mustflow 2.103.22 → 2.103.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/README.md +5 -2
  2. package/dist/cli/commands/check.js +3 -3
  3. package/dist/cli/commands/flow.js +93 -0
  4. package/dist/cli/commands/run/executor.js +28 -3
  5. package/dist/cli/commands/run/windows-command-script.js +23 -0
  6. package/dist/cli/i18n/en.js +11 -0
  7. package/dist/cli/i18n/es.js +11 -0
  8. package/dist/cli/i18n/fr.js +11 -0
  9. package/dist/cli/i18n/hi.js +11 -0
  10. package/dist/cli/i18n/ko.js +11 -0
  11. package/dist/cli/i18n/zh.js +11 -0
  12. package/dist/cli/index.js +1 -0
  13. package/dist/cli/lib/active-command-lock.js +4 -0
  14. package/dist/cli/lib/command-registry.js +7 -0
  15. package/dist/cli/lib/local-index/index.js +70 -0
  16. package/dist/cli/lib/repo-flow-frontmatter.js +35 -0
  17. package/dist/cli/lib/repo-flow.js +209 -0
  18. package/dist/cli/lib/repo-map.js +3 -0
  19. package/dist/cli/lib/run-plan.js +8 -4
  20. package/dist/cli/lib/validation/constants.js +10 -0
  21. package/dist/cli/lib/validation/index.js +73 -1
  22. package/dist/core/check-issues.js +2 -0
  23. package/dist/core/generated-boundary.js +1 -0
  24. package/package.json +2 -1
  25. package/templates/default/i18n.toml +30 -6
  26. package/templates/default/locales/en/.mustflow/skills/INDEX.md +29 -6
  27. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +95 -23
  28. package/templates/default/locales/en/.mustflow/skills/axum-code-change/SKILL.md +219 -0
  29. package/templates/default/locales/en/.mustflow/skills/babylon-code-change/SKILL.md +318 -0
  30. package/templates/default/locales/en/.mustflow/skills/bun-code-change/SKILL.md +27 -12
  31. package/templates/default/locales/en/.mustflow/skills/elysia-code-change/SKILL.md +74 -20
  32. package/templates/default/locales/en/.mustflow/skills/godot-code-change/SKILL.md +272 -0
  33. package/templates/default/locales/en/.mustflow/skills/hono-code-change/SKILL.md +37 -23
  34. package/templates/default/locales/en/.mustflow/skills/routes.toml +28 -4
  35. package/templates/default/locales/en/.mustflow/skills/svelte-code-change/SKILL.md +65 -40
  36. package/templates/default/locales/en/.mustflow/skills/vue-code-change/SKILL.md +305 -0
  37. package/templates/default/manifest.toml +29 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.hono-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: hono-code-change
9
- description: Apply this skill when Hono apps, routes, middleware, validators, RPC clients, bindings, context variables, auth boundaries, or runtime adapters are created or changed.
9
+ description: Apply this skill when Hono apps, route chains, middleware order, validators, RPC or typed clients, OpenAPI schema generation, runtime bindings, context variables, auth, CORS, cookie, header, streaming, WebSocket, cache, static asset, or Cloudflare, Bun, Node, Deno, edge, or serverless adapter boundaries are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -28,26 +28,29 @@ metadata:
28
28
  <!-- mustflow-section: purpose -->
29
29
  ## Purpose
30
30
 
31
- Preserve Hono runtime, middleware, validation, context binding, auth, typed route, and response contract boundaries.
31
+ Preserve Hono route registration, runtime adapter, middleware ordering, validation, context binding, auth, typed client, OpenAPI, streaming, cache, static asset, and response contract boundaries.
32
32
 
33
33
  <!-- mustflow-section: use-when -->
34
34
  ## Use When
35
35
 
36
- - `new Hono`, `app.get`, `app.post`, `app.use`, `c.env`, `c.get`, `c.set`, validators, RPC clients, middleware, adapters, or Hono route tests change.
37
- - The task touches Cloudflare Workers, Bun, Node, edge-compatible routes, bindings, variables, auth middleware, or response schemas.
36
+ - `new Hono`, `app.route`, `basePath`, `app.get`, `app.post`, `app.use`, wildcard routes, fallback routes, `c.env`, `c.get`, `c.set`, `c.req.valid`, validators, RPC clients, middleware, adapters, or Hono route tests change.
37
+ - The task touches Cloudflare Workers, Bun, Node, Deno, edge-compatible, serverless, SSR, static file, WebSocket, SSE, streaming, cache, cookie, CORS, CSRF, JWT, JWK, header, body-limit, binding, variable, auth middleware, OpenAPI, or response schema behavior.
38
+ - The task exports or consumes `typeof app`, `typeof routes`, `AppType`, `hc`, `InferRequestType`, `InferResponseType`, `ApplyGlobalResponse`, OpenAPI clients, or generated SDKs from Hono routes.
38
39
 
39
40
  <!-- mustflow-section: do-not-use-when -->
40
41
  ## Do Not Use When
41
42
 
42
43
  - The task only touches framework-agnostic service code behind a Hono handler; use the relevant language or architecture skill.
43
44
  - Another HTTP framework is used instead of Hono.
45
+ - The task only updates external framework version prose; use `source-freshness-check` unless the Hono procedure itself changes.
44
46
 
45
47
  <!-- mustflow-section: required-inputs -->
46
48
  ## Required Inputs
47
49
 
48
- - Package metadata, TypeScript config, runtime adapter config, worker or server entrypoint, routes, middleware, env/binding types, schemas, client types, and tests.
49
- - Target runtime matrix: Cloudflare, Bun, Node, edge-compatible, or single runtime.
50
- - Existing response envelope and error contract.
50
+ - Package metadata, TypeScript config, runtime adapter config, worker or server entrypoint, route modules, middleware registration, env and binding types, context variables, schemas, validators, client type exports, OpenAPI generation, generated SDKs, and tests.
51
+ - Target runtime matrix: Cloudflare Workers or Pages, Bun, Node with `@hono/node-server`, Deno, Lambda or other serverless adapter, edge-compatible, or single runtime.
52
+ - Existing response envelope, status-code contract, error contract, CORS, cookie, header, cache, streaming, WebSocket, static file, body-size, and upload behavior.
53
+ - Official or repository-local source evidence before preserving exact latest-version, patch-note, or adapter-behavior claims.
51
54
 
52
55
  <!-- mustflow-section: preconditions -->
53
56
  ## Preconditions
@@ -55,6 +58,7 @@ Preserve Hono runtime, middleware, validation, context binding, auth, typed rout
55
58
  - Confirm runtime before using platform APIs.
56
59
  - Identify `Bindings` for runtime-provided values and `Variables` for request-local middleware values.
57
60
  - Identify auth, validation, and error response boundaries before adding routes.
61
+ - Refresh official package or vendor sources before preserving exact "latest", release-date, or security-patch claims; otherwise keep those facts out of the skill or mark them as snapshot-only in the report.
58
62
 
59
63
  <!-- mustflow-section: allowed-edits -->
60
64
  ## Allowed Edits
@@ -63,26 +67,33 @@ Preserve Hono runtime, middleware, validation, context binding, auth, typed rout
63
67
  - Register middleware in an order that preserves logging, CORS, security headers, body limits, auth, validation, and handler behavior.
64
68
  - Trust only validated request data in handlers.
65
69
  - Keep success and failure envelopes consistent.
70
+ - Keep route type exports, RPC clients, OpenAPI documents, generated SDKs, tests, and docs synchronized when public API behavior changes.
66
71
 
67
72
  <!-- mustflow-section: procedure -->
68
73
  ## Procedure
69
74
 
70
- 1. Read app entrypoint, runtime adapter, route modules, middleware, schemas, client type exports, and tests.
71
- 2. Map the route boundary: method, path, runtime, auth, params, query, headers, cookies, body, variables, bindings, response statuses, and content types.
72
- 3. Do not put Node-only, Bun-only, or Cloudflare-only APIs in shared routes.
73
- 4. Keep auth middleware above protected routes and wildcard or fallback routes after specific routes.
74
- 5. Separate `Bindings` from `Variables`; do not store request-local state in globals.
75
- 6. Use validator output rather than rereading unvalidated request bodies.
76
- 7. Preserve typed route or RPC inference by keeping handler responses in the framework's typed response path.
77
- 8. Choose configured verification intents that cover type checks, route tests, auth failure, validation failure, and runtime env mocks when available.
75
+ 1. Read app entrypoint, runtime adapter, route modules, middleware, schemas, validator helpers, OpenAPI setup, client type exports, generated clients, and tests.
76
+ 2. Map the route boundary: method, path, registration order, runtime, auth, params, query, headers, cookies, body, variables, bindings, response statuses, content types, cache headers, streaming mode, and public client surface.
77
+ 3. Treat Hono route order as behavior. Keep specific routes before wildcard or fallback routes; check `route()`, `basePath()`, `mount`, optional params, regexp params, static routes, and fallback registration for shadowing or doubled prefixes.
78
+ 4. Keep auth, CORS, CSRF, secure headers, body limit, cookie, JWT, JWK, cache, ETag, compression, and logging middleware in an order that matches the security and observability boundary.
79
+ 5. For CORS with credentials, require an explicit origin allowlist or exact origin callback; do not rely on wildcard origin behavior or loose suffix checks.
80
+ 6. Separate `Bindings` from `Variables`; do not store request-local auth, user, session, tenant, or trace state in globals, module singletons, or runtime-wide mutable objects.
81
+ 7. Use `createMiddleware<{ Variables }>()` or route-local generics for context values that depend on middleware execution. Avoid `ContextVariableMap` unless the value is truly available for every request path.
82
+ 8. Use `c.req.valid(...)` output rather than rereading unvalidated request bodies. Remember that request bodies are one-shot, query and params are strings, header validator keys are lowercase, and `json` or `form` validators need the matching `Content-Type`.
83
+ 9. For multipart uploads, large JSON, webhooks, raw-body signatures, and file routes, check parser shape, body limits, runtime limits, storage limits, repeated-field behavior, and raw request cloning before changing handlers.
84
+ 10. Preserve typed route, RPC, and SDK inference by exporting the route chain actually used by `hc<AppType>()`, keeping handler responses on typed `c.json(payload, status)` paths, and avoiding broad `Context` handler extraction that drops path, validator, or response types.
85
+ 11. Keep runtime validation schema, OpenAPI schema, response schema, generated SDKs, and Hono RPC types from becoming separate truths. Choose one canonical contract and verify drift with tests or snapshots when available.
86
+ 12. Do not put Node-only, Bun-only, Cloudflare-only, Deno-only, Lambda-only, static-serving, connection-info, WebSocket, or filesystem APIs in shared route modules. Keep runtime entry files thin and pass plain config or adapter functions into shared app code.
87
+ 13. For streaming, SSE, WebSocket, cache, ETag, static file, and SSR or JSX routes, check cancellation, abort handling, backpressure, already-started-response errors, header retention, path traversal, cache key and `Vary`, repeated `Set-Cookie`, and adapter header normalization.
88
+ 14. Choose configured verification intents that cover type checks, route tests, auth failure, validation failure, CORS/cookie/header behavior, streaming or WebSocket behavior, OpenAPI or SDK generation, and runtime env mocks when available.
78
89
 
79
90
  <!-- mustflow-section: postconditions -->
80
91
  ## Postconditions
81
92
 
82
93
  - Runtime-specific APIs are isolated.
83
- - Middleware order and auth boundary are clear.
84
- - Request validation and response envelope are preserved.
85
- - Typed route or RPC contract impact is reported.
94
+ - Middleware order, route order, and auth boundary are clear.
95
+ - Request validation, body parsing, header/cookie/CORS/cache, and response envelope behavior are preserved.
96
+ - Typed route, RPC, OpenAPI, generated SDK, and runtime adapter contract impact is reported.
86
97
 
87
98
  <!-- mustflow-section: verification -->
88
99
  ## Verification
@@ -96,21 +107,24 @@ Use configured oneshot command intents when available:
96
107
  - `docs_validate_fast`
97
108
  - `mustflow_check`
98
109
 
99
- Report missing multi-runtime or route-level verification intents when relevant.
110
+ Report missing multi-runtime, route-level, streaming, WebSocket, OpenAPI, SDK, or adapter verification intents when relevant.
100
111
 
101
112
  <!-- mustflow-section: failure-handling -->
102
113
  ## Failure Handling
103
114
 
104
115
  - If runtime target is unclear, inspect adapter and deployment config before editing.
105
116
  - If a route needs a broader permission, binding, or auth change, switch to the relevant security or contract skill.
106
- - If typed route inference breaks, repair schema and response shape before adding more routes.
117
+ - If typed route inference breaks, repair the route chain, validator, schema, and response shape before adding more routes.
118
+ - If official source freshness cannot be checked for a version, release, or security-patch claim, omit the claim from durable skill text and report it as unverified snapshot context.
119
+ - If streaming, WebSocket, cache, static, or adapter-specific behavior cannot be tested by configured intents, report the missing runtime smoke coverage.
107
120
 
108
121
  <!-- mustflow-section: output-format -->
109
122
  ## Output Format
110
123
 
111
124
  - Boundary checked
112
- - Runtime and middleware notes
113
- - Validation and response contract notes
125
+ - Runtime, adapter, route-order, and middleware notes
126
+ - Validation, RPC, OpenAPI, SDK, and response contract notes
127
+ - CORS, cookie, header, cache, streaming, WebSocket, static, or SSR notes when touched
114
128
  - Files changed
115
129
  - Command intents run
116
130
  - Skipped checks and reasons
@@ -528,6 +528,18 @@ route_type = "primary"
528
528
  priority = 85
529
529
  applies_to_reasons = ["code_change", "public_api_change", "test_change"]
530
530
 
531
+ [routes."axum-code-change"]
532
+ category = "general_code"
533
+ route_type = "primary"
534
+ priority = 85
535
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "package_metadata_change", "release_risk"]
536
+
537
+ [routes."godot-code-change"]
538
+ category = "general_code"
539
+ route_type = "primary"
540
+ priority = 85
541
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "package_metadata_change", "release_risk"]
542
+
531
543
  [routes."dart-code-change"]
532
544
  category = "general_code"
533
545
  route_type = "primary"
@@ -538,13 +550,13 @@ applies_to_reasons = ["code_change", "public_api_change", "test_change"]
538
550
  category = "general_code"
539
551
  route_type = "primary"
540
552
  priority = 85
541
- applies_to_reasons = ["code_change", "public_api_change", "security_change"]
553
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
542
554
 
543
555
  [routes."elysia-code-change"]
544
556
  category = "general_code"
545
557
  route_type = "primary"
546
558
  priority = 85
547
- applies_to_reasons = ["code_change", "public_api_change", "security_change"]
559
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
548
560
 
549
561
  [routes."source-anchor-authoring"]
550
562
  category = "general_code"
@@ -988,7 +1000,13 @@ applies_to_reasons = ["ui_change", "code_change", "public_api_change"]
988
1000
  category = "ui_assets"
989
1001
  route_type = "primary"
990
1002
  priority = 85
991
- applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "migration_change", "package_metadata_change"]
1003
+ applies_to_reasons = ["ui_change", "docs_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "migration_change", "package_metadata_change", "release_risk"]
1004
+
1005
+ [routes."babylon-code-change"]
1006
+ category = "ui_assets"
1007
+ route_type = "primary"
1008
+ priority = 85
1009
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "docs_change", "migration_change", "package_metadata_change", "release_risk"]
992
1010
 
993
1011
  [routes."react-code-change"]
994
1012
  category = "ui_assets"
@@ -996,11 +1014,17 @@ route_type = "primary"
996
1014
  priority = 85
997
1015
  applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "package_metadata_change", "release_risk"]
998
1016
 
1017
+ [routes."vue-code-change"]
1018
+ category = "ui_assets"
1019
+ route_type = "primary"
1020
+ priority = 85
1021
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "package_metadata_change", "release_risk"]
1022
+
999
1023
  [routes."svelte-code-change"]
1000
1024
  category = "ui_assets"
1001
1025
  route_type = "primary"
1002
1026
  priority = 85
1003
- applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "test_change", "package_metadata_change"]
1027
+ applies_to_reasons = ["ui_change", "code_change", "behavior_change", "public_api_change", "data_change", "security_change", "privacy_change", "performance_change", "test_change", "docs_change", "migration_change", "package_metadata_change", "release_risk"]
1004
1028
 
1005
1029
  [routes."pattern-scout"]
1006
1030
  category = "architecture_patterns"
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.svelte-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: svelte-code-change
9
- description: Apply this skill when Svelte or SvelteKit components, routes, load functions, server actions, endpoints, stores, context, runes, SSR boundaries, server-only imports, accessibility warnings, or tests are created or changed.
9
+ description: Apply this skill when Svelte or SvelteKit components, routes, universal or server load functions, form actions, endpoints, hooks, stores, context, runes, props, snippets, bindings, SSR, hydration, streaming, preload, invalidation, server-only imports, env boundaries, adapters, Vite, TypeScript, packaging, accessibility warnings, or tests are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -28,64 +28,78 @@ metadata:
28
28
  <!-- mustflow-section: purpose -->
29
29
  ## Purpose
30
30
 
31
- Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, data secrecy, load/action/endpoint contracts, request-scoped state ownership, accessibility, and generated route behavior. Choose files by data boundary first, not by filename habit.
31
+ Preserve Svelte component reactivity, SvelteKit SSR/server/client execution modes, data secrecy, load/action/endpoint contracts, request-scoped state ownership, hydration, streaming, invalidation, adapter output, accessibility, and generated route behavior. Choose files by data boundary and execution mode first, not by filename habit.
32
32
 
33
33
  <!-- mustflow-section: use-when -->
34
34
  ## Use When
35
35
 
36
- - `.svelte`, `+page`, `+layout`, `+page.server`, `+layout.server`, `+server`, load functions, form actions, endpoints, stores, context, runes, `$app` imports, `$lib/server`, hooks, route params, or Svelte tests change.
37
- - The task touches state management, SSR errors, browser APIs, forms, routing, progressive enhancement, request-local data, server-only imports, private/public environment variables, or Svelte 5 runes.
36
+ - `.svelte`, `.svelte.ts`, `.svelte.js`, `+page`, `+layout`, `+page.server`, `+layout.server`, `+server`, load functions, form actions, endpoints, stores, context, snippets, bindings, runes, `$app` imports, `$lib/server`, hooks, route params, route matchers, or Svelte tests change.
37
+ - The task touches state management, SSR errors, hydration warnings, browser APIs, forms, routing, progressive enhancement, preload, invalidation, request-local data, server-only imports, private/public environment variables, adapters, Vite, TypeScript, package exports, or Svelte 5 runes.
38
+ - The task upgrades, reviews, or writes docs about Svelte, SvelteKit, Vite, `@sveltejs/vite-plugin-svelte`, `svelte-check`, an adapter, `@sveltejs/package`, or generated Svelte library output.
38
39
 
39
40
  <!-- mustflow-section: do-not-use-when -->
40
41
  ## Do Not Use When
41
42
 
42
43
  - The change is plain CSS or HTML with no Svelte or SvelteKit behavior; use the relevant UI foundation skill.
43
44
  - The service code is framework-free and no Svelte boundary changes.
45
+ - The task only updates external framework version prose; use `source-freshness-check` unless the Svelte procedure itself changes.
44
46
 
45
47
  <!-- mustflow-section: required-inputs -->
46
48
  ## Required Inputs
47
49
 
48
- - Package metadata, Svelte config, Vite config, TypeScript config, route segment files, hooks, app types, stores/runes/context, form schema, and tests.
49
- - Svelte version, route data source, secrecy, request scope, mutation type, serialization requirement, SSR/client boundary, browser dependency, and state owner.
50
- - Imports from `$lib/server`, `*.server.*`, `$env/static/private`, `$env/dynamic/private`, DB/filesystem/server SDK modules, cookies, auth headers, and `event.locals`.
50
+ - Package metadata, Svelte config, Vite config, TypeScript config, route segment files, hooks, app types, stores/runes/context, form schema, adapter config, package export metadata, and tests.
51
+ - Svelte and SvelteKit version tracks, route data source, secrecy, request scope, mutation type, serialization requirement, SSR/client boundary, browser dependency, state owner, and adapter target.
52
+ - Imports from `$lib/server`, `*.server.*`, `$env/static/private`, `$env/dynamic/private`, DB/filesystem/server SDK modules, cookies, auth headers, `event.locals`, `$app/state`, `$app/navigation`, `$app/forms`, and browser-only libraries.
53
+ - Official or repository-local source evidence before preserving exact latest-version, release-date, Node/Vite requirement, adapter behavior, or compiler behavior claims.
51
54
  - Configured verification intents.
52
55
 
53
56
  <!-- mustflow-section: preconditions -->
54
57
  ## Preconditions
55
58
 
56
- - For route work, read the sibling `+layout`, `+page`, `+page.server`, and `+server` files as one boundary.
57
- - Classify every data access by origin, secrecy, request scope, mutation, browser dependency, and serialization before choosing a SvelteKit file.
58
- - Treat all route files as potentially server-executed until proven otherwise.
59
+ - For route work, read sibling and parent `+layout`, `+layout.server`, `+page`, `+page.server`, `+server`, hooks, app types, and route matcher files as one boundary.
60
+ - Classify every data access by origin, secrecy, request scope, mutation, browser dependency, serialization, invalidation dependency, and adapter support before choosing a SvelteKit file.
61
+ - Treat universal route files as server-executed and browser-executed until proven otherwise.
62
+ - Refresh official package or vendor sources before preserving exact "latest", Node/Vite minimum, adapter, or release-note claims; otherwise keep those facts out of durable skill text or mark them as snapshot-only in the report.
59
63
 
60
64
  <!-- mustflow-section: allowed-edits -->
61
65
  ## Allowed Edits
62
66
 
63
- - Keep secrets, private environment, database clients, and cookie-authenticated data in server-only files.
64
- - Use browser APIs only behind client-safe lifecycle or environment guards.
67
+ - Keep secrets, private environment, database clients, server SDKs, cookie-authenticated data, and request identity in server-only files.
68
+ - Use browser APIs only behind client-safe lifecycle, dynamic import, event, action, or environment boundaries.
65
69
  - Keep state local unless shared ownership is justified.
66
- - Preserve form actions and progressive enhancement instead of replacing all forms with client-only fetch.
70
+ - Preserve form actions and progressive enhancement instead of replacing page forms with client-only fetch.
67
71
  - Use context for request-scoped component-tree sharing instead of module singletons.
68
- - Use `$derived` for computed display values and `$effect` only for browser-side effects and cleanup.
72
+ - Use `$derived` for computed display values and `$effect` only for browser-side effects, subscriptions, DOM, timers, observers, third-party browser libraries, and cleanup.
73
+ - Keep SvelteKit, Vite, TypeScript, adapter, `svelte-check`, and package export surfaces synchronized when toolchain behavior changes.
69
74
 
70
75
  <!-- mustflow-section: procedure -->
71
76
  ## Procedure
72
77
 
73
- 1. Read route segment files, parent layouts, stores/runes/context, hooks, app types, and tests.
74
- 2. Identify Svelte version and whether the code uses runes or legacy reactivity.
75
- 3. Before choosing a file, classify every data access with: origin, secrecy, request scope, mutation, browser dependency, and serialization.
76
- 4. If data requires DB, filesystem, private env, cookies, auth headers, `event.locals`, server SDKs, or request-local identity, keep it in server-only code: `+page.server`, `+layout.server`, `+server`, `hooks.server`, or `$lib/server`.
77
- 5. If data is public and can be safely fetched by the browser without secrets, universal load is allowed.
78
- 6. If the operation is a page form mutation, prefer `+page.server` actions over a custom JSON endpoint.
79
- 7. If the operation is a public HTTP API, webhook, mobile API, stream, file response, or non-page endpoint, use `+server`.
80
- 8. If the value is UI-only state such as modal open, selected tab, draft input, accordion state, hover state, or local editing state, keep it in component `$state` or local context.
81
- 9. If a value is computed from reactive inputs, use `$derived`. Do not use `$effect` to copy or synchronize derived state.
82
- 10. Use `$effect`, lifecycle hooks, event handlers, actions, or dynamic imports for browser-only APIs and browser-only libraries. Do not touch `window`, `document`, `localStorage`, `matchMedia`, canvas, or browser-only imports in SSR top-level code.
83
- 11. Keep request-specific user/session/auth state out of module-level mutable variables, global stores, exported `$state`, and load/action side effects.
84
- 12. Do not write to stores from load functions.
85
- 13. Keep server load return values intentionally serializable and minimal. Do not pass secrets, raw sessions, tokens, hidden DB fields, or whole service responses to the browser.
86
- 14. Prefer `$app/state` over legacy `$app/stores` in SvelteKit projects that use the newer SvelteKit state API.
87
- 15. Do not hide SSR errors by disabling SSR unless the user explicitly accepts that product and architecture change.
88
- 16. Treat accessibility compiler warnings as real findings unless a local false-positive reason is documented.
78
+ 1. Read route segment files, parent layouts, route matchers, stores/runes/context, hooks, app types, Svelte/Vite/TypeScript config, adapter config, package metadata, and tests.
79
+ 2. Identify Svelte and SvelteKit version tracks and whether the code uses runes, legacy reactivity, or mixed migration mode.
80
+ 3. Before choosing a file, classify every data access with: origin, secrecy, request scope, mutation, browser dependency, serialization, dependency tracking, invalidation trigger, and adapter support.
81
+ 4. Keep DB, filesystem, private env, cookies, auth headers, `event.locals`, server SDKs, and request-local identity in server-only code: `+page.server`, `+layout.server`, `+server`, `hooks.server`, `$lib/server`, or `*.server.*`.
82
+ 5. Treat `+page.ts` and `+layout.ts` as universal. They may run during SSR and later in the browser; do not import browser-only packages, private env, DB clients, or server modules there.
83
+ 6. If `+page.server` and universal `+page` or `+layout` coexist, check that server-load data is intentionally passed through the universal `load` return value when the page component needs it.
84
+ 7. Keep `load` side-effect-free. Do not increment counters, mark reads, mutate stores, write analytics, or change module state from `load`; preload and navigation can run it before the user commits.
85
+ 8. Avoid `await parent()` waterfalls. Start independent fetches before awaiting parent data, and keep auth checks in `hooks.server` or route-specific server load when child data must not execute first.
86
+ 9. Use SvelteKit-provided `fetch` inside load when dependency tracking, SSR response inlining, and hydration reuse matter. For custom clients, register `depends(...)` keys and invalidate the exact URL or dependency key.
87
+ 10. Use page form actions for page-owned mutations. Preserve `fail(...)`, `redirect(303, ...)`, `use:enhance`, `update()`, `applyAction()`, focus reset, and invalidation behavior when enhancing forms.
88
+ 11. Use `+server` for public HTTP APIs, webhooks, mobile APIs, streams, file responses, and custom response contracts. Do not create a JSON endpoint for a normal page form unless there is a non-page consumer.
89
+ 12. For streaming load data, finish auth, redirects, and headers before streaming starts. Handle promise rejections, check adapter and proxy buffering, and stream only data whose late failure does not change page policy.
90
+ 13. Preserve hydration markers and valid HTML structure. Do not use HTML minifiers, CDN rewrites, or edge transforms that remove Svelte hydration comments without verifying hydration.
91
+ 14. If navigation reuses page or layout components, make route-dependent values `$derived` from `data`, `$app/state`, or URL state; use `{#key ...}` only when a real remount boundary is intended.
92
+ 15. Put SSR-affecting filters, search, pagination, sorting, and shareable state in URL search params. Keep temporary UI state local or snapshot-like.
93
+ 16. Use `$state` only for state that should update UI, `$derived`, or `$effect`. Keep large immutable payloads, table rows, CMS payloads, parser outputs, and third-party data as plain values or `$state.raw` with reassignment.
94
+ 17. Do not destructure `$state` or proxy objects when live reactivity is required. Read fields at the use site or derive a narrow value.
95
+ 18. Use `SvelteMap`, `SvelteSet`, `SvelteDate`, `SvelteURL`, or reassignment patterns when reactive special objects are required; do not expect ordinary `Map`, `Set`, `Date`, `URL`, or class internals to be deeply tracked.
96
+ 19. Use `$derived` or `$derived.by` for filtering, sorting, totals, validation results, labels, and view models. Do not use `$effect` to copy or synchronize derived state.
97
+ 20. Keep `$effect` dependencies narrow and synchronous. Read dependencies before `await`, `setTimeout`, or callbacks; use `untrack` for incidental logging, snapshots, or non-dependency reads.
98
+ 21. Return cleanup from effects that create subscriptions, intervals, observers, sockets, editors, charts, canvas loops, or external library instances.
99
+ 22. Treat props as parent-owned. Use callback props for changes and `$bindable` only for narrow form-control-like two-way APIs. Preserve wrapper binding chains or convert them to explicit callbacks.
100
+ 23. In Svelte 5, treat DOM event handlers as props. When spreading rest props through wrappers, intentionally compose external handlers with internal policy instead of relying on spread order.
101
+ 24. Treat snippets as typed render callbacks. Require optional snippet guards, pass row or slot-like data as parameters, and avoid hidden parent-state capture in reusable library components.
102
+ 25. Check SvelteKit, Vite, TypeScript, adapter, and package output as one toolchain boundary. Do not edit generated `.svelte-kit/tsconfig.json`; fix `svelte.config`, `kit.alias`, package exports, `types`, `svelte` conditions, `files`, and CSS side effects at their source.
89
103
 
90
104
  <!-- mustflow-section: data-boundary-policy -->
91
105
  ## Data Boundary Policy
@@ -94,6 +108,7 @@ Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, da
94
108
  - Public external APIs and public CMS data may live in universal load only when the browser may call them directly without secrets.
95
109
  - DB, filesystem, private env, server SDKs, cookies, auth headers, sessions, and `event.locals` belong in server-only files.
96
110
  - User-specific data must be read server-side and narrowed before being serialized into `data`.
111
+ - Server load return values must be intentionally serializable and minimal.
97
112
  - Page forms should use form actions by default.
98
113
  - External clients, webhooks, mobile apps, streaming responses, and custom HTTP responses belong in `+server`.
99
114
  - Browser-only values belong in component effects, event handlers, dynamic imports, or browser actions.
@@ -105,18 +120,22 @@ Preserve Svelte component reactivity, SvelteKit SSR/server/client boundaries, da
105
120
  - `+page.server.ts` and `+layout.server.ts` are for server-only page data.
106
121
  - `+page.server.ts` actions are for page-owned form mutations.
107
122
  - `+server.ts` is for HTTP endpoints, webhooks, non-page APIs, streams, files, and custom responses.
123
+ - Route matchers, optional params, rest params, and route groups are public URL and layout/auth behavior, not only folder naming.
108
124
  - Do not create a JSON endpoint for a normal page form unless there is a non-page consumer.
109
125
  - Do not wrap server-only imports in browser guards. Fix the import graph.
110
126
 
111
127
  <!-- mustflow-section: runes-state-policy -->
112
128
  ## Runes And State Policy
113
129
 
114
- - Use `$state` for local interactive UI state.
115
- - Use `$derived` for calculations from props, route data, page state, or local state.
116
- - Use `$effect` only for browser-side effects, subscriptions, DOM, canvas, analytics, third-party browser libraries, and cleanup.
130
+ - Use `$state` for owned interactive UI state.
131
+ - Use `$state.raw` only when reassignment, not internal mutation, is the update model.
132
+ - Use `$state.snapshot` before sending proxy state to serializers, workers, chart libraries, equality tools, or external APIs that should see plain data.
133
+ - Use `$derived` for calculations from props, route data, page state, URL state, or local state.
134
+ - Use `$effect` only for browser-side effects, subscriptions, DOM, canvas, analytics, timers, third-party browser libraries, and cleanup.
117
135
  - Use stores for external streams or manual subscribe/unsubscribe interop, not ordinary component state.
118
136
  - Use context for parent-owned values shared down the component tree, especially request-scoped layout data.
119
137
  - Do not reassign reactive context objects after placing them in context; update their properties or pass getter functions when needed.
138
+ - Use stable keys for changing lists. Do not use array indexes as keys when rows can reorder, insert, delete, transition, or own child state.
120
139
 
121
140
  <!-- mustflow-section: ssr-debug-policy -->
122
141
  ## SSR Debug Policy
@@ -127,7 +146,7 @@ When SSR breaks, inspect in this order:
127
146
  2. `$lib/server`, `*.server.*`, DB, filesystem, admin SDK, or server-only import chains.
128
147
  3. Request-local state stored in module singletons, stores, or exported `$state`.
129
148
  4. Browser API access at module top-level or during SSR render.
130
- 5. Hydration mismatch from time, randomness, locale, timezone, localStorage, or browser-only initial state.
149
+ 5. Hydration mismatch from invalid HTML, removed comments, time, randomness, locale, timezone, localStorage, or browser-only initial state.
131
150
  6. Route-level SSR disabling only after the product accepts an SPA-like shell.
132
151
 
133
152
  <!-- mustflow-section: hard-bans -->
@@ -137,18 +156,21 @@ When SSR breaks, inspect in this order:
137
156
  - Do not move required first-render page data into lifecycle hooks or `$effect`.
138
157
  - Do not import `$lib/server`, `*.server.*`, private env modules, DB clients, filesystem, or admin SDKs from universal/client route files or shared client utilities.
139
158
  - Do not mutate module-scope variables, global stores, or exported `$state` with user/session/request data during SSR, load, or actions.
140
- - Do not use `$effect` to compute derived values.
159
+ - Do not use `$effect` to compute derived values or synchronize state mirrors.
141
160
  - Do not put browser-only library imports at top level when the package touches browser globals during import.
142
161
  - Do not serialize secrets, raw sessions, access tokens, hidden DB fields, or whole service responses through load data.
162
+ - Do not edit generated `.svelte-kit` files as source.
143
163
 
144
164
  <!-- mustflow-section: postconditions -->
145
165
  ## Postconditions
146
166
 
147
167
  - Server/client and SSR boundaries are explicit.
148
- - State owner and derived/effect behavior are clear.
168
+ - Route, load, action, endpoint, invalidation, and streaming behavior are clear.
169
+ - State owner, derived/effect behavior, props ownership, snippets, and binding behavior are clear.
149
170
  - Forms remain progressive unless intentionally changed.
150
171
  - Private data stays server-only and serialized data is intentionally minimal.
151
172
  - Request-scoped sharing uses load data, props, or context instead of module singletons.
173
+ - Adapter, Vite, TypeScript, and package output impacts are reported when touched.
152
174
  - Accessibility warnings are resolved or justified.
153
175
 
154
176
  <!-- mustflow-section: verification -->
@@ -163,7 +185,7 @@ Use configured oneshot command intents when available:
163
185
  - `docs_validate_fast`
164
186
  - `mustflow_check`
165
187
 
166
- Report missing Svelte check, SSR render, form action, or browser verification intents when relevant.
188
+ Report missing Svelte check, SSR render, hydration, form action, browser, adapter, package, or preview-mode verification intents when relevant.
167
189
 
168
190
  <!-- mustflow-section: failure-handling -->
169
191
  ## Failure Handling
@@ -173,13 +195,16 @@ Report missing Svelte check, SSR render, form action, or browser verification in
173
195
  - If accessibility warnings require an ignore, include the specific reason in the code or report.
174
196
  - If server-only imports leak into universal/client files, move the boundary instead of adding runtime guards.
175
197
  - If request-local data is stored globally, move it to server load, actions, context, or persistent storage with user scoping.
198
+ - If exact framework, adapter, Vite, Node, or release claims cannot be refreshed from official sources, omit them from durable skill text and report them as unverified snapshot context.
199
+ - If streaming, hydration, adapter output, package exports, or preview-mode behavior cannot be verified by configured intents, report the missing runtime smoke coverage.
176
200
 
177
201
  <!-- mustflow-section: output-format -->
178
202
  ## Output Format
179
203
 
180
204
  - Boundary checked
181
- - SSR/server/client and state notes
182
- - Form/action/accessibility impact
205
+ - SSR/server/client, route, load, action, invalidation, and streaming notes
206
+ - Runes, state, props, snippet, binding, and accessibility notes
207
+ - Adapter, Vite, TypeScript, and package-output notes when touched
183
208
  - Files changed
184
209
  - Command intents run
185
210
  - Skipped checks and reasons