mustflow 2.99.2 → 2.103.10

Files changed (53) hide show
  1. package/dist/cli/commands/run.js +11 -0
  2. package/dist/cli/commands/skill.js +76 -2
  3. package/dist/cli/i18n/en.js +2 -0
  4. package/dist/cli/i18n/es.js +2 -0
  5. package/dist/cli/i18n/fr.js +2 -0
  6. package/dist/cli/i18n/hi.js +2 -0
  7. package/dist/cli/i18n/ko.js +2 -0
  8. package/dist/cli/i18n/zh.js +2 -0
  9. package/dist/cli/lib/external-skill-import.js +455 -0
  10. package/dist/cli/lib/local-index/index.js +5 -1
  11. package/dist/cli/lib/local-index/sql.js +9 -1
  12. package/dist/cli/lib/run-plan.js +37 -0
  13. package/dist/core/change-impact.js +16 -0
  14. package/dist/core/code-outline.js +3 -13
  15. package/dist/core/config-chain.js +3 -13
  16. package/dist/core/dependency-graph.js +3 -13
  17. package/dist/core/docs-link-integrity.js +23 -4
  18. package/dist/core/env-contract.js +3 -13
  19. package/dist/core/export-diff.js +3 -3
  20. package/dist/core/ignored-directories.js +40 -0
  21. package/dist/core/public-json-contracts.js +16 -0
  22. package/dist/core/reference-drift.js +4 -2
  23. package/dist/core/related-files.js +3 -13
  24. package/dist/core/repo-merge-conflict-scan.js +3 -9
  25. package/dist/core/route-outline.js +3 -13
  26. package/dist/core/script-pack-suggestions.js +23 -12
  27. package/dist/core/secret-risk-scan.js +3 -13
  28. package/dist/core/skill-route-resolution.js +74 -6
  29. package/package.json +2 -2
  30. package/schemas/README.md +3 -0
  31. package/schemas/link-integrity-report.schema.json +1 -0
  32. package/schemas/reference-drift-report.schema.json +1 -0
  33. package/schemas/skill-import-report.schema.json +97 -0
  34. package/templates/default/i18n.toml +52 -10
  35. package/templates/default/locales/en/.mustflow/skills/INDEX.md +22 -2
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +30 -7
  37. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +12 -6
  38. package/templates/default/locales/en/.mustflow/skills/c-code-change/SKILL.md +371 -0
  39. package/templates/default/locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md +53 -14
  40. package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +26 -3
  41. package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +74 -24
  42. package/templates/default/locales/en/.mustflow/skills/docs-prose-review/SKILL.md +36 -10
  43. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +27 -3
  44. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +20 -15
  45. package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +37 -21
  46. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +22 -7
  47. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +21 -19
  48. package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +324 -0
  49. package/templates/default/locales/en/.mustflow/skills/routes.toml +24 -0
  50. package/templates/default/locales/en/.mustflow/skills/shell-code-change/SKILL.md +279 -0
  51. package/templates/default/locales/en/.mustflow/skills/structured-config-change/SKILL.md +170 -0
  52. package/templates/default/locales/en/.mustflow/skills/vertical-slice-tdd/SKILL.md +22 -8
  53. package/templates/default/manifest.toml +29 -1
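--- a/package/schemas/skill-import-report.schema.json
+++ b/package/schemas/skill-import-report.schema.json
@@ -0,0 +1,97 @@
+ {
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://mustflow.github.io/schemas/skill-import-report.schema.json",
+ "title": "mustflow skill import report",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "schema_version",
+ "kind",
+ "command",
+ "action",
+ "ok",
+ "mode",
+ "status",
+ "source",
+ "target",
+ "files",
+ "warnings",
+ "issues",
+ "wrote_files"
+ ],
+ "properties": {
+ "schema_version": { "const": "1" },
+ "kind": { "const": "skill_import_report" },
+ "command": { "const": "skill" },
+ "action": { "const": "import" },
+ "ok": { "type": "boolean" },
+ "mode": { "type": "string", "enum": ["dry_run", "install"] },
+ "status": { "type": "string", "enum": ["preview", "installed", "rejected"] },
+ "source": {
+ "oneOf": [
+ { "$ref": "#/$defs/source" },
+ { "type": "null" }
+ ]
+ },
+ "target": {
+ "oneOf": [
+ { "$ref": "#/$defs/target" },
+ { "type": "null" }
+ ]
+ },
+ "files": {
+ "type": "array",
+ "items": { "$ref": "#/$defs/file" }
+ },
+ "warnings": {
+ "type": "array",
+ "items": { "type": "string" }
+ },
+ "issues": {
+ "type": "array",
+ "items": { "type": "string" }
+ },
+ "wrote_files": { "type": "boolean" }
+ },
+ "$defs": {
+ "source": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["input_url", "host", "owner", "repo", "ref", "skill_path", "source_url"],
+ "properties": {
+ "input_url": { "type": "string" },
+ "host": { "type": "string", "enum": ["github.com", "raw.githubusercontent.com"] },
+ "owner": { "type": "string" },
+ "repo": { "type": "string" },
+ "ref": { "type": "string" },
+ "skill_path": { "type": "string" },
+ "source_url": { "type": "string" }
+ }
+ },
+ "target": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["root", "skill_name", "skill_dir", "provenance_path"],
+ "properties": {
+ "root": { "const": ".mustflow/external-skills" },
+ "skill_name": { "type": "string", "pattern": "^[a-z0-9]+(?:-[a-z0-9]+)*$" },
+ "skill_dir": { "type": "string", "pattern": "^\\.mustflow/external-skills/[a-z0-9]+(?:-[a-z0-9]+)*$" },
+ "provenance_path": {
+ "type": "string",
+ "pattern": "^\\.mustflow/external-skills/[a-z0-9]+(?:-[a-z0-9]+)*/mustflow-skill-source\\.json$"
+ }
+ }
+ },
+ "file": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["relative_path", "kind", "bytes", "sha256"],
+ "properties": {
+ "relative_path": { "type": "string" },
+ "kind": { "type": "string", "enum": ["skill", "asset", "reference", "script"] },
+ "bytes": { "type": "integer", "minimum": 0 },
+ "sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }
+ }
+ }
+ }
+ }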
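Review bot: `$defs.file.relative_path` is a bare `{ "type": "string" }`, so a report listing `..` segments, an absolute path or backslashes still validates, even though `target.skill_dir` and `target.provenance_path` in the same schema are pinned under `.mustflow/external-skills/`. A consumer that audits or replays an import of remote content would want the same guarantee per file, for example `"relative_path": { "type": "string", "pattern": "^(?!.*(?:^|/)\\.\\.(?:/|$))[^/\\\\][^\\\\]*$" }`. The importer (`package/dist/cli/lib/external-skill-import.js` in the file list) is not shown in this section, so whether it already rejects such paths before writing cannot be confirmed here, and the schema should not be the only check. `source.ref` is also an unconstrained string, which presumably admits a mutable branch name; if the provenance record is meant to be reproducible, recording the resolved commit id next to it would let the `sha256` entries be re-verified later.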
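--- a/package/templates/default/i18n.toml
+++ b/package/templates/default/i18n.toml
@@ -62,7 +62,7 @@ translations = {}
  [documents."skills.index"]
  source = "locales/en/.mustflow/skills/INDEX.md"
  source_locale = "en"
- revision = 183
+ revision = 188
  translations = {}
 
  [documents."skill.adapter-boundary"]
@@ -116,7 +116,7 @@ translations = {}
  [documents."skill.ai-generated-code-hardening"]
  source = "locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md"
  source_locale = "en"
- revision = 2
+ revision = 3
  translations = {}
 
  [documents."skill.quality-gaming-guard"]
@@ -194,13 +194,13 @@ translations = {}
  [documents."skill.hot-path-performance-review"]
  source = "locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md"
  source_locale = "en"
- revision = 1
+ revision = 2
  translations = {}
 
  [documents."skill.api-request-performance-review"]
  source = "locales/en/.mustflow/skills/api-request-performance-review/SKILL.md"
  source_locale = "en"
- revision = 1
+ revision = 2
  translations = {}
 
  [documents."skill.api-failure-triage"]
@@ -326,7 +326,7 @@ translations = {}
  [documents."skill.quadratic-scan-review"]
  source = "locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md"
  source_locale = "en"
- revision = 1
+ revision = 2
  translations = {}
 
  [documents."skill.type-state-modeling-review"]
@@ -556,12 +556,24 @@ source_locale = "en"
  revision = 4
  translations = {}
 
+ [documents."skill.clarifying-question-gate"]
+ source = "locales/en/.mustflow/skills/clarifying-question-gate/SKILL.md"
+ source_locale = "en"
+ revision = 3
+ translations = {}
+
  [documents."skill.heuristic-candidate-selection"]
  source = "locales/en/.mustflow/skills/heuristic-candidate-selection/SKILL.md"
  source_locale = "en"
  revision = 1
  translations = {}
 
+ [documents."skill.idea-triage"]
+ source = "locales/en/.mustflow/skills/idea-triage/SKILL.md"
+ source_locale = "en"
+ revision = 1
+ translations = {}
+
  [documents."skill.astro-code-change"]
  source = "locales/en/.mustflow/skills/astro-code-change/SKILL.md"
  source_locale = "en"
@@ -589,7 +601,7 @@ translations = {}
  [documents."skill.css-code-change"]
  source = "locales/en/.mustflow/skills/css-code-change/SKILL.md"
  source_locale = "en"
- revision = 3
+ revision = 4
  translations = {}
 
  [documents."skill.bun-code-change"]
@@ -604,6 +616,12 @@ source_locale = "en"
  revision = 1
  translations = {}
 
+ [documents."skill.c-code-change"]
+ source = "locales/en/.mustflow/skills/c-code-change/SKILL.md"
+ source_locale = "en"
+ revision = 1
+ translations = {}
+
  [documents."skill.dart-code-change"]
  source = "locales/en/.mustflow/skills/dart-code-change/SKILL.md"
  source_locale = "en"
@@ -643,7 +661,7 @@ translations = {}
  [documents."skill.html-code-change"]
  source = "locales/en/.mustflow/skills/html-code-change/SKILL.md"
  source_locale = "en"
- revision = 3
+ revision = 4
  translations = {}
 
  [documents."skill.javascript-code-change"]
@@ -658,6 +676,12 @@ source_locale = "en"
  revision = 2
  translations = {}
 
+ [documents."skill.react-code-change"]
+ source = "locales/en/.mustflow/skills/react-code-change/SKILL.md"
+ source_locale = "en"
+ revision = 2
+ translations = {}
+
  [documents."skill.python-code-change"]
  source = "locales/en/.mustflow/skills/python-code-change/SKILL.md"
  source_locale = "en"
@@ -670,6 +694,18 @@ source_locale = "en"
  revision = 2
  translations = {}
 
+ [documents."skill.shell-code-change"]
+ source = "locales/en/.mustflow/skills/shell-code-change/SKILL.md"
+ source_locale = "en"
+ revision = 1
+ translations = {}
+
+ [documents."skill.structured-config-change"]
+ source = "locales/en/.mustflow/skills/structured-config-change/SKILL.md"
+ source_locale = "en"
+ revision = 1
+ translations = {}
+
  [documents."skill.rust-code-change"]
  source = "locales/en/.mustflow/skills/rust-code-change/SKILL.md"
  source_locale = "en"
@@ -739,6 +775,12 @@ translations = {}
  [documents."skill.completion-evidence-gate"]
  source = "locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md"
  source_locale = "en"
+ revision = 5
+ translations = {}
+
+ [documents."skill.next-action-menu"]
+ source = "locales/en/.mustflow/skills/next-action-menu/SKILL.md"
+ source_locale = "en"
  revision = 3
  translations = {}
 
@@ -811,7 +853,7 @@ translations = {}
  [documents."skill.docs-prose-review"]
  source = "locales/en/.mustflow/skills/docs-prose-review/SKILL.md"
  source_locale = "en"
- revision = 2
+ revision = 3
  translations = {}
 
  [documents."skill.failure-triage"]
@@ -835,7 +877,7 @@ translations = {}
  [documents."skill.github-contribution-quality-gate"]
  source = "locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md"
  source_locale = "en"
- revision = 2
+ revision = 3
  translations = {}
 
  [documents."skill.facade-pattern"]
@@ -1050,7 +1092,7 @@ translations = {}
  [documents."skill.vertical-slice-tdd"]
  source = "locales/en/.mustflow/skills/vertical-slice-tdd/SKILL.md"
  source_locale = "en"
- revision = 1
+ revision = 2
  translations = {}
 
  [documents."skill.llm-service-ux-review"]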
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 183
5
+ revision: 188
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -222,6 +222,22 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
222
222
  sort, Unicode normalization, grapheme-safe truncation, RTL or bidi text, font fallback, pseudo
223
223
  localization, SSR locale, fallback, backend error-code mapping, rich text, export, share, or
224
224
  notification surface review instead of a visible JSX text scan.
225
+ - Use `react-code-change` as a primary route when React, React DOM, React Server Components,
226
+ Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent
227
+ rendering, SSR streaming, resource hints, package metadata, or React-related tests are created,
228
+ changed, reviewed, or upgraded.
229
+ - Use `c-code-change` as a primary route when C source, C-owned headers, native C build metadata,
230
+ compiler dialects, C standard-version support, C ABI surfaces, generated C bindings, FFI,
231
+ memory ownership, pointer lifetime, undefined behavior, sanitizer setup, performance-sensitive
232
+ C paths, tests, or benchmarks are created, changed, reviewed, or upgraded.
233
+ - Use `shell-code-change` as a primary route when POSIX sh, Bash, shell scripts, shebangs,
234
+ GitHub Actions `run` blocks, package script shell snippets, grep/sed/awk/find/xargs pipelines,
235
+ shell quoting, word splitting, globbing, traps, exit-status handling, or shell
236
+ portability/security behavior are created, changed, reviewed, or upgraded.
237
+ - Use `structured-config-change` as a primary route when YAML, TOML, JSON-adjacent config,
238
+ Markdown frontmatter, schema-backed config, or GitHub Actions workflow structure outside shell
239
+ `run` blocks needs parser-dialect, schema, defaulting, normalization, or provider-semantics
240
+ review.
225
241
  - Use `cache-integrity-review` as an adjunct when cache correctness, key truth, stale data spread,
226
242
  invalidation, negative caching, Redis and HTTP cache semantics, permission-cache revocation, or
227
243
  cache-outage fallback can mislead users, leak data, or overload source systems.
@@ -459,6 +475,8 @@ routes. Event routes stay inactive until their event occurs.
459
475
  | Backend APIs, workers, jobs, queues, caches, database write paths, external service calls, health checks, observability, feature flags, idempotency, retries, outbox/inbox processing, or operational failure handling are created, changed, reviewed, or reported | `.mustflow/skills/backend-reliability-change/SKILL.md` | Backend surface, trigger shape, idempotency boundary, external-call deadline and retry policy, persistence and transaction boundary, queue/cache behavior, observability fields, rollout gate, and command contract entries | Handlers, services, workers, retry policy, timeout policy, idempotency storage, outbox/inbox code, cache boundaries, health endpoints, observability fields, flags, tests, docs, and directly synchronized templates | duplicate side effects, retry storm, unbounded wait, DB uniqueness race, cache stampede, stale cache authority, poison message loop, missing outbox/inbox, raw ORM response, object-level authorization bypass, high-cardinality telemetry, secret or personal-data log leak, broken liveness/readiness, or missing kill switch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Backend surface, idempotency and retry/timeout decisions, queue/cache/database notes, health-probe split, observability and auth/DTO notes, rollout gate, verification, and remaining backend reliability risk |
460
476
  | HTTP delivery, content coding, compression negotiation, CDN or proxy cache behavior, streaming responses, SSE, EventSource, WebTransport, WebSocket fallback, HTTP/2 or HTTP/3 transport behavior, browser transport clients, reverse-proxy buffering, reconnect behavior, or delivery observability is created, changed, reviewed, or reported | `.mustflow/skills/http-delivery-streaming/SKILL.md` | Delivery surface, routes or assets, headers, cache and proxy/CDN path, browser/API clients, fallback behavior, streaming lifecycle, compression or dictionary choice, and observability fields | Route handlers, response headers, CDN/proxy config, browser transport code, streaming adapters, fallback clients, docs, tests, and directly synchronized templates | wrong content decoding, cache poisoning, private data cached publicly, proxy buffering, lost events, reconnect gaps, unsupported transport, unreliable datagram misuse, false compression win, or fallback failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Delivery ledger, negotiated encodings, cache/proxy behavior, stream/reconnect/fallback behavior, verification, and remaining delivery risk |
461
477
  | C++ source, headers, modules, native build metadata, toolchains, package managers, public headers, shared or static libraries, ABI surfaces, generated bindings, FFI, tests, or benchmarks are created or changed | `.mustflow/skills/cpp-code-change/SKILL.md` | Owning target, compilation identity, build front door, changed consumed surface, public API/ABI/FFI/binding surfaces, ownership and lifetime contracts, and command contract entries | C++ source, headers, modules, build metadata, package metadata, generated bindings, FFI code, tests, benchmarks, and directly synchronized docs | target drift, source API break, binary ABI break, undefined behavior, lifetime bug, build-graph drift, generated-binding drift, FFI memory bug, unverified modern C++ feature, or false performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Owning target, compilation identity, highest compatibility risk, ownership/lifetime/UB/concurrency notes, public API/ABI/FFI/binding impact, verification, and remaining C++ risk |
478
+ | C source, C-owned headers, native C build metadata, compiler dialect, C standard version, public C headers, shared or static libraries, ABI surfaces, generated C bindings, FFI, memory ownership, pointer lifetime, undefined behavior, sanitizer configuration, performance-sensitive C paths, tests, or benchmarks are created or changed | `.mustflow/skills/c-code-change/SKILL.md` | Owning target, C standard or dialect, compiler, libc, build front door, changed consumed surface, public API/ABI/FFI/binding surfaces, ownership, pointer provenance, sanitizer, and command contract entries | C source, C headers, build metadata, package metadata, generated bindings, FFI code, tests, benchmarks, warning and sanitizer policy, and directly synchronized docs | target drift, C23 support overclaim, source API break, binary ABI break, pointer provenance bug, lifetime bug, allocation overflow, strict-aliasing violation, sanitizer gap, generated-binding drift, FFI memory bug, unverified performance claim, or portable-release flag break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Owning target, C standard/dialect/compiler/libc identity, highest compatibility risk, ownership/lifetime/provenance/UB/concurrency/performance notes, public API/ABI/FFI/binding impact, verification, and remaining C risk |
479
+ | POSIX sh, Bash, shell scripts, shebangs, GitHub Actions `run` blocks, package script shell snippets, grep/sed/awk/find/xargs pipelines, shell quoting, word splitting, globbing, traps, exit-status handling, portability, or shell security behavior are created or changed | `.mustflow/skills/shell-code-change/SKILL.md` | Effective shell, dialect target, invocation path, parser and expansion ledger, dynamic input boundaries, file and stream boundary, cleanup and failure expectations, changed files, and command contract entries | Shell scripts, CI run blocks, package or Make shell snippets, docs examples, shell tests, path-processing pipelines, and directly synchronized docs | sh/Bash dialect drift, hidden CI shell default, word-splitting or globbing bug, newline-unsafe filename flow, `set -e` or pipeline false green, GNU/BSD/BusyBox portability break, GitHub Actions expression injection, secret leak, destructive glob, temp-file race, or CRLF shebang failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check`, `line_endings_check` | Shell execution and dialect boundary, parser/expansion utility ledger, POSIX/Bash/GNU/BSD/BusyBox/GitHub Actions decisions, quoting/status/file/temp/security verification, and remaining shell risk |
462
480
  | Node.js runtime code, package manager ownership, module format, package entry metadata, native dependencies, Node test runner behavior, TypeScript execution mode, or deployment runtime support is created or changed | `.mustflow/skills/node-code-change/SKILL.md` | Node version signals, package manager and lockfile owner, module/package metadata, TypeScript loader, test runner, native dependency, deployment target, and command contract entries | Node runtime code, package metadata, lockfiles, scripts, CI or Docker runtime declarations, test runner config, native dependency handling, docs examples, and directly synchronized package surfaces | newest-Node assumption, package manager drift, ESM/CJS break, blocked deep import, native dependency break, Node native TypeScript overclaim, test runner migration risk, deployment mismatch, or permission-model overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Runtime and package manager decision, module/package entry notes, TypeScript/test runner notes, native/deployment risks, verification, and remaining Node.js risk |
463
481
  | Bun runtime code, Bun package manager behavior, `bun.lock`, `bunfig.toml`, Bun test runner behavior, Bun bundling, Bun TypeScript execution, or Bun-specific APIs are created or changed | `.mustflow/skills/bun-code-change/SKILL.md` | Bun role signals, `package.json`, Bun and non-Bun lockfiles, `bunfig.toml`, CI/Docker Bun setup, TypeScript config, Bun APIs, native dependency signals, and command contract entries | Bun runtime code, Bun package manager metadata, lockfiles, `bunfig.toml`, scripts, tests, bundler config, TypeScript/declaration pipeline, package metadata, and directly synchronized docs | Bun role confusion, lockfile drift, trusted dependency overgrant, runtime/package-manager conflation, Bun TypeScript typecheck overclaim, Bun build declaration gap, Node compatibility break, shebang mismatch, or native binary break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Bun role classification, lockfile/trust notes, runtime/type/build/test notes, Node compatibility risks, verification, and remaining Bun risk |
464
482
  | Dockerfiles, `.dockerignore`, Docker Compose files, BuildKit or buildx behavior, container image metadata, tags, entrypoints, health checks, Docker CI workflows, image security scanning, SBOM or provenance settings, registry publishing, or container runtime validation are created or changed | `.mustflow/skills/docker-code-change/SKILL.md` | Docker surfaces, project image shape, base image and platform signals, build context and cache signals, runtime contract, security and supply-chain contract, and command contract entries | Dockerfiles, `.dockerignore`, Compose files, container CI workflow snippets, image metadata, package tests, docs examples, template metadata, and directly synchronized skill routes | cache breakage, secret leak, root runtime, host access escape, dev dependency in final image, mutable tag drift, untrusted CI publish, missing SBOM/provenance, unverified runtime, or false production-readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker surface classification, image/base/cache/stage decisions, secret/user/runtime/Compose/CI supply-chain notes, verification, and remaining Docker risk |
@@ -500,7 +518,7 @@ routes. Event routes stay inactive until their event occurs.
500
518
  | Release notes, changelog entries, public change summaries, release preparation copy, or package release wording are drafted or revised | `.mustflow/skills/release-notes-authoring/SKILL.md` | User-provided change summary, current diff summary, release audience, public surfaces, version source, and command contract entries | Release notes, changelog entries, release preparation notes, and directly synchronized docs or package metadata | invented release history, inflated public claims, internal noise, stale version or migration notes, or unverified release evidence | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release audience, categorized notes, excluded internal changes, version or migration checks, verification, skipped release-history checks, and remaining release-note risk |
501
519
  | Release publishing, package registry publication, remote release channels, Git tags, GitHub Releases, release assets, npm, PyPI, crates.io, Go modules, Docker images, Homebrew formulae or casks, app updater metadata, version bump decisions, artifact inspection, post-publish smoke tests, rollback or yanking plans, or user installation paths are created, changed, reviewed, or reported | `.mustflow/skills/release-publish-change/SKILL.md` | Release target, version, channel, package name, module path, image name, tag, artifact names, expected assets, public contract source, artifact inspection method, remote publication surface, recovery model, and command contract entries | Version metadata, release workflows, package manifests, artifact manifests, changelog or release-preparation docs, package tests, install-smoke expectations, release validation tests, and installed-template metadata | local-only release claim, wrong version bump, stale artifact, registry overwrite assumption, missing asset, bad checksum or signature, moved Go tag, unverified Docker digest, updater metadata breakage, missing user-path smoke test, or false rollback claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Release target, version and channel, public API classification, artifact inspection evidence, remote publication state, user-path smoke result, synchronized surfaces, recovery classification, verification, and remaining release-publish risk |
502
520
  | Search-friendly ad-supported articles, blog posts, guides, reviews, comparisons, FAQs, or evergreen content are planned, written, edited, reviewed, or reported | `.mustflow/skills/search-ad-content-authoring/SKILL.md` | Search intent, reader task, content type, source freshness needs, monetization constraints, article draft or outline, and command contract entries | Article outlines, headings, paragraphs, tables, lists, FAQs, images, links, disclosures, content docs, templates, tests, and reports | keyword stuffing, thin filler, misleading ad adjacency, stale policy or ranking claims, unsupported revenue claims, accessibility or layout instability, or copied competitor content | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Search intent, outline shape, content structure checks, source freshness, ad layout and trust checks, omitted or verified claims, verification, and remaining content risk |
503
- | Documentation review queue entries need prose cleanup | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, reviewer metadata | Selected documentation file and review ledger entry | meaning drift or stale queue state | `docs_validate`, `mustflow_check` | Prose changes, recorded review status, verification notes |
521
+ | Documentation review queue entries or selected docs need prose cleanup for LLM-like wording, AI-slop signals, low-specificity boilerplate, literal translation, unnatural tone, Korean technical translationese, or domain-term drift | `.mustflow/skills/docs-prose-review/SKILL.md` | Review queue entry or selected document path, review comment if present, target language, audience or genre, domain terminology, reviewer metadata | Selected documentation file and review ledger entry | meaning drift, fake authorship attribution, invented evidence, over-editing, or stale queue state | `docs_validate`, `mustflow_check` | Prose issues fixed, preserved technical meaning, recorded review status, verification notes |
504
522
  | Documentation changes affect public or workflow docs | `.mustflow/skills/docs-update/SKILL.md` | Changed behavior or field | Relevant docs only | stale public docs | `docs_validate_fast`, `docs_validate`, `mustflow_check` | Doc changes and skipped checks |
505
523
 
506
524
  ### Security and Privacy
@@ -568,6 +586,7 @@ routes. Event routes stay inactive until their event occurs.
568
586
  | UnoCSS config, presets, extraction, shortcuts, rules, variants, safelist, blocklist, attributify, transformers, or utility usage are created or changed | `.mustflow/skills/unocss-code-change/SKILL.md` | UnoCSS config, presets, extraction rules, shortcuts, safelist, blocklist, changed files, and command contract entries | UnoCSS config, utility usage, rules, shortcuts, safelist, blocklist, tests, and docs examples | extractor miss, runtime-only utility, safelist explosion, unbounded shortcut, or production CSS loss | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Extraction, safelist, shortcut, variant, and production CSS boundary checked, verification, and remaining UnoCSS risk |
569
587
  | Flutter widgets, screens, routing, state management, async UI, platform channels, assets, responsive layout, accessibility, or Flutter tests are created or changed | `.mustflow/skills/flutter-code-change/SKILL.md` | App root, route config, widget tree, state owner, platform files, assets, changed files, and command contract entries | Flutter widgets, routes, state, platform channels, assets, tests, and docs examples | impure build, lifecycle leak, navigation drift, layout breakage, inaccessible UI, or platform boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | State, lifecycle, layout, accessibility, platform, and asset boundary checked, verification, and remaining Flutter risk |
570
588
  | Astro config, package metadata, pages, layouts, components, islands, hydration directives, content collections, routes, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdown processing, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown processor, layouts, content schema, components, adapter config, changed files, and command contract entries | Astro pages, layouts, islands, content collections, adapters, request pipeline, route cache, Markdown, tests, and docs examples | unnecessary hydration, build/runtime data mix, route URL drift, request pipeline omission, cache data exposure, Markdown drift, content schema drift, or adapter mismatch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, request pipeline, cache, Markdown, content, hydration, and adapter boundary checked, verification, and remaining Astro risk |
589
+ | React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/react-code-change/SKILL.md` | React package evidence, effective React support range, compiler and lint evidence, rendering boundary, state and mutation evidence, changed files, and command contract entries | React source, tests, package metadata, framework config, SSR or RSC boundaries, docs examples, and directly synchronized compatibility surfaces | stale React version claim, CRA reintroduction, React 19 API in React 18-compatible package, effect dependency suppression, memoization folklore, compiler mismatch, context rerender drift, ref compatibility break, Suspense misuse, Action rollback gap, RSC or Server Action boundary confusion, unsafe resource hints, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | React version, compiler, lint, effect, state, memoization, context, ref, form, Suspense, SSR/RSC, resource, verification, and compatibility risks checked |
571
590
  | Svelte or SvelteKit components, routes, load functions, server actions, stores, runes, SSR boundaries, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, stores/runes, hooks, app types, changed files, and command contract entries | Svelte components, routes, load/actions, stores, SSR/client boundaries, tests, and docs examples | SSR/client leakage, browser global crash, state owner drift, form degradation, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, state, form, and accessibility boundary checked, verification, and remaining Svelte risk |
572
591
  | Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |
573
592
 
@@ -603,6 +622,7 @@ routes. Event routes stay inactive until their event occurs.
603
622
  | A Codex or Hermes local session ID needs read-only reference for task evidence, restart context, failure diagnosis, or continuation planning across agent applications | `.mustflow/skills/cross-agent-session-reference/SKILL.md` | Session ID, source app evidence, current repository root, user goal, redaction requirements, available official session tools or read-only local storage evidence | Bounded session evidence summaries, continuation prompts, current-repository follow-up work, and directly synchronized reports only | foreign session mutation, transcript-as-authority drift, secret exposure, unrelated history dump, stale storage schema, or dispatching work into another app | `changes_status`, `changes_diff_summary`, `mustflow_check` | Source application confidence, read-only access method, extracted evidence, redactions, current verification, next safe action or ambiguity, and remaining stale-session or privacy risk |
604
623
  | Declared behavior must stay aligned across code, schemas, templates, tests, and docs | `.mustflow/skills/contract-sync-check/SKILL.md` | Changed files, intended behavior, source of truth, derived surfaces, and command contract entries | Contract source and required synchronized surfaces | contract drift | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Contract source, synchronized surfaces, deferred surfaces, verification, and drift risk |
605
624
  | `.mustflow/config/commands.toml` command intents, resources, effects, timeouts, output limits, environment policies, lifecycle values, run policies, command-selection metadata, CI/CD reproducibility rules, build/test/migration/deploy verification handoffs, or health-check command surfaces are created, changed, reviewed, or removed | `.mustflow/skills/command-contract-authoring/SKILL.md` | Command goal, current command contract, expected reads and writes, side effects, locks, timeout, output, environment, stdin, dashboard or platform setting dependency, and verification entries | Command contract, template command contracts, workflow docs, skills, tests, and directly synchronized public docs | accidental command authority, inferred command, dashboard-only source of truth, unreproducible deployment, unbounded side effect, missing lock, secret exposure, or long-running command approval | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Intent authority decision, side-effect model, environment and timeout boundary, CI/CD reproducibility boundary, synchronized surfaces, verification, and remaining command-contract risk |
625
+ | YAML, TOML, JSON-adjacent config, Markdown frontmatter, schema-backed config, GitHub Actions workflow structure outside shell `run` blocks, parser dialects, duplicate keys, implicit typing, multiline scalars, dotted keys, array-of-tables, defaults, normalization, or config validation fixtures are created, changed, reviewed, or reported | `.mustflow/skills/structured-config-change/SKILL.md` | Target files, consuming parser or provider, dialect support, schema and validation surfaces, merge/defaulting model, GitHub Actions workflow shape when relevant, generated or source-owned status, and command contract entries | Structured config files, schemas, schema associations, validation fixtures, normalized-output tests, docs examples, template copies, route metadata, manifest entries, and directly synchronized tests | YAML 1.1/1.2 scalar drift, TOML 1.0/1.1 incompatibility, duplicate key loss, null/empty/missing confusion, mapping-order assumption, block-scalar newline drift, unsafe YAML tag, GitHub Actions trigger/filter/permission drift, schema default overclaim, formatter semantic rewrite, or generated-output hand edit | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Config surface and parser/provider, dialect decision, parse/data-model/schema/semantic layers, YAML/TOML/GitHub Actions decisions, fixture and normalization coverage, verification, and remaining structured-config risk |
606
626
  | External instructions, docs, AI output, snippets, issues, pull requests, scanner output, installer steps, scripts, tutorials, or reports propose commands to run, preserve, recommend, or document | `.mustflow/skills/command-intent-mapping-gate/SKILL.md` | Proposed command text, source, intended purpose, command contract entries, side-effect class, destination surface, and configured/manual/missing status | Docs, skills, templates, tests, examples, final reports, handoffs, and command-contract proposals that mention command execution | command laundering, raw external command authority, undeclared install/deploy/migration/release step, long-running process, approval bypass, or false verification claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Proposed commands reviewed, mapped to configured intents or marked manual/missing/omitted, raw command authority removed, verification, and remaining command-contract risk |
607
627
  | Public JSON, JSONL, schema-backed reports, machine-readable stdout or stderr, exit-code semantics tied to JSON, compatibility fixtures, or documented automation-facing JSON contracts are created, changed, reviewed, or reported | `.mustflow/skills/public-json-contract-change/SKILL.md` | Affected command or report, output modes, stream split, exit-code expectations, schemas, fixtures, docs examples, compatibility policy, consumers, and command contract entries | JSON producer code, schemas, fixtures, docs examples, package metadata, templates, and tests | broken automation, schema drift, stream pollution, exit-code drift, stale backcompat fixture, or hidden breaking change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | JSON contract source, compatibility classification, synchronized schemas/fixtures/docs/tests/templates, backcompat coverage, verification, and remaining JSON risk |
608
628
  | CLI text output, JSON output, exit codes, error messages, warnings, deprecations, help text, command aliases, schema-backed reports, or automation-facing command behavior are created, changed, reviewed, or reported | `.mustflow/skills/cli-output-contract-review/SKILL.md` | Affected command, output modes, exit-code expectations, docs examples, schemas, fixtures, consumers, and command contract entries | CLI output code, schemas, fixtures, docs, README examples, package tests, templates, and reports | broken automation, misleading success, schema drift, undocumented deprecation, stale example, or incompatible output change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Output surfaces reviewed, status and exit-code semantics, synchronized schemas/docs/tests/templates, verification, and remaining CLI-output risk |
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.ai-generated-code-hardening
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: ai-generated-code-hardening
9
- description: Apply this skill when AI-generated, assistant-authored, vibe-coded, or broad code changes need evidence-backed hardening against symptom-only fixes, pinpoint hardcoding, duplicate helpers or shapes, hidden coupling, weak tests, swallowed errors, excessive complexity, and boundary drift.
9
+ description: Apply this skill when AI-generated, assistant-authored, vibe-coded, or broad code changes need evidence-backed hardening against symptom-only fixes, pinpoint hardcoding, duplicate helpers or shapes, hidden coupling, fake small-sample performance confidence, weak tests, swallowed errors, excessive complexity, and boundary drift.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -33,8 +33,8 @@ Use this skill to turn agent-written code from "looks plausible" into maintainab
33
33
  repository code. The goal is not style cleanup. The goal is to catch the failure
34
34
  modes that appear when an agent forgets the repository between sessions: symptom-only
35
35
  patches, pinpoint hardcoding, duplicate helpers, duplicate shapes, hidden coupling,
36
- weak tests, swallowed errors, accidental public surfaces, and oversized functions or
37
- files.
36
+ fake confidence from tiny fixtures, hidden repeated work, weak tests, swallowed errors,
37
+ accidental public surfaces, and oversized functions or files.
38
38
 
39
39
  <!-- mustflow-section: use-when -->
40
40
  ## Use When
@@ -51,6 +51,9 @@ files.
51
51
  re-export drift.
52
52
  - Tests were added or changed and may only check strings, function names, snapshots,
53
53
  mocks, or implementation details instead of observable behavior.
54
+ - The code looks clean on sample data but may hide repeated scans, repeated copying,
55
+ repeated I/O, unbounded fan-out, allocation churn, or response-size growth under
56
+ realistic data.
54
57
  - Error handling, fallback paths, defensive guards, or default values were added in
55
58
  multiple callers instead of one boundary.
56
59
  - New or changed functions/files are becoming hard to review because of excessive
@@ -189,7 +192,23 @@ files.
189
192
  - Split a god file only when the new module has a stable owner, direction, and
190
193
  verification path.
191
194
 
192
- 8. Harden tests against fake confidence.
195
+ 8. Check small-sample performance traps.
196
+ - Treat fixture-sized success as weak evidence when the path handles users,
197
+ orders, comments, logs, rows, files, permissions, relations, or rendered list
198
+ items that can grow.
199
+ - Search AI-authored code for `map`, `filter`, `find`, `findIndex`, `includes`,
200
+ `indexOf`, `reduce`, `sort`, `slice`, `splice`, `shift`, spread accumulation,
201
+ `concat`, `cloneDeep`, `JSON.stringify`, `parse`, `validate`, `sanitize`,
202
+ `normalize`, and helper names such as `isAllowed`, `canAccess`, `resolve`,
203
+ `build`, or `format` in repeated paths.
204
+ - Escalate concrete hidden O(N^2), allocation churn, or request fan-out evidence
205
+ to `quadratic-scan-review`, `hot-path-performance-review`, or
206
+ `api-request-performance-review` instead of burying it as style feedback.
207
+ - Do not claim a performance improvement from static review alone. Mark it as
208
+ static complexity risk unless configured tests, query counts, traces, profiles,
209
+ or benchmarks support the claim.
210
+
211
+ 9. Harden tests against fake confidence.
193
212
  - Verify behavior and side effects, not only function names, strings, snapshots,
194
213
  or the presence of files.
195
214
  - For bug fixes, add at least one nearby negative or sibling case when feasible so
@@ -203,7 +222,7 @@ files.
203
222
  - If production code gained defensive fallback only to satisfy a brittle test,
204
223
  fix the test or move the fallback to the owning boundary.
205
224
 
206
- 9. Use enforcement evidence without inventing enforcement.
225
+ 10. Use enforcement evidence without inventing enforcement.
207
226
  - Run existing configured lint, build, and related test intents when they cover
208
227
  the risk.
209
228
  - If the repository lacks dependency-boundary, complexity, max-depth,
@@ -212,7 +231,7 @@ files.
212
231
  - Never paste outside plugin commands, package-manager commands, or CI recipes
213
232
  into mustflow command contracts without command-contract review.
214
233
 
215
- 10. Decide fix now, defer, or report.
234
+ 11. Decide fix now, defer, or report.
216
235
  - Fix now when the issue is in the touched code, small, directly tied to the
217
236
  current behavior, and verifiable with configured commands.
218
237
  - Defer when the issue needs broad architecture work, new dependencies, new CI
@@ -235,6 +254,8 @@ files.
235
254
  duplicated guard/fallback risk is documented.
236
255
  - Tests exercise behavior and meaningful side effects, with edge and failure paths
237
256
  covered where relevant to the change.
257
+ - Sample-data performance confidence has been checked against realistic data-growth,
258
+ repeated-work, allocation, and I/O fan-out risks where relevant.
238
259
 
239
260
  <!-- mustflow-section: verification -->
240
261
  ## Verification
@@ -281,5 +302,7 @@ Include:
281
302
  found or ruled out.
282
303
  - Error-handling and fallback decisions.
283
304
  - Test hardening: behavior assertions, side effects, edge cases, and mock boundary.
305
+ - Small-sample performance traps: hidden repeated scans, copy churn, repeated I/O,
306
+ unbounded fan-out, or response growth fixed, escalated, or reported.
284
307
  - Configured verification intents run and their result.
285
308
  - Deferred enforcement, lint, or CI guard suggestions, clearly marked as not added.
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.api-request-performance-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: api-request-performance-review
@@ -58,8 +58,8 @@ The core question is: "For one request, how many times do we repeat the same I/O
58
58
  - Request path: endpoint, route, handler, controller, resolver, serializer, mapper, middleware, service method, response builder, and downstream calls under review.
59
59
  - Request cost ledger inputs: route span, DB query count, Redis call count, external API call count, filesystem or object-storage calls, payload size, response bytes, JSON serialization time, DTO mapping time, cache hit or miss, queue time, pool acquire wait, transaction duration, lock wait, and request-path CPU work when available.
60
60
  - Data shape: request parameters, page size, relation counts, tenant or user scope, expected result size, maximum payload, large JSON/TEXT/BLOB fields, and response projection.
61
- - ORM behavior: lazy loading, eager loading, generated SQL, relation access in serializers or templates, Django `select_related` and `prefetch_related`, Rails `includes`, `preload`, `eager_load`, and `strict_loading`, or equivalent framework behavior.
62
- - Database evidence when available: `SELECT *`, app-side filtering or sorting, deep `OFFSET`, `COUNT(*)`, index fit for `WHERE` plus `ORDER BY` plus `LIMIT`, `EXPLAIN`, estimated rows, actual rows, join cardinality, and selectivity.
61
+ - ORM behavior: lazy loading, eager loading, generated SQL, relation access in serializers or templates, `include` versus explicit `select`, relation load strategy, Django `select_related` and `prefetch_related`, Rails `includes`, `preload`, `eager_load`, and `strict_loading`, or equivalent framework behavior.
62
+ - Database evidence when available: actual SQL, query count, repeated `SELECT ... WHERE id = ?`, `SELECT *`, app-side filtering or sorting, deep `OFFSET`, `COUNT(*)`, index fit for `WHERE` plus `ORDER BY` plus `LIMIT`, `EXPLAIN`, scan type, sort method, estimated rows, actual rows, join cardinality, and selectivity.
63
63
  - Cache and Redis evidence: request-scope cache, key dimensions, cache miss path, `MGET`, pipeline behavior, Redis round trips, Redis Slow Log limitations, hot keys, fallback behavior, and stampede controls.
64
64
  - Correctness boundaries: authorization, tenant isolation, ordering, duplicates, pagination stability, consistency, idempotency, timeout, cancellation, partial failure, stale data, and response contract.
65
65
  - Relevant command-intent contract entries for build, tests, docs, release checks, and mustflow validation.
@@ -98,6 +98,8 @@ The core question is: "For one request, how many times do we repeat the same I/O
98
98
  - In Django, choose `select_related` for single-valued relations and `prefetch_related` for multi-valued relations when the route actually needs them.
99
99
  - In Rails, compare `includes`, `preload`, `eager_load`, and `strict_loading`; use strict loading or query-count tests where local patterns support them.
100
100
  - Treat eager loading too much as a separate bug. It can replace N+1 with row explosion, duplicate parents, memory bloat, or huge response mapping.
101
+ - For Prisma-style APIs, do not trust `include` as a performance proof. Compare actual SQL, query count, selected columns, relation load strategy, and response shape.
102
+ - Treat repeated `count`, `exists`, `sum`, `latest`, or `first` queries in list serialization as N+1 candidates; prefer grouped aggregation, batched lookup, or database-side projection when semantics match.
101
103
  5. Check query projection and response projection together.
102
104
  - Flag `SELECT *`, full entity hydration, unbounded DTOs, and list endpoints that fetch large JSON, TEXT, BLOB, image, metadata, audit, or internal columns.
103
105
  - Fetch detail fields only after narrowing the row set when the route returns a list, feed, search result, or admin table.
@@ -111,7 +113,10 @@ The core question is: "For one request, how many times do we repeat the same I/O
111
113
  - Expensive `COUNT(*)` for every request needs a product reason, approximate or cached count policy, or deferred count behavior.
112
114
  8. Match indexes to the whole request query.
113
115
  - Check `WHERE`, `ORDER BY`, and `LIMIT` together instead of asking only whether one predicate has an index.
114
- - Functions around columns, implicit casts, `LOWER(email)`, `DATE(created_at)`, timezone conversion, `%keyword%`, low-selectivity predicates, and mismatched sort order can defeat useful index access.
116
+ - Prefer query-shaped index review over column-name index decoration: composite indexes often need equality predicates first, range or ordering columns next, and stable tie-breakers for pagination.
117
+ - Functions around columns, implicit casts, `LOWER(email)`, `DATE(created_at)`, timezone conversion, `%keyword%`, low-selectivity predicates, and mismatched sort order can defeat useful index access. Expression indexes, range predicates, or search-specific indexes may be needed when the database owns that capability.
118
+ - For soft-delete, tenant, status, or visibility predicates that appear on nearly every request, review partial or filtered indexes where the database supports them.
119
+ - For list projections, check whether a covering or index-only access path is possible before fetching large JSON, TEXT, BLOB, HTML, metadata, or audit columns.
115
120
  - When plan evidence exists, compare `EXPLAIN` estimated rows with actual rows, join cardinality, loops, rows examined, rows returned, buffers, temp files, sort method, and lock or pool wait.
116
121
  9. Keep external calls out of transactions.
117
122
  - Do not hold a DB transaction while waiting for an external API, file upload, object storage, Redis fallback, image processing, logging sink, or user-controlled operation.
@@ -140,13 +145,14 @@ The core question is: "For one request, how many times do we repeat the same I/O
140
145
  17. Label evidence honestly.
141
146
  - Static review can identify likely API latency risks but cannot prove speedup.
142
147
  - A trace from a tiny fixture, warm local cache, or empty database is not representative production evidence.
148
+ - If actual SQL, query-count, or query-plan evidence is missing, say so instead of treating tidy ORM code as proof of efficient database behavior.
143
149
 
144
150
  <!-- mustflow-section: postconditions -->
145
151
  ## Postconditions
146
152
 
147
153
  - The API request boundary and Request cost ledger are explicit.
148
154
  - DB query count, Redis call count, external API call count, cache hit or miss behavior, response bytes, serialization cost, transaction scope, pool acquire wait, and request-path CPU work are fixed, bounded, instrumented, or reported.
149
- - ORM lazy loading, eager-loading overfetch, `SELECT *`, app-side filtering or sorting, deep `OFFSET`, expensive `COUNT(*)`, index mismatch, external call inside transaction, Redis loop, and cache miss amplification are checked where relevant.
155
+ - ORM lazy loading, eager-loading overfetch, repeated count or aggregate queries, actual SQL and query count, `SELECT *`, app-side filtering or sorting, deep `OFFSET`, expensive `COUNT(*)`, index mismatch, composite/partial/expression/covering index fit, external call inside transaction, Redis loop, and cache miss amplification are checked where relevant.
150
156
  - Correctness, authorization, tenant isolation, idempotency, ordering, pagination stability, partial failure, cancellation, timeout, and stale-data behavior remain intact or are reported as tradeoffs.
151
157
  - API performance claims are backed by configured evidence, trace evidence, plan evidence, or labeled as static review risk.
152
158
 
@@ -181,7 +187,7 @@ Use the narrowest configured test, build, docs, release, or mustflow intent that
181
187
 
182
188
  - API request path reviewed
183
189
  - Request cost ledger: route span, DB query count, Redis count, external API calls, filesystem or object-storage calls, payload size, response bytes, JSON serialization time, DTO mapping time, cache hit or miss, queue time, pool acquire wait, transaction duration, lock wait, and request-path CPU work
184
- - ORM lazy loading, eager loading, projection, pagination, count, index fit, app-side filtering or sorting, transaction, pool, Redis, cache miss, serialization, response size, CPU-heavy request work, and observability findings
190
+ - ORM lazy loading, eager loading, actual SQL, query count, projection, pagination, count, index fit, app-side filtering or sorting, transaction, pool, Redis, cache miss, serialization, response size, CPU-heavy request work, and observability findings
185
191
  - API request performance change made or recommended
186
192
  - Evidence level: measured trace, configured-test evidence, plan evidence, static review risk, manual-only, missing, or not applicable
187
193
  - Command intents run