mustflow 2.22.17 → 2.22.46

package/dist/cli/commands/dashboard.js

@@ -1,4 +1,4 @@
-import { createHash, randomBytes } from 'node:crypto';
+import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
 import { existsSync, readFileSync, statSync } from 'node:fs';
 import http from 'node:http';
 import path from 'node:path';
@@ -306,8 +306,36 @@ function sendText(response, statusCode, value) {
 function sendBadRequest(response) {
     sendText(response, 400, 'Bad request');
 }
+function isDashboardBadRequestError(error, message) {
+    return (error instanceof SyntaxError ||
+        message === 'Request body is too large.' ||
+        message === 'Invalid review status.' ||
+        message === 'Request body must be a JSON object.' ||
+        message === 'Request body must include an updates array.' ||
+        message === 'Each update must be a JSON object.' ||
+        message === 'Each update must include an id.' ||
+        message === 'Bulk documentation review updates require a separate confirmed flow.' ||
+        message.startsWith('Unknown dashboard preference: ') ||
+        message.endsWith(' is locked in the dashboard.') ||
+        message.endsWith(' is required.') ||
+        message.endsWith(' must be a boolean.') ||
+        message.endsWith(' must be an integer.') ||
+        message.endsWith(' must be a string.') ||
+        message.endsWith(' must not be empty.') ||
+        /^.+ must be at (?:least|most) \d+\.$/u.test(message) ||
+        /^.+ must be one of: .+\.$/u.test(message) ||
+        message.startsWith('status must be ') ||
+        message.startsWith('reviewerKind must be '));
+}
 function isAuthorized(request, token) {
-    return request.headers['x-mustflow-dashboard-token'] === token;
+    const rawToken = request.headers['x-mustflow-dashboard-token'];
+    const candidate = Array.isArray(rawToken) ? rawToken[0] : rawToken;
+    if (typeof candidate !== 'string') {
+        return false;
+    }
+    const expected = Buffer.from(token);
+    const actual = Buffer.from(candidate);
+    return expected.byteLength === actual.byteLength && timingSafeEqual(actual, expected);
 }
 async function readRequestJson(request) {
     const chunks = [];
@@ -841,19 +869,38 @@ export async function runDashboard(args, reporter, lang = 'en') {
             }
             sendText(response, 404, 'Not found');
         }
-        catch {
-            sendBadRequest(response);
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            if (isDashboardBadRequestError(error, message)) {
+                sendBadRequest(response);
+                return;
+            }
+            reporter.stderr(message);
+            sendText(response, 500, 'Internal server error');
         }
     });
+    server.headersTimeout = 10_000;
+    server.requestTimeout = 30_000;
+    server.keepAliveTimeout = 1_000;
     return new Promise((resolve) => {
         let resolved = false;
+        const sockets = new Set();
         const close = () => {
             if (resolved) {
                 return;
             }
             resolved = true;
             server.close(() => resolve(0));
+            for (const socket of sockets) {
+                socket.destroy();
+            }
         };
+        server.on('connection', (socket) => {
+            sockets.add(socket);
+            socket.on('close', () => {
+                sockets.delete(socket);
+            });
+        });
         server.on('error', (error) => {
             if (!resolved) {
                 resolved = true;

package/dist/cli/commands/explain.js

@@ -1,7 +1,8 @@
-import { existsSync, readFileSync } from 'node:fs';
+import { existsSync } from 'node:fs';
 import path from 'node:path';
 import { printUsageError, renderHelp } from '../lib/cli-output.js';
 import { t } from '../lib/i18n.js';
+import { MUSTFLOW_JSON_MAX_BYTES, readMustflowTextFile } from '../lib/mustflow-read.js';
 import { resolveMustflowRoot } from '../lib/project-root.js';
 import { explainAssetOptimization, explainCommandIntent, } from '../../core/command-explanation.js';
 import { readCommandContract, readMustflowConfigIfExists } from '../../core/config-loading.js';
@@ -225,7 +226,7 @@ function getLatestFailureExplainOutput(projectRoot) {
     }
     let parsed;
     try {
-        parsed = JSON.parse(readFileSync(latestPath, 'utf8'));
+        parsed = JSON.parse(readMustflowTextFile(projectRoot, LATEST_RUN_RECEIPT_RELATIVE_PATH, { maxBytes: MUSTFLOW_JSON_MAX_BYTES }));
     }
     catch {
         return {

package/dist/cli/commands/help.js

@@ -140,6 +140,5 @@ export function runHelp(args, reporter, lang = 'en') {
         return 0;
     }
     reporter.stderr(renderCliError(t(lang, 'help.error.unknownTopic', { topic }), 'mf help --help', lang));
-    reporter.stdout(getHelpHelp(lang));
     return 1;
 }

package/dist/cli/commands/run.js

@@ -117,6 +117,31 @@ function renderActiveLockConflictMessage(intentName, conflicts, lang) {
         : t(lang, 'run.error.activeLockConflictUnknown');
     return t(lang, 'run.error.activeLockConflict', { intent: intentName, detail });
 }
+function createRunProgressReporter(input) {
+    if (!input.enabled) {
+        return () => undefined;
+    }
+    input.reporter.stderr(t(input.lang, 'run.progress.started', { intent: input.intentName, seconds: input.timeoutSeconds }));
+    const timers = [];
+    for (const ratio of [0.5, 0.8]) {
+        const delayMs = Math.max(1, Math.floor(input.timeoutSeconds * 1000 * ratio));
+        const elapsedSeconds = Math.max(1, Math.round(input.timeoutSeconds * ratio));
+        const timer = setTimeout(() => {
+            input.reporter.stderr(t(input.lang, 'run.progress.timeoutWarning', {
+                intent: input.intentName,
+                seconds: elapsedSeconds,
+                percent: Math.round(ratio * 100),
+            }));
+        }, delayMs);
+        timer.unref?.();
+        timers.push(timer);
+    }
+    return () => {
+        for (const timer of timers) {
+            clearTimeout(timer);
+        }
+    };
+}
 export function getRunHelp(lang = 'en') {
     return renderHelp({
         usage: 'mf run <intent> [options]',
@@ -241,13 +266,25 @@ export async function runRun(args, reporter, lang = 'en', options = {}) {
         let streamedOutput = false;
         const childStartedAtMs = performance.now();
         const startedAt = new Date();
+        const stopRunProgress = createRunProgressReporter({
+            enabled: !json && Boolean(reporter.writeStderr),
+            intentName,
+            timeoutSeconds: plan.timeoutSeconds,
+            reporter,
+            lang,
+        });
         const result = await profiler.measureAsync('child_command', async () => {
-            if (plan.commandArgv) {
+            try {
+                if (plan.commandArgv) {
+                    streamedOutput = !json;
+                    return runArgvCommandStreaming(plan.argvCommand, plan.cwd, env, plan.timeoutSeconds, plan.killAfterSeconds, plan.maxOutputBytes, stdoutTailBytes, stderrTailBytes, reporter, !json, true);
+                }
                 streamedOutput = !json;
-                return runArgvCommandStreaming(plan.argvCommand, plan.cwd, env, plan.timeoutSeconds, plan.killAfterSeconds, plan.maxOutputBytes, stdoutTailBytes, stderrTailBytes, reporter, !json, true);
+                return runShellCommandStreaming(plan.shellCommand, plan.cwd, env, plan.timeoutSeconds, plan.killAfterSeconds, plan.maxOutputBytes, stdoutTailBytes, stderrTailBytes, reporter, !json, true);
+            }
+            finally {
+                stopRunProgress();
             }
-            streamedOutput = !json;
-            return runShellCommandStreaming(plan.shellCommand, plan.cwd, env, plan.timeoutSeconds, plan.killAfterSeconds, plan.maxOutputBytes, stdoutTailBytes, stderrTailBytes, reporter, !json, true);
         });
         const childDurationMs = performance.now() - childStartedAtMs;
         const finishedAt = new Date();

package/dist/cli/i18n/en.js

@@ -665,6 +665,8 @@ Read these files before working:
     "run.help.exit.ok": "The command completed with an allowed exit code",
     "run.help.exit.fail": "The command was invalid, refused, timed out, or failed",
     "run.label.suggestedIntentSnippet": "Suggested command contract snippet",
+    "run.progress.started": "Running {intent} (timeout: {seconds}s)...",
+    "run.progress.timeoutWarning": "Still running {intent}... ({seconds}s elapsed, {percent}% of timeout)",
     "run.error.missingIntent": "Missing command name",
     "run.error.unknownIntent": "Unknown command: {intent}",
     "run.error.statusNotConfigured": 'Command "{intent}" is {status}; only configured commands can be run',

package/dist/cli/i18n/es.js

@@ -665,6 +665,8 @@ Lee estos archivos antes de trabajar:
     "run.help.exit.ok": "El comando se completo con un codigo de salida permitido",
     "run.help.exit.fail": "El comando no era válido, fue rechazado, agotó el tiempo o falló",
     "run.label.suggestedIntentSnippet": "Snippet sugerido para el contrato de comandos",
+    "run.progress.started": "Ejecutando {intent} (timeout: {seconds}s)...",
+    "run.progress.timeoutWarning": "{intent} sigue ejecutándose... ({seconds}s transcurridos, {percent}% del timeout)",
     "run.error.missingIntent": "Falta el nombre del comando",
     "run.error.unknownIntent": "Comando desconocido: {intent}",
     "run.error.statusNotConfigured": 'El comando "{intent}" está en estado {status}; sólo se pueden ejecutar comandos configurados',

package/dist/cli/i18n/fr.js

@@ -665,6 +665,8 @@ Lisez ces fichiers avant de travailler :
     "run.help.exit.ok": "La commande s'est terminée avec un code de sortie autorisé",
     "run.help.exit.fail": "La commande était non valide, refusée, expirée ou a échoué",
     "run.label.suggestedIntentSnippet": "Extrait suggéré de contrat de commande",
+    "run.progress.started": "Exécution de {intent} (timeout : {seconds}s)...",
+    "run.progress.timeoutWarning": "{intent} est toujours en cours... ({seconds}s écoulées, {percent}% du timeout)",
     "run.error.missingIntent": "Nom de commande manquant",
     "run.error.unknownIntent": "Commande inconnue : {intent}",
     "run.error.statusNotConfigured": 'La commande "{intent}" est {status} ; seules les commandes configurées peuvent être exécutées',

package/dist/cli/i18n/hi.js

@@ -665,6 +665,8 @@ export const hiMessages = {
     "run.help.exit.ok": "कमांड अनुमत exit code के साथ पूरी हुई",
     "run.help.exit.fail": "कमांड अमान्य थी, अस्वीकार हुई, timed out हुई या विफल हुई",
     "run.label.suggestedIntentSnippet": "Suggested command contract snippet",
+    "run.progress.started": "{intent} चल रहा है (timeout: {seconds}s)...",
+    "run.progress.timeoutWarning": "{intent} अभी भी चल रहा है... ({seconds}s बीते, timeout का {percent}%)",
     "run.error.missingIntent": "कमांड नाम नहीं दिया गया",
     "run.error.unknownIntent": "अज्ञात कमांड: {intent}",
     "run.error.statusNotConfigured": 'कमांड "{intent}" {status} है; केवल configured कमांड चलाई जा सकती हैं',

package/dist/cli/i18n/ko.js

@@ -665,6 +665,8 @@ export const koMessages = {
     "run.help.exit.ok": "명령이 허용된 종료 코드로 완료되었습니다",
     "run.help.exit.fail": "명령이 잘못되었거나, 거부되었거나, 시간 초과되었거나, 실패했습니다",
     "run.label.suggestedIntentSnippet": "제안 명령 계약 조각",
+    "run.progress.started": "{intent} 실행 중(timeout: {seconds}초)...",
+    "run.progress.timeoutWarning": "{intent} 계속 실행 중... ({seconds}초 경과, timeout의 {percent}%)",
     "run.error.missingIntent": "명령 이름이 없습니다",
     "run.error.unknownIntent": "알 수 없는 명령: {intent}",
     "run.error.statusNotConfigured": '명령 "{intent}"의 상태는 {status}입니다. 설정된 상태(configured)인 명령만 실행할 수 있습니다',

package/dist/cli/i18n/zh.js

@@ -665,6 +665,8 @@ export const zhMessages = {
     "run.help.exit.ok": "命令已以允许的退出码完成",
     "run.help.exit.fail": "命令无效、被拒绝、超时或失败",
     "run.label.suggestedIntentSnippet": "建议的命令契约片段",
+    "run.progress.started": "正在运行 {intent}（超时：{seconds} 秒）...",
+    "run.progress.timeoutWarning": "{intent} 仍在运行...（已用 {seconds} 秒，达到超时的 {percent}%）",
     "run.error.missingIntent": "缺少命令名称",
     "run.error.unknownIntent": "未知命令：{intent}",
     "run.error.statusNotConfigured": '命令 "{intent}" 的状态为 {status}；只能运行已配置的命令',

package/dist/cli/lib/cli-output.js

@@ -32,5 +32,5 @@ export function renderCliError(message, helpCommand, lang = 'en') {
 }
 export function printUsageError(reporter, message, helpCommand, helpText, lang = 'en') {
     reporter.stderr(renderCliError(message, helpCommand, lang));
-    reporter.stdout(helpText);
+    reporter.stderr(helpText);
 }

package/dist/cli/lib/dashboard-html/client-script.js

@@ -146,6 +146,10 @@ function updateSaveState() {
 	document.getElementById("save").disabled = pending.size === 0;
 }
 
+function hasUnsavedChanges() {
+	return pending.size > 0;
+}
+
 function setPending(id, value) {
 	const original = snapshot.settings.find((setting) => setting.id === id)?.value;
 	if (Object.is(original, value)) {
@@ -1899,6 +1903,11 @@ document.getElementById("reload").addEventListener("click", () => {
 document.getElementById("save").addEventListener("click", () => {
 	save().catch((error) => statusText(error.message, "error"));
 });
+window.addEventListener("beforeunload", (event) => {
+	if (!hasUnsavedChanges()) return;
+	event.preventDefault();
+	event.returnValue = "";
+});
 document.getElementById("open-mustflow").addEventListener("click", () => {
 	openMustflowFolder().catch((error) => statusText(error.message, "error"));
 });

package/dist/cli/lib/dashboard-html/styles.js

@@ -9,6 +9,9 @@ export function renderDashboardStyles() {
 	--accent: #8fb4ff;
 	--danger: #ff9a9a;
 	--ok: #9be7ba;
+	--control-bg: #11141a;
+	--control-hover-bg: #171b23;
+	--control-active-bg: #0d1015;
 	--row-bg: rgba(255, 255, 255, 0.018);
 	--row-bg-alt: rgba(255, 255, 255, 0.035);
 	--status-neutral-bg: rgba(174, 182, 197, 0.1);
@@ -16,6 +19,27 @@ export function renderDashboardStyles() {
 	--status-warn-bg: rgba(255, 154, 154, 0.1);
 	font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
 }
+@media (prefers-color-scheme: light) {
+	:root {
+		color-scheme: light;
+		--bg: #f6f8fb;
+		--panel: #ffffff;
+		--line: #d9e0ea;
+		--text: #162033;
+		--muted: #5d6b82;
+		--accent: #285fc2;
+		--danger: #b4232d;
+		--ok: #197a47;
+		--control-bg: #ffffff;
+		--control-hover-bg: #eef3f9;
+		--control-active-bg: #e4ebf5;
+		--row-bg: rgba(40, 95, 194, 0.035);
+		--row-bg-alt: rgba(40, 95, 194, 0.065);
+		--status-neutral-bg: rgba(93, 107, 130, 0.11);
+		--status-ok-bg: rgba(25, 122, 71, 0.11);
+		--status-warn-bg: rgba(180, 35, 45, 0.1);
+	}
+}
 * { box-sizing: border-box; }
 body {
 	margin: 0;
@@ -75,6 +99,11 @@ main {
 	gap: 8px;
 	margin-bottom: 14px;
 	overflow-x: auto;
+	-webkit-overflow-scrolling: touch;
+	scrollbar-width: none;
+}
+.tabs::-webkit-scrollbar {
+	display: none;
 }
 .tab {
 	border-color: transparent;
@@ -120,17 +149,35 @@ input:focus-visible {
 	white-space: nowrap;
 }
 button, select, input {
-	background: #11141a;
+	background: var(--control-bg);
 	border: 1px solid var(--line);
 	border-radius: 6px;
 	color: var(--text);
 	font: inherit;
 	min-height: 38px;
+	transition: background-color 160ms ease, border-color 160ms ease;
 }
 button {
 	cursor: pointer;
 	padding: 0 14px;
 }
+button:not(:disabled):hover,
+select:hover,
+input:hover {
+	background: var(--control-hover-bg);
+	border-color: var(--accent);
+}
+button:not(:disabled):active {
+	background: var(--control-active-bg);
+}
+@media (prefers-reduced-motion: no-preference) {
+	button {
+		transition: background-color 160ms ease, border-color 160ms ease, transform 120ms ease;
+	}
+	button:not(:disabled):active {
+		transform: translateY(1px);
+	}
+}
 button:disabled {
 	cursor: not-allowed;
 	opacity: 0.6;

package/dist/cli/lib/doc-review-ledger.js

@@ -75,7 +75,7 @@ function readLedgerFile(projectRoot) {
     const ledgerPath = path.join(projectRoot, DOC_REVIEW_LEDGER_RELATIVE_PATH);
     const ledgerDirectoryPath = path.dirname(ledgerPath);
     ensureInside(projectRoot, ledgerPath);
-    ensureInsideWithoutSymlinks(projectRoot, ledgerDirectoryPath, { allowMissingLeaf: true });
+    ensureInsideWithoutSymlinks(projectRoot, ledgerDirectoryPath, { allowMissingDescendant: true });
     if (!existsSync(ledgerDirectoryPath)) {
         return { schema_version: '1', documents: [] };
     }