@visulima/task-runner 1.0.0-alpha.5 → 1.0.0-alpha.7

package/dist/packem_shared/{RemoteCache-BFceSe4a.js → RemoteCache-DSU3lc87.js}

@@ -18,40 +18,45 @@ const __cjs_getBuiltinModule = (module) => {
 };
 
 const {
-  execFile
-} = __cjs_getBuiltinModule("node:child_process");
+  createHmac,
+  timingSafeEqual
+} = __cjs_getBuiltinModule("node:crypto");
 const {
-  createWriteStream
+  createWriteStream,
+  createReadStream
 } = __cjs_getBuiltinModule("node:fs");
 const {
   mkdir,
   rm,
-  stat,
-  readFile
+  stat
 } = __cjs_getBuiltinModule("node:fs/promises");
 const {
   pipeline
 } = __cjs_getBuiltinModule("node:stream/promises");
 import { join } from '@visulima/path';
+import { e as extractTarBrotli, a as extractTarGz, c as createTarBrotli, b as createTarGz } from './archive-UQHAnZUa.js';
 
-const createTarGz = (sourceDirectory, outputPath) => new Promise((resolve, reject) => {
-  execFile("tar", ["-czf", outputPath, "-C", sourceDirectory, "."], (error) => {
-    if (error) {
-      reject(error);
-    } else {
-      resolve();
-    }
-  });
-});
-const extractTarGz = (archivePath, destinationDirectory) => new Promise((resolve, reject) => {
-  execFile("tar", ["-xzf", archivePath, "-C", destinationDirectory], (error) => {
-    if (error) {
-      reject(error);
-    } else {
-      resolve();
-    }
-  });
-});
+const SIGNATURE_HEADER = "X-Artifact-Signature";
+const MIN_SECRET_LENGTH = 16;
+const computeArtifactSignatureStream = async (secret, hash, archivePath) => {
+  const hmac = createHmac("sha256", secret);
+  hmac.update(hash);
+  const source = createReadStream(archivePath);
+  for await (const chunk of source) {
+    hmac.update(chunk);
+  }
+  return hmac.digest("hex");
+};
+const signaturesMatch = (a, b) => {
+  if (a.length !== b.length) {
+    return false;
+  }
+  try {
+    return timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+  } catch {
+    return false;
+  }
+};
 class RemoteCache {
   #url;
   #token;
@@ -60,6 +65,9 @@ class RemoteCache {
   #read;
   #write;
   #onUploadError;
+  #compression;
+  #signingSecret;
+  #verifyOnDownload;
   constructor(options) {
     this.#url = options.url.replace(/\/$/, "");
     this.#token = options.token;
@@ -68,6 +76,17 @@ class RemoteCache {
     this.#read = options.read ?? true;
     this.#write = options.write ?? true;
     this.#onUploadError = options.onUploadError;
+    this.#compression = options.compression ?? "gzip";
+    if (options.signing) {
+      if (options.signing.secret.length < MIN_SECRET_LENGTH) {
+        throw new Error(`Remote cache signing secret must be at least ${String(MIN_SECRET_LENGTH)} characters.`);
+      }
+      this.#signingSecret = options.signing.secret;
+      this.#verifyOnDownload = options.signing.verifyOnDownload ?? false;
+    } else {
+      this.#signingSecret = void 0;
+      this.#verifyOnDownload = false;
+    }
   }
   /**
    * Retrieves a cached artifact from the remote cache.
@@ -89,15 +108,23 @@ class RemoteCache {
       if (!response.ok) {
         return false;
       }
-      await mkdir(localCacheDirectory, { recursive: true });
-      const { body } = response;
-      if (!body) {
+      const receivedSignature = this.#signingSecret ? response.headers.get(SIGNATURE_HEADER.toLowerCase()) ?? response.headers.get(SIGNATURE_HEADER) : null;
+      if (this.#signingSecret && !receivedSignature && this.#verifyOnDownload) {
+        return false;
+      }
+      if (!response.body) {
         return false;
       }
-      const fileStream = createWriteStream(archivePath);
-      await pipeline(body, fileStream);
+      await mkdir(localCacheDirectory, { recursive: true });
+      await pipeline(response.body, createWriteStream(archivePath));
+      if (this.#signingSecret && receivedSignature) {
+        const expected = await computeArtifactSignatureStream(this.#signingSecret, hash, archivePath);
+        if (!signaturesMatch(receivedSignature, expected)) {
+          return false;
+        }
+      }
       await mkdir(entryDirectory, { recursive: true });
-      await extractTarGz(archivePath, entryDirectory);
+      await (this.#compression === "brotli" ? extractTarBrotli(archivePath, entryDirectory) : extractTarGz(archivePath, entryDirectory));
       await rm(archivePath, { force: true });
       return true;
     } catch {
@@ -119,16 +146,29 @@ class RemoteCache {
     const archivePath = join(localCacheDirectory, `.upload-${hash}.tar.gz`);
     try {
       await stat(join(entryDirectory, ".commit"));
-      await createTarGz(entryDirectory, archivePath);
+      await (this.#compression === "brotli" ? createTarBrotli(entryDirectory, archivePath) : createTarGz(entryDirectory, archivePath));
       const artifactUrl = this.#buildUrl(`/v8/artifacts/${hash}`);
-      const archiveContent = await readFile(archivePath);
+      const { size } = await stat(archivePath);
+      const uploadHeaders = {
+        ...this.#buildHeaders(),
+        "Content-Length": String(size),
+        // Advertise the compression format in a custom header so
+        // spec-compatible servers (and the matching download side)
+        // can branch if needed. The body is still an opaque blob
+        // from the server's perspective.
+        "Content-Type": "application/octet-stream",
+        "X-Artifact-Compression": this.#compression
+      };
+      if (this.#signingSecret) {
+        uploadHeaders[SIGNATURE_HEADER] = await computeArtifactSignatureStream(this.#signingSecret, hash, archivePath);
+      }
       const response = await fetch(artifactUrl, {
-        body: archiveContent,
-        headers: {
-          ...this.#buildHeaders(),
-          "Content-Length": String(archiveContent.length),
-          "Content-Type": "application/octet-stream"
-        },
+        body: createReadStream(archivePath),
+        // @ts-expect-error — `duplex` is a Node-specific fetch
+        // option required when the body is a stream. The DOM
+        // `RequestInit` type doesn't include it yet.
+        duplex: "half",
+        headers: uploadHeaders,
         method: "PUT",
         signal: AbortSignal.timeout(this.#timeout)
       });

package/dist/packem_shared/{TaskOrchestrator-lLn-PH1m.js → TaskOrchestrator-rf45vW5c.js}

@@ -1,9 +1,9 @@
 import { d as resolveTaskCwd, a as createFailureResult, e as createXxh3Hasher } from './utils-zO0ZRgtf.js';
-import { join } from '@visulima/path';
-import { FingerprintManager } from './FingerprintManager-Cu-ta9ee.js';
-import { generateRunSummary, writeRunSummary } from './generateRunSummary-qn-_jKwt.js';
-import { computeTaskHash } from './computeTaskHash-B2SVZqgp.js';
-import { TrackedTaskExecutor } from './TrackedTaskExecutor-BGUKFE-7.js';
+import { resolve, join } from '@visulima/path';
+import { FingerprintManager } from './FingerprintManager-CV7U4f4f.js';
+import { generateRunSummary, writeLastRunSummary, writeRunSummary } from './generateRunSummary-BE1jnQ3H.js';
+import { computeTaskHash } from './computeTaskHash-DYqfrDGq.js';
+import { TrackedTaskExecutor } from './TrackedTaskExecutor-CFPpQfXF.js';
 
 const hashFingerprint = (fingerprint) => {
   const hash = createXxh3Hasher();
@@ -26,11 +26,11 @@ const hashFingerprint = (fingerprint) => {
   return hash.digest();
 };
 const createDeferred = () => {
-  let resolve;
+  let resolve2;
   const promise = new Promise((r) => {
-    resolve = r;
+    resolve2 = r;
   });
-  return { promise, resolve };
+  return { promise, resolve: resolve2 };
 };
 class TaskOrchestrator {
   #taskHasher;
@@ -101,9 +101,12 @@ class TaskOrchestrator {
       process.removeListener("SIGTERM", signalHandler);
       this.#lifeCycle.endCommand?.();
     }
-    if (this.#summarize && this.#taskGraph) {
+    if (this.#taskGraph && !this.#aborted) {
       const summary = generateRunSummary(this.#results, this.#taskGraph, this.#startTime);
-      await writeRunSummary(summary, this.#workspaceRoot);
+      await writeLastRunSummary(summary, this.#workspaceRoot);
+      if (this.#summarize) {
+        await writeRunSummary(summary, this.#workspaceRoot);
+      }
     }
     return this.#results;
   }
@@ -243,7 +246,13 @@ class TaskOrchestrator {
       };
       this.#results.set(task.id, result);
       if (code === 0 && task.cache !== false && task.hash) {
-        await this.#cache.put(task.hash, terminalOutput, task.outputs, code);
+        const modified = await this.#detectSelfModifiedInputs(task);
+        if (modified.length > 0) {
+          result.selfModified = true;
+          this.#lifeCycle.printSelfModifyingSkip?.(task, modified);
+        } else {
+          await this.#cache.put(task.hash, terminalOutput, task.outputs, code);
+        }
       }
       return result;
     } catch (error) {
@@ -252,6 +261,28 @@ class TaskOrchestrator {
       return result;
     }
   }
+  /**
+   * Re-hashes every file recorded in `task.hashDetails.nodes` and returns
+   * the workspace-relative paths whose post-execution hash differs from the
+   * pre-execution hash. A non-empty result means the task wrote to its own
+   * tracked inputs and the cache entry would be unsafe to persist.
+   */
+  async #detectSelfModifiedInputs(task) {
+    const nodes = task.hashDetails?.nodes;
+    if (!nodes || typeof this.#taskHasher.rehashFile !== "function") {
+      return [];
+    }
+    const rehash = this.#taskHasher.rehashFile.bind(this.#taskHasher);
+    const entries = Object.entries(nodes);
+    const checks = await Promise.all(
+      entries.map(async ([path, priorHash]) => {
+        const absolute = resolve(this.#workspaceRoot, path);
+        const fresh = await rehash(absolute);
+        return fresh !== void 0 && fresh !== priorHash ? path : void 0;
+      })
+    );
+    return checks.filter((path) => path !== void 0);
+  }
   async #executeTaskWithTracking(task, startTime) {
     if (!this.#fingerprintManager) {
       return this.#executeTask(task, startTime);
@@ -262,12 +293,18 @@ class TaskOrchestrator {
       let code;
       let terminalOutput;
       let fingerprint;
+      let trackerAccessCount = 0;
+      let usedRealTracker = false;
+      let autoWrites;
       const shellCommand = this.#resolveCommand?.(task);
       const canTrack = shellCommand && this.#trackedExecutor?.isTrackingSupported;
       if (canTrack && this.#trackedExecutor) {
         const trackedResult = await this.#trackedExecutor.execute(task, { captureOutput: this.#captureOutput, cwd }, shellCommand);
         code = trackedResult.code;
         terminalOutput = trackedResult.terminalOutput;
+        trackerAccessCount = trackedResult.accesses.length;
+        usedRealTracker = true;
+        autoWrites = trackedResult.accesses.filter((a) => a.type === "write").map((a) => a.path);
         fingerprint = await this.#fingerprintManager.createFingerprint(
           trackedResult.accesses,
           taskCommand,
@@ -309,10 +346,20 @@ class TaskOrchestrator {
       };
       this.#results.set(task.id, result);
       if (code === 0 && task.cache !== false && fingerprint) {
-        const hash = hashFingerprint(fingerprint);
-        Object.assign(task, { hash });
-        await this.#cache.put(hash, terminalOutput, task.outputs, code, fingerprint);
-        await this.#cache.setTaskIndex(task.id, hash);
+        const modified = this.#detectSelfModifiedFingerprint(fingerprint);
+        const emptyFingerprintReason = this.#describeEmptyFingerprint(fingerprint, usedRealTracker, trackerAccessCount);
+        if (modified.length > 0) {
+          result.selfModified = true;
+          this.#lifeCycle.printSelfModifyingSkip?.(task, modified);
+        } else if (emptyFingerprintReason) {
+          result.emptyFingerprint = true;
+          this.#lifeCycle.printEmptyFingerprintWarning?.(task, emptyFingerprintReason);
+        } else {
+          const hash = hashFingerprint(fingerprint);
+          Object.assign(task, { hash });
+          await this.#cache.put(hash, terminalOutput, task.outputs, code, fingerprint, autoWrites);
+          await this.#cache.setTaskIndex(task.id, hash);
+        }
       }
       return result;
     } catch (error) {
@@ -321,6 +368,38 @@ class TaskOrchestrator {
       return result;
     }
   }
+  /**
+   * In auto-fingerprint mode, returns the workspace-relative paths the
+   * task both read *and* wrote during execution. {@link FingerprintManager}
+   * populates `modifiedInputs` from the tracker's `"write"`-typed accesses;
+   * backends that don't yet emit write accesses leave it empty.
+   */
+  // eslint-disable-next-line class-methods-use-this
+  #detectSelfModifiedFingerprint(fingerprint) {
+    return fingerprint.modifiedInputs ?? [];
+  }
+  /**
+   * Returns a human-readable reason string when a fingerprint looks
+   * suspiciously empty (tracker ran but observed no workspace files),
+   * or `undefined` when the fingerprint is trustworthy. Caching is
+   * skipped for empty fingerprints — silently persisting one would
+   * guarantee false cache hits on every subsequent run.
+   *
+   * Only flags results from the real tracker; the glob-based fallback
+   * path legitimately produces wide fingerprints and isn't at risk.
+   */
+  // eslint-disable-next-line class-methods-use-this
+  #describeEmptyFingerprint(fingerprint, usedRealTracker, trackerAccessCount) {
+    if (!usedRealTracker) {
+      return void 0;
+    }
+    const hasAnyAccess = Object.keys(fingerprint.fileHashes).length > 0 || Object.keys(fingerprint.directoryListings).length > 0 || fingerprint.missingFiles.length > 0;
+    if (hasAnyAccess) {
+      return void 0;
+    }
+    const zeroAccesses = trackerAccessCount === 0;
+    return zeroAccesses ? "Tracker observed no workspace file accesses — likely a static binary on a platform without strace. Caching skipped." : "Tracker returned accesses but none fell inside the workspace. Caching skipped to avoid false cache hits.";
+  }
   #dryRunResult(task, startTime) {
     const cacheStatus = task.hash ? `[hash: ${task.hash.slice(0, 12)}...]` : "[no hash]";
     const result = {

package/dist/packem_shared/{TerminalBuffer-CnPyFgPB.js → TerminalBuffer-qVJvbRQZ.js}

@@ -57,7 +57,7 @@ class TerminalBuffer {
     let j = start;
     let params = "";
     while (j < data.length && (data[j] >= "0" && data[j] <= "9" || data[j] === ";")) {
-      params += data[j];
+      params += data[j] ?? "";
       j++;
     }
     if (j >= data.length) {

package/dist/packem_shared/{TrackedTaskExecutor-BGUKFE-7.js → TrackedTaskExecutor-CFPpQfXF.js}

@@ -27,7 +27,7 @@ const {
   rm
 } = __cjs_getBuiltinModule("node:fs/promises");
 import { join } from '@visulima/path';
-import { FileAccessTracker, generatePreloadScript } from './FileAccessTracker-CrtBAt5D.js';
+import { FileAccessTracker, generatePreloadScript } from './FileAccessTracker-CQ5Ot7Hd.js';
 import { u as uniqueId } from './utils-zO0ZRgtf.js';
 
 class TrackedTaskExecutor {

package/dist/packem_shared/archive-UQHAnZUa.js

@@ -0,0 +1,102 @@
+import { createRequire as __cjs_createRequire } from "node:module";
+
+const __cjs_require = __cjs_createRequire(import.meta.url);
+
+const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
+
+const __cjs_getBuiltinModule = (module) => {
+    // Check if we're in Node.js and version supports getBuiltinModule
+    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
+        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
+        // Node.js 20.16.0+ and 22.3.0+
+        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
+            return __cjs_getProcess.getBuiltinModule(module);
+        }
+    }
+    // Fallback to createRequire
+    return __cjs_require(module);
+};
+
+const {
+  execFile
+} = __cjs_getBuiltinModule("node:child_process");
+const {
+  createReadStream,
+  createWriteStream
+} = __cjs_getBuiltinModule("node:fs");
+const {
+  rm
+} = __cjs_getBuiltinModule("node:fs/promises");
+const {
+  pipeline
+} = __cjs_getBuiltinModule("node:stream/promises");
+const {
+  createBrotliDecompress,
+  createBrotliCompress,
+  constants
+} = __cjs_getBuiltinModule("node:zlib");
+
+const BROTLI_COMPRESS_OPTIONS = {
+  params: {
+    [constants.BROTLI_PARAM_MODE]: constants.BROTLI_MODE_TEXT,
+    [constants.BROTLI_PARAM_QUALITY]: 4
+  }
+};
+const createTar = (sourceDirectory, outputPath) => new Promise((resolve, reject) => {
+  execFile("tar", ["-cf", outputPath, "-C", sourceDirectory, "."], (error) => {
+    if (error) {
+      reject(error);
+    } else {
+      resolve();
+    }
+  });
+});
+const extractTar = (archivePath, destinationDirectory) => new Promise((resolve, reject) => {
+  execFile("tar", ["-xf", archivePath, "-C", destinationDirectory], (error) => {
+    if (error) {
+      reject(error);
+    } else {
+      resolve();
+    }
+  });
+});
+const createTarGz = (sourceDirectory, outputPath) => new Promise((resolve, reject) => {
+  execFile("tar", ["-czf", outputPath, "-C", sourceDirectory, "."], (error) => {
+    if (error) {
+      reject(error);
+    } else {
+      resolve();
+    }
+  });
+});
+const extractTarGz = (archivePath, destinationDirectory) => new Promise((resolve, reject) => {
+  execFile("tar", ["-xzf", archivePath, "-C", destinationDirectory], (error) => {
+    if (error) {
+      reject(error);
+    } else {
+      resolve();
+    }
+  });
+});
+const createTarBrotli = async (sourceDirectory, outputPath) => {
+  const tarPath = `${outputPath}.tar`;
+  try {
+    await createTar(sourceDirectory, tarPath);
+    await pipeline(createReadStream(tarPath), createBrotliCompress(BROTLI_COMPRESS_OPTIONS), createWriteStream(outputPath));
+  } finally {
+    await rm(tarPath, { force: true }).catch(() => {
+    });
+  }
+};
+const extractTarBrotli = async (archivePath, destinationDirectory) => {
+  const tarPath = `${archivePath}.tar`;
+  try {
+    await pipeline(createReadStream(archivePath), createBrotliDecompress(), createWriteStream(tarPath));
+    await extractTar(tarPath, destinationDirectory);
+  } finally {
+    await rm(tarPath, { force: true }).catch(() => {
+    });
+  }
+};
+
+export { extractTarGz as a, createTarGz as b, createTarBrotli as c, extractTarBrotli as e };

package/dist/packem_shared/{buildForwardDependencyMap-0BJFMMPv.js → buildForwardDependencyMap-DLPgKEto.js}

@@ -33,7 +33,8 @@ const findProjectForFile = (filePath, projects) => {
   let bestLength = 0;
   for (const [name, config] of Object.entries(projects)) {
     const { root } = config;
-    if ((filePath.startsWith(`${root}/`) || filePath === root) && root.length > bestLength) {
+    if ((filePath.startsWith(`${root}/`) || filePath === root) && // Prefer the most specific (longest) match
+    root.length > bestLength) {
       bestMatch = name;
       bestLength = root.length;
     }

package/dist/packem_shared/{computeTaskHash-B2SVZqgp.js → computeTaskHash-DYqfrDGq.js}

@@ -21,12 +21,13 @@ const {
   execFile
 } = __cjs_getBuiltinModule("node:child_process");
 const {
+  stat,
   readFile
 } = __cjs_getBuiltinModule("node:fs/promises");
 import { b as hashStrings, s as sortObjectKeys, c as collectFiles, x as xxh3Hash, e as createXxh3Hasher } from './utils-zO0ZRgtf.js';
 import { join, resolve, relative } from '@visulima/path';
 import { getFrameworkEnvVariables } from './detectFrameworks-CeFzKE6J.js';
-import { LockfileHasher } from './extractPackageName-CbVNW-dr.js';
+import { LockfileHasher } from './extractPackageName-BllKetnz.js';
 import { loadNativeBindings } from './isNativeAvailable-BpD28A6Z.js';
 
 const DEFAULT_GLOBAL_INPUTS = ["package-lock.json", "pnpm-lock.yaml", "yarn.lock", "tsconfig.base.json", "tsconfig.json", ".env"];
@@ -73,7 +74,38 @@ const hashRuntimeValue = async (runtime) => {
   }
   return hashStrings(runtime, output);
 };
+const SHELL_SPECIAL_VARS = /* @__PURE__ */ new Set(["0", "!", "#", "$", "*", "-", "?", "@", "_"]);
+const extractReferencedEnvVars = (command) => {
+  const found = /* @__PURE__ */ new Set();
+  const pattern = /\$(?:\{([^}]+)\}|([A-Z_]\w*))/gi;
+  let match;
+  while ((match = pattern.exec(command)) !== null) {
+    const raw = match[1] ?? match[2];
+    if (!raw) {
+      continue;
+    }
+    const name = raw.split(/[#%:/?+\-=,^]/)[0]?.trim();
+    if (!name || SHELL_SPECIAL_VARS.has(name) || /^\d+$/.test(name)) {
+      continue;
+    }
+    if (!/^[A-Z_]\w*$/i.test(name)) {
+      continue;
+    }
+    found.add(name);
+  }
+  return [...found];
+};
 const isFileSetInput = (input) => "fileset" in input;
+const normalizeFileset = (fileset) => {
+  if (typeof fileset === "string") {
+    return fileset;
+  }
+  const token = fileset.base === "workspace" ? "{workspaceRoot}" : "{projectRoot}";
+  if (fileset.pattern.startsWith("!")) {
+    return `!${token}/${fileset.pattern.slice(1)}`;
+  }
+  return `${token}/${fileset.pattern}`;
+};
 const isRuntimeInput = (input) => "runtime" in input;
 const isEnvironmentInput = (input) => "env" in input;
 const isExternalDependencyInput = (input) => "externalDependencies" in input;
@@ -90,6 +122,8 @@ class InProcessTaskHasher {
   #smartLockfileHashing;
   #lockfileHasher;
   #frameworkInference;
+  #autoEnvVars;
+  #incrementalHasher;
   #globalHash = void 0;
   constructor(options) {
     this.#workspaceRoot = options.workspaceRoot;
@@ -103,6 +137,8 @@ class InProcessTaskHasher {
     this.#smartLockfileHashing = options.smartLockfileHashing ?? false;
     this.#lockfileHasher = this.#smartLockfileHashing ? new LockfileHasher(options.workspaceRoot) : void 0;
     this.#frameworkInference = options.frameworkInference ?? false;
+    this.#autoEnvVars = options.autoEnvVars ?? false;
+    this.#incrementalHasher = options.incrementalHasher;
   }
   async hashTask(task) {
     const commandHash = this.#hashCommand(task);
@@ -117,7 +153,7 @@ class InProcessTaskHasher {
     const negationPatterns = this.#collectNegationPatterns(inputs, task.target.project);
     for (const input of inputs) {
       if (isFileSetInput(input)) {
-        const fileHashes = await this.#hashFileSet(task, input.fileset, negationPatterns);
+        const fileHashes = await this.#hashFileSet(task, normalizeFileset(input.fileset), negationPatterns);
         for (const [filePath, hash] of Object.entries(fileHashes)) {
           nodes[filePath] = hash;
         }
@@ -135,6 +171,17 @@ class InProcessTaskHasher {
     for (const envVariable of this.#envVars) {
       runtime[`env:${envVariable}`] = hashStrings(envVariable, process.env[envVariable] ?? "");
     }
+    if (this.#autoEnvVars) {
+      const command = this.#resolveCommandText(task);
+      if (command) {
+        for (const name of extractReferencedEnvVars(command)) {
+          const key = `env:${name}`;
+          if (runtime[key] === void 0) {
+            runtime[key] = hashStrings(name, process.env[name] ?? "");
+          }
+        }
+      }
+    }
     const project = this.#projects[task.target.project];
     if (project) {
       if (this.#lockfileHasher) {
@@ -177,6 +224,21 @@ class InProcessTaskHasher {
     hash.update(overridesJson);
     return hash.digest();
   }
+  /**
+   * Looks up the command string associated with a task so referenced
+   * env vars can be extracted. Checks `task.overrides.command` first
+   * (consumers like vis stash the resolved command there), then falls
+   * back to the project's target config.
+   */
+  #resolveCommandText(task) {
+    const override = task.overrides["command"];
+    if (typeof override === "string") {
+      return override;
+    }
+    const project = this.#projects[task.target.project];
+    const command = project?.targets?.[task.target.target]?.command ?? this.#targetDefaults[task.target.target]?.command;
+    return typeof command === "string" ? command : void 0;
+  }
   #resolveInputs(task) {
     const project = this.#projects[task.target.project];
     const targetConfig = project?.targets?.[task.target.target];
@@ -216,7 +278,7 @@ class InProcessTaskHasher {
       if (!isFileSetInput(input)) {
         continue;
       }
-      const resolved = input.fileset.replace("{projectRoot}", projectRoot).replace("{workspaceRoot}", ".");
+      const resolved = normalizeFileset(input.fileset).replace("{projectRoot}", projectRoot).replace("{workspaceRoot}", ".");
       if (resolved.startsWith("!")) {
         patterns.push(
           resolved.slice(1).replace(/\/\*\*\/\*$/, "").replace(/\/\*$/, "")
@@ -243,13 +305,30 @@ class InProcessTaskHasher {
     try {
       if (this.#native) {
         const fileHashes = this.#native.hashFilesInDirectory(absoluteBase, this.#workspaceRoot);
+        const incremental = this.#incrementalHasher;
+        const recordPromises = [];
         for (const { hash, path } of fileHashes) {
           const absPath = resolve(this.#workspaceRoot, path);
-          if (!isExcluded(absPath)) {
-            result[path] = hash;
-            this.#fileHashCache.set(absPath, hash);
+          if (isExcluded(absPath)) {
+            continue;
+          }
+          result[path] = hash;
+          this.#fileHashCache.set(absPath, hash);
+          if (incremental) {
+            recordPromises.push(
+              stat(absPath).then((s) => {
+                if (s.isFile()) {
+                  incremental.recordSnapshot(absPath, hash, s.mtimeMs, s.size);
+                }
+                return void 0;
+              }).catch(() => {
+              })
+            );
           }
         }
+        if (recordPromises.length > 0) {
+          await Promise.all(recordPromises);
+        }
         return result;
       }
       const files = await collectFiles(absoluteBase, IGNORED_DIRS);
@@ -272,6 +351,24 @@ class InProcessTaskHasher {
     if (cached) {
       return cached;
     }
+    if (this.#incrementalHasher) {
+      try {
+        const fileStat = await stat(filePath);
+        if (fileStat.isFile()) {
+          const snapshotHit = this.#incrementalHasher.getSnapshotHash(filePath, fileStat.mtimeMs, fileStat.size);
+          if (snapshotHit) {
+            this.#fileHashCache.set(filePath, snapshotHit);
+            return snapshotHit;
+          }
+          const content = await readFile(filePath);
+          const hash = xxh3Hash(content);
+          this.#incrementalHasher.recordSnapshot(filePath, hash, fileStat.mtimeMs, fileStat.size);
+          this.#fileHashCache.set(filePath, hash);
+          return hash;
+        }
+      } catch {
+      }
+    }
     try {
       const content = await readFile(filePath);
       const hash = xxh3Hash(content);
@@ -326,6 +423,25 @@ class InProcessTaskHasher {
     this.#globalHash = void 0;
     this.#lockfileHasher?.clearCache();
   }
+  /**
+   * Reads `filePath` fresh and returns its content hash, bypassing the
+   * in-memory cache used during the initial `hashTask` pass.
+   *
+   * Used to detect tasks that modify their own tracked inputs: compare
+   * a pre-execution hash (from `task.hashDetails.nodes`) against the
+   * post-execution result of this method.
+   * @param filePath Absolute path to the file.
+   * @returns The fresh xxh3 hash, or `undefined` if the file cannot be read.
+   */
+  // eslint-disable-next-line class-methods-use-this
+  async rehashFile(filePath) {
+    try {
+      const content = await readFile(filePath);
+      return xxh3Hash(content);
+    } catch {
+      return void 0;
+    }
+  }
 }
 const computeTaskHash = (hashDetails) => {
   const native = getNativeBindings();