kynjal-cli 3.1.4 → 4.0.1

package/dist/src/appliance/rvfa-signing.js

@@ -0,0 +1,347 @@
+/**
+ * RVFA Ed25519 Code Signing -- Digital signatures for RVFA appliance files.
+ *
+ * Provides tamper detection and publisher identity verification using
+ * Ed25519 (RFC 8032) via Node.js native crypto. Zero external dependencies.
+ *
+ * @module @claude-flow/cli/appliance/rvfa-signing
+ */
+import { generateKeyPairSync, createHash, sign, verify, createPublicKey, createPrivateKey, } from 'node:crypto';
+import { readFile, writeFile, stat, chmod, mkdir } from 'node:fs/promises';
+// ── Constants ────────────────────────────────────────────────
+const PREAMBLE_SIZE = 12; // 4B magic + 4B version + 4B header_len
+const SHA256_SIZE = 32;
+const KEY_FILE_MODE = 0o600;
+// ── Key Management ───────────────────────────────────────────
+/** Compute the fingerprint of a public key: first 16 hex chars of its SHA256. */
+function computeFingerprint(publicKeyPem) {
+    return createHash('sha256')
+        .update(publicKeyPem, 'utf-8')
+        .digest('hex')
+        .slice(0, 16);
+}
+/**
+ * Generate a new Ed25519 key pair for RVFA signing.
+ */
+export async function generateKeyPair() {
+    const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+    });
+    const pubBuf = Buffer.from(publicKey, 'utf-8');
+    const privBuf = Buffer.from(privateKey, 'utf-8');
+    const fingerprint = computeFingerprint(publicKey);
+    return { publicKey: pubBuf, privateKey: privBuf, fingerprint };
+}
+/**
+ * Save a key pair to disk as PEM files.
+ *
+ * @param keyPair  The key pair to persist.
+ * @param dir      Directory to write files into.
+ * @param name     Base name for the key files (default: 'rvfa-signing').
+ * @returns Paths to the written public and private key files.
+ */
+export async function saveKeyPair(keyPair, dir, name = 'rvfa-signing') {
+    await mkdir(dir, { recursive: true });
+    const pubPath = `${dir}/${name}.pub`;
+    const privPath = `${dir}/${name}.key`;
+    await writeFile(pubPath, keyPair.publicKey);
+    await writeFile(privPath, keyPair.privateKey, { mode: KEY_FILE_MODE });
+    // Ensure private key has restrictive permissions even on existing files
+    await chmod(privPath, KEY_FILE_MODE);
+    return { publicKeyPath: pubPath, privateKeyPath: privPath };
+}
+/**
+ * Load a key pair from PEM files on disk.
+ *
+ * @param dir   Directory containing the key files.
+ * @param name  Base name for the key files (default: 'rvfa-signing').
+ */
+export async function loadKeyPair(dir, name = 'rvfa-signing') {
+    const pubPath = `${dir}/${name}.pub`;
+    const privPath = `${dir}/${name}.key`;
+    const publicKey = await readFile(pubPath);
+    const privateKey = await readFile(privPath);
+    // Warn if private key permissions are too open
+    const privStat = await stat(privPath);
+    const mode = privStat.mode & 0o777;
+    if (mode & 0o077) {
+        console.warn(`[rvfa-signing] WARNING: Private key ${privPath} has open permissions ` +
+            `(${mode.toString(8)}). Consider running: chmod 600 ${privPath}`);
+    }
+    const fingerprint = computeFingerprint(publicKey.toString('utf-8'));
+    return { publicKey, privateKey, fingerprint };
+}
+/**
+ * Load a public key from a single PEM file.
+ */
+export async function loadPublicKey(path) {
+    return readFile(path);
+}
+// ── Internal Helpers ─────────────────────────────────────────
+/**
+ * Recursively sort object keys for canonical JSON serialization.
+ * Produces deterministic output regardless of insertion order.
+ */
+function canonicalJson(value) {
+    return JSON.stringify(value, (_key, val) => {
+        if (val !== null && typeof val === 'object' && !Array.isArray(val) && !Buffer.isBuffer(val)) {
+            const sorted = {};
+            for (const k of Object.keys(val).sort()) {
+                sorted[k] = val[k];
+            }
+            return sorted;
+        }
+        return val;
+    });
+}
+/**
+ * Parse an RVFA binary into its components without full validation.
+ * Returns the header object, header JSON bytes, section data region, and footer.
+ */
+function parseRvfaBinary(buf) {
+    if (buf.length < PREAMBLE_SIZE + SHA256_SIZE) {
+        throw new Error('Buffer too small to be a valid RVFA file');
+    }
+    const magic = buf.subarray(0, 4).toString('ascii');
+    if (magic !== 'RVFA') {
+        throw new Error(`Invalid RVFA magic: expected "RVFA", got "${magic}"`);
+    }
+    const headerLen = buf.readUInt32LE(8);
+    const headerStart = PREAMBLE_SIZE;
+    const headerEnd = headerStart + headerLen;
+    if (headerEnd > buf.length - SHA256_SIZE) {
+        throw new Error('Header length extends beyond buffer');
+    }
+    const headerJson = buf.subarray(headerStart, headerEnd).toString('utf-8');
+    let header;
+    try {
+        header = JSON.parse(headerJson);
+    }
+    catch {
+        throw new Error('Failed to parse RVFA header JSON');
+    }
+    const footer = buf.subarray(buf.length - SHA256_SIZE);
+    const sectionData = buf.subarray(headerEnd, buf.length - SHA256_SIZE);
+    return { header, headerStart, headerEnd, sectionData, footer };
+}
+/**
+ * Compute the signing digest for an RVFA file.
+ *
+ * The digest is SHA256 of: canonical_header_json (without signature field)
+ *                         + section_data_bytes
+ *                         + footer_32_bytes
+ */
+function computeSigningDigest(header, sectionData, footer) {
+    // Strip signature field from header for digest computation
+    const stripped = { ...header };
+    delete stripped.signature;
+    const canonical = Buffer.from(canonicalJson(stripped), 'utf-8');
+    return createHash('sha256')
+        .update(canonical)
+        .update(sectionData)
+        .update(footer)
+        .digest();
+}
+/** Convert a Buffer or PEM string into a KeyObject. */
+function toPrivateKeyObject(key) {
+    const pem = Buffer.isBuffer(key) ? key.toString('utf-8') : key;
+    return createPrivateKey(pem);
+}
+/** Convert a Buffer or PEM string into a KeyObject. */
+function toPublicKeyObject(key) {
+    const pem = Buffer.isBuffer(key) ? key.toString('utf-8') : key;
+    return createPublicKey(pem);
+}
+/**
+ * Rebuild the RVFA binary with an updated header.
+ *
+ * Preserves the original preamble version, recalculates header length,
+ * and keeps section data and footer intact.
+ */
+function rebuildRvfa(originalBuf, newHeader, sectionData, footer) {
+    const headerJson = Buffer.from(JSON.stringify(newHeader), 'utf-8');
+    // Preamble: magic + version + new header length
+    const preamble = Buffer.alloc(PREAMBLE_SIZE);
+    originalBuf.copy(preamble, 0, 0, 8); // magic + version unchanged
+    preamble.writeUInt32LE(headerJson.length, 8);
+    return Buffer.concat([preamble, headerJson, sectionData, footer]);
+}
+// ── RvfaSigner ───────────────────────────────────────────────
+/**
+ * Signs RVFA appliance files and data with Ed25519.
+ */
+export class RvfaSigner {
+    keyObj;
+    fingerprint;
+    constructor(privateKey) {
+        this.keyObj = toPrivateKeyObject(privateKey);
+        // Derive public key to compute fingerprint
+        const pubPem = createPublicKey(this.keyObj)
+            .export({ type: 'spki', format: 'pem' });
+        this.fingerprint = computeFingerprint(pubPem);
+    }
+    /**
+     * Sign an RVFA appliance file in-place.
+     *
+     * Algorithm:
+     *  1. Read and parse the RVFA binary
+     *  2. Strip any existing signature from the header
+     *  3. Compute SHA256 of [canonical_header + section_data + footer]
+     *  4. Sign the digest with Ed25519
+     *  5. Embed signature metadata into the header
+     *  6. Write the updated binary back to the file
+     *
+     * @param rvfaPath   Path to the .rvf appliance file.
+     * @param signedBy   Optional publisher name.
+     * @returns The signature metadata that was embedded.
+     */
+    async signAppliance(rvfaPath, signedBy) {
+        const buf = await readFile(rvfaPath);
+        const { header, sectionData, footer } = parseRvfaBinary(buf);
+        // Compute digest over header (without signature) + sections + footer
+        const digest = computeSigningDigest(header, sectionData, footer);
+        // Ed25519 sign
+        const sig = sign(null, digest, this.keyObj);
+        const metadata = {
+            algorithm: 'ed25519',
+            publicKeyFingerprint: this.fingerprint,
+            signature: sig.toString('hex'),
+            signedAt: new Date().toISOString(),
+            signedBy,
+            scope: 'full',
+        };
+        // Embed signature in header and rebuild
+        header.signature = metadata;
+        const rebuilt = rebuildRvfa(buf, header, sectionData, footer);
+        await writeFile(rvfaPath, rebuilt);
+        return metadata;
+    }
+    /**
+     * Sign a section footer hash (detached signature).
+     *
+     * @param footerHash  The 32-byte SHA256 footer hash from an RVFA file.
+     * @returns Hex-encoded Ed25519 signature.
+     */
+    async signSections(footerHash) {
+        if (footerHash.length !== SHA256_SIZE) {
+            throw new Error(`Footer hash must be ${SHA256_SIZE} bytes, got ${footerHash.length}`);
+        }
+        const sig = sign(null, footerHash, this.keyObj);
+        return sig.toString('hex');
+    }
+    /**
+     * Sign an RVFP patch file (detached signature).
+     *
+     * @param patchData  The raw patch binary data.
+     * @returns Hex-encoded Ed25519 signature.
+     */
+    async signPatch(patchData) {
+        const digest = createHash('sha256').update(patchData).digest();
+        const sig = sign(null, digest, this.keyObj);
+        return sig.toString('hex');
+    }
+}
+// ── RvfaVerifier ─────────────────────────────────────────────
+/**
+ * Verifies Ed25519 signatures on RVFA appliance files and data.
+ */
+export class RvfaVerifier {
+    keyObj;
+    fingerprint;
+    constructor(publicKey) {
+        this.keyObj = toPublicKeyObject(publicKey);
+        const pem = Buffer.isBuffer(publicKey) ? publicKey.toString('utf-8') : publicKey;
+        this.fingerprint = computeFingerprint(pem);
+    }
+    /**
+     * Verify the Ed25519 signature embedded in an RVFA appliance file.
+     *
+     * @param rvfaPath  Path to the .rvf appliance file.
+     * @returns Verification result with details and any errors.
+     */
+    async verifyAppliance(rvfaPath) {
+        const errors = [];
+        let buf;
+        try {
+            buf = await readFile(rvfaPath);
+        }
+        catch (err) {
+            return { valid: false, errors: [`Failed to read file: ${err.message}`] };
+        }
+        let parsed;
+        try {
+            parsed = parseRvfaBinary(buf);
+        }
+        catch (err) {
+            return { valid: false, errors: [`Invalid RVFA file: ${err.message}`] };
+        }
+        const { header, sectionData, footer } = parsed;
+        // Extract signature metadata from header
+        const sigRaw = header.signature;
+        if (!sigRaw || typeof sigRaw !== 'object') {
+            return { valid: false, errors: ['No signature found in RVFA header'] };
+        }
+        const sigMeta = sigRaw;
+        if (sigMeta.algorithm !== 'ed25519') {
+            errors.push(`Unsupported algorithm: ${String(sigMeta.algorithm)}`);
+            return { valid: false, errors };
+        }
+        if (typeof sigMeta.signature !== 'string' || !sigMeta.signature) {
+            errors.push('Signature field is missing or empty');
+            return { valid: false, errors };
+        }
+        // Recompute the digest the same way the signer did
+        const digest = computeSigningDigest(header, sectionData, footer);
+        // Verify
+        let sigBuf;
+        try {
+            sigBuf = Buffer.from(sigMeta.signature, 'hex');
+        }
+        catch {
+            errors.push('Signature is not valid hex');
+            return { valid: false, errors };
+        }
+        let valid;
+        try {
+            valid = verify(null, digest, this.keyObj, sigBuf);
+        }
+        catch (err) {
+            errors.push(`Verification error: ${err.message}`);
+            return { valid: false, errors };
+        }
+        if (!valid) {
+            errors.push('Ed25519 signature verification failed: data may be tampered');
+        }
+        return {
+            valid,
+            signerFingerprint: sigMeta.publicKeyFingerprint,
+            signedAt: sigMeta.signedAt,
+            signedBy: sigMeta.signedBy,
+            errors,
+        };
+    }
+    /**
+     * Verify a detached Ed25519 signature over arbitrary data.
+     *
+     * @param data       The data that was signed.
+     * @param signature  Hex-encoded Ed25519 signature.
+     */
+    async verifyDetached(data, signature) {
+        const digest = createHash('sha256').update(data).digest();
+        const sigBuf = Buffer.from(signature, 'hex');
+        return verify(null, digest, this.keyObj, sigBuf);
+    }
+    /**
+     * Verify an RVFP patch file signature.
+     *
+     * @param patchData  The raw patch binary data.
+     * @param signature  Hex-encoded Ed25519 signature.
+     */
+    async verifyPatch(patchData, signature) {
+        const digest = createHash('sha256').update(patchData).digest();
+        const sigBuf = Buffer.from(signature, 'hex');
+        return verify(null, digest, this.keyObj, sigBuf);
+    }
+}
+//# sourceMappingURL=rvfa-signing.js.map

package/dist/src/appliance/rvfa-signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rvfa-signing.js","sourceRoot":"","sources":["../../../src/appliance/rvfa-signing.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,mBAAmB,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAC7C,eAAe,EAAE,gBAAgB,GAElC,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAG3E,gEAAgE;AAEhE,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC,wCAAwC;AAClE,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,aAAa,GAAG,KAAK,CAAC;AA2B5B,gEAAgE;AAEhE,iFAAiF;AACjF,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC;SAC7B,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,EAAE;QAC/D,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAmB,EAAE,OAAO,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAoB,EAAE,OAAO,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,kBAAkB,CAAC,SAAmB,CAAC,CAAC;IAE5D,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;AACjE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,GAAW,EACX,IAAI,GAAG,cAAc;IAErB,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEtC,MAAM,OAAO,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IAEtC,MAAM,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAEvE,wEAAwE;IACxE,MAAM,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAErC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,IAAI,GAAG,cAAc;IAErB,MAAM,OAAO,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IAEtC,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE5C,+CAA+C;IAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,GAAG,KAAK,CAAC;IACnC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CACV,uCAAuC,QAAQ,wBAAwB;YACvE,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,kCAAkC,QAAQ,EAAE,CACjE,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,kBAAkB,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY;IAC9C,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,gEAAgE;AAEhE;;;GAGG;AACH,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACzC,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5F,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;gBACnE,MAAM,CAAC,CAAC,CAAC,GAAI,GAA+B,CAAC,CAAC,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,GAAW;IAOlC,IAAI,GAAG,CAAC,MAAM,GAAG,aAAa,GAAG,WAAW,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,6CAA6C,KAAK,GAAG,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,WAAW,GAAG,aAAa,CAAC;IAClC,MAAM,SAAS,GAAG,WAAW,GAAG,SAAS,CAAC;IAE1C,IAAI,SAAS,GAAG,GAAG,CAAC,MAAM,GAAG,WAAW,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC1E,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAA4B,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC;IACtD,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC;IAEtE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;AACjE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,oBAAoB,CAC3B,MAA+B,EAC/B,WAAmB,EACnB,MAAc;IAEd,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IAC/B,OAAO,QAAQ,CAAC,SAAS,CAAC;IAE1B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;IAEhE,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,WAAW,CAAC;SACnB,MAAM,CAAC,MAAM,CAAC;SACd,MAAM,EAAE,CAAC;AACd,CAAC;AAED,uDAAuD;AACvD,SAAS,kBAAkB,CAAC,GAAoB;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC/D,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,uDAAuD;AACvD,SAAS,iBAAiB,CAAC,GAAoB;IAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC/D,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAClB,WAAmB,EACnB,SAAkC,EAClC,WAAmB,EACnB,MAAc;IAEd,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,CAAC;IAEnE,gDAAgD;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC7C,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;IACjE,QAAQ,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE7C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,gEAAgE;AAEhE;;GAEG;AACH,MAAM,OAAO,UAAU;IACJ,MAAM,CAAY;IAClB,WAAW,CAAS;IAErC,YAAY,UAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAE7C,2CAA2C;QAC3C,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;aACxC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;QACrD,IAAI,CAAC,WAAW,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,QAAiB;QACrD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAE7D,qEAAqE;QACrE,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAEjE,eAAe;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAsB;YAClC,SAAS,EAAE,SAAS;YACpB,oBAAoB,EAAE,IAAI,CAAC,WAAW;YACtC,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC9B,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,QAAQ;YACR,KAAK,EAAE,MAAM;SACd,CAAC;QAEF,wCAAwC;QACxC,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC5B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEnC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,uBAAuB,WAAW,eAAe,UAAU,CAAC,MAAM,EAAE,CACrE,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,SAAiB;QAC/B,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,gEAAgE;AAEhE;;GAEG;AACH,MAAM,OAAO,YAAY;IACN,MAAM,CAAY;IAClB,WAAW,CAAS;IAErC,YAAY,SAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACjF,IAAI,CAAC,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe,CAAC,QAAgB;QACpC,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,wBAAyB,GAAa,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QACtF,CAAC;QAED,IAAI,MAA0C,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,sBAAuB,GAAa,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QACpF,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;QAE/C,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,mCAAmC,CAAC,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,OAAO,GAAG,MAAiC,CAAC;QAClD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YAChE,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,mDAAmD;QACnD,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAEjE,SAAS;QACT,IAAI,MAAc,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAmB,EAAE,KAAK,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,KAAc,CAAC;QACnB,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;QAC7E,CAAC;QAED,OAAO;YACL,KAAK;YACL,iBAAiB,EAAE,OAAO,CAAC,oBAA0C;YACrE,QAAQ,EAAE,OAAO,CAAC,QAA8B;YAChD,QAAQ,EAAE,OAAO,CAAC,QAA8B;YAChD,MAAM;SACP,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,IAAY,EAAE,SAAiB;QAClD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,SAAiB,EAAE,SAAiB;QACpD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;CACF"}

package/dist/src/commands/agent.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../../../src/commands/agent.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,aAAa,CAAC;AAm3B1E,eAAO,MAAM,YAAY,EAAE,OA8B1B,CAAC;AAoCF,eAAe,YAAY,CAAC"}
+{"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../../../src/commands/agent.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,aAAa,CAAC;AA49B1E,eAAO,MAAM,YAAY,EAAE,OA8B1B,CAAC;AAoCF,eAAe,YAAY,CAAC"}

package/dist/src/commands/agent.js

@@ -5,6 +5,40 @@
 import { output } from '../output.js';
 import { select, confirm, input } from '../prompt.js';
 import { callMCPTool, MCPClientError } from '../mcp-client.js';
+import * as fs from 'fs';
+import * as path from 'path';
+/**
+ * Update swarm-activity.json metrics after agent count changes.
+ * The statusline reads this file to display the swarm agent count.
+ */
+function updateSwarmActivityMetrics(agentCountDelta) {
+    try {
+        const metricsDir = path.join(process.cwd(), '.claude-flow', 'metrics');
+        const activityPath = path.join(metricsDir, 'swarm-activity.json');
+        let data = {
+            timestamp: new Date().toISOString(),
+            swarm: { active: false, agent_count: 0, coordination_active: false },
+        };
+        if (fs.existsSync(activityPath)) {
+            data = JSON.parse(fs.readFileSync(activityPath, 'utf-8'));
+        }
+        else {
+            fs.mkdirSync(metricsDir, { recursive: true });
+        }
+        const swarm = data.swarm ?? {};
+        const currentCount = Math.max(0, swarm.agent_count || 0);
+        const newCount = Math.max(0, currentCount + agentCountDelta);
+        swarm.agent_count = newCount;
+        swarm.active = newCount > 0;
+        swarm.coordination_active = newCount > 0;
+        data.swarm = swarm;
+        data.timestamp = new Date().toISOString();
+        fs.writeFileSync(activityPath, JSON.stringify(data, null, 2));
+    }
+    catch {
+        // Non-critical — don't fail the command if metrics update fails
+    }
+}
 // Available agent types with descriptions
 const AGENT_TYPES = [
     { value: 'coder', label: 'Coder', hint: 'Code development with neural patterns' },
@@ -130,6 +164,8 @@ const spawnCommand = {
             });
             output.writeln();
             output.printSuccess(`Agent ${agentName} spawned successfully`);
+            // Update swarm-activity.json so statusline reflects the new agent count
+            updateSwarmActivityMetrics(1);
             if (ctx.flags.format === 'json') {
                 output.printJson(result);
             }
@@ -350,6 +386,8 @@ const stopCommand = {
                 output.writeln(output.dim('  Releasing resources...'));
             }
             output.printSuccess(`Agent ${agentId} stopped successfully`);
+            // Update swarm-activity.json so statusline reflects the reduced agent count
+            updateSwarmActivityMetrics(-1);
             if (ctx.flags.format === 'json') {
                 output.printJson(result);
             }
@@ -382,26 +420,86 @@ const metricsCommand = {
     action: async (ctx) => {
         const agentId = ctx.args[0];
         const period = ctx.flags.period;
-        // Default metrics (updated by MCP agent/metrics when available)
+        // Collect real metrics from .swarm/ state
+        const { existsSync, readFileSync, readdirSync, statSync } = await import('fs');
+        const { join } = await import('path');
+        let totalAgents = 0;
+        let activeAgents = 0;
+        let tasksCompleted = 0;
+        const typeCounts = {};
+        // Read swarm agent state
+        const swarmDir = join(process.cwd(), '.swarm');
+        const agentsDir = join(swarmDir, 'agents');
+        if (existsSync(agentsDir)) {
+            try {
+                const files = readdirSync(agentsDir).filter(f => f.endsWith('.json'));
+                for (const file of files) {
+                    try {
+                        const data = JSON.parse(readFileSync(join(agentsDir, file), 'utf-8'));
+                        totalAgents++;
+                        const agType = data.type || 'unknown';
+                        if (!typeCounts[agType])
+                            typeCounts[agType] = { count: 0, tasks: 0, success: 0 };
+                        typeCounts[agType].count++;
+                        if (data.status === 'active' || data.status === 'running')
+                            activeAgents++;
+                        if (data.tasksCompleted) {
+                            typeCounts[agType].tasks += data.tasksCompleted;
+                            tasksCompleted += data.tasksCompleted;
+                        }
+                        if (data.successCount)
+                            typeCounts[agType].success += data.successCount;
+                    }
+                    catch { /* skip malformed */ }
+                }
+            }
+            catch { /* no agents dir */ }
+        }
+        // Read swarm activity for additional state
+        const activityFile = join(swarmDir, 'swarm-activity.json');
+        if (existsSync(activityFile)) {
+            try {
+                const activity = JSON.parse(readFileSync(activityFile, 'utf-8'));
+                if (activity.totalAgents && totalAgents === 0)
+                    totalAgents = activity.totalAgents;
+                if (activity.activeAgents && activeAgents === 0)
+                    activeAgents = activity.activeAgents;
+            }
+            catch { /* ignore */ }
+        }
+        // Read memory.db stats
+        let vectorCount = 0;
+        const dbPath = join(swarmDir, 'memory.db');
+        if (existsSync(dbPath)) {
+            try {
+                const dbSize = statSync(dbPath).size;
+                vectorCount = Math.floor(dbSize / 2048);
+            }
+            catch { /* ignore */ }
+        }
+        const byType = Object.entries(typeCounts).map(([type, data]) => ({
+            type,
+            count: data.count,
+            tasks: data.tasks,
+            successRate: data.tasks > 0 ? `${Math.round((data.success / data.tasks) * 100)}%` : 'N/A'
+        }));
+        const avgSuccessRate = tasksCompleted > 0
+            ? `${Math.round(Object.values(typeCounts).reduce((a, d) => a + d.success, 0) / tasksCompleted * 100)}%`
+            : 'N/A';
         const metrics = {
             period,
             summary: {
-                totalAgents: 4,
-                activeAgents: 3,
-                tasksCompleted: 127,
-                avgSuccessRate: '96.2%',
-                totalTokens: 1234567,
-                avgResponseTime: '1.45s'
+                totalAgents,
+                activeAgents,
+                tasksCompleted,
+                avgSuccessRate,
+                vectorCount,
+                note: totalAgents === 0 ? 'No agents spawned yet. Use: agent spawn -t coder' : undefined
             },
-            byType: [
-                { type: 'coder', count: 2, tasks: 45, successRate: '97%' },
-                { type: 'researcher', count: 1, tasks: 32, successRate: '95%' },
-                { type: 'tester', count: 1, tasks: 50, successRate: '98%' }
-            ],
+            byType,
             performance: {
-                flashAttention: '2.8x speedup',
-                memoryReduction: '52%',
-                searchImprovement: '150x faster'
+                memoryVectors: `${vectorCount} vectors`,
+                searchBackend: vectorCount > 0 ? 'HNSW-indexed' : 'none'
             }
         };
         if (ctx.flags.format === 'json') {
@@ -421,8 +519,7 @@ const metricsCommand = {
                 { metric: 'Active Agents', value: metrics.summary.activeAgents },
                 { metric: 'Tasks Completed', value: metrics.summary.tasksCompleted },
                 { metric: 'Success Rate', value: metrics.summary.avgSuccessRate },
-                { metric: 'Total Tokens', value: metrics.summary.totalTokens.toLocaleString() },
-                { metric: 'Avg Response Time', value: metrics.summary.avgResponseTime }
+                { metric: 'Memory Vectors', value: metrics.summary.vectorCount }
             ]
         });
         output.writeln();
@@ -436,12 +533,15 @@ const metricsCommand = {
             ],
             data: metrics.byType
         });
+        if (metrics.summary.note) {
+            output.writeln();
+            output.writeln(output.dim(metrics.summary.note));
+        }
         output.writeln();
-        output.writeln(output.bold('V3 Performance Gains'));
+        output.writeln(output.bold('Memory'));
         output.printList([
-            `Flash Attention: ${output.success(metrics.performance.flashAttention)}`,
-            `Memory Reduction: ${output.success(metrics.performance.memoryReduction)}`,
-            `Search: ${output.success(metrics.performance.searchImprovement)}`
+            `Vectors: ${output.success(metrics.performance.memoryVectors)}`,
+            `Backend: ${output.success(metrics.performance.searchBackend)}`
         ]);
         return { success: true, data: metrics };
     }