agentic-qe 3.8.14 → 3.9.0

package/dist/context/compaction/tier4-reactive.js

@@ -0,0 +1,129 @@
+/**
+ * Agentic QE v3 - Tier 4: Reactive Compaction (IMP-08)
+ *
+ * Last-resort compaction triggered by 413 errors or context overflow
+ * detection. Aggressively peels the oldest conversation rounds until
+ * the estimated token count drops below the recovery target.
+ *
+ * This tier is destructive — it drops messages entirely (no summary).
+ * It exists to recover from situations where the context window is
+ * critically full and the session would otherwise fail.
+ */
+import { estimateTokensPadded } from '../../mcp/middleware/microcompact';
+// ============================================================================
+// Defaults
+// ============================================================================
+const DEFAULT_RECOVERY_TARGET = 30_000;
+const DEFAULT_MIN_PRESERVED = 4;
+// ============================================================================
+// Tier4Reactive
+// ============================================================================
+export class Tier4Reactive {
+    recoveryTarget;
+    minPreserved;
+    constructor(options = {}) {
+        this.recoveryTarget = options.recoveryTarget ?? DEFAULT_RECOVERY_TARGET;
+        this.minPreserved = options.minPreservedMessages ?? DEFAULT_MIN_PRESERVED;
+    }
+    /**
+     * Aggressively peel oldest messages until under the recovery target.
+     *
+     * Algorithm:
+     *   1. Compute total tokens.
+     *   2. If already under target, return early.
+     *   3. Walk forward from the oldest message, dropping messages until
+     *      remaining tokens are at or below recoveryTarget.
+     *   4. Never drop below minPreservedMessages from the tail.
+     *   5. When dropping a tool_result, also drop its paired tool_use (and vice versa).
+     */
+    compact(messages, trigger = 'context_overflow') {
+        if (messages.length === 0) {
+            return {
+                tier: 4,
+                survivingMessages: [],
+                survivingTokens: 0,
+                droppedCount: 0,
+                tokensSaved: 0,
+                trigger,
+            };
+        }
+        // Annotate tokens
+        const annotated = messages.map(m => ({
+            ...m,
+            estimatedTokens: m.estimatedTokens ?? estimateTokensPadded(m.content),
+        }));
+        const totalTokens = annotated.reduce((s, m) => s + m.estimatedTokens, 0);
+        // Already under target?
+        if (totalTokens <= this.recoveryTarget) {
+            return {
+                tier: 4,
+                survivingMessages: messages,
+                survivingTokens: totalTokens,
+                droppedCount: 0,
+                tokensSaved: 0,
+                trigger,
+            };
+        }
+        // Build pair map: toolUseId -> indices of both tool_use and tool_result
+        const pairMap = new Map();
+        for (let i = 0; i < annotated.length; i++) {
+            const m = annotated[i];
+            if (m.toolUseId) {
+                const existing = pairMap.get(m.toolUseId) ?? [];
+                existing.push(i);
+                pairMap.set(m.toolUseId, existing);
+            }
+        }
+        // Mark messages for dropping
+        const dropped = new Set();
+        let remainingTokens = totalTokens;
+        // The tail we must preserve
+        const preserveFrom = Math.max(0, annotated.length - this.minPreserved);
+        for (let i = 0; i < annotated.length; i++) {
+            if (remainingTokens <= this.recoveryTarget)
+                break;
+            if (i >= preserveFrom)
+                break; // Don't touch the preserved tail
+            if (dropped.has(i))
+                continue;
+            // Drop this message
+            dropped.add(i);
+            remainingTokens -= annotated[i].estimatedTokens;
+            // If part of a pair, drop the partner too
+            if (annotated[i].toolUseId) {
+                const partners = pairMap.get(annotated[i].toolUseId) ?? [];
+                for (const partnerIdx of partners) {
+                    if (!dropped.has(partnerIdx) && partnerIdx < preserveFrom) {
+                        dropped.add(partnerIdx);
+                        remainingTokens -= annotated[partnerIdx].estimatedTokens;
+                    }
+                }
+            }
+        }
+        const surviving = annotated.filter((_, i) => !dropped.has(i));
+        const survivingTokens = surviving.reduce((s, m) => s + m.estimatedTokens, 0);
+        return {
+            tier: 4,
+            survivingMessages: surviving,
+            survivingTokens,
+            droppedCount: dropped.size,
+            tokensSaved: totalTokens - survivingTokens,
+            trigger,
+        };
+    }
+    /**
+     * Convenience: check if a given HTTP status or error message indicates
+     * a context overflow that should trigger reactive compaction.
+     */
+    static isContextOverflow(statusOrMessage) {
+        if (typeof statusOrMessage === 'number') {
+            return statusOrMessage === 413;
+        }
+        const lower = statusOrMessage.toLowerCase();
+        return lower.includes('context_length_exceeded')
+            || lower.includes('maximum context length')
+            || lower.includes('too many tokens')
+            || lower.includes('413');
+    }
+}
+//# sourceMappingURL=tier4-reactive.js.map

package/dist/coordination/consensus/providers/claude-provider.d.ts

@@ -61,6 +61,7 @@ export declare class ClaudeModelProvider extends BaseModelProvider {
     private readonly config;
     private readonly apiKey;
     private readonly baseUrl;
+    private readonly cacheLatch;
     /**
      * Create a new Claude provider
      *

package/dist/coordination/consensus/providers/claude-provider.js

@@ -9,6 +9,7 @@
  */
 import { toErrorMessage, toError } from '../../../shared/error-utils.js';
 import { BaseModelProvider, } from '../model-provider';
+import { PromptCacheLatch } from '../../../shared/prompt-cache-latch.js';
 // ============================================================================
 // Claude Model Provider Implementation
 // ============================================================================
@@ -49,6 +50,8 @@ export class ClaudeModelProvider extends BaseModelProvider {
     config;
     apiKey;
     baseUrl;
+    // IMP-05: Prompt cache latch — stabilizes API params to maximize cache hits
+    cacheLatch = new PromptCacheLatch();
     /**
      * Create a new Claude provider
      *
@@ -87,11 +90,28 @@ export class ClaudeModelProvider extends BaseModelProvider {
         if (this.disposed) {
             throw new Error('Provider has been disposed');
         }
-        const model = options?.model || this.config.defaultModel;
-        const maxTokens = options?.maxTokens || 4096;
+        const requestedModel = options?.model || this.config.defaultModel;
+        const requestedMaxTokens = options?.maxTokens || 4096;
         const temperature = options?.temperature ?? 0.7;
         const timeout = options?.timeout || this.config.defaultTimeout;
-        const systemPrompt = options?.systemPrompt || this.getDefaultSystemPrompt();
+        const requestedSystem = options?.systemPrompt || this.getDefaultSystemPrompt();
+        // IMP-05: Latch stable params to prevent prompt cache busting.
+        // If caller explicitly overrides, reset and re-latch.
+        if (this.cacheLatch.has('model') && this.cacheLatch.get('model') !== requestedModel) {
+            this.cacheLatch.reset('model');
+        }
+        if (this.cacheLatch.has('max_tokens') && this.cacheLatch.get('max_tokens') !== requestedMaxTokens) {
+            this.cacheLatch.reset('max_tokens');
+        }
+        if (this.cacheLatch.has('system') && this.cacheLatch.get('system') !== requestedSystem) {
+            this.cacheLatch.reset('system');
+        }
+        this.cacheLatch.latch('model', requestedModel);
+        this.cacheLatch.latch('max_tokens', requestedMaxTokens);
+        this.cacheLatch.latch('system', requestedSystem);
+        const model = this.cacheLatch.get('model');
+        const maxTokens = this.cacheLatch.get('max_tokens');
+        const systemPrompt = this.cacheLatch.get('system');
         const request = {
             model,
             max_tokens: maxTokens,

package/dist/hooks/cross-phase-hooks.d.ts

@@ -26,6 +26,17 @@ export declare class CrossPhaseHookExecutor {
     private querySignalsForInjection;
     formatSignalsForInjection(signals: CrossPhaseSignal[]): string;
     private getRecommendations;
+    /**
+     * IMP-07: When AQE_HOOKS_MANAGED_ONLY is set, only hooks whose names start
+     * with "managed:" are allowed to execute.  All other hooks are filtered out.
+     */
+    private filterManagedHooks;
+    /**
+     * IMP-07: SSRF guard — if a target string looks like a URL (has a scheme),
+     * validate it against the SSRF blocklist.  Returns true when the URL is
+     * blocked and the caller should abort the action.
+     */
+    private isBlockedUrl;
     private checkConditions;
     private evaluateCondition;
     private getValueFromPath;

package/dist/hooks/cross-phase-hooks.js

@@ -11,6 +11,7 @@ import { readFileSync, existsSync } from 'fs';
 import { join } from 'path';
 import { parse as parseYaml } from 'yaml';
 import { getCrossPhaseMemory, } from '../memory/cross-phase-memory.js';
+import { captureHooksConfigSnapshot, validateHookUrl, classifyHookExit, } from './security/index.js';
 // =============================================================================
 // Hook Executor
 // =============================================================================
@@ -27,17 +28,24 @@ export class CrossPhaseHookExecutor {
     // Initialization
     // ---------------------------------------------------------------------------
     async initialize() {
+        // IMP-07: Policy flag — globally disable all hook execution
+        if (process.env.AQE_HOOKS_DISABLED === 'true') {
+            console.log('[CrossPhaseHooks] All hooks disabled via AQE_HOOKS_DISABLED');
+            return false;
+        }
         if (!existsSync(this.configPath)) {
             console.warn(`[CrossPhaseHooks] Config not found: ${this.configPath}`);
             return false;
         }
         try {
             const content = readFileSync(this.configPath, 'utf-8');
-            this.config = parseYaml(content);
-            if (!this.config.enabled) {
+            const parsed = parseYaml(content);
+            if (!parsed.enabled) {
                 console.log('[CrossPhaseHooks] Hooks disabled in config');
                 return false;
             }
+            // IMP-07: Deep-freeze config so it cannot be mutated at runtime
+            this.config = captureHooksConfigSnapshot(parsed);
             await this.memory.initialize();
             console.log(`[CrossPhaseHooks] Initialized with ${Object.keys(this.config.hooks).length} hooks`);
             return true;
@@ -53,8 +61,11 @@ export class CrossPhaseHookExecutor {
     async onAgentComplete(agentName, result) {
         if (!this.config)
             return;
-        const matchingHooks = Object.entries(this.config.hooks).filter(([_, hook]) => hook.trigger.event === 'agent-complete' &&
-            hook.trigger.agent === agentName);
+        // IMP-07: Runtime kill-switch check
+        if (process.env.AQE_HOOKS_DISABLED === 'true')
+            return;
+        const matchingHooks = this.filterManagedHooks(Object.entries(this.config.hooks).filter(([_, hook]) => hook.trigger.event === 'agent-complete' &&
+            hook.trigger.agent === agentName));
         for (const [hookName, hook] of matchingHooks) {
             if (this.checkConditions(hook.trigger.conditions, result)) {
                 console.log(`[CrossPhaseHooks] Executing hook: ${hookName}`);
@@ -65,9 +76,12 @@ export class CrossPhaseHookExecutor {
     async onPhaseStart(phaseName, context = {}) {
         if (!this.config)
             return {};
+        // IMP-07: Runtime kill-switch check
+        if (process.env.AQE_HOOKS_DISABLED === 'true')
+            return {};
         const injectedSignals = {};
-        const matchingHooks = Object.entries(this.config.hooks).filter(([_, hook]) => hook.trigger.event === 'phase-start' &&
-            hook.trigger.phase === phaseName);
+        const matchingHooks = this.filterManagedHooks(Object.entries(this.config.hooks).filter(([_, hook]) => hook.trigger.event === 'phase-start' &&
+            hook.trigger.phase === phaseName));
         for (const [hookName, hook] of matchingHooks) {
             console.log(`[CrossPhaseHooks] Executing phase-start hook: ${hookName}`);
             for (const action of hook.actions) {
@@ -87,8 +101,11 @@ export class CrossPhaseHookExecutor {
     async onPhaseEnd(phaseName, result) {
         if (!this.config)
             return;
-        const matchingHooks = Object.entries(this.config.hooks).filter(([_, hook]) => hook.trigger.event === 'phase-end' &&
-            hook.trigger.phase === phaseName);
+        // IMP-07: Runtime kill-switch check
+        if (process.env.AQE_HOOKS_DISABLED === 'true')
+            return;
+        const matchingHooks = this.filterManagedHooks(Object.entries(this.config.hooks).filter(([_, hook]) => hook.trigger.event === 'phase-end' &&
+            hook.trigger.phase === phaseName));
         for (const [hookName, hook] of matchingHooks) {
             console.log(`[CrossPhaseHooks] Executing phase-end hook: ${hookName}`);
             await this.executeActions(hook.actions, result);
@@ -103,7 +120,19 @@ export class CrossPhaseHookExecutor {
                 await this.executeAction(action, context);
             }
             catch (err) {
-                console.error(`[CrossPhaseHooks] Action failed:`, err);
+                // IMP-07: Classify exit codes when error carries one
+                const exitCode = err?.exitCode;
+                if (typeof exitCode === 'number') {
+                    const classification = classifyHookExit(exitCode);
+                    if (classification === 'model_blocking') {
+                        console.error(`[CrossPhaseHooks] Model-blocking hook failure (exit ${exitCode}):`, err);
+                        throw err; // Propagate blocking failures
+                    }
+                    console.warn(`[CrossPhaseHooks] Hook ${classification} (exit ${exitCode}):`, err);
+                }
+                else {
+                    console.error(`[CrossPhaseHooks] Action failed:`, err);
+                }
             }
         }
     }
@@ -158,6 +187,9 @@ export class CrossPhaseHookExecutor {
     async executeNotifyAgent(action, context) {
         if (!action.target || !action.message)
             return;
+        // IMP-07: SSRF guard — block if target looks like a URL pointing to private IP
+        if (await this.isBlockedUrl(action.target))
+            return;
         console.log(`[CrossPhaseHooks] Notify ${action.target}: ${action.message}`);
         this.emit('agent-notification', {
             target: action.target,
@@ -169,6 +201,9 @@ export class CrossPhaseHookExecutor {
     async executeInvokeAgent(action, context) {
         if (!action.target)
             return;
+        // IMP-07: SSRF guard — block if target looks like a URL pointing to private IP
+        if (await this.isBlockedUrl(action.target))
+            return;
         console.log(`[CrossPhaseHooks] Invoke agent: ${action.target}`);
         this.emit('agent-invocation', {
             agent: action.target,
@@ -235,6 +270,35 @@ export class CrossPhaseHookExecutor {
     // ---------------------------------------------------------------------------
     // Helpers
     // ---------------------------------------------------------------------------
+    /**
+     * IMP-07: When AQE_HOOKS_MANAGED_ONLY is set, only hooks whose names start
+     * with "managed:" are allowed to execute.  All other hooks are filtered out.
+     */
+    filterManagedHooks(hooks) {
+        if (process.env.AQE_HOOKS_MANAGED_ONLY !== 'true')
+            return hooks;
+        const filtered = hooks.filter(([name]) => name.startsWith('managed:'));
+        if (filtered.length < hooks.length) {
+            console.log(`[CrossPhaseHooks] AQE_HOOKS_MANAGED_ONLY: filtered ${hooks.length - filtered.length} non-managed hooks`);
+        }
+        return filtered;
+    }
+    /**
+     * IMP-07: SSRF guard — if a target string looks like a URL (has a scheme),
+     * validate it against the SSRF blocklist.  Returns true when the URL is
+     * blocked and the caller should abort the action.
+     */
+    async isBlockedUrl(target) {
+        // Only validate strings that look like URLs (contain "://")
+        if (!target.includes('://'))
+            return false;
+        const result = await validateHookUrl(target);
+        if (!result.safe) {
+            console.warn(`[CrossPhaseHooks] SSRF blocked: ${result.reason}`);
+            return true;
+        }
+        return false;
+    }
     checkConditions(conditions, context) {
         if (!conditions || conditions.length === 0)
             return true;

package/dist/hooks/security/config-snapshot.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Hook Configuration Snapshot
+ *
+ * Deep-freezes hook configuration at startup so it cannot be mutated
+ * at runtime. Uses structuredClone to detach from the original, then
+ * recursively freezes every nested object and array.
+ *
+ * @module hooks/security/config-snapshot
+ * @see IMP-07 Hook Security Hardening
+ */
+/**
+ * Deep-freeze an object and all nested objects.
+ * Returns a Readonly<T> that throws on mutation attempts.
+ */
+export declare function deepFreeze<T extends object>(obj: T): Readonly<T>;
+/**
+ * Capture an immutable snapshot of hook configuration.
+ * Uses structuredClone to detach from original, then deep-freezes.
+ */
+export declare function captureHooksConfigSnapshot<T extends object>(config: T): Readonly<T>;
+//# sourceMappingURL=config-snapshot.d.ts.map

package/dist/hooks/security/config-snapshot.js

@@ -0,0 +1,33 @@
+/**
+ * Hook Configuration Snapshot
+ *
+ * Deep-freezes hook configuration at startup so it cannot be mutated
+ * at runtime. Uses structuredClone to detach from the original, then
+ * recursively freezes every nested object and array.
+ *
+ * @module hooks/security/config-snapshot
+ * @see IMP-07 Hook Security Hardening
+ */
+/**
+ * Deep-freeze an object and all nested objects.
+ * Returns a Readonly<T> that throws on mutation attempts.
+ */
+export function deepFreeze(obj) {
+    const props = Object.getOwnPropertyNames(obj);
+    for (const prop of props) {
+        const val = obj[prop];
+        if (val && typeof val === 'object' && !Object.isFrozen(val)) {
+            deepFreeze(val);
+        }
+    }
+    return Object.freeze(obj);
+}
+/**
+ * Capture an immutable snapshot of hook configuration.
+ * Uses structuredClone to detach from original, then deep-freezes.
+ */
+export function captureHooksConfigSnapshot(config) {
+    const snapshot = structuredClone(config);
+    return deepFreeze(snapshot);
+}
+//# sourceMappingURL=config-snapshot.js.map

package/dist/hooks/security/exit-codes.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Hook Exit Code Semantics
+ *
+ * Defines exit-code conventions for hook processes so the runtime
+ * can distinguish success, user-visible errors, and model-blocking
+ * failures that should halt agent execution.
+ *
+ * @module hooks/security/exit-codes
+ * @see IMP-07 Hook Security Hardening
+ */
+export declare const HOOK_EXIT_CODES: {
+    /** Hook completed successfully. */
+    readonly SUCCESS: 0;
+    /** Hook failed with user-visible error (non-blocking). */
+    readonly USER_VISIBLE: 1;
+    /** Hook failed and must block the model from proceeding. */
+    readonly MODEL_BLOCKING: 2;
+};
+export type HookExitCode = typeof HOOK_EXIT_CODES[keyof typeof HOOK_EXIT_CODES];
+/**
+ * Classify a numeric process exit code into a semantic category.
+ *
+ * - 0  -> 'success'
+ * - 2  -> 'model_blocking' (halts agent execution)
+ * - anything else -> 'user_error' (logged, non-blocking)
+ */
+export declare function classifyHookExit(code: number): 'success' | 'user_error' | 'model_blocking';
+//# sourceMappingURL=exit-codes.d.ts.map

package/dist/hooks/security/exit-codes.js

@@ -0,0 +1,33 @@
+/**
+ * Hook Exit Code Semantics
+ *
+ * Defines exit-code conventions for hook processes so the runtime
+ * can distinguish success, user-visible errors, and model-blocking
+ * failures that should halt agent execution.
+ *
+ * @module hooks/security/exit-codes
+ * @see IMP-07 Hook Security Hardening
+ */
+export const HOOK_EXIT_CODES = {
+    /** Hook completed successfully. */
+    SUCCESS: 0,
+    /** Hook failed with user-visible error (non-blocking). */
+    USER_VISIBLE: 1,
+    /** Hook failed and must block the model from proceeding. */
+    MODEL_BLOCKING: 2,
+};
+/**
+ * Classify a numeric process exit code into a semantic category.
+ *
+ * - 0  -> 'success'
+ * - 2  -> 'model_blocking' (halts agent execution)
+ * - anything else -> 'user_error' (logged, non-blocking)
+ */
+export function classifyHookExit(code) {
+    if (code === 0)
+        return 'success';
+    if (code === 2)
+        return 'model_blocking';
+    return 'user_error';
+}
+//# sourceMappingURL=exit-codes.js.map

package/dist/hooks/security/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Hook Security Module
+ *
+ * Re-exports all security primitives for the hook system:
+ * - Config snapshot (deep-freeze at startup)
+ * - SSRF guard (private IP / DNS rebinding protection)
+ * - Exit code semantics (success / user_error / model_blocking)
+ *
+ * @module hooks/security
+ * @see IMP-07 Hook Security Hardening
+ */
+export { captureHooksConfigSnapshot, deepFreeze } from './config-snapshot.js';
+export { validateHookUrl, isPrivateIp, type SsrfValidationResult } from './ssrf-guard.js';
+export { HOOK_EXIT_CODES, classifyHookExit, type HookExitCode } from './exit-codes.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/hooks/security/index.js

@@ -0,0 +1,15 @@
+/**
+ * Hook Security Module
+ *
+ * Re-exports all security primitives for the hook system:
+ * - Config snapshot (deep-freeze at startup)
+ * - SSRF guard (private IP / DNS rebinding protection)
+ * - Exit code semantics (success / user_error / model_blocking)
+ *
+ * @module hooks/security
+ * @see IMP-07 Hook Security Hardening
+ */
+export { captureHooksConfigSnapshot, deepFreeze } from './config-snapshot.js';
+export { validateHookUrl, isPrivateIp } from './ssrf-guard.js';
+export { HOOK_EXIT_CODES, classifyHookExit } from './exit-codes.js';
+//# sourceMappingURL=index.js.map

package/dist/hooks/security/ssrf-guard.d.ts

@@ -0,0 +1,25 @@
+/**
+ * SSRF Guard for Hook URLs
+ *
+ * Blocks hooks from hitting private/internal IP ranges.
+ * Validates both direct IP addresses and DNS-resolved addresses
+ * to prevent DNS rebinding attacks.
+ *
+ * @module hooks/security/ssrf-guard
+ * @see IMP-07 Hook Security Hardening
+ */
+export interface SsrfValidationResult {
+    safe: boolean;
+    reason?: string;
+}
+/**
+ * Check if an IP address is in a private/reserved range.
+ */
+export declare function isPrivateIp(ip: string): boolean;
+/**
+ * Validate a hook URL for SSRF safety.
+ * Blocks private IPs both as direct addresses and via DNS resolution.
+ * Disabled via AQE_HOOKS_SSRF_DISABLED=true (dev mode only).
+ */
+export declare function validateHookUrl(url: string): Promise<SsrfValidationResult>;
+//# sourceMappingURL=ssrf-guard.d.ts.map

package/dist/hooks/security/ssrf-guard.js

@@ -0,0 +1,69 @@
+/**
+ * SSRF Guard for Hook URLs
+ *
+ * Blocks hooks from hitting private/internal IP ranges.
+ * Validates both direct IP addresses and DNS-resolved addresses
+ * to prevent DNS rebinding attacks.
+ *
+ * @module hooks/security/ssrf-guard
+ * @see IMP-07 Hook Security Hardening
+ */
+import { isIP } from 'net';
+import { lookup } from 'dns/promises';
+const PRIVATE_RANGES = [
+    /^10\./,
+    /^172\.(1[6-9]|2\d|3[01])\./,
+    /^192\.168\./,
+    /^127\./,
+    /^0\./,
+    /^169\.254\./,
+    /^::1$/,
+    /^fc00:/,
+    /^fe80:/,
+    /^fd[0-9a-f]{2}:/i,
+];
+/**
+ * Check if an IP address is in a private/reserved range.
+ */
+export function isPrivateIp(ip) {
+    return PRIVATE_RANGES.some(r => r.test(ip));
+}
+/**
+ * Validate a hook URL for SSRF safety.
+ * Blocks private IPs both as direct addresses and via DNS resolution.
+ * Disabled via AQE_HOOKS_SSRF_DISABLED=true (dev mode only).
+ */
+export async function validateHookUrl(url) {
+    if (process.env.AQE_HOOKS_SSRF_DISABLED === 'true') {
+        return { safe: true };
+    }
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return { safe: false, reason: `Invalid URL: ${url}` };
+    }
+    // Strip IPv6 brackets — URL.hostname wraps IPv6 as "[::1]" but
+    // isIP() and our regex patterns expect the bare address "::1".
+    const hostname = parsed.hostname.replace(/^\[|\]$/g, '');
+    // Direct IP check
+    if (isIP(hostname)) {
+        if (isPrivateIp(hostname)) {
+            return { safe: false, reason: `Private IP blocked: ${hostname}` };
+        }
+        return { safe: true };
+    }
+    // DNS resolution check (prevents DNS rebinding)
+    try {
+        const resolved = await lookup(hostname);
+        if (isPrivateIp(resolved.address)) {
+            return { safe: false, reason: `DNS resolves to private IP: ${resolved.address}` };
+        }
+    }
+    catch (err) {
+        return { safe: false, reason: `DNS lookup failed for ${hostname}: ${err.message}` };
+    }
+    return { safe: true };
+}
+//# sourceMappingURL=ssrf-guard.js.map

package/dist/kernel/kernel.js

@@ -15,6 +15,8 @@ import { findProjectRoot } from './unified-memory.js';
 import { initializeUnifiedPersistence } from './unified-persistence.js';
 import * as path from 'path';
 import * as fs from 'fs';
+import { PluginLifecycleManager } from '../plugins/lifecycle';
+import { PluginCache } from '../plugins/cache';
 // Import domain plugin factories
 import { createTestGenerationPlugin } from '../domains/test-generation/plugin';
 import { createTestExecutionPlugin } from '../domains/test-execution/plugin';
@@ -149,6 +151,39 @@ export class QEKernelImpl {
             agentId: 'qe-kernel',
         });
         this._eventBus.registerMiddleware(antiDriftMiddleware);
+        // IMP-09: Discover and register external plugins from cache
+        try {
+            const pluginCacheDir = path.join(dataDir, 'plugins');
+            const pluginCache = new PluginCache({ cacheDir: pluginCacheDir });
+            const pluginLifecycle = new PluginLifecycleManager({ cache: pluginCache });
+            const resolution = pluginLifecycle.resolveLoadOrder();
+            for (const resolved of resolution.ordered) {
+                const manifest = resolved.manifest;
+                const cachedPlugin = pluginCache.get(manifest.name, manifest.version);
+                if (!cachedPlugin)
+                    continue;
+                const entryPointPath = path.join(cachedPlugin.path, manifest.entryPoint);
+                // Register a factory for each domain the plugin provides
+                for (const domain of manifest.domains) {
+                    const domainName = domain;
+                    if (DOMAIN_FACTORIES[domainName])
+                        continue; // don't override built-in domains
+                    const loader = this._plugins;
+                    loader.registerFactory(domainName, async (eventBus, memory) => {
+                        // Dynamically import the plugin entry point at load time
+                        const pluginModule = await import(entryPointPath);
+                        const createPlugin = pluginModule.default ?? pluginModule.createPlugin;
+                        if (typeof createPlugin !== 'function') {
+                            throw new Error(`Plugin "${manifest.name}" entry point must export a default function or "createPlugin" function`);
+                        }
+                        return createPlugin(eventBus, memory, this._coordinator);
+                    });
+                }
+            }
+        }
+        catch {
+            // External plugin loading is best-effort — don't block kernel startup
+        }
         // Load plugins based on configuration
         if (!this._config.lazyLoading) {
             await this._plugins.loadAll();

package/dist/kernel/memory-backend.js

@@ -56,7 +56,9 @@ export class InMemoryBackend {
         return value !== undefined;
     }
     async search(pattern, limit = MEMORY_CONSTANTS.DEFAULT_SEARCH_LIMIT) {
-        const regex = new RegExp(pattern.replace(/\*/g, '.*'));
+        // Escape regex-special chars first, then convert glob wildcards to regex
+        const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+        const regex = new RegExp(escaped.replace(/\*/g, '.*'));
         const results = [];
         for (const key of this.store.keys()) {
             if (regex.test(key)) {