# ColdFusion Rules

Apply only to CFML projects.

Skill routing:
- For CFML implementation, debugging, page bootstrap, MVC migration, xgrid, configuration, security remediation, logs, or CFML review, use `mcp-coldfusion-developer`.
- For ticket + docs + commits + DB + logs reconstruction, use `mcp-technical-analyst` as primary and `mcp-coldfusion-developer` as sidecar.
- For multi-phase execution with code, DB, browser validation, docs, or ticket handoff, use `mcp-master-orchestrator` as primary and `mcp-coldfusion-developer` for the CFML implementation phase.

Coding:
- New logic in `cfscript`; tag syntax only for `.cfm` views.
- Methods: explicit `access`, `returntype`, argument `type`.
- Scope method variables with `local.`; avoid legacy app-scoped prefixes unless required.
- Encode UI output with context-appropriate `EncodeForHTML`, `EncodeForJavascript`, or `EncodeForHTMLAttribute`.
- Never commit `<cfdump>`, `<cfabort>`, debug variables, or temporary exits.
- SQL: no `SELECT *`; use `<cfqueryparam cfsqltype="...">` matching DB column. In Query-of-Queries, bracket scope names.
- Encoding: `.cfc`/`.cfm` must be UTF-8 with BOM; all other files UTF-8 without BOM.

MCP:
- `cf_bridge.evaluate`: passive inspection only; no `cfhttp`, file writes, or DB mutations.
- `cf_bridge.datasources`: verify datasource names before writing queries.
- `logs_list`/`logs_read`: diagnose runtime errors from CF logs.

Verification:
- For audit/review/regression/post-rebase, run `lint_code` read-only first.
- Use `lint_code fix:true` only after remediation is in scope or explicitly requested.
- Report BOM/encoding lint issues found during verification before mutating files.
- For workflow/state-machine changes, verify both transition definitions and runtime selection logic.
