monomind 1.11.13 → 1.12.0

Files changed (389)
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -4,8 +4,8 @@
4
4
  *
5
5
  * github.com/monoes/monomind
6
6
  */
7
- import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'fs';
8
- import { join, dirname } from 'path';
7
+ import { existsSync, writeFileSync, mkdirSync, readFileSync, statSync } from 'fs';
8
+ import { join, dirname, resolve } from 'path';
9
9
  import { output } from '../output.js';
10
10
  export const SUPPORTED_PLATFORMS = [
11
11
  'claude', 'gemini', 'cursor', 'vscode', 'copilot',
@@ -43,15 +43,63 @@ Graph is at \`.monomind/monograph.db\`. Rebuild with: \`npx monograph build\`
43
43
  ${MONOMIND_BLOCK_END}
44
44
  `;
45
45
  }
46
+ /**
47
+ * Maximum size for a platform config file we will read or append to.
48
+ * Platform config files (CLAUDE.md, .cursorrules, etc.) are never legitimately
49
+ * larger than a few hundred KB — a 1 MB cap prevents OOM when the flag points
50
+ * at an enormous file such as a binary or a DB dump.
51
+ */
52
+ const MAX_CONFIG_FILE_BYTES = 1 * 1024 * 1024; // 1 MB
53
+ /**
54
+ * Resolve and validate the user-supplied --path flag.
55
+ *
56
+ * SECURITY: the flag is attacker-controlled. Without validation an adversary can
57
+ * pass --path /etc to overwrite system files, or --path "../../.." to escape
58
+ * the project. We resolve to an absolute path and reject anything that isn't
59
+ * a directory (or doesn't exist yet under a parent that does exist).
60
+ * We do NOT further restrict the path to cwd because a legitimate use case is
61
+ * "install into another repo at an absolute path", but we do require the
62
+ * resolved path to be a directory (or the parent to exist) so that the caller
63
+ * cannot aim the flag at a file.
64
+ */
65
+ function resolveRepoPath(rawPath) {
66
+ // Prevent shell-injection via null bytes or unusual separators
67
+ if (rawPath.includes('\0'))
68
+ throw new Error('Invalid path: contains null byte');
69
+ const resolved = resolve(rawPath);
70
+ // If the path exists it must be a directory
71
+ if (existsSync(resolved)) {
72
+ const st = statSync(resolved);
73
+ if (!st.isDirectory())
74
+ throw new Error(`--path must be a directory, got a file: ${resolved}`);
75
+ }
76
+ return resolved;
77
+ }
78
+ /**
79
+ * Validate that fullPath is contained within repoRoot (path traversal defence).
80
+ * relPath comes from our own PLATFORM_CONFIG_FILES map, but we validate anyway
81
+ * to guard against future changes that introduce dynamic paths.
82
+ */
83
+ function assertWithinRoot(fullPath, repoRoot) {
84
+ if (!fullPath.startsWith(repoRoot + '/') && fullPath !== repoRoot) {
85
+ throw new Error(`Path escapes repository root: ${fullPath}`);
86
+ }
87
+ }
46
88
  function installPlatform(platform, repoPath) {
47
89
  const files = PLATFORM_CONFIG_FILES[platform];
48
90
  const instructions = getMonomindInstructions();
49
91
  const written = [];
50
92
  for (const relPath of files) {
51
- const fullPath = join(repoPath, relPath);
93
+ const fullPath = resolve(join(repoPath, relPath));
94
+ assertWithinRoot(fullPath, repoPath);
52
95
  const dir = dirname(fullPath);
53
96
  mkdirSync(dir, { recursive: true });
54
97
  if (existsSync(fullPath)) {
98
+ // Guard against reading oversized files (e.g. the flag points at a data file)
99
+ const fileStat = statSync(fullPath);
100
+ if (fileStat.size > MAX_CONFIG_FILE_BYTES) {
101
+ throw new Error(`Config file too large to read (${fileStat.size} bytes): ${relPath}`);
102
+ }
55
103
  const existing = readFileSync(fullPath, 'utf8');
56
104
  if (existing.includes(MONOMIND_BLOCK_START))
57
105
  continue;
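Review bot: `assertWithinRoot` tests `fullPath.startsWith(repoRoot + '/')`, which hard-codes the POSIX separator and assumes `repoRoot` is already absolute: on Windows `resolve()` yields backslash paths, so every config file would be rejected, and a relative root such as `.` can never prefix the resolved `fullPath`. A separator-independent form is `const rel = relative(repoRoot, fullPath);` followed by `if (rel === '..' || rel.startsWith('..' + sep) || isAbsolute(rel)) throw new Error(...)`, with `relative`, `isAbsolute` and `sep` added to the `path` import. The same call is added to `uninstallPlatform` in the following hunk, whose caller is outside this view, so it is worth confirming that path also goes through `resolveRepoPath`. `resolve()` is purely lexical, so a config file that is a symlink inside the repository still passes the check and is read and rewritten at its target; comparing `realpathSync` results or refusing symlinks via `lstatSync` would cover that. The comment on the null-byte check mentions shell injection although no shell is involved, and the docstring's "or the parent to exist" condition is not enforced by `resolveRepoPath`.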
@@ -69,9 +117,15 @@ function uninstallPlatform(platform, repoPath) {
69
117
  const blockRe = new RegExp(`\\n?${MONOMIND_BLOCK_START}[\\s\\S]*?${MONOMIND_BLOCK_END}\\n?`, 'g');
70
118
  const cleaned = [];
71
119
  for (const relPath of files) {
72
- const fullPath = join(repoPath, relPath);
120
+ const fullPath = resolve(join(repoPath, relPath));
121
+ assertWithinRoot(fullPath, repoPath);
73
122
  if (!existsSync(fullPath))
74
123
  continue;
124
+ // Guard against reading oversized files
125
+ const fileStat = statSync(fullPath);
126
+ if (fileStat.size > MAX_CONFIG_FILE_BYTES) {
127
+ throw new Error(`Config file too large to read (${fileStat.size} bytes): ${relPath}`);
128
+ }
75
129
  const content = readFileSync(fullPath, 'utf8');
76
130
  writeFileSync(fullPath, content.replace(blockRe, ''), 'utf8');
77
131
  cleaned.push(relPath);
@@ -81,7 +135,14 @@ function uninstallPlatform(platform, repoPath) {
81
135
  async function handleInstall(ctx) {
82
136
  const platform = ctx.flags['platform'];
83
137
  const all = ctx.flags['all'];
84
- const repoPath = ctx.flags['path'] ?? '.';
138
+ let repoPath;
139
+ try {
140
+ repoPath = resolveRepoPath(ctx.flags['path'] ?? '.');
141
+ }
142
+ catch (err) {
143
+ output.error(`Invalid --path: ${err instanceof Error ? err.message : String(err)}`);
144
+ return { success: false, exitCode: 1 };
145
+ }
85
146
  if (!platform && !all) {
86
147
  output.error('Specify --platform <name> or --all');
87
148
  output.info(`Supported platforms: ${SUPPORTED_PLATFORMS.join(', ')}`);
@@ -98,7 +159,14 @@ async function handleInstall(ctx) {
98
159
  }
99
160
  let totalFiles = 0;
100
161
  for (const p of targets) {
101
- const written = installPlatform(p, repoPath);
162
+ let written;
163
+ try {
164
+ written = installPlatform(p, repoPath);
165
+ }
166
+ catch (err) {
167
+ output.error(`[${p}] Install failed: ${err instanceof Error ? err.message : String(err)}`);
168
+ continue;
169
+ }
102
170
  if (written.length > 0) {
103
171
  output.success(`[${p}] Installed Monograph context → ${written.join(', ')}`);
104
172
  totalFiles += written.length;
@@ -113,7 +181,14 @@ async function handleInstall(ctx) {
113
181
  async function handleUninstall(ctx) {
114
182
  const platform = ctx.flags['platform'];
115
183
  const all = ctx.flags['all'];
116
- const repoPath = ctx.flags['path'] ?? '.';
184
+ let repoPath;
185
+ try {
186
+ repoPath = resolveRepoPath(ctx.flags['path'] ?? '.');
187
+ }
188
+ catch (err) {
189
+ output.error(`Invalid --path: ${err instanceof Error ? err.message : String(err)}`);
190
+ return { success: false, exitCode: 1 };
191
+ }
117
192
  if (!platform && !all) {
118
193
  output.error('Specify --platform <name> or --all');
119
194
  output.info(`Supported platforms: ${SUPPORTED_PLATFORMS.join(', ')}`);
@@ -130,7 +205,14 @@ async function handleUninstall(ctx) {
130
205
  }
131
206
  let totalFiles = 0;
132
207
  for (const p of targets) {
133
- const cleaned = uninstallPlatform(p, repoPath);
208
+ let cleaned;
209
+ try {
210
+ cleaned = uninstallPlatform(p, repoPath);
211
+ }
212
+ catch (err) {
213
+ output.error(`[${p}] Uninstall failed: ${err instanceof Error ? err.message : String(err)}`);
214
+ continue;
215
+ }
134
216
  if (cleaned.length > 0) {
135
217
  output.success(`[${p}] Removed Monograph context from ${cleaned.join(', ')}`);
136
218
  totalFiles += cleaned.length;
@@ -187,14 +187,16 @@ const installCommand = {
187
187
  { command: 'monomind plugins install -n ./my-plugin --dev', description: 'Install local plugin' },
188
188
  ],
189
189
  action: async (ctx) => {
190
- const name = ctx.flags.name;
190
+ const rawName = ctx.flags.name;
191
191
  const version = ctx.flags.version || 'latest';
192
192
  const registryName = ctx.flags.registry;
193
193
  const verify = ctx.flags.verify !== false;
194
- if (!name) {
194
+ if (!rawName) {
195
195
  output.printError('Plugin name is required');
196
196
  return { success: false, exitCode: 1 };
197
197
  }
198
+ // Cap plugin name and version to prevent DoS/injection
199
+ const name = typeof rawName === 'string' ? rawName.slice(0, 214) : '';
198
200
  // Check if it's a local path
199
201
  const isLocalPath = name.startsWith('./') || name.startsWith('/') || name.startsWith('../');
200
202
  output.writeln();
@@ -620,16 +622,21 @@ const searchCommand = {
620
622
  { command: 'monomind plugins search -q security --verified', description: 'Search verified security plugins' },
621
623
  ],
622
624
  action: async (ctx) => {
623
- const query = ctx.flags.query;
625
+ const rawQuery = ctx.flags.query;
624
626
  const category = ctx.flags.category;
625
627
  const type = ctx.flags.type;
626
628
  const verified = ctx.flags.verified;
627
- const limit = ctx.flags.limit || 20;
629
+ const rawLimit = ctx.flags.limit;
628
630
  const registryName = ctx.flags.registry;
629
- if (!query) {
631
+ if (!rawQuery) {
630
632
  output.printError('Search query is required');
631
633
  return { success: false, exitCode: 1 };
632
634
  }
635
+ // Cap query length and limit to prevent DoS
636
+ const query = typeof rawQuery === 'string' ? rawQuery.slice(0, 200) : '';
637
+ const limit = typeof rawLimit === 'number' && Number.isFinite(rawLimit)
638
+ ? Math.max(1, Math.min(Math.floor(rawLimit), 100))
639
+ : 20;
633
640
  const spinner = output.createSpinner({ text: 'Searching plugin registry...', spinner: 'dots' });
634
641
  spinner.start();
635
642
  try {
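Review bot: In the install action, `rawName.slice(0, 214)` silently shortens an over-long plugin name, so the command goes on to resolve a name the user did not type. A truthy non-string `rawName` also passes the `!rawName` check and then becomes `''`. Rejecting is safer than truncating for an identifier that selects what gets installed: `if (typeof rawName !== 'string' || rawName.length > 214) { output.printError('Invalid plugin name'); return { success: false, exitCode: 1 }; }`. The added comment mentions capping the version as well, but `version` is left unchanged. The action body continues past the hunk, so how `name` is consumed is not visible here.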
@@ -2,7 +2,7 @@
2
2
  * CLI Process Management Command
3
3
  * Background process management, daemon mode, and monitoring
4
4
  */
5
- import { writeFileSync, readFileSync, unlinkSync, existsSync, mkdirSync } from 'node:fs';
5
+ import { writeFileSync, readFileSync, statSync, unlinkSync, existsSync, mkdirSync } from 'node:fs';
6
6
  import { dirname, resolve } from 'node:path';
7
7
  // Helper functions for PID file management
8
8
  function writePidFile(pidFile, pid, port) {
@@ -35,13 +35,22 @@ function writePidFile(pidFile, pid, port) {
35
35
  }
36
36
  }
37
37
  }
38
+ const MAX_PID_FILE_BYTES = 4 * 1024; // 4 KB — a PID file should never be this large
38
39
  function readPidFile(pidFile) {
39
40
  try {
40
41
  const path = resolve(pidFile);
41
42
  if (!existsSync(path))
42
43
  return null;
44
+ // Guard against oversized PID files before reading into memory
45
+ if (statSync(path).size > MAX_PID_FILE_BYTES)
46
+ return null;
43
47
  const data = readFileSync(path, 'utf-8');
44
- return JSON.parse(data);
48
+ return JSON.parse(data, (key, value) => {
49
+ // Prototype pollution guard
50
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype')
51
+ return undefined;
52
+ return value;
53
+ });
45
54
  }
46
55
  catch {
47
56
  return null;
@@ -270,9 +279,10 @@ const monitorCommand = {
270
279
  // Try to read agent and task counts from local store files
271
280
  let agentCount = 0;
272
281
  const taskCounts = { running: 0, queued: 0, completed: 0, failed: 0 };
282
+ const MAX_PROCESS_STORE_BYTES = 50 * 1024 * 1024; // 50 MB
273
283
  try {
274
284
  const agentStorePath = resolve('.monomind/agents/store.json');
275
- if (existsSync(agentStorePath)) {
285
+ if (existsSync(agentStorePath) && statSync(agentStorePath).size <= MAX_PROCESS_STORE_BYTES) {
276
286
  const agentStore = JSON.parse(readFileSync(agentStorePath, 'utf-8'));
277
287
  const agents = Array.isArray(agentStore) ? agentStore : Object.values(agentStore.agents || agentStore || {});
278
288
  agentCount = agents.length;
@@ -281,7 +291,7 @@ const monitorCommand = {
281
291
  catch { /* no agent store */ }
282
292
  try {
283
293
  const taskStorePath = resolve('.monomind/tasks/store.json');
284
- if (existsSync(taskStorePath)) {
294
+ if (existsSync(taskStorePath) && statSync(taskStorePath).size <= MAX_PROCESS_STORE_BYTES) {
285
295
  const taskStore = JSON.parse(readFileSync(taskStorePath, 'utf-8'));
286
296
  const tasks = Array.isArray(taskStore) ? taskStore : Object.values(taskStore.tasks || taskStore || {});
287
297
  for (const t of tasks) {
@@ -607,12 +617,22 @@ const logsCommand = {
607
617
  { command: 'monomind process logs --since 1h --grep "error"', description: 'Search logs' },
608
618
  ],
609
619
  action: async (ctx) => {
610
- const source = ctx.flags?.source || 'all';
611
- const tail = ctx.flags?.tail || 50;
620
+ const VALID_SOURCES = new Set(['daemon', 'workers', 'tasks', 'all']);
621
+ const VALID_LEVELS = new Set(['debug', 'info', 'warn', 'error']);
622
+ const MAX_TAIL = 10_000; // cap to prevent huge in-memory slice
623
+ const MAX_GREP_LEN = 256; // cap regex/pattern length
624
+ const MAX_SINCE_LEN = 64; // cap timestamp/duration string
625
+ const rawSource = ctx.flags?.source || 'all';
626
+ const source = VALID_SOURCES.has(rawSource) ? rawSource : 'all';
627
+ const rawTail = Number(ctx.flags?.tail ?? 50);
628
+ const tail = Number.isFinite(rawTail) && rawTail > 0 ? Math.min(rawTail, MAX_TAIL) : 50;
612
629
  const follow = ctx.flags?.follow === true;
613
- const level = ctx.flags?.level || 'info';
614
- const since = ctx.flags?.since;
615
- const grep = ctx.flags?.grep;
630
+ const rawLevel = ctx.flags?.level || 'info';
631
+ const level = VALID_LEVELS.has(rawLevel) ? rawLevel : 'info';
632
+ const rawSince = ctx.flags?.since;
633
+ const since = rawSince ? String(rawSince).slice(0, MAX_SINCE_LEN) : undefined;
634
+ const rawGrep = ctx.flags?.grep;
635
+ const grep = rawGrep ? String(rawGrep).slice(0, MAX_GREP_LEN) : undefined;
616
636
  console.log(`\n📜 Process Logs (${source})\n`);
617
637
  console.log(` Level: ${level}+ | Lines: ${tail}${since ? ` | Since: ${since}` : ''}${grep ? ` | Filter: ${grep}` : ''}`);
618
638
  console.log('─'.repeat(70));
@@ -629,7 +649,10 @@ const logsCommand = {
629
649
  .filter(f => source === 'all' || f.includes(source));
630
650
  for (const file of logFiles) {
631
651
  try {
632
- const content = readFileSync(resolve(logsDir, file), 'utf-8');
652
+ const logFilePath = resolve(logsDir, file);
653
+ if (statSync(logFilePath).size > 10 * 1024 * 1024)
654
+ continue; // skip files > 10 MB
655
+ const content = readFileSync(logFilePath, 'utf-8');
633
656
  const lines = content.split('\n').filter(l => l.trim());
634
657
  for (const line of lines) {
635
658
  // Filter by log level if detectable
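Review bot: In the logs action, files over 10 MB are skipped with a bare `continue`, so the largest logs (likely the busiest ones) drop out of the output with no indication that anything was left out. A one-line notice before the `continue` would make the gap visible: `console.log('  (skipped ' + file + ': larger than 10 MB)');`. The limit is also an inline literal, while the same file names `MAX_PID_FILE_BYTES` and `MAX_PROCESS_STORE_BYTES`; a named constant would match. The loop body continues outside the hunk.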
@@ -158,7 +158,8 @@ const watchCommand = {
158
158
  },
159
159
  ],
160
160
  action: async (ctx) => {
161
- const interval = ctx.flags.interval || 5000;
161
+ const rawInterval = ctx.flags.interval || 5000;
162
+ const interval = Number.isFinite(rawInterval) ? Math.max(500, Math.min(rawInterval, 3_600_000)) : 5000; // min 500ms, max 1h
162
163
  output.writeln(output.highlight(`Watching progress (interval: ${interval}ms). Press Ctrl+C to stop.`));
163
164
  output.writeln();
164
165
  let lastProgress = 0;
@@ -180,8 +181,9 @@ const watchCommand = {
180
181
  };
181
182
  await check();
182
183
  const timer = setInterval(check, interval);
183
- // Handle Ctrl+C
184
- process.on('SIGINT', () => {
184
+ // Handle Ctrl+C — use once so repeated calls don't accumulate SIGINT handlers
185
+ // (which would trigger MaxListenersExceededWarning and a memory leak).
186
+ process.once('SIGINT', () => {
185
187
  clearInterval(timer);
186
188
  output.writeln();
187
189
  output.writeln(output.dim('Stopped watching.'));
@@ -59,10 +59,10 @@ const configureCommand = {
59
59
  ],
60
60
  action: async (ctx) => {
61
61
  try {
62
- const provider = ctx.flags.provider || (ctx.args && ctx.args[0]) || '';
63
- const apiKey = ctx.flags.key;
64
- const model = ctx.flags.model;
65
- const endpoint = ctx.flags.endpoint;
62
+ const provider = (ctx.flags.provider || (ctx.args && ctx.args[0]) || '').slice(0, 64);
63
+ const apiKey = ctx.flags.key?.slice(0, 256);
64
+ const model = ctx.flags.model?.slice(0, 128);
65
+ const endpoint = ctx.flags.endpoint?.slice(0, 512);
66
66
  if (!provider) {
67
67
  output.printError('Provider name is required. Use -p <name> or pass as first argument.');
68
68
  return { success: false, exitCode: 1 };
@@ -127,7 +127,7 @@ const testCommand = {
127
127
  ],
128
128
  action: async (ctx) => {
129
129
  try {
130
- const provider = ctx.flags.provider || (ctx.args && ctx.args[0]) || '';
130
+ const provider = (ctx.flags.provider || (ctx.args && ctx.args[0]) || '').slice(0, 64);
131
131
  const testAll = ctx.flags.all;
132
132
  output.writeln();
133
133
  output.writeln(output.bold('Provider Connectivity Test'));
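Review bot: In configureCommand, `ctx.flags.key?.slice(0, 256)` and `ctx.flags.endpoint?.slice(0, 512)` cut over-long values silently, so the credential or URL that gets used differs from what was supplied and fails later with an unrelated-looking error. I would reject instead, e.g. `if (apiKey && apiKey.length > 256) { output.printError('API key too long (max 256 characters)'); return { success: false, exitCode: 1 }; }`, and do the same for `endpoint`. `.slice` also assumes the flag values are strings; a non-string would throw a TypeError inside the enclosing `try`, whose `catch` is outside the hunk.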
@@ -10,7 +10,8 @@ const showSubcommand = {
10
10
  { name: 'json', type: 'boolean', description: 'Output as JSON', default: false },
11
11
  ],
12
12
  action: async (ctx) => {
13
- const sessionId = ctx.args[0];
13
+ // Cap session ID to prevent DoS via oversized string and unbounded output reflection.
14
+ const sessionId = (ctx.args[0] || '').slice(0, 128);
14
15
  if (!sessionId) {
15
16
  output.error('Session ID is required: replay show <sessionId>');
16
17
  return { success: false, message: 'Missing session ID' };
@@ -40,7 +41,12 @@ const listSubcommand = {
40
41
  try {
41
42
  const { ReplayReader } = await import('../observability/replay-reader.js');
42
43
  const reader = new ReplayReader();
43
- const data = await reader.list(ctx.flags['limit']);
44
+ const rawLimit = ctx.flags['limit'];
45
+ // Cap limit to prevent DoS
46
+ const limit = typeof rawLimit === 'number' && Number.isFinite(rawLimit)
47
+ ? Math.max(1, Math.min(Math.floor(rawLimit), 500))
48
+ : 20;
49
+ const data = await reader.list(limit);
44
50
  const asJson = ctx.flags['json'];
45
51
  output.writeln(asJson ? JSON.stringify(data, null, 2) : 'Available replays listed');
46
52
  return { success: true, data };
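Review bot: The `typeof rawLimit === 'number'` test in listSubcommand falls back to 20 whenever the flag arrives as a string, so `--limit 50` would be ignored without notice if the flag parser does not coerce numbers (the parser is not visible here). The logs action elsewhere in this diff coerces first with `Number(...)`; doing the same keeps the cap and accepts both forms: `const n = Number(rawLimit); const limit = Number.isFinite(n) ? Math.max(1, Math.min(Math.floor(n), 500)) : 20;`. The same pattern appears in the plugins search action and in the session list action, where it also changes the default from an unset limit to 20.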
@@ -90,15 +90,20 @@ const routeTaskCommand = {
90
90
  { command: 'monomind route task "review code" --agent reviewer', description: 'Force specific agent' },
91
91
  ],
92
92
  action: async (ctx) => {
93
- const taskDescription = ctx.args[0];
93
+ const rawTask = ctx.args[0];
94
94
  const forceAgent = ctx.flags.agent;
95
95
  const useExploration = ctx.flags.explore;
96
96
  const jsonOutput = ctx.flags.json;
97
- if (!taskDescription) {
97
+ if (!rawTask) {
98
98
  output.printError('Task description is required');
99
99
  output.writeln(output.dim('Usage: monomind route task "task description"'));
100
100
  return { success: false, exitCode: 1 };
101
101
  }
102
+ if (rawTask.length > 4096) {
103
+ output.printError('Task description too long (max 4096 characters)');
104
+ return { success: false, exitCode: 1 };
105
+ }
106
+ const taskDescription = rawTask;
102
107
  const spinner = output.createSpinner({ text: 'Analyzing task...', spinner: 'dots' });
103
108
  spinner.start();
104
109
  try {
@@ -349,14 +354,24 @@ const feedbackCommand = {
349
354
  { command: 'monomind route feedback -t "write tests" -a tester -r -0.5', description: 'Negative feedback' },
350
355
  ],
351
356
  action: async (ctx) => {
352
- const taskDescription = ctx.flags.task;
357
+ const rawFeedbackTask = ctx.flags.task;
353
358
  const agentId = ctx.flags.agent;
354
359
  const reward = ctx.flags.reward;
355
- const nextTask = ctx.flags['next-task'];
356
- if (!taskDescription || !agentId) {
360
+ const rawNextTask = ctx.flags['next-task'];
361
+ if (!rawFeedbackTask || !agentId) {
357
362
  output.printError('Task description and agent are required');
358
363
  return { success: false, exitCode: 1 };
359
364
  }
365
+ if (rawFeedbackTask.length > 4096) {
366
+ output.printError('Task description too long (max 4096 characters)');
367
+ return { success: false, exitCode: 1 };
368
+ }
369
+ if (agentId.length > 128) {
370
+ output.printError('Agent ID too long (max 128 characters)');
371
+ return { success: false, exitCode: 1 };
372
+ }
373
+ const taskDescription = rawFeedbackTask;
374
+ const nextTask = rawNextTask && rawNextTask.length > 4096 ? undefined : rawNextTask;
360
375
  // Validate agent
361
376
  const agent = getAgentType(agentId);
362
377
  if (!agent) {
@@ -776,13 +791,18 @@ const semanticRouteCommand = {
776
791
  { command: 'monomind route semantic -t "write unit tests" --debug', description: 'Show all route scores' },
777
792
  ],
778
793
  action: async (ctx) => {
779
- const taskDescription = ctx.flags.task;
794
+ const rawSemanticTask = ctx.flags.task;
780
795
  const debug = ctx.flags.debug;
781
796
  const jsonOutput = ctx.flags.json;
782
- if (!taskDescription) {
797
+ if (!rawSemanticTask) {
783
798
  output.printError('Task description is required. Use --task or -t flag.');
784
799
  return { success: false, exitCode: 1 };
785
800
  }
801
+ if (rawSemanticTask.length > 4096) {
802
+ output.printError('Task description too long (max 4096 characters)');
803
+ return { success: false, exitCode: 1 };
804
+ }
805
+ const taskDescription = rawSemanticTask;
786
806
  const spinner = output.createSpinner({ text: 'Computing semantic route...', spinner: 'dots' });
787
807
  spinner.start();
788
808
  try {
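Review bot: In feedbackCommand an over-long `--next-task` is replaced with `undefined` without any message, while an over-long task description or agent ID is rejected with an error a few lines earlier. The rest of the action, which is outside the hunk, then runs without the next task and the user gets no signal that part of the input was dropped. Handling it like the other two keeps the behaviour consistent: `if (rawNextTask && rawNextTask.length > 4096) { output.printError('Next task too long (max 4096 characters)'); return { success: false, exitCode: 1 }; }`.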
@@ -33,6 +33,8 @@ function findSecretsInDir(dir, depthLimit, baseDir, findings) {
33
33
  }
34
34
  else if (entry.isFile() && (/\.(ts|js|json|yml|yaml)$/.test(entry.name) || isDotEnv) && !entry.name.endsWith('.d.ts')) {
35
35
  try {
36
+ if (statSync(fullPath).size > 1024 * 1024)
37
+ continue; // skip files > 1 MB
36
38
  const content = readFileSync(fullPath, 'utf-8');
37
39
  const lines = content.split('\n');
38
40
  for (let i = 0; i < lines.length; i++) {
@@ -185,6 +187,8 @@ const scanCommand = {
185
187
  }
186
188
  else if (entry.isFile() && /\.(ts|js|tsx|jsx)$/.test(entry.name) && !entry.name.endsWith('.d.ts')) {
187
189
  try {
190
+ if (fs.statSync(fullPath).size > 1024 * 1024)
191
+ continue; // skip files > 1 MB
188
192
  const content = fs.readFileSync(fullPath, 'utf-8');
189
193
  const lines = content.split('\n');
190
194
  for (let i = 0; i < lines.length; i++) {
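Review bot: Both size guards (`statSync(fullPath).size > 1024 * 1024` in findSecretsInDir and the `fs.statSync` one in scanCommand) skip large files with a bare `continue`, so a scan can report clean while files it never opened go unmentioned. For a scanner, a skipped file should show up in the result, for instance `skipped.push(fullPath); continue;` with a new `skipped` list that the report prints. Separately, the first guard calls bare `statSync` while the second uses `fs.statSync`, and the import lines are not in these hunks, so confirm `statSync` is among the named imports. A ReferenceError there would be raised inside the `try` and, depending on the `catch` outside the hunk, could turn every file into a silent skip.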
@@ -68,7 +68,11 @@ const listCommand = {
68
68
  action: async (ctx) => {
69
69
  const activeOnly = ctx.flags.active;
70
70
  const includeArchived = ctx.flags.all;
71
- const limit = ctx.flags.limit;
71
+ const rawLimit = ctx.flags.limit;
72
+ // Cap limit to prevent unbounded MCP calls
73
+ const limit = typeof rawLimit === 'number' && Number.isFinite(rawLimit)
74
+ ? Math.max(1, Math.min(Math.floor(rawLimit), 200))
75
+ : 20;
72
76
  try {
73
77
  const result = await callMCPTool('session_list', {
74
78
  status: activeOnly ? 'active' : includeArchived ? 'all' : 'active,saved',
@@ -173,6 +177,13 @@ const saveCommand = {
173
177
  default: ''
174
178
  });
175
179
  }
180
+ // Cap name and description lengths to prevent DoS / oversized storage
181
+ if (typeof sessionName === 'string' && sessionName.length > 200) {
182
+ sessionName = sessionName.slice(0, 200);
183
+ }
184
+ if (typeof description === 'string' && description.length > 2000) {
185
+ description = description.slice(0, 2000);
186
+ }
176
187
  const spinner = output.createSpinner({ text: 'Saving session...' });
177
188
  spinner.start();
178
189
  try {
@@ -72,6 +72,8 @@ function loadConfig(cwd) {
72
72
  const configPath = path.join(cwd, '.monomind', 'config.yaml');
73
73
  if (!fs.existsSync(configPath))
74
74
  return null;
75
+ if (fs.statSync(configPath).size > 1024 * 1024)
76
+ return null; // skip files > 1 MB
75
77
  try {
76
78
  const content = fs.readFileSync(configPath, 'utf-8');
77
79
  return parseSimpleYaml(content);
@@ -97,10 +99,14 @@ const startAction = async (ctx) => {
97
99
  const config = loadConfig(cwd);
98
100
  const swarmConfig = config?.swarm || {};
99
101
  const mcpConfig = config?.mcp || {};
100
- const finalTopology = topology || swarmConfig.topology || DEFAULT_TOPOLOGY;
101
- const maxAgents = swarmConfig.maxAgents || DEFAULT_MAX_AGENTS;
102
+ const VALID_TOPOLOGIES = new Set(['hierarchical-mesh', 'mesh', 'hierarchical', 'ring', 'star']);
103
+ const rawTopology = topology || swarmConfig.topology || DEFAULT_TOPOLOGY;
104
+ const finalTopology = VALID_TOPOLOGIES.has(rawTopology) ? rawTopology : DEFAULT_TOPOLOGY;
105
+ const rawMaxAgents = Number(swarmConfig.maxAgents || DEFAULT_MAX_AGENTS);
106
+ const maxAgents = Number.isFinite(rawMaxAgents) ? Math.max(1, Math.min(rawMaxAgents, 100)) : DEFAULT_MAX_AGENTS;
102
107
  const autoStartMcp = mcpConfig.autoStart !== false && !skipMcp;
103
- const mcpPort = port || mcpConfig.serverPort || DEFAULT_PORT;
108
+ const rawMcpPort = port || Number(mcpConfig.serverPort) || DEFAULT_PORT;
109
+ const mcpPort = Number.isFinite(rawMcpPort) ? Math.max(1, Math.min(rawMcpPort, 65535)) : DEFAULT_PORT;
104
110
  output.writeln();
105
111
  output.writeln(output.bold('Starting Monomind'));
106
112
  output.writeln();
@@ -262,7 +268,8 @@ const stopCommand = {
262
268
  ],
263
269
  action: async (ctx) => {
264
270
  const force = ctx.flags.force;
265
- const timeout = ctx.flags.timeout;
271
+ const rawTimeout = ctx.flags.timeout;
272
+ const timeout = Number.isFinite(rawTimeout) ? Math.max(1, Math.min(rawTimeout, 300)) : 30;
266
273
  output.writeln();
267
274
  output.writeln(output.bold('Stopping MonoMind'));
268
275
  output.writeln();
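Review bot: In loadConfig the new `fs.statSync(configPath)` check sits before the `try`, so a stat failure (for example the file being removed between `existsSync` and `statSync`) now throws out of the function instead of taking the same error path as the read. Moving the check inside the block keeps one path: `try { if (fs.statSync(configPath).size > 1024 * 1024) return null; const content = fs.readFileSync(configPath, 'utf-8');`. The `catch` is outside the hunk, so what it returns is not visible here. In startAction, `maxAgents` and `mcpPort` are clamped but not floored, so a fractional config value passes through; `Math.floor` would fix that.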
@@ -259,7 +259,8 @@ function formatHealth(health) {
259
259
  // Main status action
260
260
  const statusAction = async (ctx) => {
261
261
  const watch = ctx.flags.watch;
262
- const interval = ctx.flags.interval || DEFAULT_WATCH_INTERVAL / 1000;
262
+ const rawInterval = ctx.flags.interval || DEFAULT_WATCH_INTERVAL / 1000;
263
+ const interval = Number.isFinite(rawInterval) ? Math.max(1, Math.min(rawInterval, 3600)) : DEFAULT_WATCH_INTERVAL / 1000;
263
264
  const healthCheck = ctx.flags['health-check'];
264
265
  const cwd = ctx.cwd;
265
266
  // Check initialization
@@ -379,14 +380,16 @@ async function watchStatus(intervalSeconds) {
379
380
  await refresh();
380
381
  // Set up interval
381
382
  const intervalId = setInterval(refresh, intervalSeconds * 1000);
382
- // Handle exit
383
+ // Handle exit — use once so repeated calls to watchStatus don't accumulate
384
+ // SIGINT handlers (which would trigger a MaxListenersExceededWarning).
383
385
  return new Promise((resolve) => {
384
- process.on('SIGINT', () => {
386
+ const onSigint = () => {
385
387
  clearInterval(intervalId);
386
388
  output.writeln();
387
389
  output.printInfo('Watch mode stopped');
388
390
  resolve({ success: true });
389
- });
391
+ };
392
+ process.once('SIGINT', onSigint);
390
393
  });
391
394
  }
392
395
  // Agents subcommand
@@ -20,7 +20,10 @@ function getSwarmStatus(swarmId) {
20
20
  let swarmState = null;
21
21
  if (fs.existsSync(swarmStateFile)) {
22
22
  try {
23
- swarmState = JSON.parse(fs.readFileSync(swarmStateFile, 'utf-8'));
23
+ const swarmStatSz = fs.statSync(swarmStateFile).size;
24
+ if (swarmStatSz <= 1_048_576) {
25
+ swarmState = JSON.parse(fs.readFileSync(swarmStateFile, 'utf-8'));
26
+ }
24
27
  }
25
28
  catch {
26
29
  // Ignore parse errors
@@ -36,9 +39,13 @@ function getSwarmStatus(swarmId) {
36
39
  totalAgents = agentFiles.length;
37
40
  for (const file of agentFiles) {
38
41
  try {
39
- const agent = JSON.parse(fs.readFileSync(path.join(agentsDir, file), 'utf-8'));
40
- if (agent.status === 'active' || agent.status === 'running') {
41
- activeAgents++;
42
+ const agentFilePath = path.join(agentsDir, file);
43
+ const agentSz = fs.statSync(agentFilePath).size;
44
+ if (agentSz <= 524_288) {
45
+ const agent = JSON.parse(fs.readFileSync(agentFilePath, 'utf-8'));
46
+ if (agent.status === 'active' || agent.status === 'running') {
47
+ activeAgents++;
48
+ }
42
49
  }
43
50
  }
44
51
  catch {
@@ -83,15 +90,19 @@ function getSwarmStatus(swarmId) {
83
90
  const taskFiles = fs.readdirSync(tasksDir).filter(f => f.endsWith('.json'));
84
91
  for (const file of taskFiles) {
85
92
  try {
86
- const task = JSON.parse(fs.readFileSync(path.join(tasksDir, file), 'utf-8'));
87
- if (task.status === 'completed' || task.status === 'done') {
88
- completedTasks++;
89
- }
90
- else if (task.status === 'in_progress' || task.status === 'running') {
91
- inProgressTasks++;
92
- }
93
- else {
94
- pendingTasks++;
93
+ const taskFilePath = path.join(tasksDir, file);
94
+ const taskSz = fs.statSync(taskFilePath).size;
95
+ if (taskSz <= 524_288) {
96
+ const task = JSON.parse(fs.readFileSync(taskFilePath, 'utf-8'));
97
+ if (task.status === 'completed' || task.status === 'done') {
98
+ completedTasks++;
99
+ }
100
+ else if (task.status === 'in_progress' || task.status === 'running') {
101
+ inProgressTasks++;
102
+ }
103
+ else {
104
+ pendingTasks++;
105
+ }
95
106
  }
96
107
  }
97
108
  catch {
@@ -577,6 +588,9 @@ const stopCommand = {
577
588
  const swarmStateFile = path.join(process.cwd(), '.swarm', 'state.json');
578
589
  if (fs.existsSync(swarmStateFile)) {
579
590
  try {
591
+ const stopStatSz = fs.statSync(swarmStateFile).size;
592
+ if (stopStatSz > 1_048_576)
593
+ throw new Error('swarm state file too large');
580
594
  const state = JSON.parse(fs.readFileSync(swarmStateFile, 'utf-8'));
581
595
  state.status = 'stopped';
582
596
  state.stoppedAt = new Date().toISOString();