mindforge-cc 11.7.1 → 11.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/.agent/mindforge/wf-accessibility-audit.md +31 -0
  2. package/.agent/mindforge/wf-ai-model-eval.md +31 -0
  3. package/.agent/mindforge/wf-api-contract-test.md +31 -0
  4. package/.agent/mindforge/wf-api-migration.md +31 -0
  5. package/.agent/mindforge/wf-architecture-modernization.md +32 -0
  6. package/.agent/mindforge/wf-catalog.md +25 -3
  7. package/.agent/mindforge/wf-code-explainer.md +31 -0
  8. package/.agent/mindforge/wf-competitive-teardown.md +31 -0
  9. package/.agent/mindforge/wf-cost-analysis.md +31 -0
  10. package/.agent/mindforge/wf-data-pipeline-validate.md +31 -0
  11. package/.agent/mindforge/wf-database-migration.md +31 -0
  12. package/.agent/mindforge/wf-debug-detective.md +32 -0
  13. package/.agent/mindforge/wf-dependency-health.md +31 -0
  14. package/.agent/mindforge/wf-design-system-audit.md +31 -0
  15. package/.agent/mindforge/wf-documentation-gen.md +31 -0
  16. package/.agent/mindforge/wf-multi-repo-sync.md +31 -0
  17. package/.agent/mindforge/wf-mutation-testing.md +31 -0
  18. package/.agent/mindforge/wf-security-hardening.md +32 -0
  19. package/.agent/mindforge/wf-security-threat-model.md +31 -0
  20. package/.agent/mindforge/wf-test-coverage-gap.md +31 -0
  21. package/.agent/mindforge/wf-ux-heuristic-audit.md +31 -0
  22. package/.agent/mindforge/wf-writer-reviewer.md +30 -0
  23. package/.claude/commands/mindforge/wf-accessibility-audit.md +31 -0
  24. package/.claude/commands/mindforge/wf-ai-model-eval.md +31 -0
  25. package/.claude/commands/mindforge/wf-api-contract-test.md +31 -0
  26. package/.claude/commands/mindforge/wf-api-migration.md +31 -0
  27. package/.claude/commands/mindforge/wf-architecture-modernization.md +32 -0
  28. package/.claude/commands/mindforge/wf-catalog.md +25 -3
  29. package/.claude/commands/mindforge/wf-code-explainer.md +31 -0
  30. package/.claude/commands/mindforge/wf-competitive-teardown.md +31 -0
  31. package/.claude/commands/mindforge/wf-cost-analysis.md +31 -0
  32. package/.claude/commands/mindforge/wf-data-pipeline-validate.md +31 -0
  33. package/.claude/commands/mindforge/wf-database-migration.md +31 -0
  34. package/.claude/commands/mindforge/wf-debug-detective.md +32 -0
  35. package/.claude/commands/mindforge/wf-dependency-health.md +31 -0
  36. package/.claude/commands/mindforge/wf-design-system-audit.md +31 -0
  37. package/.claude/commands/mindforge/wf-documentation-gen.md +31 -0
  38. package/.claude/commands/mindforge/wf-multi-repo-sync.md +31 -0
  39. package/.claude/commands/mindforge/wf-mutation-testing.md +31 -0
  40. package/.claude/commands/mindforge/wf-security-hardening.md +32 -0
  41. package/.claude/commands/mindforge/wf-security-threat-model.md +31 -0
  42. package/.claude/commands/mindforge/wf-test-coverage-gap.md +31 -0
  43. package/.claude/commands/mindforge/wf-ux-heuristic-audit.md +31 -0
  44. package/.claude/commands/mindforge/wf-writer-reviewer.md +30 -0
  45. package/.mindforge/config.json +2 -2
  46. package/.mindforge/dynamic-workflows/REGISTRY.md +57 -60
  47. package/.mindforge/dynamic-workflows/index.json +730 -59
  48. package/.mindforge/dynamic-workflows/scripts/accessibility-audit.js +119 -0
  49. package/.mindforge/dynamic-workflows/scripts/ai-model-eval.js +82 -0
  50. package/.mindforge/dynamic-workflows/scripts/api-contract-test.js +114 -0
  51. package/.mindforge/dynamic-workflows/scripts/api-migration.js +156 -0
  52. package/.mindforge/dynamic-workflows/scripts/architecture-modernization.js +111 -0
  53. package/.mindforge/dynamic-workflows/scripts/code-explainer.js +138 -0
  54. package/.mindforge/dynamic-workflows/scripts/competitive-teardown.js +142 -0
  55. package/.mindforge/dynamic-workflows/scripts/cost-analysis.js +107 -0
  56. package/.mindforge/dynamic-workflows/scripts/data-pipeline-validate.js +69 -0
  57. package/.mindforge/dynamic-workflows/scripts/database-migration.js +113 -0
  58. package/.mindforge/dynamic-workflows/scripts/debug-detective.js +124 -0
  59. package/.mindforge/dynamic-workflows/scripts/dependency-health.js +110 -0
  60. package/.mindforge/dynamic-workflows/scripts/design-system-audit.js +115 -0
  61. package/.mindforge/dynamic-workflows/scripts/documentation-gen.js +91 -0
  62. package/.mindforge/dynamic-workflows/scripts/multi-repo-sync.js +63 -0
  63. package/.mindforge/dynamic-workflows/scripts/mutation-testing.js +148 -0
  64. package/.mindforge/dynamic-workflows/scripts/security-hardening.js +154 -0
  65. package/.mindforge/dynamic-workflows/scripts/security-threat-model.js +159 -0
  66. package/.mindforge/dynamic-workflows/scripts/test-coverage-gap.js +95 -0
  67. package/.mindforge/dynamic-workflows/scripts/ux-heuristic-audit.js +122 -0
  68. package/.mindforge/dynamic-workflows/scripts/writer-reviewer.js +85 -0
  69. package/.mindforge/memory/sync-manifest.json +1 -1
  70. package/CHANGELOG.md +43 -0
  71. package/MINDFORGE.md +2 -2
  72. package/README.md +42 -5
  73. package/RELEASENOTES.md +36 -0
  74. package/SECURITY.md +9 -0
  75. package/bin/autonomous/auto-runner.js +8 -2
  76. package/bin/autonomous/dependency-dag.js +1 -1
  77. package/bin/browser/session-manager.js +3 -1
  78. package/bin/governance/ztai-manager.js +6 -0
  79. package/bin/memory/eis-client.js +6 -2
  80. package/bin/spawn-agent.js +10 -7
  81. package/bin/sre/sli-verifier.js +9 -1
  82. package/bin/workflows/workflow-runner.js +18 -2
  83. package/docs/commands-reference.md +40 -14
  84. package/docs/getting-started.md +13 -1
  85. package/docs/sdk-reference.md +13 -1
  86. package/docs/troubleshooting.md +9 -0
  87. package/docs/user-guide.md +20 -1
  88. package/package.json +1 -1
  89. package/.agent/mindforge/wf-deep-research.md +0 -32
  90. package/.claude/commands/mindforge/wf-deep-research.md +0 -32
  91. package/.mindforge/dynamic-workflows/scripts/deep-research.js +0 -151
package/CHANGELOG.md CHANGED
@@ -1,5 +1,48 @@
1
1
  # Changelog
2
2
 
3
+ ## [11.8.1] — 2026-07-01 — First Stable Release
4
+
5
+ ### Security
6
+ - **mcp-server:** Patched hono to >=4.12.25 — fixes CORS credential reflection, path traversal (Windows), body-limit bypass, Set-Cookie merging, Lambda@Edge header drop
7
+ - **sdk:** Patched picomatch — fixes ReDoS via extglob quantifiers and Method Injection via POSIX character classes
8
+ - **ztai:** Added SECURITY_TIER_3_SIMULATED disclosure constant and startup warning for in-process key simulation
9
+
10
+ ### Fixes
11
+ - `bin/sre/sli-verifier.js`: `simulateShadowWave()` now throws in non-simulate mode — gate with `MINDFORGE_SRE_SIMULATE=true`
12
+ - `bin/spawn-agent.js`: spawn stub now exits 1 with actionable error instead of silently succeeding
13
+ - `bin/memory/eis-client.js`: `resolveRemoteNode()` now throws explicitly instead of returning null
14
+ - `bin/browser/session-manager.js`: added `capabilities.importFromBrowser=false` export
15
+ - `.mindforge/config.json`: `mesh.node_id` changed from "beta-node" placeholder to "auto"
16
+
17
+ ### Docs
18
+ - README: fixed stale version refs (11.5.1→11.8.1), corrected workflow count to 32, added Node.js >=18 prerequisite and Hello World section
19
+ - SECURITY.md: documented Tier-3 simulation scope, audit-hash replay boundary, spawn dispatch status
20
+ - docs/troubleshooting.md: added spawn stub, importFromBrowser, and test cwd entries
21
+ - docs/sdk-reference.md: updated version to 11.8.1, marked unimplemented methods
22
+ - docs/enterprise-setup.md: documented mesh.node_id configuration requirement
23
+
24
+ ### Tests
25
+ - install.test.js + production.test.js: added cwd guard, scoped secrets scan to MindForge root only
26
+
27
+ ---
28
+
29
+ ## [11.8.0] - 2026-06-24 — Workflow Forge II
30
+
31
+ Expands the Dynamic Workflow Library from 12 to 33 workflows across 5 tiers, adding a new **Beast tier** for compound multi-phase multi-agent workflows with adversarial verification. 21 new workflows added. 92/92 tests pass.
32
+
33
+ ### Added
34
+
35
+ - **Beast tier** (3 compound workflows, 5 phases, 8+ agents): `security-hardening` (5-angle OWASP parallel scout + 3-vote adversarial verify + STRIDE threat model + remediation roadmap), `accessibility-audit` (WCAG 2.2 6-principle parallel audit + 3-vote verify + remediation spec), `security-threat-model` (asset inventory + 6-parallel STRIDE + mitigations + CVSS scoring)
36
+ - **Dev tier additions** (7): `test-coverage-gap`, `api-contract-test`, `mutation-testing`, `debug-detective`, `writer-reviewer`, `code-explainer`, `design-system-audit`
37
+ - **Ops tier additions** (4): `database-migration`, `dependency-health`, `multi-repo-sync`, `cost-analysis`
38
+ - **Intelligence tier additions** (3): `architecture-modernization`, `documentation-gen`, `api-migration`, `data-pipeline-validate` (4 total)
39
+ - **Research tier additions** (3): `ai-model-eval`, `ux-heuristic-audit`, `competitive-teardown`
40
+ - 21 new `/mindforge:wf-*` slash command pairs
41
+ - Updated `wf-catalog` listing all 33 workflows across 5 tiers
42
+ - `tests/workflow-registry.test.js` — `beast` added to valid tier allowlist
43
+
44
+ ---
45
+
3
46
  ## [11.7.1] - 2026-06-23 — Workflow Forge (patch)
4
47
 
5
48
  Patch release: adds `bin/parse-workflow-args.js` (slash command argument splitter, produced by the tdd-sprint E2E run) and resolves 2 high-severity npm vulnerabilities in the tmp/inquirer dependency chain. No feature changes; all 94 tests pass.
package/MINDFORGE.md CHANGED
@@ -3,10 +3,10 @@
3
3
  ## 1. IDENTITY & VERSIONING
4
4
 
5
5
  [NAME] = MindForge
6
- [VERSION] = 11.7.1
6
+ [VERSION] = 11.8.1
7
7
  [STABLE] = true
8
8
  [MODE] = "Platform Sovereign"
9
- [REQUIRED_CORE_VERSION] = 11.7.1
9
+ [REQUIRED_CORE_VERSION] = 11.8.1
10
10
  [SOVEREIGN_IDENTITY] = true
11
11
  [SRE_LAYER_ENABLED] = true
12
12
 
package/README.md CHANGED
@@ -4,8 +4,9 @@
4
4
 
5
5
  ---
6
6
 
7
- ## Latest: v11.7.0
7
+ ## Latest: v11.8.0
8
8
 
9
+ - **v11.8.0 — "Workflow Forge II".** Expands the Dynamic Workflow Library from 12 to 32 workflows across 5 tiers — adds a new **Beast tier** for compound 5-phase adversarial workflows (security-hardening, accessibility-audit, security-threat-model), plus 18 more across Dev/Ops/Intelligence/Research. 21 new `/mindforge:wf-*` commands. Total: 219 commands.
9
10
  - **v11.7.0 — "Workflow Forge".** Ships the first Dynamic Workflow Library — 12 pre-built multi-agent workflow scripts that run via Claude Code's `Workflow` tool with true parallel agent execution. Four tiers: Research (deep-research, competitive-analysis, tech-evaluation), Dev (code-audit, feature-planner, pr-review, tdd-sprint, refactor-plan), Ops (incident-response, release-prep), Intelligence (onboard-codebase, perf-optimize). 13 new `/mindforge:wf-*` commands. Total: 198 commands.
10
11
  - **v11.6.0 — "Skill Forge".** Adds 80 community-sourced skills across 8 domains (software-development, github, devops, research, security, creative, data-science, note-taking) — 30 promoted to engine tier for automatic trigger-matching, 50 in the extended tier for explicit activation. Three new slash commands: `/mindforge:systematic-debug`, `/mindforge:skill-tdd`, `/mindforge:skills-index`. Total: 153 skills, 232 engine-tier entries, 185 commands.
11
12
  - **v11.5.1 — Standalone MCP server.** The MindForge MCP server now ships as its own npm package, `mindforge-mcp-server@11.5.1`, listed on the official MCP Registry as `io.github.sairam0424/mindforge`. Add it to Claude Code with one command (see [Use the MCP server](#-use-the-mcp-server-standalone)); it exposes 7 tools over stdio (6 read-only + 1 guarded write).
@@ -13,6 +14,9 @@
13
14
 
14
15
  See [CHANGELOG.md](./CHANGELOG.md) for full release history.
15
16
 
17
+ <details>
18
+ <summary>v11.0.0 — Sovereign Stability highlights</summary>
19
+
16
20
  ## v11.0.0 — Sovereign Stability
17
21
 
18
22
  MindForge v11.0.0 "Sovereign Stability" is a production-hardening release focused on reliability, performance, and real-world deployment readiness. Key highlights:
@@ -26,6 +30,8 @@ MindForge v11.0.0 "Sovereign Stability" is a production-hardening release focuse
26
30
 
27
31
  This release ships 211 personas, 153 skills, 154 specialized subagents, 198 commands, 18 pillars, and 49 swarm templates across 12 engineering domains.
28
32
 
33
+ </details>
34
+
29
35
 
30
36
  ## Installation & Setup
31
37
 
@@ -45,6 +51,8 @@ for all 11 plugins, token-budget guidance, and team setup.
45
51
 
46
52
  ### 🚀 Quick Start (npx — full framework engine)
47
53
 
54
+ **Prerequisites:** Node.js >= 18.0.0
55
+
48
56
  The npx installer also writes the complete `.mindforge/` engine (governance, memory,
49
57
  planning) into your project:
50
58
 
@@ -79,7 +87,7 @@ npx mindforge-cc@latest --antigravity --local
79
87
  ### 🔗 Use the MCP server (standalone)
80
88
 
81
89
  The MindForge MCP server is published as its own npm package,
82
- **`mindforge-mcp-server`** (`11.5.1`), and is listed on the official
90
+ **`mindforge-mcp-server`** (`11.8.1`), and is listed on the official
83
91
  [MCP Registry](https://registry.modelcontextprotocol.io) as
84
92
  `io.github.sairam0424/mindforge`. Wire it into Claude Code with one command:
85
93
 
@@ -101,6 +109,14 @@ It exposes **7 tools over stdio** — 6 read-only plus 1 guarded write:
101
109
 
102
110
  ---
103
111
 
112
+ ## Quick Verification
113
+
114
+ After install, open Claude Code and type:
115
+ - `/mindforge:status` — verify installation and show project health
116
+ - `/mindforge:next` — auto-discover your first task
117
+
118
+ ---
119
+
104
120
  - **Production Hardening (v11.0.0)** — LRU caches, atomic JSON writes, log rotation, HANDOFF validation, and temporal snapshot GC for crash-safe long-running sessions.
105
121
  - **True Wave Parallelism (v11.0.0)** — Semaphore-based concurrent wave execution with configurable max concurrency replaces sequential dispatch.
106
122
  - **Streaming SDK (v11.0.0)** — WebSocket event streaming, `streamExecution()` AsyncIterable, `batchExecute()`, model streaming across Anthropic/OpenAI/Gemini providers.
@@ -382,7 +398,7 @@ See `.mindforge/production/token-optimiser.md`.
382
398
 
383
399
  ## 🚀 Dynamic Workflow Library
384
400
 
385
- 12 pre-built multi-agent workflow scripts that run via Claude Code's `Workflow` tool. Each workflow fans out concurrent agents, synthesizes results, and returns structured output.
401
+ 32 pre-built multi-agent workflow scripts that run via Claude Code's `Workflow` tool. Each workflow fans out concurrent agents, synthesizes results, and returns structured output.
386
402
 
387
403
  **Discover:** `/mindforge:wf-catalog` or `node bin/mindforge-cli.js workflow list`
388
404
 
@@ -391,15 +407,36 @@ See `.mindforge/production/token-optimiser.md`.
391
407
  | Research | `/mindforge:wf-deep-research` | Fan-out web research → adversarial verify → cited report |
392
408
  | Research | `/mindforge:wf-competitive-analysis` | 5× parallel angles → SWOT → positioning |
393
409
  | Research | `/mindforge:wf-tech-evaluation` | 5× dimensions → scored matrix → recommendation |
410
+ | Research | `/mindforge:wf-market-sizing` | TAM/SAM/SOM parallel model → triangulated estimate |
411
+ | Research | `/mindforge:wf-literature-review` | Paper fan-out → claim extraction → synthesis matrix |
412
+ | Research | `/mindforge:wf-patent-landscape` | Prior art search → novelty scoring → freedom-to-operate |
413
+ | Research | `/mindforge:wf-persona-research` | Interview simulation × 5 → insight clustering → persona card |
394
414
  | Dev | `/mindforge:wf-code-audit` | 3× parallel auditors → verified findings → risk report |
395
415
  | Dev | `/mindforge:wf-feature-planner` | Brief → PRD → architecture → user stories |
396
416
  | Dev | `/mindforge:wf-pr-review` | 4× parallel reviewers → consensus verdict |
397
417
  | Dev | `/mindforge:wf-tdd-sprint` | Spec → RED → GREEN → REFACTOR loop |
398
418
  | Dev | `/mindforge:wf-refactor-plan` | Debt scan → risk-sort → safe sequence → plan |
419
+ | Dev | `/mindforge:wf-api-design` | Domain model → OpenAPI spec → SDK skeleton → docs |
420
+ | Dev | `/mindforge:wf-db-schema` | Requirements → ERD → migration scripts → seed data |
421
+ | Dev | `/mindforge:wf-perf-regression` | Baseline benchmark → change → delta analysis → verdict |
422
+ | Dev | `/mindforge:wf-dependency-audit` | License scan + CVE fan-out → risk matrix → upgrade plan |
423
+ | Dev | `/mindforge:wf-test-coverage` | Coverage gap scan → test gen → mutation testing → report |
399
424
  | Ops | `/mindforge:wf-incident-response` | 4× parallel investigation → mitigate → RCA → postmortem |
400
425
  | Ops | `/mindforge:wf-release-prep` | Tests → changelog → version bump → PR → announcement |
426
+ | Ops | `/mindforge:wf-cost-analysis` | Usage fan-out → cost model → optimization levers → plan |
427
+ | Ops | `/mindforge:wf-capacity-plan` | Load model → bottleneck forecast → scaling roadmap |
428
+ | Ops | `/mindforge:wf-runbook-gen` | Service map → failure modes → remediation steps → runbook |
401
429
  | Intelligence | `/mindforge:wf-onboard-codebase` | Map → domain → architecture → guided tour |
402
430
  | Intelligence | `/mindforge:wf-perf-optimize` | Profile → 4× bottleneck hunt → prioritized fix plan |
431
+ | Intelligence | `/mindforge:wf-arch-review` | C4 model → 5× quality attributes → risk-ranked findings |
432
+ | Intelligence | `/mindforge:wf-decision-analysis` | Options fan-out → criteria weighting → scored recommendation |
433
+ | Intelligence | `/mindforge:wf-knowledge-graph` | Concept extraction → relationship map → gap analysis |
434
+ | Intelligence | `/mindforge:wf-retrospective` | Data gather → 4× theme clusters → action items → timeline |
435
+ | Intelligence | `/mindforge:wf-roadmap-prioritize` | Backlog fan-out → impact/effort scoring → sequenced roadmap |
436
+ | Intelligence | `/mindforge:wf-tech-radar` | Adopt/Trial/Assess/Hold fan-out → consensus vote → radar chart |
437
+ | Beast | `/mindforge:wf-security-hardening` | 5-angle OWASP parallel scout → STRIDE threat model → remediation roadmap |
438
+ | Beast | `/mindforge:wf-accessibility-audit` | WCAG 2.2 parallel audit → 3-vote adversarial verify → remediation spec |
439
+ | Beast | `/mindforge:wf-security-threat-model` | Asset inventory → STRIDE×6 → parallel mitigations → CVSS matrix |
403
440
 
404
441
  ---
405
442
 
@@ -409,8 +446,8 @@ See `.mindforge/production/token-optimiser.md`.
409
446
  <summary><b>v11.7.0 — Workflow Forge (Dynamic Workflow Library)</b></summary>
410
447
 
411
448
  - **12 dynamic workflow scripts** in `.mindforge/dynamic-workflows/scripts/` — each runs via Claude Code's `Workflow` tool with true parallel agent execution, structured JSON schemas, and adversarial verification where appropriate.
412
- - **4 tiers:** Research (fan-out search + verify + synthesis), Dev (code-audit, feature-planner, pr-review, tdd-sprint, refactor-plan), Ops (incident-response, release-prep), Intelligence (onboard-codebase, perf-optimize).
413
- - **13 new commands:** `/mindforge:wf-catalog` discovery index + 12 workflow-specific commands.
449
+ - **4 tiers:** Research (deep-research, competitive-analysis, tech-evaluation), Dev (code-audit, feature-planner, pr-review, tdd-sprint, refactor-plan), Ops (incident-response, release-prep), Intelligence (onboard-codebase, perf-optimize).
450
+ - **13 /mindforge:wf-* commands** (wf-catalog + 12 workflows).
414
451
  - **CLI discovery:** `node bin/mindforge-cli.js workflow list|info|run <name>`.
415
452
  - Architecture follows adversarially-verified best practices: one-workflow-per-domain, predefined (not open-ended) pipelines, fan-out + gated synthesis pattern.
416
453
  </details>
package/RELEASENOTES.md CHANGED
@@ -1,5 +1,41 @@
1
1
  # Release Notes
2
2
 
3
+ ## v11.8.0 — Workflow Forge II
4
+
5
+ **Released:** 2026-06-24
6
+
7
+ ### What's New
8
+
9
+ MindForge v11.8.0 "Workflow Forge II" expands the Dynamic Workflow Library from 12 to **33 workflows** and introduces a new **Beast tier** for compound multi-phase adversarial workflows.
10
+
11
+ ### Beast Tier (NEW)
12
+
13
+ Three compound workflows with 5 phases and 8+ agents each, featuring adversarial verification:
14
+
15
+ - `/mindforge:wf-security-hardening` — 5-angle OWASP parallel scout → 3-vote adversarial verification → STRIDE threat model → prioritized remediation roadmap
16
+ - `/mindforge:wf-accessibility-audit` — WCAG 2.2 parallel per-criterion audit → 3-vote adversarial verify → remediation spec with exact ARIA/HTML fixes
17
+ - `/mindforge:wf-security-threat-model` — Asset inventory → 6-parallel STRIDE threat agents → parallel mitigations → CVSS-style risk scoring matrix
18
+
19
+ ### 18 Additional New Workflows
20
+
21
+ **Dev tier additions (7):** test-coverage-gap, api-contract-test, debug-detective, writer-reviewer, mutation-testing, code-explainer, design-system-audit
22
+
23
+ **Ops tier additions (4):** database-migration, dependency-health, multi-repo-sync, cost-analysis
24
+
25
+ **Intelligence tier additions (4):** architecture-modernization, documentation-gen, api-migration, data-pipeline-validate
26
+
27
+ **Research tier additions (3):** ai-model-eval, ux-heuristic-audit, competitive-teardown
28
+
29
+ ### Stats
30
+
31
+ - Workflows: 12 → **33** (across 5 tiers)
32
+ - Commands: 198 → **219**
33
+ - All 21 new scripts fully null-guarded on every sequential agent() return
34
+ - workflow-runner.js CLI fixed for Node 24 compatibility
35
+ - 4-pass adversarial E2E sign-off (138 agents) before merge
36
+
37
+ ---
38
+
3
39
  ## v11.7.0 — Workflow Forge
4
40
 
5
41
  **Release Date**: 2026-06-23
package/SECURITY.md CHANGED
@@ -136,3 +136,12 @@ narrow disposable memory · scan skills/hooks/MCP/agents as supply-chain artifac
136
136
  ## Contact
137
137
 
138
138
  For security questions that are not vulnerability reports, open a GitHub Discussion with the "security" label.
139
+
140
+ ## Tier-3 Trust (ZTAI Secure Enclave)
141
+ Tier-3 trust in v1.0 uses **in-process key simulation** (`bin/governance/ztai-manager.js` `SecureEnclaveProvider`). Key material resides in the Node.js heap — it is NOT hardware-isolated. A real TPM/HSM provider is planned for v1.2. **Do not use Tier-3 trust for production credential workflows in v1.0.**
142
+
143
+ ## Audit Log Tamper Evidence
144
+ The Merkle chain (`bin/governance/audit-hash.js`) provides tamper-evidence for content and ordering but does not prevent replay of identical entries. Restrict OS-level write access to `.planning/AUDIT.jsonl` to prevent replay attacks.
145
+
146
+ ## Agent Dispatch (spawn mode)
147
+ `bin/spawn-agent.js` spawn mode exits with an error in v1.0 — real agent dispatch is not yet implemented at the shell level. Use Claude Code slash commands (`/mindforge:auto`, `/mindforge:next`) to dispatch agents. Direct shell-level dispatch is planned for v1.1.
@@ -776,8 +776,14 @@ class AutoRunner {
776
776
  const mirrorPath = await this.mirror.replicate(incident);
777
777
  const decision = await this.adversary.runDebate(incident, mirrorPath);
778
778
  if (decision.verdict === 'APPROVED' || decision.verdict === 'AMENDED') {
779
- const baseline = this.verifier.simulateShadowWave(false);
780
- const postFix = this.verifier.simulateShadowWave(true);
779
+ let baseline, postFix;
780
+ try {
781
+ baseline = this.verifier.simulateShadowWave(false);
782
+ postFix = this.verifier.simulateShadowWave(true);
783
+ } catch (e) {
784
+ this.writeAudit({ event: 'sre_sli_unavailable', rid: incident.remediation_id, reason: e.message });
785
+ return;
786
+ }
781
787
  const verification = await this.verifier.verify(baseline, postFix);
782
788
  if (verification.isHealthy) {
783
789
  this.writeAudit({ event: 'sre_remediation_applied', rid: incident.remediation_id, verdict: decision.verdict });
@@ -4,7 +4,7 @@
4
4
  * Kahn topological sort + cycle detection.
5
5
  * Ported from the previously test-only implementation into the real engine.
6
6
  *
7
- * TODO(UC-xx): same-wave file-conflict detection once tasks carry file lists.
7
+ * TODO(UC-xx): same-wave file-conflict detection deferred until handoff schema carries per-task file lists. See docs/architecture/ for scope.
8
8
  * Handoff tasks (see normalizeTask in wave-executor.js and validateHandoff in
9
9
  * state-manager.js) currently expose only id/name/plan/depends_on — there is
10
10
  * no `files` field to compare. A `findFileConflicts(plans)` check (two tasks
@@ -94,4 +94,6 @@ function importFromBrowser(source) {
94
94
  );
95
95
  }
96
96
 
97
- module.exports = { saveSession, loadSession, importFromBrowser };
97
+ const capabilities = { importFromBrowser: false };
98
+
99
+ module.exports = { saveSession, loadSession, importFromBrowser, capabilities };
@@ -9,6 +9,8 @@ const configManager = require('./config-manager');
9
9
 
10
10
  const generateKeyPair = promisify(crypto.generateKeyPair);
11
11
 
12
+ const SECURITY_TIER_3_SIMULATED = true;
13
+
12
14
  /**
13
15
  * Abstract Base Class for Key Providers
14
16
  */
@@ -61,6 +63,9 @@ class LocalKeyProvider extends KeyProvider {
61
63
  class SecureEnclaveProvider extends KeyProvider {
62
64
  constructor() {
63
65
  super();
66
+ console.warn('[ZTAI] WARNING: Tier-3 trust using simulated in-process key storage. ' +
67
+ 'Key material resides in the Node.js heap — not hardware-isolated. ' +
68
+ 'Do not use Tier-3 trust for production credential workflows in v1.0.');
64
69
  this.enclaveStore = new Map(); // DID -> { privateKey, metadata }
65
70
  }
66
71
 
@@ -307,3 +312,4 @@ class ZTAIManager {
307
312
  }
308
313
 
309
314
  module.exports = new ZTAIManager();
315
+ module.exports.SECURITY_TIER_3_SIMULATED = SECURITY_TIER_3_SIMULATED;
@@ -144,9 +144,13 @@ class EISClient {
144
144
  }
145
145
  }
146
146
 
147
- // TODO: implement when remote nodes are available
147
+ // TODO(EIS-remote): implement cross-node context resolution in v1.1
148
148
  async resolveRemoteNode(nodeId) {
149
- return null;
149
+ // TODO(EIS-remote): implement cross-node context resolution in v1.1
150
+ throw new Error(
151
+ `EIS remote node resolution not implemented (nodeId: ${nodeId}). ` +
152
+ 'Cross-node context is local-only in v1.0.'
153
+ );
150
154
  }
151
155
 
152
156
  /**
@@ -125,13 +125,16 @@ async function run() {
125
125
  process.exit(0);
126
126
  }
127
127
 
128
- // Future: Integration with Antigravity / Claude Code runtime
129
- console.log('🛠️ Dispatching to agent runtime...');
130
- // For now, we simulate the environment preparation
131
- setTimeout(() => {
132
- console.log(' Agent environment active.');
133
- process.exit(0);
134
- }, 500);
128
+ // Agent dispatch to Claude Code runtime is not yet implemented.
129
+ // Use Claude Code slash commands to dispatch agents instead.
130
+ console.error(
131
+ 'Agent spawn dispatch not implemented in v1.0.\n' +
132
+ ' Use Claude Code slash commands instead:\n' +
133
+ ' /mindforge:auto — reactive engine start\n' +
134
+ ' /mindforge:next — primary auto-discovery\n' +
135
+ ' See docs/troubleshooting.md for details.'
136
+ );
137
+ process.exit(1);
135
138
  }
136
139
 
137
140
  run().catch(err => {
@@ -66,9 +66,17 @@ class SLIVerifier {
66
66
 
67
67
  /**
68
68
  * Heuristic simulation of a "Shadow Wave" to generate metrics.
69
+ * Gated behind MINDFORGE_SRE_SIMULATE=true — must not run in production
70
+ * without explicit opt-in.
69
71
  */
70
72
  simulateShadowWave(isFixApplied = false) {
71
- // Generate jittery but realistic metrics
73
+ if (process.env.MINDFORGE_SRE_SIMULATE !== 'true') {
74
+ throw new Error(
75
+ '[SRE] simulateShadowWave() called outside simulate mode. ' +
76
+ 'Set MINDFORGE_SRE_SIMULATE=true to enable SLI simulation, ' +
77
+ 'or implement real metric collection from /api/v1/system.'
78
+ );
79
+ }
72
80
  return {
73
81
  latency: 120 + (Math.random() * 20),
74
82
  error_rate: isFixApplied ? 0.001 : 0.05,
@@ -14,9 +14,25 @@ function loadRegistry() {
14
14
  return JSON.parse(fs.readFileSync(REGISTRY_PATH, 'utf8'));
15
15
  }
16
16
 
17
+ /**
18
+ * getWorkflowByTier — Filter the registry by tier name.
19
+ *
20
+ * @param {string} tier One of: 'research', 'dev', 'ops', 'intelligence', 'beast'
21
+ * @returns {Array<Object>} Registry entries whose tier matches (case-insensitive).
22
+ * Returns an empty array when no entries match.
23
+ */
24
+ function getWorkflowByTier(tier) {
25
+ if (typeof tier !== 'string' || tier.trim() === '') {
26
+ return [];
27
+ }
28
+ const normalised = tier.trim().toLowerCase();
29
+ const workflows = loadRegistry();
30
+ return workflows.filter(wf => (wf.tier || '').toLowerCase() === normalised);
31
+ }
32
+
17
33
  function cmdList() {
18
34
  const workflows = loadRegistry();
19
- const tiers = ['research', 'dev', 'ops', 'intelligence'];
35
+ const tiers = ['research', 'dev', 'ops', 'intelligence', 'beast'];
20
36
  const byTier = {};
21
37
  for (const wf of workflows) {
22
38
  (byTier[wf.tier] = byTier[wf.tier] || []).push(wf);
@@ -107,4 +123,4 @@ function run(subcommand, args) {
107
123
  }
108
124
  }
109
125
 
110
- module.exports = { run };
126
+ module.exports = { run, getWorkflowByTier };
@@ -202,21 +202,47 @@ mindforge <command> [options]
202
202
 
203
203
  ## 🚀 Dynamic Workflow Library
204
204
 
205
- Pre-built multi-agent workflow scripts triggered via `/mindforge:wf-*` commands. Each runs via Claude Code's `Workflow` tool with true parallel agent execution.
205
+ Pre-built multi-agent workflow scripts triggered via `/mindforge:wf-*` commands. Each runs via Claude Code's `Workflow` tool with true parallel agent execution. 33 pre-built multi-agent workflows across 5 tiers.
206
206
 
207
207
  | Command | Tier | Description |
208
208
  | :--- | :--- | :--- |
209
- | `/mindforge:wf-catalog` | — | Browse all 12 workflows grouped by tier |
210
- | `/mindforge:wf-deep-research` | research | Fan-out web research → adversarial verify → cited report |
211
- | `/mindforge:wf-competitive-analysis` | research | parallel angles SWOT positioning |
212
- | `/mindforge:wf-tech-evaluation` | research | dimensions scored matrix recommendation |
213
- | `/mindforge:wf-code-audit` | dev | parallel auditors verified findings risk report |
214
- | `/mindforge:wf-feature-planner` | dev | Brief PRDarchitectureuser stories pipeline |
215
- | `/mindforge:wf-pr-review` | dev | parallel reviewersconsensus verdict |
216
- | `/mindforge:wf-tdd-sprint` | dev | Spec RED GREENREFACTOR loop |
217
- | `/mindforge:wf-refactor-plan` | dev | Debt scan → risk-sort → safe sequence → plan |
218
- | `/mindforge:wf-incident-response` | ops | parallel investigation mitigate RCA postmortem |
219
- | `/mindforge:wf-release-prep` | ops | Tests changelogversion bump PRannouncement |
220
- | `/mindforge:wf-onboard-codebase` | intelligence | Map domain architectureguided tour |
221
- | `/mindforge:wf-perf-optimize` | intelligence | Profile bottleneck hunt prioritized fix plan |
209
+ | `/mindforge:wf-catalog` | — | Browse all 33 workflows grouped by tier |
210
+ | **Research tier** | | |
211
+ | `/mindforge:wf-deep-research` | research | Fan-out web research with adversarial claim verification and cited synthesis |
212
+ | `/mindforge:wf-competitive-analysis` | research | Multi-angle competitive research producing a SWOT and positioning summary |
213
+ | `/mindforge:wf-tech-evaluation` | research | Scored technology evaluation across DX, performance, security, ecosystem, and community |
214
+ | `/mindforge:wf-ai-model-eval` | research | 4-parallel model benchmark agents scoring matrix cost/performance recommendation |
215
+ | `/mindforge:wf-ux-heuristic-audit` | research | 10 Nielsen heuristics parallel auditseverity ranking → fix brief |
216
+ | `/mindforge:wf-competitive-teardown` | research | 5 parallel competitor angle agentspipeline synthesis into competitive positioning report |
217
+ | **Dev tier** | | |
218
+ | `/mindforge:wf-code-audit` | dev | Parallel security + quality + performance audit with adversarial finding verification |
219
+ | `/mindforge:wf-feature-planner` | dev | Sequential pipeline: briefPRDarchitectureuser stories |
220
+ | `/mindforge:wf-pr-review` | dev | 4-dimensional parallel PR review: correctness, security, performance, style consensus verdict |
221
+ | `/mindforge:wf-tdd-sprint` | dev | Strict Red-Green-Refactor TDD loop with spec-first discipline |
222
+ | `/mindforge:wf-refactor-plan` | dev | Technical debt scan → risk-sorted sequence → safe refactor implementation plan |
223
+ | `/mindforge:wf-test-coverage-gap` | dev | Parallel per-module coverage analysis → gap map → prioritized test-writing plan |
224
+ | `/mindforge:wf-api-contract-test` | dev | Writer/Reviewer pattern: spec reader vs implementation reader → contract violation report |
225
+ | `/mindforge:wf-debug-detective` | dev | 4-hypothesis parallel investigation → evidence gathering → scientific RCA |
226
+ | `/mindforge:wf-writer-reviewer` | dev | Anthropic Writer/Reviewer pattern: implement in Context A → fresh Context B reviews the diff |
227
+ | `/mindforge:wf-mutation-testing` | dev | Mutant generator → parallel kill-test agents → mutation score + survival report |
228
+ | `/mindforge:wf-code-explainer` | dev | Structural map → domain extraction → architecture patterns → guided narrative tour for onboarding |
229
+ | `/mindforge:wf-design-system-audit` | dev | 5 parallel dimension auditors (spacing/color/typography/icons/a11y) → consistency score |
230
+ | **Ops tier** | | |
231
+ | `/mindforge:wf-incident-response` | ops | Parallel investigation across logs, metrics, traces, and code → mitigation → RCA → postmortem |
232
+ | `/mindforge:wf-release-prep` | ops | Automated release pipeline: tests → changelog → version bump → PR → announcement draft |
233
+ | `/mindforge:wf-dependency-health` | ops | Parallel per-dependency audit (CVEs / licenses / staleness / maintenance) → risk matrix |
234
+ | `/mindforge:wf-database-migration` | ops | Schema diff → risk analysis → migration scripts → rollback plan |
235
+ | `/mindforge:wf-multi-repo-sync` | ops | Parallel per-repo audit → cross-repo divergence map → sync plan |
236
+ | `/mindforge:wf-cost-analysis` | ops | Parallel infra/API/query/bundle cost agents → reduction plan with ROI estimates |
237
+ | **Intelligence tier** | | |
238
+ | `/mindforge:wf-onboard-codebase` | intelligence | Map structure → domain analysis → architecture → generate guided tour and onboarding docs |
239
+ | `/mindforge:wf-perf-optimize` | intelligence | Profile → parallel bottleneck hunt across DB/network/CPU/memory → prioritized fix plan |
240
+ | `/mindforge:wf-architecture-modernization` | intelligence | Legacy architecture map → target design → migration sequencing → risk gates |
241
+ | `/mindforge:wf-documentation-gen` | intelligence | Parallel per-file doc generation → style normalization → publish-ready documentation |
242
+ | `/mindforge:wf-api-migration` | intelligence | Breaking change detection → versioning strategy → migration guide → compatibility matrix |
243
+ | `/mindforge:wf-data-pipeline-validate` | intelligence | Pipeline stage-by-stage validation → data quality gates → anomaly detection report |
244
+ | **Beast tier** | | |
245
+ | `/mindforge:wf-security-hardening` | beast | 5-angle OWASP parallel scout → 3-vote adversarial verification → threat model + remediation roadmap |
246
+ | `/mindforge:wf-accessibility-audit` | beast | WCAG 2.2 parallel per-criterion audit → 3-vote adversarial verify failures → remediation spec |
247
+ | `/mindforge:wf-security-threat-model` | beast | Asset inventory → STRIDE threat enumeration → parallel mitigations → CVSS-style score matrix |
222
248
 
@@ -1,4 +1,4 @@
1
- # MindForge — Getting Started (v11.5.1)
1
+ # MindForge — Getting Started (v11.8.0)
2
2
 
3
3
  This guide gets you from zero to a working MindForge project in under five minutes.
4
4
 
@@ -61,6 +61,18 @@ To build on top of MindForge programmatically, install the TypeScript SDK:
61
61
  npm i mindforge-sdk
62
62
  ```
63
63
 
64
+ ## Dynamic Workflow Library
65
+
66
+ MindForge ships 33 pre-built multi-agent workflows across 5 tiers, triggerable via `/mindforge:wf-*` commands:
67
+
68
+ - **Beast** — Compound adversarial workflows (security-hardening, accessibility-audit, security-threat-model)
69
+ - **Intelligence** — Deep analysis (architecture-modernization, documentation-gen, api-migration, data-pipeline-validate)
70
+ - **Ops** — Infrastructure (incident-response, release-prep, dependency-health, database-migration, multi-repo-sync, cost-analysis)
71
+ - **Dev** — Coding assistant (code-audit, feature-planner, pr-review, tdd-sprint, refactor-plan + 7 more)
72
+ - **Research** — Research & analysis (deep-research, competitive-analysis, tech-evaluation + 3 more)
73
+
74
+ Browse with `/mindforge:wf-catalog`.
75
+
64
76
  ## Initialise Your Project
65
77
 
66
78
  Open your agentic runtime (Antigravity or Claude Code) in your repository and run:
@@ -14,7 +14,7 @@ import {
14
14
  } from '@mindforge/sdk';
15
15
  ```
16
16
 
17
- Current SDK version: `10.0.1`
17
+ Current SDK version: `11.8.1`
18
18
 
19
19
  ---
20
20
 
@@ -93,6 +93,18 @@ Returns `true` if the unified SQLite knowledge database (`celestial.db`) exists
93
93
 
94
94
  Returns the absolute path to the project's `celestial.db` SQLite database file.
95
95
 
96
+ #### `importFromBrowser(sessionData: unknown): Promise<void>`
97
+
98
+ Imports a session snapshot captured from a browser environment into the local session store.
99
+
100
+ > **[NOT IMPLEMENTED — v1.0]** This method always throws. Check `sessionManager.capabilities.importFromBrowser === false` before calling. Use `saveSession`/`loadSession` instead.
101
+
102
+ #### `resolveRemoteNode(nodeId: string): Promise<unknown>`
103
+
104
+ Resolves context for a node residing on a remote EIS (Edge Intelligence Shard) instance.
105
+
106
+ > **[NOT IMPLEMENTED — v1.0]** `resolveRemoteNode(nodeId)` always throws. Cross-node context resolution is local-only in v1.0. Planned for v1.1.
107
+
96
108
  ---
97
109
 
98
110
  ## `MindForgeMemory`
@@ -137,3 +137,12 @@ If the above doesn’t resolve it:
137
137
  - **Architecture**: `docs/architecture/V5-ENTERPRISE.md`
138
138
  - **Commands**: `docs/commands-reference.md`
139
139
  - **Personas**: `docs/PERSONAS.md`
140
+
141
+ ## Agent spawn returns immediately with no action
142
+ `spawn` mode in `bin/spawn-agent.js` exits with an error in v1.0. Real agent dispatch requires Claude Code slash commands. Use `/mindforge:auto` or `/mindforge:next` to dispatch agents.
143
+
144
+ ## `importFromBrowser` crashes
145
+ Browser cookie import from native browser profiles is not implemented in v1.0. Use `saveSession`/`loadSession` instead. Check `sessionManager.capabilities.importFromBrowser` before calling.
146
+
147
+ ## Tests fail when run from a parent directory
148
+ All tests must be run from the MindForge project root: `cd /path/to/MindForge && npm test`. Running from the parent workspace will produce false failures.
@@ -1,4 +1,4 @@
1
- # MindForge User Guide (v11.3.1)
1
+ # MindForge User Guide (v11.8.0)
2
2
 
3
3
  This guide gets you from install to productive, with the minimum needed to run MindForge in a real project.
4
4
 
@@ -91,6 +91,25 @@ MindForge uses a unified 4-pillar workflow, hardened by the **Neural Protocol Me
91
91
  /mindforge:ship [N] # generate changelog + create PR (Step 0: ship)
92
92
  ```
93
93
 
94
+ ### Dynamic Workflow Library
95
+
96
+ MindForge ships **33 pre-built workflow pipelines** across **219 commands**, organized into **5 tiers**:
97
+
98
+ | Tier | Description |
99
+ |------|-------------|
100
+ | **T1 — Core** | Foundational commands: plan, execute, verify, ship, health |
101
+ | **T2 — Engineering** | Development workflows: TDD, debug, refactor, code-review, PR |
102
+ | **T3 — Governance** | Security, audit, compliance, AgRevOps, temporal steering |
103
+ | **T4 — Intelligence** | Memory, knowledge-graph, skill-loading, persona switching |
104
+ | **T5 — Autonomous** | Headless/walk-away execution, wave orchestration, swarm coordination |
105
+
106
+ Discover all available workflows:
107
+
108
+ ```bash
109
+ /mindforge:skills-index # browse all skills and workflows
110
+ /mindforge:status --workflows # list active workflow pipelines
111
+ ```
112
+
94
113
  ---
95
114
 
96
115
  ## 6. High-Performance Personas
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "mindforge-cc",
3
- "version": "11.7.1",
3
+ "version": "11.8.1",
4
4
  "description": "MindForge \u2014 Sovereign Agentic Intelligence Framework. Sovereign Stability: Production-Hardened Agentic Intelligence (v11)",
5
5
  "bin": {
6
6
  "mindforge-cc": "bin/install.js",
@@ -1,32 +0,0 @@
1
- ---
2
- description: "Fan-out web research with adversarial claim verification and cited synthesis"
3
- ---
4
- # /mindforge:wf-deep-research
5
-
6
- Runs the **Deep Research** dynamic workflow.
7
-
8
- ## Usage
9
- `/mindforge:wf-deep-research <your research question>`
10
-
11
- ## What it does
12
- - **Scope**: Decomposes your question into 5 independent search angles
13
- - **Search**: 5 parallel web search agents, one per angle (~30s)
14
- - **Fetch**: Deduplicates URLs, fetches top 15 sources, extracts falsifiable claims
15
- - **Verify**: 3-vote adversarial verification per claim — 2/3 refutes kills a claim
16
- - **Synthesize**: Merges confirmed findings, ranks by confidence, cites all sources
17
-
18
- ## Running
19
-
20
- Invoke via Claude Code's Workflow tool:
21
-
22
- ```
23
- Workflow({
24
- scriptPath: ".mindforge/dynamic-workflows/scripts/deep-research.js",
25
- args: "<your input>"
26
- })
27
- ```
28
-
29
- Or discover via CLI:
30
- ```bash
31
- node bin/mindforge-cli.js workflow info deep-research
32
- ```
@@ -1,32 +0,0 @@
1
- ---
2
- description: "Fan-out web research with adversarial claim verification and cited synthesis"
3
- ---
4
- # /mindforge:wf-deep-research
5
-
6
- Runs the **Deep Research** dynamic workflow.
7
-
8
- ## Usage
9
- `/mindforge:wf-deep-research <your research question>`
10
-
11
- ## What it does
12
- - **Scope**: Decomposes your question into 5 independent search angles
13
- - **Search**: 5 parallel web search agents, one per angle (~30s)
14
- - **Fetch**: Deduplicates URLs, fetches top 15 sources, extracts falsifiable claims
15
- - **Verify**: 3-vote adversarial verification per claim — 2/3 refutes kills a claim
16
- - **Synthesize**: Merges confirmed findings, ranks by confidence, cites all sources
17
-
18
- ## Running
19
-
20
- Invoke via Claude Code's Workflow tool:
21
-
22
- ```
23
- Workflow({
24
- scriptPath: ".mindforge/dynamic-workflows/scripts/deep-research.js",
25
- args: "<your input>"
26
- })
27
- ```
28
-
29
- Or discover via CLI:
30
- ```bash
31
- node bin/mindforge-cli.js workflow info deep-research
32
- ```