mustflow 2.103.21 → 2.103.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +7 -4
  2. package/dist/cli/commands/flow.js +93 -0
  3. package/dist/cli/commands/run/execution.js +1 -1
  4. package/dist/cli/commands/run/executor.js +28 -3
  5. package/dist/cli/commands/run/windows-command-script.js +23 -0
  6. package/dist/cli/commands/verify.js +4 -1
  7. package/dist/cli/i18n/en.js +11 -0
  8. package/dist/cli/i18n/es.js +11 -0
  9. package/dist/cli/i18n/fr.js +11 -0
  10. package/dist/cli/i18n/hi.js +11 -0
  11. package/dist/cli/i18n/ko.js +11 -0
  12. package/dist/cli/i18n/zh.js +11 -0
  13. package/dist/cli/index.js +1 -0
  14. package/dist/cli/lib/active-command-lock.js +4 -0
  15. package/dist/cli/lib/command-registry.js +7 -0
  16. package/dist/cli/lib/repo-flow-frontmatter.js +35 -0
  17. package/dist/cli/lib/repo-flow.js +209 -0
  18. package/dist/cli/lib/repo-map.js +3 -0
  19. package/dist/cli/lib/run-plan.js +8 -4
  20. package/dist/cli/lib/validation/constants.js +10 -0
  21. package/dist/cli/lib/validation/index.js +54 -1
  22. package/dist/core/generated-boundary.js +1 -0
  23. package/dist/core/retention-policy.js +4 -2
  24. package/dist/core/run-receipt-state.js +247 -0
  25. package/dist/core/run-receipt.js +5 -1
  26. package/package.json +2 -1
  27. package/templates/default/common/.mustflow/config/mustflow.toml +2 -2
  28. package/templates/default/i18n.toml +31 -7
  29. package/templates/default/locales/en/.mustflow/skills/INDEX.md +29 -6
  30. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +95 -23
  31. package/templates/default/locales/en/.mustflow/skills/axum-code-change/SKILL.md +219 -0
  32. package/templates/default/locales/en/.mustflow/skills/babylon-code-change/SKILL.md +318 -0
  33. package/templates/default/locales/en/.mustflow/skills/bun-code-change/SKILL.md +27 -12
  34. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +30 -5
  35. package/templates/default/locales/en/.mustflow/skills/elysia-code-change/SKILL.md +74 -20
  36. package/templates/default/locales/en/.mustflow/skills/godot-code-change/SKILL.md +272 -0
  37. package/templates/default/locales/en/.mustflow/skills/hono-code-change/SKILL.md +37 -23
  38. package/templates/default/locales/en/.mustflow/skills/routes.toml +28 -4
  39. package/templates/default/locales/en/.mustflow/skills/svelte-code-change/SKILL.md +65 -40
  40. package/templates/default/locales/en/.mustflow/skills/vue-code-change/SKILL.md +305 -0
  41. package/templates/default/manifest.toml +29 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.svelte-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: svelte-code-change
9
- description: Apply this skill when Svelte or SvelteKit components, routes, load functions, server actions, endpoints, stores, context, runes, SSR boundaries, server-only imports, accessibility warnings, or tests are created or changed.
9
+ description: Apply this skill when Svelte or SvelteKit components, routes, universal or server load functions, form actions, endpoints, hooks, stores, context, runes, props, snippets, bindings, SSR, hydration, streaming, preload, invalidation, server-only imports, env boundaries, adapters, Vite, TypeScript, packaging, accessibility warnings, or tests are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -28,64 +28,78 @@ metadata:
28
28
  <!-- mustflow-section: purpose -->
29
29
  ## Purpose
30
30
 
31
- Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, data secrecy, load/action/endpoint contracts, request-scoped state ownership, accessibility, and generated route behavior. Choose files by data boundary first, not by filename habit.
31
+ Preserve Svelte component reactivity, SvelteKit SSR/server/client execution modes, data secrecy, load/action/endpoint contracts, request-scoped state ownership, hydration, streaming, invalidation, adapter output, accessibility, and generated route behavior. Choose files by data boundary and execution mode first, not by filename habit.
32
32
 
33
33
  <!-- mustflow-section: use-when -->
34
34
  ## Use When
35
35
 
36
- - `.svelte`, `+page`, `+layout`, `+page.server`, `+layout.server`, `+server`, load functions, form actions, endpoints, stores, context, runes, `$app` imports, `$lib/server`, hooks, route params, or Svelte tests change.
37
- - The task touches state management, SSR errors, browser APIs, forms, routing, progressive enhancement, request-local data, server-only imports, private/public environment variables, or Svelte 5 runes.
36
+ - `.svelte`, `.svelte.ts`, `.svelte.js`, `+page`, `+layout`, `+page.server`, `+layout.server`, `+server`, load functions, form actions, endpoints, stores, context, snippets, bindings, runes, `$app` imports, `$lib/server`, hooks, route params, route matchers, or Svelte tests change.
37
+ - The task touches state management, SSR errors, hydration warnings, browser APIs, forms, routing, progressive enhancement, preload, invalidation, request-local data, server-only imports, private/public environment variables, adapters, Vite, TypeScript, package exports, or Svelte 5 runes.
38
+ - The task upgrades, reviews, or writes docs about Svelte, SvelteKit, Vite, `@sveltejs/vite-plugin-svelte`, `svelte-check`, an adapter, `@sveltejs/package`, or generated Svelte library output.
38
39
 
39
40
  <!-- mustflow-section: do-not-use-when -->
40
41
  ## Do Not Use When
41
42
 
42
43
  - The change is plain CSS or HTML with no Svelte or SvelteKit behavior; use the relevant UI foundation skill.
43
44
  - The service code is framework-free and no Svelte boundary changes.
45
+ - The task only updates external framework version prose; use `source-freshness-check` unless the Svelte procedure itself changes.
44
46
 
45
47
  <!-- mustflow-section: required-inputs -->
46
48
  ## Required Inputs
47
49
 
48
- - Package metadata, Svelte config, Vite config, TypeScript config, route segment files, hooks, app types, stores/runes/context, form schema, and tests.
49
- - Svelte version, route data source, secrecy, request scope, mutation type, serialization requirement, SSR/client boundary, browser dependency, and state owner.
50
- - Imports from `$lib/server`, `*.server.*`, `$env/static/private`, `$env/dynamic/private`, DB/filesystem/server SDK modules, cookies, auth headers, and `event.locals`.
50
+ - Package metadata, Svelte config, Vite config, TypeScript config, route segment files, hooks, app types, stores/runes/context, form schema, adapter config, package export metadata, and tests.
51
+ - Svelte and SvelteKit version tracks, route data source, secrecy, request scope, mutation type, serialization requirement, SSR/client boundary, browser dependency, state owner, and adapter target.
52
+ - Imports from `$lib/server`, `*.server.*`, `$env/static/private`, `$env/dynamic/private`, DB/filesystem/server SDK modules, cookies, auth headers, `event.locals`, `$app/state`, `$app/navigation`, `$app/forms`, and browser-only libraries.
53
+ - Official or repository-local source evidence before preserving exact latest-version, release-date, Node/Vite requirement, adapter behavior, or compiler behavior claims.
51
54
  - Configured verification intents.
52
55
 
53
56
  <!-- mustflow-section: preconditions -->
54
57
  ## Preconditions
55
58
 
56
- - For route work, read the sibling `+layout`, `+page`, `+page.server`, and `+server` files as one boundary.
57
- - Classify every data access by origin, secrecy, request scope, mutation, browser dependency, and serialization before choosing a SvelteKit file.
58
- - Treat all route files as potentially server-executed until proven otherwise.
59
+ - For route work, read sibling and parent `+layout`, `+layout.server`, `+page`, `+page.server`, `+server`, hooks, app types, and route matcher files as one boundary.
60
+ - Classify every data access by origin, secrecy, request scope, mutation, browser dependency, serialization, invalidation dependency, and adapter support before choosing a SvelteKit file.
61
+ - Treat universal route files as server-executed and browser-executed until proven otherwise.
62
+ - Refresh official package or vendor sources before preserving exact "latest", Node/Vite minimum, adapter, or release-note claims; otherwise keep those facts out of durable skill text or mark them as snapshot-only in the report.
59
63
 
60
64
  <!-- mustflow-section: allowed-edits -->
61
65
  ## Allowed Edits
62
66
 
63
- - Keep secrets, private environment, database clients, and cookie-authenticated data in server-only files.
64
- - Use browser APIs only behind client-safe lifecycle or environment guards.
67
+ - Keep secrets, private environment, database clients, server SDKs, cookie-authenticated data, and request identity in server-only files.
68
+ - Use browser APIs only behind client-safe lifecycle, dynamic import, event, action, or environment boundaries.
65
69
  - Keep state local unless shared ownership is justified.
66
- - Preserve form actions and progressive enhancement instead of replacing all forms with client-only fetch.
70
+ - Preserve form actions and progressive enhancement instead of replacing page forms with client-only fetch.
67
71
  - Use context for request-scoped component-tree sharing instead of module singletons.
68
- - Use `$derived` for computed display values and `$effect` only for browser-side effects and cleanup.
72
+ - Use `$derived` for computed display values and `$effect` only for browser-side effects, subscriptions, DOM, timers, observers, third-party browser libraries, and cleanup.
73
+ - Keep SvelteKit, Vite, TypeScript, adapter, `svelte-check`, and package export surfaces synchronized when toolchain behavior changes.
69
74
 
70
75
  <!-- mustflow-section: procedure -->
71
76
  ## Procedure
72
77
 
73
- 1. Read route segment files, parent layouts, stores/runes/context, hooks, app types, and tests.
74
- 2. Identify Svelte version and whether the code uses runes or legacy reactivity.
75
- 3. Before choosing a file, classify every data access with: origin, secrecy, request scope, mutation, browser dependency, and serialization.
76
- 4. If data requires DB, filesystem, private env, cookies, auth headers, `event.locals`, server SDKs, or request-local identity, keep it in server-only code: `+page.server`, `+layout.server`, `+server`, `hooks.server`, or `$lib/server`.
77
- 5. If data is public and can be safely fetched by the browser without secrets, universal load is allowed.
78
- 6. If the operation is a page form mutation, prefer `+page.server` actions over a custom JSON endpoint.
79
- 7. If the operation is a public HTTP API, webhook, mobile API, stream, file response, or non-page endpoint, use `+server`.
80
- 8. If the value is UI-only state such as modal open, selected tab, draft input, accordion state, hover state, or local editing state, keep it in component `$state` or local context.
81
- 9. If a value is computed from reactive inputs, use `$derived`. Do not use `$effect` to copy or synchronize derived state.
82
- 10. Use `$effect`, lifecycle hooks, event handlers, actions, or dynamic imports for browser-only APIs and browser-only libraries. Do not touch `window`, `document`, `localStorage`, `matchMedia`, canvas, or browser-only imports in SSR top-level code.
83
- 11. Keep request-specific user/session/auth state out of module-level mutable variables, global stores, exported `$state`, and load/action side effects.
84
- 12. Do not write to stores from load functions.
85
- 13. Keep server load return values intentionally serializable and minimal. Do not pass secrets, raw sessions, tokens, hidden DB fields, or whole service responses to the browser.
86
- 14. Prefer `$app/state` over legacy `$app/stores` in SvelteKit projects that use the newer SvelteKit state API.
87
- 15. Do not hide SSR errors by disabling SSR unless the user explicitly accepts that product and architecture change.
88
- 16. Treat accessibility compiler warnings as real findings unless a local false-positive reason is documented.
78
+ 1. Read route segment files, parent layouts, route matchers, stores/runes/context, hooks, app types, Svelte/Vite/TypeScript config, adapter config, package metadata, and tests.
79
+ 2. Identify Svelte and SvelteKit version tracks and whether the code uses runes, legacy reactivity, or mixed migration mode.
80
+ 3. Before choosing a file, classify every data access with: origin, secrecy, request scope, mutation, browser dependency, serialization, dependency tracking, invalidation trigger, and adapter support.
81
+ 4. Keep DB, filesystem, private env, cookies, auth headers, `event.locals`, server SDKs, and request-local identity in server-only code: `+page.server`, `+layout.server`, `+server`, `hooks.server`, `$lib/server`, or `*.server.*`.
82
+ 5. Treat `+page.ts` and `+layout.ts` as universal. They may run during SSR and later in the browser; do not import browser-only packages, private env, DB clients, or server modules there.
83
+ 6. If `+page.server` and universal `+page` or `+layout` coexist, check that server-load data is intentionally passed through the universal `load` return value when the page component needs it.
84
+ 7. Keep `load` side-effect-free. Do not increment counters, mark reads, mutate stores, write analytics, or change module state from `load`; preload and navigation can run it before the user commits.
85
+ 8. Avoid `await parent()` waterfalls. Start independent fetches before awaiting parent data, and keep auth checks in `hooks.server` or route-specific server load when child data must not execute first.
86
+ 9. Use SvelteKit-provided `fetch` inside load when dependency tracking, SSR response inlining, and hydration reuse matter. For custom clients, register `depends(...)` keys and invalidate the exact URL or dependency key.
87
+ 10. Use page form actions for page-owned mutations. Preserve `fail(...)`, `redirect(303, ...)`, `use:enhance`, `update()`, `applyAction()`, focus reset, and invalidation behavior when enhancing forms.
88
+ 11. Use `+server` for public HTTP APIs, webhooks, mobile APIs, streams, file responses, and custom response contracts. Do not create a JSON endpoint for a normal page form unless there is a non-page consumer.
89
+ 12. For streaming load data, finish auth, redirects, and headers before streaming starts. Handle promise rejections, check adapter and proxy buffering, and stream only data whose late failure does not change page policy.
90
+ 13. Preserve hydration markers and valid HTML structure. Do not use HTML minifiers, CDN rewrites, or edge transforms that remove Svelte hydration comments without verifying hydration.
91
+ 14. If navigation reuses page or layout components, make route-dependent values `$derived` from `data`, `$app/state`, or URL state; use `{#key ...}` only when a real remount boundary is intended.
92
+ 15. Put SSR-affecting filters, search, pagination, sorting, and shareable state in URL search params. Keep temporary UI state local or snapshot-like.
93
+ 16. Use `$state` only for state that should update UI, `$derived`, or `$effect`. Keep large immutable payloads, table rows, CMS payloads, parser outputs, and third-party data as plain values or `$state.raw` with reassignment.
94
+ 17. Do not destructure `$state` or proxy objects when live reactivity is required. Read fields at the use site or derive a narrow value.
95
+ 18. Use `SvelteMap`, `SvelteSet`, `SvelteDate`, `SvelteURL`, or reassignment patterns when reactive special objects are required; do not expect ordinary `Map`, `Set`, `Date`, `URL`, or class internals to be deeply tracked.
96
+ 19. Use `$derived` or `$derived.by` for filtering, sorting, totals, validation results, labels, and view models. Do not use `$effect` to copy or synchronize derived state.
97
+ 20. Keep `$effect` dependencies narrow and synchronous. Read dependencies before `await`, `setTimeout`, or callbacks; use `untrack` for incidental logging, snapshots, or non-dependency reads.
98
+ 21. Return cleanup from effects that create subscriptions, intervals, observers, sockets, editors, charts, canvas loops, or external library instances.
99
+ 22. Treat props as parent-owned. Use callback props for changes and `$bindable` only for narrow form-control-like two-way APIs. Preserve wrapper binding chains or convert them to explicit callbacks.
100
+ 23. In Svelte 5, treat DOM event handlers as props. When spreading rest props through wrappers, intentionally compose external handlers with internal policy instead of relying on spread order.
101
+ 24. Treat snippets as typed render callbacks. Require optional snippet guards, pass row or slot-like data as parameters, and avoid hidden parent-state capture in reusable library components.
102
+ 25. Check SvelteKit, Vite, TypeScript, adapter, and package output as one toolchain boundary. Do not edit generated `.svelte-kit/tsconfig.json`; fix `svelte.config`, `kit.alias`, package exports, `types`, `svelte` conditions, `files`, and CSS side effects at their source.
89
103
 
90
104
  <!-- mustflow-section: data-boundary-policy -->
91
105
  ## Data Boundary Policy
@@ -94,6 +108,7 @@ Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, da
94
108
  - Public external APIs and public CMS data may live in universal load only when the browser may call them directly without secrets.
95
109
  - DB, filesystem, private env, server SDKs, cookies, auth headers, sessions, and `event.locals` belong in server-only files.
96
110
  - User-specific data must be read server-side and narrowed before being serialized into `data`.
111
+ - Server load return values must be intentionally serializable and minimal.
97
112
  - Page forms should use form actions by default.
98
113
  - External clients, webhooks, mobile apps, streaming responses, and custom HTTP responses belong in `+server`.
99
114
  - Browser-only values belong in component effects, event handlers, dynamic imports, or browser actions.
@@ -105,18 +120,22 @@ Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, da
105
120
  - `+page.server.ts` and `+layout.server.ts` are for server-only page data.
106
121
  - `+page.server.ts` actions are for page-owned form mutations.
107
122
  - `+server.ts` is for HTTP endpoints, webhooks, non-page APIs, streams, files, and custom responses.
123
+ - Route matchers, optional params, rest params, and route groups are public URL and layout/auth behavior, not only folder naming.
108
124
  - Do not create a JSON endpoint for a normal page form unless there is a non-page consumer.
109
125
  - Do not wrap server-only imports in browser guards. Fix the import graph.
110
126
 
111
127
  <!-- mustflow-section: runes-state-policy -->
112
128
  ## Runes And State Policy
113
129
 
114
- - Use `$state` for local interactive UI state.
115
- - Use `$derived` for calculations from props, route data, page state, or local state.
116
- - Use `$effect` only for browser-side effects, subscriptions, DOM, canvas, analytics, third-party browser libraries, and cleanup.
130
+ - Use `$state` for owned interactive UI state.
131
+ - Use `$state.raw` only when reassignment, not internal mutation, is the update model.
132
+ - Use `$state.snapshot` before sending proxy state to serializers, workers, chart libraries, equality tools, or external APIs that should see plain data.
133
+ - Use `$derived` for calculations from props, route data, page state, URL state, or local state.
134
+ - Use `$effect` only for browser-side effects, subscriptions, DOM, canvas, analytics, timers, third-party browser libraries, and cleanup.
117
135
  - Use stores for external streams or manual subscribe/unsubscribe interop, not ordinary component state.
118
136
  - Use context for parent-owned values shared down the component tree, especially request-scoped layout data.
119
137
  - Do not reassign reactive context objects after placing them in context; update their properties or pass getter functions when needed.
138
+ - Use stable keys for changing lists. Do not use array indexes as keys when rows can reorder, insert, delete, transition, or own child state.
120
139
 
121
140
  <!-- mustflow-section: ssr-debug-policy -->
122
141
  ## SSR Debug Policy
@@ -127,7 +146,7 @@ When SSR breaks, inspect in this order:
127
146
  2. `$lib/server`, `*.server.*`, DB, filesystem, admin SDK, or server-only import chains.
128
147
  3. Request-local state stored in module singletons, stores, or exported `$state`.
129
148
  4. Browser API access at module top-level or during SSR render.
130
- 5. Hydration mismatch from time, randomness, locale, timezone, localStorage, or browser-only initial state.
149
+ 5. Hydration mismatch from invalid HTML, removed comments, time, randomness, locale, timezone, localStorage, or browser-only initial state.
131
150
  6. Route-level SSR disabling only after the product accepts an SPA-like shell.
132
151
 
133
152
  <!-- mustflow-section: hard-bans -->
@@ -137,18 +156,21 @@ When SSR breaks, inspect in this order:
137
156
  - Do not move required first-render page data into lifecycle hooks or `$effect`.
138
157
  - Do not import `$lib/server`, `*.server.*`, private env modules, DB clients, filesystem, or admin SDKs from universal/client route files or shared client utilities.
139
158
  - Do not mutate module-scope variables, global stores, or exported `$state` with user/session/request data during SSR, load, or actions.
140
- - Do not use `$effect` to compute derived values.
159
+ - Do not use `$effect` to compute derived values or synchronize state mirrors.
141
160
  - Do not put browser-only library imports at top level when the package touches browser globals during import.
142
161
  - Do not serialize secrets, raw sessions, access tokens, hidden DB fields, or whole service responses through load data.
162
+ - Do not edit generated `.svelte-kit` files as source.
143
163
 
144
164
  <!-- mustflow-section: postconditions -->
145
165
  ## Postconditions
146
166
 
147
167
  - Server/client and SSR boundaries are explicit.
148
- - State owner and derived/effect behavior are clear.
168
+ - Route, load, action, endpoint, invalidation, and streaming behavior are clear.
169
+ - State owner, derived/effect behavior, props ownership, snippets, and binding behavior are clear.
149
170
  - Forms remain progressive unless intentionally changed.
150
171
  - Private data stays server-only and serialized data is intentionally minimal.
151
172
  - Request-scoped sharing uses load data, props, or context instead of module singletons.
173
+ - Adapter, Vite, TypeScript, and package output impacts are reported when touched.
152
174
  - Accessibility warnings are resolved or justified.
153
175
 
154
176
  <!-- mustflow-section: verification -->
@@ -163,7 +185,7 @@ Use configured oneshot command intents when available:
163
185
  - `docs_validate_fast`
164
186
  - `mustflow_check`
165
187
 
166
- Report missing Svelte check, SSR render, form action, or browser verification intents when relevant.
188
+ Report missing Svelte check, SSR render, hydration, form action, browser, adapter, package, or preview-mode verification intents when relevant.
167
189
 
168
190
  <!-- mustflow-section: failure-handling -->
169
191
  ## Failure Handling
@@ -173,13 +195,16 @@ Report missing Svelte check, SSR render, form action, or browser verification in
173
195
  - If accessibility warnings require an ignore, include the specific reason in the code or report.
174
196
  - If server-only imports leak into universal/client files, move the boundary instead of adding runtime guards.
175
197
  - If request-local data is stored globally, move it to server load, actions, context, or persistent storage with user scoping.
198
+ - If exact framework, adapter, Vite, Node, or release claims cannot be refreshed from official sources, omit them from durable skill text and report them as unverified snapshot context.
199
+ - If streaming, hydration, adapter output, package exports, or preview-mode behavior cannot be verified by configured intents, report the missing runtime smoke coverage.
176
200
 
177
201
  <!-- mustflow-section: output-format -->
178
202
  ## Output Format
179
203
 
180
204
  - Boundary checked
181
- - SSR/server/client and state notes
182
- - Form/action/accessibility impact
205
+ - SSR/server/client, route, load, action, invalidation, and streaming notes
206
+ - Runes, state, props, snippet, binding, and accessibility notes
207
+ - Adapter, Vite, TypeScript, and package-output notes when touched
183
208
  - Files changed
184
209
  - Command intents run
185
210
  - Skipped checks and reasons
@@ -0,0 +1,305 @@
1
+ ---
2
+ mustflow_doc: skill.vue-code-change
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: vue-code-change
9
+ description: Apply this skill when Vue, Nuxt, Pinia, Vue Router, Vue SFCs, Composition API, reactivity, props, emits, slots, v-model, SSR, hydration, lazy hydration, Vite/Vue toolchain, or Vue-related tests are created, changed, reviewed, or upgraded.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.vue-code-change
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Vue Code Change
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Preserve Vue and Nuxt component, reactivity, state, routing, SSR, hydration, lazy-hydration,
33
+ toolchain, and package-version contracts when changing Vue projects. Review Vue code by asking
34
+ which value is being tracked, which component owns it, which runtime renders it first, and whether
35
+ the server and client will agree.
36
+
37
+ <!-- mustflow-section: use-when -->
38
+ ## Use When
39
+
40
+ - `.vue` files, Vue SFC macros, Composition API, Options API, composables, custom directives,
41
+ Pinia stores, Vue Router routes or guards, Nuxt pages/layouts/components/plugins/middleware,
42
+ Vite Vue config, `vue-tsc`, or Vue-related tests change.
43
+ - The task touches reactive state, `ref`, `reactive`, `shallowRef`, `computed`, `watch`,
44
+ `watchEffect`, `defineProps`, reactive props destructure, `defineModel`, `defineEmits`,
45
+ fallthrough attributes, slots, template refs, provide/inject, Teleport, Suspense, SSR,
46
+ hydration, lazy hydration, ClientOnly behavior, or route lazy loading.
47
+ - A contribution proposes Vue performance, hydration, state ownership, component API, Pinia,
48
+ router, Nuxt, Vite, TypeScript, or Vue version support changes.
49
+
50
+ <!-- mustflow-section: do-not-use-when -->
51
+ ## Do Not Use When
52
+
53
+ - The change is framework-free JavaScript or TypeScript with no Vue, Nuxt, Pinia, or router
54
+ boundary; use the language-specific skill.
55
+ - The task is only plain HTML/CSS layout, accessibility, localization, or image delivery with no
56
+ Vue behavior; use the narrower frontend or UI skill.
57
+ - React, Svelte, Astro, Tauri, Flutter, or another framework owns the changed component boundary.
58
+ - The task is only a dependency upgrade across many packages; use dependency and freshness skills
59
+ first, then this skill for Vue-specific code and compatibility surfaces.
60
+
61
+ <!-- mustflow-section: required-inputs -->
62
+ ## Required Inputs
63
+
64
+ - Package and toolchain evidence: nearest `package.json`, lockfile, package manager, `engines`,
65
+ Vite config, Nuxt config, Vue plugin config, TypeScript config, `vue-tsc` setup, test config,
66
+ and CI signals.
67
+ - Effective support range: installed `vue`, `@vue/compiler-sfc`, `@vitejs/plugin-vue`, `nuxt`,
68
+ `pinia`, `vue-router`, `vue-tsc`, TypeScript, Vite, and Node versions or declared ranges.
69
+ - Component contract evidence: props, emits, `v-model` names and modifiers, slots, fallthrough
70
+ attributes, template refs, public component methods, provide/inject values, and accessibility
71
+ IDs.
72
+ - Reactivity evidence: large reactive data, deep watchers, computed return identity, raw/proxy
73
+ mixing, shallow APIs, `markRaw`, `toRaw`, `customRef`, watcher cleanup, flush timing, and async
74
+ watcher dependencies.
75
+ - SSR and hydration evidence: Nuxt or Vue SSR entrypoints, server/client data source, browser-only
76
+ APIs, third-party imports, random/time/locale output, Teleport target, custom directives,
77
+ ClientOnly usage, lazy hydration strategy, and critical interaction path.
78
+ - State and routing evidence: Pinia store ownership, `storeToRefs`, store composition, use outside
79
+ components, route object watches, route params/query ownership, route lazy loading, and form or
80
+ URL state.
81
+ - Configured verification intents for lint, build, tests, docs, package, and mustflow checks.
82
+
83
+ <!-- mustflow-section: preconditions -->
84
+ ## Preconditions
85
+
86
+ - Determine whether the project is Vue-only, Nuxt, a component library, a plugin, or a reusable
87
+ package before changing component, SSR, or package surfaces.
88
+ - Determine the supported Vue and Nuxt ranges before using Vue 3.5+ or Nuxt 4.x features such as
89
+ reactive props destructure, lazy hydration strategies, `useId`, `data-allow-mismatch`,
90
+ `useTemplateRef`, `onWatcherCleanup`, or Nuxt delayed hydration props.
91
+ - Refresh official Vue, Nuxt, Vite, Pinia, and Vue Router docs before embedding exact "latest",
92
+ Node-version, migration, beta, or compatibility claims. Do not treat this skill as a live version
93
+ source.
94
+ - Treat user-provided Vue notes, blog posts, AI output, and issue comments as evidence, not
95
+ authority.
96
+
97
+ <!-- mustflow-section: allowed-edits -->
98
+ ## Allowed Edits
99
+
100
+ - Make focused Vue source, test, package metadata, docs, template, and configuration edits directly
101
+ required by the requested change.
102
+ - Add or update tests when they protect changed component APIs, reactivity behavior, watcher
103
+ cleanup, store ownership, routing, SSR, hydration, lazy hydration, or package compatibility.
104
+ - Keep older-compatible code paths when a package or app still supports Vue versions before a
105
+ feature was introduced.
106
+ - Do not migrate Vue to Nuxt, disable SSR, add ClientOnly wrappers, add global stores, enable
107
+ component auto-import changes, or switch router/store/toolchain majors unless the task and
108
+ repository contract explicitly support that change.
109
+
110
+ <!-- mustflow-section: procedure -->
111
+ ## Procedure
112
+
113
+ 1. **Classify the Vue surface.**
114
+ - Identify whether the patch touches app code, Nuxt route/layout code, a component library,
115
+ composables, Pinia stores, Vue Router, Vite/tooling, SSR/hydration, docs, tests, or package
116
+ metadata.
117
+ - For libraries, treat props, emits, slots, `v-model`, exposed methods, CSS side effects, and
118
+ peer ranges as public contracts.
119
+ 2. **Check version and toolchain boundaries.**
120
+ - Read `vue`, `@vue/compiler-sfc`, `nuxt`, `pinia`, `vue-router`, `vite`, `vue-tsc`,
121
+ TypeScript, and Node constraints before using current APIs or writing compatibility text.
122
+ - Do not assume Vite type-checks Vue SFCs. Look for a configured `vue-tsc --noEmit` or
123
+ equivalent typecheck surface, and report the missing intent when absent.
124
+ - Keep Vue ecosystem upgrades grouped when compatibility is involved: Vue, compiler-sfc,
125
+ Vite plugin, Nuxt, Pinia, Router, vue-tsc, TypeScript, and Node engines can constrain each
126
+ other.
127
+ 3. **Review reactivity by subscription width.**
128
+ - Avoid wrapping large API responses, large tables, log arrays, permission trees, or deeply
129
+ nested JSON in deep `reactive()` unless the UI needs deep mutation tracking.
130
+ - Use `shallowRef` or `shallowReactive` only as a root-state boundary, and update by root
131
+ replacement. Do not bury shallow state inside deep reactive trees.
132
+ - Do not stringify, spread, or debug-print huge reactive objects in render or computed paths;
133
+ that makes the effect subscribe to too much.
134
+ - Keep raw and proxy identities from mixing in `Set`, `Map`, selected rows, memo caches, and
135
+ equality checks. Prefer stable ids over object references.
136
+ 4. **Review computed, watch, and watchEffect contracts.**
137
+ - Keep computed getters pure. Do not perform API calls, DOM writes, analytics, or state
138
+ mutations inside computed getters.
139
+ - Treat computed output as derived read-only state. Mutate the source state, not the computed
140
+ result.
141
+ - Avoid returning fresh objects or arrays from computed values when downstream stability matters;
142
+ compare with the previous value when Vue version support allows old-value reuse.
143
+ - Do not watch large reactive objects directly unless deep behavior is intentional and bounded.
144
+ Prefer getter sources for the exact primitive, id, length, param, or selector that matters.
145
+ - Avoid `deep: true` as a default. Vue 3.5+ supports numeric deep traversal, but the better
146
+ fix is often a narrower getter or `watchEffect` that reads only used fields.
147
+ - In async `watchEffect`, read dependencies before the first `await`. Later reads are not
148
+ dependency-tracked.
149
+ - Add cleanup for watcher fetches, timers, subscriptions, and observers. Use `onWatcherCleanup`
150
+ only in the synchronous part of Vue 3.5+ watchers, or use the callback `onCleanup` argument.
151
+ - Use `flush: 'post'` only when the watcher must read owner DOM after Vue updates it; avoid
152
+ `flush: 'sync'` for high-churn sources such as arrays.
153
+ 5. **Review component API contracts.**
154
+ - Keep props as one-way inputs. Do not mutate nested object or array props from children unless
155
+ the component is explicitly a tightly coupled compound component.
156
+ - Separate controlled and uncontrolled behavior. Use `modelValue` or named `v-model` for
157
+ live parent ownership, `defaultValue` or `initialValue` for one-time initialization, and a
158
+ `resetKey` or explicit action for reset semantics.
159
+ - For Vue 3.5+ reactive props destructure, same-block reads are reactive, but passing a
160
+ destructured prop to `watch` or a composable needs a getter such as `() => foo` or input
161
+ normalization with `toValue`.
162
+ - Avoid mixing boolean props with string modes. Keep booleans for true/false state and string
163
+ unions for variants or modes.
164
+ - Treat `defineModel({ default })` as a possible parent-child desynchronization risk. Prefer
165
+ required models or parent-owned initialization for form components.
166
+ - Declare public emits. Undeclared listeners can fall through to DOM roots and cause duplicate
167
+ or misplaced native event handling.
168
+ - Prefer object event payloads for public component events so future fields can be added without
169
+ positional argument churn.
170
+ - Treat `$attrs` as public API routing, not a dumping ground. With wrappers, bind attrs and
171
+ listeners to the actual interactive element.
172
+ - Treat slot names and slot props as public APIs. Keep `#default`, named slots, and scoped slot
173
+ data explicit.
174
+ 6. **Review render and list performance.**
175
+ - Keep child props stable. Do not pass a changing global value such as `activeId` to every row
176
+ when each child only needs a boolean such as `active`.
177
+ - Use stable primitive keys, not indexes or objects, for reorderable lists.
178
+ - Do not combine `v-if` and `v-for` on the same element. Move filtering to computed output or
179
+ gate the parent container.
180
+ - Copy before sorting or reversing arrays in computed values. Do not mutate source arrays while
181
+ deriving render output.
182
+ - Large lists need pagination, virtualization, route-level splitting, or a documented hard cap.
183
+ - Avoid renderless or provider component stacks inside thousands of list rows when a composable
184
+ or plain helper can own the reusable logic.
185
+ 7. **Review composables and provide/inject.**
186
+ - Design composable inputs to accept plain values, refs, and getters when the use case calls
187
+ for all three. Normalize with `toValue` inside a tracked effect when dependency tracking is
188
+ required.
189
+ - Return refs or `toRefs`-compatible shapes when callers are expected to destructure the result.
190
+ - For provide/inject, prefer readonly state plus explicit mutation functions when descendants
191
+ should not mutate shared state directly.
192
+ - Use template refs and component refs as escape hatches. Prefer props/emits first, and expose
193
+ only intentional public methods with `defineExpose`.
194
+ 8. **Review Pinia and router ownership.**
195
+ - Use `storeToRefs()` for reactive state/getter destructuring; actions may be destructured.
196
+ - Keep page-local UI state out of Pinia unless it must survive navigation or be shared across
197
+ independent surfaces.
198
+ - Do not create mutually recursive setup stores that read each other's state during setup.
199
+ Move cross-store reads into computed values or actions.
200
+ - When using stores outside components, verify Pinia is installed before `useStore()` runs.
201
+ In SSR, pass or use the request's active Pinia instance instead of a shared singleton.
202
+ - Watch specific route params, query fields, or names rather than the entire route object.
203
+ - Use route lazy loading for route components when initial bundle size matters, and verify the
204
+ router major and typed-route integration before changing route tooling.
205
+ 9. **Review SSR and hydration determinism.**
206
+ - Treat SSR as the same app running on server and client. First-render output must be
207
+ deterministic across both sides.
208
+ - Do not store request-specific state in module-scope singletons, exported reactive objects, or
209
+ global stores during SSR. Create app, router, store, and request context per request.
210
+ - Move browser-only APIs, DOM libraries, timers, observers, sockets, analytics, maps, editors,
211
+ and chart initialization behind client-safe lifecycle or dynamic import boundaries.
212
+ - Do not let `Math.random()`, `Date.now()`, timezone, locale, viewport, localStorage, auth
213
+ fallback, or A/B bucket values alter SSR-visible first markup unless the value is serialized
214
+ or intentionally client-only.
215
+ - Check invalid HTML nesting before blaming hydration. Browser parsers can rewrite SSR HTML
216
+ before Vue hydrates it.
217
+ - Use `useId` for SSR-stable form and accessibility IDs when the supported Vue version allows it.
218
+ - Use `data-allow-mismatch` only for narrowly intentional mismatches such as unavoidable dates,
219
+ not as a blanket hydration-warning silencer.
220
+ - For SSR Teleport, use a dedicated target and ensure teleported markup is injected or delayed
221
+ intentionally. Avoid targeting `body` casually.
222
+ - For custom directives that affect SSR-visible attributes, provide an SSR path instead of
223
+ relying only on client DOM hooks.
224
+ 10. **Review Nuxt client-only and lazy hydration boundaries.**
225
+ - Do not use `<ClientOnly>` as a default mismatch fix. It removes default slot content from
226
+ server rendering and can affect first HTML, CSS, SEO, LCP, and layout.
227
+ - Distinguish lazy code loading from lazy hydration. Nuxt `Lazy` component prefixes delay code
228
+ loading; hydration strategies decide when existing SSR HTML becomes interactive.
229
+ - Avoid delayed hydration for above-the-fold controls, forms, navigation, search, login,
230
+ checkout, add-to-cart, or any component users may interact with immediately.
231
+ - For delayed hydration, pick one strategy per component and check Nuxt constraints: SFC usage,
232
+ explicit template props, no broad prop spread, and no direct `#components` import path when
233
+ the strategy depends on auto-imported lazy components.
234
+ - Treat prop changes and shared `v-model` as hydration triggers. Do not put shared model state
235
+ on many lazy-hydrated components without measuring the cascade.
236
+ - Do not use `hydrate-never` on interactive components.
237
+ 11. **Keep public and package surfaces synchronized.**
238
+ - If component APIs, router behavior, store contracts, SSR behavior, hydration behavior,
239
+ package metadata, or toolchain ranges change, synchronize docs, tests, examples, and template
240
+ metadata.
241
+ - Avoid exact latest-version wording unless official sources were refreshed in the current
242
+ task. Prefer support-range wording such as "Vue 3.5+" or "Nuxt 4.x" only when the project
243
+ actually supports that range.
244
+ 12. **Verify through the repository contract.**
245
+ - Run the smallest configured checks that cover Vue code, TypeScript/SFC type checks, build
246
+ output, tests, docs, and release-sensitive template output.
247
+ - Report missing browser, hydration, SSR, Nuxt, Pinia, Router, vue-tsc, performance profiling,
248
+ or package-consumer verification when those surfaces changed.
249
+
250
+ <!-- mustflow-section: postconditions -->
251
+ ## Postconditions
252
+
253
+ - Effective Vue, Nuxt, Pinia, Router, Vite, TypeScript, vue-tsc, and Node compatibility are known
254
+ or explicitly reported as unknown.
255
+ - Reactivity, computed, watcher, component API, composable, store, router, SSR, hydration, and lazy
256
+ hydration boundaries follow the supported version's model.
257
+ - Large data, wide subscriptions, unstable computed identity, raw/proxy mixing, prop mutation,
258
+ broad route watches, stale watcher responses, and ClientOnly misuse are fixed or reported.
259
+ - SSR-visible output is deterministic, intentionally client-only, or narrowly marked as an
260
+ intentional mismatch.
261
+ - Performance claims have profiler, benchmark, render-count, bundle, or configured evidence, or
262
+ are reported as static risk.
263
+
264
+ <!-- mustflow-section: verification -->
265
+ ## Verification
266
+
267
+ Use configured oneshot command intents when available:
268
+
269
+ - `lint`
270
+ - `build`
271
+ - `test_related`
272
+ - `test`
273
+ - `docs_validate_fast`
274
+ - `test_release`
275
+ - `mustflow_check`
276
+
277
+ Report missing Vue SFC typecheck, browser, hydration, SSR, Nuxt route, Pinia store, Router,
278
+ performance, or package-consumer verification when those surfaces changed.
279
+
280
+ <!-- mustflow-section: failure-handling -->
281
+ ## Failure Handling
282
+
283
+ - If version evidence conflicts, do not assume the newest Vue or Nuxt API is available. Preserve
284
+ the older-compatible path or report the compatibility decision.
285
+ - If a reactivity fix makes code faster by dropping required updates, restore the correct owner
286
+ boundary and report the performance tradeoff.
287
+ - If a watcher or route fetch can race, keep the stale-response scenario visible and add cleanup,
288
+ cancellation, request identity, or query-key ownership.
289
+ - If hydration fails, fix deterministic markup, SSR data, browser-only imports, invalid HTML, or
290
+ request-local state before adding ClientOnly or `data-allow-mismatch`.
291
+ - If a Nuxt lazy-hydration change breaks first interaction, remove the delay for that component or
292
+ report the product tradeoff.
293
+ - If configured verification is missing, report the missing intent instead of inventing raw
294
+ package-manager, dev-server, browser, or watcher commands.
295
+
296
+ <!-- mustflow-section: output-format -->
297
+ ## Output Format
298
+
299
+ - Vue surface and supported version checked
300
+ - Toolchain, SFC typecheck, reactivity, computed, watcher, component API, composable, Pinia,
301
+ Router, SSR, hydration, lazy-hydration, and performance notes
302
+ - Files changed
303
+ - Command intents run
304
+ - Skipped checks and reasons
305
+ - Remaining Vue, Nuxt, hydration, toolchain, or verification risk