mustflow 2.108.2 → 2.108.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/README.md +3 -0
  2. package/dist/cli/commands/script-pack.js +3 -0
  3. package/dist/cli/i18n/en.js +37 -0
  4. package/dist/cli/i18n/es.js +37 -0
  5. package/dist/cli/i18n/fr.js +37 -0
  6. package/dist/cli/i18n/hi.js +37 -0
  7. package/dist/cli/i18n/ko.js +37 -0
  8. package/dist/cli/i18n/zh.js +37 -0
  9. package/dist/cli/lib/command-registry.js +3 -0
  10. package/dist/cli/lib/script-pack-registry.js +84 -0
  11. package/dist/cli/script-packs/repo-automation-surface.js +88 -0
  12. package/dist/cli/script-packs/repo-dependency-surface.js +87 -0
  13. package/dist/cli/script-packs/repo-toolchain-provenance.js +90 -0
  14. package/dist/core/public-json-contracts.js +27 -0
  15. package/dist/core/repo-automation-surface.js +376 -0
  16. package/dist/core/repo-dependency-surface.js +282 -0
  17. package/dist/core/repo-toolchain-provenance.js +421 -0
  18. package/dist/core/script-pack-suggestions.js +33 -1
  19. package/package.json +1 -1
  20. package/schemas/README.md +10 -0
  21. package/schemas/repo-automation-surface-report.schema.json +148 -0
  22. package/schemas/repo-dependency-surface-report.schema.json +121 -0
  23. package/schemas/repo-toolchain-provenance-report.schema.json +124 -0
  24. package/templates/default/i18n.toml +18 -6
  25. package/templates/default/locales/en/.mustflow/skills/INDEX.md +15 -5
  26. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +98 -22
  27. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +86 -27
  28. package/templates/default/locales/en/.mustflow/skills/routes.toml +16 -4
  29. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +51 -32
  30. package/templates/default/locales/en/.mustflow/skills/split-refactor-residual-path-review/SKILL.md +176 -0
  31. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +47 -29
  32. package/templates/default/locales/en/.mustflow/skills/ui-state-resurrection-review/SKILL.md +218 -0
  33. package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +14 -13
  34. package/templates/default/manifest.toml +15 -1
@@ -0,0 +1,121 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/repo-dependency-surface-report.schema.json",
4
+ "title": "mustflow repo dependency-surface report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "input",
18
+ "input_hash",
19
+ "summary",
20
+ "surfaces",
21
+ "findings",
22
+ "issues"
23
+ ],
24
+ "properties": {
25
+ "schema_version": { "const": "1" },
26
+ "command": { "const": "script-pack" },
27
+ "pack_id": { "const": "repo" },
28
+ "script_id": { "const": "dependency-surface" },
29
+ "script_ref": { "const": "repo/dependency-surface" },
30
+ "action": { "const": "inspect" },
31
+ "status": { "enum": ["passed", "failed", "error"] },
32
+ "ok": { "type": "boolean" },
33
+ "mustflow_root": { "type": "string" },
34
+ "input": { "$ref": "#/$defs/input" },
35
+ "input_hash": { "$ref": "#/$defs/sha256" },
36
+ "summary": { "$ref": "#/$defs/summary" },
37
+ "surfaces": { "type": "array", "items": { "$ref": "#/$defs/surface" } },
38
+ "findings": { "type": "array", "items": { "$ref": "#/$defs/finding" } },
39
+ "issues": { "type": "array", "items": { "type": "string" } }
40
+ },
41
+ "$defs": {
42
+ "sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
43
+ "input": {
44
+ "type": "object",
45
+ "additionalProperties": false,
46
+ "required": ["scanned_paths", "max_file_bytes"],
47
+ "properties": {
48
+ "scanned_paths": { "type": "array", "items": { "type": "string", "minLength": 1 } },
49
+ "max_file_bytes": { "type": "integer", "minimum": 1 }
50
+ }
51
+ },
52
+ "summary": {
53
+ "type": "object",
54
+ "additionalProperties": false,
55
+ "required": [
56
+ "surface_count",
57
+ "manifest_count",
58
+ "lockfile_count",
59
+ "update_config_count",
60
+ "audit_config_count",
61
+ "ecosystem_count",
62
+ "finding_count"
63
+ ],
64
+ "properties": {
65
+ "surface_count": { "type": "integer", "minimum": 0 },
66
+ "manifest_count": { "type": "integer", "minimum": 0 },
67
+ "lockfile_count": { "type": "integer", "minimum": 0 },
68
+ "update_config_count": { "type": "integer", "minimum": 0 },
69
+ "audit_config_count": { "type": "integer", "minimum": 0 },
70
+ "ecosystem_count": { "type": "integer", "minimum": 0 },
71
+ "finding_count": { "type": "integer", "minimum": 0 }
72
+ }
73
+ },
74
+ "surface": {
75
+ "type": "object",
76
+ "additionalProperties": false,
77
+ "required": ["id", "ecosystem", "kind", "path", "line", "name", "evidence"],
78
+ "properties": {
79
+ "id": { "type": "string", "minLength": 1 },
80
+ "ecosystem": { "enum": ["go", "javascript", "python", "rust"] },
81
+ "kind": {
82
+ "enum": [
83
+ "audit_config",
84
+ "dependency_update_config",
85
+ "lockfile",
86
+ "manifest",
87
+ "package_manager_config",
88
+ "workspace_config"
89
+ ]
90
+ },
91
+ "path": { "type": "string", "minLength": 1 },
92
+ "line": { "type": ["integer", "null"], "minimum": 1 },
93
+ "name": { "type": "string", "minLength": 1 },
94
+ "evidence": { "type": "string", "minLength": 1 }
95
+ }
96
+ },
97
+ "finding": {
98
+ "type": "object",
99
+ "additionalProperties": false,
100
+ "required": ["code", "severity", "message", "path", "json_pointer", "metric", "actual", "expected"],
101
+ "properties": {
102
+ "code": {
103
+ "enum": [
104
+ "conflicting_javascript_lockfiles",
105
+ "manifest_without_lockfile",
106
+ "update_automation_without_policy",
107
+ "lockfile_without_manifest",
108
+ "dependency_surface_without_update_automation"
109
+ ]
110
+ },
111
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
112
+ "message": { "type": "string" },
113
+ "path": { "type": "string", "minLength": 1 },
114
+ "json_pointer": { "type": ["string", "null"] },
115
+ "metric": { "type": ["string", "null"] },
116
+ "actual": { "type": ["number", "null"] },
117
+ "expected": { "type": ["number", "null"] }
118
+ }
119
+ }
120
+ }
121
+ }
@@ -0,0 +1,124 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/repo-toolchain-provenance-report.schema.json",
4
+ "title": "mustflow repo toolchain-provenance report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "input",
18
+ "input_hash",
19
+ "summary",
20
+ "sources",
21
+ "lockfiles",
22
+ "findings",
23
+ "issues"
24
+ ],
25
+ "properties": {
26
+ "schema_version": { "const": "1" },
27
+ "command": { "const": "script-pack" },
28
+ "pack_id": { "const": "repo" },
29
+ "script_id": { "const": "toolchain-provenance" },
30
+ "script_ref": { "const": "repo/toolchain-provenance" },
31
+ "action": { "const": "inspect" },
32
+ "status": { "enum": ["passed", "failed", "error"] },
33
+ "ok": { "type": "boolean" },
34
+ "mustflow_root": { "type": "string" },
35
+ "input": { "$ref": "#/$defs/input" },
36
+ "input_hash": { "$ref": "#/$defs/sha256" },
37
+ "summary": { "$ref": "#/$defs/summary" },
38
+ "sources": { "type": "array", "items": { "$ref": "#/$defs/source" } },
39
+ "lockfiles": { "type": "array", "items": { "type": "string", "minLength": 1 } },
40
+ "findings": { "type": "array", "items": { "$ref": "#/$defs/finding" } },
41
+ "issues": { "type": "array", "items": { "type": "string" } }
42
+ },
43
+ "$defs": {
44
+ "sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
45
+ "input": {
46
+ "type": "object",
47
+ "additionalProperties": false,
48
+ "required": ["scanned_paths", "max_file_bytes"],
49
+ "properties": {
50
+ "scanned_paths": { "type": "array", "items": { "type": "string", "minLength": 1 } },
51
+ "max_file_bytes": { "type": "integer", "minimum": 1 }
52
+ }
53
+ },
54
+ "summary": {
55
+ "type": "object",
56
+ "additionalProperties": false,
57
+ "required": [
58
+ "source_count",
59
+ "runtime_count",
60
+ "package_manager_count",
61
+ "lockfile_count",
62
+ "ci_source_count",
63
+ "finding_count"
64
+ ],
65
+ "properties": {
66
+ "source_count": { "type": "integer", "minimum": 0 },
67
+ "runtime_count": { "type": "integer", "minimum": 0 },
68
+ "package_manager_count": { "type": "integer", "minimum": 0 },
69
+ "lockfile_count": { "type": "integer", "minimum": 0 },
70
+ "ci_source_count": { "type": "integer", "minimum": 0 },
71
+ "finding_count": { "type": "integer", "minimum": 0 }
72
+ }
73
+ },
74
+ "source": {
75
+ "type": "object",
76
+ "additionalProperties": false,
77
+ "required": ["kind", "source_kind", "path", "line", "key", "value"],
78
+ "properties": {
79
+ "kind": { "enum": ["bun", "docker", "go", "node", "package_manager", "python", "rust"] },
80
+ "source_kind": {
81
+ "enum": [
82
+ "ci_workflow",
83
+ "dockerfile",
84
+ "go_mod",
85
+ "mise_toml",
86
+ "node_version_file",
87
+ "package_json",
88
+ "python_version_file",
89
+ "pyproject_toml",
90
+ "rust_toolchain",
91
+ "tool_versions"
92
+ ]
93
+ },
94
+ "path": { "type": "string", "minLength": 1 },
95
+ "line": { "type": ["integer", "null"], "minimum": 1 },
96
+ "key": { "type": "string", "minLength": 1 },
97
+ "value": { "type": "string", "minLength": 1 }
98
+ }
99
+ },
100
+ "finding": {
101
+ "type": "object",
102
+ "additionalProperties": false,
103
+ "required": ["code", "severity", "message", "path", "json_pointer", "metric", "actual", "expected"],
104
+ "properties": {
105
+ "code": {
106
+ "enum": [
107
+ "conflicting_node_version_sources",
108
+ "conflicting_package_manager_lockfiles",
109
+ "package_manager_without_lockfile",
110
+ "toolchain_declared_without_package_manager",
111
+ "runtime_declared_in_ci_only"
112
+ ]
113
+ },
114
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
115
+ "message": { "type": "string" },
116
+ "path": { "type": "string", "minLength": 1 },
117
+ "json_pointer": { "type": ["string", "null"] },
118
+ "metric": { "type": ["string", "null"] },
119
+ "actual": { "type": ["number", "null"] },
120
+ "expected": { "type": ["number", "null"] }
121
+ }
122
+ }
123
+ }
124
+ }
@@ -62,7 +62,7 @@ translations = {}
62
62
  [documents."skills.index"]
63
63
  source = "locales/en/.mustflow/skills/INDEX.md"
64
64
  source_locale = "en"
65
- revision = 207
65
+ revision = 214
66
66
  translations = {}
67
67
 
68
68
  [documents."skill.adapter-boundary"]
@@ -113,6 +113,12 @@ source_locale = "en"
113
113
  revision = 12
114
114
  translations = {}
115
115
 
116
+ [documents."skill.split-refactor-residual-path-review"]
117
+ source = "locales/en/.mustflow/skills/split-refactor-residual-path-review/SKILL.md"
118
+ source_locale = "en"
119
+ revision = 1
120
+ translations = {}
121
+
116
122
  [documents."skill.code-review"]
117
123
  source = "locales/en/.mustflow/skills/code-review/SKILL.md"
118
124
  source_locale = "en"
@@ -329,6 +335,12 @@ source_locale = "en"
329
335
  revision = 1
330
336
  translations = {}
331
337
 
338
+ [documents."skill.ui-state-resurrection-review"]
339
+ source = "locales/en/.mustflow/skills/ui-state-resurrection-review/SKILL.md"
340
+ source_locale = "en"
341
+ revision = 3
342
+ translations = {}
343
+
332
344
  [documents."skill.frontend-stress-layout-review"]
333
345
  source = "locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md"
334
346
  source_locale = "en"
@@ -571,7 +583,7 @@ translations = {}
571
583
  [documents."skill.version-freshness-check"]
572
584
  source = "locales/en/.mustflow/skills/version-freshness-check/SKILL.md"
573
585
  source_locale = "en"
574
- revision = 8
586
+ revision = 9
575
587
  translations = {}
576
588
 
577
589
  [documents."skill.line-ending-hygiene"]
@@ -709,7 +721,7 @@ translations = {}
709
721
  [documents."skill.go-code-change"]
710
722
  source = "locales/en/.mustflow/skills/go-code-change/SKILL.md"
711
723
  source_locale = "en"
712
- revision = 4
724
+ revision = 7
713
725
  translations = {}
714
726
 
715
727
  [documents."skill.godot-code-change"]
@@ -763,7 +775,7 @@ translations = {}
763
775
  [documents."skill.python-code-change"]
764
776
  source = "locales/en/.mustflow/skills/python-code-change/SKILL.md"
765
777
  source_locale = "en"
766
- revision = 4
778
+ revision = 5
767
779
  translations = {}
768
780
 
769
781
  [documents."skill.powershell-code-change"]
@@ -787,7 +799,7 @@ translations = {}
787
799
  [documents."skill.rust-code-change"]
788
800
  source = "locales/en/.mustflow/skills/rust-code-change/SKILL.md"
789
801
  source_locale = "en"
790
- revision = 6
802
+ revision = 7
791
803
  translations = {}
792
804
 
793
805
  [documents."skill.runtime-target-selection"]
@@ -835,7 +847,7 @@ translations = {}
835
847
  [documents."skill.typescript-code-change"]
836
848
  source = "locales/en/.mustflow/skills/typescript-code-change/SKILL.md"
837
849
  source_locale = "en"
838
- revision = 6
850
+ revision = 7
839
851
  translations = {}
840
852
 
841
853
  [documents."skill.unocss-code-change"]
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 207
5
+ revision: 214
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -93,6 +93,9 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
93
93
  - Use `module-boundary-review` as an adjunct when module separation needs change-spread, data-owner,
94
94
  policy-owner, failure-owner, import-direction, DTO leakage, shared-helper, public-API, or caller
95
95
  sequencing review before deciding whether a boundary is real.
96
+ - Use `split-refactor-residual-path-review` as an adjunct when a split or extraction claims a
97
+ handler, listener, state mutation, event processor, side effect, or cleanup responsibility moved
98
+ and the review must prove the old file or fallback path cannot still process the same event.
96
99
  - Use `change-blast-radius-review` as an adjunct when maintainability review needs to predict the
97
100
  next-change spread, feature deletion path, policy owner, workflow owner, config or tenant branch
98
101
  spread, event contract visibility, migration/runtime compatibility, or whether a clean-looking
@@ -239,6 +242,11 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
239
242
  - Use `frontend-state-ownership-review` as an adjunct when frontend state can drift across props,
240
243
  local state, server cache, URL params, form drafts, global stores, context, persisted storage,
241
244
  derived selectors, optimistic updates, query keys, request races, or external subscriptions.
245
+ - Use `ui-state-resurrection-review` as an adjunct when a closed, completed, cleared, deleted,
246
+ finalized, or dismissed UI surface such as a panel, tab, route, chat stream, draft, task view,
247
+ layout slot, modal, drawer, or notification reappears after reload, restart, reconnect, remount,
248
+ persisted-store hydration, cache restore, replay, migration, crash recovery, cross-tab broadcast,
249
+ cloud sync, or events such as `message.complete`.
242
250
  - Use `frontend-stress-layout-review` as an adjunct when frontend UI needs hostile-content and
243
251
  layout-resilience review for parent container width, container queries, long unbroken strings,
244
252
  async media, skeletons, empty, error, permission and loading states, scrollbars, mobile
@@ -562,12 +570,12 @@ routes. Event routes stay inactive until their event occurs.
562
570
  | Node.js runtime code, package manager ownership, module format, package entry metadata, native dependencies, Node test runner behavior, TypeScript execution mode, or deployment runtime support is created or changed | `.mustflow/skills/node-code-change/SKILL.md` | Node version signals, package manager and lockfile owner, module/package metadata, TypeScript loader, test runner, native dependency, deployment target, and command contract entries | Node runtime code, package metadata, lockfiles, scripts, CI or Docker runtime declarations, test runner config, native dependency handling, docs examples, and directly synchronized package surfaces | newest-Node assumption, package manager drift, ESM/CJS break, blocked deep import, native dependency break, Node native TypeScript overclaim, test runner migration risk, deployment mismatch, or permission-model overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Runtime and package manager decision, module/package entry notes, TypeScript/test runner notes, native/deployment risks, verification, and remaining Node.js risk |
563
571
  | Bun runtime code, `Bun.serve`, Elysia-on-Bun server behavior, Bun package manager behavior, `bun.lock`, `bunfig.toml`, Bun test runner behavior, Bun bundling, Bun compile, Bun TypeScript execution, Docker deployment, or Bun-specific APIs are created or changed | `.mustflow/skills/bun-code-change/SKILL.md` | Bun role signals, `package.json`, Bun and non-Bun lockfiles, `bunfig.toml`, CI/Docker Bun setup, TypeScript config, Bun APIs, server timeout and WebSocket settings, compile target, native dependency signals, and command contract entries | Bun runtime code, server config, package manager metadata, lockfiles, `bunfig.toml`, scripts, tests, bundler or compile config, TypeScript/declaration pipeline, Docker/deploy config, package metadata, and directly synchronized docs | Bun role confusion, lockfile drift, trusted dependency overgrant, runtime/package-manager conflation, Bun TypeScript typecheck overclaim, Bun build declaration gap, server timeout or WebSocket backpressure gap, compile target break, Node compatibility break, shebang mismatch, Docker/PORT drift, observability loss, or native binary break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Bun role classification, lockfile/trust notes, runtime/type/build/test/deploy notes, Node compatibility risks, verification, and remaining Bun risk |
564
572
  | Dockerfiles, `.dockerignore`, Docker Compose files, BuildKit or buildx behavior, container image metadata, tags, entrypoints, health checks, Docker CI workflows, image security scanning, SBOM or provenance settings, registry publishing, or container runtime validation are created or changed | `.mustflow/skills/docker-code-change/SKILL.md` | Docker surfaces, project image shape, base image and platform signals, build context and cache signals, runtime contract, security and supply-chain contract, and command contract entries | Dockerfiles, `.dockerignore`, Compose files, container CI workflow snippets, image metadata, package tests, docs examples, template metadata, and directly synchronized skill routes | cache breakage, secret leak, root runtime, host access escape, dev dependency in final image, mutable tag drift, untrusted CI publish, missing SBOM/provenance, unverified runtime, or false production-readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker surface classification, image/base/cache/stage decisions, secret/user/runtime/Compose/CI supply-chain notes, verification, and remaining Docker risk |
565
- | TypeScript source, declarations, tsconfig, package exports, module resolution, public API, compiler-version behavior, TypeScript 6-to-7 migration surfaces, TypeScript 7 RC or nightly tooling, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, compiler track, package entry metadata, target runtime, changed files, declaration, TS6 API, TS7 RC, and optional TS7 nightly surfaces, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, compiler-track comparison notes, and directly synchronized docs | weakened type safety, module drift, public API drift, unverified declaration output, TypeScript 6 deprecation suppression, TS7 RC over-adoption, TS7 nightly over-adoption, or compiler API track drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, public API, compiler-version, RC, nightly, and API-track boundary checked, changes made, verification, and remaining TypeScript risk |
573
+ | TypeScript source, declarations, tsconfig, package exports, module resolution, project references, type-check performance, public API, compiler-version behavior, TypeScript 6-to-7 migration surfaces, TypeScript 7 RC or nightly tooling, runtime data validation, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, compiler track, package entry metadata, target runtime, changed files, declaration, project references, package graph, TS6 API, TS7 RC, and optional TS7 nightly surfaces, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, project-reference and type-graph notes, compiler-track comparison notes, and directly synchronized docs | weakened type safety, module drift, public API drift, DTO/domain drift, runtime validation gap, type-graph bloat, path alias boundary bypass, unverified declaration output, TypeScript 6 deprecation suppression, TS7 RC over-adoption, TS7 nightly over-adoption, or compiler API track drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, public API, project-reference, type-performance, compiler-version, RC, nightly, and API-track boundary checked, changes made, verification, and remaining TypeScript risk |
566
574
  | JavaScript source, module format, package entry, browser or Node runtime, dependency usage, Promise handling, bundler config, or JavaScript tests are created or changed | `.mustflow/skills/javascript-code-change/SKILL.md` | Package metadata, module system, runtime target, entrypoints, changed files, and command contract entries | JavaScript source, package exports, bundler config, dependencies, tests, and docs examples | runtime API leakage, ESM/CJS drift, discarded Promise, dependency bloat, or broken package entry | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime and module boundary checked, async and dependency notes, verification, and remaining JavaScript risk |
567
- | Python source, package metadata, runtime version, import layout, type checking, linting, CLI entry points, or tests are created or changed | `.mustflow/skills/python-code-change/SKILL.md` | Python version source, packaging files, import layout, lint/type/test config, changed files, and command contract entries | Python source, packaging metadata, imports, type hints, tests, and docs examples | unsupported syntax, import hacks, packaging drift, swallowed errors, or weakened lint/type checks | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, packaging, import, and type boundary checked, verification, and remaining Python risk |
575
+ | Python source, package metadata, runtime version, import layout, architecture boundaries, type checking, async tasks, exception/logging/retry behavior, collection performance, pytest fixtures or mocks, linting, CLI entry points, or tests are created or changed | `.mustflow/skills/python-code-change/SKILL.md` | Python version source, packaging files, build backend or package-manager owner, import layout, architecture boundary, lint/type/test config, async/failure/performance surface, changed files, and command contract entries | Python source, packaging metadata, imports, type hints, adapters, async ownership, exception/logging/retry code, collection hot paths, tests, and docs examples | unsupported syntax, import hacks, packaging drift, framework or ORM leakage into domain code, false type safety, unowned task, swallowed cancellation, retry storm, hidden fallback, copy-heavy hot path, fixture state leak, bare mock lie, or weakened lint/type checks | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, packaging, import, architecture, type, async, failure, performance, and test boundary checked, verification, and remaining Python risk |
568
576
  | PowerShell scripts, modules, command examples, `pwsh` invocations, native-command wrappers, quoting, here-strings, splatting, regex, wildcard, replacement strings, or PowerShell argument passing are created or changed | `.mustflow/skills/powershell-code-change/SKILL.md` | PowerShell version and invocation path, parser layers, native-command boundary, dynamic input boundaries, changed files, and command contract entries | PowerShell scripts, modules, package scripts, CI snippets, docs examples, native-command wrappers, tests, and directly synchronized docs | parser-layer confusion, quote loss, variable over-expansion, metacharacter interpretation, native argv drift, command injection, `--%` overuse, or cross-shell `-Command` breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | PowerShell version and invocation boundary, parser ledger, string/here-string/regex/wildcard/replacement/native argv decisions, verification, and remaining PowerShell risk |
569
- | Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, benchmarks, tools, tests, or generated-code boundaries are created or changed | `.mustflow/skills/go-code-change/SKILL.md` | Module files, Go version support, full package files, tests, public API surface, concurrency owner, runtime/deployment context, changed files, and command contract entries | Go packages, module metadata, interfaces, errors, concurrency code, HTTP/proxy code, JSON encoding, filesystem and network helpers, runtime settings, tests, tools, and docs examples | unnecessary abstraction, unsupported Go feature, context loss, goroutine leak, missing timeout, JSON contract drift, filesystem traversal, IPv6 host-port bug, runtime tuning drift, error contract drift, or module drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Package, API, Go version, context, concurrency, runtime, HTTP, JSON, filesystem, tool, and error boundary checked, verification, and remaining Go risk |
570
- | Rust source, Cargo metadata, features, traits, errors, ownership, async runtime, unsafe code, tests, examples, benchmarks, release profiles, MSRV, toolchain declarations, standard-library APIs, or public crate APIs are created or changed | `.mustflow/skills/rust-code-change/SKILL.md` | Cargo metadata, feature flags, public exports, async runtime, unsafe invariants, `rust-version`, edition, toolchain, workspace policy, changed files, and command contract entries | Rust source, Cargo metadata, features, errors, traits, tests, examples, benchmarks, profiles, and docs | clone or lock bloat, unsupported Rust feature, feature drift, Cargo resolver drift, async runtime mixing, unsafe invariant loss, release-profile overclaim, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Ownership, MSRV, standard-library API, Cargo feature, async, unsafe, release-profile, and public API boundary checked, verification, and remaining Rust risk |
577
+ | Go source, modules, workspaces, package APIs, package layout, `internal` boundaries, interfaces, structs, errors, goroutines, channels, context propagation, HTTP clients or servers, Gin engines, router groups, middleware chains, request binding, validation, graceful shutdown, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, profiling, benchmarks, tools, tests, or generated-code boundaries are created or changed | `.mustflow/skills/go-code-change/SKILL.md` | Module files, workspace policy, Go version support, full package files, tests, public API surface, package ownership, concurrency owner, runtime/deployment context, Gin or framework version and route/middleware/binding context, changed files, and command contract entries | Go packages, module and workspace metadata, internal boundaries, interfaces, structs, errors, concurrency code, HTTP/shutdown/proxy code, Gin route, middleware, context, binding and validation code, JSON encoding, filesystem and network helpers, runtime settings, profiling and benchmarks, tests, tools, and docs examples | unnecessary abstraction, module boundary drift, unsupported Go feature, context loss, goroutine leak, missing timeout, unsafe shutdown, Gin context reuse bug, unsafe middleware order, trusted-proxy drift, binding or validation bypass, body-size mistake, JSON contract drift, filesystem traversal, IPv6 host-port bug, runtime tuning drift, performance folklore, error contract drift, or dependency drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Package, API, module/workspace, Go version, context, concurrency, runtime, HTTP/shutdown, Gin route/middleware/context/binding, JSON, filesystem, profiling, tool, and error boundary checked, verification, and remaining Go risk |
578
+ | Rust source, Cargo metadata, features, traits, errors, ownership, borrowing, lifetimes, `Clone`, `Rc`, `Arc`, `Mutex`, `RefCell`, async tasks, channels, cancellation, unsafe code, allocation, zero-copy, tests, examples, benchmarks, release profiles, MSRV, toolchain declarations, standard-library APIs, or public crate APIs are created or changed | `.mustflow/skills/rust-code-change/SKILL.md` | Cargo metadata, feature flags, public exports, ownership map, error convention, async runtime, task and channel policy, unsafe invariants, allocation or benchmark evidence, `rust-version`, edition, toolchain, workspace policy, changed files, and command contract entries | Rust source, Cargo metadata, features, errors, traits, ownership signatures, async task/channel code, tests, examples, benchmarks, profiles, and docs | clone or shared-state aliasing, lifetime debt, error opacity, unsupported Rust feature, feature drift, Cargo resolver drift, async runtime mixing, task or channel leak, zero-copy retention bug, allocation folklore, unsafe invariant loss, release-profile overclaim, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Ownership, MSRV, standard-library API, Cargo feature, error, async task/channel/cancellation, allocation, unsafe, release-profile, and public API boundary checked, verification, and remaining Rust risk |
571
579
  | Axum apps, routers, handlers, extractors, state, extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, WebSockets, body limits, rejections, error responses, Tokio tasks or locks, SQLx pools, or Rust HTTP API tests are created, changed, reviewed, or upgraded | `.mustflow/skills/axum-code-change/SKILL.md` | Cargo and Axum-related crate version evidence, router ledger, handler and extractor contracts, state and extension owners, middleware and Tower stack, response envelope, Tokio runtime, SQLx pool and transaction boundaries, changed files, and command contract entries | Axum routers, handlers, extractors, state, extensions, middleware, Tower layers, CORS/cookie/header policy, error and rejection mapping, Tokio task and lock boundaries, SQLx pool setup, tests, and docs examples | stale Axum version claim, route syntax migration drift, auth or body-consuming extractor bug, `State` versus `Extension` leak, inconsistent error envelope, fallible Tower error not mapped to response, CORS-as-auth mistake, cookie confidentiality gap, sensitive header logging, body-limit bypass, unbounded spawn, lock contention, pool starvation, or transaction lifetime leak | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Axum version, route, handler, extractor, state, response, Tower middleware, CORS/cookie/header/body-limit, Tokio task/lock, SQLx pool, verification, and remaining Axum risk |
572
580
  | Godot projects, scenes, nodes, GDScript, C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, or Godot version migrations are created, changed, reviewed, or upgraded | `.mustflow/skills/godot-code-change/SKILL.md` | Godot version, renderer, platform targets, project settings, input map, autoloads, addons, affected scenes, scripts, Resources, save/load participants, export presets, profiler evidence when performance is claimed, and command contract entries | Godot scenes, nodes, GDScript or C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, tests, and docs examples | stale Godot version claim, scene-tree reach-through, global-state sprawl, shared Resource mutation, hidden signal flow, save corruption, thread-unsafe SceneTree access, renderer regression, target-device drift, export preset drift, or stale migration advice | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Godot version, renderer, scene, node, signal, Resource, Autoload, save/load, rendering, physics, UI, input, export, verification, and remaining Godot risk |
573
581
  | Dart source, pub package metadata, null safety, Futures, Streams, isolates, analyzer lints, tests, CLI entry points, or public package APIs are created or changed | `.mustflow/skills/dart-code-change/SKILL.md` | Pub metadata, analyzer config, public exports, async ownership, package layout, changed files, and command contract entries | Dart source, pub metadata, exports, async code, tests, examples, and docs | null-safety bypass, discarded Future, uncanceled Stream, isolate ownership drift, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Nullability, async, stream, isolate, and API boundary checked, verification, and remaining Dart risk |
@@ -662,6 +670,7 @@ routes. Event routes stay inactive until their event occurs.
662
670
  | Frontend route, component, animation, scroll path, input path, list, table, chart, map, canvas, media slot, modal, drawer, hydration boundary, DOM read/write path, CSS selector, class toggle, CSS custom property, containment, content-visibility, virtualization, observer, event listener, requestAnimationFrame loop, long task, worker boundary, ResizeObserver path, runtime CSS injection, React memo boundary, context provider, deferred update, transition, or DevTools rendering trace needs frame-render-performance triage for INP, animation smoothness, scroll responsiveness, style recalculation, layout, paint, compositing, main-thread, or hydration risk | `.mustflow/skills/frame-render-performance-review/SKILL.md` | User goal, current diff or target files, interaction and frame ledger, DOM and layout ledger, style and CSS ledger, paint and compositing ledger, event and scheduling ledger, framework render ledger, rendering evidence or measurement gap, and configured command intents | DOM read/write batching, layout-affecting writes, transform/opacity animations, will-change scope, containment, content-visibility and contain-intrinsic-size, virtualization, selector simplification, state-class scope, CSS variable scope, media geometry reservation, native lazy loading, IntersectionObserver, passive listeners, overscroll-behavior, requestAnimationFrame scheduling, long-task chunking, worker and OffscreenCanvas boundaries, ResizeObserver, runtime CSS rule reduction, React prop and context stability, deferred and transition updates, hydration narrowing, focused tests, and directly synchronized docs or templates | forced synchronous layout, layout thrashing, width/height/top/left animation, stale will-change, missing containment, unsafe contain side effect, content-visibility scroll jump, offscreen chart or canvas work, oversized DOM, deep wrapper tree, expensive selector, body/html state blast, root CSS variable churn, unreserved media slot, LCP concern misrouted as frame fix, JS lazy loader overhead, scroll polling, non-passive wheel/touch handler, JS scroll lock, setTimeout frame clock, long task, main-thread heavy compute, canvas blocking input, resize measurement loop, runtime style injection, ineffective memo, broad context rerender, urgent heavy result render, full hydration INP cost, Lighthouse-score-only claim, or unmeasured rendering win | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frame render performance reviewed, interaction/DOM/style/layout/paint/compositing/event/framework map, findings, fixes or recommendation, measurement or static frame-risk evidence, verification, and remaining frame-render performance risk |
663
671
  | UI motion, animation, transition, microinteraction, motion recipe, motion design system, CSS animation or transition, WAAPI, Framer Motion, GSAP, View Transition, hover, press, focus, drag, viewport entry, loading, async success, async failure, reduced motion, interruption, cancellation, settlement, timeline track, transform, opacity, filter, layout animation, or additive composition is planned, edited, reviewed, or reported | `.mustflow/skills/motion-system-contract-review/SKILL.md` | User goal, current diff or target files, motion slot, source and target roles, semantic event class, logical from-state and to-state, timeline tracks, interruption policy, settlement policy, reduced-motion policy, binding approach, async signal owner, evidence level, and configured command intents | Motion recipes, component motion props, CSS keyframes and transitions, animation lifecycle handlers, reduced-motion rules, state and signal policies, role/ref/slot/data binding, story fixtures, focused tests, and directly synchronized docs or templates | motion owns product state, false success or failure feedback, timer pretending to be a signal, missing from-state or to-state, same target and channel collision, unsupported additive composition, layout-channel animation, `animation-fill-mode` state lie, missing reduced motion, hover-only access, brittle selector binding, production animation failure blocking core action, or unverified visual proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Motion contract reviewed, state/event/track/interruption/settlement/reduced-motion/binding ledgers, async and collision findings, evidence level, verification, and remaining motion contract risk |
664
672
  | Frontend component, route, store, query, form, router state, context provider, persisted store, external subscription, optimistic mutation, search/filter/pagination interaction, selected item, list key, or hydration path can duplicate, derive, overwrite, or race the same value across props, local state, server cache, URL params, form drafts, global app context, selectors, storage, or external stores | `.mustflow/skills/frontend-state-ownership-review/SKILL.md` | User goal, current diff or target files, framework and state-library signals, state owner ledger, state class map, synchronization surfaces, identity and collection surfaces, evidence level, and configured command intents | State owner cleanup, derived selectors, nearest-owner move, status or mode union, grouped action, selected ID lookup, query key dimensions, invalidation scope, request cancellation, optimistic rollback, URL-state routing, form draft reset, context split or memoization, persisted-state versioning, reset keys, external subscription wrapper, focused tests, and directly synchronized docs or templates | props-to-state drift, duplicated derived state, effect-derived one-render lag, contradictory booleans, partial grouped-state tear, selected object staleness, server data copied into global store, URL state fork, form draft overwrite, optimistic update without rollback, stale request overwrite, incomplete query key, broad invalidation, index-key local-state swap, raw setter sprawl, context value rerender storm, state too high or too low, non-serializable persisted store, hydration mismatch, unsafe external subscription snapshot, or unverified state owner | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend state surface reviewed, owner ledger and state class map, duplicate or derived state findings, query/URL/form/optimistic/race/context/persistence decisions, tests or evidence level, verification, and remaining state-ownership risk |
673
+ | Closed, completed, cleared, deleted, finalized, or dismissed UI state such as panels, tabs, route state, workspace layout, chat or streaming messages, drafts, task views, notifications, modals, drawers, or selected items reappears after reload, restart, reconnect, route remount, persisted-store rehydration, query-cache restore, service-worker cache restore, cross-tab broadcast, server or cloud sync, migration, crash recovery, or events such as `message.complete` | `.mustflow/skills/ui-state-resurrection-review/SKILL.md` | Symptom timeline, identity ledger, lifecycle truth fields, source ledger, finalize ledger, read and write paths, storage snapshots, hydration or replay paths, sync or migration evidence, and configured command intents | Finalize actions, provenance logs, identity keys, pending-command IDs, idempotency keys, lifecycle selectors, pending-write cancellation, persisted-state partialization, query-cache cleanup, tombstones, watermarks, generation IDs, hydration merge filters, stale replay rejection, server layout invalidation, sync conflict handling, migration defaults, focused tests, and directly synchronized docs or templates | render-layer scapegoat, stale persisted record regaining authority, active and finished stored as competing truths, delayed write after clear, blind hydration merge, pending command loss, missing idempotency key, `message.complete` as memory-only clear, missing tombstone, replay older than completion, stale HTTP snapshot, overbroad storage or query key, wrong user or workspace state reuse, cross-tab or cross-device stale overwrite, crash recovery outranking normal session, migration reopening closed state, broad storage wipe, or symptom-only hide flag | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI state resurrection reviewed, new-versus-restored verdict, storage/source ledger, lifecycle timeline, active/finished/pending projection decision, finalize/tombstone/watermark decisions, tests or reproduction evidence, verification, and remaining resurrection risk |
665
674
  | Frontend UI, design system component, dashboard, form, card, list, table, chart, media slot, modal, drawer, toast, bottom CTA, portal, or responsive surface needs stress-layout review against hostile content, narrow parent containers, async media, skeletons, empty or error states, permission variants, scrollbars, mobile viewport and keyboard behavior, safe areas, line clamps, i18n or RTL, touch input, reduced motion, observer loops, portal edge placement, z-index layers, browser zoom, cascade layers, or reproducible break conditions | `.mustflow/skills/frontend-stress-layout-review/SKILL.md` | User goal, current diff or target files, framework and styling signals, stress fixture ledger, parent container ledger, geometry contract ledger, interaction and state ledger, evidence level, and configured command intents | Stress fixtures, stories, tests, parent-container-aware constraints, container queries, `min-width: 0`, `minmax(0, 1fr)`, `overflow-wrap: anywhere`, reserved media dimensions, `aspect-ratio`, skeleton geometry, empty and error states, permission variants, stable scroll containers, `scrollbar-gutter: stable`, mobile viewport and keyboard constraints, `safe-area-inset-*`, explicit `line-height`, logical properties, touch-accessible affordances, `prefers-reduced-motion`, observer scope, portal placement, z-index tokens, table and chart stress handling, zoom-safe geometry, cascade layer fixes, and directly synchronized docs or templates | happy-path fixture blindness, parent-width overflow, flex or grid min-content blowout, unbroken text overflow, async media or font layout shift, skeleton mismatch, collapsed empty state, error-state overlap, permission action wrapping, late `display: none` layout jump, scrollbar width wrap, fragile `100vh`, keyboard-covered CTA, unsafe-area overlap, line-clamp/action collision, localization or RTL breakage, hover-only control, layout-affecting hover or animation, ResizeObserver loop, clipped portal, z-index arms race, unusable wide table, chart zero-width mount, browser zoom clipping, CSS specificity loss, or vague non-reproducible visual complaint | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend stress layout reviewed, stress fixture and parent-container ledgers, reproducible break conditions, fixes or recommendation, evidence level, verification, and remaining stress-layout risk |
666
675
  | Frontend UI, design-system component, form, dialog, menu, tab, combobox, custom select, table, card, media, icon button, image, toast, live update, drag interaction, focus style, keyboard handler, `onClick`, `role`, `tabIndex`, `aria-*`, `alt`, hidden content, visually hidden text, or automated accessibility claim needs accessibility-tree review for native semantics, accessible names, visible label consistency, keyboard navigation, focus order and return, forms, errors, status messages, ARIA references, icon or image alternatives, custom widget contracts, non-text contrast, target size, drag alternatives, or a11y evidence limits | `.mustflow/skills/frontend-accessibility-tree-review/SKILL.md` | User goal, current diff or target files, framework and component-library signals, semantic ledger, keyboard ledger, assistive-technology ledger, form ledger, interaction ledger, evidence level, and configured command intents | Native HTML element selection, button/link semantics, `href` cleanup, keyboard parity, tabindex cleanup, focus-visible styling, obscured focus fixes, dialog focus management, icon-only accessible names, visible-label-aligned names, `aria-labelledby` and `aria-describedby` id references, `aria-hidden` cleanup, SVG icon defaults, image `alt`, label and fieldset wiring, `aria-invalid`, error descriptions, submit-failure focus, live regions, ARIA pattern keyboard behavior, custom select constraints, non-text contrast, target-size fixes, drag alternatives, focused tests, accessibility snapshots, and directly synchronized docs or templates | ARIA costume over broken semantics, clickable div, fake link, `href="#"`, missing Enter or Space behavior, tabIndex sprawl, positive tabindex, invisible focus, focus hidden behind sticky layers, modal focus leak, unnamed icon button, visible text fighting `aria-label`, broken `aria-labelledby`, interactive child hidden by `aria-hidden`, duplicate SVG announcement, useless image alt, placeholder-only field, missing legend, color-only error, disconnected error text, submit failure silence, unannounced async status, menu or combobox keyboard mismatch, unnecessary custom select, offscreen focus trap, non-text contrast failure, tiny pointer target, drag-only operation, axe-only proof, or accessibility-tree evidence gap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend accessibility tree reviewed, semantic/keyboard/focus/name/form/status/widget evidence, findings, fixes or recommendation, automated-evidence limits, verification, and remaining accessibility-tree risk |
667
676
  | Frontend component library, design system package, UI kit, shared component package, token system, primitive layer, compound component, variant API, theming surface, Storybook or docs contract, package export, public CSS variable, data attribute, slot, ref target, controlled or uncontrolled component API, visual regression suite, codemod, SemVer policy, or breaking-change plan is created, changed, reviewed, or reported | `.mustflow/skills/frontend-component-library-review/SKILL.md` | User goal, target package or library, framework signals, consumer audience, current diff or target files, package API ledger, token ledger, primitive behavior ledger, component contract ledger, state contract ledger, variant and theming ledger, docs and test ledger, release ledger, and configured command intents | Package exports and deep-import policy, peer dependencies, side-effect CSS, token source and generated CSS variables or types, primitive focus and keyboard contracts, component props and slots, stable data attributes, CSS variable hooks, controlled and uncontrolled state pairs, semantic variant axes, impossible-combination guards, theme-axis separation, documented DOM ownership, Storybook stories as executable specs, type/export tests, role/name behavior tests, accessibility evidence, representative visual regression matrix, SSR and hydration checks, bundle checks, deprecation warnings, migration docs, codemods, changelog, route metadata, and directly synchronized templates | pretty-button pile, Figma-copy repo, raw hex or raw Figma token leak, token source and generated output drift, semantic token bypass, theme logic spread across components, primitive behavior gap, ARIA costume, app store or router coupling, mixed controlled and uncontrolled ownership, prop-list dump, impossible variant combo, unsafe `as` or `asChild`, `className` escape hatch as system policy, incidental DOM selector contract, undocumented deep import reliance, docs-as-gallery, props-table-only docs, snapshot-only tests, axe-only proof, visual matrix explosion, tree-shaking drag, missing codemod, SemVer underclassification, or unverified reusable-library claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend component library reviewed, package API/token/primitive/component/state/variant/theme/docs/test/release ledgers, findings, fixes or recommendation, breaking-change and migration classification, evidence level, narrower skills used or deferred, verification, and remaining component-library contract risk |
@@ -690,6 +699,7 @@ routes. Event routes stay inactive until their event occurs.
690
699
  | Service boundaries, modular-monolith boundaries, bounded contexts, team ownership, data ownership, source-of-truth maps, event or queue boundaries, multi-tenant isolation, failure flows, independent deployment, operational recovery, disaster recovery, cost, toil, or large-scale architecture split decisions are designed, reviewed, or changed | `.mustflow/skills/service-boundary-architecture/SKILL.md` | Candidate domains, owners, data truth map, communication paths, shared database or cache coupling, failure flows, boundary proof ledger, idempotency, queue/retry/dead-letter behavior, cache consistency, tenant/auth/audit boundaries, observability, deployment, migration, retention, operations tools, and command contract entries | Architecture docs, decision records, context files, boundary source, API/event/queue/cache/read-model contracts, operational runbooks, tests, and directly synchronized docs or templates | noun-first service split, shared database coupling, unknown data owner, repeated cross-team co-change, independent-deploy theater, dependency cycle, happy-path-only design, retry storm, queue backlog with no owner, cache as accidental authority, tenant leak, command-like events, missing observability, unsafe migration, weak health probe, untested graceful shutdown, version incompatibility, untested restore or DR, or manual recovery without audit | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary checked, data owners, co-change/deploy/dependency proof, failure/idempotency/queue/cache/event notes, tenant/auth/retention/observability/deployment/health/recovery/cost/toil notes, verification, and remaining service-boundary risk |
691
700
  | Multi-product platform, app factory, many-small-services architecture, shared account portal, Product Registry, shared auth, billing, credits, entitlements, admin console, deployment factory, analytics spine, logging, i18n, common UI, templates, or operations automation must support many product apps without per-service copy-paste | `.mustflow/skills/small-service-platform-architecture-review/SKILL.md` | User goal, target product count, product types, Product Registry ledger, identity ledger, money and access ledger, operations ledger, app factory ledger, observability and analytics ledger, shared product surface ledger, current diff or target files, and configured command intents | Product Registry, shared account portal, identity and organization model, billing catalog, entitlement service, credit ledger, usage meters, admin and support console, app generator, thin app shells, shared packages, CI/CD, deployment templates, analytics event schema, logging/tracing, notification, i18n, legal, consent, shared UI, file/job/integration services, feature flags, AI Gateway, license service, runbooks, tests, docs, route metadata, and directly synchronized templates | per-service auth or billing copy, Stripe or provider dashboard as only authority, missing Product Registry, plan-string feature gates, balance-only credits, no reservation lifecycle, direct database support surgery, template copy drift, no account portal, no first-value-created event, logs without app or tenant identity, missing webhook replay, missing backup or restore proof, product-specific privacy facts hidden in code, operations by memory, or unverified 100-service readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Platform surface reviewed, Product Registry/identity/billing/credit/entitlement/admin/app-factory/deployment/analytics/observability/shared-surface/security/privacy/operations/phase ledgers, shared versus app-specific ownership decisions, specialist skills applied or deferred, evidence level, verification, and remaining small-service platform architecture risk |
692
701
  | Code is being refactored, reorganized, renamed, deduplicated, simplified, or structurally improved while existing behavior should be preserved | `.mustflow/skills/behavior-preserving-refactor/SKILL.md` | Refactoring goal, target area, behavior evidence, local patterns, current changed files, and command contract entries | Small behavior-preserving refactor steps, related tests, and directly synchronized docs or contracts | hidden behavior change, broad cleanup, misleading abstraction, unsafe deduplication, or unverified legacy change | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Goal, behavior evidence, structural risks, refactoring ladder, changes made, excluded behavior changes, verification, and remaining risks |
702
+ | File-splitting, handler extraction, event-ownership relocation, state-mutation relocation, listener moves, route or middleware extraction, worker or consumer moves, or component split refactors need proof that old execution paths no longer handle the same responsibility | `.mustflow/skills/split-refactor-residual-path-review/SKILL.md` | Refactor claim, diff shape, residual keyword ledger, old and new entrypoints, event or state ownership ledger, feature-flag and fallback paths, lifecycle ledger, test ledger, and command contract entries | Old handlers, effects, subscriptions, dispatches, emits, mutations, imports, fallbacks, API calls, cache updates, analytics calls, cleanup code, real-entrypoint tests, duplicate-execution tests, lifecycle tests, ordering tests, and static boundary guards directly tied to the moved responsibility | partial extraction, old path still alive, duplicate listener, double dispatch, stale state overwrite, flag-off legacy path, new module not wired to real entrypoint, missing cleanup, order regression, overbroad boundary rule, or unit-test-only proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Split refactor reviewed, moved responsibility, old versus new owner, residual path findings, event/state/side-effect/lifecycle/ordering evidence, tests or static guard, verification, and remaining residual-path risk |
693
703
  | Class inheritance, base classes, abstract classes, template methods, protected state, mixins, framework subclasses, or subtype hierarchies are introduced, reviewed, or refactored, especially for behavior reuse or feature variants | `.mustflow/skills/composition-over-inheritance/SKILL.md` | Inheritance surface, reuse goal, change dimensions, local composition patterns, compatibility constraints, current changed files, and command contract entries | Classes, functions, role interfaces, policies, strategies, adapters, decorators, state machines, tests, wrappers, and directly synchronized docs or templates | fragile parent-child coupling, subclass explosion, broken substitutability, hidden protected state, over-composition, or untested behavior-preserving refactor | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Inheritance review, keep-or-replace decision, change dimensions, composition pattern, tests, verification, and remaining hierarchy risk |
694
704
  | Multiple interchangeable algorithms, policies, calculations, scoring methods, sorting methods, recommendation methods, pricing rules, discount rules, shipping methods, payment methods, notification methods, permission policies, provider choices, feature-flag variants, or repeated branches choose how to do the same kind of work | `.mustflow/skills/strategy-pattern/SKILL.md` | Stable workflow, variants and shared purpose, current branch locations, common input and output shape, selection criteria, local Result, dependency injection, decorator, registry, and test patterns, current changed files, and command contract entries | Strategy function types, interfaces, concrete strategies, selectors, resolvers, registries, decorators, context wiring, tests, and directly synchronized docs or templates | over-abstracted small branch, wrong use-case grouping, context knowing concrete strategies, silent fallback, unsafe user-selected strategy, request-stateful strategy, strategy combination explosion, or untested selector behavior | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Strategy classification, shared contract, strategy registry, selector or resolver, default and unsupported-key behavior, tests, verification, and remaining strategy risk |
695
705
  | State-changing user or system intents, command data objects, command handlers, command buses, payment, credit, point, inventory, entitlement, subscription, permission, document, prompt, AI budget reservation, agent loop execution, idempotency, authorization, transactions, outbox events, audit logs, retries, concurrency, long-running jobs, queue message contracts, provider intent records, HTTP work acceptance, core-state changes with auxiliary analytics, email, AI, search, statistics, cache rebuild, webhook follow-up, cron or worker execution, manual recovery, or external side effects need one traceable execution unit | `.mustflow/skills/command-pattern/SKILL.md` | User or system intent, source boundary, payload, actor and context, request/trace/correlation/causation/job/webhook identifiers, affected resources, core state to commit, auxiliary work to defer, acceptable delay or loss, work-acceptance response policy, queue contract, provider intent and recovery policy, local Result, repository, gateway, unit-of-work, outbox, job, idempotency, audit, retry, AI policy decision, agent caps, and test patterns | Command payloads, command context, handlers, command bus wiring when justified, idempotency, outbox, job records, provider intent records, audit, retry, transaction, ledger or action records, controller or worker adapters, auxiliary worker handoff, queue envelope and replay rules, AI policy decisions, tests, and directly synchronized docs or templates | command ceremony for reads, giant handler, hidden domain policy, unsafe duplicate side effect, transaction and external-call coupling, broken async traceability, auxiliary dependency blocking core state, missing durable job record, missing provider intent record, missing audit trail, retry without idempotency, unversioned queue message, one worker pool starving unrelated work, unwatched dead-letter state, unbounded AI agent loop, or untested command boundary | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Command classification, payload and context shape, request/trace/causation/job identifier choices, handler dependencies, domain delegation, core versus auxiliary split, transaction, ledger, outbox, job, provider intent, queue envelope, idempotency, retry, audit, concurrency, worker, dead-letter, manual replay, reconciliation, and AI policy choices, tests, verification, and remaining command safety risk |