mustflow 2.22.17 → 2.22.46

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mustflow",
-  "version": "2.22.17",
+  "version": "2.22.46",
   "description": "Agent workflow documents and CLI for mustflow repository roots.",
   "type": "module",
   "license": "MIT-0",

package/templates/default/i18n.toml

@@ -56,7 +56,7 @@ translations = {}
 [documents."skills.index"]
 source = "locales/en/.mustflow/skills/INDEX.md"
 source_locale = "en"
-revision = 73
+revision = 81
 translations = {}
 
 [documents."skill.adapter-boundary"]
@@ -77,6 +77,12 @@ source_locale = "en"
 revision = 2
 translations = {}
 
+[documents."skill.api-contract-change"]
+source = "locales/en/.mustflow/skills/api-contract-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.behavior-preserving-refactor"]
 source = "locales/en/.mustflow/skills/behavior-preserving-refactor/SKILL.md"
 source_locale = "en"
@@ -107,6 +113,12 @@ source_locale = "en"
 revision = 16
 translations = {}
 
+[documents."skill.database-migration-change"]
+source = "locales/en/.mustflow/skills/database-migration-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.dependency-injection"]
 source = "locales/en/.mustflow/skills/dependency-injection/SKILL.md"
 source_locale = "en"
@@ -119,12 +131,24 @@ source_locale = "en"
 revision = 6
 translations = {}
 
+[documents."skill.dependency-upgrade-review"]
+source = "locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.line-ending-hygiene"]
 source = "locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md"
 source_locale = "en"
 revision = 1
 translations = {}
 
+[documents."skill.file-path-cross-platform-change"]
+source = "locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.diff-risk-review"]
 source = "locales/en/.mustflow/skills/diff-risk-review/SKILL.md"
 source_locale = "en"
@@ -137,6 +161,114 @@ source_locale = "en"
 revision = 2
 translations = {}
 
+[documents."skill.astro-code-change"]
+source = "locales/en/.mustflow/skills/astro-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.auth-permission-change"]
+source = "locales/en/.mustflow/skills/auth-permission-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.config-env-change"]
+source = "locales/en/.mustflow/skills/config-env-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.css-code-change"]
+source = "locales/en/.mustflow/skills/css-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.dart-code-change"]
+source = "locales/en/.mustflow/skills/dart-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.elysia-code-change"]
+source = "locales/en/.mustflow/skills/elysia-code-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.flutter-code-change"]
+source = "locales/en/.mustflow/skills/flutter-code-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.go-code-change"]
+source = "locales/en/.mustflow/skills/go-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.hono-code-change"]
+source = "locales/en/.mustflow/skills/hono-code-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.html-code-change"]
+source = "locales/en/.mustflow/skills/html-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.javascript-code-change"]
+source = "locales/en/.mustflow/skills/javascript-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.python-code-change"]
+source = "locales/en/.mustflow/skills/python-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.rust-code-change"]
+source = "locales/en/.mustflow/skills/rust-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.svelte-code-change"]
+source = "locales/en/.mustflow/skills/svelte-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.tailwind-code-change"]
+source = "locales/en/.mustflow/skills/tailwind-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.tauri-code-change"]
+source = "locales/en/.mustflow/skills/tauri-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.typescript-code-change"]
+source = "locales/en/.mustflow/skills/typescript-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.unocss-code-change"]
+source = "locales/en/.mustflow/skills/unocss-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
 [documents."skill.cli-output-contract-review"]
 source = "locales/en/.mustflow/skills/cli-output-contract-review/SKILL.md"
 source_locale = "en"
@@ -322,6 +454,12 @@ source_locale = "en"
 revision = 2
 translations = {}
 
+[documents."skill.release-publish-change"]
+source = "locales/en/.mustflow/skills/release-publish-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.security-privacy-review"]
 source = "locales/en/.mustflow/skills/security-privacy-review/SKILL.md"
 source_locale = "en"

package/templates/default/locales/en/.mustflow/skills/INDEX.md

@@ -2,7 +2,7 @@
 mustflow_doc: skills.index
 locale: en
 canonical: true
-revision: 73
+revision: 81
 authority: router
 lifecycle: mustflow-owned
 ---
@@ -98,6 +98,15 @@ routes. Event routes stay inactive until their event occurs.
 | --- | --- | --- | --- | --- | --- | --- |
 | Code changes need review before report | `.mustflow/skills/code-review/SKILL.md` | Diff and task goal | Changed files | behavior and regression | `test`, `test_related`, `test_audit`, `lint` | Findings or no-issue note |
 | An unfamiliar codebase area needs an evidence-based map before planning, implementation, or reporting | `.mustflow/skills/codebase-orientation/SKILL.md` | User request, target area, relevant instructions, and current source, test, schema, template, configuration, or documentation files | Read-only orientation notes and any smallest follow-up edit chosen from inspected evidence | stale documentation, wrong ownership boundary, or invented architecture claim | `changes_status`, `changes_diff_summary`, `mustflow_check` | Scope inspected, entrypoints, flow map, ownership boundaries, verification options, risks, unknowns, and smallest safe next step |
+| HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, request/response schema, status code, header, error envelope, pagination, filtering, sorting, search, generated client, SDK, mock, fixture, or API docs contract is created or changed | `.mustflow/skills/api-contract-change/SKILL.md` | API style, contract source of truth, changed operations, request and response schemas, status and headers, error envelope, auth and permission behavior, pagination/filter/sort/search semantics, generated clients, SDKs, mocks, fixtures, callers, docs, and command contract entries | Routes, handlers, resolvers, validators, schemas, generated clients, SDKs, mocks, fixtures, docs, tests, and directly synchronized examples | route-only change, schema drift, generated-client breakage, hidden breaking change, status or error drift, pagination/search semantic drift, auth/permission drift, or stale docs examples | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | API contract source, changed operations, compatibility classification, synchronized client/schema/docs/tests surfaces, verification, and remaining API contract risk |
+| TypeScript source, declarations, tsconfig, package exports, module resolution, public API, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, package entry metadata, target runtime, changed files, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, and directly synchronized docs | weakened type safety, module drift, public API drift, or unverified declaration output | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, and public API boundary checked, changes made, verification, and remaining TypeScript risk |
+| JavaScript source, module format, package entry, browser or Node runtime, dependency usage, Promise handling, bundler config, or JavaScript tests are created or changed | `.mustflow/skills/javascript-code-change/SKILL.md` | Package metadata, module system, runtime target, entrypoints, changed files, and command contract entries | JavaScript source, package exports, bundler config, dependencies, tests, and docs examples | runtime API leakage, ESM/CJS drift, discarded Promise, dependency bloat, or broken package entry | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime and module boundary checked, async and dependency notes, verification, and remaining JavaScript risk |
+| Python source, package metadata, runtime version, import layout, type checking, linting, CLI entry points, or tests are created or changed | `.mustflow/skills/python-code-change/SKILL.md` | Python version source, packaging files, import layout, lint/type/test config, changed files, and command contract entries | Python source, packaging metadata, imports, type hints, tests, and docs examples | unsupported syntax, import hacks, packaging drift, swallowed errors, or weakened lint/type checks | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, packaging, import, and type boundary checked, verification, and remaining Python risk |
+| Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, tests, or generated-code boundaries are created or changed | `.mustflow/skills/go-code-change/SKILL.md` | Module files, full package files, tests, public API surface, concurrency owner, changed files, and command contract entries | Go packages, module metadata, interfaces, errors, concurrency code, tests, and docs examples | unnecessary abstraction, context loss, goroutine leak, error contract drift, or module drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Package, API, context, concurrency, and error boundary checked, verification, and remaining Go risk |
+| Rust source, Cargo metadata, features, traits, errors, ownership, async runtime, unsafe code, tests, examples, or public crate APIs are created or changed | `.mustflow/skills/rust-code-change/SKILL.md` | Cargo metadata, feature flags, public exports, async runtime, unsafe invariants, changed files, and command contract entries | Rust source, Cargo metadata, features, errors, traits, tests, examples, and docs | clone or lock bloat, feature drift, async runtime mixing, unsafe invariant loss, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Ownership, feature, async, unsafe, and public API boundary checked, verification, and remaining Rust risk |
+| Dart source, pub package metadata, null safety, Futures, Streams, isolates, analyzer lints, tests, CLI entry points, or public package APIs are created or changed | `.mustflow/skills/dart-code-change/SKILL.md` | Pub metadata, analyzer config, public exports, async ownership, package layout, changed files, and command contract entries | Dart source, pub metadata, exports, async code, tests, examples, and docs | null-safety bypass, discarded Future, uncanceled Stream, isolate ownership drift, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Nullability, async, stream, isolate, and API boundary checked, verification, and remaining Dart risk |
+| Hono apps, routes, middleware, validators, RPC clients, bindings, context variables, auth boundaries, or runtime adapters are created or changed | `.mustflow/skills/hono-code-change/SKILL.md` | App entry, runtime adapter, route modules, middleware, binding types, schemas, client types, changed files, and command contract entries | Hono routes, middleware, validators, bindings, RPC types, tests, and docs examples | runtime API mixing, middleware order bug, auth gap, response envelope drift, or broken typed route inference | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, middleware, validation, auth, and response boundary checked, verification, and remaining Hono risk |
+| Elysia routes, schemas, plugins, decorators, derives, guards, auth, error handling, OpenAPI output, Eden clients, or Bun server behavior are created or changed | `.mustflow/skills/elysia-code-change/SKILL.md` | Server entry, route modules, schemas, plugins, auth, error handling, OpenAPI or Eden surface, changed files, and command contract entries | Elysia routes, schemas, plugins, generated clients, tests, and docs examples | schema/type drift, context inference loss, auth gap, inconsistent error envelope, or stale OpenAPI/Eden output | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Schema, validation, type inference, auth, error, and client contract checked, verification, and remaining Elysia risk |
 | Source anchors are added, revised, reviewed, or used to mark a module boundary | `.mustflow/skills/source-anchor-authoring/SKILL.md` | Target files, anchor reason, nearby anchors, source-anchor policy, and validation surface | Source anchors and directly related workflow docs or comments | comment bloat, authority drift, false verification claims, or hidden module pressure | `mustflow_check`, `docs_validate_fast` | Anchor placement decision, field choices, module-boundary handoff, and verification |
 | Changed files need risk classification and verification selection | `.mustflow/skills/diff-risk-review/SKILL.md` | Changed-file list, diff summary, and task goal | Changed surfaces and verification report | under- or over-verification | `changes_status`, `changes_diff_summary`, `test`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate`, `mustflow_check` | Risk level, verification choice, rollback notes |
 | CLI execution duration, build time, bundle size, test scheduling logic, process spawning, or CLI performance claims are planned, edited, or reported | `.mustflow/skills/performance-budget-check/SKILL.md` | Performance surface, budget source, measurement method, and baseline metrics | Budget checks, CLI duration, bundle weight, scheduling optimization notes, measurements, and tests | invented budgets, stale measurements, child-process bottlenecks, or unverified speed claims | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Performance surface, budget source, measurements, execution duration, bundle size, and remaining risks |
@@ -119,6 +128,7 @@ routes. Event routes stay inactive until their event occurs.
 | Claims, adoption decisions, research notes, methodology recommendations, tool comparisons, or external summaries depend on current, external, dated, versioned, or otherwise drift-prone sources | `.mustflow/skills/source-freshness-check/SKILL.md` | Stale-sensitive claim or recommendation, source text or page, date or version context, source policy, and intended adoption surface | Source wording, documentation, skill procedures, templates, tests, schemas, and freshness report | stale or unverifiable claim, copied external authority, or unsafe adoption | `changes_status`, `docs_validate_fast`, `mustflow_check` | Checked source boundary, research split, adoption decision, wording changes, skipped refreshes, and stale-source risk |
 | `README.md` is created, restructured, or substantially rewritten | `.mustflow/skills/readme-authoring/SKILL.md` | User request, existing README if any, repository evidence, nearest instructions, and command contracts | `README.md` and directly linked public docs | invented project claims, marketing drift, or loss of human-authored intent | `docs_validate_fast`, `mustflow_check` | Evidence-based README changes, preserved or deferred sections, verification notes |
 | Release notes, changelog entries, public change summaries, release preparation copy, or package release wording are drafted or revised | `.mustflow/skills/release-notes-authoring/SKILL.md` | User-provided change summary, current diff summary, release audience, public surfaces, version source, and command contract entries | Release notes, changelog entries, release preparation notes, and directly synchronized docs or package metadata | invented release history, inflated public claims, internal noise, stale version or migration notes, or unverified release evidence | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release audience, categorized notes, excluded internal changes, version or migration checks, verification, skipped release-history checks, and remaining release-note risk |
+| Release publishing, package registry publication, remote release channels, Git tags, GitHub Releases, release assets, npm, PyPI, crates.io, Go modules, Docker images, Homebrew formulae or casks, app updater metadata, version bump decisions, artifact inspection, post-publish smoke tests, rollback or yanking plans, or user installation paths are created, changed, reviewed, or reported | `.mustflow/skills/release-publish-change/SKILL.md` | Release target, version, channel, package name, module path, image name, tag, artifact names, expected assets, public contract source, artifact inspection method, remote publication surface, recovery model, and command contract entries | Version metadata, release workflows, package manifests, artifact manifests, changelog or release-preparation docs, package tests, install-smoke expectations, release validation tests, and installed-template metadata | local-only release claim, wrong version bump, stale artifact, registry overwrite assumption, missing asset, bad checksum or signature, moved Go tag, unverified Docker digest, updater metadata breakage, missing user-path smoke test, or false rollback claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release target, version and channel, public API classification, artifact inspection evidence, remote publication state, user-path smoke result, synchronized surfaces, recovery classification, verification, and remaining release-publish risk |
 | Search-friendly ad-supported articles, blog posts, guides, reviews, comparisons, FAQs, or evergreen content are planned, written, edited, reviewed, or reported | `.mustflow/skills/search-ad-content-authoring/SKILL.md` | Search intent, reader task, content type, source freshness needs, monetization constraints, article draft or outline, and command contract entries | Article outlines, headings, paragraphs, tables, lists, FAQs, images, links, disclosures, content docs, templates, tests, and reports | keyword stuffing, thin filler, misleading ad adjacency, stale policy or ranking claims, unsupported revenue claims, accessibility or layout instability, or copied competitor content | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Search intent, outline shape, content structure checks, source freshness, ad layout and trust checks, omitted or verified claims, verification, and remaining content risk |
 | Documentation review queue entries need prose cleanup | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, reviewer metadata | Selected documentation file and review ledger entry | meaning drift or stale queue state | `docs_validate`, `mustflow_check` | Prose changes, recorded review status, verification notes |
 | Documentation changes affect public or workflow docs | `.mustflow/skills/docs-update/SKILL.md` | Changed behavior or field | Relevant docs only | stale public docs | `docs_validate_fast`, `docs_validate`, `mustflow_check` | Doc changes and skipped checks |
@@ -127,6 +137,8 @@ routes. Event routes stay inactive until their event occurs.
 
 | Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
 | --- | --- | --- | --- | --- | --- | --- |
+| Environment variables, config keys, secrets, public env prefixes, build-time or runtime config, config schemas or parsers, feature flags, deployment variables, CI secrets, Docker or Compose env, Kubernetes ConfigMaps or Secrets, Cloudflare bindings, Vite, Next.js, Astro, SvelteKit, Tauri, Node, Bun, generated env types, `.env` examples, config docs, or config validation behavior are created, changed, reviewed, or reported | `.mustflow/skills/config-env-change/SKILL.md` | Key name, value meaning, sensitivity, visibility, timing, required environments, owner, default, validation shape, config source of truth, read-first surfaces, platform timing, deployment surfaces, generated types, docs, tests, and command contract entries | Config schemas, parser code, runtime loader wiring, generated type expectations, fake-value env examples, deployment docs, tests, CI or deployment variable names, feature flag defaults, redacted validation errors, and deprecation notes | secret leak, public-prefix misuse, build-time/runtime confusion, stale deploy config, missing `.env.example`, unchecked raw env read, boolean truthiness bug, unredacted error, stale feature flag, production fallback from local/test, or missing restart/rebuild/rollout note | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Keys or flags changed, sensitivity, visibility, timing, required action after value change, source of truth, synchronized surfaces, public/private boundary, redaction notes, build/runtime classification, feature flag behavior, verification, and remaining config/env risk |
+| Authentication, authorization, permission, role, tenant, session, JWT, OAuth/OIDC, API key, route guard, admin, impersonation, database policy, object-level access control, or permission cache behavior is created or changed | `.mustflow/skills/auth-permission-change/SKILL.md` | Actors, principals, tenants, resources, actions, context, auth middleware, sessions, tokens, API keys, route guards, server policy, DB policy, role matrix, audit, and tests | Auth middleware, policy functions, controllers, services, jobs, webhooks, database queries, RLS, UI guards, audit logs, docs, migrations, and tests | authentication treated as authorization, client guard trusted as security, object-level authorization bypass, cross-tenant leak, stale token or cache permission, over-broad admin/API-key scope, or missing denial tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Auth/authz boundary, principal/tenant/resource/action/context, policy source of truth, server/database enforcement, client UX-only guards, denial coverage, verification, and remaining permission risk |
 | Code, configuration, docs, templates, logs, telemetry, traces, baggage, behavior analytics, credentials, data flows, data residency policy, region or processing-location claims, AI-generated code, authentication, authorization, client-only permission checks, admin operations, audit logs, cache policy, cache-as-authority decisions, claim or policy data, comparison or affiliate data, user-generated content, sessions, tokens, uploads, downloads, signed URLs, API responses, webhooks, job queues, external API call records, external requests, third-party data-use terms, runtime security patch policy, deployment settings, dependencies, cryptography, secure transport, scanner gates, security invariants, or agent configuration affect secrets, personal data, retention, access control, vendor disclosure, or external disclosure | `.mustflow/skills/security-privacy-review/SKILL.md` | Changed files, sensitive surfaces, actor and resource owner, data-owner boundary, data residency and processing-location boundary, runtime patch boundary, AI gateway or budget boundary, server-side authorization rule, file upload/download boundary, API response field boundary, behavior analytics surface, trace or baggage surface, webhook or external-call record surface, admin operation surface, audit-log surface, cache visibility and authority policy, claim or affiliate policy surface, session or token surface, external target, dependency source, third-party data-use or terms surface, cryptography or transport surface, scanner evidence, agent-tool permission, deployment setting, project secret and privacy rules, public or packaged surfaces, and command contract entries | Sensitive data handling, authorization, admin operations, data residency, runtime patchability, AI budget records, behavior analytics, observability identifiers, webhook receipts, external-call records, dead-letter records, audit logs, shared-cache behavior, cache-authority behavior, claim and affiliate disclosure, sessions, tokens, inputs, files, signed URLs, API responses, logs, receipts, generated state, docs, templates, package metadata, deployment settings, and reports | secret leak, personal-data exposure, access-control bypass, client-trusted role or owner value, unsafe admin action, private file exposure, over-broad API response, shared-cache leak, unsafe cache authority, unprovable data location, unpatchable runtime, privacy-heavy telemetry, unsafe baggage propagation, unsafe webhook payload retention, unsafe external request, supply-chain drift, weak cryptography, insecure transport, over-privileged agent, risky third-party terms, or misleading privacy claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sensitive surfaces reviewed, data residency, runtime patchability, AI hard-limit, behavior analytics, observability, and audit boundaries, webhook, external-call, and dead-letter boundaries, cache authority and disclosure boundaries, assumptions checked, disclosure and retention paths, authorization, file, API response, third-party terms, and external-boundary notes, verification, and remaining security or privacy risk |
 | Security-sensitive behavior changes need abuse-case regression tests | `.mustflow/skills/security-regression-tests/SKILL.md` | Changed boundary, actors, resource ownership, state-changing route, token, file, cryptography, transport, scanner, or invariant behavior, business rule, and expected deny behavior | Test files and related security boundary source | false confidence, happy-path-only coverage, unsafe authorization, token, file, business-rule, cryptography, transport, deployment, or invariant coverage | `test`, `test_related`, `test_audit`, `lint`, `build` | Security boundary, abuse case, defensive test data, tests added or reused, and remaining risks |
 | Outside text, generated content, logs, issues, webpages, pasted prompts, agent rules, MCP/tool configuration, or AI context sources include instructions that could override repository rules, broaden tool access, leak data, or change scope | `.mustflow/skills/external-prompt-injection-defense/SKILL.md` | External text source, direct user request, repository instruction files, conflicting instruction, context sources, tool permission surface, hidden content evidence, and command contract entries | Prompts, fixtures, docs, tests, skills, templates, agent configs, tool configs, and reports that handle untrusted text | prompt injection, context leakage, scope drift, unsafe command authority, or over-broad tool permission | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | External sources reviewed, unsafe instructions neutralized, context and permission boundaries checked, safe requirements adapted, verification, and remaining prompt-injection risk |
@@ -136,8 +148,12 @@ routes. Event routes stay inactive until their event occurs.
 | Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
 | --- | --- | --- | --- | --- | --- | --- |
 | Database schema, database engine choice, managed database extension or provider feature, SQLite or PostgreSQL suitability, query, transaction, ORM model, repository/store, index, cache-backed read model, read/write model, content metadata, content blocks, content graph, lifecycle states, versioned records, ledgers, job tables, outbox events, inbox events, idempotency records, processed webhook records, external API call records, provider intent records, manual recovery records, taxonomy, filter URL policies, SEO landing records, claim or fact registries, comparison methodologies, affiliate links, source provenance, verification state, behavior analytics events, core event stores, search document metadata, queue recovery metadata, semantic export/import data, provider id mappings, app-owned identity records, public URL records, data residency records, AI budget or policy records, external-service truth ownership, operational versus analytics data boundaries, cache-as-store decisions, API response projections, public identifiers, data ownership boundaries, admin audit logs, cache invalidation data, user activity state, aggregate cache, hybrid file/database storage, file metadata records, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, database operating model, managed database dependency model, event role, affected tables or stores, storage split, identity and provider-id mapping model, public URL and file-object model, data location model, AI budget and feature-policy model, block/graph/lifecycle/version/ledger/job/outbox/inbox/webhook/provider-call/taxonomy/filter/claim/source/admin/cache/user-state model, export/import and provider-id mapping model, external-service truth model, search/queue/log/analytics data model, operational versus analytics boundary, API projection boundary, file metadata and object-storage boundary, public id rule, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, ledgers, job records, outbox records, inbox records, processed webhook records, external call records, provider intent records, manual recovery records, content metadata, block records, claim records, source records, comparison records, affiliate records, behavior event records, core event records, search source records, projection records, export/import records, provider mapping records, app identity records, public URL records, data residency records, AI budget or feature-policy records, admin audit records, file metadata records, cache records, user-state records, fixtures, tests, docs, and directly synchronized templates | data loss, incomplete export, provider-id lock-in, provider-auth-function lock-in, raw storage URL lock-in, unprovable data location, SaaS-only core fact, stale cache, authorization leak, transaction bug, duplicate side effect, unknown provider outcome, retry drift, missing manual replay record, slow query, N+1 query growth, write-contention blind spot, operational DB reporting overload, file/database drift, provenance drift, search or queue reconstruction gap, aggregate drift, API/DB coupling, cache-invalidation drift, provider-budget-only AI enforcement, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, database operating model, source-of-truth split, managed database dependency, app-owned identity, public URL, data residency, AI budget and policy records, schema/query/transaction review, delete lifecycle, versioning, ledger, job/outbox/inbox/webhook/provider-call/manual-recovery model, export/import and provider-id mapping model, external-service truth model, search/queue/log/analytics ownership, read/write model, behavior/audit event boundary, API projection boundary, file metadata boundary, block/graph/lifecycle/taxonomy/filter/claim/source/admin/cache/user-state checks, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
+| Database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, backfills, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback claims, or production database migration procedures are created, changed, reviewed, or reported | `.mustflow/skills/database-migration-change/SKILL.md` | Source schema, target schema, migration files, migration history, generated clients, schema dumps, SQL snapshots, affected queries, deployment shape, database engine, table size or lock assumptions, backfill plan, rollback type, validation query, and command contract entries | Migration files, ORM schemas, generated clients, schema dumps, SQL snapshots, backfill code, validation checks, seeds, fixtures, compatibility code, docs, tests, and directly synchronized examples | data loss, drop-plus-add rename, old/new app incompatibility, unsafe rolling deploy, unbounded backfill, production lock, generated-client drift, migration-history drift, false rollback claim, ORM autogenerate mistake, or destructive contract mixed with expand phase | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration phase, old/new schema compatibility, backfill and validation plan, rollback classification, ORM/generated/schema dump surfaces, dependent surfaces, verification, and remaining database-migration risk |
+| Dependency versions, lockfiles, package-manager metadata, workspace constraints, runtime engines, peer dependencies, optional dependencies, security advisory fixes, generated dependency output, framework plugins, CI actions, Docker base images, package manager behavior, or toolchain versions are upgraded, downgraded, pinned, widened, regenerated, reviewed, or reported | `.mustflow/skills/dependency-upgrade-review/SKILL.md` | Dependency name, old and new versions or ranges, direct or transitive path, ecosystem and package manager, declaration files, lockfiles, runtime or toolchain files, advisory or release-note evidence, generated outputs, callers, docs, package output, Docker or CI surfaces, and command contract entries | Package declarations, lockfiles, generated outputs, compatibility code, tests, docs, package metadata, Docker or CI files, and directly synchronized examples | lockfile churn, hidden transitive replacement, peer or engine break, module-format drift, native or optional package break, framework or generator output drift, unsafe broad security update, weakened tests, Docker or CI runtime drift, or unreviewed supply-chain change | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Upgrade reason, ecosystem surface, direct and transitive graph changes, compatibility classification, runtime/peer/engine/module/feature/platform/generated-output risks, synchronized surfaces, verification, and remaining dependency-upgrade risk |
 | Dependency, package, runtime, framework, tool, command, plugin, service, platform capability, supported-version policy, security patch path, ecosystem maturity claim, maintainer-risk assumption, runtime portability claim, edge or serverless compatibility claim, critical-path library choice, package script, lifecycle hook, binary download, lockfile, audit result, or supply-chain-sensitive dependency surface is assumed, added, removed, imported, invoked, installed, audited, or documented | `.mustflow/skills/dependency-reality-check/SKILL.md` | Assumed dependency or capability, declaration files, version or feature expectation, role criticality, supported-version or end-of-life evidence, patchability expectation, runtime compatibility boundary, maintainer and ecosystem evidence when available, lockfile entry, package script or lifecycle hook, audit or provenance evidence, and relevant command intents | Package metadata, lockfiles, imports, scripts, command contracts, docs, tests, runtime policy notes, portability notes, and reports | unavailable dependency, hallucinated or lookalike package, fragile single-maintainer core dependency, experimental technology in a survival path, unsupported runtime, unclear security patch path, runtime-specific API leakage into core logic, stale version claim, lifecycle script risk, audit suppression, lockfile drift, or install guidance mismatch | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Dependency checked, ecosystem and maintainer-risk boundary reviewed, supported-version, patchability, and runtime-portability boundary reviewed, supply-chain surface reviewed, declarations synchronized, verification, and remaining dependency risk |
 | External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, or provider data cross the core boundary or need port/adapter translation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, delivery adapter responsibility, internal port, provider containment, core-state ownership, vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
+| Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, or mobile native permissions are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, or WebView/native boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, and native boundary checked, verification, and remaining Tauri risk |
+| File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, symlink or junction escape, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, cleanup data loss, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, synchronized contract surfaces, verification, and remaining path risk |
 | File paths, directories, symlinks, real paths, traversal, atomic writes, file copies, generated outputs, temporary files, cleanup, or Windows/POSIX filesystem behavior are created, changed, reviewed, or reported | `.mustflow/skills/cross-platform-filesystem-safety/SKILL.md` | Path inputs, base directory, trust boundary, symlink policy, write or cleanup strategy, platform expectations, and command contract entries | Path validation, file helpers, copy/update/delete code, scan bounds, fixtures, tests, docs, and templates | path traversal, symlink escape, unsafe overwrite, platform-only behavior, stale output, or cleanup data loss | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path trust classes, root boundary, symlink/write/delete/scan decisions, platform assumptions, verification, and remaining filesystem risk |
 | Child processes, shell or argv execution, built-in command reruns, timeouts, process trees, output limits, streaming, environment policy, command eligibility, or execution receipts are created, changed, reviewed, or reported | `.mustflow/skills/process-execution-safety/SKILL.md` | Execution path, timeout, output limit, stdin, environment, cwd, process tree behavior, receipt and write-tracking expectations, and command contract entries | Process execution code, process-tree helpers, output buffers, environment creation, eligibility checks, receipts, tests, and docs | runaway process, unbounded output, leaked environment, inconsistent JSON/text execution, false cleanup claim, or unreliable receipt | `changes_status`, `changes_diff_summary`, `test_related`, `test_release`, `mustflow_check` | Execution surface, timeout/output/environment/process-tree boundaries, receipt consistency, tests, verification, and remaining process risk |
 | Core or application logic creates, imports, resolves, or hides external dependencies such as databases, SDKs, clocks, random generators, configuration, loggers, framework objects, filesystems, queues, AI clients, or payment/email providers | `.mustflow/skills/dependency-injection/SKILL.md` | Target code area, hidden dependency, intended business capability, layer ownership, local port/adapter patterns, changed files, and command contract entries | Core logic signatures, ports, adapters, assembly roots, tests, and directly synchronized docs or templates | hidden global state, untestable business logic, provider leakage, lifecycle drift, or service-locator coupling | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Dependency boundary, direct dependencies found, injection style, ports/adapters, assembly boundary, tests or fakes, verification, and remaining dependency leakage |
@@ -151,6 +167,13 @@ routes. Event routes stay inactive until their event occurs.
 | A dense plan, suggestion, code explanation, review result, flow map, or decision set would be easier to inspect as a safe static HTML review artifact | `.mustflow/skills/visual-review-artifact/SKILL.md` | User request, artifact goal, target audience, source evidence, output path, and relevant command contract entries | Temporary `.mustflow/state/artifacts/**` output or explicitly requested versioned HTML artifact, plus direct references, docs, or package metadata | unsafe HTML behavior, prompt injection, unverified artifact claim, or mistaken approval authority | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Artifact kind and path, source evidence, review-only boundary, local interactions, verification, skipped checks, and remaining decision risk |
 | Conversational AI, chat, copilot, prompt, multimodal input, streaming generation, citation, feedback, or conversation-history UI is planned, edited, reviewed, or reported | `.mustflow/skills/llm-service-ux-review/SKILL.md` | LLM service surface, user task, interaction mode, input-to-reset path, latency/source/privacy constraints, and command contract entries | Prompt, attachment, generation, output, citation, feedback, history, reset, error, accessibility, docs, templates, and reports | loss of user control, fake progress, unverifiable source claims, hidden privacy risk, decorative prompt UX, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | LLM UX surface reviewed, input/waiting/output/recovery states checked, control and citation boundaries, skipped checks, and remaining LLM UX risk |
 | User-facing UI, dashboard, settings, navigation, form, copy, responsive layout, accessibility, or visual state changes are planned, edited, reviewed, or reported | `.mustflow/skills/ui-quality-gate/SKILL.md` | Changed UI surface, user task, interaction path, existing patterns, state combinations, localization rules, and command contract entries | UI controls, labels, states, layout constraints, accessibility attributes, localization hooks, docs, templates, and reports | decorative UI drift, inaccessible controls, layout breakage, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI surface reviewed, states checked, layout/accessibility/localization notes, skipped visual checks, and remaining UI risk |
+| HTML, templates, component markup, forms, controls, dialogs, navigation, tables, media, metadata, SEO head content, or structured data are created or changed | `.mustflow/skills/html-code-change/SKILL.md` | Page shell, markup patterns, form/control components, metadata source, changed files, and command contract entries | HTML and template markup, metadata, forms, interactive controls, tests, and docs examples | invalid semantics, inaccessible control, broken focus path, metadata drift, or invalid browser markup | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Semantic, form, focus, metadata, and validation boundary checked, verification, and remaining HTML risk |
+| CSS, Sass, Less, CSS Modules, CSS-in-JS, global styles, design tokens, layout, responsive behavior, focus styles, animation, color, or component styling are created or changed | `.mustflow/skills/css-code-change/SKILL.md` | Global CSS, tokens, component styles, parent layout, browser targets, changed files, and command contract entries | CSS, design tokens, component styles, responsive rules, tests, and docs examples | specificity escalation, token bypass, contrast failure, motion issue, layout shift, or browser incompatibility | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Cascade, token, responsive, accessibility, and layout-stability boundary checked, verification, and remaining CSS risk |
+| Tailwind classes, class composition, theme tokens, variants, arbitrary values, Tailwind config, `@theme`, `@apply`, or migration surfaces are created or changed | `.mustflow/skills/tailwind-code-change/SKILL.md` | Tailwind config or CSS entry, source scanning rules, theme tokens, class helpers, changed files, and command contract entries | Tailwind config, theme tokens, utility classes, component class maps, tests, and docs examples | production class loss, arbitrary-value sprawl, token bypass, weak focus state, or hidden `@apply` drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Class detection, token, responsive, state, and production CSS boundary checked, verification, and remaining Tailwind risk |
+| UnoCSS config, presets, extraction, shortcuts, rules, variants, safelist, blocklist, attributify, transformers, or utility usage are created or changed | `.mustflow/skills/unocss-code-change/SKILL.md` | UnoCSS config, presets, extraction rules, shortcuts, safelist, blocklist, changed files, and command contract entries | UnoCSS config, utility usage, rules, shortcuts, safelist, blocklist, tests, and docs examples | extractor miss, runtime-only utility, safelist explosion, unbounded shortcut, or production CSS loss | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Extraction, safelist, shortcut, variant, and production CSS boundary checked, verification, and remaining UnoCSS risk |
+| Flutter widgets, screens, routing, state management, async UI, platform channels, assets, responsive layout, accessibility, or Flutter tests are created or changed | `.mustflow/skills/flutter-code-change/SKILL.md` | App root, route config, widget tree, state owner, platform files, assets, changed files, and command contract entries | Flutter widgets, routes, state, platform channels, assets, tests, and docs examples | impure build, lifecycle leak, navigation drift, layout breakage, inaccessible UI, or platform boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | State, lifecycle, layout, accessibility, platform, and asset boundary checked, verification, and remaining Flutter risk |
+| Astro config, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, MDX, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, route tree, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
+| Svelte or SvelteKit components, routes, load functions, server actions, stores, runes, SSR boundaries, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, stores/runes, hooks, app types, changed files, and command contract entries | Svelte components, routes, load/actions, stores, SSR/client boundaries, tests, and docs examples | SSR/client leakage, browser global crash, state owner drift, form degradation, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, state, form, and accessibility boundary checked, verification, and remaining Svelte risk |
 | Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
 
 ### Architecture Patterns

package/templates/default/locales/en/.mustflow/skills/api-contract-change/SKILL.md

@@ -0,0 +1,212 @@
+---
+mustflow_doc: skill.api-contract-change
+locale: en
+canonical: true
+revision: 1
+lifecycle: mustflow-owned
+authority: procedure
+name: api-contract-change
+description: Apply this skill when HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, API schemas, generated clients, SDKs, status codes, headers, error envelopes, pagination, filtering, sorting, search, or public API examples are created or changed.
+metadata:
+  mustflow_schema: "1"
+  mustflow_kind: procedure
+  pack_id: mustflow.core
+  skill_id: mustflow.core.api-contract-change
+  command_intents:
+    - changes_status
+    - changes_diff_summary
+    - lint
+    - build
+    - test_related
+    - test
+    - docs_validate_fast
+    - test_release
+    - mustflow_check
+---
+
+# API Contract Change
+
+<!-- mustflow-section: purpose -->
+## Purpose
+
+Treat an API change as a contract change, not as a route or controller edit. The contract includes request schema, response schema, status code, headers, error shape, auth and permission behavior, pagination, filtering, sorting, search semantics, generated clients, SDKs, mocks, fixtures, examples, and documentation.
+
+The goal is to keep runtime behavior, type contracts, generated artifacts, callers, tests, and docs aligned.
+
+<!-- mustflow-section: use-when -->
+## Use When
+
+- HTTP, REST, RPC, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, AsyncAPI, webhook, callback, public endpoint, internal endpoint, generated client, SDK, schema, mock, fixture, or API docs behavior changes.
+- Request body, query parameters, path parameters, headers, cookies, response body, status codes, redirects, caching headers, rate-limit headers, error envelopes, validation errors, auth errors, or permission errors change.
+- Pagination, filtering, sorting, search, includes, field selection, sparse fields, expansions, cursor shape, or total-count semantics change.
+- A route is renamed, moved, split, merged, deprecated, versioned, or made more restrictive.
+- A framework-specific API surface changes and may need another skill as a follow-up, such as `hono-code-change`, `elysia-code-change`, `typescript-code-change`, `auth-permission-change`, or `security-regression-tests`.
+
+<!-- mustflow-section: do-not-use-when -->
+## Do Not Use When
+
+- The change is a purely private implementation refactor with no request, response, generated type, client, docs, status, or error behavior change.
+- The task is only authentication or authorization policy with no API contract change; use `auth-permission-change`.
+- The task is only CLI output contract; use `cli-output-contract-review`.
+
+<!-- mustflow-section: required-inputs -->
+## Required Inputs
+
+- Changed route, controller, resolver, handler, schema, validator, generated client, SDK, tests, fixtures, mocks, and docs.
+- Current request and response schema, status code map, headers, error envelope, auth and permission behavior, rate-limit behavior, cache behavior, pagination/filter/sort/search contract, and deprecation/versioning policy.
+- OpenAPI, GraphQL schema, tRPC router, Hono app type, Elysia Eden type surface, protobuf files, generated clients, SDK examples, frontend callers, mobile callers, integration tests, docs examples, and mock servers when present.
+- Current public consumers, backwards-compatibility expectations, supported client versions, and migration or deprecation policy.
+- Configured verification intents.
+
+<!-- mustflow-section: preconditions -->
+## Preconditions
+
+- Classify the API surface before editing: REST/HTTP, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC/protobuf, webhook, callback, generated SDK, or internal-only API.
+- Identify whether the change is source-compatible, runtime-compatible, behavior-compatible, or breaking for existing callers.
+- Read the schema and generated client source of truth before editing route code.
+- If auth, permission, tenant, object-level access, or API key behavior changes, also apply `auth-permission-change`.
+- If the change needs denied-abuse coverage, also apply `security-regression-tests`.
+
+<!-- mustflow-section: allowed-edits -->
+## Allowed Edits
+
+- Update route code, validators, schemas, generated types, examples, fixtures, mocks, docs, and tests together when they describe the same contract.
+- Add explicit deprecation or compatibility handling when an existing public caller would otherwise break.
+- Add or tighten tests for request validation, response shape, error shape, auth failures, permission failures, pagination, filtering, sorting, search, and generated client behavior.
+- Do not silently weaken validation, widen responses, or change error/status semantics to make a caller compile.
+
+<!-- mustflow-section: procedure -->
+## Procedure
+
+1. Name the contract source of truth: OpenAPI, GraphQL schema, route validator, tRPC router, Hono `AppType`, Elysia app/Eden surface, protobuf definition, hand-written SDK type, or docs-backed public contract.
+2. Build a contract ledger for each changed endpoint or operation:
+   - method or operation name;
+   - path or field name;
+   - request path, query, header, cookie, and body shape;
+   - auth and permission requirement;
+   - response success status and body;
+   - error status and body;
+   - relevant headers;
+   - pagination, filtering, sorting, and search semantics;
+   - generated clients, SDK functions, mocks, fixtures, examples, and docs.
+3. Classify each change:
+   - additive optional field;
+   - required request field added;
+   - request field removed or renamed;
+   - response field removed, renamed, narrowed, widened, or made nullable;
+   - status code changed;
+   - header added, removed, or changed;
+   - error code or envelope changed;
+   - pagination cursor or total semantics changed;
+   - auth/permission requirement changed;
+   - route moved, versioned, deprecated, or removed.
+4. Decide compatibility from the caller's perspective. Treat required inputs, removed outputs, renamed fields, stricter validation, status-code changes, error-envelope changes, pagination token changes, and generated-client signature changes as likely breaking unless a compatibility path exists.
+5. Apply the API style policy below for the relevant protocol or framework.
+6. Apply the response, error, and pagination policy below before changing envelopes, status codes, headers, cursors, filters, sorts, or search.
+7. Apply the dependent surface checklist before finalizing. Do not stop at route/controller changes.
+8. Use framework-specific skills for implementation details when needed after the contract has been classified.
+9. Report the contract source, compatibility classification, synchronized surfaces, skipped surfaces, verification, and remaining caller risk.
+
+## API Style Policy
+
+- REST and HTTP APIs must keep method semantics, status code meanings, headers, content type, cache behavior, redirects, and error envelope stable.
+- OpenAPI changes must include every status/body/header variant that callers rely on. A schema-only success response is not enough when errors are part of the contract.
+- GraphQL must not be forced into a REST envelope. Preserve GraphQL `data`, `errors`, `extensions`, partial response, nullability, and resolver error propagation semantics.
+- GraphQL nullable-to-non-null and non-null-to-null changes are contract changes. Nullability can change whether partial data survives an error.
+- tRPC changes must treat input validators, output validators, error formatter, transformer, router names, procedure kind, and client inference as contract surfaces. Type-checking alone is not enough when HTTP adapters and runtime errors change.
+- Hono RPC changes must keep route chaining, validators, returned `c.json` shape, status, `AppType`, and `hc` client inference aligned. Breaking a chain can silently degrade client types.
+- Elysia Eden changes must check success and error narrowing, schema validation, status handling, `onError`, and Eden client inference from the caller's perspective.
+- gRPC and protobuf changes must never reuse field numbers, must reserve deleted fields and enum values, and must treat type changes, required-like behavior, enum renames, and default-value meaning changes as wire-contract risks.
+- Webhooks and callbacks are APIs. Signature verification, retry behavior, idempotency, event version, payload shape, and error response behavior are part of the contract.
+
+## Response Error Pagination Policy
+
+- Keep a single response envelope per API family unless the framework protocol has its own envelope, such as GraphQL.
+- Do not mix success and error shapes casually. Callers should be able to distinguish success, validation failure, auth failure, permission failure, not found, conflict, rate limit, and server failure consistently.
+- Do not change 401, 403, and policy-driven 404 behavior without checking auth, permission, docs, callers, and audit expectations.
+- Validation errors must preserve stable field paths, machine-readable codes, and human-readable messages when callers depend on them.
+- Pagination must define cursor opacity, sort stability, page size limits, `next` and `previous` meaning, empty page behavior, total-count semantics, and whether filters affect counts.
+- Filtering and sorting must define allowed fields, default sort, null ordering, case sensitivity, timezone or locale behavior, invalid filter behavior, and whether unknown fields are rejected or ignored.
+- Search must define query normalization, tokenization, ranking stability expectations, highlight fields, typo tolerance, permissions, and private-data exclusion.
+- Headers such as cache-control, etag, location, retry-after, rate-limit, pagination links, content-disposition, and deprecation headers are contract surfaces.
+
+## Dependent Surface Checklist
+
+Check every relevant surface before finalizing:
+
+- route/controller/resolver/handler implementation;
+- request validators and response serializers;
+- shared schemas and generated types;
+- OpenAPI, GraphQL schema, protobuf, tRPC router, Hono `AppType`, Elysia Eden surface, or SDK definitions;
+- generated clients and checked-in generated artifacts;
+- frontend, mobile, CLI, worker, webhook, and partner callers;
+- mocks, fixtures, contract tests, integration tests, snapshots, and examples;
+- API docs, README snippets, changelog, migration notes, deprecation notices, role matrix, and status-code docs;
+- auth and permission checks;
+- rate limits, cache keys, cache headers, search indexes, pagination cursors, and background jobs;
+- observability dashboards, audit logs, analytics events, and alerting that parse status or error codes.
+
+## Strongly Forbidden Patterns
+
+- Changing a response shape because the current frontend only reads one field.
+- Returning raw database rows as API responses.
+- Treating TypeScript inference as proof that runtime JSON is compatible.
+- Changing status codes without updating callers, docs, tests, and audit expectations.
+- Treating generated clients as disposable when they are the public API.
+- Mixing GraphQL partial-response semantics with REST success/error envelopes.
+- Adding required request fields in a minor-compatible change without a default or compatibility path.
+- Removing response fields because no local code uses them.
+- Changing pagination cursor shape, default sort, or filter semantics without migration notes.
+- Widening API responses to include internal ids, storage keys, private URLs, provider ids, hidden fields, or admin-only data.
+- Trusting client-provided tenant, role, owner, price, entitlement, or plan values.
+- Updating docs examples without verifying the runtime route and schema still match.
+- Regenerating clients without checking the diff from a caller's perspective.
+
+<!-- mustflow-section: postconditions -->
+## Postconditions
+
+- The API contract source of truth is known.
+- Request, response, status, header, error, auth, permission, pagination, filtering, sorting, and search impacts are classified.
+- Breaking or compatibility-sensitive changes are named.
+- Generated clients, mocks, fixtures, tests, docs, and examples are synchronized or explicitly reported as skipped.
+- Framework-specific protocol semantics are preserved.
+
+<!-- mustflow-section: verification -->
+## Verification
+
+Use configured oneshot command intents when available:
+
+- `changes_status`
+- `changes_diff_summary`
+- `lint`
+- `build`
+- `test_related`
+- `test`
+- `docs_validate_fast`
+- `test_release`
+- `mustflow_check`
+
+Prefer the narrowest configured checks that exercise the changed contract from a caller's perspective. Report missing contract tests, generated-client checks, OpenAPI or schema validation, GraphQL introspection or operation tests, tRPC runtime adapter tests, Hono RPC client inference checks, Elysia Eden client checks, gRPC compatibility checks, docs validation, or mock/fixture refresh when relevant.
+
+<!-- mustflow-section: failure-handling -->
+## Failure Handling
+
+- If the contract source of truth is unclear, stop and report the competing sources instead of editing one surface.
+- If route code and schema disagree, fix the source of truth and synchronized surfaces before adding behavior.
+- If a change is breaking and no versioning, deprecation, migration, or compatibility path exists, report the break instead of hiding it.
+- If generated clients or docs cannot be regenerated or verified, report the skipped surface and caller risk.
+- If auth, permission, tenant, or private-data behavior changes, switch to the matching security skill before finalizing that part.
+
+<!-- mustflow-section: output-format -->
+## Output Format
+
+- Boundary checked
+- API style and contract source of truth
+- Changed operations or endpoints
+- Compatibility classification
+- Request, response, status, header, error, auth, permission, pagination, filter, sort, and search notes
+- Generated client, SDK, mock, fixture, docs, and caller surfaces synchronized
+- Files changed
+- Command intents run
+- Skipped checks and reasons
+- Remaining API contract risk