mustflow 2.103.22 → 2.103.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37)
  1. package/README.md +5 -2
  2. package/dist/cli/commands/check.js +3 -3
  3. package/dist/cli/commands/flow.js +93 -0
  4. package/dist/cli/commands/run/executor.js +28 -3
  5. package/dist/cli/commands/run/windows-command-script.js +23 -0
  6. package/dist/cli/i18n/en.js +11 -0
  7. package/dist/cli/i18n/es.js +11 -0
  8. package/dist/cli/i18n/fr.js +11 -0
  9. package/dist/cli/i18n/hi.js +11 -0
  10. package/dist/cli/i18n/ko.js +11 -0
  11. package/dist/cli/i18n/zh.js +11 -0
  12. package/dist/cli/index.js +1 -0
  13. package/dist/cli/lib/active-command-lock.js +4 -0
  14. package/dist/cli/lib/command-registry.js +7 -0
  15. package/dist/cli/lib/local-index/index.js +70 -0
  16. package/dist/cli/lib/repo-flow-frontmatter.js +35 -0
  17. package/dist/cli/lib/repo-flow.js +209 -0
  18. package/dist/cli/lib/repo-map.js +3 -0
  19. package/dist/cli/lib/run-plan.js +8 -4
  20. package/dist/cli/lib/validation/constants.js +10 -0
  21. package/dist/cli/lib/validation/index.js +73 -1
  22. package/dist/core/check-issues.js +2 -0
  23. package/dist/core/generated-boundary.js +1 -0
  24. package/package.json +2 -1
  25. package/templates/default/i18n.toml +30 -6
  26. package/templates/default/locales/en/.mustflow/skills/INDEX.md +29 -6
  27. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +95 -23
  28. package/templates/default/locales/en/.mustflow/skills/axum-code-change/SKILL.md +219 -0
  29. package/templates/default/locales/en/.mustflow/skills/babylon-code-change/SKILL.md +318 -0
  30. package/templates/default/locales/en/.mustflow/skills/bun-code-change/SKILL.md +27 -12
  31. package/templates/default/locales/en/.mustflow/skills/elysia-code-change/SKILL.md +74 -20
  32. package/templates/default/locales/en/.mustflow/skills/godot-code-change/SKILL.md +272 -0
  33. package/templates/default/locales/en/.mustflow/skills/hono-code-change/SKILL.md +37 -23
  34. package/templates/default/locales/en/.mustflow/skills/routes.toml +28 -4
  35. package/templates/default/locales/en/.mustflow/skills/svelte-code-change/SKILL.md +65 -40
  36. package/templates/default/locales/en/.mustflow/skills/vue-code-change/SKILL.md +305 -0
  37. package/templates/default/manifest.toml +29 -1
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 189
5
+ revision: 197
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -231,6 +231,25 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
231
231
  Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent
232
232
  rendering, SSR streaming, resource hints, package metadata, or React-related tests are created,
233
233
  changed, reviewed, or upgraded.
234
+ - Use `vue-code-change` as a primary route when Vue, Nuxt, Pinia, Vue Router, Vue SFCs,
235
+ Composition API, reactivity, props, emits, slots, `v-model`, SSR, hydration, lazy hydration,
236
+ Vite/Vue toolchain, or Vue-related tests are created, changed, reviewed, or upgraded.
237
+ - Use `babylon-code-change` as a primary route when Babylon.js, WebGPU or WebGL engine setup,
238
+ Scene lifecycle, cameras, lights, meshes, materials, textures, shaders, glTF or GLB loading,
239
+ Havok or Physics V2, LOD, instancing, thin instances, picking, render loops, Inspector
240
+ debugging, or Babylon-related tests are created, changed, reviewed, or upgraded.
241
+ - Use `svelte-code-change` as a primary route when Svelte, SvelteKit, route files, universal or
242
+ server load, actions, endpoints, hooks, runes, snippets, bindings, SSR, hydration, streaming,
243
+ invalidation, adapters, Vite, TypeScript, packaging, or Svelte-related tests are created,
244
+ changed, reviewed, or upgraded.
245
+ - Use `axum-code-change` as a primary route when Axum routers, handlers, extractors, state,
246
+ extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, Tokio tasks or locks,
247
+ SQLx pools, rejections, error responses, body limits, WebSockets, or Rust HTTP API tests are
248
+ created, changed, reviewed, or upgraded.
249
+ - Use `godot-code-change` as a primary route when Godot projects, scenes, nodes, GDScript, C#
250
+ scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI,
251
+ input, exports, plugins, editor tools, or Godot version migrations are created, changed, reviewed,
252
+ or upgraded.
234
253
  - Use `c-code-change` as a primary route when C source, C-owned headers, native C build metadata,
235
254
  compiler dialects, C standard-version support, C ABI surfaces, generated C bindings, FFI,
236
255
  memory ownership, pointer lifetime, undefined behavior, sanitizer setup, performance-sensitive
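Review bot: The `axum-code-change` bullet names CORS, cookies, headers and body limits as triggers but never names authentication or authorization, so an auth-only change reaches this route only if the reader maps it onto "extractors" or "middleware". The Hono row in the route table lists `auth` directly in its trigger column; adding "auth" to this bullet, and to the matching Axum table row, would make the route match on the word a security change is most likely to be described with.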
@@ -484,7 +503,7 @@ routes. Event routes stay inactive until their event occurs.
484
503
  | C source, C-owned headers, native C build metadata, compiler dialect, C standard version, public C headers, shared or static libraries, ABI surfaces, generated C bindings, FFI, memory ownership, pointer lifetime, undefined behavior, sanitizer configuration, performance-sensitive C paths, tests, or benchmarks are created or changed | `.mustflow/skills/c-code-change/SKILL.md` | Owning target, C standard or dialect, compiler, libc, build front door, changed consumed surface, public API/ABI/FFI/binding surfaces, ownership, pointer provenance, sanitizer, and command contract entries | C source, C headers, build metadata, package metadata, generated bindings, FFI code, tests, benchmarks, warning and sanitizer policy, and directly synchronized docs | target drift, C23 support overclaim, source API break, binary ABI break, pointer provenance bug, lifetime bug, allocation overflow, strict-aliasing violation, sanitizer gap, generated-binding drift, FFI memory bug, unverified performance claim, or portable-release flag break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Owning target, C standard/dialect/compiler/libc identity, highest compatibility risk, ownership/lifetime/provenance/UB/concurrency/performance notes, public API/ABI/FFI/binding impact, verification, and remaining C risk |
485
504
  | POSIX sh, Bash, shell scripts, shebangs, GitHub Actions `run` blocks, package script shell snippets, grep/sed/awk/find/xargs pipelines, shell quoting, word splitting, globbing, traps, exit-status handling, portability, or shell security behavior are created or changed | `.mustflow/skills/shell-code-change/SKILL.md` | Effective shell, dialect target, invocation path, parser and expansion ledger, dynamic input boundaries, file and stream boundary, cleanup and failure expectations, changed files, and command contract entries | Shell scripts, CI run blocks, package or Make shell snippets, docs examples, shell tests, path-processing pipelines, and directly synchronized docs | sh/Bash dialect drift, hidden CI shell default, word-splitting or globbing bug, newline-unsafe filename flow, `set -e` or pipeline false green, GNU/BSD/BusyBox portability break, GitHub Actions expression injection, secret leak, destructive glob, temp-file race, or CRLF shebang failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check`, `line_endings_check` | Shell execution and dialect boundary, parser/expansion utility ledger, POSIX/Bash/GNU/BSD/BusyBox/GitHub Actions decisions, quoting/status/file/temp/security verification, and remaining shell risk |
486
505
  | Node.js runtime code, package manager ownership, module format, package entry metadata, native dependencies, Node test runner behavior, TypeScript execution mode, or deployment runtime support is created or changed | `.mustflow/skills/node-code-change/SKILL.md` | Node version signals, package manager and lockfile owner, module/package metadata, TypeScript loader, test runner, native dependency, deployment target, and command contract entries | Node runtime code, package metadata, lockfiles, scripts, CI or Docker runtime declarations, test runner config, native dependency handling, docs examples, and directly synchronized package surfaces | newest-Node assumption, package manager drift, ESM/CJS break, blocked deep import, native dependency break, Node native TypeScript overclaim, test runner migration risk, deployment mismatch, or permission-model overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Runtime and package manager decision, module/package entry notes, TypeScript/test runner notes, native/deployment risks, verification, and remaining Node.js risk |
487
- | Bun runtime code, Bun package manager behavior, `bun.lock`, `bunfig.toml`, Bun test runner behavior, Bun bundling, Bun TypeScript execution, or Bun-specific APIs are created or changed | `.mustflow/skills/bun-code-change/SKILL.md` | Bun role signals, `package.json`, Bun and non-Bun lockfiles, `bunfig.toml`, CI/Docker Bun setup, TypeScript config, Bun APIs, native dependency signals, and command contract entries | Bun runtime code, Bun package manager metadata, lockfiles, `bunfig.toml`, scripts, tests, bundler config, TypeScript/declaration pipeline, package metadata, and directly synchronized docs | Bun role confusion, lockfile drift, trusted dependency overgrant, runtime/package-manager conflation, Bun TypeScript typecheck overclaim, Bun build declaration gap, Node compatibility break, shebang mismatch, or native binary break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Bun role classification, lockfile/trust notes, runtime/type/build/test notes, Node compatibility risks, verification, and remaining Bun risk |
506
+ | Bun runtime code, `Bun.serve`, Elysia-on-Bun server behavior, Bun package manager behavior, `bun.lock`, `bunfig.toml`, Bun test runner behavior, Bun bundling, Bun compile, Bun TypeScript execution, Docker deployment, or Bun-specific APIs are created or changed | `.mustflow/skills/bun-code-change/SKILL.md` | Bun role signals, `package.json`, Bun and non-Bun lockfiles, `bunfig.toml`, CI/Docker Bun setup, TypeScript config, Bun APIs, server timeout and WebSocket settings, compile target, native dependency signals, and command contract entries | Bun runtime code, server config, package manager metadata, lockfiles, `bunfig.toml`, scripts, tests, bundler or compile config, TypeScript/declaration pipeline, Docker/deploy config, package metadata, and directly synchronized docs | Bun role confusion, lockfile drift, trusted dependency overgrant, runtime/package-manager conflation, Bun TypeScript typecheck overclaim, Bun build declaration gap, server timeout or WebSocket backpressure gap, compile target break, Node compatibility break, shebang mismatch, Docker/PORT drift, observability loss, or native binary break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Bun role classification, lockfile/trust notes, runtime/type/build/test/deploy notes, Node compatibility risks, verification, and remaining Bun risk |
488
507
  | Dockerfiles, `.dockerignore`, Docker Compose files, BuildKit or buildx behavior, container image metadata, tags, entrypoints, health checks, Docker CI workflows, image security scanning, SBOM or provenance settings, registry publishing, or container runtime validation are created or changed | `.mustflow/skills/docker-code-change/SKILL.md` | Docker surfaces, project image shape, base image and platform signals, build context and cache signals, runtime contract, security and supply-chain contract, and command contract entries | Dockerfiles, `.dockerignore`, Compose files, container CI workflow snippets, image metadata, package tests, docs examples, template metadata, and directly synchronized skill routes | cache breakage, secret leak, root runtime, host access escape, dev dependency in final image, mutable tag drift, untrusted CI publish, missing SBOM/provenance, unverified runtime, or false production-readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker surface classification, image/base/cache/stage decisions, secret/user/runtime/Compose/CI supply-chain notes, verification, and remaining Docker risk |
489
508
  | TypeScript source, declarations, tsconfig, package exports, module resolution, public API, compiler-version behavior, TypeScript 6-to-7 migration surfaces, TypeScript 7 RC or nightly tooling, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, compiler track, package entry metadata, target runtime, changed files, declaration, TS6 API, TS7 RC, and optional TS7 nightly surfaces, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, compiler-track comparison notes, and directly synchronized docs | weakened type safety, module drift, public API drift, unverified declaration output, TypeScript 6 deprecation suppression, TS7 RC over-adoption, TS7 nightly over-adoption, or compiler API track drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, public API, compiler-version, RC, nightly, and API-track boundary checked, changes made, verification, and remaining TypeScript risk |
490
509
  | JavaScript source, module format, package entry, browser or Node runtime, dependency usage, Promise handling, bundler config, or JavaScript tests are created or changed | `.mustflow/skills/javascript-code-change/SKILL.md` | Package metadata, module system, runtime target, entrypoints, changed files, and command contract entries | JavaScript source, package exports, bundler config, dependencies, tests, and docs examples | runtime API leakage, ESM/CJS drift, discarded Promise, dependency bloat, or broken package entry | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime and module boundary checked, async and dependency notes, verification, and remaining JavaScript risk |
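Review bot: The rewritten Bun row adds "Docker deployment" to its trigger column and "Docker/deploy config" to its scope column, which overlaps the `docker-code-change` row directly below it (Dockerfiles, Compose files, entrypoints, registry publishing). Either narrow the Bun row to the Bun-specific part its risk column already names ("Docker/PORT drift") or state which route is primary when a Dockerfile in a Bun project changes. The risk column also gains "observability loss" with no matching item in the inputs or report columns, so nothing in the row says what evidence would show it was checked.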
@@ -492,9 +511,11 @@ routes. Event routes stay inactive until their event occurs.
492
511
  | PowerShell scripts, modules, command examples, `pwsh` invocations, native-command wrappers, quoting, here-strings, splatting, regex, wildcard, replacement strings, or PowerShell argument passing are created or changed | `.mustflow/skills/powershell-code-change/SKILL.md` | PowerShell version and invocation path, parser layers, native-command boundary, dynamic input boundaries, changed files, and command contract entries | PowerShell scripts, modules, package scripts, CI snippets, docs examples, native-command wrappers, tests, and directly synchronized docs | parser-layer confusion, quote loss, variable over-expansion, metacharacter interpretation, native argv drift, command injection, `--%` overuse, or cross-shell `-Command` breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | PowerShell version and invocation boundary, parser ledger, string/here-string/regex/wildcard/replacement/native argv decisions, verification, and remaining PowerShell risk |
493
512
  | Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, benchmarks, tools, tests, or generated-code boundaries are created or changed | `.mustflow/skills/go-code-change/SKILL.md` | Module files, Go version support, full package files, tests, public API surface, concurrency owner, runtime/deployment context, changed files, and command contract entries | Go packages, module metadata, interfaces, errors, concurrency code, HTTP/proxy code, JSON encoding, filesystem and network helpers, runtime settings, tests, tools, and docs examples | unnecessary abstraction, unsupported Go feature, context loss, goroutine leak, missing timeout, JSON contract drift, filesystem traversal, IPv6 host-port bug, runtime tuning drift, error contract drift, or module drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Package, API, Go version, context, concurrency, runtime, HTTP, JSON, filesystem, tool, and error boundary checked, verification, and remaining Go risk |
494
513
  | Rust source, Cargo metadata, features, traits, errors, ownership, async runtime, unsafe code, tests, examples, benchmarks, release profiles, MSRV, toolchain declarations, standard-library APIs, or public crate APIs are created or changed | `.mustflow/skills/rust-code-change/SKILL.md` | Cargo metadata, feature flags, public exports, async runtime, unsafe invariants, `rust-version`, edition, toolchain, workspace policy, changed files, and command contract entries | Rust source, Cargo metadata, features, errors, traits, tests, examples, benchmarks, profiles, and docs | clone or lock bloat, unsupported Rust feature, feature drift, Cargo resolver drift, async runtime mixing, unsafe invariant loss, release-profile overclaim, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Ownership, MSRV, standard-library API, Cargo feature, async, unsafe, release-profile, and public API boundary checked, verification, and remaining Rust risk |
514
+ | Axum apps, routers, handlers, extractors, state, extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, WebSockets, body limits, rejections, error responses, Tokio tasks or locks, SQLx pools, or Rust HTTP API tests are created, changed, reviewed, or upgraded | `.mustflow/skills/axum-code-change/SKILL.md` | Cargo and Axum-related crate version evidence, router ledger, handler and extractor contracts, state and extension owners, middleware and Tower stack, response envelope, Tokio runtime, SQLx pool and transaction boundaries, changed files, and command contract entries | Axum routers, handlers, extractors, state, extensions, middleware, Tower layers, CORS/cookie/header policy, error and rejection mapping, Tokio task and lock boundaries, SQLx pool setup, tests, and docs examples | stale Axum version claim, route syntax migration drift, auth or body-consuming extractor bug, `State` versus `Extension` leak, inconsistent error envelope, fallible Tower error not mapped to response, CORS-as-auth mistake, cookie confidentiality gap, sensitive header logging, body-limit bypass, unbounded spawn, lock contention, pool starvation, or transaction lifetime leak | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Axum version, route, handler, extractor, state, response, Tower middleware, CORS/cookie/header/body-limit, Tokio task/lock, SQLx pool, verification, and remaining Axum risk |
515
+ | Godot projects, scenes, nodes, GDScript, C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, or Godot version migrations are created, changed, reviewed, or upgraded | `.mustflow/skills/godot-code-change/SKILL.md` | Godot version, renderer, platform targets, project settings, input map, autoloads, addons, affected scenes, scripts, Resources, save/load participants, export presets, profiler evidence when performance is claimed, and command contract entries | Godot scenes, nodes, GDScript or C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, tests, and docs examples | stale Godot version claim, scene-tree reach-through, global-state sprawl, shared Resource mutation, hidden signal flow, save corruption, thread-unsafe SceneTree access, renderer regression, target-device drift, export preset drift, or stale migration advice | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Godot version, renderer, scene, node, signal, Resource, Autoload, save/load, rendering, physics, UI, input, export, verification, and remaining Godot risk |
495
516
  | Dart source, pub package metadata, null safety, Futures, Streams, isolates, analyzer lints, tests, CLI entry points, or public package APIs are created or changed | `.mustflow/skills/dart-code-change/SKILL.md` | Pub metadata, analyzer config, public exports, async ownership, package layout, changed files, and command contract entries | Dart source, pub metadata, exports, async code, tests, examples, and docs | null-safety bypass, discarded Future, uncanceled Stream, isolate ownership drift, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Nullability, async, stream, isolate, and API boundary checked, verification, and remaining Dart risk |
496
- | Hono apps, routes, middleware, validators, RPC clients, bindings, context variables, auth boundaries, or runtime adapters are created or changed | `.mustflow/skills/hono-code-change/SKILL.md` | App entry, runtime adapter, route modules, middleware, binding types, schemas, client types, changed files, and command contract entries | Hono routes, middleware, validators, bindings, RPC types, tests, and docs examples | runtime API mixing, middleware order bug, auth gap, response envelope drift, or broken typed route inference | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, middleware, validation, auth, and response boundary checked, verification, and remaining Hono risk |
497
- | Elysia routes, schemas, plugins, decorators, derives, guards, auth, error handling, OpenAPI output, Eden clients, or Bun server behavior are created or changed | `.mustflow/skills/elysia-code-change/SKILL.md` | Server entry, route modules, schemas, plugins, auth, error handling, OpenAPI or Eden surface, changed files, and command contract entries | Elysia routes, schemas, plugins, generated clients, tests, and docs examples | schema/type drift, context inference loss, auth gap, inconsistent error envelope, or stale OpenAPI/Eden output | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Schema, validation, type inference, auth, error, and client contract checked, verification, and remaining Elysia risk |
517
+ | Hono apps, route chains, middleware order, validators, RPC or typed clients, OpenAPI schema generation, runtime bindings, context variables, auth, CORS, cookie, header, streaming, WebSocket, cache, static asset, or Cloudflare/Bun/Node/Deno/serverless adapter boundaries are created or changed | `.mustflow/skills/hono-code-change/SKILL.md` | App entry, runtime adapter, route modules, middleware order, binding and variable types, schemas, validators, OpenAPI setup, RPC or SDK client types, response contract, changed files, and command contract entries | Hono routes, middleware, validators, bindings, context variables, RPC types, OpenAPI or SDK surfaces, runtime entry files, tests, and docs examples | route-order shadowing, runtime API mixing, middleware order bug, auth/CORS/cookie/header gap, body parser drift, OpenAPI/RPC type drift, response envelope drift, streaming or WebSocket cancellation leak, cache or static path leak, adapter header drift, or broken typed route inference | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, adapter, route-order, middleware, validation, auth/CORS/cookie/header, OpenAPI/RPC/SDK, streaming/cache/static, and response boundary checked, verification, and remaining Hono risk |
518
+ | Elysia routes, schemas, Standard Schema validators, plugins, decorators, derives, resolves, guards, macros, auth, error handling, OpenAPI or Scalar docs, Eden Treaty clients, streaming, WebSocket, or Bun-backed server behavior are created or changed | `.mustflow/skills/elysia-code-change/SKILL.md` | Server entry, route modules, schemas, plugins, auth, cookies, CORS, lifecycle hooks, OpenAPI or Eden surface, streaming/WebSocket config, deploy settings, changed files, and command contract entries | Elysia routes, schemas, plugins, generated clients, docs UI or raw OpenAPI config, tests, deploy config, and docs examples | schema/type drift, context inference loss, lifecycle scope gap, auth gap, CORS or OpenAPI exposure, inconsistent error envelope, stale OpenAPI/Eden output, streaming timeout gap, WebSocket backpressure gap, or route path SDK drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Schema, validation, type inference, lifecycle, auth, error, OpenAPI/Eden, runtime/deploy impact checked, verification, and remaining Elysia risk |
498
519
  | Source anchors are added, revised, reviewed, or used to mark a module boundary | `.mustflow/skills/source-anchor-authoring/SKILL.md` | Target files, anchor reason, nearby anchors, source-anchor policy, and validation surface | Source anchors and directly related workflow docs or comments | comment bloat, authority drift, false verification claims, or hidden module pressure | `mustflow_check`, `docs_validate_fast` | Anchor placement decision, field choices, module-boundary handoff, and verification |
499
520
  | Changed files need risk classification and verification selection | `.mustflow/skills/diff-risk-review/SKILL.md` | Changed-file list, diff summary, and task goal | Changed surfaces and verification report | under- or over-verification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Risk level, verification choice, rollback notes |
500
521
  | Runtime performance, hot paths, user-perceived latency, p95/p99 tail latency, throughput, infrastructure cost, memory, GC pressure, CPU cache locality, allocation churn, bundle size, payload size, HTTP delivery, compression, streaming latency, media loading, build time, filesystem scanning, process spawning, IPC/RPC/DB/API fan-out, N+1 work, repeated filtering/sorting/parsing/serialization, caching, pagination, queues, virtualization, backpressure, or performance claims are planned, edited, reviewed, or reported | `.mustflow/skills/performance-budget-check/SKILL.md` | Performance surface, hot-path shape, input scale, measurement method, baseline and result when available, correctness boundaries, isolation surface, and command contract entries | Data access, lookup indexes, grouping, projection, batching, scheduling, rendering, cache boundaries, queues, concurrency limits, cancellation, measurements, docs, tests, and directly synchronized templates | invented budgets, stale measurements, hidden O(n²), misleading Big-O or data-structure claims, N+1 queries or RPC, unbounded materialization, repeated serialization, object churn, GC pressure, broad rerender, false compression win, buffered stream latency, cache stampede, key explosion, queue backlog, pool exhaustion, stale async result, or speed-over-correctness tradeoff | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Hot path, ROI priority, cost multiplier, measurement or complexity evidence, semantic preservation, optimization applied, verification, and remaining performance risk |
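Review bot: The Elysia row's trigger "Bun-backed server behavior" and the Bun row's new trigger "Elysia-on-Bun server behavior" describe the same change, and both rows now list a WebSocket backpressure gap as a risk, so one edit matches two primary routes with no stated order between them. Suggest keeping the server-behavior trigger on one row and having the other row defer to it. Separately, the new Axum and Godot rows use "created, changed, reviewed, or upgraded" while the Hono and Elysia rows edited in this same hunk still say "created or changed"; one form should be used throughout so review-only and upgrade-only tasks route the same way for every framework.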
@@ -591,9 +612,11 @@ routes. Event routes stay inactive until their event occurs.
591
612
  | Tailwind classes, class composition, theme tokens, variants, arbitrary values, Tailwind config, `@theme`, `@apply`, or migration surfaces are created or changed | `.mustflow/skills/tailwind-code-change/SKILL.md` | Tailwind config or CSS entry, source scanning rules, theme tokens, class helpers, changed files, and command contract entries | Tailwind config, theme tokens, utility classes, component class maps, tests, and docs examples | production class loss, arbitrary-value sprawl, token bypass, weak focus state, or hidden `@apply` drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Class detection, token, responsive, state, and production CSS boundary checked, verification, and remaining Tailwind risk |
592
613
  | UnoCSS config, presets, extraction, shortcuts, rules, variants, safelist, blocklist, attributify, transformers, or utility usage are created or changed | `.mustflow/skills/unocss-code-change/SKILL.md` | UnoCSS config, presets, extraction rules, shortcuts, safelist, blocklist, changed files, and command contract entries | UnoCSS config, utility usage, rules, shortcuts, safelist, blocklist, tests, and docs examples | extractor miss, runtime-only utility, safelist explosion, unbounded shortcut, or production CSS loss | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Extraction, safelist, shortcut, variant, and production CSS boundary checked, verification, and remaining UnoCSS risk |
593
614
  | Flutter widgets, screens, routing, state management, async UI, platform channels, assets, responsive layout, accessibility, or Flutter tests are created or changed | `.mustflow/skills/flutter-code-change/SKILL.md` | App root, route config, widget tree, state owner, platform files, assets, changed files, and command contract entries | Flutter widgets, routes, state, platform channels, assets, tests, and docs examples | impure build, lifecycle leak, navigation drift, layout breakage, inaccessible UI, or platform boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | State, lifecycle, layout, accessibility, platform, and asset boundary checked, verification, and remaining Flutter risk |
594
- | Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdown processing, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown processor, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, request pipeline, route cache, Markdown, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, request pipeline omission, cache data exposure, Markdown drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, request pipeline, cache, Markdown, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
615
+ | Astro config, package metadata, pages, layouts, components, client islands, server islands, hydration directives, content or live collections, routes, endpoints, actions, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdoc, Markdown processing, Shiki, images, `ClientRouter`, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown/MDX/Markdoc/Shiki processor, layouts, content schema, components, adapter runtime, server island boundary, changed files, and command contract entries | Astro pages, layouts, client and server islands, content and live collections, adapters, endpoints, actions, request pipeline, route cache, Markdown, Markdoc, Shiki, tests, and docs examples | unnecessary hydration, server island first-HTML drift, build/runtime data mix, stale `output: "hybrid"` migration, route URL drift, request pipeline omission, cache data exposure, Markdown or MDX drift, unsafe Markdoc HTML, content schema drift, loader validation miss, adapter runtime mismatch, or target-preview gap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, endpoint/action, request pipeline, cache, Markdown/MDX/Markdoc/Shiki, content, hydration, server island, ClientRouter, and adapter boundary checked, verification, and remaining Astro risk |
595
616
  | React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/react-code-change/SKILL.md` | React package evidence, effective React support range, compiler and lint evidence, rendering boundary, state and mutation evidence, changed files, and command contract entries | React source, tests, package metadata, framework config, SSR or RSC boundaries, docs examples, and directly synchronized compatibility surfaces | stale React version claim, CRA reintroduction, React 19 API in React 18-compatible package, effect dependency suppression, memoization folklore, compiler mismatch, context rerender drift, ref compatibility break, Suspense misuse, Action rollback gap, RSC or Server Action boundary confusion, unsafe resource hints, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | React version, compiler, lint, effect, state, memoization, context, ref, form, Suspense, SSR/RSC, resource, verification, and compatibility risks checked |
596
- | Svelte or SvelteKit components, routes, load functions, server actions, stores, runes, SSR boundaries, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, stores/runes, hooks, app types, changed files, and command contract entries | Svelte components, routes, load/actions, stores, SSR/client boundaries, tests, and docs examples | SSR/client leakage, browser global crash, state owner drift, form degradation, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, state, form, and accessibility boundary checked, verification, and remaining Svelte risk |
617
+ | Vue, Nuxt, Pinia, Vue Router, Vue SFCs, Composition API, reactivity, props, emits, slots, `v-model`, SSR, hydration, lazy hydration, Vite/Vue toolchain, or Vue-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/vue-code-change/SKILL.md` | Vue/Nuxt package evidence, effective Vue support range, Vite/vue-tsc/toolchain evidence, component API evidence, reactivity and watcher evidence, SSR/hydration evidence, Pinia/Router ownership evidence, changed files, and command contract entries | Vue SFCs, composables, Pinia stores, Router routes and guards, Nuxt pages/layouts/components/plugins, Vite/Nuxt config, tests, docs examples, package metadata, and directly synchronized compatibility surfaces | stale Vue or Nuxt version claim, missing SFC typecheck, wide reactive subscription, deep watch bomb, unstable computed identity, raw/proxy identity hazard, nested prop mutation, `defineModel` default desync, undeclared emit fallthrough, slot API drift, Pinia destructuring break, broad route watch, SSR request-state leak, hydration mismatch, ClientOnly misuse, lazy hydration on immediate interaction, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Vue version, toolchain, SFC typecheck, reactivity, computed, watcher, component API, composable, Pinia, Router, SSR, hydration, lazy-hydration, performance, verification, and compatibility risks checked |
618
+ | Babylon.js, WebGPU or WebGL engine setup, Scene lifecycle, cameras, lights, meshes, materials, textures, shaders, glTF or GLB loading, AssetContainer usage, loaders, Havok or Physics V2, LOD, instancing, thin instances, picking, render loops, Inspector debugging, or Babylon-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/babylon-code-change/SKILL.md` | Babylon package evidence, engine and fallback ledger, Scene and render loop owners, asset and decoder ledger, material and shader ledger, LOD/instancing/culling ledger, physics ledger, performance counters, changed files, and command contract entries | Babylon engine setup, Scene lifecycle, loaders, assets, materials, shaders, textures, cameras, lights, shadows, render targets, render loops, observers, LOD, culling, instances, thin instances, picking, Physics V2, Havok, tests, docs, and package metadata | stale Babylon version claim, WebGPU async init race, missing WebGL fallback, WebGPU bundle churn, loader or side-effect import drift, `__root__` mesh confusion, decoder hosting gap, material dirty or shader compile stutter, texture VRAM waste, thin-instance bounding failure, picking CPU tax, observer leak, incomplete disposal, overbroad mesh physics, collision callback overload, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Babylon version, engine/fallback, render loop, Scene lifecycle, asset loading, materials, shaders, textures, LOD/culling/instancing, picking, physics, performance, verification, and remaining Babylon risk |
619
+ | Svelte or SvelteKit components, route files, universal or server load functions, form actions, endpoints, hooks, stores, context, runes, props, snippets, bindings, SSR, hydration, streaming, preload, invalidation, server-only imports, env boundaries, adapters, Vite, TypeScript, packaging, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, route matchers, stores/runes/context, hooks, app types, adapter config, Vite and TypeScript config, package export metadata, changed files, and command contract entries | Svelte components, route files, load/actions, endpoints, stores/runes/context, SSR/client boundaries, adapter and package surfaces, tests, and docs examples | SSR/client leakage, server-only import leak, browser global crash, hydration marker drift, preload side effect, invalidation miss, streaming header/auth bug, request-state leak, state owner drift, effect-as-derived loop, form degradation, adapter output drift, package export break, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, route/load/action/invalidation/streaming, state/runes/props/snippets/bindings, adapter/toolchain/package, form, and accessibility boundary checked, verification, and remaining Svelte risk |
597
620
  | Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
598
621
 
599
622
  ### Architecture Patterns
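Review bot: The rewritten Svelte row adds packaging, package export metadata, and "package export break" to its scope and risk columns, but its verification intents still end at `mustflow_check` with no `test_release`, while the React, Vue, and Babylon rows in the same table include it. If `test_release` is the intent that exercises package output, add it to the Svelte row; if another listed intent covers the export check, say which one. The row also moved from directly after React to below the new Vue and Babylon rows, so confirm the new ordering is intended.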
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.astro-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 4
5
+ revision: 5
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: astro-code-change
9
- description: Apply this skill when Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, dynamic routes, adapters, request pipeline, advanced routing, route cache, MDX, Markdown processing, RSS, sitemap, canonical URL, draft, pagination, migration, or build behavior are created or changed.
9
+ description: Apply this skill when Astro config, package metadata, pages, layouts, components, client islands, server islands, hydration directives, content or live collections, dynamic routes, endpoints, actions, adapters, request pipeline, advanced routing, route cache, MDX, Markdoc, Markdown processing, RSS, sitemap, canonical URL, draft, pagination, ClientRouter, migration, or build behavior are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
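Review bot: The new `description` and the Astro row added to `skills/INDEX.md` in this release no longer list the same triggers. The description names RSS, sitemap, canonical URL, draft, and pagination, which the index row omits, and the index row names Shiki and images, which the description omits. If both strings are used to route work to this skill, add the missing terms to each or generate one from the other so they cannot drift again.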
@@ -28,15 +28,15 @@ metadata:
28
28
  <!-- mustflow-section: purpose -->
29
29
  ## Purpose
30
30
 
31
- Preserve Astro's static-first model, island hydration boundary, routing contract, request pipeline, content collection schema, canonical URL, RSS, sitemap, adapter, cache, and client bundle boundaries.
31
+ Preserve Astro's HTML-first model, static-first default, island hydration boundary, server island boundary, routing contract, request pipeline, content collection schema, canonical URL, RSS, sitemap, adapter, cache, and client bundle boundaries.
32
32
 
33
33
  The default is no-hydration. Add browser JavaScript only after proving that native HTML, CSS, standard links, forms, details/summary, or a small `.astro` script cannot provide the required behavior.
34
34
 
35
35
  <!-- mustflow-section: use-when -->
36
36
  ## Use When
37
37
 
38
- - `astro.config.*`, package metadata, `src/pages`, `src/fetch.*`, `.astro`, content config, live config, collections, layouts, components, MDX, Markdown processor config, routes, endpoints, adapters, integrations, islands, route cache, or hydration directives change.
39
- - The task adds or changes a page, blog/docs content, interactive UI, SSR/on-demand rendering, framework component, search/filter UI, request pipeline behavior, route behavior, RSS feed, sitemap, canonical URL, draft handling, migration, or pagination.
38
+ - `astro.config.*`, package metadata, `src/pages`, `src/fetch.*`, `.astro`, content config, live config, collections, layouts, components, MDX, Markdoc, Markdown processor config, routes, endpoints, actions, adapters, integrations, client islands, server islands, route cache, `ClientRouter`, or hydration directives change.
39
+ - The task adds or changes a page, blog/docs content, interactive UI, SSR/on-demand rendering, framework component, search/filter UI, request pipeline behavior, route behavior, RSS feed, sitemap, canonical URL, draft handling, migration, pagination, image handling, syntax highlighting, or client-side navigation.
40
40
 
41
41
  <!-- mustflow-section: do-not-use-when -->
42
42
  ## Do Not Use When
@@ -50,9 +50,10 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
50
50
  - Package metadata, current Astro version, target Astro version when migration is intended, framework integrations, TypeScript config, pages, layouts, components, content config, content files, integrations, adapter config, env declarations, public assets, and tests.
51
51
  - Astro config values that affect routing, URLs, rendering, request handling, Markdown, and cache: `site`, `base`, `trailingSlash`, `output`, `adapter`, `fetchFile`, `markdown`, `compressHTML`, `cache`, `routeRules`, sitemap integration, MDX integration, and framework integrations.
52
52
  - Content collection names, loader bases, schemas, slug/id policy, draft fields, date fields, canonical fields, and route files that turn collection entries into pages.
53
- - Current output mode, prerender/SSR policy, hydration conventions, route priority, endpoint layout, request pipeline or middleware layout, RSS generation, sitemap generation, and content schema.
54
- - Markdown processor decision, remark/rehype/recma plugins, custom Markdown imports, heading id policy, syntax-highlighting expectations, and Markdown or MDX snapshots when content rendering changes.
53
+ - Current output mode, prerender/SSR policy, hydration conventions, server island usage, route priority, endpoint layout, action usage, request pipeline or middleware layout, RSS generation, sitemap generation, and content schema.
54
+ - Markdown processor decision, MDX optimizer behavior, Markdoc `allowHTML` and tag validation, remark/rehype/recma plugins, custom Markdown imports, heading id policy, syntax-highlighting expectations, Shiki theme/language loading, and Markdown or MDX snapshots when content rendering changes.
55
55
  - Cache provider, route cache rules, cache-key inputs, invalidation path, deployment topology, and authenticated or personalized routes when `cache` or `routeRules` change.
56
+ - Runtime target and preview path when adapters, server islands, actions, sessions, filesystem access, Node APIs, edge runtimes, or CDN HTML transforms are involved.
56
57
  - Configured verification intents.
57
58
 
58
59
  <!-- mustflow-section: preconditions -->
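Review bot: The unchanged config-values bullet still ends with "sitemap integration, MDX integration, and framework integrations", yet the bullet added two lines later asks the reader to collect Markdoc `allowHTML` and tag validation. Add the Markdoc integration to that config list so its settings are gathered in the same pass. The new runtime-target bullet also lists sessions and CDN HTML transforms without naming a config value or file to read for either, which makes that input hard to check off.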
@@ -62,8 +63,10 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
62
63
  - Identify current and target Astro major versions before applying migration rules. Apply only the official major upgrade guide deltas crossed by the change, and keep ordinary Astro edits on the version-neutral policies below.
63
64
  - Identify build-time versus request-time data before adding data access.
64
65
  - Identify which UI truly needs browser JavaScript and which UI truly needs framework state before adding a framework island.
66
+ - Identify whether a dynamic value belongs in build-time content collections, live collections, on-demand routes, server islands, actions, endpoints, or client islands.
65
67
  - Treat file movement under `src/pages`, route parameter changes, and content slug changes as URL contract changes.
66
68
  - Treat `src/fetch.ts` and `src/fetch.js` as reserved advanced-routing entrypoint candidates unless `fetchFile` disables or moves that entrypoint.
69
+ - Treat `output: "hybrid"` as stale migration input. Current source must choose `output: "static"` with route-level `prerender = false`, or `output: "server"` with route-level `prerender = true` where appropriate.
67
70
 
68
71
  <!-- mustflow-section: allowed-edits -->
69
72
  ## Allowed Edits
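Review bot: The added `output: "hybrid"` precondition is unconditional, which conflicts with the first bullet in this list that limits migration rules to "the official major upgrade guide deltas crossed by the change". State the Astro major from which `hybrid` counts as stale, or word the rule as applying only when the target version no longer accepts it, so an ordinary edit on an older pinned version is not forced into an output-mode migration.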
@@ -72,6 +75,8 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
72
75
  - Use hydration directives only for components that need browser interactivity and cannot be handled with a small non-framework script.
73
76
  - Keep content collection schemas synchronized with frontmatter and collection reads.
74
77
  - Keep server-only secrets and data access out of client islands.
78
+ - Keep SEO-critical copy, primary page meaning, canonical metadata, and accessible fallback semantics in initial HTML rather than delayed islands.
79
+ - Keep adapter/runtime-specific APIs inside routes or adapters that can actually execute them.
75
80
 
76
81
  <!-- mustflow-section: procedure -->
77
82
  ## Procedure
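Review bot: The added bullet "Keep adapter/runtime-specific APIs inside routes or adapters that can actually execute them" gives no way to decide whether a route qualifies. Point it at the Adapter And Runtime Policy section added later in this file, or name the evidence expected, such as the route's prerender setting plus the target adapter preview.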
@@ -85,14 +90,16 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
85
90
  4. Build a route ledger from `src/pages`: static pages, dynamic pages, rest routes, endpoints, prerendered routes, on-demand routes, and possible route-priority collisions.
86
91
  5. Classify the change: static route, dynamic route, endpoint, content collection, integration, adapter, SSR/on-demand, request pipeline, island, script, asset, RSS, sitemap, canonical, cache, Markdown, migration, or docs/content.
87
92
  6. Apply the hydration policy below before adding or changing any `client:*` directive.
88
- 7. Apply the routing, request pipeline, and rendering policies below before adding dynamic routes, catch-all routes, endpoints, adapter changes, `src/fetch.*`, or `prerender` changes.
89
- 8. Apply the content, SEO, and feed policy below before changing frontmatter, schemas, slugs, drafts, canonical URLs, pagination, RSS, or sitemap behavior.
90
- 9. Apply the cache policy below before changing `cache`, `routeRules`, route-level cache behavior, or cache provider configuration.
91
- 10. Apply the Markdown and compiler policy below before changing Markdown processing, MDX, generated markup, `compressHTML`, HTML snapshots, or whitespace-sensitive content.
92
- 11. Do not put runtime-only data such as logged-in user state, request-local data, private API responses, or live inventory into build-time collections.
93
- 12. Do not enable request-time rendering without the adapter and deployment contract that support it.
94
- 13. Keep `set:html` or raw HTML injection behind a trusted and sanitized content boundary.
95
- 14. Choose configured verification intents that cover content schema, build, routes, hydration, adapter/runtime, cache, Markdown, request pipeline, and bundle risk when available.
93
+ 7. Apply the server island policy before using `server:defer`, adapter-backed delayed HTML, or personalized server-only fragments.
94
+ 8. Apply the routing, rendering, endpoint, and action policies below before adding dynamic routes, catch-all routes, endpoints, actions, adapter changes, `src/fetch.*`, `output`, or `prerender` changes.
95
+ 9. Apply the content, live collection, SEO, and feed policy below before changing frontmatter, schemas, slugs, drafts, canonical URLs, pagination, RSS, or sitemap behavior.
96
+ 10. Apply the cache policy below before changing `cache`, `routeRules`, route-level cache behavior, server island cache headers, or cache provider configuration.
97
+ 11. Apply the Markdown, Markdoc, Shiki, and compiler policy below before changing Markdown processing, MDX, Markdoc, generated markup, `compressHTML`, HTML snapshots, or whitespace-sensitive content.
98
+ 12. Apply the adapter and runtime policy before relying on Node APIs, edge runtime features, server islands, sessions, actions, image services, or deployment preview behavior.
99
+ 13. Do not put runtime-only data such as logged-in user state, request-local data, private API responses, live inventory, or request query state into build-time collections.
100
+ 14. Do not enable request-time rendering without the adapter, cache, security, and deployment contract that support it.
101
+ 15. Keep `set:html`, raw HTML, Markdoc `allowHTML`, or full-content RSS behind a trusted and sanitized content boundary.
102
+ 16. Choose configured verification intents that cover content schema, build, routes, hydration, adapter/runtime, cache, Markdown, request pipeline, and bundle risk when available.
96
103
 
97
104
  ## Hydration Policy
98
105
 
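Review bot: New step 8 drops "request pipeline" from the policies to apply, although it still triggers on `src/fetch.*` and the "Request Pipeline Policy" section remains in the file. After this change no procedure step applies that policy; steps 5 and 16 only mention the pipeline for classification and verification. Restore it in step 8 or give it its own step. Step 8 also refers to "endpoint, and action policies below", but the visible sections place those rules inside "Routing And Rendering Policy" rather than under headings of their own, so the reference should use the actual section name.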
@@ -101,16 +108,39 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
101
108
  - Add a framework island only after the component needs framework state, lifecycle, or an existing framework component that cannot be replaced safely.
102
109
  - Use `client:load` only for immediately visible controls that must be interactive as soon as the page loads.
103
110
  - Use `client:idle` for non-critical above-fold or near-fold enhancements that may hydrate after initial load.
104
- - Use `client:visible` for below-the-fold or heavy widgets that users may never view.
111
+ - Use `client:visible` for below-the-fold or heavy widgets that users may never view, and set a practical `rootMargin` when hydration would otherwise arrive after the user can interact.
112
+ - Use `client:media` only when the media query is also the interaction contract. Prefer `client:visible` when CSS already controls visibility.
105
113
  - Treat `client:only` as a last-resort exception. It requires an SSR-impossible browser-only dependency or API and a named reason.
106
114
  - Do not use framework islands for ordinary links, breadcrumbs, tag lists, card lists, static tables of contents, prose callouts, pagination, or static search links.
115
+ - Do not place `client:load` on page shells, layouts, broad sections, or framework components whose static children dominate the UI.
116
+ - Do not pass large CMS payloads, product lists, search results, or service responses as island props; they inflate HTML before JavaScript cost is visible.
117
+ - When using multiple UI frameworks, separate renderer boundaries with explicit include/exclude paths and avoid mixing React, Preact, Solid, Vue, Svelte, or other runtimes on one page unless migration or team ownership justifies it.
118
+ - If islands share fast-changing state through globals, storage, custom events, or stores, either name the coordination contract or merge the UI into one island.
119
+ - Treat `is:inline` and `define:vars` in repeated components as duplication risks because they can bypass script bundling and deduplication.
107
120
  - When adding a hydration directive, report the reason and the expected client bundle or island-count impact when verifiable.
108
121
 
122
+ ## Server Island Policy
123
+
124
+ - Use `server:defer` for delayed server-rendered fragments whose absence does not break the first page meaning, such as account chrome, personalization, small recommendations, or region-specific secondary data.
125
+ - Keep SEO-critical copy, product facts, article bodies, primary CTAs, FAQ text, and core page meaning in static or SSR initial HTML.
126
+ - Treat the fallback slot as real first-view UI. Reserve dimensions, preserve accessible names or status semantics, and avoid layout shift when the server island replaces it.
127
+ - Pass small serializable identifiers and options to server islands. Do not pass callbacks, circular objects, broad service responses, or large objects that force POST fallback and lose browser cacheability.
128
+ - Pin `ASTRO_KEY` or equivalent deployment secret when cached HTML, rolling deployments, multi-region deploys, or CDN HTML reuse can outlive the build that encrypted server island props.
129
+ - Do not read the user-facing page URL from `Astro.url` inside a server island. Pass needed page state as props, or use referer-derived logic only when the privacy and cache boundary is explicit.
130
+ - Do not cache personalized server island HTML publicly. Use `private`, `no-store`, or an explicit user-varying cache key for authenticated, cookie-derived, account, price-tier, or permission-dependent fragments.
131
+ - Do not expect a server island to re-render itself after client state changes. Use a client island with actions or endpoints for frequent post-interaction updates.
132
+ - Avoid stacking delayed shells: combining `server:defer` with `client:only` requires a specific browser-only reason and a fallback that remains useful.
133
+ - Use directly imported wrapper components for client directives; do not assume directives work on dynamic tags or components passed through arbitrary props.
134
+
109
135
  ## Routing And Rendering Policy
110
136
 
111
137
  - In static output, every dynamic route must have `getStaticPaths`.
112
138
  - In on-demand or SSR dynamic routes, do not use `getStaticPaths`; read `Astro.params`, perform the request-time lookup, and handle missing entries with an explicit 404 or redirect path.
139
+ - In `output: "static"`, use route-level `export const prerender = false` only for pages or endpoints that truly need request-time rendering and have an adapter. In `output: "server"`, use `prerender = true` only for routes intentionally carved back to static output.
140
+ - Do not use environment-derived dynamic `prerender` values in route files. Route prerender decisions must be static literals or owned by a deliberate integration setup hook.
141
+ - Do not use stale `output: "hybrid"` config in new code or migration examples.
113
142
  - `getStaticPaths` params must match bracket parameter names exactly. Route param values are a string contract; rest parameters may use `undefined`.
143
+ - Keep `getStaticPaths` self-contained. Move shared route-generation data into importable module functions instead of reading parent frontmatter state.
114
144
  - Custom slugs containing `/` require a rest route such as a catch-all route. Do not force slash-containing slugs into a single named parameter route.
115
145
  - Treat changes under `src/pages` as public URL changes, including endpoint names and extension-bearing endpoint paths.
116
146
  - Check route priority when adding static routes, named parameters, rest parameters, catch-all routes, and endpoints that could claim the same URL.
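Review bot: In the Server Island Policy, the `Astro.url` bullet permits "referer-derived logic" subject only to a privacy and cache boundary, but the Referer header is supplied by the request and can be missing or altered. Add that the value must be treated as untrusted input, checked against the site's own origin before use, and never used for authorization or cache-key decisions on its own. The `ASTRO_KEY` bullet likewise says to pin the key without saying where it lives or how it is rotated; since pinning makes it a long-lived secret, state that it belongs in the deployment secret store and not in the repository.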
@@ -118,6 +148,9 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
118
148
  - Do not assume adding an adapter makes every page SSR. Keep static output as the default unless the project explicitly chooses server output or route-level on-demand rendering.
119
149
  - Do not switch the whole project to server output for one page unless the deployment and route contract require it.
120
150
  - Do not assume SSR dynamic routes appear in sitemap output automatically.
151
+ - Treat static endpoints as build-time files and server endpoints as request-time handlers. Authentication, mutation, private tokens, webhooks, and DB access belong in server endpoints or actions, not build-time endpoint generation.
152
+ - Prefer Astro actions for typed page-owned mutations when they cover the need; use endpoints for non-page consumers, webhooks, files, public APIs, or custom response contracts.
153
+ - If `<ClientRouter />` is present, review navigation lifecycle, script re-execution, event attachment, prefetch behavior, `astro:page-load`, `astro:after-swap`, `data-astro-reload`, and view-transition state instead of assuming ordinary full-page navigation.
121
154
 
122
155
  ## Request Pipeline Policy
123
156
 
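Review bot: The new endpoint bullet says authentication, mutation, private tokens, webhooks, and DB access "belong in server endpoints or actions", but it stops at placement. Server endpoints and actions are reachable by any client that can send the request, so add that each handler performs its own authorization check and input validation, and that webhook handlers verify the sender before acting. Without that, a reviewer following this line can approve a mutation that was moved to the right place but left unprotected.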
@@ -132,12 +165,19 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
132
165
  - Treat `cache` and `routeRules` changes as data-exposure risks, not only performance changes.
133
166
  - Do not cache authenticated, personalized, locale-sensitive, cookie-dependent, header-dependent, or query-dependent responses unless the cache key, invalidation, and privacy boundary are explicit.
134
167
  - Check whether the deployment is single-instance or multi-instance before relying on in-memory route cache behavior.
168
+ - Do not report route cache behavior from dev mode alone. Cache providers, CDN cache providers, invalidation tags, and server-function bypass behavior need build-preview or deployment-target evidence.
169
+ - If invalidation is required, check that tags, paths, webhook source, stale-while-revalidate policy, and provider support are explicit.
135
170
  - When route cache behavior changes, use `cache-integrity-review` as an adjunct when available and report `HIT`, `MISS`, `STALE`, or equivalent cache evidence only when verified.
136
171
 
137
- ## Markdown And Compiler Policy
172
+ ## Markdown, Markdoc, Shiki, And Compiler Policy
138
173
 
139
174
  - When an Astro major migration changes Markdown processing, choose explicitly between the current processor and the new default processor. Keep the unified pipeline when remark, rehype, recma, MDX, or custom Markdown plugin compatibility is unproven.
140
- - Check heading ids, code blocks, syntax highlighting, link rewriting, frontmatter rendering, and Markdown or MDX snapshots when the processor changes.
175
+ - Check heading ids, code blocks, syntax highlighting, link rewriting, frontmatter rendering, custom component mappings, and Markdown or MDX snapshots when the processor changes.
176
+ - Treat MDX as executable component-capable content. Keep ordinary docs elements static, isolate demos, and avoid hydrating framework runtimes from content files without a specific demo or interaction contract.
177
+ - Treat MDX optimizer changes as rendered-output changes. Check escaped HTML, custom component mappings, and `ignoreElementNames` before accepting faster builds.
178
+ - Treat Markdoc as a constrained content-authoring boundary. Keep tags, attributes, children, transforms, and validation explicit; do not enable `allowHTML` unless the authoring source is trusted and review/lint coverage exists.
179
+ - Do not create Shiki highlighters in hot loops, request handlers, or per-entry render paths. Reuse long-lived highlighters and load only the needed themes and languages.
180
+ - Check image handling in Markdown, MDX, and loaders. Raw `<img>` and SVG are not the same as `astro:assets`; remote image sources need an allowlist and dimensions or another CLS strategy.
141
181
  - Treat stricter compiler output, invalid HTML nesting, non-void tag closure, CSS serialization, and whitespace between inline elements as user-visible migration risks.
142
182
  - When `compressHTML` changes or defaults differ, verify important rendered text does not lose intended spaces between inline elements.
143
183
 
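Review bot: The Markdoc bullet allows `allowHTML` when "the authoring source is trusted and review/lint coverage exists", while procedure step 15 in this same file requires raw HTML and Markdoc `allowHTML` to sit behind "a trusted and sanitized content boundary". Use one condition in both places; as written, this bullet can be satisfied without any sanitization. The image bullet has a similar gap: it requires an allowlist for remote image sources but does not say which config value holds it, so there is nothing concrete to review.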
@@ -151,6 +191,13 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
151
191
  ## Content SEO Feed Policy
152
192
 
153
193
  - Every frontmatter field used by routes, SEO, RSS, sitemap, pagination, filtering, or canonical URLs must be declared in the content collection schema.
194
+ - Treat content collections as build-time or live data contracts, not folders that automatically become pages.
195
+ - Use build-time collections for stable docs, blogs, landing copy, image optimization, MDX processing, and high-cache content. Use live collections only when request-time freshness is worth the runtime cost and feature limits.
196
+ - Keep content loader patterns aligned with intended file types such as `.md`, `.mdx`, `.mdoc`, JSON, YAML, or TOML. Do not let new content formats silently disappear from list pages or feeds.
197
+ - Do not trust `getCollection()` order. Sort by explicit date, priority, title, or id before rendering lists, pagination, RSS, sitemap-derived lists, or related content.
198
+ - Centralize published/draft filtering in a shared query helper when multiple pages, feeds, tag pages, search JSON, or sitemap entries consume the same collection.
199
+ - Avoid `render()` in list pages, cards, search indexing, or RSS excerpt generation unless body rendering is the intended cost. Prefer structured excerpt fields and consider `retainBody: false` where the body is not needed.
200
+ - Custom loaders must validate data with the collection schema before `store.set()`, preserve stable ids and digests, avoid unconditional `store.clear()` for large remote sources, and provide `filePath`, `fileURL`, or rendered content metadata when images or Markdown rendering depend on it.
154
201
  - Treat changing a content filename, collection id, or frontmatter slug as a public URL change. Existing public content needs a redirect or explicit canonical decision.
155
202
  - Draft filtering must be consistent across index pages, detail route generation, tag pages, author pages, pagination, RSS, sitemap customization, and custom page lists.
156
203
  - Filter drafts before sorting and paginating content.
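Review bot: The new `getCollection()` ordering bullet says to sort "by explicit date, priority, title, or id", but a single key is not deterministic when two entries share a value, for example two posts with the same date. Require a unique tiebreaker such as id after the primary key, otherwise pagination boundaries and RSS order can still change between builds. The new centralized draft-filter bullet also overlaps the existing "Draft filtering must be consistent across" bullet a few lines below; place them together or merge them so the helper requirement and the list of consumers read as one rule.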
@@ -162,34 +209,53 @@ The default is no-hydration. Add browser JavaScript only after proving that nati
162
209
  - Sitemap output must contain public canonical URLs only and must exclude drafts, private routes, noindex routes, and unrelated on-demand paths.
163
210
  - If sitemap custom pages are used, check them against canonical, draft, trailing-slash, base, and locale policy.
164
211
 
212
+ ## Adapter And Runtime Policy
213
+
214
+ - Treat adapters as runtime contracts, not deployment decoration. Choose Node, Cloudflare, Vercel, Netlify, or another adapter before relying on filesystem, native modules, image services, sessions, actions, server islands, or edge-only APIs.
215
+ - For Cloudflare or other edge runtimes, reject Node-only modules, `node:fs`, native packages, or Node SDK assumptions in on-demand routes unless the target runtime explicitly supports them.
216
+ - Distinguish prerender-time Node behavior from request-time edge behavior when an adapter offers separate prerender environment settings.
217
+ - Use Astro integrations for renderers, adapters, middleware, custom client directives, and lifecycle work. Use Vite plugins for transform/bundling work, and check Vite environment names before assuming client, SSR, prerender, and Astro contexts behave the same.
218
+ - Treat integration array order as behavior. Document first/last requirements when integrations modify config, renderers, middleware, or Vite plugins.
219
+ - Custom integrations should use hooks such as config setup, `updateConfig()`, and watch-file APIs instead of mutating global state or caching config across dev reloads.
220
+ - Verify production-like output with the target adapter preview when adapter/runtime behavior changed. `astro dev` alone does not prove CDN minification, workerd, server function, image service, hydration, or cache behavior.
221
+
165
222
  ## Review Rejection Criteria
166
223
 
167
224
  Reject or revise a change when:
168
225
 
169
226
  - A framework island is added without proving framework state or lifecycle is required.
170
227
  - `client:load` is used for content-heavy, below-the-fold, static, or non-urgent UI.
228
+ - A broad layout, page shell, or static content section becomes a framework island without a state/lifecycle reason.
171
229
  - `client:only` is used because SSR broke, instead of isolating the browser-only dependency.
230
+ - A server island contains SEO-critical page meaning, lacks a stable fallback, passes broad props, depends on the page URL without props, or caches personalized HTML publicly.
172
231
  - Static output dynamic routes lack `getStaticPaths`.
173
232
  - On-demand or SSR dynamic routes use `getStaticPaths`.
233
+ - New code or docs introduce `output: "hybrid"` or environment-derived route `prerender` values.
174
234
  - Route params do not match bracket names, non-rest params are not strings, or rest params use values other than strings or `undefined`.
175
235
  - A content slug with `/` is mapped through a non-rest route.
236
+ - A collection entry is expected to become a page without an explicit route, `getStaticPaths`, or on-demand route.
237
+ - A collection list, pagination, RSS, or sitemap depends on default `getCollection()` ordering.
238
+ - Draft filtering is hand-copied instead of centralized across public entrypoints.
176
239
  - `src/fetch.*` is added without a named request pipeline requirement, or direct handler composition omits a needed pipeline stage.
177
240
  - Route cache is enabled for authenticated, personalized, locale-sensitive, cookie-dependent, header-dependent, or query-dependent responses without an explicit cache key and invalidation boundary.
178
241
  - Markdown processor changes skip plugin compatibility or rendered-output checks.
242
+ - MDX optimizer, Markdoc `allowHTML`, custom Markdoc tags, Shiki highlighters, or Markdown image paths change without rendered-output, security, or performance evidence.
179
243
  - Compiler or `compressHTML` changes are accepted without checking invalid HTML nesting, non-void tag closure, CSS serialization, or whitespace-sensitive rendered text when those surfaces are affected.
180
244
  - Draft filtering differs between lists, detail pages, RSS, sitemap, or pagination.
181
245
  - Canonical URLs are built by ad hoc string concatenation.
182
246
  - RSS or sitemap includes drafts, stale paths, wrong trailing slash paths, or paths that the route ledger cannot produce.
183
247
  - A schema-used frontmatter field is read without being declared in the content schema.
184
248
  - Runtime request data is placed into build-time content collections.
249
+ - Adapter-specific Node or edge APIs are used without target runtime evidence.
185
250
 
186
251
  <!-- mustflow-section: postconditions -->
187
252
  ## Postconditions
188
253
 
189
254
  - Build-time and runtime data are separated.
190
255
  - Client JavaScript is limited to needed islands.
191
- - Route, endpoint, request pipeline, cache, canonical URL, RSS, sitemap, draft, Markdown, and content schema impact is known.
192
- - SSR or adapter changes are verified or reported.
256
+ - Server islands preserve first HTML meaning, fallback stability, serialization, cache privacy, and deployment-key behavior.
257
+ - Route, endpoint, action, request pipeline, cache, canonical URL, RSS, sitemap, draft, Markdown, Markdoc, Shiki, image, and content schema impact is known.
258
+ - SSR, adapter, target runtime, and production-preview changes are verified or reported.
193
259
 
194
260
  <!-- mustflow-section: verification -->
195
261
  ## Verification
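Review bot: In the added Review Rejection Criteria bullet that begins "MDX optimizer, Markdoc `allowHTML`, custom Markdoc tags, Shiki highlighters, or Markdown image paths change without rendered-output, security, or performance evidence", the trailing "or" lets a Markdoc `allowHTML` or custom-tag change pass with performance evidence alone. Those two items widen what content authors can inject into rendered HTML, so they should get their own bullet that requires security evidence, leaving the MDX optimizer, Shiki, and image-path items under rendered-output or performance evidence. The added server island bullet has the same shape: "caches personalized HTML publicly" is a data-exposure condition listed alongside SEO and fallback concerns, and it would be easier to enforce as a separate bullet worded like the existing route cache criterion (explicit cache key and invalidation boundary). The new "Draft filtering is hand-copied instead of centralized across public entrypoints" bullet also overlaps the unchanged "Draft filtering differs between lists, detail pages, RSS, sitemap, or pagination" line a few bullets later; consider merging them or placing them next to each other. Finally, the new postcondition names "deployment-key behavior" for server islands, but no rejection criterion in this hunk mentions a deployment key, so a reviewer has nothing to reject against.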
@@ -203,27 +269,33 @@ Use configured oneshot command intents when available:
203
269
  - `docs_validate_fast`
204
270
  - `mustflow_check`
205
271
 
206
- Report missing framework validation, route preview, request pipeline, cache, Markdown, content schema, RSS, sitemap, canonical, or client bundle verification intents when relevant.
272
+ Report missing framework validation, route preview, request pipeline, cache, Markdown, Markdoc, Shiki, image, content schema, RSS, sitemap, canonical, server island, adapter-runtime, or client bundle verification intents when relevant.
207
273
 
208
- When verifiable, report counts for added hydration directives, added island risk, generated public content pages, excluded drafts, RSS items, sitemap URLs, duplicate canonical URLs, route cache rules, and affected Markdown or MDX outputs.
274
+ When verifiable, report counts for added hydration directives, added client or server island risk, generated public content pages, excluded drafts, RSS items, sitemap URLs, duplicate canonical URLs, route cache rules, and affected Markdown, MDX, Markdoc, Shiki, or image outputs.
209
275
 
210
276
  <!-- mustflow-section: failure-handling -->
211
277
  ## Failure Handling
212
278
 
213
279
  - If an island is added only to work around static markup, revisit the markup and content boundary first.
214
280
  - If SSR is requested without adapter evidence, stop and report the deployment contract gap.
281
+ - If `output: "hybrid"` appears, replace it with a current static/server plus route-level prerender decision before changing unrelated routing.
282
+ - If a server island exposes private data, depends on a deployment key, or changes first-view layout, check fallback, serialization, cache headers, and `ASTRO_KEY` or report the missing deployment contract.
215
283
  - If custom request pipeline work lacks a pipeline ledger, create the ledger before changing unrelated routing or middleware.
216
284
  - If cache rules can expose private or personalized data, stop and route through cache integrity review before optimizing performance.
217
285
  - If Markdown processor compatibility is unknown, keep the existing processor path or report the migration blocker.
286
+ - If MDX or Markdoc authoring opens arbitrary JS or HTML, tighten the content-authoring boundary before adding more components.
287
+ - If a custom loader skips schema parsing, stable ids, digest handling, or image path metadata, fix the loader contract before adding pages.
288
+ - If Shiki setup is slow or memory-heavy, reuse highlighters and restrict theme/language loading before blaming Astro build time.
218
289
  - If content schema drift appears, fix schema and sample content before adding more pages.
219
290
  - If draft, canonical, RSS, sitemap, or pagination drift appears, fix the shared content and route contract before adding new entries.
220
291
  - If a route collision appears, resolve the route ledger before changing unrelated rendering code.
292
+ - If target-runtime preview cannot be run through a configured intent, report the missing adapter/runtime smoke coverage.
221
293
 
222
294
  <!-- mustflow-section: output-format -->
223
295
  ## Output Format
224
296
 
225
297
  - Boundary checked
226
- - Build/runtime, route, endpoint, request pipeline, cache, Markdown, content, hydration, canonical, RSS, sitemap, and draft notes
298
+ - Build/runtime, route, endpoint, action, request pipeline, cache, Markdown, Markdoc, Shiki, image, content, hydration, server island, canonical, RSS, sitemap, ClientRouter, and draft notes
227
299
  - Files changed
228
300
  - Command intents run
229
301
  - Skipped checks and reasons
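Review bot: The added Failure Handling bullet "If a server island exposes private data, depends on a deployment key, or changes first-view layout, check fallback, serialization, cache headers, and `ASTRO_KEY` or report the missing deployment contract" groups a private-data exposure with a layout shift and ends in "or report", which is weaker than the unchanged cache bullet just below it that says to "stop and route through cache integrity review". Split the private-data case into its own bullet with an explicit stop, so the two exposure paths are handled with the same severity. `ASTRO_KEY` is also named here without any statement of what to check about it (presence, consistency across deployments, or something else); a short clause would make the step actionable. The added MDX/Markdoc bullet ("tighten the content-authoring boundary") does not say what evidence closes the issue, whereas the neighbouring bullets name a concrete artifact such as a ledger or schema. Separately, the Output Format line now lists "action" and "ClientRouter", but the updated Verification sentence about missing verification intents mentions neither, so those notes can be requested in output with no matching verification intent reported as missing.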