moltblock 0.11.5 → 0.11.7

package/dist/cli.js

@@ -70,7 +70,22 @@ async function main() {
     });
     await program.parseAsync(process.argv);
 }
+/** Sanitize error messages to strip sensitive data before logging. */
+function sanitizeError(err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return msg
+        .replace(/[A-Za-z0-9_\-]{20,}/g, "[REDACTED]")
+        .replace(/https?:\/\/[^\s]+/g, (url) => {
+        try {
+            const u = new URL(url);
+            return `${u.protocol}//${u.hostname}/...`;
+        }
+        catch {
+            return "[REDACTED_URL]";
+        }
+    });
+}
 main().catch((err) => {
-    console.error(err);
+    console.error(`Error: ${sanitizeError(err)}`);
     process.exit(1);
 });

package/dist/config.js

@@ -67,7 +67,12 @@ export const ModelBindingSchema = z.object({
 function isAllowedConfigPath(filePath) {
     const resolved = path.resolve(filePath);
     const allowed = [path.resolve(process.cwd()), path.resolve(os.homedir()), path.resolve(os.tmpdir())];
-    return allowed.some((dir) => resolved.startsWith(dir + path.sep) || resolved === dir);
+    return allowed.some((dir) => {
+        if (resolved === dir)
+            return true;
+        const rel = path.relative(dir, resolved);
+        return !!rel && !rel.startsWith("..") && !path.isAbsolute(rel);
+    });
 }
 /**
  * Resolve moltblock config file: MOLTBLOCK_CONFIG env, then ./moltblock.json, ./.moltblock/moltblock.json, ~/.moltblock/moltblock.json.

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 /**
  * Moltblock — framework for evolving composite intelligences (Entities).
  */
-export declare const VERSION = "0.11.5";
+export declare const VERSION = "0.11.7";
 export type { ModelBinding, BindingEntry, AgentConfig, MoltblockConfig, ChatMessage, VerifiedMemoryEntry, CheckpointEntry, OutcomeEntry, InboxEntry, StrategySuggestion, ReceivedArtifact, GovernanceConfig, } from "./types.js";
 export { WorkingMemory } from "./memory.js";
 export { signArtifact, verifyArtifact, artifactHash } from "./signing.js";

package/dist/index.js

@@ -1,7 +1,7 @@
 /**
  * Moltblock — framework for evolving composite intelligences (Entities).
  */
-export const VERSION = "0.11.5";
+export const VERSION = "0.11.7";
 // Memory
 export { WorkingMemory } from "./memory.js";
 // Signing

package/dist/signing.js

@@ -42,14 +42,9 @@ function getSecret(entityId) {
             return key;
         }
         catch {
-            // Weak deterministic fallback requires explicit opt-in
-            if (process.env["MOLTBLOCK_INSECURE_DEV_SIGNING"] !== "1") {
-                throw new Error(`No MOLTBLOCK_SIGNING_KEY set and filesystem unavailable. ` +
-                    `Set MOLTBLOCK_SIGNING_KEY for signing, or set MOLTBLOCK_INSECURE_DEV_SIGNING=1 to allow weak dev fallback.`);
-            }
-            console.warn(`Warning: Using weak default signing key for entity "${entityId}". ` +
-                `Set MOLTBLOCK_SIGNING_KEY for secure artifact signing.`);
-            return Buffer.from(`dev-only-insecure-key-${entityId}`, "utf-8");
+            // No weak deterministic fallback — require explicit key material
+            throw new Error(`No MOLTBLOCK_SIGNING_KEY set and filesystem unavailable for dev key generation. ` +
+                `Set MOLTBLOCK_SIGNING_KEY or MOLTBLOCK_SIGNING_KEY_${entityId.toUpperCase()} environment variable.`);
         }
     }
     const keyBytes = Buffer.from(envKey, "utf-8");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moltblock",
-  "version": "0.11.5",
+  "version": "0.11.7",
   "description": "Framework for building evolving composite AI intelligences (Entities)",
   "type": "module",
   "main": "dist/index.js",

package/skill/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: moltblock - Trust Layer for AI Agents
 description: Verification gating for AI-generated artifacts. Policy checks to catch dangerous patterns before execution.
-version: 0.11.5
+version: 0.11.7
 homepage: https://github.com/moltblock/moltblock
 repository: https://github.com/moltblock/moltblock
 metadata:
@@ -10,9 +10,9 @@ metadata:
       anyBins:
         - npx
         - node
-      config:
-        - moltblock.json
-        - ~/.moltblock/moltblock.json
+    optionalConfig:
+      - moltblock.json
+      - ~/.moltblock/moltblock.json
     primaryEnv: OPENAI_API_KEY
     optionalEnv:
       - ANTHROPIC_API_KEY
@@ -21,7 +21,7 @@ metadata:
     homepage: https://github.com/moltblock/moltblock
     install:
       - kind: node
-        package: moltblock@0.11.5
+        package: moltblock@0.11.7
         bins: [moltblock]
 ---
 
@@ -34,9 +34,10 @@ Moltblock provides verification gating for AI-generated artifacts. It runs polic
 **What moltblock does:**
 - Generates artifacts via LLM API calls, then runs policy checks against the output
 - Returns a structured verification result (pass/fail with evidence)
-- Reads its own config files (`moltblock.json`, `~/.moltblock/moltblock.json`) if present
+- Optionally reads config files (`moltblock.json`, `~/.moltblock/moltblock.json`) if present — no config is required
 - API keys are read from environment variables at runtime and sent only to the configured LLM provider endpoint
-- **No code execution occurs** — moltblock only performs policy checks on generated artifacts
+- **When used as a skill (without `--test`):** only policy checks run — no code is generated, written to disk, or executed
+- **The `--test` flag** (developer-only, not exposed to agents via this skill) additionally runs code verification via vitest in an isolated temp directory
 
 ## When to Use
 
@@ -53,7 +54,7 @@ Verify a task before execution.
 ### Usage
 
 ```bash
-npx moltblock@0.11.5 "<task description>" --provider <provider> --json
+npx moltblock@0.11.7 "<task description>" --provider <provider> --json
 ```
 
 ### Parameters
@@ -77,7 +78,7 @@ Moltblock auto-detects the LLM provider from whichever API key is set. If no key
 
 ```bash
 # Verify a task
-npx moltblock@0.11.5 "implement a function that validates email addresses" --json
+npx moltblock@0.11.7 "implement a function that validates email addresses" --json
 ```
 
 ### Output (JSON mode)
@@ -98,13 +99,13 @@ npx moltblock@0.11.5 "implement a function that validates email addresses" --jso
 Use directly with npx (recommended, no install needed):
 
 ```bash
-npx moltblock@0.11.5 "your task" --json
+npx moltblock@0.11.7 "your task" --json
 ```
 
 Or install globally:
 
 ```bash
-npm install -g moltblock@0.11.5
+npm install -g moltblock@0.11.7
 ```
 
 ## Configuration
@@ -135,9 +136,13 @@ See the [full configuration docs](https://github.com/moltblock/moltblock#configu
 
 ## Security
 
-When used as a skill, moltblock performs **policy checks only** — no code is generated, written to disk, or executed. The tool analyzes task descriptions against configurable policy rules and returns a pass/fail verification result.
+**Skill surface (agent-facing):** When invoked via `npx moltblock "<task>" --json`, the tool makes LLM API calls and runs regex-based policy checks against the generated output. No code is written to disk or executed. Task descriptions and generated artifacts are transmitted to the configured LLM provider endpoint.
 
-The CLI additionally supports a `--test` flag for direct user invocation that executes code verification via vitest. This flag is not exposed to agents through this skill and should only be used directly by developers in sandboxed environments. See the [CLI documentation](https://github.com/moltblock/moltblock#security) for details.
+**Developer-only CLI surface:** The CLI supports a `--test <path>` flag that additionally runs code verification via vitest in an isolated temp directory. This flag is **not exposed to agents** through this skill and is documented here only for transparency. It should only be used directly by developers in sandboxed environments.
+
+**npm install behavior:** The package has no `postinstall` scripts. `better-sqlite3` (a dependency) uses `prebuild-install` to download prebuilt native binaries — no compilation occurs unless prebuilds are unavailable. Inspect via `npm pack --dry-run` or review the [source on GitHub](https://github.com/moltblock/moltblock).
+
+**API key scope:** Consider using a limited-scope API key dedicated to verification rather than a key with broader permissions.
 
 ## Disclaimer