cerebrex 0.9.0 → 0.9.1

package/LICENSE

@@ -0,0 +1,130 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other transformations
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by You, including the original version of the Work and any
+      modifications or additions to that Work or Derivative Works of the Work.
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by the combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any
+      Contribution embodied within the Work constitutes direct or contributory
+      patent infringement, then any patent licenses granted to You under
+      this License for that Work shall terminate as of the date such
+      litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file, You must include a
+          readable copy of the attribution notices contained within such
+          NOTICE file, in the Derivative Works that You distribute.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      including "CerebreX", "A Real Cool Co.", and associated logos,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort, contract, or otherwise, shall any Contributor be
+      liable for damages, including any direct, indirect, special,
+      incidental, or exemplary damages arising out of this License or
+      out of the use or inability to use the Work.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may offer and charge a fee
+      for acceptance of support, warranty, indemnity, or other liability
+      obligations and rights consistent with this License.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 A Real Cool Co. — Josef Douglas Charles McClammey
+   Licensed under the Apache License, Version 2.0.
+   You may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+       http://www.apache.org/licenses/LICENSE-2.0

package/README.md

@@ -0,0 +1,470 @@
+<div align="center">
+
+# CerebreX
+
+### The Open-Source Agent Infrastructure OS
+
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](./LICENSE)
+[![CI](https://github.com/arealcoolco/CerebreX/actions/workflows/ci.yml/badge.svg)](https://github.com/arealcoolco/CerebreX/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/cerebrex.svg)](https://www.npmjs.com/package/cerebrex)
+[![GitHub Stars](https://img.shields.io/github/stars/arealcoolco/CerebreX?style=social)](https://github.com/arealcoolco/CerebreX)
+[![Issues](https://img.shields.io/github/issues/arealcoolco/CerebreX)](https://github.com/arealcoolco/CerebreX/issues)
+
+**Build. Test. Remember. Coordinate. Publish.**
+The complete infrastructure layer for AI agents — in one CLI.
+
+[🚀 Quickstart](#-quickstart) · [🗂 Structure](#-monorepo-structure) · [🛣 Roadmap](#-roadmap) · [🐛 Issues](https://github.com/arealcoolco/CerebreX/issues)
+
+</div>
+
+---
+
+> **Status: v0.9.1 — Security hardening patch: risk gate integrated, JWT auth on token endpoint, KAIROS backoff + validation**
+> `npm install -g cerebrex` — or download a self-contained binary from [GitHub Releases](https://github.com/arealcoolco/CerebreX/releases) (no Node.js required)
+>
+> **Live:** Registry UI → `https://registry.therealcool.site`
+> **Live:** Trace Explorer → `https://registry.therealcool.site/ui/trace`
+> **Live:** Website + Whitepaper → `https://therealcool.site`
+
+---
+
+## What is CerebreX?
+
+CerebreX is an open-source **Agent Infrastructure OS** — the complete toolchain developers need to build reliable, observable, and secure AI agents.
+
+Eight modules. One CLI. One registry. One coordination layer.
+
+| Module | Command | Status | What It Does |
+|--------|---------|--------|-------------|
+| 🔨 **FORGE** | `cerebrex build` | ✅ Working | Generate production MCP servers from any OpenAPI spec |
+| 🔍 **TRACE** | `cerebrex trace` | ✅ Working | Record agent execution + visual web dashboard |
+| 🧠 **MEMEX** | `cerebrex memex` | ✅ Working | Local + three-layer cloud memory (KV + R2 + D1) with SHA-256 integrity |
+| 🔑 **AUTH** | `cerebrex auth` | ✅ Working | Secure token storage + risk classification gate on every agent action |
+| 📦 **REGISTRY** | `cerebrex publish` | ✅ Working | Publish and install MCP servers (live registry + web UI) |
+| 🐝 **HIVE** | `cerebrex hive` | ✅ Working | Multi-agent coordination — JWT auth, swarm strategies, risk-gated workers |
+| ⏰ **KAIROS** | *(cloud worker)* | ✅ Working | Autonomous agent daemon — Durable Objects, 5-min tick loop, append-only log |
+| 📋 **ULTRAPLAN** | *(cloud API)* | ✅ Working | Opus deep-thinking plan → human approval → parallel task execution |
+
+---
+
+## ⚡ Quickstart
+
+```bash
+npm install -g cerebrex
+cerebrex --help
+```
+
+Or build from source (requires [Bun](https://bun.sh)):
+
+```bash
+git clone https://github.com/arealcoolco/CerebreX.git
+cd CerebreX/cerebrex
+bun install
+cd packages/types && bun run build && cd ../..
+cd packages/core && bun run build && cd ../..
+cd packages/registry-client && bun run build && cd ../..
+cd apps/cli && bun run build
+node dist/index.js --help
+```
+
+---
+
+## 🔨 FORGE — MCP Server Generation
+
+Generate a production-ready MCP server from any OpenAPI spec:
+
+```bash
+# From a URL
+cerebrex build --spec https://petstore3.swagger.io/api/v3/openapi.json --output ./my-server
+
+# From a local file
+cerebrex build --spec ./openapi.yaml --output ./my-server
+```
+
+Output is a Cloudflare Workers project with:
+- Zod input validation on every tool
+- MCP-compliant stdio/SSE/Streamable HTTP transports
+- Ready for `wrangler deploy`
+
+---
+
+## 🔍 TRACE — Agent Execution Recording
+
+```bash
+# Start recording (runs in foreground, default port 7432)
+cerebrex trace start --session my-agent --port 7432
+
+# From your agent, push steps:
+# POST http://localhost:7432/step
+# Body: { "type": "tool_call", "toolName": "listPets", "inputs": {}, "latencyMs": 42 }
+
+# Stop and save
+cerebrex trace stop --session my-agent
+
+# View in terminal
+cerebrex trace view --session my-agent
+
+# View in visual web dashboard (opens browser)
+cerebrex trace view --session my-agent --web
+
+# Or use the hosted Trace Explorer (no CLI required)
+# https://registry.therealcool.site/ui/trace
+
+# List all saved sessions
+cerebrex trace list
+```
+
+Traces are saved to `~/.cerebrex/traces/`.
+
+---
+
+## 🧠 MEMEX — Persistent Agent Memory
+
+```bash
+# Store a value
+cerebrex memex set "user-pref" "dark mode" --namespace ui
+
+# Retrieve it
+cerebrex memex get "user-pref" --namespace ui
+
+# List all memory
+cerebrex memex list
+
+# With TTL (auto-expires after 3600 seconds)
+cerebrex memex set "session-ctx" "..." --ttl 3600
+
+# Delete a key
+cerebrex memex delete "user-pref" --namespace ui
+
+# List all namespaces
+cerebrex memex namespaces
+```
+
+All writes are SHA-256 checksummed. Reads verify integrity before returning.
+Storage: `~/.cerebrex/memex/<namespace>.json` — local, no cloud required.
+
+---
+
+## 🔑 AUTH — Secure Credentials
+
+```bash
+cerebrex auth login     # store token at ~/.cerebrex/.credentials (mode 0600)
+cerebrex auth status    # check current auth state
+cerebrex auth logout    # remove stored token
+```
+
+`CEREBREX_TOKEN` env var always takes precedence over stored credentials.
+
+---
+
+## 📦 REGISTRY — Publish & Install MCP Servers
+
+Registry API: `https://registry.therealcool.site`
+Registry UI: `https://registry.therealcool.site` (browser)
+
+```bash
+cerebrex auth login                              # authenticate first
+cerebrex validate ./my-server                   # validate before publishing
+cerebrex validate ./my-server --strict          # + OWASP checks
+cerebrex publish --dir ./my-server              # publish to registry
+cerebrex install my-mcp-server                  # install from registry
+```
+
+---
+
+## 🐝 HIVE — Multi-Agent Coordination
+
+```bash
+# 1 — Initialize and start the coordinator
+cerebrex hive init --name my-hive
+cerebrex hive start                     # runs on port 7433
+
+# 2 — Register agents and get JWTs
+cerebrex hive register --id researcher --name "Researcher" --capabilities search,fetch
+cerebrex hive register --id writer     --name "Writer"     --capabilities write,summarize
+
+# 3 — Start workers (each in its own terminal — they poll and execute automatically)
+cerebrex hive worker --id researcher --token <JWT>
+cerebrex hive worker --id writer     --token <JWT> --handler ./writer-handler.mjs
+
+# Risk-gated workers — HIGH-risk tasks are blocked by default
+cerebrex hive worker --id researcher --token <JWT>                  # blocks fetch, deploy, send
+cerebrex hive worker --id researcher --token <JWT> --allow-high-risk # permits all task types
+cerebrex hive worker --id researcher --token <JWT> --block-medium-risk # LOW only
+
+# 4 — Send tasks — workers pick them up and execute
+cerebrex hive send --agent researcher --type fetch    --payload '{"url":"https://api.example.com/data"}' --token <JWT>
+cerebrex hive send --agent writer     --type memex-get --payload '{"key":"research-results"}' --token <JWT>
+
+# 5 — Watch it live
+cerebrex hive status
+```
+
+**Built-in task types** (no `--handler` file required):
+
+| Type | Payload | Risk | What it does |
+|------|---------|------|-------------|
+| `noop` | anything | LOW | Completes immediately |
+| `echo` | anything | LOW | Returns payload as result |
+| `memex-get` | `{ key, namespace? }` | LOW | Reads from local MEMEX |
+| `memex-set` | `{ key, value, namespace?, ttl? }` | MEDIUM | Writes to local MEMEX |
+| `fetch` | `{ url, method?, headers?, body? }` | MEDIUM | Makes an HTTP request |
+
+**Custom handlers** — drop in a JS module when you need more:
+
+```js
+// researcher-handler.mjs
+export async function execute(task) {
+  if (task.type === 'search') {
+    const res = await fetch(`https://api.example.com/search?q=${task.payload.query}`);
+    return { results: await res.json() };
+  }
+  throw new Error(`Unknown task type: ${task.type}`);
+}
+```
+
+```bash
+cerebrex hive worker --id researcher --token <JWT> --handler ./researcher-handler.mjs
+```
+
+**Swarm strategies** — launch multi-agent presets in one command:
+
+```bash
+# List all strategies and presets
+cerebrex hive strategies
+
+# Run a named preset
+cerebrex hive swarm research-and-recommend "What is the best vector database in 2026?"
+cerebrex hive swarm code-review-pipeline   "Review the auth module for security issues"
+cerebrex hive swarm best-solution          "How should we implement rate limiting?"
+cerebrex hive swarm product-spec           "Design a real-time collaboration feature"
+cerebrex hive swarm content-pipeline       "Write a technical blog post about MCP"
+cerebrex hive swarm contract-audit         "Audit this API contract for breaking changes"
+```
+
+| Strategy | How it works | Best for |
+|----------|-------------|---------|
+| `parallel` | All agents receive the same task via `Promise.all` | Independent subtasks |
+| `pipeline` | Sequential refinement chain — each agent builds on the last | Research → Draft → Edit |
+| `competitive` | Agents race; Opus picks the winner | Finding the optimal answer |
+
+**With TRACE observability** — every task shows up in the visual dashboard:
+
+```bash
+cerebrex trace start --session my-run
+cerebrex hive worker --id researcher --token <JWT> --trace-port 7432 --trace-session my-run
+cerebrex trace view --session my-run --web
+```
+
+HIVE runs a local HTTP coordinator with JWT-signed agent authentication.
+State is persisted to `~/.cerebrex/hive/state.json`.
+
+---
+
+## ⏰ KAIROS — Autonomous Agent Daemon
+
+KAIROS is a cloud-native daemon built on Cloudflare Durable Objects. Each agent gets its own persistent process that wakes on a 5-minute tick, consults Claude to decide whether to act, and logs every decision to an append-only audit trail.
+
+```bash
+# Start a daemon for an agent (via the KAIROS REST API)
+POST /v1/agents/my-agent/daemon/start
+
+# Stop it
+POST /v1/agents/my-agent/daemon/stop
+
+# View the immutable tick history
+GET /v1/agents/my-agent/daemon/log
+
+# Queue a task for the daemon to pick up
+POST /v1/agents/my-agent/tasks
+{ "type": "fetch", "payload": { "url": "https://api.example.com/data" } }
+```
+
+**How it works:**
+
+1. The `KairosDaemon` Durable Object wakes every 5 minutes (configurable via `TICK_INTERVAL_MS`)
+2. It calls Claude with context: agent ID, tick number, pending task count
+3. Claude decides whether to act (queue a proactive task) or stay quiet
+4. The decision, reasoning, and result are written to an append-only D1 log — agents cannot delete their own history
+5. If the Claude API is slow or errors repeatedly, the daemon backs off exponentially (1 min → 30 min cap) before resetting on the next success
+
+---
+
+## 📋 ULTRAPLAN — Deep-Thinking Planning
+
+Submit a high-level goal; Claude Opus produces a comprehensive execution plan; you review and approve it; all tasks queue simultaneously.
+
+```bash
+# Submit a goal
+POST /v1/ultraplan
+{ "goal": "Build a competitive analysis of the top 5 vector databases for our use case" }
+# → { planId: "abc123", status: "planning", message: "Opus is thinking..." }
+
+# Poll until ready (usually 30-60 seconds)
+GET /v1/ultraplan/abc123
+# → { status: "pending", plan: { summary, rationale, tasks, risks, success_criteria } }
+
+# Approve — all tasks queue simultaneously
+POST /v1/ultraplan/abc123/approve
+
+# Or reject
+POST /v1/ultraplan/abc123/reject
+```
+
+The plan JSON contains:
+- `summary` — one-line description
+- `rationale` — why this approach
+- `tasks[]` — array of `{ type, description, payload, priority }` ready to queue
+- `risks[]` — things that could go wrong
+- `success_criteria[]` — how to know the goal was achieved
+
+Goals are capped at 50,000 bytes to prevent runaway Opus calls.
+
+---
+
+## 🌐 Web UI
+
+The CerebreX registry includes a browser-based UI served directly from the Worker — no install required.
+
+| URL | What It Does |
+|-----|-------------|
+| `/` | Registry browser — search packages, view details, copy install commands |
+| `/ui/trace` | Hosted Trace Explorer — drag-and-drop JSON trace files, full visual timeline |
+
+---
+
+## 🗂 Monorepo Structure
+
+```
+CerebreX/
+├── apps/
+│   ├── cli/              # cerebrex CLI — the main published package
+│   │   ├── src/
+│   │   │   ├── commands/ # build, trace, memex, auth, hive, other-commands
+│   │   │   └── core/     # forge/, trace/, memex/ engines + dashboard
+│   │   └── dist/         # built output (git-ignored, built by CI)
+│   └── dashboard/        # Standalone trace explorer HTML
+│       └── src/index.html
+├── workers/
+│   ├── registry/         # Cloudflare Worker — live registry backend + Web UI
+│   │   ├── src/index.ts  # REST API (D1 + KV) + embedded HTML pages
+│   │   ├── schema.sql    # D1 database schema
+│   │   └── wrangler.toml
+│   ├── memex/            # Cloudflare Worker — MEMEX v2 three-layer cloud memory
+│   │   ├── src/index.ts  # KV index + R2 topics + D1 transcripts + autoDream cron
+│   │   ├── migrations/   # D1 schema for agents + transcripts tables
+│   │   └── wrangler.toml
+│   └── kairos/           # Cloudflare Worker — KAIROS daemon + ULTRAPLAN
+│       ├── src/index.ts  # KairosDaemon Durable Object + task queue + ULTRAPLAN
+│       ├── migrations/   # D1 schema for daemon_log, tasks, ultraplans
+│       └── wrangler.toml
+├── packages/
+│   ├── core/             # @cerebrex/core — shared utilities
+│   ├── types/            # @cerebrex/types — shared TypeScript types
+│   ├── registry-client/  # @cerebrex/registry — registry API client
+│   └── system-prompt/    # @cerebrex/system-prompt — master system prompt + MEMEX loader
+├── .github/
+│   └── workflows/
+│       ├── ci.yml              # build + typecheck on push/PR
+│       ├── publish.yml         # npm publish on GitHub release
+│       ├── deploy-registry.yml # auto-deploy registry Worker
+│       ├── deploy-memex.yml    # auto-deploy MEMEX Worker
+│       ├── deploy-kairos.yml   # auto-deploy KAIROS Worker
+│       └── build-binaries.yml  # build standalone binaries on release
+└── turbo.json
+```
+
+---
+
+## 🔒 Security
+
+Built security-first, aligned with the [OWASP Top 10 for Agentic Applications (2025)](https://genai.owasp.org).
+
+| Control | Where | What it does |
+|---------|-------|-------------|
+| **SHA-256 Memory Integrity** | Local MEMEX | All writes checksummed; reads verify before returning |
+| **Timing-Safe Auth** | MEMEX + KAIROS workers | Constant-time XOR comparison prevents timing oracle attacks on API keys |
+| **Risk Classification Gate** | HIVE worker | Every task classified LOW/MEDIUM/HIGH before execution; HIGH blocked by default |
+| **Authenticated Token Issuance** | HIVE coordinator | `POST /token` requires `registration_secret` matching hive config — no unauthenticated token requests |
+| **JWT Hardening** | HIVE coordinator | `sub` claim required + non-empty; exp/nbf/iat all validated |
+| **Input Validation** | Zod (FORGE) + regex (KAIROS/MEMEX) | agentId and topic names restricted to `[a-zA-Z0-9_-]` 1–128 chars — prevents path traversal |
+| **Size Limits** | MEMEX + KAIROS | Transcripts ≤1MB, topics ≤512KB, index ≤25KB, ULTRAPLAN goals ≤50KB |
+| **Zero Hardcoded Secrets** | FORGE validator | Scans generated code and blocks deploy if secrets are hardcoded |
+| **Secure Credentials** | Auth CLI | Tokens stored at `~/.cerebrex/.credentials` (mode 0600); `icacls` hardening on Windows |
+| **Daemon Backoff** | KAIROS | Exponential backoff on consecutive API errors (1 min → 30 min) prevents runaway loops |
+| **Append-Only Audit Log** | KAIROS | Every daemon tick written to D1; agents cannot delete their own history |
+| **Rate Limiting** | MEMEX Worker | `/consolidate` rate-limited to 1 per hour per agent via KV TTL |
+
+Found a vulnerability? Please read our [Security Policy](./SECURITY.md) and report it privately.
+
+---
+
+## 🤝 Contributing
+
+Contributions are welcome. CerebreX is a solo-built open-source project — PRs, issues, and feedback all help.
+
+```bash
+git clone https://github.com/arealcoolco/CerebreX.git
+cd CerebreX/cerebrex
+bun install
+cd packages/types && bun run build && cd ../..
+cd packages/core && bun run build && cd ../..
+cd packages/registry-client && bun run build && cd ../..
+cd apps/cli && bun run build
+# Open a PR against main
+```
+
+---
+
+## 🛣 Roadmap
+
+- [x] FORGE — MCP server generation from OpenAPI *(v0.1)*
+- [x] TRACE — Real HTTP event server, step recording + replay *(v0.2)*
+- [x] MEMEX — Persistent agent memory, SHA-256 integrity, TTL *(v0.2)*
+- [x] AUTH — Secure token storage, `cerebrex auth login/logout/status` *(v0.2)*
+- [x] VALIDATE — Real MCP + OWASP compliance checks *(v0.2)*
+- [x] CI/CD — GitHub Actions build + npm publish pipeline *(v0.2)*
+- [x] npm package live — `npm install -g cerebrex` *(v0.2.1)*
+- [x] Web dashboard — Visual trace explorer (`cerebrex trace view --web`) *(v0.3)*
+- [x] Registry backend — Cloudflare Worker + D1 + KV *(v0.3)*
+- [x] HIVE — Multi-agent JWT coordination (init/start/register/status/send) *(v0.3)*
+- [x] Web UI — Registry browser + hosted trace explorer (Worker-embedded) *(v0.4)*
+- [x] Website live — `therealcool.site` — whitepaper, manifesto, proof of work *(v0.7)*
+- [x] HIVE cloud API — create/manage hives from anywhere via registry backend *(v0.7)*
+- [x] 8 official MCP packages — memex, hive, fetch, datetime, kvstore, github, nasa, openweathermap *(v0.7)*
+- [x] Token self-service — `POST /v1/auth/tokens` — users can create scoped tokens *(v0.7)*
+- [x] Rate limiting — per-IP + per-token write limits on MEMEX + HIVE *(v0.7)*
+- [x] HIVE worker — `cerebrex hive worker` — agents that poll, execute, and report back *(v0.7.2)*
+- [x] Built-in task handlers — fetch, memex-set, memex-get, echo, noop *(v0.7.2)*
+- [x] Custom handler modules — `--handler ./my-handler.mjs` for domain-specific logic *(v0.7.2)*
+- [x] TRACE + HIVE integration — `--trace-port` + `--trace-session` on workers *(v0.7.2)*
+- [x] Standalone binaries — `cerebrex-linux-x64`, `cerebrex-linux-arm64`, `cerebrex-windows-x64.exe` attached to every release *(v0.8)*
+- [x] Windows `tar` fix + credential `icacls` hardening *(v0.8)*
+- [x] Update checker — cached background check, 24h TTL *(v0.8)*
+- [x] PWA — `registry.therealcool.site` installable on Android, Chrome OS, iOS Safari *(v0.8)*
+- [x] MEMEX v2 — three-layer cloud memory (KV + R2 + D1) + autoDream nightly consolidation *(v0.9)*
+- [x] KAIROS — autonomous agent daemon (Durable Objects, 5-min tick loop, append-only log) *(v0.9)*
+- [x] ULTRAPLAN — Opus deep-thinking plan → human approval → parallel task execution *(v0.9)*
+- [x] AUTH risk gate — LOW/MEDIUM/HIGH classification on every agent action *(v0.9)*
+- [x] HIVE swarm strategies — parallel, pipeline, competitive + 6 built-in presets *(v0.9)*
+- [x] `@cerebrex/system-prompt` — master system prompt package + live MEMEX context loader *(v0.9)*
+- [x] Security hardening — risk gate wired into HIVE worker, JWT /token endpoint authenticated, KAIROS exponential backoff + JSON validation, agentId injection prevention *(v0.9.1)*
+- [ ] Agent test runner — `cerebrex test` with replay + assertions *(v1.0)*
+- [ ] Custom domain *(next)*
+- [ ] Enterprise tier + on-prem *(v1.0)*
+
+---
+
+## 📄 License
+
+CerebreX is open source under the [Apache 2.0 License](./LICENSE).
+
+---
+
+<div align="center">
+
+Built by [A Real Cool Co.](https://therealcool.site) · Gulf Coast, Mississippi
+
+*"The developer who builds the standard wins the ecosystem."*
+
+</div>