@claude-flow/shared 3.0.0-alpha.7 → 3.0.0-alpha.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-flow/daemon-state.json +135 -0
- package/.claude-flow/data/pending-insights.jsonl +2 -0
- package/.claude-flow/data/ranked-context.json +5 -0
- package/.claude-flow/logs/daemon.log +45 -0
- package/.claude-flow/logs/headless/audit_1777379186972_h5un5x_prompt.log +3210 -0
- package/.claude-flow/logs/headless/audit_1777379186972_h5un5x_result.log +117 -0
- package/.claude-flow/logs/headless/audit_1777379816437_w0eaul_prompt.log +3210 -0
- package/.claude-flow/logs/headless/audit_1777379816437_w0eaul_result.log +53 -0
- package/.claude-flow/logs/headless/audit_1777380440097_621y8m_prompt.log +3210 -0
- package/.claude-flow/logs/headless/audit_1777380440097_621y8m_result.log +75 -0
- package/.claude-flow/logs/headless/optimize_1777379306973_an4lmy_prompt.log +3504 -0
- package/.claude-flow/logs/headless/optimize_1777379306973_an4lmy_result.log +166 -0
- package/.claude-flow/logs/headless/optimize_1777380274732_apxz3s_prompt.log +3504 -0
- package/.claude-flow/logs/headless/optimize_1777380274732_apxz3s_result.log +219 -0
- package/.claude-flow/logs/headless/testgaps_1777379546969_dvf2a1_prompt.log +3189 -0
- package/.claude-flow/logs/headless/testgaps_1777379546969_dvf2a1_result.log +155 -0
- package/.claude-flow/metrics/codebase-map.json +11 -0
- package/.claude-flow/metrics/consolidation.json +6 -0
- package/.claude-flow/sessions/current.json +13 -0
- package/.swarm/hnsw.index +0 -0
- package/.swarm/hnsw.metadata.json +1 -0
- package/.swarm/memory.db +0 -0
- package/.swarm/memory.db-shm +0 -0
- package/.swarm/memory.db-wal +0 -0
- package/.swarm/schema.sql +305 -0
- package/dist/core/config/schema.d.ts +96 -96
- package/dist/events/event-store.d.ts.map +1 -1
- package/dist/events/event-store.js +20 -9
- package/dist/events/event-store.js.map +1 -1
- package/dist/hooks/executor.d.ts.map +1 -1
- package/dist/hooks/executor.js +7 -4
- package/dist/hooks/executor.js.map +1 -1
- package/dist/hooks/verify-exports.test.js +6 -6
- package/dist/hooks/verify-exports.test.js.map +1 -1
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +3 -6
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp/types.d.ts +4 -6
- package/dist/mcp/types.d.ts.map +1 -1
- package/dist/mcp/types.js.map +1 -1
- package/package.json +3 -2
- package/ruvector.db +0 -0
- package/src/events/event-store.ts +18 -9
- package/src/hooks/executor.ts +7 -5
- package/src/hooks/verify-exports.test.ts +6 -6
- package/src/mcp/server.ts +3 -6
- package/src/mcp/types.ts +4 -6
- package/tsconfig.tsbuildinfo +1 -1
- package/.agentic-flow/intelligence.json +0 -16
- package/__tests__/coverage/base.css +0 -224
- package/__tests__/coverage/block-navigation.js +0 -87
- package/__tests__/coverage/coverage-final.json +0 -50
- package/__tests__/coverage/favicon.png +0 -0
- package/__tests__/coverage/index.html +0 -326
- package/__tests__/coverage/lcov-report/base.css +0 -224
- package/__tests__/coverage/lcov-report/block-navigation.js +0 -87
- package/__tests__/coverage/lcov-report/favicon.png +0 -0
- package/__tests__/coverage/lcov-report/index.html +0 -326
- package/__tests__/coverage/lcov-report/prettify.css +0 -1
- package/__tests__/coverage/lcov-report/prettify.js +0 -2
- package/__tests__/coverage/lcov-report/sort-arrow-sprite.png +0 -0
- package/__tests__/coverage/lcov-report/sorter.js +0 -210
- package/__tests__/coverage/lcov-report/src/core/config/defaults.ts.html +0 -706
- package/__tests__/coverage/lcov-report/src/core/config/index.html +0 -161
- package/__tests__/coverage/lcov-report/src/core/config/loader.ts.html +0 -898
- package/__tests__/coverage/lcov-report/src/core/config/schema.ts.html +0 -649
- package/__tests__/coverage/lcov-report/src/core/config/validator.ts.html +0 -712
- package/__tests__/coverage/lcov-report/src/core/event-bus.ts.html +0 -793
- package/__tests__/coverage/lcov-report/src/core/index.html +0 -116
- package/__tests__/coverage/lcov-report/src/core/interfaces/event.interface.ts.html +0 -886
- package/__tests__/coverage/lcov-report/src/core/interfaces/index.html +0 -116
- package/__tests__/coverage/lcov-report/src/core/orchestrator/event-coordinator.ts.html +0 -451
- package/__tests__/coverage/lcov-report/src/core/orchestrator/health-monitor.ts.html +0 -727
- package/__tests__/coverage/lcov-report/src/core/orchestrator/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/core/orchestrator/lifecycle-manager.ts.html +0 -874
- package/__tests__/coverage/lcov-report/src/core/orchestrator/session-manager.ts.html +0 -922
- package/__tests__/coverage/lcov-report/src/core/orchestrator/task-manager.ts.html +0 -1036
- package/__tests__/coverage/lcov-report/src/events/domain-events.ts.html +0 -1837
- package/__tests__/coverage/lcov-report/src/events/event-store.ts.html +0 -1849
- package/__tests__/coverage/lcov-report/src/events/example-usage.ts.html +0 -964
- package/__tests__/coverage/lcov-report/src/events/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/events/projections.ts.html +0 -1768
- package/__tests__/coverage/lcov-report/src/events/state-reconstructor.ts.html +0 -1132
- package/__tests__/coverage/lcov-report/src/events.ts.html +0 -1186
- package/__tests__/coverage/lcov-report/src/hooks/example-usage.ts.html +0 -1582
- package/__tests__/coverage/lcov-report/src/hooks/executor.ts.html +0 -1222
- package/__tests__/coverage/lcov-report/src/hooks/index.html +0 -191
- package/__tests__/coverage/lcov-report/src/hooks/registry.ts.html +0 -1084
- package/__tests__/coverage/lcov-report/src/hooks/safety/bash-safety.ts.html +0 -1897
- package/__tests__/coverage/lcov-report/src/hooks/safety/file-organization.ts.html +0 -1504
- package/__tests__/coverage/lcov-report/src/hooks/safety/git-commit.ts.html +0 -1954
- package/__tests__/coverage/lcov-report/src/hooks/safety/index.html +0 -146
- package/__tests__/coverage/lcov-report/src/hooks/session-hooks.ts.html +0 -1762
- package/__tests__/coverage/lcov-report/src/hooks/task-hooks.ts.html +0 -1624
- package/__tests__/coverage/lcov-report/src/hooks/types.ts.html +0 -1156
- package/__tests__/coverage/lcov-report/src/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/mcp/connection-pool.ts.html +0 -1399
- package/__tests__/coverage/lcov-report/src/mcp/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/mcp/server.ts.html +0 -2407
- package/__tests__/coverage/lcov-report/src/mcp/session-manager.ts.html +0 -1369
- package/__tests__/coverage/lcov-report/src/mcp/tool-registry.ts.html +0 -1783
- package/__tests__/coverage/lcov-report/src/mcp/transport/http.ts.html +0 -1756
- package/__tests__/coverage/lcov-report/src/mcp/transport/index.html +0 -146
- package/__tests__/coverage/lcov-report/src/mcp/transport/stdio.ts.html +0 -1057
- package/__tests__/coverage/lcov-report/src/mcp/transport/websocket.ts.html +0 -1537
- package/__tests__/coverage/lcov-report/src/mcp/types.ts.html +0 -1780
- package/__tests__/coverage/lcov-report/src/plugin-interface.ts.html +0 -2074
- package/__tests__/coverage/lcov-report/src/plugin-loader.ts.html +0 -1999
- package/__tests__/coverage/lcov-report/src/plugin-registry.ts.html +0 -1897
- package/__tests__/coverage/lcov-report/src/plugins/official/hive-mind-plugin.ts.html +0 -1075
- package/__tests__/coverage/lcov-report/src/plugins/official/index.html +0 -131
- package/__tests__/coverage/lcov-report/src/plugins/official/maestro-plugin.ts.html +0 -1609
- package/__tests__/coverage/lcov-report/src/resilience/bulkhead.ts.html +0 -916
- package/__tests__/coverage/lcov-report/src/resilience/circuit-breaker.ts.html +0 -1063
- package/__tests__/coverage/lcov-report/src/resilience/index.html +0 -161
- package/__tests__/coverage/lcov-report/src/resilience/rate-limiter.ts.html +0 -1345
- package/__tests__/coverage/lcov-report/src/resilience/retry.ts.html +0 -757
- package/__tests__/coverage/lcov-report/src/security/index.html +0 -131
- package/__tests__/coverage/lcov-report/src/security/input-validation.ts.html +0 -880
- package/__tests__/coverage/lcov-report/src/security/secure-random.ts.html +0 -562
- package/__tests__/coverage/lcov-report/src/types/index.html +0 -131
- package/__tests__/coverage/lcov-report/src/types/swarm.types.ts.html +0 -850
- package/__tests__/coverage/lcov-report/src/types/task.types.ts.html +0 -700
- package/__tests__/coverage/lcov-report/src/types.ts.html +0 -1186
- package/__tests__/coverage/lcov-report/src/utils/index.html +0 -116
- package/__tests__/coverage/lcov-report/src/utils/secure-logger.ts.html +0 -856
- package/__tests__/coverage/lcov.info +0 -19877
- package/__tests__/coverage/prettify.css +0 -1
- package/__tests__/coverage/prettify.js +0 -2
- package/__tests__/coverage/sort-arrow-sprite.png +0 -0
- package/__tests__/coverage/sorter.js +0 -210
- package/__tests__/coverage/src/core/config/defaults.ts.html +0 -706
- package/__tests__/coverage/src/core/config/index.html +0 -161
- package/__tests__/coverage/src/core/config/loader.ts.html +0 -898
- package/__tests__/coverage/src/core/config/schema.ts.html +0 -649
- package/__tests__/coverage/src/core/config/validator.ts.html +0 -712
- package/__tests__/coverage/src/core/event-bus.ts.html +0 -793
- package/__tests__/coverage/src/core/index.html +0 -116
- package/__tests__/coverage/src/core/interfaces/event.interface.ts.html +0 -886
- package/__tests__/coverage/src/core/interfaces/index.html +0 -116
- package/__tests__/coverage/src/core/orchestrator/event-coordinator.ts.html +0 -451
- package/__tests__/coverage/src/core/orchestrator/health-monitor.ts.html +0 -727
- package/__tests__/coverage/src/core/orchestrator/index.html +0 -176
- package/__tests__/coverage/src/core/orchestrator/lifecycle-manager.ts.html +0 -874
- package/__tests__/coverage/src/core/orchestrator/session-manager.ts.html +0 -922
- package/__tests__/coverage/src/core/orchestrator/task-manager.ts.html +0 -1036
- package/__tests__/coverage/src/events/domain-events.ts.html +0 -1837
- package/__tests__/coverage/src/events/event-store.ts.html +0 -1849
- package/__tests__/coverage/src/events/example-usage.ts.html +0 -964
- package/__tests__/coverage/src/events/index.html +0 -176
- package/__tests__/coverage/src/events/projections.ts.html +0 -1768
- package/__tests__/coverage/src/events/state-reconstructor.ts.html +0 -1132
- package/__tests__/coverage/src/events.ts.html +0 -1186
- package/__tests__/coverage/src/hooks/example-usage.ts.html +0 -1582
- package/__tests__/coverage/src/hooks/executor.ts.html +0 -1222
- package/__tests__/coverage/src/hooks/index.html +0 -191
- package/__tests__/coverage/src/hooks/registry.ts.html +0 -1084
- package/__tests__/coverage/src/hooks/safety/bash-safety.ts.html +0 -1897
- package/__tests__/coverage/src/hooks/safety/file-organization.ts.html +0 -1504
- package/__tests__/coverage/src/hooks/safety/git-commit.ts.html +0 -1954
- package/__tests__/coverage/src/hooks/safety/index.html +0 -146
- package/__tests__/coverage/src/hooks/session-hooks.ts.html +0 -1762
- package/__tests__/coverage/src/hooks/task-hooks.ts.html +0 -1624
- package/__tests__/coverage/src/hooks/types.ts.html +0 -1156
- package/__tests__/coverage/src/index.html +0 -176
- package/__tests__/coverage/src/mcp/connection-pool.ts.html +0 -1399
- package/__tests__/coverage/src/mcp/index.html +0 -176
- package/__tests__/coverage/src/mcp/server.ts.html +0 -2407
- package/__tests__/coverage/src/mcp/session-manager.ts.html +0 -1369
- package/__tests__/coverage/src/mcp/tool-registry.ts.html +0 -1783
- package/__tests__/coverage/src/mcp/transport/http.ts.html +0 -1756
- package/__tests__/coverage/src/mcp/transport/index.html +0 -146
- package/__tests__/coverage/src/mcp/transport/stdio.ts.html +0 -1057
- package/__tests__/coverage/src/mcp/transport/websocket.ts.html +0 -1537
- package/__tests__/coverage/src/mcp/types.ts.html +0 -1780
- package/__tests__/coverage/src/plugin-interface.ts.html +0 -2074
- package/__tests__/coverage/src/plugin-loader.ts.html +0 -1999
- package/__tests__/coverage/src/plugin-registry.ts.html +0 -1897
- package/__tests__/coverage/src/plugins/official/hive-mind-plugin.ts.html +0 -1075
- package/__tests__/coverage/src/plugins/official/index.html +0 -131
- package/__tests__/coverage/src/plugins/official/maestro-plugin.ts.html +0 -1609
- package/__tests__/coverage/src/resilience/bulkhead.ts.html +0 -916
- package/__tests__/coverage/src/resilience/circuit-breaker.ts.html +0 -1063
- package/__tests__/coverage/src/resilience/index.html +0 -161
- package/__tests__/coverage/src/resilience/rate-limiter.ts.html +0 -1345
- package/__tests__/coverage/src/resilience/retry.ts.html +0 -757
- package/__tests__/coverage/src/security/index.html +0 -131
- package/__tests__/coverage/src/security/input-validation.ts.html +0 -880
- package/__tests__/coverage/src/security/secure-random.ts.html +0 -562
- package/__tests__/coverage/src/types/index.html +0 -131
- package/__tests__/coverage/src/types/swarm.types.ts.html +0 -850
- package/__tests__/coverage/src/types/task.types.ts.html +0 -700
- package/__tests__/coverage/src/types.ts.html +0 -1186
- package/__tests__/coverage/src/utils/index.html +0 -116
- package/__tests__/coverage/src/utils/secure-logger.ts.html +0 -856
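--- a/package/.claude-flow/logs/headless/audit_1777379816437_w0eaul_result.log
+++ b/package/.claude-flow/logs/headless/audit_1777379816437_w0eaul_result.log
@@ -0,0 +1,53 @@
+[2026-04-28T12:37:20.067Z] RESULT
+============================================================
+{
+"success": true,
+"output": "# Security Analysis Report\n\nAfter analyzing the provided codebase, I've identified the security posture and potential vulnerabilities.\n\n```json\n{\n \"vulnerabilities\": [\n {\n \"severity\": \"medium\",\n \"file\": \"src/core/config/loader.ts\",\n \"line\": 55,\n \"description\": \"JSON file parsing without size validation. loadJsonConfig() reads entire file and parses JSON without checking file size, potentially vulnerable to JSON bomb/DoS attacks (though file system typically limits this).\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/core/config/loader.ts\",\n \"line\": 80,\n \"description\": \"Missing radix parameter in some parseInt calls - not present in the visible code, but best practice would be explicit radix=10 for all string-to-number conversions. Current code at line 93 uses parseInt(..., 10) correctly.\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/core/config/schema.ts\",\n \"line\": 15,\n \"description\": \"Agent capability names validated as simple strings without alphanumeric constraints. Could allow injection of special characters in capability names, though impact is low in this context.\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/core/interfaces/memory.interface.ts\",\n \"line\": 45,\n \"description\": \"Metadata field allows arbitrary Record<string, unknown> without constraints. Could potentially store unbounded data if not enforced at the backend level.\"\n }\n ],\n \"riskScore\": 28,\n \"recommendations\": [\n \"Add file size validation in loadJsonConfig() - enforce maximum JSON file size (e.g., 10MB) before parsing to prevent JSON bomb attacks\",\n \"Implement input sanitization for arbitrary metadata fields before storing in memory backends\",\n \"Add rate limiting to configuration loader to prevent rapid repeated file reads\",\n \"Use JSON.parse() with reviver function to validate structure before full parsing\",\n \"Document and enforce maximum payload sizes for all network communication (MCP tools, agent messages)\",\n \"Consider adding a security audit for the event bus to ensure malicious events cannot cause DoS\",\n \"Add validation for agent capability names - restrict to alphanumeric + hyphens/underscores\",\n \"Implement size limits for memory entry values in IMemoryBackend implementations\",\n \"Ensure all file paths in configuration are validated against path traversal attacks\",\n \"Add explicit error handling for corrupted configuration files (current code uses generic JSON.parse error)\"\n ]\n}\n```\n\n## Additional Findings\n\n### Positive Security Measures\n✅ **Secure Logger** (`src/utils/secure-logger.js`): Excellent implementation with proper sanitization of passwords, tokens, API keys, and file paths \n✅ **Type Safety**: Comprehensive use of TypeScript and Zod validation schemas \n✅ **Configuration Validation**: All configs validated against schemas before use \n✅ **Secure Event IDs**: Uses `randomBytes()` for cryptographically secure event ID generation \n✅ **Test Coverage**: Strong test files demonstrating security awareness (bash safety, file organization enforcement) \n\n### Areas for Improvement\n⚠️ **No visible authentication/authorization enforcement** - while interfaces reference these, no implementation shown \n⚠️ **Missing rate limiting** - especially important for file I/O and event processing \n⚠️ **No encryption at rest** - memory backends don't explicitly mention encryption \n⚠️ **Limited error context** - error messages could expose internal details in some cases\n",
+"parsedOutput": {
+"vulnerabilities": [
+{
+"severity": "medium",
+"file": "src/core/config/loader.ts",
+"line": 55,
+"description": "JSON file parsing without size validation. loadJsonConfig() reads entire file and parses JSON without checking file size, potentially vulnerable to JSON bomb/DoS attacks (though file system typically limits this)."
+},
+{
+"severity": "low",
+"file": "src/core/config/loader.ts",
+"line": 80,
+"description": "Missing radix parameter in some parseInt calls - not present in the visible code, but best practice would be explicit radix=10 for all string-to-number conversions. Current code at line 93 uses parseInt(..., 10) correctly."
+},
+{
+"severity": "low",
+"file": "src/core/config/schema.ts",
+"line": 15,
+"description": "Agent capability names validated as simple strings without alphanumeric constraints. Could allow injection of special characters in capability names, though impact is low in this context."
+},
+{
+"severity": "low",
+"file": "src/core/interfaces/memory.interface.ts",
+"line": 45,
+"description": "Metadata field allows arbitrary Record<string, unknown> without constraints. Could potentially store unbounded data if not enforced at the backend level."
+}
+],
+"riskScore": 28,
+"recommendations": [
+"Add file size validation in loadJsonConfig() - enforce maximum JSON file size (e.g., 10MB) before parsing to prevent JSON bomb attacks",
+"Implement input sanitization for arbitrary metadata fields before storing in memory backends",
+"Add rate limiting to configuration loader to prevent rapid repeated file reads",
+"Use JSON.parse() with reviver function to validate structure before full parsing",
+"Document and enforce maximum payload sizes for all network communication (MCP tools, agent messages)",
+"Consider adding a security audit for the event bus to ensure malicious events cannot cause DoS",
+"Add validation for agent capability names - restrict to alphanumeric + hyphens/underscores",
+"Implement size limits for memory entry values in IMemoryBackend implementations",
+"Ensure all file paths in configuration are validated against path traversal attacks",
+"Add explicit error handling for corrupted configuration files (current code uses generic JSON.parse error)"
+]
+},
+"durationMs": 23630,
+"model": "haiku",
+"sandboxMode": "strict",
+"workerType": "audit",
+"timestamp": "2026-04-28T12:37:20.067Z",
+"executionId": "audit_1777379816437_w0eaul"
+}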
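Review bot: This whole file is runtime output of a headless audit worker (timestamp, `executionId`, a model's findings), not package source, and it is being shipped in the public npm tarball; the same applies to the other `package/.claude-flow/` logs, `daemon-state.json`, `sessions/current.json`, the `package/.swarm/memory.db` / `-wal` / `-shm` and `hnsw.index` files, `ruvector.db` and `tsconfig.tsbuildinfo` in the file list above. Consumers receive internal state and an SQLite database they never asked for (the `-wal`/`-shm` sidecars suggest it was packed while a connection was open, so its contents may be inconsistent), and any local path or credential that lands in these logs would be published with the next release. Add a `files` whitelist to `package.json` (for example `"files": ["dist", "src"]`) or `.npmignore` entries for `.claude-flow/`, `.swarm/` and `*.db*`, and check the result with `npm pack --dry-run` before publishing. The findings the log records (for instance `loadJsonConfig()` parsing a file with no size check) appear to remain open, since nothing in this release's file list indicates that `src/core/config/loader.ts` changed.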