mustflow 2.103.21 → 2.103.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +7 -4
  2. package/dist/cli/commands/flow.js +93 -0
  3. package/dist/cli/commands/run/execution.js +1 -1
  4. package/dist/cli/commands/run/executor.js +28 -3
  5. package/dist/cli/commands/run/windows-command-script.js +23 -0
  6. package/dist/cli/commands/verify.js +4 -1
  7. package/dist/cli/i18n/en.js +11 -0
  8. package/dist/cli/i18n/es.js +11 -0
  9. package/dist/cli/i18n/fr.js +11 -0
  10. package/dist/cli/i18n/hi.js +11 -0
  11. package/dist/cli/i18n/ko.js +11 -0
  12. package/dist/cli/i18n/zh.js +11 -0
  13. package/dist/cli/index.js +1 -0
  14. package/dist/cli/lib/active-command-lock.js +4 -0
  15. package/dist/cli/lib/command-registry.js +7 -0
  16. package/dist/cli/lib/repo-flow-frontmatter.js +35 -0
  17. package/dist/cli/lib/repo-flow.js +209 -0
  18. package/dist/cli/lib/repo-map.js +3 -0
  19. package/dist/cli/lib/run-plan.js +8 -4
  20. package/dist/cli/lib/validation/constants.js +10 -0
  21. package/dist/cli/lib/validation/index.js +54 -1
  22. package/dist/core/generated-boundary.js +1 -0
  23. package/dist/core/retention-policy.js +4 -2
  24. package/dist/core/run-receipt-state.js +247 -0
  25. package/dist/core/run-receipt.js +5 -1
  26. package/package.json +2 -1
  27. package/templates/default/common/.mustflow/config/mustflow.toml +2 -2
  28. package/templates/default/i18n.toml +31 -7
  29. package/templates/default/locales/en/.mustflow/skills/INDEX.md +29 -6
  30. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +95 -23
  31. package/templates/default/locales/en/.mustflow/skills/axum-code-change/SKILL.md +219 -0
  32. package/templates/default/locales/en/.mustflow/skills/babylon-code-change/SKILL.md +318 -0
  33. package/templates/default/locales/en/.mustflow/skills/bun-code-change/SKILL.md +27 -12
  34. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +30 -5
  35. package/templates/default/locales/en/.mustflow/skills/elysia-code-change/SKILL.md +74 -20
  36. package/templates/default/locales/en/.mustflow/skills/godot-code-change/SKILL.md +272 -0
  37. package/templates/default/locales/en/.mustflow/skills/hono-code-change/SKILL.md +37 -23
  38. package/templates/default/locales/en/.mustflow/skills/routes.toml +28 -4
  39. package/templates/default/locales/en/.mustflow/skills/svelte-code-change/SKILL.md +65 -40
  40. package/templates/default/locales/en/.mustflow/skills/vue-code-change/SKILL.md +305 -0
  41. package/templates/default/manifest.toml +29 -1
@@ -0,0 +1,272 @@
1
+ ---
2
+ mustflow_doc: skill.godot-code-change
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: godot-code-change
9
+ description: Apply this skill when Godot projects, scenes, nodes, GDScript, C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, or Godot version migrations are created, changed, reviewed, or upgraded.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.godot-code-change
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - mustflow_check
24
+ ---
25
+
26
+ # Godot Code Change
27
+
28
+ <!-- mustflow-section: purpose -->
29
+ ## Purpose
30
+
31
+ Preserve Godot scene ownership, node lifecycle, Resource sharing, Autoload boundaries, signal flow,
32
+ save/load integrity, rendering budgets, physics stability, export behavior, and version migration
33
+ assumptions while making focused game or editor-tool changes.
34
+
35
+ Godot work is not "script changes plus some scenes". Many failures come from scene-tree coupling,
36
+ shared Resources mutated as instance state, Autoloads used as global storage, hidden signal
37
+ connections, per-frame tree searches, blocking loads, save files written into `res://`, or renderer
38
+ settings changed without profiling evidence.
39
+
40
+ <!-- mustflow-section: use-when -->
41
+ ## Use When
42
+
43
+ - `project.godot`, `.tscn`, `.tres`, `.res`, `.gd`, `.gdshader`, `.cs`, export presets, addons,
44
+ editor plugins, import settings, input maps, autoloads, groups, scenes, nodes, Resources, or
45
+ Godot-specific tests change.
46
+ - Scene composition, ownership, instancing, inherited scenes, node paths, unique names, exported
47
+ NodePath references, groups, signals, tweens, animations, UI Controls, Containers, camera,
48
+ rendering, physics, input, save/load, or export templates are created, changed, reviewed, or
49
+ upgraded.
50
+ - GDScript typing, `await`, signals, callables, `@onready`, `@export`, `ResourceLoader`,
51
+ `ResourceSaver`, `FileAccess`, `DirAccess`, `ConfigFile`, threaded loading, or Autoload behavior
52
+ affects runtime paths.
53
+ - A Godot 3.x to 4.x migration, Godot 4.x minor upgrade, renderer change, platform export change,
54
+ mobile/XR/input change, or plugin compatibility change is part of the task.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The repository does not use Godot and only changes general assets, docs, or game design prose.
60
+ - Generic C#, Rust, C++, JavaScript, or shader code changes have no Godot scene, resource, engine,
61
+ export, editor, or runtime lifecycle effect; use the matching language or asset skill instead.
62
+ - The task only updates external version prose; use source-freshness guidance unless this procedure
63
+ itself changes.
64
+ - Generated import files, caches, exported builds, or `.godot/` state should be regenerated by a
65
+ declared command rather than edited.
66
+
67
+ <!-- mustflow-section: required-inputs -->
68
+ ## Required Inputs
69
+
70
+ - Godot version, renderer, platform targets, export presets, project settings, input map, autoload
71
+ list, addon/plugin list, script language mix, and relevant official docs for the version in use.
72
+ - Scene ledger: entry scene, affected `.tscn` files, node ownership, instanced scenes, inherited
73
+ scenes, unique names, NodePaths, groups, signals, animation players, tweens, UI Containers,
74
+ physics nodes, cameras, lights, materials, Resources, and save/load participants.
75
+ - Runtime ledger: `_ready`, `_enter_tree`, `_exit_tree`, `_process`, `_physics_process`, input
76
+ callbacks, threaded loading, timers, deferred calls, scene transitions, queue/free behavior, and
77
+ profiler or frame-time evidence when performance is claimed.
78
+ - Data ledger: user data paths, save schema version, migration path, atomic write strategy,
79
+ Resource cache behavior, config defaults, validation rules, and untrusted file boundaries.
80
+ - Configured verification intents.
81
+
82
+ <!-- mustflow-section: preconditions -->
83
+ ## Preconditions
84
+
85
+ - Read project settings, affected scenes, scripts, Resources, autoload declarations, export presets,
86
+ and tests before editing.
87
+ - Identify the Godot major/minor version before applying version-specific syntax, migration, or
88
+ export guidance. Do not mix stable docs for one branch, latest docs for another branch, and blog
89
+ examples as if they were one source.
90
+ - Apply language-specific skills alongside this skill when C#, C++, Rust/GDExtension, shader, or
91
+ package/tooling behavior changes outside the Godot boundary.
92
+ - Apply security, data, performance, UI, accessibility, or release skills when the change touches
93
+ save-file trust, networked games, monetized state, rendering budgets, UI behavior, or export
94
+ artifacts.
95
+
96
+ <!-- mustflow-section: allowed-edits -->
97
+ ## Allowed Edits
98
+
99
+ - Keep scenes independently instantiable where practical. Parent nodes may coordinate children, but
100
+ child scenes should not hard-code distant parents, sibling internals, or `/root/Main` paths.
101
+ - Keep nodes for objects with lifecycle, transforms, notifications, or scene-tree behavior. Use
102
+ Resources, RefCounted, plain data, or DTOs for definitions and serializable state.
103
+ - Keep Autoloads limited to true process-wide services such as scene transition, save service,
104
+ audio bus control, settings, telemetry facade, or platform integration.
105
+ - Keep runtime-mutated Resources duplicated, local-to-scene, or separated from authoring data.
106
+ - Keep user-writable data under `user://`, not `res://`.
107
+ - Keep version-specific guidance behind a version gate and omit durable exact "latest" claims unless
108
+ refreshed from official sources.
109
+
110
+ <!-- mustflow-section: procedure -->
111
+ ## Procedure
112
+
113
+ 1. Read the Godot version, renderer, export targets, project settings, autoload declarations, input
114
+ map, addon list, affected scenes, scripts, Resources, shaders, import/export files, and tests.
115
+ 2. Apply the Version Gate:
116
+ - identify current Godot major/minor version and whether the project is 3.x, 4.x, or in a
117
+ migration window;
118
+ - use official docs for the branch actually in use before applying syntax, API, renderer, export,
119
+ or migration behavior;
120
+ - treat stable docs, latest docs, release notes, blog posts, and pasted upgrade notes as
121
+ different evidence tracks until reconciled;
122
+ - for 4.x projects, check obsolete 3.x habits such as `yield`, stringly signal connections,
123
+ renderer assumptions, old physics behavior, and global singleton patterns before copying code.
124
+ 3. Build a scene and ownership ledger:
125
+ - entry scene, world/UI split, instanced subscenes, inherited scenes, lifecycle owner, cleanup
126
+ owner, injected dependencies, sibling relationships, NodePaths, groups, signals, and public
127
+ scene contract;
128
+ - reject distant relative paths, `/root/Main` reach-through, sibling-to-sibling hard references,
129
+ and child scenes that cannot run or preview outside one parent unless that coupling is
130
+ intentional and documented.
131
+ 4. Review node lifecycle and runtime order:
132
+ - distinguish `_enter_tree`, `_ready`, `_exit_tree`, `_process`, `_physics_process`, input
133
+ callbacks, timers, deferred calls, and scene transition timing;
134
+ - do not assume a new scene is immediately ready after `change_scene_to_*`;
135
+ - remember that `queue_free()` is deferred deletion, `remove_child()` is detachment, and
136
+ `replace_by()` does not automatically free the old node.
137
+ 5. Review signals, groups, and flow visibility:
138
+ - use signals for events, not hidden remote commands;
139
+ - avoid duplicate connections on scene re-entry and lambdas that cannot be disconnected when
140
+ lifecycle requires cleanup;
141
+ - prefer typed signal/callable patterns for maintained 4.x code;
142
+ - treat `call_group` and `set_group` as broad broadcasts that can stutter when used on many
143
+ nodes; chunk, defer, or queue high-volume work.
144
+ 6. Review Autoload and global state:
145
+ - keep Autoload APIs narrow and service-like;
146
+ - avoid putting player health, enemy state, UI control state, per-level state, or transient
147
+ request data into globals;
148
+ - do not free Autoloads during normal runtime;
149
+ - ensure scene transitions through an Autoload have an explicit ordering contract.
150
+ 7. Review Resources and serialized data:
151
+ - remember that path-loaded Resources are cached shared references;
152
+ - never mutate authoring Resources as per-instance runtime state unless they are duplicated or
153
+ local-to-scene by design;
154
+ - keep item definitions, tuning tables, materials, and animation data separate from player save
155
+ state;
156
+ - avoid using instance overrides as an untracked data-management system.
157
+ 8. Review GDScript and language boundaries:
158
+ - use static typing on long-lived gameplay systems, save DTOs, inventory, combat math, settings,
159
+ networking, and scene-transition managers;
160
+ - avoid per-frame `find_child`, `find_children`, and `find_parent`; cache references with
161
+ `@onready`, unique names, exported references, or dependency injection;
162
+ - use `_process` only for per-frame behavior, `_physics_process` for fixed-step physics, and
163
+ input callbacks for input events.
164
+ 9. Review save/load, config, and file I/O:
165
+ - save state snapshots, not raw node trees;
166
+ - write user data to `user://`;
167
+ - put schema, game/content version, slot id, timestamps, and migration path at the save root;
168
+ - use atomic temp, backup, validate, rename style writes when save loss matters;
169
+ - treat JSON as readable but type-weak; validate parsed data;
170
+ - avoid object deserialization from untrusted files, especially object-enabled Variant loading;
171
+ - use `ConfigFile` for settings, with defaults, validation, apply, and batched save behavior.
172
+ 10. Review loading, threads, and deferred work:
173
+ - use threaded resource requests with status polling before getting the loaded resource;
174
+ - avoid calling blocking loads during gameplay spikes or UI opening;
175
+ - do not touch active SceneTree nodes directly from background threads; use deferred calls or a
176
+ main-thread handoff;
177
+ - guard shared data with a clear ownership or mutex policy.
178
+ 11. Review rendering, UI, physics, and input:
179
+ - require profiler or frame-time evidence before accepting performance claims;
180
+ - for 3D, check visibility ranges, occlusion, HLOD/LOD, far plane, light counts, shadows,
181
+ materials, shader variants, particles, MultiMesh usage, and camera cost;
182
+ - for 2D, check draw calls, canvas layers, custom drawing invalidation, particles, tilemaps,
183
+ collision shapes, and physics tick stability;
184
+ - for UI, keep Container layout separate from animation transforms and avoid wrapper-node
185
+ sprawl when the current version has a cleaner Control transform path;
186
+ - for mobile/gamepad/XR, check input mode, focus loss, virtual controls, safe areas, and export
187
+ target behavior.
188
+ 12. Review export and plugin surfaces:
189
+ - keep export presets, export templates, platform architectures, signing, permissions, splash,
190
+ icon, native plugin, GDExtension, and addon compatibility explicit;
191
+ - do not edit generated imports, cache state, or exported binaries as source;
192
+ - verify release-sensitive export changes with configured package/release checks when available.
193
+ 13. Choose configured verification intents that cover scene loading, script parsing/type checks,
194
+ save/load migration, settings validation, scene transitions, rendering smoke, physics/input
195
+ behavior, export metadata, and package/template sync when available.
196
+
197
+ <!-- mustflow-section: rejection-criteria -->
198
+ ## Review Rejection Criteria
199
+
200
+ Reject or revise a change when:
201
+
202
+ - Godot 3.x syntax, signals, renderer, physics, or singleton patterns are applied to a 4.x project
203
+ without checking the project version.
204
+ - A subscene reaches distant parents, siblings, or `/root/Main` instead of receiving dependencies
205
+ through its parent, exported references, groups, or a service boundary.
206
+ - Autoload becomes a catch-all for gameplay, UI, level, save, and platform state.
207
+ - Runtime code mutates shared authoring Resources as if each instance owns a copy.
208
+ - Save files are written under `res://`, lack a schema version, or deserialize trusted objects from
209
+ user-controlled data.
210
+ - `_process` performs tree searches, heavy polling, loading, group broadcasts, or work that belongs
211
+ in input callbacks, timers, or cached references.
212
+ - Threads touch live SceneTree nodes directly.
213
+ - Scene transition code assumes old and new scenes are available synchronously after the transition
214
+ call.
215
+ - Rendering, physics, or memory changes claim performance wins without profiler, frame-time, or
216
+ target-device evidence.
217
+ - Export preset or platform changes omit target architecture, signing, permission, template, or
218
+ native-plugin impact.
219
+
220
+ <!-- mustflow-section: postconditions -->
221
+ ## Postconditions
222
+
223
+ - Scene ownership, node lifecycle, signals, groups, Autoloads, Resources, save/load, config,
224
+ rendering, physics, input, export, and version assumptions are intentional and reported.
225
+ - Runtime-mutated state is separated from authoring Resources and process-wide services.
226
+ - User-writable files, migrations, atomic writes, and untrusted data boundaries are explicit.
227
+ - Version-specific guidance is refreshed from official sources for the project version or omitted
228
+ from durable claims.
229
+ - Missing scene, save/load, rendering, physics, input, export, or target-device verification is
230
+ reported.
231
+
232
+ <!-- mustflow-section: verification -->
233
+ ## Verification
234
+
235
+ Use configured oneshot command intents when available:
236
+
237
+ - `lint`
238
+ - `build`
239
+ - `test_related`
240
+ - `test`
241
+ - `docs_validate_fast`
242
+ - `mustflow_check`
243
+
244
+ Report missing Godot editor import, script parse, scene load, save migration, renderer smoke,
245
+ physics/input, export preset, target-device, or release verification intents when relevant.
246
+
247
+ <!-- mustflow-section: failure-handling -->
248
+ ## Failure Handling
249
+
250
+ - If scene behavior is unclear, build the scene and ownership ledger before changing scripts.
251
+ - If runtime errors mention missing nodes, inspect NodePaths, unique names, scene instancing,
252
+ lifecycle order, and scene transition timing before adding broader globals.
253
+ - If shared data changes leak across instances, inspect Resource cache, duplication, local-to-scene,
254
+ instance overrides, and authored-versus-runtime state separation.
255
+ - If save/load fails, inspect path choice, schema version, migration, parse errors, type validation,
256
+ atomic write behavior, and untrusted object deserialization.
257
+ - If performance cannot be measured by configured intents, report the missing profiler, scene-load,
258
+ target-device, or export-smoke coverage instead of claiming a performance fix.
259
+ - If official source freshness cannot be checked for a version, release, migration, or export claim,
260
+ omit the claim from durable skill text and report it as unverified snapshot context.
261
+
262
+ <!-- mustflow-section: output-format -->
263
+ ## Output Format
264
+
265
+ - Boundary checked
266
+ - Godot version, renderer, scene, node, signal, Resource, Autoload, and lifecycle notes
267
+ - Save/load, config, file I/O, threaded loading, and untrusted data notes
268
+ - Rendering, physics, UI, input, export, plugin, and target-platform notes
269
+ - Files changed
270
+ - Command intents run
271
+ - Skipped checks and reasons
272
+ - Remaining Godot risk
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.hono-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: hono-code-change
9
- description: Apply this skill when Hono apps, routes, middleware, validators, RPC clients, bindings, context variables, auth boundaries, or runtime adapters are created or changed.
9
+ description: Apply this skill when Hono apps, route chains, middleware order, validators, RPC or typed clients, OpenAPI schema generation, runtime bindings, context variables, auth, CORS, cookie, header, streaming, WebSocket, cache, static asset, or Cloudflare, Bun, Node, Deno, edge, or serverless adapter boundaries are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -28,26 +28,29 @@ metadata:
28
28
  <!-- mustflow-section: purpose -->
29
29
  ## Purpose
30
30
 
31
- Preserve Hono runtime, middleware, validation, context binding, auth, typed route, and response contract boundaries.
31
+ Preserve Hono route registration, runtime adapter, middleware ordering, validation, context binding, auth, typed client, OpenAPI, streaming, cache, static asset, and response contract boundaries.
32
32
 
33
33
  <!-- mustflow-section: use-when -->
34
34
  ## Use When
35
35
 
36
- - `new Hono`, `app.get`, `app.post`, `app.use`, `c.env`, `c.get`, `c.set`, validators, RPC clients, middleware, adapters, or Hono route tests change.
37
- - The task touches Cloudflare Workers, Bun, Node, edge-compatible routes, bindings, variables, auth middleware, or response schemas.
36
+ - `new Hono`, `app.route`, `basePath`, `app.get`, `app.post`, `app.use`, wildcard routes, fallback routes, `c.env`, `c.get`, `c.set`, `c.req.valid`, validators, RPC clients, middleware, adapters, or Hono route tests change.
37
+ - The task touches Cloudflare Workers, Bun, Node, Deno, edge-compatible, serverless, SSR, static file, WebSocket, SSE, streaming, cache, cookie, CORS, CSRF, JWT, JWK, header, body-limit, binding, variable, auth middleware, OpenAPI, or response schema behavior.
38
+ - The task exports or consumes `typeof app`, `typeof routes`, `AppType`, `hc`, `InferRequestType`, `InferResponseType`, `ApplyGlobalResponse`, OpenAPI clients, or generated SDKs from Hono routes.
38
39
 
39
40
  <!-- mustflow-section: do-not-use-when -->
40
41
  ## Do Not Use When
41
42
 
42
43
  - The task only touches framework-agnostic service code behind a Hono handler; use the relevant language or architecture skill.
43
44
  - Another HTTP framework is used instead of Hono.
45
+ - The task only updates external framework version prose; use `source-freshness-check` unless the Hono procedure itself changes.
44
46
 
45
47
  <!-- mustflow-section: required-inputs -->
46
48
  ## Required Inputs
47
49
 
48
- - Package metadata, TypeScript config, runtime adapter config, worker or server entrypoint, routes, middleware, env/binding types, schemas, client types, and tests.
49
- - Target runtime matrix: Cloudflare, Bun, Node, edge-compatible, or single runtime.
50
- - Existing response envelope and error contract.
50
+ - Package metadata, TypeScript config, runtime adapter config, worker or server entrypoint, route modules, middleware registration, env and binding types, context variables, schemas, validators, client type exports, OpenAPI generation, generated SDKs, and tests.
51
+ - Target runtime matrix: Cloudflare Workers or Pages, Bun, Node with `@hono/node-server`, Deno, Lambda or other serverless adapter, edge-compatible, or single runtime.
52
+ - Existing response envelope, status-code contract, error contract, CORS, cookie, header, cache, streaming, WebSocket, static file, body-size, and upload behavior.
53
+ - Official or repository-local source evidence before preserving exact latest-version, patch-note, or adapter-behavior claims.
51
54
 
52
55
  <!-- mustflow-section: preconditions -->
53
56
  ## Preconditions
@@ -55,6 +58,7 @@ Preserve Hono runtime, middleware, validation, context binding, auth, typed rout
55
58
  - Confirm runtime before using platform APIs.
56
59
  - Identify `Bindings` for runtime-provided values and `Variables` for request-local middleware values.
57
60
  - Identify auth, validation, and error response boundaries before adding routes.
61
+ - Refresh official package or vendor sources before preserving exact "latest", release-date, or security-patch claims; otherwise keep those facts out of the skill or mark them as snapshot-only in the report.
58
62
 
59
63
  <!-- mustflow-section: allowed-edits -->
60
64
  ## Allowed Edits
@@ -63,26 +67,33 @@ Preserve Hono runtime, middleware, validation, context binding, auth, typed rout
63
67
  - Register middleware in an order that preserves logging, CORS, security headers, body limits, auth, validation, and handler behavior.
64
68
  - Trust only validated request data in handlers.
65
69
  - Keep success and failure envelopes consistent.
70
+ - Keep route type exports, RPC clients, OpenAPI documents, generated SDKs, tests, and docs synchronized when public API behavior changes.
66
71
 
67
72
  <!-- mustflow-section: procedure -->
68
73
  ## Procedure
69
74
 
70
- 1. Read app entrypoint, runtime adapter, route modules, middleware, schemas, client type exports, and tests.
71
- 2. Map the route boundary: method, path, runtime, auth, params, query, headers, cookies, body, variables, bindings, response statuses, and content types.
72
- 3. Do not put Node-only, Bun-only, or Cloudflare-only APIs in shared routes.
73
- 4. Keep auth middleware above protected routes and wildcard or fallback routes after specific routes.
74
- 5. Separate `Bindings` from `Variables`; do not store request-local state in globals.
75
- 6. Use validator output rather than rereading unvalidated request bodies.
76
- 7. Preserve typed route or RPC inference by keeping handler responses in the framework's typed response path.
77
- 8. Choose configured verification intents that cover type checks, route tests, auth failure, validation failure, and runtime env mocks when available.
75
+ 1. Read app entrypoint, runtime adapter, route modules, middleware, schemas, validator helpers, OpenAPI setup, client type exports, generated clients, and tests.
76
+ 2. Map the route boundary: method, path, registration order, runtime, auth, params, query, headers, cookies, body, variables, bindings, response statuses, content types, cache headers, streaming mode, and public client surface.
77
+ 3. Treat Hono route order as behavior. Keep specific routes before wildcard or fallback routes; check `route()`, `basePath()`, `mount`, optional params, regexp params, static routes, and fallback registration for shadowing or doubled prefixes.
78
+ 4. Keep auth, CORS, CSRF, secure headers, body limit, cookie, JWT, JWK, cache, ETag, compression, and logging middleware in an order that matches the security and observability boundary.
79
+ 5. For CORS with credentials, require an explicit origin allowlist or exact origin callback; do not rely on wildcard origin behavior or loose suffix checks.
80
+ 6. Separate `Bindings` from `Variables`; do not store request-local auth, user, session, tenant, or trace state in globals, module singletons, or runtime-wide mutable objects.
81
+ 7. Use `createMiddleware<{ Variables }>()` or route-local generics for context values that depend on middleware execution. Avoid `ContextVariableMap` unless the value is truly available for every request path.
82
+ 8. Use `c.req.valid(...)` output rather than rereading unvalidated request bodies. Remember that request bodies are one-shot, query and params are strings, header validator keys are lowercase, and `json` or `form` validators need the matching `Content-Type`.
83
+ 9. For multipart uploads, large JSON, webhooks, raw-body signatures, and file routes, check parser shape, body limits, runtime limits, storage limits, repeated-field behavior, and raw request cloning before changing handlers.
84
+ 10. Preserve typed route, RPC, and SDK inference by exporting the route chain actually used by `hc<AppType>()`, keeping handler responses on typed `c.json(payload, status)` paths, and avoiding broad `Context` handler extraction that drops path, validator, or response types.
85
+ 11. Keep runtime validation schema, OpenAPI schema, response schema, generated SDKs, and Hono RPC types from becoming separate truths. Choose one canonical contract and verify drift with tests or snapshots when available.
86
+ 12. Do not put Node-only, Bun-only, Cloudflare-only, Deno-only, Lambda-only, static-serving, connection-info, WebSocket, or filesystem APIs in shared route modules. Keep runtime entry files thin and pass plain config or adapter functions into shared app code.
87
+ 13. For streaming, SSE, WebSocket, cache, ETag, static file, and SSR or JSX routes, check cancellation, abort handling, backpressure, already-started-response errors, header retention, path traversal, cache key and `Vary`, repeated `Set-Cookie`, and adapter header normalization.
88
+ 14. Choose configured verification intents that cover type checks, route tests, auth failure, validation failure, CORS/cookie/header behavior, streaming or WebSocket behavior, OpenAPI or SDK generation, and runtime env mocks when available.
78
89
 
79
90
  <!-- mustflow-section: postconditions -->
80
91
  ## Postconditions
81
92
 
82
93
  - Runtime-specific APIs are isolated.
83
- - Middleware order and auth boundary are clear.
84
- - Request validation and response envelope are preserved.
85
- - Typed route or RPC contract impact is reported.
94
+ - Middleware order, route order, and auth boundary are clear.
95
+ - Request validation, body parsing, header/cookie/CORS/cache, and response envelope behavior are preserved.
96
+ - Typed route, RPC, OpenAPI, generated SDK, and runtime adapter contract impact is reported.
86
97
 
87
98
  <!-- mustflow-section: verification -->
88
99
  ## Verification
@@ -96,21 +107,24 @@ Use configured oneshot command intents when available:
96
107
  - `docs_validate_fast`
97
108
  - `mustflow_check`
98
109
 
99
- Report missing multi-runtime or route-level verification intents when relevant.
110
+ Report missing multi-runtime, route-level, streaming, WebSocket, OpenAPI, SDK, or adapter verification intents when relevant.
100
111
 
101
112
  <!-- mustflow-section: failure-handling -->
102
113
  ## Failure Handling
103
114
 
104
115
  - If runtime target is unclear, inspect adapter and deployment config before editing.
105
116
  - If a route needs a broader permission, binding, or auth change, switch to the relevant security or contract skill.
106
- - If typed route inference breaks, repair schema and response shape before adding more routes.
117
+ - If typed route inference breaks, repair the route chain, validator, schema, and response shape before adding more routes.
118
+ - If official source freshness cannot be checked for a version, release, or security-patch claim, omit the claim from durable skill text and report it as unverified snapshot context.
119
+ - If streaming, WebSocket, cache, static, or adapter-specific behavior cannot be tested by configured intents, report the missing runtime smoke coverage.
107
120
 
108
121
  <!-- mustflow-section: output-format -->
109
122
  ## Output Format
110
123
 
111
124
  - Boundary checked
112
- - Runtime and middleware notes
113
- - Validation and response contract notes
125
+ - Runtime, adapter, route-order, and middleware notes
126
+ - Validation, RPC, OpenAPI, SDK, and response contract notes
127
+ - CORS, cookie, header, cache, streaming, WebSocket, static, or SSR notes when touched
114
128
  - Files changed
115
129
  - Command intents run
116
130
  - Skipped checks and reasons
@@ -528,6 +528,18 @@ route_type = "primary"
528
528
  priority = 85
529
529
  applies_to_reasons = ["code_change", "public_api_change", "test_change"]
530
530
 
531
+ [routes."axum-code-change"]
532
+ category = "general_code"
533
+ route_type = "primary"
534
+ priority = 85
535
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "package_metadata_change", "release_risk"]
536
+
537
+ [routes."godot-code-change"]
538
+ category = "general_code"
539
+ route_type = "primary"
540
+ priority = 85
541
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "package_metadata_change", "release_risk"]
542
+
531
543
  [routes."dart-code-change"]
532
544
  category = "general_code"
533
545
  route_type = "primary"
@@ -538,13 +550,13 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change"]
538
550
  category = "general_code"
539
551
  route_type = "primary"
540
552
  priority = 85
541
- applies_to_reasons = ["code_change", "public_api_change", "security_change"]
553
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
542
554
 
543
555
  [routes."elysia-code-change"]
544
556
  category = "general_code"
545
557
  route_type = "primary"
546
558
  priority = 85
547
- applies_to_reasons = ["code_change", "public_api_change", "security_change"]
559
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
548
560
 
549
561
  [routes."source-anchor-authoring"]
550
562
  category = "general_code"
@@ -988,7 +1000,13 @@ applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
988
1000
  category = "ui_assets"
989
1001
  route_type = "primary"
990
1002
  priority = 85
991
- applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "package_metadata_change"]
1003
+ applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "migration_change", "package_metadata_change", "release_risk"]
1004
+
1005
+ [routes."babylon-code-change"]
1006
+ category = "ui_assets"
1007
+ route_type = "primary"
1008
+ priority = 85
1009
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "docs_change", "migration_change", "package_metadata_change", "release_risk"]
992
1010
 
993
1011
  [routes."react-code-change"]
994
1012
  category = "ui_assets"
@@ -996,11 +1014,17 @@ route_type = "primary"
996
1014
  priority = 85
997
1015
  applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "package_metadata_change", "release_risk"]
998
1016
 
1017
+ [routes."vue-code-change"]
1018
+ category = "ui_assets"
1019
+ route_type = "primary"
1020
+ priority = 85
1021
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "package_metadata_change", "release_risk"]
1022
+
999
1023
  [routes."svelte-code-change"]
1000
1024
  category = "ui_assets"
1001
1025
  route_type = "primary"
1002
1026
  priority = 85
1003
- applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "test_change", "package_metadata_change"]
1027
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "docs_change", "migration_change", "package_metadata_change", "release_risk"]
1004
1028
 
1005
1029
  [routes."pattern-scout"]
1006
1030
  category = "architecture_patterns"