mustflow 2.25.0 → 2.25.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -1
- package/dist/cli/i18n/hi.js +4 -4
- package/package.json +1 -1
- package/templates/default/common/.mustflow/config/commands.toml +21 -0
- package/templates/default/i18n.toml +17 -5
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -5
- package/templates/default/locales/en/.mustflow/skills/cpp-code-change/SKILL.md +181 -0
- package/templates/default/locales/en/.mustflow/skills/cross-platform-filesystem-safety/SKILL.md +37 -18
- package/templates/default/locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md +36 -21
- package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +166 -0
- package/templates/default/locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md +15 -6
- package/templates/default/locales/en/.mustflow/skills/process-execution-safety/SKILL.md +33 -11
- package/templates/default/locales/en/.mustflow/skills/routes.toml +12 -0
- package/templates/default/manifest.toml +15 -1
package/README.md
CHANGED
|
@@ -404,6 +404,8 @@ mf run maintainer_check_node
|
|
|
404
404
|
mf run docs_validate_fast
|
|
405
405
|
mf run docs_validate
|
|
406
406
|
mf run mustflow_check
|
|
407
|
+
mf run release_npm_version_available
|
|
408
|
+
mf run release_npm_published_verify
|
|
407
409
|
```
|
|
408
410
|
|
|
409
411
|
The Bun scripts remain available for human maintainers and release packaging. `test_fast` runs the fast CLI regression baseline, `test_related` selects tests from changed files and falls back to the fast baseline, and both use 8 Node test workers by default. Set `MUSTFLOW_TEST_CONCURRENCY=1`, `2`, or another positive integer to tune those workers on local machines. `test_release` keeps package metadata and packaging checks out of routine local edits. `test_coverage` runs the fast CLI baseline through Node's built-in coverage report with no enforced threshold; set `MUSTFLOW_TEST_COVERAGE_CONCURRENCY=1`, `2`, or another positive integer to adjust its worker count. `lint` and test-audit are configured as narrow repository-local gates. `docs_validate_fast` checks documentation navigation and localized content links without building the entire static site; `docs_validate` performs the full static documentation build, search index, and sitemap gate for release-sensitive changes.
|
|
@@ -416,7 +418,7 @@ Run the full release check before publishing:
|
|
|
416
418
|
bun run release:check
|
|
417
419
|
```
|
|
418
420
|
|
|
419
|
-
`release:check` validates the CLI, builds the documentation site, packs the npm tarball, installs it into a temporary project, and runs the public `mf` workflow. Maintainer npm publishing uses the `Publish npm package` GitHub Actions workflow from a published GitHub Release. The release tag must match the `package.json` version, with an optional leading `v`. npm Trusted Publishing must be configured for the workflow before maintainers publish through it.
|
|
421
|
+
`release:check` validates the CLI, builds the documentation site, packs the npm tarball, installs it into a temporary project, and runs the public `mf` workflow. Maintainer npm publishing uses the `Publish npm package` GitHub Actions workflow from a published GitHub Release. The release tag must match the `package.json` version, with an optional leading `v`. Run `mf run release_npm_version_available` before creating the tag and `mf run release_npm_published_verify` after the publish workflow completes. npm Trusted Publishing must be configured for the workflow before maintainers publish through it.
|
|
420
422
|
|
|
421
423
|
## Documentation site
|
|
422
424
|
|
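Review bot: The sentence added at line 421 tells maintainers to run `mf run release_npm_version_available` before creating the tag and `mf run release_npm_published_verify` after the publish workflow, but it does not say what either intent checks or what to do when one fails. A short clause for each, stating what is compared and whether a failure blocks or invalidates the release, would make the step actionable rather than a bare command name.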
package/dist/cli/i18n/hi.js
CHANGED
|
@@ -577,7 +577,7 @@ export const hiMessages = {
|
|
|
577
577
|
"doctor.diagnostic.localIndex": "स्थानीय इंडेक्स",
|
|
578
578
|
"doctor.diagnostic.latestRun": "नवीनतम रन",
|
|
579
579
|
"docs.help.summary": "LLM creation या modification के बाद prose review की जरूरत वाले documents track करें.",
|
|
580
|
-
"docs.help.option.all": "
|
|
580
|
+
"docs.help.option.all": "स्वीकृत और अनदेखे documents भी शामिल करें",
|
|
581
581
|
"docs.help.option.status": "Review status से filter करें",
|
|
582
582
|
"docs.help.option.reason": "Document को review क्यों चाहिए यह record करें",
|
|
583
583
|
"docs.help.option.origin": "Review need का source record करें, जैसे llm_modified",
|
|
@@ -595,12 +595,12 @@ export const hiMessages = {
|
|
|
595
595
|
"docs.review.wrote": "लिखा",
|
|
596
596
|
"docs.review.added": "जोड़ा",
|
|
597
597
|
"docs.review.commented": "टिप्पणी जोड़ी गई",
|
|
598
|
-
"docs.review.marked.approved": "
|
|
598
|
+
"docs.review.marked.approved": "स्वीकृत",
|
|
599
599
|
"docs.review.marked.needs_human": "needs_human mark किया",
|
|
600
|
-
"docs.review.marked.ignored": "
|
|
600
|
+
"docs.review.marked.ignored": "अनदेखा किया गया",
|
|
601
601
|
"docs.error.missingTopic": "docs topic missing है",
|
|
602
602
|
"docs.error.unknownTopic": "Unknown docs topic: {topic}",
|
|
603
|
-
"docs.error.unknownAction": "
|
|
603
|
+
"docs.error.unknownAction": "अज्ञात docs review action: {action}",
|
|
604
604
|
"docs.error.missingPath": "Document path missing है",
|
|
605
605
|
"docs.error.missingComment": "Review comment missing है",
|
|
606
606
|
"docs.error.emptyComment": "Review comment खाली नहीं हो सकता",
|
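Review bot: At line 598 `docs.review.marked.approved` is translated as the bare adjective "स्वीकृत", while the sibling status at line 600 uses the full passive "अनदेखा किया गया" and line 597 uses "टिप्पणी जोड़ी गई". If these strings are printed in the same position, consider "स्वीकृत किया गया" so the status messages read consistently.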
package/package.json
CHANGED
|
@@ -19,6 +19,10 @@ kill_after_seconds = 5
|
|
|
19
19
|
env_policy = "minimal"
|
|
20
20
|
env_allowlist = []
|
|
21
21
|
|
|
22
|
+
[resources.local_index_cache]
|
|
23
|
+
description = "Generated mustflow SQLite local index under .mustflow/cache/."
|
|
24
|
+
concurrency = "exclusive_writer"
|
|
25
|
+
|
|
22
26
|
[intents.test]
|
|
23
27
|
status = "unknown"
|
|
24
28
|
description = "Run the test suite."
|
|
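Review bot: The resource at line 24 declares `concurrency = "exclusive_writer"`, but the effect that takes this lock in `[intents.local_index]` (`lock = "local_index_cache"`) declares `concurrency = "exclusive"`. If the resource and effect fields share one vocabulary, align the two values; if they are separate enums, add a one-line comment here saying what `exclusive_writer` allows for concurrent readers. The resource also carries no path, so its tie to `.mustflow/cache/` exists only in the description string.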
@@ -200,6 +204,23 @@ network = false
|
|
|
200
204
|
destructive = false
|
|
201
205
|
required_after = ["clean_mustflow_update_plan", "template_update_apply"]
|
|
202
206
|
|
|
207
|
+
[intents.local_index]
|
|
208
|
+
status = "configured"
|
|
209
|
+
kind = "mustflow_builtin"
|
|
210
|
+
lifecycle = "oneshot"
|
|
211
|
+
run_policy = "agent_allowed"
|
|
212
|
+
description = "Create or refresh the generated mustflow SQLite local index."
|
|
213
|
+
argv = ["mf", "index"]
|
|
214
|
+
cwd = "."
|
|
215
|
+
timeout_seconds = 300
|
|
216
|
+
stdin = "closed"
|
|
217
|
+
success_exit_codes = [0]
|
|
218
|
+
writes = [".mustflow/cache/**"]
|
|
219
|
+
effects = [{ type = "write", mode = "replace", path = ".mustflow/cache/**", lock = "local_index_cache", concurrency = "exclusive" }]
|
|
220
|
+
network = false
|
|
221
|
+
destructive = false
|
|
222
|
+
required_after = ["structure_change", "directory_change"]
|
|
223
|
+
|
|
203
224
|
[intents.repo_map]
|
|
204
225
|
status = "configured"
|
|
205
226
|
kind = "mustflow_builtin"
|
|
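Review bot: `writes` at line 218 and the effect at line 219 claim `.mustflow/cache/**` with `mode = "replace"`, which is the whole cache tree, while the description at line 212 and the `local_index_cache` resource speak only of the SQLite local index. For an intent with `run_policy = "agent_allowed"`, scope the glob to the index file or its subdirectory if anything else can live under `.mustflow/cache/`, so the declared write surface matches what `mf index` replaces. It would also help to say whether `timeout_seconds = 300` relies on a default kill grace period, since none is set in this block.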
@@ -56,7 +56,7 @@ translations = {}
|
|
|
56
56
|
[documents."skills.index"]
|
|
57
57
|
source = "locales/en/.mustflow/skills/INDEX.md"
|
|
58
58
|
source_locale = "en"
|
|
59
|
-
revision =
|
|
59
|
+
revision = 87
|
|
60
60
|
translations = {}
|
|
61
61
|
|
|
62
62
|
[documents."skill.adapter-boundary"]
|
|
@@ -146,13 +146,13 @@ translations = {}
|
|
|
146
146
|
[documents."skill.line-ending-hygiene"]
|
|
147
147
|
source = "locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md"
|
|
148
148
|
source_locale = "en"
|
|
149
|
-
revision =
|
|
149
|
+
revision = 2
|
|
150
150
|
translations = {}
|
|
151
151
|
|
|
152
152
|
[documents."skill.file-path-cross-platform-change"]
|
|
153
153
|
source = "locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md"
|
|
154
154
|
source_locale = "en"
|
|
155
|
-
revision =
|
|
155
|
+
revision = 4
|
|
156
156
|
translations = {}
|
|
157
157
|
|
|
158
158
|
[documents."skill.diff-risk-review"]
|
|
@@ -191,6 +191,12 @@ source_locale = "en"
|
|
|
191
191
|
revision = 2
|
|
192
192
|
translations = {}
|
|
193
193
|
|
|
194
|
+
[documents."skill.cpp-code-change"]
|
|
195
|
+
source = "locales/en/.mustflow/skills/cpp-code-change/SKILL.md"
|
|
196
|
+
source_locale = "en"
|
|
197
|
+
revision = 1
|
|
198
|
+
translations = {}
|
|
199
|
+
|
|
194
200
|
[documents."skill.dart-code-change"]
|
|
195
201
|
source = "locales/en/.mustflow/skills/dart-code-change/SKILL.md"
|
|
196
202
|
source_locale = "en"
|
|
@@ -302,7 +308,7 @@ translations = {}
|
|
|
302
308
|
[documents."skill.cross-platform-filesystem-safety"]
|
|
303
309
|
source = "locales/en/.mustflow/skills/cross-platform-filesystem-safety/SKILL.md"
|
|
304
310
|
source_locale = "en"
|
|
305
|
-
revision =
|
|
311
|
+
revision = 6
|
|
306
312
|
translations = {}
|
|
307
313
|
|
|
308
314
|
[documents."skill.pure-core-imperative-shell"]
|
|
@@ -347,6 +353,12 @@ source_locale = "en"
|
|
|
347
353
|
revision = 2
|
|
348
354
|
translations = {}
|
|
349
355
|
|
|
356
|
+
[documents."skill.github-contribution-quality-gate"]
|
|
357
|
+
source = "locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md"
|
|
358
|
+
source_locale = "en"
|
|
359
|
+
revision = 1
|
|
360
|
+
translations = {}
|
|
361
|
+
|
|
350
362
|
[documents."skill.facade-pattern"]
|
|
351
363
|
source = "locales/en/.mustflow/skills/facade-pattern/SKILL.md"
|
|
352
364
|
source_locale = "en"
|
|
@@ -391,7 +403,7 @@ translations = {}
|
|
|
391
403
|
[documents."skill.process-execution-safety"]
|
|
392
404
|
source = "locales/en/.mustflow/skills/process-execution-safety/SKILL.md"
|
|
393
405
|
source_locale = "en"
|
|
394
|
-
revision =
|
|
406
|
+
revision = 4
|
|
395
407
|
translations = {}
|
|
396
408
|
|
|
397
409
|
[documents."skill.repo-improvement-loop"]
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skills.index
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 87
|
|
6
6
|
authority: router
|
|
7
7
|
lifecycle: mustflow-owned
|
|
8
8
|
---
|
|
@@ -100,6 +100,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
100
100
|
| An unfamiliar codebase area needs an evidence-based map before planning, implementation, or reporting | `.mustflow/skills/codebase-orientation/SKILL.md` | User request, target area, relevant instructions, and current source, test, schema, template, configuration, or documentation files | Read-only orientation notes and any smallest follow-up edit chosen from inspected evidence | stale documentation, wrong ownership boundary, or invented architecture claim | `changes_status`, `changes_diff_summary`, `mustflow_check` | Scope inspected, entrypoints, flow map, ownership boundaries, verification options, risks, unknowns, and smallest safe next step |
|
|
101
101
|
| A coding task has missing intent, scope, domain, data, security, UX, dependency, architecture, or verification decisions that cannot be safely inferred from repository evidence | `.mustflow/skills/clarifying-question-gate/SKILL.md` | User request, inspected repository evidence, unresolved decisions, reversibility classification, recommended option, and tradeoffs | Blocking questions, safe assumptions, and the smallest safe implementation boundary | over-questioning, lazy questions, expensive wrong assumptions, user-owned decision drift, data loss, auth bypass, public-contract drift, dependency bloat, or unverifiable completion | `changes_status`, `changes_diff_summary`, `mustflow_check` | Repository evidence inspected, blocking questions with recommendations, safe assumptions, selected scope, verification, and remaining ambiguity |
|
|
102
102
|
| HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, request/response schema, status code, header, error envelope, pagination, filtering, sorting, search, generated client, SDK, mock, fixture, or API docs contract is created or changed | `.mustflow/skills/api-contract-change/SKILL.md` | API style, contract source of truth, changed operations, request and response schemas, status and headers, error envelope, auth and permission behavior, pagination/filter/sort/search semantics, generated clients, SDKs, mocks, fixtures, callers, docs, and command contract entries | Routes, handlers, resolvers, validators, schemas, generated clients, SDKs, mocks, fixtures, docs, tests, and directly synchronized examples | route-only change, schema drift, generated-client breakage, hidden breaking change, status or error drift, pagination/search semantic drift, auth/permission drift, or stale docs examples | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | API contract source, changed operations, compatibility classification, synchronized client/schema/docs/tests surfaces, verification, and remaining API contract risk |
|
|
103
|
+
| C++ source, headers, modules, native build metadata, toolchains, package managers, public headers, shared or static libraries, ABI surfaces, generated bindings, FFI, tests, or benchmarks are created or changed | `.mustflow/skills/cpp-code-change/SKILL.md` | Owning target, compilation identity, build front door, changed consumed surface, public API/ABI/FFI/binding surfaces, ownership and lifetime contracts, and command contract entries | C++ source, headers, modules, build metadata, package metadata, generated bindings, FFI code, tests, benchmarks, and directly synchronized docs | target drift, source API break, binary ABI break, undefined behavior, lifetime bug, build-graph drift, generated-binding drift, FFI memory bug, unverified modern C++ feature, or false performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Owning target, compilation identity, highest compatibility risk, ownership/lifetime/UB/concurrency notes, public API/ABI/FFI/binding impact, verification, and remaining C++ risk |
|
|
103
104
|
| TypeScript source, declarations, tsconfig, package exports, module resolution, public API, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, package entry metadata, target runtime, changed files, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, and directly synchronized docs | weakened type safety, module drift, public API drift, or unverified declaration output | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, and public API boundary checked, changes made, verification, and remaining TypeScript risk |
|
|
104
105
|
| JavaScript source, module format, package entry, browser or Node runtime, dependency usage, Promise handling, bundler config, or JavaScript tests are created or changed | `.mustflow/skills/javascript-code-change/SKILL.md` | Package metadata, module system, runtime target, entrypoints, changed files, and command contract entries | JavaScript source, package exports, bundler config, dependencies, tests, and docs examples | runtime API leakage, ESM/CJS drift, discarded Promise, dependency bloat, or broken package entry | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime and module boundary checked, async and dependency notes, verification, and remaining JavaScript risk |
|
|
105
106
|
| Python source, package metadata, runtime version, import layout, type checking, linting, CLI entry points, or tests are created or changed | `.mustflow/skills/python-code-change/SKILL.md` | Python version source, packaging files, import layout, lint/type/test config, changed files, and command contract entries | Python source, packaging metadata, imports, type hints, tests, and docs examples | unsupported syntax, import hacks, packaging drift, swallowed errors, or weakened lint/type checks | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, packaging, import, and type boundary checked, verification, and remaining Python risk |
|
|
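Review bot: The new C++ row at line 103 lists undefined behavior, lifetime bugs, binary ABI breaks and FFI memory bugs as risks, but its verification column is the same generic set used by the TypeScript and Python rows plus `test_release`. None of those intents is identified as a sanitizer run, ABI comparison or binding-regeneration check, so the row implies coverage the listed commands may not give. Either reference the intent that covers those risks or state in the output column that they are reported as unverified when no such intent is configured.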
@@ -155,9 +156,9 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
155
156
|
| Generated or edited code, configuration, CI workflows, package metadata, install instructions, examples, Docker images, framework setup, runtime declarations, toolchain declarations, or migration-sensitive snippets introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, or scaffold commands that may be stale | `.mustflow/skills/version-freshness-check/SKILL.md` | Versioned reference, owning files, repository version policy, approved freshness source, compatibility context, migration risk, and command contract entries | Package metadata, lockfiles, CI workflows, Dockerfiles, runtime files, framework config, docs, examples, templates, tests, and version-decision reports | stale default version, false latest claim, accidental major migration, repository policy mismatch, unsupported generated example, floating-tag drift, or unverified security/support claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Versioned surfaces checked, repository policy and freshness source, selected version track, compatibility classification, approval need, synchronized surfaces, verification, and remaining version-freshness risk |
|
|
156
157
|
| External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, or provider data cross the core boundary or need port/adapter translation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, delivery adapter responsibility, internal port, provider containment, core-state ownership, 
vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
|
|
157
158
|
| Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, or mobile native permissions are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, or WebView/native boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, and native boundary checked, verification, and remaining Tauri risk |
|
|
158
|
-
| File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug,
|
|
159
|
-
| File paths, directories, symlinks, real paths, traversal, atomic writes, file copies, generated outputs, temporary files, cleanup, or Windows/POSIX filesystem behavior are created, changed, reviewed, or reported | `.mustflow/skills/cross-platform-filesystem-safety/SKILL.md` | Path inputs, base directory, trust boundary, symlink policy, write or cleanup strategy, platform expectations, and command contract entries | Path validation, file helpers, copy/update/delete code, scan bounds, fixtures, tests, docs, and templates | path traversal, symlink escape, unsafe overwrite, platform-only behavior, stale output, or cleanup data loss | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path trust classes, root boundary, symlink/write/delete/scan decisions, platform assumptions, verification, and remaining filesystem risk |
|
|
160
|
-
| Child processes, shell or argv execution, built-in command reruns, timeouts, process trees, output limits, streaming, environment policy, command eligibility, or execution receipts are created, changed, reviewed, or reported | `.mustflow/skills/process-execution-safety/SKILL.md` | Execution path, timeout, output limit, stdin, environment, cwd, process tree behavior, receipt and write-tracking expectations, and command contract entries | Process execution code, process-tree helpers, output buffers, environment creation, eligibility checks, receipts, tests, and docs | runaway process, unbounded output, leaked environment, inconsistent JSON/text execution, false cleanup claim, or unreliable receipt | `changes_status`, `changes_diff_summary`, `test_related`, `test_release`, `mustflow_check` | Execution surface, timeout/output/environment/process-tree boundaries, receipt consistency, tests, verification, and remaining process risk |
|
|
159
|
+
| File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, clone/checkout/scaffold/install/extract outputs, staging and promotion policy, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, failure taxonomy, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, clone or scaffold destinations, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, Unicode-collision bug, Git checkout path-length failure misreported as network or auth, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, partial-output cleanup data loss, user-selected destination deletion, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, preflight/staging/promotion decisions, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, failure taxonomy, synchronized contract surfaces, verification, and remaining path risk |
|
|
160
|
+
| File paths, directories, symlinks, real paths, traversal, atomic writes, file copies, generated outputs, temporary files, clone or checkout materialization, cleanup, or Windows/POSIX filesystem behavior are created, changed, reviewed, or reported | `.mustflow/skills/cross-platform-filesystem-safety/SKILL.md` | Path inputs, base directory, trust boundary, symlink policy, write or cleanup strategy, clone/checkout/scaffold/install/extract path budget, app-owned staging boundary, platform expectations, failure taxonomy, and command contract entries | Path validation, file helpers, copy/update/delete code, clone/scaffold/archive cleanup code, scan bounds, fixtures, tests, docs, and templates | path traversal, symlink escape, unsafe overwrite, platform-only behavior, stale output, path-length or filename-length misclassification, watcher/resource misclassification, or cleanup data loss | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path trust classes, root boundary, symlink/write/delete/scan decisions, preflight and staging boundaries, clone/scaffold/extract classification, platform assumptions, verification, and remaining filesystem risk |
|
|
161
|
+
| Child processes, shell or argv execution, built-in command reruns, Git/package-manager/scaffolder failures, timeouts, process trees, output limits, streaming, environment policy, command eligibility, failure classification, command-line length limits, or execution receipts are created, changed, reviewed, or reported | `.mustflow/skills/process-execution-safety/SKILL.md` | Execution path, timeout, output limit, stdin, argv and shell command-length budget, environment, cwd, process tree behavior, failure taxonomy, receipt and write-tracking expectations, and command contract entries | Process execution code, process-tree helpers, output buffers, environment creation, eligibility checks, failure classifiers, receipts, tests, and docs | runaway process, unbounded output, leaked environment, argv-too-long failure, shell-command-too-long failure, inconsistent JSON/text execution, false cleanup claim, Git checkout path failure misreported as network or auth, blind retry, diagnostic loss, or unreliable receipt | `changes_status`, `changes_diff_summary`, `test_related`, `test_release`, `mustflow_check` | Execution surface, timeout/output/environment/process-tree boundaries, argv and shell length handling, failure classification, diagnostic preservation, receipt consistency, tests, verification, and remaining process risk |
|
|
161
162
|
| Core or application logic creates, imports, resolves, or hides external dependencies such as databases, SDKs, clocks, random generators, configuration, loggers, framework objects, filesystems, queues, AI clients, or payment/email providers | `.mustflow/skills/dependency-injection/SKILL.md` | Target code area, hidden dependency, intended business capability, layer ownership, local port/adapter patterns, changed files, and command contract entries | Core logic signatures, ports, adapters, assembly roots, tests, and directly synchronized docs or templates | hidden global state, untestable business logic, provider leakage, lifecycle drift, or service-locator coupling | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Dependency boundary, direct dependencies found, injection style, ports/adapters, assembly boundary, tests or fakes, verification, and remaining dependency leakage |
|
|
162
163
|
| Code, data, schema, configuration, file layout, template, content frontmatter, file-to-database, URL, slug, lifecycle, asset, claim or fact extraction, API projection compatibility, public identifier changes, provider id mappings, event-schema changes, observability identifier continuity, deployment-state reproduction, generated-state, backup or restore proof, semantic export, import, platform exit, or cache migrations are planned, edited, documented, or reported | `.mustflow/skills/migration-safety-check/SKILL.md` | Source state, target state, migration surface owner, identity, lifecycle, asset, claim, export/import reconstruction shape, URL continuity, API projection expectations, public id mapping, provider id mapping, event schema versioning, observability identifier continuity, deployment-state reproduction, cache key versioning, restore evidence, idempotency, rollback, dry-run, compatibility, and command contract entries | Migration plans, compatibility notes, lock metadata, docs, tests, templates, generated state, redirects, assets, exports, imports, deployment notes, observability continuity notes, caches, restore notes, and reports | irreversible migration, data loss, incomplete export, broken links, identity drift, provider-id lock-in, lost asset originals, API contract break, event-schema ambiguity, broken traceability, dashboard-only operating state, cache-key drift, untested restore, or false migration-success claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration surface, source and target state, identity, lifecycle, asset, claim, URL, API, event, observability, deployment-state, cache, restore, and export/import continuity, idempotency, rollback, metadata updates, verification, and remaining migration risk |
|
|
163
164
|
|
|
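Review bot: After this change the rows at lines 159 and 160 both trigger on clone or checkout destinations, staging, cleanup and failure taxonomy, and the risk "Git checkout path failure misreported as network or auth" appears in both line 159 and line 161. With three routes claiming the same failure, it is unclear which skill owns the classification when a clone fails; name a primary route for that case in one row and have the others defer to it. Line 160 also adds clone/scaffold/archive cleanup code to its edit scope but still verifies without `lint`, `build` or `test`, unlike line 159.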
@@ -205,8 +206,9 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
205
206
|
| `.mustflow/config/commands.toml` command intents, resources, effects, timeouts, output limits, environment policies, lifecycle values, run policies, command-selection metadata, CI/CD reproducibility rules, build/test/migration/deploy verification handoffs, or health-check command surfaces are created, changed, reviewed, or removed | `.mustflow/skills/command-contract-authoring/SKILL.md` | Command goal, current command contract, expected reads and writes, side effects, locks, timeout, output, environment, stdin, dashboard or platform setting dependency, and verification entries | Command contract, template command contracts, workflow docs, skills, tests, and directly synchronized public docs | accidental command authority, inferred command, dashboard-only source of truth, unreproducible deployment, unbounded side effect, missing lock, secret exposure, or long-running command approval | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Intent authority decision, side-effect model, environment and timeout boundary, CI/CD reproducibility boundary, synchronized surfaces, verification, and remaining command-contract risk |
|
|
206
207
|
| CLI text output, JSON output, exit codes, error messages, warnings, deprecations, help text, command aliases, schema-backed reports, or automation-facing command behavior are created, changed, reviewed, or reported | `.mustflow/skills/cli-output-contract-review/SKILL.md` | Affected command, output modes, exit-code expectations, docs examples, schemas, fixtures, consumers, and command contract entries | CLI output code, schemas, fixtures, docs, README examples, package tests, templates, and reports | broken automation, misleading success, schema drift, undocumented deprecation, stale example, or incompatible output change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Output surfaces reviewed, status and exit-code semantics, synchronized schemas/docs/tests/templates, verification, and remaining CLI-output risk |
|
|
207
208
|
| Dates, versions, counts, durations, limits, metrics, benchmarks, prices, percentages, or other numeric facts are created, edited, or reported | `.mustflow/skills/date-number-audit/SKILL.md` | Date or numeric fact, source of truth, dependent surfaces, precision expectation, and command contract entries | Numeric statements, metadata, tests, docs, templates, and reports | invented, stale, or mismatched numeric claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Audited values, source of truth, synchronized surfaces, skipped checks, and remaining numeric risk |
|
|
208
|
-
| Git reports CRLF/LF warnings or tracked text files may need line-ending normalization | `.mustflow/skills/line-ending-hygiene/SKILL.md` | Warning text
|
|
209
|
+
| Git reports CRLF/LF warnings, Docker or shell scripts fail with CRLF interpreter errors, `.gitattributes` policy is proposed, or tracked text files may need line-ending normalization | `.mustflow/skills/line-ending-hygiene/SKILL.md` | Warning or runtime error text, changed-file evidence, line-ending policy, requested scope, changed-file status, and command contract entries | Line-ending policy files when explicitly requested, tracked text files when explicitly normalized, command metadata, tests, and reports | silent working-tree rewrite, hidden repository-wide policy change, unrelated renormalization, or policy drift | `line_endings_check`, `changes_status`, `mustflow_check` | Policy found or deferred, drift files, normalization status, verification, and remaining line-ending risk |
|
|
209
210
|
| External `SKILL.md` files, skill packs, awesome lists, GitHub skill repositories, installer recommendations, or third-party skill procedures are reviewed for possible mustflow adoption | `.mustflow/skills/external-skill-intake/SKILL.md` | Source path or URL, license or provenance evidence, external skill files, intended adoption outcome, existing skill overlap, and command contract entries | Skill procedures, skill routes, template metadata, tests, docs, and review notes that adapt the external idea | third-party command bypass, license or provenance gap, unsafe helper script, duplicated skill, stale source claim, or default-profile bloat | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Source review, overlap decision, safety findings, command-intent mapping, adoption decision, synchronized surfaces, verification, and remaining intake risk |
|
|
211
|
+
| GitHub issue, pull request, review thread, or maintainer-facing comment content is drafted, opened, revised, or answered | `.mustflow/skills/github-contribution-quality-gate/SKILL.md` | Target repository, intended GitHub action, repository rules and templates, duplicate search, evidence, verification level, and desired result | Issue, pull request, review reply, or comment draft plus posting gate report | maintainer time waste, duplicate report, unsupported claim, public security leak, unverified AI content, or wrong support channel | `changes_status`, `changes_diff_summary`, `mustflow_check` | Gate decision, repository rules found, duplicate and context check, evidence, missing evidence, draft, and final self-check |
|
|
210
212
|
| Repository, host, user, nested-project, command-contract, preference, or generated instruction sources conflict or make safe scope unclear | `.mustflow/skills/instruction-conflict-scope-check/SKILL.md` | Conflicting instruction sources, affected scope, direct user request, command contract entries, and nearest instruction files | Workflow docs, skills, templates, tests, reports, and selected repository scope | authority drift, unsafe scope expansion, wrong repository edit, or unauthorized command | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Conflicts reviewed, chosen priority rule, narrowed or skipped actions, clarification changes, and remaining authority risk |
|
|
211
213
|
| `.mustflow/context/PROJECT.md` needs cautious project context | `.mustflow/skills/project-context-authoring/SKILL.md` | Supported project facts | `.mustflow/context/PROJECT.md` | authority drift | `mustflow_check` | Updated cautious context |
|
|
212
214
|
| Skill procedures or routes are created or maintained | `.mustflow/skills/skill-authoring/SKILL.md` | Repeated task evidence | `.mustflow/skills/**` | overlap and command drift | `mustflow_check`, `docs_validate` | Skill route and procedure changes |
|
|
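Review bot: In the rewritten `line-ending-hygiene` row, the risk column names "silent working-tree rewrite" and "unrelated renormalization", but the verification column lists only `line_endings_check`, `changes_status`, `mustflow_check`. Most other rows in this hunk also run `changes_diff_summary`, which by its name is the intent that would show a renormalization touching more files than intended, so consider adding it here. In the new `github-contribution-quality-gate` row, "public security leak" is a listed risk while the required inputs do not name the target repository's security policy or private reporting channel; making that an explicit input would tie the risk to something the gate has to look up.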
@@ -0,0 +1,181 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.cpp-code-change
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: cpp-code-change
|
|
9
|
+
description: Apply this skill when C++ source, headers, modules, native build metadata, toolchains, package managers, ABI surfaces, generated bindings, FFI, tests, or benchmarks are created or changed.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.cpp-code-change
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# C++ Code Change
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Preserve C++ target identity, ownership, lifetime, undefined-behavior, build-graph, API, ABI, FFI, generated-binding, modern-language, concurrency, and performance contracts while making a focused change.
|
|
33
|
+
|
|
34
|
+
A C++ change is successful only when the affected target and consumed surface are understood. Local compile success alone does not prove C++ correctness, compatibility, ABI safety, memory safety, or performance.
|
|
35
|
+
|
|
36
|
+
<!-- mustflow-section: use-when -->
|
|
37
|
+
## Use When
|
|
38
|
+
|
|
39
|
+
- `.c`, `.cc`, `.cpp`, `.cxx`, `.h`, `.hh`, `.hpp`, `.hxx`, `.ipp`, `.tpp`, `.ixx`, `.cppm`, C++ tests, examples, benchmarks, modules, or generated C++ glue change.
|
|
40
|
+
- C++ build metadata changes, including `CMakeLists.txt`, `CMakePresets.json`, toolchain files, `meson.build`, `meson_options.txt`, Meson native or cross files, `BUILD`, `BUILD.bazel`, `.bazelrc`, `WORKSPACE`, `MODULE.bazel`, `Makefile`, `.mk`, Autotools files, `conanfile.py`, `conanfile.txt`, `conan.lock`, Conan profiles, `vcpkg.json`, `vcpkg-configuration.json`, triplets, package config files, or pkg-config files.
|
|
41
|
+
- The task touches C++ standard version, compiler, standard library, ABI mode, platform branches, generated bindings, shared or static library artifacts, exported symbols, public headers, FFI, ownership, raw pointers, references, smart pointers, views, iterators, allocators, exceptions, errors, templates, concepts, coroutines, modules, atomics, locks, sanitizers, fuzzing, or benchmarks.
|
|
42
|
+
|
|
43
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
44
|
+
## Do Not Use When
|
|
45
|
+
|
|
46
|
+
- C++ files are read-only context and no C++ source, header, build, package, binding, test, or benchmark surface changes.
|
|
47
|
+
- The task is only formatting, comments, or documentation and does not affect a public header, exported symbol, generated binding, FFI surface, build graph, or documented C++ contract.
|
|
48
|
+
- A generated C++ file must be regenerated by a declared project command rather than edited manually.
|
|
49
|
+
- The change is purely C source with no C++ target, C++ compiler, C++ ABI, C++ build metadata, or C++ consumer boundary involved.
|
|
50
|
+
|
|
51
|
+
<!-- mustflow-section: required-inputs -->
|
|
52
|
+
## Required Inputs
|
|
53
|
+
|
|
54
|
+
- Changed files and their consumed surface classification: private implementation, private header, public header, module interface, shared library, static library, executable, generated binding input, generated binding output, FFI boundary, test, benchmark, or build metadata.
|
|
55
|
+
- Owning build target for every changed C++ source, header, module, generated file, and native artifact.
|
|
56
|
+
- Target-specific compilation identity: C++ standard, compiler family and version, standard library, ABI mode, exception and RTTI mode, build type, platform, architecture, visibility policy, linkage mode, dependency source, and active build front door when available.
|
|
57
|
+
- Relevant CMake, Meson, Bazel, Make, Autotools, Conan, vcpkg, pkg-config, CI, package, and install/export metadata.
|
|
58
|
+
- Public headers, exported symbols, public types, public constants, macros, enum values, generated bindings, FFI functions, target-language surfaces, and downstream consumer expectations when any public surface changes.
|
|
59
|
+
- Ownership, lifetime, allocator, error, exception, callback, thread-safety, synchronization, and performance contracts touched by the change.
|
|
60
|
+
- Configured verification intents from the repository command contract.
|
|
61
|
+
|
|
62
|
+
<!-- mustflow-section: preconditions -->
|
|
63
|
+
## Preconditions
|
|
64
|
+
|
|
65
|
+
- Determine the owning build target before editing. Do not treat repository-wide defaults, editor settings, or the local machine compiler as target authority.
|
|
66
|
+
- Determine whether the change can affect source API, binary ABI, generated binding API, FFI ABI, behavior, memory safety, thread safety, performance, package consumers, or only private implementation.
|
|
67
|
+
- Classify compatibility risk by the highest-risk consumed surface touched by the change. Do not downgrade risk because the diff is small, private-looking, or compile-clean.
|
|
68
|
+
- If C++ standard, compiler, standard library, ABI mode, platform, dependency source, active build front door, or owning target cannot be determined, report the missing boundary and avoid changes that depend on it.
|
|
69
|
+
- Use only configured command intents for validation. Do not invent native build, test, sanitizer, fuzz, package, or benchmark commands.
|
|
70
|
+
|
|
71
|
+
<!-- mustflow-section: allowed-edits -->
|
|
72
|
+
## Allowed Edits
|
|
73
|
+
|
|
74
|
+
- Keep edits scoped to the affected C++ target, build graph, tests, generated-binding source of truth, and directly synchronized docs or template surfaces.
|
|
75
|
+
- Prefer RAII, rule of zero, value semantics, explicit ownership transfer, explicit borrowed views, and narrow lifetime contracts over raw ownership or hidden sharing.
|
|
76
|
+
- Prefer additive API and ABI changes when existing consumers must keep working.
|
|
77
|
+
- Add focused tests, compile checks, smoke tests, or benchmark guards only when they protect the changed C++ contract and are covered by configured intents.
|
|
78
|
+
- Do not hand-edit generated output unless the project explicitly treats it as authoritative or the user explicitly requests it with the drift risk understood.
|
|
79
|
+
- Do not weaken compiler, warning, sanitizer, ABI, package, test, or compatibility checks to make a patch appear complete.
|
|
80
|
+
|
|
81
|
+
<!-- mustflow-section: procedure -->
|
|
82
|
+
## Procedure
|
|
83
|
+
|
|
84
|
+
1. Read the repository instructions and configured command intents, then inspect the changed C++ files plus nearby source, headers, tests, build files, package metadata, and CI hints.
|
|
85
|
+
2. Identify the owning target for each changed file. For CMake, inspect target sources, include directories, compile definitions, compile features, options, link libraries, install/export surfaces, and public/private/interface propagation. For Meson, inspect targets, dependencies, include directories, options, cross/native files, and install surfaces. For Bazel, inspect `cc_library`, `cc_binary`, `cc_test`, `srcs`, `hdrs`, `deps`, `implementation_deps`, `defines`, `local_defines`, `visibility`, toolchains, and `select()` branches. For Make or Autotools, inspect object rules, included fragments, flags, libraries, generated headers, and install surfaces.
|
|
86
|
+
3. Identify the active build front door. If several active graphs own the same changed file, keep them synchronized or report the unsupported or stale graph explicitly.
|
|
87
|
+
4. Record the target compilation identity: C++ standard, compiler, standard library, ABI mode, platform, architecture, build type, exception and RTTI mode, visibility, linkage, dependency source, and generated-header source when relevant.
|
|
88
|
+
5. Classify risk by highest consumed surface:
|
|
89
|
+
- `internal_only`: private implementation or private helper only.
|
|
90
|
+
- `source_api`: public header, exported type, namespace, macro, enum, overload, template, inline function, default argument, include path, or package consumer compile surface.
|
|
91
|
+
- `binary_abi`: shared library symbol, public object layout, vtable, RTTI, calling convention, visibility, allocator boundary, exception boundary, struct packing, alignment, or ABI flag.
|
|
92
|
+
- `static_link_contract`: static artifact, object compatibility, compile flags, PIC, LTO, link order, duplicate symbol, ODR, or consumer relink surface.
|
|
93
|
+
- `generated_binding`: generator input, generated output, wrapper API, target-language package surface, ownership mapping, nullability, or exception/error mapping.
|
|
94
|
+
- `ffi_boundary`: `extern "C"`, callback, raw buffer, fixed layout, allocator, ownership/free function, error ABI, calling convention, or cross-language thread ownership.
|
|
95
|
+
- `semantic_compatibility`: behavior, ownership, lifetime, error, ordering, threading, range, default, or resource contract changed without a signature change.
|
|
96
|
+
- `performance_resource`: hot path, allocation, lock contention, inlining, template instantiation, serialization, binary size, latency, throughput, or memory footprint.
|
|
97
|
+
6. For ownership and lifetime changes, classify every affected value as owner, borrowed non-null reference, borrowed nullable pointer, view, iterator, handle, shared owner, weak observer, or moved-from value. Check raw pointer ownership, reference escape, lambda capture, async or callback storage, move-after-use, `unique_ptr::release`, duplicate `shared_ptr` ownership, custom deleters, container invalidation, member initialization order, and RAII cleanup on failure paths.
|
|
98
|
+
7. For undefined-behavior risk, inspect dangling pointers and references, iterator invalidation, uninitialized memory, out-of-bounds access, signed overflow, bad shifts, strict aliasing, alignment, object lifetime, invalid downcasts, non-virtual base deletion, data races, C string length mistakes, and `string_view` or `span` lifetime.
|
|
99
|
+
8. For public headers, review function signatures, overload sets, namespaces, includes, macros, type aliases, enum values, constants, templates, inline functions, public class layout, virtual functions, base classes, alignment, default arguments, exported concepts, deduced return types, modules, and standard-library types exposed as API or ABI.
|
|
100
|
+
9. For shared libraries, review exported symbol names, symbol visibility, version scripts, import/export macros, SONAME or equivalent policy, name mangling, calling convention, public object layout, vtable layout, RTTI, exception behavior, allocator ownership, dependency ABI, and standard-library ABI flags.
|
|
101
|
+
10. For static libraries, review rebuild and relink contracts, public headers, object compatibility, compiler and standard-library assumptions, build flags, PIC, LTO, ODR risk, duplicate symbols, and consumer link behavior. Do not treat static libraries as ABI-free.
|
|
102
|
+
11. For generated bindings, identify the source of truth, generator version when available, generated output, target-language API, smoke tests, and ownership/error/nullability mapping. Reject source/output drift unless the drift is explicitly intended and verified.
|
|
103
|
+
12. For FFI, prefer a stable C ABI unless the project explicitly marks the boundary unstable. Use fixed-size types, explicit layout, explicit ownership and release functions, explicit error reporting, explicit calling convention, null handling, callback lifetime rules, and thread ownership. Do not leak C++ exceptions, STL types, templates, overloaded functions, implicit ownership, or compiler-specific C++ ABI across FFI without an explicit unstable-boundary policy.
|
|
104
|
+
13. For template, concepts, overload, ADL, and SFINAE changes, verify positive and negative compile behavior when configured checks exist. Review which overloads are added, removed, or silently selected differently. Use return-type, constraint, and ADL fixtures when the repository has that pattern.
|
|
105
|
+
14. For error handling, classify failures as programmer bug, recoverable input or environment failure, resource failure, or invariant violation. Preserve the layer's existing channel: exceptions, error codes, project Result, `std::expected`, assertions, or logging. Do not mix two public failure channels for the same failure without a boundary reason. Treat `noexcept` as a termination contract, not a performance hint.
|
|
106
|
+
15. For concurrency, list shared mutable state, owner thread, guard mutex, atomic invariant, lifetime rule, lock ordering, callback execution, shutdown path, and join or wait path. Do not introduce unguarded shared mutation, locks held across callbacks or blocking I/O, unexplained memory orders, detached lifetime, or relaxed atomics without proof.
|
|
107
|
+
16. For modern C++ features, reject changes justified only as modern, shorter, or cleaner-looking. A feature is allowed only when it removes a concrete failure mode, narrows state, clarifies lifetime or ownership, improves misuse resistance, or has measured performance value. Check public-surface exposure, compiler support, standard-library support, build-system support, CI support, and fallback or configure-time failure before adopting C++20 or C++23 features.
|
|
108
|
+
17. Treat `std::span`, `std::string_view`, ranges views, iterator/sentinel pairs, and coroutine captures as borrowed views. Never store or return them unless owner lifetime is explicit and verified.
|
|
109
|
+
18. For performance work, require baseline, workload, target metric, profile evidence, hypothesis, targeted change, remeasurement, and regression guard when configured verification exists. Do not claim performance from syntax changes, `std::move`, `string_view`, ranges, modules, coroutines, or `constexpr` without evidence or a clear complexity argument.
|
|
110
|
+
19. Choose configured validation by highest-risk surface. All C++ changes need compile-equivalent validation when available. Public headers need downstream-style compile or public-header validation when available. Library artifacts need link validation when available. Shared ABI changes need ABI or exported-symbol validation when available. Generated bindings need regeneration and target-language smoke validation when available. FFI changes need boundary smoke and memory validation when available. Hot-path changes need benchmark validation when available.
|
|
111
|
+
|
|
112
|
+
<!-- mustflow-section: rejection-criteria -->
|
|
113
|
+
## Review Rejection Criteria
|
|
114
|
+
|
|
115
|
+
Reject or revise the patch when any of these appear without strong local evidence and risk reporting:
|
|
116
|
+
|
|
117
|
+
- A changed C++ file has no identified owning target, active build front door, or compilation identity.
|
|
118
|
+
- A public header, exported symbol, generated binding, FFI surface, or library artifact changes without compatibility classification.
|
|
119
|
+
- API compatibility is claimed without inspecting public headers, generated bindings, or downstream-style consumer compile surface.
|
|
120
|
+
- ABI compatibility is claimed after exported symbols, object layout, vtable layout, calling convention, visibility, or FFI layout changed without ABI or equivalent binary-compatibility evidence.
|
|
121
|
+
- A raw pointer, reference, view, iterator, or callback is stored or returned without owner lifetime evidence.
|
|
122
|
+
- `std::string_view`, `std::span`, ranges views, coroutine captures, or iterator pairs outlive their owner or cross mutation/reallocation boundaries without proof.
|
|
123
|
+
- `std::move`, `unique_ptr::release`, `shared_ptr`, custom deleters, or manual cleanup obscure ownership transfer.
|
|
124
|
+
- New manual `new`, `delete`, `malloc`, `free`, close, unlock, or release paths appear where RAII can express the ownership.
|
|
125
|
+
- A `noexcept` function calls code that may throw without an intentional termination policy.
|
|
126
|
+
- Public API exposes C++20 or C++23 features without consumer compiler, standard-library, build-system, and fallback review.
|
|
127
|
+
- Performance improvement is claimed without baseline, workload, measurement, or complexity evidence.
|
|
128
|
+
- Sanitizer, ABI, FFI, binding, benchmark, or downstream checks are missing but the output claims those properties were proven.
|
|
129
|
+
|
|
130
|
+
<!-- mustflow-section: postconditions -->
|
|
131
|
+
## Postconditions
|
|
132
|
+
|
|
133
|
+
- The owning target, active build graph, and target compilation identity are known or the missing boundary is reported.
|
|
134
|
+
- The highest compatibility risk is stated: internal-only, source API, binary ABI, static-link contract, generated binding, FFI, semantic compatibility, or performance/resource.
|
|
135
|
+
- Ownership, lifetime, allocator, error, concurrency, and modern-feature impacts are intentional and evidence-backed.
|
|
136
|
+
- Public headers, exported symbols, generated bindings, FFI surfaces, build metadata, tests, docs, and template surfaces are synchronized when they are part of the changed contract.
|
|
137
|
+
- Generated files match their source of truth and generator flow, or drift is reported.
|
|
138
|
+
- No API, ABI, memory-safety, thread-safety, FFI, binding, or performance compatibility is claimed beyond the validation evidence.
|
|
139
|
+
|
|
140
|
+
<!-- mustflow-section: verification -->
|
|
141
|
+
## Verification
|
|
142
|
+
|
|
143
|
+
Use configured oneshot command intents when available:
|
|
144
|
+
|
|
145
|
+
- `lint`
|
|
146
|
+
- `build`
|
|
147
|
+
- `test_related`
|
|
148
|
+
- `test`
|
|
149
|
+
- `docs_validate_fast`
|
|
150
|
+
- `test_release`
|
|
151
|
+
- `mustflow_check`
|
|
152
|
+
|
|
153
|
+
Choose validation by highest-risk surface, not by diff size.
|
|
154
|
+
|
|
155
|
+
Report whether configured validation exists for C++ compile, public-header compile, downstream consumer compile, link, unit, integration, API diff, ABI diff, generated-binding regeneration, target-language smoke, FFI smoke, sanitizer, valgrind or equivalent memory analysis, fuzzing, benchmark, and package-consume scenarios when those surfaces change.
|
|
156
|
+
|
|
157
|
+
When a required validation intent is unavailable, record the missing intent, why it matters, the weaker validation that was run, and the remaining compatibility risk. Do not invent a command or claim compatibility was proven.
|
|
158
|
+
|
|
159
|
+
<!-- mustflow-section: failure-handling -->
|
|
160
|
+
## Failure Handling
|
|
161
|
+
|
|
162
|
+
- If the owning target or active build front door is unclear, stop the risky part and inspect build metadata before editing further.
|
|
163
|
+
- If multiple build graphs own the same changed file and only one can be updated, report the stale graph and compatibility risk.
|
|
164
|
+
- If public API or ABI policy is absent, classify the risk explicitly instead of assuming semver, SONAME, or package compatibility rules.
|
|
165
|
+
- If generated bindings drift, restore source/output alignment or report the generator/source-of-truth gap.
|
|
166
|
+
- If an ownership or lifetime fix creates broad shared ownership, manual cleanup, or hidden view lifetime, revisit the owner boundary before continuing.
|
|
167
|
+
- If concurrency changes lack a synchronization proof, stop that part and inspect the state owner, guard, lifetime, and shutdown path.
|
|
168
|
+
- If performance measurements are unavailable, report that performance compatibility was not proven.
|
|
169
|
+
|
|
170
|
+
<!-- mustflow-section: output-format -->
|
|
171
|
+
## Output Format
|
|
172
|
+
|
|
173
|
+
- Boundary checked
|
|
174
|
+
- Owning target and compilation identity
|
|
175
|
+
- Highest compatibility risk
|
|
176
|
+
- Ownership, lifetime, UB, concurrency, modern-feature, or performance impact
|
|
177
|
+
- Public API, ABI, binding, FFI, or build-graph impact
|
|
178
|
+
- Files changed
|
|
179
|
+
- Command intents run
|
|
180
|
+
- Skipped checks and reasons
|
|
181
|
+
- Remaining C++ risk
|
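Review bot: The first "Use When" bullet lists `.c` and `.h` as triggers, while the last "Do Not Use When" bullet excludes changes that are "purely C source with no C++ target". Matching on file extension alone cannot tell these two cases apart, so "Use When" should say that `.c` and `.h` count only when the file belongs to a C++ target or is consumed by a C++ compiler. Separately, the frontmatter `command_intents` include `changes_status` and `changes_diff_summary`, but the Verification list omits both; either list them there or state that they are used for scoping rather than validation.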
package/templates/default/locales/en/.mustflow/skills/cross-platform-filesystem-safety/SKILL.md
CHANGED
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.cross-platform-filesystem-safety
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 6
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: cross-platform-filesystem-safety
|
|
9
|
-
description: Apply this skill when file paths, directories, symlinks, reparse points, real paths, path traversal, reserved names, null bytes, atomic file writes, temporary files, file copies, generated outputs, Windows/POSIX path behavior, line endings, file permissions, durable writes, or filesystem cleanup are created, changed, reviewed, or reported.
|
|
9
|
+
description: Apply this skill when file paths, directories, symlinks, reparse points, real paths, path traversal, reserved names, null bytes, atomic file writes, temporary files, file copies, generated outputs, clone or checkout materialization, Windows/POSIX path behavior, line endings, file permissions, durable writes, failure classification, or filesystem cleanup are created, changed, reviewed, or reported.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
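Review bot: The new `description` adds "failure classification" as a bare trigger phrase, which reads as any error-classification work rather than filesystem and platform errors. Suggest "filesystem failure classification" so the trigger stays inside this skill's scope. The removed `revision:` line shows no value in this view, so the bump to `revision: 6` cannot be checked against the previous number from the hunk alone.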
@@ -33,6 +33,7 @@ Keep filesystem behavior safe across Windows and POSIX while preventing path tra
|
|
|
33
33
|
|
|
34
34
|
- Code creates, reads, writes, deletes, copies, moves, normalizes, scans, watches, or reports files or directories.
|
|
35
35
|
- A change handles user-provided paths, repository-relative paths, real paths, symlinks, Windows reparse points or junctions, temporary files, generated output, backups, manifests, locks, caches, or latest pointers.
|
|
36
|
+
- Code materializes large or externally sourced trees such as Git checkouts, cloned repositories, project scaffolds, dependency trees, archive extractions, template installs, generated snapshots, or package artifacts.
|
|
36
37
|
- Behavior must work on Windows and POSIX path separators, drive roots, case differences, reserved names, maximum path lengths, executable extensions, line endings, permissions, or rename semantics.
|
|
37
38
|
- A test or final report claims a path is inside the project, symlink-safe, traversal-safe, race-safe, atomic, idempotent, cleanup-safe, or cross-platform.
|
|
38
39
|
|
|
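Review bot: The added "Use When" bullet triggers on "large or externally sourced trees", which mixes a size condition with a trust condition and leaves "large" undefined. The examples that follow (Git checkouts, archive extractions, dependency trees, package artifacts) are all about where the entries come from, so consider dropping "large or" or stating what size makes an internally generated tree qualify.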
@@ -49,6 +50,8 @@ Keep filesystem behavior safe across Windows and POSIX while preventing path tra
|
|
|
49
50
|
- Affected path inputs, output paths, base directory, trust boundary, and whether each path is user-controlled, template-controlled, generated, or repository-owned.
|
|
50
51
|
- Current filesystem helpers, path validation rules, symlink policy, case-sensitivity policy, write strategy, cleanup strategy, temporary-file strategy, permission strategy, and platform expectations.
|
|
51
52
|
- Expected behavior for missing paths, existing files, directories, symlinks, dangling symlinks, reparse points or junctions, path traversal, null bytes, Windows namespace prefixes, Windows reserved names, alternate data streams, trailing spaces or dots, collisions, long paths, large files, and permissions errors.
|
|
53
|
+
- Path-length, filename-length, collision, staging, promotion, and cleanup expectations for clone, checkout, scaffold, install, archive, and generated-tree flows, including the deepest known entry path when available.
|
|
54
|
+
- Failure classification expectations for filesystem and platform errors such as Windows path length, POSIX `ENAMETOOLONG`, reserved names, case collisions, Unicode aliases, file locks, permissions, quota, cross-device moves, missing executable bits, line endings, watcher limits, and descriptor limits.
|
|
52
55
|
- Whether atomicity requires best-effort rename, same-directory temporary files on the same volume, file fsync, parent directory fsync, Windows replacement behavior, or reader-safe latest pointers.
|
|
53
56
|
- Relevant command-intent entries for tests, docs, release, and mustflow validation.
|
|
54
57
|
|
|
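Review bot: The unchanged trust-boundary input still classifies each path as "user-controlled, template-controlled, generated, or repository-owned", but the two added bullets bring in clone, checkout, archive and install flows whose entry names come from a remote repository or an archive. Add an externally sourced class, or say which existing class covers it, so those paths are not treated as repository-owned by default. The "deepest known entry path" expectation should also say which unit it is measured in, since the failure-classification bullet spans both Windows path length and POSIX `ENAMETOOLONG`.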
@@ -69,6 +72,7 @@ Keep filesystem behavior safe across Windows and POSIX while preventing path tra
|
|
|
69
72
|
- Do not accept null bytes, Windows device names, namespace bypass prefixes, alternate data streams, or platform-invalid path segments as ordinary filenames.
|
|
70
73
|
- Do not recursively delete, overwrite, or copy broad directories unless the target is resolved, bounded, and intentionally owned by the task.
|
|
71
74
|
- Do not claim operating-system mitigations such as Windows RedirectionGuard unless the application actually enables and verifies the mitigation in the relevant process boundary.
|
|
75
|
+
- Do not change system-wide or user-wide settings such as Windows registry long-path flags, global Git config, Developer Mode, WSL mount metadata, Linux sysctl limits, Docker Desktop storage backends, antivirus exclusions, or shell profile files from this skill. Report the missing prerequisite or require an explicit configured setup command.
|
|
72
76
|
|
|
73
77
|
<!-- mustflow-section: procedure -->
|
|
74
78
|
## Procedure
|
|
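Review bot: The added rule ends with "or require an explicit configured setup command", which is looser than the wording used for the same concern in procedure step 7 of this file ("unless the user explicitly chose that setup action"). As written it could be read as letting a command-contract entry alone authorize registry long-path flags or antivirus exclusions. Suggest requiring both a configured setup command and an explicit user choice, and using the same wording in both passages.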
@@ -77,26 +81,37 @@ Keep filesystem behavior safe across Windows and POSIX while preventing path tra
|
|
|
77
81
|
2. Reject impossible or dangerous path text early. Check null bytes, empty segments, absolute paths where relative paths are required, Windows device names such as `CON` or `NUL`, namespace prefixes such as `\\?\`, alternate data streams using colon segments, trailing dots or spaces when Windows compatibility matters, and platform-invalid characters before writing.
|
|
78
82
|
3. Establish the base boundary. Use normalized repository-relative paths for storage and real-path checks for filesystem safety when symlinks may be present.
|
|
79
83
|
4. Use Unicode normalization for validation only when detecting platform aliases such as superscript Windows device-name variants. Do not rewrite or persist normalized filenames unless the repository policy explicitly says so.
|
|
80
|
-
5.
|
|
81
|
-
6.
|
|
82
|
-
7.
|
|
83
|
-
8.
|
|
84
|
-
9.
|
|
85
|
-
10. Check
|
|
86
|
-
11.
|
|
87
|
-
12.
|
|
88
|
-
13.
|
|
89
|
-
14.
|
|
90
|
-
15.
|
|
91
|
-
16.
|
|
92
|
-
17.
|
|
93
|
-
18.
|
|
94
|
-
19.
|
|
84
|
+
5. For externally sourced trees, use a `preflight -> dangerous operation -> classifier -> safe cleanup` pipeline. Estimate the materialized path budget before writing, including destination root, project directory, generated subdirectories, deepest known repository or archive entry, Windows path-length behavior, POSIX path and component limits, byte limits, case collisions, reserved names, and safety headroom.
|
|
85
|
+
6. For Git clone and checkout materialization, prefer an app-owned staging directory and no-checkout or metadata-first flow when feasible. Inspect repository entries before checkout, check them against the final destination, then promote the result only after success. Do not delete a user-selected final destination when checkout fails.
|
|
86
|
+
7. For Windows Git checkout or clone materialization, prefer a per-invocation `core.longpaths=true` setting when product code invokes Git. Do not mutate global Git config from application code unless the user explicitly chose that setup action. Long-path support still depends on operating-system, Git, filesystem, and downstream tool behavior, so checkout failures must remain classifiable.
|
|
87
|
+
8. For symlink-heavy repositories on Windows, detect whether checkout produced real links or plain-text symlink stubs before running build logic. Report missing Developer Mode, `core.symlinks`, or native symlink support as an environment prerequisite; do not silently replace file symlinks with junctions or copies unless the repository contract explicitly supports that compatibility mode.
|
|
88
|
+
9. For POSIX, do not assume that forward slashes make paths safe. Check `ENAMETOOLONG`, byte-based per-component name limits, mount permissions, executable bits, case-sensitive import paths, symlink loops, file descriptor limits, watcher limits, quota, and cross-device rename behavior.
|
|
89
|
+
10. Check containment with path-aware logic. Prefer relative-path or resolved-path containment helpers over raw string prefixes, and include a path-separator boundary so partial path traversal cannot let sibling names masquerade as children.
|
|
90
|
+
11. Check case behavior explicitly. Windows and many macOS volumes preserve case but compare case-insensitively by default; POSIX commonly compares case-sensitively. State whether the code preserves spelling, rejects conflicting names, or relies on the host filesystem.
|
|
91
|
+
12. Check collisions before materializing Git trees, archives, generated files, uploaded names, or dependency trees. Include case-only collisions, Unicode normalization aliases, reserved Windows names with extensions, trailing dot or space aliases, duplicate archive entries, and byte-limit collisions from multibyte names.
|
|
92
|
+
13. Check symlink, reparse point, and junction behavior explicitly. Decide whether they are rejected, followed only within the root, or treated as ordinary path entries. Test dangling, outside-target, loop, text-stub, and junction-like cases when relevant.
|
|
93
|
+
14. Close time-of-check to time-of-use gaps where practical. Prefer opening or writing through safe helpers that reject symlinks at the final operation, then verify the opened target when the platform and helper support it.
|
|
94
|
+
15. Treat high-level path APIs as incomplete defenses when the runtime cannot expose descriptor-relative open, no-follow, or opened-file verification. Do not claim race-free behavior from resolve-then-open code alone.
|
|
95
|
+
16. Check traversal and root handling across platforms. Account for absolute paths, drive letters, UNC-like paths, mixed separators, empty paths, dot segments, reserved names, long paths, and case sensitivity where relevant.
|
|
96
|
+
17. Classify filesystem failures before generic network, auth, or unknown failures. Use stable categories such as `path_too_long`, `filename_too_long`, `byte_limit_exceeded`, `invalid_path`, `reserved_name`, `case_collision`, `unicode_collision`, `symlink_escape`, `permission_denied`, `file_locked`, `cross_device_move`, `disk_full_or_quota`, `executable_bit_missing`, `line_ending_mismatch`, `watcher_limit`, and `descriptor_limit`.
|
|
97
|
+
18. For writes, prefer same-directory temporary-file then rename or replace behavior when readers may observe the file. Keep the temporary file on the same volume, use unpredictable names, least-privilege creation permissions, and safe no-follow writes when the project already has that helper.
|
|
98
|
+
19. Treat atomic writes as platform-specific. POSIX rename semantics, Windows replacement behavior, cross-filesystem moves, network filesystems, fsync availability, and directory fsync support differ; report best-effort guarantees honestly.
|
|
99
|
+
20. When durable writes matter, include the full durability sequence where the platform supports it: write the temporary file, flush the file data, close it, rename or replace it, then flush the parent directory entry. If parent directory fsync is unavailable, downgrade the durability claim.
|
|
100
|
+
21. For copies and updates, close the check-then-write gap as much as the platform and existing helpers allow. Do not report symlink safety if the final write can still follow a changed symlink.
|
|
101
|
+
22. For privileged Windows services, check whether reparse-point traversal mitigations belong at process startup. If the code cannot enable or verify them, report the remaining junction risk instead of claiming system-level protection.
|
|
102
|
+
23. For host environment limitations such as long-path registry flags, Developer Mode, WSL metadata mounts, Linux inotify/sysctl limits, Docker Desktop volume backend, or antivirus locks, classify and report the environment prerequisite. Do not perform privileged host repair from ordinary file logic.
|
|
103
|
+
24. Distinguish disk and quota errors from watch or descriptor exhaustion. In a watcher or scanner path, `ENOSPC` may mean an inotify watch limit rather than a full disk, and `EMFILE` or similar failures may indicate a per-process or per-user file-descriptor limit.
|
|
104
|
+
25. For deletes and cleanup, verify the resolved absolute target is inside the intended generated or temporary directory and narrow the deletion scope. Preserve bounded diagnostic evidence before deleting partial clone, checkout, scaffold, install, extraction, or generated output. Cleanup may remove only app-owned staging or generated-state paths, never the user-selected destination that the operation was supposed to populate.
|
|
105
|
+
26. For scans, bound recursion, generated/vendor exclusions, file size, symlink traversal, reparse-point traversal, loop detection, and maximum path length or depth where relevant.
|
|
106
|
+
27. Keep path output stable for users and automation. Report repository-relative paths unless an absolute path is necessary for local diagnosis.
|
|
107
|
+
28. Add focused tests for the highest-risk path shapes and failure categories instead of broad platform speculation.
|
|
95
108
|
|
|
96
109
|
<!-- mustflow-section: postconditions -->
|
|
97
110
|
## Postconditions
|
|
98
111
|
|
|
99
112
|
- Path boundaries, invalid-name policy, case policy, symlink and reparse-point policy, write strategy, cleanup strategy, durability expectations, and platform assumptions are explicit.
|
|
113
|
+
- Clone, checkout, scaffold, install, extraction, and generated-tree flows have preflight, staging, promotion, path-length, byte-limit, symlink-stub, collision, diagnostic-preservation, cleanup, and failure-taxonomy policies.
|
|
114
|
+
- Host setting prerequisites are reported without unapproved registry, global config, WSL, sysctl, Docker Desktop, antivirus, or shell-profile mutation.
|
|
100
115
|
- Dangerous file operations are bounded to known repository-owned or generated locations.
|
|
101
116
|
- Atomicity and race-safety claims are scoped to what the current helpers and platform can actually guarantee.
|
|
102
117
|
- Any untested platform behavior is reported as remaining risk instead of claimed safe.
|
|
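Review bot: Step 17's category list has no entry for the environment-prerequisite failures that steps 8 and 23 tell the reader to classify and report (missing Developer Mode, `core.symlinks`, native symlink support, plain-text symlink stubs, long-path flags). A checkout that produced symlink stubs has no accurate category to land in: `symlink_escape` describes a different condition. Add stable categories for the symlink-stub and host-prerequisite cases, or state which existing category they map to. Separately, step 5 names the pipeline `preflight -> dangerous operation -> classifier -> safe cleanup`, while step 6 and the postcondition added at new line 113 also require staging and promotion; naming those stages in the pipeline would keep the three consistent.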
@@ -122,8 +137,10 @@ Use release checks when template files, package artifacts, or installed workflow
|
|
|
122
137
|
- If the platform cannot prove symlink-safe behavior, fail closed or document the exact remaining gap.
|
|
123
138
|
- If atomic replace, file fsync, parent directory fsync, no-follow open, or final-target verification is not available on the platform, downgrade the claim to best-effort and keep the write boundary narrow.
|
|
124
139
|
- If Unicode normalization, Windows namespace prefixes, alternate data streams, or reparse points could change the effective target, fail closed or report the exact unhandled path class.
|
|
140
|
+
- If clone, checkout, scaffold, install, extraction, or generated-tree materialization fails, classify filesystem and platform causes before reporting network, token, auth, dependency, or unknown causes.
|
|
141
|
+
- If a fix requires elevated host settings or global user configuration, stop at a clear prerequisite report unless an explicit configured command intent and user request authorize the setup.
|
|
125
142
|
- If a test depends on platform-specific symlink support or permissions, state the platform boundary and keep assertions narrow.
|
|
126
|
-
- If cleanup might remove user data, do not proceed without a tighter generated-state boundary.
|
|
143
|
+
- If cleanup might remove user data, do not proceed without a tighter app-owned staging or generated-state boundary.
|
|
127
144
|
|
|
128
145
|
<!-- mustflow-section: output-format -->
|
|
129
146
|
## Output Format
|
|
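Review bot: The bullet added at new line 140 restates the first sentence of procedure step 17 with a different cause list: step 17 says "generic network, auth, or unknown failures", this bullet says "network, token, auth, dependency, or unknown causes". Two near-duplicate lists will drift. Have this bullet point at the step 17 categories instead of carrying its own list, or make the wording identical. It would also help to say that the original error text is kept alongside the filesystem classification, so that a real auth or network failure that occurs together with a path problem is not lost from the report.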
@@ -131,6 +148,8 @@ Use release checks when template files, package artifacts, or installed workflow
|
|
|
131
148
|
- Filesystem surface reviewed
|
|
132
149
|
- Path trust classes, invalid-name handling, case policy, and root boundary
|
|
133
150
|
- Null byte, reserved-name, Unicode normalization, namespace prefix, alternate data stream, symlink, reparse-point, traversal, race, atomic write, durability, permission, copy, delete, scan, and cleanup decisions
|
|
151
|
+
- Clone, checkout, scaffold, install, extraction, preflight, staging, promotion, path-length, collision, failure-taxonomy, and diagnostic-preservation decisions
|
|
152
|
+
- Host-setting prerequisites reported or deferred
|
|
134
153
|
- Windows/POSIX assumptions and skipped platform checks
|
|
135
154
|
- Tests or fixtures added or reused
|
|
136
155
|
- Command intents run
|
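Review bot: The output bullet added at new line 151 does not cover everything the matching postcondition at new line 113 requires. The postcondition lists byte-limit and symlink-stub policies, but line 151 names only "path-length, collision" and the existing line 150 names "symlink" without the stub case. A report can therefore satisfy the Output Format while leaving those two postconditions unstated. Add byte-limit and symlink-stub to line 151 so the output checklist and the postcondition enumerate the same decisions.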