claude-flow 3.5.70 → 3.5.72

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-flow",
-  "version": "3.5.70",
+  "version": "3.5.72",
   "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "dist/index.js",
   "type": "module",

package/v3/@claude-flow/cli/dist/src/commands/plugins.js

@@ -113,12 +113,14 @@ const listCommand = {
             output.writeln(output.dim('─'.repeat(70)));
             // Fetch real ratings from Cloud Function (non-blocking)
             let realRatings = {};
+            let ratingsSource = 'live';
             try {
                 const pluginIds = plugins.map(p => p.name);
                 realRatings = await getBulkRatings(pluginIds, 'plugin');
             }
             catch {
                 // Fall back to static ratings if Cloud Function unavailable
+                ratingsSource = 'unavailable';
             }
             if (ctx.flags.format === 'json') {
                 // Merge real ratings into plugin data
@@ -126,6 +128,7 @@ const listCommand = {
                     ...p,
                     rating: realRatings[p.name]?.average || p.rating,
                     ratingCount: realRatings[p.name]?.count || 0,
+                    ...(ratingsSource === 'unavailable' ? { ratingsSource: 'cached' } : {}),
                 }));
                 output.printJson(pluginsWithRatings);
                 return { success: true, data: pluginsWithRatings };
@@ -157,6 +160,9 @@ const listCommand = {
                 }),
             });
             output.writeln();
+            if (ratingsSource === 'unavailable') {
+                output.writeln(output.dim('(ratings: cached — cloud unavailable)'));
+            }
             output.writeln(output.dim(`Source: ${result.source}${result.fromCache ? ' (cached)' : ''}`));
             if (result.cid) {
                 output.writeln(output.dim(`Registry CID: ${result.cid.slice(0, 30)}...`));

package/v3/@claude-flow/cli/dist/src/commands/security.js

@@ -293,11 +293,201 @@ const threatsCommand = {
     ],
     action: async (ctx) => {
         const model = ctx.flags.model || 'stride';
+        const scope = ctx.flags.scope || '.';
+        const exportFormat = ctx.flags.export;
         output.writeln();
         output.writeln(output.bold(`Threat Model: ${model.toUpperCase()}`));
         output.writeln(output.dim('─'.repeat(50)));
-        output.writeln(output.warning('⚠ Automated threat modeling is not yet implemented.'));
-        output.writeln(output.dim('The table below is a STRIDE reference template, not an analysis of your code.'));
+        const spinner = output.createSpinner({ text: `Scanning ${scope} for threat indicators...`, spinner: 'dots' });
+        spinner.start();
+        const fs = await import('fs');
+        const path = await import('path');
+        const rootDir = path.resolve(scope);
+        const findings = [];
+        const extensions = new Set(['.ts', '.js', '.json', '.yaml', '.yml', '.tsx', '.jsx']);
+        const skipDirs = new Set(['node_modules', 'dist', '.git']);
+        let filesScanned = 0;
+        const MAX_FILES = 500;
+        // Threat indicator patterns mapped to STRIDE categories
+        const threatPatterns = [
+            // Spoofing — weak/missing authentication
+            { pattern: /(?:app|router|server)\s*\.\s*(?:get|post|put|patch|delete)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:async\s+)?\(?(?:req|request)/g, category: 'Spoofing', severity: 'medium', description: 'HTTP endpoint without auth middleware' },
+            // Tampering — code injection vectors
+            { pattern: /\beval\s*\(/g, category: 'Tampering', severity: 'high', description: 'eval() usage — arbitrary code execution risk' },
+            { pattern: /\bexecSync\s*\(/g, category: 'Tampering', severity: 'high', description: 'execSync() usage — command injection risk' },
+            { pattern: /\bexec\s*\(\s*[^)]*\$\{/g, category: 'Tampering', severity: 'high', description: 'exec() with template literal — injection risk' },
+            { pattern: /child_process.*\bexec\b/g, category: 'Tampering', severity: 'medium', description: 'child_process exec import — review for injection' },
+            { pattern: /new\s+Function\s*\(/g, category: 'Tampering', severity: 'high', description: 'new Function() — dynamic code execution risk' },
+            // Repudiation — missing audit/logging
+            // (checked via absence of logging imports, handled separately)
+            // Info Disclosure — secrets and data leaks
+            { pattern: /(?:api[_-]?key|secret|token|password|passwd|credential)\s*[:=]\s*['"][^'"]{8,}['"]/gi, category: 'Info Disclosure', severity: 'high', description: 'Hardcoded credential or secret' },
+            { pattern: /AKIA[0-9A-Z]{16}/g, category: 'Info Disclosure', severity: 'critical', description: 'AWS Access Key ID detected' },
+            { pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g, category: 'Info Disclosure', severity: 'high', description: 'GitHub token detected' },
+            { pattern: /-----BEGIN (?:RSA|EC|DSA|OPENSSH) PRIVATE KEY-----/g, category: 'Info Disclosure', severity: 'critical', description: 'Private key detected' },
+            { pattern: /http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)/g, category: 'Info Disclosure', severity: 'medium', description: 'Non-localhost HTTP URL — should use HTTPS' },
+            // DoS — missing rate limiting / resource protection
+            { pattern: /require\s*\(\s*['"]express['"]\s*\)/g, category: 'DoS', severity: 'low', description: 'Express detected — verify rate-limiting is configured' },
+            { pattern: /require\s*\(\s*['"]fastify['"]\s*\)/g, category: 'DoS', severity: 'low', description: 'Fastify detected — verify rate-limiting is configured' },
+            // Elevation of privilege — unsafe deserialization, prototype pollution
+            { pattern: /JSON\.parse\s*\(\s*(?:req\.|request\.)/g, category: 'Elevation', severity: 'medium', description: 'Unsanitized JSON.parse from request — validate input' },
+            { pattern: /\.__proto__/g, category: 'Elevation', severity: 'high', description: '__proto__ access — prototype pollution risk' },
+            { pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(?:req|request)\./g, category: 'Elevation', severity: 'medium', description: 'Object.assign from request — prototype pollution risk' },
+        ];
+        // Check for .env files committed to git
+        const checkEnvInGit = () => {
+            try {
+                const { execSync } = require('child_process');
+                const tracked = execSync('git ls-files --cached', { cwd: rootDir, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+                const envFiles = tracked.split('\n').filter((f) => /(?:^|\/)\.env(?:\.|$)/.test(f));
+                for (const envFile of envFiles) {
+                    findings.push({
+                        category: 'Info Disclosure',
+                        severity: output.error('CRITICAL'),
+                        location: envFile,
+                        description: '.env file tracked in git — secrets may be exposed',
+                    });
+                }
+            }
+            catch { /* not a git repo or git not available */ }
+        };
+        // Recursive file scanner
+        const scanDir = (dir) => {
+            if (filesScanned >= MAX_FILES)
+                return;
+            let entries;
+            try {
+                entries = fs.readdirSync(dir, { withFileTypes: true });
+            }
+            catch {
+                return;
+            }
+            for (const entry of entries) {
+                if (filesScanned >= MAX_FILES)
+                    break;
+                if (skipDirs.has(entry.name) || entry.name.startsWith('.'))
+                    continue;
+                const fullPath = path.join(dir, entry.name);
+                if (entry.isDirectory()) {
+                    scanDir(fullPath);
+                }
+                else if (entry.isFile() && extensions.has(path.extname(entry.name)) && !entry.name.endsWith('.d.ts')) {
+                    filesScanned++;
+                    try {
+                        const stat = fs.statSync(fullPath);
+                        if (stat.size > 1024 * 1024)
+                            continue; // skip files > 1MB
+                        const content = fs.readFileSync(fullPath, 'utf-8');
+                        const lines = content.split('\n');
+                        const relPath = path.relative(rootDir, fullPath);
+                        for (let i = 0; i < lines.length; i++) {
+                            for (const tp of threatPatterns) {
+                                tp.pattern.lastIndex = 0;
+                                if (tp.pattern.test(lines[i])) {
+                                    const sevLabel = tp.severity === 'critical' ? output.error('CRITICAL') :
+                                        tp.severity === 'high' ? output.warning('HIGH') :
+                                            tp.severity === 'medium' ? output.warning('MEDIUM') : output.info('LOW');
+                                    findings.push({
+                                        category: tp.category,
+                                        severity: sevLabel,
+                                        location: `${relPath}:${i + 1}`,
+                                        description: tp.description,
+                                    });
+                                    tp.pattern.lastIndex = 0;
+                                }
+                            }
+                        }
+                    }
+                    catch { /* file read error */ }
+                }
+            }
+        };
+        // Check for missing security middleware in Express/Fastify apps
+        const checkMissingMiddleware = () => {
+            const serverFiles = [];
+            const collectServerFiles = (dir, depth) => {
+                if (depth <= 0 || filesScanned >= MAX_FILES)
+                    return;
+                try {
+                    const entries = fs.readdirSync(dir, { withFileTypes: true });
+                    for (const entry of entries) {
+                        if (skipDirs.has(entry.name) || entry.name.startsWith('.'))
+                            continue;
+                        const fullPath = path.join(dir, entry.name);
+                        if (entry.isDirectory()) {
+                            collectServerFiles(fullPath, depth - 1);
+                        }
+                        else if (/\.(ts|js)$/.test(entry.name) && !entry.name.endsWith('.d.ts')) {
+                            try {
+                                const content = fs.readFileSync(fullPath, 'utf-8');
+                                if (/require\s*\(\s*['"](?:express|fastify)['"]\s*\)/.test(content) || /from\s+['"](?:express|fastify)['"]/.test(content)) {
+                                    serverFiles.push(fullPath);
+                                    const relPath = path.relative(rootDir, fullPath);
+                                    if (!/(?:helmet|lusca)/.test(content)) {
+                                        findings.push({ category: 'Tampering', severity: output.warning('MEDIUM'), location: relPath, description: 'No helmet/lusca security headers middleware' });
+                                    }
+                                    if (!/(?:cors)/.test(content)) {
+                                        findings.push({ category: 'Spoofing', severity: output.info('LOW'), location: relPath, description: 'No CORS middleware detected' });
+                                    }
+                                    if (!/(?:rate.?limit|throttle)/.test(content)) {
+                                        findings.push({ category: 'DoS', severity: output.warning('MEDIUM'), location: relPath, description: 'No rate-limiting middleware detected' });
+                                    }
+                                }
+                            }
+                            catch { /* skip */ }
+                        }
+                    }
+                }
+                catch { /* skip */ }
+            };
+            collectServerFiles(rootDir, 5);
+        };
+        checkEnvInGit();
+        scanDir(rootDir);
+        checkMissingMiddleware();
+        spinner.succeed(`Scanned ${filesScanned} files`);
+        // STRIDE reference framework
+        const strideRef = [
+            { category: 'Spoofing', description: 'Can an attacker impersonate a user or service?', example: 'Strong authentication, mTLS' },
+            { category: 'Tampering', description: 'Can data or code be modified without detection?', example: 'Input validation, integrity checks' },
+            { category: 'Repudiation', description: 'Can actions be performed without accountability?', example: 'Audit logging, signed commits' },
+            { category: 'Info Disclosure', description: 'Can sensitive data leak to unauthorized parties?', example: 'Encryption at rest and in transit' },
+            { category: 'DoS', description: 'Can service availability be degraded?', example: 'Rate limiting, resource quotas' },
+            { category: 'Elevation', description: 'Can privileges be escalated beyond granted level?', example: 'RBAC, principle of least privilege' },
+        ];
+        // Display real findings
+        output.writeln();
+        if (findings.length > 0) {
+            output.writeln(output.bold(`Findings (${findings.length}):`));
+            output.writeln();
+            output.printTable({
+                columns: [
+                    { key: 'category', header: 'STRIDE Category', width: 18 },
+                    { key: 'severity', header: 'Severity', width: 12 },
+                    { key: 'location', header: 'Location', width: 30 },
+                    { key: 'description', header: 'Description', width: 40 },
+                ],
+                data: findings.slice(0, 30),
+            });
+            if (findings.length > 30) {
+                output.writeln(output.dim(`... and ${findings.length - 30} more findings`));
+            }
+            // Summary by STRIDE category
+            const byCat = {};
+            for (const f of findings)
+                byCat[f.category] = (byCat[f.category] || 0) + 1;
+            output.writeln();
+            output.writeln(output.bold('Summary by STRIDE category:'));
+            for (const [cat, count] of Object.entries(byCat).sort((a, b) => b[1] - a[1])) {
+                output.writeln(`  ${cat}: ${count} finding${count === 1 ? '' : 's'}`);
+            }
+        }
+        else {
+            output.writeln(output.success('No threat indicators detected in scanned files.'));
+        }
+        // Always show STRIDE reference
+        output.writeln();
+        output.writeln(output.bold(`${model.toUpperCase()} Reference Framework${findings.length === 0 ? ' (reference only — no issues detected)' : ''}:`));
         output.writeln();
         output.printTable({
             columns: [
@@ -305,18 +495,26 @@ const threatsCommand = {
                 { key: 'description', header: 'What to Assess', width: 40 },
                 { key: 'example', header: 'Example Mitigation', width: 30 },
             ],
-            data: [
-                { category: 'Spoofing', description: 'Can an attacker impersonate a user or service?', example: 'Strong authentication, mTLS' },
-                { category: 'Tampering', description: 'Can data or code be modified without detection?', example: 'Input validation, integrity checks' },
-                { category: 'Repudiation', description: 'Can actions be performed without accountability?', example: 'Audit logging, signed commits' },
-                { category: 'Info Disclosure', description: 'Can sensitive data leak to unauthorized parties?', example: 'Encryption at rest and in transit' },
-                { category: 'DoS', description: 'Can service availability be degraded?', example: 'Rate limiting, resource quotas' },
-                { category: 'Elevation', description: 'Can privileges be escalated beyond granted level?', example: 'RBAC, principle of least privilege' },
-            ],
+            data: strideRef,
         });
+        // Export if requested
+        if (exportFormat && findings.length > 0) {
+            const exportData = {
+                model: model.toUpperCase(),
+                timestamp: new Date().toISOString(),
+                scope,
+                filesScanned,
+                totalFindings: findings.length,
+                findings: findings.map(f => ({ ...f, severity: f.severity.replace(/\x1b\[[0-9;]*m/g, '') })),
+                strideReference: strideRef,
+            };
+            if (exportFormat === 'json') {
+                output.writeln();
+                output.writeln(JSON.stringify(exportData, null, 2));
+            }
+        }
         output.writeln();
-        output.writeln(output.dim('For real threat modeling, review your architecture manually using this framework.'));
-        output.writeln(output.dim('Run "claude-flow security scan" for automated vulnerability detection.'));
+        output.writeln(output.dim(`Files scanned: ${filesScanned} (max ${MAX_FILES})`));
         return { success: true };
     },
 };
@@ -401,33 +599,151 @@ const secretsCommand = {
         { command: 'claude-flow security secrets -a rotate', description: 'Rotate compromised secrets' },
     ],
     action: async (ctx) => {
-        const path = ctx.flags.path || '.';
+        const scanPath = ctx.flags.path || '.';
+        const ignorePatterns = ctx.flags.ignore;
         output.writeln();
         output.writeln(output.bold('Secret Detection'));
         output.writeln(output.dim('─'.repeat(50)));
-        const spinner = output.createSpinner({ text: 'Scanning for secrets...', spinner: 'dots' });
+        const spinner = output.createSpinner({ text: `Scanning ${scanPath} for secrets...`, spinner: 'dots' });
         spinner.start();
-        await new Promise(r => setTimeout(r, 800));
-        spinner.succeed('Scan complete');
-        output.writeln();
-        output.writeln(output.warning('⚠ No real secrets scan performed. Showing example findings.'));
-        output.writeln(output.dim('Run "claude-flow security scan --depth full" for real secret detection.'));
+        const fs = await import('fs');
+        const path = await import('path');
+        const rootDir = path.resolve(scanPath);
+        const skipDirs = new Set(['node_modules', 'dist', '.git']);
+        const extensions = new Set(['.ts', '.js', '.json', '.yaml', '.yml', '.tsx', '.jsx', '.env', '.toml', '.cfg', '.conf', '.ini', '.properties', '.sh', '.bash', '.zsh']);
+        const ignoreList = ignorePatterns ? ignorePatterns.split(',').map(p => p.trim()) : [];
+        const secretPatterns = [
+            { pattern: /AKIA[0-9A-Z]{16}/g, type: 'AWS Access Key', risk: 'Critical', action: 'Rotate immediately' },
+            { pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g, type: 'GitHub Token', risk: 'Critical', action: 'Revoke and rotate' },
+            { pattern: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g, type: 'JWT Token', risk: 'High', action: 'Remove from source' },
+            { pattern: /-----BEGIN (?:RSA|EC|DSA|OPENSSH) PRIVATE KEY-----/g, type: 'Private Key', risk: 'Critical', action: 'Remove and regenerate' },
+            { pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s'"]+/g, type: 'Connection String', risk: 'High', action: 'Use env variable' },
+            { pattern: /['"](?:sk-|sk_live_|sk_test_)[a-zA-Z0-9]{20,}['"]/g, type: 'API Key (Stripe/OpenAI)', risk: 'Critical', action: 'Rotate immediately' },
+            { pattern: /['"]xox[baprs]-[a-zA-Z0-9-]+['"]/g, type: 'Slack Token', risk: 'High', action: 'Revoke and rotate' },
+            { pattern: /[a-zA-Z0-9_-]*(?:api[_-]?key|secret[_-]?key|auth[_-]?token|access[_-]?token|private[_-]?key)\s*[:=]\s*['"][^'"]{8,}['"]/gi, type: 'Generic Secret/API Key', risk: 'High', action: 'Use env variable' },
+            { pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]/gi, type: 'Hardcoded Password', risk: 'High', action: 'Use secrets manager' },
+        ];
+        const findings = [];
+        let filesScanned = 0;
+        const MAX_FILES = 500;
+        const shouldIgnore = (filePath) => {
+            return ignoreList.some(p => filePath.includes(p));
+        };
+        const scanDir = (dir) => {
+            if (filesScanned >= MAX_FILES)
+                return;
+            let entries;
+            try {
+                entries = fs.readdirSync(dir, { withFileTypes: true });
+            }
+            catch {
+                return;
+            }
+            for (const entry of entries) {
+                if (filesScanned >= MAX_FILES)
+                    break;
+                if (skipDirs.has(entry.name))
+                    continue;
+                // Allow dotfiles like .env but skip .git
+                const fullPath = path.join(dir, entry.name);
+                if (entry.isDirectory()) {
+                    if (entry.name.startsWith('.') && entry.name !== '.env')
+                        continue;
+                    scanDir(fullPath);
+                }
+                else if (entry.isFile()) {
+                    const ext = path.extname(entry.name);
+                    const isEnvFile = entry.name.startsWith('.env');
+                    if (!extensions.has(ext) && !isEnvFile)
+                        continue;
+                    if (entry.name.endsWith('.d.ts'))
+                        continue;
+                    const relPath = path.relative(rootDir, fullPath);
+                    if (shouldIgnore(relPath))
+                        continue;
+                    filesScanned++;
+                    try {
+                        const stat = fs.statSync(fullPath);
+                        if (stat.size > 1024 * 1024)
+                            continue; // skip files > 1MB
+                        const content = fs.readFileSync(fullPath, 'utf-8');
+                        // Quick binary check — skip if null bytes present
+                        if (content.includes('\0'))
+                            continue;
+                        const lines = content.split('\n');
+                        for (let i = 0; i < lines.length; i++) {
+                            const line = lines[i];
+                            for (const sp of secretPatterns) {
+                                sp.pattern.lastIndex = 0;
+                                const match = sp.pattern.exec(line);
+                                if (match) {
+                                    // Mask the matched secret for safe display
+                                    const matched = match[0];
+                                    const masked = matched.length > 12
+                                        ? matched.substring(0, 6) + '***' + matched.substring(matched.length - 3)
+                                        : '***';
+                                    findings.push({
+                                        type: sp.type,
+                                        location: `${relPath}:${i + 1}`,
+                                        risk: sp.risk,
+                                        action: sp.action,
+                                        line: masked,
+                                    });
+                                    sp.pattern.lastIndex = 0;
+                                }
+                            }
+                        }
+                    }
+                    catch { /* file read error */ }
+                }
+            }
+        };
+        scanDir(rootDir);
+        spinner.succeed(`Scanned ${filesScanned} files`);
         output.writeln();
-        output.printTable({
-            columns: [
-                { key: 'type', header: 'Secret Type (Example)', width: 25 },
-                { key: 'location', header: 'Location', width: 30 },
-                { key: 'risk', header: 'Risk', width: 12 },
-                { key: 'action', header: 'Recommended', width: 20 },
-            ],
-            data: [
-                { type: 'AWS Access Key', location: 'example/config.ts:15', risk: output.error('Critical'), action: 'Rotate immediately' },
-                { type: 'GitHub Token', location: 'example/.env:8', risk: output.warning('High'), action: 'Remove from repo' },
-                { type: 'JWT Secret', location: 'example/auth.ts:42', risk: output.warning('High'), action: 'Use env variable' },
-                { type: 'DB Password', location: 'example/compose.yml:23', risk: output.warning('Medium'), action: 'Use secrets mgmt' },
-            ],
-        });
-        return { success: true };
+        if (findings.length > 0) {
+            const criticalCount = findings.filter(f => f.risk === 'Critical').length;
+            const highCount = findings.filter(f => f.risk === 'High').length;
+            const mediumCount = findings.filter(f => f.risk === 'Medium').length;
+            output.printTable({
+                columns: [
+                    { key: 'type', header: 'Secret Type', width: 25 },
+                    { key: 'location', header: 'Location', width: 35 },
+                    { key: 'risk', header: 'Risk', width: 12 },
+                    { key: 'action', header: 'Recommended', width: 22 },
+                ],
+                data: findings.slice(0, 25).map(f => ({
+                    type: f.type,
+                    location: f.location,
+                    risk: f.risk === 'Critical' ? output.error(f.risk) :
+                        f.risk === 'High' ? output.warning(f.risk) :
+                            output.warning(f.risk),
+                    action: f.action,
+                })),
+            });
+            if (findings.length > 25) {
+                output.writeln(output.dim(`... and ${findings.length - 25} more secrets found`));
+            }
+            output.writeln();
+            output.printBox([
+                `Path: ${scanPath}`,
+                `Files scanned: ${filesScanned}`,
+                ``,
+                `Critical: ${criticalCount}  High: ${highCount}  Medium: ${mediumCount}`,
+                `Total secrets found: ${findings.length}`,
+            ].join('\n'), 'Secrets Summary');
+        }
+        else {
+            output.writeln(output.success('No secrets detected.'));
+            output.writeln();
+            output.printBox([
+                `Path: ${scanPath}`,
+                `Files scanned: ${filesScanned}`,
+                ``,
+                `No hardcoded secrets, API keys, tokens, or credentials found.`,
+            ].join('\n'), 'Secrets Summary');
+        }
+        return { success: findings.length === 0 };
     },
 };
 // Defend subcommand (AIDefence integration)

package/v3/@claude-flow/cli/dist/src/commands/swarm.js

@@ -145,16 +145,99 @@ function getSwarmStatus(swarmId) {
             pending: pendingTasks
         },
         metrics: {
-            tokensUsed: 0,
-            avgResponseTime: '--',
-            successRate: totalTasks > 0 ? `${Math.round((completedTasks / totalTasks) * 100)}%` : '--',
-            elapsedTime: '--'
-        },
-        coordination: {
-            consensusRounds: 0,
-            messagesSent: 0,
-            conflictsResolved: 0
+            tokensUsed: swarmState?.tokensUsed ?? null,
+            avgResponseTime: (() => {
+                // Calculate average response time from task files with startedAt/completedAt
+                const taskTimesMs = [];
+                if (fs.existsSync(tasksDir)) {
+                    try {
+                        const taskFiles = fs.readdirSync(tasksDir).filter(f => f.endsWith('.json'));
+                        for (const file of taskFiles) {
+                            try {
+                                const task = JSON.parse(fs.readFileSync(path.join(tasksDir, file), 'utf-8'));
+                                if (task.startedAt && task.completedAt) {
+                                    const elapsed = new Date(task.completedAt).getTime() - new Date(task.startedAt).getTime();
+                                    if (elapsed > 0)
+                                        taskTimesMs.push(elapsed);
+                                }
+                            }
+                            catch { /* skip malformed task files */ }
+                        }
+                    }
+                    catch { /* skip if dir unreadable */ }
+                }
+                if (taskTimesMs.length === 0)
+                    return null;
+                const avgMs = Math.round(taskTimesMs.reduce((a, b) => a + b, 0) / taskTimesMs.length);
+                return avgMs < 1000 ? `${avgMs}ms` : `${(avgMs / 1000).toFixed(1)}s`;
+            })(),
+            successRate: totalTasks > 0 ? `${Math.round((completedTasks / totalTasks) * 100)}%` : null,
+            elapsedTime: (() => {
+                // Calculate from swarm startedAt in state.json
+                const startedAt = swarmState?.startedAt
+                    || swarmState?.initializedAt;
+                if (!startedAt)
+                    return null;
+                const elapsedMs = Date.now() - new Date(startedAt).getTime();
+                if (elapsedMs < 0)
+                    return null;
+                const secs = Math.floor(elapsedMs / 1000);
+                if (secs < 60)
+                    return `${secs}s`;
+                const mins = Math.floor(secs / 60);
+                const remSecs = secs % 60;
+                if (mins < 60)
+                    return `${mins}m ${remSecs}s`;
+                const hrs = Math.floor(mins / 60);
+                const remMins = mins % 60;
+                return `${hrs}h ${remMins}m`;
+            })()
         },
+        coordination: (() => {
+            // Read real coordination counts from .swarm/coordination/ directory
+            const coordDir = path.join(swarmDir, 'coordination');
+            let consensusRounds = 0;
+            let messagesSent = 0;
+            let conflictsResolved = 0;
+            if (fs.existsSync(coordDir)) {
+                try {
+                    const coordFiles = fs.readdirSync(coordDir).filter(f => f.endsWith('.json'));
+                    for (const file of coordFiles) {
+                        try {
+                            const entry = JSON.parse(fs.readFileSync(path.join(coordDir, file), 'utf-8'));
+                            if (entry.type === 'consensus')
+                                consensusRounds++;
+                            else if (entry.type === 'message')
+                                messagesSent++;
+                            else if (entry.type === 'conflict' || entry.type === 'conflict-resolution')
+                                conflictsResolved++;
+                            // Also aggregate pre-counted fields if present
+                            if (typeof entry.consensusRounds === 'number')
+                                consensusRounds += entry.consensusRounds;
+                            if (typeof entry.messagesSent === 'number')
+                                messagesSent += entry.messagesSent;
+                            if (typeof entry.conflictsResolved === 'number')
+                                conflictsResolved += entry.conflictsResolved;
+                        }
+                        catch { /* skip malformed coordination files */ }
+                    }
+                }
+                catch { /* skip if dir unreadable */ }
+            }
+            // Also check state.json for aggregate coordination stats
+            if (swarmState) {
+                const coord = swarmState.coordination;
+                if (coord) {
+                    if (typeof coord.consensusRounds === 'number')
+                        consensusRounds += coord.consensusRounds;
+                    if (typeof coord.messagesSent === 'number')
+                        messagesSent += coord.messagesSent;
+                    if (typeof coord.conflictsResolved === 'number')
+                        conflictsResolved += coord.conflictsResolved;
+                }
+            }
+            return { consensusRounds, messagesSent, conflictsResolved };
+        })(),
         hasActiveSwarm: !!swarmState || totalAgents > 0
     };
 }
@@ -433,8 +516,10 @@ const startCommand = {
         fs.writeFileSync(path.join(swarmDir, 'state.json'), JSON.stringify(executionState, null, 2));
         output.writeln();
         output.printSuccess(`Swarm ${swarmId} initialized with ${totalAgents} agent slots`);
-        output.writeln(output.dim('  Note: Agents are registered but actual task execution requires'));
-        output.writeln(output.dim('  Claude Code Task tool or hive-mind spawn --claude to drive work.'));
+        output.writeln(output.dim('  This CLI coordinates agent state. Execution happens via:'));
+        output.writeln(output.dim('  - Claude Code Agent tool (interactive)'));
+        output.writeln(output.dim('  - claude -p (headless background)'));
+        output.writeln(output.dim('  - hive-mind spawn --claude (autonomous)'));
         output.writeln(output.dim(`  Monitor: claude-flow swarm status ${swarmId}`));
         return { success: true, data: executionState };
     }
@@ -500,10 +585,10 @@ const statusCommand = {
         // Metrics
         output.writeln(output.bold('Performance Metrics'));
         output.printList([
-            `Tokens Used: ${status.metrics.tokensUsed.toLocaleString()}`,
-            `Avg Response Time: ${status.metrics.avgResponseTime}`,
-            `Success Rate: ${status.metrics.successRate}`,
-            `Elapsed Time: ${status.metrics.elapsedTime}`
+            `Tokens Used: ${status.metrics.tokensUsed != null ? status.metrics.tokensUsed.toLocaleString() : output.dim('unknown')}`,
+            `Avg Response Time: ${status.metrics.avgResponseTime ?? output.dim('no data')}`,
+            `Success Rate: ${status.metrics.successRate ?? output.dim('no data')}`,
+            `Elapsed Time: ${status.metrics.elapsedTime ?? output.dim('no data')}`
         ]);
         output.writeln();
         // Coordination stats