mustflow 2.17.0 → 2.18.2

package/dist/core/check-issues.js

@@ -4,14 +4,17 @@ const CHECK_ISSUE_ID_RULES = [
     ['mustflow.command_contract.configured_missing_lifecycle', /^Configured intent [^\s]+ must define lifecycle$/u],
     ['mustflow.command_contract.configured_missing_run_policy', /^Configured intent [^\s]+ must define run_policy$/u],
     ['mustflow.command_contract.oneshot_missing_timeout', /^Oneshot intent [^\s]+ must define timeout_seconds$/u],
+    ['mustflow.command_contract.max_output_bytes_exceeds_limit', /^\[commands\.(?:defaults|intents\.[^\]]+)\]\.max_output_bytes must be less than or equal to \d+$/u],
     ['mustflow.command_contract.oneshot_stdin_not_closed', /^Oneshot intent [^\s]+ must set stdin = "closed"$/u],
     ['mustflow.command_contract.long_running_agent_allowed', /^Long-running intent [^\s]+ must not use run_policy = "agent_allowed"$/u],
     ['mustflow.command_contract.executable_source_missing', /^Configured intent [^\s]+ must define argv or mode = "shell" with cmd$/u],
     ['mustflow.command_contract.shell_background_pattern', /^Shell intent [^\s]+ contains a blocked long-running or background pattern$/u],
+    ['mustflow.command_contract.long_running_command_pattern', /^Intent [^\s]+ contains a blocked long-running or background command pattern$/u],
     ['mustflow.command_contract.success_exit_codes_invalid', /^\[commands\.intents\.[^\]]+\]\.success_exit_codes must be an integer array$/u],
     ['mustflow.command_contract.effects_invalid', /^(?:Strict: )?(?:\[commands\.(?:resources|intents\.[^\]]+\.effects)[^\]]*\]|Command effect for intent [^\s]+ must define path, paths, or lock)/u],
     ['mustflow.command_contract.effect_path_escape', /^Strict: Command effect path must stay inside the current root:/u],
     ['mustflow.command_contract.shared_writes_without_effects', /^Strict warning: configured agent-runnable intents .+ share path:.+ through writes without explicit effects or resource locks$/u],
+    ['mustflow.command_contract.broad_env_inheritance', /^Strict warning: configured agent-runnable intent [^\s]+ (?:implicitly inherits the host environment|uses env_policy = "inherit")/u],
     ['mustflow.prompt_cache.required', /^Strict: \[prompt_cache\] table is required$/u],
     ['mustflow.prompt_cache.volatile_in_stable', /^Strict: \[prompt_cache\.layers\.stable\]\.read must not include volatile path /u],
     ['mustflow.refresh.hash_method_required', /^Strict: \[refresh\]\.default_method should be "hash_check" for cache-friendly refresh$/u],

package/dist/core/command-contract-rules.js

@@ -1,16 +1,39 @@
+import path from 'node:path';
 import { readString, readStringArray } from './config-loading.js';
 const SAFE_COMMAND_INTENT_NAME_PATTERN = /^[A-Za-z0-9_-]+$/u;
+const SHELL_WRAPPER_COMMANDS = new Set(['sh', 'bash', 'zsh', 'dash', 'ksh', 'cmd', 'powershell', 'pwsh']);
+const SHELL_EVALUATION_FLAGS = new Set(['-c', '/c', '-command', '-commandwithargs']);
+const INTERPRETER_EVALUATION_FLAGS = new Map([
+    ['node', new Set(['-e', '--eval'])],
+    ['python', new Set(['-c'])],
+    ['python3', new Set(['-c'])],
+    ['py', new Set(['-c'])],
+    ['ruby', new Set(['-e'])],
+    ['perl', new Set(['-e'])],
+]);
+const PACKAGE_SCRIPT_RUNNERS = new Set(['bun', 'npm', 'pnpm', 'yarn']);
+const LONG_RUNNING_PACKAGE_SCRIPTS = new Set(['dev', 'start', 'serve', 'watch', 'preview']);
+const LONG_RUNNING_EXECUTABLES = new Set(['nodemon', 'pm2', 'serve', 'http-server', 'live-server', 'webpack-dev-server']);
 export const BACKGROUND_SHELL_PATTERNS = [
-    /\s&\s*$/u,
+    /(?:^|[^&])&(?!&)\s*$/u,
     /\bnohup\b/iu,
     /\bdisown\b/iu,
     /\bStart-Process\b/iu,
-    /\bstart\s+/iu,
+    /(?:^|[;&|]\s*)start\s+/iu,
     /\bxdg-open\b/iu,
     /\bopen\s+/iu,
     /\bchrome(?:\.exe)?\b/iu,
     /\bchromium(?:\.exe)?\b/iu,
 ];
+export const LONG_RUNNING_COMMAND_TEXT_PATTERNS = [
+    /\b(?:npm|pnpm|bun|yarn)\s+(?:run\s+)?(?:dev|start|serve|watch|preview)\b/iu,
+    /\b(?:nohup|disown)\b/iu,
+    /(?:^|[^&])&(?!&)\s*$/u,
+    /\bsetInterval\s*\(/u,
+    /\bwhile\s*(?:\(\s*true\s*\)|true)\b/iu,
+    /\bserve_forever\s*\(/iu,
+    /\bcreateServer\s*\([^)]*\)\s*\.listen\s*\(/u,
+];
 export function commandIntentNameIsSafe(intentName) {
     return SAFE_COMMAND_INTENT_NAME_PATTERN.test(intentName);
 }
@@ -25,3 +48,82 @@ export function shellCommandHasBlockedBackgroundPattern(command) {
 export function commandIntentHasBlockedShellBackgroundPattern(intent) {
     return intent.mode === 'shell' && typeof intent.cmd === 'string' && shellCommandHasBlockedBackgroundPattern(intent.cmd);
 }
+function normalizeExecutableName(value) {
+    return path.basename(value).replace(/\.(?:cmd|exe|ps1)$/iu, '').toLowerCase();
+}
+function findFlagPayload(argv, flags) {
+    for (let index = 1; index < argv.length - 1; index += 1) {
+        if (flags.has(argv[index].toLowerCase())) {
+            return argv[index + 1];
+        }
+    }
+    return null;
+}
+function commandTextHasLongRunningPattern(command) {
+    return LONG_RUNNING_COMMAND_TEXT_PATTERNS.some((pattern) => pattern.test(command));
+}
+function readPackageScriptName(command, args) {
+    if (!PACKAGE_SCRIPT_RUNNERS.has(command)) {
+        return null;
+    }
+    if (args[0] === 'run' && args[1] && !args[1].startsWith('-')) {
+        return args[1];
+    }
+    if (args[0] && LONG_RUNNING_PACKAGE_SCRIPTS.has(args[0])) {
+        return args[0];
+    }
+    return null;
+}
+function argvHasBlockedLongRunningPattern(argv) {
+    const [rawCommand = '', ...args] = argv;
+    const command = normalizeExecutableName(rawCommand);
+    const shellPayload = SHELL_WRAPPER_COMMANDS.has(command) ? findFlagPayload(argv, SHELL_EVALUATION_FLAGS) : null;
+    if (shellPayload && (shellCommandHasBlockedBackgroundPattern(shellPayload) || commandTextHasLongRunningPattern(shellPayload))) {
+        return `shell wrapper payload contains a blocked long-running or background pattern: ${shellPayload}`;
+    }
+    const interpreterFlags = INTERPRETER_EVALUATION_FLAGS.get(command);
+    const interpreterPayload = interpreterFlags ? findFlagPayload(argv, interpreterFlags) : null;
+    if (interpreterPayload && commandTextHasLongRunningPattern(interpreterPayload)) {
+        return `interpreter evaluation payload contains a blocked long-running pattern: ${interpreterPayload}`;
+    }
+    const packageScriptName = readPackageScriptName(command, args);
+    if (packageScriptName && LONG_RUNNING_PACKAGE_SCRIPTS.has(packageScriptName)) {
+        return `package-manager script "${packageScriptName}" is commonly long-running`;
+    }
+    if (LONG_RUNNING_EXECUTABLES.has(command)) {
+        return `executable "${command}" is commonly long-running`;
+    }
+    if (command === 'vite' && !args.includes('build')) {
+        return 'vite without build is commonly a development server';
+    }
+    if (command === 'next' && ['dev', 'start'].includes(args[0] ?? '')) {
+        return `next ${args[0]} is commonly long-running`;
+    }
+    if (command === 'webpack' && (args.includes('--watch') || args.includes('-w') || args.includes('serve'))) {
+        return 'webpack watch or serve mode is commonly long-running';
+    }
+    if (command === 'tsc' && (args.includes('--watch') || args.includes('-w'))) {
+        return 'tsc watch mode is long-running';
+    }
+    return null;
+}
+export function commandIntentBlockedCommandPattern(intent) {
+    if (intent.mode === 'shell' && typeof intent.cmd === 'string' && shellCommandHasBlockedBackgroundPattern(intent.cmd)) {
+        return {
+            code: 'shell_background_pattern',
+            detail: 'Shell command contains a blocked long-running or background pattern.',
+        };
+    }
+    const argv = readStringArray(intent, 'argv');
+    if (!argv) {
+        return null;
+    }
+    const detail = argvHasBlockedLongRunningPattern(argv);
+    if (!detail) {
+        return null;
+    }
+    return {
+        code: 'long_running_command_pattern',
+        detail: `Argv command contains a blocked long-running or background pattern: ${detail}.`,
+    };
+}

package/dist/core/command-contract-validation.js

@@ -1,10 +1,14 @@
 import { COMMAND_LIFECYCLES, COMMAND_RUN_POLICIES, LONG_RUNNING_LIFECYCLES, isRecord, } from './config-loading.js';
-import { COMMAND_ENV_POLICIES } from './command-env.js';
+import { COMMAND_ENV_POLICIES, DEFAULT_COMMAND_ENV_POLICY } from './command-env.js';
 import { COMMAND_EFFECT_CONCURRENCY, COMMAND_EFFECT_MODES, COMMAND_EFFECT_TYPES, validateCommandEffectLockWarnings, validateCommandEffects, } from './command-effects.js';
-import { commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
+import { commandIntentBlockedCommandPattern, commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
+import { MAX_COMMAND_OUTPUT_BYTES, commandMaxOutputBytesLimitMessage } from './command-output-limits.js';
 function commandContractIssue(message) {
     return { message };
 }
+function commandContractWarning(message) {
+    return { message, severity: 'warning' };
+}
 function hasOwn(table, key) {
     return Object.prototype.hasOwnProperty.call(table, key);
 }
@@ -46,6 +50,12 @@ function validatePositiveIntegerField(table, key, label, issues) {
         issues.push(commandContractIssue(`${label} must be a positive integer`));
     }
 }
+function validateMaxOutputBytesField(table, key, label, issues) {
+    validatePositiveIntegerField(table, key, label, issues);
+    if (isPositiveInteger(table[key]) && Number(table[key]) > MAX_COMMAND_OUTPUT_BYTES) {
+        issues.push(commandContractIssue(commandMaxOutputBytesLimitMessage(label)));
+    }
+}
 function validateAllowedStringField(table, key, label, allowedValues, issues) {
     if (!hasOwn(table, key)) {
         return;
@@ -70,7 +80,7 @@ function validateCommandDefaults(commandsToml, issues) {
     validateAllowedStringField(defaults, 'env_policy', '[commands.defaults].env_policy', COMMAND_ENV_POLICIES, issues);
     validateStringArrayField(defaults, 'env_allowlist', '[commands.defaults].env_allowlist', issues);
     validatePositiveIntegerField(defaults, 'default_timeout_seconds', '[commands.defaults].default_timeout_seconds', issues);
-    validatePositiveIntegerField(defaults, 'max_output_bytes', '[commands.defaults].max_output_bytes', issues);
+    validateMaxOutputBytesField(defaults, 'max_output_bytes', '[commands.defaults].max_output_bytes', issues);
     validatePositiveIntegerField(defaults, 'kill_after_seconds', '[commands.defaults].kill_after_seconds', issues);
 }
 function validateCommandResources(commandsToml, issues) {
@@ -148,6 +158,7 @@ function validateCommandIntent(intentName, intent, issues) {
     validateAllowedStringField(intent, 'run_policy', `[commands.intents.${intentName}].run_policy`, COMMAND_RUN_POLICIES, issues);
     validateAllowedStringField(intent, 'env_policy', `[commands.intents.${intentName}].env_policy`, COMMAND_ENV_POLICIES, issues);
     validateStringArrayField(intent, 'env_allowlist', `[commands.intents.${intentName}].env_allowlist`, issues);
+    validateMaxOutputBytesField(intent, 'max_output_bytes', `[commands.intents.${intentName}].max_output_bytes`, issues);
     validateCommandIntentSelection(intentName, intent, issues);
     if (intent.status !== 'configured') {
         return;
@@ -178,6 +189,10 @@ function validateCommandIntent(intentName, intent, issues) {
     if (commandIntentHasBlockedShellBackgroundPattern(intent)) {
         issues.push(commandContractIssue(`Shell intent ${intentName} contains a blocked long-running or background pattern`));
     }
+    const blockedCommandPattern = commandIntentBlockedCommandPattern(intent);
+    if (blockedCommandPattern?.code === 'long_running_command_pattern') {
+        issues.push(commandContractIssue(`Intent ${intentName} contains a blocked long-running or background command pattern`));
+    }
     if (hasOwn(intent, 'success_exit_codes')) {
         const value = intent.success_exit_codes;
         if (!Array.isArray(value) || value.length === 0 || value.some((entry) => !Number.isInteger(entry))) {
@@ -186,6 +201,50 @@ function validateCommandIntent(intentName, intent, issues) {
     }
     validateCommandIntentEffects(intentName, intent, issues);
 }
+function readValidCommandEnvPolicy(table) {
+    if (!table || !hasOwn(table, 'env_policy')) {
+        return undefined;
+    }
+    const value = table.env_policy;
+    return typeof value === 'string' && COMMAND_ENV_POLICIES.has(value)
+        ? value
+        : undefined;
+}
+function getEffectiveCommandEnvPolicy(defaults, intent) {
+    const intentPolicy = readValidCommandEnvPolicy(intent);
+    if (intentPolicy) {
+        return { policy: intentPolicy, source: 'intent' };
+    }
+    const defaultPolicy = readValidCommandEnvPolicy(defaults);
+    if (defaultPolicy) {
+        return { policy: defaultPolicy, source: 'defaults' };
+    }
+    return { policy: DEFAULT_COMMAND_ENV_POLICY, source: 'implicit' };
+}
+function validateCommandEnvInheritanceWarnings(commandsToml) {
+    const issues = [];
+    if (!commandsToml || !isRecord(commandsToml.intents)) {
+        return issues;
+    }
+    const defaults = isRecord(commandsToml.defaults) ? commandsToml.defaults : undefined;
+    for (const [intentName, intent] of Object.entries(commandsToml.intents)) {
+        if (!isRecord(intent) || intent.status !== 'configured' || intent.run_policy !== 'agent_allowed') {
+            continue;
+        }
+        const envPolicy = getEffectiveCommandEnvPolicy(defaults, intent);
+        if (envPolicy.policy !== 'inherit') {
+            continue;
+        }
+        const networkScope = intent.network === true ? ' with network = true' : '';
+        const migration = 'set env_policy = "minimal" or "allowlist" unless broad host state is required';
+        if (envPolicy.source === 'implicit') {
+            issues.push(commandContractWarning(`configured agent-runnable intent ${intentName} implicitly inherits the host environment${networkScope}; ${migration}`));
+            continue;
+        }
+        issues.push(commandContractWarning(`configured agent-runnable intent ${intentName} uses env_policy = "inherit"${networkScope}; ${migration}`));
+    }
+    return issues;
+}
 /**
  * mf:anchor core.command-contract-validation
  * purpose: Validate command intent declarations that gate agent-executable repository commands.
@@ -216,15 +275,18 @@ export function validateCommandContractConfig(commandsToml) {
 }
 export function validateCommandContractStrictDefaults(projectRoot, commandsToml) {
     const issues = [];
-    if (!commandsToml || !isRecord(commandsToml.defaults)) {
+    if (!commandsToml) {
         return issues;
     }
-    if (!hasOwn(commandsToml.defaults, 'max_output_bytes')) {
-        issues.push(commandContractIssue('[commands.defaults].max_output_bytes is required'));
-    }
-    if (!hasOwn(commandsToml.defaults, 'on_timeout')) {
-        issues.push(commandContractIssue('[commands.defaults].on_timeout is required'));
+    if (isRecord(commandsToml.defaults)) {
+        if (!hasOwn(commandsToml.defaults, 'max_output_bytes')) {
+            issues.push(commandContractIssue('[commands.defaults].max_output_bytes is required'));
+        }
+        if (!hasOwn(commandsToml.defaults, 'on_timeout')) {
+            issues.push(commandContractIssue('[commands.defaults].on_timeout is required'));
+        }
     }
+    issues.push(...validateCommandEnvInheritanceWarnings(commandsToml));
     issues.push(...validateCommandEffects(projectRoot, commandsToml));
     issues.push(...validateCommandEffectLockWarnings(commandsToml));
     return issues;

package/dist/core/command-intent-eligibility.js

@@ -1,5 +1,5 @@
 import { isRecord, readString } from './config-loading.js';
-import { commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
+import { commandIntentBlockedCommandPattern, commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
 export function evaluateCommandIntentEligibility(intentName, rawIntent) {
     if (!commandIntentNameIsSafe(intentName)) {
         return {
@@ -68,6 +68,14 @@ export function evaluateCommandIntentEligibility(intentName, rawIntent) {
             detail: 'Shell command contains a blocked long-running or background pattern.',
         };
     }
+    const blockedPattern = commandIntentBlockedCommandPattern(rawIntent);
+    if (blockedPattern?.code === 'long_running_command_pattern') {
+        return {
+            ok: false,
+            code: 'blocked_long_running_command_pattern',
+            detail: blockedPattern.detail,
+        };
+    }
     return {
         ok: true,
         code: 'ok',

package/dist/core/command-output-limits.js

@@ -0,0 +1,5 @@
+export const DEFAULT_COMMAND_MAX_OUTPUT_BYTES = 1_048_576;
+export const MAX_COMMAND_OUTPUT_BYTES = 16 * 1024 * 1024;
+export function commandMaxOutputBytesLimitMessage(label) {
+    return `${label} must be less than or equal to ${MAX_COMMAND_OUTPUT_BYTES}`;
+}

package/dist/core/completion-verdict.js

@@ -244,7 +244,8 @@ export function createDashboardCompletionVerdict(input) {
     const receiptBinding = input.receiptBinding ?? emptyReceiptBindingEvidence();
     const latestRunFailed = input.latestRunStatus === 'failed' ||
         input.latestRunStatus === 'timed_out' ||
-        input.latestRunStatus === 'start_failed';
+        input.latestRunStatus === 'start_failed' ||
+        input.latestRunStatus === 'output_limit_exceeded';
     let status = 'unverified';
     let primaryReason = 'dashboard_does_not_execute_verification';
     const blockers = [];

package/dist/core/contract-lint.js

@@ -2,7 +2,8 @@ import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { COMMAND_LIFECYCLES, COMMAND_RUN_POLICIES, LONG_RUNNING_LIFECYCLES, isRecord, readPositiveInteger, readString, readStringArray, } from './config-loading.js';
 import { evaluateCommandIntentEligibility, } from './command-intent-eligibility.js';
-import { commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
+import { commandIntentBlockedCommandPattern, commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
+import { MAX_COMMAND_OUTPUT_BYTES } from './command-output-limits.js';
 import { commandEffectsConflict, normalizeCommandEffects } from './command-effects.js';
 import { listChangeClassificationValidationReasons } from './change-classification.js';
 import { parseSkillIndexRoutes } from './skill-route-alignment.js';
@@ -309,6 +310,10 @@ function lintIntent(name, value, issues) {
     if (lifecycle === 'oneshot' && readPositiveInteger(value, 'timeout_seconds') === undefined) {
         pushIssue(issues, 'error', 'oneshot_missing_timeout', name, `Oneshot intent ${name} must define timeout_seconds.`);
     }
+    const maxOutputBytes = readPositiveInteger(value, 'max_output_bytes');
+    if (maxOutputBytes !== undefined && maxOutputBytes > MAX_COMMAND_OUTPUT_BYTES) {
+        pushIssue(issues, 'error', 'max_output_bytes_exceeds_limit', name, `Intent ${name} max_output_bytes must be less than or equal to ${MAX_COMMAND_OUTPUT_BYTES}.`);
+    }
     if (lifecycle === 'oneshot' && readString(value, 'stdin') !== 'closed') {
         pushIssue(issues, 'error', 'oneshot_stdin_not_closed', name, `Oneshot intent ${name} must set stdin to closed.`);
     }
@@ -321,6 +326,10 @@ function lintIntent(name, value, issues) {
     if (commandIntentHasBlockedShellBackgroundPattern(value)) {
         pushIssue(issues, 'error', 'shell_background_pattern', name, `Shell intent ${name} contains a blocked long-running or background pattern.`);
     }
+    const blockedCommandPattern = commandIntentBlockedCommandPattern(value);
+    if (blockedCommandPattern?.code === 'long_running_command_pattern') {
+        pushIssue(issues, 'error', 'long_running_command_pattern', name, `Intent ${name} contains a blocked long-running or background command pattern.`);
+    }
     if (!successExitCodesAreValid(value)) {
         pushIssue(issues, 'error', 'invalid_success_exit_codes', name, `Intent ${name} success_exit_codes must be an integer array.`);
     }

package/dist/core/public-json-contracts.js

@@ -135,7 +135,7 @@ const PUBLIC_JSON_SCHEMA_CONTRACTS = [
     {
         id: 'verify-run-manifest',
         schemaFile: 'verify-run-manifest.schema.json',
-        producer: '.mustflow/state/runs/verify-latest/manifest.json',
+        producer: '.mustflow/state/runs/verify-*/manifest.json',
         packaged: true,
         documented: true,
     },

package/dist/core/run-receipt.js

@@ -1,6 +1,7 @@
-import { mkdirSync, writeFileSync } from 'node:fs';
 import { createHash } from 'node:crypto';
 import path from 'node:path';
+import { atomicWriteJsonFile, createStateRunId } from './atomic-state-write.js';
+import { decodeUtf8Tail } from './bounded-output.js';
 import { DEFAULT_RUN_RECEIPT_TAIL_BYTES } from './retention-policy.js';
 import { redactSecretLikeText } from './secret-redaction.js';
 const RUN_RECEIPT_SCHEMA_VERSION = '1';
@@ -11,13 +12,7 @@ function toPosixPath(value) {
 }
 function truncateTextByBytes(text, maxBytes) {
     const buffer = Buffer.from(text, 'utf8');
-    if (buffer.byteLength <= maxBytes) {
-        return { text, truncated: false };
-    }
-    return {
-        text: buffer.subarray(buffer.byteLength - maxBytes).toString('utf8'),
-        truncated: true,
-    };
+    return decodeUtf8Tail(buffer, maxBytes);
 }
 function recordRedaction(state, field, result) {
     if (!result.redacted) {
@@ -62,8 +57,11 @@ function summarizeOutput(output, maxOutputBytes, tailBytes, field, state) {
         redaction_kinds: redaction.redactionKinds,
     };
 }
-function getReceiptRelativePath() {
-    return toPosixPath(path.join(RUN_RECEIPT_DIR, LATEST_RUN_RECEIPT));
+export function createRunReceiptRelativePath() {
+    return toPosixPath(path.join(RUN_RECEIPT_DIR, createStateRunId('run'), 'receipt.json'));
+}
+function getReceiptRelativePath(receiptPath) {
+    return receiptPath ?? toPosixPath(path.join(RUN_RECEIPT_DIR, LATEST_RUN_RECEIPT));
 }
 function stableJson(value) {
     if (Array.isArray(value)) {
@@ -100,6 +98,9 @@ function getErrorKind(status, exitCode) {
     if (status === 'start_failed') {
         return 'start_failed';
     }
+    if (status === 'output_limit_exceeded') {
+        return 'output_limit_exceeded';
+    }
     if (status === 'failed' && exitCode !== null) {
         return 'exit_code';
     }
@@ -240,6 +241,7 @@ export function createRunReceipt(input) {
         signal: input.signal,
         error,
         kill_method: input.killMethod,
+        ...(input.termination ? { termination: input.termination } : {}),
         stdout,
         stderr,
         write_drift: input.writeDrift,
@@ -272,12 +274,17 @@ export function createRunReceipt(input) {
             redaction_kinds: [...redactionState.kinds].sort(),
             fields: [...redactionState.fields].sort(),
         },
-        receipt_path: getReceiptRelativePath(),
+        receipt_path: getReceiptRelativePath(input.receiptPath),
     };
 }
 export function writeRunReceipt(projectRoot, receipt) {
     const receiptDir = path.join(projectRoot, RUN_RECEIPT_DIR);
     const latestPath = path.join(receiptDir, LATEST_RUN_RECEIPT);
-    mkdirSync(receiptDir, { recursive: true });
-    writeFileSync(latestPath, `${JSON.stringify(receipt, null, 2)}\n`);
+    const receiptPath = path.resolve(projectRoot, receipt.receipt_path);
+    const relativeToRunDir = path.relative(receiptDir, receiptPath);
+    if (relativeToRunDir.startsWith('..') || path.isAbsolute(relativeToRunDir)) {
+        throw new Error(`Run receipt path must stay inside ${RUN_RECEIPT_DIR}`);
+    }
+    atomicWriteJsonFile(receiptPath, receipt);
+    atomicWriteJsonFile(latestPath, receipt);
 }

package/dist/core/source-anchors.js

@@ -1,4 +1,4 @@
-import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
+import { existsSync, readdirSync, readFileSync, realpathSync, statSync } from 'node:fs';
 import path from 'node:path';
 import { SECRET_LIKE_PATTERNS, textContainsSecretLike } from './secret-redaction.js';
 export const SOURCE_ANCHOR_EXTENSIONS = new Set(['.cjs', '.go', '.js', '.jsx', '.mjs', '.py', '.rs', '.ts', '.tsx']);
@@ -49,23 +49,94 @@ export const SOURCE_ANCHOR_SECRET_LIKE_PATTERNS = SECRET_LIKE_PATTERNS;
 function toPosixPath(value) {
     return value.split(path.sep).join('/');
 }
-function listFilesRecursive(root, ignoredDirectoryNames, current = root) {
+function pathIsInsideRoot(rootRealPath, candidateRealPath) {
+    const relative = path.relative(rootRealPath, candidateRealPath);
+    return relative.length === 0 || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+function shouldIncludeSourceAnchorFile(relativePath, options) {
+    if (!options.allowedExtensions.has(path.posix.extname(relativePath))) {
+        return false;
+    }
+    if (options.excludeGeneratedOrVendor && sourceAnchorPathIsGeneratedOrVendor(relativePath)) {
+        return false;
+    }
+    if (options.include.length > 0 && !matchesAnyGlob(relativePath, options.include)) {
+        return false;
+    }
+    if (options.exclude.length > 0 && matchesAnyGlob(relativePath, options.exclude)) {
+        return false;
+    }
+    return true;
+}
+function fileIsWithinSizeLimit(filePath, maxFileBytes) {
+    if (typeof maxFileBytes !== 'number' || !Number.isFinite(maxFileBytes) || maxFileBytes <= 0) {
+        return true;
+    }
+    try {
+        return statSync(filePath).size <= maxFileBytes;
+    }
+    catch {
+        return false;
+    }
+}
+function listFilesRecursive(root, options, current = root) {
     if (!existsSync(current)) {
         return [];
     }
+    const currentRealPath = realpathSync(current);
+    if (!pathIsInsideRoot(options.rootRealPath, currentRealPath) || options.visitedRealDirectories.has(currentRealPath)) {
+        return [];
+    }
+    options.visitedRealDirectories.add(currentRealPath);
     const files = [];
-    for (const entry of readdirSync(current)) {
-        const entryPath = path.join(current, entry);
-        const stat = statSync(entryPath);
-        if (stat.isDirectory()) {
-            if (ignoredDirectoryNames.has(entry)) {
+    const entries = readdirSync(current, { withFileTypes: true }).sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+        const entryPath = path.join(current, entry.name);
+        if (options.ignoredDirectoryNames.has(entry.name)) {
+            continue;
+        }
+        if (entry.isDirectory()) {
+            files.push(...listFilesRecursive(root, options, entryPath));
+            continue;
+        }
+        if (entry.isSymbolicLink()) {
+            if (!options.followSymlinks) {
                 continue;
             }
-            files.push(...listFilesRecursive(root, ignoredDirectoryNames, entryPath));
+            let realPath;
+            try {
+                realPath = realpathSync(entryPath);
+            }
+            catch {
+                continue;
+            }
+            if (!pathIsInsideRoot(options.rootRealPath, realPath)) {
+                continue;
+            }
+            let stat;
+            try {
+                stat = statSync(entryPath);
+            }
+            catch {
+                continue;
+            }
+            if (stat.isDirectory()) {
+                files.push(...listFilesRecursive(root, options, entryPath));
+                continue;
+            }
+            if (stat.isFile()) {
+                const relativePath = toPosixPath(path.relative(root, entryPath));
+                if (shouldIncludeSourceAnchorFile(relativePath, options) && fileIsWithinSizeLimit(entryPath, options.maxFileBytes)) {
+                    files.push(relativePath);
+                }
+            }
             continue;
         }
-        if (stat.isFile()) {
-            files.push(path.relative(root, entryPath));
+        if (entry.isFile()) {
+            const relativePath = toPosixPath(path.relative(root, entryPath));
+            if (shouldIncludeSourceAnchorFile(relativePath, options) && fileIsWithinSizeLimit(entryPath, options.maxFileBytes)) {
+                files.push(relativePath);
+            }
         }
     }
     return files.sort((left, right) => left.localeCompare(right));
@@ -127,25 +198,26 @@ function normalizeAllowedExtensions(allowedExtensions) {
 function mergeIgnoredDirectoryNames(ignoredDirectoryNames) {
     return new Set([...(ignoredDirectoryNames ?? []), ...SOURCE_ANCHOR_DEFAULT_EXCLUDED_PATH_PARTS]);
 }
-function fileIsWithinSizeLimit(root, relativePath, maxFileBytes) {
-    if (typeof maxFileBytes !== 'number' || !Number.isFinite(maxFileBytes) || maxFileBytes <= 0) {
-        return true;
-    }
-    const filePath = path.join(root, ...relativePath.split('/'));
-    return statSync(filePath).size <= maxFileBytes;
-}
 export function listSourceAnchorFiles(root, options = {}) {
+    if (!existsSync(root)) {
+        return [];
+    }
     const ignoredDirectoryNames = mergeIgnoredDirectoryNames(options.ignoredDirectoryNames);
     const allowedExtensions = normalizeAllowedExtensions(options.allowedExtensions);
     const include = (options.include ?? []).map((pattern) => globToRegExp(pattern));
     const exclude = (options.exclude ?? []).map((pattern) => globToRegExp(pattern));
-    return listFilesRecursive(root, ignoredDirectoryNames)
-        .map((relativePath) => toPosixPath(relativePath))
-        .filter((relativePath) => allowedExtensions.has(path.posix.extname(relativePath)))
-        .filter((relativePath) => options.excludeGeneratedOrVendor !== true || !sourceAnchorPathIsGeneratedOrVendor(relativePath))
-        .filter((relativePath) => include.length === 0 || matchesAnyGlob(relativePath, include))
-        .filter((relativePath) => exclude.length === 0 || !matchesAnyGlob(relativePath, exclude))
-        .filter((relativePath) => fileIsWithinSizeLimit(root, relativePath, options.maxFileBytes));
+    const rootRealPath = realpathSync(root);
+    return listFilesRecursive(root, {
+        ignoredDirectoryNames,
+        allowedExtensions,
+        include,
+        exclude,
+        excludeGeneratedOrVendor: options.excludeGeneratedOrVendor === true,
+        maxFileBytes: options.maxFileBytes,
+        followSymlinks: options.followSymlinks === true,
+        rootRealPath,
+        visitedRealDirectories: new Set(),
+    });
 }
 export function stripSourceAnchorCommentPrefix(line) {
     return line

package/dist/core/verification-evidence.js

@@ -28,7 +28,10 @@ function resultForIntent(results, intent) {
 function requirementOutcome(input) {
     if (input.selectedIntents.some((intent) => {
         const result = resultForIntent(input.results, intent);
-        return result?.status === 'failed' || result?.status === 'timed_out' || result?.status === 'start_failed';
+        return (result?.status === 'failed' ||
+            result?.status === 'timed_out' ||
+            result?.status === 'start_failed' ||
+            result?.status === 'output_limit_exceeded');
     })) {
         return 'contradicted';
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mustflow",
-  "version": "2.17.0",
+  "version": "2.18.2",
   "description": "Agent workflow documents and CLI for mustflow repository roots.",
   "type": "module",
   "license": "MIT-0",

package/schemas/README.md

@@ -35,10 +35,10 @@ Current schemas:
   `mf explain verify --reason <event> --json`, `mf explain retention --json`, `mf explain skills --json`,
   and `mf explain surface --json`. Verify explanations include the shared `decisionGraph` evidence model.
 - `verify-report.schema.json`: output of `mf verify --reason <event> --json`, including an
-  evidence-based completion verdict and evidence model with a conservative coverage matrix for the
-  selected receipts and skipped checks
-- `verify-run-manifest.schema.json`: `.mustflow/state/runs/verify-latest/manifest.json`, including
-  the same completion verdict, evidence model, and coverage matrix as the verify report
+  explicit execution aggregate, evidence-based completion verdict, and evidence model with a
+  conservative coverage matrix for the selected receipts and skipped checks
+- `verify-run-manifest.schema.json`: `.mustflow/state/runs/verify-*/manifest.json`, including
+  the same execution aggregate, completion verdict, evidence model, and coverage matrix as the verify report
 - `change-verification-report.schema.json`: output of `mf verify --reason <event> --plan-only --json` and  
   `mf verify --from-classification <classify-report.json> --plan-only --json`, including the `decision_graph` that links
   changed surfaces, classification reasons, command candidates, eligibility, selected or not-selected state,

package/schemas/change-verification-report.schema.json

@@ -251,7 +251,8 @@
         "missing_timeout",
         "missing_command_source",
         "unsafe_intent_name",
-        "blocked_shell_background_pattern"
+        "blocked_shell_background_pattern",
+        "blocked_long_running_command_pattern"
       ]
     },
     "verificationCandidate": {

package/schemas/contract-lint-report.schema.json

@@ -139,7 +139,8 @@
                             "missing_timeout",
                             "missing_command_source",
                             "unsafe_intent_name",
-                            "blocked_shell_background_pattern"
+                            "blocked_shell_background_pattern",
+                            "blocked_long_running_command_pattern"
                           ]
                         },
                         "runnable": { "type": "boolean" },