moflo 4.9.22 → 4.9.24

package/dist/src/cli/services/ephemeral-namespace-purge.js

@@ -1,49 +1,53 @@
 /**
- * Idempotent ephemeral-namespace purge for moflo's memory DB (`.moflo/moflo.db`).
+ * Idempotent session-start memory cleanup for moflo's memory DB
+ * (`.moflo/moflo.db`).
  *
- * Story #729 retired four namespaces from the persistent memory layer because
- * they store internal moflo run-tracking — not user knowledge — and embedding
- * them polluted the search index:
+ * Two passes run in a single sql.js open:
  *
- *  - `hive-mind`        (MCP broadcast traffic)
- *  - `tasklist`         (spell run records)
- *  - `epic-state`       (epic progress tracking)
- *  - `test-bridge-fix`  (single-row leftover from a one-off test)
+ * 1. **Hard-purge** namespaces in {@link PURGE_ON_SESSION_START_NAMESPACES} —
+ *    `hive-mind`, `epic-state`, `test-bridge-fix`. These store internal
+ *    run-tracking that does not need to survive a session restart. (#729)
  *
- * This service hard-deletes any rows in those namespaces left over from prior
- * moflo versions, then VACUUMs to reclaim disk. Future writes to these
- * namespaces still land in the DB — but skip embedding generation entirely
- * (see {@link EPHEMERAL_NAMESPACES} in `memory/bridge-embedder.ts`).
+ * 2. **Retention trim** the `tasklist` namespace down to the most recent
+ *    {@link TASKLIST_RETENTION_CAP} rows. `tasklist` is the dashboard's
+ *    "Flo Runs" tab data source (`daemon-dashboard.ts handleSpells`); the
+ *    pre-#968 contract hard-purged it on every session start, leaving the tab
+ *    permanently empty. Trim instead so users see recent history without
+ *    unbounded growth.
+ *
+ * Both passes share the file open + final VACUUM + atomic write, so disk I/O
+ * is the same as before. Writes back to disk only when something changed.
  *
  * Lives in `services/` so it has no dependency on the CLI command machinery.
- * That lets `bin/session-start-launcher.mjs` dynamic-import it and run the
- * purge in foreground BEFORE long-lived sql.js consumers (MCP server, daemon)
- * open the DB — sql.js dumps the whole snapshot on every flush and would
+ * That lets `bin/session-start-launcher.mjs` dynamic-import it and run in
+ * foreground BEFORE long-lived sql.js consumers (MCP server, daemon) open
+ * the DB — sql.js dumps the whole snapshot on every flush and would
  * otherwise clobber our cleanup (see #727's clobber-hazard analysis).
  *
  * @module cli/services/ephemeral-namespace-purge
  */
 /* eslint-disable @typescript-eslint/no-explicit-any */
-import { EPHEMERAL_NAMESPACES } from '../memory/bridge-embedder.js';
+import { PURGE_ON_SESSION_START_NAMESPACES, TASKLIST_RETENTION_CAP, } from '../memory/bridge-embedder.js';
 import { mofloImport } from './moflo-require.js';
 import { atomicWriteFileSync } from './atomic-file-write.js';
 import { memoryDbPath } from './moflo-paths.js';
 /**
- * Hard-delete every row whose namespace is in {@link EPHEMERAL_NAMESPACES}
- * and VACUUM. Returns `{ purged: 0 }` on the happy path: no DB, sql.js
- * unavailable, schema lacks `memory_entries`, or no ephemeral rows present.
- * Errors propagate to the caller (the launcher absorbs them so a failed
- * purge never blocks session start).
+ * Hard-delete rows in {@link PURGE_ON_SESSION_START_NAMESPACES} and trim the
+ * `tasklist` namespace to its retention cap, then VACUUM. Returns
+ * `{ purged: 0, trimmed: 0 }` on the happy path: no DB, sql.js unavailable,
+ * schema lacks `memory_entries`, or nothing to clean. Errors propagate to
+ * the caller (the launcher absorbs them so a failed purge never blocks
+ * session start).
  */
 export async function purgeEphemeralNamespaces(options = {}) {
     const fs = await import('fs');
     const path = await import('path');
     const dbPath = path.resolve(options.dbPath ?? memoryDbPath(process.cwd()));
     if (!fs.existsSync(dbPath))
-        return { purged: 0 };
+        return { purged: 0, trimmed: 0 };
     const initSqlJs = (await mofloImport('sql.js'))?.default;
     if (!initSqlJs)
-        return { purged: 0 };
+        return { purged: 0, trimmed: 0 };
     const SQL = await initSqlJs();
     const buffer = fs.readFileSync(dbPath);
     const db = new SQL.Database(buffer);
@@ -52,21 +56,45 @@ export async function purgeEphemeralNamespaces(options = {}) {
         // a no-op so we don't VACUUM unrelated SQLite files.
         const probe = db.exec(`SELECT name FROM sqlite_master WHERE type='table' AND name='memory_entries' LIMIT 1`);
         if (!probe[0]?.values?.[0])
-            return { purged: 0 };
-        const namespaces = Array.from(EPHEMERAL_NAMESPACES);
+            return { purged: 0, trimmed: 0 };
+        // Single COUNT pass to gate both DELETEs — a clean DB is the steady
+        // state and we don't want two no-op DELETEs (with their query-planner
+        // overhead) on every session start.
+        const namespaces = Array.from(PURGE_ON_SESSION_START_NAMESPACES);
+        const cap = options.tasklistRetentionCap ?? TASKLIST_RETENTION_CAP;
         const placeholders = namespaces.map(() => '?').join(', ');
-        // Single-scan delete + rowsModified: skips a redundant COUNT pass on dirty
-        // DBs and avoids the prepare/bind/step/free overhead on clean ones. VACUUM
-        // (and the disk write) only run when something was actually deleted.
-        db.run(`DELETE FROM memory_entries WHERE namespace IN (${placeholders})`, namespaces);
-        const purged = db.getRowsModified?.() ?? 0;
-        if (purged === 0)
-            return { purged: 0 };
+        const countRows = db.exec(`SELECT
+         (SELECT COUNT(*) FROM memory_entries WHERE namespace IN (${placeholders})) AS purgeable,
+         (SELECT COUNT(*) FROM memory_entries WHERE namespace = 'tasklist') AS tasklistTotal`, namespaces);
+        const counts = countRows[0]?.values?.[0] ?? [0, 0];
+        const purgeable = Number(counts[0] ?? 0);
+        const tasklistTotal = Number(counts[1] ?? 0);
+        let purged = 0;
+        if (purgeable > 0) {
+            db.run(`DELETE FROM memory_entries WHERE namespace IN (${placeholders})`, namespaces);
+            purged = db.getRowsModified?.() ?? 0;
+        }
+        let trimmed = 0;
+        if (tasklistTotal > cap) {
+            // Keep the newest `cap` rows by created_at, falling back to `id DESC`
+            // for legacy rows that predate the created_at-not-null schema (#728-era).
+            db.run(`DELETE FROM memory_entries
+         WHERE namespace = 'tasklist'
+           AND id NOT IN (
+             SELECT id FROM memory_entries
+             WHERE namespace = 'tasklist'
+             ORDER BY created_at DESC, id DESC
+             LIMIT ?
+           )`, [cap]);
+            trimmed = db.getRowsModified?.() ?? 0;
+        }
+        if (purged === 0 && trimmed === 0)
+            return { purged: 0, trimmed: 0 };
         // VACUUM has to run outside any open transaction; sql.js auto-commits
         // each `db.run`, so this is safe to chain.
         db.run('VACUUM');
         atomicWriteFileSync(dbPath, db.export());
-        return { purged };
+        return { purged, trimmed };
     }
     finally {
         db.close();

package/dist/src/cli/services/headless-worker-executor.js

@@ -2,21 +2,14 @@
  * Headless Worker Executor
  * Enables workers to invoke Claude Code in headless mode with configurable sandbox profiles.
  *
- * ADR-020: Headless Worker Integration Architecture
+ * ADR-020: Headless Worker Integration Architecture (#970 dropped the
+ * `audit`/`document`/`predict` workers — those entries from the original
+ * ADR are superseded; the rest still applies).
  * - Integrates with CLAUDE_CODE_HEADLESS and CLAUDE_CODE_SANDBOX_MODE environment variables
  * - Provides process pool for concurrent execution
  * - Builds context from file glob patterns
  * - Supports prompt templates and output parsing
  * - Implements timeout and graceful error handling
- *
- * Key Features:
- * - Process pool with configurable maxConcurrent
- * - Context building from file glob patterns with caching
- * - Prompt template system with context injection
- * - Output parsing (text, json, markdown)
- * - Timeout handling with graceful termination
- * - Execution logging for debugging
- * - Event emission for monitoring
  */
 import { spawn, execSync } from 'child_process';
 import { EventEmitter } from 'events';
@@ -27,17 +20,14 @@ import { errorDetail } from '../shared/utils/error-detail.js';
 // Constants
 // ============================================
 /**
- * Array of headless worker types for runtime checking
+ * Array of headless worker types for runtime checking.
  */
 export const HEADLESS_WORKER_TYPES = [
-    'audit',
     'optimize',
     'testgaps',
-    'document',
     'ultralearn',
     'refactor',
     'deepdive',
-    'predict',
 ];
 /**
  * Array of local worker types
@@ -57,37 +47,11 @@ const MODEL_IDS = {
     haiku: 'claude-haiku-4-5-20251001',
 };
 /**
- * Default headless worker configurations based on ADR-020
+ * Default headless worker configurations based on ADR-020 (the
+ * `audit`/`document`/`predict` entries from the original ADR were dropped
+ * in #970 — see worker-daemon.ts header for rationale).
  */
 export const HEADLESS_WORKER_CONFIGS = {
-    audit: {
-        type: 'audit',
-        mode: 'headless',
-        intervalMs: 30 * 60 * 1000,
-        priority: 'critical',
-        description: 'AI-powered security analysis',
-        enabled: true,
-        headless: {
-            promptTemplate: `Analyze this codebase for security vulnerabilities:
-- Check for hardcoded secrets (API keys, passwords)
-- Identify SQL injection risks
-- Find XSS vulnerabilities
-- Check for insecure dependencies
-- Identify authentication/authorization issues
-
-Provide a JSON report with:
-{
-  "vulnerabilities": [{ "severity": "high|medium|low", "file": "...", "line": N, "description": "..." }],
-  "riskScore": 0-100,
-  "recommendations": ["..."]
-}`,
-            sandbox: 'strict',
-            model: 'haiku',
-            outputFormat: 'json',
-            contextPatterns: ['**/*.ts', '**/*.js', '**/.env*', '**/package.json'],
-            timeoutMs: 5 * 60 * 1000,
-        },
-    },
     optimize: {
         type: 'optimize',
         mode: 'headless',
@@ -134,29 +98,6 @@ For each gap, provide a test skeleton.`,
             timeoutMs: 10 * 60 * 1000,
         },
     },
-    document: {
-        type: 'document',
-        mode: 'headless',
-        intervalMs: 120 * 60 * 1000,
-        priority: 'low',
-        description: 'AI documentation generation',
-        enabled: false,
-        headless: {
-            promptTemplate: `Generate documentation for undocumented code:
-- Add JSDoc comments to functions
-- Create README sections for modules
-- Document API endpoints
-- Add inline comments for complex logic
-- Generate usage examples
-
-Focus on public APIs and exported functions.`,
-            sandbox: 'permissive',
-            model: 'haiku',
-            outputFormat: 'markdown',
-            contextPatterns: ['src/**/*.ts'],
-            timeoutMs: 10 * 60 * 1000,
-        },
-    },
     ultralearn: {
         type: 'ultralearn',
         mode: 'headless',
@@ -232,34 +173,6 @@ Provide comprehensive report.`,
             timeoutMs: 15 * 60 * 1000,
         },
     },
-    predict: {
-        type: 'predict',
-        mode: 'headless',
-        intervalMs: 10 * 60 * 1000,
-        priority: 'low',
-        description: 'Predictive preloading',
-        enabled: false,
-        headless: {
-            promptTemplate: `Based on recent activity, predict what the developer needs:
-- Files likely to be edited next
-- Tests that should be run
-- Documentation to reference
-- Dependencies to check
-
-Provide preload suggestions as JSON:
-{
-  "filesToPreload": ["..."],
-  "testsToRun": ["..."],
-  "docsToReference": ["..."],
-  "confidence": 0.0-1.0
-}`,
-            sandbox: 'strict',
-            model: 'haiku',
-            outputFormat: 'json',
-            contextPatterns: ['.moflo/metrics/*.json'],
-            timeoutMs: 2 * 60 * 1000,
-        },
-    },
 };
 /**
  * Local worker configurations

package/dist/src/cli/services/worker-daemon.js

@@ -1,13 +1,21 @@
 /**
  * Worker Daemon Service
- * Node.js-based background worker system that auto-runs like shell daemons
+ * Node.js-based background worker system that auto-runs like shell daemons.
  *
- * Workers:
- * - map: Codebase mapping (5 min interval)
- * - audit: Security analysis (10 min interval)
+ * Default workers:
+ * - map: Codebase mapping (15 min interval)
  * - optimize: Performance optimization (15 min interval)
  * - consolidate: Memory consolidation (30 min interval)
  * - testgaps: Test coverage analysis (20 min interval)
+ *
+ * Manual-trigger-only workers (disabled by default, no scheduled run):
+ * ultralearn, refactor, deepdive, benchmark, preload.
+ *
+ * The `audit`, `predict`, and `document` workers were removed in #970 —
+ * they were default-disabled with no surfacing layer for findings, and the
+ * dashboard rendered them as "disabled" rows that read as broken. If a
+ * security or doc scan returns it should land as an opt-in `flo doctor`
+ * one-shot with a real findings UI, not as a recurring background worker.
  */
 import { EventEmitter } from 'events';
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
@@ -21,18 +29,32 @@ import { attachSignalHandlers } from '../shared/resilience/signal-handlers.js';
 import { calculateDelay } from '../production/retry.js';
 import { CircuitBreaker } from '../production/circuit-breaker.js';
 import { errorDetail } from '../shared/utils/error-detail.js';
+/**
+ * Runtime allow-list of known {@link WorkerType} values. Used by
+ * `initializeWorkerStates` to silently drop entries from a stale
+ * `daemon-state.json` after a worker is removed from the union (#970).
+ * Keep in sync with the `WorkerType` definition above.
+ */
+const KNOWN_WORKER_TYPES = new Set([
+    'ultralearn',
+    'optimize',
+    'consolidate',
+    'map',
+    'preload',
+    'deepdive',
+    'refactor',
+    'benchmark',
+    'testgaps',
+]);
+function isKnownWorkerType(value) {
+    return typeof value === 'string' && KNOWN_WORKER_TYPES.has(value);
+}
 // Default worker configurations with improved intervals (P0 fix: map 5min -> 15min)
 const DEFAULT_WORKERS = [
     { type: 'map', intervalMs: 15 * 60 * 1000, offsetMs: 0, priority: 'normal', description: 'Codebase mapping', enabled: true },
-    // Default-disabled until the perf regression in #631 is remediated. The
-    // worker averages 238 s/run on real installs, saturating cores back-to-back
-    // when scheduled at the 10-minute interval. Re-enable here when #631 ships.
-    { type: 'audit', intervalMs: 10 * 60 * 1000, offsetMs: 2 * 60 * 1000, priority: 'critical', description: 'Security analysis', enabled: false },
     { type: 'optimize', intervalMs: 15 * 60 * 1000, offsetMs: 4 * 60 * 1000, priority: 'high', description: 'Performance optimization', enabled: true },
     { type: 'consolidate', intervalMs: 30 * 60 * 1000, offsetMs: 6 * 60 * 1000, priority: 'low', description: 'Memory consolidation', enabled: true },
     { type: 'testgaps', intervalMs: 20 * 60 * 1000, offsetMs: 8 * 60 * 1000, priority: 'normal', description: 'Test coverage analysis', enabled: true },
-    { type: 'predict', intervalMs: 10 * 60 * 1000, offsetMs: 0, priority: 'low', description: 'Predictive preloading', enabled: false },
-    { type: 'document', intervalMs: 60 * 60 * 1000, offsetMs: 0, priority: 'low', description: 'Auto-documentation', enabled: false },
 ];
 // Worker timeout (5 minutes max per worker)
 const DEFAULT_WORKER_TIMEOUT_MS = 5 * 60 * 1000;
@@ -326,9 +348,16 @@ export class WorkerDaemon extends EventEmitter {
                 if (typeof saved.config?.workerTimeoutMs === 'number' && saved.config.workerTimeoutMs > 0) {
                     this.config.workerTimeoutMs = saved.config.workerTimeoutMs;
                 }
-                // Restore worker runtime states (runCount, successCount, etc.)
+                // Restore worker runtime states (runCount, successCount, etc.).
+                // Unknown worker types (left over from a prior moflo version where
+                // `audit`/`predict`/`document` existed) are silently dropped — see
+                // KNOWN_WORKER_TYPES + #970 — so consumers upgrading don't crash on
+                // stale state, and the orphan entries don't get re-persisted on the
+                // next saveState.
                 if (saved.workers) {
                     for (const [type, state] of Object.entries(saved.workers)) {
+                        if (!isKnownWorkerType(type))
+                            continue;
                         const savedState = state;
                         const lastRunValue = savedState.lastRun;
                         const restoredState = {
@@ -749,18 +778,12 @@ export class WorkerDaemon extends EventEmitter {
         switch (workerConfig.type) {
             case 'map':
                 return this.runMapWorker();
-            case 'audit':
-                return this.runAuditWorkerLocal();
             case 'optimize':
                 return this.runOptimizeWorkerLocal();
             case 'consolidate':
                 return this.runConsolidateWorker();
             case 'testgaps':
                 return this.runTestGapsWorkerLocal();
-            case 'predict':
-                return this.runPredictWorkerLocal();
-            case 'document':
-                return this.runDocumentWorkerLocal();
             case 'ultralearn':
                 return this.runUltralearnWorkerLocal();
             case 'refactor':
@@ -797,31 +820,6 @@ export class WorkerDaemon extends EventEmitter {
         writeFileSync(metricsFile, JSON.stringify(map, null, 2));
         return map;
     }
-    /**
-     * Local audit worker (fallback when headless unavailable)
-     */
-    async runAuditWorkerLocal() {
-        // Basic security checks
-        const auditFile = join(this.projectRoot, '.moflo', 'metrics', 'security-audit.json');
-        const metricsDir = join(this.projectRoot, '.moflo', 'metrics');
-        if (!existsSync(metricsDir)) {
-            mkdirSync(metricsDir, { recursive: true });
-        }
-        const audit = {
-            timestamp: new Date().toISOString(),
-            mode: 'local',
-            checks: {
-                envFilesProtected: !existsSync(join(this.projectRoot, '.env.local')),
-                gitIgnoreExists: existsSync(join(this.projectRoot, '.gitignore')),
-                noHardcodedSecrets: true, // Would need actual scanning
-            },
-            riskLevel: 'low',
-            recommendations: [],
-            note: 'Install Claude Code CLI for AI-powered security analysis',
-        };
-        writeFileSync(auditFile, JSON.stringify(audit, null, 2));
-        return audit;
-    }
     /**
      * Local optimize worker (fallback when headless unavailable)
      */
@@ -883,30 +881,6 @@ export class WorkerDaemon extends EventEmitter {
         writeFileSync(testGapsFile, JSON.stringify(result, null, 2));
         return result;
     }
-    /**
-     * Local predict worker (fallback when headless unavailable)
-     */
-    async runPredictWorkerLocal() {
-        return {
-            timestamp: new Date().toISOString(),
-            mode: 'local',
-            predictions: [],
-            preloaded: [],
-            note: 'Install Claude Code CLI for AI-powered predictions',
-        };
-    }
-    /**
-     * Local document worker (fallback when headless unavailable)
-     */
-    async runDocumentWorkerLocal() {
-        return {
-            timestamp: new Date().toISOString(),
-            mode: 'local',
-            filesDocumented: 0,
-            suggestedDocs: [],
-            note: 'Install Claude Code CLI for AI-powered documentation generation',
-        };
-    }
     /**
      * Local ultralearn worker (fallback when headless unavailable)
      */

package/dist/src/cli/spells/core/runner.js

@@ -150,6 +150,18 @@ export class SpellCaster {
                     message: err.message,
                 }], definition.name);
         }
+        // Per-spell sandbox requirement (#878) — "more strict wins": the spell
+        // can opt in to sandboxing even when the global config is off, and the
+        // runner refuses to cast if no OS sandbox is active.
+        if (definition.sandbox?.required === true && !effectiveSandbox.useOsSandbox) {
+            return this.failureResult(spellId, startTime, [{
+                    code: 'SANDBOX_REQUIRED',
+                    message: `Spell "${definition.name}" requires an OS sandbox but none is active ` +
+                        `(${effectiveSandbox.displayStatus}). Enable sandboxing by setting ` +
+                        `\`sandbox.enabled: true\` in moflo.yaml (and \`sandbox.tier: auto\` ` +
+                        `or \`full\`), or remove \`sandbox.required: true\` from the spell.`,
+                }], definition.name);
+        }
         return this.executeSteps(definition, resolvedArgs, spellId, options, startTime, effectiveSandbox);
     }
     async dryRun(definition, resolvedArgs, options = {}) {

package/dist/src/cli/spells/scheduler/scheduler.js

@@ -369,15 +369,30 @@ export class SpellScheduler {
                 duration: completedAt - now,
             };
             await this.memory.write(NAMESPACE_EXECUTIONS, executionId, finalRecord);
-            this.emit({
-                type: result.success ? 'schedule:completed' : 'schedule:failed',
-                scheduleId: schedule.id,
-                spellName: schedule.spellName,
-                message: result.success
-                    ? `Completed in ${finalRecord.duration}ms`
-                    : `Failed: ${finalRecord.error}`,
-                timestamp: completedAt,
-            });
+            // SANDBOX_REQUIRED (#878) is a configuration mismatch, not a runtime
+            // failure — surface it as a skip so dashboards/oncall don't page on a
+            // missing sandbox the user can resolve in moflo.yaml.
+            const sandboxRequiredErr = result.errors.find(e => e.code === 'SANDBOX_REQUIRED');
+            if (!result.success && sandboxRequiredErr) {
+                this.emit({
+                    type: 'schedule:skipped',
+                    scheduleId: schedule.id,
+                    spellName: schedule.spellName,
+                    message: sandboxRequiredErr.message,
+                    timestamp: completedAt,
+                });
+            }
+            else {
+                this.emit({
+                    type: result.success ? 'schedule:completed' : 'schedule:failed',
+                    scheduleId: schedule.id,
+                    spellName: schedule.spellName,
+                    message: result.success
+                        ? `Completed in ${finalRecord.duration}ms`
+                        : `Failed: ${finalRecord.error}`,
+                    timestamp: completedAt,
+                });
+            }
         }
         catch (err) {
             const completedAt = Date.now();

package/dist/src/cli/spells/schema/validator.js

@@ -16,7 +16,7 @@
 import { isValidMofloLevel } from '../core/capability-validator.js';
 import { MOFLO_LEVEL_ORDER } from '../types/step-command.types.js';
 import { validateSchedule } from '../scheduler/cron-parser.js';
-import { validateTopLevel, validateArguments, matchesArgumentType } from './validators/top-level.js';
+import { validateTopLevel, validateArguments, matchesArgumentType, validateSandbox } from './validators/top-level.js';
 import { validateSteps } from './validators/steps.js';
 import { validatePrerequisites } from './validators/prerequisites.js';
 import { validateVariableReferences } from './validators/references.js';
@@ -27,6 +27,7 @@ import { detectCircularJumps } from './validators/jumps.js';
 export function validateSpellDefinition(def, options) {
     const errors = [];
     validateTopLevel(def, errors);
+    validateSandbox(def, errors);
     if (def.mofloLevel !== undefined && !isValidMofloLevel(def.mofloLevel)) {
         errors.push({
             path: 'mofloLevel',

package/dist/src/cli/spells/schema/validators/top-level.js

@@ -58,6 +58,24 @@ export function validateArguments(args, errors) {
         }
     }
 }
+/**
+ * Validate the optional `sandbox` block on a spell definition.
+ * Accepts: missing, `{}`, `{ required: boolean }`.
+ * Rejects: non-object value, non-boolean `required`.
+ */
+export function validateSandbox(def, errors) {
+    const sandbox = def.sandbox;
+    if (sandbox === undefined)
+        return;
+    if (sandbox === null || typeof sandbox !== 'object' || Array.isArray(sandbox)) {
+        errors.push({ path: 'sandbox', message: 'sandbox must be an object' });
+        return;
+    }
+    const { required } = sandbox;
+    if (required !== undefined && typeof required !== 'boolean') {
+        errors.push({ path: 'sandbox.required', message: 'sandbox.required must be a boolean' });
+    }
+}
 /** Check whether a value matches a declared ArgumentType. */
 export function matchesArgumentType(value, type) {
     switch (type) {

package/dist/src/cli/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.9.22';
+export const VERSION = '4.9.24';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.9.22",
+  "version": "4.9.24",
   "description": "MoFlo — AI agent orchestration for Claude Code. A standalone, opinionated toolkit with semantic memory, learned routing, gates, spells, and the /flo issue-execution skill.",
   "main": "dist/src/cli/index.js",
   "type": "module",
@@ -29,6 +29,7 @@
     "src/cli/spells/definitions/**/*.yaml",
     "!**/*.test.js",
     "!**/*.spec.js",
+    "!**/*.perf.js",
     "!**/__tests__/**",
     ".claude/commands/**/*.md",
     ".claude/agents/**/*.md",
@@ -54,6 +55,7 @@
     "test:ui": "vitest --ui",
     "test:smoke": "node harness/consumer-smoke/run.mjs",
     "test:smoke:populated": "node harness/consumer-smoke/run-populated.mjs",
+    "bench": "vitest run --config vitest.bench.config.ts",
     "lint": "eslint src/ bin/ .claude/scripts/ --ext .ts,.tsx,.mts,.cts,.js,.mjs,.cjs --max-warnings 0",
     "security:audit": "npm audit --omit=dev --audit-level high",
     "security:fix": "npm audit fix",
@@ -82,7 +84,7 @@
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
     "eslint": "^8.0.0",
-    "moflo": "^4.9.21",
+    "moflo": "^4.9.23",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"