-cross-platform-change`.
69
+ - The task only changes line-ending policy or investigates CRLF interpreter failures; use
70
+ `line-ending-hygiene`.
71
+ - The shell file is generated and should be regenerated by a configured intent.
72
+
73
+ <!-- mustflow-section: required-inputs -->
74
+ ## Required Inputs
75
+
76
+ - Execution identity: shebang, invoked shell, package-manager shell, Make shell, CI shell, container
77
+ shell, operating system, runner image, and whether the script is executed, sourced, or passed to
78
+ `sh -c` or `bash -c`.
79
+ - Dialect target: POSIX sh, Bash, Bash with a minimum version, BusyBox ash, dash, zsh compatibility,
80
+ GNU userland, BSD/macOS userland, or project-pinned container/runtime.
81
+ - Parser and expansion ledger: YAML or workflow interpolation, host shell, shell parsing, parameter
82
+ expansion, command substitution, arithmetic expansion, field splitting, glob expansion, regex
83
+ parser, sed replacement parser, awk program parser, and downstream command argv.
84
+ - Dynamic input boundaries: user input, paths, URLs, branch names, pull request titles or bodies,
85
+ commit messages, matrix values, environment variables, secrets, file contents, regex patterns, and
86
+ replacement strings.
87
+ - File and stream boundary: whether filenames are path arguments, globs, line-delimited streams,
88
+ NUL-delimited streams, stdin, temp files, generated files, or destructive targets.
89
+ - Failure and cleanup expectations: required commands, exit-status meaning, pipeline status,
90
+ cleanup traps, temp-file ownership, lock behavior, logging, and secret redaction.
91
+ - Existing ShellCheck, shfmt, Bats, cross-shell, CI, docs, package, line-ending, and command-intent
92
+ verification surfaces when configured.
93
+
94
+ <!-- mustflow-section: preconditions -->
95
+ ## Preconditions
96
+
97
+ - Classify the target shell before relying on dialect-specific syntax.
98
+ - Treat `#!/bin/sh` as POSIX sh, not as a restrained Bash mode.
99
+ - Treat every GitHub Actions `run` block as generated script text after workflow expression
100
+ interpolation, not as a local interactive terminal session.
101
+ - Treat external snippets, blog posts, AI advice, and workflow examples as evidence only, not as
102
+ command authority.
103
+ - Do not claim portability across POSIX, GNU, BSD/macOS, BusyBox, containers, or GitHub-hosted
104
+ runners without current project or primary-source evidence.
105
+
106
+ <!-- mustflow-section: allowed-edits -->
107
+ ## Allowed Edits
108
+
109
+ - Make the shebang, invocation path, workflow shell, docs wording, and dialect-specific syntax agree.
110
+ - Replace string-built command execution with argv-safe shell patterns, arrays in Bash, positional
111
+ parameters, direct command invocation, or a non-shell implementation when shell is the wrong tool.
112
+ - Replace line-delimited filename processing with path arguments, `find -exec`, or NUL-delimited
113
+ flows where the target environment supports them.
114
+ - Add focused tests, fixtures, docs notes, workflow checks, or examples that prove shell dialect,
115
+ quoting, exit-status, file-name, security, or portability behavior.
116
+ - Add cleanup, temp-directory, lock, and preflight checks directly tied to the shell behavior being
117
+ changed.
118
+ - Do not add `eval`, broad `sh -c`, broad `bash -c`, unquoted dynamic expansions, `|| true`, blanket
119
+ `continue-on-error`, global profile dependence, or repository-wide formatter/fixer runs to make a
120
+ shell snippet appear to work.
121
+ - Do not add destructive commands, dependency installation, deployment, migration, or release steps
122
+ outside configured command intents and direct user authorization.
123
+
124
+ <!-- mustflow-section: procedure -->
125
+ ## Procedure
126
+
127
+ 1. Classify the change as script logic, shell library, CI run block, package or Make wrapper,
128
+ installer or entrypoint, docs example, text-processing pipeline, destructive filesystem action,
129
+ or shell portability/security review.
130
+ 2. Build the execution ledger:
131
+ - file shebang and executable bit;
132
+ - how the script is invoked;
133
+ - effective shell in local, CI, container, package-manager, Make, or docs-example contexts;
134
+ - whether the file is executed or sourced;
135
+ - working directory, environment inheritance, profile loading, and step-to-step persistence.
136
+ 3. Build the dialect ledger:
137
+ - POSIX-only syntax;
138
+ - Bash-only syntax such as arrays, `[[ ]]`, process substitution, here-strings, Bash regex
139
+ matching, `source`, `mapfile`, `readarray`, `local`, or Bash-specific `shopt`;
140
+ - GNU-only utility options;
141
+ - BSD/macOS or BusyBox differences;
142
+ - declared minimum versions or pinned images.
143
+ 4. If Bash syntax is required, make the shebang, CI shell, docs, package invocation, and tests say
144
+ Bash. If POSIX sh is required, remove Bash-only syntax instead of hoping the target `/bin/sh`
145
+ accepts it.
146
+ 5. Treat `set -e`, `errexit`, `ERR` traps, `nounset`, and `pipefail` as partial tools, not a proof of
147
+ correct failure handling. Review important commands with explicit status handling.
148
+ 6. Remember that `pipefail` is not portable to older POSIX sh targets. If POSIX compatibility matters,
149
+ avoid relying on it for correctness.
150
+ 7. For pipelines, identify whether the last command's status is enough. Preserve individual status
151
+ evidence when the producing command, filtering command, and consuming command have different
152
+ failure meanings.
153
+ 8. Quote parameter expansions by default. Leave expansions unquoted only when intentional field
154
+ splitting or globbing is documented and tested.
155
+ 9. Keep lists as real argument lists. In Bash, prefer arrays for command argv. In POSIX sh, use
156
+ positional parameters, `case`, files, stdin, or another language instead of simulating arrays with
157
+ strings.
158
+ 10. Do not parse human-oriented command output such as directory listings as data input. Use globs,
159
+ `find`, path arguments, or structured command output.
160
+ 11. Handle filenames as path values, not newline-delimited text. Review spaces, tabs, newlines,
161
+ leading dashes, glob characters, quotes, backslashes, empty matches, and missing matches.
162
+ 12. Prefer `find -exec ... {} +` for portable batched path handling. Use NUL-delimited flows only
163
+ when both producer and consumer support them in the declared target environment.
164
+ 13. When using `xargs`, account for default whitespace parsing, no-input behavior, argument length
165
+ limits, batching, parallelism, and exit-code remapping. Do not use default `xargs` for arbitrary
166
+ filenames.
167
+ 14. For `grep`, distinguish no match from error. Do not let an expected no-match status fail CI or
168
+ let a read error look like no match.
169
+ 15. For `sed`, avoid assuming in-place editing syntax is portable. Prefer writing to an owned temp
170
+ file and replacing deliberately when cross-platform behavior or line endings matter.
171
+ 16. For `awk`, pass dynamic values as data variables instead of interpolating shell strings into the
172
+ program text. Keep shell quoting, awk quoting, regex syntax, and replacement semantics separate.
173
+ 17. For `find`, review prune ordering, traversal roots, symlink behavior, destructive actions,
174
+ time predicates, GNU-only predicates, and whether traversal should stop after the first match.
175
+ 18. For `date`, `stat`, `readlink`, `realpath`, `grep -P`, `sed -i`, `find -printf`, `find -maxdepth`,
176
+ `xargs -r`, and similar utilities, decide whether the target is GNU, BSD/macOS, BusyBox, or
177
+ POSIX. Replace nonportable options or declare and verify the dependency.
178
+ 19. Review locale-sensitive behavior for regex ranges, sorting, character classes, byte-oriented
179
+ token parsing, and reproducible packaging. Set locale only when the code truly needs byte or
180
+ deterministic semantics.
181
+ 20. For `test`, `[ ]`, `[[ ]]`, arithmetic, and `case`, choose the construct for the declared
182
+ dialect. Avoid `test` `-a`, `-o`, and parenthesized expression tricks; split conditions with
183
+ shell operators.
184
+ 21. Treat command substitution as scalar capture. Do not use it to preserve file contents, trailing
185
+ newlines, binary-like data, or arbitrary line lists.
186
+ 22. Use `read` with explicit `IFS` and raw mode when preserving line content matters. Account for a
187
+ final line without a trailing newline.
188
+ 23. Review subshell boundaries. Pipeline loops, grouped commands, command substitutions, sourced
189
+ files, and subshells can change whether variables, traps, `cd`, and options persist.
190
+ 24. For temporary files, use owned unpredictable temp files or directories, restrictive permissions
191
+ when sensitive data is involved, and cleanup traps that preserve the original exit status.
192
+ 25. For destructive operations, require non-empty variables, safe prefix or root checks, explicit
193
+ `--` where supported, and a narrow target. Do not run destructive globs against ambiguous roots.
194
+ 26. For GitHub Actions, separate workflow expression interpolation from shell expansion. Pass
195
+ untrusted GitHub context values through environment variables or files, then treat them as data.
196
+ 27. For GitHub Actions environment and output files, account for step lifetime, multiline delimiter
197
+ collisions, reserved variables, and echo portability. Do not assume values written for later
198
+ steps are available in the current shell.
199
+ 28. For GitHub Actions runner behavior, check shell defaults, job containers, checkout depth, fork
200
+ and Dependabot permissions, secrets availability, runner image drift, and platform-specific
201
+ userland before changing shell code.
202
+ 29. Keep secrets out of trace output, logs, process arguments, environment dumps, temp files, and
203
+ diagnostic artifacts. Disable tracing around sensitive commands and redact only as a backup.
204
+ 30. Treat `eval`, dynamic `source`, dynamic `.` loading, `sh -c`, remote shell strings, and workflow
205
+ expression injection as command-injection risks unless the command text is fully trusted and
206
+ bounded.
207
+ 31. If the shell code becomes complex enough to need structured data parsing, concurrency,
208
+ rollback, JSON mutation, long-lived state, or rich error recovery, consider moving the logic to
209
+ a project-supported runtime and leaving shell as a thin launcher.
210
+ 32. Verify with behavior evidence, not only spelling. Useful evidence includes shell lint, format,
211
+ cross-shell execution, Bats or similar tests, CI dry-run or provider evidence, path-shape
212
+ fixtures, line-ending checks, docs validation, package checks, and configured release checks.
213
+
214
+ <!-- mustflow-section: postconditions -->
215
+ ## Postconditions
216
+
217
+ - The effective shell, dialect, invocation path, and portability claim are explicit.
218
+ - Parser and expansion boundaries are separated from downstream regex, sed, awk, find, xargs, and
219
+ GitHub Actions expression boundaries.
220
+ - Dynamic values remain data-bound and are not reinterpreted as shell code.
221
+ - Filename handling survives spaces, newlines, leading dashes, glob characters, and empty matches or
222
+ the unsupported cases are stated.
223
+ - Exit-status, pipeline, cleanup, temp-file, destructive-action, logging, and secret-handling
224
+ behavior are verified or reported as remaining risk.
225
+ - CI shell defaults, runner image, checkout, permissions, and environment-file behavior are checked
226
+ when workflow shell code changes.
227
+
228
+ <!-- mustflow-section: verification -->
229
+ ## Verification
230
+
231
+ Use configured oneshot command intents when available:
232
+
233
+ - `lint`
234
+ - `build`
235
+ - `test_related`
236
+ - `test`
237
+ - `docs_validate_fast`
238
+ - `test_release`
239
+ - `mustflow_check`
240
+ - `line_endings_check`
241
+
242
+ Report missing ShellCheck, shfmt, Bats, cross-shell, POSIX sh, Bash-version, GNU/BSD/BusyBox,
243
+ GitHub Actions, fork-PR, checkout-depth, secret-redaction, path-shape, destructive-dry-run, or
244
+ line-ending verification when those surfaces change.
245
+
246
+ <!-- mustflow-section: failure-handling -->
247
+ ## Failure Handling
248
+
249
+ - If the target shell is unknown, do not introduce dialect-specific syntax without reporting the
250
+ gap or narrowing the invocation.
251
+ - If POSIX portability and Bash convenience conflict, choose one contract explicitly instead of
252
+ writing a hybrid script.
253
+ - If a pipeline passes while an upstream command failed, restructure the status handling before
254
+ adding more output checks.
255
+ - If arbitrary filenames cannot be represented safely by the chosen pipeline, change the data flow
256
+ or state the unsupported filename class.
257
+ - If GNU/BSD/BusyBox behavior differs and cannot be tested, state the platform boundary instead of
258
+ claiming cross-platform support.
259
+ - If GitHub Actions context interpolation can turn untrusted metadata into shell code, move the
260
+ value to a data channel and verify the quoting boundary.
261
+ - If `set -x`, logs, or diagnostic files can expose secrets, stop copying raw output and preserve
262
+ only redacted, bounded evidence.
263
+ - If a docs example suggests raw commands, map it through `command-intent-mapping-gate` before
264
+ treating it as agent-runnable.
265
+ - If CRLF, shebang, or executable-bit failures appear, activate `line-ending-hygiene` and verify
266
+ per-file EOL evidence before normalizing.
267
+
268
+ <!-- mustflow-section: output-format -->
269
+ ## Output Format
270
+
271
+ - Shell execution and dialect boundary
272
+ - Parser, expansion, and downstream utility ledger
273
+ - POSIX, Bash, GNU/BSD/BusyBox, and GitHub Actions compatibility decisions
274
+ - Quoting, word-splitting, globbing, command-substitution, and status-handling decisions
275
+ - Filename, temp-file, cleanup, destructive-action, logging, and secret-handling decisions
276
+ - Files changed
277
+ - Command intents run
278
+ - Skipped checks and reasons
279
+ - Remaining shell portability, security, CI, or line-ending risk
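Review bot: Procedure step 27 treats the GitHub Actions environment and output files only as a lifetime and formatting problem, but later steps read values from those files as trusted configuration. Untrusted context data written there therefore needs the same data-boundary treatment that step 26 gives to expression interpolation. I would extend step 27 with a sentence such as `Validate or constrain untrusted values before writing them to environment, path, or output files, because later steps consume them as trusted input.` Separately, the Verification list omits `changes_status` and `changes_diff_summary`, which the frontmatter `command_intents` declares; either list them there or state why they are left out.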
@@ -0,0 +1,170 @@
1
+ ---
2
+ mustflow_doc: skill.structured-config-change
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: structured-config-change
9
+ description: Apply this skill when YAML, TOML, JSON-adjacent, frontmatter, schema-backed config files, GitHub Actions workflow structure, parser dialects, duplicate keys, implicit typing, multiline scalars, dotted keys, array-of-tables, defaults, normalization, or config validation fixtures are created, changed, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.structured-config-change
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - docs_validate_fast
22
+ - test_release
23
+ - mustflow_check
24
+ ---
25
+
26
+ # Structured Config Change
27
+
28
+ <!-- mustflow-section: purpose -->
29
+ ## Purpose
30
+
31
+ Preserve the parser, schema, workflow, and runtime data-model contract of structured configuration files.
32
+
33
+ Structured config is code outside the type system. A syntactically valid YAML or TOML file can still change booleans, nulls, ordering assumptions, workflow triggers, permissions, defaults, or schema validation behavior when a different parser, tool version, formatter, or host platform reads it.
34
+
35
+ <!-- mustflow-section: use-when -->
36
+ ## Use When
37
+
38
+ - YAML, TOML, JSON-adjacent config, Markdown frontmatter, schema-backed config, linter or formatter config, workflow config, template manifest, or repository metadata config is created, changed, reviewed, or reported.
39
+ - Parser version or dialect matters, including YAML 1.1-like versus YAML 1.2-like implicit typing, TOML 1.0 versus TOML 1.1 syntax, JSON Schema dialect, SchemaStore or editor schema behavior, or provider-specific YAML subsets.
40
+ - The change touches duplicate keys, unknown keys, implicit scalar types, null versus empty string, quoted versus unquoted values, block scalars, anchors, aliases, merge keys, custom tags, dotted keys, inline tables, arrays of tables, dates, times, default values, normalization, or validation fixtures.
41
+ - GitHub Actions workflow structure changes outside shell code: workflow file placement, `on`, event filters, `permissions`, `defaults`, `concurrency`, `strategy`, `matrix`, reusable workflows, `with`, `secrets`, expressions, or path and branch filters.
42
+ - A final report claims a config file is valid, portable, parser-compatible, schema-backed, normalized, defaulted, CI-safe, workflow-triggered, or backward compatible.
43
+
44
+ <!-- mustflow-section: do-not-use-when -->
45
+ ## Do Not Use When
46
+
47
+ - The task only adds, removes, renames, validates, documents, or reports environment variables, secrets, config keys, feature flags, deployment variables, or runtime/build-time value exposure. Use `config-env-change`.
48
+ - The task only changes shell syntax inside scripts, package snippets, or GitHub Actions `run` blocks. Use `shell-code-change`.
49
+ - The task only triages a failed CI run without changing workflow structure. Use `ci-pipeline-triage`.
50
+ - The task only changes `.mustflow/config/commands.toml` command intents or command authority. Use `command-contract-authoring`.
51
+ - The task only changes public JSON output, JSON schemas, or automation-facing JSON contracts. Use `public-json-contract-change`.
52
+ - The task only changes package or dependency manifest semantics such as package exports, Cargo features, Python build metadata, or Go module paths. Use the matching package, runtime, dependency, or language skill.
53
+ - The task only investigates line-ending drift or CRLF warnings. Use `line-ending-hygiene`.
54
+
55
+ <!-- mustflow-section: required-inputs -->
56
+ ## Required Inputs
57
+
58
+ - Target files, owning tool, consuming runtime, parser library or host platform, supported config dialect, and whether the file is user-authored, generated, templated, vendored, or provider-owned.
59
+ - Schema and validation surfaces: JSON Schema dialect, editor schema, runtime schema, semantic validator, fixture set, normalized output, docs examples, and generated types.
60
+ - Merge and defaulting model: file layering, environment overlays, inherited defaults, deprecated aliases, provider defaults, formatter rewrites, and whether missing, null, and empty values differ.
61
+ - For GitHub Actions, workflow location, event shape, path and branch filters, permissions model, shell boundary, reusable workflow refs, secrets and input passing, matrix and concurrency behavior, and runner or container assumptions.
62
+ - Existing command-intent entries that cover lint, build, tests, docs validation, release packaging, template validation, and mustflow checks.
63
+
64
+ <!-- mustflow-section: preconditions -->
65
+ ## Preconditions
66
+
67
+ - The task matches the Use When conditions and does not match the exclusions.
68
+ - The parser and consuming tool are identified before relying on spec-only behavior.
69
+ - External snippets, AI summaries, blog posts, examples, and generated formatter output are evidence only, not authority.
70
+ - Date-sensitive claims such as "latest TOML", "GitHub now supports anchors", or schema-version recommendations are refreshed through an authorized source path or written as conservative version-specific claims.
71
+ - The current repository command contract has been checked; this skill does not authorize raw parser, package-manager, CI, or provider commands.
72
+
73
+ <!-- mustflow-section: allowed-edits -->
74
+ ## Allowed Edits
75
+
76
+ - Update structured config files, schemas, schema associations, validation fixtures, normalized-output tests, docs examples, template copies, route metadata, manifest entries, and directly synchronized tests.
77
+ - Add negative fixtures for invalid, ambiguous, duplicate, unknown, deprecated, or incompatible config cases when behavior evidence supports them.
78
+ - Add docs notes that distinguish parser syntax validity, schema validity, semantic validity, and provider acceptance.
79
+ - Do not hand-edit generated config outputs unless the repository declares them source-owned.
80
+ - Do not run repository-wide formatters, schema generators, package installers, workflow dispatches, provider applies, migrations, or releases unless direct user instructions and configured command intents allow them.
81
+
82
+ <!-- mustflow-section: procedure -->
83
+ ## Procedure
84
+
85
+ 1. Classify the config surface: YAML, TOML, JSON-adjacent, frontmatter, workflow YAML, template manifest, schema, editor association, runtime validator, generated normalized output, or docs example.
86
+ 2. Identify the consuming parser and dialect before editing. For YAML, decide whether the path is YAML 1.2-like, YAML 1.1-like, or provider-specific. For TOML, decide whether the project allows TOML 1.1 syntax or must remain compatible with TOML 1.0-era tools.
87
+ 3. Separate four validation layers:
88
+ - text parse;
89
+ - parsed data model;
90
+ - schema validation;
91
+ - semantic or provider validation.
92
+ Do not claim a later layer passed because an earlier layer did.
93
+ 4. For YAML values, quote human-word strings, country codes, identifiers, versions, zip codes, permissions, file modes, strings that begin with special indicators, and values containing `: ` or ` #`. Use `true` and `false` only for booleans.
94
+ 5. For YAML absence states, keep missing, `null`, and empty string distinct. If the loader collapses them, verify that the application contract intentionally accepts that collapse.
95
+ 6. For YAML mappings, reject duplicate keys and avoid relying on mapping order for semantics. Use sequences when order matters.
96
+ 7. For YAML block scalars, choose literal versus folded style deliberately. Use explicit chomping or indentation indicators when final newlines, pasted text, certificates, SQL, Markdown, shell, regex, or templates can change meaning.
97
+ 8. Treat YAML anchors and aliases as authoring conveniences. Do not store runtime meaning in anchor names. Avoid YAML merge key `<<` unless the target parser and provider support it and the behavior is covered by fixtures.
98
+ 9. Treat YAML custom tags and unsafe loaders as security and portability risks. External or user-provided YAML should use safe loading and application-level validation.
99
+ 10. For TOML, remember that strings need quotes, booleans are lowercase, keys are case-sensitive, and indentation is cosmetic.
100
+ 11. For TOML keys, quote literal keys containing dots, spaces, Unicode, numeric-looking segments, domains, versions, metric names, or coordinates. Dotted keys create nested tables.
101
+ 12. For TOML tables, do not redefine keys or tables as overrides. Keep table-owned keys under the intended header and avoid moving root keys below a table header by accident.
102
+ 13. For TOML inline tables, treat them as sealed value objects. Use standard tables for structures that may grow. Do not use TOML 1.1 multiline inline tables or trailing commas unless the repository's parser matrix supports them.
103
+ 14. For TOML arrays of tables, keep each array element and its child tables together. Do not mix static arrays with `[[array-of-tables]]` for the same key.
104
+ 15. For TOML strings, prefer literal strings for Windows paths and regexes when escaping would change meaning. Distinguish offset date-time, local date-time, local date, and local time by the consuming contract.
105
+ 16. For GitHub Actions workflow YAML, verify file placement under `.github/workflows/` and quote glob patterns that begin with `*`, `[`, or `!`.
106
+ 17. For GitHub Actions events, preserve the shape of `on`: scalar, sequence, or mapping. When one event has filters, use mapping form consistently for the combined event set.
107
+ 18. For GitHub Actions filters, treat branch and path filters as conjunctive when both are present. Preserve ordered negative patterns and require at least one positive pattern when using `!` exclusions.
108
+ 19. For GitHub Actions permissions, remember that setting any explicit permission makes unspecified permissions `none`. Review `id-token`, `pull-requests`, `contents`, `packages`, `statuses`, and deployment permissions before reducing the set.
109
+ 20. For GitHub Actions expressions, treat step outputs and many context values as strings until explicitly converted. Do not assume JavaScript comparison or truthiness rules.
110
+ 21. For GitHub Actions secrets and reusable workflows, separate `with`, `secrets`, `env`, and expression contexts. Do not assume secrets can be used directly in every `if` expression or inherited across workflow boundaries.
111
+ 22. For GitHub Actions runner behavior, keep `defaults.run`, explicit shell selection, job containers, matrix `fail-fast`, and `concurrency.cancel-in-progress` visible because they can change whether jobs appear, cancel, or evaluate shell pipelines differently.
112
+ 23. For schema-backed config, validate the parsed data model. Restrict YAML config keys to strings when using JSON Schema or JSON-shaped validators.
113
+ 24. Choose JSON Schema dialect deliberately. Keep `$schema`, `$id`, and `$defs` aligned, vendor remote schemas for CI when possible, and separate editor schemas from runtime rejection schemas when their goals differ.
114
+ 25. Treat JSON Schema `default` as metadata unless the repository's loader explicitly injects defaults. If defaults are injected, merge defaults first and validate the normalized result again.
115
+ 26. Close unknown-key boundaries at the final object boundary. Avoid overusing `additionalProperties: false` inside reusable definitions when composition or extension is expected; use the repository's supported dialect intentionally.
116
+ 27. Add or update positive and negative fixtures. Negative fixtures should cover duplicate keys, ambiguous scalar typing, unknown keys, invalid types, incompatible dialect syntax, mutually exclusive settings, deprecated aliases, and provider-rejected workflow shapes.
117
+ 28. If the product has a config loader, prefer a canonical normalized output or diagnostic path that shows the parsed, defaulted, migrated, redacted config data model.
118
+ 29. Keep broad formatter, mass rewrite, and generated-output changes separate from semantic config changes unless the user explicitly requested an integrated migration.
119
+ 30. Verify with the narrowest configured command intents that cover changed parser, schema, docs, template, package, or workflow surfaces.
120
+
121
+ <!-- mustflow-section: postconditions -->
122
+ ## Postconditions
123
+
124
+ - Parser dialect, consuming tool, schema layer, and semantic validator are identified or explicitly reported as unknown.
125
+ - YAML and TOML values preserve intended scalar types, table ownership, ordering semantics, defaults, and duplicate-key behavior.
126
+ - GitHub Actions workflow changes preserve trigger, filter, permission, matrix, concurrency, reusable workflow, and shell-boundary behavior.
127
+ - Schema changes include data-model validation, unknown-key policy, defaulting behavior, and positive or negative fixture coverage when relevant.
128
+ - Generated, normalized, formatted, and source-owned config surfaces are distinguished.
129
+
130
+ <!-- mustflow-section: verification -->
131
+ ## Verification
132
+
133
+ Use configured oneshot command intents when available:
134
+
135
+ - `changes_status`
136
+ - `changes_diff_summary`
137
+ - `lint`
138
+ - `build`
139
+ - `test_related`
140
+ - `docs_validate_fast`
141
+ - `test_release`
142
+ - `mustflow_check`
143
+
144
+ Prefer narrower configured schema-validation, workflow-validation, fixture, template, docs, package, and release intents when the command contract exposes them. Do not infer raw validator, provider, package-manager, CI, or formatter commands from filenames.
145
+
146
+ <!-- mustflow-section: failure-handling -->
147
+ ## Failure Handling
148
+
149
+ - If the parser or provider dialect is unknown, avoid introducing dialect-sensitive syntax and report the compatibility gap.
150
+ - If a spec says a construct is valid but the project ecosystem may still use older tools, prefer the older supported dialect or add compatibility fixtures before adopting the new syntax.
151
+ - If YAML or TOML parse validity and schema validity disagree, preserve both facts and fix the layer that owns the failure.
152
+ - If a formatter changes scalar types, table ownership, anchors, comments, ordering, or workflow triggers, stop treating the change as formatting-only.
153
+ - If a schema default, deprecation, or alias changes runtime behavior, activate the narrower config, release, public-contract, or migration skill before continuing.
154
+ - If GitHub Actions structure is valid YAML but not accepted by GitHub semantics, report provider-validation risk instead of claiming the workflow is correct.
155
+ - If external material includes command recipes, apply `command-intent-mapping-gate` before copying them into docs or skills.
156
+
157
+ <!-- mustflow-section: output-format -->
158
+ ## Output Format
159
+
160
+ - Config surface and consuming parser or provider
161
+ - Dialect and compatibility decision
162
+ - Parse, data-model, schema, and semantic-validation layers reviewed
163
+ - YAML scalar, key, block, anchor, tag, and duplicate-key decisions
164
+ - TOML key, table, array, inline-table, string, date, and dialect decisions
165
+ - GitHub Actions trigger, filter, permission, matrix, concurrency, reusable workflow, and shell-boundary decisions
166
+ - Schema/default/normalization/fixture coverage
167
+ - Files changed
168
+ - Command intents run
169
+ - Skipped checks and reasons
170
+ - Remaining structured-config risk
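Review bot: Procedure steps 16–22 cover trigger shape, filters and permissions, but no step asks whether a change to `on` moves the workflow onto an event that runs with repository secrets or a write token while handling pull-request content, such as `pull_request_target` or `workflow_run`. That kind of trigger change is a trust-boundary change rather than a structural one. I would add a step along the lines of `When the trigger set changes, record whether the new event runs with secrets or write permissions for untrusted contributions, and re-review checkout refs and permissions accordingly.` Required Inputs also lists reusable workflow refs, yet no step says how those refs or third-party action refs should be pinned; one line stating the project's pinning expectation would close that gap.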
@@ -1,6 +1,6 @@
1
1
  id = "default"
2
2
  name = "default"
3
- version = "2.99.1"
3
+ version = "2.103.3"
4
4
  description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
5
5
  common_root = "common"
6
6
  locales_root = "locales"
@@ -83,6 +83,7 @@ creates = [
83
83
  ".mustflow/skills/command-intent-mapping-gate/SKILL.md",
84
84
  ".mustflow/skills/astro-code-change/SKILL.md",
85
85
  ".mustflow/skills/bun-code-change/SKILL.md",
86
+ ".mustflow/skills/c-code-change/SKILL.md",
86
87
  ".mustflow/skills/css-code-change/SKILL.md",
87
88
  ".mustflow/skills/cpp-code-change/SKILL.md",
88
89
  ".mustflow/skills/dart-code-change/SKILL.md",
@@ -94,8 +95,11 @@ creates = [
94
95
  ".mustflow/skills/html-code-change/SKILL.md",
95
96
  ".mustflow/skills/javascript-code-change/SKILL.md",
96
97
  ".mustflow/skills/node-code-change/SKILL.md",
98
+ ".mustflow/skills/react-code-change/SKILL.md",
97
99
  ".mustflow/skills/python-code-change/SKILL.md",
98
100
  ".mustflow/skills/powershell-code-change/SKILL.md",
101
+ ".mustflow/skills/shell-code-change/SKILL.md",
102
+ ".mustflow/skills/structured-config-change/SKILL.md",
99
103
  ".mustflow/skills/rust-code-change/SKILL.md",
100
104
  ".mustflow/skills/runtime-target-selection/SKILL.md",
101
105
  ".mustflow/skills/structure-first-engineering/SKILL.md",
@@ -152,6 +156,7 @@ creates = [
152
156
  ".mustflow/skills/file-path-cross-platform-change/SKILL.md",
153
157
  ".mustflow/skills/frontend-render-stability/SKILL.md",
154
158
  ".mustflow/skills/idea-triage/SKILL.md",
159
+ ".mustflow/skills/complex-decision-analysis/SKILL.md",
155
160
  ".mustflow/skills/facade-pattern/SKILL.md",
156
161
  ".mustflow/skills/instruction-conflict-scope-check/SKILL.md",
157
162
  ".mustflow/skills/failure-triage/SKILL.md",
@@ -286,6 +291,7 @@ minimal = [
286
291
  "evidence-stall-breaker",
287
292
  "astro-code-change",
288
293
  "bun-code-change",
294
+ "c-code-change",
289
295
  "css-code-change",
290
296
  "cpp-code-change",
291
297
  "dart-code-change",
@@ -297,8 +303,10 @@ minimal = [
297
303
  "html-code-change",
298
304
  "javascript-code-change",
299
305
  "node-code-change",
306
+ "react-code-change",
300
307
  "python-code-change",
301
308
  "powershell-code-change",
309
+ "shell-code-change",
302
310
  "rust-code-change",
303
311
  "runtime-target-selection",
304
312
  "svelte-code-change",
@@ -309,6 +317,7 @@ minimal = [
309
317
  "command-contract-authoring",
310
318
  "command-intent-mapping-gate",
311
319
  "config-env-change",
320
+ "structured-config-change",
312
321
  "contract-sync-check",
313
322
  "date-number-audit",
314
323
  "design-implementation-handoff",
@@ -429,6 +438,7 @@ patterns = [
429
438
  "evidence-stall-breaker",
430
439
  "astro-code-change",
431
440
  "bun-code-change",
441
+ "c-code-change",
432
442
  "css-code-change",
433
443
  "cpp-code-change",
434
444
  "dart-code-change",
@@ -440,8 +450,10 @@ patterns = [
440
450
  "html-code-change",
441
451
  "javascript-code-change",
442
452
  "node-code-change",
453
+ "react-code-change",
443
454
  "python-code-change",
444
455
  "powershell-code-change",
456
+ "shell-code-change",
445
457
  "rust-code-change",
446
458
  "runtime-target-selection",
447
459
  "svelte-code-change",
@@ -454,6 +466,7 @@ patterns = [
454
466
  "command-pattern",
455
467
  "composition-over-inheritance",
456
468
  "config-env-change",
469
+ "structured-config-change",
457
470
  "contract-sync-check",
458
471
  "date-number-audit",
459
472
  "design-implementation-handoff",
@@ -583,6 +596,7 @@ oss = [
583
596
  "evidence-stall-breaker",
584
597
  "astro-code-change",
585
598
  "bun-code-change",
599
+ "c-code-change",
586
600
  "css-code-change",
587
601
  "cpp-code-change",
588
602
  "dart-code-change",
@@ -594,8 +608,10 @@ oss = [
594
608
  "html-code-change",
595
609
  "javascript-code-change",
596
610
  "node-code-change",
611
+ "react-code-change",
597
612
  "python-code-change",
598
613
  "powershell-code-change",
614
+ "shell-code-change",
599
615
  "rust-code-change",
600
616
  "runtime-target-selection",
601
617
  "svelte-code-change",
@@ -609,6 +625,7 @@ oss = [
609
625
  "command-pattern",
610
626
  "composition-over-inheritance",
611
627
  "config-env-change",
628
+ "structured-config-change",
612
629
  "contract-sync-check",
613
630
  "cross-platform-filesystem-safety",
614
631
  "date-number-audit",
@@ -753,6 +770,7 @@ team = [
753
770
  "evidence-stall-breaker",
754
771
  "astro-code-change",
755
772
  "bun-code-change",
773
+ "c-code-change",
756
774
  "css-code-change",
757
775
  "cpp-code-change",
758
776
  "dart-code-change",
@@ -764,8 +782,10 @@ team = [
764
782
  "html-code-change",
765
783
  "javascript-code-change",
766
784
  "node-code-change",
785
+ "react-code-change",
767
786
  "python-code-change",
768
787
  "powershell-code-change",
788
+ "shell-code-change",
769
789
  "rust-code-change",
770
790
  "runtime-target-selection",
771
791
  "svelte-code-change",
@@ -778,6 +798,7 @@ team = [
778
798
  "command-pattern",
779
799
  "composition-over-inheritance",
780
800
  "config-env-change",
801
+ "structured-config-change",
781
802
  "contract-sync-check",
782
803
  "cross-platform-filesystem-safety",
783
804
  "date-number-audit",
@@ -811,6 +832,7 @@ team = [
811
832
  "failure-triage",
812
833
  "file-path-cross-platform-change",
813
834
  "idea-triage",
835
+ "complex-decision-analysis",
814
836
  "instruction-conflict-scope-check",
815
837
  "multi-agent-work-coordination",
816
838
  "null-object-pattern",
@@ -908,6 +930,7 @@ product = [
908
930
  "evidence-stall-breaker",
909
931
  "astro-code-change",
910
932
  "bun-code-change",
933
+ "c-code-change",
911
934
  "css-code-change",
912
935
  "cpp-code-change",
913
936
  "dart-code-change",
@@ -919,8 +942,10 @@ product = [
919
942
  "html-code-change",
920
943
  "javascript-code-change",
921
944
  "node-code-change",
945
+ "react-code-change",
922
946
  "python-code-change",
923
947
  "powershell-code-change",
948
+ "shell-code-change",
924
949
  "rust-code-change",
925
950
  "runtime-target-selection",
926
951
  "svelte-code-change",
@@ -933,6 +958,7 @@ product = [
933
958
  "command-pattern",
934
959
  "composition-over-inheritance",
935
960
  "config-env-change",
961
+ "structured-config-change",
936
962
  "contract-sync-check",
937
963
  "date-number-audit",
938
964
  "design-implementation-handoff",
@@ -966,6 +992,7 @@ product = [
966
992
  "file-path-cross-platform-change",
967
993
  "frontend-render-stability",
968
994
  "idea-triage",
995
+ "complex-decision-analysis",
969
996
  "instruction-conflict-scope-check",
970
997
  "llm-service-ux-review",
971
998
  "null-object-pattern",
@@ -1069,6 +1096,7 @@ library = [
1069
1096
  "evidence-stall-breaker",
1070
1097
  "astro-code-change",
1071
1098
  "bun-code-change",
1099
+ "c-code-change",
1072
1100
  "css-code-change",
1073
1101
  "cpp-code-change",
1074
1102
  "dart-code-change",
@@ -1080,8 +1108,10 @@ library = [
1080
1108
  "html-code-change",
1081
1109
  "javascript-code-change",
1082
1110
  "node-code-change",
1111
+ "react-code-change",
1083
1112
  "python-code-change",
1084
1113
  "powershell-code-change",
1114
+ "shell-code-change",
1085
1115
  "rust-code-change",
1086
1116
  "runtime-target-selection",
1087
1117
  "svelte-code-change",
@@ -1095,6 +1125,7 @@ library = [
1095
1125
  "command-pattern",
1096
1126
  "composition-over-inheritance",
1097
1127
  "config-env-change",
1128
+ "structured-config-change",
1098
1129
  "contract-sync-check",
1099
1130
  "cross-platform-filesystem-safety",
1100
1131
  "date-number-audit",