claude-flow 3.6.23 → 3.6.25

package/v3/@claude-flow/cli/dist/src/mcp-tools/validate-input.js

@@ -104,6 +104,62 @@ export function validateText(value, label, maxLen = 10_000) {
     const sanitized = value.replace(/\0/g, '');
     return { valid: true, sanitized };
 }
+/**
+ * Names that let an attacker pivot a child process before any user code runs:
+ * shared-library injection on Linux/macOS, Node hooks, and command resolution.
+ *
+ * audit_1776853149979: terminal_create previously merged caller-supplied env
+ * straight into execSync's environment for every subsequent command in the
+ * session. Setting LD_PRELOAD or NODE_OPTIONS via that path is functionally
+ * equivalent to remote code execution, so the env input needs an allowlist
+ * shape and a denylist on these specific names.
+ */
+const DENYLISTED_ENV_NAMES = new Set([
+    'LD_PRELOAD',
+    'LD_LIBRARY_PATH',
+    'LD_AUDIT',
+    'DYLD_INSERT_LIBRARIES',
+    'DYLD_LIBRARY_PATH',
+    'DYLD_FALLBACK_LIBRARY_PATH',
+    'DYLD_FORCE_FLAT_NAMESPACE',
+    'NODE_OPTIONS',
+    'NODE_PATH',
+]);
+const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;
+/**
+ * Validate a Record<string,string> of environment variables: enforce POSIX
+ * names, reject hijack-prone names (LD_PRELOAD, NODE_OPTIONS, …), forbid null
+ * bytes in values, and cap value length so a malicious caller can't bloat the
+ * stored session past reasonable bounds.
+ */
+export function validateEnv(value, label = 'env') {
+    if (value === undefined || value === null) {
+        return { valid: true, sanitized: {} };
+    }
+    if (typeof value !== 'object' || Array.isArray(value)) {
+        return { valid: false, sanitized: {}, error: `${label} must be an object of string→string` };
+    }
+    const out = {};
+    for (const [name, rawVal] of Object.entries(value)) {
+        if (!ENV_NAME_RE.test(name)) {
+            return { valid: false, sanitized: {}, error: `${label} key "${name}" is not a valid POSIX env name` };
+        }
+        if (DENYLISTED_ENV_NAMES.has(name)) {
+            return { valid: false, sanitized: {}, error: `${label} key "${name}" is denylisted (loader/runtime hijack)` };
+        }
+        if (typeof rawVal !== 'string') {
+            return { valid: false, sanitized: {}, error: `${label}["${name}"] must be a string` };
+        }
+        if (rawVal.length > 32_768) {
+            return { valid: false, sanitized: {}, error: `${label}["${name}"] exceeds 32768 characters` };
+        }
+        if (rawVal.includes('\0')) {
+            return { valid: false, sanitized: {}, error: `${label}["${name}"] contains a null byte` };
+        }
+        out[name] = rawVal;
+    }
+    return { valid: true, sanitized: out };
+}
 /**
  * Assert validation or throw with a structured error.
  */

package/v3/@claude-flow/cli/dist/src/memory/memory-bridge.js

@@ -252,6 +252,7 @@ async function getRegistry(dbPath) {
                                 // (separate from the main memory.db so the audit trail
                                 // is isolated). Best-effort: if better-sqlite3 isn't
                                 // resolvable in this env, skip cleanly.
+                                let attestationInst = null;
                                 if (!reg.get('attestationLog')) {
                                     try {
                                         const attestationFile = path.join(adbDir, 'dist/src/security/AttestationLog.js');
@@ -267,6 +268,7 @@ async function getRegistry(dbPath) {
                                             const Ctor = mod.AttestationLog;
                                             if (typeof Ctor === 'function') {
                                                 const inst = new Ctor({ db });
+                                                attestationInst = inst;
                                                 if (typeof reg.set === 'function')
                                                     reg.set('attestationLog', inst);
                                                 else
@@ -276,6 +278,36 @@ async function getRegistry(dbPath) {
                                     }
                                     catch { /* better-sqlite3 missing or schema init failed — skip silently */ }
                                 }
+                                // ADR-095 G7 follow-up: GuardedVectorBackend wraps the
+                                // existing vectorBackend with mutationGuard + attestationLog
+                                // for proof-gated state mutations (ADR-060). All three
+                                // dependencies are reachable here — vectorBackend is in
+                                // the baseline init, mutationGuard was just activated, and
+                                // attestationLog is constructed above. Skip if any piece
+                                // is missing rather than constructing with undefined.
+                                if (!reg.get('guardedVectorBackend')) {
+                                    try {
+                                        const gvbFile = path.join(adbDir, 'dist/src/backends/ruvector/GuardedVectorBackend.js');
+                                        if (fs.existsSync(gvbFile)) {
+                                            const inner = reg.get('vectorBackend');
+                                            const guard = reg.get('mutationGuard');
+                                            const log = attestationInst ?? reg.get('attestationLog');
+                                            if (inner && guard) {
+                                                const url = pathToFileURL(gvbFile).href;
+                                                const mod = await import(url);
+                                                const Ctor = mod.GuardedVectorBackend;
+                                                if (typeof Ctor === 'function') {
+                                                    const inst = new Ctor(inner, guard, log);
+                                                    if (typeof reg.set === 'function')
+                                                        reg.set('guardedVectorBackend', inst);
+                                                    else
+                                                        reg._controllers = { ...(reg._controllers || {}), guardedVectorBackend: inst };
+                                                }
+                                            }
+                                        }
+                                    }
+                                    catch { /* GuardedVectorBackend optional */ }
+                                }
                             }
                         }
                         catch { /* G7 wiring optional */ }
@@ -284,9 +316,7 @@ async function getRegistry(dbPath) {
                     // path doesn't tear down the rest of the post-init wiring.
                     await Promise.allSettled([intelligencePromise, agentdbPromise]);
                     // Remaining disabled controllers tracked in ADR-095 G7 for
-                    // per-controller activation ADRs (each needs config / key
-                    // material that we don't pass blindly):
-                    //   - guardedVectorBackend (secured backend — needs key material)
+                    // per-controller activation ADRs:
                     //   - graphAdapter (graph DB adapter — needs graph DB connection)
                 }
                 catch {

package/v3/@claude-flow/cli/dist/src/memory/memory-initializer.js

@@ -10,6 +10,7 @@
  */
 import * as fs from 'fs';
 import * as path from 'path';
+import { readFileMaybeEncrypted, writeFileRestricted } from '../fs-secure.js';
 // ADR-053: Lazy import of AgentDB v3 bridge
 let _bridge;
 async function getBridge() {
@@ -403,7 +404,7 @@ export async function getHNSWIndex(options) {
             try {
                 const initSqlJs = (await import('sql.js')).default;
                 const SQL = await initSqlJs();
-                const fileBuffer = fs.readFileSync(dbPath);
+                const fileBuffer = readFileMaybeEncrypted(dbPath, null);
                 const sqlDb = new SQL.Database(fileBuffer);
                 // Load all entries with embeddings
                 const result = sqlDb.exec(`
@@ -828,7 +829,7 @@ export async function ensureSchemaColumns(dbPath) {
         }
         const initSqlJs = (await import('sql.js')).default;
         const SQL = await initSqlJs();
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         // Get current columns in memory_entries
         const tableInfo = db.exec("PRAGMA table_info(memory_entries)");
@@ -865,7 +866,7 @@ export async function ensureSchemaColumns(dbPath) {
         if (modified) {
             // Save updated database
             const data = db.export();
-            fs.writeFileSync(dbPath, Buffer.from(data));
+            writeFileRestricted(dbPath, Buffer.from(data), { encrypt: true });
         }
         db.close();
         return { success: true, columnsAdded };
@@ -1035,7 +1036,7 @@ export async function initializeMemoryDatabase(options) {
             // Save to file
             const data = db.export();
             const buffer = Buffer.from(data);
-            fs.writeFileSync(dbPath, buffer);
+            writeFileRestricted(dbPath, buffer, { encrypt: true });
             // Close database
             db.close();
             // Also create schema file for reference
@@ -1101,7 +1102,7 @@ export async function initializeMemoryDatabase(options) {
             sqliteHeader[25] = 0x40;
             sqliteHeader[26] = 0x20; // min embedded payload
             sqliteHeader[27] = 0x20; // leaf payload
-            fs.writeFileSync(dbPath, sqliteHeader);
+            writeFileRestricted(dbPath, sqliteHeader, { encrypt: true });
             // ADR-053: Activate ControllerRegistry even on fallback path
             const controllerResult = await activateControllerRegistry(dbPath, verbose);
             return {
@@ -1546,7 +1547,7 @@ export async function verifyMemoryInit(dbPath, options) {
         const SQL = await initSqlJs();
         const fs = await import('fs');
         // Load database
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         // Test 1: Schema verification
         const schemaStart = Date.now();
@@ -1679,7 +1680,7 @@ export async function verifyMemoryInit(dbPath, options) {
         db.run(`DELETE FROM memory_entries WHERE id = ?`, [testId]);
         // Save changes
         const data = db.export();
-        fs.writeFileSync(dbPath, Buffer.from(data));
+        writeFileRestricted(dbPath, Buffer.from(data), { encrypt: true });
         db.close();
         const passed = tests.filter(t => t.passed).length;
         const failed = tests.filter(t => !t.passed).length;
@@ -1740,7 +1741,7 @@ export async function storeEntry(options) {
         await ensureSchemaColumns(dbPath);
         const initSqlJs = (await import('sql.js')).default;
         const SQL = await initSqlJs();
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         const id = `entry_${Date.now()}_${Math.random().toString(36).substring(7)}`;
         const now = Date.now();
@@ -1782,7 +1783,7 @@ export async function storeEntry(options) {
         ]);
         // Save
         const data = db.export();
-        fs.writeFileSync(dbPath, Buffer.from(data));
+        writeFileRestricted(dbPath, Buffer.from(data), { encrypt: true });
         db.close();
         // Add to HNSW index for faster future searches
         if (embeddingJson) {
@@ -1843,7 +1844,7 @@ export async function searchEntries(options) {
                 // Rerank candidates with exact cosine similarity from SQLite
                 const initSqlJs = (await import('sql.js')).default;
                 const SQL = await initSqlJs();
-                const fileBuffer = fs.readFileSync(dbPath);
+                const fileBuffer = readFileMaybeEncrypted(dbPath, null);
                 const db = new SQL.Database(fileBuffer);
                 const reranked = [];
                 for (const candidate of rabitqCandidates) {
@@ -1893,7 +1894,7 @@ export async function searchEntries(options) {
         // Fall back to brute-force SQLite search
         const initSqlJs = (await import('sql.js')).default;
         const SQL = await initSqlJs();
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         // Get entries with embeddings
         const searchStmt = db.prepare(effectiveNamespace !== 'all'
@@ -2004,7 +2005,7 @@ export async function listEntries(options) {
         await ensureSchemaColumns(dbPath);
         const initSqlJs = (await import('sql.js')).default;
         const SQL = await initSqlJs();
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         // Get total count
         const countStmt = namespace
@@ -2089,7 +2090,7 @@ export async function getEntry(options) {
         await ensureSchemaColumns(dbPath);
         const initSqlJs = (await import('sql.js')).default;
         const SQL = await initSqlJs();
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         // Find entry by key
         const getStmt = db.prepare(`
@@ -2120,7 +2121,7 @@ export async function getEntry(options) {
     `, [String(id)]);
         // Save updated database
         const data = db.export();
-        fs.writeFileSync(dbPath, Buffer.from(data));
+        writeFileRestricted(dbPath, Buffer.from(data), { encrypt: true });
         db.close();
         let tags = [];
         if (tagsJson) {
@@ -2200,7 +2201,7 @@ export async function deleteEntry(options) {
         await ensureSchemaColumns(dbPath);
         const initSqlJs = (await import('sql.js')).default;
         const SQL = await initSqlJs();
-        const fileBuffer = fs.readFileSync(dbPath);
+        const fileBuffer = readFileMaybeEncrypted(dbPath, null);
         const db = new SQL.Database(fileBuffer);
         // Check if entry exists first
         const checkStmt = db.prepare(`
@@ -2249,7 +2250,7 @@ export async function deleteEntry(options) {
         const remainingEntries = countResult[0]?.values?.[0]?.[0] || 0;
         // Save updated database
         const data = db.export();
-        fs.writeFileSync(dbPath, Buffer.from(data));
+        writeFileRestricted(dbPath, Buffer.from(data), { encrypt: true });
         db.close();
         // Clean up in-memory HNSW index so ghost vectors don't appear in searches.
         // Remove the entry from the HNSW entries map and invalidate the index.

package/v3/@claude-flow/cli/dist/src/transfer/ipfs/upload.js

@@ -279,6 +279,8 @@ export async function checkContent(cid, gateway = 'https://w3s.link') {
     try {
         const response = await fetch(`${gateway}/ipfs/${cid}`, {
             method: 'HEAD',
+            // audit_1776853149979: HEAD probe should never hang; 10s upper bound.
+            signal: AbortSignal.timeout(10000),
         });
         if (response.ok) {
             const size = parseInt(response.headers.get('content-length') || '0', 10);

package/v3/@claude-flow/cli/dist/src/update/executor.d.ts

@@ -4,6 +4,7 @@
  */
 import { UpdateCheckResult } from './checker.js';
 import { ValidationResult } from './validator.js';
+export declare function isSafePackageSpec(pkg: string, version: string): boolean;
 export interface UpdateHistoryEntry {
     timestamp: string;
     package: string;

package/v3/@claude-flow/cli/dist/src/update/executor.js

@@ -2,11 +2,27 @@
  * Update executor - performs actual package updates
  * Includes rollback capability
  */
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import { validateUpdate } from './validator.js';
+/**
+ * audit_1776853149979: package name and version come from npm-view output and
+ * the update-history.json file (writable by anyone with FS access). Both
+ * previously interpolated straight into a shell string for `npm install`.
+ * These regexes pre-flight values so a hostile package name can't slip
+ * shell metacharacters through, even though execFileSync below already
+ * eliminates the shell.
+ */
+// First char of the unscoped name forbids `-` to defang CLI-flag confusion
+// when the spec is passed to npm (npm install -evil@1.0.0 looks flag-shaped).
+const SAFE_PKG_RE = /^(@[a-zA-Z0-9_\-]+\/)?[a-zA-Z0-9_][a-zA-Z0-9_\-.]{0,213}$/;
+// semver / dist-tag / range chars only — no shell metas.
+const SAFE_VERSION_RE = /^[a-zA-Z0-9._\-+~^*xX]{1,64}$/;
+export function isSafePackageSpec(pkg, version) {
+    return SAFE_PKG_RE.test(pkg) && SAFE_VERSION_RE.test(version);
+}
 const HISTORY_FILE = path.join(os.homedir(), '.claude-flow', 'update-history.json');
 const MAX_HISTORY_ENTRIES = 100;
 function ensureDir() {
@@ -58,13 +74,25 @@ export async function executeUpdate(update, installedPackages, dryRun = false) {
             validation,
         };
     }
+    // audit_1776853149979: validate package + version regex before any exec.
+    if (!isSafePackageSpec(update.package, update.latestVersion)) {
+        return {
+            success: false,
+            package: update.package,
+            version: update.latestVersion,
+            error: `Refusing to install: package or version contains disallowed characters (pkg="${update.package}", version="${update.latestVersion}")`,
+            validation,
+        };
+    }
     try {
-        // Execute npm install
-        const installCmd = `npm install ${update.package}@${update.latestVersion} --save-exact`;
-        execSync(installCmd, {
+        // audit_1776853149979: switched to execFileSync('npm', argv) — no shell,
+        // so even if validation regressed, metas in update.package would stay
+        // literal in the argv slot.
+        execFileSync('npm', ['install', `${update.package}@${update.latestVersion}`, '--save-exact'], {
             encoding: 'utf-8',
             stdio: 'pipe',
             timeout: 60000, // 1 minute timeout
+            shell: false,
         });
         // Record successful update
         recordUpdate({
@@ -139,13 +167,21 @@ export async function rollbackUpdate(packageName) {
                 : 'No rollback available',
         };
     }
+    // audit_1776853149979: history entries can be tampered with by anyone who
+    // can write update-history.json — gate before exec.
+    if (!isSafePackageSpec(lastUpdate.package, lastUpdate.fromVersion)) {
+        return {
+            success: false,
+            message: `Refusing to rollback: package or version contains disallowed characters (pkg="${lastUpdate.package}", version="${lastUpdate.fromVersion}")`,
+        };
+    }
     try {
-        // Install the previous version
-        const installCmd = `npm install ${lastUpdate.package}@${lastUpdate.fromVersion} --save-exact`;
-        execSync(installCmd, {
+        // execFileSync, no shell.
+        execFileSync('npm', ['install', `${lastUpdate.package}@${lastUpdate.fromVersion}`, '--save-exact'], {
             encoding: 'utf-8',
             stdio: 'pipe',
             timeout: 60000,
+            shell: false,
         });
         // Record the rollback
         recordUpdate({

package/v3/@claude-flow/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claude-flow/cli",
-  "version": "3.6.23",
+  "version": "3.6.25",
   "type": "module",
   "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
   "main": "dist/src/index.js",