claude-flow 3.5.70 → 3.5.71

package/v3/@claude-flow/cli/dist/src/mcp-tools/hive-mind-tools.js

@@ -6,6 +6,7 @@
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
 import { getProjectCwd } from './types.js';
+import { validateIdentifier, validateText } from './validate-input.js';
 // Storage paths
 const STORAGE_DIR = '.claude-flow';
 const HIVE_DIR = 'hive-mind';
@@ -158,6 +159,16 @@ export const hiveMindTools = [
             if (!state.initialized) {
                 return { success: false, error: 'Hive-mind not initialized. Run hive-mind/init first.' };
             }
+            if (input.agentType) {
+                const v = validateIdentifier(input.agentType, 'agentType');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
+            if (input.prefix) {
+                const v = validateIdentifier(input.prefix, 'prefix');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const count = Math.min(Math.max(1, input.count || 1), 20); // Cap at 20
             const role = input.role || 'worker';
             const agentType = input.agentType || 'worker';
@@ -211,6 +222,11 @@ export const hiveMindTools = [
             },
         },
         handler: async (input) => {
+            if (input.queenId) {
+                const v = validateIdentifier(input.queenId, 'queenId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const state = loadHiveState();
             const hiveId = `hive-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
             const queenId = input.queenId || `queen-${Date.now()}`;
@@ -354,6 +370,11 @@ export const hiveMindTools = [
         handler: async (input) => {
             const state = loadHiveState();
             const agentId = input.agentId;
+            {
+                const v = validateIdentifier(agentId, 'agentId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             if (!state.initialized) {
                 return { success: false, error: 'Hive-mind not initialized' };
             }
@@ -384,6 +405,11 @@ export const hiveMindTools = [
         handler: async (input) => {
             const state = loadHiveState();
             const agentId = input.agentId;
+            {
+                const v = validateIdentifier(agentId, 'agentId');
+                if (!v.valid)
+                    return { success: false, agentId, error: v.error };
+            }
             const index = state.workers.indexOf(agentId);
             if (index > -1) {
                 state.workers.splice(index, 1);
@@ -419,6 +445,21 @@ export const hiveMindTools = [
             required: ['action'],
         },
         handler: async (input) => {
+            if (input.proposalId) {
+                const v = validateIdentifier(input.proposalId, 'proposalId');
+                if (!v.valid)
+                    return { action: input.action, error: v.error };
+            }
+            if (input.voterId) {
+                const v = validateIdentifier(input.voterId, 'voterId');
+                if (!v.valid)
+                    return { action: input.action, error: v.error };
+            }
+            if (input.type) {
+                const v = validateText(input.type, 'type');
+                if (!v.valid)
+                    return { action: input.action, error: v.error };
+            }
             const state = loadHiveState();
             const action = input.action;
             const strategy = input.strategy || 'raft';
@@ -687,6 +728,16 @@ export const hiveMindTools = [
             if (!state.initialized) {
                 return { success: false, error: 'Hive-mind not initialized' };
             }
+            {
+                const v = validateText(input.message, 'message');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
+            if (input.fromId) {
+                const v = validateIdentifier(input.fromId, 'fromId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const messageId = `msg-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
             // Store in shared memory
             const messages = state.sharedMemory.broadcasts || [];
@@ -781,6 +832,11 @@ export const hiveMindTools = [
             required: ['action'],
         },
         handler: async (input) => {
+            if (input.key) {
+                const v = validateIdentifier(input.key, 'key');
+                if (!v.valid)
+                    return { action: input.action, error: v.error };
+            }
             const state = loadHiveState();
             const action = input.action;
             const key = input.key;

package/v3/@claude-flow/cli/dist/src/mcp-tools/hooks-tools.js

@@ -5,6 +5,7 @@
 import { mkdirSync, writeFileSync, existsSync, readFileSync, statSync, unlinkSync, readdirSync } from 'fs';
 import { dirname, join, resolve } from 'path';
 import { getProjectCwd } from './types.js';
+import { validateIdentifier, validateText, validatePath } from './validate-input.js';
 // Real vector search functions - lazy loaded to avoid circular imports
 let searchEntriesFn = null;
 async function getRealSearchFunction() {
@@ -578,6 +579,11 @@ export const hooksPreEdit = {
     handler: async (params) => {
         const filePath = params.filePath;
         const operation = params.operation || 'update';
+        {
+            const v = validatePath(filePath, 'filePath');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const suggestedAgents = suggestAgentsForFile(filePath);
         const ext = getFileExtension(filePath);
         return {
@@ -616,6 +622,16 @@ export const hooksPostEdit = {
         const filePath = params.filePath;
         const success = params.success !== false;
         const agent = params.agent;
+        {
+            const v = validatePath(filePath, 'filePath');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (agent) {
+            const v = validateIdentifier(agent, 'agent');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Wire recordFeedback through bridge (issue #1209)
         let feedbackResult = null;
         try {
@@ -656,6 +672,11 @@ export const hooksPreCommand = {
     },
     handler: async (params) => {
         const command = params.command;
+        {
+            const v = validateText(command, 'command');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const assessment = assessCommandRisk(command);
         const riskLevel = assessment.level >= 0.8 ? 'critical'
             : assessment.level >= 0.6 ? 'high'
@@ -692,6 +713,11 @@ export const hooksPostCommand = {
         const command = params.command;
         const exitCode = params.exitCode || 0;
         const success = exitCode === 0;
+        {
+            const v = validateText(command, 'command');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Persist command outcome via AgentDB
         let _storedIn = 'none';
         try {
@@ -744,6 +770,16 @@ export const hooksRoute = {
         const task = params.task;
         const context = params.context;
         const useSemanticRouter = params.useSemanticRouter !== false;
+        {
+            const v = validateText(task, 'task');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (context) {
+            const v = validateText(context, 'context');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Phase 5: Try AgentDB's SemanticRouter / LearningSystem first
         if (useSemanticRouter) {
             try {
@@ -1011,6 +1047,21 @@ export const hooksPreTask = {
         const taskId = params.taskId;
         const description = params.description;
         const filePath = params.filePath;
+        {
+            const v = validateIdentifier(taskId, 'taskId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        {
+            const v = validateText(description, 'description');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (filePath) {
+            const v = validatePath(filePath, 'filePath');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const suggestion = suggestAgentsForTask(description);
         // Determine complexity
         const descLower = description.toLowerCase();
@@ -1099,6 +1150,16 @@ export const hooksPostTask = {
         const agent = params.agent;
         const quality = params.quality || (success ? 0.85 : 0.3);
         const startTime = Date.now();
+        {
+            const v = validateIdentifier(taskId, 'taskId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (agent) {
+            const v = validateIdentifier(agent, 'agent');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Phase 3: Wire recordFeedback through bridge → LearningSystem + ReasoningBank
         let feedbackResult = null;
         try {
@@ -1234,6 +1295,11 @@ export const hooksExplain = {
     },
     handler: async (params) => {
         const task = params.task;
+        {
+            const v = validateText(task, 'task');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const suggestion = suggestAgentsForTask(task);
         const taskLower = task.toLowerCase();
         // Determine matched patterns
@@ -1469,6 +1535,16 @@ export const hooksTransfer = {
         const sourcePath = params.sourcePath;
         const minConfidence = params.minConfidence || 0.7;
         const filter = params.filter;
+        {
+            const v = validatePath(sourcePath, 'sourcePath');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (filter) {
+            const v = validateIdentifier(filter, 'filter');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Try to load patterns from source project's memory store
         const sourceMemoryPath = join(resolve(sourcePath), MEMORY_DIR, MEMORY_FILE);
         let sourceStore = { entries: {}, version: '3.0.0' };
@@ -1540,6 +1616,11 @@ export const hooksSessionStart = {
         const sessionId = params.sessionId || `session-${Date.now()}`;
         const restoreLatest = params.restoreLatest;
         const shouldStartDaemon = params.startDaemon === true;
+        if (params.sessionId) {
+            const v = validateIdentifier(params.sessionId, 'sessionId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Auto-regenerate statusline if outdated (fixes older installs)
         // Checks for the old fake heuristic: "Math.floor(sizeKB / 2)"
         try {
@@ -1765,6 +1846,11 @@ export const hooksSessionRestore = {
         const requestedId = params.sessionId || 'latest';
         const restoreAgents = params.restoreAgents !== false;
         const restoreTasks = params.restoreTasks !== false;
+        if (params.sessionId) {
+            const v = validateIdentifier(params.sessionId, 'sessionId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const originalSessionId = requestedId === 'latest' ? `session-${Date.now() - 86400000}` : requestedId;
         const newSessionId = `session-${Date.now()}`;
         // Get real memory entry count
@@ -1804,6 +1890,16 @@ export const hooksNotify = {
         const message = params.message;
         const target = params.target || 'all';
         const priority = params.priority || 'normal';
+        {
+            const v = validateText(message, 'message');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (params.target) {
+            const v = validateIdentifier(target, 'target');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         return {
             notificationId: `notify-${Date.now()}`,
             message,
@@ -2036,6 +2132,16 @@ export const hooksTrajectoryStart = {
     handler: async (params) => {
         const task = params.task;
         const agent = params.agent || 'coder';
+        {
+            const v = validateText(task, 'task');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (params.agent) {
+            const v = validateIdentifier(params.agent, 'agent');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const trajectoryId = `traj-${Date.now()}-${Math.random().toString(36).substring(7)}`;
         const startedAt = new Date().toISOString();
         // Create real trajectory entry in memory
@@ -2078,6 +2184,16 @@ export const hooksTrajectoryStep = {
         const quality = params.quality || 0.85;
         const timestamp = new Date().toISOString();
         const stepId = `step-${Date.now()}`;
+        {
+            const v = validateIdentifier(trajectoryId, 'trajectoryId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        {
+            const v = validateText(action, 'action');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Add step to real trajectory if it exists
         const trajectory = activeTrajectories.get(trajectoryId);
         if (trajectory) {
@@ -2115,6 +2231,11 @@ export const hooksTrajectoryEnd = {
     },
     handler: async (params) => {
         const trajectoryId = params.trajectoryId;
+        {
+            const v = validateIdentifier(trajectoryId, 'trajectoryId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const success = params.success !== false;
         const feedback = params.feedback;
         const endedAt = new Date().toISOString();
@@ -2253,6 +2374,16 @@ export const hooksPatternStore = {
         const confidence = params.confidence || 0.8;
         const metadata = params.metadata;
         const timestamp = new Date().toISOString();
+        {
+            const v = validateText(pattern, 'pattern');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (params.type) {
+            const v = validateIdentifier(params.type, 'type');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const patternId = `pattern-${Date.now()}-${Math.random().toString(36).substring(7)}`;
         // Phase 3: Try ReasoningBank via bridge first
         let reasoningResult = null;
@@ -2319,6 +2450,16 @@ export const hooksPatternSearch = {
         const topK = params.topK || 5;
         const minConfidence = params.minConfidence || 0.3;
         const namespace = params.namespace || 'pattern';
+        {
+            const v = validateText(query, 'query');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
+        if (params.namespace) {
+            const v = validateIdentifier(params.namespace, 'namespace');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         // Phase 3: Try ReasoningBank search via bridge first
         try {
             const bridge = await import('../memory/memory-bridge.js');
@@ -2654,6 +2795,11 @@ export const hooksIntelligenceAttention = {
         const mode = params.mode || 'flash';
         const topK = params.topK || 5;
         const startTime = performance.now();
+        {
+            const v = validateText(query, 'query');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         let implementation = 'placeholder';
         const results = [];
         if (mode === 'moe') {
@@ -3017,6 +3163,11 @@ export const hooksWorkerDispatch = {
         const context = params.context || 'default';
         const priority = params.priority || WORKER_CONFIGS[trigger]?.priority || 'normal';
         const background = params.background !== false;
+        if (params.context) {
+            const v = validateText(params.context, 'context');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         if (!WORKER_CONFIGS[trigger]) {
             return {
                 success: false,
@@ -3092,6 +3243,11 @@ export const hooksWorkerStatus = {
     handler: async (params) => {
         const workerId = params.workerId;
         const includeCompleted = params.includeCompleted !== false;
+        if (workerId) {
+            const v = validateIdentifier(workerId, 'workerId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         if (workerId) {
             const worker = activeWorkers.get(workerId);
             if (!worker) {
@@ -3147,6 +3303,11 @@ export const hooksWorkerDetect = {
         const prompt = params.prompt;
         const autoDispatch = params.autoDispatch;
         const minConfidence = params.minConfidence || 0.5;
+        {
+            const v = validateText(prompt, 'prompt');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const detection = detectWorkerTriggers(prompt);
         const result = {
             prompt: prompt.slice(0, 200) + (prompt.length > 200 ? '...' : ''),
@@ -3219,6 +3380,11 @@ export const hooksModelRoute = {
     },
     handler: async (params) => {
         const task = params.task;
+        {
+            const v = validateText(task, 'task');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const router = await getModelRouterInstance();
         if (!router) {
             // Fallback to simple heuristic
@@ -3262,6 +3428,11 @@ export const hooksModelOutcome = {
         const task = params.task;
         const model = params.model;
         const outcome = params.outcome;
+        {
+            const v = validateText(task, 'task');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const router = await getModelRouterInstance();
         if (router) {
             router.recordOutcome(task, model, outcome);
@@ -3325,6 +3496,11 @@ export const hooksWorkerCancel = {
     },
     handler: async (params) => {
         const workerId = params.workerId;
+        {
+            const v = validateIdentifier(workerId, 'workerId');
+            if (!v.valid)
+                return { success: false, error: v.error };
+        }
         const worker = activeWorkers.get(workerId);
         if (!worker) {
             return {

package/v3/@claude-flow/cli/dist/src/mcp-tools/memory-tools.js

@@ -11,6 +11,7 @@
  */
 import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'fs';
 import { join, resolve } from 'path';
+import { validateIdentifier } from './validate-input.js';
 // Paths
 const MEMORY_DIR = '.claude-flow/memory';
 const LEGACY_MEMORY_FILE = 'store.json';
@@ -231,7 +232,7 @@ export const memoryTools = [
             const { getEntry } = await getMemoryFunctions();
             const key = input.key;
             const namespace = input.namespace || 'default';
-            validateMemoryInput(key);
+            validateMemoryInput(key, undefined, undefined, namespace);
             try {
                 const result = await getEntry({ key, namespace });
                 if (result.found && result.entry) {
@@ -356,7 +357,7 @@ export const memoryTools = [
             const { deleteEntry } = await getMemoryFunctions();
             const key = input.key;
             const namespace = input.namespace || 'default';
-            validateMemoryInput(key);
+            validateMemoryInput(key, undefined, undefined, namespace);
             try {
                 const result = await deleteEntry({ key, namespace });
                 return {
@@ -397,6 +398,11 @@ export const memoryTools = [
             const namespace = input.namespace;
             const limit = input.limit || 50;
             const offset = input.offset || 0;
+            if (namespace) {
+                const vNs = validateIdentifier(namespace, 'namespace');
+                if (!vNs.valid)
+                    throw new Error(vNs.error);
+            }
             try {
                 const result = await listEntries({
                     namespace,
@@ -533,6 +539,11 @@ export const memoryTools = [
             const { storeEntry } = await getMemoryFunctions();
             const { homedir } = await import('os');
             const ns = input.namespace || 'claude-memories';
+            if (input.namespace) {
+                const vNs = validateIdentifier(ns, 'namespace');
+                if (!vNs.valid)
+                    return { success: false, imported: 0, error: vNs.error };
+            }
             const allProjects = input.allProjects;
             const claudeProjectsDir = join(homedir(), '.claude', 'projects');
             // Find memory files
@@ -703,6 +714,11 @@ export const memoryTools = [
             const query = input.query;
             const limit = input.limit || 10;
             const ns = input.namespace;
+            if (ns) {
+                const vNs = validateIdentifier(ns, 'namespace');
+                if (!vNs.valid)
+                    return { success: false, query, results: [], total: 0, error: vNs.error };
+            }
             // Search all namespaces unless filtered
             const namespaces = ns ? [ns] : ['default', 'claude-memories', 'auto-memory', 'patterns', 'tasks', 'feedback'];
             const allResults = [];

package/v3/@claude-flow/cli/dist/src/mcp-tools/neural-tools.js

@@ -12,6 +12,7 @@
  * Note: For production neural features, use @claude-flow/neural module
  */
 import { getProjectCwd } from './types.js';
+import { validateIdentifier, validateText } from './validate-input.js';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
 // Try to import real embeddings — prefer agentic-flow v3 ReasoningBank, then @claude-flow/embeddings
@@ -147,6 +148,11 @@ export const neuralTools = [
             required: ['modelType'],
         },
         handler: async (input) => {
+            if (input.modelId) {
+                const v = validateIdentifier(input.modelId, 'modelId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const store = loadNeuralStore();
             const modelId = input.modelId || `model-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
             const modelType = input.modelType;
@@ -225,6 +231,16 @@ export const neuralTools = [
             required: ['input'],
         },
         handler: async (input) => {
+            {
+                const v = validateText(input.input, 'input');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
+            if (input.modelId) {
+                const v = validateIdentifier(input.modelId, 'modelId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const store = loadNeuralStore();
             const modelId = input.modelId;
             const inputText = input.input;
@@ -285,6 +301,26 @@ export const neuralTools = [
             },
         },
         handler: async (input) => {
+            if (input.patternId) {
+                const v = validateIdentifier(input.patternId, 'patternId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
+            if (input.name) {
+                const v = validateText(input.name, 'name');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
+            if (input.type) {
+                const v = validateIdentifier(input.type, 'type');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
+            if (input.query) {
+                const v = validateText(input.query, 'query');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const store = loadNeuralStore();
             const action = input.action || 'list';
             if (action === 'list') {
@@ -385,6 +421,11 @@ export const neuralTools = [
             },
         },
         handler: async (input) => {
+            if (input.modelId) {
+                const v = validateIdentifier(input.modelId, 'modelId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const store = loadNeuralStore();
             const method = input.method || 'quantize';
             const targetReduction = input.targetSize || 0.5;
@@ -490,6 +531,11 @@ export const neuralTools = [
             },
         },
         handler: async (input) => {
+            if (input.modelId) {
+                const v = validateIdentifier(input.modelId, 'modelId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const store = loadNeuralStore();
             if (input.modelId) {
                 const model = store.models[input.modelId];
@@ -540,6 +586,11 @@ export const neuralTools = [
             },
         },
         handler: async (input) => {
+            if (input.modelId) {
+                const v = validateIdentifier(input.modelId, 'modelId');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const store = loadNeuralStore();
             const target = input.target || 'balanced';
             const patterns = Object.values(store.patterns);

package/v3/@claude-flow/cli/dist/src/mcp-tools/performance-tools.js

@@ -12,6 +12,7 @@
  * Note: Some optimization suggestions are illustrative
  */
 import { getProjectCwd } from './types.js';
+import { validateIdentifier } from './validate-input.js';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
 import * as os from 'node:os';
@@ -158,6 +159,11 @@ export const performanceTools = [
             },
         },
         handler: async (_input) => {
+            if (_input.component) {
+                const v = validateIdentifier(_input.component, 'component');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const loadAvg = os.loadavg();
             const cpus = os.cpus();
             const cpuPercent = Math.min((loadAvg[0] / cpus.length) * 100, 100);
@@ -346,6 +352,11 @@ export const performanceTools = [
             },
         },
         handler: async (input) => {
+            if (input.target) {
+                const v = validateIdentifier(input.target, 'target');
+                if (!v.valid)
+                    return { success: false, error: v.error };
+            }
             const target = input.target || 'all';
             const durationSec = Math.min(input.duration || 1, 10);
             const durationMs = durationSec * 1000;