mustflow 1.31.0 → 2.16.0

package/templates/default/locales/en/.mustflow/skills/INDEX.md

@@ -2,7 +2,7 @@
 mustflow_doc: skills.index
 locale: en
 canonical: true
-revision: 50
+revision: 54
 authority: router
 lifecycle: mustflow-owned
 ---
@@ -27,12 +27,128 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
   command intents.
 - Keep the route table compact: each route states the trigger, required input, edit scope, risk,
   verification intents, and expected output.
+- Keep `.mustflow/skills/routes.toml` aligned with the route table when adding, removing, or
+  reclassifying skill routes. The TOML metadata supports strict validation of route category,
+  route type, priority, and mutually exclusive route references.
+- When a current `mf classify` report or changed-file validation reason list is already available,
+  use it only as a prefilter before scanning the route table. Do not run a new command solely to
+  select skills unless the command contract already authorizes that command.
+
+## Selection Convention
+
+- Choose one primary skill that best describes the main work. Prefer the most specific matching
+  skill over a broad architecture or review skill.
+- Add no more than two adjunct skills for secondary risks such as tests, documentation, security,
+  privacy, release, or contract drift.
+- Treat event-triggered skills as inactive until the event occurs. For example, read
+  `failure-triage` only after a configured command intent or verification step fails.
+- If several primary skills appear to match, choose the one tied to the files and behavior being
+  changed now, then report the skipped plausible skills instead of reading every route.
+
+## Classification Prefilter
+
+Use this table only to reduce the first-pass skill categories. The route category gate below remains
+the source for the first routing step.
+
+| Classification evidence | First-pass skill category |
+| --- | --- |
+| `docs_change`, `copy_change`, `i18n_change`, `release_risk` | Documentation and Release |
+| `test_change`, `test_policy_change`, `behavior_change` | Tests and Regression |
+| `code_change`, `public_api_change`, `unknown_change` | General Code Change, then Architecture Patterns only when structural pressure is concrete |
+| `mustflow_docs_change`, `mustflow_config_change` | Workflow and Contract Maintenance |
+| Security, privacy, data, or external-system paths | Security and Privacy, or Data and External Systems |
+
+## Route Category Gate
+
+Choose one first-pass category before scanning specific routes. This keeps routine docs, bug, and
+test tasks from requiring a full read of architecture-pattern routes. Categories are backed by
+`.mustflow/skills/routes.toml`; keep that metadata aligned with the tables below.
+
+| Category | Use When | Next Step |
+| --- | --- | --- |
+| Bug and Failure | Failures, regressions, confusing behavior, or command failures. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| General Code Change | Orientation, implementation, review, and ordinary code-change risk. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| Tests and Regression | Test design, maintenance, TDD, and requirement coverage. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| Documentation and Release | Documentation, release wording, source freshness, and prose review. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| Security and Privacy | Secrets, personal data, external prompt text, and security regression risk. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| Data and External Systems | Persistence, adapters, dependency boundaries, migrations, and external systems. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| UI and Assets | UI surfaces, review artifacts, package artifacts, and web assets. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| Architecture Patterns | Pattern-specific routes; use only after concrete structural pressure appears. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+| Workflow and Contract Maintenance | mustflow workflow, routes, context, contracts, coordination, and metadata. | Inspect only this category's specific route table first; add adjunct or event routes only when their trigger appears. |
+
+## Specific Routes
+
+After choosing a category, choose one primary route and at most two adjunct routes. Event routes
+stay inactive until their event occurs.
+
+### Bug and Failure
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
+| A configured command intent or verification step fails | `.mustflow/skills/failure-triage/SKILL.md` | Failing intent and output tail | Failure cause only | misdiagnosis | `mustflow_check`; original failing intent | Root cause, fix, rerun result |
+| A bug or confusing failure needs a fix before the smallest deterministic reproduction or cause is clear | `.mustflow/skills/repro-first-debug/SKILL.md` | Symptom, expected behavior, observed output, failing intent or action, likely changed files, and known flakiness or environment limits | Diagnostic reads, focused reproduction, temporary instrumentation, smallest fix, and symptom-tied regression guard | speculative fix, flaky reproduction, lingering debug output, broad unrelated test, or over-testing | `test_related`, `test_fast`, `mustflow_check` | Symptom, reproduction path or gap, hypotheses, observations, fix, original reproduction rerun, verification, and remaining risk |
+
+### General Code Change
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
+| Code changes need review before report | `.mustflow/skills/code-review/SKILL.md` | Diff and task goal | Changed files | behavior and regression | `test`, `test_related`, `test_audit`, `lint` | Findings or no-issue note |
+| An unfamiliar codebase area needs an evidence-based map before planning, implementation, or reporting | `.mustflow/skills/codebase-orientation/SKILL.md` | User request, target area, relevant instructions, and current source, test, schema, template, configuration, or documentation files | Read-only orientation notes and any smallest follow-up edit chosen from inspected evidence | stale documentation, wrong ownership boundary, or invented architecture claim | `changes_status`, `changes_diff_summary`, `mustflow_check` | Scope inspected, entrypoints, flow map, ownership boundaries, verification options, risks, unknowns, and smallest safe next step |
+| Changed files need risk classification and verification selection | `.mustflow/skills/diff-risk-review/SKILL.md` | Changed-file list, diff summary, and task goal | Changed surfaces and verification report | under- or over-verification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Risk level, verification choice, rollback notes |
+| Performance budgets, bundle size, page weight, startup time, command duration, memory use, asset size, throughput, latency, benchmark output, or performance claims are planned, edited, reviewed, or reported | `.mustflow/skills/performance-budget-check/SKILL.md` | Performance surface, budget source, measurement method, environment boundary, and command contract entries | Budget checks, thresholds, measurements, dependency tradeoff notes, tests, docs, package metadata, and reports | invented budgets, stale measurements, hidden performance cost, or unverified speed claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Performance surface, budget source, measurement boundary, synchronized claims, skipped measurements, and remaining performance risk |
+| New feature, module, folder layout, architecture, scaffold, refactor, routing, data model, or external service integration may require hidden structure decisions before coding | `.mustflow/skills/structure-discovery-gate/SKILL.md` | User request, intended capability, hidden assumptions, named technologies or services, and relevant local patterns | Questions, assumptions, proposed file boundaries, and the smallest resulting implementation | brittle structure, vendor-name leakage, over-questioning, or speculative abstraction | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Blocking questions, assumptions, proposed files and responsibilities, dependency direction, local pattern, verification, and remaining structure risk |
+
+### Tests and Regression
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
+| User requirements, acceptance criteria, issue reports, bug reports, product notes, compatibility promises, or examples must be preserved as regression coverage before or during implementation | `.mustflow/skills/requirement-regression-guard/SKILL.md` | Requirement source, observable behavior, existing tests or fixtures, implementation scope, changed files, and command contract entries | Focused tests, fixtures, examples, schemas, docs, and implementation changes directly tied to the requirement | untested requirement, invented acceptance criteria, weakened tests, hidden behavior drift, or unverifiable implementation claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Requirement sources, coverage map, guards added or reused, implementation changes, deferred requirements, verification, and remaining regression risk |
+| The user explicitly requests TDD, test-first work, red-green-refactor, RED/GREEN, or one observable behavior slice at a time | `.mustflow/skills/vertical-slice-tdd/SKILL.md` | TDD trigger, first behavior contract, existing tests, expected RED category, baseline status, and command contract entries | One focused test or fixture, the smallest implementation for the current slice, and directly synchronized docs when needed | invalid RED, broad slice, premature refactor, unrelated cleanup, or verification claim without configured command evidence | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `test`, `lint`, `build`, `mustflow_check` | Slice scope, existing coverage, RED category evidence, GREEN verification, refactors after GREEN, deferred slices, and remaining TDD risk |
+| New tests or test cases are designed, TDD RED or GREEN evidence is reported, or test-case choices are made for requirements, bugs, refactors, security boundaries, schemas, templates, or public docs | `.mustflow/skills/test-design-guard/SKILL.md` | Contract source, existing coverage, intended RED evidence, candidate cases, baseline status, and command contract entries | Tests, fixtures, helpers, and directly synchronized contract docs | invalid RED, happy-path-only coverage, speculative edge cases, weak assertions, mock-only confidence, or implementation-detail coupling | `test_related`, `test_audit`, `test`, `lint`, `build`, `test_release`, `mustflow_check` | RED category, selected test shape, evidence-backed cases, rejected speculation, verification objective, commands, and remaining test-design risk |
+| Tests are added, updated, removed, or audited | `.mustflow/skills/test-maintenance/SKILL.md` | Changed behavior or stale-test evidence | Test files and related source | contract drift | `test`, `test_related`, `test_audit`, `snapshot_update`, `lint`, `build` | Test rationale and verification |
+
+### Documentation and Release
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
+| Claims, adoption decisions, research notes, methodology recommendations, tool comparisons, or external summaries depend on current, external, dated, versioned, or otherwise drift-prone sources | `.mustflow/skills/source-freshness-check/SKILL.md` | Stale-sensitive claim or recommendation, source text or page, date or version context, source policy, and intended adoption surface | Source wording, documentation, skill procedures, templates, tests, schemas, and freshness report | stale or unverifiable claim, copied external authority, or unsafe adoption | `changes_status`, `docs_validate_fast`, `mustflow_check` | Checked source boundary, research split, adoption decision, wording changes, skipped refreshes, and stale-source risk |
+| `README.md` is created, restructured, or substantially rewritten | `.mustflow/skills/readme-authoring/SKILL.md` | User request, existing README if any, repository evidence, nearest instructions, and command contracts | `README.md` and directly linked public docs | invented project claims, marketing drift, or loss of human-authored intent | `docs_validate_fast`, `mustflow_check` | Evidence-based README changes, preserved or deferred sections, verification notes |
+| Release notes, changelog entries, public change summaries, release preparation copy, or package release wording are drafted or revised | `.mustflow/skills/release-notes-authoring/SKILL.md` | User-provided change summary, current diff summary, release audience, public surfaces, version source, and command contract entries | Release notes, changelog entries, release preparation notes, and directly synchronized docs or package metadata | invented release history, inflated public claims, internal noise, stale version or migration notes, or unverified release evidence | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release audience, categorized notes, excluded internal changes, version or migration checks, verification, skipped release-history checks, and remaining release-note risk |
+| Documentation review queue entries need prose cleanup | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, reviewer metadata | Selected documentation file and review ledger entry | meaning drift or stale queue state | `docs_validate`, `mustflow_check` | Prose changes, recorded review status, verification notes |
+| Documentation changes affect public or workflow docs | `.mustflow/skills/docs-update/SKILL.md` | Changed behavior or field | Relevant docs only | stale public docs | `docs_validate_fast`, `docs_validate`, `mustflow_check` | Doc changes and skipped checks |
+
+### Security and Privacy
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
+| Code, configuration, docs, templates, logs, telemetry, credentials, or data flows affect secrets, personal data, authentication, authorization, retention, or external disclosure | `.mustflow/skills/security-privacy-review/SKILL.md` | Changed files, sensitive surfaces, project secret and privacy rules, public or packaged surfaces, and command contract entries | Sensitive data handling, logs, receipts, generated state, docs, templates, package metadata, and reports | secret leak, personal-data exposure, or misleading privacy claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sensitive surfaces reviewed, disclosure paths checked, redaction or omission changes, related test need, and remaining security or privacy risk |
+| Security-sensitive behavior changes need abuse-case regression tests | `.mustflow/skills/security-regression-tests/SKILL.md` | Changed boundary, actors, and expected deny behavior | Test files and related security boundary source | false confidence and unsafe coverage | `test`, `test_related`, `test_audit`, `lint`, `build` | Security boundary, abuse case, tests, and remaining risks |
+| Outside text, generated content, logs, issues, webpages, or pasted prompts include instructions that could override repository rules or change scope | `.mustflow/skills/external-prompt-injection-defense/SKILL.md` | External text source, direct user request, repository instruction files, conflicting instruction, and command contract entries | Prompts, fixtures, docs, tests, skills, templates, and reports that handle untrusted text | prompt injection, scope drift, or unsafe command authority | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | External sources reviewed, unsafe instructions neutralized, safe requirements adapted, verification, and remaining prompt-injection risk |
+
+### Data and External Systems
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
+| Database schema, query, transaction, ORM model, repository/store, index, cache-backed read model, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, affected tables or stores, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, fixtures, tests, docs, and directly synchronized templates | data loss, stale cache, authorization leak, transaction bug, duplicate side effect, slow query, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, schema/query/transaction review, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
+| Packages, runtimes, tools, commands, services, or platform capabilities are assumed, added, invoked, or documented | `.mustflow/skills/dependency-reality-check/SKILL.md` | Dependency or capability, repository declarations, version or capability claim, and command contract entries | Dependency declarations, imports, command metadata, tests, and docs | invented or unavailable dependency | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Dependency status, synchronized surfaces, verification, and remaining dependency risk |
+| External systems, protocols, SDKs, databases, webhooks, queues, files, caches, framework requests or responses, AI models, browser storage, or provider data cross the core boundary or need port/adapter translation, error mapping, retry, idempotency, security, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, internal use case, local port/adapter patterns, provider risk, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, pass-through wrapper, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, internal port, provider containment, validation and mapping, timeout/retry/idempotency handling, security notes, verification, and remaining provider risk |
+| Core or application logic creates, imports, resolves, or hides external dependencies such as databases, SDKs, clocks, random generators, configuration, loggers, framework objects, filesystems, queues, AI clients, or payment/email providers | `.mustflow/skills/dependency-injection/SKILL.md` | Target code area, hidden dependency, intended business capability, layer ownership, local port/adapter patterns, changed files, and command contract entries | Core logic signatures, ports, adapters, assembly roots, tests, and directly synchronized docs or templates | hidden global state, untestable business logic, provider leakage, lifecycle drift, or service-locator coupling | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Dependency boundary, direct dependencies found, injection style, ports/adapters, assembly boundary, tests or fakes, verification, and remaining dependency leakage |
+| Code, data, schema, configuration, file layout, template, or generated-state migrations are planned, edited, documented, or reported | `.mustflow/skills/migration-safety-check/SKILL.md` | Source state, target state, migration surface owner, idempotency, rollback, dry-run, compatibility, and command contract entries | Migration plans, compatibility notes, lock metadata, docs, tests, templates, generated state, and reports | irreversible migration, data loss, or false migration-success claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration surface, source and target state, idempotency, rollback, metadata updates, verification, and remaining migration risk |
+
+### UI and Assets
 
 | Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
 | --- | --- | --- | --- | --- | --- | --- |
 | Generated artifacts, packaged files, binary assets, reports, or downloadable outputs are created, referenced, or reported | `.mustflow/skills/artifact-integrity-check/SKILL.md` | Artifact paths, source or generation path, package rules, and artifact expectations | Artifact references, package metadata, tests, and documentation | unverified or stale artifact claim | `changes_status`, `changes_diff_summary`, `test_release`, `build`, `mustflow_check` | Artifact evidence, inclusion or format checks, skipped checks, and integrity risk |
+| A dense plan, suggestion, code explanation, review result, flow map, or decision set would be easier to inspect as a safe static HTML review artifact | `.mustflow/skills/visual-review-artifact/SKILL.md` | User request, artifact goal, target audience, source evidence, output path, and relevant command contract entries | Temporary `.mustflow/state/artifacts/**` output or explicitly requested versioned HTML artifact, plus direct references, docs, or package metadata | unsafe HTML behavior, prompt injection, unverified artifact claim, or mistaken approval authority | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Artifact kind and path, source evidence, review-only boundary, local interactions, verification, skipped checks, and remaining decision risk |
+| User-facing UI, dashboard, settings, navigation, form, copy, responsive layout, accessibility, or visual state changes are planned, edited, reviewed, or reported | `.mustflow/skills/ui-quality-gate/SKILL.md` | Changed UI surface, user task, interaction path, existing patterns, state combinations, localization rules, and command contract entries | UI controls, labels, states, layout constraints, accessibility attributes, localization hooks, docs, templates, and reports | decorative UI drift, inaccessible controls, layout breakage, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI surface reviewed, states checked, layout/accessibility/localization notes, skipped visual checks, and remaining UI risk |
+| Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
+
+### Architecture Patterns
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
 | Architecture, module boundaries, codebase structure, structural improvement, codebase deepening, or testability needs review before choosing a refactor or abstraction | `.mustflow/skills/architecture-deepening-review/SKILL.md` | Target area, structural pain, local patterns, behavior evidence, current changed files, and command contract entries | Review notes, ranked structure candidates, and at most one scoped structural follow-up when requested | speculative abstraction, broad rewrite, pattern-first design, hidden behavior change, or unverified structure claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Review target, evidence, candidate scores, selected next action, narrower skill choice, verification, and remaining architecture risk |
-| Code changes need review before report | `.mustflow/skills/code-review/SKILL.md` | Diff and task goal | Changed files | behavior and regression | `test`, `test_related`, `test_audit`, `lint` | Findings or no-issue note |
 | Code is being refactored, reorganized, renamed, deduplicated, simplified, or structurally improved while existing behavior should be preserved | `.mustflow/skills/behavior-preserving-refactor/SKILL.md` | Refactoring goal, target area, behavior evidence, local patterns, current changed files, and command contract entries | Small behavior-preserving refactor steps, related tests, and directly synchronized docs or contracts | hidden behavior change, broad cleanup, misleading abstraction, unsafe deduplication, or unverified legacy change | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Goal, behavior evidence, structural risks, refactoring ladder, changes made, excluded behavior changes, verification, and remaining risks |
 | Class inheritance, base classes, abstract classes, template methods, protected state, mixins, framework subclasses, or subtype hierarchies are introduced, reviewed, or refactored, especially for behavior reuse or feature variants | `.mustflow/skills/composition-over-inheritance/SKILL.md` | Inheritance surface, reuse goal, change dimensions, local composition patterns, compatibility constraints, current changed files, and command contract entries | Classes, functions, role interfaces, policies, strategies, adapters, decorators, state machines, tests, wrappers, and directly synchronized docs or templates | fragile parent-child coupling, subclass explosion, broken substitutability, hidden protected state, over-composition, or untested behavior-preserving refactor | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Inheritance review, keep-or-replace decision, change dimensions, composition pattern, tests, verification, and remaining hierarchy risk |
 | Multiple interchangeable algorithms, policies, calculations, scoring methods, sorting methods, recommendation methods, pricing rules, discount rules, shipping methods, payment methods, notification methods, permission policies, provider choices, feature-flag variants, or repeated branches choose how to do the same kind of work | `.mustflow/skills/strategy-pattern/SKILL.md` | Stable workflow, variants and shared purpose, current branch locations, common input and output shape, selection criteria, local Result, dependency injection, decorator, registry, and test patterns, current changed files, and command contract entries | Strategy function types, interfaces, concrete strategies, selectors, resolvers, registries, decorators, context wiring, tests, and directly synchronized docs or templates | over-abstracted small branch, wrong use-case grouping, context knowing concrete strategies, silent fallback, unsafe user-selected strategy, request-stateful strategy, strategy combination explosion, or untested selector behavior | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Strategy classification, shared contract, strategy registry, selector or resolver, default and unsupported-key behavior, tests, verification, and remaining strategy risk |
@@ -42,42 +158,21 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
 | Domain objects have lifecycle state, status fields, phase or step fields, allowed actions depend on state, transitions are scattered, external results change state, duplicate events are possible, or state changes need transition tables, guards, effects, history, idempotency, or concurrency control | `.mustflow/skills/state-machine-pattern/SKILL.md` | Entity, state field, state list, event list, terminal states, current state-changing code, guards, context facts, effects, history, idempotency, concurrency risks, local Result and outbox patterns, and command contract entries | State unions, event unions, transition tables, guard functions, pure transition functions, dispatch shell, outbox, transition logs, idempotency records, available-action helpers, tests, and directly synchronized docs or templates | direct state assignment, hidden invalid transition, silent no-op, impure guard, external effect before commit, duplicate webhook damage, state explosion, stale concurrent transition, UI/server rule drift, or untested lifecycle | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Lifecycle classification, states and events, transition table, guards and context facts, effects and history, idempotency and concurrency choices, direct assignment cleanup, tests, verification, and remaining state-machine risk |
 | Expected failures, meaningful absence, null or undefined returns, thrown business errors, boolean success flags, raw string errors, repository lookups, validation, parsing, external adapter errors, or boundary error mapping need explicit value-based handling | `.mustflow/skills/result-option/SKILL.md` | Operation semantics, absence and failure cases, local Result/Option/error conventions, layer ownership, public response rules, sensitive data constraints, changed files, and command contract entries | Result and Option helpers, function signatures, typed errors, boundary mappers, repository/service/controller contracts, tests, and directly synchronized docs or templates | hidden null, swallowed error, thrown business failure, ambiguous boolean result, provider error leakage, public error-shape drift, or over-wrapped total function | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Return shape decision, error codes and categories, absence handling, boundary conversions, preserved throw paths, tests, verification, and remaining exception or null risk |
 | Repeated null, undefined, None, or nil checks, optional dependencies, disabled integrations, null loggers, null analytics, null caches, optional notifications, no-op collaborators, identity processors, or safe neutral implementations are introduced or refactored | `.mustflow/skills/null-object-pattern/SKILL.md` | Optional collaborator, interface, absence semantics, caller branch needs, neutral output, required side effects, security, money, data, and audit risks, assembly location, local Result, Option, dependency injection, strategy, and test patterns | Interfaces, null, no-op, disabled, identity, empty, deny-all, or failing implementations, assembly wiring, non-null dependency types, tests, and directly synchronized docs or templates | hidden required failure, fake success, authorization bypass, dropped persistence, skipped audit, swallowed initialization error, stateful null object, or caller still nullable | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Absence classification, null object decision, neutral implementation, assembly selection, nullable caller cleanup, tests, verification, and remaining hidden-failure risk |
-| User requirements, acceptance criteria, issue reports, bug reports, product notes, compatibility promises, or examples must be preserved as regression coverage before or during implementation | `.mustflow/skills/requirement-regression-guard/SKILL.md` | Requirement source, observable behavior, existing tests or fixtures, implementation scope, changed files, and command contract entries | Focused tests, fixtures, examples, schemas, docs, and implementation changes directly tied to the requirement | untested requirement, invented acceptance criteria, weakened tests, hidden behavior drift, or unverifiable implementation claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Requirement sources, coverage map, guards added or reused, implementation changes, deferred requirements, verification, and remaining regression risk |
+| Implementation in an unfamiliar area needs a local precedent before new structure is introduced | `.mustflow/skills/pattern-scout/SKILL.md` | User request, intended file area, nearby examples, and current changed files | Pattern evidence and files needed to follow it | invented parallel structure | `changes_status`, `changes_diff_summary`, `mustflow_check` | Local pattern, applied alignment, intentional deviations, and verification |
+
+### Workflow and Contract Maintenance
+
+| Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
+| --- | --- | --- | --- | --- | --- | --- |
 | Multiple AI workers, subagents, external agents, parallel task runners, or worktree-based worker roles are planned or used for one repository task | `.mustflow/skills/multi-agent-work-coordination/SKILL.md` | Task goal, worker roles, write permissions, file ownership, workspace isolation, credential boundary, merge owner, and command contract entries | Coordination plan, worker instructions, ownership boundaries, merge notes, and directly synchronized tests or docs | same-file races, conflicting instructions, leaked credentials, shared auth cache, untrusted worker output, merge drift, or unverified parallel result | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Worker limit, role map, write ownership, isolation and credential boundaries, merge owner, verification, skipped checks, and remaining coordination risk |
-| An unfamiliar codebase area needs an evidence-based map before planning, implementation, or reporting | `.mustflow/skills/codebase-orientation/SKILL.md` | User request, target area, relevant instructions, and current source, test, schema, template, configuration, or documentation files | Read-only orientation notes and any smallest follow-up edit chosen from inspected evidence | stale documentation, wrong ownership boundary, or invented architecture claim | `changes_status`, `changes_diff_summary`, `mustflow_check` | Scope inspected, entrypoints, flow map, ownership boundaries, verification options, risks, unknowns, and smallest safe next step |
 | Repository improvement, audit, prioritization, stabilization, polish, onboarding, contributor-readiness, production-readiness, or iterative improvement is requested without a single predetermined edit | `.mustflow/skills/repo-improvement-loop/SKILL.md` | User goal, improvement mode, repository evidence, candidate risks, current changed files, and command contract entries | Repository diagnosis, ranked candidates, and at most one scoped improvement cycle unless the user explicitly requests analysis-only | idea spam, ungrounded prioritization, autonomous loop drift, broad rewrite, or unverified improvement claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Mode, evidence inspected, scored candidates, selected improvement, files changed or analysis-only note, verification, next improvement question, and stop reason |
-| A dense plan, suggestion, code explanation, review result, flow map, or decision set would be easier to inspect as a safe static HTML review artifact | `.mustflow/skills/visual-review-artifact/SKILL.md` | User request, artifact goal, target audience, source evidence, output path, and relevant command contract entries | Temporary `.mustflow/state/artifacts/**` output or explicitly requested versioned HTML artifact, plus direct references, docs, or package metadata | unsafe HTML behavior, prompt injection, unverified artifact claim, or mistaken approval authority | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Artifact kind and path, source evidence, review-only boundary, local interactions, verification, skipped checks, and remaining decision risk |
-| Changed files need risk classification and verification selection | `.mustflow/skills/diff-risk-review/SKILL.md` | Changed-file list, diff summary, and task goal | Changed surfaces and verification report | under- or over-verification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Risk level, verification choice, rollback notes |
 | Declared behavior must stay aligned across code, schemas, templates, tests, and docs | `.mustflow/skills/contract-sync-check/SKILL.md` | Changed files, intended behavior, source of truth, derived surfaces, and command contract entries | Contract source and required synchronized surfaces | contract drift | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Contract source, synchronized surfaces, deferred surfaces, verification, and drift risk |
 | Dates, versions, counts, durations, limits, metrics, benchmarks, prices, percentages, or other numeric facts are created, edited, or reported | `.mustflow/skills/date-number-audit/SKILL.md` | Date or numeric fact, source of truth, dependent surfaces, precision expectation, and command contract entries | Numeric statements, metadata, tests, docs, templates, and reports | invented, stale, or mismatched numeric claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Audited values, source of truth, synchronized surfaces, skipped checks, and remaining numeric risk |
-| Database schema, query, transaction, ORM model, repository/store, index, cache-backed read model, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, affected tables or stores, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, fixtures, tests, docs, and directly synchronized templates | data loss, stale cache, authorization leak, transaction bug, duplicate side effect, slow query, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, schema/query/transaction review, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
-| Packages, runtimes, tools, commands, services, or platform capabilities are assumed, added, invoked, or documented | `.mustflow/skills/dependency-reality-check/SKILL.md` | Dependency or capability, repository declarations, version or capability claim, and command contract entries | Dependency declarations, imports, command metadata, tests, and docs | invented or unavailable dependency | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Dependency status, synchronized surfaces, verification, and remaining dependency risk |
-| External systems, protocols, SDKs, databases, webhooks, queues, files, caches, framework requests or responses, AI models, browser storage, or provider data cross the core boundary or need port/adapter translation, error mapping, retry, idempotency, security, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, internal use case, local port/adapter patterns, provider risk, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, pass-through wrapper, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, internal port, provider containment, validation and mapping, timeout/retry/idempotency handling, security notes, verification, and remaining provider risk |
-| Core or application logic creates, imports, resolves, or hides external dependencies such as databases, SDKs, clocks, random generators, configuration, loggers, framework objects, filesystems, queues, AI clients, or payment/email providers | `.mustflow/skills/dependency-injection/SKILL.md` | Target code area, hidden dependency, intended business capability, layer ownership, local port/adapter patterns, changed files, and command contract entries | Core logic signatures, ports, adapters, assembly roots, tests, and directly synchronized docs or templates | hidden global state, untestable business logic, provider leakage, lifecycle drift, or service-locator coupling | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Dependency boundary, direct dependencies found, injection style, ports/adapters, assembly boundary, tests or fakes, verification, and remaining dependency leakage |
 | Git reports CRLF/LF warnings or tracked text files may need line-ending normalization | `.mustflow/skills/line-ending-hygiene/SKILL.md` | Warning text or changed-file evidence, line-ending policy, changed-file status, and command contract entries | Line-ending policy files, tracked text files, command metadata, tests, and reports | silent working-tree rewrite or policy drift | `line_endings_check`, `changes_status`, `mustflow_check` | Policy found, drift files, normalization status, verification, and remaining line-ending risk |
-| Performance budgets, bundle size, page weight, startup time, command duration, memory use, asset size, throughput, latency, benchmark output, or performance claims are planned, edited, reviewed, or reported | `.mustflow/skills/performance-budget-check/SKILL.md` | Performance surface, budget source, measurement method, environment boundary, and command contract entries | Budget checks, thresholds, measurements, dependency tradeoff notes, tests, docs, package metadata, and reports | invented budgets, stale measurements, hidden performance cost, or unverified speed claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Performance surface, budget source, measurement boundary, synchronized claims, skipped measurements, and remaining performance risk |
-| The user explicitly requests TDD, test-first work, red-green-refactor, RED/GREEN, or one observable behavior slice at a time | `.mustflow/skills/vertical-slice-tdd/SKILL.md` | TDD trigger, first behavior contract, existing tests, expected RED category, baseline status, and command contract entries | One focused test or fixture, the smallest implementation for the current slice, and directly synchronized docs when needed | invalid RED, broad slice, premature refactor, unrelated cleanup, or verification claim without configured command evidence | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `test`, `lint`, `build`, `mustflow_check` | Slice scope, existing coverage, RED category evidence, GREEN verification, refactors after GREEN, deferred slices, and remaining TDD risk |
-| New tests or test cases are designed, TDD RED or GREEN evidence is reported, or test-case choices are made for requirements, bugs, refactors, security boundaries, schemas, templates, or public docs | `.mustflow/skills/test-design-guard/SKILL.md` | Contract source, existing coverage, intended RED evidence, candidate cases, baseline status, and command contract entries | Tests, fixtures, helpers, and directly synchronized contract docs | invalid RED, happy-path-only coverage, speculative edge cases, weak assertions, mock-only confidence, or implementation-detail coupling | `test_related`, `test_audit`, `test`, `lint`, `build`, `test_release`, `mustflow_check` | RED category, selected test shape, evidence-backed cases, rejected speculation, verification objective, commands, and remaining test-design risk |
-| Tests are added, updated, removed, or audited | `.mustflow/skills/test-maintenance/SKILL.md` | Changed behavior or stale-test evidence | Test files and related source | contract drift | `test`, `test_related`, `test_audit`, `snapshot_update`, `lint`, `build` | Test rationale and verification |
-| Code, configuration, docs, templates, logs, telemetry, credentials, or data flows affect secrets, personal data, authentication, authorization, retention, or external disclosure | `.mustflow/skills/security-privacy-review/SKILL.md` | Changed files, sensitive surfaces, project secret and privacy rules, public or packaged surfaces, and command contract entries | Sensitive data handling, logs, receipts, generated state, docs, templates, package metadata, and reports | secret leak, personal-data exposure, or misleading privacy claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sensitive surfaces reviewed, disclosure paths checked, redaction or omission changes, related test need, and remaining security or privacy risk |
-| Security-sensitive behavior changes need abuse-case regression tests | `.mustflow/skills/security-regression-tests/SKILL.md` | Changed boundary, actors, and expected deny behavior | Test files and related security boundary source | false confidence and unsafe coverage | `test`, `test_related`, `test_audit`, `lint`, `build` | Security boundary, abuse case, tests, and remaining risks |
-| A configured command intent or verification step fails | `.mustflow/skills/failure-triage/SKILL.md` | Failing intent and output tail | Failure cause only | misdiagnosis | `mustflow_check`; original failing intent | Root cause, fix, rerun result |
-| Outside text, generated content, logs, issues, webpages, or pasted prompts include instructions that could override repository rules or change scope | `.mustflow/skills/external-prompt-injection-defense/SKILL.md` | External text source, direct user request, repository instruction files, conflicting instruction, and command contract entries | Prompts, fixtures, docs, tests, skills, templates, and reports that handle untrusted text | prompt injection, scope drift, or unsafe command authority | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | External sources reviewed, unsafe instructions neutralized, safe requirements adapted, verification, and remaining prompt-injection risk |
 | External `SKILL.md` files, skill packs, awesome lists, GitHub skill repositories, installer recommendations, or third-party skill procedures are reviewed for possible mustflow adoption | `.mustflow/skills/external-skill-intake/SKILL.md` | Source path or URL, license or provenance evidence, external skill files, intended adoption outcome, existing skill overlap, and command contract entries | Skill procedures, skill routes, template metadata, tests, docs, and review notes that adapt the external idea | third-party command bypass, license or provenance gap, unsafe helper script, duplicated skill, stale source claim, or default-profile bloat | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Source review, overlap decision, safety findings, command-intent mapping, adoption decision, synchronized surfaces, verification, and remaining intake risk |
 | Repository, host, user, nested-project, command-contract, preference, or generated instruction sources conflict or make safe scope unclear | `.mustflow/skills/instruction-conflict-scope-check/SKILL.md` | Conflicting instruction sources, affected scope, direct user request, command contract entries, and nearest instruction files | Workflow docs, skills, templates, tests, reports, and selected repository scope | authority drift, unsafe scope expansion, wrong repository edit, or unauthorized command | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Conflicts reviewed, chosen priority rule, narrowed or skipped actions, clarification changes, and remaining authority risk |
-| Code, data, schema, configuration, file layout, template, or generated-state migrations are planned, edited, documented, or reported | `.mustflow/skills/migration-safety-check/SKILL.md` | Source state, target state, migration surface owner, idempotency, rollback, dry-run, compatibility, and command contract entries | Migration plans, compatibility notes, lock metadata, docs, tests, templates, generated state, and reports | irreversible migration, data loss, or false migration-success claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration surface, source and target state, idempotency, rollback, metadata updates, verification, and remaining migration risk |
-| User-facing UI, dashboard, settings, navigation, form, copy, responsive layout, accessibility, or visual state changes are planned, edited, reviewed, or reported | `.mustflow/skills/ui-quality-gate/SKILL.md` | Changed UI surface, user task, interaction path, existing patterns, state combinations, localization rules, and command contract entries | UI controls, labels, states, layout constraints, accessibility attributes, localization hooks, docs, templates, and reports | decorative UI drift, inaccessible controls, layout breakage, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI surface reviewed, states checked, layout/accessibility/localization notes, skipped visual checks, and remaining UI risk |
-| Implementation in an unfamiliar area needs a local precedent before new structure is introduced | `.mustflow/skills/pattern-scout/SKILL.md` | User request, intended file area, nearby examples, and current changed files | Pattern evidence and files needed to follow it | invented parallel structure | `changes_status`, `changes_diff_summary`, `mustflow_check` | Local pattern, applied alignment, intentional deviations, and verification |
-| New feature, module, folder layout, architecture, scaffold, refactor, routing, data model, or external service integration may require hidden structure decisions before coding | `.mustflow/skills/structure-discovery-gate/SKILL.md` | User request, intended capability, hidden assumptions, named technologies or services, and relevant local patterns | Questions, assumptions, proposed file boundaries, and the smallest resulting implementation | brittle structure, vendor-name leakage, over-questioning, or speculative abstraction | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Blocking questions, assumptions, proposed files and responsibilities, dependency direction, local pattern, verification, and remaining structure risk |
-| A bug or confusing failure needs a fix before the smallest deterministic reproduction or cause is clear | `.mustflow/skills/repro-first-debug/SKILL.md` | Symptom, expected behavior, observed output, failing intent or action, likely changed files, and known flakiness or environment limits | Diagnostic reads, focused reproduction, temporary instrumentation, smallest fix, and symptom-tied regression guard | speculative fix, flaky reproduction, lingering debug output, broad unrelated test, or over-testing | `test_related`, `test_fast`, `mustflow_check` | Symptom, reproduction path or gap, hypotheses, observations, fix, original reproduction rerun, verification, and remaining risk |
-| Claims, adoption decisions, research notes, methodology recommendations, tool comparisons, or external summaries depend on current, external, dated, versioned, or otherwise drift-prone sources | `.mustflow/skills/source-freshness-check/SKILL.md` | Stale-sensitive claim or recommendation, source text or page, date or version context, source policy, and intended adoption surface | Source wording, documentation, skill procedures, templates, tests, schemas, and freshness report | stale or unverifiable claim, copied external authority, or unsafe adoption | `changes_status`, `docs_validate_fast`, `mustflow_check` | Checked source boundary, research split, adoption decision, wording changes, skipped refreshes, and stale-source risk |
 | `.mustflow/context/PROJECT.md` needs cautious project context | `.mustflow/skills/project-context-authoring/SKILL.md` | Supported project facts | `.mustflow/context/PROJECT.md` | authority drift | `mustflow_check` | Updated cautious context |
 | Skill procedures or routes are created or maintained | `.mustflow/skills/skill-authoring/SKILL.md` | Repeated task evidence | `.mustflow/skills/**` | overlap and command drift | `mustflow_check`, `docs_validate` | Skill route and procedure changes |
-| `README.md` is created, restructured, or substantially rewritten | `.mustflow/skills/readme-authoring/SKILL.md` | User request, existing README if any, repository evidence, nearest instructions, and command contracts | `README.md` and directly linked public docs | invented project claims, marketing drift, or loss of human-authored intent | `docs_validate_fast`, `mustflow_check` | Evidence-based README changes, preserved or deferred sections, verification notes |
-| Release notes, changelog entries, public change summaries, release preparation copy, or package release wording are drafted or revised | `.mustflow/skills/release-notes-authoring/SKILL.md` | User-provided change summary, current diff summary, release audience, public surfaces, version source, and command contract entries | Release notes, changelog entries, release preparation notes, and directly synchronized docs or package metadata | invented release history, inflated public claims, internal noise, stale version or migration notes, or unverified release evidence | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release audience, categorized notes, excluded internal changes, version or migration checks, verification, skipped release-history checks, and remaining release-note risk |
-| Documentation review queue entries need prose cleanup | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, reviewer metadata | Selected documentation file and review ledger entry | meaning drift or stale queue state | `docs_validate`, `mustflow_check` | Prose changes, recorded review status, verification notes |
-| Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
-| Documentation changes affect public or workflow docs | `.mustflow/skills/docs-update/SKILL.md` | Changed behavior or field | Relevant docs only | stale public docs | `docs_validate_fast`, `docs_validate`, `mustflow_check` | Doc changes and skipped checks |
 
 When introducing a new skill, link it here and define the specific trigger and route fields.
 Avoid including raw shell commands in skill documents; instead, reference the command intent

package/templates/default/locales/en/.mustflow/skills/routes.toml

@@ -0,0 +1,289 @@
+schema_version = "1"
+
+[routes."artifact-integrity-check"]
+category = "ui_assets"
+route_type = "adjunct"
+priority = 80
+applies_to_reasons = ["package_metadata_change", "release_risk"]
+
+[routes."architecture-deepening-review"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 70
+applies_to_reasons = ["code_change", "cross_cutting_code_change"]
+
+[routes."code-review"]
+category = "general_code"
+route_type = "primary"
+priority = 50
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."behavior-preserving-refactor"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 40
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."composition-over-inheritance"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 80
+applies_to_reasons = ["code_change"]
+
+[routes."strategy-pattern"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 80
+applies_to_reasons = ["code_change"]
+
+[routes."command-pattern"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 80
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."facade-pattern"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 80
+applies_to_reasons = ["code_change"]
+
+[routes."pure-core-imperative-shell"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 80
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."state-machine-pattern"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 80
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."result-option"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 75
+applies_to_reasons = ["code_change", "public_api_change"]
+
+[routes."null-object-pattern"]
+category = "architecture_patterns"
+route_type = "primary"
+priority = 75
+applies_to_reasons = ["code_change"]
+
+[routes."requirement-regression-guard"]
+category = "tests"
+route_type = "adjunct"
+priority = 35
+applies_to_reasons = ["behavior_change", "test_change"]
+
+[routes."multi-agent-work-coordination"]
+category = "workflow_contracts"
+route_type = "adjunct"
+priority = 90
+applies_to_reasons = ["workflow_change"]
+
+[routes."codebase-orientation"]
+category = "general_code"
+route_type = "primary"
+priority = 20
+applies_to_reasons = ["unknown_change", "code_change"]
+
+[routes."repo-improvement-loop"]
+category = "workflow_contracts"
+route_type = "primary"
+priority = 45
+applies_to_reasons = ["mustflow_docs_change", "mustflow_config_change"]
+
+[routes."visual-review-artifact"]
+category = "ui_assets"
+route_type = "adjunct"
+priority = 75
+applies_to_reasons = ["docs_change"]
+
+[routes."diff-risk-review"]
+category = "general_code"
+route_type = "adjunct"
+priority = 30
+applies_to_reasons = ["unknown_change", "code_change"]
+
+[routes."contract-sync-check"]
+category = "workflow_contracts"
+route_type = "adjunct"
+priority = 25
+applies_to_reasons = ["public_api_change", "package_metadata_change", "mustflow_config_change"]
+
+[routes."date-number-audit"]
+category = "workflow_contracts"
+route_type = "adjunct"
+priority = 25
+applies_to_reasons = ["docs_change", "package_metadata_change"]
+
+[routes."database-change-safety"]
+category = "data_external"
+route_type = "primary"
+priority = 55
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."dependency-reality-check"]
+category = "data_external"
+route_type = "adjunct"
+priority = 45
+applies_to_reasons = ["code_change", "docs_change"]
+
+[routes."adapter-boundary"]
+category = "data_external"
+route_type = "primary"
+priority = 55
+applies_to_reasons = ["code_change", "behavior_change"]
+
+[routes."dependency-injection"]
+category = "data_external"
+route_type = "primary"
+priority = 70
+applies_to_reasons = ["code_change"]
+
+[routes."line-ending-hygiene"]
+category = "workflow_contracts"
+route_type = "event"
+priority = 70
+applies_to_reasons = ["formatting_change"]
+
+[routes."performance-budget-check"]
+category = "general_code"
+route_type = "adjunct"
+priority = 70
+applies_to_reasons = ["performance_change"]
+
+[routes."vertical-slice-tdd"]
+category = "tests"
+route_type = "primary"
+priority = 60
+applies_to_reasons = ["test_change", "behavior_change"]
+
+[routes."test-design-guard"]
+category = "tests"
+route_type = "adjunct"
+priority = 40
+applies_to_reasons = ["test_change", "behavior_change"]
+
+[routes."test-maintenance"]
+category = "tests"
+route_type = "primary"
+priority = 45
+applies_to_reasons = ["test_change"]
+
+[routes."security-privacy-review"]
+category = "security_privacy"
+route_type = "adjunct"
+priority = 30
+applies_to_reasons = ["security_change", "privacy_change"]
+
+[routes."security-regression-tests"]
+category = "security_privacy"
+route_type = "adjunct"
+priority = 50
+applies_to_reasons = ["security_change", "test_change"]
+
+[routes."failure-triage"]
+category = "bug_failure"
+route_type = "event"
+priority = 20
+applies_to_reasons = ["command_failure"]
+
+[routes."external-prompt-injection-defense"]
+category = "security_privacy"
+route_type = "adjunct"
+priority = 40
+applies_to_reasons = ["docs_change", "security_change"]
+
+[routes."external-skill-intake"]
+category = "workflow_contracts"
+route_type = "authoring"
+priority = 70
+applies_to_reasons = ["mustflow_docs_change"]
+
+[routes."instruction-conflict-scope-check"]
+category = "workflow_contracts"
+route_type = "adjunct"
+priority = 35
+applies_to_reasons = ["mustflow_docs_change", "mustflow_config_change"]
+
+[routes."migration-safety-check"]
+category = "data_external"
+route_type = "adjunct"
+priority = 60
+applies_to_reasons = ["migration_change"]
+
+[routes."ui-quality-gate"]
+category = "ui_assets"
+route_type = "primary"
+priority = 50
+applies_to_reasons = ["ui_change"]
+
+[routes."pattern-scout"]
+category = "architecture_patterns"
+route_type = "adjunct"
+priority = 30
+applies_to_reasons = ["code_change"]
+
+[routes."structure-discovery-gate"]
+category = "general_code"
+route_type = "primary"
+priority = 35
+applies_to_reasons = ["code_change", "unknown_change"]
+
+[routes."repro-first-debug"]
+category = "bug_failure"
+route_type = "primary"
+priority = 25
+applies_to_reasons = ["behavior_change", "unknown_change"]
+
+[routes."source-freshness-check"]
+category = "docs_release"
+route_type = "adjunct"
+priority = 65
+applies_to_reasons = ["docs_change"]
+
+[routes."project-context-authoring"]
+category = "workflow_contracts"
+route_type = "authoring"
+priority = 65
+applies_to_reasons = ["mustflow_docs_change"]
+
+[routes."skill-authoring"]
+category = "workflow_contracts"
+route_type = "authoring"
+priority = 55
+applies_to_reasons = ["mustflow_docs_change"]
+
+[routes."readme-authoring"]
+category = "docs_release"
+route_type = "primary"
+priority = 50
+applies_to_reasons = ["docs_change"]
+
+[routes."release-notes-authoring"]
+category = "docs_release"
+route_type = "primary"
+priority = 55
+applies_to_reasons = ["release_risk", "docs_change"]
+
+[routes."docs-prose-review"]
+category = "docs_release"
+route_type = "adjunct"
+priority = 70
+applies_to_reasons = ["docs_change", "copy_change"]
+
+[routes."web-asset-optimization"]
+category = "ui_assets"
+route_type = "adjunct"
+priority = 65
+applies_to_reasons = ["image_asset_change", "web_asset_change"]
+
+[routes."docs-update"]
+category = "docs_release"
+route_type = "primary"
+priority = 35
+applies_to_reasons = ["docs_change", "copy_change", "i18n_change"]

package/templates/default/manifest.toml

@@ -1,6 +1,6 @@
 id = "default"
 name = "default"
-version = "1.31.0"
+version = "2.16.0"
 description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
 common_root = "common"
 locales_root = "locales"
@@ -10,6 +10,7 @@ creates = [
   ".mustflow/context/INDEX.md",
   ".mustflow/context/PROJECT.md",
   ".mustflow/skills/INDEX.md",
+  ".mustflow/skills/routes.toml",
   ".mustflow/skills/adapter-boundary/SKILL.md",
   ".mustflow/skills/artifact-integrity-check/SKILL.md",
   ".mustflow/skills/architecture-deepening-review/SKILL.md",
@@ -81,7 +82,7 @@ after_install = [
 
 [profiles]
 default = "minimal"
-available = ["minimal", "oss", "team", "product", "library"]
+available = ["minimal", "patterns", "oss", "team", "product", "library"]
 
 [skill_profiles]
 minimal = [
@@ -89,6 +90,31 @@ minimal = [
   "behavior-preserving-refactor",
   "code-review",
   "codebase-orientation",
+  "contract-sync-check",
+  "date-number-audit",
+  "database-change-safety",
+  "dependency-reality-check",
+  "diff-risk-review",
+  "docs-update",
+  "external-prompt-injection-defense",
+  "failure-triage",
+  "instruction-conflict-scope-check",
+  "pattern-scout",
+  "requirement-regression-guard",
+  "repro-first-debug",
+  "security-privacy-review",
+  "source-freshness-check",
+  "structure-discovery-gate",
+  "test-design-guard",
+  "test-maintenance",
+  "vertical-slice-tdd",
+]
+patterns = [
+  "adapter-boundary",
+  "architecture-deepening-review",
+  "behavior-preserving-refactor",
+  "code-review",
+  "codebase-orientation",
   "command-pattern",
   "composition-over-inheritance",
   "contract-sync-check",
@@ -105,6 +131,7 @@ minimal = [
   "null-object-pattern",
   "pattern-scout",
   "pure-core-imperative-shell",
+  "repo-improvement-loop",
   "result-option",
   "requirement-regression-guard",
   "repro-first-debug",