claude-flow 3.10.0 → 3.10.3

package/.claude-plugin/hooks/hooks.json

@@ -1,5 +1,7 @@
 {
   "_note": "#1921 — hook commands invoke scripts/ruflo-hook.sh (resilient shim): prefers a locally-installed `ruflo`/`claude-flow` binary, falls back to `npx --prefer-offline`, and always exits 0 so a CLI/install failure (e.g. arborist `Invalid Version` on npm 10.8.x) never surfaces an error in Claude Code or blocks a turn. The trailing `|| true` guards the case where $CLAUDE_PLUGIN_ROOT is unset (older Claude Code) — the hook then no-ops silently. DO NOT revert to a bare `npx <pkg>@alpha hooks …` per fire.",
+  "_platform": "posix",
+  "_platform_note": "#2132 — This hooks.json uses /bin/bash, POSIX pipelines (jq, xargs, tr), and .sh scripts. It is intentionally POSIX-only (Mac/Linux). On Windows, ruflo init writes a .claude/settings.json that overrides these entries with node-based equivalents via plugins/ruflo-core/scripts/ruflo-hook.cjs. The audit exempts files with _platform:posix from the cross-platform check.",
   "hooks": {
     "PreToolUse": [
       {

package/.claude-plugin/scripts/ruflo-hook.cjs

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+/**
+ * ruflo-hook.cjs — cross-platform Node.js port of ruflo-hook.sh (#2132)
+ *
+ * The bash shim (ruflo-hook.sh) works on Mac/Linux but fails on native
+ * Windows (exit 126 — "cannot execute binary file"). This .cjs shim
+ * provides identical behaviour via Node.js child_process so Windows users
+ * get working hooks without WSL or Git Bash.
+ *
+ * Mac/Linux continue to use ruflo-hook.sh via the plugin hooks.json files
+ * (unchanged). On Windows, ruflo init writes a .claude/settings.json that
+ * overrides those entries with node-based equivalents pointing here.
+ *
+ * Behaviour mirrors ruflo-hook.sh:
+ *   1. Reads hook JSON payload from stdin.
+ *   2. Prefers a locally installed `ruflo` or `claude-flow` binary.
+ *   3. Falls back to `npx --prefer-offline ruflo@latest`.
+ *   4. Always exits 0 — hook subcommands are best-effort telemetry.
+ *   5. Swallows all stderr — nothing should surface to Claude Code.
+ *
+ * Usage: node ruflo-hook.cjs <hook-subcommand> [args...]
+ *   e.g. node ruflo-hook.cjs post-edit --file "x.ts" --train-patterns
+ */
+
+'use strict';
+
+const { spawnSync, execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+/** Exit 0 unconditionally — hooks must never block a turn */
+function done() {
+  process.exit(0);
+}
+
+/** Resolve stdin to a JSON object, or null if not parseable */
+function readStdinJson() {
+  try {
+    let buf = '';
+    // Read synchronously — hooks fire synchronously in Claude Code
+    const fd = fs.openSync('/dev/stdin', 'r');
+    const chunk = Buffer.alloc(64 * 1024);
+    let bytesRead;
+    while ((bytesRead = fs.readSync(fd, chunk, 0, chunk.length, null)) > 0) {
+      buf += chunk.slice(0, bytesRead).toString('utf8');
+    }
+    fs.closeSync(fd);
+    return buf.trim() ? JSON.parse(buf) : null;
+  } catch {
+    return null;
+  }
+}
+
+/** Read stdin via process.stdin in sync mode (Windows-safe alternative) */
+function readStdinSync() {
+  try {
+    // On Windows /dev/stdin doesn't exist; use fd 0 directly
+    const chunk = Buffer.alloc(64 * 1024);
+    let buf = '';
+    let bytesRead;
+    while (true) {
+      try {
+        bytesRead = fs.readSync(0 /* STDIN_FILENO */, chunk, 0, chunk.length, null);
+        if (bytesRead === 0) break;
+        buf += chunk.slice(0, bytesRead).toString('utf8');
+      } catch {
+        break;
+      }
+    }
+    return buf.trim() ? JSON.parse(buf) : null;
+  } catch {
+    return null;
+  }
+}
+
+/** Check if a binary is available on PATH */
+function commandExists(cmd) {
+  try {
+    const result = execSync(
+      process.platform === 'win32' ? `where ${cmd}` : `command -v ${cmd}`,
+      { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }
+    );
+    return result.trim().length > 0;
+  } catch {
+    return false;
+  }
+}
+
+/** Build the argv for the ruflo/claude-flow/npx invocation */
+function buildArgs(subcommand, extraArgs) {
+  // The `hooks` word is prepended here, matching ruflo-hook.sh convention.
+  return ['hooks', subcommand, ...extraArgs];
+}
+
+/**
+ * Spawn the CLI with the hook subcommand.
+ * Passes the raw stdin payload as the child's stdin so the CLI can read
+ * the hook event JSON if needed (same as the bash pipe).
+ *
+ * Returns true on success (exit 0), false otherwise.
+ */
+function invokeHook(bin, binArgs, hookArgs, stdinData) {
+  const args = [...binArgs, ...hookArgs];
+
+  // On Windows, shell: true is needed to resolve .cmd shims in node_modules
+  const useShell = process.platform === 'win32';
+
+  const result = spawnSync(bin, args, {
+    shell: useShell,
+    input: stdinData || '',
+    encoding: 'utf8',
+    stdio: ['pipe', 'ignore', 'ignore'],  // swallow all output
+    timeout: 30_000,
+  });
+
+  return result.status === 0;
+}
+
+function main() {
+  const args = process.argv.slice(2);
+  if (args.length === 0) {
+    // No subcommand — no-op, same as bash version
+    done();
+  }
+
+  const [subcommand, ...rest] = args;
+
+  // Read stdin (the hook event payload) — best effort
+  let stdinData = '';
+  try {
+    stdinData = fs.readFileSync(0 /* fd 0 = stdin */, 'utf8');
+  } catch {
+    // stdin may not be available when invoked directly for testing
+    stdinData = '';
+  }
+
+  const hookArgs = buildArgs(subcommand, rest);
+
+  // Priority 1: locally installed ruflo binary
+  if (commandExists('ruflo')) {
+    invokeHook('ruflo', [], hookArgs, stdinData);
+    done();
+  }
+
+  // Priority 2: locally installed claude-flow binary
+  if (commandExists('claude-flow')) {
+    invokeHook('claude-flow', [], hookArgs, stdinData);
+    done();
+  }
+
+  // Priority 3: npx --prefer-offline fallback (avoids cold registry resolve).
+  //
+  // SKIP this when RUFLO_HOOK_SKIP_NPX=1 — used by CI smokes that test
+  // the shim's *control flow* without exercising npm install network paths.
+  // Without the skip, npx can take 30+s on a cold runner (no warm cache,
+  // no offline tarball), exceeding the smoke's 15s timeout and producing
+  // a spurious failure even though the shim itself works correctly.
+  // The bash version doesn't hit this because it backgrounded the work.
+  if (process.env.RUFLO_HOOK_SKIP_NPX !== '1') {
+    invokeHook('npx', ['--prefer-offline', '--yes', 'ruflo@latest'], hookArgs, stdinData);
+  }
+
+  done();
+}
+
+main();

package/README.md

@@ -382,6 +382,7 @@ Four docs for four audiences:
 | **[User Guide](docs/USERGUIDE.md)** | Daily reference — every command, every config flag, every plugin. The *how-do-I* doc. |
 | **[Benchmarks](https://gist.github.com/ruvnet/298f8c668c8859b369f91734a0e9cbbe)** | v3.8.0 SOTA matrix vs LangGraph / AutoGen / CrewAI on darwin-arm64 + linux-x64. ruflo wins cold start, single turn, RSS by 1.3×–1953×. The *is-it-fast* doc. |
 | **[Verification](verification.md)** | Cryptographically prove your installed bytes match the signed witness — `ruflo verify`. The *trust-but-verify* doc. |
+| **[Team Gateway Checklist](docs/TEAM-GATEWAY-CHECKLIST.md)** | Before-merge gates, dual-mode handoff, memory namespace sharing, and witness manifest entry per merge. The *safer-team-workflows* doc. |
 
 Benchmark internals (for reproduction): [`sota-workload-spec.md`](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/sota-workload-spec.md) · [`SOTA-PROGRESS.md`](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/SOTA-PROGRESS.md) · [raw matrix JSON: darwin](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/sota-matrix.json) · [linux](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/sota-matrix-linux.json)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-flow",
-  "version": "3.10.0",
+  "version": "3.10.3",
   "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "dist/index.js",
   "type": "module",

package/v3/@claude-flow/cli/README.md

@@ -382,6 +382,7 @@ Four docs for four audiences:
 | **[User Guide](docs/USERGUIDE.md)** | Daily reference — every command, every config flag, every plugin. The *how-do-I* doc. |
 | **[Benchmarks](https://gist.github.com/ruvnet/298f8c668c8859b369f91734a0e9cbbe)** | v3.8.0 SOTA matrix vs LangGraph / AutoGen / CrewAI on darwin-arm64 + linux-x64. ruflo wins cold start, single turn, RSS by 1.3×–1953×. The *is-it-fast* doc. |
 | **[Verification](verification.md)** | Cryptographically prove your installed bytes match the signed witness — `ruflo verify`. The *trust-but-verify* doc. |
+| **[Team Gateway Checklist](docs/TEAM-GATEWAY-CHECKLIST.md)** | Before-merge gates, dual-mode handoff, memory namespace sharing, and witness manifest entry per merge. The *safer-team-workflows* doc. |
 
 Benchmark internals (for reproduction): [`sota-workload-spec.md`](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/sota-workload-spec.md) · [`SOTA-PROGRESS.md`](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/SOTA-PROGRESS.md) · [raw matrix JSON: darwin](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/sota-matrix.json) · [linux](https://github.com/ruvnet/ruflo/blob/perf/sota-comparator-benchmarks/docs/benchmarks/sota-matrix-linux.json)
 

package/v3/@claude-flow/cli/dist/src/commands/analyze.js

@@ -238,7 +238,6 @@ const diffCommand = {
         }
     },
 };
-// Code subcommand (placeholder for future code analysis)
 const codeCommand = {
     name: 'code',
     description: 'Static code analysis and quality assessment',

package/v3/@claude-flow/cli/dist/src/commands/memory.js

@@ -12,6 +12,14 @@ const BACKENDS = [
     { value: 'hybrid', label: 'Hybrid', hint: 'SQLite + AgentDB (recommended)' },
     { value: 'memory', label: 'In-Memory', hint: 'Fast but non-persistent' }
 ];
+// #2105: shared --path option for memory subcommands.
+// Precedence: --path > CLAUDE_FLOW_DB_PATH env var > default root
+const DB_PATH_OPTION = {
+    name: 'path',
+    description: 'Override DB file path (also: CLAUDE_FLOW_DB_PATH env var). ' +
+        'Precedence: --path > CLAUDE_FLOW_DB_PATH > CLAUDE_FLOW_MEMORY_PATH/memory.db > cwd/.swarm/memory.db',
+    type: 'string',
+};
 // Store command
 const storeCommand = {
     name: 'store',
@@ -59,7 +67,8 @@ const storeCommand = {
             description: 'Update if key exists (insert or replace)',
             type: 'boolean',
             default: false
-        }
+        },
+        DB_PATH_OPTION
     ],
     examples: [
         { command: 'claude-flow memory store -k "api/auth" -v "JWT implementation"', description: 'Store text' },
@@ -101,7 +110,8 @@ const storeCommand = {
         output.printInfo(`Storing in ${namespace}/${key}...`);
         // Use direct sql.js storage with automatic embedding generation
         try {
-            const { storeEntry } = await import('../memory/memory-initializer.js');
+            const { storeEntry, resolveDbPath: _rdbStore } = await import('../memory/memory-initializer.js');
+            const dbPath = _rdbStore(ctx.flags.path);
             if (asVector) {
                 output.writeln(output.dim('  Generating embedding vector...'));
             }
@@ -112,7 +122,8 @@ const storeCommand = {
                 generateEmbeddingFlag: true, // Always generate embeddings for semantic search
                 tags,
                 ttl,
-                upsert
+                upsert,
+                dbPath
             });
             if (!result.success) {
                 output.printError(result.error || 'Failed to store');
@@ -175,7 +186,8 @@ const retrieveCommand = {
             description: 'Print only the stored value to stdout (no wrapper)',
             type: 'boolean',
             default: false
-        }
+        },
+        DB_PATH_OPTION
     ],
     action: async (ctx) => {
         const key = ctx.flags.key || ctx.args[0];
@@ -186,8 +198,9 @@ const retrieveCommand = {
         }
         // Use sql.js directly for consistent data access
         try {
-            const { getEntry } = await import('../memory/memory-initializer.js');
-            const result = await getEntry({ key, namespace });
+            const { getEntry, resolveDbPath: _rdbRetrieve } = await import('../memory/memory-initializer.js');
+            const dbPathRetrieve = _rdbRetrieve(ctx.flags.path);
+            const result = await getEntry({ key, namespace, dbPath: dbPathRetrieve });
             if (!result.success) {
                 output.printError(`Failed to retrieve: ${result.error}`);
                 return { success: false, exitCode: 1 };
@@ -283,7 +296,8 @@ const searchCommand = {
             description: 'Use SmartRetrieval pipeline (query expansion, RRF, MMR, recency)',
             type: 'boolean',
             default: false
-        }
+        },
+        DB_PATH_OPTION
     ],
     examples: [
         { command: 'claude-flow memory search -q "authentication patterns"', description: 'Semantic search' },
@@ -331,7 +345,8 @@ const searchCommand = {
         output.writeln();
         // Use direct sql.js search with vector similarity
         try {
-            const { searchEntries } = await import('../memory/memory-initializer.js');
+            const { searchEntries, resolveDbPath: _rdbSearch } = await import('../memory/memory-initializer.js');
+            const dbPathSearch = _rdbSearch(ctx.flags.path);
             const useSmart = (ctx.flags.smart || ctx.flags.s);
             let results;
             let searchTimeMs;
@@ -365,6 +380,7 @@ const searchCommand = {
                         namespace: req.namespace || namespace,
                         limit: req.limit || limit * 3,
                         threshold: req.threshold ?? threshold,
+                        dbPath: dbPathSearch,
                     });
                     return {
                         results: r.results.map(e => ({
@@ -397,7 +413,8 @@ const searchCommand = {
                     query,
                     namespace,
                     limit,
-                    threshold
+                    threshold,
+                    dbPath: dbPathSearch
                 });
                 if (!searchResult.success) {
                     output.printError(searchResult.error || 'Search failed');
@@ -470,15 +487,17 @@ const listCommand = {
             description: 'Maximum entries',
             type: 'number',
             default: 20
-        }
+        },
+        DB_PATH_OPTION
     ],
     action: async (ctx) => {
         const namespace = ctx.flags.namespace;
         const limit = ctx.flags.limit;
         // Use sql.js directly for consistent data access
         try {
-            const { listEntries } = await import('../memory/memory-initializer.js');
-            const listResult = await listEntries({ namespace, limit, offset: 0 });
+            const { listEntries, resolveDbPath: _rdbList } = await import('../memory/memory-initializer.js');
+            const dbPathList = _rdbList(ctx.flags.path);
+            const listResult = await listEntries({ namespace, limit, offset: 0, dbPath: dbPathList });
             if (!listResult.success) {
                 output.printError(`Failed to list: ${listResult.error}`);
                 return { success: false, exitCode: 1 };
@@ -567,7 +586,8 @@ const deleteCommand = {
             description: 'Skip confirmation',
             type: 'boolean',
             default: false
-        }
+        },
+        DB_PATH_OPTION
     ],
     examples: [
         { command: 'claude-flow memory delete -k "mykey"', description: 'Delete entry with default namespace' },
@@ -595,8 +615,9 @@ const deleteCommand = {
         }
         // Use sql.js directly for consistent data access (Issue #980)
         try {
-            const { deleteEntry } = await import('../memory/memory-initializer.js');
-            const result = await deleteEntry({ key, namespace });
+            const { deleteEntry, resolveDbPath: _rdbDelete } = await import('../memory/memory-initializer.js');
+            const dbPathDelete = _rdbDelete(ctx.flags.path);
+            const result = await deleteEntry({ key, namespace, dbPath: dbPathDelete });
             if (!result.success) {
                 output.printError(result.error || 'Failed to delete');
                 return { success: false, exitCode: 1 };
@@ -620,6 +641,7 @@ const deleteCommand = {
 const statsCommand = {
     name: 'stats',
     description: 'Show memory statistics',
+    options: [DB_PATH_OPTION],
     action: async (ctx) => {
         // Call MCP memory/stats tool for real statistics
         try {

package/v3/@claude-flow/cli/dist/src/init/executor.js

@@ -14,7 +14,7 @@ import { detectPlatform, DEFAULT_INIT_OPTIONS } from './types.js';
 import { generateSettingsJson, generateSettings } from './settings-generator.js';
 import { generateMCPJson } from './mcp-generator.js';
 import { generateStatuslineScript } from './statusline-generator.js';
-import { generatePreCommitHook, generatePostCommitHook, generateSessionManager, generateAgentRouter, generateMemoryHelper, generateHookHandler, generateIntelligenceStub, generateAutoMemoryHook, } from './helpers-generator.js';
+import { generatePreCommitHook, generatePostCommitHook, generateSessionManager, generateAgentRouter, generateMemoryHelper, generateHookHandler, generateIntelligenceStub, generateAutoMemoryHook, generateRufloHookCjs, } from './helpers-generator.js';
 import { generateClaudeMd } from './claudemd-generator.js';
 /**
  * Skills to copy based on configuration
@@ -1057,6 +1057,11 @@ async function writeHelpers(targetDir, options, result) {
     const helpersDir = path.join(targetDir, '.claude', 'helpers');
     // Find source helpers directory (works for npm package and local dev)
     const sourceHelpersDir = findSourceHelpersDir(options.sourceBaseDir);
+    // On Windows: emit a notice before writing helpers — the settings.json
+    // hooks will use node-based commands instead of bash shims (#2132).
+    if (process.platform === 'win32') {
+        console.log('Detected Windows — adding cross-platform hook overrides to .claude/settings.json (#2132)');
+    }
     // Try to copy existing helpers from source first
     if (sourceHelpersDir && fs.existsSync(sourceHelpersDir)) {
         const helperFiles = fs.readdirSync(sourceHelpersDir);
@@ -1080,6 +1085,18 @@ async function writeHelpers(targetDir, options, result) {
                 result.skipped.push(`.claude/helpers/${file}`);
             }
         }
+        // #2132: Always generate ruflo-hook.cjs regardless of source copy path.
+        // The source helpers dir may not contain this file (it lives in
+        // plugins/ruflo-core/scripts/, not .claude/helpers/), but it must
+        // always be present so Windows users can use the node-based shim.
+        const rufloHookDest = path.join(helpersDir, 'ruflo-hook.cjs');
+        if (!fs.existsSync(rufloHookDest) || options.force) {
+            fs.writeFileSync(rufloHookDest, generateRufloHookCjs(), 'utf-8');
+            result.created.files.push('.claude/helpers/ruflo-hook.cjs');
+        }
+        else {
+            result.skipped.push('.claude/helpers/ruflo-hook.cjs');
+        }
         if (copiedCount > 0) {
             return; // Skip generating if we copied from source
         }
@@ -1094,6 +1111,10 @@ async function writeHelpers(targetDir, options, result) {
         'hook-handler.cjs': generateHookHandler(),
         'intelligence.cjs': generateIntelligenceStub(),
         'auto-memory-hook.mjs': generateAutoMemoryHook(),
+        // #2132: cross-platform Node.js port of ruflo-hook.sh — always deployed so
+        // Windows users have a working shim even if the plugin's hooks.json bash
+        // commands are overridden via settings.json.
+        'ruflo-hook.cjs': generateRufloHookCjs(),
     };
     for (const [name, content] of Object.entries(helpers)) {
         const filePath = path.join(helpersDir, name);

package/v3/@claude-flow/cli/dist/src/init/helpers-generator.d.ts

@@ -58,4 +58,14 @@ export declare function generateCrossPlatformSessionManager(): string;
  * Generate all helper files
  */
 export declare function generateHelpers(options: InitOptions): Record<string, string>;
+/**
+ * Generate cross-platform Node.js port of ruflo-hook.sh (#2132).
+ *
+ * The bash shim works on Mac/Linux but fails on native Windows (exit 126).
+ * This .cjs version is always deployed to .claude/helpers/ so:
+ *   - Windows: settings.json overrides plugin bash hooks with node-based cmds
+ *   - Mac/Linux: plugin hooks.json still uses .sh (faster, battle-tested)
+ *   - Both: .claude/helpers/ruflo-hook.cjs available as a canonical cross-platform shim
+ */
+export declare function generateRufloHookCjs(): string;
 //# sourceMappingURL=helpers-generator.d.ts.map

package/v3/@claude-flow/cli/dist/src/init/helpers-generator.js

@@ -1195,4 +1195,75 @@ export function generateHelpers(options) {
     }
     return helpers;
 }
+/**
+ * Generate cross-platform Node.js port of ruflo-hook.sh (#2132).
+ *
+ * The bash shim works on Mac/Linux but fails on native Windows (exit 126).
+ * This .cjs version is always deployed to .claude/helpers/ so:
+ *   - Windows: settings.json overrides plugin bash hooks with node-based cmds
+ *   - Mac/Linux: plugin hooks.json still uses .sh (faster, battle-tested)
+ *   - Both: .claude/helpers/ruflo-hook.cjs available as a canonical cross-platform shim
+ */
+export function generateRufloHookCjs() {
+    return `#!/usr/bin/env node
+/**
+ * ruflo-hook.cjs — cross-platform Node.js port of ruflo-hook.sh (#2132)
+ *
+ * Deployed to .claude/helpers/ during ruflo init. On Windows, the
+ * generated .claude/settings.json hooks point here instead of the
+ * plugin's bash-only ruflo-hook.sh.
+ *
+ * Always exits 0 — hook subcommands are best-effort telemetry and must
+ * never block a Claude Code turn.
+ */
+
+'use strict';
+
+const { spawnSync, execSync } = require('child_process');
+const fs = require('fs');
+
+function done() { process.exit(0); }
+
+function commandExists(cmd) {
+  try {
+    const r = execSync(
+      process.platform === 'win32' ? 'where ' + cmd : 'command -v ' + cmd,
+      { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }
+    );
+    return r.trim().length > 0;
+  } catch { return false; }
+}
+
+function invokeHook(bin, binArgs, hookArgs, stdinData) {
+  const args = [...binArgs, ...hookArgs];
+  const result = spawnSync(bin, args, {
+    shell: process.platform === 'win32',
+    input: stdinData || '',
+    encoding: 'utf8',
+    stdio: ['pipe', 'ignore', 'ignore'],
+    timeout: 30_000,
+  });
+  return result.status === 0;
+}
+
+function main() {
+  const args = process.argv.slice(2);
+  if (args.length === 0) done();
+
+  const [subcommand, ...rest] = args;
+
+  let stdinData = '';
+  try { stdinData = fs.readFileSync(0, 'utf8'); } catch { stdinData = ''; }
+
+  const hookArgs = ['hooks', subcommand, ...rest];
+
+  if (commandExists('ruflo')) { invokeHook('ruflo', [], hookArgs, stdinData); done(); }
+  if (commandExists('claude-flow')) { invokeHook('claude-flow', [], hookArgs, stdinData); done(); }
+  invokeHook('npx', ['--prefer-offline', '--yes', 'ruflo@latest'], hookArgs, stdinData);
+  done();
+}
+
+main();
+`;
+}
 //# sourceMappingURL=helpers-generator.js.map

package/v3/@claude-flow/cli/dist/src/mcp-tools/coordination-tools.js

@@ -667,7 +667,7 @@ export const coordinationTools = [
                 topology: store.topology.type,
                 // Honest stub: no executor wired up yet. Don't lie about completion time.
                 executor: 'none',
-                _note: 'coordination_orchestrate currently records the orchestration request but does not execute it. For real multi-agent execution use agent_spawn + the Task tool, or hive-mind_spawn for queen-led coordination.',
+                _note: 'coordination_orchestrate currently records the orchestration request but does not execute it. For real multi-agent execution use agent_spawn + the Task tool, or hive-mind_spawn for queen-led coordination. Real executor tracked in issue #2140.',
             };
         },
     },

package/v3/@claude-flow/cli/dist/src/memory/embedding-quantization.js

@@ -87,9 +87,18 @@ export function decodeEmbedding(embeddingRef) {
         const b64 = embeddingRef.slice(INLINE_PREFIX.length);
         const raw = Buffer.from(b64, 'base64');
         const view = new DataView(raw.buffer, raw.byteOffset, raw.byteLength);
+        if (raw.byteLength < 16)
+            return null; // too short for the header
         if (view.getUint32(0, true) !== PQ_MAGIC)
             return null;
         const dims = view.getUint32(4, true);
+        // Validate claimed dims against actual buffer size (#security-review-v3.10):
+        //   (a) dims=0 or buffer too short -> malformed blob, reject.
+        //   (b) dims > 8192 -> oversized allocation guard (DoS via crafted blob).
+        //       Normal production blobs are 384-dim; 8192 is a generous upper bound
+        //       for any supported model without allowing unbounded allocations.
+        if (dims === 0 || dims > 8192 || raw.byteLength < 16 + dims)
+            return null;
         const gMin = view.getFloat32(8, true);
         const gMax = view.getFloat32(12, true);
         const range = gMax - gMin;

package/v3/@claude-flow/cli/dist/src/memory/memory-initializer.d.ts

@@ -11,6 +11,15 @@
 export declare function getMemoryRoot(): string;
 /** For tests + the `memory configure` flow that mutates the config at runtime. */
 export declare function _resetMemoryRootCache(): void;
+/**
+ * #2105: Resolve the full path to the SQLite memory database.
+ * Precedence (highest to lowest):
+ *   1. cliFlag             - explicit --path flag passed by a subcommand
+ *   2. CLAUDE_FLOW_DB_PATH - full file-path override (new in #2105)
+ *   3. getMemoryRoot()/memory.db - directory from CLAUDE_FLOW_MEMORY_PATH /
+ *                                  config / default cwd/.swarm
+ */
+export declare function resolveDbPath(cliFlag?: string): string;
 /**
  * Enhanced schema with pattern confidence, temporal decay, versioning
  * Vector embeddings enabled for semantic search

package/v3/@claude-flow/cli/dist/src/memory/memory-initializer.js

@@ -66,6 +66,24 @@ export function getMemoryRoot() {
 export function _resetMemoryRootCache() {
     _memoryRootCache = undefined;
 }
+/**
+ * #2105: Resolve the full path to the SQLite memory database.
+ * Precedence (highest to lowest):
+ *   1. cliFlag             - explicit --path flag passed by a subcommand
+ *   2. CLAUDE_FLOW_DB_PATH - full file-path override (new in #2105)
+ *   3. getMemoryRoot()/memory.db - directory from CLAUDE_FLOW_MEMORY_PATH /
+ *                                  config / default cwd/.swarm
+ */
+export function resolveDbPath(cliFlag) {
+    if (cliFlag && cliFlag.trim().length > 0) {
+        return path.resolve(cliFlag);
+    }
+    const envDb = process.env.CLAUDE_FLOW_DB_PATH;
+    if (envDb && envDb.trim().length > 0) {
+        return path.resolve(envDb);
+    }
+    return path.join(getMemoryRoot(), 'memory.db');
+}
 // ADR-053: Lazy import of AgentDB v3 bridge
 let _bridge;
 async function getBridge() {

package/v3/@claude-flow/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claude-flow/cli",
-  "version": "3.10.0",
+  "version": "3.10.3",
   "type": "module",
   "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
   "main": "dist/src/index.js",
@@ -102,10 +102,7 @@
     "@noble/ed25519": "^2.1.0",
     "@ruvector/rabitq-wasm": "^0.1.0",
     "semver": "^7.6.0",
-    "yaml": "^2.8.0",
-    "@claude-flow/memory": "^3.0.0-alpha.17",
-    "@claude-flow/embeddings": "^3.0.0-alpha.18",
-    "@claude-flow/security": "^3.0.0-alpha.8"
+    "yaml": "^2.8.0"
   },
   "optionalDependencies": {
     "@claude-flow/aidefence": "^3.0.2",
@@ -129,5 +126,8 @@
   "publishConfig": {
     "access": "public",
     "tag": "latest"
+  },
+  "overrides": {
+    "protobufjs": ">=7.5.6"
   }
 }