monomind 1.11.13 → 1.12.0

Files changed (389) hide show
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -106,9 +106,9 @@ const claimCommand = {
106
106
  },
107
107
  ],
108
108
  action: async (ctx) => {
109
- const issueId = (ctx.flags.issue || ctx.args[0]);
110
- const agentStr = ctx.flags.agent;
111
- const userStr = ctx.flags.user;
109
+ const issueId = (ctx.flags.issue || ctx.args[0])?.slice(0, 256);
110
+ const agentStr = ctx.flags.agent?.slice(0, 256);
111
+ const userStr = ctx.flags.user?.slice(0, 256);
112
112
  if (!issueId) {
113
113
  output.printError('Issue ID is required');
114
114
  return { success: false, exitCode: 1 };
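Review bot: The new `?.slice(0, 256)` calls at the top of claimCommand's action silently truncate `issueId`, `agentStr` and `userStr` instead of rejecting over-length input, so the command goes on to act on an identifier the caller did not supply, and two distinct long values that share a prefix collapse to the same issue or claimant. For a command that records ownership it is safer to fail closed: keep the raw value and add `if (issueId.length > 256) { output.printError('Issue ID is too long'); return { success: false, exitCode: 1 }; }` next to the existing `!issueId` check. The same truncation recurs in the releaseCommand, handoffCommand and statusCommand hunks, and in the per-field `.slice(0, 64)` / `.slice(0, 128)` caps on the claimant objects. `?.` only guards null/undefined, so if the flag parser can ever return a non-string (its behaviour is not visible here) `.slice` would throw; a `typeof value === 'string'` check before the length test would cover both cases. The action body continues outside the hunk.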
@@ -120,13 +120,13 @@ const claimCommand = {
120
120
  const claimant = agentStr
121
121
  ? {
122
122
  type: 'agent',
123
- agentType: agentStr.split(':')[0],
124
- agentId: agentStr.split(':')[1] || `${agentStr.split(':')[0]}-1`,
123
+ agentType: agentStr.split(':')[0].slice(0, 64),
124
+ agentId: (agentStr.split(':')[1] || `${agentStr.split(':')[0]}-1`).slice(0, 128),
125
125
  }
126
126
  : {
127
127
  type: 'human',
128
- userId: userStr.split(':')[0],
129
- name: userStr.split(':')[1] || userStr.split(':')[0],
128
+ userId: userStr.split(':')[0].slice(0, 128),
129
+ name: (userStr.split(':')[1] || userStr.split(':')[0]).slice(0, 128),
130
130
  };
131
131
  const service = getClaimService(ctx.cwd);
132
132
  await service.initialize();
@@ -165,9 +165,9 @@ const releaseCommand = {
165
165
  },
166
166
  ],
167
167
  action: async (ctx) => {
168
- const issueId = (ctx.flags.issue || ctx.args[0]);
169
- const agentStr = ctx.flags.agent;
170
- const userStr = ctx.flags.user;
168
+ const issueId = (ctx.flags.issue || ctx.args[0])?.slice(0, 256);
169
+ const agentStr = ctx.flags.agent?.slice(0, 256);
170
+ const userStr = ctx.flags.user?.slice(0, 256);
171
171
  if (!issueId) {
172
172
  output.printError('Issue ID is required');
173
173
  return { success: false, exitCode: 1 };
@@ -179,13 +179,13 @@ const releaseCommand = {
179
179
  const claimant = agentStr
180
180
  ? {
181
181
  type: 'agent',
182
- agentType: agentStr.split(':')[0],
183
- agentId: agentStr.split(':')[1] || `${agentStr.split(':')[0]}-1`,
182
+ agentType: agentStr.split(':')[0].slice(0, 64),
183
+ agentId: (agentStr.split(':')[1] || `${agentStr.split(':')[0]}-1`).slice(0, 128),
184
184
  }
185
185
  : {
186
186
  type: 'human',
187
- userId: userStr.split(':')[0],
188
- name: userStr.split(':')[1] || userStr.split(':')[0],
187
+ userId: userStr.split(':')[0].slice(0, 128),
188
+ name: (userStr.split(':')[1] || userStr.split(':')[0]).slice(0, 128),
189
189
  };
190
190
  const service = getClaimService(ctx.cwd);
191
191
  await service.initialize();
@@ -210,10 +210,10 @@ const handoffCommand = {
210
210
  { name: 'reason', short: 'r', type: 'string', description: 'Handoff reason', default: 'Handoff requested' },
211
211
  ],
212
212
  action: async (ctx) => {
213
- const issueId = (ctx.flags.issue || ctx.args[0]);
214
- const toStr = ctx.flags.to;
215
- const fromStr = ctx.flags.from;
216
- const reason = ctx.flags.reason;
213
+ const issueId = (ctx.flags.issue || ctx.args[0])?.slice(0, 256);
214
+ const toStr = ctx.flags.to?.slice(0, 256);
215
+ const fromStr = ctx.flags.from?.slice(0, 256);
216
+ const reason = (ctx.flags.reason || 'Handoff requested').slice(0, 512);
217
217
  if (!issueId || !toStr) {
218
218
  output.printError('Issue ID and --to are required');
219
219
  return { success: false, exitCode: 1 };
@@ -257,7 +257,7 @@ const statusCommand = {
257
257
  { name: 'note', short: 'n', type: 'string', description: 'Status note' },
258
258
  ],
259
259
  action: async (ctx) => {
260
- const issueId = (ctx.flags.issue || ctx.args[0]);
260
+ const issueId = (ctx.flags.issue || ctx.args[0])?.slice(0, 256);
261
261
  if (!issueId) {
262
262
  output.printError('Issue ID is required');
263
263
  return { success: false, exitCode: 1 };
@@ -265,8 +265,11 @@ const statusCommand = {
265
265
  const service = getClaimService(ctx.cwd);
266
266
  await service.initialize();
267
267
  const newStatus = ctx.flags.set;
268
- const progress = ctx.flags.progress;
269
- const note = ctx.flags.note;
268
+ const rawProgress = ctx.flags.progress;
269
+ const progress = rawProgress !== undefined
270
+ ? Math.max(0, Math.min(100, Math.floor(rawProgress)))
271
+ : undefined;
272
+ const note = ctx.flags.note?.slice(0, 512);
270
273
  try {
271
274
  if (newStatus) {
272
275
  await service.updateStatus(issueId, newStatus, note);
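Review bot: The clamp at new lines 269-271 lets NaN through: for a non-numeric `--progress` value `Math.floor(rawProgress)` is NaN, and both `Math.min` and `Math.max` return NaN when any argument is NaN. Check the number before clamping, e.g. `const n = Number(rawProgress);` followed by `const progress = rawProgress !== undefined && Number.isFinite(n) ? Math.max(0, Math.min(100, Math.floor(n))) : undefined;`. How `progress` is consumed is outside the hunk, so the effect of a NaN there cannot be judged from here.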
@@ -301,7 +304,7 @@ const stealableCommand = {
301
304
  { name: 'type', short: 't', type: 'string', description: 'Filter by agent type' },
302
305
  ],
303
306
  action: async (ctx) => {
304
- const agentType = ctx.flags.type;
307
+ const agentType = ctx.flags.type?.slice(0, 64);
305
308
  const service = getClaimService(ctx.cwd);
306
309
  await service.initialize();
307
310
  const stealable = await service.getStealable(agentType);
@@ -331,16 +334,16 @@ const stealCommand = {
331
334
  { name: 'agent', short: 'a', type: 'string', description: 'Steal as agent', required: true },
332
335
  ],
333
336
  action: async (ctx) => {
334
- const issueId = (ctx.flags.issue || ctx.args[0]);
335
- const agentStr = ctx.flags.agent;
337
+ const issueId = (ctx.flags.issue || ctx.args[0])?.slice(0, 256);
338
+ const agentStr = (ctx.flags.agent || '').slice(0, 256);
336
339
  if (!issueId) {
337
340
  output.printError('Issue ID is required');
338
341
  return { success: false, exitCode: 1 };
339
342
  }
340
343
  const stealer = {
341
344
  type: 'agent',
342
- agentType: agentStr.split(':')[0],
343
- agentId: agentStr.split(':')[1] || `${agentStr.split(':')[0]}-1`,
345
+ agentType: agentStr.split(':')[0].slice(0, 64),
346
+ agentId: (agentStr.split(':')[1] || `${agentStr.split(':')[0]}-1`).slice(0, 128),
344
347
  };
345
348
  const service = getClaimService(ctx.cwd);
346
349
  await service.initialize();
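Review bot: Defaulting `agentStr` to `''` at new line 338 means a missing `--agent` produces a stealer with `agentType: ''` and `agentId: '-1'` instead of an error. The flag is declared `required: true`, so the parser may already reject that case, but nothing in the action enforces it; an explicit guard next to the issue check, `if (!agentStr) { output.printError('--agent is required'); return { success: false, exitCode: 1 }; }`, keeps a malformed identity from reaching `service`. An input such as `:id` also yields an empty `agentType` and deserves the same rejection.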
@@ -88,10 +88,15 @@ const startCommand = {
88
88
  { command: 'monomind mcp start -f', description: 'Force restart (kill existing)' }
89
89
  ],
90
90
  action: async (ctx) => {
91
- const port = ctx.flags.port ?? 3000;
92
- const host = ctx.flags.host ?? 'localhost';
91
+ const rawPort = ctx.flags.port ?? 3000;
92
+ const port = Number.isFinite(rawPort) && rawPort >= 1 && rawPort <= 65535 ? Math.floor(rawPort) : 3000;
93
+ const rawHost = ctx.flags.host ?? 'localhost';
94
+ // Cap host length and reject control chars to prevent injection
95
+ const host = typeof rawHost === 'string' ? rawHost.slice(0, 253).replace(/[\x00-\x1f]/g, '') : 'localhost';
93
96
  const transport = ctx.flags.transport ?? 'stdio';
94
- const tools = ctx.flags.tools || 'all';
97
+ const rawTools = ctx.flags.tools || 'all';
98
+ // Cap tools string to prevent DoS via oversized comma-separated lists
99
+ const tools = typeof rawTools === 'string' ? rawTools.slice(0, 2000) : 'all';
95
100
  const daemon = ctx.flags.daemon ?? false;
96
101
  const force = ctx.flags.force ?? false;
97
102
  output.writeln();
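Review bot: `Number.isFinite(rawPort)` at new line 92 is false for every string, so if the parser hands `--port` over as text (its declared type is outside the hunk) a valid `--port 8080` silently becomes 3000. Converting first, `const n = Number(rawPort);` then `const port = Number.isInteger(n) && n >= 1 && n <= 65535 ? n : 3000;`, avoids that; for a listening server an out-of-range value is better reported as an error than replaced with a default. The host filter removes only `\x00-\x1f`, so DEL (`\x7f`), spaces and other characters that are invalid in a hostname still pass; what the comment means by injection depends on how `host` is used outside the hunk.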
@@ -599,14 +604,15 @@ const logsCommand = {
599
604
  action: async (ctx) => {
600
605
  const lines = ctx.flags.lines || 50;
601
606
  // Try to find and read the actual log file
602
- const { existsSync, readFileSync } = await import('fs');
607
+ const { existsSync, readFileSync, statSync } = await import('fs');
603
608
  const { join } = await import('path');
609
+ const MAX_MCP_LOG_BYTES = 10 * 1024 * 1024; // 10 MB
604
610
  const logPaths = [
605
611
  join(ctx.cwd, '.monomind', 'logs', 'mcp-server.log'),
606
612
  join(ctx.cwd, '.monomind', 'logs', 'daemon.log'),
607
613
  join(ctx.cwd, '.monomind', 'mcp.log'),
608
614
  ];
609
- const logFile = logPaths.find(p => existsSync(p));
615
+ const logFile = logPaths.find(p => existsSync(p) && statSync(p).size <= MAX_MCP_LOG_BYTES);
610
616
  output.writeln();
611
617
  output.writeln(output.bold('MCP Server Logs'));
612
618
  output.writeln(output.dim('─'.repeat(50)));
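Review bot: Folding the size limit into the `find` predicate at new line 615 makes a log larger than 10 MB indistinguishable from a missing one: the command either shows the next candidate (for example `daemon.log` instead of `mcp-server.log`) or reports no log at all, with no hint why. A large log is when this command is most needed, so reading only the tail of the file, or at least printing a message that the file was skipped for its size, would serve better. `lines` at new line 605 is still unvalidated and unbounded, and `statSync` can throw if the file disappears after `existsSync`. The rest of the action is outside the hunk.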
@@ -511,6 +511,11 @@ const editCommand = {
511
511
  output.printError(`File not found: ${filePath}`);
512
512
  return { success: false, exitCode: 1 };
513
513
  }
514
+ const MAX_MEMORY_FILE_BYTES = 50 * 1024 * 1024; // 50 MB
515
+ if (fs.statSync(filePath).size > MAX_MEMORY_FILE_BYTES) {
516
+ output.printError(`Memory file too large (> 50 MB): ${filePath}`);
517
+ return { success: false, exitCode: 1 };
518
+ }
514
519
  let entries;
515
520
  try {
516
521
  const raw = fs.readFileSync(filePath, 'utf8');
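Review bot: The new `fs.statSync(filePath)` at new line 515 sits before the `try` that starts at line 520, so a file that is removed or becomes unreadable after the existence check surfaces as an unhandled exception rather than the command's usual `{ success: false, exitCode: 1 }` result. Moving the size check inside the `try` keeps the failure path uniform. `MAX_MEMORY_FILE_BYTES` is declared again in the `deleteCommand` hunk below and the message hard-codes `50 MB`; one module-level constant used for both the check and the message keeps them from drifting apart. The existence check itself starts above the hunk.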
@@ -763,6 +768,11 @@ const deleteCommand = {
763
768
  output.printError(`File not found: ${filePath}`);
764
769
  return { success: false, exitCode: 1 };
765
770
  }
771
+ const MAX_MEMORY_FILE_BYTES = 50 * 1024 * 1024; // 50 MB
772
+ if (fs.statSync(filePath).size > MAX_MEMORY_FILE_BYTES) {
773
+ output.printError(`Memory file too large (> 50 MB): ${filePath}`);
774
+ return { success: false, exitCode: 1 };
775
+ }
766
776
  let entries;
767
777
  try {
768
778
  const raw = fs.readFileSync(filePath, 'utf8');
@@ -47,7 +47,7 @@ const statusCommand = {
47
47
  let hasV2Config = false;
48
48
  let hasv1Config = false;
49
49
  try {
50
- if (fs.existsSync(v2ConfigPath)) {
50
+ if (fs.existsSync(v2ConfigPath) && fs.statSync(v2ConfigPath).size <= MAX_MIGRATE_FILE_BYTES) {
51
51
  const raw = fs.readFileSync(v2ConfigPath, 'utf-8');
52
52
  const parsed = JSON.parse(raw);
53
53
  if (parsed.version === '2' || parsed.version === 2 || !parsed.version) {
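Review bot: `MAX_MIGRATE_FILE_BYTES` is used at new line 50 and in the four other hunks shown for this file (lines 113, 217, 418, 435), but none of them declares it, and the identical old and new line numbers in every hunk header indicate that no line was added up to line 438. If the constant is not already defined in the unchanged part of the file, each condition throws a ReferenceError inside its `try`, which would probably be reported as a missing or invalid config. Separately, an oversized file now takes the same path as an absent one, so `status` and `verify` can mislead; a distinct message for the size case would make the cause visible. The `catch` blocks are outside the hunks.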
@@ -110,7 +110,7 @@ const statusCommand = {
110
110
  const migrationStatePath = path.join(cwd, '.monomind', 'migration-state.json');
111
111
  let migrationState = null;
112
112
  try {
113
- if (fs.existsSync(migrationStatePath)) {
113
+ if (fs.existsSync(migrationStatePath) && fs.statSync(migrationStatePath).size <= MAX_MIGRATE_FILE_BYTES) {
114
114
  const raw = fs.readFileSync(migrationStatePath, 'utf-8');
115
115
  const parsed = JSON.parse(raw);
116
116
  migrationState = parsed.status || 'unknown';
@@ -214,7 +214,7 @@ const runCommand = {
214
214
  if (!target || target === 'config') {
215
215
  const v2ConfigPath = path.join(cwd, 'monomind.config.json');
216
216
  try {
217
- if (fs.existsSync(v2ConfigPath)) {
217
+ if (fs.existsSync(v2ConfigPath) && fs.statSync(v2ConfigPath).size <= MAX_MIGRATE_FILE_BYTES) {
218
218
  const raw = fs.readFileSync(v2ConfigPath, 'utf-8');
219
219
  const parsed = JSON.parse(raw);
220
220
  if (parsed.version === '2' || parsed.version === 2 || !parsed.version) {
@@ -415,7 +415,7 @@ const verifyCommand = {
415
415
  // Check 1: Migration state file exists
416
416
  let migrationState = null;
417
417
  try {
418
- if (fs.existsSync(migrationStatePath)) {
418
+ if (fs.existsSync(migrationStatePath) && fs.statSync(migrationStatePath).size <= MAX_MIGRATE_FILE_BYTES) {
419
419
  const raw = fs.readFileSync(migrationStatePath, 'utf-8');
420
420
  migrationState = JSON.parse(raw);
421
421
  checks.push({ check: 'Migration state file', result: 'passed' });
@@ -432,7 +432,7 @@ const verifyCommand = {
432
432
  // Check 2: v1 config exists and is valid JSON
433
433
  const v1ConfigPath = path.join(v1Dir, 'config.json');
434
434
  try {
435
- if (fs.existsSync(v1ConfigPath)) {
435
+ if (fs.existsSync(v1ConfigPath) && fs.statSync(v1ConfigPath).size <= MAX_MIGRATE_FILE_BYTES) {
436
436
  const raw = fs.readFileSync(v1ConfigPath, 'utf-8');
437
437
  JSON.parse(raw); // validate JSON
438
438
  checks.push({ check: 'v1 config (valid JSON)', result: 'passed' });
@@ -255,16 +255,27 @@ const searchCommand = {
255
255
  { command: 'monomind monograph search -q "pipeline" --mode semantic', description: 'Semantic (embedding) search' },
256
256
  ],
257
257
  action: async (ctx) => {
258
- const query = ctx.flags.query;
259
- const limit = parseInt(ctx.flags.limit || '15', 10);
260
- const label = ctx.flags.label;
261
- const mode = ctx.flags.mode ?? 'hybrid';
258
+ const rawQuery = ctx.flags.query;
259
+ const rawLimit = parseInt(ctx.flags.limit || '15', 10);
260
+ const rawLabel = ctx.flags.label;
261
+ const rawMode = ctx.flags.mode ?? 'hybrid';
262
262
  const root = resolve(ctx.flags.path ?? process.cwd());
263
263
  const dbPath = getDbPath(root);
264
+ // Cap query to prevent SQLite FTS DoS from multi-MB query strings
265
+ const MAX_QUERY_LEN = 2048;
266
+ const query = typeof rawQuery === 'string' ? rawQuery.slice(0, MAX_QUERY_LEN) : '';
264
267
  if (!query) {
265
268
  output.printError('--query is required');
266
269
  return { success: false, exitCode: 1 };
267
270
  }
271
+ // Clamp limit to prevent huge result sets from causing OOM
272
+ const limit = isFinite(rawLimit) && rawLimit > 0 ? Math.min(rawLimit, 500) : 15;
273
+ // Validate mode to an explicit allowlist
274
+ const VALID_MODES = new Set(['bm25', 'semantic', 'hybrid']);
275
+ const mode = VALID_MODES.has(rawMode) ? rawMode : 'hybrid';
276
+ // Cap label to prevent oversized SQL filter values
277
+ const MAX_LABEL_LEN = 64;
278
+ const label = typeof rawLabel === 'string' ? rawLabel.slice(0, MAX_LABEL_LEN) : undefined;
268
279
  if (!existsSync(dbPath)) {
269
280
  output.printWarning('No knowledge graph found. Run: monomind monograph build');
270
281
  return { success: false, exitCode: 1 };
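Review bot: The comment at new line 276 presents the 64-character cap on `label` as protection for a SQL filter, but a length cap does not neutralise SQL metacharacters; the query code is outside the hunk, so confirm that `label` and `query` are bound as parameters rather than interpolated. An unknown `--mode` silently becomes `hybrid` and an over-long label is silently cut, so a typo returns results for a different search without notice; `if (!VALID_MODES.has(rawMode)) { output.printError('Invalid --mode'); return { success: false, exitCode: 1 }; }` would surface it. `Number.isFinite` is preferable to the coercing global `isFinite` at new line 272 and in the `statsCommand` hunk below.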
@@ -345,7 +356,9 @@ const statsCommand = {
345
356
  ],
346
357
  action: async (ctx) => {
347
358
  const root = resolve(ctx.flags.path ?? process.cwd());
348
- const top = parseInt(ctx.flags.top || '10', 10);
359
+ const rawTop = parseInt(ctx.flags.top || '10', 10);
360
+ // Clamp top-N to prevent arbitrarily large SQL LIMIT values
361
+ const top = isFinite(rawTop) && rawTop > 0 ? Math.min(rawTop, 200) : 10;
349
362
  const dbPath = getDbPath(root);
350
363
  if (!existsSync(dbPath)) {
351
364
  output.printWarning('No knowledge graph found. Run: monomind monograph build');
@@ -461,7 +461,14 @@ const restoreSubcommand = {
461
461
  output.printError(`File not found: ${inputPath}`);
462
462
  return { success: false, exitCode: 1 };
463
463
  }
464
- // Read file
464
+ // Read file — check size first to avoid OOM on a runaway or corrupt file.
465
+ const fileSize = fs.statSync(inputPath).size;
466
+ const MAX_BACKUP_BYTES = 500 * 1024 * 1024; // 500 MB
467
+ if (fileSize > MAX_BACKUP_BYTES) {
468
+ spinner.fail('Backup file too large');
469
+ output.printError(`Backup file exceeds size limit (${formatBytes(fileSize)} > ${formatBytes(MAX_BACKUP_BYTES)})`);
470
+ return { success: false, exitCode: 1 };
471
+ }
465
472
  let content;
466
473
  if (inputPath.endsWith('.gz')) {
467
474
  const zlib = await import('zlib');
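Review bot: The 500 MB check at new lines 465-471 measures the file on disk, so for a `.gz` backup it bounds only the compressed size; the decompressed content can be many times larger and is what actually has to fit in memory. The gunzip call is outside the hunk, but Node's zlib functions accept a `maxOutputLength` option, so passing `{ maxOutputLength: MAX_BACKUP_BYTES }` there would cap the expansion and turn an oversized archive into a catchable error.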
@@ -473,7 +480,6 @@ const restoreSubcommand = {
473
480
  else {
474
481
  content = fs.readFileSync(inputPath, 'utf-8');
475
482
  }
476
- const fileSize = fs.statSync(inputPath).size;
477
483
  spinner.succeed(`Read backup file (${formatBytes(fileSize)})`);
478
484
  // Determine format
479
485
  const isJson = content.trim().startsWith('{');
@@ -151,13 +151,26 @@ export const benchmarkCommand = {
151
151
  ],
152
152
  action: async (ctx) => {
153
153
  const config = getConnectionConfig(ctx);
154
- const numVectors = parseInt(ctx.flags.vectors || '10000', 10);
155
- const dimensions = parseInt(ctx.flags.dimensions || '1536', 10);
156
- const numQueries = parseInt(ctx.flags.queries || '100', 10);
157
- const topK = parseInt(ctx.flags.k || '10', 10);
158
- const metric = ctx.flags.metric || 'cosine';
159
- const indexType = ctx.flags.index || 'hnsw';
160
- const batchSize = parseInt(ctx.flags['batch-size'] || '1000', 10);
154
+ // Clamp numeric inputs to safe ranges to prevent DoS via OOM
155
+ const numVectors = Math.min(Math.max(1, parseInt(ctx.flags.vectors || '10000', 10)), 1_000_000);
156
+ const dimensions = Math.min(Math.max(1, parseInt(ctx.flags.dimensions || '1536', 10)), 65536);
157
+ const numQueries = Math.min(Math.max(1, parseInt(ctx.flags.queries || '100', 10)), 10_000);
158
+ const topK = Math.min(Math.max(1, parseInt(ctx.flags.k || '10', 10)), 10_000);
159
+ // Validate metric and indexType against allowlists to prevent SQL injection
160
+ const VALID_METRICS = ['cosine', 'l2', 'inner'];
161
+ const VALID_INDEX_TYPES = ['hnsw', 'ivfflat', 'none'];
162
+ const rawMetric = ctx.flags.metric || 'cosine';
163
+ const rawIndexType = ctx.flags.index || 'hnsw';
164
+ const metric = VALID_METRICS.includes(rawMetric) ? rawMetric : 'cosine';
165
+ const indexType = VALID_INDEX_TYPES.includes(rawIndexType) ? rawIndexType : 'hnsw';
166
+ const batchSize = Math.min(Math.max(1, parseInt(ctx.flags['batch-size'] || '1000', 10)), 100_000);
167
+ // Validate schema identifier against safe pattern to prevent SQL injection
168
+ const rawSchema = config.schema || 'monomind';
169
+ if (!/^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/.test(rawSchema)) {
170
+ output.printError('Invalid schema name. Only alphanumeric characters and underscores are allowed.');
171
+ return { success: false, exitCode: 1 };
172
+ }
173
+ config.schema = rawSchema;
161
174
  const cleanup = ctx.flags.cleanup !== false;
162
175
  output.writeln();
163
176
  output.writeln(output.bold('MonoVector Performance Benchmark'));
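Review bot: The clamps at new lines 155-158 and 166 do not handle non-numeric input: `parseInt('abc', 10)` is NaN, and `Math.max(1, NaN)` and `Math.min(NaN, …)` both return NaN, so NaN reaches the benchmark instead of a bounded value. The per-flag caps also leave the product unbounded; 1,000,000 vectors times 65,536 dimensions is far beyond available memory if the vectors are held at once (the generation code is outside the hunk), so the OOM protection named in the comment is incomplete. A small helper with a `Number.isFinite` check, as the `performance benchmark` hunk on this page already does, fixes the NaN case.

```javascript
// Parse an integer flag; use `fallback` when the value is absent or not a number, then clamp to [lo, hi].
const clampInt = (value, fallback, lo, hi) => {
    const n = parseInt(value || fallback, 10);
    return Number.isFinite(n) ? Math.min(Math.max(lo, n), hi) : fallback;
};
const numVectors = clampInt(ctx.flags.vectors, 10000, 1, 1_000_000);
const dimensions = clampInt(ctx.flags.dimensions, 1536, 1, 65536);
const numQueries = clampInt(ctx.flags.queries, 100, 1, 10_000);
const topK = clampInt(ctx.flags.k, 10, 1, 10_000);
// … unchanged: metric / indexType allowlists …
const batchSize = clampInt(ctx.flags['batch-size'], 1000, 1, 100_000);
```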
@@ -184,6 +184,21 @@ export const importCommand = {
184
184
  output.printError(`Input file not found: ${inputFile}`);
185
185
  return { success: false, message: 'File not found' };
186
186
  }
187
+ // Symlink guard: a symlink could redirect to /etc/passwd or a huge file.
188
+ // lstatSync checks the link itself, not the target — so symlinks are rejected
189
+ // regardless of what they point to (TOCTOU-safe for the check + read pair).
190
+ const lstat = fs.lstatSync(inputFile);
191
+ if (lstat.isSymbolicLink()) {
192
+ output.printError(`Symlinks are not allowed as input files: ${inputFile}`);
193
+ return { success: false, message: 'Symlink not allowed' };
194
+ }
195
+ // Size guard: without this, a user can pass a multi-GB file and exhaust the
196
+ // Node heap before JSON.parse ever runs, crashing the CLI with an OOM.
197
+ const MAX_IMPORT_FILE_BYTES = 50 * 1024 * 1024; // 50 MB
198
+ if (lstat.size > MAX_IMPORT_FILE_BYTES) {
199
+ output.printError(`Input file too large: ${inputFile} (max 50 MB)`);
200
+ return { success: false, message: 'Input file too large' };
201
+ }
187
202
  try {
188
203
  output.printInfo(`Reading: ${inputFile}`);
189
204
  const content = fs.readFileSync(inputFile, 'utf-8');
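Review bot: The comment at new lines 188-189 calls the guard TOCTOU-safe, but `lstatSync(inputFile)` and the later `readFileSync(inputFile)` each resolve the path separately, so the file can be replaced between the check and the read; `lstat` also inspects only the final path component, so a symlinked parent directory is still followed. Opening the file once and running the checks on the descriptor closes that gap. `O_NOFOLLOW` is not available on Windows and makes `openSync` throw on a symlink, so the surrounding error handling has to report that case. The `try` opened at new line 202 continues outside the hunk.

```javascript
const MAX_IMPORT_FILE_BYTES = 50 * 1024 * 1024; // 50 MB
// Open once; every check and the read below use this descriptor, not the path.
// O_NOFOLLOW (POSIX only) makes openSync fail with ELOOP when the last component is a symlink.
const fd = fs.openSync(inputFile, fs.constants.O_RDONLY | (fs.constants.O_NOFOLLOW ?? 0));
try {
    const st = fs.fstatSync(fd);
    if (!st.isFile() || st.size > MAX_IMPORT_FILE_BYTES) {
        output.printError(`Input file must be a regular file of at most 50 MB: ${inputFile}`);
        return { success: false, message: 'Input file rejected' };
    }
    output.printInfo(`Reading: ${inputFile}`);
    const content = fs.readFileSync(fd, 'utf-8');
    // … unchanged: parsing and import of `content` …
} finally {
    fs.closeSync(fd);
}
```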
@@ -130,10 +130,13 @@ const MIGRATIONS = [
130
130
  `,
131
131
  },
132
132
  ];
133
+ const IDENTIFIER_RE = /^[a-zA-Z_][a-zA-Z0-9_]{0,63}$/;
133
134
  /**
134
135
  * Get PostgreSQL connection config from context
135
136
  */
136
137
  function getConnectionConfig(ctx) {
138
+ const rawSchema = ctx.flags.schema || 'monomind';
139
+ const schema = IDENTIFIER_RE.test(rawSchema) ? rawSchema : 'monomind';
137
140
  return {
138
141
  host: ctx.flags.host || process.env.PGHOST || 'localhost',
139
142
  port: parseInt(ctx.flags.port || process.env.PGPORT || '5432', 10),
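Review bot: Replacing an invalid `--schema` with `'monomind'` at new line 139 silently redirects a mistyped or unsupported schema name, so the commands that use this config then run against a schema the user did not name. Failing instead, e.g. `if (!IDENTIFIER_RE.test(rawSchema)) throw new Error('Invalid schema name');` (or an error result the callers print), makes the mistake visible. `IDENTIFIER_RE` also accepts 64 characters (`{0,63}` after the first), while PostgreSQL identifiers are limited to 63 bytes by default and the copies of this pattern in the benchmark and optimize hunks use `{0,62}`. The function continues in the next hunk.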
@@ -141,7 +144,7 @@ function getConnectionConfig(ctx) {
141
144
  user: ctx.flags.user || process.env.PGUSER || 'postgres',
142
145
  password: ctx.flags.password || process.env.PGPASSWORD || '',
143
146
  ssl: ctx.flags.ssl || process.env.PGSSLMODE === 'require',
144
- schema: ctx.flags.schema || 'monomind',
147
+ schema,
145
148
  };
146
149
  }
147
150
  /**
@@ -121,6 +121,17 @@ export const optimizeCommand = {
121
121
  output.printError('Database name is required. Use --database or -d flag, or set PGDATABASE env.');
122
122
  return { success: false, exitCode: 1 };
123
123
  }
124
+ // Validate schema identifier to prevent SQL injection
125
+ const IDENT_RE = /^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/;
126
+ if (!IDENT_RE.test(config.schema)) {
127
+ output.printError('Invalid schema name. Only alphanumeric characters and underscores are allowed.');
128
+ return { success: false, exitCode: 1 };
129
+ }
130
+ // Validate --index flag if provided
131
+ if (specificIndex !== undefined && !IDENT_RE.test(specificIndex)) {
132
+ output.printError('Invalid index name. Only alphanumeric characters and underscores are allowed.');
133
+ return { success: false, exitCode: 1 };
134
+ }
124
135
  const spinner = output.createSpinner({ text: 'Connecting to PostgreSQL...', spinner: 'dots' });
125
136
  spinner.start();
126
137
  const recommendations = [];
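Review bot: `IDENT_RE` at new line 125 is the third copy of the identifier pattern on this page, and the copies disagree (`{0,62}` here and in the benchmark hunk, `{0,63}` in `getConnectionConfig`); one shared exported constant would keep the checks identical. The pattern also admits upper-case letters: if the SQL outside this hunk interpolates the name unquoted, PostgreSQL folds it to lower case, so `MySchema` would validate and then refer to `myschema`; quoting the identifier in the statement or restricting the pattern to lower case removes the ambiguity. If `config.schema` comes from `getConnectionConfig` as changed on this page, an invalid value has already been replaced by `'monomind'` and the schema branch here cannot trigger.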
@@ -685,13 +685,23 @@ export const setupCommand = {
685
685
  { command: 'monomind monovector setup --force', description: 'Overwrite existing files' },
686
686
  ],
687
687
  action: async (ctx) => {
688
- const outputDir = ctx.flags.output || './monovector-postgres';
688
+ const rawOutputDir = ctx.flags.output || './monovector-postgres';
689
689
  const printOnly = ctx.flags.print;
690
690
  const force = ctx.flags.force;
691
691
  output.writeln();
692
692
  output.writeln(output.bold('MonoVector PostgreSQL Setup'));
693
693
  output.writeln(output.dim('='.repeat(50)));
694
694
  output.writeln();
695
+ // Guard against path traversal: resolve to absolute and ensure it stays within
696
+ // the current working directory or the user's home directory.
697
+ const resolvedOutput = path.resolve(rawOutputDir);
698
+ const safeBases = [process.cwd(), process.env.HOME || process.env.USERPROFILE || ''].filter(Boolean);
699
+ const withinSafeBase = safeBases.some(base => resolvedOutput.startsWith(base + path.sep) || resolvedOutput === base);
700
+ if (!withinSafeBase) {
701
+ output.printError(`Output path must be within the current directory or home directory: ${resolvedOutput}`);
702
+ return { success: false, exitCode: 1 };
703
+ }
704
+ const outputDir = resolvedOutput;
695
705
  if (printOnly) {
696
706
  // Print to stdout
697
707
  output.writeln(output.bold('=== docker-compose.yml ==='));
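Review bot: The containment check at new lines 697-699 is purely lexical: `path.resolve` normalises `..` but does not resolve symbolic links, so a directory inside the working directory that links elsewhere passes the check while the files end up outside both bases. Resolving the nearest existing ancestor with `fs.realpathSync` and then testing `path.relative(base, target)` (rejecting results that start with `..` or are absolute) is more robust than `startsWith`, which is also case-sensitive on case-insensitive filesystems. The check runs before the `printOnly` branch, so `--print` combined with an outside `--output` now fails although nothing would be written. The home-directory base is read from environment variables, so it is only as trustworthy as the environment.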
@@ -940,7 +940,7 @@ const importCommand = {
940
940
  }
941
941
  const patternsFile = path.join(memoryDir, 'patterns.json');
942
942
  let existingPatterns = [];
943
- if (merge && fs.existsSync(patternsFile)) {
943
+ if (merge && fs.existsSync(patternsFile) && fs.statSync(patternsFile).size <= 50 * 1024 * 1024) {
944
944
  existingPatterns = JSON.parse(fs.readFileSync(patternsFile, 'utf8'));
945
945
  }
946
946
  // Merge or replace
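Review bot: With the size condition folded into the `if` at new line 943, a `patterns.json` larger than 50 MB is treated like a missing file: `existingPatterns` stays `[]` and the merge proceeds from empty. If the code after `// Merge or replace` writes the result back to `patternsFile` (not visible in this hunk), `--merge` would then silently discard every existing pattern. Abort instead when the file is too large: test `fs.statSync(patternsFile).size > MAX_PATTERNS_BYTES` (a named constant to add, replacing the inline `50 * 1024 * 1024`) in its own branch, call `output.printError('patterns.json is too large to merge')` and return the command's failure result.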
@@ -20,14 +20,18 @@ const benchmarkCommand = {
20
20
  { command: 'monomind performance benchmark -i 1000', description: 'Run with 1000 iterations' },
21
21
  ],
22
22
  action: async (ctx) => {
23
- const suite = ctx.flags.suite || 'all';
23
+ const suiteRaw = ctx.flags.suite || 'all';
24
+ const VALID_SUITES = new Set(['all', 'wasm', 'neural', 'memory', 'search']);
25
+ const suite = VALID_SUITES.has(suiteRaw) ? suiteRaw : 'all';
24
26
  const MAX_ITERATIONS = 10_000;
25
27
  const MAX_WARMUP = 500;
26
28
  const iterationsRaw = parseInt(ctx.flags.iterations || '100', 10);
27
29
  const warmupRaw = parseInt(ctx.flags.warmup || '10', 10);
28
30
  const iterations = Number.isFinite(iterationsRaw) ? Math.min(Math.max(1, iterationsRaw), MAX_ITERATIONS) : 100;
29
31
  const warmup = Number.isFinite(warmupRaw) ? Math.min(Math.max(0, warmupRaw), MAX_WARMUP) : 10;
30
- const outputFormat = ctx.flags.output || 'text';
32
+ const outputFormatRaw = ctx.flags.output || 'text';
33
+ const VALID_OUTPUT_FORMATS = new Set(['text', 'json', 'csv']);
34
+ const outputFormat = VALID_OUTPUT_FORMATS.has(outputFormatRaw) ? outputFormatRaw : 'text';
31
35
  output.writeln();
32
36
  output.writeln(output.bold('Performance Benchmark (Real Measurements)'));
33
37
  output.writeln(output.dim('─'.repeat(60)));
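Review bot: An unrecognised `--suite` or `--output` value is silently replaced by the default at new lines 25 and 34, so a typo such as `--suite nueral` runs every suite and `--output jsn` prints text, with nothing to tell the user. Printing a warning when the raw value is not in the set, e.g. `if (!VALID_SUITES.has(suiteRaw)) output.printWarning('Unknown --suite value, using "all"');`, keeps the allowlist while making the substitution visible. The same applies to `type`, `timeframe`, `format` and `target` in the later hunks of this file.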
@@ -235,8 +239,11 @@ const profileCommand = {
235
239
  { command: 'monomind performance profile -d 60', description: 'Profile for 60 seconds' },
236
240
  ],
237
241
  action: async (ctx) => {
238
- const type = ctx.flags.type || 'all';
239
- const duration = parseInt(ctx.flags.duration || '30', 10);
242
+ const typeRaw = ctx.flags.type || 'all';
243
+ const VALID_PROFILE_TYPES = new Set(['cpu', 'memory', 'io', 'all']);
244
+ const type = VALID_PROFILE_TYPES.has(typeRaw) ? typeRaw : 'all';
245
+ const durationRaw = parseInt(ctx.flags.duration || '30', 10);
246
+ const duration = Number.isFinite(durationRaw) ? Math.min(Math.max(1, durationRaw), 300) : 30;
240
247
  output.writeln();
241
248
  output.writeln(output.bold('Performance Profiler'));
242
249
  output.writeln(output.dim('─'.repeat(50)));
@@ -308,8 +315,12 @@ const metricsCommand = {
308
315
  { command: 'monomind performance metrics -f prometheus', description: 'Export as Prometheus format' },
309
316
  ],
310
317
  action: async (ctx) => {
311
- const timeframe = ctx.flags.timeframe || '24h';
312
- const format = ctx.flags.format || 'text';
318
+ const timeframeRaw = ctx.flags.timeframe || '24h';
319
+ const VALID_TIMEFRAMES = new Set(['1h', '24h', '7d', '30d']);
320
+ const timeframe = VALID_TIMEFRAMES.has(timeframeRaw) ? timeframeRaw : '24h';
321
+ const formatRaw = ctx.flags.format || 'text';
322
+ const VALID_FORMATS = new Set(['text', 'json', 'prometheus']);
323
+ const format = VALID_FORMATS.has(formatRaw) ? formatRaw : 'text';
313
324
  output.writeln();
314
325
  output.writeln(output.bold(`Performance Metrics (${timeframe})`));
315
326
  output.writeln(output.dim('─'.repeat(50)));
@@ -491,7 +502,9 @@ const optimizeCommand = {
491
502
  { command: 'monomind performance optimize --apply', description: 'Apply all optimizations' },
492
503
  ],
493
504
  action: async (ctx) => {
494
- const target = ctx.flags.target || 'all';
505
+ const targetRaw = ctx.flags.target || 'all';
506
+ const VALID_TARGETS = new Set(['memory', 'cpu', 'latency', 'all']);
507
+ const target = VALID_TARGETS.has(targetRaw) ? targetRaw : 'all';
495
508
  if (ctx.flags.apply) {
496
509
  output.printWarning('Optimization application is not yet implemented. Showing recommendations only.');
497
510
  }