mustflow 2.17.0 → 2.18.0

package/README.md

@@ -354,7 +354,7 @@ Runnable work is declared in `.mustflow/config/commands.toml` so agents do not g
 - `run_policy = "agent_allowed"`
 - `stdin = "closed"`
 
-Development servers, watch modes, browser UIs, interactive commands, and background processes do not run directly.
+Development servers, watch modes, browser UIs, interactive commands, and background processes do not run directly. `mf run` also rejects obvious long-running `argv` shapes, such as shell-wrapper background payloads, interpreter loops, package-manager development scripts, watchers, and development servers declared as one-shot commands.
 
 Use `mf verify --reason <event> --plan-only --json` to inspect matching verification intents, command eligibility, remaining gaps, and missing runnable coverage without executing commands. Use `mf run <intent> --dry-run --json` to inspect one resolved command intent without spawning a process or writing a run receipt. Plan-only verification includes a `decision_graph` that connects changed surfaces, classification reasons, command candidates, eligibility checks, effects, and gaps. When `.mustflow/cache/mustflow.sqlite` is fresh, scheduled entries also include read-only `effectGraph` metadata for write locks and lock conflicts. These graph rows are marked `explanation_only` and never grant command authority; `.mustflow/config/commands.toml` remains the only runnable command source.
 

package/dist/cli/commands/classify.js

@@ -2,7 +2,7 @@ import { mkdirSync, writeFileSync } from 'node:fs';
 import path from 'node:path';
 import { createChangeClassificationReport, } from '../../core/change-classification.js';
 import { printUsageError, renderHelp } from '../lib/cli-output.js';
-import { readGitChangedFiles } from '../lib/git-changes.js';
+import { requireGitChangedFiles } from '../lib/git-changes.js';
 import { t } from '../lib/i18n.js';
 import { resolveMustflowRoot } from '../lib/project-root.js';
 const CLASSIFY_SCHEMA_VERSION = '1';
@@ -67,7 +67,7 @@ function parseClassifyArgs(args) {
     return { json, changed, writePath, paths };
 }
 export function createClassifyOutput(projectRoot, source, paths) {
-    const files = source === 'changed' ? readGitChangedFiles(projectRoot) : paths;
+    const files = source === 'changed' ? requireGitChangedFiles(projectRoot) : paths;
     return {
         schema_version: CLASSIFY_SCHEMA_VERSION,
         command: 'classify',
@@ -136,7 +136,17 @@ export function runClassify(args, reporter, lang = 'en') {
         return 1;
     }
     const projectRoot = resolveMustflowRoot();
-    const output = createClassifyOutput(projectRoot, parsed.changed ? 'changed' : 'paths', parsed.paths);
+    let output;
+    try {
+        output = createClassifyOutput(projectRoot, parsed.changed ? 'changed' : 'paths', parsed.paths);
+    }
+    catch (error) {
+        const message = error instanceof Error && error.message === 'git_changed_files_unavailable'
+            ? t(lang, 'classify.error.changed_files_unavailable')
+            : t(lang, 'cli.common.invalidInput');
+        printUsageError(reporter, message, 'mf classify --help', getClassifyHelp(lang), lang);
+        return 1;
+    }
     if (parsed.writePath) {
         try {
             writeClassifyOutput(projectRoot, parsed.writePath, output);

package/dist/cli/commands/dashboard.js

@@ -682,7 +682,8 @@ async function renderStatusResponse(projectRoot) {
     const activeDocuments = listDocReviewEntries(projectRoot);
     const rawCommandContract = readDashboardCommandContract(projectRoot);
     const commandContract = await renderCommandContractResponse(projectRoot, rawCommandContract);
-    const gitChangedFiles = readGitChangedFiles(projectRoot);
+    const gitChangedFilesResult = readGitChangedFiles(projectRoot);
+    const gitChangedFiles = gitChangedFilesResult.ok ? gitChangedFilesResult.files : [];
     const packageMetadata = readPackageMetadata();
     const verification = createDashboardVerificationSnapshot(projectRoot, rawCommandContract, commandContract.intents, gitChangedFiles, manifest.changedFiles, manifest.missingFiles);
     const readModel = await readLatestLocalVerificationReadModelQueries(projectRoot);

package/dist/cli/commands/impact.js

@@ -3,7 +3,7 @@ import { createChangeClassificationReport } from '../../core/change-classificati
 import { summarizeVersionImpact } from '../../core/version-impact.js';
 import { printUsageError, renderHelp } from '../lib/cli-output.js';
 import { isRecord } from '../lib/command-contract.js';
-import { readGitChangedFiles } from '../lib/git-changes.js';
+import { requireGitChangedFiles } from '../lib/git-changes.js';
 import { t } from '../lib/i18n.js';
 import { resolveMustflowRoot } from '../lib/project-root.js';
 import { readTomlFile } from '../lib/toml.js';
@@ -56,7 +56,7 @@ function readPreferences(projectRoot) {
 }
 function createImpactOutput(projectRoot, parsed) {
     const source = parsed.changed ? 'changed' : 'paths';
-    const files = parsed.changed ? readGitChangedFiles(projectRoot) : parsed.paths;
+    const files = parsed.changed ? requireGitChangedFiles(projectRoot) : parsed.paths;
     const classificationReport = createChangeClassificationReport(source, files);
     const versionSources = detectVersionSources(projectRoot);
     return {
@@ -110,7 +110,17 @@ export function runImpact(args, reporter, lang = 'en') {
         printUsageError(reporter, t(lang, 'impact.error.missingInput'), 'mf impact --help', getImpactHelp(lang), lang);
         return 1;
     }
-    const output = createImpactOutput(resolveMustflowRoot(), parsed);
+    let output;
+    try {
+        output = createImpactOutput(resolveMustflowRoot(), parsed);
+    }
+    catch (error) {
+        const message = error instanceof Error && error.message === 'git_changed_files_unavailable'
+            ? t(lang, 'impact.error.changed_files_unavailable')
+            : t(lang, 'cli.common.invalidInput');
+        printUsageError(reporter, message, 'mf impact --help', getImpactHelp(lang), lang);
+        return 1;
+    }
     if (parsed.json) {
         reporter.stdout(JSON.stringify(output, null, 2));
         return 0;

package/dist/cli/commands/run.js

@@ -24,7 +24,7 @@ function emitOutput(reporter, output, stream) {
     }
     reporter[stream](text);
 }
-function terminateProcessTree(pid) {
+function signalProcessTree(pid, signal) {
     if (!pid || pid <= 0) {
         return;
     }
@@ -33,20 +33,73 @@ function terminateProcessTree(pid) {
             stdio: 'ignore',
             windowsHide: true,
         });
+        if (signal === 'SIGKILL') {
+            try {
+                process.kill(pid, signal);
+            }
+            catch {
+                // taskkill may already have terminated the direct child.
+            }
+        }
         return;
     }
     try {
-        process.kill(-pid, 'SIGTERM');
+        process.kill(-pid, signal);
     }
     catch {
         try {
-            process.kill(pid, 'SIGTERM');
+            process.kill(pid, signal);
         }
         catch {
             // The child may already be gone after Node's spawn timeout handling.
         }
     }
 }
+function signalProcessTreeNonBlocking(pid, signal) {
+    if (!pid || pid <= 0) {
+        return;
+    }
+    if (process.platform === 'win32') {
+        const killer = spawn('taskkill', ['/PID', String(pid), '/T', '/F'], {
+            stdio: 'ignore',
+            windowsHide: true,
+            detached: true,
+        });
+        killer.unref();
+        if (signal === 'SIGKILL') {
+            try {
+                process.kill(pid, signal);
+            }
+            catch {
+                // taskkill may already have terminated the direct child.
+            }
+        }
+        return;
+    }
+    try {
+        process.kill(-pid, signal);
+    }
+    catch {
+        try {
+            process.kill(pid, signal);
+        }
+        catch {
+            // The child may already be gone after the timeout fired.
+        }
+    }
+}
+function terminateProcessTree(pid) {
+    signalProcessTree(pid, 'SIGTERM');
+}
+function forceTerminateProcessTree(pid) {
+    signalProcessTree(pid, 'SIGKILL');
+}
+function terminateProcessTreeNonBlocking(pid) {
+    signalProcessTreeNonBlocking(pid, 'SIGTERM');
+}
+function forceTerminateProcessTreeNonBlocking(pid) {
+    signalProcessTreeNonBlocking(pid, 'SIGKILL');
+}
 function getKillMethod() {
     return process.platform === 'win32' ? 'taskkill_process_tree' : 'process_group_sigterm';
 }
@@ -178,14 +231,14 @@ function writeStreamChunk(reporter, stream, chunk) {
             reporter.writeStdout(chunk);
             return;
         }
-        reporter.stdout(chunk.toString().trimEnd());
+        reporter.stdout(chunk.toString());
         return;
     }
     if (reporter.writeStderr) {
         reporter.writeStderr(chunk);
         return;
     }
-    reporter.stderr(chunk.toString().trimEnd());
+    reporter.stderr(chunk.toString());
 }
 function runArgvCommandStreaming(command, cwd, env, timeoutSeconds, stdoutTailBytes, stderrTailBytes, reporter) {
     return new Promise((resolve) => {
@@ -214,8 +267,8 @@ function runArgvCommandStreaming(command, cwd, env, timeoutSeconds, stdoutTailBy
                 clearTimeout(timeout);
             }
             resolve({
-                status,
-                signal,
+                status: timedOut ? null : status,
+                signal: timedOut ? null : signal,
                 error: timedOut ? Object.assign(new Error('Command timed out'), { code: 'ETIMEDOUT' }) : childError,
                 stdout: stdout.toSnapshot(),
                 stderr: stderr.toSnapshot(),
@@ -238,7 +291,12 @@ function runArgvCommandStreaming(command, cwd, env, timeoutSeconds, stdoutTailBy
         });
         timeout = setTimeout(() => {
             timedOut = true;
-            terminateProcessTree(childPid);
+            child.stdout?.destroy();
+            child.stderr?.destroy();
+            child.unref();
+            terminateProcessTreeNonBlocking(childPid);
+            forceTerminateProcessTreeNonBlocking(childPid);
+            finish(null, null);
         }, timeoutSeconds * 1000);
     });
 }
@@ -282,8 +340,8 @@ function runShellCommandStreaming(command, cwd, env, timeoutSeconds, stdoutTailB
                 clearTimeout(timeout);
             }
             resolve({
-                status,
-                signal,
+                status: timedOut ? null : status,
+                signal: timedOut ? null : signal,
                 error: timedOut ? Object.assign(new Error('Command timed out'), { code: 'ETIMEDOUT' }) : childError,
                 stdout: stdout.toSnapshot(),
                 stderr: stderr.toSnapshot(),
@@ -306,7 +364,12 @@ function runShellCommandStreaming(command, cwd, env, timeoutSeconds, stdoutTailB
         });
         timeout = setTimeout(() => {
             timedOut = true;
-            terminateProcessTree(childPid);
+            child.stdout?.destroy();
+            child.stderr?.destroy();
+            child.unref();
+            terminateProcessTreeNonBlocking(childPid);
+            forceTerminateProcessTreeNonBlocking(childPid);
+            finish(null, null);
         }, timeoutSeconds * 1000);
     });
 }
@@ -356,12 +419,24 @@ function reportRunPlanFailure(plan, reporter, lang) {
                 detail: getRunPlanDetail(plan, lang, 'run.error.blockedShellBackgroundDetail'),
             });
             break;
+        case 'blocked_long_running_command_pattern':
+            message = t(lang, 'run.error.blockedLongRunningCommand', {
+                intent: plan.intentName,
+                detail: getRunPlanDetail(plan, lang, 'run.error.blockedLongRunningCommandDetail'),
+            });
+            break;
         case 'cwd_outside_project':
             message = t(lang, 'run.error.cwdOutsideProject', {
                 intent: plan.intentName,
                 detail: getRunPlanDetail(plan, lang, 'run.error.cwdOutsideProjectDetail'),
             });
             break;
+        case 'max_output_bytes_exceeds_limit':
+            message = t(lang, 'run.error.maxOutputBytes', {
+                intent: plan.intentName,
+                detail: getRunPlanDetail(plan, lang, 'run.error.maxOutputBytesDetail'),
+            });
+            break;
         case 'intent_not_table':
         default:
             message = t(lang, 'run.error.unknownIntent', { intent: plan.intentName });

package/dist/cli/commands/verify.js

@@ -764,6 +764,8 @@ export function planErrorMessageKey(code) {
             return 'verify.error.unsupported_plan_source';
         case 'plan_root_mismatch':
             return 'verify.error.plan_root_mismatch';
+        case 'git_changed_files_unavailable':
+            return 'verify.error.changed_files_unavailable';
         default:
             return 'verify.error.invalid_plan_file';
     }
@@ -1293,6 +1295,7 @@ function writeVerifyRunReceipts(projectRoot, output, report, sourceAnchorRisks,
         reasons: outputWithReceiptPaths.reasons,
         plan_source: outputWithReceiptPaths.plan_source,
         verification_plan_id: outputWithReceiptPaths.verification_plan_id,
+        execution_status: outputWithReceiptPaths.execution_status,
         status: outputWithReceiptPaths.status,
         completion_verdict: outputWithReceiptPaths.completion_verdict,
         evidence_model: outputWithReceiptPaths.evidence_model,
@@ -1312,6 +1315,7 @@ function writeVerifyRunReceipts(projectRoot, output, report, sourceAnchorRisks,
         reasons: outputWithReceiptPaths.reasons,
         plan_source: outputWithReceiptPaths.plan_source,
         verification_plan_id: outputWithReceiptPaths.verification_plan_id,
+        execution_status: outputWithReceiptPaths.execution_status,
         status: outputWithReceiptPaths.status,
         completion_verdict: outputWithReceiptPaths.completion_verdict,
         evidence_model: outputWithReceiptPaths.evidence_model,
@@ -1403,6 +1407,7 @@ async function createVerifyOutput(input, planSource, projectRoot, lang, reproEvi
         reasons: input.reasons,
         plan_source: planSource,
         verification_plan_id: verificationPlanId,
+        execution_status: status,
         status,
         completion_verdict: completionVerdict,
         evidence_model: evidenceModel,
@@ -1538,6 +1543,9 @@ export async function runVerify(args, reporter, lang = 'en') {
     let reproEvidence = null;
     let externalChecks = [];
     try {
+        if (parsed.writePlan) {
+            resolvePlanPath(projectRoot, parsed.writePlan);
+        }
         if (parsed.changed) {
             const changedInput = createInputFromChanged(projectRoot);
             input = changedInput.input;
@@ -1587,5 +1595,5 @@ export async function runVerify(args, reporter, lang = 'en') {
     else {
         reporter.stdout(renderVerifyOutput(output, lang));
     }
-    return output.status === 'passed' ? 0 : 1;
+    return output.completion_verdict.status === 'verified' ? 0 : 1;
 }

package/dist/cli/i18n/en.js

@@ -664,8 +664,12 @@ Read these files before working:
     "run.error.unsafeIntentDetail": "Use a shell-safe intent name.",
     "run.error.blockedShellBackground": 'Intent "{intent}" is blocked. {detail}',
     "run.error.blockedShellBackgroundDetail": "Shell commands must not spawn background work.",
+    "run.error.blockedLongRunningCommand": 'Intent "{intent}" is blocked. {detail}',
+    "run.error.blockedLongRunningCommandDetail": "Command argv must describe a finite one-shot command, not a development server, watcher, shell wrapper, interpreter loop, or background process.",
     "run.error.cwdOutsideProject": 'Command "{intent}" has an invalid cwd: {detail}',
     "run.error.cwdOutsideProjectDetail": "Intent cwd must stay inside the current root.",
+    "run.error.maxOutputBytes": 'Command "{intent}" has invalid max_output_bytes. {detail}',
+    "run.error.maxOutputBytesDetail": "The output limit must stay within the allowed maximum.",
     "run.error.conflictingPreviewModes": "Use either --dry-run or --plan-only, not both",
     "run.error.timedOut": 'Command "{intent}" timed out after {seconds} seconds',
     "run.error.startFailed": 'Command "{intent}" failed to start: {message}',
@@ -727,6 +731,7 @@ Read these files before working:
     "classify.source.changed": "changed files",
     "classify.source.paths": "explicit paths",
     "classify.error.missingInput": "Specify --changed or at least one path",
+    "classify.error.changed_files_unavailable": "Unable to inspect changed files with git status",
     "classify.error.write_path_outside_root": "Classification report path must stay inside the mustflow root",
     "impact.help.summary": "Report whether changed paths require a package or template version decision without modifying files.",
     "impact.help.option.changed": "Read paths from git status --short --untracked-files=all",
@@ -741,6 +746,7 @@ Read these files before working:
     "impact.label.affectedVersionSources": "Affected version sources",
     "impact.label.affectedSurfaces": "Affected surfaces",
     "impact.error.missingInput": "Specify --changed or at least one path",
+    "impact.error.changed_files_unavailable": "Unable to inspect changed files with git status",
     "verify.help.summary": "Run configured verification intents selected by required_after metadata.",
     "verify.help.option.reason": "Select the required_after reason to verify",
     "verify.help.option.fromClassification": "Read verification reasons from an mf classify report inside this repository",
@@ -768,6 +774,7 @@ Read these files before working:
     "verify.error.plan_root_mismatch": "Classification report must come from this mustflow root",
     "verify.error.missing_plan_reasons": "Classification report must include summary.validationReasons",
     "verify.error.plan_path_outside_root": "Classification report path must stay inside the mustflow root",
+    "verify.error.changed_files_unavailable": "Unable to inspect changed files with git status",
     "verify.error.invalid_repro_evidence_file": "Repro evidence must be a readable JSON summary with structured evidence fields",
     "verify.error.unsupported_repro_evidence_source": "Repro evidence input must use command repro-evidence",
     "verify.error.invalid_external_evidence_file": "External evidence must be a readable JSON summary with checks",

package/dist/cli/i18n/es.js

@@ -664,8 +664,12 @@ Lee estos archivos antes de trabajar:
     "run.error.unsafeIntentDetail": "Usa un nombre de intención seguro para shell.",
     "run.error.blockedShellBackground": 'La intención "{intent}" está bloqueada. {detail}',
     "run.error.blockedShellBackgroundDetail": "Los comandos de shell no deben iniciar trabajo en segundo plano.",
+    "run.error.blockedLongRunningCommand": 'La intención "{intent}" está bloqueada. {detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv debe describir un comando finito de una sola ejecución, no un servidor de desarrollo, watcher, envoltorio de shell, bucle de intérprete o proceso en segundo plano.",
     "run.error.cwdOutsideProject": 'El comando "{intent}" tiene un cwd no válido: {detail}',
     "run.error.cwdOutsideProjectDetail": "El cwd de la intención debe permanecer dentro de la raíz actual.",
+    "run.error.maxOutputBytes": 'El comando "{intent}" tiene max_output_bytes no válido. {detail}',
+    "run.error.maxOutputBytesDetail": "El límite de salida debe permanecer dentro del máximo permitido.",
     "run.error.conflictingPreviewModes": "Usa --dry-run o --plan-only, no ambos",
     "run.error.timedOut": 'El comando "{intent}" agotó el tiempo después de {seconds} segundos',
     "run.error.startFailed": 'No se pudo iniciar el comando "{intent}": {message}',
@@ -727,6 +731,7 @@ Lee estos archivos antes de trabajar:
     "classify.source.changed": "archivos cambiados",
     "classify.source.paths": "rutas explicitas",
     "classify.error.missingInput": "Indica --changed o al menos una ruta",
+    "classify.error.changed_files_unavailable": "No se pudieron inspeccionar los archivos cambiados con git status",
     "classify.error.write_path_outside_root": "La ruta del informe de clasificacion debe permanecer dentro de la raiz mustflow",
     "impact.help.summary": "Informa si las rutas cambiadas requieren una decision de version de paquete o plantilla sin modificar archivos.",
     "impact.help.option.changed": "Lee rutas desde git status --short --untracked-files=all",
@@ -741,6 +746,7 @@ Lee estos archivos antes de trabajar:
     "impact.label.affectedVersionSources": "Fuentes de version afectadas",
     "impact.label.affectedSurfaces": "Superficies afectadas",
     "impact.error.missingInput": "Indica --changed o al menos una ruta",
+    "impact.error.changed_files_unavailable": "No se pudieron inspeccionar los archivos cambiados con git status",
     "verify.help.summary": "Ejecuta intenciones de verificación configuradas seleccionadas por metadatos required_after.",
     "verify.help.option.reason": "Selecciona la razón required_after que se debe verificar",
     "verify.help.option.fromClassification": "Lee razones de verificación desde un informe de mf classify dentro de este repositorio",
@@ -768,6 +774,7 @@ Lee estos archivos antes de trabajar:
     "verify.error.plan_root_mismatch": "El informe de clasificación debe provenir de esta raíz mustflow",
     "verify.error.missing_plan_reasons": "El informe de clasificación debe incluir summary.validationReasons",
     "verify.error.plan_path_outside_root": "La ruta del informe de clasificación debe permanecer dentro de la raíz mustflow",
+    "verify.error.changed_files_unavailable": "No se pudieron inspeccionar los archivos cambiados con git status",
     "verify.error.invalid_repro_evidence_file": "La evidencia de reproducción debe ser un resumen JSON legible con campos de evidencia estructurados",
     "verify.error.unsupported_repro_evidence_source": "La entrada de evidencia de reproducción debe usar command repro-evidence",
     "verify.error.invalid_external_evidence_file": "La evidencia externa debe ser un resumen JSON legible con checks",

package/dist/cli/i18n/fr.js

@@ -664,8 +664,12 @@ Lisez ces fichiers avant de travailler :
     "run.error.unsafeIntentDetail": "Utilisez un nom d’intention sûr pour le shell.",
     "run.error.blockedShellBackground": 'L’intention "{intent}" est bloquée. {detail}',
     "run.error.blockedShellBackgroundDetail": "Les commandes shell ne doivent pas lancer de travail en arrière-plan.",
+    "run.error.blockedLongRunningCommand": 'L’intention "{intent}" est bloquée. {detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv doit décrire une commande ponctuelle finie, pas un serveur de développement, un watcher, un wrapper shell, une boucle d'interpréteur ou un processus en arrière-plan.",
     "run.error.cwdOutsideProject": 'La commande "{intent}" a un cwd non valide : {detail}',
     "run.error.cwdOutsideProjectDetail": "Le cwd de l’intention doit rester dans la racine actuelle.",
+    "run.error.maxOutputBytes": 'La commande "{intent}" a une valeur max_output_bytes non valide. {detail}',
+    "run.error.maxOutputBytesDetail": "La limite de sortie doit rester dans le maximum autorisé.",
     "run.error.conflictingPreviewModes": "Utilisez --dry-run ou --plan-only, pas les deux",
     "run.error.timedOut": 'La commande "{intent}" a expiré après {seconds} secondes',
     "run.error.startFailed": 'Impossible de démarrer la commande "{intent}" : {message}',
@@ -727,6 +731,7 @@ Lisez ces fichiers avant de travailler :
     "classify.source.changed": "fichiers modifies",
     "classify.source.paths": "chemins explicites",
     "classify.error.missingInput": "Indiquez --changed ou au moins un chemin",
+    "classify.error.changed_files_unavailable": "Impossible d'inspecter les fichiers modifies avec git status",
     "classify.error.write_path_outside_root": "Le chemin du rapport de classification doit rester dans la racine mustflow",
     "impact.help.summary": "Signale si les chemins modifies exigent une decision de version de paquet ou de modele sans modifier les fichiers.",
     "impact.help.option.changed": "Lire les chemins depuis git status --short --untracked-files=all",
@@ -741,6 +746,7 @@ Lisez ces fichiers avant de travailler :
     "impact.label.affectedVersionSources": "Sources de version affectees",
     "impact.label.affectedSurfaces": "Surfaces affectees",
     "impact.error.missingInput": "Indiquez --changed ou au moins un chemin",
+    "impact.error.changed_files_unavailable": "Impossible d'inspecter les fichiers modifies avec git status",
     "verify.help.summary": "Exécute les intentions de vérification configurées sélectionnées par les métadonnées required_after.",
     "verify.help.option.reason": "Sélectionne la raison required_after à vérifier",
     "verify.help.option.fromClassification": "Lit les raisons de vérification depuis un rapport mf classify dans ce dépôt",
@@ -768,6 +774,7 @@ Lisez ces fichiers avant de travailler :
     "verify.error.plan_root_mismatch": "Le rapport de classification doit venir de cette racine mustflow",
     "verify.error.missing_plan_reasons": "Le rapport de classification doit inclure summary.validationReasons",
     "verify.error.plan_path_outside_root": "Le chemin du rapport de classification doit rester dans la racine mustflow",
+    "verify.error.changed_files_unavailable": "Impossible d'inspecter les fichiers modifies avec git status",
     "verify.error.invalid_repro_evidence_file": "La preuve de reproduction doit être un résumé JSON lisible avec des champs de preuve structurés",
     "verify.error.unsupported_repro_evidence_source": "L'entrée de preuve de reproduction doit utiliser command repro-evidence",
     "verify.error.invalid_external_evidence_file": "La preuve externe doit être un résumé JSON lisible avec checks",

package/dist/cli/i18n/hi.js

@@ -664,8 +664,12 @@ export const hiMessages = {
     "run.error.unsafeIntentDetail": "shell-safe इंटेंट नाम इस्तेमाल करें।",
     "run.error.blockedShellBackground": 'इंटेंट "{intent}" अवरुद्ध है। {detail}',
     "run.error.blockedShellBackgroundDetail": "Shell commands background work शुरू नहीं कर सकतीं।",
+    "run.error.blockedLongRunningCommand": 'इंटेंट "{intent}" अवरुद्ध है। {detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv में finite one-shot command होना चाहिए, development server, watcher, shell wrapper, interpreter loop, या background process नहीं।",
     "run.error.cwdOutsideProject": 'कमांड "{intent}" का cwd अमान्य है: {detail}',
     "run.error.cwdOutsideProjectDetail": "Intent cwd current root के अंदर रहना चाहिए।",
+    "run.error.maxOutputBytes": 'कमांड "{intent}" में max_output_bytes अमान्य है। {detail}',
+    "run.error.maxOutputBytesDetail": "Output limit अनुमत maximum के अंदर रहनी चाहिए।",
     "run.error.conflictingPreviewModes": "--dry-run या --plan-only में से एक इस्तेमाल करें, दोनों नहीं",
     "run.error.timedOut": 'कमांड "{intent}" {seconds} सेकंड बाद time out हुई',
     "run.error.startFailed": 'कमांड "{intent}" शुरू नहीं हो सकी: {message}',
@@ -727,6 +731,7 @@ export const hiMessages = {
     "classify.source.changed": "बदली फ़ाइलें",
     "classify.source.paths": "दिए गए पथ",
     "classify.error.missingInput": "--changed या कम से कम एक पथ दें",
+    "classify.error.changed_files_unavailable": "git status से बदली फ़ाइलें नहीं पढ़ी जा सकीं",
     "classify.error.write_path_outside_root": "Classification report path mustflow root के अंदर रहना चाहिए",
     "impact.help.summary": "फ़ाइल बदले बिना बताएं कि बदले पथ package या template version decision मांगते हैं या नहीं.",
     "impact.help.option.changed": "git status --short --untracked-files=all से पथ पढ़ें",
@@ -741,6 +746,7 @@ export const hiMessages = {
     "impact.label.affectedVersionSources": "Affected version sources",
     "impact.label.affectedSurfaces": "Affected surfaces",
     "impact.error.missingInput": "--changed या कम से कम एक पथ दें",
+    "impact.error.changed_files_unavailable": "git status से बदली फ़ाइलें नहीं पढ़ी जा सकीं",
     "verify.help.summary": "required_after metadata से चुने गए configured verification intents चलाएँ।",
     "verify.help.option.reason": "Verify करने के लिए required_after reason चुनें",
     "verify.help.option.fromClassification": "इस repository के अंदर mf classify report से verification reasons पढ़ें",
@@ -768,6 +774,7 @@ export const hiMessages = {
     "verify.error.plan_root_mismatch": "Classification report इसी mustflow root से आना चाहिए",
     "verify.error.missing_plan_reasons": "Classification report में summary.validationReasons होना चाहिए",
     "verify.error.plan_path_outside_root": "Classification report path mustflow root के अंदर रहना चाहिए",
+    "verify.error.changed_files_unavailable": "git status से बदली फ़ाइलें नहीं पढ़ी जा सकीं",
     "verify.error.invalid_repro_evidence_file": "Repro evidence structured evidence fields वाला readable JSON summary होना चाहिए",
     "verify.error.unsupported_repro_evidence_source": "Repro evidence input को command repro-evidence इस्तेमाल करना चाहिए",
     "verify.error.invalid_external_evidence_file": "External evidence checks वाला readable JSON summary होना चाहिए",

package/dist/cli/i18n/ko.js

@@ -664,8 +664,12 @@ export const koMessages = {
     "run.error.unsafeIntentDetail": "셸에서 안전한 명령 의도 이름을 사용하세요.",
     "run.error.blockedShellBackground": '명령 의도 "{intent}"가 차단되었습니다. {detail}',
     "run.error.blockedShellBackgroundDetail": "셸 명령은 백그라운드 작업을 시작하면 안 됩니다.",
+    "run.error.blockedLongRunningCommand": '명령 의도 "{intent}"가 차단되었습니다. {detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv는 개발 서버, 감시 명령, 셸 래퍼, 인터프리터 반복 작업, 백그라운드 프로세스가 아니라 끝나는 단발성 명령이어야 합니다.",
     "run.error.cwdOutsideProject": '명령 "{intent}"의 실행 위치(cwd)가 올바르지 않습니다: {detail}',
     "run.error.cwdOutsideProjectDetail": "명령 실행 위치(cwd)는 현재 루트 안에 있어야 합니다.",
+    "run.error.maxOutputBytes": '명령 "{intent}"의 max_output_bytes 값이 올바르지 않습니다. {detail}',
+    "run.error.maxOutputBytesDetail": "출력 상한은 허용된 최댓값 안에 있어야 합니다.",
     "run.error.conflictingPreviewModes": "--dry-run과 --plan-only 중 하나만 사용하세요",
     "run.error.timedOut": '명령 "{intent}"가 {seconds}초 뒤 시간 초과되었습니다',
     "run.error.startFailed": '명령 "{intent}"를 시작하지 못했습니다: {message}',
@@ -727,6 +731,7 @@ export const koMessages = {
     "classify.source.changed": "변경 파일",
     "classify.source.paths": "지정한 경로",
     "classify.error.missingInput": "--changed 또는 하나 이상의 경로를 지정하세요",
+    "classify.error.changed_files_unavailable": "git status로 변경 파일을 확인할 수 없습니다",
     "classify.error.write_path_outside_root": "분류 보고서 경로는 mustflow 루트 안에 있어야 합니다",
     "impact.help.summary": "파일을 수정하지 않고 변경 경로가 패키지나 템플릿 버전 결정을 요구하는지 보고합니다.",
     "impact.help.option.changed": "git status --short --untracked-files=all에서 경로를 읽습니다",
@@ -741,6 +746,7 @@ export const koMessages = {
     "impact.label.affectedVersionSources": "영향받은 버전 기준 원본",
     "impact.label.affectedSurfaces": "영향받은 공개 표면",
     "impact.error.missingInput": "--changed 또는 하나 이상의 경로를 지정하세요",
+    "impact.error.changed_files_unavailable": "git status로 변경 파일을 확인할 수 없습니다",
     "verify.help.summary": "required_after 메타데이터로 선택된 설정된 검증 의도를 실행합니다.",
     "verify.help.option.reason": "검증할 required_after 이유를 지정합니다",
     "verify.help.option.fromClassification": "이 저장소 안의 mf classify 보고서에서 검증 이유를 읽습니다",
@@ -768,6 +774,7 @@ export const koMessages = {
     "verify.error.plan_root_mismatch": "분류 보고서는 현재 mustflow 루트에서 나온 것이어야 합니다",
     "verify.error.missing_plan_reasons": "분류 보고서에는 summary.validationReasons가 있어야 합니다",
     "verify.error.plan_path_outside_root": "분류 보고서 경로는 mustflow 루트 안에 있어야 합니다",
+    "verify.error.changed_files_unavailable": "git status로 변경 파일을 확인할 수 없습니다",
     "verify.error.invalid_repro_evidence_file": "재현 증거는 구조화된 증거 필드를 포함한 읽을 수 있는 JSON 요약이어야 합니다",
     "verify.error.unsupported_repro_evidence_source": "재현 증거 입력은 command repro-evidence를 사용해야 합니다",
     "verify.error.invalid_external_evidence_file": "외부 증거는 checks를 포함한 읽을 수 있는 JSON 요약이어야 합니다",

package/dist/cli/i18n/zh.js

@@ -664,8 +664,12 @@ export const zhMessages = {
     "run.error.unsafeIntentDetail": "请使用 shell 安全的意图名称。",
     "run.error.blockedShellBackground": '意图 "{intent}" 已被阻止。{detail}',
     "run.error.blockedShellBackgroundDetail": "Shell 命令不得启动后台工作。",
+    "run.error.blockedLongRunningCommand": '意图 "{intent}" 已被阻止。{detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv 必须描述会结束的单次命令，而不是开发服务器、监听命令、shell 包装器、解释器循环或后台进程。",
     "run.error.cwdOutsideProject": '命令 "{intent}" 的 cwd 无效：{detail}',
     "run.error.cwdOutsideProjectDetail": "意图 cwd 必须位于当前根目录内。",
+    "run.error.maxOutputBytes": '命令 "{intent}" 的 max_output_bytes 无效。{detail}',
+    "run.error.maxOutputBytesDetail": "输出限制必须保持在允许的最大值内。",
     "run.error.conflictingPreviewModes": "只能使用 --dry-run 或 --plan-only，不能同时使用",
     "run.error.timedOut": '命令 "{intent}" 在 {seconds} 秒后超时',
     "run.error.startFailed": '命令 "{intent}" 启动失败：{message}',
@@ -727,6 +731,7 @@ export const zhMessages = {
     "classify.source.changed": "变更文件",
     "classify.source.paths": "指定路径",
     "classify.error.missingInput": "请指定 --changed 或至少一个路径",
+    "classify.error.changed_files_unavailable": "无法通过 git status 检查变更文件",
     "classify.error.write_path_outside_root": "分类报告路径必须位于 mustflow 根目录内",
     "impact.help.summary": "在不修改文件的情况下报告变更路径是否需要包或模板版本决策。",
     "impact.help.option.changed": "从 git status --short --untracked-files=all 读取路径",
@@ -741,6 +746,7 @@ export const zhMessages = {
     "impact.label.affectedVersionSources": "受影响的版本来源",
     "impact.label.affectedSurfaces": "受影响的公开表面",
     "impact.error.missingInput": "请指定 --changed 或至少一个路径",
+    "impact.error.changed_files_unavailable": "无法通过 git status 检查变更文件",
     "verify.help.summary": "运行由 required_after 元数据选出的已配置验证意图。",
     "verify.help.option.reason": "选择要验证的 required_after 原因",
     "verify.help.option.fromClassification": "从此仓库内的 mf classify 报告读取验证原因",
@@ -768,6 +774,7 @@ export const zhMessages = {
     "verify.error.plan_root_mismatch": "分类报告必须来自当前 mustflow 根目录",
     "verify.error.missing_plan_reasons": "分类报告必须包含 summary.validationReasons",
     "verify.error.plan_path_outside_root": "分类报告路径必须位于 mustflow 根目录内",
+    "verify.error.changed_files_unavailable": "无法通过 git status 检查变更文件",
     "verify.error.invalid_repro_evidence_file": "复现证据必须是包含结构化证据字段的可读取 JSON 摘要",
     "verify.error.unsupported_repro_evidence_source": "复现证据输入必须使用 command repro-evidence",
     "verify.error.invalid_external_evidence_file": "外部证据必须是包含 checks 的可读取 JSON 摘要",

package/dist/cli/lib/git-changes.js

@@ -1,5 +1,13 @@
 import { spawnSync } from 'node:child_process';
 import { parseGitStatusOutput } from '../../core/change-classification.js';
+export class GitChangedFilesError extends Error {
+    result;
+    constructor(result) {
+        super('git_changed_files_unavailable');
+        this.name = 'GitChangedFilesError';
+        this.result = result;
+    }
+}
 export function readGitChangedFiles(projectRoot) {
     const result = spawnSync('git', ['status', '--short', '--untracked-files=all'], {
         cwd: projectRoot,
@@ -7,7 +15,22 @@ export function readGitChangedFiles(projectRoot) {
         windowsHide: true,
     });
     if (result.status !== 0 || typeof result.stdout !== 'string') {
-        return [];
+        const stderr = typeof result.stderr === 'string' ? result.stderr.trim() : '';
+        const message = result.error?.message ??
+            (stderr || (result.status === null ? 'git status did not complete' : `git status exited with code ${result.status}`));
+        return {
+            ok: false,
+            message,
+            status: result.status,
+            stderr,
+        };
+    }
+    return { ok: true, files: parseGitStatusOutput(result.stdout) };
+}
+export function requireGitChangedFiles(projectRoot) {
+    const result = readGitChangedFiles(projectRoot);
+    if (!result.ok) {
+        throw new GitChangedFilesError(result);
     }
-    return parseGitStatusOutput(result.stdout);
+    return result.files;
 }

package/dist/cli/lib/local-index/constants.js

@@ -1,4 +1,4 @@
-export const LOCAL_INDEX_SCHEMA_VERSION = '19';
+export const LOCAL_INDEX_SCHEMA_VERSION = '20';
 export const LOCAL_INDEX_PARSER_VERSION = '1';
 export const DEFAULT_DATABASE_RELATIVE_PATH = '.mustflow/cache/mustflow.sqlite';
 export const LATEST_RUN_STATE_RELATIVE_PATH = '.mustflow/state/runs/latest.json';
@@ -22,6 +22,9 @@ export const SEARCH_MATCH_CONTEXT_AFTER_CHARS = 96;
 export const SEARCH_MATCH_TRUNCATION_MARKER = '...';
 export const SEARCH_NGRAM_MIN_LENGTH = 2;
 export const SEARCH_NGRAM_MAX_LENGTH = 3;
+export const SEARCH_NGRAM_MAX_TOKEN_CHARS = 64;
+export const SEARCH_NGRAM_MAX_GRAMS_PER_TARGET = 512;
+export const SOURCE_INDEX_MAX_FILE_BYTES = 262144;
 export const SEARCH_BACKEND_FTS5 = 'fts5';
 export const SEARCH_BACKEND_TABLE_SCAN = 'table_scan';
 export const TEST_DISABLE_FTS5_ENV = 'MUSTFLOW_TEST_DISABLE_FTS5';