mustflow 1.18.0 → 1.18.14

package/templates/default/locales/fr/.mustflow/skills/INDEX.md

@@ -2,7 +2,7 @@
 mustflow_doc: skills.index
 locale: fr
 canonical: false
-revision: 43
+revision: 44
 authority: router
 lifecycle: mustflow-owned
 ---
@@ -43,6 +43,7 @@ Consultez uniquement le document de compétence correspondant à la tâche en co
 | Les fichiers modifiés nécessitent une classification des risques et une sélection de vérification | `.mustflow/skills/diff-risk-review/SKILL.md` | Liste des fichiers modifiés, résumé des différences et objectif de la tâche | Surfaces modifiées et rapport de vérification | Sous- ou sur-vérification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Niveau de risque, choix de vérification, notes de rollback |
 | Le comportement déclaré doit rester aligné entre code, schémas, modèles, tests et documentation | `.mustflow/skills/contract-sync-check/SKILL.md` | Fichiers modifiés, comportement attendu, source de vérité, surfaces dérivées et entrées du contrat de commande | Source du contrat et surfaces synchronisées requises | Dérive du contrat | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Source du contrat, surfaces synchronisées, surfaces différées, vérification et risque de dérive |
 | Des dates, versions, comptes, durées, limites, métriques, benchmarks, prix, pourcentages ou autres faits numériques sont créés, édités ou rapportés | `.mustflow/skills/date-number-audit/SKILL.md` | Fait numérique ou date, source de vérité, surfaces dépendantes, attente de précision et entrées du contrat de commande | Énoncés numériques, métadonnées, tests, docs, modèles et rapports | Revendication numérique inventée, obsolète ou non concordante | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Valeurs auditées, source de vérité, surfaces synchronisées, contrôles ignorés et risque numérique résiduel |
+| Database schema, query, transaction, ORM model, repository/store, index, cache-backed read model, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, affected tables or stores, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, fixtures, tests, docs, and directly synchronized templates | data loss, stale cache, authorization leak, transaction bug, duplicate side effect, slow query, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, schema/query/transaction review, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
 | Des paquets, runtimes, outils, commandes, services ou capacités de plateforme sont supposés, ajoutés, invoqués ou documentés | `.mustflow/skills/dependency-reality-check/SKILL.md` | Dépendance ou capacité, déclarations du dépôt, version ou revendication de capacité et entrées du contrat de commande | Déclarations de dépendances, imports, métadonnées de commande, tests et docs | Dépendance inventée ou indisponible | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Statut de la dépendance, surfaces synchronisées, vérification et risque résiduel de dépendance |
 
 | Systèmes externes, protocoles, SDK, bases de données, webhooks, files d’attente, fichiers, caches, requêtes ou réponses du framework, modèles d’IA, stockage navigateur ou données fournisseur franchissant la frontière du cœur ou nécessitant une traduction port/adaptateur, un mappage d’erreurs, une gestion de retry, d’idempotence, de sécurité ou d’observabilité | `.mustflow/skills/adapter-boundary/SKILL.md` | Système ou protocole externe, direction inbound/outbound, cas d’usage interne, modèles locaux port/adaptateur, risque fournisseur, fichiers modifiés et entrées du contrat de commande | Ports, adaptateurs, mappeurs, contrôleurs, workers, stores, passerelles, tests, fixtures, câblage d’assemblage et documents ou templates synchronisés directement | Fuite fournisseur, wrapper pass-through, échec externe non classifié, effet secondaire dupliqué, retry non sécurisé, timeout manquant, fuite de secret ou de données personnelles, ou dérive d’intégration non testée | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Classification de la frontière, port interne, confinement fournisseur, validation et mappage, gestion timeout/retry/idempotence, notes de sécurité, vérification et risque fournisseur résiduel |

package/templates/default/locales/fr/.mustflow/skills/database-change-safety/SKILL.md

@@ -0,0 +1,155 @@
+---
+mustflow_doc: skill.database-change-safety
+locale: fr
+canonical: false
+revision: 1
+lifecycle: mustflow-owned
+authority: procedure
+name: database-change-safety
+description: Apply this skill when database schema, queries, transactions, ORM models, repositories, stores, indexes, cache-backed read models, retention, pagination, concurrency, idempotency, audit logs, or persistence boundaries are introduced, changed, reviewed, or reported.
+metadata:
+  mustflow_schema: "1"
+  mustflow_kind: procedure
+  pack_id: mustflow.core
+  skill_id: mustflow.core.database-change-safety
+  command_intents:
+    - changes_status
+    - changes_diff_summary
+    - test_related
+    - test
+    - lint
+    - build
+    - docs_validate_fast
+    - test_release
+    - mustflow_check
+---
+
+# Database Change Safety
+
+<!-- mustflow-section: purpose -->
+## Purpose
+
+Keep database-backed behavior explicit, scoped, recoverable where possible, and verifiable without treating database rows, ORM models, generated caches, or read models as domain truth.
+
+Use the smallest persistence boundary that proves the risk. Do not introduce repositories, services, transactions, migrations, outbox machinery, or read models when a direct scoped query or fixture update is enough.
+
+<!-- mustflow-section: use-when -->
+## Use When
+
+- A schema, migration, table, collection, ORM model, query, repository, store, transaction, index, cache, read model, audit log, or retention rule is introduced or changed.
+- Code reads from or writes to a database, browser storage, cache, local SQLite file, external database, or generated data store.
+- A task changes authorization, tenant scoping, pagination, sorting, soft delete, status filters, idempotency, duplicate handling, retry, or concurrency behavior around persisted data.
+- Documentation, tests, or final reports claim that a database change is safe, fast, indexed, migrated, reversible, idempotent, or verified.
+
+<!-- mustflow-section: do-not-use-when -->
+## Do Not Use When
+
+- The change is pure in-memory logic with no persisted, cached, indexed, or generated state.
+- The task only changes external protocol mapping and no database-backed state; use `adapter-boundary`.
+- The task only changes file or template migration behavior and no database or persistence surface; use `migration-safety-check`.
+- The change only documents general database advice without touching or claiming project behavior.
+
+<!-- mustflow-section: required-inputs -->
+## Required Inputs
+
+- Database role: source of truth, rebuildable cache, read model, runtime state, analytics store, external provider, or browser storage.
+- Data owner and affected tables, collections, stores, indexes, caches, generated files, or read models.
+- Read and write paths, query or ORM behavior, authorization scope, tenant or user scope, and retention expectations.
+- Transaction boundary, idempotency, retry, duplicate-delivery, concurrency, migration, rollback, or rebuild expectations.
+- Local database, ORM, repository, fixture, migration, cache, and test patterns.
+- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow validation.
+
+<!-- mustflow-section: preconditions -->
+## Preconditions
+
+- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
+- Required inputs are available, or missing inputs can be reported without guessing.
+- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
+- If database clients, ORM types, rows, browser storage, cache values, or provider data cross into core logic, also use `adapter-boundary`.
+- If hidden construction or global lookup creates the database dependency, also use `dependency-injection`.
+- If schema, data, cache, or generated state changes must move from an old state to a new state, also use `migration-safety-check`.
+- If personal data, authentication, authorization, retention, logs, telemetry, or secret-like values are involved, also use `security-privacy-review`.
+- If index, query-time, startup, package-size, search, count, or read-model performance claims are involved, also use `performance-budget-check`.
+
+<!-- mustflow-section: allowed-edits -->
+## Allowed Edits
+
+- Update schema, query, repository, store, transaction, index, cache, read-model, fixture, test, documentation, and directly synchronized template surfaces tied to the task.
+- Add or tighten constraints, scoping, pagination, ordering, idempotency keys, concurrency guards, retention checks, and redaction behavior when the changed surface justifies it.
+- Mark rollback, migration, performance, privacy, or concurrency gaps as unverified when they cannot be proven.
+- Do not expose database rows, ORM models, query builders, or provider clients as domain objects.
+- Do not treat generated caches or read models as source of truth.
+- Do not add broad repository methods that accept arbitrary filters unless authorization, tenant scope, and caller ownership are explicit.
+- Do not call external APIs inside a database transaction unless a local rule explicitly accepts the coupling and a recovery path exists.
+- Do not store raw logs, secrets, hidden reasoning, full transcripts, unnecessary provider payloads, or unbounded personal data in local state or caches.
+
+<!-- mustflow-section: procedure -->
+## Procedure
+
+1. Classify the database role.
+   - Source of truth: owns current business state.
+   - Rebuildable cache: can be deleted and regenerated from files, provider data, or another source.
+   - Read model: derived for lookup, search, reporting, or dashboard use.
+   - Runtime state: coordinates in-flight work, locks, sessions, jobs, or retries.
+   - Analytics store, external provider, or browser storage: owned outside the core domain boundary.
+2. Identify the data owner and derived surfaces. Name which table, file, provider, event log, configuration, or generated artifact owns each value.
+3. Check schema shape: primary keys, foreign keys, unique constraints, nullable fields, defaults, check constraints, status values, timestamps, soft delete fields, tenant scope, audit fields, and retention rules.
+4. Check query semantics: authorization scope, tenant or user scope, role or visibility filters, deleted or archived rows, draft or unpublished rows, effective dates, null handling, stale-data behavior, and error or absence handling.
+5. Check pagination and ordering. Lists need deterministic ordering; cursor pagination needs a stable tie breaker such as a unique id in addition to a timestamp.
+6. Check transaction boundaries. Keep database writes and external side effects separate by default; use explicit states, an outbox, an action ledger, or reconciliation when both must be coordinated.
+7. Check idempotency, retries, duplicate delivery, and concurrency. Look for webhook duplicates, job retries, import reruns, payment callbacks, optimistic locks, compare-and-swap updates, unique-constraint races, and double state transitions.
+8. Check indexes and workload cost. Match indexes to `WHERE`, `JOIN`, `ORDER BY`, and `GROUP BY` behavior, but account for write cost. Look for N+1 queries, expensive counts, full scans, materialized read-model needs, and search-index boundaries.
+9. Check privacy and retention. Prefer omission or bounded metadata over storing raw payloads. Do not persist secrets, hidden reasoning, full transcripts, unbounded logs, or personal data without a clear product rule and retention path.
+10. Check migration, rollback, and rebuild paths. If a migration claim exists, prove idempotency and recovery with `migration-safety-check` or report the gap. If the store is a cache, name the rebuild source and stale-index detection.
+11. Check tests and fixtures. Reuse or add repository/store tests, migration fixtures, query fixtures, adapter fixtures, permission regressions, idempotency or concurrency regressions, and cache rebuild checks as justified by the risk.
+12. Verify and report. Separate proven behavior from unverified rollback, migration, privacy, performance, live-data, or concurrency risks.
+
+<!-- mustflow-section: postconditions -->
+## Postconditions
+
+- The database role and source of truth are explicit.
+- Database rows, ORM models, generated caches, and read models do not leak into domain truth unless the local architecture intentionally owns that boundary.
+- Queries preserve authorization, tenant or user scope, deterministic ordering, expected absence behavior, and retention rules.
+- Transaction, external side effect, idempotency, duplicate, retry, and concurrency decisions are intentional and reported.
+- Index, query-cost, migration, rollback, rebuild, privacy, and verification claims are tied to evidence or marked as unverified.
+
+<!-- mustflow-section: verification -->
+## Verification
+
+Use configured oneshot command intents when available:
+
+- `changes_status`
+- `changes_diff_summary`
+- `test_related`
+- `test`
+- `lint`
+- `build`
+- `docs_validate_fast`
+- `test_release`
+- `mustflow_check`
+
+Prefer the narrowest configured test, build, docs, release, or mustflow intent that proves the changed persistence surface. Do not infer raw database, migration, package, or benchmark commands.
+
+<!-- mustflow-section: failure-handling -->
+## Failure Handling
+
+- If the source of truth is unclear, stop changing persistence behavior and report the competing owners.
+- If authorization, tenant scope, soft delete, or retention behavior cannot be confirmed, fail closed or report the missing project rule.
+- If rollback, migration idempotency, rebuild, or stale-cache detection cannot be proven, avoid claiming safety and name the remaining recovery risk.
+- If a performance claim lacks a configured measurement path, report it as unmeasured instead of inventing a budget.
+- If sensitive data appears in queries, fixtures, logs, generated state, package contents, or final output, route that surface through `security-privacy-review` before continuing.
+- If the safest fix would require live data access, destructive migration, dependency installation, or unavailable credentials, stop at that boundary and report the skipped check.
+
+<!-- mustflow-section: output-format -->
+## Output Format
+
+- Database role and owner
+- Affected read and write paths
+- Schema, constraint, and query semantics reviewed
+- Authorization, tenant scope, retention, and privacy checks
+- Transaction, idempotency, retry, and concurrency decisions
+- Index, pagination, and performance notes
+- Migration, rollback, dry-run, rebuild, or compatibility status
+- Tests, fixtures, or verification command intents run
+- Skipped checks and reasons
+- Remaining database risk

package/templates/default/locales/hi/.mustflow/skills/INDEX.md

@@ -2,7 +2,7 @@
 mustflow_doc: skills.index
 locale: hi
 canonical: false
-revision: 43
+revision: 44
 authority: router
 lifecycle: mustflow-owned
 ---
@@ -43,6 +43,7 @@ lifecycle: mustflow-owned
 | बदली गई फाइलों को जोखिम वर्गीकरण और सत्यापन चयन की आवश्यकता होती है | `.mustflow/skills/diff-risk-review/SKILL.md` | बदली गई फाइल सूची, अंतर सारांश, और कार्य लक्ष्य | बदली गई सतहें और सत्यापन रिपोर्ट | कम या अधिक सत्यापन | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | जोखिम स्तर, सत्यापन विकल्प, रोलबैक नोट्स |
 | घोषित व्यवहार कोड, स्कीमा, टेम्पलेट, परीक्षण, और दस्तावेज़ों में संरेखित रहना चाहिए | `.mustflow/skills/contract-sync-check/SKILL.md` | बदली गई फाइलें, इच्छित व्यवहार, सत्य स्रोत, व्युत्पन्न सतहें, और कमांड अनुबंध प्रविष्टियाँ | अनुबंध स्रोत और आवश्यक सिंक्रनाइज़ सतहें | अनुबंध विचलन | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | अनुबंध स्रोत, सिंक्रनाइज़ सतहें, स्थगित सतहें, सत्यापन, और विचलन जोखिम |
 | तिथियां, संस्करण, गणना, अवधि, सीमाएं, मेट्रिक्स, बेंचमार्क, मूल्य, प्रतिशत, या अन्य संख्यात्मक तथ्य बनाए, संपादित, या रिपोर्ट किए जाते हैं | `.mustflow/skills/date-number-audit/SKILL.md` | तिथि या संख्यात्मक तथ्य, सत्य स्रोत, आश्रित सतहें, सटीकता अपेक्षा, और कमांड अनुबंध प्रविष्टियाँ | संख्यात्मक कथन, मेटाडेटा, परीक्षण, दस्तावेज़, टेम्पलेट, और रिपोर्ट | आविष्कृत, पुराना, या असंगत संख्यात्मक दावा | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | ऑडिट किए गए मान, सत्य स्रोत, सिंक्रनाइज़ सतहें, छोड़ी गई जांच, और शेष संख्यात्मक जोखिम |
+| Database schema, query, transaction, ORM model, repository/store, index, cache-backed read model, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, affected tables or stores, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, fixtures, tests, docs, and directly synchronized templates | data loss, stale cache, authorization leak, transaction bug, duplicate side effect, slow query, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, schema/query/transaction review, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
 | पैकेज, रनटाइम, टूल, कमांड, सेवाएं, या प्लेटफ़ॉर्म क्षमताएं अनुमानित, जोड़ी गई, बुलाए गए, या दस्तावेजीकृत की गई हैं | `.mustflow/skills/dependency-reality-check/SKILL.md` | निर्भरता या क्षमता, रिपॉजिटरी घोषणाएं, संस्करण या क्षमता दावा, और कमांड अनुबंध प्रविष्टियाँ | निर्भरता घोषणाएं, आयात, कमांड मेटाडेटा, परीक्षण, और दस्तावेज़ | आविष्कृत या अनुपलब्ध निर्भरता | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | निर्भरता स्थिति, सिंक्रनाइज़ सतहें, सत्यापन, और शेष निर्भरता जोखिम |
 
 | बाहरी सिस्टम, प्रोटोकॉल, SDK, डेटाबेस, वेबहुक, कतारें, फाइलें, कैश, फ्रेमवर्क अनुरोध या प्रतिक्रिया, AI मॉडल, ब्राउज़र स्टोरेज, या प्रदाता डेटा जो कोर सीमा को पार करते हैं या जिन्हें पोर्ट/एडाप्टर अनुवाद, त्रुटि मैपिंग, पुनः प्रयास, आइडेम्पोटेंसी, सुरक्षा, या अवलोकन हैंडलिंग की आवश्यकता होती है | `.mustflow/skills/adapter-boundary/SKILL.md` | बाहरी सिस्टम या प्रोटोकॉल, इनबाउंड/आउटबाउंड दिशा, आंतरिक उपयोग मामला, स्थानीय पोर्ट/एडाप्टर पैटर्न, प्रदाता जोखिम, बदले गए फाइल, और कमांड कॉन्ट्रैक्ट प्रविष्टियाँ | पोर्ट, एडाप्टर, मैपर, कंट्रोलर, वर्कर, स्टोर, गेटवे, टेस्ट, फिक्स्चर, असेंबली वायरिंग, और सीधे सिंक्रोनाइज़ किए गए डॉक या टेम्पलेट | प्रदाता रिसाव, पास-थ्रू रैपर, अप्रशासित बाहरी विफलता, डुप्लिकेट साइड इफेक्ट, असुरक्षित पुनः प्रयास, लापता टाइमआउट, गुप्त या व्यक्तिगत डेटा रिसाव, या अप्रयुक्त इंटीग्रेशन ड्रिफ्ट | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | सीमा वर्गीकरण, आंतरिक पोर्ट, प्रदाता नियंत्रण, सत्यापन और मैपिंग, टाइमआउट/पुनः प्रयास/आइडेम्पोटेंसी हैंडलिंग, सुरक्षा नोट्स, सत्यापन, और शेष प्रदाता जोखिम |

package/templates/default/locales/hi/.mustflow/skills/database-change-safety/SKILL.md

@@ -0,0 +1,155 @@
+---
+mustflow_doc: skill.database-change-safety
+locale: hi
+canonical: false
+revision: 1
+lifecycle: mustflow-owned
+authority: procedure
+name: database-change-safety
+description: Apply this skill when database schema, queries, transactions, ORM models, repositories, stores, indexes, cache-backed read models, retention, pagination, concurrency, idempotency, audit logs, or persistence boundaries are introduced, changed, reviewed, or reported.
+metadata:
+  mustflow_schema: "1"
+  mustflow_kind: procedure
+  pack_id: mustflow.core
+  skill_id: mustflow.core.database-change-safety
+  command_intents:
+    - changes_status
+    - changes_diff_summary
+    - test_related
+    - test
+    - lint
+    - build
+    - docs_validate_fast
+    - test_release
+    - mustflow_check
+---
+
+# Database Change Safety
+
+<!-- mustflow-section: purpose -->
+## Purpose
+
+Keep database-backed behavior explicit, scoped, recoverable where possible, and verifiable without treating database rows, ORM models, generated caches, or read models as domain truth.
+
+Use the smallest persistence boundary that proves the risk. Do not introduce repositories, services, transactions, migrations, outbox machinery, or read models when a direct scoped query or fixture update is enough.
+
+<!-- mustflow-section: use-when -->
+## Use When
+
+- A schema, migration, table, collection, ORM model, query, repository, store, transaction, index, cache, read model, audit log, or retention rule is introduced or changed.
+- Code reads from or writes to a database, browser storage, cache, local SQLite file, external database, or generated data store.
+- A task changes authorization, tenant scoping, pagination, sorting, soft delete, status filters, idempotency, duplicate handling, retry, or concurrency behavior around persisted data.
+- Documentation, tests, or final reports claim that a database change is safe, fast, indexed, migrated, reversible, idempotent, or verified.
+
+<!-- mustflow-section: do-not-use-when -->
+## Do Not Use When
+
+- The change is pure in-memory logic with no persisted, cached, indexed, or generated state.
+- The task only changes external protocol mapping and no database-backed state; use `adapter-boundary`.
+- The task only changes file or template migration behavior and no database or persistence surface; use `migration-safety-check`.
+- The change only documents general database advice without touching or claiming project behavior.
+
+<!-- mustflow-section: required-inputs -->
+## Required Inputs
+
+- Database role: source of truth, rebuildable cache, read model, runtime state, analytics store, external provider, or browser storage.
+- Data owner and affected tables, collections, stores, indexes, caches, generated files, or read models.
+- Read and write paths, query or ORM behavior, authorization scope, tenant or user scope, and retention expectations.
+- Transaction boundary, idempotency, retry, duplicate-delivery, concurrency, migration, rollback, or rebuild expectations.
+- Local database, ORM, repository, fixture, migration, cache, and test patterns.
+- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow validation.
+
+<!-- mustflow-section: preconditions -->
+## Preconditions
+
+- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
+- Required inputs are available, or missing inputs can be reported without guessing.
+- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
+- If database clients, ORM types, rows, browser storage, cache values, or provider data cross into core logic, also use `adapter-boundary`.
+- If hidden construction or global lookup creates the database dependency, also use `dependency-injection`.
+- If schema, data, cache, or generated state changes must move from an old state to a new state, also use `migration-safety-check`.
+- If personal data, authentication, authorization, retention, logs, telemetry, or secret-like values are involved, also use `security-privacy-review`.
+- If index, query-time, startup, package-size, search, count, or read-model performance claims are involved, also use `performance-budget-check`.
+
+<!-- mustflow-section: allowed-edits -->
+## Allowed Edits
+
+- Update schema, query, repository, store, transaction, index, cache, read-model, fixture, test, documentation, and directly synchronized template surfaces tied to the task.
+- Add or tighten constraints, scoping, pagination, ordering, idempotency keys, concurrency guards, retention checks, and redaction behavior when the changed surface justifies it.
+- Mark rollback, migration, performance, privacy, or concurrency gaps as unverified when they cannot be proven.
+- Do not expose database rows, ORM models, query builders, or provider clients as domain objects.
+- Do not treat generated caches or read models as source of truth.
+- Do not add broad repository methods that accept arbitrary filters unless authorization, tenant scope, and caller ownership are explicit.
+- Do not call external APIs inside a database transaction unless a local rule explicitly accepts the coupling and a recovery path exists.
+- Do not store raw logs, secrets, hidden reasoning, full transcripts, unnecessary provider payloads, or unbounded personal data in local state or caches.
+
+<!-- mustflow-section: procedure -->
+## Procedure
+
+1. Classify the database role.
+   - Source of truth: owns current business state.
+   - Rebuildable cache: can be deleted and regenerated from files, provider data, or another source.
+   - Read model: derived for lookup, search, reporting, or dashboard use.
+   - Runtime state: coordinates in-flight work, locks, sessions, jobs, or retries.
+   - Analytics store, external provider, or browser storage: owned outside the core domain boundary.
+2. Identify the data owner and derived surfaces. Name which table, file, provider, event log, configuration, or generated artifact owns each value.
+3. Check schema shape: primary keys, foreign keys, unique constraints, nullable fields, defaults, check constraints, status values, timestamps, soft delete fields, tenant scope, audit fields, and retention rules.
+4. Check query semantics: authorization scope, tenant or user scope, role or visibility filters, deleted or archived rows, draft or unpublished rows, effective dates, null handling, stale-data behavior, and error or absence handling.
+5. Check pagination and ordering. Lists need deterministic ordering; cursor pagination needs a stable tie breaker such as a unique id in addition to a timestamp.
+6. Check transaction boundaries. Keep database writes and external side effects separate by default; use explicit states, an outbox, an action ledger, or reconciliation when both must be coordinated.
+7. Check idempotency, retries, duplicate delivery, and concurrency. Look for webhook duplicates, job retries, import reruns, payment callbacks, optimistic locks, compare-and-swap updates, unique-constraint races, and double state transitions.
+8. Check indexes and workload cost. Match indexes to `WHERE`, `JOIN`, `ORDER BY`, and `GROUP BY` behavior, but account for write cost. Look for N+1 queries, expensive counts, full scans, materialized read-model needs, and search-index boundaries.
+9. Check privacy and retention. Prefer omission or bounded metadata over storing raw payloads. Do not persist secrets, hidden reasoning, full transcripts, unbounded logs, or personal data without a clear product rule and retention path.
+10. Check migration, rollback, and rebuild paths. If a migration claim exists, prove idempotency and recovery with `migration-safety-check` or report the gap. If the store is a cache, name the rebuild source and stale-index detection.
+11. Check tests and fixtures. Reuse or add repository/store tests, migration fixtures, query fixtures, adapter fixtures, permission regressions, idempotency or concurrency regressions, and cache rebuild checks as justified by the risk.
+12. Verify and report. Separate proven behavior from unverified rollback, migration, privacy, performance, live-data, or concurrency risks.
+
+<!-- mustflow-section: postconditions -->
+## Postconditions
+
+- The database role and source of truth are explicit.
+- Database rows, ORM models, generated caches, and read models do not leak into domain truth unless the local architecture intentionally owns that boundary.
+- Queries preserve authorization, tenant or user scope, deterministic ordering, expected absence behavior, and retention rules.
+- Transaction, external side effect, idempotency, duplicate, retry, and concurrency decisions are intentional and reported.
+- Index, query-cost, migration, rollback, rebuild, privacy, and verification claims are tied to evidence or marked as unverified.
+
+<!-- mustflow-section: verification -->
+## Verification
+
+Use configured oneshot command intents when available:
+
+- `changes_status`
+- `changes_diff_summary`
+- `test_related`
+- `test`
+- `lint`
+- `build`
+- `docs_validate_fast`
+- `test_release`
+- `mustflow_check`
+
+Prefer the narrowest configured test, build, docs, release, or mustflow intent that proves the changed persistence surface. Do not infer raw database, migration, package, or benchmark commands.
+
+<!-- mustflow-section: failure-handling -->
+## Failure Handling
+
+- If the source of truth is unclear, stop changing persistence behavior and report the competing owners.
+- If authorization, tenant scope, soft delete, or retention behavior cannot be confirmed, fail closed or report the missing project rule.
+- If rollback, migration idempotency, rebuild, or stale-cache detection cannot be proven, avoid claiming safety and name the remaining recovery risk.
+- If a performance claim lacks a configured measurement path, report it as unmeasured instead of inventing a budget.
+- If sensitive data appears in queries, fixtures, logs, generated state, package contents, or final output, route that surface through `security-privacy-review` before continuing.
+- If the safest fix would require live data access, destructive migration, dependency installation, or unavailable credentials, stop at that boundary and report the skipped check.
+
+<!-- mustflow-section: output-format -->
+## Output Format
+
+- Database role and owner
+- Affected read and write paths
+- Schema, constraint, and query semantics reviewed
+- Authorization, tenant scope, retention, and privacy checks
+- Transaction, idempotency, retry, and concurrency decisions
+- Index, pagination, and performance notes
+- Migration, rollback, dry-run, rebuild, or compatibility status
+- Tests, fixtures, or verification command intents run
+- Skipped checks and reasons
+- Remaining database risk

package/templates/default/locales/ko/.mustflow/skills/INDEX.md

@@ -2,7 +2,7 @@
 mustflow_doc: skills.index
 locale: ko
 canonical: false
-revision: 43
+revision: 44
 authority: router
 lifecycle: mustflow-owned
 ---
@@ -49,6 +49,7 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
 | Changed files need risk classification and verification selection | `.mustflow/skills/diff-risk-review/SKILL.md` | Changed-file list, diff summary, and task goal | Changed surfaces and verification report | under- or over-verification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Risk level, verification choice, rollback notes |
 | Declared behavior must stay aligned across code, schemas, templates, tests, and docs | `.mustflow/skills/contract-sync-check/SKILL.md` | Changed files, intended behavior, source of truth, derived surfaces, and command contract entries | Contract source and required synchronized surfaces | contract drift | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Contract source, synchronized surfaces, deferred surfaces, verification, and drift risk |
 | Dates, versions, counts, durations, limits, metrics, benchmarks, prices, percentages, or other numeric facts are created, edited, or reported | `.mustflow/skills/date-number-audit/SKILL.md` | Date or numeric fact, source of truth, dependent surfaces, precision expectation, and command contract entries | Numeric statements, metadata, tests, docs, templates, and reports | invented, stale, or mismatched numeric claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Audited values, source of truth, synchronized surfaces, skipped checks, and remaining numeric risk |
+| Database schema, query, transaction, ORM model, repository/store, index, cache-backed read model, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, affected tables or stores, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, fixtures, tests, docs, and directly synchronized templates | data loss, stale cache, authorization leak, transaction bug, duplicate side effect, slow query, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, schema/query/transaction review, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
 | Packages, runtimes, tools, commands, services, or platform capabilities are assumed, added, invoked, or documented | `.mustflow/skills/dependency-reality-check/SKILL.md` | Dependency or capability, repository declarations, version or capability claim, and command contract entries | Dependency declarations, imports, command metadata, tests, and docs | invented or unavailable dependency | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Dependency status, synchronized surfaces, verification, and remaining dependency risk |
 | External systems, protocols, SDKs, databases, webhooks, queues, files, caches, framework requests or responses, AI models, browser storage, or provider data cross the core boundary or need port/adapter translation, error mapping, retry, idempotency, security, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, internal use case, local port/adapter patterns, provider risk, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, pass-through wrapper, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, internal port, provider containment, validation and mapping, timeout/retry/idempotency handling, security notes, verification, and remaining provider risk |
 | Core or application logic creates, imports, resolves, or hides external dependencies such as databases, SDKs, clocks, random generators, configuration, loggers, framework objects, filesystems, queues, AI clients, or payment/email providers | `.mustflow/skills/dependency-injection/SKILL.md` | Target code area, hidden dependency, intended business capability, layer ownership, local port/adapter patterns, changed files, and command contract entries | Core logic signatures, ports, adapters, assembly roots, tests, and directly synchronized docs or templates | hidden global state, untestable business logic, provider leakage, lifecycle drift, or service-locator coupling | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Dependency boundary, direct dependencies found, injection style, ports/adapters, assembly boundary, tests or fakes, verification, and remaining dependency leakage |

package/templates/default/locales/ko/.mustflow/skills/database-change-safety/SKILL.md

@@ -0,0 +1,155 @@
+---
+mustflow_doc: skill.database-change-safety
+locale: ko
+canonical: false
+revision: 1
+lifecycle: mustflow-owned
+authority: procedure
+name: database-change-safety
+description: Apply this skill when database schema, queries, transactions, ORM models, repositories, stores, indexes, cache-backed read models, retention, pagination, concurrency, idempotency, audit logs, or persistence boundaries are introduced, changed, reviewed, or reported.
+metadata:
+  mustflow_schema: "1"
+  mustflow_kind: procedure
+  pack_id: mustflow.core
+  skill_id: mustflow.core.database-change-safety
+  command_intents:
+    - changes_status
+    - changes_diff_summary
+    - test_related
+    - test
+    - lint
+    - build
+    - docs_validate_fast
+    - test_release
+    - mustflow_check
+---
+
+# Database Change Safety
+
+<!-- mustflow-section: purpose -->
+## Purpose
+
+Keep database-backed behavior explicit, scoped, recoverable where possible, and verifiable without treating database rows, ORM models, generated caches, or read models as domain truth.
+
+Use the smallest persistence boundary that proves the risk. Do not introduce repositories, services, transactions, migrations, outbox machinery, or read models when a direct scoped query or fixture update is enough.
+
+<!-- mustflow-section: use-when -->
+## Use When
+
+- A schema, migration, table, collection, ORM model, query, repository, store, transaction, index, cache, read model, audit log, or retention rule is introduced or changed.
+- Code reads from or writes to a database, browser storage, cache, local SQLite file, external database, or generated data store.
+- A task changes authorization, tenant scoping, pagination, sorting, soft delete, status filters, idempotency, duplicate handling, retry, or concurrency behavior around persisted data.
+- Documentation, tests, or final reports claim that a database change is safe, fast, indexed, migrated, reversible, idempotent, or verified.
+
+<!-- mustflow-section: do-not-use-when -->
+## Do Not Use When
+
+- The change is pure in-memory logic with no persisted, cached, indexed, or generated state.
+- The task only changes external protocol mapping and no database-backed state; use `adapter-boundary`.
+- The task only changes file or template migration behavior and no database or persistence surface; use `migration-safety-check`.
+- The change only documents general database advice without touching or claiming project behavior.
+
+<!-- mustflow-section: required-inputs -->
+## Required Inputs
+
+- Database role: source of truth, rebuildable cache, read model, runtime state, analytics store, external provider, or browser storage.
+- Data owner and affected tables, collections, stores, indexes, caches, generated files, or read models.
+- Read and write paths, query or ORM behavior, authorization scope, tenant or user scope, and retention expectations.
+- Transaction boundary, idempotency, retry, duplicate-delivery, concurrency, migration, rollback, or rebuild expectations.
+- Local database, ORM, repository, fixture, migration, cache, and test patterns.
+- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow validation.
+
+<!-- mustflow-section: preconditions -->
+## Preconditions
+
+- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
+- Required inputs are available, or missing inputs can be reported without guessing.
+- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
+- If database clients, ORM types, rows, browser storage, cache values, or provider data cross into core logic, also use `adapter-boundary`.
+- If hidden construction or global lookup creates the database dependency, also use `dependency-injection`.
+- If schema, data, cache, or generated state changes must move from an old state to a new state, also use `migration-safety-check`.
+- If personal data, authentication, authorization, retention, logs, telemetry, or secret-like values are involved, also use `security-privacy-review`.
+- If index, query-time, startup, package-size, search, count, or read-model performance claims are involved, also use `performance-budget-check`.
+
+<!-- mustflow-section: allowed-edits -->
+## Allowed Edits
+
+- Update schema, query, repository, store, transaction, index, cache, read-model, fixture, test, documentation, and directly synchronized template surfaces tied to the task.
+- Add or tighten constraints, scoping, pagination, ordering, idempotency keys, concurrency guards, retention checks, and redaction behavior when the changed surface justifies it.
+- Mark rollback, migration, performance, privacy, or concurrency gaps as unverified when they cannot be proven.
+- Do not expose database rows, ORM models, query builders, or provider clients as domain objects.
+- Do not treat generated caches or read models as source of truth.
+- Do not add broad repository methods that accept arbitrary filters unless authorization, tenant scope, and caller ownership are explicit.
+- Do not call external APIs inside a database transaction unless a local rule explicitly accepts the coupling and a recovery path exists.
+- Do not store raw logs, secrets, hidden reasoning, full transcripts, unnecessary provider payloads, or unbounded personal data in local state or caches.
+
+<!-- mustflow-section: procedure -->
+## Procedure
+
+1. Classify the database role.
+   - Source of truth: owns current business state.
+   - Rebuildable cache: can be deleted and regenerated from files, provider data, or another source.
+   - Read model: derived for lookup, search, reporting, or dashboard use.
+   - Runtime state: coordinates in-flight work, locks, sessions, jobs, or retries.
+   - Analytics store, external provider, or browser storage: owned outside the core domain boundary.
+2. Identify the data owner and derived surfaces. Name which table, file, provider, event log, configuration, or generated artifact owns each value.
+3. Check schema shape: primary keys, foreign keys, unique constraints, nullable fields, defaults, check constraints, status values, timestamps, soft delete fields, tenant scope, audit fields, and retention rules.
+4. Check query semantics: authorization scope, tenant or user scope, role or visibility filters, deleted or archived rows, draft or unpublished rows, effective dates, null handling, stale-data behavior, and error or absence handling.
+5. Check pagination and ordering. Lists need deterministic ordering; cursor pagination needs a stable tie breaker such as a unique id in addition to a timestamp.
+6. Check transaction boundaries. Keep database writes and external side effects separate by default; use explicit states, an outbox, an action ledger, or reconciliation when both must be coordinated.
+7. Check idempotency, retries, duplicate delivery, and concurrency. Look for webhook duplicates, job retries, import reruns, payment callbacks, optimistic locks, compare-and-swap updates, unique-constraint races, and double state transitions.
+8. Check indexes and workload cost. Match indexes to `WHERE`, `JOIN`, `ORDER BY`, and `GROUP BY` behavior, but account for write cost. Look for N+1 queries, expensive counts, full scans, materialized read-model needs, and search-index boundaries.
+9. Check privacy and retention. Prefer omission or bounded metadata over storing raw payloads. Do not persist secrets, hidden reasoning, full transcripts, unbounded logs, or personal data without a clear product rule and retention path.
+10. Check migration, rollback, and rebuild paths. If a migration claim exists, prove idempotency and recovery with `migration-safety-check` or report the gap. If the store is a cache, name the rebuild source and stale-index detection.
+11. Check tests and fixtures. Reuse or add repository/store tests, migration fixtures, query fixtures, adapter fixtures, permission regressions, idempotency or concurrency regressions, and cache rebuild checks as justified by the risk.
+12. Verify and report. Separate proven behavior from unverified rollback, migration, privacy, performance, live-data, or concurrency risks.
+
+<!-- mustflow-section: postconditions -->
+## Postconditions
+
+- The database role and source of truth are explicit.
+- Database rows, ORM models, generated caches, and read models do not leak into domain truth unless the local architecture intentionally owns that boundary.
+- Queries preserve authorization, tenant or user scope, deterministic ordering, expected absence behavior, and retention rules.
+- Transaction, external side effect, idempotency, duplicate, retry, and concurrency decisions are intentional and reported.
+- Index, query-cost, migration, rollback, rebuild, privacy, and verification claims are tied to evidence or marked as unverified.
+
+<!-- mustflow-section: verification -->
+## Verification
+
+Use configured oneshot command intents when available:
+
+- `changes_status`
+- `changes_diff_summary`
+- `test_related`
+- `test`
+- `lint`
+- `build`
+- `docs_validate_fast`
+- `test_release`
+- `mustflow_check`
+
+Prefer the narrowest configured test, build, docs, release, or mustflow intent that proves the changed persistence surface. Do not infer raw database, migration, package, or benchmark commands.
+
+<!-- mustflow-section: failure-handling -->
+## Failure Handling
+
+- If the source of truth is unclear, stop changing persistence behavior and report the competing owners.
+- If authorization, tenant scope, soft delete, or retention behavior cannot be confirmed, fail closed or report the missing project rule.
+- If rollback, migration idempotency, rebuild, or stale-cache detection cannot be proven, avoid claiming safety and name the remaining recovery risk.
+- If a performance claim lacks a configured measurement path, report it as unmeasured instead of inventing a budget.
+- If sensitive data appears in queries, fixtures, logs, generated state, package contents, or final output, route that surface through `security-privacy-review` before continuing.
+- If the safest fix would require live data access, destructive migration, dependency installation, or unavailable credentials, stop at that boundary and report the skipped check.
+
+<!-- mustflow-section: output-format -->
+## Output Format
+
+- Database role and owner
+- Affected read and write paths
+- Schema, constraint, and query semantics reviewed
+- Authorization, tenant scope, retention, and privacy checks
+- Transaction, idempotency, retry, and concurrency decisions
+- Index, pagination, and performance notes
+- Migration, rollback, dry-run, rebuild, or compatibility status
+- Tests, fixtures, or verification command intents run
+- Skipped checks and reasons
+- Remaining database risk

package/templates/default/locales/zh/.mustflow/skills/INDEX.md

@@ -2,7 +2,7 @@
 mustflow_doc: skills.index
 locale: zh
 canonical: false
-revision: 43
+revision: 44
 authority: router
 lifecycle: mustflow-owned
 ---
@@ -43,6 +43,7 @@ lifecycle: mustflow-owned
 | 变更文件需要风险分类和验证选择 | `.mustflow/skills/diff-risk-review/SKILL.md` | 变更文件列表，差异摘要和任务目标 | 变更表面及验证报告 | 验证不足或过度 | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | 风险等级，验证选择，回滚备注 |
 | 声明行为必须在代码、模式、模板、测试和文档间保持一致 | `.mustflow/skills/contract-sync-check/SKILL.md` | 变更文件，预期行为，事实来源，派生表面及命令契约条目 | 合同源及必需同步表面 | 合同漂移 | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | 合同源，同步表面，延期表面，验证及漂移风险 |
 | 日期、版本、计数、时长、限制、指标、基准、价格、百分比或其他数值事实被创建、编辑或报告 | `.mustflow/skills/date-number-audit/SKILL.md` | 日期或数值事实，事实来源，依赖表面，精度预期及命令契约条目 | 数值声明，元数据，测试，文档，模板及报告 | 虚构、陈旧或不匹配的数值声明 | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | 审计值，事实来源，同步表面，跳过检查及剩余数值风险 |
+| Database schema, query, transaction, ORM model, repository/store, index, cache-backed read model, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, affected tables or stores, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, fixtures, tests, docs, and directly synchronized templates | data loss, stale cache, authorization leak, transaction bug, duplicate side effect, slow query, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, schema/query/transaction review, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
 | 假设、添加、调用或记录包、运行时、工具、命令、服务或平台能力 | `.mustflow/skills/dependency-reality-check/SKILL.md` | 依赖或能力，仓库声明，版本或能力声明及命令契约条目 | 依赖声明，导入，命令元数据，测试及文档 | 虚构或不可用依赖 | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | 依赖状态，同步表面，验证及剩余依赖风险 |
 | 外部系统、协议、SDK、数据库、Webhook、队列、文件、缓存、框架请求或响应、AI 模型、浏览器存储或提供者数据跨越核心边界或需要端口/适配器转换、错误映射、重试、幂等、安全或可观测性处理 | `.mustflow/skills/adapter-boundary/SKILL.md` | 外部系统或协议，入站/出站方向，内部用例，本地端口/适配器模式，提供者风险，变更文件及命令契约条目 | 端口、适配器、映射器、控制器、工作线程、存储、网关、测试、固件、组装连接及直接同步的文档或模板 | 提供者泄漏，透传包装，未分类外部失败，重复副作用，不安全重试，缺失超时，秘密或个人数据泄漏，未测试集成漂移 | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | 边界分类，内部端口，提供者封装，验证与映射，超时/重试/幂等处理，安全备注，验证及剩余提供者风险 |
 | 核心或应用逻辑创建、导入、解析或隐藏外部依赖，如数据库、SDK、时钟、随机数生成器、配置、日志器、框架对象、文件系统、队列、AI 客户端或支付/邮件提供者 | `.mustflow/skills/dependency-injection/SKILL.md` | 目标代码区域，隐藏依赖，预期业务能力，层所有权，本地端口/适配器模式，变更文件及命令契约条目 | 核心逻辑签名，端口，适配器，组装根，测试及直接同步的文档或模板 | 隐藏全局状态，难测业务逻辑，提供者泄漏，生命周期漂移，服务定位器耦合 | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | 依赖边界，发现直接依赖，注入风格，端口/适配器，组装边界，测试或替身，验证及剩余依赖泄漏 |