moflo 4.9.26 → 4.9.27

package/bin/session-start-launcher.mjs

@@ -447,6 +447,24 @@ try {
           'upgraded',
           cachedVersion ? `${cachedVersion} → ${installedVersion}` : `installed ${installedVersion}`,
         );
+        // #981 / #987 — one-time architecture notice. Single-writer routing
+        // means daemon must be running for safe multi-process writes. Sentinel
+        // file ensures the notice fires once per consumer (across upgrades),
+        // not on every version bump. `flo doctor` surfaces the runtime warning
+        // when the daemon is disabled with MCP configured.
+        try {
+          const noticeSentinel = join(mofloDir(projectRoot), 'single-writer-notice-shown');
+          if (cachedVersion && !existsSync(noticeSentinel)) {
+            emitMutation(
+              'single-writer write architecture active',
+              'memory writes route through the daemon (#981) — keep daemon.auto_start: true to prevent multi-process clobber',
+            );
+            try {
+              mkdirSync(mofloDir(projectRoot), { recursive: true });
+              writeFileSync(noticeSentinel, new Date().toISOString());
+            } catch { /* sentinel best-effort — re-emit next session if write fails */ }
+          }
+        } catch { /* never block the upgrade flow on the notice */ }
       } else {
         upgradeNoticeContext = {
           kind: 'repair',

package/dist/src/cli/commands/daemon.js

@@ -90,6 +90,16 @@ const startCommand = {
         }
         // Foreground mode: run in current process (blocks terminal)
         try {
+            // #981 — mark this process as the daemon BEFORE any storeEntry /
+            // deleteEntry call runs in this process. The routing preamble in
+            // memory-initializer reads `process.env.MOFLO_IS_DAEMON` per-call (not
+            // at module-load time) and skips routing when set, breaking the loop
+            // that would otherwise recurse: storeEntry → HTTP → daemon RPC →
+            // storeEntry → HTTP. Setting it here covers both direct `flo daemon
+            // start --foreground` and the background spawn (whose daemonEnv
+            // propagates this via process inheritance — see startBackgroundDaemon
+            // below).
+            process.env.MOFLO_IS_DAEMON = '1';
             // Acquire atomic daemon lock (prevents duplicate daemons).
             // Always acquire here — even when spawned as a child (CLAUDE_FLOW_DAEMON=1)
             // because on Windows the parent's child.pid is the shell PID (cmd.exe),
@@ -327,6 +337,8 @@ async function startBackgroundDaemon(projectRoot, quiet, maxCpuLoad, minFreeMemo
     const daemonEnv = {
         ...process.env,
         CLAUDE_FLOW_DAEMON: '1',
+        // #981 — daemon process must skip its own write-routing client.
+        MOFLO_IS_DAEMON: '1',
         // Prevent macOS SIGHUP kill when terminal closes
         ...(process.platform === 'darwin' ? { NOHUP: '1' } : {}),
     };

package/dist/src/cli/commands/doctor-checks-config.js

@@ -131,17 +131,43 @@ export async function checkMemoryDatabase() {
     }
     return { name: 'Memory Database', status: 'warn', message: 'Not initialized', fix: 'claude-flow memory configure --backend hybrid' };
 }
-export async function checkMcpServers() {
-    const mcpConfigPaths = [
+/**
+ * Standard MCP-config search paths: home (Claude Desktop on macOS/Linux),
+ * XDG config dir, project-local `.mcp.json`, and APPDATA on Windows.
+ *
+ * Shared by `checkMcpServers` (which inspects the FIRST config it finds and
+ * reports on flo presence) and `checkDaemonWriteRouting` (which COUNTS
+ * servers across all paths to detect the multi-process-clobber hazard).
+ */
+function mcpConfigSearchPaths(cwd) {
+    return [
         join(os.homedir(), '.claude/claude_desktop_config.json'),
         join(os.homedir(), '.config/claude/mcp.json'),
-        '.mcp.json',
-        // Windows: Claude Desktop stores config under %APPDATA%\Claude\
+        join(cwd, '.mcp.json'),
         ...(process.platform === 'win32' && process.env.APPDATA
             ? [join(process.env.APPDATA, 'Claude', 'claude_desktop_config.json')]
             : []),
     ];
-    for (const configPath of mcpConfigPaths) {
+}
+/** Sum MCP servers across every reachable config. Malformed configs counted as 0. */
+function countMcpServers(cwd) {
+    let total = 0;
+    for (const configPath of mcpConfigSearchPaths(cwd)) {
+        if (!existsSync(configPath))
+            continue;
+        try {
+            const content = JSON.parse(readFileSync(configPath, 'utf8'));
+            const servers = content.mcpServers || content.servers || {};
+            total += Object.keys(servers).length;
+        }
+        catch {
+            // Skip unreadable / malformed config — checkMcpServers reports it.
+        }
+    }
+    return total;
+}
+export async function checkMcpServers() {
+    for (const configPath of mcpConfigSearchPaths(process.cwd())) {
         if (existsSync(configPath)) {
             try {
                 const content = JSON.parse(readFileSync(configPath, 'utf8'));
@@ -202,6 +228,58 @@ export async function checkMofloYamlCompliance(cwd = process.cwd()) {
         fix: 'Restart Claude Code (yaml-upgrader auto-appends) or `npx moflo init --force`',
     };
 }
+/**
+ * #981 / #987 — surfaces the single-writer-architecture safety net.
+ *
+ * When `daemon.auto_start: false` is set in moflo.yaml AND the consumer has
+ * an MCP server configured, every MCP-process write hits sql.js directly
+ * (no daemon-RPC routing). Pre-#981 multi-process clobber + reader-staleness
+ * hazards reappear in that configuration. Warn — never fail — because
+ * disabling the daemon is a legitimate consumer choice and the config
+ * itself isn't broken.
+ *
+ * Pass: daemon enabled (default) → routing protection active.
+ * Pass: daemon disabled but no MCP server detected → no multi-writer hazard.
+ * Warn: daemon disabled AND MCP server detected → hazard window open.
+ */
+export async function checkDaemonWriteRouting(cwd = process.cwd()) {
+    const name = 'Daemon Write Routing';
+    let daemonEnabled = true; // default-on — matches moflo.yaml default
+    try {
+        const { loadMofloConfig } = await import('../config/moflo-config.js');
+        const config = loadMofloConfig(cwd);
+        daemonEnabled = config?.daemon?.auto_start !== false;
+    }
+    catch {
+        // Unreadable config — assume daemon-enabled and let other checks flag
+        // the config error.
+        daemonEnabled = true;
+    }
+    if (daemonEnabled) {
+        return {
+            name,
+            status: 'pass',
+            message: 'Daemon enabled — multi-process writes route through single writer (#981 protection active)',
+        };
+    }
+    // Daemon disabled — count MCP servers across every reachable config.
+    const mcpServerCount = countMcpServers(cwd);
+    if (mcpServerCount === 0) {
+        return {
+            name,
+            status: 'pass',
+            message: 'Daemon disabled and no MCP server configured — no multi-writer hazard',
+        };
+    }
+    return {
+        name,
+        status: 'warn',
+        message: `Daemon disabled (moflo.yaml) and ${mcpServerCount} MCP server(s) configured — ` +
+            `multi-process sql.js writes can clobber each other (#981). ` +
+            `Set daemon.auto_start: true to restore single-writer protection.`,
+        fix: 'Edit moflo.yaml: daemon.auto_start: true',
+    };
+}
 export async function checkTestDirs() {
     const yamlPath = join(process.cwd(), 'moflo.yaml');
     if (!existsSync(yamlPath)) {

package/dist/src/cli/commands/doctor-registry.js

@@ -9,13 +9,19 @@ import { checkEmbeddingHygiene } from './doctor-embedding-hygiene.js';
 import { checkSwarmFunctional, checkHiveMindFunctional, } from './doctor-checks-swarm.js';
 import { checkMemoryAccessFunctional } from './doctor-checks-memory-access.js';
 import { checkBuildTools, checkClaudeCode, checkDiskSpace, checkGit, checkGitRepo, checkNodeVersion, checkNpmVersion, } from './doctor-checks-runtime.js';
-import { checkConfigFile, checkDaemonStatus, checkMcpServers, checkMemoryDatabase, checkMofloYamlCompliance, checkStatusLine, checkTestDirs, } from './doctor-checks-config.js';
+import { checkConfigFile, checkDaemonStatus, checkDaemonWriteRouting, checkMcpServers, checkMemoryDatabase, checkMofloYamlCompliance, checkStatusLine, checkTestDirs, } from './doctor-checks-config.js';
 import { checkSpellEngine, checkSandboxTier } from './doctor-checks-platform.js';
 import { checkEmbeddings, checkSemanticQuality, } from './doctor-checks-memory.js';
 import { checkIntelligence } from './doctor-checks-intelligence.js';
 import { checkVersionFreshness } from './doctor-version.js';
 import { checkZombieProcesses } from './doctor-zombies.js';
-/** Order matters — top entries surface first under the spinner. */
+/** Order matters — top entries surface first under the spinner.
+ * `checkZombieProcesses` is intentionally NOT in this list — it must run AFTER
+ * the parallel batch settles (see `zombieScanCheck` below and #992). Otherwise
+ * doctor's own subprocess probes (e.g. `checkBuildTools` running `npx tsc
+ * --version`) can be flagged as their own zombies on Windows, where the npx
+ * shim exits before its tsc child finishes.
+ */
 export const allChecks = [
     checkVersionFreshness,
     checkNodeVersion,
@@ -27,6 +33,7 @@ export const allChecks = [
     checkMofloYamlCompliance,
     checkStatusLine,
     checkDaemonStatus,
+    checkDaemonWriteRouting,
     checkMemoryDatabase,
     checkEmbeddings,
     checkEmbeddingHygiene,
@@ -37,7 +44,6 @@ export const allChecks = [
     checkSemanticQuality,
     checkIntelligence,
     checkSpellEngine,
-    checkZombieProcesses,
     checkSubagentHealth,
     checkSpellExecution,
     checkMcpToolInvocation,
@@ -56,6 +62,8 @@ export const allChecks = [
     checkMemoryAccessFunctional,
     checkSandboxTier,
 ];
+/** Sequenced check that runs AFTER `allChecks` settles. Issue #992. */
+export const zombieScanCheck = checkZombieProcesses;
 /** Lookup table for `flo doctor -c <name>`. */
 export const componentMap = {
     'version': checkVersionFreshness,
@@ -69,6 +77,8 @@ export const componentMap = {
     'statusline': checkStatusLine,
     'status-line': checkStatusLine,
     'daemon': checkDaemonStatus,
+    'daemon-write-routing': checkDaemonWriteRouting,
+    'write-routing': checkDaemonWriteRouting,
     'memory': checkMemoryDatabase,
     'embeddings': checkEmbeddings,
     'embedding-hygiene': checkEmbeddingHygiene,

package/dist/src/cli/commands/doctor.js

@@ -11,7 +11,7 @@
  * Created with motailz.com
  */
 import { output } from '../output.js';
-import { allChecks, componentMap } from './doctor-registry.js';
+import { allChecks, componentMap, zombieScanCheck } from './doctor-registry.js';
 import { emitJsonOutput, finalize, formatCheck, maybeAutoInstallClaudeCode, renderSummary, runAutoFix, runKillZombiesBanner, } from './doctor-render.js';
 import { checkEmbeddings } from './doctor-checks-memory.js';
 import { checkMofloYamlCompliance } from './doctor-checks-config.js';
@@ -157,6 +157,20 @@ export const doctorCommand = {
             let checkResults;
             try {
                 checkResults = await Promise.allSettled(checksToRun.map(check => check()));
+                // Issue #992: zombie scan must follow the parallel batch, not race it.
+                // Several parallel checks spawn short-lived subprocesses (notably
+                // `checkBuildTools` running `npx tsc --version`); on Windows the npx
+                // shim exits before its tsc child, leaving a transient orphan that
+                // the zombie scan would otherwise flag as a real leak. Skip in
+                // single-component (`-c`) runs since those are targeted diagnostics.
+                if (!component) {
+                    try {
+                        checkResults.push({ status: 'fulfilled', value: await zombieScanCheck() });
+                    }
+                    catch (reason) {
+                        checkResults.push({ status: 'rejected', reason });
+                    }
+                }
             }
             finally {
                 spinner?.stop();

package/dist/src/cli/epic/runner-adapter.js

@@ -10,6 +10,29 @@
 import * as readline from 'node:readline';
 import { loadSpellEngine, } from '../services/engine-loader.js';
 import { createDashboardMemoryAccessor } from '../services/daemon-dashboard.js';
+/**
+ * Wrap a MemoryAccessor with a write-failure counter so the [epic] summary
+ * can warn when spell progress didn't reach disk (#982). Without this, a
+ * persist failure surfaces only as a `[spell] storeProgress(...) failed`
+ * line buried mid-run, easily missed in shell scrollback.
+ */
+function trackPersistFailures(inner) {
+    const tracker = {
+        failedWrites: 0,
+        async read(ns, key) { return inner.read(ns, key); },
+        async write(ns, key, value) {
+            try {
+                await inner.write(ns, key, value);
+            }
+            catch (err) {
+                tracker.failedWrites++;
+                throw err;
+            }
+        },
+        async search(ns, query) { return inner.search(ns, query); },
+    };
+    return tracker;
+}
 /** Cached memory accessor — created once per process. */
 let memoryAccessor = null;
 /** Prompt the user to accept or decline spell permissions. */
@@ -37,7 +60,8 @@ export async function runEpicSpell(yamlContent, options = {}) {
     // are persisted and visible in the dashboard.
     if (!memoryAccessor) {
         try {
-            memoryAccessor = await createDashboardMemoryAccessor();
+            const inner = await createDashboardMemoryAccessor();
+            memoryAccessor = trackPersistFailures(inner);
             console.log('[epic] Memory accessor ready — spell progress will be persisted');
         }
         catch (err) {
@@ -45,8 +69,26 @@ export async function runEpicSpell(yamlContent, options = {}) {
             console.warn('[epic] ⚠ Spell executions will NOT appear in the dashboard');
         }
     }
+    // memoryAccessor is module-cached, so `failedWrites` is cumulative across
+    // every spell run in this process. Capturing the count BEFORE this run
+    // and computing the delta below isolates "this run's failures" from any
+    // prior run's. Spell runs are sequential per process, so no race.
+    const failuresBefore = memoryAccessor?.failedWrites ?? 0;
     const runOpts = { ...options, projectRoot: process.cwd(), ...(memoryAccessor ? { memory: memoryAccessor } : {}) };
-    const result = await engine.runSpellFromContent(yamlContent, undefined, runOpts);
+    // Print the persist-failure summary on every return path. Without this,
+    // a #982-style failure surfaces only as scattered `[spell] storeProgress
+    // failed` lines mid-run that get lost in scrollback. The summary line is
+    // the user's signal that the dashboard / Luminarium will show empty
+    // history despite a successful-looking spell run.
+    const reportPersistFailures = () => {
+        if (!memoryAccessor)
+            return;
+        const failed = memoryAccessor.failedWrites - failuresBefore;
+        if (failed > 0) {
+            console.warn(`[epic] ⚠ Spell progress was not fully persisted (${failed} write${failed === 1 ? '' : 's'} failed) — run history may be missing from the dashboard.`);
+        }
+    };
+    let result = await engine.runSpellFromContent(yamlContent, undefined, runOpts);
     // Auto-accept permissions on first run: the spell runner already printed
     // the full risk analysis to the console. The user initiated the epic
     // command, so we accept on their behalf and retry immediately.
@@ -55,6 +97,7 @@ export async function runEpicSpell(yamlContent, options = {}) {
     if (hasAcceptanceError) {
         const accepted = await promptAcceptPermissions();
         if (!accepted) {
+            reportPersistFailures();
             return result;
         }
         // Use the already-loaded engine module (dynamic import) for spells internals.
@@ -71,8 +114,9 @@ export async function runEpicSpell(yamlContent, options = {}) {
         const report = analyzeSpellPermissions(parsed.definition, stepRegistry);
         await recordAcceptance(projectRoot, parsed.definition.name, report.permissionHash);
         console.log(`[epic] Permissions accepted for "${parsed.definition.name}" — retrying...\n`);
-        return engine.runSpellFromContent(yamlContent, undefined, runOpts);
+        result = await engine.runSpellFromContent(yamlContent, undefined, runOpts);
     }
+    reportPersistFailures();
     return result;
 }
 //# sourceMappingURL=runner-adapter.js.map

package/dist/src/cli/index.js

@@ -16,9 +16,51 @@ import { VERSION } from './version.js';
 export { VERSION };
 const LONG_RUNNING_COMMANDS = ['mcp', 'daemon'];
 /**
- * Flush stdout/stderr, shut down the memory bridge if it was initialized,
+ * Wait for a writable's userspace buffer to drain, then issue an empty write
+ * whose callback fires after libuv has committed the now-front-of-queue write.
+ *
+ * Issue #996: on Windows async pipes, the empty-write trick alone fires before
+ * prior multi-line writes (e.g. `printBox`) have left libuv's buffer, racing
+ * `process.exit` and either dropping content rows or tripping the libuv
+ * `UV_HANDLE_CLOSING` assertion in `src/win/async.c`.
+ *
+ * Two-stage wait: first await `'drain'` if the userspace buffer is full, then
+ * the empty-write callback for the libuv-level commit. A 250 ms unref'd safety
+ * timeout covers broken pipes where `'drain'` never fires.
+ */
+export function drainStream(stream) {
+    return new Promise((resolve) => {
+        if (!stream.writable || stream.destroyed)
+            return resolve();
+        const finalize = () => {
+            try {
+                stream.write('', () => resolve());
+            }
+            catch {
+                resolve();
+            }
+        };
+        if (stream.writableNeedDrain) {
+            const onDrain = () => {
+                clearTimeout(timer);
+                finalize();
+            };
+            stream.once('drain', onDrain);
+            const timer = setTimeout(() => {
+                stream.removeListener('drain', onDrain);
+                resolve();
+            }, 250);
+            timer.unref();
+        }
+        else {
+            finalize();
+        }
+    });
+}
+/**
+ * Drain stdout/stderr, shut down the memory bridge if it was initialized,
  * then `process.exit(code)`. Prevents the libuv `uv_async_send` assertion
- * on Windows when stdout is an async pipe (issue #504).
+ * on Windows when stdout is an async pipe (issues #504, #996).
  */
 async function drainAndExit(code) {
     try {
@@ -28,12 +70,8 @@ async function drainAndExit(code) {
     catch {
         // Bridge may not have been loaded — that's fine
     }
-    const flush = (stream) => new Promise((resolve) => {
-        if (!stream.writable)
-            return resolve();
-        stream.write('', () => resolve());
-    });
-    await Promise.all([flush(process.stdout), flush(process.stderr)]);
+    process.exitCode = code;
+    await Promise.all([drainStream(process.stdout), drainStream(process.stderr)]);
     process.exit(code);
 }
 /**

package/dist/src/cli/mcp-tools/aidefence-moflodb-store.js

@@ -9,8 +9,14 @@
  * adapter is the seam where the bridge is plugged in. Arbitrary values are
  * JSON-serialised into the bridge's `content` field; namespaces are prefixed
  * with `aidefence:` to isolate from general memory entries.
+ *
+ * #981 / #986 — writes funnel through `storeEntry` / `deleteEntry` so the
+ * single-writer daemon-routing preamble (memory-initializer.ts) covers them.
+ * Calling the bridge directly here would bypass the daemon and resurrect
+ * the multi-process clobber.
  */
-import { bridgeStoreEntry, bridgeSearchEntries, bridgeGetEntry, bridgeDeleteEntry, isBridgeAvailable, } from '../memory/memory-bridge.js';
+import { bridgeSearchEntries, bridgeGetEntry, isBridgeAvailable, } from '../memory/memory-bridge.js';
+import { storeEntry, deleteEntry } from '../memory/memory-initializer.js';
 const NS_PREFIX = 'aidefence:';
 function prefixNs(namespace) {
     return `${NS_PREFIX}${namespace}`;
@@ -30,7 +36,7 @@ function safeParse(raw) {
  */
 export class MofloDbAIDefenceStore {
     async store(params) {
-        await bridgeStoreEntry({
+        await storeEntry({
             namespace: prefixNs(params.namespace),
             key: params.key,
             value: JSON.stringify(params.value),
@@ -64,7 +70,7 @@ export class MofloDbAIDefenceStore {
         return safeParse(result.entry.content);
     }
     async delete(namespace, key) {
-        await bridgeDeleteEntry({
+        await deleteEntry({
             namespace: prefixNs(namespace),
             key,
         });

package/dist/src/cli/memory/bridge-core.js

@@ -68,8 +68,15 @@ export const REQUIRED_BRIDGE_CONTROLLERS = Object.freeze([
 export function getBridgeLastError() {
     return lastBridgeError;
 }
-function logBridgeError(context, err) {
-    if (process.env.MOFLO_BRIDGE_QUIET)
+/**
+ * Log a bridge error. By default `MOFLO_BRIDGE_QUIET` suppresses the line
+ * to keep test output clean for read-path noise. Pass `{ alwaysLog: true }`
+ * for write-path errors that mean data did NOT reach disk — those MUST
+ * always log, since the quiet env var is for read-path noise control,
+ * not for masking data loss (#982 / #854 / #962 anti-pattern).
+ */
+export function logBridgeError(context, err, opts) {
+    if (process.env.MOFLO_BRIDGE_QUIET && !opts?.alwaysLog)
         return;
     const msg = errorDetail(err);
     console.error(`[moflo] ${context}: ${msg}`);
@@ -186,6 +193,17 @@ export function execRows(db, sql, params) {
  * Persist the in-memory sql.js DB back to disk. sql.js is purely in-memory —
  * without an explicit export+writeFileSync after each mutation, writes vanish
  * when the process exits, which breaks store→retrieve across CLI commands.
+ *
+ * Throws on failure (#982). Callers that issued a mutation MUST treat a
+ * persist throw as the mutation having failed: the in-memory DB still has
+ * the new row, but it never reached disk and dies with the process.
+ *
+ * Pre-#982 this swallowed silently and logged once to stderr — the
+ * `bridgeStoreEntry` path then returned `{ success: true }` despite the
+ * data being lost, the success-lie pattern that cost #854 and #962 too.
+ *
+ * Use {@link tryPersistBridgeDb} for the rare best-effort caller (cache
+ * invalidation, idempotent maintenance) that genuinely doesn't care.
  */
 export function persistBridgeDb(db, dbPath) {
     // Mirror the read-side resolution so writes land where reads come from.
@@ -200,7 +218,24 @@ export function persistBridgeDb(db, dbPath) {
         atomicWriteFileSync(target, db.export());
     }
     catch (err) {
-        logBridgeError('bridge persist failed', err);
+        logBridgeError('bridge persist failed', err, { alwaysLog: true });
+        throw err;
+    }
+}
+/**
+ * Best-effort variant of {@link persistBridgeDb}. Returns `{ ok: false }`
+ * on failure instead of throwing. Reserve for callers where a missed
+ * persist is genuinely acceptable (e.g. cache invalidation that the next
+ * mutation will redo). Always-log policy still applies — write failures
+ * cannot be silenced.
+ */
+export function tryPersistBridgeDb(db, dbPath) {
+    try {
+        persistBridgeDb(db, dbPath);
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, error: err instanceof Error ? err : new Error(String(err)) };
     }
 }
 // Kept in sync with MEMORY_SCHEMA_V3.memory_entries in memory-initializer.ts.