npm - claude-flow - Versions diffs - 3.7.0-alpha.72 → 3.7.0-alpha.74 - Mend

claude-flow 3.7.0-alpha.72 → 3.7.0-alpha.74

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/.claude/agents/github/code-review-swarm.md CHANGED Viewed

@@ -250,7 +250,7 @@ jobs:
   swarm-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0

package/.claude/agents/github/issue-tracker.md CHANGED Viewed

@@ -95,7 +95,7 @@ mcp__github__add_issue_comment {
   - Final validation and merge preparation
   ---
-  🤖 Generated with Claude Code using ruv-swarm coordination`
+  `
 }
 // Store progress in swarm memory
@@ -213,9 +213,10 @@ mcp__github__update_issue {
 Updates will be posted automatically by swarm agents during implementation.
 ---
-🤖 Generated with Claude Code
 ```
+<!-- last-updated: 2026-05-21 — ADR-127 -->
 ### Bug Report Template:
 ```markdown
 ## 🐛 Bug Report
@@ -251,7 +252,6 @@ Updates will be posted automatically by swarm agents during implementation.
 - **Tester**: Validation and testing
 ---
-🤖 Generated with Claude Code
 ```
 ## Best Practices

package/.claude/agents/github/release-manager.md CHANGED Viewed

@@ -2,7 +2,7 @@
 name: release-manager
 description: |
   Automated release coordination and deployment with ruv-swarm orchestration for seamless version management, testing, and deployment across multiple packages
-tools: Bash, Read, Write, Edit, TodoWrite, TodoRead, Task, WebFetch, mcp__github__create_pull_request, mcp__github__merge_pull_request, mcp__github__create_branch, mcp__github__push_files, mcp__github__create_issue, mcp__claude-flow__swarm_init, mcp__claude-flow__agent_spawn, mcp__claude-flow__task_orchestrate, mcp__claude-flow__memory_usage
+tools: Bash, Read, Write, Edit, TodoWrite, TodoRead, Task, mcp__github__create_pull_request, mcp__github__merge_pull_request, mcp__github__create_branch, mcp__github__push_files, mcp__github__create_issue, mcp__claude-flow__swarm_init, mcp__claude-flow__agent_spawn, mcp__claude-flow__task_orchestrate, mcp__claude-flow__memory_usage
 ---
 # GitHub Release Manager
@@ -165,10 +165,12 @@ This release was coordinated using ruv-swarm agents:
 This release is production-ready with comprehensive validation and testing.
 ---
-🤖 Generated with Claude Code using ruv-swarm coordination`
+`
 }
 ```
+<!-- last-updated: 2026-05-21 — ADR-127 -->
 ## Batch Release Workflow
 ### Complete Release Pipeline:
@@ -308,9 +310,9 @@ jobs:
   release-validation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
       - name: Install and Test

package/.claude/agents/github/release-swarm.md CHANGED Viewed

@@ -2,7 +2,7 @@
 name: release-swarm
 description: |
   Orchestrate complex software releases using AI swarms that handle everything from changelog generation to multi-platform deployment
-tools: Bash, Read, Write, Edit, TodoWrite, TodoRead, Task, WebFetch, mcp__github__create_pull_request, mcp__github__merge_pull_request, mcp__github__create_branch, mcp__github__push_files, mcp__github__create_issue, mcp__claude-flow__swarm_init, mcp__claude-flow__agent_spawn, mcp__claude-flow__task_orchestrate, mcp__claude-flow__parallel_execute, mcp__claude-flow__load_balance
+tools: Bash, Read, Write, Edit, TodoWrite, TodoRead, Task, mcp__github__create_pull_request, mcp__github__merge_pull_request, mcp__github__create_branch, mcp__github__push_files, mcp__github__create_issue, mcp__claude-flow__swarm_init, mcp__claude-flow__agent_spawn, mcp__claude-flow__task_orchestrate, mcp__claude-flow__parallel_execute, mcp__claude-flow__load_balance
 ---
 # Release Swarm - Intelligent Release Automation
@@ -280,7 +280,7 @@ jobs:
   release-swarm:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0

package/.claude/agents/github/repo-architect.md CHANGED Viewed

@@ -2,7 +2,7 @@
 name: repo-architect
 description: |
   Repository structure optimization and multi-repo management with ruv-swarm coordination for scalable project architecture and development workflows
-tools: Bash, Read, Write, Edit, LS, Glob, TodoWrite, TodoRead, Task, WebFetch, mcp__github__create_repository, mcp__github__fork_repository, mcp__github__search_repositories, mcp__github__push_files, mcp__github__create_or_update_file, mcp__claude-flow__swarm_init, mcp__claude-flow__agent_spawn, mcp__claude-flow__task_orchestrate, mcp__claude-flow__memory_usage
+tools: Bash, Read, Write, Edit, LS, Glob, TodoWrite, TodoRead, Task, mcp__github__create_repository, mcp__github__fork_repository, mcp__github__search_repositories, mcp__github__push_files, mcp__github__create_or_update_file, mcp__claude-flow__swarm_init, mcp__claude-flow__agent_spawn, mcp__claude-flow__task_orchestrate, mcp__claude-flow__memory_usage
 ---
 # GitHub Repository Architect
@@ -151,8 +151,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with: { node-version: '20' }
       - run: npm install && npm test`,
     message: "ci: Standardize integration workflow across repositories",

package/.claude/agents/github/swarm-issue.md CHANGED Viewed

@@ -266,9 +266,12 @@ jobs:
         uses: ruvnet/swarm-action@v1
         with:
           command: |
-            if [[ "${{ github.event.label.name }}" == "swarm-ready" ]]; then
+            LABEL_NAME_FILE=$(mktemp)
+            printf '%s' "${{ github.event.label.name }}" > "$LABEL_NAME_FILE"
+            if grep -qx 'swarm-ready' "$LABEL_NAME_FILE"; then
               npx ruv-swarm github issue-init ${{ github.event.issue.number }}
             fi
+            rm -f "$LABEL_NAME_FILE"
 ```
 ### Issue Board Integration

package/.claude/agents/github/swarm-pr.md CHANGED Viewed

@@ -51,14 +51,17 @@ jobs:
   swarm-handler:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Handle Swarm Command
         run: |
-          if [[ "${{ github.event.comment.body }}" == /swarm* ]]; then
+          COMMENT_BODY_FILE=$(mktemp)
+          printf '%s' "${{ github.event.comment.body }}" > "$COMMENT_BODY_FILE"
+          if grep -q '^/swarm' "$COMMENT_BODY_FILE"; then
             npx ruv-swarm github handle-comment \
               --pr ${{ github.event.pull_request.number }} \
-              --comment "${{ github.event.comment.body }}"
+              --comment-file "$COMMENT_BODY_FILE"
           fi
+          rm -f "$COMMENT_BODY_FILE"
 ```
 ## PR Label Integration

package/.claude/agents/github/sync-coordinator.md CHANGED Viewed

@@ -144,10 +144,12 @@ This integration uses ruv-swarm agents for:
 - Memory-based state management
 ---
-🤖 Generated with Claude Code using ruv-swarm coordination`
+`
 }
 ```
+<!-- last-updated: 2026-05-21 — ADR-127 -->
 ## Batch Synchronization Example
 ### Complete Package Sync Workflow:

package/.claude/agents/github/workflow-automation.md CHANGED Viewed

@@ -22,7 +22,7 @@ jobs:
   swarm-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Initialize Swarm
         uses: ruvnet/swarm-action@v1
@@ -70,7 +70,7 @@ jobs:
   detect-and-build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Detect Languages
         id: detect

package/.claude/helpers/github-safe.js CHANGED Viewed

@@ -1,11 +1,21 @@
 #!/usr/bin/env node
 /**
- * Safe GitHub CLI Helper
- * Prevents timeout issues when using gh commands with special characters
- *
+ * Safe GitHub CLI Helper — v1.0.0
+ *
+ * Prevents injection issues when using `gh` commands with untrusted content
+ * (PR bodies, issue bodies, comment bodies) by routing the body through a
+ * temp file and using `--body-file` rather than interpolating into shell args.
+ *
+ * ADR-127 Phase 2 hardening:
+ *   - GITHUB_SAFE_VERSION exported for smoke assertions.
+ *   - Explicit 256KB body cap: rejects oversized bodies before any temp-file
+ *     write, matching the GitHub API `body` field limit.
+ *   - Strict error handling: all execSync calls inside try/catch; cleanup in
+ *     finally; non-zero exit on any error.
+ *   - GITHUB_SAFE_DRY_RUN=1 env-var skips the actual `gh` exec for testing.
+ *
  * Usage:
- *   ./github-safe.js issue comment 123 "Message with `backticks`"
+ *   ./github-safe.js issue comment 123 "Message with \`backticks\`"
  *   ./github-safe.js pr create --title "Title" --body "Complex body"
  */
@@ -15,11 +25,19 @@ import { tmpdir } from 'os';
 import { join } from 'path';
 import { randomBytes } from 'crypto';
+// Version constant — asserted by smoke-github-safe-injection.mjs.
+export const GITHUB_SAFE_VERSION = '1.0.0';
+// Maximum body size allowed (bytes).  The GitHub API enforces 65536 chars for
+// issue/PR bodies; the CLI is more lenient but the 256KB limit is a
+// conservative safety cap that prevents accidental oversized writes.
+const MAX_BODY_BYTES = 256 * 1024;
 const args = process.argv.slice(2);
 if (args.length < 2) {
   console.log(`
-Safe GitHub CLI Helper
+Safe GitHub CLI Helper v${GITHUB_SAFE_VERSION}
 Usage:
   ./github-safe.js issue comment <number> <body>
@@ -27,11 +45,11 @@ Usage:
   ./github-safe.js issue create --title <title> --body <body>
   ./github-safe.js pr create --title <title> --body <body>
-This helper prevents timeout issues with special characters like:
+This helper prevents injection issues with special characters:
 - Backticks in code examples
-- Command substitution \$(...)
-- Directory paths
-- Special shell characters
+- Command substitution $(...)
+- Semicolons and other shell metacharacters
+- Oversized bodies (> 256 KB rejected)
 `);
   process.exit(1);
 }
@@ -39,68 +57,98 @@ This helper prevents timeout issues with special characters like:
 const [command, subcommand, ...restArgs] = args;
 // Handle commands that need body content
-if ((command === 'issue' || command === 'pr') &&
+if ((command === 'issue' || command === 'pr') &&
     (subcommand === 'comment' || subcommand === 'create')) {
   let bodyIndex = -1;
   let body = '';
   if (subcommand === 'comment' && restArgs.length >= 2) {
     // Simple format: github-safe.js issue comment 123 "body"
     body = restArgs[1];
     bodyIndex = 1;
   } else {
-    // Flag format: --body "content"
+    // Flag format: --body "content"
     bodyIndex = restArgs.indexOf('--body');
     if (bodyIndex !== -1 && bodyIndex < restArgs.length - 1) {
       body = restArgs[bodyIndex + 1];
     }
   }
   if (body) {
-    // Use temporary file for body content
+    // Enforce 256KB cap before any file I/O.
+    const bodyBytes = Buffer.byteLength(body, 'utf8');
+    if (bodyBytes > MAX_BODY_BYTES) {
+      console.error(
+        `[ERROR] Body exceeds maximum allowed size (${bodyBytes} bytes > ${MAX_BODY_BYTES} bytes). ` +
+        'GitHub API body fields are capped at 256KB. Truncate the body before passing it to github-safe.js.'
+      );
+      process.exit(1);
+    }
+    // Use temporary file for body content — never interpolate into argv.
     const tmpFile = join(tmpdir(), `gh-body-${randomBytes(8).toString('hex')}.tmp`);
     try {
       writeFileSync(tmpFile, body, 'utf8');
       // Build new command with --body-file
       const newArgs = [...restArgs];
       if (subcommand === 'comment' && bodyIndex === 1) {
-        // Replace body with --body-file
+        // Replace positional body arg with --body-file
         newArgs[1] = '--body-file';
         newArgs.push(tmpFile);
       } else if (bodyIndex !== -1) {
-        // Replace --body with --body-file
+        // Replace --body flag pair with --body-file
         newArgs[bodyIndex] = '--body-file';
         newArgs[bodyIndex + 1] = tmpFile;
       }
-      // Execute safely
+      // Skip actual gh exec in dry-run mode (used by smoke tests).
+      if (process.env.GITHUB_SAFE_DRY_RUN === '1') {
+        const ghArgs = [command, subcommand, ...newArgs];
+        console.log(`[DRY-RUN] gh ${ghArgs.join(' ')}`);
+        process.exit(0);
+      }
       const ghCommand = `gh ${command} ${subcommand} ${newArgs.join(' ')}`;
       console.log(`Executing: ${ghCommand}`);
-      const result = execSync(ghCommand, {
+      execSync(ghCommand, {
         stdio: 'inherit',
-        timeout: 30000 // 30 second timeout
+        timeout: 30000,
       });
     } catch (error) {
-      console.error('Error:', error.message);
+      console.error('[ERROR]', error.message);
       process.exit(1);
     } finally {
-      // Clean up
-      try {
-        unlinkSync(tmpFile);
-      } catch (e) {
-        // Ignore cleanup errors
-      }
+      // Always clean up the temp file.
+      try { unlinkSync(tmpFile); } catch (_) { /* ignore cleanup errors */ }
     }
   } else {
-    // No body content, execute normally
-    execSync(`gh ${args.join(' ')}`, { stdio: 'inherit' });
+    // No body content — execute normally (no injection risk).
+    if (process.env.GITHUB_SAFE_DRY_RUN === '1') {
+      console.log(`[DRY-RUN] gh ${args.join(' ')}`);
+      process.exit(0);
+    }
+    try {
+      execSync(`gh ${args.join(' ')}`, { stdio: 'inherit' });
+    } catch (error) {
+      console.error('[ERROR]', error.message);
+      process.exit(1);
+    }
   }
 } else {
-  // Other commands, execute normally
-  execSync(`gh ${args.join(' ')}`, { stdio: 'inherit' });
+  // Non-body commands — execute normally.
+  if (process.env.GITHUB_SAFE_DRY_RUN === '1') {
+    console.log(`[DRY-RUN] gh ${args.join(' ')}`);
+    process.exit(0);
+  }
+  try {
+    execSync(`gh ${args.join(' ')}`, { stdio: 'inherit' });
+  } catch (error) {
+    console.error('[ERROR]', error.message);
+    process.exit(1);
+  }
 }

package/.claude/helpers/github-setup.sh CHANGED Viewed

@@ -1,27 +1,44 @@
 #!/bin/bash
+# Security rationale: set -euo pipefail ensures that:
+#   -e  — exit immediately if any command fails (no silent failures)
+#   -u  — treat unset variables as errors (prevents empty-string expansion bugs)
+#   -o pipefail — pipeline fails if any command in it fails (not just last)
+# This matches the ADR-127 Phase 2 requirement for github-setup.sh hardening.
+set -euo pipefail
 # Setup GitHub integration for Claude Flow
-echo "🔗 Setting up GitHub integration..."
+echo "Setting up GitHub integration..."
 # Check for gh CLI
 if ! command -v gh &> /dev/null; then
-    echo "⚠️  GitHub CLI (gh) not found"
+    echo "WARNING: GitHub CLI (gh) not found"
     echo "Install from: https://cli.github.com/"
     echo "Continuing without GitHub features..."
 else
-    echo "✅ GitHub CLI found"
-    # Check auth status
-    if gh auth status &> /dev/null; then
-        echo "✅ GitHub authentication active"
+    echo "OK: GitHub CLI found"
+    # Check auth status and scope sufficiency.
+    # `gh auth status` exits non-zero when not authenticated.
+    # We additionally parse for "Token scopes" to verify we have at least
+    # 'repo' scope, which is required for PR/issue operations.
+    if gh auth status 2>&1 | grep -q "Logged in"; then
+        echo "OK: GitHub authentication active"
+        # Verify repo scope is present for PR/issue operations.
+        if gh auth status 2>&1 | grep -q "repo"; then
+            echo "OK: 'repo' scope available"
+        else
+            echo "WARNING: 'repo' scope not confirmed — PR/issue operations may fail"
+            echo "Run: gh auth login --scopes repo,read:org"
+        fi
     else
-        echo "⚠️  Not authenticated with GitHub"
+        echo "WARNING: Not authenticated with GitHub"
         echo "Run: gh auth login"
     fi
 fi
 echo ""
-echo "📦 GitHub swarm commands available:"
+echo "GitHub swarm commands available:"
 echo "  - npx claude-flow github swarm"
 echo "  - npx claude-flow repo analyze"
 echo "  - npx claude-flow pr enhance"

package/.claude/skills/github-code-review/SKILL.md CHANGED Viewed

@@ -489,7 +489,7 @@ jobs:
   swarm-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -766,7 +766,7 @@ jobs:
   build-and-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: npm install
       - run: npm test
       - run: npm run build

package/.claude/skills/github-multi-repo/SKILL.md CHANGED Viewed

@@ -331,8 +331,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with: { node-version: '20' }
       - run: npm install && npm test`,
       message: "ci: Standardize integration workflow",

package/.claude/skills/github-project-management/SKILL.md CHANGED Viewed

@@ -839,9 +839,10 @@ npx ruv-swarm github review-coordinate \
 Updates will be posted automatically by swarm agents during implementation.
 ---
-🤖 Generated with Claude Code
 ```
+<!-- last-updated: 2026-05-21 — ADR-127 -->
 ### Bug Report Template
 ```markdown
@@ -878,7 +879,6 @@ Updates will be posted automatically by swarm agents during implementation.
 - **Tester**: Validation and testing
 ---
-🤖 Generated with Claude Code
 ```
 ### Feature Request Template
@@ -922,7 +922,6 @@ Updates will be posted automatically by swarm agents during implementation.
 - **Documenter**: Documentation
 ---
-🤖 Generated with Claude Code
 ```
 ### Swarm Task Template

package/.claude/skills/github-release-management/SKILL.md CHANGED Viewed

@@ -685,12 +685,12 @@ jobs:
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'

package/.claude/skills/github-workflow-automation/SKILL.md CHANGED Viewed

@@ -166,7 +166,7 @@ jobs:
   swarm-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Initialize Swarm
         uses: ruvnet/swarm-action@v1
@@ -192,7 +192,7 @@ jobs:
   detect-and-build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Detect Languages
         id: detect
@@ -819,7 +819,7 @@ jobs:
     needs: initialize
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Backend Tests
         run: |
           npx ruv-swarm agents spawn --type tester \
@@ -830,7 +830,7 @@ jobs:
     needs: initialize
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Frontend Tests
         run: |
           npx ruv-swarm agents spawn --type tester \
@@ -841,7 +841,7 @@ jobs:
     needs: initialize
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Security Scan
         run: |
           npx ruv-swarm agents spawn --type security \
@@ -871,7 +871,7 @@ jobs:
     outputs:
       packages: ${{ steps.detect.outputs.packages }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0

package/.claude/skills/verification-quality/SKILL.md CHANGED Viewed

@@ -470,7 +470,7 @@ jobs:
   verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install Dependencies
         run: npm install

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 <div align="center">
-[![Ruflo Banner](ruflo/assets/ruflo-small.jpeg)](https://flo.ruv.io/)
+[![Ruflo Banner](ruflo/assets/ruflo-small.jpeg)](https://cognitum.one/agentic-engineering)
 [![Try the UI Beta — flo.ruv.io](https://img.shields.io/badge/_Try_the_UI_Beta-flo.ruv.io-6366f1?style=for-the-badge&logoColor=white&logo=svelte)](https://flo.ruv.io/)
 [![Goal Planner — goal.ruv.io](https://img.shields.io/badge/_Goal_Planner-goal.ruv.io-8b5cf6?style=for-the-badge&logoColor=white&logo=react)](https://goal.ruv.io/)
@@ -16,6 +16,8 @@
 [![Codex Plugin](https://img.shields.io/badge/Codex-Plugin-412991?style=for-the-badge&logoColor=white&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAyNCAyNCI%2BPHBhdGggZmlsbD0id2hpdGUiIGQ9Ik0yMi4yODIgOS44MjFhNS45ODUgNS45ODUgMCAwIDAtLjUxNi00LjkxIDYuMDQ2IDYuMDQ2IDAgMCAwLTYuNTEtMi45QTYuMDY1IDYuMDY1IDAgMCAwIDQuOTgxIDQuMThhNS45ODUgNS45ODUgMCAwIDAtMy45OTggMi45IDYuMDQ2IDYuMDQ2IDAgMCAwIC43NDMgNy4wOTcgNS45OCA1Ljk4IDAgMCAwIC41MSA0LjkxMSA2LjA1MSA2LjA1MSAwIDAgMCA2LjUxNSAyLjlBNS45ODUgNS45ODUgMCAwIDAgMTMuMjYgMjRhNi4wNTYgNi4wNTYgMCAwIDAgNS43NzItNC4yMDYgNS45OSA1Ljk5IDAgMCAwIDMuOTk4LTIuOSA2LjA1NiA2LjA1NiAwIDAgMC0uNzQ3LTcuMDczek0xMy4yNiAyMi40M2E0LjQ3NiA0LjQ3NiAwIDAgMS0yLjg3Ni0xLjA0bC4xNDItLjA4IDQuNzc4LTIuNzU4YS43OTUuNzk1IDAgMCAwIC4zOTMtLjY4MXYtNi43MzdsMi4wMiAxLjE2OGEuMDcxLjA3MSAwIDAgMSAuMDM4LjA1MnY1LjU4M2E0LjUwNCA0LjUwNCAwIDAgMS00LjQ5NSA0LjQ5NHpNMy42IDE4LjMwNGE0LjQ3IDQuNDcgMCAwIDEtLjUzNS0zLjAxNGwuMTQyLjA4NSA0Ljc4MyAyLjc1OWEuNzcxLjc3MSAwIDAgMCAuNzgxIDBsNS44NDMtMy4zNjl2Mi4zMzJhLjA4LjA4IDAgMCAxLS4wMzMuMDYyTDkuNzQgMTkuOTVhNC41IDQuNSAwIDAgMS02LjE0LTEuNjQ2ek0yLjM0IDcuODk2YTQuNDg1IDQuNDg1IDAgMCAxIDIuMzY2LTEuOTczVjExLjZhLjc2Ni43NjYgMCAwIDAgLjM4OC42NzdsNS44MTUgMy4zNTQtMi4wMiAxLjE2OGEuMDc2LjA3NiAwIDAgMS0uMDcyIDBsLTQuODMtMi43ODZBNC41MDQgNC41MDQgMCAwIDEgMi4zNCA3Ljg3MnptMTYuNTk3IDMuODU1LTUuODMzLTMuMzg3IDIuMDE2LTEuMTY1YS4wNzYuMDc2IDAgMCAxIC4wNzEgMGw0LjgzIDIuNzkxYTQuNDk0IDQuNDk0IDAgMCAxLS42NzYgOC4xMDR2LTUuNjc3YS43OS43OSAwIDAgMC0uNDA3LS42Njd6bTIuMDEtMy4wMjMtLjE0MS0uMDg1LTQuNzc0LTIuNzgyYS43NzYuNzc2IDAgMCAwLS43ODUgMEw5LjQwOSA5LjIzVjYuODk3YS4wNjYuMDY2IDAgMCAxIC4wMjgtLjA2Mmw0LjgzLTIuNzg3YTQuNDk5IDQuNDk5IDAgMCAxIDYuNjggNC42NnpNOC4zMDcgMTIuODYzbC0yLjAyLTEuMTY0YS4wOC4wOCAwIDAgMS0uMDM4LS4wNTdWNi4wNzRhNC40OTkgNC40OTkgMCAwIDEgNy4zNzYtMy40NTRsLS4xNDIuMDgtNC43NzggMi43NThhLjc5NS43OTUgMCAwIDAtLjM5My42ODJ6bTEuMDk3LTIuMzY2IDIuNjAyLTEuNSAyLjYwNyAxLjV2Mi45OTlsLTIuNTk3IDEuNS0yLjYwNy0xLjVaIi8%2BPC9zdmc%2B)](https://www.npmjs.com/package/@claude-flow/codex)
 [![🕸️ RuVector Graph Ai](https://img.shields.io/badge/RuVector_Agentic-DB-06b6d4?style=for-the-badge&logoColor=white&logo=graphql)](https://github.com/ruvnet/ruvector)
+[![RuFlo Agentic Appliance](v3/docs/assets/RuFlo-agentic-appliance.png)](https://cognitum.one/appliance)
 [![ruFlo Summit — Budapest, June 2–3, 2026](v3/docs/assets/ruFlo-Summit.jpg)](https://github.com/ruvnet/ruflo/issues/1967)
 # Ruflo

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-flow",
-  "version": "3.7.0-alpha.72",
+  "version": "3.7.0-alpha.74",
   "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "dist/index.js",
   "type": "module",

package/v3/@claude-flow/cli/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 <div align="center">
-[![Ruflo Banner](ruflo/assets/ruflo-small.jpeg)](https://flo.ruv.io/)
+[![Ruflo Banner](ruflo/assets/ruflo-small.jpeg)](https://cognitum.one/agentic-engineering)
 [![Try the UI Beta — flo.ruv.io](https://img.shields.io/badge/_Try_the_UI_Beta-flo.ruv.io-6366f1?style=for-the-badge&logoColor=white&logo=svelte)](https://flo.ruv.io/)
 [![Goal Planner — goal.ruv.io](https://img.shields.io/badge/_Goal_Planner-goal.ruv.io-8b5cf6?style=for-the-badge&logoColor=white&logo=react)](https://goal.ruv.io/)
@@ -16,6 +16,8 @@
 [![Codex Plugin](https://img.shields.io/badge/Codex-Plugin-412991?style=for-the-badge&logoColor=white&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAyNCAyNCI%2BPHBhdGggZmlsbD0id2hpdGUiIGQ9Ik0yMi4yODIgOS44MjFhNS45ODUgNS45ODUgMCAwIDAtLjUxNi00LjkxIDYuMDQ2IDYuMDQ2IDAgMCAwLTYuNTEtMi45QTYuMDY1IDYuMDY1IDAgMCAwIDQuOTgxIDQuMThhNS45ODUgNS45ODUgMCAwIDAtMy45OTggMi45IDYuMDQ2IDYuMDQ2IDAgMCAwIC43NDMgNy4wOTcgNS45OCA1Ljk4IDAgMCAwIC41MSA0LjkxMSA2LjA1MSA2LjA1MSAwIDAgMCA2LjUxNSAyLjlBNS45ODUgNS45ODUgMCAwIDAgMTMuMjYgMjRhNi4wNTYgNi4wNTYgMCAwIDAgNS43NzItNC4yMDYgNS45OSA1Ljk5IDAgMCAwIDMuOTk4LTIuOSA2LjA1NiA2LjA1NiAwIDAgMC0uNzQ3LTcuMDczek0xMy4yNiAyMi40M2E0LjQ3NiA0LjQ3NiAwIDAgMS0yLjg3Ni0xLjA0bC4xNDItLjA4IDQuNzc4LTIuNzU4YS43OTUuNzk1IDAgMCAwIC4zOTMtLjY4MXYtNi43MzdsMi4wMiAxLjE2OGEuMDcxLjA3MSAwIDAgMSAuMDM4LjA1MnY1LjU4M2E0LjUwNCA0LjUwNCAwIDAgMS00LjQ5NSA0LjQ5NHpNMy42IDE4LjMwNGE0LjQ3IDQuNDcgMCAwIDEtLjUzNS0zLjAxNGwuMTQyLjA4NSA0Ljc4MyAyLjc1OWEuNzcxLjc3MSAwIDAgMCAuNzgxIDBsNS44NDMtMy4zNjl2Mi4zMzJhLjA4LjA4IDAgMCAxLS4wMzMuMDYyTDkuNzQgMTkuOTVhNC41IDQuNSAwIDAgMS02LjE0LTEuNjQ2ek0yLjM0IDcuODk2YTQuNDg1IDQuNDg1IDAgMCAxIDIuMzY2LTEuOTczVjExLjZhLjc2Ni43NjYgMCAwIDAgLjM4OC42NzdsNS44MTUgMy4zNTQtMi4wMiAxLjE2OGEuMDc2LjA3NiAwIDAgMS0uMDcyIDBsLTQuODMtMi43ODZBNC41MDQgNC41MDQgMCAwIDEgMi4zNCA3Ljg3MnptMTYuNTk3IDMuODU1LTUuODMzLTMuMzg3IDIuMDE2LTEuMTY1YS4wNzYuMDc2IDAgMCAxIC4wNzEgMGw0LjgzIDIuNzkxYTQuNDk0IDQuNDk0IDAgMCAxLS42NzYgOC4xMDR2LTUuNjc3YS43OS43OSAwIDAgMC0uNDA3LS42Njd6bTIuMDEtMy4wMjMtLjE0MS0uMDg1LTQuNzc0LTIuNzgyYS43NzYuNzc2IDAgMCAwLS43ODUgMEw5LjQwOSA5LjIzVjYuODk3YS4wNjYuMDY2IDAgMCAxIC4wMjgtLjA2Mmw0LjgzLTIuNzg3YTQuNDk5IDQuNDk5IDAgMCAxIDYuNjggNC42NnpNOC4zMDcgMTIuODYzbC0yLjAyLTEuMTY0YS4wOC4wOCAwIDAgMS0uMDM4LS4wNTdWNi4wNzRhNC40OTkgNC40OTkgMCAwIDEgNy4zNzYtMy40NTRsLS4xNDIuMDgtNC43NzggMi43NThhLjc5NS43OTUgMCAwIDAtLjM5My42ODJ6bTEuMDk3LTIuMzY2IDIuNjAyLTEuNSAyLjYwNyAxLjV2Mi45OTlsLTIuNTk3IDEuNS0yLjYwNy0xLjVaIi8%2BPC9zdmc%2B)](https://www.npmjs.com/package/@claude-flow/codex)
 [![🕸️ RuVector Graph Ai](https://img.shields.io/badge/RuVector_Agentic-DB-06b6d4?style=for-the-badge&logoColor=white&logo=graphql)](https://github.com/ruvnet/ruvector)
+[![RuFlo Agentic Appliance](v3/docs/assets/RuFlo-agentic-appliance.png)](https://cognitum.one/appliance)
 [![ruFlo Summit — Budapest, June 2–3, 2026](v3/docs/assets/ruFlo-Summit.jpg)](https://github.com/ruvnet/ruflo/issues/1967)
 # Ruflo

package/v3/@claude-flow/cli/dist/src/init/helpers-generator.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@
  * Creates utility scripts in .claude/helpers/
  */
 import type { InitOptions } from './types.js';
+export declare const ATTRIBUTION_FOOTER = "\uD83E\uDD16 Generated with [RuFlo](https://github.com/ruvnet/ruflo)";
 /**
  * Generate pre-commit hook script
  */

package/v3/@claude-flow/cli/dist/src/init/helpers-generator.js CHANGED Viewed

@@ -3,6 +3,12 @@
  * Creates utility scripts in .claude/helpers/
  */
 import { generateStatuslineScript, generateStatuslineHook } from './statusline-generator.js';
+// ADR-127 Phase 4 — attribution is opt-in (#1670 / #2089).
+// When the user passes --attribution (options.attribution === true),
+// this footer is available for injection into generated content such as
+// PR body templates and release notes.  It is NEVER hard-wired into the
+// static command-file templates — those are user-owned content.
+export const ATTRIBUTION_FOOTER = '🤖 Generated with [RuFlo](https://github.com/ruvnet/ruflo)';
 /**
  * Generate pre-commit hook script
  */
@@ -1175,6 +1181,13 @@ export function generateHelpers(options) {
         // Windows-specific scripts
         helpers['daemon-manager.ps1'] = generateWindowsDaemonManager();
         helpers['daemon-manager.cmd'] = generateWindowsBatchWrapper();
+        // ADR-127 Phase 4 — expose the attribution footer as a helper file only
+        // when the user explicitly opts in. The file content is the single-line
+        // string so init-generated PR templates can `cat .claude/helpers/attribution`
+        // and append it conditionally without hard-wiring the string everywhere.
+        if (options.attribution === true) {
+            helpers['attribution'] = ATTRIBUTION_FOOTER + '\n';
+        }
     }
     if (options.components.statusline) {
         helpers['statusline.cjs'] = generateStatuslineScript(options); // .cjs for ES module compatibility

package/v3/@claude-flow/cli/dist/src/init/settings-generator.js CHANGED Viewed

@@ -39,9 +39,15 @@ export function generateSettings(options) {
     // line into the user's commits — that pattern silently inflated GitHub
     // contributor graphs and was hard to undo without rewriting history. Pass
     // `--attribution` (or `attribution: true` in InitOptions) to enable.
+    //
+    // #2078 — when the user DOES opt in, write a no-reply bot email so GitHub
+    // treats this as a tool, not a personal contribution. Personal emails get
+    // added to user repos' contributor graphs even when the trailer is opt-in.
+    // `ruflo-bot@users.noreply.github.com` is GitHub's no-reply convention and
+    // is excluded from contributor graphs / mapped to a tool identity.
     if (options.attribution === true) {
         settings.attribution = {
-            commit: 'Co-Authored-By: RuFlo <ruv@ruv.net>',
+            commit: 'Co-Authored-By: ruflo-bot <ruflo-bot@users.noreply.github.com>',
             pr: '🤖 Generated with [RuFlo](https://github.com/ruvnet/ruflo)',
         };
     }

package/v3/@claude-flow/cli/dist/src/mcp-tools/ruvllm-tools.js CHANGED Viewed

@@ -5,7 +5,23 @@
  * All tools gracefully degrade when the WASM package is not installed.
  */
 import { validateIdentifier, validateText } from './validate-input.js';
+// #2086 — every ruvllm_* MCP handler that touches the WASM runtime calls
+// this. The downstream `createSonaInstant`/`createMicroLora`/`createHnswRouter`
+// helpers all need `initSync({ module: wasmBytes })` to have run, otherwise
+// the WASM exports throw. Doing it here makes the bootstrap invisible to
+// MCP callers — they don't need a separate `ruvllm_init` tool. `_wasmReady`
+// inside `initRuvllmWasm` short-circuits on the second+ call, so the cost
+// after the first invocation is one boolean check.
+//
+// `ruvllm_status` deliberately uses `loadRuvllmWasmModule()` (no init) so a
+// caller diagnosing why nothing works gets `initialized=false` instead of
+// an error from a failed init.
 async function loadRuvllmWasm() {
+    const mod = await loadRuvllmWasmModule();
+    await mod.initRuvllmWasm();
+    return mod;
+}
+async function loadRuvllmWasmModule() {
     return import('../ruvector/ruvllm-wasm.js');
 }
 export const ruvllmWasmTools = [
@@ -15,7 +31,7 @@ export const ruvllmWasmTools = [
         inputSchema: { type: 'object', properties: {} },
         handler: async () => {
             try {
-                const mod = await loadRuvllmWasm();
+                const mod = await loadRuvllmWasmModule();
                 const wasmStatus = await mod.getRuvllmStatus();
                 // Also include native ruvllm CJS backend status (ADR-086)
                 let nativeBackend = { available: false };

package/v3/@claude-flow/cli/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@claude-flow/cli",
-  "version": "3.7.0-alpha.72",
+  "version": "3.7.0-alpha.74",
   "type": "module",
   "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
   "main": "dist/src/index.js",