npm - claude-flow - Versions diffs - 3.6.25 → 3.6.27 - Mend

claude-flow 3.6.25 → 3.6.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-flow",
-  "version": "3.6.25",
+  "version": "3.6.27",
   "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "dist/index.js",
   "type": "module",

package/v3/@claude-flow/cli/dist/src/commands/doctor.js CHANGED Viewed

@@ -8,8 +8,11 @@ import { output } from '../output.js';
 import { existsSync, readFileSync, statSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { createHash } from 'crypto';
 import { execSync, exec } from 'child_process';
 import { promisify } from 'util';
+import { decodeKey, isEncryptionEnabled } from '../encryption/vault.js';
+import { isEncryptedBlob } from '../encryption/vault.js';
 // Promisified exec with proper shell and env inheritance for cross-platform support
 const execAsync = promisify(exec);
 /**
@@ -423,6 +426,89 @@ async function checkAgenticFlow() {
         return { name: 'agentic-flow', status: 'warn', message: 'Check failed' };
     }
 }
+// Check encryption-at-rest status (ADR-096 Phase 5)
+//
+// Reports four facets without disclosing the key itself:
+//   1. Gate status — is CLAUDE_FLOW_ENCRYPT_AT_REST set?
+//   2. Key resolution — does CLAUDE_FLOW_ENCRYPTION_KEY resolve to a valid
+//      32-byte key (env-var path only; keychain/passphrase are deferred)?
+//   3. Key fingerprint — first 16 hex chars of sha256(key) so users can
+//      sanity-check across machines without ever logging the key bytes.
+//   4. High-tier store presence — for sessions/, terminals/, .swarm/memory.db
+//      report whether on-disk bytes carry the RFE1 magic (encrypted) or not.
+async function checkEncryptionAtRest() {
+    if (!isEncryptionEnabled()) {
+        return {
+            name: 'Encryption at Rest',
+            status: 'warn',
+            message: 'Off — session/terminal/memory stores are plaintext (mode 0600 only)',
+            fix: 'export CLAUDE_FLOW_ENCRYPT_AT_REST=1 && export CLAUDE_FLOW_ENCRYPTION_KEY=<64-char-hex>',
+        };
+    }
+    // Gate is on — try to resolve the key. Fail-closed if missing or malformed.
+    const rawKey = process.env.CLAUDE_FLOW_ENCRYPTION_KEY;
+    if (!rawKey) {
+        return {
+            name: 'Encryption at Rest',
+            status: 'fail',
+            message: 'Gate is on but CLAUDE_FLOW_ENCRYPTION_KEY is unset (fail-closed)',
+            fix: 'Generate a key: openssl rand -hex 32 → export CLAUDE_FLOW_ENCRYPTION_KEY=<value>',
+        };
+    }
+    let keyFingerprint;
+    try {
+        const key = decodeKey(rawKey);
+        keyFingerprint = createHash('sha256').update(key).digest('hex').slice(0, 16);
+    }
+    catch (err) {
+        return {
+            name: 'Encryption at Rest',
+            status: 'fail',
+            message: `CLAUDE_FLOW_ENCRYPTION_KEY invalid: ${err instanceof Error ? err.message : String(err)}`,
+            fix: 'Provide a 64-char hex or 44-char base64 key (32 bytes)',
+        };
+    }
+    // Check the three high-tier store paths for RFE1 magic
+    const cwd = process.cwd();
+    const stores = [
+        { label: 'sessions/', path: join(cwd, '.claude-flow', 'sessions') },
+        { label: 'terminals', path: join(cwd, '.claude-flow', 'terminals', 'store.json') },
+        { label: 'memory.db', path: join(cwd, '.swarm', 'memory.db') },
+    ];
+    const status = [];
+    for (const s of stores) {
+        if (!existsSync(s.path)) {
+            status.push(`${s.label}=∅`);
+            continue;
+        }
+        try {
+            const stat = statSync(s.path);
+            if (stat.isDirectory()) {
+                // Sessions: probe the first .json file
+                const { readdirSync } = await import('fs');
+                const files = readdirSync(s.path).filter(f => f.endsWith('.json'));
+                if (files.length === 0) {
+                    status.push(`${s.label}=∅`);
+                    continue;
+                }
+                const first = readFileSync(join(s.path, files[0]));
+                status.push(`${s.label}=${isEncryptedBlob(first) ? 'enc' : 'plain'}`);
+            }
+            else {
+                const buf = readFileSync(s.path);
+                status.push(`${s.label}=${isEncryptedBlob(buf) ? 'enc' : 'plain'}`);
+            }
+        }
+        catch {
+            status.push(`${s.label}=err`);
+        }
+    }
+    return {
+        name: 'Encryption at Rest',
+        status: 'pass',
+        message: `On — key fp:${keyFingerprint}… (${status.join(' ')})`,
+    };
+}
 // Format health check result
 function formatCheck(check) {
     const icon = check.status === 'pass' ? output.success('✓') :
@@ -494,7 +580,8 @@ export const doctorCommand = {
             checkMcpServers,
             checkDiskSpace,
             checkBuildTools,
-            checkAgenticFlow
+            checkAgenticFlow,
+            checkEncryptionAtRest, // ADR-096 Phase 5
         ];
         const componentMap = {
             'version': checkVersionFreshness,
@@ -510,7 +597,8 @@ export const doctorCommand = {
             'mcp': checkMcpServers,
             'disk': checkDiskSpace,
             'typescript': checkBuildTools,
-            'agentic-flow': checkAgenticFlow
+            'agentic-flow': checkAgenticFlow,
+            'encryption': checkEncryptionAtRest, // ADR-096 Phase 5
         };
         let checksToRun = allChecks;
         if (component && componentMap[component]) {

package/v3/@claude-flow/cli/dist/src/commands/providers.js CHANGED Viewed

@@ -11,6 +11,9 @@ const PROVIDER_CATALOG = [
     { name: 'OpenAI', type: 'LLM', models: 'gpt-4o, gpt-4-turbo', envVar: 'OPENAI_API_KEY', configName: 'openai' },
     { name: 'OpenAI', type: 'Embedding', models: 'text-embedding-3-small/large', envVar: 'OPENAI_API_KEY', configName: 'openai' },
     { name: 'Google', type: 'LLM', models: 'gemini-pro, gemini-ultra', envVar: 'GOOGLE_API_KEY', configName: 'google' },
+    // #1725: Ollama Cloud — Tier-2 default per ADR-026 (~$100/mo flat-rate alternative
+    // to per-token pricing). OpenAI-compat API at https://ollama.com/v1/chat/completions.
+    { name: 'Ollama', type: 'LLM', models: 'gpt-oss:120b-cloud, llama3:70b-cloud, qwen2.5-coder:32b-cloud', envVar: 'OLLAMA_API_KEY', configName: 'ollama' },
     { name: 'Transformers.js', type: 'Embedding', models: 'Xenova/all-MiniLM-L6-v2' },
     { name: 'Agentic Flow', type: 'Embedding', models: 'ONNX optimized' },
     { name: 'Mock', type: 'All', models: 'mock-*' },
@@ -30,6 +33,7 @@ function resolveApiKey(providerName, configuredProviders) {
         anthropic: 'ANTHROPIC_API_KEY',
         openai: 'OPENAI_API_KEY',
         google: 'GOOGLE_API_KEY',
+        ollama: 'OLLAMA_API_KEY', // #1725 — Tier-2 routing
     };
     const envVar = envMapping[providerName.toLowerCase()];
     if (envVar && process.env[envVar]) {
@@ -60,6 +64,13 @@ async function testProviderConnectivity(providerName, apiKey) {
             url: `https://generativelanguage.googleapis.com/v1beta/models?key=${apiKey}`,
             headers: {},
         },
+        // #1725 — Ollama Cloud uses an OpenAI-compatible /v1 surface.
+        ollama: {
+            url: 'https://ollama.com/api/tags',
+            headers: {
+                'Authorization': `Bearer ${apiKey}`,
+            },
+        },
     };
     const endpointConfig = endpoints[providerName.toLowerCase()];
     if (!endpointConfig) {

package/v3/@claude-flow/cli/dist/src/mcp-tools/agent-execute-core.d.ts CHANGED Viewed

@@ -47,6 +47,12 @@ export interface AnthropicCallResult {
  * Generic Anthropic Messages API call. No agent registry coupling — used
  * by agent_execute (with the agent's configured model) and by the WASM
  * agent runtime (G4) when the bundled WASM only echoes input.
+ *
+ * #1725 — falls back to Ollama Cloud (Tier-2, OpenAI-compat) when
+ * ANTHROPIC_API_KEY is unset and OLLAMA_API_KEY is present, or when
+ * RUFLO_PROVIDER=ollama is explicitly set. Response shape is normalized
+ * to the Anthropic-flavored AnthropicCallResult so existing callers
+ * don't need to know which provider answered.
  */
 export declare function callAnthropicMessages(input: AnthropicCallInput): Promise<AnthropicCallResult>;
 /**

package/v3/@claude-flow/cli/dist/src/mcp-tools/agent-execute-core.js CHANGED Viewed

@@ -42,11 +42,26 @@ const MODEL_MAP = {
  * Generic Anthropic Messages API call. No agent registry coupling — used
  * by agent_execute (with the agent's configured model) and by the WASM
  * agent runtime (G4) when the bundled WASM only echoes input.
+ *
+ * #1725 — falls back to Ollama Cloud (Tier-2, OpenAI-compat) when
+ * ANTHROPIC_API_KEY is unset and OLLAMA_API_KEY is present, or when
+ * RUFLO_PROVIDER=ollama is explicitly set. Response shape is normalized
+ * to the Anthropic-flavored AnthropicCallResult so existing callers
+ * don't need to know which provider answered.
  */
 export async function callAnthropicMessages(input) {
-    const apiKey = process.env.ANTHROPIC_API_KEY;
-    if (!apiKey) {
-        return { success: false, error: 'ANTHROPIC_API_KEY not set in environment' };
+    const explicitProvider = (process.env.RUFLO_PROVIDER || '').toLowerCase();
+    const ollamaKey = process.env.OLLAMA_API_KEY;
+    const anthropicKey = process.env.ANTHROPIC_API_KEY;
+    const useOllama = explicitProvider === 'ollama' || (!anthropicKey && !!ollamaKey);
+    if (useOllama && ollamaKey) {
+        return callOllamaCompat({ ...input, apiKey: ollamaKey });
+    }
+    if (!anthropicKey) {
+        return {
+            success: false,
+            error: 'No LLM provider configured. Set ANTHROPIC_API_KEY (Tier-3) or OLLAMA_API_KEY (Tier-2 Ollama Cloud — see issue #1725).',
+        };
     }
     const model = input.model || 'claude-3-5-sonnet-latest';
     const startedAt = Date.now();
@@ -56,7 +71,7 @@ export async function callAnthropicMessages(input) {
         const res = await fetch('https://api.anthropic.com/v1/messages', {
             method: 'POST',
             headers: {
-                'x-api-key': apiKey,
+                'x-api-key': anthropicKey,
                 'anthropic-version': '2023-06-01',
                 'content-type': 'application/json',
             },
@@ -102,6 +117,98 @@ export async function callAnthropicMessages(input) {
         };
     }
 }
+/**
+ * Ollama Cloud / OpenAI-compat provider — Tier-2 routing per ADR-026 + #1725.
+ *
+ * Endpoint: https://ollama.com/v1/chat/completions
+ * Auth: Authorization: Bearer <OLLAMA_API_KEY>
+ *
+ * Translates the Anthropic-flavored input shape onto OpenAI chat-completions
+ * and translates the response back so callers never see provider-specific
+ * fields. Logical model names are mapped to Ollama Cloud defaults:
+ *   - 'haiku'  / 'sonnet'  → 'gpt-oss:120b-cloud' (sensible single default)
+ *   - 'opus'              → 'gpt-oss:120b-cloud' (no opus tier on Ollama)
+ *   - explicit 'ollama:<model>' or bare provider-native name → passed through
+ */
+async function callOllamaCompat(input) {
+    const model = resolveOllamaModel(input.model);
+    const startedAt = Date.now();
+    // OLLAMA_BASE_URL lets users point at local/self-hosted endpoints
+    // (e.g. http://ruvultra:11434, http://localhost:11434) instead of
+    // Ollama Cloud. Default is the public cloud endpoint.
+    const base = (process.env.OLLAMA_BASE_URL || 'https://ollama.com').replace(/\/+$/, '');
+    const url = `${base}/v1/chat/completions`;
+    // Self-hosted endpoints typically don't need an Authorization header
+    // (the daemon binds to 11434 with no auth by default), but Ollama Cloud
+    // does. Send the bearer when the key is non-empty AND looks cloud-shaped.
+    const sendAuth = input.apiKey && input.apiKey !== 'local';
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), input.timeoutMs || 60000);
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: {
+                ...(sendAuth ? { Authorization: `Bearer ${input.apiKey}` } : {}),
+                'content-type': 'application/json',
+            },
+            body: JSON.stringify({
+                model,
+                max_tokens: input.maxTokens || 1024,
+                temperature: typeof input.temperature === 'number' ? input.temperature : 0.7,
+                messages: [
+                    ...(input.systemPrompt
+                        ? [{ role: 'system', content: input.systemPrompt }]
+                        : []),
+                    { role: 'user', content: input.prompt },
+                ],
+            }),
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+        if (!res.ok) {
+            const errText = await res.text().catch(() => '<unreadable error body>');
+            return { success: false, model, error: `Ollama API error ${res.status} at ${url}: ${errText.slice(0, 400)}` };
+        }
+        const data = (await res.json());
+        const textOut = data.choices?.[0]?.message?.content ?? '';
+        const usage = data.usage ?? {};
+        return {
+            success: true,
+            model: data.model ?? model,
+            messageId: data.id ?? `ollama-${Date.now()}`,
+            stopReason: data.choices?.[0]?.finish_reason ?? 'end_turn',
+            output: textOut,
+            usage: {
+                inputTokens: usage.prompt_tokens ?? 0,
+                outputTokens: usage.completion_tokens ?? 0,
+                totalTokens: usage.total_tokens ?? 0,
+            },
+            durationMs: Date.now() - startedAt,
+        };
+    }
+    catch (err) {
+        return {
+            success: false,
+            model,
+            error: err instanceof Error ? err.message : String(err),
+            durationMs: Date.now() - startedAt,
+        };
+    }
+}
+function resolveOllamaModel(input) {
+    const DEFAULT = 'gpt-oss:120b-cloud';
+    if (!input)
+        return DEFAULT;
+    // Logical → cloud default
+    if (input === 'haiku' || input === 'sonnet' || input === 'opus' || input === 'inherit') {
+        return DEFAULT;
+    }
+    // Explicit provider prefix
+    if (input.startsWith('ollama:'))
+        return input.slice('ollama:'.length);
+    // Bare name with cloud suffix (e.g. 'llama3:70b-cloud') passes through
+    return input;
+}
 /**
  * Resolve a model identifier to an Anthropic model ID. Accepts:
  * - logical names: 'haiku', 'sonnet', 'opus', 'inherit'

package/v3/@claude-flow/cli/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@claude-flow/cli",
-  "version": "3.6.25",
+  "version": "3.6.27",
   "type": "module",
   "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
   "main": "dist/src/index.js",

package/.claude/scheduled_tasks.lock DELETED Viewed

	@@ -1 +0,0 @@
1	- {"sessionId":"36428a63-dfb2-42a4-a159-cf8be916193e","pid":71027,"procStart":"Sun May 3 23:00:23 2026","acquiredAt":1777849234814}