@meetless/mla 0.1.4

package/dist/lib/failure-telemetry.js

@@ -0,0 +1,444 @@
+"use strict";
+// Agent-failure telemetry: the central sanitizer, the local deadletter, and the
+// F8 (telemetry-upload-failed) detector. The TS half of the
+// notes/20260608-agent-failure-telemetry-sentry-proposal.md §8 contracts.
+//
+// Three §8 invariants live here:
+//   INV-TELEMETRY-METADATA-CLASSIFICATION  -> sanitizeTelemetry (allowlist, fail closed)
+//   INV-DEADLETTER-SAFETY                  -> appendDeadletter / flushDeadletter (0600, bounded, TTL, backoff)
+//   F8 detector                            -> recordTelemetryUploadFailure
+//
+// The Python twin is intel app/core/telemetry_sanitizer.py + failure_telemetry.py.
+// The two MUST classify the same field names the same way; a field that hashes on
+// one plane and ships raw on the other defeats the whole contract.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FAILURE_KB_WRITE_BLOCKED = exports.FAILURE_TELEMETRY_UPLOAD_FAILED = exports.DEADLETTER_MAX_ATTEMPTS = exports.DEADLETTER_TTL_MS = exports.DEADLETTER_MAX_BYTES = exports.DEADLETTER_MAX_RECORDS = exports.TELEMETRY_SCHEMA_VERSION = void 0;
+exports.hashBasename = hashBasename;
+exports.sanitizeTelemetry = sanitizeTelemetry;
+exports.deadletterPath = deadletterPath;
+exports.appendDeadletter = appendDeadletter;
+exports.loadDeadletter = loadDeadletter;
+exports.isAttemptDue = isAttemptDue;
+exports.flushDeadletter = flushDeadletter;
+exports.recordTelemetryUploadFailure = recordTelemetryUploadFailure;
+exports.recordKbWriteBlocked = recordKbWriteBlocked;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const config_1 = require("./config");
+// Schema version stamped on every deadletter record. Bump when the record shape
+// changes so a post-upgrade replay can drop records it no longer understands
+// (INV-DEADLETTER-SAFETY: schema-versioned).
+exports.TELEMETRY_SCHEMA_VERSION = 1;
+// ---------------------------------------------------------------------------
+// INV-TELEMETRY-METADATA-CLASSIFICATION: the single central sanitizer.
+//
+// One choke point. Every telemetry / deadletter payload passes through this
+// before it leaves the process. The table is an ALLOWLIST: any field not
+// classified here is dropped, so an unclassified field fails closed to
+// "not sent" rather than open to "sent raw" (An, 2026-06-08). The next detector
+// author who adds a field MUST add a row, which is the point.
+// ---------------------------------------------------------------------------
+// Always sent verbatim: low-cardinality enums and the cross-system join keys.
+// workspace_id / session_id are server-resolved identifiers, not free text.
+const ALWAYS_SEND = new Set([
+    "failure_class",
+    "severity",
+    "trace_id",
+    "surface",
+    "workspace_id",
+    "session_id",
+    "schema_version",
+    "release",
+    "mla_version",
+    "platform",
+    "environment",
+    "window",
+    "tool", // tool NAME (e.g. "Bash", "Edit") is low-cardinality, not content
+    "posture",
+    "reason_code",
+    "status", // HTTP status code: low-cardinality integer, never content
+    "http_status",
+    "status_code",
+]);
+// Never sent: content and anything that can carry customer / security context.
+// Full paths and raw text are the canonical leak vectors (§8: a path like
+// customers/acme/security-audit/oauth-migration.ts is itself sensitive).
+const NEVER_SEND = new Set([
+    "full_path",
+    "path",
+    "file_path",
+    "query",
+    "query_text",
+    "answer",
+    "answer_text",
+    "prompt",
+    "prompt_text",
+    "tool_output",
+    "tool_input",
+    "doc_body",
+    "content",
+    "code",
+    "stdout",
+    "stderr",
+    "message_text",
+]);
+// File basenames are hashed (not sent raw): keeps the path out of the clear but
+// preserves cross-event correlation via a stable digest. A full path smuggled
+// under one of these keys is reduced to its basename first, then hashed.
+const BASENAME_KEYS = new Set([
+    "file_basename",
+    "basename",
+    "file_name",
+    "filename",
+    "target_basename",
+]);
+// Nested metadata bags that are themselves sanitized field-by-field. Lets a
+// detector pass a `metadata_only_context: { candidate_count: 3 }` without the
+// whole object being dropped, while every field inside it still runs the table.
+const CONTAINER_KEYS = new Set(["context", "metadata_only_context", "metadata"]);
+// Numeric metadata: counts, durations, lengths, byte sizes, attempt counters.
+// Only sent when the value is actually a number, so a string smuggled under a
+// "*_count" key still drops.
+const NUMERIC_METADATA_RE = /(?:_count|_ms|_seconds|_secs|_duration|_len|_length|_bytes|_attempts?|_size|_total|_index|_n)$|^(?:count|attempts|duration_ms|n|index|total)$/i;
+// Hash a basename into a stable, non-reversible short digest. A full path is
+// reduced to its last segment first (split on both separators so a Windows path
+// is handled), so even a misclassified full path cannot leak its parent dirs.
+function hashBasename(value) {
+    const base = value.split(/[\\/]/).filter(Boolean).pop() ?? value;
+    const digest = crypto.createHash("sha256").update(base).digest("hex").slice(0, 16);
+    return `b_${digest}`;
+}
+function isScalar(v) {
+    return typeof v === "string" || typeof v === "number" || typeof v === "boolean";
+}
+function isPlainObject(v) {
+    return v !== null && typeof v === "object" && !Array.isArray(v);
+}
+// The central sanitizer. Drop-by-default. Returns a new object; the input is
+// never mutated. Recurses one level into known container keys so a detector's
+// metadata bag is classified field-by-field, not waved through.
+function sanitizeTelemetry(event) {
+    const out = {};
+    for (const [key, value] of Object.entries(event)) {
+        if (NEVER_SEND.has(key))
+            continue;
+        if (CONTAINER_KEYS.has(key) && isPlainObject(value)) {
+            out[key] = sanitizeTelemetry(value);
+            continue;
+        }
+        if (BASENAME_KEYS.has(key) && typeof value === "string") {
+            out[`${key}_hash`] = hashBasename(value);
+            continue;
+        }
+        if (ALWAYS_SEND.has(key) && isScalar(value)) {
+            out[key] = value;
+            continue;
+        }
+        if (NUMERIC_METADATA_RE.test(key) && typeof value === "number") {
+            out[key] = value;
+            continue;
+        }
+        // Allowlist fail-closed: anything not classified above is dropped.
+    }
+    return out;
+}
+// ---------------------------------------------------------------------------
+// INV-DEADLETTER-SAFETY: the bounded, mode-0600, TTL-governed local store.
+// ---------------------------------------------------------------------------
+exports.DEADLETTER_MAX_RECORDS = 500;
+exports.DEADLETTER_MAX_BYTES = 1_000_000; // 1 MB ceiling
+exports.DEADLETTER_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+exports.DEADLETTER_MAX_ATTEMPTS = 5;
+const DEADLETTER_BACKOFF_BASE_MS = 60_000; // 1 minute
+const DEADLETTER_BACKOFF_CAP_MS = 6 * 60 * 60 * 1000; // 6 hours
+const DEADLETTER_FILE_MODE = 0o600;
+const DEADLETTER_DIR_MODE = 0o700;
+// Mirror config.ts HOME resolution but compute per-call so a test can redirect
+// the whole store to a temp dir via MEETLESS_HOME without module-cache games.
+function homeDir(env) {
+    return env.MEETLESS_HOME || path.join(os.homedir(), ".meetless");
+}
+function deadletterPath(env = process.env) {
+    return path.join(homeDir(env), "telemetry-deadletter.jsonl");
+}
+function readRecords(file) {
+    let raw;
+    try {
+        raw = fs.readFileSync(file, "utf8");
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const line of raw.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        try {
+            const rec = JSON.parse(trimmed);
+            // Drop records from an older/newer schema we cannot safely replay.
+            if (rec && rec.schema_version === exports.TELEMETRY_SCHEMA_VERSION)
+                out.push(rec);
+        }
+        catch {
+            // A torn line (partial write) is skipped, not fatal.
+        }
+    }
+    return out;
+}
+function notExpired(rec, now) {
+    const exp = Date.parse(rec.expires_at);
+    return Number.isNaN(exp) ? true : now < exp;
+}
+// Enforce the count + byte ceilings by dropping OLDEST records first. The file
+// is append-mostly, so position == age; keeping the tail keeps the freshest.
+function enforceBounds(records) {
+    let kept = records;
+    if (kept.length > exports.DEADLETTER_MAX_RECORDS) {
+        kept = kept.slice(kept.length - exports.DEADLETTER_MAX_RECORDS);
+    }
+    let serialized = kept.map((r) => JSON.stringify(r)).join("\n");
+    while (kept.length > 0 && Buffer.byteLength(serialized, "utf8") > exports.DEADLETTER_MAX_BYTES) {
+        kept = kept.slice(1);
+        serialized = kept.map((r) => JSON.stringify(r)).join("\n");
+    }
+    return kept;
+}
+// Atomic-ish rewrite with locked-down perms. Writes the whole set (the store is
+// low-volume: it only grows on an upload failure), then chmods to 0600 even when
+// the file pre-existed with looser perms.
+function writeRecords(file, records) {
+    const dir = path.dirname(file);
+    fs.mkdirSync(dir, { recursive: true, mode: DEADLETTER_DIR_MODE });
+    const body = records.length > 0 ? records.map((r) => JSON.stringify(r)).join("\n") + "\n" : "";
+    fs.writeFileSync(file, body, { mode: DEADLETTER_FILE_MODE });
+    try {
+        fs.chmodSync(file, DEADLETTER_FILE_MODE);
+    }
+    catch {
+        // best-effort on platforms without POSIX perms
+    }
+}
+// Append one failure event. Sanitizes BEFORE write so a replayed record can
+// never carry content the live path would have stripped (§8, An Decision 9).
+// Never throws: a telemetry write must not break the user's command.
+function appendDeadletter(event, opts = {}) {
+    const env = opts.env ?? process.env;
+    const now = opts.now ?? Date.now();
+    try {
+        const sanitized = sanitizeTelemetry(event);
+        const record = {
+            schema_version: exports.TELEMETRY_SCHEMA_VERSION,
+            created_at: new Date(now).toISOString(),
+            expires_at: new Date(now + exports.DEADLETTER_TTL_MS).toISOString(),
+            attempts: 0,
+            last_attempt_at: null,
+            failure_class: String(sanitized.failure_class ?? "unknown"),
+            event: sanitized,
+        };
+        const file = deadletterPath(env);
+        const existing = readRecords(file).filter((r) => notExpired(r, now));
+        const next = enforceBounds([...existing, record]);
+        writeRecords(file, next);
+        return record;
+    }
+    catch {
+        return null;
+    }
+}
+// Non-expired records, oldest first. Drops expired records as a side effect
+// (rewrites the file) so a stale record cannot be retried forever.
+function loadDeadletter(opts = {}) {
+    const env = opts.env ?? process.env;
+    const now = opts.now ?? Date.now();
+    const file = deadletterPath(env);
+    const all = readRecords(file);
+    const live = all.filter((r) => notExpired(r, now));
+    if (live.length !== all.length) {
+        try {
+            writeRecords(file, live);
+        }
+        catch {
+            // best effort
+        }
+    }
+    return live;
+}
+// Exponential backoff gate. A fresh record (0 attempts) is due immediately;
+// thereafter the next attempt waits base * 2^(attempts-1), capped, measured from
+// the last attempt. Keeps a down backend from being hammered on every CLI run.
+function isAttemptDue(rec, now) {
+    if (rec.attempts <= 0 || !rec.last_attempt_at)
+        return true;
+    const last = Date.parse(rec.last_attempt_at);
+    if (Number.isNaN(last))
+        return true;
+    const delay = Math.min(DEADLETTER_BACKOFF_BASE_MS * 2 ** (rec.attempts - 1), DEADLETTER_BACKOFF_CAP_MS);
+    return now >= last + delay;
+}
+// Replay the deadletter through `upload`. Per record:
+//   - expired              -> dropped
+//   - not yet due (backoff) -> kept as-is
+//   - upload ok            -> dropped (sent)
+//   - upload fails         -> attempts++, last_attempt_at=now; at MAX_ATTEMPTS dropped
+// Respects the telemetry kill switch (nothing leaves the machine when off) and
+// never throws.
+async function flushDeadletter(opts) {
+    const env = opts.env ?? process.env;
+    const now = opts.now ?? Date.now();
+    const result = { sent: 0, dropped: 0, kept: 0 };
+    if ((0, config_1.telemetryDisabled)(env)) {
+        // Kill switch on: do not forward anything. Leave the local store intact.
+        return result;
+    }
+    const file = deadletterPath(env);
+    const all = readRecords(file);
+    const survivors = [];
+    for (const rec of all) {
+        if (!notExpired(rec, now)) {
+            result.dropped++;
+            continue;
+        }
+        if (!isAttemptDue(rec, now)) {
+            survivors.push(rec);
+            result.kept++;
+            continue;
+        }
+        try {
+            await opts.upload(rec);
+            result.sent++;
+        }
+        catch {
+            const attempts = rec.attempts + 1;
+            if (attempts >= exports.DEADLETTER_MAX_ATTEMPTS) {
+                result.dropped++;
+            }
+            else {
+                survivors.push({
+                    ...rec,
+                    attempts,
+                    last_attempt_at: new Date(now).toISOString(),
+                });
+                result.kept++;
+            }
+        }
+    }
+    try {
+        writeRecords(file, survivors);
+    }
+    catch {
+        // best effort
+    }
+    return result;
+}
+// ---------------------------------------------------------------------------
+// F8 detector: telemetry upload itself failed.
+//
+// Per INV-SENTRY-NOISE-BUDGET, F8 routes to the LOCAL deadletter + a local
+// warning, NOT to Sentry (unless the backend side later observes it). The CLI
+// has no PostHog key by design, so an F8 on the user's machine is recorded
+// locally; the deadletter IS the store. This is also the self-host posture: on a
+// user-owned backend nothing leaves the machine.
+// ---------------------------------------------------------------------------
+exports.FAILURE_TELEMETRY_UPLOAD_FAILED = "telemetry_upload_failed";
+// Record an F8 failure to the deadletter. Returns the record (for tests/logging)
+// or null when the kill switch is on or the write failed. Never throws.
+function recordTelemetryUploadFailure(ctx, opts = {}) {
+    const env = opts.env ?? process.env;
+    if ((0, config_1.telemetryDisabled)(env))
+        return null;
+    const context = {};
+    if (typeof ctx.status === "number")
+        context.status = ctx.status;
+    if (ctx.reasonCode)
+        context.reason_code = ctx.reasonCode;
+    const event = {
+        failure_class: exports.FAILURE_TELEMETRY_UPLOAD_FAILED,
+        severity: "warning",
+        surface: ctx.surface ?? "mla-cli",
+        metadata_only_context: context,
+    };
+    if (ctx.traceId)
+        event.trace_id = ctx.traceId;
+    if (ctx.workspaceId)
+        event.workspace_id = ctx.workspaceId;
+    if (ctx.sessionId)
+        event.session_id = ctx.sessionId;
+    return appendDeadletter(event, opts);
+}
+// ---------------------------------------------------------------------------
+// F5 detector: a KB write the agent attempted was blocked.
+//
+// The canonical signal is `mla kb add` exiting non-zero because the actor is not
+// the workspace owner (the §13.14 owner-only ACL): the agent tried to write a
+// lesson down and could not. Like F8 this routes to the LOCAL deadletter and a
+// local warning, NOT to Sentry directly (intel SENTRY_ROUTE[F5] = IF_REPEATED;
+// a one-off block is expected friction, a recurrence is the alert). The CLI has
+// no PostHog key by design, so the deadletter IS the store on the user's machine.
+//
+// The failure_class string and "warning" severity MUST match the intel twin
+// (app/core/failure_telemetry.py: FailureClass.KB_WRITE_BLOCKED = "kb_write_blocked",
+// _DEFAULT_SEVERITY[KB_WRITE_BLOCKED] = WARNING); they are the cross-plane key.
+// ---------------------------------------------------------------------------
+exports.FAILURE_KB_WRITE_BLOCKED = "kb_write_blocked";
+// Record an F5 (kb-write-blocked) failure to the deadletter. Returns the record
+// (for tests/logging) or null when the kill switch is on or the write failed.
+// Never throws: detecting a blocked write must not itself break the command.
+function recordKbWriteBlocked(ctx, opts = {}) {
+    const env = opts.env ?? process.env;
+    if ((0, config_1.telemetryDisabled)(env))
+        return null;
+    const context = {};
+    if (typeof ctx.status === "number")
+        context.status = ctx.status;
+    if (ctx.reasonCode)
+        context.reason_code = ctx.reasonCode;
+    const event = {
+        failure_class: exports.FAILURE_KB_WRITE_BLOCKED,
+        severity: "warning",
+        surface: ctx.surface ?? "mla-cli",
+        metadata_only_context: context,
+    };
+    if (ctx.traceId)
+        event.trace_id = ctx.traceId;
+    if (ctx.workspaceId)
+        event.workspace_id = ctx.workspaceId;
+    if (ctx.sessionId)
+        event.session_id = ctx.sessionId;
+    return appendDeadletter(event, opts);
+}

package/dist/lib/git.js

@@ -0,0 +1,200 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeRepoFingerprint = computeRepoFingerprint;
+exports.captureGitEvidence = captureGitEvidence;
+const child_process_1 = require("child_process");
+const crypto = __importStar(require("crypto"));
+function gitRun(repo, args) {
+    const r = (0, child_process_1.spawnSync)("git", ["-C", repo, ...args], { encoding: "utf8" });
+    return {
+        ok: r.status === 0,
+        stdout: r.stdout || "",
+        stderr: r.stderr || "",
+    };
+}
+// A NON-identifying, one-way fingerprint of the repository a run executed in,
+// for analytics attribution (spec section 3.7 / T1.10). Hashes the git remote
+// URL (the stable repo identity) when present, else the repo top-level path, so
+// two runs in the same checkout share a fingerprint WITHOUT the raw remote URL
+// or absolute path ever leaving the machine (INV-POSTHOG-PII-1 forbids a raw
+// repoPath). The "r_" prefix + sha256-slice mirror store.ts machineId(). Returns
+// null outside a git repo or when git is unavailable; attribution then carries a
+// null repoFingerprint rather than a fabricated value. Computed once per run at
+// bootstrap, never per event (it shells out to git).
+function computeRepoFingerprint(repo = process.cwd()) {
+    const remote = gitRun(repo, ["config", "--get", "remote.origin.url"]);
+    let seed = remote.ok ? remote.stdout.trim() : "";
+    if (!seed) {
+        const top = gitRun(repo, ["rev-parse", "--show-toplevel"]);
+        seed = top.ok ? top.stdout.trim() : "";
+    }
+    if (!seed)
+        return null;
+    return "r_" + crypto.createHash("sha256").update(seed).digest("hex").slice(0, 24);
+}
+function parseDiffStat(out) {
+    let filesChanged = 0;
+    let insertions = 0;
+    let deletions = 0;
+    const m = out.match(/(\d+)\s+files?\s+changed(?:,\s+(\d+)\s+insertions?\(\+\))?(?:,\s+(\d+)\s+deletions?\(-\))?/);
+    if (m) {
+        filesChanged = parseInt(m[1] || "0", 10);
+        insertions = parseInt(m[2] || "0", 10);
+        deletions = parseInt(m[3] || "0", 10);
+    }
+    return { filesChanged, insertions, deletions };
+}
+function parsePorcelain(out) {
+    const trackedModified = [];
+    const staged = [];
+    const untracked = [];
+    const deleted = [];
+    const renamed = [];
+    const lines = out.split("\n");
+    for (const line of lines) {
+        if (!line)
+            continue;
+        const xy = line.slice(0, 2);
+        const rest = line.slice(3);
+        const X = xy[0];
+        const Y = xy[1];
+        if (X === "?" && Y === "?") {
+            untracked.push(rest);
+            continue;
+        }
+        if (X === "R" || Y === "R") {
+            const parts = rest.split(" -> ");
+            if (parts.length === 2) {
+                renamed.push({ from: parts[0], to: parts[1] });
+            }
+            continue;
+        }
+        if (X === "D" || Y === "D") {
+            deleted.push(rest);
+        }
+        if (X !== " " && X !== "?") {
+            staged.push(rest);
+        }
+        if (Y !== " " && Y !== "?") {
+            trackedModified.push(rest);
+        }
+    }
+    return { trackedModified, staged, untracked, deleted, renamed };
+}
+// Subtract the session-start baseline from the finalize-time porcelain so the
+// review attributes only what the SESSION touched, not ambient dirty state the
+// working tree already carried before the agent started (the 2026-05-31 dogfood
+// bug: a pre-existing `.claude/scheduled_tasks.lock` deletion was blamed on the
+// run). Comparison is exact-line (porcelain `XY␣path`): a line byte-identical to
+// the baseline is ambient and dropped; a line whose status code CHANGED since
+// the baseline means the session acted on it, so it survives.
+//
+// Known, accepted limitation: a file already dirty at session start that the
+// session edits FURTHER with the SAME status code (e.g. " M" -> " M") is treated
+// as ambient. Closing that needs per-path content hashing; the dominant bug
+// (files the session never touched at all) is what this fixes.
+function subtractBaseline(currentPorcelain, baselinePorcelain) {
+    const baselineLines = new Set(baselinePorcelain.split("\n").filter((l) => l.length > 0));
+    return currentPorcelain
+        .split("\n")
+        .filter((l) => l.length > 0 && !baselineLines.has(l))
+        .join("\n");
+}
+function captureGitEvidence(repo, baselinePorcelain) {
+    const errors = [];
+    const branchRes = gitRun(repo, ["branch", "--show-current"]);
+    const branch = branchRes.ok ? branchRes.stdout.trim() : "";
+    if (!branchRes.ok)
+        errors.push("branch:" + branchRes.stderr.trim().slice(0, 100));
+    const topRes = gitRun(repo, ["rev-parse", "--show-toplevel"]);
+    const topLevel = topRes.ok ? topRes.stdout.trim() : "";
+    if (!topRes.ok)
+        errors.push("toplevel:" + topRes.stderr.trim().slice(0, 100));
+    const logRes = gitRun(repo, ["log", "-1", "--oneline"]);
+    const lastCommit = logRes.ok ? logRes.stdout.trim() : "";
+    // -c core.quotePath=false keeps non-ASCII paths in raw UTF-8 instead of the
+    // default C-style octal-quoted form. Without this, a Vietnamese filename
+    // like `Lỗi-không-tìm-thấy.ts` comes back as
+    // `"L\341\273\227i-kh\303\264ng-t\303\254m-th\341\272\245y.ts"`, which then
+    // flows into trackedModified / staged / untracked verbatim, kills the
+    // worker's classifier match, and renders as garbled text in `mla review`.
+    const porcelainRes = gitRun(repo, [
+        "-c",
+        "core.quotePath=false",
+        "status",
+        "--porcelain=v1",
+    ]);
+    // A non-null baseline (even an empty string) switches us to session-scoped
+    // attribution; `undefined`/`null` preserves the original whole-tree behavior.
+    const scoped = baselinePorcelain !== undefined && baselinePorcelain !== null;
+    const effectivePorcelain = scoped && porcelainRes.ok ? subtractBaseline(porcelainRes.stdout, baselinePorcelain) : porcelainRes.stdout;
+    const { trackedModified, staged, untracked, deleted, renamed } = porcelainRes.ok
+        ? parsePorcelain(effectivePorcelain)
+        : { trackedModified: [], staged: [], untracked: [], deleted: [], renamed: [] };
+    if (!porcelainRes.ok)
+        errors.push("status:" + porcelainRes.stderr.trim().slice(0, 100));
+    // When scoped, recompute the diff stats over only the session-attributed
+    // paths so insertion/deletion counts and filesChanged exclude ambient churn.
+    // `git diff --stat -- <paths>` with an empty pathspec would list everything,
+    // so an empty session set is reported as a zeroed stat (the honest answer).
+    const ZERO_STAT = { filesChanged: 0, insertions: 0, deletions: 0 };
+    const renamedPaths = renamed.flatMap((r) => [r.from, r.to]);
+    const unstagedPaths = Array.from(new Set([...trackedModified, ...renamedPaths]));
+    const stagedPaths = Array.from(new Set([...staged, ...renamedPaths]));
+    let diffStat;
+    let diffStatCached;
+    if (scoped) {
+        diffStat = unstagedPaths.length > 0 ? parseDiffStat(gitRun(repo, ["diff", "--stat", "--", ...unstagedPaths]).stdout) : { ...ZERO_STAT };
+        diffStatCached = stagedPaths.length > 0 ? parseDiffStat(gitRun(repo, ["diff", "--cached", "--stat", "--", ...stagedPaths]).stdout) : { ...ZERO_STAT };
+    }
+    else {
+        diffStat = parseDiffStat(gitRun(repo, ["diff", "--stat"]).stdout);
+        diffStatCached = parseDiffStat(gitRun(repo, ["diff", "--cached", "--stat"]).stdout);
+    }
+    return {
+        branch,
+        topLevel,
+        lastCommit,
+        trackedModified,
+        staged,
+        untracked,
+        deleted,
+        renamed,
+        diffStat,
+        diffStatCached,
+        errors,
+    };
+}