mustflow 2.17.0 → 2.18.2

package/dist/cli/i18n/hi.js

@@ -664,8 +664,12 @@ export const hiMessages = {
     "run.error.unsafeIntentDetail": "shell-safe इंटेंट नाम इस्तेमाल करें।",
     "run.error.blockedShellBackground": 'इंटेंट "{intent}" अवरुद्ध है। {detail}',
     "run.error.blockedShellBackgroundDetail": "Shell commands background work शुरू नहीं कर सकतीं।",
+    "run.error.blockedLongRunningCommand": 'इंटेंट "{intent}" अवरुद्ध है। {detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv में finite one-shot command होना चाहिए, development server, watcher, shell wrapper, interpreter loop, या background process नहीं।",
     "run.error.cwdOutsideProject": 'कमांड "{intent}" का cwd अमान्य है: {detail}',
     "run.error.cwdOutsideProjectDetail": "Intent cwd current root के अंदर रहना चाहिए।",
+    "run.error.maxOutputBytes": 'कमांड "{intent}" में max_output_bytes अमान्य है। {detail}',
+    "run.error.maxOutputBytesDetail": "Output limit अनुमत maximum के अंदर रहनी चाहिए।",
     "run.error.conflictingPreviewModes": "--dry-run या --plan-only में से एक इस्तेमाल करें, दोनों नहीं",
     "run.error.timedOut": 'कमांड "{intent}" {seconds} सेकंड बाद time out हुई',
     "run.error.startFailed": 'कमांड "{intent}" शुरू नहीं हो सकी: {message}',
@@ -727,6 +731,7 @@ export const hiMessages = {
     "classify.source.changed": "बदली फ़ाइलें",
     "classify.source.paths": "दिए गए पथ",
     "classify.error.missingInput": "--changed या कम से कम एक पथ दें",
+    "classify.error.changed_files_unavailable": "git status से बदली फ़ाइलें नहीं पढ़ी जा सकीं",
     "classify.error.write_path_outside_root": "Classification report path mustflow root के अंदर रहना चाहिए",
     "impact.help.summary": "फ़ाइल बदले बिना बताएं कि बदले पथ package या template version decision मांगते हैं या नहीं.",
     "impact.help.option.changed": "git status --short --untracked-files=all से पथ पढ़ें",
@@ -741,14 +746,16 @@ export const hiMessages = {
     "impact.label.affectedVersionSources": "Affected version sources",
     "impact.label.affectedSurfaces": "Affected surfaces",
     "impact.error.missingInput": "--changed या कम से कम एक पथ दें",
+    "impact.error.changed_files_unavailable": "git status से बदली फ़ाइलें नहीं पढ़ी जा सकीं",
     "verify.help.summary": "required_after metadata से चुने गए configured verification intents चलाएँ।",
     "verify.help.option.reason": "Verify करने के लिए required_after reason चुनें",
     "verify.help.option.fromClassification": "इस repository के अंदर mf classify report से verification reasons पढ़ें",
-    "verify.help.option.fromPlan": "--from-classification का compatibility alias",
+    "verify.help.option.fromPlan": "--from-classification का deprecated compatibility alias; input अब भी mf classify report होना चाहिए",
     "verify.help.option.changed": "Current Git changes classify करके matching reasons verify करें",
     "verify.help.option.writePlan": "Changed-file classification report लिखने वाला compatibility option",
     "verify.help.option.reproEvidence": "Repository-local JSON summary से structured bug reproduction evidence पढ़ें",
     "verify.help.option.externalEvidence": "Repository-local JSON summary से lower-authority external CI evidence पढ़ें",
+    "verify.help.option.parallel": "Safe और non-conflicting schedule batches को इतने commands तक साथ चलाएं; default 1 है",
     "verify.help.option.planOnly": "Commands चलाए बिना verification plan print करें; --json चाहिए",
     "verify.help.exit.ok": "सभी selected verification intents pass हुए",
     "verify.help.exit.fail": "Verification fail हुआ, partial रहा, blocked रहा, या input invalid था",
@@ -763,11 +770,13 @@ export const hiMessages = {
     "verify.error.planOnlyJson": "--plan-only के लिए --json चाहिए",
     "verify.error.reproEvidenceRequiresRun": "--repro-evidence को --plan-only के साथ इस्तेमाल नहीं किया जा सकता",
     "verify.error.externalEvidenceRequiresRun": "--external-evidence को --plan-only के साथ इस्तेमाल नहीं किया जा सकता",
+    "verify.error.invalidParallel": "--parallel positive integer होना चाहिए",
     "verify.error.invalid_plan_file": "Classification report readable JSON file होना चाहिए",
     "verify.error.unsupported_plan_source": "Verification input mf classify report होना चाहिए",
     "verify.error.plan_root_mismatch": "Classification report इसी mustflow root से आना चाहिए",
     "verify.error.missing_plan_reasons": "Classification report में summary.validationReasons होना चाहिए",
     "verify.error.plan_path_outside_root": "Classification report path mustflow root के अंदर रहना चाहिए",
+    "verify.error.changed_files_unavailable": "git status से बदली फ़ाइलें नहीं पढ़ी जा सकीं",
     "verify.error.invalid_repro_evidence_file": "Repro evidence structured evidence fields वाला readable JSON summary होना चाहिए",
     "verify.error.unsupported_repro_evidence_source": "Repro evidence input को command repro-evidence इस्तेमाल करना चाहिए",
     "verify.error.invalid_external_evidence_file": "External evidence checks वाला readable JSON summary होना चाहिए",

package/dist/cli/i18n/ko.js

@@ -664,8 +664,12 @@ export const koMessages = {
     "run.error.unsafeIntentDetail": "셸에서 안전한 명령 의도 이름을 사용하세요.",
     "run.error.blockedShellBackground": '명령 의도 "{intent}"가 차단되었습니다. {detail}',
     "run.error.blockedShellBackgroundDetail": "셸 명령은 백그라운드 작업을 시작하면 안 됩니다.",
+    "run.error.blockedLongRunningCommand": '명령 의도 "{intent}"가 차단되었습니다. {detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv는 개발 서버, 감시 명령, 셸 래퍼, 인터프리터 반복 작업, 백그라운드 프로세스가 아니라 끝나는 단발성 명령이어야 합니다.",
     "run.error.cwdOutsideProject": '명령 "{intent}"의 실행 위치(cwd)가 올바르지 않습니다: {detail}',
     "run.error.cwdOutsideProjectDetail": "명령 실행 위치(cwd)는 현재 루트 안에 있어야 합니다.",
+    "run.error.maxOutputBytes": '명령 "{intent}"의 max_output_bytes 값이 올바르지 않습니다. {detail}',
+    "run.error.maxOutputBytesDetail": "출력 상한은 허용된 최댓값 안에 있어야 합니다.",
     "run.error.conflictingPreviewModes": "--dry-run과 --plan-only 중 하나만 사용하세요",
     "run.error.timedOut": '명령 "{intent}"가 {seconds}초 뒤 시간 초과되었습니다',
     "run.error.startFailed": '명령 "{intent}"를 시작하지 못했습니다: {message}',
@@ -727,6 +731,7 @@ export const koMessages = {
     "classify.source.changed": "변경 파일",
     "classify.source.paths": "지정한 경로",
     "classify.error.missingInput": "--changed 또는 하나 이상의 경로를 지정하세요",
+    "classify.error.changed_files_unavailable": "git status로 변경 파일을 확인할 수 없습니다",
     "classify.error.write_path_outside_root": "분류 보고서 경로는 mustflow 루트 안에 있어야 합니다",
     "impact.help.summary": "파일을 수정하지 않고 변경 경로가 패키지나 템플릿 버전 결정을 요구하는지 보고합니다.",
     "impact.help.option.changed": "git status --short --untracked-files=all에서 경로를 읽습니다",
@@ -741,14 +746,16 @@ export const koMessages = {
     "impact.label.affectedVersionSources": "영향받은 버전 기준 원본",
     "impact.label.affectedSurfaces": "영향받은 공개 표면",
     "impact.error.missingInput": "--changed 또는 하나 이상의 경로를 지정하세요",
+    "impact.error.changed_files_unavailable": "git status로 변경 파일을 확인할 수 없습니다",
     "verify.help.summary": "required_after 메타데이터로 선택된 설정된 검증 의도를 실행합니다.",
     "verify.help.option.reason": "검증할 required_after 이유를 지정합니다",
     "verify.help.option.fromClassification": "이 저장소 안의 mf classify 보고서에서 검증 이유를 읽습니다",
-    "verify.help.option.fromPlan": "--from-classification과 같은 호환 옵션입니다",
+    "verify.help.option.fromPlan": "--from-classification과 같은 폐기 예정 호환 옵션입니다. 입력은 여전히 mf classify 보고서여야 합니다",
     "verify.help.option.changed": "현재 Git 변경을 분류하고 맞는 검증 이유를 실행합니다",
     "verify.help.option.writePlan": "변경 파일 분류 보고서를 쓰는 호환 옵션입니다",
     "verify.help.option.reproEvidence": "저장소 안의 JSON 요약에서 구조화된 버그 재현 증거를 읽습니다",
     "verify.help.option.externalEvidence": "저장소 안의 JSON 요약에서 낮은 권한의 외부 CI 증거를 읽습니다",
+    "verify.help.option.parallel": "안전하고 서로 충돌하지 않는 예정 실행 묶음을 이 개수까지 함께 실행합니다. 기본값은 1입니다",
     "verify.help.option.planOnly": "명령을 실행하지 않고 검증 계획만 출력합니다. --json이 필요합니다",
     "verify.help.exit.ok": "선택된 모든 검증 의도가 통과했습니다",
     "verify.help.exit.fail": "검증이 실패했거나, 일부만 실행됐거나, 막혔거나, 입력이 올바르지 않습니다",
@@ -763,11 +770,13 @@ export const koMessages = {
     "verify.error.planOnlyJson": "--plan-only에는 --json이 필요합니다",
     "verify.error.reproEvidenceRequiresRun": "--repro-evidence는 --plan-only와 함께 사용할 수 없습니다",
     "verify.error.externalEvidenceRequiresRun": "--external-evidence는 --plan-only와 함께 사용할 수 없습니다",
+    "verify.error.invalidParallel": "--parallel 값은 양의 정수여야 합니다",
     "verify.error.invalid_plan_file": "분류 보고서는 읽을 수 있는 JSON 파일이어야 합니다",
     "verify.error.unsupported_plan_source": "검증 입력은 mf classify 보고서여야 합니다",
     "verify.error.plan_root_mismatch": "분류 보고서는 현재 mustflow 루트에서 나온 것이어야 합니다",
     "verify.error.missing_plan_reasons": "분류 보고서에는 summary.validationReasons가 있어야 합니다",
     "verify.error.plan_path_outside_root": "분류 보고서 경로는 mustflow 루트 안에 있어야 합니다",
+    "verify.error.changed_files_unavailable": "git status로 변경 파일을 확인할 수 없습니다",
     "verify.error.invalid_repro_evidence_file": "재현 증거는 구조화된 증거 필드를 포함한 읽을 수 있는 JSON 요약이어야 합니다",
     "verify.error.unsupported_repro_evidence_source": "재현 증거 입력은 command repro-evidence를 사용해야 합니다",
     "verify.error.invalid_external_evidence_file": "외부 증거는 checks를 포함한 읽을 수 있는 JSON 요약이어야 합니다",

package/dist/cli/i18n/zh.js

@@ -664,8 +664,12 @@ export const zhMessages = {
     "run.error.unsafeIntentDetail": "请使用 shell 安全的意图名称。",
     "run.error.blockedShellBackground": '意图 "{intent}" 已被阻止。{detail}',
     "run.error.blockedShellBackgroundDetail": "Shell 命令不得启动后台工作。",
+    "run.error.blockedLongRunningCommand": '意图 "{intent}" 已被阻止。{detail}',
+    "run.error.blockedLongRunningCommandDetail": "argv 必须描述会结束的单次命令，而不是开发服务器、监听命令、shell 包装器、解释器循环或后台进程。",
     "run.error.cwdOutsideProject": '命令 "{intent}" 的 cwd 无效：{detail}',
     "run.error.cwdOutsideProjectDetail": "意图 cwd 必须位于当前根目录内。",
+    "run.error.maxOutputBytes": '命令 "{intent}" 的 max_output_bytes 无效。{detail}',
+    "run.error.maxOutputBytesDetail": "输出限制必须保持在允许的最大值内。",
     "run.error.conflictingPreviewModes": "只能使用 --dry-run 或 --plan-only，不能同时使用",
     "run.error.timedOut": '命令 "{intent}" 在 {seconds} 秒后超时',
     "run.error.startFailed": '命令 "{intent}" 启动失败：{message}',
@@ -727,6 +731,7 @@ export const zhMessages = {
     "classify.source.changed": "变更文件",
     "classify.source.paths": "指定路径",
     "classify.error.missingInput": "请指定 --changed 或至少一个路径",
+    "classify.error.changed_files_unavailable": "无法通过 git status 检查变更文件",
     "classify.error.write_path_outside_root": "分类报告路径必须位于 mustflow 根目录内",
     "impact.help.summary": "在不修改文件的情况下报告变更路径是否需要包或模板版本决策。",
     "impact.help.option.changed": "从 git status --short --untracked-files=all 读取路径",
@@ -741,14 +746,16 @@ export const zhMessages = {
     "impact.label.affectedVersionSources": "受影响的版本来源",
     "impact.label.affectedSurfaces": "受影响的公开表面",
     "impact.error.missingInput": "请指定 --changed 或至少一个路径",
+    "impact.error.changed_files_unavailable": "无法通过 git status 检查变更文件",
     "verify.help.summary": "运行由 required_after 元数据选出的已配置验证意图。",
     "verify.help.option.reason": "选择要验证的 required_after 原因",
     "verify.help.option.fromClassification": "从此仓库内的 mf classify 报告读取验证原因",
-    "verify.help.option.fromPlan": "--from-classification 的兼容别名",
+    "verify.help.option.fromPlan": "--from-classification 的已弃用兼容别名；输入仍必须是 mf classify 报告",
     "verify.help.option.changed": "分类当前 Git 变更并验证匹配的原因",
     "verify.help.option.writePlan": "写入变更文件分类报告的兼容选项",
     "verify.help.option.reproEvidence": "从仓库本地 JSON 摘要读取结构化的 bug 复现证据",
     "verify.help.option.externalEvidence": "从仓库本地 JSON 摘要读取低权限外部 CI 证据",
+    "verify.help.option.parallel": "最多并行执行这个数量的安全、无冲突计划批次命令；默认值为 1",
     "verify.help.option.planOnly": "仅输出验证计划，不执行命令；需要 --json",
     "verify.help.exit.ok": "选中的所有验证意图均已通过",
     "verify.help.exit.fail": "验证失败、部分完成、被阻止，或输入无效",
@@ -763,11 +770,13 @@ export const zhMessages = {
     "verify.error.planOnlyJson": "--plan-only 需要 --json",
     "verify.error.reproEvidenceRequiresRun": "--repro-evidence 不能与 --plan-only 一起使用",
     "verify.error.externalEvidenceRequiresRun": "--external-evidence 不能与 --plan-only 一起使用",
+    "verify.error.invalidParallel": "--parallel 必须是正整数",
     "verify.error.invalid_plan_file": "分类报告必须是可读取的 JSON 文件",
     "verify.error.unsupported_plan_source": "验证输入必须是 mf classify 报告",
     "verify.error.plan_root_mismatch": "分类报告必须来自当前 mustflow 根目录",
     "verify.error.missing_plan_reasons": "分类报告必须包含 summary.validationReasons",
     "verify.error.plan_path_outside_root": "分类报告路径必须位于 mustflow 根目录内",
+    "verify.error.changed_files_unavailable": "无法通过 git status 检查变更文件",
     "verify.error.invalid_repro_evidence_file": "复现证据必须是包含结构化证据字段的可读取 JSON 摘要",
     "verify.error.unsupported_repro_evidence_source": "复现证据输入必须使用 command repro-evidence",
     "verify.error.invalid_external_evidence_file": "外部证据必须是包含 checks 的可读取 JSON 摘要",

package/dist/cli/lib/git-changes.js

@@ -1,5 +1,13 @@
 import { spawnSync } from 'node:child_process';
 import { parseGitStatusOutput } from '../../core/change-classification.js';
+export class GitChangedFilesError extends Error {
+    result;
+    constructor(result) {
+        super('git_changed_files_unavailable');
+        this.name = 'GitChangedFilesError';
+        this.result = result;
+    }
+}
 export function readGitChangedFiles(projectRoot) {
     const result = spawnSync('git', ['status', '--short', '--untracked-files=all'], {
         cwd: projectRoot,
@@ -7,7 +15,22 @@ export function readGitChangedFiles(projectRoot) {
         windowsHide: true,
     });
     if (result.status !== 0 || typeof result.stdout !== 'string') {
-        return [];
+        const stderr = typeof result.stderr === 'string' ? result.stderr.trim() : '';
+        const message = result.error?.message ??
+            (stderr || (result.status === null ? 'git status did not complete' : `git status exited with code ${result.status}`));
+        return {
+            ok: false,
+            message,
+            status: result.status,
+            stderr,
+        };
+    }
+    return { ok: true, files: parseGitStatusOutput(result.stdout) };
+}
+export function requireGitChangedFiles(projectRoot) {
+    const result = readGitChangedFiles(projectRoot);
+    if (!result.ok) {
+        throw new GitChangedFilesError(result);
     }
-    return parseGitStatusOutput(result.stdout);
+    return result.files;
 }

package/dist/cli/lib/local-index/constants.js

@@ -1,4 +1,4 @@
-export const LOCAL_INDEX_SCHEMA_VERSION = '19';
+export const LOCAL_INDEX_SCHEMA_VERSION = '20';
 export const LOCAL_INDEX_PARSER_VERSION = '1';
 export const DEFAULT_DATABASE_RELATIVE_PATH = '.mustflow/cache/mustflow.sqlite';
 export const LATEST_RUN_STATE_RELATIVE_PATH = '.mustflow/state/runs/latest.json';
@@ -22,6 +22,9 @@ export const SEARCH_MATCH_CONTEXT_AFTER_CHARS = 96;
 export const SEARCH_MATCH_TRUNCATION_MARKER = '...';
 export const SEARCH_NGRAM_MIN_LENGTH = 2;
 export const SEARCH_NGRAM_MAX_LENGTH = 3;
+export const SEARCH_NGRAM_MAX_TOKEN_CHARS = 64;
+export const SEARCH_NGRAM_MAX_GRAMS_PER_TARGET = 512;
+export const SOURCE_INDEX_MAX_FILE_BYTES = 262144;
 export const SEARCH_BACKEND_FTS5 = 'fts5';
 export const SEARCH_BACKEND_TABLE_SCAN = 'table_scan';
 export const TEST_DISABLE_FTS5_ENV = 'MUSTFLOW_TEST_DISABLE_FTS5';

package/dist/cli/lib/local-index/index.js

@@ -7,7 +7,7 @@ import { readTomlFile } from '../toml.js';
 import { collectSourceAnchorIndexRecords, hasHighRiskSourceAnchorRiskTags, } from '../../../core/source-anchor-status.js';
 import { normalizeCommandEffects } from '../../../core/command-effects.js';
 import { listChangeClassificationRuleDescriptors } from '../../../core/change-classification.js';
-import { DEFAULT_DATABASE_RELATIVE_PATH, DEFAULT_PROMPT_CACHE_STABLE_READ, DEFAULT_PROMPT_CACHE_TASK_SOURCES, DEFAULT_PROMPT_CACHE_VOLATILE_SOURCES, INDEX_CONFIG_RELATIVE_PATH, LOCAL_INDEX_CONTENT_MODE, LOCAL_INDEX_EXCLUDED_RAW_DATA_KINDS, LOCAL_INDEX_PARSER_VERSION, LOCAL_INDEX_SCHEMA_VERSION, LOCAL_INDEX_STORE_FULL_CONTENT, LATEST_RUN_STATE_RELATIVE_PATH, MAX_SEARCH_MATCH_SNIPPET_CHARS, MAX_SNIPPET_BYTES_PER_DOCUMENT, MUSTFLOW_RELATIVE_PATH, SEARCH_BACKEND_FTS5, SEARCH_BACKEND_TABLE_SCAN, SEARCH_MATCH_CONTEXT_AFTER_CHARS, SEARCH_MATCH_CONTEXT_BEFORE_CHARS, SEARCH_MATCH_TRUNCATION_MARKER, SEARCH_NGRAM_MAX_LENGTH, SEARCH_NGRAM_MIN_LENGTH, TEST_DISABLE_FTS5_ENV, } from './constants.js';
+import { DEFAULT_DATABASE_RELATIVE_PATH, DEFAULT_PROMPT_CACHE_STABLE_READ, DEFAULT_PROMPT_CACHE_TASK_SOURCES, DEFAULT_PROMPT_CACHE_VOLATILE_SOURCES, INDEX_CONFIG_RELATIVE_PATH, LOCAL_INDEX_CONTENT_MODE, LOCAL_INDEX_EXCLUDED_RAW_DATA_KINDS, LOCAL_INDEX_PARSER_VERSION, LOCAL_INDEX_SCHEMA_VERSION, LOCAL_INDEX_STORE_FULL_CONTENT, LATEST_RUN_STATE_RELATIVE_PATH, MAX_SEARCH_MATCH_SNIPPET_CHARS, MAX_SNIPPET_BYTES_PER_DOCUMENT, MUSTFLOW_RELATIVE_PATH, SEARCH_BACKEND_FTS5, SEARCH_BACKEND_TABLE_SCAN, SEARCH_MATCH_CONTEXT_AFTER_CHARS, SEARCH_MATCH_CONTEXT_BEFORE_CHARS, SEARCH_MATCH_TRUNCATION_MARKER, SEARCH_NGRAM_MAX_GRAMS_PER_TARGET, SEARCH_NGRAM_MAX_LENGTH, SEARCH_NGRAM_MAX_TOKEN_CHARS, SEARCH_NGRAM_MIN_LENGTH, SOURCE_INDEX_MAX_FILE_BYTES, TEST_DISABLE_FTS5_ENV, } from './constants.js';
 import { loadSqlJs } from './sql.js';
 export function getLocalIndexDatabasePath(projectRoot) {
     return path.join(projectRoot, ...DEFAULT_DATABASE_RELATIVE_PATH.split('/'));
@@ -83,11 +83,12 @@ function readPositiveInteger(table, key) {
 }
 function readLocalIndexSourceConfig(projectRoot) {
     const sourceIndexTable = readNestedTable(readIndexToml(projectRoot), 'source_index');
+    const configuredMaxFileBytes = readPositiveInteger(sourceIndexTable, 'max_file_bytes');
     return {
         enabledByDefault: readBoolean(sourceIndexTable, 'enabled_by_default') === true,
         include: readOptionalStringArray(sourceIndexTable, 'include') ?? [],
         exclude: readOptionalStringArray(sourceIndexTable, 'exclude') ?? [],
-        maxFileBytes: readPositiveInteger(sourceIndexTable, 'max_file_bytes'),
+        maxFileBytes: Math.min(configuredMaxFileBytes ?? SOURCE_INDEX_MAX_FILE_BYTES, SOURCE_INDEX_MAX_FILE_BYTES),
         allowedExtensions: readOptionalStringArray(sourceIndexTable, 'allowed_extensions') ?? [],
     };
 }
@@ -321,10 +322,14 @@ function buildSearchNgrams(values) {
     const grams = new Set();
     for (const value of values) {
         for (const token of extractSearchTokens(value)) {
-            const maxLength = Math.min(SEARCH_NGRAM_MAX_LENGTH, token.length);
+            const boundedToken = token.slice(0, SEARCH_NGRAM_MAX_TOKEN_CHARS);
+            const maxLength = Math.min(SEARCH_NGRAM_MAX_LENGTH, boundedToken.length);
             for (let length = SEARCH_NGRAM_MIN_LENGTH; length <= maxLength; length += 1) {
-                for (let index = 0; index <= token.length - length; index += 1) {
-                    grams.add(token.slice(index, index + length));
+                for (let index = 0; index <= boundedToken.length - length; index += 1) {
+                    grams.add(boundedToken.slice(index, index + length));
+                    if (grams.size >= SEARCH_NGRAM_MAX_GRAMS_PER_TARGET) {
+                        return [...grams].sort((left, right) => left.localeCompare(right));
+                    }
                 }
             }
         }
@@ -1650,6 +1655,18 @@ function populateDatabase(database, capabilities, documents, skills, skillRoutes
         'max_snippet_bytes_per_document',
         String(MAX_SNIPPET_BYTES_PER_DOCUMENT),
     ]);
+    database.run('INSERT INTO metadata (key, value) VALUES (?, ?)', [
+        'search_ngram_max_token_chars',
+        String(SEARCH_NGRAM_MAX_TOKEN_CHARS),
+    ]);
+    database.run('INSERT INTO metadata (key, value) VALUES (?, ?)', [
+        'search_ngram_max_grams_per_target',
+        String(SEARCH_NGRAM_MAX_GRAMS_PER_TARGET),
+    ]);
+    database.run('INSERT INTO metadata (key, value) VALUES (?, ?)', [
+        'source_index_max_file_bytes',
+        String(SOURCE_INDEX_MAX_FILE_BYTES),
+    ]);
     database.run('INSERT INTO metadata (key, value) VALUES (?, ?)', [
         'excluded_raw_data_kinds',
         LOCAL_INDEX_EXCLUDED_RAW_DATA_KINDS.join(','),

package/dist/cli/lib/repo-map.js

@@ -1,8 +1,8 @@
 import { spawnSync } from 'node:child_process';
 import { createHash } from 'node:crypto';
-import { existsSync, readdirSync, statSync, writeFileSync } from 'node:fs';
+import { existsSync, lstatSync, readdirSync, realpathSync, statSync, writeFileSync } from 'node:fs';
 import path from 'node:path';
-import { listFilesRecursive, toPosixPath } from './filesystem.js';
+import { toPosixPath } from './filesystem.js';
 import { readTomlFile } from './toml.js';
 const DEFAULT_DEPTH = 3;
 const REPO_MAP_DOC_ID = 'repo-map';
@@ -11,6 +11,8 @@ const REPO_MAP_GENERATOR = 'mustflow';
 const REPO_MAP_RELATIVE_ROOT = '.';
 const REPO_MAP_SOURCE_POLICY = 'anchors_only';
 const REPO_MAP_PRIVACY_MODE = 'minimal';
+const GIT_LS_FILES_TIMEOUT_MS = 5_000;
+const GIT_LS_FILES_MAX_BUFFER_BYTES = 1_048_576;
 const EXCLUDED_SEGMENTS = new Set([
     '.astro',
     '.cache',
@@ -240,25 +242,57 @@ function getRepoMapConfig(projectRoot) {
         },
     };
 }
-function getGitFiles(projectRoot) {
-    const result = spawnSync('git', ['ls-files'], {
+export function listGitFilesForRepoMap(projectRoot, options = {}) {
+    const spawnGit = options.spawnGit ??
+        ((command, args, spawnOptions) => spawnSync(command, [...args], spawnOptions));
+    const result = spawnGit('git', ['ls-files', '-z'], {
         cwd: projectRoot,
         encoding: 'utf8',
+        maxBuffer: options.maxBuffer ?? GIT_LS_FILES_MAX_BUFFER_BYTES,
+        timeout: options.timeout ?? GIT_LS_FILES_TIMEOUT_MS,
+        windowsHide: true,
     });
     if (result.status !== 0 || result.error) {
         return [];
     }
     return result.stdout
-        .split(/\r?\n/)
-        .map((line) => line.trim())
+        .split('\0')
+        .map((line) => toPosixPath(line))
         .filter(Boolean);
 }
-function getRepositoryFiles(projectRoot) {
+function isAnchorCandidatePath(relativePath, priorityPaths) {
+    return priorityPaths.has(relativePath) || Boolean(getAnchorDescription(relativePath));
+}
+function listAnchorCandidateFilesRecursive(rootPath, depth, priorityPaths) {
+    const results = [];
+    function visit(currentPath, directoryDepth) {
+        for (const entry of readdirSync(currentPath, { withFileTypes: true })) {
+            const entryPath = path.join(currentPath, entry.name);
+            const relativePath = toPosixPath(path.relative(rootPath, entryPath));
+            if (entry.isDirectory()) {
+                if (EXCLUDED_SEGMENTS.has(entry.name) || directoryDepth >= depth) {
+                    continue;
+                }
+                visit(entryPath, directoryDepth + 1);
+                continue;
+            }
+            if (entry.isFile() && isAnchorCandidatePath(relativePath, priorityPaths)) {
+                results.push(relativePath);
+            }
+        }
+    }
+    if (!existsSync(rootPath) || !statSync(rootPath).isDirectory()) {
+        return [];
+    }
+    visit(rootPath, 0);
+    return results.sort();
+}
+function getRepositoryFiles(projectRoot, depth, priorityPaths) {
     const files = new Set();
-    for (const relativePath of getGitFiles(projectRoot)) {
+    for (const relativePath of listGitFilesForRepoMap(projectRoot)) {
         files.add(relativePath);
     }
-    for (const relativePath of listFilesRecursive(projectRoot, { ignoredDirectoryNames: EXCLUDED_SEGMENTS })) {
+    for (const relativePath of listAnchorCandidateFilesRecursive(projectRoot, depth, priorityPaths)) {
         files.add(relativePath);
     }
     return Array.from(files);
@@ -306,7 +340,7 @@ function isUnderExcludedPrefix(relativePath, excludedPrefixes) {
     return excludedPrefixes.some((prefix) => relativePath === prefix.slice(0, -1) || relativePath.startsWith(prefix));
 }
 function discoverAnchors(projectRoot, depth, priorityPaths, nestedRepositories, excludedPrefixes) {
-    return getRepositoryFiles(projectRoot)
+    return getRepositoryFiles(projectRoot, depth, priorityPaths)
         .filter(shouldIncludePath)
         .filter((relativePath) => !isUnderNestedRepository(relativePath, nestedRepositories))
         .filter((relativePath) => !isUnderExcludedPrefix(relativePath, excludedPrefixes))
@@ -350,13 +384,9 @@ function renderDirectoryAnchors(anchors) {
 function hasGitMarker(directoryPath) {
     return existsSync(path.join(directoryPath, '.git'));
 }
-function isDirectory(directoryPath) {
-    try {
-        return statSync(directoryPath).isDirectory();
-    }
-    catch {
-        return false;
-    }
+function isRealPathInside(parentRealPath, childRealPath) {
+    const relative = path.relative(parentRealPath, childRealPath);
+    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
 }
 function isSafeWorkspaceRoot(projectRoot, workspaceRoot) {
     const absoluteRoot = path.resolve(projectRoot, workspaceRoot);
@@ -371,6 +401,32 @@ function getWorkspaceRootPrefixes(projectRoot, workspaceConfig) {
         .filter((workspaceRoot) => isSafeWorkspaceRoot(projectRoot, workspaceRoot))
         .map((workspaceRoot) => `${toPosixPath(workspaceRoot).replace(/\/+$/, '')}/`);
 }
+function resolveSafeDirectoryTarget(projectRootRealPath, logicalPath, followSymlinks) {
+    try {
+        const stats = lstatSync(logicalPath);
+        if (stats.isSymbolicLink()) {
+            if (!followSymlinks) {
+                return undefined;
+            }
+            const realPath = realpathSync(logicalPath);
+            if (!isRealPathInside(projectRootRealPath, realPath) || !statSync(realPath).isDirectory()) {
+                return undefined;
+            }
+            return { logicalPath, realPath };
+        }
+        if (!stats.isDirectory()) {
+            return undefined;
+        }
+        const realPath = realpathSync(logicalPath);
+        if (!isRealPathInside(projectRootRealPath, realPath)) {
+            return undefined;
+        }
+        return { logicalPath, realPath };
+    }
+    catch {
+        return undefined;
+    }
+}
 function collectNestedRepository(projectRoot, repositoryPath, anchorFiles) {
     const relativeRoot = `${toPosixPath(path.relative(projectRoot, repositoryPath))}/`;
     const existingAnchors = new Set();
@@ -422,31 +478,34 @@ function discoverNestedRepositories(projectRoot, mapConfig, workspaceConfig) {
     }
     const repositories = [];
     const seenRepositoryPaths = new Set();
-    function visit(directoryPath, depth) {
+    const seenDirectoryPaths = new Set();
+    const projectRootRealPath = realpathSync(projectRoot);
+    function visit(directoryTarget, depth) {
         if (repositories.length >= workspaceConfig.maxRepositories || depth > workspaceConfig.maxDepth) {
             return;
         }
-        if (hasGitMarker(directoryPath)) {
-            const resolvedRepositoryPath = path.resolve(directoryPath);
+        if (seenDirectoryPaths.has(directoryTarget.realPath)) {
+            return;
+        }
+        seenDirectoryPaths.add(directoryTarget.realPath);
+        if (hasGitMarker(directoryTarget.logicalPath)) {
+            const resolvedRepositoryPath = directoryTarget.realPath;
             if (!seenRepositoryPaths.has(resolvedRepositoryPath)) {
                 seenRepositoryPaths.add(resolvedRepositoryPath);
-                repositories.push(collectNestedRepository(projectRoot, resolvedRepositoryPath, mapConfig.anchorFiles));
+                repositories.push(collectNestedRepository(projectRoot, directoryTarget.logicalPath, mapConfig.anchorFiles));
             }
             if (workspaceConfig.stopAtRepositoryRoot) {
                 return;
             }
         }
-        for (const entry of readdirSync(directoryPath, { withFileTypes: true })) {
-            if (!entry.isDirectory()) {
-                continue;
-            }
+        for (const entry of readdirSync(directoryTarget.logicalPath, { withFileTypes: true })) {
             if (EXCLUDED_SEGMENTS.has(entry.name)) {
                 continue;
             }
-            if (entry.isSymbolicLink() && !workspaceConfig.followSymlinks) {
-                continue;
+            const childDirectoryTarget = resolveSafeDirectoryTarget(projectRootRealPath, path.join(directoryTarget.logicalPath, entry.name), workspaceConfig.followSymlinks);
+            if (childDirectoryTarget) {
+                visit(childDirectoryTarget, depth + 1);
             }
-            visit(path.join(directoryPath, entry.name), depth + 1);
         }
     }
     for (const workspaceRoot of workspaceConfig.roots) {
@@ -454,10 +513,11 @@ function discoverNestedRepositories(projectRoot, mapConfig, workspaceConfig) {
             continue;
         }
         const absoluteWorkspaceRoot = path.resolve(projectRoot, workspaceRoot);
-        if (!isDirectory(absoluteWorkspaceRoot)) {
+        const workspaceTarget = resolveSafeDirectoryTarget(projectRootRealPath, absoluteWorkspaceRoot, workspaceConfig.followSymlinks);
+        if (!workspaceTarget) {
             continue;
         }
-        visit(absoluteWorkspaceRoot, 0);
+        visit(workspaceTarget, 0);
     }
     return repositories.sort((left, right) => left.relativePath.localeCompare(right.relativePath));
 }

package/dist/cli/lib/run-plan.js

@@ -4,6 +4,7 @@ import { resolveSafeProjectCwd } from '../../core/command-cwd.js';
 import { resolveCommandEnv } from '../../core/command-env.js';
 import { evaluateCommandIntentEligibility, } from '../../core/command-intent-eligibility.js';
 import { isRecord, readPositiveInteger, readString, readStringArray, } from '../../core/config-loading.js';
+import { DEFAULT_COMMAND_MAX_OUTPUT_BYTES, MAX_COMMAND_OUTPUT_BYTES, commandMaxOutputBytesLimitMessage, } from '../../core/command-output-limits.js';
 import { t } from './i18n.js';
 function getSuccessExitCodes(intent) {
     const value = intent.success_exit_codes;
@@ -72,6 +73,24 @@ function getRunPlanMode(commandArgv, intent) {
     }
     return intent.mode === 'shell' ? 'shell' : null;
 }
+function readEffectiveMaxOutputBytes(contract, intent) {
+    return readPositiveInteger(intent, 'max_output_bytes') ??
+        readPositiveInteger(contract.defaults, 'max_output_bytes') ??
+        DEFAULT_COMMAND_MAX_OUTPUT_BYTES;
+}
+function getMaxOutputBytesLimitDetail(contract, intent) {
+    const intentValue = readPositiveInteger(intent, 'max_output_bytes');
+    if (intentValue !== undefined) {
+        return intentValue > MAX_COMMAND_OUTPUT_BYTES ?
+            commandMaxOutputBytesLimitMessage('[commands.intents.<intent>].max_output_bytes') :
+            null;
+    }
+    const defaultValue = readPositiveInteger(contract.defaults, 'max_output_bytes');
+    if (defaultValue !== undefined && defaultValue > MAX_COMMAND_OUTPUT_BYTES) {
+        return commandMaxOutputBytesLimitMessage('[commands.defaults].max_output_bytes');
+    }
+    return null;
+}
 function readRunIntentMetadata(contract, intent) {
     const configuredCwd = readString(intent, 'cwd') ?? readString(contract.defaults, 'default_cwd') ?? '.';
     const commandArgv = readStringArray(intent, 'argv');
@@ -84,7 +103,7 @@ function readRunIntentMetadata(contract, intent) {
         kind: readString(intent, 'kind') ?? null,
         configuredCwd,
         timeoutSeconds: readPositiveInteger(intent, 'timeout_seconds') ?? null,
-        maxOutputBytes: readPositiveInteger(intent, 'max_output_bytes') ?? readPositiveInteger(contract.defaults, 'max_output_bytes') ?? 1_048_576,
+        maxOutputBytes: readEffectiveMaxOutputBytes(contract, intent),
         successExitCodes: getSuccessExitCodes(intent),
         commandArgv,
         shellCommand,
@@ -149,6 +168,10 @@ export function createRunPlan(projectRoot, contract, intentName, options = {}) {
         return createBlockedRunPlan(contract, intentName, rawIntent, eligibility, eligibility.code, eligibility.detail);
     }
     const metadata = readRunIntentMetadata(contract, rawIntent);
+    const maxOutputBytesLimitDetail = getMaxOutputBytesLimitDetail(contract, rawIntent);
+    if (maxOutputBytesLimitDetail) {
+        return createBlockedRunPlan(contract, intentName, rawIntent, eligibility, 'max_output_bytes_exceeds_limit', maxOutputBytesLimitDetail);
+    }
     let cwd;
     try {
         cwd = resolveSafeProjectCwd(projectRoot, metadata.configuredCwd);
@@ -207,7 +230,7 @@ function createSuggestedIntentSnippet(intentName, metadata, reasonCode) {
         return null;
     }
     let commandLines;
-    if (reasonCode === 'blocked_shell_background_pattern') {
+    if (reasonCode === 'blocked_shell_background_pattern' || reasonCode === 'blocked_long_running_command_pattern') {
         commandLines = [`argv = ${formatTomlStringArray(['TODO_REPLACE_WITH_FINITE_COMMAND'])}`];
     }
     else if (metadata?.shellCommand) {

package/dist/cli/lib/validation/index.js

@@ -605,7 +605,8 @@ function validateStrictVersionSources(projectRoot, preferencesToml, versioningTo
     pushStrictIssue(issues, '[release.versioning] is enabled but no version source was detected; add .mustflow/config/versioning.toml or a package/template version source');
 }
 function validateStrictTemplateVersionSync(projectRoot, preferencesToml, issues) {
-    const changedPaths = existsSync(path.join(projectRoot, '.git')) ? readGitChangedFiles(projectRoot) : undefined;
+    const changedPathResult = existsSync(path.join(projectRoot, '.git')) ? readGitChangedFiles(projectRoot) : undefined;
+    const changedPaths = changedPathResult?.ok ? changedPathResult.files : undefined;
     for (const issue of validateTemplateVersionSync(projectRoot, preferencesToml, changedPaths)) {
         if (issue.severity === 'warning') {
             pushStrictWarning(issues, issue.message);

package/dist/core/atomic-state-write.js

@@ -0,0 +1,31 @@
+import { randomBytes } from 'node:crypto';
+import { mkdirSync, renameSync, unlinkSync, writeFileSync } from 'node:fs';
+import path from 'node:path';
+function tempFilePath(targetPath) {
+    const suffix = `${process.pid}-${Date.now()}-${randomBytes(6).toString('hex')}`;
+    return path.join(path.dirname(targetPath), `.${path.basename(targetPath)}.${suffix}.tmp`);
+}
+export function createStateRunId(prefix) {
+    const timestamp = new Date().toISOString().replaceAll(/[:.]/g, '-');
+    return `${prefix}-${timestamp}-${process.pid}-${randomBytes(6).toString('hex')}`;
+}
+export function atomicWriteTextFile(targetPath, content) {
+    mkdirSync(path.dirname(targetPath), { recursive: true });
+    const temporaryPath = tempFilePath(targetPath);
+    try {
+        writeFileSync(temporaryPath, content, { encoding: 'utf8', flag: 'wx' });
+        renameSync(temporaryPath, targetPath);
+    }
+    catch (error) {
+        try {
+            unlinkSync(temporaryPath);
+        }
+        catch {
+            // Best-effort cleanup for a temporary file that may not have been created.
+        }
+        throw error;
+    }
+}
+export function atomicWriteJsonFile(targetPath, value) {
+    atomicWriteTextFile(targetPath, `${JSON.stringify(value, null, 2)}\n`);
+}

package/dist/core/bounded-output.js

@@ -1,3 +1,24 @@
+function isUtf8ContinuationByte(value) {
+    return value !== undefined && (value & 0xc0) === 0x80;
+}
+function findUtf8TailStart(buffer, startOffset) {
+    let start = Math.min(buffer.byteLength, Math.max(0, Math.trunc(startOffset)));
+    while (start < buffer.byteLength && isUtf8ContinuationByte(buffer[start])) {
+        start += 1;
+    }
+    return start;
+}
+export function decodeUtf8Tail(buffer, maxTailBytes) {
+    if (maxTailBytes <= 0) {
+        return { text: '', truncated: buffer.byteLength > 0 };
+    }
+    const rawStart = buffer.byteLength > maxTailBytes ? buffer.byteLength - maxTailBytes : 0;
+    const start = findUtf8TailStart(buffer, rawStart);
+    return {
+        text: buffer.subarray(start).toString('utf8'),
+        truncated: buffer.byteLength > maxTailBytes || start > 0,
+    };
+}
 export class BoundedOutputBuffer {
     #maxTailBytes;
     #chunks = [];
@@ -30,9 +51,10 @@ export class BoundedOutputBuffer {
         }
     }
     toSnapshot() {
+        const tail = decodeUtf8Tail(Buffer.concat(this.#chunks, this.#tailBytes), this.#maxTailBytes);
         return {
             bytes: this.#bytes,
-            tail: Buffer.concat(this.#chunks, this.#tailBytes).toString('utf8'),
+            tail: tail.text,
         };
     }
 }