mustflow 2.103.22 → 2.103.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +5 -2
- package/dist/cli/commands/check.js +3 -3
- package/dist/cli/commands/flow.js +93 -0
- package/dist/cli/commands/run/executor.js +28 -3
- package/dist/cli/commands/run/windows-command-script.js +23 -0
- package/dist/cli/i18n/en.js +11 -0
- package/dist/cli/i18n/es.js +11 -0
- package/dist/cli/i18n/fr.js +11 -0
- package/dist/cli/i18n/hi.js +11 -0
- package/dist/cli/i18n/ko.js +11 -0
- package/dist/cli/i18n/zh.js +11 -0
- package/dist/cli/index.js +1 -0
- package/dist/cli/lib/active-command-lock.js +4 -0
- package/dist/cli/lib/command-registry.js +7 -0
- package/dist/cli/lib/local-index/index.js +70 -0
- package/dist/cli/lib/repo-flow-frontmatter.js +35 -0
- package/dist/cli/lib/repo-flow.js +209 -0
- package/dist/cli/lib/repo-map.js +3 -0
- package/dist/cli/lib/run-plan.js +8 -4
- package/dist/cli/lib/validation/constants.js +10 -0
- package/dist/cli/lib/validation/index.js +73 -1
- package/dist/core/check-issues.js +2 -0
- package/dist/core/generated-boundary.js +1 -0
- package/package.json +2 -1
- package/templates/default/i18n.toml +30 -6
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +29 -6
- package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +95 -23
- package/templates/default/locales/en/.mustflow/skills/axum-code-change/SKILL.md +219 -0
- package/templates/default/locales/en/.mustflow/skills/babylon-code-change/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/bun-code-change/SKILL.md +27 -12
- package/templates/default/locales/en/.mustflow/skills/elysia-code-change/SKILL.md +74 -20
- package/templates/default/locales/en/.mustflow/skills/godot-code-change/SKILL.md +272 -0
- package/templates/default/locales/en/.mustflow/skills/hono-code-change/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/routes.toml +28 -4
- package/templates/default/locales/en/.mustflow/skills/svelte-code-change/SKILL.md +65 -40
- package/templates/default/locales/en/.mustflow/skills/vue-code-change/SKILL.md +305 -0
- package/templates/default/manifest.toml +29 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.hono-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: hono-code-change
|
|
9
|
-
description: Apply this skill when Hono apps,
|
|
9
|
+
description: Apply this skill when Hono apps, route chains, middleware order, validators, RPC or typed clients, OpenAPI schema generation, runtime bindings, context variables, auth, CORS, cookie, header, streaming, WebSocket, cache, static asset, or Cloudflare, Bun, Node, Deno, edge, or serverless adapter boundaries are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -28,26 +28,29 @@ metadata:
|
|
|
28
28
|
<!-- mustflow-section: purpose -->
|
|
29
29
|
## Purpose
|
|
30
30
|
|
|
31
|
-
Preserve Hono runtime, middleware, validation, context binding, auth, typed
|
|
31
|
+
Preserve Hono route registration, runtime adapter, middleware ordering, validation, context binding, auth, typed client, OpenAPI, streaming, cache, static asset, and response contract boundaries.
|
|
32
32
|
|
|
33
33
|
<!-- mustflow-section: use-when -->
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
|
-
- `new Hono`, `app.get`, `app.post`, `app.use`, `c.env`, `c.get`, `c.set`, validators, RPC clients, middleware, adapters, or Hono route tests change.
|
|
37
|
-
- The task touches Cloudflare Workers, Bun, Node, edge-compatible
|
|
36
|
+
- `new Hono`, `app.route`, `basePath`, `app.get`, `app.post`, `app.use`, wildcard routes, fallback routes, `c.env`, `c.get`, `c.set`, `c.req.valid`, validators, RPC clients, middleware, adapters, or Hono route tests change.
|
|
37
|
+
- The task touches Cloudflare Workers, Bun, Node, Deno, edge-compatible, serverless, SSR, static file, WebSocket, SSE, streaming, cache, cookie, CORS, CSRF, JWT, JWK, header, body-limit, binding, variable, auth middleware, OpenAPI, or response schema behavior.
|
|
38
|
+
- The task exports or consumes `typeof app`, `typeof routes`, `AppType`, `hc`, `InferRequestType`, `InferResponseType`, `ApplyGlobalResponse`, OpenAPI clients, or generated SDKs from Hono routes.
|
|
38
39
|
|
|
39
40
|
<!-- mustflow-section: do-not-use-when -->
|
|
40
41
|
## Do Not Use When
|
|
41
42
|
|
|
42
43
|
- The task only touches framework-agnostic service code behind a Hono handler; use the relevant language or architecture skill.
|
|
43
44
|
- Another HTTP framework is used instead of Hono.
|
|
45
|
+
- The task only updates external framework version prose; use `source-freshness-check` unless the Hono procedure itself changes.
|
|
44
46
|
|
|
45
47
|
<!-- mustflow-section: required-inputs -->
|
|
46
48
|
## Required Inputs
|
|
47
49
|
|
|
48
|
-
- Package metadata, TypeScript config, runtime adapter config, worker or server entrypoint,
|
|
49
|
-
- Target runtime matrix: Cloudflare, Bun, Node, edge-compatible, or single runtime.
|
|
50
|
-
- Existing response envelope
|
|
50
|
+
- Package metadata, TypeScript config, runtime adapter config, worker or server entrypoint, route modules, middleware registration, env and binding types, context variables, schemas, validators, client type exports, OpenAPI generation, generated SDKs, and tests.
|
|
51
|
+
- Target runtime matrix: Cloudflare Workers or Pages, Bun, Node with `@hono/node-server`, Deno, Lambda or other serverless adapter, edge-compatible, or single runtime.
|
|
52
|
+
- Existing response envelope, status-code contract, error contract, CORS, cookie, header, cache, streaming, WebSocket, static file, body-size, and upload behavior.
|
|
53
|
+
- Official or repository-local source evidence before preserving exact latest-version, patch-note, or adapter-behavior claims.
|
|
51
54
|
|
|
52
55
|
<!-- mustflow-section: preconditions -->
|
|
53
56
|
## Preconditions
|
|
@@ -55,6 +58,7 @@ Preserve Hono runtime, middleware, validation, context binding, auth, typed rout
|
|
|
55
58
|
- Confirm runtime before using platform APIs.
|
|
56
59
|
- Identify `Bindings` for runtime-provided values and `Variables` for request-local middleware values.
|
|
57
60
|
- Identify auth, validation, and error response boundaries before adding routes.
|
|
61
|
+
- Refresh official package or vendor sources before preserving exact "latest", release-date, or security-patch claims; otherwise keep those facts out of the skill or mark them as snapshot-only in the report.
|
|
58
62
|
|
|
59
63
|
<!-- mustflow-section: allowed-edits -->
|
|
60
64
|
## Allowed Edits
|
|
@@ -63,26 +67,33 @@ Preserve Hono runtime, middleware, validation, context binding, auth, typed rout
|
|
|
63
67
|
- Register middleware in an order that preserves logging, CORS, security headers, body limits, auth, validation, and handler behavior.
|
|
64
68
|
- Trust only validated request data in handlers.
|
|
65
69
|
- Keep success and failure envelopes consistent.
|
|
70
|
+
- Keep route type exports, RPC clients, OpenAPI documents, generated SDKs, tests, and docs synchronized when public API behavior changes.
|
|
66
71
|
|
|
67
72
|
<!-- mustflow-section: procedure -->
|
|
68
73
|
## Procedure
|
|
69
74
|
|
|
70
|
-
1. Read app entrypoint, runtime adapter, route modules, middleware, schemas, client type exports, and tests.
|
|
71
|
-
2. Map the route boundary: method, path, runtime, auth, params, query, headers, cookies, body, variables, bindings, response statuses, and
|
|
72
|
-
3.
|
|
73
|
-
4. Keep auth
|
|
74
|
-
5.
|
|
75
|
-
6.
|
|
76
|
-
7.
|
|
77
|
-
8.
|
|
75
|
+
1. Read app entrypoint, runtime adapter, route modules, middleware, schemas, validator helpers, OpenAPI setup, client type exports, generated clients, and tests.
|
|
76
|
+
2. Map the route boundary: method, path, registration order, runtime, auth, params, query, headers, cookies, body, variables, bindings, response statuses, content types, cache headers, streaming mode, and public client surface.
|
|
77
|
+
3. Treat Hono route order as behavior. Keep specific routes before wildcard or fallback routes; check `route()`, `basePath()`, `mount`, optional params, regexp params, static routes, and fallback registration for shadowing or doubled prefixes.
|
|
78
|
+
4. Keep auth, CORS, CSRF, secure headers, body limit, cookie, JWT, JWK, cache, ETag, compression, and logging middleware in an order that matches the security and observability boundary.
|
|
79
|
+
5. For CORS with credentials, require an explicit origin allowlist or exact origin callback; do not rely on wildcard origin behavior or loose suffix checks.
|
|
80
|
+
6. Separate `Bindings` from `Variables`; do not store request-local auth, user, session, tenant, or trace state in globals, module singletons, or runtime-wide mutable objects.
|
|
81
|
+
7. Use `createMiddleware<{ Variables }>()` or route-local generics for context values that depend on middleware execution. Avoid `ContextVariableMap` unless the value is truly available for every request path.
|
|
82
|
+
8. Use `c.req.valid(...)` output rather than rereading unvalidated request bodies. Remember that request bodies are one-shot, query and params are strings, header validator keys are lowercase, and `json` or `form` validators need the matching `Content-Type`.
|
|
83
|
+
9. For multipart uploads, large JSON, webhooks, raw-body signatures, and file routes, check parser shape, body limits, runtime limits, storage limits, repeated-field behavior, and raw request cloning before changing handlers.
|
|
84
|
+
10. Preserve typed route, RPC, and SDK inference by exporting the route chain actually used by `hc<AppType>()`, keeping handler responses on typed `c.json(payload, status)` paths, and avoiding broad `Context` handler extraction that drops path, validator, or response types.
|
|
85
|
+
11. Keep runtime validation schema, OpenAPI schema, response schema, generated SDKs, and Hono RPC types from becoming separate truths. Choose one canonical contract and verify drift with tests or snapshots when available.
|
|
86
|
+
12. Do not put Node-only, Bun-only, Cloudflare-only, Deno-only, Lambda-only, static-serving, connection-info, WebSocket, or filesystem APIs in shared route modules. Keep runtime entry files thin and pass plain config or adapter functions into shared app code.
|
|
87
|
+
13. For streaming, SSE, WebSocket, cache, ETag, static file, and SSR or JSX routes, check cancellation, abort handling, backpressure, already-started-response errors, header retention, path traversal, cache key and `Vary`, repeated `Set-Cookie`, and adapter header normalization.
|
|
88
|
+
14. Choose configured verification intents that cover type checks, route tests, auth failure, validation failure, CORS/cookie/header behavior, streaming or WebSocket behavior, OpenAPI or SDK generation, and runtime env mocks when available.
|
|
78
89
|
|
|
79
90
|
<!-- mustflow-section: postconditions -->
|
|
80
91
|
## Postconditions
|
|
81
92
|
|
|
82
93
|
- Runtime-specific APIs are isolated.
|
|
83
|
-
- Middleware order and auth boundary are clear.
|
|
84
|
-
- Request validation and response envelope are preserved.
|
|
85
|
-
- Typed route
|
|
94
|
+
- Middleware order, route order, and auth boundary are clear.
|
|
95
|
+
- Request validation, body parsing, header/cookie/CORS/cache, and response envelope behavior are preserved.
|
|
96
|
+
- Typed route, RPC, OpenAPI, generated SDK, and runtime adapter contract impact is reported.
|
|
86
97
|
|
|
87
98
|
<!-- mustflow-section: verification -->
|
|
88
99
|
## Verification
|
|
@@ -96,21 +107,24 @@ Use configured oneshot command intents when available:
|
|
|
96
107
|
- `docs_validate_fast`
|
|
97
108
|
- `mustflow_check`
|
|
98
109
|
|
|
99
|
-
Report missing multi-runtime
|
|
110
|
+
Report missing multi-runtime, route-level, streaming, WebSocket, OpenAPI, SDK, or adapter verification intents when relevant.
|
|
100
111
|
|
|
101
112
|
<!-- mustflow-section: failure-handling -->
|
|
102
113
|
## Failure Handling
|
|
103
114
|
|
|
104
115
|
- If runtime target is unclear, inspect adapter and deployment config before editing.
|
|
105
116
|
- If a route needs a broader permission, binding, or auth change, switch to the relevant security or contract skill.
|
|
106
|
-
- If typed route inference breaks, repair schema and response shape before adding more routes.
|
|
117
|
+
- If typed route inference breaks, repair the route chain, validator, schema, and response shape before adding more routes.
|
|
118
|
+
- If official source freshness cannot be checked for a version, release, or security-patch claim, omit the claim from durable skill text and report it as unverified snapshot context.
|
|
119
|
+
- If streaming, WebSocket, cache, static, or adapter-specific behavior cannot be tested by configured intents, report the missing runtime smoke coverage.
|
|
107
120
|
|
|
108
121
|
<!-- mustflow-section: output-format -->
|
|
109
122
|
## Output Format
|
|
110
123
|
|
|
111
124
|
- Boundary checked
|
|
112
|
-
- Runtime and middleware notes
|
|
113
|
-
- Validation and response contract notes
|
|
125
|
+
- Runtime, adapter, route-order, and middleware notes
|
|
126
|
+
- Validation, RPC, OpenAPI, SDK, and response contract notes
|
|
127
|
+
- CORS, cookie, header, cache, streaming, WebSocket, static, or SSR notes when touched
|
|
114
128
|
- Files changed
|
|
115
129
|
- Command intents run
|
|
116
130
|
- Skipped checks and reasons
|
|
@@ -528,6 +528,18 @@ route_type = "primary"
|
|
|
528
528
|
priority = 85
|
|
529
529
|
applies_to_reasons = ["code_change", "public_api_change", "test_change"]
|
|
530
530
|
|
|
531
|
+
[routes."axum-code-change"]
|
|
532
|
+
category = "general_code"
|
|
533
|
+
route_type = "primary"
|
|
534
|
+
priority = 85
|
|
535
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "package_metadata_change", "release_risk"]
|
|
536
|
+
|
|
537
|
+
[routes."godot-code-change"]
|
|
538
|
+
category = "general_code"
|
|
539
|
+
route_type = "primary"
|
|
540
|
+
priority = 85
|
|
541
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "package_metadata_change", "release_risk"]
|
|
542
|
+
|
|
531
543
|
[routes."dart-code-change"]
|
|
532
544
|
category = "general_code"
|
|
533
545
|
route_type = "primary"
|
|
@@ -538,13 +550,13 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change"]
|
|
|
538
550
|
category = "general_code"
|
|
539
551
|
route_type = "primary"
|
|
540
552
|
priority = 85
|
|
541
|
-
applies_to_reasons = ["code_change", "public_api_change", "security_change"]
|
|
553
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
542
554
|
|
|
543
555
|
[routes."elysia-code-change"]
|
|
544
556
|
category = "general_code"
|
|
545
557
|
route_type = "primary"
|
|
546
558
|
priority = 85
|
|
547
|
-
applies_to_reasons = ["code_change", "public_api_change", "security_change"]
|
|
559
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
548
560
|
|
|
549
561
|
[routes."source-anchor-authoring"]
|
|
550
562
|
category = "general_code"
|
|
@@ -988,7 +1000,13 @@ applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
|
|
|
988
1000
|
category = "ui_assets"
|
|
989
1001
|
route_type = "primary"
|
|
990
1002
|
priority = 85
|
|
991
|
-
applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "package_metadata_change"]
|
|
1003
|
+
applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "migration_change", "package_metadata_change", "release_risk"]
|
|
1004
|
+
|
|
1005
|
+
[routes."babylon-code-change"]
|
|
1006
|
+
category = "ui_assets"
|
|
1007
|
+
route_type = "primary"
|
|
1008
|
+
priority = 85
|
|
1009
|
+
applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "docs_change", "migration_change", "package_metadata_change", "release_risk"]
|
|
992
1010
|
|
|
993
1011
|
[routes."react-code-change"]
|
|
994
1012
|
category = "ui_assets"
|
|
@@ -996,11 +1014,17 @@ route_type = "primary"
|
|
|
996
1014
|
priority = 85
|
|
997
1015
|
applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "package_metadata_change", "release_risk"]
|
|
998
1016
|
|
|
1017
|
+
[routes."vue-code-change"]
|
|
1018
|
+
category = "ui_assets"
|
|
1019
|
+
route_type = "primary"
|
|
1020
|
+
priority = 85
|
|
1021
|
+
applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "package_metadata_change", "release_risk"]
|
|
1022
|
+
|
|
999
1023
|
[routes."svelte-code-change"]
|
|
1000
1024
|
category = "ui_assets"
|
|
1001
1025
|
route_type = "primary"
|
|
1002
1026
|
priority = 85
|
|
1003
|
-
applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "test_change", "package_metadata_change"]
|
|
1027
|
+
applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "docs_change", "migration_change", "package_metadata_change", "release_risk"]
|
|
1004
1028
|
|
|
1005
1029
|
[routes."pattern-scout"]
|
|
1006
1030
|
category = "architecture_patterns"
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.svelte-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: svelte-code-change
|
|
9
|
-
description: Apply this skill when Svelte or SvelteKit components, routes, load functions,
|
|
9
|
+
description: Apply this skill when Svelte or SvelteKit components, routes, universal or server load functions, form actions, endpoints, hooks, stores, context, runes, props, snippets, bindings, SSR, hydration, streaming, preload, invalidation, server-only imports, env boundaries, adapters, Vite, TypeScript, packaging, accessibility warnings, or tests are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -28,64 +28,78 @@ metadata:
|
|
|
28
28
|
<!-- mustflow-section: purpose -->
|
|
29
29
|
## Purpose
|
|
30
30
|
|
|
31
|
-
Preserve Svelte component reactivity, SvelteKit SSR/server/client
|
|
31
|
+
Preserve Svelte component reactivity, SvelteKit SSR/server/client execution modes, data secrecy, load/action/endpoint contracts, request-scoped state ownership, hydration, streaming, invalidation, adapter output, accessibility, and generated route behavior. Choose files by data boundary and execution mode first, not by filename habit.
|
|
32
32
|
|
|
33
33
|
<!-- mustflow-section: use-when -->
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
|
-
- `.svelte`, `+page`, `+layout`, `+page.server`, `+layout.server`, `+server`, load functions, form actions, endpoints, stores, context, runes, `$app` imports, `$lib/server`, hooks, route params, or Svelte tests change.
|
|
37
|
-
- The task touches state management, SSR errors, browser APIs, forms, routing, progressive enhancement, request-local data, server-only imports, private/public environment variables, or Svelte 5 runes.
|
|
36
|
+
- `.svelte`, `.svelte.ts`, `.svelte.js`, `+page`, `+layout`, `+page.server`, `+layout.server`, `+server`, load functions, form actions, endpoints, stores, context, snippets, bindings, runes, `$app` imports, `$lib/server`, hooks, route params, route matchers, or Svelte tests change.
|
|
37
|
+
- The task touches state management, SSR errors, hydration warnings, browser APIs, forms, routing, progressive enhancement, preload, invalidation, request-local data, server-only imports, private/public environment variables, adapters, Vite, TypeScript, package exports, or Svelte 5 runes.
|
|
38
|
+
- The task upgrades, reviews, or writes docs about Svelte, SvelteKit, Vite, `@sveltejs/vite-plugin-svelte`, `svelte-check`, an adapter, `@sveltejs/package`, or generated Svelte library output.
|
|
38
39
|
|
|
39
40
|
<!-- mustflow-section: do-not-use-when -->
|
|
40
41
|
## Do Not Use When
|
|
41
42
|
|
|
42
43
|
- The change is plain CSS or HTML with no Svelte or SvelteKit behavior; use the relevant UI foundation skill.
|
|
43
44
|
- The service code is framework-free and no Svelte boundary changes.
|
|
45
|
+
- The task only updates external framework version prose; use `source-freshness-check` unless the Svelte procedure itself changes.
|
|
44
46
|
|
|
45
47
|
<!-- mustflow-section: required-inputs -->
|
|
46
48
|
## Required Inputs
|
|
47
49
|
|
|
48
|
-
- Package metadata, Svelte config, Vite config, TypeScript config, route segment files, hooks, app types, stores/runes/context, form schema, and tests.
|
|
49
|
-
- Svelte version, route data source, secrecy, request scope, mutation type, serialization requirement, SSR/client boundary, browser dependency, and
|
|
50
|
-
- Imports from `$lib/server`, `*.server.*`, `$env/static/private`, `$env/dynamic/private`, DB/filesystem/server SDK modules, cookies, auth headers,
|
|
50
|
+
- Package metadata, Svelte config, Vite config, TypeScript config, route segment files, hooks, app types, stores/runes/context, form schema, adapter config, package export metadata, and tests.
|
|
51
|
+
- Svelte and SvelteKit version tracks, route data source, secrecy, request scope, mutation type, serialization requirement, SSR/client boundary, browser dependency, state owner, and adapter target.
|
|
52
|
+
- Imports from `$lib/server`, `*.server.*`, `$env/static/private`, `$env/dynamic/private`, DB/filesystem/server SDK modules, cookies, auth headers, `event.locals`, `$app/state`, `$app/navigation`, `$app/forms`, and browser-only libraries.
|
|
53
|
+
- Official or repository-local source evidence before preserving exact latest-version, release-date, Node/Vite requirement, adapter behavior, or compiler behavior claims.
|
|
51
54
|
- Configured verification intents.
|
|
52
55
|
|
|
53
56
|
<!-- mustflow-section: preconditions -->
|
|
54
57
|
## Preconditions
|
|
55
58
|
|
|
56
|
-
- For route work, read
|
|
57
|
-
- Classify every data access by origin, secrecy, request scope, mutation, browser dependency, and
|
|
58
|
-
- Treat
|
|
59
|
+
- For route work, read sibling and parent `+layout`, `+layout.server`, `+page`, `+page.server`, `+server`, hooks, app types, and route matcher files as one boundary.
|
|
60
|
+
- Classify every data access by origin, secrecy, request scope, mutation, browser dependency, serialization, invalidation dependency, and adapter support before choosing a SvelteKit file.
|
|
61
|
+
- Treat universal route files as server-executed and browser-executed until proven otherwise.
|
|
62
|
+
- Refresh official package or vendor sources before preserving exact "latest", Node/Vite minimum, adapter, or release-note claims; otherwise keep those facts out of durable skill text or mark them as snapshot-only in the report.
|
|
59
63
|
|
|
60
64
|
<!-- mustflow-section: allowed-edits -->
|
|
61
65
|
## Allowed Edits
|
|
62
66
|
|
|
63
|
-
- Keep secrets, private environment, database clients,
|
|
64
|
-
- Use browser APIs only behind client-safe lifecycle or environment
|
|
67
|
+
- Keep secrets, private environment, database clients, server SDKs, cookie-authenticated data, and request identity in server-only files.
|
|
68
|
+
- Use browser APIs only behind client-safe lifecycle, dynamic import, event, action, or environment boundaries.
|
|
65
69
|
- Keep state local unless shared ownership is justified.
|
|
66
|
-
- Preserve form actions and progressive enhancement instead of replacing
|
|
70
|
+
- Preserve form actions and progressive enhancement instead of replacing page forms with client-only fetch.
|
|
67
71
|
- Use context for request-scoped component-tree sharing instead of module singletons.
|
|
68
|
-
- Use `$derived` for computed display values and `$effect` only for browser-side effects and cleanup.
|
|
72
|
+
- Use `$derived` for computed display values and `$effect` only for browser-side effects, subscriptions, DOM, timers, observers, third-party browser libraries, and cleanup.
|
|
73
|
+
- Keep SvelteKit, Vite, TypeScript, adapter, `svelte-check`, and package export surfaces synchronized when toolchain behavior changes.
|
|
69
74
|
|
|
70
75
|
<!-- mustflow-section: procedure -->
|
|
71
76
|
## Procedure
|
|
72
77
|
|
|
73
|
-
1. Read route segment files, parent layouts, stores/runes/context, hooks, app types, and tests.
|
|
74
|
-
2. Identify Svelte version and whether the code uses runes or
|
|
75
|
-
3. Before choosing a file, classify every data access with: origin, secrecy, request scope, mutation, browser dependency, and
|
|
76
|
-
4.
|
|
77
|
-
5.
|
|
78
|
-
6. If
|
|
79
|
-
7.
|
|
80
|
-
8.
|
|
81
|
-
9.
|
|
82
|
-
10. Use
|
|
83
|
-
11.
|
|
84
|
-
12.
|
|
85
|
-
13.
|
|
86
|
-
14.
|
|
87
|
-
15.
|
|
88
|
-
16.
|
|
78
|
+
1. Read route segment files, parent layouts, route matchers, stores/runes/context, hooks, app types, Svelte/Vite/TypeScript config, adapter config, package metadata, and tests.
|
|
79
|
+
2. Identify Svelte and SvelteKit version tracks and whether the code uses runes, legacy reactivity, or mixed migration mode.
|
|
80
|
+
3. Before choosing a file, classify every data access with: origin, secrecy, request scope, mutation, browser dependency, serialization, dependency tracking, invalidation trigger, and adapter support.
|
|
81
|
+
4. Keep DB, filesystem, private env, cookies, auth headers, `event.locals`, server SDKs, and request-local identity in server-only code: `+page.server`, `+layout.server`, `+server`, `hooks.server`, `$lib/server`, or `*.server.*`.
|
|
82
|
+
5. Treat `+page.ts` and `+layout.ts` as universal. They may run during SSR and later in the browser; do not import browser-only packages, private env, DB clients, or server modules there.
|
|
83
|
+
6. If `+page.server` and universal `+page` or `+layout` coexist, check that server-load data is intentionally passed through the universal `load` return value when the page component needs it.
|
|
84
|
+
7. Keep `load` side-effect-free. Do not increment counters, mark reads, mutate stores, write analytics, or change module state from `load`; preload and navigation can run it before the user commits.
|
|
85
|
+
8. Avoid `await parent()` waterfalls. Start independent fetches before awaiting parent data, and keep auth checks in `hooks.server` or route-specific server load when child data must not execute first.
|
|
86
|
+
9. Use SvelteKit-provided `fetch` inside load when dependency tracking, SSR response inlining, and hydration reuse matter. For custom clients, register `depends(...)` keys and invalidate the exact URL or dependency key.
|
|
87
|
+
10. Use page form actions for page-owned mutations. Preserve `fail(...)`, `redirect(303, ...)`, `use:enhance`, `update()`, `applyAction()`, focus reset, and invalidation behavior when enhancing forms.
|
|
88
|
+
11. Use `+server` for public HTTP APIs, webhooks, mobile APIs, streams, file responses, and custom response contracts. Do not create a JSON endpoint for a normal page form unless there is a non-page consumer.
|
|
89
|
+
12. For streaming load data, finish auth, redirects, and headers before streaming starts. Handle promise rejections, check adapter and proxy buffering, and stream only data whose late failure does not change page policy.
|
|
90
|
+
13. Preserve hydration markers and valid HTML structure. Do not use HTML minifiers, CDN rewrites, or edge transforms that remove Svelte hydration comments without verifying hydration.
|
|
91
|
+
14. If navigation reuses page or layout components, make route-dependent values `$derived` from `data`, `$app/state`, or URL state; use `{#key ...}` only when a real remount boundary is intended.
|
|
92
|
+
15. Put SSR-affecting filters, search, pagination, sorting, and shareable state in URL search params. Keep temporary UI state local or snapshot-like.
|
|
93
|
+
16. Use `$state` only for state that should update UI, `$derived`, or `$effect`. Keep large immutable payloads, table rows, CMS payloads, parser outputs, and third-party data as plain values or `$state.raw` with reassignment.
|
|
94
|
+
17. Do not destructure `$state` or proxy objects when live reactivity is required. Read fields at the use site or derive a narrow value.
|
|
95
|
+
18. Use `SvelteMap`, `SvelteSet`, `SvelteDate`, `SvelteURL`, or reassignment patterns when reactive special objects are required; do not expect ordinary `Map`, `Set`, `Date`, `URL`, or class internals to be deeply tracked.
|
|
96
|
+
19. Use `$derived` or `$derived.by` for filtering, sorting, totals, validation results, labels, and view models. Do not use `$effect` to copy or synchronize derived state.
|
|
97
|
+
20. Keep `$effect` dependencies narrow and synchronous. Read dependencies before `await`, `setTimeout`, or callbacks; use `untrack` for incidental logging, snapshots, or non-dependency reads.
|
|
98
|
+
21. Return cleanup from effects that create subscriptions, intervals, observers, sockets, editors, charts, canvas loops, or external library instances.
|
|
99
|
+
22. Treat props as parent-owned. Use callback props for changes and `$bindable` only for narrow form-control-like two-way APIs. Preserve wrapper binding chains or convert them to explicit callbacks.
|
|
100
|
+
23. In Svelte 5, treat DOM event handlers as props. When spreading rest props through wrappers, intentionally compose external handlers with internal policy instead of relying on spread order.
|
|
101
|
+
24. Treat snippets as typed render callbacks. Require optional snippet guards, pass row or slot-like data as parameters, and avoid hidden parent-state capture in reusable library components.
|
|
102
|
+
25. Check SvelteKit, Vite, TypeScript, adapter, and package output as one toolchain boundary. Do not edit generated `.svelte-kit/tsconfig.json`; fix `svelte.config`, `kit.alias`, package exports, `types`, `svelte` conditions, `files`, and CSS side effects at their source.
|
|
89
103
|
|
|
90
104
|
<!-- mustflow-section: data-boundary-policy -->
|
|
91
105
|
## Data Boundary Policy
|
|
@@ -94,6 +108,7 @@ Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, da
|
|
|
94
108
|
- Public external APIs and public CMS data may live in universal load only when the browser may call them directly without secrets.
|
|
95
109
|
- DB, filesystem, private env, server SDKs, cookies, auth headers, sessions, and `event.locals` belong in server-only files.
|
|
96
110
|
- User-specific data must be read server-side and narrowed before being serialized into `data`.
|
|
111
|
+
- Server load return values must be intentionally serializable and minimal.
|
|
97
112
|
- Page forms should use form actions by default.
|
|
98
113
|
- External clients, webhooks, mobile apps, streaming responses, and custom HTTP responses belong in `+server`.
|
|
99
114
|
- Browser-only values belong in component effects, event handlers, dynamic imports, or browser actions.
|
|
@@ -105,18 +120,22 @@ Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, da
|
|
|
105
120
|
- `+page.server.ts` and `+layout.server.ts` are for server-only page data.
|
|
106
121
|
- `+page.server.ts` actions are for page-owned form mutations.
|
|
107
122
|
- `+server.ts` is for HTTP endpoints, webhooks, non-page APIs, streams, files, and custom responses.
|
|
123
|
+
- Route matchers, optional params, rest params, and route groups are public URL and layout/auth behavior, not only folder naming.
|
|
108
124
|
- Do not create a JSON endpoint for a normal page form unless there is a non-page consumer.
|
|
109
125
|
- Do not wrap server-only imports in browser guards. Fix the import graph.
|
|
110
126
|
|
|
111
127
|
<!-- mustflow-section: runes-state-policy -->
|
|
112
128
|
## Runes And State Policy
|
|
113
129
|
|
|
114
|
-
- Use `$state` for
|
|
115
|
-
- Use `$
|
|
116
|
-
- Use `$
|
|
130
|
+
- Use `$state` for owned interactive UI state.
|
|
131
|
+
- Use `$state.raw` only when reassignment, not internal mutation, is the update model.
|
|
132
|
+
- Use `$state.snapshot` before sending proxy state to serializers, workers, chart libraries, equality tools, or external APIs that should see plain data.
|
|
133
|
+
- Use `$derived` for calculations from props, route data, page state, URL state, or local state.
|
|
134
|
+
- Use `$effect` only for browser-side effects, subscriptions, DOM, canvas, analytics, timers, third-party browser libraries, and cleanup.
|
|
117
135
|
- Use stores for external streams or manual subscribe/unsubscribe interop, not ordinary component state.
|
|
118
136
|
- Use context for parent-owned values shared down the component tree, especially request-scoped layout data.
|
|
119
137
|
- Do not reassign reactive context objects after placing them in context; update their properties or pass getter functions when needed.
|
|
138
|
+
- Use stable keys for changing lists. Do not use array indexes as keys when rows can reorder, insert, delete, transition, or own child state.
|
|
120
139
|
|
|
121
140
|
<!-- mustflow-section: ssr-debug-policy -->
|
|
122
141
|
## SSR Debug Policy
|
|
@@ -127,7 +146,7 @@ When SSR breaks, inspect in this order:
|
|
|
127
146
|
2. `$lib/server`, `*.server.*`, DB, filesystem, admin SDK, or server-only import chains.
|
|
128
147
|
3. Request-local state stored in module singletons, stores, or exported `$state`.
|
|
129
148
|
4. Browser API access at module top-level or during SSR render.
|
|
130
|
-
5. Hydration mismatch from time, randomness, locale, timezone, localStorage, or browser-only initial state.
|
|
149
|
+
5. Hydration mismatch from invalid HTML, removed comments, time, randomness, locale, timezone, localStorage, or browser-only initial state.
|
|
131
150
|
6. Route-level SSR disabling only after the product accepts an SPA-like shell.
|
|
132
151
|
|
|
133
152
|
<!-- mustflow-section: hard-bans -->
|
|
@@ -137,18 +156,21 @@ When SSR breaks, inspect in this order:
|
|
|
137
156
|
- Do not move required first-render page data into lifecycle hooks or `$effect`.
|
|
138
157
|
- Do not import `$lib/server`, `*.server.*`, private env modules, DB clients, filesystem, or admin SDKs from universal/client route files or shared client utilities.
|
|
139
158
|
- Do not mutate module-scope variables, global stores, or exported `$state` with user/session/request data during SSR, load, or actions.
|
|
140
|
-
- Do not use `$effect` to compute derived values.
|
|
159
|
+
- Do not use `$effect` to compute derived values or synchronize state mirrors.
|
|
141
160
|
- Do not put browser-only library imports at top level when the package touches browser globals during import.
|
|
142
161
|
- Do not serialize secrets, raw sessions, access tokens, hidden DB fields, or whole service responses through load data.
|
|
162
|
+
- Do not edit generated `.svelte-kit` files as source.
|
|
143
163
|
|
|
144
164
|
<!-- mustflow-section: postconditions -->
|
|
145
165
|
## Postconditions
|
|
146
166
|
|
|
147
167
|
- Server/client and SSR boundaries are explicit.
|
|
148
|
-
-
|
|
168
|
+
- Route, load, action, endpoint, invalidation, and streaming behavior are clear.
|
|
169
|
+
- State owner, derived/effect behavior, props ownership, snippets, and binding behavior are clear.
|
|
149
170
|
- Forms remain progressive unless intentionally changed.
|
|
150
171
|
- Private data stays server-only and serialized data is intentionally minimal.
|
|
151
172
|
- Request-scoped sharing uses load data, props, or context instead of module singletons.
|
|
173
|
+
- Adapter, Vite, TypeScript, and package output impacts are reported when touched.
|
|
152
174
|
- Accessibility warnings are resolved or justified.
|
|
153
175
|
|
|
154
176
|
<!-- mustflow-section: verification -->
|
|
@@ -163,7 +185,7 @@ Use configured oneshot command intents when available:
|
|
|
163
185
|
- `docs_validate_fast`
|
|
164
186
|
- `mustflow_check`
|
|
165
187
|
|
|
166
|
-
Report missing Svelte check, SSR render, form action, or
|
|
188
|
+
Report missing Svelte check, SSR render, hydration, form action, browser, adapter, package, or preview-mode verification intents when relevant.
|
|
167
189
|
|
|
168
190
|
<!-- mustflow-section: failure-handling -->
|
|
169
191
|
## Failure Handling
|
|
@@ -173,13 +195,16 @@ Report missing Svelte check, SSR render, form action, or browser verification in
|
|
|
173
195
|
- If accessibility warnings require an ignore, include the specific reason in the code or report.
|
|
174
196
|
- If server-only imports leak into universal/client files, move the boundary instead of adding runtime guards.
|
|
175
197
|
- If request-local data is stored globally, move it to server load, actions, context, or persistent storage with user scoping.
|
|
198
|
+
- If exact framework, adapter, Vite, Node, or release claims cannot be refreshed from official sources, omit them from durable skill text and report them as unverified snapshot context.
|
|
199
|
+
- If streaming, hydration, adapter output, package exports, or preview-mode behavior cannot be verified by configured intents, report the missing runtime smoke coverage.
|
|
176
200
|
|
|
177
201
|
<!-- mustflow-section: output-format -->
|
|
178
202
|
## Output Format
|
|
179
203
|
|
|
180
204
|
- Boundary checked
|
|
181
|
-
- SSR/server/client and
|
|
182
|
-
-
|
|
205
|
+
- SSR/server/client, route, load, action, invalidation, and streaming notes
|
|
206
|
+
- Runes, state, props, snippet, binding, and accessibility notes
|
|
207
|
+
- Adapter, Vite, TypeScript, and package-output notes when touched
|
|
183
208
|
- Files changed
|
|
184
209
|
- Command intents run
|
|
185
210
|
- Skipped checks and reasons
|