mustflow 2.18.0 → 2.18.3

package/dist/cli/i18n/zh.js

@@ -750,11 +750,12 @@ export const zhMessages = {
     "verify.help.summary": "运行由 required_after 元数据选出的已配置验证意图。",
     "verify.help.option.reason": "选择要验证的 required_after 原因",
     "verify.help.option.fromClassification": "从此仓库内的 mf classify 报告读取验证原因",
-    "verify.help.option.fromPlan": "--from-classification 的兼容别名",
+    "verify.help.option.fromPlan": "--from-classification 的已弃用兼容别名；输入仍必须是 mf classify 报告",
     "verify.help.option.changed": "分类当前 Git 变更并验证匹配的原因",
     "verify.help.option.writePlan": "写入变更文件分类报告的兼容选项",
     "verify.help.option.reproEvidence": "从仓库本地 JSON 摘要读取结构化的 bug 复现证据",
     "verify.help.option.externalEvidence": "从仓库本地 JSON 摘要读取低权限外部 CI 证据",
+    "verify.help.option.parallel": "最多并行执行这个数量的安全、无冲突计划批次命令；默认值为 1",
     "verify.help.option.planOnly": "仅输出验证计划，不执行命令；需要 --json",
     "verify.help.exit.ok": "选中的所有验证意图均已通过",
     "verify.help.exit.fail": "验证失败、部分完成、被阻止，或输入无效",
@@ -769,6 +770,7 @@ export const zhMessages = {
     "verify.error.planOnlyJson": "--plan-only 需要 --json",
     "verify.error.reproEvidenceRequiresRun": "--repro-evidence 不能与 --plan-only 一起使用",
     "verify.error.externalEvidenceRequiresRun": "--external-evidence 不能与 --plan-only 一起使用",
+    "verify.error.invalidParallel": "--parallel 必须是正整数",
     "verify.error.invalid_plan_file": "分类报告必须是可读取的 JSON 文件",
     "verify.error.unsupported_plan_source": "验证输入必须是 mf classify 报告",
     "verify.error.plan_root_mismatch": "分类报告必须来自当前 mustflow 根目录",

package/dist/cli/index.js

@@ -2,7 +2,7 @@
 import { realpathSync } from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
-import { COMMAND_DEFINITIONS } from './lib/command-registry.js';
+import { COMMAND_DEFINITIONS, findCommandDefinition } from './lib/command-registry.js';
 import { renderCliError, renderHelp } from './lib/cli-output.js';
 import { DEFAULT_CLI_LANG, SUPPORTED_CLI_LANGS, isCliLang, t } from './lib/i18n.js';
 import { consoleReporter } from './lib/reporter.js';
@@ -102,77 +102,11 @@ export async function runCli(argv, reporter = consoleReporter) {
         reporter.stdout(getTopLevelHelp(parsed.lang));
         return 0;
     }
-    if (command === '--version' || command === '-v' || command === 'version') {
-        return (await import('./commands/version.js')).runVersion(args, reporter, parsed.lang);
-    }
-    if (command === 'init') {
-        return (await import('./commands/init.js')).runInit(args, reporter, parsed.lang);
-    }
-    if (command === 'adapters') {
-        return (await import('./commands/adapters.js')).runAdapters(args, reporter, parsed.lang);
-    }
-    if (command === 'check') {
-        return (await import('./commands/check.js')).runCheck(args, reporter, parsed.lang);
-    }
-    if (command === 'classify') {
-        return (await import('./commands/classify.js')).runClassify(args, reporter, parsed.lang);
-    }
-    if (command === 'contract-lint') {
-        return (await import('./commands/contract-lint.js')).runContractLint(args, reporter, parsed.lang);
-    }
-    if (command === 'status') {
-        return (await import('./commands/status.js')).runStatus(args, reporter, parsed.lang);
-    }
-    if (command === 'update') {
-        return (await import('./commands/update.js')).runUpdate(args, reporter, parsed.lang);
-    }
-    if (command === 'upgrade') {
-        return (await import('./commands/upgrade.js')).runUpgrade(args, reporter, parsed.lang);
-    }
-    if (command === 'map') {
-        return (await import('./commands/map.js')).runMap(args, reporter, parsed.lang);
-    }
-    if (command === 'line-endings') {
-        return (await import('./commands/line-endings.js')).runLineEndings(args, reporter, parsed.lang);
-    }
-    if (command === 'run') {
-        return (await import('./commands/run.js')).runRun(args, reporter, parsed.lang);
-    }
-    if (command === 'context') {
-        return (await import('./commands/context.js')).runContext(args, reporter, parsed.lang);
-    }
-    if (command === 'doctor') {
-        return (await import('./commands/doctor.js')).runDoctor(args, reporter, parsed.lang);
-    }
-    if (command === 'docs') {
-        return (await import('./commands/docs.js')).runDocs(args, reporter, parsed.lang);
-    }
-    if (command === 'handoff') {
-        return (await import('./commands/handoff.js')).runHandoff(args, reporter, parsed.lang);
-    }
-    if (command === 'index') {
-        return (await import('./commands/index.js')).runIndex(args, reporter, parsed.lang);
-    }
-    if (command === 'search') {
-        return (await import('./commands/search.js')).runSearch(args, reporter, parsed.lang);
-    }
-    if (command === 'dashboard') {
-        return (await import('./commands/dashboard.js')).runDashboard(args, reporter, parsed.lang);
-    }
-    if (command === 'version-sources') {
-        return (await import('./commands/version-sources.js')).runVersionSources(args, reporter, parsed.lang);
-    }
-    if (command === 'verify') {
-        return (await import('./commands/verify.js')).runVerify(args, reporter, parsed.lang);
-    }
-    if (command === 'explain') {
-        return (await import('./commands/explain.js')).runExplain(args, reporter, parsed.lang);
-    }
-    if (command === 'impact') {
-        return (await import('./commands/impact.js')).runImpact(args, reporter, parsed.lang);
-    }
-    if (command === 'help') {
-        return (await import('./commands/help.js')).runHelp(args, reporter, parsed.lang);
+    const commandId = command === '--version' || command === '-v' ? 'version' : command;
+    const commandDefinition = findCommandDefinition(commandId);
+    if (commandDefinition) {
+        const runner = await commandDefinition.loadRunner();
+        return runner(args, reporter, parsed.lang);
     }
     reporter.stderr(renderCliError(t(parsed.lang, 'cli.error.unknownCommand', { command }), 'mf --help', parsed.lang));
     reporter.stdout(getTopLevelHelp(parsed.lang));

package/dist/cli/lib/command-registry.js

@@ -3,120 +3,147 @@ export const COMMAND_DEFINITIONS = [
         id: 'adapters',
         usage: 'mf adapters',
         summaryKey: 'command.adapters.summary',
+        loadRunner: async () => (await import('../commands/adapters.js')).runAdapters,
     },
     {
         id: 'init',
         usage: 'mf init',
         summaryKey: 'command.init.summary',
+        loadRunner: async () => (await import('../commands/init.js')).runInit,
     },
     {
         id: 'check',
         usage: 'mf check',
         summaryKey: 'command.check.summary',
+        loadRunner: async () => (await import('../commands/check.js')).runCheck,
     },
     {
         id: 'classify',
         usage: 'mf classify',
         summaryKey: 'command.classify.summary',
+        loadRunner: async () => (await import('../commands/classify.js')).runClassify,
     },
     {
         id: 'contract-lint',
         usage: 'mf contract-lint',
         summaryKey: 'command.contractLint.summary',
+        loadRunner: async () => (await import('../commands/contract-lint.js')).runContractLint,
     },
     {
         id: 'status',
         usage: 'mf status',
         summaryKey: 'command.status.summary',
+        loadRunner: async () => (await import('../commands/status.js')).runStatus,
     },
     {
         id: 'update',
         usage: 'mf update',
         summaryKey: 'command.update.summary',
+        loadRunner: async () => (await import('../commands/update.js')).runUpdate,
     },
     {
         id: 'upgrade',
         usage: 'mf upgrade',
         summaryKey: 'command.upgrade.summary',
+        loadRunner: async () => (await import('../commands/upgrade.js')).runUpgrade,
     },
     {
         id: 'map',
         usage: 'mf map',
         summaryKey: 'command.map.summary',
+        loadRunner: async () => (await import('../commands/map.js')).runMap,
     },
     {
         id: 'line-endings',
         usage: 'mf line-endings',
         summaryKey: 'command.lineEndings.summary',
+        loadRunner: async () => (await import('../commands/line-endings.js')).runLineEndings,
     },
     {
         id: 'run',
         usage: 'mf run',
         summaryKey: 'command.run.summary',
+        loadRunner: async () => (await import('../commands/run.js')).runRun,
     },
     {
         id: 'context',
         usage: 'mf context',
         summaryKey: 'command.context.summary',
+        loadRunner: async () => (await import('../commands/context.js')).runContext,
     },
     {
         id: 'doctor',
         usage: 'mf doctor',
         summaryKey: 'command.doctor.summary',
+        loadRunner: async () => (await import('../commands/doctor.js')).runDoctor,
     },
     {
         id: 'docs',
         usage: 'mf docs',
         summaryKey: 'command.docs.summary',
+        loadRunner: async () => (await import('../commands/docs.js')).runDocs,
     },
     {
         id: 'handoff',
         usage: 'mf handoff',
         summaryKey: 'command.handoff.summary',
+        loadRunner: async () => (await import('../commands/handoff.js')).runHandoff,
     },
     {
         id: 'index',
         usage: 'mf index',
         summaryKey: 'command.index.summary',
+        loadRunner: async () => (await import('../commands/index.js')).runIndex,
     },
     {
         id: 'search',
         usage: 'mf search',
         summaryKey: 'command.search.summary',
+        loadRunner: async () => (await import('../commands/search.js')).runSearch,
     },
     {
         id: 'dashboard',
         usage: 'mf dashboard',
         summaryKey: 'command.dashboard.summary',
+        loadRunner: async () => (await import('../commands/dashboard.js')).runDashboard,
     },
     {
         id: 'version',
         usage: 'mf version',
         summaryKey: 'command.version.summary',
+        loadRunner: async () => (await import('../commands/version.js')).runVersion,
     },
     {
         id: 'version-sources',
         usage: 'mf version-sources',
         summaryKey: 'command.versionSources.summary',
+        loadRunner: async () => (await import('../commands/version-sources.js')).runVersionSources,
     },
     {
         id: 'verify',
         usage: 'mf verify',
         summaryKey: 'command.verify.summary',
+        loadRunner: async () => (await import('../commands/verify.js')).runVerify,
     },
     {
         id: 'explain',
         usage: 'mf explain',
         summaryKey: 'command.explain.summary',
+        loadRunner: async () => (await import('../commands/explain.js')).runExplain,
     },
     {
         id: 'impact',
         usage: 'mf impact',
         summaryKey: 'command.impact.summary',
+        loadRunner: async () => (await import('../commands/impact.js')).runImpact,
     },
     {
         id: 'help',
         usage: 'mf help',
         summaryKey: 'command.help.summary',
+        loadRunner: async () => (await import('../commands/help.js')).runHelp,
     },
 ];
+export function findCommandDefinition(command) {
+    return COMMAND_DEFINITIONS.find((definition) => definition.id === command);
+}

package/dist/cli/lib/repo-map.js

@@ -11,6 +11,8 @@ const REPO_MAP_GENERATOR = 'mustflow';
 const REPO_MAP_RELATIVE_ROOT = '.';
 const REPO_MAP_SOURCE_POLICY = 'anchors_only';
 const REPO_MAP_PRIVACY_MODE = 'minimal';
+const GIT_LS_FILES_TIMEOUT_MS = 5_000;
+const GIT_LS_FILES_MAX_BUFFER_BYTES = 1_048_576;
 const EXCLUDED_SEGMENTS = new Set([
     '.astro',
     '.cache',
@@ -240,10 +242,15 @@ function getRepoMapConfig(projectRoot) {
         },
     };
 }
-function getGitFiles(projectRoot) {
-    const result = spawnSync('git', ['ls-files', '-z'], {
+export function listGitFilesForRepoMap(projectRoot, options = {}) {
+    const spawnGit = options.spawnGit ??
+        ((command, args, spawnOptions) => spawnSync(command, [...args], spawnOptions));
+    const result = spawnGit('git', ['ls-files', '-z'], {
         cwd: projectRoot,
         encoding: 'utf8',
+        maxBuffer: options.maxBuffer ?? GIT_LS_FILES_MAX_BUFFER_BYTES,
+        timeout: options.timeout ?? GIT_LS_FILES_TIMEOUT_MS,
+        windowsHide: true,
     });
     if (result.status !== 0 || result.error) {
         return [];
@@ -282,7 +289,7 @@ function listAnchorCandidateFilesRecursive(rootPath, depth, priorityPaths) {
 }
 function getRepositoryFiles(projectRoot, depth, priorityPaths) {
     const files = new Set();
-    for (const relativePath of getGitFiles(projectRoot)) {
+    for (const relativePath of listGitFilesForRepoMap(projectRoot)) {
         files.add(relativePath);
     }
     for (const relativePath of listAnchorCandidateFilesRecursive(projectRoot, depth, priorityPaths)) {

package/dist/core/atomic-state-write.js

@@ -0,0 +1,31 @@
+import { randomBytes } from 'node:crypto';
+import { mkdirSync, renameSync, unlinkSync, writeFileSync } from 'node:fs';
+import path from 'node:path';
+function tempFilePath(targetPath) {
+    const suffix = `${process.pid}-${Date.now()}-${randomBytes(6).toString('hex')}`;
+    return path.join(path.dirname(targetPath), `.${path.basename(targetPath)}.${suffix}.tmp`);
+}
+export function createStateRunId(prefix) {
+    const timestamp = new Date().toISOString().replaceAll(/[:.]/g, '-');
+    return `${prefix}-${timestamp}-${process.pid}-${randomBytes(6).toString('hex')}`;
+}
+export function atomicWriteTextFile(targetPath, content) {
+    mkdirSync(path.dirname(targetPath), { recursive: true });
+    const temporaryPath = tempFilePath(targetPath);
+    try {
+        writeFileSync(temporaryPath, content, { encoding: 'utf8', flag: 'wx' });
+        renameSync(temporaryPath, targetPath);
+    }
+    catch (error) {
+        try {
+            unlinkSync(temporaryPath);
+        }
+        catch {
+            // Best-effort cleanup for a temporary file that may not have been created.
+        }
+        throw error;
+    }
+}
+export function atomicWriteJsonFile(targetPath, value) {
+    atomicWriteTextFile(targetPath, `${JSON.stringify(value, null, 2)}\n`);
+}

package/dist/core/bounded-output.js

@@ -1,3 +1,24 @@
+function isUtf8ContinuationByte(value) {
+    return value !== undefined && (value & 0xc0) === 0x80;
+}
+function findUtf8TailStart(buffer, startOffset) {
+    let start = Math.min(buffer.byteLength, Math.max(0, Math.trunc(startOffset)));
+    while (start < buffer.byteLength && isUtf8ContinuationByte(buffer[start])) {
+        start += 1;
+    }
+    return start;
+}
+export function decodeUtf8Tail(buffer, maxTailBytes) {
+    if (maxTailBytes <= 0) {
+        return { text: '', truncated: buffer.byteLength > 0 };
+    }
+    const rawStart = buffer.byteLength > maxTailBytes ? buffer.byteLength - maxTailBytes : 0;
+    const start = findUtf8TailStart(buffer, rawStart);
+    return {
+        text: buffer.subarray(start).toString('utf8'),
+        truncated: buffer.byteLength > maxTailBytes || start > 0,
+    };
+}
 export class BoundedOutputBuffer {
     #maxTailBytes;
     #chunks = [];
@@ -30,9 +51,10 @@ export class BoundedOutputBuffer {
         }
     }
     toSnapshot() {
+        const tail = decodeUtf8Tail(Buffer.concat(this.#chunks, this.#tailBytes), this.#maxTailBytes);
         return {
             bytes: this.#bytes,
-            tail: Buffer.concat(this.#chunks, this.#tailBytes).toString('utf8'),
+            tail: tail.text,
         };
     }
 }

package/dist/core/check-issues.js

@@ -14,6 +14,7 @@ const CHECK_ISSUE_ID_RULES = [
     ['mustflow.command_contract.effects_invalid', /^(?:Strict: )?(?:\[commands\.(?:resources|intents\.[^\]]+\.effects)[^\]]*\]|Command effect for intent [^\s]+ must define path, paths, or lock)/u],
     ['mustflow.command_contract.effect_path_escape', /^Strict: Command effect path must stay inside the current root:/u],
     ['mustflow.command_contract.shared_writes_without_effects', /^Strict warning: configured agent-runnable intents .+ share path:.+ through writes without explicit effects or resource locks$/u],
+    ['mustflow.command_contract.broad_env_inheritance', /^Strict warning: configured agent-runnable intent [^\s]+ (?:implicitly inherits the host environment|uses env_policy = "inherit")/u],
     ['mustflow.prompt_cache.required', /^Strict: \[prompt_cache\] table is required$/u],
     ['mustflow.prompt_cache.volatile_in_stable', /^Strict: \[prompt_cache\.layers\.stable\]\.read must not include volatile path /u],
     ['mustflow.refresh.hash_method_required', /^Strict: \[refresh\]\.default_method should be "hash_check" for cache-friendly refresh$/u],

package/dist/core/command-contract-validation.js

@@ -1,11 +1,14 @@
 import { COMMAND_LIFECYCLES, COMMAND_RUN_POLICIES, LONG_RUNNING_LIFECYCLES, isRecord, } from './config-loading.js';
-import { COMMAND_ENV_POLICIES } from './command-env.js';
+import { COMMAND_ENV_POLICIES, DEFAULT_COMMAND_ENV_POLICY } from './command-env.js';
 import { COMMAND_EFFECT_CONCURRENCY, COMMAND_EFFECT_MODES, COMMAND_EFFECT_TYPES, validateCommandEffectLockWarnings, validateCommandEffects, } from './command-effects.js';
 import { commandIntentBlockedCommandPattern, commandIntentHasBlockedShellBackgroundPattern, commandIntentHasCommandSource, commandIntentNameIsSafe, } from './command-contract-rules.js';
 import { MAX_COMMAND_OUTPUT_BYTES, commandMaxOutputBytesLimitMessage } from './command-output-limits.js';
 function commandContractIssue(message) {
     return { message };
 }
+function commandContractWarning(message) {
+    return { message, severity: 'warning' };
+}
 function hasOwn(table, key) {
     return Object.prototype.hasOwnProperty.call(table, key);
 }
@@ -198,6 +201,50 @@ function validateCommandIntent(intentName, intent, issues) {
     }
     validateCommandIntentEffects(intentName, intent, issues);
 }
+function readValidCommandEnvPolicy(table) {
+    if (!table || !hasOwn(table, 'env_policy')) {
+        return undefined;
+    }
+    const value = table.env_policy;
+    return typeof value === 'string' && COMMAND_ENV_POLICIES.has(value)
+        ? value
+        : undefined;
+}
+function getEffectiveCommandEnvPolicy(defaults, intent) {
+    const intentPolicy = readValidCommandEnvPolicy(intent);
+    if (intentPolicy) {
+        return { policy: intentPolicy, source: 'intent' };
+    }
+    const defaultPolicy = readValidCommandEnvPolicy(defaults);
+    if (defaultPolicy) {
+        return { policy: defaultPolicy, source: 'defaults' };
+    }
+    return { policy: DEFAULT_COMMAND_ENV_POLICY, source: 'implicit' };
+}
+function validateCommandEnvInheritanceWarnings(commandsToml) {
+    const issues = [];
+    if (!commandsToml || !isRecord(commandsToml.intents)) {
+        return issues;
+    }
+    const defaults = isRecord(commandsToml.defaults) ? commandsToml.defaults : undefined;
+    for (const [intentName, intent] of Object.entries(commandsToml.intents)) {
+        if (!isRecord(intent) || intent.status !== 'configured' || intent.run_policy !== 'agent_allowed') {
+            continue;
+        }
+        const envPolicy = getEffectiveCommandEnvPolicy(defaults, intent);
+        if (envPolicy.policy !== 'inherit') {
+            continue;
+        }
+        const networkScope = intent.network === true ? ' with network = true' : '';
+        const migration = 'set env_policy = "minimal" or "allowlist" unless broad host state is required';
+        if (envPolicy.source === 'implicit') {
+            issues.push(commandContractWarning(`configured agent-runnable intent ${intentName} implicitly inherits the host environment${networkScope}; ${migration}`));
+            continue;
+        }
+        issues.push(commandContractWarning(`configured agent-runnable intent ${intentName} uses env_policy = "inherit"${networkScope}; ${migration}`));
+    }
+    return issues;
+}
 /**
  * mf:anchor core.command-contract-validation
  * purpose: Validate command intent declarations that gate agent-executable repository commands.
@@ -228,15 +275,18 @@ export function validateCommandContractConfig(commandsToml) {
 }
 export function validateCommandContractStrictDefaults(projectRoot, commandsToml) {
     const issues = [];
-    if (!commandsToml || !isRecord(commandsToml.defaults)) {
+    if (!commandsToml) {
         return issues;
     }
-    if (!hasOwn(commandsToml.defaults, 'max_output_bytes')) {
-        issues.push(commandContractIssue('[commands.defaults].max_output_bytes is required'));
-    }
-    if (!hasOwn(commandsToml.defaults, 'on_timeout')) {
-        issues.push(commandContractIssue('[commands.defaults].on_timeout is required'));
+    if (isRecord(commandsToml.defaults)) {
+        if (!hasOwn(commandsToml.defaults, 'max_output_bytes')) {
+            issues.push(commandContractIssue('[commands.defaults].max_output_bytes is required'));
+        }
+        if (!hasOwn(commandsToml.defaults, 'on_timeout')) {
+            issues.push(commandContractIssue('[commands.defaults].on_timeout is required'));
+        }
     }
+    issues.push(...validateCommandEnvInheritanceWarnings(commandsToml));
     issues.push(...validateCommandEffects(projectRoot, commandsToml));
     issues.push(...validateCommandEffectLockWarnings(commandsToml));
     return issues;

package/dist/core/completion-verdict.js

@@ -244,7 +244,8 @@ export function createDashboardCompletionVerdict(input) {
     const receiptBinding = input.receiptBinding ?? emptyReceiptBindingEvidence();
     const latestRunFailed = input.latestRunStatus === 'failed' ||
         input.latestRunStatus === 'timed_out' ||
-        input.latestRunStatus === 'start_failed';
+        input.latestRunStatus === 'start_failed' ||
+        input.latestRunStatus === 'output_limit_exceeded';
     let status = 'unverified';
     let primaryReason = 'dashboard_does_not_execute_verification';
     const blockers = [];

package/dist/core/public-json-contracts.js

@@ -135,7 +135,7 @@ const PUBLIC_JSON_SCHEMA_CONTRACTS = [
     {
         id: 'verify-run-manifest',
         schemaFile: 'verify-run-manifest.schema.json',
-        producer: '.mustflow/state/runs/verify-latest/manifest.json',
+        producer: '.mustflow/state/runs/verify-*/manifest.json',
         packaged: true,
         documented: true,
     },

package/dist/core/run-receipt.js

@@ -1,6 +1,7 @@
-import { mkdirSync, writeFileSync } from 'node:fs';
 import { createHash } from 'node:crypto';
 import path from 'node:path';
+import { atomicWriteJsonFile, createStateRunId } from './atomic-state-write.js';
+import { decodeUtf8Tail } from './bounded-output.js';
 import { DEFAULT_RUN_RECEIPT_TAIL_BYTES } from './retention-policy.js';
 import { redactSecretLikeText } from './secret-redaction.js';
 const RUN_RECEIPT_SCHEMA_VERSION = '1';
@@ -11,13 +12,7 @@ function toPosixPath(value) {
 }
 function truncateTextByBytes(text, maxBytes) {
     const buffer = Buffer.from(text, 'utf8');
-    if (buffer.byteLength <= maxBytes) {
-        return { text, truncated: false };
-    }
-    return {
-        text: buffer.subarray(buffer.byteLength - maxBytes).toString('utf8'),
-        truncated: true,
-    };
+    return decodeUtf8Tail(buffer, maxBytes);
 }
 function recordRedaction(state, field, result) {
     if (!result.redacted) {
@@ -62,8 +57,11 @@ function summarizeOutput(output, maxOutputBytes, tailBytes, field, state) {
         redaction_kinds: redaction.redactionKinds,
     };
 }
-function getReceiptRelativePath() {
-    return toPosixPath(path.join(RUN_RECEIPT_DIR, LATEST_RUN_RECEIPT));
+export function createRunReceiptRelativePath() {
+    return toPosixPath(path.join(RUN_RECEIPT_DIR, createStateRunId('run'), 'receipt.json'));
+}
+function getReceiptRelativePath(receiptPath) {
+    return receiptPath ?? toPosixPath(path.join(RUN_RECEIPT_DIR, LATEST_RUN_RECEIPT));
 }
 function stableJson(value) {
     if (Array.isArray(value)) {
@@ -100,6 +98,9 @@ function getErrorKind(status, exitCode) {
     if (status === 'start_failed') {
         return 'start_failed';
     }
+    if (status === 'output_limit_exceeded') {
+        return 'output_limit_exceeded';
+    }
     if (status === 'failed' && exitCode !== null) {
         return 'exit_code';
     }
@@ -240,6 +241,7 @@ export function createRunReceipt(input) {
         signal: input.signal,
         error,
         kill_method: input.killMethod,
+        ...(input.termination ? { termination: input.termination } : {}),
         stdout,
         stderr,
         write_drift: input.writeDrift,
@@ -272,12 +274,17 @@ export function createRunReceipt(input) {
             redaction_kinds: [...redactionState.kinds].sort(),
             fields: [...redactionState.fields].sort(),
         },
-        receipt_path: getReceiptRelativePath(),
+        receipt_path: getReceiptRelativePath(input.receiptPath),
     };
 }
 export function writeRunReceipt(projectRoot, receipt) {
     const receiptDir = path.join(projectRoot, RUN_RECEIPT_DIR);
     const latestPath = path.join(receiptDir, LATEST_RUN_RECEIPT);
-    mkdirSync(receiptDir, { recursive: true });
-    writeFileSync(latestPath, `${JSON.stringify(receipt, null, 2)}\n`);
+    const receiptPath = path.resolve(projectRoot, receipt.receipt_path);
+    const relativeToRunDir = path.relative(receiptDir, receiptPath);
+    if (relativeToRunDir.startsWith('..') || path.isAbsolute(relativeToRunDir)) {
+        throw new Error(`Run receipt path must stay inside ${RUN_RECEIPT_DIR}`);
+    }
+    atomicWriteJsonFile(receiptPath, receipt);
+    atomicWriteJsonFile(latestPath, receipt);
 }