ref(bash): codify dynamic-scope safety for outvar helpers

[Chemaclass]

Summary

• Hot-path helpers in src/runner.sh return via dedicated global slots (_BASHUNIT_RUNNER_*_OUT) instead of stdout. No $(...) fork, no eval, no shadowing risk — caller-named locals are simply never touched.
• Spy state in src/test_doubles.sh is namespaced under _BASHUNIT_SPY_*, so a test that uses a local foo_times_file=... cannot collide with the framework's _BASHUNIT_SPY_foo_TIMES_FILE.
• .claude/rules/bash-style.md documents three patterns in priority order:
  1. Preferred: dedicated global return slot.
  2. For helpers that build dynamic names: namespace the constructed name.
  3. Last resort: outvar-by-name with __bu_ prefix + regression test (none in tree).
• Regression tests in tests/unit/runner_test.sh confirm helpers do not touch caller-named locals.

Why

Bash local is dynamically scoped, so any helper that touches caller-named variables (via eval "$name=...", printf -v, ${!name} or export "$name"=...) can silently corrupt a caller that picks a natural name. The fix is to avoid that pattern entirely: return through a fixed framework-owned slot, or namespace the names we construct.

Test plan

• ./bashunit tests/unit/ green (839 passed, 1m20s)
• ./bashunit --parallel tests/ green (1074 passed, 46.58s)
• make sa clean
• make lint clean
• Bash 3.0+ compat preserved (no declare -n, no printf -v)

Closes #674

[Chemaclass]

Good catch on the audit gap. Extended in 60a31d1:

• bashunit::mock and bashunit::spy now also use the __bu_ prefix on all internal locals. Both helpers take a caller-named command and write derived globals via export "${variable}_times_file"=.... If a caller has a local matching that constructed name, export NAME=value updates the local in-place (dynamic scoping) instead of creating a clean env binding — same hazard class as the indirect-read sites.
• Rule note in .claude/rules/bash-style.md widened to cover the full test_doubles.sh surface (mock/spy/unmock + the assert_have_been_called family), not just the read direction.

Final audit state across src/*.sh:

File	Pattern	Status
src/runner.sh	eval outvar	__bu_ prefix (PR #672)
src/test_doubles.sh	export + ${!var}	__bu_ prefix (this PR)
src/coverage.sh	intentional dynamic-scope	documented exception, kept
src/helpers.sh unset_if_exists	unset "$1"	no internal locals — safe
src/env.sh:298-299	${!key}	iterates hardcoded BASHUNIT_* names — no caller-provided names, safe
src/assert*.sh, src/main.sh	eval "$cmd"	command-string execution, not outvar pattern — safe

make sa clean, make lint clean, unit suite 848 passed.

[Chemaclass]

Switched to simpler option after review.

runner.sh hot-path helpers now return via dedicated global slots, no eval, no prefix:

• _BASHUNIT_RUNNER_FIELD_OUT (extract_encoded_field)
• _BASHUNIT_RUNNER_TOTAL_OUT (compute_total_assertions)
• _BASHUNIT_RUNNER_TYPE_OUT (extract_subshell_type)
• _BASHUNIT_RUNNER_OUTPUT_OUT (format_subshell_output)

Internal locals back to natural names (input, val, subshell_output, etc.). Same perf as the eval-outvar version (no $(...) fork) and the dynamic-scope hazard is structurally gone — helper never touches caller-named variables.

test_doubles.sh — the real fix was on the constructed global names, not on helper locals. Internal locals restored to natural names; spy state moved from ${variable}_times_file to _BASHUNIT_SPY_${variable}_TIMES_FILE. A caller doing local foo_times_file=... can't collide with _BASHUNIT_SPY_foo_TIMES_FILE.

Rule in bash-style.md rewritten as three patterns in priority order:

1. Preferred: dedicated global return slot (the new runner pattern + the existing _BASHUNIT_BRANCH_ARMS_OUT in coverage.sh)
2. For helpers that build dynamic names: namespace the constructed name (_BASHUNIT_SPY_*)
3. Last-resort outvar-by-name with __bu_ prefix on locals + regression test (none in tree right now)