@visulima/task-runner 1.0.0-alpha.5 → 1.0.0-alpha.6

package/dist/packem_shared/{CompositeLifeCycle-7AtYw1dv.js → CompositeLifeCycle-CSVbRC_5.js}

@@ -59,6 +59,16 @@ class CompositeLifeCycle {
       lc.printCacheMiss?.(task, reasons);
     }
   }
+  onTaskStdout(task, chunk) {
+    for (const lc of this.#lifeCycles) {
+      lc.onTaskStdout?.(task, chunk);
+    }
+  }
+  onTaskStderr(task, chunk) {
+    for (const lc of this.#lifeCycles) {
+      lc.onTaskStderr?.(task, chunk);
+    }
+  }
 }
 class ConsoleLifeCycle {
   #verbose;

package/dist/packem_shared/{FileAccessTracker-CrtBAt5D.js → FileAccessTracker-CQ5Ot7Hd.js}

@@ -47,11 +47,19 @@ const isStraceAvailable = () => {
   return straceAvailable;
 };
 const STRACE_PATTERNS = [
-  { pattern: /openat\(AT_FDCWD,\s*"([^"]+)"/, type: "read" },
-  { pattern: /^(?:\d+\s+)?open\("([^"]+)"/, type: "read" },
-  { pattern: /(?:stat|lstat|newfstatat)\((?:AT_FDCWD,\s*)?"([^"]+)"/, type: "stat" },
-  { pattern: /access\("([^"]+)"/, type: "stat" }
+  { kind: "open", pattern: /openat\(AT_FDCWD,\s*"([^"]+)"/ },
+  { kind: "open", pattern: /^(?:\d+\s+)?open\("([^"]+)"/ },
+  { kind: "creat", pattern: /(?:^|\s)creat\("([^"]+)"/ },
+  { kind: "stat", pattern: /(?:stat|lstat|newfstatat)\((?:AT_FDCWD,\s*)?"([^"]+)"/ },
+  { kind: "stat", pattern: /access\("([^"]+)"/ },
+  { kind: "getdents", pattern: /getdents(?:64)?\(\d+/ }
 ];
+const parseOpenAccessType = (line) => {
+  if (/O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND/.test(line)) {
+    return "write";
+  }
+  return "read";
+};
 class FileAccessTracker {
   #workspaceRoot;
   #excludePatterns;
@@ -93,7 +101,7 @@ class FileAccessTracker {
     const traceDirectory = join(this.#workspaceRoot, "node_modules", ".cache", "task-runner");
     await mkdir(traceDirectory, { recursive: true });
     const traceFile = join(traceDirectory, `strace-${uniqueId()}.log`);
-    const straceCommand = `strace -f -qq -e trace=open,openat,stat,lstat,newfstatat,access,getdents,getdents64 -o ${traceFile} -- ${command}`;
+    const straceCommand = `strace -f -qq -e trace=open,openat,creat,stat,lstat,newfstatat,access,getdents,getdents64,unlink,unlinkat,rename,renameat,renameat2 -o ${traceFile} -- ${command}`;
     return new Promise((_resolve) => {
       const child = exec(
         straceCommand,
@@ -125,14 +133,23 @@ class FileAccessTracker {
   }
   /**
    * Parses strace output to extract file accesses.
+   *
+   * A single path may appear with both `read` and `write` types when a
+   * task reads a file and later rewrites it — self-modifying detection
+   * relies on seeing both, so we dedupe per `(path, type)` rather than
+   * by path alone.
    */
   #parseStraceOutput(traceContent, cwd) {
     const accesses = [];
-    const seenPaths = /* @__PURE__ */ new Set();
+    const seen = /* @__PURE__ */ new Set();
     for (const line of traceContent.split("\n")) {
       const parsed = this.#parseStraceLine(line, cwd);
-      if (parsed && !seenPaths.has(parsed.path)) {
-        seenPaths.add(parsed.path);
+      if (!parsed) {
+        continue;
+      }
+      const key = `${parsed.type}:${parsed.path}`;
+      if (!seen.has(key)) {
+        seen.add(key);
         accesses.push(parsed);
       }
     }
@@ -140,23 +157,46 @@ class FileAccessTracker {
   }
   /**
    * Parses a single strace output line.
-   * Each entry maps a regex to the file access type it represents.
+   * Each entry maps a regex to the file access kind; the actual type
+   * (read vs write) depends on flag inspection for `open`/`openat`.
    */
   #parseStraceLine(line, cwd) {
     const isMissing = line.includes("ENOENT");
-    for (const { pattern, type } of STRACE_PATTERNS) {
+    for (const { kind, pattern } of STRACE_PATTERNS) {
       const match = pattern.exec(line);
-      if (!match?.[1]) {
+      if (!match) {
         continue;
       }
-      let path = match[1];
+      if (kind === "getdents") {
+        return void 0;
+      }
+      const capturedPath = match[1];
+      if (!capturedPath) {
+        continue;
+      }
+      let path = capturedPath;
       if (!path.startsWith("/")) {
         path = resolve(cwd, path);
       }
       if (this.#shouldExclude(path) || !path.startsWith(this.#workspaceRoot)) {
         return void 0;
       }
-      return { path, type: isMissing ? "missing" : type };
+      if (isMissing) {
+        return { path, type: "missing" };
+      }
+      const type = kind === "open" ? parseOpenAccessType(line) : kind === "creat" ? "write" : "stat";
+      return { path, type };
+    }
+    const destructive = /(?:^|\s)(?:unlink|unlinkat|rename|renameat|renameat2)\((?:AT_FDCWD,\s*)?"([^"]+)"/.exec(line);
+    if (destructive?.[1]) {
+      let path = destructive[1];
+      if (!path.startsWith("/")) {
+        path = resolve(cwd, path);
+      }
+      if (this.#shouldExclude(path) || !path.startsWith(this.#workspaceRoot)) {
+        return void 0;
+      }
+      return { path, type: "write" };
     }
     return void 0;
   }
@@ -220,19 +260,31 @@ const patch = (obj, method, type) => {
     };
 };
 
-// Sync
+// Reads / stats / directory listing
 patch(fs, "readFileSync", "read");
 patch(fs, "statSync", "stat");
 patch(fs, "readdirSync", "readdir");
-// Async (callback)
 patch(fs, "readFile", "read");
 patch(fs, "stat", "stat");
 patch(fs, "readdir", "readdir");
-// Async (promises)
 patch(fsp, "readFile", "read");
 patch(fsp, "stat", "stat");
 patch(fsp, "readdir", "readdir");
 
+// Writes and path-mutating ops — needed for self-modifying task detection
+patch(fs, "writeFileSync", "write");
+patch(fs, "appendFileSync", "write");
+patch(fs, "unlinkSync", "write");
+patch(fs, "renameSync", "write");
+patch(fs, "writeFile", "write");
+patch(fs, "appendFile", "write");
+patch(fs, "unlink", "write");
+patch(fs, "rename", "write");
+patch(fsp, "writeFile", "write");
+patch(fsp, "appendFile", "write");
+patch(fsp, "unlink", "write");
+patch(fsp, "rename", "write");
+
 process.on("beforeExit", () => { logStream.end(); });
 `;
 

package/dist/packem_shared/{FingerprintManager-Cu-ta9ee.js → FingerprintManager-CV7U4f4f.js}

@@ -34,6 +34,8 @@ class FingerprintManager {
     const fileHashes = {};
     const missingPaths = /* @__PURE__ */ new Set();
     const directoryListings = {};
+    const readPaths = /* @__PURE__ */ new Set();
+    const writePaths = /* @__PURE__ */ new Set();
     for (const access of accesses) {
       const relativePath = relative(this.#workspaceRoot, access.path);
       switch (access.type) {
@@ -43,6 +45,7 @@ class FingerprintManager {
         }
         case "read":
         case "stat": {
+          readPaths.add(relativePath);
           if (!fileHashes[relativePath]) {
             const hash = await this.#hashFileWithCache(access.path);
             if (hash) {
@@ -62,8 +65,19 @@ class FingerprintManager {
           }
           break;
         }
+        case "write": {
+          writePaths.add(relativePath);
+          break;
+        }
+      }
+    }
+    const modifiedInputs = [];
+    for (const path of writePaths) {
+      if (readPaths.has(path)) {
+        modifiedInputs.push(path);
       }
     }
+    modifiedInputs.sort();
     const commandHash = hashStrings(`${command}:${JSON.stringify(sortObjectKeys(args))}`);
     const envHashes = {};
     const matchedEnvVariables = FingerprintManager.#resolveEnvPatterns(envPatterns, envVariables);
@@ -75,7 +89,14 @@ class FingerprintManager {
       envHashes[key] = hashStrings(`${key}=${value ?? ""}`);
     }
     const missingFiles = [...missingPaths].toSorted();
-    return { commandHash, directoryListings, envHashes, fileHashes, missingFiles };
+    return {
+      commandHash,
+      directoryListings,
+      envHashes,
+      fileHashes,
+      missingFiles,
+      ...modifiedInputs.length > 0 ? { modifiedInputs } : {}
+    };
   }
   /**
    * Validates a stored fingerprint against the current state.

package/dist/packem_shared/{IncrementalFileHasher-Cm_kJY5V.js → IncrementalFileHasher-BRS76-mb.js}

@@ -146,6 +146,32 @@ class IncrementalFileHasher {
   clear() {
     this.#snapshot.clear();
   }
+  /**
+   * Looks up the cached hash for `absolutePath` when its mtime and
+   * size match the snapshot; returns `undefined` otherwise. Callers
+   * that already have a `stat` result (e.g. `InProcessTaskHasher`)
+   * skip an extra syscall by passing it through directly.
+   *
+   * The snapshot is considered loaded on first call — lazy-load is
+   * synchronous-friendly here because the caller already performed
+   * an async `stat` before calling this method.
+   */
+  getSnapshotHash(absolutePath, mtimeMs, size) {
+    const entry = this.#snapshot.get(absolutePath);
+    if (!entry) {
+      return void 0;
+    }
+    return entry.mtimeMs === mtimeMs && entry.size === size ? entry.hash : void 0;
+  }
+  /**
+   * Writes a fresh snapshot entry after the caller has computed the
+   * hash. Pairs with {@link IncrementalFileHasher.getSnapshotHash}
+   * — after a miss, the caller hashes the file and records the
+   * result here so the next run can reuse it.
+   */
+  recordSnapshot(absolutePath, hash, mtimeMs, size) {
+    this.#snapshot.set(absolutePath, { hash, mtimeMs, size });
+  }
 }
 
 export { IncrementalFileHasher };

package/dist/packem_shared/LogReporter-BDt52HLu.js

@@ -0,0 +1,44 @@
+const formatTaskLabel = (task) => `${task.target.project}#${task.target.target}`;
+const prefixLines = (text, label) => {
+  const trailing = text.endsWith("\n") ? "\n" : "";
+  const body = trailing ? text.slice(0, -1) : text;
+  if (body.length === 0) {
+    return trailing;
+  }
+  return `${body.split("\n").map((line) => `[${label}] ${line}`).join("\n")}${trailing}`;
+};
+class LogReporter {
+  #mode;
+  #write;
+  constructor(mode, write = (chunk) => process.stdout.write(chunk)) {
+    this.#mode = mode;
+    this.#write = write;
+  }
+  printTaskTerminalOutput(task, _status, terminalOutput) {
+    if (terminalOutput.length === 0) {
+      return;
+    }
+    if (this.#mode === "interleaved") {
+      this.#write(terminalOutput.endsWith("\n") ? terminalOutput : `${terminalOutput}
+`);
+      return;
+    }
+    const label = formatTaskLabel(task);
+    if (this.#mode === "labeled") {
+      this.#write(prefixLines(terminalOutput.endsWith("\n") ? terminalOutput : `${terminalOutput}
+`, label));
+      return;
+    }
+    const body = terminalOutput.endsWith("\n") ? terminalOutput : `${terminalOutput}
+`;
+    this.#write(`── ${label} ──
+${body}
+`);
+  }
+  // eslint-disable-next-line class-methods-use-this
+  endTasks(_taskResults) {
+  }
+}
+const createLogReporter = (mode, write) => new LogReporter(mode, write);
+
+export { LogReporter, createLogReporter };

package/dist/packem_shared/{RemoteCache-BFceSe4a.js → RemoteCache-DSU3lc87.js}

@@ -18,40 +18,45 @@ const __cjs_getBuiltinModule = (module) => {
 };
 
 const {
-  execFile
-} = __cjs_getBuiltinModule("node:child_process");
+  createHmac,
+  timingSafeEqual
+} = __cjs_getBuiltinModule("node:crypto");
 const {
-  createWriteStream
+  createWriteStream,
+  createReadStream
 } = __cjs_getBuiltinModule("node:fs");
 const {
   mkdir,
   rm,
-  stat,
-  readFile
+  stat
 } = __cjs_getBuiltinModule("node:fs/promises");
 const {
   pipeline
 } = __cjs_getBuiltinModule("node:stream/promises");
 import { join } from '@visulima/path';
+import { e as extractTarBrotli, a as extractTarGz, c as createTarBrotli, b as createTarGz } from './archive-UQHAnZUa.js';
 
-const createTarGz = (sourceDirectory, outputPath) => new Promise((resolve, reject) => {
-  execFile("tar", ["-czf", outputPath, "-C", sourceDirectory, "."], (error) => {
-    if (error) {
-      reject(error);
-    } else {
-      resolve();
-    }
-  });
-});
-const extractTarGz = (archivePath, destinationDirectory) => new Promise((resolve, reject) => {
-  execFile("tar", ["-xzf", archivePath, "-C", destinationDirectory], (error) => {
-    if (error) {
-      reject(error);
-    } else {
-      resolve();
-    }
-  });
-});
+const SIGNATURE_HEADER = "X-Artifact-Signature";
+const MIN_SECRET_LENGTH = 16;
+const computeArtifactSignatureStream = async (secret, hash, archivePath) => {
+  const hmac = createHmac("sha256", secret);
+  hmac.update(hash);
+  const source = createReadStream(archivePath);
+  for await (const chunk of source) {
+    hmac.update(chunk);
+  }
+  return hmac.digest("hex");
+};
+const signaturesMatch = (a, b) => {
+  if (a.length !== b.length) {
+    return false;
+  }
+  try {
+    return timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+  } catch {
+    return false;
+  }
+};
 class RemoteCache {
   #url;
   #token;
@@ -60,6 +65,9 @@ class RemoteCache {
   #read;
   #write;
   #onUploadError;
+  #compression;
+  #signingSecret;
+  #verifyOnDownload;
   constructor(options) {
     this.#url = options.url.replace(/\/$/, "");
     this.#token = options.token;
@@ -68,6 +76,17 @@ class RemoteCache {
     this.#read = options.read ?? true;
     this.#write = options.write ?? true;
     this.#onUploadError = options.onUploadError;
+    this.#compression = options.compression ?? "gzip";
+    if (options.signing) {
+      if (options.signing.secret.length < MIN_SECRET_LENGTH) {
+        throw new Error(`Remote cache signing secret must be at least ${String(MIN_SECRET_LENGTH)} characters.`);
+      }
+      this.#signingSecret = options.signing.secret;
+      this.#verifyOnDownload = options.signing.verifyOnDownload ?? false;
+    } else {
+      this.#signingSecret = void 0;
+      this.#verifyOnDownload = false;
+    }
   }
   /**
    * Retrieves a cached artifact from the remote cache.
@@ -89,15 +108,23 @@ class RemoteCache {
       if (!response.ok) {
         return false;
       }
-      await mkdir(localCacheDirectory, { recursive: true });
-      const { body } = response;
-      if (!body) {
+      const receivedSignature = this.#signingSecret ? response.headers.get(SIGNATURE_HEADER.toLowerCase()) ?? response.headers.get(SIGNATURE_HEADER) : null;
+      if (this.#signingSecret && !receivedSignature && this.#verifyOnDownload) {
+        return false;
+      }
+      if (!response.body) {
         return false;
       }
-      const fileStream = createWriteStream(archivePath);
-      await pipeline(body, fileStream);
+      await mkdir(localCacheDirectory, { recursive: true });
+      await pipeline(response.body, createWriteStream(archivePath));
+      if (this.#signingSecret && receivedSignature) {
+        const expected = await computeArtifactSignatureStream(this.#signingSecret, hash, archivePath);
+        if (!signaturesMatch(receivedSignature, expected)) {
+          return false;
+        }
+      }
       await mkdir(entryDirectory, { recursive: true });
-      await extractTarGz(archivePath, entryDirectory);
+      await (this.#compression === "brotli" ? extractTarBrotli(archivePath, entryDirectory) : extractTarGz(archivePath, entryDirectory));
       await rm(archivePath, { force: true });
       return true;
     } catch {
@@ -119,16 +146,29 @@ class RemoteCache {
     const archivePath = join(localCacheDirectory, `.upload-${hash}.tar.gz`);
     try {
       await stat(join(entryDirectory, ".commit"));
-      await createTarGz(entryDirectory, archivePath);
+      await (this.#compression === "brotli" ? createTarBrotli(entryDirectory, archivePath) : createTarGz(entryDirectory, archivePath));
       const artifactUrl = this.#buildUrl(`/v8/artifacts/${hash}`);
-      const archiveContent = await readFile(archivePath);
+      const { size } = await stat(archivePath);
+      const uploadHeaders = {
+        ...this.#buildHeaders(),
+        "Content-Length": String(size),
+        // Advertise the compression format in a custom header so
+        // spec-compatible servers (and the matching download side)
+        // can branch if needed. The body is still an opaque blob
+        // from the server's perspective.
+        "Content-Type": "application/octet-stream",
+        "X-Artifact-Compression": this.#compression
+      };
+      if (this.#signingSecret) {
+        uploadHeaders[SIGNATURE_HEADER] = await computeArtifactSignatureStream(this.#signingSecret, hash, archivePath);
+      }
       const response = await fetch(artifactUrl, {
-        body: archiveContent,
-        headers: {
-          ...this.#buildHeaders(),
-          "Content-Length": String(archiveContent.length),
-          "Content-Type": "application/octet-stream"
-        },
+        body: createReadStream(archivePath),
+        // @ts-expect-error — `duplex` is a Node-specific fetch
+        // option required when the body is a stream. The DOM
+        // `RequestInit` type doesn't include it yet.
+        duplex: "half",
+        headers: uploadHeaders,
         method: "PUT",
         signal: AbortSignal.timeout(this.#timeout)
       });

package/dist/packem_shared/{TaskOrchestrator-lLn-PH1m.js → TaskOrchestrator-rf45vW5c.js}

@@ -1,9 +1,9 @@
 import { d as resolveTaskCwd, a as createFailureResult, e as createXxh3Hasher } from './utils-zO0ZRgtf.js';
-import { join } from '@visulima/path';
-import { FingerprintManager } from './FingerprintManager-Cu-ta9ee.js';
-import { generateRunSummary, writeRunSummary } from './generateRunSummary-qn-_jKwt.js';
-import { computeTaskHash } from './computeTaskHash-B2SVZqgp.js';
-import { TrackedTaskExecutor } from './TrackedTaskExecutor-BGUKFE-7.js';
+import { resolve, join } from '@visulima/path';
+import { FingerprintManager } from './FingerprintManager-CV7U4f4f.js';
+import { generateRunSummary, writeLastRunSummary, writeRunSummary } from './generateRunSummary-BE1jnQ3H.js';
+import { computeTaskHash } from './computeTaskHash-DYqfrDGq.js';
+import { TrackedTaskExecutor } from './TrackedTaskExecutor-CFPpQfXF.js';
 
 const hashFingerprint = (fingerprint) => {
   const hash = createXxh3Hasher();
@@ -26,11 +26,11 @@ const hashFingerprint = (fingerprint) => {
   return hash.digest();
 };
 const createDeferred = () => {
-  let resolve;
+  let resolve2;
   const promise = new Promise((r) => {
-    resolve = r;
+    resolve2 = r;
   });
-  return { promise, resolve };
+  return { promise, resolve: resolve2 };
 };
 class TaskOrchestrator {
   #taskHasher;
@@ -101,9 +101,12 @@ class TaskOrchestrator {
       process.removeListener("SIGTERM", signalHandler);
       this.#lifeCycle.endCommand?.();
     }
-    if (this.#summarize && this.#taskGraph) {
+    if (this.#taskGraph && !this.#aborted) {
       const summary = generateRunSummary(this.#results, this.#taskGraph, this.#startTime);
-      await writeRunSummary(summary, this.#workspaceRoot);
+      await writeLastRunSummary(summary, this.#workspaceRoot);
+      if (this.#summarize) {
+        await writeRunSummary(summary, this.#workspaceRoot);
+      }
     }
     return this.#results;
   }
@@ -243,7 +246,13 @@ class TaskOrchestrator {
       };
       this.#results.set(task.id, result);
       if (code === 0 && task.cache !== false && task.hash) {
-        await this.#cache.put(task.hash, terminalOutput, task.outputs, code);
+        const modified = await this.#detectSelfModifiedInputs(task);
+        if (modified.length > 0) {
+          result.selfModified = true;
+          this.#lifeCycle.printSelfModifyingSkip?.(task, modified);
+        } else {
+          await this.#cache.put(task.hash, terminalOutput, task.outputs, code);
+        }
       }
       return result;
     } catch (error) {
@@ -252,6 +261,28 @@ class TaskOrchestrator {
       return result;
     }
   }
+  /**
+   * Re-hashes every file recorded in `task.hashDetails.nodes` and returns
+   * the workspace-relative paths whose post-execution hash differs from the
+   * pre-execution hash. A non-empty result means the task wrote to its own
+   * tracked inputs and the cache entry would be unsafe to persist.
+   */
+  async #detectSelfModifiedInputs(task) {
+    const nodes = task.hashDetails?.nodes;
+    if (!nodes || typeof this.#taskHasher.rehashFile !== "function") {
+      return [];
+    }
+    const rehash = this.#taskHasher.rehashFile.bind(this.#taskHasher);
+    const entries = Object.entries(nodes);
+    const checks = await Promise.all(
+      entries.map(async ([path, priorHash]) => {
+        const absolute = resolve(this.#workspaceRoot, path);
+        const fresh = await rehash(absolute);
+        return fresh !== void 0 && fresh !== priorHash ? path : void 0;
+      })
+    );
+    return checks.filter((path) => path !== void 0);
+  }
   async #executeTaskWithTracking(task, startTime) {
     if (!this.#fingerprintManager) {
       return this.#executeTask(task, startTime);
@@ -262,12 +293,18 @@ class TaskOrchestrator {
       let code;
       let terminalOutput;
       let fingerprint;
+      let trackerAccessCount = 0;
+      let usedRealTracker = false;
+      let autoWrites;
       const shellCommand = this.#resolveCommand?.(task);
       const canTrack = shellCommand && this.#trackedExecutor?.isTrackingSupported;
       if (canTrack && this.#trackedExecutor) {
         const trackedResult = await this.#trackedExecutor.execute(task, { captureOutput: this.#captureOutput, cwd }, shellCommand);
         code = trackedResult.code;
         terminalOutput = trackedResult.terminalOutput;
+        trackerAccessCount = trackedResult.accesses.length;
+        usedRealTracker = true;
+        autoWrites = trackedResult.accesses.filter((a) => a.type === "write").map((a) => a.path);
         fingerprint = await this.#fingerprintManager.createFingerprint(
           trackedResult.accesses,
           taskCommand,
@@ -309,10 +346,20 @@ class TaskOrchestrator {
       };
       this.#results.set(task.id, result);
       if (code === 0 && task.cache !== false && fingerprint) {
-        const hash = hashFingerprint(fingerprint);
-        Object.assign(task, { hash });
-        await this.#cache.put(hash, terminalOutput, task.outputs, code, fingerprint);
-        await this.#cache.setTaskIndex(task.id, hash);
+        const modified = this.#detectSelfModifiedFingerprint(fingerprint);
+        const emptyFingerprintReason = this.#describeEmptyFingerprint(fingerprint, usedRealTracker, trackerAccessCount);
+        if (modified.length > 0) {
+          result.selfModified = true;
+          this.#lifeCycle.printSelfModifyingSkip?.(task, modified);
+        } else if (emptyFingerprintReason) {
+          result.emptyFingerprint = true;
+          this.#lifeCycle.printEmptyFingerprintWarning?.(task, emptyFingerprintReason);
+        } else {
+          const hash = hashFingerprint(fingerprint);
+          Object.assign(task, { hash });
+          await this.#cache.put(hash, terminalOutput, task.outputs, code, fingerprint, autoWrites);
+          await this.#cache.setTaskIndex(task.id, hash);
+        }
       }
       return result;
     } catch (error) {
@@ -321,6 +368,38 @@ class TaskOrchestrator {
       return result;
     }
   }
+  /**
+   * In auto-fingerprint mode, returns the workspace-relative paths the
+   * task both read *and* wrote during execution. {@link FingerprintManager}
+   * populates `modifiedInputs` from the tracker's `"write"`-typed accesses;
+   * backends that don't yet emit write accesses leave it empty.
+   */
+  // eslint-disable-next-line class-methods-use-this
+  #detectSelfModifiedFingerprint(fingerprint) {
+    return fingerprint.modifiedInputs ?? [];
+  }
+  /**
+   * Returns a human-readable reason string when a fingerprint looks
+   * suspiciously empty (tracker ran but observed no workspace files),
+   * or `undefined` when the fingerprint is trustworthy. Caching is
+   * skipped for empty fingerprints — silently persisting one would
+   * guarantee false cache hits on every subsequent run.
+   *
+   * Only flags results from the real tracker; the glob-based fallback
+   * path legitimately produces wide fingerprints and isn't at risk.
+   */
+  // eslint-disable-next-line class-methods-use-this
+  #describeEmptyFingerprint(fingerprint, usedRealTracker, trackerAccessCount) {
+    if (!usedRealTracker) {
+      return void 0;
+    }
+    const hasAnyAccess = Object.keys(fingerprint.fileHashes).length > 0 || Object.keys(fingerprint.directoryListings).length > 0 || fingerprint.missingFiles.length > 0;
+    if (hasAnyAccess) {
+      return void 0;
+    }
+    const zeroAccesses = trackerAccessCount === 0;
+    return zeroAccesses ? "Tracker observed no workspace file accesses — likely a static binary on a platform without strace. Caching skipped." : "Tracker returned accesses but none fell inside the workspace. Caching skipped to avoid false cache hits.";
+  }
   #dryRunResult(task, startTime) {
     const cacheStatus = task.hash ? `[hash: ${task.hash.slice(0, 12)}...]` : "[no hash]";
     const result = {

package/dist/packem_shared/{TerminalBuffer-CnPyFgPB.js → TerminalBuffer-qVJvbRQZ.js}

@@ -57,7 +57,7 @@ class TerminalBuffer {
     let j = start;
     let params = "";
     while (j < data.length && (data[j] >= "0" && data[j] <= "9" || data[j] === ";")) {
-      params += data[j];
+      params += data[j] ?? "";
       j++;
     }
     if (j >= data.length) {

package/dist/packem_shared/{TrackedTaskExecutor-BGUKFE-7.js → TrackedTaskExecutor-CFPpQfXF.js}

@@ -27,7 +27,7 @@ const {
   rm
 } = __cjs_getBuiltinModule("node:fs/promises");
 import { join } from '@visulima/path';
-import { FileAccessTracker, generatePreloadScript } from './FileAccessTracker-CrtBAt5D.js';
+import { FileAccessTracker, generatePreloadScript } from './FileAccessTracker-CQ5Ot7Hd.js';
 import { u as uniqueId } from './utils-zO0ZRgtf.js';
 
 class TrackedTaskExecutor {