mustflow 2.108.3 → 2.112.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,176 @@
1
+ ---
2
+ mustflow_doc: skill.split-refactor-residual-path-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: split-refactor-residual-path-review
9
+ description: Apply this skill when a refactor splits files, extracts handlers, moves event ownership, relocates state mutations, or claims a responsibility moved, and the review must prove old execution paths, listeners, effects, dispatches, imports, feature-flag fallbacks, tests, and lifecycle cleanup no longer keep the previous behavior alive.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.split-refactor-residual-path-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # Split Refactor Residual Path Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Review file-splitting and responsibility-moving refactors by proving the old path lost authority.
34
+
35
+ The main question is not "was a nicer new module added?" It is "can the old file, handler, listener, effect, dispatch, mutation, route, middleware, consumer, or fallback still process the same event or state change?"
36
+
37
+ <!-- mustflow-section: use-when -->
38
+ ## Use When
39
+
40
+ - A PR or local diff splits a file, extracts a component, handler, reducer, service, route, listener, worker, middleware, controller, or event processor.
41
+ - A responsibility is claimed to move from one owner to another, especially event receive, event interpretation, state mutation, side effect, API request, cache update, analytics emission, or cleanup ownership.
42
+ - A previous bug may reappear because old conditions, callbacks, effects, subscriptions, imports, feature flags, fallbacks, or tests still exercise the old path.
43
+ - Review needs to distinguish a true move from code duplication, partial extraction, or a new module that is not connected to the real entrypoint.
44
+
45
+ <!-- mustflow-section: do-not-use-when -->
46
+ ## Do Not Use When
47
+
48
+ - The task is a broad behavior-preserving refactor with no file split, handler relocation, state mutation relocation, or old-path risk; use `behavior-preserving-refactor`.
49
+ - The main concern is general module ownership, import direction, DTO leakage, or policy owner placement; use `module-boundary-review`.
50
+ - The task only asks for changed-file risk classification and verification selection; use `diff-risk-review`.
51
+ - The change is a pure rename or formatting-only move with no runtime entrypoint, listener, state, side effect, feature flag, or test routing impact.
52
+
53
+ <!-- mustflow-section: required-inputs -->
54
+ ## Required Inputs
55
+
56
+ - Refactor claim: what responsibility moved, from where, to where, and what behavior should remain unchanged.
57
+ - Current diff shape: added files, deleted lines, moved code, old files that remain, imports changed, and tests changed.
58
+ - Residual keyword ledger: old bug keywords, event names, action types, handler names, API calls, state field names, feature flag names, selector names, cache keys, analytics names, route names, job names, and middleware names.
59
+ - Entry and ownership ledger: event receiver, interpreter, state mutator, side-effect owner, external request owner, cleanup owner, and public entrypoints before and after the split.
60
+ - Lifecycle ledger: mount, unmount, remount, route change, modal close, tab switch, reconnect, retry, worker restart, consumer rebalance, or job replay behavior when relevant.
61
+ - Test ledger: existing regression tests, new module unit tests, real-entrypoint integration tests, duplicate-execution tests, cleanup tests, ordering tests, and static boundary rules.
62
+
63
+ <!-- mustflow-section: preconditions -->
64
+ ## Preconditions
65
+
66
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
67
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
68
+ - Existing local patterns for file moves, handler ownership, event routing, state mutations, lifecycle cleanup, feature flags, and tests have been searched before recommending a new pattern.
69
+ - If the residual path affects payments, auth, notifications, persistence, cache truth, concurrency, or UI resurrection, also apply the narrower matching skill for that boundary.
70
+
71
+ <!-- mustflow-section: allowed-edits -->
72
+ ## Allowed Edits
73
+
74
+ - Remove old handlers, conditions, effects, subscriptions, dispatches, emits, mutations, imports, fallback branches, direct API calls, cache updates, analytics calls, or cleanup logic that still own the moved responsibility.
75
+ - Convert the old owner into a pure adapter, delegator, or view when the new owner should interpret and mutate state.
76
+ - Add or tighten boundary guards such as import restrictions, module boundary rules, lint rules, dependency rules, or package exports that prevent the old owner from importing moved event types or handlers.
77
+ - Add focused tests for real entrypoint routing, old-path non-execution, single execution, lifecycle cleanup, ordering, feature-flag fallbacks, and regression scenarios tied to the moved responsibility.
78
+ - Do not keep duplicate old and new paths "for safety" unless the product contract explicitly requires parallel behavior and the diff names the compatibility sunset.
79
+
80
+ <!-- mustflow-section: procedure -->
81
+ ## Procedure
82
+
83
+ 1. Start with the diff shape.
84
+ - Compare added files with deleted old responsibility.
85
+ - Treat a refactor that mostly adds new code while barely deleting old conditions, effects, handlers, cleanup, or side effects as suspected duplication.
86
+ - Separate mechanical moves from semantic changes before judging correctness.
87
+ 2. Name the moved responsibility.
88
+ - State exactly what moved: receive event, interpret event, update state, perform external request, emit analytics, update cache, route command, validate input, cleanup listener, or publish event.
89
+ - If the responsibility cannot be named, use `behavior-preserving-refactor` or `module-boundary-review` before editing.
90
+ 3. Search residual paths.
91
+ - Search old bug keywords, event names, action types, handler names, API calls, state fields, feature flags, selectors, cache keys, analytics names, route names, job names, middleware names, and callback names.
92
+ - Inspect neighborhoods around `onClick`, `onChange`, `addEventListener`, `subscribe`, `dispatch`, `emit`, `useEffect`, `watch`, `listener`, `handler`, `middleware`, `controller`, `route`, `consumer`, `job`, and `callback`.
93
+ - Treat old imports of moved event types, handlers, mutation helpers, or state fields as evidence that the move may be incomplete.
94
+ 4. Check single ownership of the event path.
95
+ - The old location may pass data through or render output, but it should not still decide what the event means.
96
+ - Event receiving, event interpretation, state mutation, and external side effects should not be split halfway between old and new owners unless a named compatibility adapter explains why.
97
+ - If both old and new owners listen to the same event, identify whether one is dead, delegated, compatibility-only, or a duplicate-execution bug.
98
+ 5. Trace state mutation authority.
99
+ - Follow reducers, store mutations, local setters, optimistic updates, query-cache writes, form sync, repository writes, job state, and side-effect acknowledgements.
100
+ - Reject designs where the new owner changes state and the old owner later recomputes, overwrites, or replays the old value.
101
+ 6. Check feature flags and fallback paths.
102
+ - Review flag on, flag off, legacy mode, mobile, SSR, permission-denied, empty data, error retry, offline, reconnect, old route, and tenant or partner branches.
103
+ - All supported branches should route the responsibility to the same owner, or the diff should explicitly classify the divergence.
104
+ 7. Check dependency direction.
105
+ - A new event owner should not import old UI internals, container-only constants, private helpers, or test-only wiring from the old location.
106
+ - Move stable contracts to a shared domain, type, adapter, or public module surface only when that reduces ownership ambiguity.
107
+ 8. Review tests for real routing, not only new module correctness.
108
+ - A unit test that calls the new module directly is not enough when the real user or system event may still enter the old path.
109
+ - Prefer tests where the real click, route, message, API request, worker event, queue message, or dispatch enters the app and reaches the new owner.
110
+ - Keep or add the old bug reproduction as a regression guard when the refactor is meant to prevent recurrence.
111
+ 9. Add duplicate-execution tests when side effects matter.
112
+ - Assert one click, request, dispatch, event, analytics call, notification, charge, save, cache update, or job replay is handled once.
113
+ - Check counts, idempotency keys, emitted events, persistence writes, and external calls rather than only final visible state.
114
+ 10. Add lifecycle and cleanup evidence.
115
+ - Test or inspect mount, unmount, remount, route change, modal close, tab switch, reconnect, consumer restart, and job replay when listeners or subscriptions moved.
116
+ - Ensure the subscription and cleanup moved together; a split subscription and old cleanup is usually unstable.
117
+ 11. Check ordering.
118
+ - Preserve important sequences such as validate, normalize, update, persist, notify, cleanup, ack, and publish.
119
+ - If swapping two steps would break correctness, encode that sequence in one owner or a test that observes the ordering.
120
+ 12. Add structural guardrails when the old path is easy to reintroduce.
121
+ - Prefer `no-restricted-imports`, dependency-cruiser, module boundary rules, package exports, or local lint rules over a comment that asks humans to remember.
122
+ - Guard only the moved responsibility; do not create broad architecture rules unrelated to the current refactor.
123
+ 13. Decide the outcome.
124
+ - If old and new paths both execute, fix the residual path when in scope.
125
+ - If the residual path is intentional compatibility, document the sunset and tests.
126
+ - If evidence is insufficient, report the missing entrypoint, lifecycle, flag, ordering, or static-boundary proof.
127
+
128
+ <!-- mustflow-section: postconditions -->
129
+ ## Postconditions
130
+
131
+ - The old location either no longer owns the moved responsibility, is a pure delegator, or has a documented compatibility role.
132
+ - Real entrypoints route through the new owner.
133
+ - Duplicate listeners, dispatches, state mutations, external requests, cache writes, analytics calls, and cleanup ownership are removed or reported.
134
+ - Feature flags, fallback branches, lifecycle cleanup, ordering, and tests prove the old path cannot silently revive the previous behavior.
135
+
136
+ <!-- mustflow-section: verification -->
137
+ ## Verification
138
+
139
+ Use configured oneshot command intents when available:
140
+
141
+ - `changes_status`
142
+ - `changes_diff_summary`
143
+ - `lint`
144
+ - `build`
145
+ - `test_related`
146
+ - `test`
147
+ - `test_audit`
148
+ - `docs_validate_fast`
149
+ - `test_release`
150
+ - `mustflow_check`
151
+
152
+ Use the narrowest configured test, lint, build, docs, release, or mustflow intent that covers the moved responsibility, static boundary guard, template surface, or public contract.
153
+
154
+ <!-- mustflow-section: failure-handling -->
155
+ ## Failure Handling
156
+
157
+ - If the old responsibility cannot be located, stop and report the missing residual keyword, entrypoint, or ownership evidence.
158
+ - If tests only call the new module directly, report the real-entrypoint gap before claiming the refactor prevents regression.
159
+ - If removing the old path changes behavior, split the work into a behavior-preserving refactor and a separate behavior change or bug fix.
160
+ - If a boundary rule would block valid callers, narrow the rule to the moved responsibility instead of weakening the review.
161
+ - If a configured command fails, preserve the failing intent and use `failure-triage` before unrelated edits.
162
+
163
+ <!-- mustflow-section: output-format -->
164
+ ## Output Format
165
+
166
+ - Split refactor surface reviewed
167
+ - Moved responsibility and old versus new owner
168
+ - Diff-shape evidence: additions, deletions, moved code, old imports, and old conditions
169
+ - Residual path search terms and findings
170
+ - Event, state mutation, side-effect, feature-flag, lifecycle, cleanup, and ordering evidence
171
+ - Tests added, updated, missing, or intentionally deferred
172
+ - Static boundary guard added or intentionally avoided
173
+ - Fixes made or recommendation
174
+ - Command intents run
175
+ - Skipped checks and reasons
176
+ - Remaining residual-path risk
@@ -0,0 +1,328 @@
1
+ ---
2
+ mustflow_doc: skill.technology-stack-selection
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: technology-stack-selection
9
+ description: Apply this skill when choosing, adding, replacing, upgrading, rejecting, or standardizing a technology stack, framework, runtime, database, cache, queue, auth provider, payment provider, AI provider, SDK, hosting platform, deployment tool, build tool, ORM, observability tool, or vendor integration, especially when the decision affects migration path, rollback path, ecosystem maturity, maintainer risk, debugging surface, lock-in, CI/CD cost, deployment cost, operating toil, or solo-maintainer survivability.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.technology-stack-selection
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - docs_validate_fast
19
+ - test_related
20
+ - test_release
21
+ - mustflow_check
22
+ ---
23
+
24
+ # Technology Stack Selection
25
+
26
+ <!-- mustflow-section: purpose -->
27
+ ## Purpose
28
+
29
+ Choose technology by whether the project can operate, debug, deploy, upgrade, pay for, and
30
+ replace it for the full expected life of the product.
31
+
32
+ This skill prevents agents from accepting technology because it is fashionable, fast in a
33
+ benchmark, convenient for a demo, popular in another company's architecture, or attractive to the
34
+ developer. For indie, solo, and small-team projects, the core question is whether the stack can
35
+ keep earning value while the maintainer is tired, busy, away from the codebase, or handling an
36
+ incident without a dedicated platform team.
37
+
38
+ Treat survival-path decisions as failure-survivability decisions, not feature-implementation
39
+ decisions.
40
+
41
+ <!-- mustflow-section: use-when -->
42
+ ## Use When
43
+
44
+ - A task chooses, compares, adopts, replaces, upgrades, rejects, or standardizes a technology,
45
+ framework, runtime, database, queue, cache, auth provider, payment provider, AI provider, SDK,
46
+ hosting platform, deployment tool, build tool, ORM, observability tool, package ecosystem, or
47
+ vendor integration.
48
+ - A technology is proposed for authentication, authorization, billing, payment, durable data,
49
+ permissions, deployment, backup, restore, queueing, file storage, customer money, customer data,
50
+ security, or another survival path.
51
+ - The decision depends on migration path, rollback path, local reproducibility, CI/CD cost,
52
+ deployment cost, operating toil, observability cost, backup and restore cost, maintainer capacity,
53
+ hiring availability, lock-in, data export, ecosystem maturity, or debugging surface.
54
+ - A new or experimental technology may belong in a differentiating edge feature, internal tool,
55
+ read-only path, derived-data path, analytics surface, search layer, recommendation layer, AI
56
+ layer, or feature-flagged experiment.
57
+ - A stack choice is being justified for solo, indie, small-team, funded-startup, open-source,
58
+ library, or enterprise contexts where the same technology can be appropriate in one context and
59
+ dangerous in another.
60
+
61
+ <!-- mustflow-section: do-not-use-when -->
62
+ ## Do Not Use When
63
+
64
+ - The task only edits code within an already selected technology and no new dependency, runtime,
65
+ vendor, data contract, deployment path, or operational surface is being chosen. Use the matching
66
+ implementation skill.
67
+ - The task only checks whether a dependency exists, is declared, or is safe to import. Use
68
+ `dependency-reality-check`.
69
+ - The task only chooses a primary language, runtime, compile target, or execution environment. Use
70
+ `runtime-target-selection` first, then this skill only for broader stack and operations tradeoffs.
71
+ - A user or repository owner has already mandated the technology. In that case, use this skill only
72
+ to document constraints, guardrails, migration, rollback, observability, and verification.
73
+ - The task asks for an unconstrained brainstorming list with no adoption decision. Use
74
+ `idea-triage` or `complex-decision-analysis` when those narrower conditions match.
75
+
76
+ <!-- mustflow-section: required-inputs -->
77
+ ## Required Inputs
78
+
79
+ - Decision scope: affected product surface, repository, packages, services, data, deployment,
80
+ users, operators, and time horizon.
81
+ - Candidate technologies: name, intended role, version range when relevant, adoption type, and
82
+ whether the candidate is a new stack, replacement, upgrade, or vendor migration.
83
+ - Baseline and boring default: current choice, no-change option, most conventional low-risk option,
84
+ current pain, current costs, known failure modes, and existing team knowledge.
85
+ - Criticality: `experiment`, `internal_tool`, `customer_facing`, `production_core`, or
86
+ `irreversible_core`.
87
+ - Reversibility class: `code_only`, `config`, `build_pipeline`, `runtime_dependency`,
88
+ `persistent_data`, `public_api`, `customer_workflow`, `vendor_contract`, `security_boundary`, or
89
+ `money_or_permission`.
90
+ - Team and maintainer capacity: solo, indie, small team, funded startup, enterprise, open-source
91
+ maintainer count, on-call owner, runbook owner, training cost, and hiring or support availability.
92
+ - Evidence: repository patterns, official docs, changelogs, migration guides, security advisories,
93
+ issue trackers, production incidents, prototypes, CI results, command receipts, pricing pages, and
94
+ support or SLA evidence when available.
95
+ - Success and failure criteria: what must improve, what must not regress, what would stop the
96
+ adoption, and what evidence would reverse the recommendation.
97
+
98
+ <!-- mustflow-section: preconditions -->
99
+ ## Preconditions
100
+
101
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
102
+ current scope.
103
+ - External AI output, blog posts, vendor marketing, popularity signals, benchmark claims, and
104
+ famous-company usage are evidence candidates only, not authority.
105
+ - Current external facts such as versions, prices, license terms, platform limits, and release
106
+ status are refreshed through an authorized source path or marked as unverified when they affect
107
+ the decision.
108
+ - The status quo and a boring default are included unless the user explicitly fixed the option set.
109
+ - A narrower implementation skill will be selected before editing implementation files.
110
+
111
+ <!-- mustflow-section: allowed-edits -->
112
+ ## Allowed Edits
113
+
114
+ - Create or update technology decision records, architecture notes, migration plans, rollback
115
+ plans, runbook notes, route metadata, skill procedures, template metadata, tests, and docs that
116
+ directly support the stack decision.
117
+ - Add only the smallest reversible implementation scaffold when the user requests implementation
118
+ and the decision has passed this skill's gates.
119
+ - Do not install dependencies, run package managers, start services, run benchmarks, perform
120
+ migrations, deploy, open vendor dashboards, or change cloud resources unless the repository
121
+ command contract and user request explicitly allow that action.
122
+ - Do not let a score total, popularity, benchmark, developer experience, or novelty override a hard
123
+ rejection gate.
124
+
125
+ <!-- mustflow-section: core-definitions -->
126
+ ## Core Definitions
127
+
128
+ `survival_path` means a path where failure can block accounts, money, permissions, durable data,
129
+ deployment, backup, recovery, customer trust, or the maintainer's ability to keep the product alive.
130
+ Typical surfaces include auth, authorization, payment, billing, database, deployment, backup,
131
+ restore, queues, file storage, secrets, customer money, customer data, and operational recovery.
132
+
133
+ `migration_path` means a staged move from the baseline to the candidate while keeping the product or
134
+ workflow usable. It covers code, data, configuration, deployment, tests, cutover, ownership, and the
135
+ middle state. A big-bang rewrite is not a migration path.
136
+
137
+ `rollback_path` means a rehearsable return to the previous stable state or a safe degraded state. It
138
+ covers data compatibility, schema compatibility, feature flags, routing, backups, cutover timing,
139
+ customer impact, and the point after which rollback becomes unsafe. Backup alone is not rollback.
140
+
141
+ `ecosystem_maturity` means the candidate and its surrounding tools can survive ordinary production
142
+ use: docs, changelogs, migration guides, security response, integrations, testing tools, debugging
143
+ tools, production failure knowledge, release cadence, and available operators.
144
+
145
+ `maintainer_risk` means the risk that the candidate becomes abandoned, unsupported, vendor-captured,
146
+ relicensed, incompatibly changed, underfunded, or dependent on too few people.
147
+
148
+ `debugging_surface` means the layers and opaque states a maintainer must inspect during failure:
149
+ generated code, runtime magic, plugins, hidden cache, async queues, network boundaries, vendor
150
+ dashboards, local reproducibility, logs, traces, metrics, error codes, and request correlation.
151
+
152
+ <!-- mustflow-section: hard-rejection-criteria -->
153
+ ## Hard Rejection Criteria
154
+
155
+ Reject a candidate for `production_core` or `irreversible_core` when any condition is true:
156
+
157
+ - No staged migration path exists.
158
+ - The only migration path is a big-bang rewrite.
159
+ - Rollback depends on luck, manual data surgery, unbounded downtime, or customer-visible data loss.
160
+ - The candidate writes persistent data, events, files, auth state, money records, permission
161
+ records, cache keys, or public API contracts that the previous system cannot read or safely ignore.
162
+ - The candidate is beta, experimental, preview-only, unstable, deprecated, or vendor-opaque for a
163
+ customer-facing or core surface.
164
+ - Maintainer risk concentrates on one person, one abandoned project, one unfunded package, or one
165
+ vendor-controlled API without an adapter, fork, export, or replacement plan.
166
+ - The ecosystem lacks current docs, migration guides, security response, basic integrations, or
167
+ searchable operational failure knowledge for the intended use.
168
+ - Debugging crosses opaque generated code, hidden runtime state, async infrastructure, or remote
169
+ vendor behavior without local reproduction, logs, traces, metrics, request IDs, and an error
170
+ taxonomy.
171
+ - The team cannot operate the technology and has no owner, training plan, runbook, or support plan.
172
+ - License, pricing, data retention, region, privacy, compliance, or security constraints conflict
173
+ with the project.
174
+ - The candidate solves taste, novelty, resume value, or aesthetic discomfort rather than a real
175
+ product, operational, security, performance, or maintenance bottleneck.
176
+ - A local reversible problem would become a global architecture commitment.
177
+
178
+ Do not average scores until hard rejection criteria have been applied.
179
+
180
+ <!-- mustflow-section: scoring-rubric -->
181
+ ## Scoring Rubric
182
+
183
+ Score each non-rejected candidate from 0 to 5:
184
+
185
+ - `0`: no evidence, impossible, or actively unsafe.
186
+ - `1`: theoretical, undocumented, or dependent on heroic manual work.
187
+ - `2`: possible with high manual cost, fragile assumptions, or large downtime.
188
+ - `3`: usable with known limits, documented mitigation, and acceptable blast radius.
189
+ - `4`: documented, staged, testable, rehearsable, observable, and owned.
190
+ - `5`: boring, standard, widely proven, easy to operate, easy to replace, and compatible with the
191
+ project.
192
+
193
+ Required dimensions:
194
+
195
+ - Migration path
196
+ - Rollback path
197
+ - Ecosystem maturity
198
+ - Maintainer health
199
+ - Debuggability
200
+ - Operating surface and toil
201
+ - Cost predictability
202
+ - Data ownership and export
203
+ - Security and privacy fit
204
+
205
+ For `experiment` or `internal_tool`, scores of 2 or 3 can be acceptable when the candidate is
206
+ isolated, timeboxed, feature-flagged, and easy to remove.
207
+
208
+ For `customer_facing`, require no hard rejection and at least 3 in migration, rollback, ecosystem,
209
+ maintainer health, and debuggability.
210
+
211
+ For `production_core`, require no hard rejection, at least 4 in migration, rollback, debuggability,
212
+ operating surface, and data ownership, and at least 3 in ecosystem and maintainer health.
213
+
214
+ For `irreversible_core`, require no hard rejection, at least 4 in every dimension, a named owner,
215
+ and a rehearsed recovery path.
216
+
217
+ <!-- mustflow-section: procedure -->
218
+ ## Procedure
219
+
220
+ 1. Define the decision contract: what is being chosen, what is not being chosen, baseline, boring
221
+ default, owner, time horizon, and affected survival paths.
222
+ 2. Classify criticality and reversibility. Raise the evidence bar for persistent data, public APIs,
223
+ auth, payment, permission, deployment, backup, restore, and customer workflows.
224
+ 3. Build the option set. Include the status quo and boring default. Compare no more than three
225
+ additional candidates unless the user asks for a broader survey.
226
+ 4. Build the evidence ledger. Separate facts, inferences, assumptions, and unknowns. Prefer current
227
+ primary evidence over social proof, benchmark marketing, generated advice, or repeated citations.
228
+ 5. Evaluate maintainer life. For solo or indie work, prefer the smallest operating surface: one
229
+ understandable app path, managed boring infrastructure, simple CI/CD, automatic backups,
230
+ observable failures, and cheap rollback. Treat maintainer time as a real cost.
231
+ 6. Place experimentation at the edge. New or experimental technology belongs in replaceable parts,
232
+ read-only paths, derived-data paths, internal tools, feature-flagged features, analytics, search,
233
+ recommendation, or AI differentiators that can fail without corrupting the source of truth.
234
+ 7. Assess migration path for each candidate: source, target, compatibility layer, data conversion,
235
+ dual-run or shadow mode, cutover, validation, owner, blast radius, and stop condition.
236
+ 8. Assess rollback path for each candidate: trigger, steps, data preservation, schema compatibility,
237
+ feature flag or routing control, backup and restore limits, customer impact, irreversible cutoff,
238
+ and rehearsal requirement.
239
+ 9. Assess ecosystem maturity and maintainer risk: docs, changelog, release cadence, security
240
+ response, issue and PR handling, governance, funding, license stability, support, and exit path.
241
+ 10. Assess debugging surface: local reproduction, logs, traces, metrics, request IDs, error codes,
242
+ generated code, runtime magic, caches, queues, network boundaries, vendor dashboards, and blind
243
+ spots.
244
+ 11. Assess cost and operating surface: fixed cost, variable cost, CI/CD cost, observability cost,
245
+ backup and restore cost, failure-spike cost, egress, retry storms, log volume, billing meters,
246
+ and monthly maintainer labor.
247
+ 12. Apply hard rejection criteria before scoring. Do not rescue a hard-failed candidate with
248
+ popularity, performance, developer experience, or future promises.
249
+ 13. Score remaining candidates with one sentence of evidence for each dimension. Avoid invented
250
+ weights unless the user provided a decision model.
251
+ 14. Attack the leading candidate. State the strongest reason not to choose it and the smallest
252
+ evidence that would reverse the recommendation.
253
+ 15. Choose exactly one decision state: `adopt`, `adopt_with_constraints`, `experiment_first`,
254
+ `defer`, `reject`, or `reject_until_evidence_exists`.
255
+ 16. Define the next action. For adoption, specify the smallest safe rollout, guardrails, migration,
256
+ rollback, observability, owner, verification, and stop condition. For experiment, specify the
257
+ question, timebox, success criteria, failure criteria, cleanup path, and decision-reversing
258
+ evidence.
259
+ 17. Hand off to implementation only after selecting the narrower implementation skill and carrying
260
+ forward accepted constraints, migration steps, rollback steps, observability, and verification.
261
+
262
+ <!-- mustflow-section: postconditions -->
263
+ ## Postconditions
264
+
265
+ - The recommendation is based on survivability, reversibility, debugging, operating cost, and team
266
+ capacity, not novelty.
267
+ - Survival-path choices prefer boring proven technology unless the candidate proves a stronger
268
+ recovery and operating story.
269
+ - Experimental technology is isolated from source-of-truth data, money, permissions, and deployment
270
+ unless the project explicitly accepts the risk and can roll back.
271
+ - Hard rejection criteria are applied before any score comparison.
272
+ - Migration, rollback, observability, owner, and stop conditions are explicit.
273
+
274
+ <!-- mustflow-section: verification -->
275
+ ## Verification
276
+
277
+ Use configured oneshot command intents when available:
278
+
279
+ - `changes_status`
280
+ - `changes_diff_summary`
281
+ - `docs_validate_fast`
282
+ - `test_related`
283
+ - `test_release`
284
+ - `mustflow_check`
285
+
286
+ Use `docs_validate_fast` when a decision record, architecture note, skill, template, or mustflow doc
287
+ changes. Use `test_related` or `test_release` when installed template behavior, package output, or
288
+ tests change. Use `mustflow_check` when mustflow-owned skills, routes, indexes, templates, or command
289
+ contracts change.
290
+
291
+ Report missing benchmark, migration, deployment, restore, cloud, vendor, pricing, or observability
292
+ verification instead of inventing raw commands.
293
+
294
+ <!-- mustflow-section: failure-handling -->
295
+ ## Failure Handling
296
+
297
+ - If the user provides only a favorite technology and no baseline, compare it with the status quo
298
+ and a boring default.
299
+ - If evidence is missing for a production-core decision, return `reject_until_evidence_exists` or
300
+ `experiment_first`, not `adopt`.
301
+ - If rollback is weak, constrain the candidate to experiment, edge usage, or non-core usage.
302
+ - If a mature candidate creates a large debugging surface, require observability and local
303
+ reproduction before adoption.
304
+ - If maintainer risk is concentrated, require an adapter, fork plan, vendor alternative, or deferral.
305
+ - If cost cannot be estimated across normal, success, and failure-spike scenarios, mark cost
306
+ predictability as unresolved.
307
+ - If every option fails hard constraints, return `defer`, `reject`, or
308
+ `reject_until_evidence_exists` and name what would need to change.
309
+
310
+ <!-- mustflow-section: output-format -->
311
+ ## Output Format
312
+
313
+ - Skill selection and overlap decision
314
+ - Decision state: `adopt`, `adopt_with_constraints`, `experiment_first`, `defer`, `reject`, or
315
+ `reject_until_evidence_exists`
316
+ - Decision scope, baseline, boring default, criticality, reversibility class, owner, and time horizon
317
+ - Candidate matrix with hard-gate result, scores, evidence, mitigations, and verdict
318
+ - Survival-path impact and experimental-edge placement
319
+ - Migration path
320
+ - Rollback path
321
+ - Debugging surface
322
+ - Cost and operating-surface notes
323
+ - Hard rejections and exact criteria
324
+ - Guardrails, owner, runbook, observability, security, privacy, and data-export requirements
325
+ - Experiment plan when the decision is `experiment_first`
326
+ - Command intents run
327
+ - Skipped verification and reasons
328
+ - Remaining risk and decision-reversing evidence