claude-flow 3.5.77 → 3.5.79
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/v3/@claude-flow/cli/dist/src/commands/init.js +7 -3
- package/v3/@claude-flow/cli/dist/src/commands/security.js +1 -1
- package/v3/@claude-flow/cli/dist/src/init/executor.js +10 -0
- package/v3/@claude-flow/cli/dist/src/mcp-server.js +4 -5
- package/v3/@claude-flow/cli/dist/src/mcp-tools/performance-tools.js +2 -6
- package/v3/@claude-flow/cli/dist/src/mcp-tools/types.d.ts +20 -3
- package/v3/@claude-flow/cli/dist/src/mcp-tools/types.js +65 -4
- package/v3/@claude-flow/cli/dist/src/ruvector/coverage-router.js +6 -4
- package/v3/@claude-flow/cli/dist/src/ruvector/diff-classifier.js +4 -3
- package/v3/@claude-flow/cli/dist/src/update/checker.js +5 -4
- package/v3/@claude-flow/cli/package.json +2 -3
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "claude-flow",
|
|
3
|
-
"version": "3.5.
|
|
3
|
+
"version": "3.5.79",
|
|
4
4
|
"description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"type": "module",
|
|
@@ -231,8 +231,12 @@ const initAction = async (ctx) => {
|
|
|
231
231
|
}
|
|
232
232
|
output.printBox(summary.join('\n'), 'Summary');
|
|
233
233
|
output.writeln();
|
|
234
|
-
// Show what was created
|
|
235
|
-
if (
|
|
234
|
+
// Show what was created (honest about skip-claude — #1597)
|
|
235
|
+
if (skipClaude) {
|
|
236
|
+
output.printBox('Skipped (--skip-claude): no files written under .claude/ or ~/.claude/', 'Claude Code Integration');
|
|
237
|
+
output.writeln();
|
|
238
|
+
}
|
|
239
|
+
else if (options.components.claudeMd || options.components.settings || options.components.skills || options.components.commands || options.components.agents) {
|
|
236
240
|
output.printBox([
|
|
237
241
|
options.components.claudeMd ? `CLAUDE.md: Swarm guidance & configuration` : '',
|
|
238
242
|
options.components.settings ? `Settings: .claude/settings.json` : '',
|
|
@@ -909,7 +913,7 @@ export const initCommand = {
|
|
|
909
913
|
},
|
|
910
914
|
{
|
|
911
915
|
name: 'skip-claude',
|
|
912
|
-
description: 'Skip .claude/
|
|
916
|
+
description: 'Skip all .claude/ writes including global ~/.claude/CLAUDE.md (runtime only)',
|
|
913
917
|
type: 'boolean',
|
|
914
918
|
default: false,
|
|
915
919
|
},
|
|
@@ -5,6 +5,7 @@
|
|
|
5
5
|
* Created with ❤️ by ruv.io
|
|
6
6
|
*/
|
|
7
7
|
import { output } from '../output.js';
|
|
8
|
+
import { execSync } from 'node:child_process';
|
|
8
9
|
// Scan subcommand
|
|
9
10
|
const scanCommand = {
|
|
10
11
|
name: 'scan',
|
|
@@ -337,7 +338,6 @@ const threatsCommand = {
|
|
|
337
338
|
// Check for .env files committed to git
|
|
338
339
|
const checkEnvInGit = () => {
|
|
339
340
|
try {
|
|
340
|
-
const { execSync } = require('child_process');
|
|
341
341
|
const tracked = execSync('git ls-files --cached', { cwd: rootDir, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
|
|
342
342
|
const envFiles = tracked.split('\n').filter((f) => /(?:^|\/)\.env(?:\.|$)/.test(f));
|
|
343
343
|
for (const envFile of envFiles) {
|
|
@@ -1663,6 +1663,11 @@ async function writeClaudeMd(targetDir, options, result) {
|
|
|
1663
1663
|
result.created.files.push('CLAUDE.md');
|
|
1664
1664
|
}
|
|
1665
1665
|
// Also write/append global ~/.claude/CLAUDE.md so ruflo tools are used automatically (#1497)
|
|
1666
|
+
// Guarded to never overwrite user content and to respect opt-out env var (#1597).
|
|
1667
|
+
// Opt out entirely with CLAUDE_FLOW_SKIP_GLOBAL_CLAUDE_MD=1.
|
|
1668
|
+
if (process.env.CLAUDE_FLOW_SKIP_GLOBAL_CLAUDE_MD === '1') {
|
|
1669
|
+
return;
|
|
1670
|
+
}
|
|
1666
1671
|
const homeDir = process.env.HOME || process.env.USERPROFILE || '';
|
|
1667
1672
|
if (homeDir) {
|
|
1668
1673
|
const globalClaudeDir = path.join(homeDir, '.claude');
|
|
@@ -1682,8 +1687,13 @@ async function writeClaudeMd(targetDir, options, result) {
|
|
|
1682
1687
|
if (fs.existsSync(globalClaudeMd)) {
|
|
1683
1688
|
const existing = fs.readFileSync(globalClaudeMd, 'utf-8');
|
|
1684
1689
|
if (!existing.includes('Ruflo Integration')) {
|
|
1690
|
+
// Always back up existing user content before any modification (#1597).
|
|
1691
|
+
const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
|
|
1692
|
+
const backupPath = `${globalClaudeMd}.backup-${timestamp}`;
|
|
1693
|
+
fs.copyFileSync(globalClaudeMd, backupPath);
|
|
1685
1694
|
fs.appendFileSync(globalClaudeMd, rufloBlock);
|
|
1686
1695
|
result.created.files.push('~/.claude/CLAUDE.md (appended ruflo block)');
|
|
1696
|
+
result.created.files.push(`~/.claude/CLAUDE.md.backup-${timestamp} (backup of pre-existing content)`);
|
|
1687
1697
|
}
|
|
1688
1698
|
}
|
|
1689
1699
|
else {
|
|
@@ -17,6 +17,8 @@
|
|
|
17
17
|
* @version 3.0.0
|
|
18
18
|
*/
|
|
19
19
|
import { EventEmitter } from 'events';
|
|
20
|
+
import { execFileSync } from 'child_process';
|
|
21
|
+
import { request as httpRequestFn } from 'http';
|
|
20
22
|
import { randomUUID } from 'crypto';
|
|
21
23
|
import * as path from 'path';
|
|
22
24
|
import * as fs from 'fs';
|
|
@@ -572,13 +574,11 @@ export class MCPServerManager extends EventEmitter {
|
|
|
572
574
|
// Verify it's actually a node process (guards against PID reuse)
|
|
573
575
|
// DA-CRIT-3: Use execFileSync to prevent command injection via PID values
|
|
574
576
|
try {
|
|
575
|
-
const { execFileSync } = require('child_process');
|
|
576
577
|
const safePid = String(Math.floor(Math.abs(pid)));
|
|
577
578
|
let cmdline = '';
|
|
578
579
|
try {
|
|
579
580
|
// Try /proc on Linux
|
|
580
|
-
|
|
581
|
-
cmdline = readFileSync(`/proc/${safePid}/cmdline`, 'utf8');
|
|
581
|
+
cmdline = fs.readFileSync(`/proc/${safePid}/cmdline`, 'utf8');
|
|
582
582
|
}
|
|
583
583
|
catch {
|
|
584
584
|
// Fall back to ps on macOS/other
|
|
@@ -608,8 +608,7 @@ export class MCPServerManager extends EventEmitter {
|
|
|
608
608
|
async httpRequest(url, method, timeout) {
|
|
609
609
|
return new Promise((resolve, reject) => {
|
|
610
610
|
const urlObj = new URL(url);
|
|
611
|
-
const
|
|
612
|
-
const req = http.request({
|
|
611
|
+
const req = httpRequestFn({
|
|
613
612
|
hostname: urlObj.hostname,
|
|
614
613
|
port: urlObj.port,
|
|
615
614
|
path: urlObj.pathname,
|
|
@@ -13,7 +13,7 @@
|
|
|
13
13
|
*/
|
|
14
14
|
import { getProjectCwd } from './types.js';
|
|
15
15
|
import { validateIdentifier } from './validate-input.js';
|
|
16
|
-
import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
|
|
16
|
+
import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync, readdirSync } from 'node:fs';
|
|
17
17
|
import { join } from 'node:path';
|
|
18
18
|
import * as os from 'node:os';
|
|
19
19
|
// Storage paths
|
|
@@ -183,7 +183,6 @@ export const performanceTools = [
|
|
|
183
183
|
readFileSync(probeFile);
|
|
184
184
|
diskLatencyMs = Math.round((performance.now() - t0) * 100) / 100;
|
|
185
185
|
try {
|
|
186
|
-
const { unlinkSync } = require('node:fs');
|
|
187
186
|
unlinkSync(probeFile);
|
|
188
187
|
}
|
|
189
188
|
catch { /* best-effort */ }
|
|
@@ -421,7 +420,6 @@ export const performanceTools = [
|
|
|
421
420
|
.sort((a, b) => b.percentOfTotal - a.percentOfTotal);
|
|
422
421
|
// Cleanup probe file
|
|
423
422
|
try {
|
|
424
|
-
const { unlinkSync } = require('node:fs');
|
|
425
423
|
unlinkSync(join(getPerfDir(), '.profile-probe'));
|
|
426
424
|
}
|
|
427
425
|
catch { /* ok */ }
|
|
@@ -472,7 +470,6 @@ export const performanceTools = [
|
|
|
472
470
|
readFileSync(probe);
|
|
473
471
|
diskLatencyBefore = Math.round((performance.now() - t0) * 100) / 100;
|
|
474
472
|
try {
|
|
475
|
-
const { unlinkSync } = require('node:fs');
|
|
476
473
|
unlinkSync(probe);
|
|
477
474
|
}
|
|
478
475
|
catch { /* ok */ }
|
|
@@ -517,10 +514,9 @@ export const performanceTools = [
|
|
|
517
514
|
if (aggressive) {
|
|
518
515
|
try {
|
|
519
516
|
const dir = getPerfDir();
|
|
520
|
-
const { readdirSync, unlinkSync: ul } = require('node:fs');
|
|
521
517
|
const probes = readdirSync(dir).filter((f) => f.startsWith('.'));
|
|
522
518
|
probes.forEach((f) => { try {
|
|
523
|
-
|
|
519
|
+
unlinkSync(join(dir, f));
|
|
524
520
|
}
|
|
525
521
|
catch { /* ok */ } });
|
|
526
522
|
if (probes.length > 0)
|
|
@@ -18,11 +18,28 @@ export interface MCPToolResult {
|
|
|
18
18
|
isError?: boolean;
|
|
19
19
|
}
|
|
20
20
|
/**
|
|
21
|
-
* Returns the effective project working directory.
|
|
22
|
-
*
|
|
23
|
-
*
|
|
21
|
+
* Returns the effective project working directory for storage path resolution.
|
|
22
|
+
*
|
|
23
|
+
* Resolution order (#1577):
|
|
24
|
+
* 1. CLAUDE_FLOW_PROJECT_DIR — explicit ruflo project override
|
|
25
|
+
* 2. CLAUDE_FLOW_CWD — legacy ruflo override set by install script
|
|
26
|
+
* 3. CLAUDE_PROJECT_DIR — Claude Code's native project dir env var
|
|
27
|
+
* 4. INIT_CWD — npm's original invocation dir
|
|
28
|
+
* 5. process.cwd() — if it is not a system directory
|
|
29
|
+
* 6. os.homedir() — safe fallback
|
|
30
|
+
*
|
|
31
|
+
* System directories (e.g. C:\Windows\System32 on Windows, where MCP servers
|
|
32
|
+
* spawned by AI agents commonly inherit cwd) are rejected at every step.
|
|
33
|
+
*
|
|
34
|
+
* Only use this for storage path resolution. When the actual runtime working
|
|
35
|
+
* directory matters (e.g. child process cwd, user-facing status), call
|
|
36
|
+
* process.cwd() directly.
|
|
24
37
|
*/
|
|
25
38
|
export declare function getProjectCwd(): string;
|
|
39
|
+
/**
|
|
40
|
+
* Reset cached value. Intended for tests only.
|
|
41
|
+
*/
|
|
42
|
+
export declare function __resetProjectCwdCache(): void;
|
|
26
43
|
export interface MCPTool {
|
|
27
44
|
name: string;
|
|
28
45
|
description: string;
|
|
@@ -3,12 +3,73 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Local type definitions to avoid external imports outside package boundary.
|
|
5
5
|
*/
|
|
6
|
+
import { homedir } from 'node:os';
|
|
7
|
+
// System directories that must not be used for project storage (#1577).
|
|
8
|
+
// On Windows, MCP servers spawned by AI agents often inherit System32 as cwd
|
|
9
|
+
// — writing there fails with EPERM.
|
|
10
|
+
const SYSTEM_DIR_PREFIXES = [
|
|
11
|
+
'c:\\windows',
|
|
12
|
+
'c:/windows',
|
|
13
|
+
'/windows/system32',
|
|
14
|
+
];
|
|
15
|
+
function isSystemDir(dir) {
|
|
16
|
+
if (!dir)
|
|
17
|
+
return true;
|
|
18
|
+
const lower = dir.toLowerCase().replace(/\\/g, '/');
|
|
19
|
+
return SYSTEM_DIR_PREFIXES.some((p) => lower.startsWith(p.replace(/\\/g, '/')));
|
|
20
|
+
}
|
|
21
|
+
let _cachedProjectCwd;
|
|
6
22
|
/**
|
|
7
|
-
* Returns the effective project working directory.
|
|
8
|
-
*
|
|
9
|
-
*
|
|
23
|
+
* Returns the effective project working directory for storage path resolution.
|
|
24
|
+
*
|
|
25
|
+
* Resolution order (#1577):
|
|
26
|
+
* 1. CLAUDE_FLOW_PROJECT_DIR — explicit ruflo project override
|
|
27
|
+
* 2. CLAUDE_FLOW_CWD — legacy ruflo override set by install script
|
|
28
|
+
* 3. CLAUDE_PROJECT_DIR — Claude Code's native project dir env var
|
|
29
|
+
* 4. INIT_CWD — npm's original invocation dir
|
|
30
|
+
* 5. process.cwd() — if it is not a system directory
|
|
31
|
+
* 6. os.homedir() — safe fallback
|
|
32
|
+
*
|
|
33
|
+
* System directories (e.g. C:\Windows\System32 on Windows, where MCP servers
|
|
34
|
+
* spawned by AI agents commonly inherit cwd) are rejected at every step.
|
|
35
|
+
*
|
|
36
|
+
* Only use this for storage path resolution. When the actual runtime working
|
|
37
|
+
* directory matters (e.g. child process cwd, user-facing status), call
|
|
38
|
+
* process.cwd() directly.
|
|
10
39
|
*/
|
|
11
40
|
export function getProjectCwd() {
|
|
12
|
-
|
|
41
|
+
if (_cachedProjectCwd !== undefined)
|
|
42
|
+
return _cachedProjectCwd;
|
|
43
|
+
const envKeys = [
|
|
44
|
+
'CLAUDE_FLOW_PROJECT_DIR',
|
|
45
|
+
'CLAUDE_FLOW_CWD',
|
|
46
|
+
'CLAUDE_PROJECT_DIR',
|
|
47
|
+
'INIT_CWD',
|
|
48
|
+
];
|
|
49
|
+
for (const key of envKeys) {
|
|
50
|
+
const val = process.env[key];
|
|
51
|
+
if (val && !isSystemDir(val)) {
|
|
52
|
+
_cachedProjectCwd = val;
|
|
53
|
+
return _cachedProjectCwd;
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
try {
|
|
57
|
+
const cwd = process.cwd();
|
|
58
|
+
if (!isSystemDir(cwd)) {
|
|
59
|
+
_cachedProjectCwd = cwd;
|
|
60
|
+
return _cachedProjectCwd;
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
catch {
|
|
64
|
+
// process.cwd() can throw ENOENT if the cwd was deleted — fall through.
|
|
65
|
+
}
|
|
66
|
+
_cachedProjectCwd = homedir();
|
|
67
|
+
return _cachedProjectCwd;
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* Reset cached value. Intended for tests only.
|
|
71
|
+
*/
|
|
72
|
+
export function __resetProjectCwdCache() {
|
|
73
|
+
_cachedProjectCwd = undefined;
|
|
13
74
|
}
|
|
14
75
|
//# sourceMappingURL=types.js.map
|
|
@@ -6,6 +6,9 @@
|
|
|
6
6
|
* - TTL-based caching of coverage data
|
|
7
7
|
* - Singleton router instance
|
|
8
8
|
*/
|
|
9
|
+
import * as pathMod from 'node:path';
|
|
10
|
+
import { existsSync } from 'node:fs';
|
|
11
|
+
import { readFile } from 'node:fs/promises';
|
|
9
12
|
// ============================================================================
|
|
10
13
|
// Caching for Performance
|
|
11
14
|
// ============================================================================
|
|
@@ -378,7 +381,8 @@ export async function coverageGaps(options = {}) {
|
|
|
378
381
|
* Returns null if path is invalid or attempts traversal
|
|
379
382
|
*/
|
|
380
383
|
function validateProjectPath(inputPath) {
|
|
381
|
-
|
|
384
|
+
// eslint-disable-next-line @typescript-eslint/no-var-requires -- sync function, top-level import at file head
|
|
385
|
+
const { resolve, normalize, isAbsolute } = pathMod;
|
|
382
386
|
// Default to cwd if not provided
|
|
383
387
|
const basePath = inputPath || process.cwd();
|
|
384
388
|
// Normalize and resolve the path
|
|
@@ -417,9 +421,7 @@ async function loadProjectCoverage(projectRoot, skipCache) {
|
|
|
417
421
|
return cached.report;
|
|
418
422
|
}
|
|
419
423
|
}
|
|
420
|
-
const {
|
|
421
|
-
const { readFile } = require('fs/promises');
|
|
422
|
-
const { join, normalize } = require('path');
|
|
424
|
+
const { join, normalize } = pathMod;
|
|
423
425
|
// Try common coverage locations (all relative to validated root)
|
|
424
426
|
const coverageLocations = [
|
|
425
427
|
['coverage', 'coverage-final.json'],
|
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Diff Classifier for Change Analysis
|
|
3
3
|
*/
|
|
4
|
+
import { execFileSync, execFile } from 'node:child_process';
|
|
5
|
+
import { promisify } from 'node:util';
|
|
4
6
|
const DEFAULT_CONFIG = {
|
|
5
7
|
maxDiffSize: 10000,
|
|
6
8
|
classifyByImpact: true,
|
|
@@ -344,7 +346,7 @@ export function getGitDiffNumstat(ref = 'HEAD') {
|
|
|
344
346
|
if (cached && Date.now() - cached.timestamp < CACHE_TTL_MS) {
|
|
345
347
|
return cached.files;
|
|
346
348
|
}
|
|
347
|
-
|
|
349
|
+
// execFileSync imported at top level
|
|
348
350
|
try {
|
|
349
351
|
// SECURITY: Use execFileSync with args array instead of shell string
|
|
350
352
|
// This prevents command injection via the ref parameter
|
|
@@ -417,8 +419,7 @@ export async function getGitDiffNumstatAsync(ref = 'HEAD') {
|
|
|
417
419
|
if (cached && Date.now() - cached.timestamp < CACHE_TTL_MS) {
|
|
418
420
|
return cached.files;
|
|
419
421
|
}
|
|
420
|
-
|
|
421
|
-
const { promisify } = require('util');
|
|
422
|
+
// execFile + promisify imported at top level
|
|
422
423
|
const execFileAsync = promisify(execFile);
|
|
423
424
|
try {
|
|
424
425
|
// SECURITY: Use execFile with args array instead of shell string
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
* Queries npm registry and compares versions
|
|
4
4
|
*/
|
|
5
5
|
import * as semver from 'semver';
|
|
6
|
+
import { createRequire } from 'node:module';
|
|
6
7
|
import { shouldCheckForUpdates, recordCheck, getCachedVersions } from './rate-limiter.js';
|
|
7
8
|
const DEFAULT_CONFIG = {
|
|
8
9
|
enabled: true,
|
|
@@ -88,10 +89,10 @@ export function getInstalledVersion(packageName) {
|
|
|
88
89
|
];
|
|
89
90
|
for (const modulePath of possiblePaths) {
|
|
90
91
|
try {
|
|
91
|
-
// Use
|
|
92
|
-
const
|
|
93
|
-
|
|
94
|
-
const pkg =
|
|
92
|
+
// Use createRequire for ESM-compatible package.json loading
|
|
93
|
+
const esmRequire = createRequire(import.meta.url);
|
|
94
|
+
const resolved = esmRequire.resolve(modulePath, { paths: [process.cwd()] });
|
|
95
|
+
const pkg = esmRequire(resolved);
|
|
95
96
|
return pkg.version;
|
|
96
97
|
}
|
|
97
98
|
catch {
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@claude-flow/cli",
|
|
3
|
-
"version": "3.5.
|
|
3
|
+
"version": "3.5.79",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
|
|
6
6
|
"main": "dist/src/index.js",
|
|
@@ -115,8 +115,7 @@
|
|
|
115
115
|
"@ruvector/rvagent-wasm": "^0.1.0",
|
|
116
116
|
"@ruvector/diskann": "^0.1.0",
|
|
117
117
|
"@ruvector/sona": "^0.1.5",
|
|
118
|
-
"agentdb": "^3.0.0-alpha.11"
|
|
119
|
-
"agentic-flow": "^3.0.0-alpha.1"
|
|
118
|
+
"agentdb": "^3.0.0-alpha.11"
|
|
120
119
|
},
|
|
121
120
|
"publishConfig": {
|
|
122
121
|
"access": "public",
|