claude-flow 3.6.25 → 3.6.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-flow",
-  "version": "3.6.25",
+  "version": "3.6.26",
   "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "dist/index.js",
   "type": "module",

package/v3/@claude-flow/cli/dist/src/commands/doctor.js

@@ -8,8 +8,11 @@ import { output } from '../output.js';
 import { existsSync, readFileSync, statSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { createHash } from 'crypto';
 import { execSync, exec } from 'child_process';
 import { promisify } from 'util';
+import { decodeKey, isEncryptionEnabled } from '../encryption/vault.js';
+import { isEncryptedBlob } from '../encryption/vault.js';
 // Promisified exec with proper shell and env inheritance for cross-platform support
 const execAsync = promisify(exec);
 /**
@@ -423,6 +426,89 @@ async function checkAgenticFlow() {
         return { name: 'agentic-flow', status: 'warn', message: 'Check failed' };
     }
 }
+// Check encryption-at-rest status (ADR-096 Phase 5)
+//
+// Reports four facets without disclosing the key itself:
+//   1. Gate status — is CLAUDE_FLOW_ENCRYPT_AT_REST set?
+//   2. Key resolution — does CLAUDE_FLOW_ENCRYPTION_KEY resolve to a valid
+//      32-byte key (env-var path only; keychain/passphrase are deferred)?
+//   3. Key fingerprint — first 16 hex chars of sha256(key) so users can
+//      sanity-check across machines without ever logging the key bytes.
+//   4. High-tier store presence — for sessions/, terminals/, .swarm/memory.db
+//      report whether on-disk bytes carry the RFE1 magic (encrypted) or not.
+async function checkEncryptionAtRest() {
+    if (!isEncryptionEnabled()) {
+        return {
+            name: 'Encryption at Rest',
+            status: 'warn',
+            message: 'Off — session/terminal/memory stores are plaintext (mode 0600 only)',
+            fix: 'export CLAUDE_FLOW_ENCRYPT_AT_REST=1 && export CLAUDE_FLOW_ENCRYPTION_KEY=<64-char-hex>',
+        };
+    }
+    // Gate is on — try to resolve the key. Fail-closed if missing or malformed.
+    const rawKey = process.env.CLAUDE_FLOW_ENCRYPTION_KEY;
+    if (!rawKey) {
+        return {
+            name: 'Encryption at Rest',
+            status: 'fail',
+            message: 'Gate is on but CLAUDE_FLOW_ENCRYPTION_KEY is unset (fail-closed)',
+            fix: 'Generate a key: openssl rand -hex 32 → export CLAUDE_FLOW_ENCRYPTION_KEY=<value>',
+        };
+    }
+    let keyFingerprint;
+    try {
+        const key = decodeKey(rawKey);
+        keyFingerprint = createHash('sha256').update(key).digest('hex').slice(0, 16);
+    }
+    catch (err) {
+        return {
+            name: 'Encryption at Rest',
+            status: 'fail',
+            message: `CLAUDE_FLOW_ENCRYPTION_KEY invalid: ${err instanceof Error ? err.message : String(err)}`,
+            fix: 'Provide a 64-char hex or 44-char base64 key (32 bytes)',
+        };
+    }
+    // Check the three high-tier store paths for RFE1 magic
+    const cwd = process.cwd();
+    const stores = [
+        { label: 'sessions/', path: join(cwd, '.claude-flow', 'sessions') },
+        { label: 'terminals', path: join(cwd, '.claude-flow', 'terminals', 'store.json') },
+        { label: 'memory.db', path: join(cwd, '.swarm', 'memory.db') },
+    ];
+    const status = [];
+    for (const s of stores) {
+        if (!existsSync(s.path)) {
+            status.push(`${s.label}=∅`);
+            continue;
+        }
+        try {
+            const stat = statSync(s.path);
+            if (stat.isDirectory()) {
+                // Sessions: probe the first .json file
+                const { readdirSync } = await import('fs');
+                const files = readdirSync(s.path).filter(f => f.endsWith('.json'));
+                if (files.length === 0) {
+                    status.push(`${s.label}=∅`);
+                    continue;
+                }
+                const first = readFileSync(join(s.path, files[0]));
+                status.push(`${s.label}=${isEncryptedBlob(first) ? 'enc' : 'plain'}`);
+            }
+            else {
+                const buf = readFileSync(s.path);
+                status.push(`${s.label}=${isEncryptedBlob(buf) ? 'enc' : 'plain'}`);
+            }
+        }
+        catch {
+            status.push(`${s.label}=err`);
+        }
+    }
+    return {
+        name: 'Encryption at Rest',
+        status: 'pass',
+        message: `On — key fp:${keyFingerprint}… (${status.join(' ')})`,
+    };
+}
 // Format health check result
 function formatCheck(check) {
     const icon = check.status === 'pass' ? output.success('✓') :
@@ -494,7 +580,8 @@ export const doctorCommand = {
             checkMcpServers,
             checkDiskSpace,
             checkBuildTools,
-            checkAgenticFlow
+            checkAgenticFlow,
+            checkEncryptionAtRest, // ADR-096 Phase 5
         ];
         const componentMap = {
             'version': checkVersionFreshness,
@@ -510,7 +597,8 @@ export const doctorCommand = {
             'mcp': checkMcpServers,
             'disk': checkDiskSpace,
             'typescript': checkBuildTools,
-            'agentic-flow': checkAgenticFlow
+            'agentic-flow': checkAgenticFlow,
+            'encryption': checkEncryptionAtRest, // ADR-096 Phase 5
         };
         let checksToRun = allChecks;
         if (component && componentMap[component]) {

package/v3/@claude-flow/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claude-flow/cli",
-  "version": "3.6.25",
+  "version": "3.6.26",
   "type": "module",
   "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
   "main": "dist/src/index.js",

package/.claude/scheduled_tasks.lock

@@ -1 +0,0 @@
-{"sessionId":"36428a63-dfb2-42a4-a159-cf8be916193e","pid":71027,"procStart":"Sun May  3 23:00:23 2026","acquiredAt":1777849234814}