monomind 1.11.13 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (389) hide show
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -7,6 +7,11 @@
7
7
  import { output } from '../output.js';
8
8
  import { existsSync, readFileSync, statSync } from 'fs';
9
9
  import { join, dirname } from 'path';
10
+ const MAX_DOCTOR_PKG_BYTES = 1024 * 1024; // 1 MB — package.json / settings.json
11
+ const MAX_DOCTOR_CONFIG_BYTES = 10 * 1024 * 1024; // 10 MB — monomind.config.json / MCP configs
12
+ const MAX_DOCTOR_GITIGNORE_BYTES = 512 * 1024; // 512 KB — .gitignore
13
+ const MAX_DOCTOR_PID_BYTES = 64; // 64 bytes — daemon PID file
14
+ const MAX_DOCTOR_HELPER_BYTES = 2 * 1024 * 1024; // 2 MB — hook helper .cjs bundles
10
15
  import { fileURLToPath } from 'url';
11
16
  import { execSync, exec } from 'child_process';
12
17
  import { homedir } from 'os';
@@ -67,7 +72,7 @@ async function checkConfigFile() {
67
72
  '.monomind.json'
68
73
  ];
69
74
  for (const configPath of jsonPaths) {
70
- if (existsSync(configPath)) {
75
+ if (existsSync(configPath) && statSync(configPath).size <= MAX_DOCTOR_CONFIG_BYTES) {
71
76
  try {
72
77
  const content = readFileSync(configPath, 'utf8');
73
78
  JSON.parse(content);
@@ -95,7 +100,7 @@ async function checkConfigFile() {
95
100
  async function checkDaemonStatus() {
96
101
  try {
97
102
  const pidFile = '.monomind/daemon.pid';
98
- if (existsSync(pidFile)) {
103
+ if (existsSync(pidFile) && statSync(pidFile).size <= MAX_DOCTOR_PID_BYTES) {
99
104
  const pid = readFileSync(pidFile, 'utf8').trim();
100
105
  try {
101
106
  process.kill(parseInt(pid, 10), 0); // Check if process exists
@@ -184,7 +189,7 @@ async function checkMcpServers() {
184
189
  '.mcp.json'
185
190
  ];
186
191
  for (const configPath of mcpConfigPaths) {
187
- if (existsSync(configPath)) {
192
+ if (existsSync(configPath) && statSync(configPath).size <= MAX_DOCTOR_CONFIG_BYTES) {
188
193
  try {
189
194
  const content = JSON.parse(readFileSync(configPath, 'utf8'));
190
195
  const servers = content.mcpServers || content.servers || {};
@@ -202,7 +207,7 @@ async function checkMcpServers() {
202
207
  }
203
208
  }
204
209
  }
205
- return { name: 'MCP Servers', status: 'warn', message: 'No MCP config found', fix: 'claude mcp add monomind npx @monomind/cli@v1alpha mcp start' };
210
+ return { name: 'MCP Servers', status: 'warn', message: 'No MCP config found', fix: 'claude mcp add monomind -- npx -y monomind@latest mcp start' };
206
211
  }
207
212
  // Check disk space (async with proper env inheritance)
208
213
  async function checkDiskSpace() {
@@ -260,11 +265,11 @@ async function checkVersionFreshness() {
260
265
  for (;;) {
261
266
  const candidate = join(dir, 'package.json');
262
267
  try {
263
- if (existsSync(candidate)) {
268
+ if (existsSync(candidate) && statSync(candidate).size <= MAX_DOCTOR_PKG_BYTES) {
264
269
  const pkg = JSON.parse(readFileSync(candidate, 'utf8'));
265
270
  if (pkg.version &&
266
271
  typeof pkg.name === 'string' &&
267
- (pkg.name === '@monomind/cli' || pkg.name === 'monomind')) {
272
+ (pkg.name === '@monomind/cli' || pkg.name === 'monomind' || pkg.name === '@monoes/monomindcli')) {
268
273
  currentVersion = pkg.version;
269
274
  break;
270
275
  }
@@ -287,10 +292,10 @@ async function checkVersionFreshness() {
287
292
  const isNpx = process.argv[1]?.includes('_npx') ||
288
293
  process.env.npm_execpath?.includes('npx') ||
289
294
  process.cwd().includes('_npx');
290
- // Query npm for latest version (using alpha tag since that's what we publish to)
295
+ // Query npm for latest version of the published umbrella package
291
296
  let latestVersion = currentVersion;
292
297
  try {
293
- const npmInfo = await runCommand('npm view @monomind/cli@alpha version', 5000);
298
+ const npmInfo = await runCommand('npm view monomind version', 5000);
294
299
  latestVersion = npmInfo.trim();
295
300
  }
296
301
  catch {
@@ -322,8 +327,8 @@ async function checkVersionFreshness() {
322
327
  (latest.major === current.major && latest.minor === current.minor && latest.patch === current.patch && latest.prerelease > current.prerelease));
323
328
  if (isOutdated) {
324
329
  const fix = isNpx
325
- ? 'rm -rf ~/.npm/_npx/* && npx -y @monomind/cli@latest'
326
- : 'npm update @monomind/cli';
330
+ ? 'rm -rf ~/.npm/_npx/* && npx -y monomind@latest doctor'
331
+ : 'npm update -g monomind';
327
332
  return {
328
333
  name: 'Version Freshness',
329
334
  status: 'warn',
@@ -387,18 +392,39 @@ async function installClaudeCode() {
387
392
  async function checkMonograph() {
388
393
  try {
389
394
  const __filename = fileURLToPath(import.meta.url);
395
+ const _base = dirname(__filename);
396
+ let _globalRoot = '';
397
+ try {
398
+ _globalRoot = execSync('npm root -g', { encoding: 'utf8', timeout: 3000 }).trim();
399
+ }
400
+ catch { /* no npm */ }
390
401
  const candidates = [
391
- join(dirname(__filename), '..', '..', 'node_modules', '@monomind', 'monograph', 'package.json'),
392
- join(dirname(__filename), '..', '..', '..', '..', 'node_modules', '@monomind', 'monograph', 'package.json'),
402
+ // local dev monorepo paths (both old @monomind and published @monoes scope)
403
+ join(_base, '..', '..', 'node_modules', '@monomind', 'monograph', 'package.json'),
404
+ join(_base, '..', '..', '..', '..', 'node_modules', '@monomind', 'monograph', 'package.json'),
405
+ join(_base, '..', '..', 'node_modules', '@monoes', 'monograph', 'package.json'),
406
+ join(_base, '..', '..', '..', '..', 'node_modules', '@monoes', 'monograph', 'package.json'),
407
+ // global install paths
408
+ ...(_globalRoot ? [
409
+ join(_globalRoot, '@monomind', 'monograph', 'package.json'),
410
+ join(_globalRoot, '@monoes', 'monograph', 'package.json'),
411
+ ] : []),
393
412
  ];
394
- if (candidates.some(p => existsSync(p))) {
395
- return { name: 'Monograph', status: 'pass', message: 'available (knowledge graph engine)' };
413
+ const found = candidates.find(p => existsSync(p) && statSync(p).size <= MAX_DOCTOR_PKG_BYTES);
414
+ if (found) {
415
+ try {
416
+ const pkg = JSON.parse(readFileSync(found, 'utf-8'));
417
+ return { name: 'Monograph', status: 'pass', message: `v${pkg.version || '?'} available (knowledge graph engine)` };
418
+ }
419
+ catch {
420
+ return { name: 'Monograph', status: 'pass', message: 'available (knowledge graph engine)' };
421
+ }
396
422
  }
397
423
  return {
398
424
  name: 'Monograph',
399
425
  status: 'warn',
400
426
  message: 'Package not found (knowledge graph disabled)',
401
- fix: 'npm install in project root'
427
+ fix: 'npm install -g monomind@latest # reinstall to get @monoes/monograph'
402
428
  };
403
429
  }
404
430
  catch {
@@ -406,9 +432,45 @@ async function checkMonograph() {
406
432
  name: 'Monograph',
407
433
  status: 'warn',
408
434
  message: 'Package check failed (knowledge graph may be unavailable)',
409
- fix: 'npm install in project root'
435
+ fix: 'npm install -g monomind@latest'
436
+ };
437
+ }
438
+ }
439
+ // Check @monoes/memory (optional HNSW vector search package)
440
+ async function checkMonoesMemory() {
441
+ try {
442
+ const __filename = fileURLToPath(import.meta.url);
443
+ const _base = dirname(__filename);
444
+ let _globalRoot = '';
445
+ try {
446
+ _globalRoot = execSync('npm root -g', { encoding: 'utf8', timeout: 3000 }).trim();
447
+ }
448
+ catch { /* no npm */ }
449
+ const candidates = [
450
+ join(_base, '..', '..', 'node_modules', '@monoes', 'memory', 'package.json'),
451
+ join(_base, '..', '..', '..', '..', 'node_modules', '@monoes', 'memory', 'package.json'),
452
+ ...(_globalRoot ? [join(_globalRoot, '@monoes', 'memory', 'package.json')] : []),
453
+ ];
454
+ const found = candidates.find(p => existsSync(p) && statSync(p).size <= MAX_DOCTOR_PKG_BYTES);
455
+ if (found) {
456
+ try {
457
+ const pkg = JSON.parse(readFileSync(found, 'utf-8'));
458
+ return { name: 'Vector Memory', status: 'pass', message: `@monoes/memory v${pkg.version || '?'} (HNSW search enabled)` };
459
+ }
460
+ catch {
461
+ return { name: 'Vector Memory', status: 'pass', message: '@monoes/memory available (HNSW search enabled)' };
462
+ }
463
+ }
464
+ return {
465
+ name: 'Vector Memory',
466
+ status: 'warn',
467
+ message: '@monoes/memory not installed (vector search disabled — using fallback)',
468
+ fix: 'npm install @monoes/memory'
410
469
  };
411
470
  }
471
+ catch {
472
+ return { name: 'Vector Memory', status: 'warn', message: 'Vector memory check failed' };
473
+ }
412
474
  }
413
475
  // Check agentic-flow v1 integration (filesystem-based to avoid slow WASM/DB init)
414
476
  // Resolve the path to the bundled (npm-installed) copy of a helper file.
@@ -420,10 +482,10 @@ function _resolveBundledHelper(relativePath) {
420
482
  let dir = dirname(thisFile);
421
483
  for (;;) {
422
484
  const candidate = join(dir, 'package.json');
423
- if (existsSync(candidate)) {
485
+ if (existsSync(candidate) && statSync(candidate).size <= MAX_DOCTOR_PKG_BYTES) {
424
486
  try {
425
487
  const pkg = JSON.parse(readFileSync(candidate, 'utf8'));
426
- if (pkg.name === '@monomind/cli' || pkg.name === 'monomind') {
488
+ if (pkg.name === '@monomind/cli' || pkg.name === 'monomind' || pkg.name === '@monoes/monomindcli') {
427
489
  const helperPath = join(dir, relativePath);
428
490
  return existsSync(helperPath) ? helperPath : null;
429
491
  }
@@ -451,11 +513,15 @@ async function _detectStaleHelpers() {
451
513
  const local = join(process.cwd(), '.claude', 'helpers', name);
452
514
  if (!existsSync(local))
453
515
  continue;
516
+ if (statSync(local).size > MAX_DOCTOR_HELPER_BYTES)
517
+ continue; // skip oversized helper
454
518
  const bundled = _resolveBundledHelper(join('.claude', 'helpers', name));
455
519
  if (!bundled) {
456
520
  missing.push(name);
457
521
  continue;
458
522
  }
523
+ if (statSync(bundled).size > MAX_DOCTOR_HELPER_BYTES)
524
+ continue; // skip oversized bundled
459
525
  try {
460
526
  const hashLocal = crypto.createHash('sha256').update(readFileSync(local)).digest('hex');
461
527
  const hashBundled = crypto.createHash('sha256').update(readFileSync(bundled)).digest('hex');
@@ -513,6 +579,9 @@ async function checkAgenticFlow() {
513
579
  fix: 'npm install agentic-flow@latest'
514
580
  };
515
581
  }
582
+ if (statSync(pkgJsonPath).size > MAX_DOCTOR_PKG_BYTES) {
583
+ return { name: 'agentic-flow', status: 'warn', message: 'package.json too large to parse' };
584
+ }
516
585
  const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
517
586
  const version = pkg.version || 'unknown';
518
587
  const exports = pkg.exports || {};
@@ -524,7 +593,7 @@ async function checkAgenticFlow() {
524
593
  return {
525
594
  name: 'agentic-flow',
526
595
  status: 'pass',
527
- message: `v${version} (${features.join(', ')})`
596
+ message: `v${version}${features.length ? ' (' + features.join(', ') + ')' : ' (installed)'}`
528
597
  };
529
598
  }
530
599
  catch {
@@ -579,6 +648,61 @@ async function checkMonoesIntegration() {
579
648
  };
580
649
  }
581
650
  }
651
+ // Patterns that must be covered by .gitignore to prevent leaking session data / machine paths.
652
+ // Uses the surgical approach: ignore specific sensitive subdirs and file globs inside .monomind/
653
+ // rather than the entire directory, so safe content (orgs/, test-fixtures/) can still be tracked.
654
+ const REQUIRED_GITIGNORE_PATTERNS = [
655
+ { pattern: '.monomind/sessions/', reason: 'session files contain cwd and machine paths' },
656
+ { pattern: '.monomind/data/', reason: 'intelligence data with edit file paths' },
657
+ { pattern: '.monomind/metrics/', reason: 'metrics with file path references' },
658
+ { pattern: '.monomind/knowledge/', reason: 'knowledge chunks with local file content' },
659
+ { pattern: '.monomind/*.json', reason: 'root-level runtime JSON (control, registry, routing)' },
660
+ { pattern: '.monomind/*.jsonl', reason: 'root-level event logs (decisions, routing-feedback)' },
661
+ { pattern: '**/.monomind/sessions/', reason: 'nested session files in sub-packages' },
662
+ { pattern: '**/.monomind/*.json', reason: 'nested runtime JSON in sub-packages' },
663
+ { pattern: 'data/sessions/', reason: 'session files with machine paths' },
664
+ { pattern: 'data/mastermind-*.json', reason: 'mastermind session data' },
665
+ { pattern: 'data/mastermind-*.jsonl', reason: 'mastermind event logs' },
666
+ { pattern: '**/.claude-flow/', reason: 'claude-flow runtime data with paths' },
667
+ { pattern: '.hive-mind/', reason: 'hive-mind state with session info' },
668
+ { pattern: '.swarm/', reason: 'swarm state files' },
669
+ ];
670
+ // Check whether a gitignore file covers all required monomind runtime patterns
671
+ async function checkGitignoreCoverage() {
672
+ const gitignorePath = join(process.cwd(), '.gitignore');
673
+ if (!existsSync(gitignorePath)) {
674
+ return {
675
+ name: 'Gitignore Coverage',
676
+ status: 'warn',
677
+ message: 'No .gitignore found — all monomind runtime paths are unprotected',
678
+ fix: 'echo ".monomind/\\n**/.monomind/" >> .gitignore',
679
+ };
680
+ }
681
+ if (statSync(gitignorePath).size > MAX_DOCTOR_GITIGNORE_BYTES) {
682
+ return { name: 'Gitignore Coverage', status: 'warn', message: '.gitignore too large to parse' };
683
+ }
684
+ const content = readFileSync(gitignorePath, 'utf-8');
685
+ const lines = content.split('\n').map(l => l.trim()).filter(l => l && !l.startsWith('#'));
686
+ const missing = REQUIRED_GITIGNORE_PATTERNS.filter(({ pattern }) => {
687
+ // A pattern is "covered" if the gitignore contains it exactly, or a parent glob covers it
688
+ const base = pattern.replace(/\*\*\//g, '').replace(/\*/g, '');
689
+ return !lines.some(l => l === pattern ||
690
+ l === pattern.replace(/\/$/, '') ||
691
+ // e.g. "**/.monomind/" covers ".monomind/"
692
+ (l.includes('**') && base && l.replace(/\*\*\//g, '').replace(/\*/g, '') === base));
693
+ });
694
+ if (missing.length === 0) {
695
+ return { name: 'Gitignore Coverage', status: 'pass', message: 'All monomind runtime paths are gitignored' };
696
+ }
697
+ const missingList = missing.map(m => m.pattern).join(', ');
698
+ const fixLines = missing.map(m => m.pattern).join('\\n');
699
+ return {
700
+ name: 'Gitignore Coverage',
701
+ status: 'warn',
702
+ message: `${missing.length} runtime path(s) not in .gitignore: ${missingList}`,
703
+ fix: `printf "${fixLines}\\n" >> .gitignore`,
704
+ };
705
+ }
582
706
  async function checkGuidanceGates() {
583
707
  const settingsPath = join(process.cwd(), '.claude', 'settings.json');
584
708
  const gatesHandlerPath = join(process.cwd(), '.claude', 'helpers', 'handlers', 'gates-handler.cjs');
@@ -599,6 +723,9 @@ async function checkGuidanceGates() {
599
723
  };
600
724
  }
601
725
  try {
726
+ if (statSync(settingsPath).size > MAX_DOCTOR_CONFIG_BYTES) {
727
+ return { name: 'Guidance Gates', status: 'warn', message: 'settings.json too large to parse' };
728
+ }
602
729
  const settings = JSON.parse(readFileSync(settingsPath, 'utf-8'));
603
730
  const preToolUse = settings?.hooks?.PreToolUse ?? [];
604
731
  const hasPreWrite = preToolUse.some(e => e.matcher === 'Write|Edit|MultiEdit' && e.hooks.some(h => h.command?.includes('pre-write')));
@@ -671,7 +798,7 @@ export const doctorCommand = {
671
798
  {
672
799
  name: 'component',
673
800
  short: 'c',
674
- description: 'Check specific component (version, node, npm, config, daemon, memory, api, git, mcp, claude, disk, typescript, monograph, helpers, monoes, gates)',
801
+ description: 'Check specific component (version, node, npm, config, daemon, memory, api, git, mcp, claude, disk, typescript, monograph, memory-pkg, helpers, agentic-flow, monoes, gates, gitignore)',
675
802
  type: 'string'
676
803
  },
677
804
  {
@@ -714,10 +841,12 @@ export const doctorCommand = {
714
841
  checkDiskSpace,
715
842
  checkBuildTools,
716
843
  checkMonograph,
844
+ checkMonoesMemory,
717
845
  checkHelpersFresh,
718
846
  checkAgenticFlow,
719
847
  checkMonoesIntegration,
720
848
  checkGuidanceGates,
849
+ checkGitignoreCoverage,
721
850
  ];
722
851
  const componentMap = {
723
852
  'version': checkVersionFreshness,
@@ -734,10 +863,12 @@ export const doctorCommand = {
734
863
  'disk': checkDiskSpace,
735
864
  'typescript': checkBuildTools,
736
865
  'monograph': checkMonograph,
866
+ 'memory-pkg': checkMonoesMemory,
737
867
  'helpers': checkHelpersFresh,
738
868
  'agentic-flow': checkAgenticFlow,
739
869
  'monoes': checkMonoesIntegration,
740
870
  'gates': checkGuidanceGates,
871
+ 'gitignore': checkGitignoreCoverage,
741
872
  };
742
873
  let checksToRun = allChecks;
743
874
  if (component && componentMap[component]) {
@@ -461,6 +461,19 @@ const abTestCommand = {
461
461
  output.writeln(output.error(`Tasks file not found: ${tasksPath}`));
462
462
  return { success: false, message: `File not found: ${tasksPath}` };
463
463
  }
464
+ // Size guard: a multi-MB tasks file would be buffered in full before
465
+ // JSON.parse runs. Cap at 10 MB — any legitimate task list is far smaller.
466
+ const { statSync, lstatSync } = await import('node:fs');
467
+ const tasksLstat = lstatSync(tasksPath);
468
+ if (tasksLstat.isSymbolicLink()) {
469
+ output.writeln(output.error(`Symlinks are not allowed as task files: ${tasksPath}`));
470
+ return { success: false, message: 'Symlink not allowed as tasks file' };
471
+ }
472
+ const MAX_TASKS_FILE_BYTES = 10 * 1024 * 1024; // 10 MB
473
+ if (tasksLstat.size > MAX_TASKS_FILE_BYTES) {
474
+ output.writeln(output.error(`Tasks file too large (max 10 MB): ${tasksPath}`));
475
+ return { success: false, message: 'Tasks file too large' };
476
+ }
464
477
  const tasksJson = await readFile(tasksPath, 'utf-8');
465
478
  customTasks = JSON.parse(tasksJson);
466
479
  output.writeln(` Custom tasks: ${output.bold(String(customTasks.length))} loaded from ${tasksPath}`);
@@ -542,7 +555,7 @@ const setupCommand = {
542
555
  output.writeln(output.bold('Guidance Gates Setup'));
543
556
  output.writeln(output.dim('─'.repeat(50)));
544
557
  output.writeln();
545
- const { readFileSync, writeFileSync, existsSync } = await import('node:fs');
558
+ const { readFileSync, writeFileSync, existsSync, statSync } = await import('node:fs');
546
559
  const { join } = await import('node:path');
547
560
  const settingsPath = join(projectDir, '.claude', 'settings.json');
548
561
  const gatesHandlerPath = join(projectDir, '.claude', 'helpers', 'handlers', 'gates-handler.cjs');
@@ -553,7 +566,7 @@ const setupCommand = {
553
566
  }
554
567
  // Load or create settings.json
555
568
  let settings = {};
556
- if (existsSync(settingsPath)) {
569
+ if (existsSync(settingsPath) && statSync(settingsPath).size <= 1024 * 1024) {
557
570
  try {
558
571
  settings = JSON.parse(readFileSync(settingsPath, 'utf-8'));
559
572
  }
@@ -10,7 +10,14 @@ import { select, confirm, input } from '../prompt.js';
10
10
  import { callMCPTool, MCPClientError } from '../mcp-client.js';
11
11
  import { spawn as childSpawn, execSync } from 'child_process';
12
12
  import { mkdir, writeFile } from 'fs/promises';
13
- import { join } from 'path';
13
+ import { join, resolve as resolvePath, sep } from 'path';
14
+ // Input length caps
15
+ const MAX_OBJECTIVE_LEN = 2_000;
16
+ const MAX_TASK_DESC_LEN = 4_000;
17
+ const MAX_MESSAGE_LEN = 2_000;
18
+ const MAX_KEY_LEN = 256;
19
+ const MAX_VALUE_LEN = 65_536;
20
+ const MAX_AGENT_ID_LEN = 128;
14
21
  // Hive topologies
15
22
  const TOPOLOGIES = [
16
23
  { value: 'hierarchical', label: 'Hierarchical', hint: 'Queen-led with worker agents' },
@@ -177,11 +184,21 @@ async function spawnClaudeCodeInstance(swarmId, swarmName, objective, workers, f
177
184
  `Consensus: ${output.highlight(flags.consensus || 'byzantine')}`,
178
185
  `MCP Tools: ${output.success('Full Monomind integration enabled')}`
179
186
  ]);
180
- // Ensure sessions directory exists
181
- const sessionsDir = join('.hive-mind', 'sessions');
187
+ // Ensure sessions directory exists (anchor to process.cwd() so relative paths
188
+ // don't escape when the caller changes directory)
189
+ const baseDir = resolvePath(process.cwd());
190
+ const sessionsDir = resolvePath(baseDir, '.hive-mind', 'sessions');
191
+ // Guard: sessions directory must stay inside cwd
192
+ if (!sessionsDir.startsWith(baseDir + sep) && sessionsDir !== baseDir) {
193
+ throw new Error('Sessions directory path traversal detected');
194
+ }
182
195
  await mkdir(sessionsDir, { recursive: true });
183
196
  const safeSwarmId = swarmId.replace(/[^a-zA-Z0-9_-]/g, '_');
184
197
  const promptFile = join(sessionsDir, `hive-mind-prompt-${safeSwarmId}.txt`);
198
+ // Guard: prompt file must stay inside sessions directory
199
+ if (!resolvePath(promptFile).startsWith(sessionsDir + sep)) {
200
+ throw new Error('Prompt file path traversal detected');
201
+ }
185
202
  await writeFile(promptFile, hiveMindPrompt, 'utf8');
186
203
  output.writeln();
187
204
  output.printSuccess(`Hive Mind prompt saved to: ${promptFile}`);
@@ -295,10 +312,14 @@ async function spawnClaudeCodeInstance(swarmId, swarmName, objective, workers, f
295
312
  spinner.fail('Failed to prepare Claude Code coordination');
296
313
  const errorMessage = error instanceof Error ? error.message : String(error);
297
314
  output.printError(`Error: ${errorMessage}`);
298
- // Try to save prompt as fallback
315
+ // Try to save prompt as fallback — write inside cwd to avoid path issues
299
316
  try {
300
317
  const safeSwarmIdFallback = swarmId.replace(/[^a-zA-Z0-9_-]/g, '_');
301
- const promptFile = `hive-mind-prompt-${safeSwarmIdFallback}-fallback.txt`;
318
+ const fallbackDir = resolvePath(process.cwd());
319
+ const promptFile = join(fallbackDir, `hive-mind-prompt-${safeSwarmIdFallback}-fallback.txt`);
320
+ if (!resolvePath(promptFile).startsWith(fallbackDir + sep)) {
321
+ throw new Error('Fallback path traversal');
322
+ }
302
323
  const workerGroups = groupWorkersByType(workers);
303
324
  const hiveMindPrompt = generateHiveMindPrompt(swarmId, swarmName, objective, workers, workerGroups, flags);
304
325
  await writeFile(promptFile, hiveMindPrompt, 'utf8');
@@ -502,12 +523,13 @@ const spawnCommand = {
502
523
  ],
503
524
  action: async (ctx) => {
504
525
  // Parse count with fallback to default
505
- const count = ctx.flags.count || 1;
526
+ const rawCount = ctx.flags.count || 1;
527
+ const count = Number.isFinite(rawCount) ? Math.max(1, Math.min(rawCount, 50)) : 1;
506
528
  const role = ctx.flags.role || 'worker';
507
529
  const agentType = ctx.flags.type || 'worker';
508
530
  const prefix = ctx.flags.prefix || 'hive-worker';
509
531
  const launchClaude = ctx.flags.claude;
510
- let objective = ctx.flags.objective || ctx.args.join(' ');
532
+ let objective = (ctx.flags.objective || ctx.args.join(' ')).slice(0, MAX_OBJECTIVE_LEN);
511
533
  output.printInfo(`Spawning ${count} ${role} agent(s)...`);
512
534
  try {
513
535
  const result = await callMCPTool('hive-mind_spawn', {
@@ -761,12 +783,13 @@ const taskCommand = {
761
783
  { command: 'monomind hive-mind task -d "Security review" -p critical -c', description: 'Critical task with consensus' }
762
784
  ],
763
785
  action: async (ctx) => {
764
- let description = ctx.flags.description || ctx.args.join(' ');
786
+ let description = (ctx.flags.description || ctx.args.join(' ')).slice(0, MAX_TASK_DESC_LEN);
765
787
  if (!description && ctx.interactive) {
766
788
  description = await input({
767
789
  message: 'Task description:',
768
790
  validate: (v) => v.length > 0 || 'Description is required'
769
791
  });
792
+ description = description.slice(0, MAX_TASK_DESC_LEN);
770
793
  }
771
794
  if (!description) {
772
795
  output.printError('Task description is required');
@@ -888,7 +911,7 @@ const joinCommand = {
888
911
  { name: 'role', short: 'r', description: 'Agent role (worker, specialist, scout)', type: 'string', default: 'worker' }
889
912
  ],
890
913
  action: async (ctx) => {
891
- const agentId = ctx.args[0] || ctx.flags['agent-id'] || ctx.flags.agentId;
914
+ const agentId = (ctx.args[0] || ctx.flags['agent-id'] || ctx.flags.agentId || '').slice(0, MAX_AGENT_ID_LEN);
892
915
  if (!agentId) {
893
916
  output.printError('Agent ID is required. Use --agent-id or -a flag, or provide as argument.');
894
917
  return { success: false, exitCode: 1 };
@@ -914,7 +937,7 @@ const leaveCommand = {
914
937
  description: 'Remove an agent from the hive mind',
915
938
  options: [{ name: 'agent-id', short: 'a', description: 'Agent ID to remove', type: 'string' }],
916
939
  action: async (ctx) => {
917
- const agentId = ctx.args[0] || ctx.flags['agent-id'] || ctx.flags.agentId;
940
+ const agentId = (ctx.args[0] || ctx.flags['agent-id'] || ctx.flags.agentId || '').slice(0, MAX_AGENT_ID_LEN);
918
941
  if (!agentId) {
919
942
  output.printError('Agent ID required.');
920
943
  return { success: false, exitCode: 1 };
@@ -986,13 +1009,13 @@ const broadcastCommand = {
986
1009
  { name: 'from', short: 'f', description: 'Sender agent ID', type: 'string' }
987
1010
  ],
988
1011
  action: async (ctx) => {
989
- const message = ctx.args.join(' ') || ctx.flags.message;
1012
+ const message = (ctx.args.join(' ') || ctx.flags.message || '').slice(0, MAX_MESSAGE_LEN);
990
1013
  if (!message) {
991
1014
  output.printError('Message required. Use --message or -m flag.');
992
1015
  return { success: false, exitCode: 1 };
993
1016
  }
994
1017
  try {
995
- const result = await callMCPTool('hive-mind_broadcast', { message, priority: ctx.flags.priority, fromId: ctx.flags.from });
1018
+ const result = await callMCPTool('hive-mind_broadcast', { message, priority: ctx.flags.priority, fromId: typeof ctx.flags.from === 'string' ? ctx.flags.from.slice(0, MAX_AGENT_ID_LEN) : undefined });
996
1019
  if (!result.success) {
997
1020
  output.printError(result.error || 'Failed');
998
1021
  return { success: false, exitCode: 1 };
@@ -1017,8 +1040,8 @@ const memorySubCommand = {
1017
1040
  ],
1018
1041
  action: async (ctx) => {
1019
1042
  const action = ctx.flags.action || 'list';
1020
- const key = ctx.flags.key;
1021
- const value = ctx.flags.value;
1043
+ const key = typeof ctx.flags.key === 'string' ? ctx.flags.key.slice(0, MAX_KEY_LEN) : undefined;
1044
+ const value = typeof ctx.flags.value === 'string' ? ctx.flags.value.slice(0, MAX_VALUE_LEN) : undefined;
1022
1045
  if ((action === 'get' || action === 'delete') && !key) {
1023
1046
  output.printError('Key required for get/delete.');
1024
1047
  return { success: false, exitCode: 1 };
@@ -27,8 +27,10 @@ function readCoverageFromDisk() {
27
27
  const summaryPath = join(cwd, relPath);
28
28
  if (existsSync(summaryPath)) {
29
29
  try {
30
- const raw = JSON.parse(readFileSync(summaryPath, 'utf-8'));
31
- return parseCoverageSummaryJson(raw, relPath);
30
+ if (statSync(summaryPath).size <= 4_194_304) {
31
+ const raw = JSON.parse(readFileSync(summaryPath, 'utf-8'));
32
+ return parseCoverageSummaryJson(raw, relPath);
33
+ }
32
34
  }
33
35
  catch {
34
36
  // malformed, try next
@@ -40,8 +42,10 @@ function readCoverageFromDisk() {
40
42
  const lcovPath = join(cwd, relPath);
41
43
  if (existsSync(lcovPath)) {
42
44
  try {
43
- const raw = readFileSync(lcovPath, 'utf-8');
44
- return parseLcovInfo(raw, relPath);
45
+ if (statSync(lcovPath).size <= 8_388_608) {
46
+ const raw = readFileSync(lcovPath, 'utf-8');
47
+ return parseLcovInfo(raw, relPath);
48
+ }
45
49
  }
46
50
  catch {
47
51
  // malformed, try next
@@ -52,8 +56,10 @@ function readCoverageFromDisk() {
52
56
  const nycPath = join(cwd, '.nyc_output', 'out.json');
53
57
  if (existsSync(nycPath)) {
54
58
  try {
55
- const raw = JSON.parse(readFileSync(nycPath, 'utf-8'));
56
- return parseCoverageSummaryJson(raw, '.nyc_output/out.json');
59
+ if (statSync(nycPath).size <= 4_194_304) {
60
+ const raw = JSON.parse(readFileSync(nycPath, 'utf-8'));
61
+ return parseCoverageSummaryJson(raw, '.nyc_output/out.json');
62
+ }
57
63
  }
58
64
  catch {
59
65
  // malformed
@@ -1785,9 +1791,11 @@ const intelligenceCommand = {
1785
1791
  try {
1786
1792
  const pStat = statSync(persistence.patternsFile);
1787
1793
  patternsFileSize = pStat.size;
1788
- const pData = JSON.parse(readFileSync(persistence.patternsFile, 'utf-8'));
1789
- if (Array.isArray(pData))
1790
- patternsFileEntries = pData.length;
1794
+ if (patternsFileSize <= 4_194_304) {
1795
+ const pData = JSON.parse(readFileSync(persistence.patternsFile, 'utf-8'));
1796
+ if (Array.isArray(pData))
1797
+ patternsFileEntries = pData.length;
1798
+ }
1791
1799
  }
1792
1800
  catch { /* ignore */ }
1793
1801
  }
@@ -1796,9 +1804,12 @@ const intelligenceCommand = {
1796
1804
  let lastAdaptationFromDisk = null;
1797
1805
  if (persistence.statsExist) {
1798
1806
  try {
1799
- const sData = JSON.parse(readFileSync(persistence.statsFile, 'utf-8'));
1800
- trajectoriesFromDisk = sData?.trajectoriesRecorded ?? 0;
1801
- lastAdaptationFromDisk = sData?.lastAdaptation ?? null;
1807
+ const sStat = statSync(persistence.statsFile);
1808
+ if (sStat.size <= 524_288) {
1809
+ const sData = JSON.parse(readFileSync(persistence.statsFile, 'utf-8'));
1810
+ trajectoriesFromDisk = sData?.trajectoriesRecorded ?? 0;
1811
+ lastAdaptationFromDisk = sData?.lastAdaptation ?? null;
1812
+ }
1802
1813
  }
1803
1814
  catch { /* ignore */ }
1804
1815
  }
@@ -3375,10 +3386,12 @@ const statuslineCommand = {
3375
3386
  for (const lPath of learningJsonPaths) {
3376
3387
  if (fs.existsSync(lPath)) {
3377
3388
  try {
3378
- const data = JSON.parse(fs.readFileSync(lPath, 'utf-8'));
3379
- if (data.intelligence?.score !== undefined) {
3380
- intelligencePct = Math.min(100, Math.floor(data.intelligence.score));
3381
- break;
3389
+ if (fs.statSync(lPath).size <= 524_288) {
3390
+ const data = JSON.parse(fs.readFileSync(lPath, 'utf-8'));
3391
+ if (data.intelligence?.score !== undefined) {
3392
+ intelligencePct = Math.min(100, Math.floor(data.intelligence.score));
3393
+ break;
3394
+ }
3382
3395
  }
3383
3396
  }
3384
3397
  catch { /* ignore */ }
@@ -3500,9 +3513,11 @@ const statuslineCommand = {
3500
3513
  const settingsPath = path.join(process.cwd(), '.claude', 'settings.json');
3501
3514
  if (fs.existsSync(settingsPath)) {
3502
3515
  try {
3503
- const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
3504
- if (settings.hooks) {
3505
- hooksStats.enabled = Object.values(settings.hooks).filter((h) => h && typeof h === 'object').length;
3516
+ if (fs.statSync(settingsPath).size <= 524_288) {
3517
+ const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
3518
+ if (settings.hooks) {
3519
+ hooksStats.enabled = Object.values(settings.hooks).filter((h) => h && typeof h === 'object').length;
3520
+ }
3506
3521
  }
3507
3522
  }
3508
3523
  catch { /* ignore */ }
@@ -3585,12 +3600,14 @@ const statuslineCommand = {
3585
3600
  const vectorsPath = path.join(process.cwd(), '.monomind', 'vectors.json');
3586
3601
  if (fs.existsSync(vectorsPath) && agentdbStats.vectorCount === 0) {
3587
3602
  try {
3588
- const data = JSON.parse(fs.readFileSync(vectorsPath, 'utf-8'));
3589
- if (Array.isArray(data)) {
3590
- agentdbStats.vectorCount = data.length;
3591
- }
3592
- else if (data.vectors) {
3593
- agentdbStats.vectorCount = Object.keys(data.vectors).length;
3603
+ if (fs.statSync(vectorsPath).size <= 8_388_608) {
3604
+ const data = JSON.parse(fs.readFileSync(vectorsPath, 'utf-8'));
3605
+ if (Array.isArray(data)) {
3606
+ agentdbStats.vectorCount = data.length;
3607
+ }
3608
+ else if (data.vectors) {
3609
+ agentdbStats.vectorCount = Object.keys(data.vectors).length;
3610
+ }
3594
3611
  }
3595
3612
  }
3596
3613
  catch { /* ignore */ }
@@ -99,7 +99,7 @@ const initAction = async (ctx) => {
99
99
  const { spawn } = await import('child_process');
100
100
  const pidFile = path.join(ctx.cwd, '.monomind', 'monograph-watch.pid');
101
101
  let alreadyRunning = false;
102
- if (fs.existsSync(pidFile)) {
102
+ if (fs.existsSync(pidFile) && fs.statSync(pidFile).size <= 32) {
103
103
  const existingPid = parseInt(fs.readFileSync(pidFile, 'utf8').trim(), 10);
104
104
  if (!isNaN(existingPid)) {
105
105
  try {
@@ -738,9 +738,14 @@ const upgradeCommand = {
738
738
  // Try to read control URL for dashboard progress events (best-effort)
739
739
  let controlUrl = 'http://localhost:4242';
740
740
  try {
741
- const ctrlCfg = JSON.parse(fs.readFileSync(path.join(process.cwd(), '.monomind', 'control.json'), 'utf-8'));
742
- if (ctrlCfg.url)
743
- controlUrl = ctrlCfg.url;
741
+ const ctrlPath = path.join(process.cwd(), '.monomind', 'control.json');
742
+ if (fs.existsSync(ctrlPath) && fs.statSync(ctrlPath).size <= 4096) {
743
+ const ctrlCfg = JSON.parse(fs.readFileSync(ctrlPath, 'utf-8'));
744
+ // Only allow localhost/127.0.0.1 URLs to prevent SSRF via attacker-controlled control.json
745
+ if (typeof ctrlCfg.url === 'string' && /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/.test(ctrlCfg.url)) {
746
+ controlUrl = ctrlCfg.url;
747
+ }
748
+ }
744
749
  }
745
750
  catch { }
746
751
  const emitUpgradeProgress = async (projDir, status, current, total) => {