npm - @cleocode/core - Versions diffs - 2026.4.11 → 2026.4.12 - Mend

@cleocode/core 2026.4.11 → 2026.4.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/dist/codebase-map/analyzers/architecture.d.ts.map +1 -1
package/dist/codebase-map/analyzers/architecture.js +0 -1
package/dist/codebase-map/analyzers/architecture.js.map +1 -1
package/dist/conduit/local-transport.d.ts +18 -8
package/dist/conduit/local-transport.d.ts.map +1 -1
package/dist/conduit/local-transport.js +23 -13
package/dist/conduit/local-transport.js.map +1 -1
package/dist/config.d.ts.map +1 -1
package/dist/config.js +0 -1
package/dist/config.js.map +1 -1
package/dist/errors.d.ts +19 -0
package/dist/errors.d.ts.map +1 -1
package/dist/errors.js +6 -0
package/dist/errors.js.map +1 -1
package/dist/index.js +175 -68950
package/dist/index.js.map +1 -7
package/dist/init.d.ts +1 -2
package/dist/init.d.ts.map +1 -1
package/dist/init.js +1 -2
package/dist/init.js.map +1 -1
package/dist/internal.d.ts +8 -3
package/dist/internal.d.ts.map +1 -1
package/dist/internal.js +13 -6
package/dist/internal.js.map +1 -1
package/dist/memory/learnings.d.ts +2 -2
package/dist/memory/patterns.d.ts +6 -6
package/dist/output.d.ts +32 -11
package/dist/output.d.ts.map +1 -1
package/dist/output.js +67 -67
package/dist/output.js.map +1 -1
package/dist/paths.js +80 -14
package/dist/paths.js.map +1 -1
package/dist/skills/dynamic-skill-generator.d.ts +0 -2
package/dist/skills/dynamic-skill-generator.d.ts.map +1 -1
package/dist/skills/dynamic-skill-generator.js.map +1 -1
package/dist/store/agent-registry-accessor.d.ts +203 -12
package/dist/store/agent-registry-accessor.d.ts.map +1 -1
package/dist/store/agent-registry-accessor.js +618 -100
package/dist/store/agent-registry-accessor.js.map +1 -1
package/dist/store/api-key-kdf.d.ts +73 -0
package/dist/store/api-key-kdf.d.ts.map +1 -0
package/dist/store/api-key-kdf.js +84 -0
package/dist/store/api-key-kdf.js.map +1 -0
package/dist/store/cleanup-legacy.js +171 -0
package/dist/store/cleanup-legacy.js.map +1 -0
package/dist/store/conduit-sqlite.d.ts +184 -0
package/dist/store/conduit-sqlite.d.ts.map +1 -0
package/dist/store/conduit-sqlite.js +570 -0
package/dist/store/conduit-sqlite.js.map +1 -0
package/dist/store/global-salt.d.ts +78 -0
package/dist/store/global-salt.d.ts.map +1 -0
package/dist/store/global-salt.js +147 -0
package/dist/store/global-salt.js.map +1 -0
package/dist/store/migrate-signaldock-to-conduit.d.ts +81 -0
package/dist/store/migrate-signaldock-to-conduit.d.ts.map +1 -0
package/dist/store/migrate-signaldock-to-conduit.js +555 -0
package/dist/store/migrate-signaldock-to-conduit.js.map +1 -0
package/dist/store/nexus-sqlite.js +28 -3
package/dist/store/nexus-sqlite.js.map +1 -1
package/dist/store/signaldock-sqlite.d.ts +122 -19
package/dist/store/signaldock-sqlite.d.ts.map +1 -1
package/dist/store/signaldock-sqlite.js +401 -251
package/dist/store/signaldock-sqlite.js.map +1 -1
package/dist/store/sqlite-backup.js +122 -4
package/dist/store/sqlite-backup.js.map +1 -1
package/dist/system/backup.d.ts +0 -26
package/dist/system/backup.d.ts.map +1 -1
package/dist/system/runtime.d.ts +0 -2
package/dist/system/runtime.d.ts.map +1 -1
package/dist/system/runtime.js +3 -3
package/dist/system/runtime.js.map +1 -1
package/dist/tasks/add.d.ts +1 -1
package/dist/tasks/add.d.ts.map +1 -1
package/dist/tasks/add.js +98 -23
package/dist/tasks/add.js.map +1 -1
package/dist/tasks/complete.d.ts.map +1 -1
package/dist/tasks/complete.js +4 -1
package/dist/tasks/complete.js.map +1 -1
package/dist/tasks/find.d.ts.map +1 -1
package/dist/tasks/find.js +4 -1
package/dist/tasks/find.js.map +1 -1
package/dist/tasks/labels.d.ts.map +1 -1
package/dist/tasks/labels.js +4 -1
package/dist/tasks/labels.js.map +1 -1
package/dist/tasks/relates.d.ts.map +1 -1
package/dist/tasks/relates.js +16 -4
package/dist/tasks/relates.js.map +1 -1
package/dist/tasks/show.d.ts.map +1 -1
package/dist/tasks/show.js +4 -1
package/dist/tasks/show.js.map +1 -1
package/dist/tasks/update.d.ts.map +1 -1
package/dist/tasks/update.js +32 -6
package/dist/tasks/update.js.map +1 -1
package/dist/validation/engine.d.ts.map +1 -1
package/dist/validation/engine.js +16 -4
package/dist/validation/engine.js.map +1 -1
package/dist/validation/param-utils.d.ts +5 -3
package/dist/validation/param-utils.d.ts.map +1 -1
package/dist/validation/param-utils.js +8 -6
package/dist/validation/param-utils.js.map +1 -1
package/dist/validation/protocols/_shared.d.ts.map +1 -1
package/dist/validation/protocols/_shared.js +13 -6
package/dist/validation/protocols/_shared.js.map +1 -1
package/package.json +7 -7
package/src/adapters/__tests__/manager.test.ts +0 -1
package/src/codebase-map/analyzers/architecture.ts +0 -1
package/src/conduit/__tests__/local-credential-flow.test.ts +20 -18
package/src/conduit/__tests__/local-transport.test.ts +14 -12
package/src/conduit/local-transport.ts +23 -13
package/src/config.ts +0 -1
package/src/errors.ts +24 -0
package/src/hooks/handlers/__tests__/hook-automation-e2e.test.ts +2 -5
package/src/init.ts +1 -2
package/src/internal.ts +49 -2
package/src/lifecycle/cant/lifecycle-rcasd.cant +133 -0
package/src/memory/__tests__/engine-compat.test.ts +2 -2
package/src/memory/__tests__/pipeline-manifest-sqlite.test.ts +4 -4
package/src/observability/__tests__/index.test.ts +4 -4
package/src/observability/__tests__/log-filter.test.ts +4 -4
package/src/output.ts +73 -75
package/src/sessions/__tests__/session-grade.integration.test.ts +1 -1
package/src/sessions/__tests__/session-grade.test.ts +2 -2
package/src/skills/__tests__/dynamic-skill-generator.test.ts +0 -2
package/src/skills/dynamic-skill-generator.ts +0 -2
package/src/store/__tests__/agent-registry-accessor.test.ts +807 -0
package/src/store/__tests__/api-key-kdf.test.ts +113 -0
package/src/store/__tests__/conduit-sqlite.test.ts +413 -0
package/src/store/__tests__/global-salt.test.ts +195 -0
package/src/store/__tests__/migrate-signaldock-to-conduit.test.ts +715 -0
package/src/store/__tests__/signaldock-sqlite.test.ts +652 -0
package/src/store/__tests__/sqlite-backup-global.test.ts +307 -3
package/src/store/__tests__/sqlite-backup.test.ts +5 -1
package/src/store/__tests__/t310-integration.test.ts +1150 -0
package/src/store/agent-registry-accessor.ts +847 -140
package/src/store/api-key-kdf.ts +104 -0
package/src/store/conduit-sqlite.ts +655 -0
package/src/store/global-salt.ts +175 -0
package/src/store/migrate-signaldock-to-conduit.ts +669 -0
package/src/store/signaldock-sqlite.ts +431 -254
package/src/store/sqlite-backup.ts +185 -10
package/src/system/backup.ts +2 -62
package/src/system/runtime.ts +4 -6
package/src/tasks/__tests__/error-hints.test.ts +256 -0
package/src/tasks/add.ts +99 -9
package/src/tasks/complete.ts +4 -1
package/src/tasks/find.ts +4 -1
package/src/tasks/labels.ts +4 -1
package/src/tasks/relates.ts +16 -4
package/src/tasks/show.ts +4 -1
package/src/tasks/update.ts +32 -3
package/src/validation/__tests__/error-hints.test.ts +97 -0
package/src/validation/engine.ts +16 -1
package/src/validation/param-utils.ts +10 -7
package/src/validation/protocols/_shared.ts +14 -6
package/src/validation/protocols/cant/architecture-decision.cant +80 -0
package/src/validation/protocols/cant/artifact-publish.cant +95 -0
package/src/validation/protocols/cant/consensus.cant +74 -0
package/src/validation/protocols/cant/contribution.cant +82 -0
package/src/validation/protocols/cant/decomposition.cant +92 -0
package/src/validation/protocols/cant/implementation.cant +67 -0
package/src/validation/protocols/cant/provenance.cant +88 -0
package/src/validation/protocols/cant/release.cant +96 -0
package/src/validation/protocols/cant/research.cant +66 -0
package/src/validation/protocols/cant/specification.cant +67 -0
package/src/validation/protocols/cant/testing.cant +88 -0
package/src/validation/protocols/cant/validation.cant +65 -0
package/src/validation/protocols/protocols-markdown/decomposition.md +0 -4
package/templates/config.template.json +0 -1
package/templates/global-config.template.json +0 -1

package/src/store/global-salt.ts ADDED Viewed

@@ -0,0 +1,175 @@
+/**
+ * Global-salt subsystem for the CLEO API key KDF.
+ *
+ * @task T348
+ * @epic T310
+ * @why ADR-037 §5 — API key KDF uses machine-key + global-salt + agentId.
+ *      global-salt must persist across process restarts but is machine-local.
+ * @what Atomic first-run generation, memoized read, permission/size validation.
+ */
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import path from 'node:path';
+import { getCleoHome } from '../paths.js';
+/** Filename for the global salt file under CLEO home. */
+export const GLOBAL_SALT_FILENAME = 'global-salt';
+/** Required size of the global salt in bytes. */
+export const GLOBAL_SALT_SIZE = 32;
+/** Required file permission mode for the global salt file (POSIX). */
+const SALT_FILE_MODE = 0o600;
+/**
+ * In-process memoization. Invalidated only by process restart.
+ * Cleared in tests via `__clearGlobalSaltCache()` (test-only export).
+ */
+let cached: Buffer | null = null;
+/**
+ * Returns the absolute path to the global-salt file.
+ *
+ * @returns Absolute path: `{cleoHome}/global-salt`
+ *
+ * @task T348
+ * @epic T310
+ *
+ * @example
+ * ```typescript
+ * const saltPath = getGlobalSaltPath();
+ * // Linux: "/home/user/.local/share/cleo/global-salt"
+ * ```
+ */
+export function getGlobalSaltPath(): string {
+  return path.join(getCleoHome(), GLOBAL_SALT_FILENAME);
+}
+/**
+ * Returns the 32-byte global salt. Generates and persists atomically on first
+ * call when the file does not exist. Subsequent calls return the memoized value.
+ *
+ * Never overwrites an existing salt — doing so would invalidate every stored
+ * API key derived from it.
+ *
+ * @returns A 32-byte Buffer containing the global salt
+ * @throws {Error} If the salt file exists with wrong size or wrong permissions
+ *
+ * @task T348
+ * @epic T310
+ *
+ * @example
+ * ```typescript
+ * const salt = getGlobalSalt(); // Buffer(32) [...]
+ * ```
+ */
+export function getGlobalSalt(): Buffer {
+  if (cached !== null) return cached;
+  const saltPath = getGlobalSaltPath();
+  const cleoHome = getCleoHome();
+  if (!fs.existsSync(saltPath)) {
+    // First-run generation: ensure the directory exists
+    if (!fs.existsSync(cleoHome)) {
+      fs.mkdirSync(cleoHome, { recursive: true });
+    }
+    const salt = crypto.randomBytes(GLOBAL_SALT_SIZE);
+    // Atomic write: write to tmp file, chmod, then rename into place
+    const tmpPath = `${saltPath}.tmp-${process.pid}-${Date.now()}`;
+    fs.writeFileSync(tmpPath, salt, { mode: SALT_FILE_MODE });
+    // Explicit chmod in case writeFileSync's mode arg is ignored on some FS
+    fs.chmodSync(tmpPath, SALT_FILE_MODE);
+    fs.renameSync(tmpPath, saltPath);
+    cached = salt;
+    return cached;
+  }
+  // Existing file — validate before trusting
+  const stat = fs.statSync(saltPath);
+  if (stat.size !== GLOBAL_SALT_SIZE) {
+    throw new Error(
+      `global-salt at ${saltPath} has wrong size: expected ${GLOBAL_SALT_SIZE} bytes, got ${stat.size}. ` +
+        `Refusing to use a corrupted salt file. Delete the file manually if you intend to regenerate it ` +
+        `(this will invalidate all stored API keys).`,
+    );
+  }
+  // Permission check: only meaningful on POSIX; Windows does not support mode bits
+  if (process.platform !== 'win32') {
+    const mode = stat.mode & 0o777;
+    if (mode !== SALT_FILE_MODE) {
+      throw new Error(
+        `global-salt at ${saltPath} has wrong permissions: expected 0o600, got 0o${mode.toString(8)}. ` +
+          `Fix with: chmod 600 ${saltPath}`,
+      );
+    }
+  }
+  const salt = fs.readFileSync(saltPath);
+  cached = salt;
+  return cached;
+}
+/**
+ * Runtime validation helper for startup integrity checks.
+ *
+ * Throws if the salt file exists but is malformed (wrong size or permissions).
+ * Safe to call when the file does not yet exist — returns silently in that case
+ * because first-run generation is handled lazily by `getGlobalSalt()`.
+ *
+ * @throws {Error} If the salt file exists with wrong size or wrong permissions
+ *
+ * @task T348
+ * @epic T310
+ *
+ * @example
+ * ```typescript
+ * // Called at process startup to catch accidental salt corruption early
+ * validateGlobalSalt();
+ * ```
+ */
+export function validateGlobalSalt(): void {
+  const saltPath = getGlobalSaltPath();
+  if (!fs.existsSync(saltPath)) {
+    // Not yet generated — first-run case; no error
+    return;
+  }
+  const stat = fs.statSync(saltPath);
+  if (stat.size !== GLOBAL_SALT_SIZE) {
+    throw new Error(
+      `global-salt validation failed: size ${stat.size}, expected ${GLOBAL_SALT_SIZE}`,
+    );
+  }
+  if (process.platform !== 'win32') {
+    const mode = stat.mode & 0o777;
+    if (mode !== SALT_FILE_MODE) {
+      throw new Error(
+        `global-salt validation failed: permissions 0o${mode.toString(8)}, expected 0o600`,
+      );
+    }
+  }
+}
+/**
+ * Clears the in-process memoization cache so tests can exercise the
+ * first-call generation path independently.
+ *
+ * @internal TEST ONLY — do NOT export through internal.ts or re-export
+ * from any public barrel. This symbol must never appear in production call paths.
+ *
+ * @task T348
+ * @epic T310
+ */
+export function __clearGlobalSaltCache(): void {
+  cached = null;
+}