monomind 1.11.13 → 1.12.0

Files changed (389) hide show
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -5,7 +5,7 @@
5
5
  * @module v1/cli/commands/benchmark
6
6
  */
7
7
  import { output } from '../output.js';
8
- import { writeFileSync, renameSync, readFileSync, existsSync, mkdirSync } from 'node:fs';
8
+ import { writeFileSync, renameSync, readFileSync, existsSync, mkdirSync, statSync } from 'node:fs';
9
9
  import { join } from 'node:path';
10
10
  import { BenchmarkRunner } from '../benchmarks/benchmark-runner.js';
11
11
  // ============================================================================
@@ -63,9 +63,12 @@ const neuralCommand = {
63
63
  { command: 'monomind benchmark neural -d 768 -n 5000', description: 'Higher dimension, more vectors' },
64
64
  ],
65
65
  action: async (ctx) => {
66
- const iterations = parseInt(ctx.flags.iterations || '100', 10);
67
- const dimension = parseInt(ctx.flags.dimension || '384', 10);
68
- const numVectors = parseInt(ctx.flags.vectors || '1000', 10);
66
+ const iterationsRaw = parseInt(ctx.flags.iterations || '100', 10);
67
+ const iterations = Number.isFinite(iterationsRaw) ? Math.max(1, Math.min(iterationsRaw, 10_000)) : 100;
68
+ const dimensionRaw = parseInt(ctx.flags.dimension || '384', 10);
69
+ const dimension = Number.isFinite(dimensionRaw) ? Math.max(1, Math.min(dimensionRaw, 4096)) : 384;
70
+ const numVectorsRaw = parseInt(ctx.flags.vectors || '1000', 10);
71
+ const numVectors = Number.isFinite(numVectorsRaw) ? Math.max(1, Math.min(numVectorsRaw, 100_000)) : 1000;
69
72
  const outputFormat = ctx.flags.output || 'text';
70
73
  output.writeln();
71
74
  output.writeln(output.bold('Neural Operations Benchmark'));
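Review bot: The new clamps on `iterations`, `dimension` and `numVectors` silently substitute a different value when a flag is out of range or unparsable, so a run requested with `-n 500000` would proceed with 100000 vectors and nothing in this hunk tells the user. Emit a line when the effective value differs from the parsed one, e.g. `if (numVectors !== numVectorsRaw) output.writeln(`vectors clamped to ${numVectors}`);`. The caps also bound each flag separately: at the maxima the product is 4096 × 100,000 ≈ 4.1e8 elements, which may still exhaust memory depending on how the vectors are allocated (that code is outside the hunk), so a cap on `dimension * numVectors` is worth considering. The same parse-and-clamp expression is repeated in the `memoryCommand` action in the next hunk; a small helper such as `clampInt(raw, min, max, fallback)` would keep the bounds in one place.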
@@ -228,7 +231,8 @@ const memoryCommand = {
228
231
  { command: 'monomind benchmark memory', description: 'Run memory benchmarks' },
229
232
  ],
230
233
  action: async (ctx) => {
231
- const iterations = parseInt(ctx.flags.iterations || '100', 10);
234
+ const iterationsRaw = parseInt(ctx.flags.iterations || '100', 10);
235
+ const iterations = Number.isFinite(iterationsRaw) ? Math.max(1, Math.min(iterationsRaw, 10_000)) : 100;
232
236
  const outputFormat = ctx.flags.output || 'text';
233
237
  output.writeln();
234
238
  output.writeln(output.bold('Memory Operations Benchmark'));
@@ -384,7 +388,15 @@ const allCommand = {
384
388
  if (!existsSync(resultsDir)) {
385
389
  mkdirSync(resultsDir, { recursive: true });
386
390
  }
387
- const savePath = saveFile.startsWith('/') ? saveFile : join(resultsDir, saveFile);
391
+ // Path traversal guard: resolve within resultsDir regardless of whether saveFile is absolute
392
+ const { resolve: resolvePath, basename } = await import('node:path');
393
+ const safeName = basename(saveFile);
394
+ const savePath = resolvePath(resultsDir, safeName);
395
+ const resolvedResultsDir = resolvePath(resultsDir);
396
+ if (!savePath.startsWith(resolvedResultsDir + '/') && savePath !== resolvedResultsDir) {
397
+ output.writeln(output.error(`Save path must be within ${resultsDir}`));
398
+ return { success: false, message: 'Invalid save path' };
399
+ }
388
400
  const saveTmp2 = savePath + '.tmp';
389
401
  writeFileSync(saveTmp2, JSON.stringify({
390
402
  timestamp: new Date().toISOString(),
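Review bot: The containment test hard-codes `'/'` as the separator and also accepts `savePath === resolvedResultsDir`, and both are problems for a file target. On Windows `resolvePath` returns backslash-separated paths, so the `startsWith(resolvedResultsDir + '/')` branch never matches and every save is rejected. When `basename(saveFile)` yields `''` or `'.'`, `savePath` equals the directory itself and passes, after which `savePath + '.tmp'` is written next to the results directory rather than inside it. Importing `sep` from `node:path` and using `if (!savePath.startsWith(resolvedResultsDir + sep)) {` covers both cases. The same `'/'` comparison appears in the suite-directory guard in the regressionCommand hunk.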
@@ -416,14 +428,30 @@ const regressionCommand = {
416
428
  { command: 'monomind benchmark regression -b agent-spawn -a output.txt --pin-baseline', description: 'Evaluate and pin results as new baseline' },
417
429
  ],
418
430
  action: async (ctx) => {
419
- const suiteDir = ctx.flags.suite || '.monomind/benchmarks/definitions';
431
+ const suiteDirRaw = ctx.flags.suite || '.monomind/benchmarks/definitions';
420
432
  const benchmarkId = ctx.flags['benchmark-id'];
421
433
  const agentOutputFile = ctx.flags['agent-output'];
422
434
  const pinBaseline = ctx.flags['pin-baseline'] === true;
423
435
  const outputFormat = ctx.flags.output || 'text';
436
+ // Validate benchmarkId to prevent path traversal in baseline file names
437
+ if (benchmarkId !== undefined) {
438
+ if (!/^[a-zA-Z0-9_-]{1,128}$/.test(benchmarkId)) {
439
+ output.writeln(output.error('Invalid benchmark-id: must contain only alphanumeric, dash, or underscore characters (max 128).'));
440
+ return { success: false, message: 'Invalid benchmark-id' };
441
+ }
442
+ }
424
443
  const runner = new BenchmarkRunner();
425
444
  const baselinesDir = join(process.cwd(), '.monomind', 'benchmarks', 'baselines');
426
- const definitions = runner.loadBenchmarks(join(process.cwd(), suiteDir));
445
+ // Path traversal guard for suiteDir
446
+ const { resolve: resolvePath2 } = await import('node:path');
447
+ const projectRoot = resolvePath2(process.cwd());
448
+ const resolvedSuiteDir = resolvePath2(process.cwd(), suiteDirRaw);
449
+ if (!resolvedSuiteDir.startsWith(projectRoot + '/') && resolvedSuiteDir !== projectRoot) {
450
+ output.writeln(output.error(`Suite directory must be within the project: ${projectRoot}`));
451
+ return { success: false, message: 'Invalid suite directory' };
452
+ }
453
+ const suiteDir = suiteDirRaw;
454
+ const definitions = runner.loadBenchmarks(resolvedSuiteDir);
427
455
  if (definitions.length === 0) {
428
456
  output.writeln(output.dim(`No benchmark definitions found in ${suiteDir}`));
429
457
  output.writeln(output.dim('Create JSON files there to define quality benchmarks.'));
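Review bot: The suite-directory guard compares resolved path strings only, so it checks where the name appears to be, not where `runner.loadBenchmarks(resolvedSuiteDir)` actually reads from if a path component is a symbolic link. If the intent is to confine reads to the project tree, canonicalise both sides with `fs.realpathSync` (when the directory exists) before the `startsWith` comparison. Separately, `await import('node:path')` is unnecessary here because `join` is already statically imported from `node:path` at the top of the file. Adding `resolve` to that import removes the need for the `resolvePath2` alias. The action's body continues outside this hunk.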
@@ -446,6 +474,15 @@ const regressionCommand = {
446
474
  output.writeln(output.error(`Agent output file not found: ${agentOutputFile}`));
447
475
  return { success: false, message: 'Agent output file not found' };
448
476
  }
477
+ const MAX_AGENT_OUTPUT_BYTES = 10 * 1024 * 1024; // 10 MB
478
+ try {
479
+ const agentOutputStat = statSync(agentOutputFile);
480
+ if (agentOutputStat.size > MAX_AGENT_OUTPUT_BYTES) {
481
+ output.writeln(output.error(`Agent output file too large: ${agentOutputFile} (max 10 MB)`));
482
+ return { success: false, message: 'Agent output file too large' };
483
+ }
484
+ }
485
+ catch { /* existsSync already passed; ignore stat failure */ }
449
486
  const agentOutput = readFileSync(agentOutputFile, 'utf-8');
450
487
  const targetDefs = benchmarkId
451
488
  ? definitions.filter((d) => d.benchmarkId === benchmarkId)
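Review bot: The size cap on the agent output file fails open, because the empty `catch` after `statSync(agentOutputFile)` lets `readFileSync` run with no limit whenever the stat call throws. The file can also change between the `existsSync` check and the stat, so the comment's assumption does not always hold. Replace the empty catch with one that reports the error and returns `{ success: false, message: 'Agent output file unreadable' }`. The baseline check in the next hunk has the opposite inconsistency: `statSync(baselinePath)` is called with no `try` at all, so unless an enclosing handler exists outside the visible lines, a stat failure there surfaces as an uncaught exception.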
@@ -473,8 +510,14 @@ const regressionCommand = {
473
510
  output.writeln();
474
511
  }
475
512
  // Baseline comparison
513
+ const MAX_BASELINE_BYTES = 5 * 1024 * 1024; // 5 MB
476
514
  const baselinePath = join(baselinesDir, `${benchmarkId ?? 'all'}.json`);
477
515
  if (existsSync(baselinePath)) {
516
+ const baselineStat = statSync(baselinePath);
517
+ if (baselineStat.size > MAX_BASELINE_BYTES) {
518
+ output.writeln(output.error(`Baseline file too large (max 5 MB)`));
519
+ return { success: false, message: 'Baseline file too large' };
520
+ }
478
521
  const baseline = JSON.parse(readFileSync(baselinePath, 'utf-8'));
479
522
  const hasRegression = runner.detectRegression(results, baseline);
480
523
  if (hasRegression) {
@@ -214,13 +214,16 @@ const waitCommand = {
214
214
  const { client, sessionId } = await ensureConnected(_port);
215
215
  const browser = await getBrowser();
216
216
  if (ctx.flags.ms) {
217
- await new Promise((r) => setTimeout(r, ctx.flags.ms));
217
+ const rawMs = ctx.flags.ms;
218
+ const waitMs = Number.isFinite(rawMs) ? Math.max(0, Math.min(rawMs, 60_000)) : 0; // cap at 60s
219
+ await new Promise((r) => setTimeout(r, waitMs));
218
220
  output.printSuccess(`Waited ${ctx.flags.ms}ms`);
219
221
  return { success: true };
220
222
  }
221
223
  if (ctx.flags.fn) {
222
224
  const expr = ctx.flags.fn;
223
- const timeout = ctx.flags.timeout ?? 30000;
225
+ const rawTimeout = ctx.flags.timeout ?? 30000;
226
+ const timeout = Number.isFinite(rawTimeout) ? Math.max(100, Math.min(rawTimeout, 300_000)) : 30000; // cap at 5min
224
227
  const interval = 200;
225
228
  const deadline = Date.now() + timeout;
226
229
  while (Date.now() < deadline) {
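Review bot: `Number.isFinite(rawMs)` is applied to the flag value without coercion, so if the CLI parser delivers `--ms` as a string the test is false and `waitMs` silently becomes 0, whereas the old `setTimeout(r, ctx.flags.ms)` coerced it. How the parser types this flag is not visible here, so this should be confirmed. Using `const rawMs = Number(ctx.flags.ms);`, and likewise `Number(ctx.flags.timeout ?? 30000)` for `rawTimeout`, is safe either way. The success line still prints `ctx.flags.ms`, so it reports the requested value rather than the capped one; `output.printSuccess(`Waited ${waitMs}ms`);` would report what actually happened.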
@@ -35,7 +35,7 @@ function safeParseJson(content) {
35
35
  function loadClaimsConfig() {
36
36
  const configPaths = getClaimsConfigPaths();
37
37
  for (const configPath of configPaths) {
38
- if (fs.existsSync(configPath)) {
38
+ if (fs.existsSync(configPath) && fs.statSync(configPath).size <= 1024 * 1024) {
39
39
  const content = fs.readFileSync(configPath, 'utf-8');
40
40
  return { config: safeParseJson(content), path: configPath };
41
41
  }
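Review bot: Folding the size limit into the `existsSync` condition means an oversized claims file is skipped silently and the loop moves on to the next candidate path, or to whatever default follows outside this hunk. For an authorization policy that is a fail-open outcome, because the effective rules change without any signal to the operator. Keep `if (fs.existsSync(configPath)) {` and add an explicit branch inside it, for example `if (fs.statSync(configPath).size > 1024 * 1024) throw new Error(`Claims config too large: ${configPath}`);`, or at least emit a warning before continuing. The same combined condition is used in checkCommand's config loop in a later hunk, where the fallback is the built-in `defaultClaims`.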
@@ -153,13 +153,19 @@ const checkCommand = {
153
153
  { command: 'monomind claims check -c admin:delete -u user123', description: 'Check user permission' },
154
154
  ],
155
155
  action: async (ctx) => {
156
- const claim = ctx.flags.claim;
157
- const user = ctx.flags.user || 'current';
158
- const resource = ctx.flags.resource;
156
+ const claim = (ctx.flags.claim || '').slice(0, 256);
157
+ const user = (ctx.flags.user || 'current').slice(0, 128);
158
+ const resource = (ctx.flags.resource || '').slice(0, 256);
159
159
  if (!claim) {
160
160
  output.printError('Claim is required');
161
161
  return { success: false, exitCode: 1 };
162
162
  }
163
+ // Block prototype-polluting user or resource keys.
164
+ const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
165
+ if (PROTO_KEYS.has(user)) {
166
+ output.printError(`Forbidden user key: "${user}"`);
167
+ return { success: false, exitCode: 1 };
168
+ }
163
169
  output.writeln();
164
170
  output.writeln(output.bold('Claim Check'));
165
171
  output.writeln(output.dim('─'.repeat(40)));
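Review bot: Truncating `claim`, `user` and `resource` with `.slice()` means an over-long value is evaluated as a different, shorter identifier rather than rejected, which is the wrong failure mode for a permission check. The grantCommand and revokeCommand hunks do the same before writing to the policy file. Rejecting is safer, for example `if (claim.length > 256) { output.printError('Claim too long'); return { success: false, exitCode: 1 }; }`. The comment on the new guard says "user or resource keys", but only `user` is tested against `PROTO_KEYS`, so either add `resource` to the check or correct the comment. `.slice` will also throw if the parser ever supplies a non-string value such as `true` for a flag given without an argument; that depends on parser behaviour not shown here.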
@@ -189,7 +195,7 @@ const checkCommand = {
189
195
  defaultClaims: ['swarm:create', 'swarm:status', 'agent:spawn', 'agent:list', 'memory:read', 'memory:write', 'task:create'],
190
196
  };
191
197
  for (const configPath of claimsConfigPaths) {
192
- if (fs.existsSync(configPath)) {
198
+ if (fs.existsSync(configPath) && fs.statSync(configPath).size <= 1024 * 1024) {
193
199
  const content = fs.readFileSync(configPath, 'utf-8');
194
200
  claimsConfig = { ...claimsConfig, ...safeParseJson(content) };
195
201
  policySource = configPath;
@@ -283,9 +289,9 @@ const grantCommand = {
283
289
  { command: 'monomind claims grant -c agent:spawn -r developer', description: 'Grant to role' },
284
290
  ],
285
291
  action: async (ctx) => {
286
- const claim = ctx.flags.claim;
287
- const user = ctx.flags.user;
288
- const role = ctx.flags.role;
292
+ const claim = (ctx.flags.claim || '').slice(0, 256);
293
+ const user = (ctx.flags.user || '').slice(0, 128);
294
+ const role = (ctx.flags.role || '').slice(0, 64);
289
295
  if (!claim) {
290
296
  output.printError('Claim is required');
291
297
  return { success: false, exitCode: 1 };
@@ -294,6 +300,12 @@ const grantCommand = {
294
300
  output.printError('Either user or role is required');
295
301
  return { success: false, exitCode: 1 };
296
302
  }
303
+ // Block prototype-polluting user or role keys.
304
+ const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
305
+ if ((user && PROTO_KEYS.has(user)) || (role && PROTO_KEYS.has(role))) {
306
+ output.printError('Forbidden user or role key');
307
+ return { success: false, exitCode: 1 };
308
+ }
297
309
  try {
298
310
  const { config, path: configPath } = loadClaimsConfig();
299
311
  if (user) {
@@ -343,9 +355,9 @@ const revokeCommand = {
343
355
  { command: 'monomind claims revoke -c admin:* -r guest', description: 'Revoke from role' },
344
356
  ],
345
357
  action: async (ctx) => {
346
- const claim = ctx.flags.claim;
347
- const user = ctx.flags.user;
348
- const role = ctx.flags.role;
358
+ const claim = (ctx.flags.claim || '').slice(0, 256);
359
+ const user = (ctx.flags.user || '').slice(0, 128);
360
+ const role = (ctx.flags.role || '').slice(0, 64);
349
361
  if (!claim) {
350
362
  output.printError('Claim is required');
351
363
  return { success: false, exitCode: 1 };
@@ -354,6 +366,12 @@ const revokeCommand = {
354
366
  output.printError('Either user or role is required');
355
367
  return { success: false, exitCode: 1 };
356
368
  }
369
+ // Block prototype-polluting user or role keys.
370
+ const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
371
+ if ((user && PROTO_KEYS.has(user)) || (role && PROTO_KEYS.has(role))) {
372
+ output.printError('Forbidden user or role key');
373
+ return { success: false, exitCode: 1 };
374
+ }
357
375
  try {
358
376
  const { config, path: configPath } = loadClaimsConfig();
359
377
  let removed = false;
@@ -5,7 +5,7 @@
5
5
  * github.com/monoes/monomind
6
6
  */
7
7
  import { output } from '../output.js';
8
- import { existsSync, statSync, rmSync, readdirSync } from 'fs';
8
+ import { existsSync, lstatSync, rmSync, readdirSync } from 'fs';
9
9
  import { join } from 'path';
10
10
  /**
11
11
  * Artifact directories and files that monomind/monomind may create
@@ -30,11 +30,27 @@ const KEEP_CONFIG_PATHS = [
30
30
  join('.claude', 'settings.json'),
31
31
  ];
32
32
  /**
33
- * Calculate the total size of a path (file or directory) in bytes
33
+ * Maximum directory recursion depth for size calculation.
34
+ * Prevents stack overflow on deeply-nested or circular-symlink trees.
34
35
  */
35
- function getSize(fullPath) {
36
+ const MAX_SIZE_DEPTH = 20;
37
+ /**
38
+ * Calculate the total size of a path (file or directory) in bytes.
39
+ *
40
+ * Uses lstatSync (not statSync) so that symlinks are never followed:
41
+ * a symlink counts only the size of the link itself, not its target.
42
+ * This prevents a crafted symlink (e.g. .claude -> /) from causing
43
+ * the cleanup command to recursively traverse the entire filesystem.
44
+ */
45
+ function getSize(fullPath, depth = 0) {
46
+ if (depth > MAX_SIZE_DEPTH)
47
+ return 0;
36
48
  try {
37
- const stat = statSync(fullPath);
49
+ const stat = lstatSync(fullPath);
50
+ if (stat.isSymbolicLink()) {
51
+ // Count only the symlink entry itself; never traverse the target.
52
+ return stat.size;
53
+ }
38
54
  if (stat.isFile()) {
39
55
  return stat.size;
40
56
  }
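Review bot: The doc comment on `MAX_SIZE_DEPTH` should say what happens when the cap is hit, since `getSize` returns 0 for anything deeper than 20 levels and the reported total is then silently low. It also credits the cap with protecting against circular symlinks, but the `lstatSync` and `isSymbolicLink()` change already ensures links are never followed, so the cap only affects genuinely deep directory trees. I would add a line such as `* Subtrees below this depth are counted as 0 bytes, so totals are a lower bound.` and drop the circular-symlink wording. The rest of `getSize` continues in the next hunk.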
@@ -42,7 +58,11 @@ function getSize(fullPath) {
42
58
  let total = 0;
43
59
  const entries = readdirSync(fullPath, { withFileTypes: true });
44
60
  for (const entry of entries) {
45
- total += getSize(join(fullPath, entry.name));
61
+ // Skip symlinks at the entry level too — lstatSync below will still
62
+ // catch them, but checking here avoids unnecessary path joins.
63
+ if (!entry.isSymbolicLink()) {
64
+ total += getSize(join(fullPath, entry.name), depth + 1);
65
+ }
46
66
  }
47
67
  return total;
48
68
  }
@@ -69,7 +69,7 @@ const getCommand = {
69
69
  { command: 'monomind config get -k memory.backend', description: 'Get memory backend' }
70
70
  ],
71
71
  action: async (ctx) => {
72
- const key = ctx.flags.key || ctx.args[0];
72
+ const key = (ctx.flags.key || ctx.args[0] || '').slice(0, 256);
73
73
  if (!key) {
74
74
  // Show all config from actual config file (fall back to defaults)
75
75
  const config = configManager.getConfig(ctx.cwd);
@@ -102,6 +102,14 @@ const getCommand = {
102
102
  });
103
103
  return { success: true, data: flatEntries };
104
104
  }
105
+ // Prototype pollution guard — mirrors the same check in setCommand.
106
+ const FORBIDDEN_KEY_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
107
+ for (const seg of key.split('.')) {
108
+ if (FORBIDDEN_KEY_SEGMENTS.has(seg)) {
109
+ output.printError(`Forbidden config key segment: "${seg}"`);
110
+ return { success: false, exitCode: 1 };
111
+ }
112
+ }
105
113
  const value = configManager.get(ctx.cwd, key);
106
114
  if (value === undefined) {
107
115
  output.printError(`Configuration key not found: ${key}`);
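Review bot: `FORBIDDEN_KEY_SEGMENTS` is declared inside the action, and the comment says it mirrors a check in setCommand, so there are two copies that have to be kept in sync by hand. Hoisting the set to module scope with a small helper, for example `const hasForbiddenSegment = (key) => key.split('.').some((seg) => FORBIDDEN_KEY_SEGMENTS.has(seg));`, lets both commands share one definition. The `.slice(0, 256)` applied to `key` in the previous hunk runs before this check and silently shortens the key, so a lookup for an over-long key reports "not found" for a different string than the user typed. Rejecting over-long keys would be clearer.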
@@ -141,8 +149,8 @@ const setCommand = {
141
149
  { command: 'monomind config set -k memory.backend -v agentdb', description: 'Set memory backend' }
142
150
  ],
143
151
  action: async (ctx) => {
144
- const key = ctx.flags.key || ctx.args[0];
145
- const value = ctx.flags.value || ctx.args[1];
152
+ const key = (ctx.flags.key || ctx.args[0] || '').slice(0, 256);
153
+ const value = (ctx.flags.value ?? ctx.args[1] ?? '');
146
154
  if (!key || value === undefined) {
147
155
  output.printError('Both key and value are required');
148
156
  return { success: false, exitCode: 1 };
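Review bot: Defaulting `value` to `''` makes the `value === undefined` test on the next line unreachable, so `config set -k some.key` with no value no longer prints "Both key and value are required" and continues with an empty string. Moving from `||` to `??` is a sound change on its own, since it lets `0` and `false` through, but the final fallback defeats the validation. Dropping it restores the check: `const value = ctx.flags.value ?? ctx.args[1];`. The rest of the action is outside this hunk.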
@@ -203,10 +211,10 @@ const providersCommand = {
203
211
  { name: 'gemini', model: 'gemini-2.0-flash', priority: 4, enabled: false, status: 'Disabled' }
204
212
  ];
205
213
  // Handle mutation flags
206
- const addProvider = ctx.flags.add;
207
- const removeProvider = ctx.flags.remove;
208
- const enableProvider = ctx.flags.enable;
209
- const disableProvider = ctx.flags.disable;
214
+ const addProvider = ctx.flags.add?.slice(0, 64);
215
+ const removeProvider = ctx.flags.remove?.slice(0, 64);
216
+ const enableProvider = ctx.flags.enable?.slice(0, 64);
217
+ const disableProvider = ctx.flags.disable?.slice(0, 64);
210
218
  if (addProvider || removeProvider || enableProvider || disableProvider) {
211
219
  // Read current providers from config
212
220
  let currentProviders = configManager.get(ctx.cwd, 'providers') || [];
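Review bot: `ctx.flags.add?.slice(0, 64)` only guards against `null` and `undefined`, so it throws a TypeError if the parser supplies a boolean or number, as can happen for a flag passed without an argument. The parser's typing is not visible here, so this needs confirming. A type check is safer: `const addProvider = typeof ctx.flags.add === 'string' ? ctx.flags.add.slice(0, 64) : undefined;`, and the same for `remove`, `enable` and `disable`. As with the other length caps in this release, truncating a provider name silently operates on a different name than the one given; an explicit "name too long" error would be easier to diagnose.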
@@ -327,6 +327,10 @@ async function killBackgroundDaemon(projectRoot) {
327
327
  return false;
328
328
  }
329
329
  try {
330
+ if (fs.statSync(pidFile).size > 32) {
331
+ fs.unlinkSync(pidFile);
332
+ return false;
333
+ }
330
334
  const pid = parseInt(fs.readFileSync(pidFile, 'utf-8').trim(), 10);
331
335
  if (isNaN(pid)) {
332
336
  fs.unlinkSync(pidFile);
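Review bot: The 32-byte cap limits how much is read, but the value is still validated only with `isNaN(pid)` after `parseInt`, which accepts a leading sign and trailing junk. Zero, negative numbers and strings like `12abc` therefore pass. The PID is used further down, outside this hunk, presumably to signal a process, and zero or negative values have special meaning to the OS, so the file content should be required to be a plain positive integer. For example, read into `const text = fs.readFileSync(pidFile, 'utf-8').trim();` and reject unless `/^[1-9]\d*$/.test(text)`. The same parse is used in `getBackgroundDaemonPid` in the next hunk.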
@@ -376,6 +380,8 @@ function getBackgroundDaemonPid(projectRoot) {
376
380
  return null;
377
381
  }
378
382
  try {
383
+ if (fs.statSync(pidFile).size > 32)
384
+ return null;
379
385
  const pid = parseInt(fs.readFileSync(pidFile, 'utf-8').trim(), 10);
380
386
  return isNaN(pid) ? null : pid;
381
387
  }
@@ -19,11 +19,23 @@ function getStatePath(cwd) {
19
19
  function emptyState() {
20
20
  return { environments: {}, history: [], activeDeployment: undefined };
21
21
  }
22
+ const MAX_DEPLOYMENT_STATE_BYTES = 10 * 1024 * 1024; // 10 MB
23
+ // Input length caps to prevent DoS via unbounded strings stored to disk
24
+ const MAX_ENV_NAME_LEN = 128;
25
+ const MAX_VERSION_LEN = 64;
26
+ const MAX_DESCRIPTION_LEN = 1024;
27
+ const MAX_URL_LEN = 2048;
28
+ const MAX_ENV_TYPE_LEN = 64;
29
+ const MAX_HISTORY_LIMIT = 1000;
30
+ const MAX_LOGS_LIMIT = 1000;
22
31
  function loadDeploymentState(cwd) {
23
32
  const filePath = getStatePath(cwd);
24
33
  if (!fs.existsSync(filePath)) {
25
34
  return emptyState();
26
35
  }
36
+ if (fs.statSync(filePath).size > MAX_DEPLOYMENT_STATE_BYTES) {
37
+ return emptyState();
38
+ }
27
39
  try {
28
40
  const raw = fs.readFileSync(filePath, 'utf-8');
29
41
  const parsed = JSON.parse(raw);
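Review bot: The new `fs.statSync(filePath)` call sits before the `try`, so a stat failure (file removed after `existsSync`, or a permission error) now throws out of `loadDeploymentState` instead of reaching whatever recovery the existing `try` provides. Moving the size check inside the `try` keeps the failure behaviour uniform. Returning `emptyState()` for an oversized file is also silent, and if a caller then saves state (that code is not shown here) the existing history would be replaced with an empty one; a warning or a distinct error would be safer. `readProjectVersion` in the following hunk has the same stat-outside-try placement.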
@@ -66,6 +78,9 @@ function readProjectVersion(cwd) {
66
78
  if (!fs.existsSync(pkgPath)) {
67
79
  return null;
68
80
  }
81
+ if (fs.statSync(pkgPath).size > 1024 * 1024) {
82
+ return null;
83
+ }
69
84
  try {
70
85
  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
71
86
  return pkg.version ?? null;
@@ -92,10 +107,10 @@ const deployCommand = {
92
107
  ],
93
108
  action: async (ctx) => {
94
109
  try {
95
- const envName = String(ctx.flags['env'] || 'staging');
110
+ const envName = String(ctx.flags['env'] || 'staging').slice(0, MAX_ENV_NAME_LEN);
96
111
  const dryRun = Boolean(ctx.flags['dry-run']);
97
- const description = ctx.flags['description'] ? String(ctx.flags['description']) : undefined;
98
- let version = ctx.flags['version'] ? String(ctx.flags['version']) : null;
112
+ const description = ctx.flags['description'] ? String(ctx.flags['description']).slice(0, MAX_DESCRIPTION_LEN) : undefined;
113
+ let version = ctx.flags['version'] ? String(ctx.flags['version']).slice(0, MAX_VERSION_LEN) : null;
99
114
  if (!version) {
100
115
  version = readProjectVersion(ctx.cwd) || '0.0.0';
101
116
  }
@@ -181,7 +196,7 @@ const statusCommand = {
181
196
  action: async (ctx) => {
182
197
  try {
183
198
  const state = loadDeploymentState(ctx.cwd);
184
- const filterEnv = ctx.flags['env'] ? String(ctx.flags['env']) : null;
199
+ const filterEnv = ctx.flags['env'] ? String(ctx.flags['env']).slice(0, MAX_ENV_NAME_LEN) : null;
185
200
  output.writeln();
186
201
  output.writeln(output.bold('Deployment Status'));
187
202
  output.writeln();
@@ -277,13 +292,13 @@ const rollbackCommand = {
277
292
  ],
278
293
  action: async (ctx) => {
279
294
  try {
280
- const envName = String(ctx.flags['env'] || '');
295
+ const envName = String(ctx.flags['env'] || '').slice(0, MAX_ENV_NAME_LEN);
281
296
  if (!envName) {
282
297
  output.printError('Environment is required', 'Use --env or -e to specify');
283
298
  return { success: false, exitCode: 1 };
284
299
  }
285
- const targetVersion = ctx.flags['version'] ? String(ctx.flags['version']) : null;
286
- const steps = parseInt(ctx.flags.steps || '1', 10);
300
+ const targetVersion = ctx.flags['version'] ? String(ctx.flags['version']).slice(0, MAX_VERSION_LEN) : null;
301
+ const steps = Math.min(Math.max(parseInt(ctx.flags.steps || '1', 10), 1), 100);
287
302
  if (steps > 1) {
288
303
  output.printWarning(`Multi-step rollback (--steps ${steps}) is not yet implemented. Rolling back 1 step only.`);
289
304
  }
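Review bot: The clamp on `steps` does not handle a non-numeric flag: `parseInt('abc', 10)` is `NaN`, and both `Math.max(NaN, 1)` and `Math.min(NaN, 100)` return `NaN`, so `steps` ends up `NaN` rather than 1. The benchmark commands in this same release guard against this with `Number.isFinite`, and the same pattern fits here: `const stepsRaw = parseInt(ctx.flags.steps || '1', 10);` followed by `const steps = Number.isFinite(stepsRaw) ? Math.min(Math.max(stepsRaw, 1), 100) : 1;`. The `steps > 1` warning currently masks the problem because the comparison is false for `NaN`.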
@@ -370,8 +385,8 @@ const historyCommand = {
370
385
  action: async (ctx) => {
371
386
  try {
372
387
  const state = loadDeploymentState(ctx.cwd);
373
- const filterEnv = ctx.flags['env'] ? String(ctx.flags['env']) : null;
374
- const limit = Number(ctx.flags['limit']) || 10;
388
+ const filterEnv = ctx.flags['env'] ? String(ctx.flags['env']).slice(0, MAX_ENV_NAME_LEN) : null;
389
+ const limit = Math.min(Math.max(Number(ctx.flags['limit']) || 10, 1), MAX_HISTORY_LIMIT);
375
390
  let records = [...state.history].reverse();
376
391
  if (filterEnv) {
377
392
  records = records.filter(r => r.environment === filterEnv);
@@ -455,7 +470,7 @@ const environmentsCommand = {
455
470
  return { success: true };
456
471
  }
457
472
  if (action === 'add') {
458
- const name = ctx.flags['name'] ? String(ctx.flags['name']) : null;
473
+ const name = ctx.flags['name'] ? String(ctx.flags['name']).slice(0, MAX_ENV_NAME_LEN) : null;
459
474
  if (!name) {
460
475
  output.printError('Environment name is required', 'Use --name or -n to specify');
461
476
  return { success: false, exitCode: 1 };
@@ -464,8 +479,8 @@ const environmentsCommand = {
464
479
  output.printWarning(`Environment '${name}' already exists`);
465
480
  return { success: false, exitCode: 1 };
466
481
  }
467
- const envType = String(ctx.flags['type'] || 'local');
468
- const url = ctx.flags['url'] ? String(ctx.flags['url']) : undefined;
482
+ const envType = String(ctx.flags['type'] || 'local').slice(0, MAX_ENV_TYPE_LEN);
483
+ const url = ctx.flags['url'] ? String(ctx.flags['url']).slice(0, MAX_URL_LEN) : undefined;
469
484
  state.environments[name] = {
470
485
  name,
471
486
  type: envType,
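Review bot: `name` is length-capped in the previous hunk but is then used directly as a property key in `state.environments[name] = {`, with no check for `__proto__`, `constructor` or `prototype`. The claims and config commands received exactly that guard in this release. The "already exists" test is outside the visible lines; if it is a plain truthiness lookup it will reject these names only by accident and with a misleading message. An explicit check before the assignment, plus `Object.hasOwn(state.environments, name)` for the existence test, would make the behaviour deliberate. The same applies to the `remove` branch in the next hunk.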
@@ -481,7 +496,7 @@ const environmentsCommand = {
481
496
  return { success: true };
482
497
  }
483
498
  if (action === 'remove') {
484
- const name = ctx.flags['name'] ? String(ctx.flags['name']) : null;
499
+ const name = ctx.flags['name'] ? String(ctx.flags['name']).slice(0, MAX_ENV_NAME_LEN) : null;
485
500
  if (!name) {
486
501
  output.printError('Environment name is required', 'Use --name or -n to specify');
487
502
  return { success: false, exitCode: 1 };
@@ -524,9 +539,9 @@ const logsCommand = {
524
539
  action: async (ctx) => {
525
540
  try {
526
541
  const state = loadDeploymentState(ctx.cwd);
527
- const filterEnv = ctx.flags['env'] ? String(ctx.flags['env']) : null;
528
- const deploymentId = ctx.flags['deployment'] ? String(ctx.flags['deployment']) : null;
529
- const limit = Number(ctx.flags['lines']) || 50;
542
+ const filterEnv = ctx.flags['env'] ? String(ctx.flags['env']).slice(0, MAX_ENV_NAME_LEN) : null;
543
+ const deploymentId = ctx.flags['deployment'] ? String(ctx.flags['deployment']).slice(0, 64) : null;
544
+ const limit = Math.min(Math.max(Number(ctx.flags['lines']) || 50, 1), MAX_LOGS_LIMIT);
530
545
  output.writeln();
531
546
  output.writeln(output.bold('Deployment Logs'));
532
547
  output.writeln();
@@ -588,9 +603,9 @@ const releaseCommand = {
588
603
  ],
589
604
  action: async (ctx) => {
590
605
  try {
591
- const envName = String(ctx.flags['env'] || 'production');
592
- const description = ctx.flags['description'] ? String(ctx.flags['description']) : undefined;
593
- let version = ctx.flags['version'] ? String(ctx.flags['version']) : null;
606
+ const envName = String(ctx.flags['env'] || 'production').slice(0, MAX_ENV_NAME_LEN);
607
+ const description = ctx.flags['description'] ? String(ctx.flags['description']).slice(0, MAX_DESCRIPTION_LEN) : undefined;
608
+ let version = ctx.flags['version'] ? String(ctx.flags['version']).slice(0, MAX_VERSION_LEN) : null;
594
609
  if (!version) {
595
610
  const pkgVersion = readProjectVersion(ctx.cwd);
596
611
  if (!pkgVersion) {