monomind 1.11.13 → 1.12.0

Files changed (389)
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -5,6 +5,16 @@
5
5
  import { output } from '../output.js';
6
6
  import { select, confirm, input, multiSelect } from '../prompt.js';
7
7
  import { callMCPTool, MCPClientError } from '../mcp-client.js';
8
+ // Input length caps
9
+ const MAX_TASK_ID_LEN = 128;
10
+ const MAX_DESCRIPTION_LEN = 4_000;
11
+ const MAX_REASON_LEN = 512;
12
+ const MAX_TAGS = 20;
13
+ const MAX_TAG_LEN = 64;
14
+ const MAX_DEPS = 50;
15
+ const MAX_DEP_LEN = 128;
16
+ const MAX_ASSIGN_LEN = 128;
17
+ const MAX_LIMIT = 1_000;
8
18
  // Task types
9
19
  const TASK_TYPES = [
10
20
  { value: 'implementation', label: 'Implementation', hint: 'Feature implementation' },
@@ -135,6 +145,8 @@ const createCommand = {
135
145
  output.printInfo('Use --type and --description flags, or run in interactive mode');
136
146
  return { success: false, exitCode: 1 };
137
147
  }
148
+ // Cap description length
149
+ description = description.slice(0, MAX_DESCRIPTION_LEN);
138
150
  if (!priority && ctx.interactive) {
139
151
  priority = await select({
140
152
  message: 'Select priority:',
@@ -142,10 +154,12 @@ const createCommand = {
142
154
  default: 'normal'
143
155
  });
144
156
  }
145
- // Parse tags and dependencies
146
- const tags = ctx.flags.tags ? ctx.flags.tags.split(',').map(t => t.trim()) : [];
157
+ // Parse and cap tags and dependencies
158
+ const tags = ctx.flags.tags
159
+ ? ctx.flags.tags.split(',').map(t => t.trim().slice(0, MAX_TAG_LEN)).filter(Boolean).slice(0, MAX_TAGS)
160
+ : [];
147
161
  const dependencies = ctx.flags.dependencies
148
- ? ctx.flags.dependencies.split(',').map(d => d.trim())
162
+ ? ctx.flags.dependencies.split(',').map(d => d.trim().slice(0, MAX_DEP_LEN)).filter(Boolean).slice(0, MAX_DEPS)
149
163
  : [];
150
164
  output.writeln();
151
165
  output.printInfo(`Creating ${taskType} task...`);
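Review bot: Clipping each dependency with `d.trim().slice(0, MAX_DEP_LEN)` rewrites an identifier instead of rejecting it, so an over-long value is sent on as a different ID that may match another task or none at all. The same pattern is applied to the assignee in the next hunk and to `taskId` in the status, cancel and assign hunks further down, where a truncated ID could make a cancel or reassignment act on a task the caller did not name. For identifiers, fail closed: keep the trimmed values and add `if (dependencies.some(d => d.length > MAX_DEP_LEN)) { output.printError('Dependency ID too long'); return { success: false, exitCode: 1 }; }`, with the equivalent length check on `taskId`. Dropping tags beyond `MAX_TAGS` without a message is lower risk but still worth reporting to the user. The enclosing `createCommand` action starts and ends outside this hunk.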
@@ -154,7 +168,7 @@ const createCommand = {
154
168
  type: taskType,
155
169
  description,
156
170
  priority: priority || 'normal',
157
- assignedTo: ctx.flags.assign ? [ctx.flags.assign] : undefined,
171
+ assignedTo: ctx.flags.assign ? [ctx.flags.assign.slice(0, MAX_ASSIGN_LEN)] : undefined,
158
172
  parentId: ctx.flags.parent,
159
173
  dependencies,
160
174
  tags,
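Review bot: `ctx.flags.assign.slice(0, MAX_ASSIGN_LEN)` assumes the flag value is a string, while only `reason` in the cancel hunk is guarded with `typeof ctx.flags.reason === 'string'`. If the flag parser can yield a boolean (flag given without a value) the call throws a TypeError, and if it can yield an array, `slice` caps the number of elements rather than the text length; the parser is not visible here, so this needs confirming. The same applies to `(ctx.args[0] || ctx.flags.id || '').slice(0, MAX_TASK_ID_LEN)` in the status hunk. A guard such as `const assign = typeof ctx.flags.assign === 'string' ? ctx.flags.assign : undefined;` ahead of the call would make the four input paths consistent. This object literal begins and ends outside the hunk.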
@@ -246,7 +260,7 @@ const listCommand = {
246
260
  ],
247
261
  action: async (ctx) => {
248
262
  const status = ctx.flags.all ? 'all' : ctx.flags.status || 'pending,running';
249
- const limit = ctx.flags.limit;
263
+ const limit = Math.min(Math.max(1, ctx.flags.limit || 20), MAX_LIMIT);
250
264
  try {
251
265
  const result = await callMCPTool('task_list', {
252
266
  status,
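Review bot: The new clamp `Math.min(Math.max(1, ctx.flags.limit || 20), MAX_LIMIT)` in listCommand still lets a non-numeric value through, because `Math.max(1, 'abc')` is `NaN` and `Math.min(NaN, MAX_LIMIT)` stays `NaN`, so `task_list` would receive `NaN` rather than a bounded count. Whether the flag parser can hand back such a value is not visible here, but the update-history hunk in this release guards the same case with `Number.isFinite`. I would coerce first: `const n = Number(ctx.flags.limit); const limit = Number.isFinite(n) ? Math.min(Math.max(1, Math.floor(n)), MAX_LIMIT) : 20;`. The two `Math.max(1, Math.min(200, ctx.flags.limit || 20))` lines in the store list and store search hunks have the same gap. The action body continues outside the hunk.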
@@ -321,12 +335,13 @@ const statusCommand = {
321
335
  }
322
336
  ],
323
337
  action: async (ctx) => {
324
- let taskId = ctx.args[0] || ctx.flags.id;
338
+ let taskId = (ctx.args[0] || ctx.flags.id || '').slice(0, MAX_TASK_ID_LEN);
325
339
  if (!taskId && ctx.interactive) {
326
340
  taskId = await input({
327
341
  message: 'Enter task ID:',
328
342
  validate: (v) => v.length > 0 || 'Task ID is required'
329
343
  });
344
+ taskId = taskId.slice(0, MAX_TASK_ID_LEN);
330
345
  }
331
346
  if (!taskId) {
332
347
  output.printError('Task ID is required');
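Review bot: Truncating a task identifier with `.slice(0, MAX_TASK_ID_LEN)` at the top of statusCommand's action turns an over-long ID into a different, shorter ID instead of refusing it, and the command then carries on with that value. For a lookup this is mostly confusing, but the cancel, assign and retry hunks below apply the same slice before a state-changing call, where acting on a prefix the user did not type is the wrong outcome. Rejecting keeps the cap and avoids that: `if (taskId.length > MAX_TASK_ID_LEN) { output.printError('Task ID is too long'); return { success: false, exitCode: 1 }; }`. The `.slice` call also assumes `ctx.args[0]` and `ctx.flags.id` are strings, which the hunk does not show. The action body continues past the hunk.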
@@ -448,9 +463,9 @@ const cancelCommand = {
448
463
  }
449
464
  ],
450
465
  action: async (ctx) => {
451
- const taskId = ctx.args[0];
466
+ const taskId = (ctx.args[0] || '').slice(0, MAX_TASK_ID_LEN);
452
467
  const force = ctx.flags.force;
453
- const reason = ctx.flags.reason;
468
+ const reason = typeof ctx.flags.reason === 'string' ? ctx.flags.reason.slice(0, MAX_REASON_LEN) : undefined;
454
469
  if (!taskId) {
455
470
  output.printError('Task ID is required');
456
471
  return { success: false, exitCode: 1 };
@@ -508,7 +523,7 @@ const assignCommand = {
508
523
  }
509
524
  ],
510
525
  action: async (ctx) => {
511
- const taskId = ctx.args[0];
526
+ const taskId = (ctx.args[0] || '').slice(0, MAX_TASK_ID_LEN);
512
527
  const agentIds = ctx.flags.agent;
513
528
  const unassign = ctx.flags.unassign;
514
529
  if (!taskId) {
@@ -560,7 +575,7 @@ const assignCommand = {
560
575
  try {
561
576
  const result = await callMCPTool('task_assign', {
562
577
  taskId,
563
- agentIds: unassign ? [] : agentIds.split(',').map(id => id.trim()),
578
+ agentIds: unassign ? [] : agentIds.split(',').map(id => id.trim().slice(0, MAX_ASSIGN_LEN)).filter(Boolean).slice(0, 20),
564
579
  unassign
565
580
  });
566
581
  output.writeln();
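Review bot: The agent-ID cap in the `task_assign` call is a bare `20`, while every other limit in this file was given a named constant at the top; a `MAX_AGENT_IDS` constant next to `MAX_ASSIGN_LEN` would keep the caps in one place. The chain also drops IDs past the twentieth without telling the user, so an assignment can succeed for only part of the list; printing a warning when the split list is longer than the cap would make that visible. Whether `agentIds` is checked to be a string before `.split` is called is not visible in this hunk.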
@@ -600,7 +615,7 @@ const retryCommand = {
600
615
  }
601
616
  ],
602
617
  action: async (ctx) => {
603
- const taskId = ctx.args[0];
618
+ const taskId = (ctx.args[0] || '').slice(0, MAX_TASK_ID_LEN);
604
619
  const resetState = ctx.flags['reset-state'];
605
620
  if (!taskId) {
606
621
  output.printError('Task ID is required');
@@ -15,6 +15,11 @@ function loadTracker() {
15
15
  const require = createRequire(import.meta.url);
16
16
  return require(getTrackerPath());
17
17
  }
18
+ const VALID_PERIODS = new Set(['today', 'week', '30days', 'month']);
19
+ function validatePeriod(raw) {
20
+ const s = typeof raw === 'string' ? raw : 'today';
21
+ return VALID_PERIODS.has(s) ? s : 'today';
22
+ }
18
23
  const dashboardSubcommand = {
19
24
  name: 'dashboard',
20
25
  description: 'Launch interactive token usage dashboard',
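Review bot: `validatePeriod` silently maps every unrecognised `--period` value to `'today'`, so a mistyped period shows today's numbers with no hint that the flag was ignored. The allow-list itself is a good fit here; I would only make the fallback visible, for example by having the dashboard and summary actions print a warning when the raw flag is a string that is not in `VALID_PERIODS`. A one-line comment above the function, `// Allow-list for --period; anything else falls back to 'today'.`, would also document the contract.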
@@ -23,7 +28,7 @@ const dashboardSubcommand = {
23
28
  { name: 'no-interactive', type: 'boolean', description: 'Render once and exit', default: false },
24
29
  ],
25
30
  action: async (ctx) => {
26
- const period = ctx.flags['period'] || 'today';
31
+ const period = validatePeriod(ctx.flags['period']);
27
32
  const noInteractive = ctx.flags['no-interactive'];
28
33
  try {
29
34
  const tracker = loadTracker();
@@ -49,7 +54,7 @@ const summarySubcommand = {
49
54
  { name: 'json', type: 'boolean', description: 'Output as JSON', default: false },
50
55
  ],
51
56
  action: async (ctx) => {
52
- const period = ctx.flags['period'] || 'today';
57
+ const period = validatePeriod(ctx.flags['period']);
53
58
  const asJson = ctx.flags['json'];
54
59
  try {
55
60
  const tracker = loadTracker();
@@ -23,12 +23,12 @@ export const storeListCommand = {
23
23
  { command: 'monomind hooks transfer store list --featured', description: 'List featured patterns' },
24
24
  ],
25
25
  action: async (ctx) => {
26
- const registryName = ctx.flags.registry;
27
- const category = ctx.flags.category;
26
+ const registryName = ctx.flags.registry?.slice(0, 128);
27
+ const category = ctx.flags.category?.slice(0, 128);
28
28
  const featured = ctx.flags.featured;
29
29
  const trending = ctx.flags.trending;
30
30
  const newest = ctx.flags.newest;
31
- const limit = ctx.flags.limit || 20;
31
+ const limit = Math.max(1, Math.min(200, ctx.flags.limit || 20));
32
32
  const spinner = output.createSpinner({ text: 'Discovering registry...', spinner: 'dots' });
33
33
  spinner.start();
34
34
  try {
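Review bot: `ctx.flags.registry?.slice(0, 128)` and `ctx.flags.category?.slice(0, 128)` only guard against `null`/`undefined`; if the flag parser ever yields a boolean or a number for these flags, `.slice` is not a function and the action throws before the `try` that follows. The same optional-chaining pattern is used for `query`, `patternName`, `name`, `description`, `language` and `framework` in the later hunks of this file. A type check matches what the task cancel command does for `--reason`: `const registryName = typeof ctx.flags.registry === 'string' ? ctx.flags.registry.slice(0, 128) : undefined;`. The literals 128, 256 and 64 would also read better as named constants, as in the task command file.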
@@ -120,7 +120,7 @@ export const storeSearchCommand = {
120
120
  { command: 'monomind hooks transfer store search -q "react" --language typescript', description: 'Search with filters' },
121
121
  ],
122
122
  action: async (ctx) => {
123
- const query = (ctx.args[0] || ctx.flags.query);
123
+ const query = (ctx.args[0] || ctx.flags.query)?.slice(0, 256);
124
124
  if (!query) {
125
125
  output.printError('Search query is required. Use --query or -q flag.');
126
126
  return { success: false, exitCode: 1 };
@@ -136,13 +136,13 @@ export const storeSearchCommand = {
136
136
  }
137
137
  const searchOptions = {
138
138
  query,
139
- category: ctx.flags.category,
140
- language: ctx.flags.language,
141
- framework: ctx.flags.framework,
142
- tags: ctx.flags.tags ? ctx.flags.tags.split(',') : undefined,
139
+ category: ctx.flags.category?.slice(0, 128),
140
+ language: ctx.flags.language?.slice(0, 64),
141
+ framework: ctx.flags.framework?.slice(0, 64),
142
+ tags: ctx.flags.tags ? ctx.flags.tags.slice(0, 512).split(',').map(t => t.trim().slice(0, 64)).slice(0, 20) : undefined,
143
143
  minRating: ctx.flags['min-rating'],
144
144
  verified: ctx.flags.verified,
145
- limit: ctx.flags.limit || 20,
145
+ limit: Math.max(1, Math.min(200, ctx.flags.limit || 20)),
146
146
  };
147
147
  const searchResult = searchPatterns(result.registry, searchOptions);
148
148
  spinner.succeed(`Found ${searchResult.total} patterns`);
@@ -188,7 +188,7 @@ export const storeDownloadCommand = {
188
188
  { command: 'monomind hooks transfer store download -n seraphine-genesis --import', description: 'Download and import' },
189
189
  ],
190
190
  action: async (ctx) => {
191
- const patternName = (ctx.args[0] || ctx.flags.name);
191
+ const patternName = (ctx.args[0] || ctx.flags.name)?.slice(0, 256);
192
192
  if (!patternName) {
193
193
  output.printError('Pattern name is required. Use --name or -n flag.');
194
194
  return { success: false, exitCode: 1 };
@@ -261,8 +261,8 @@ export const storePublishCommand = {
261
261
  ],
262
262
  action: async (ctx) => {
263
263
  const inputPath = ctx.flags.input;
264
- const name = ctx.flags.name;
265
- const description = ctx.flags.description;
264
+ const name = ctx.flags.name?.slice(0, 128);
265
+ const description = ctx.flags.description?.slice(0, 1024);
266
266
  if (!inputPath || !name || !description) {
267
267
  output.printError('Input path, name, and description are required.');
268
268
  return { success: false, exitCode: 1 };
@@ -270,13 +270,27 @@ export const storePublishCommand = {
270
270
  const spinner = output.createSpinner({ text: 'Preparing pattern...', spinner: 'dots' });
271
271
  spinner.start();
272
272
  try {
273
- // Read and parse CFP file
273
+ // Read and parse CFP file with path containment and size cap.
274
+ // Without this, --input /etc/passwd leaks arbitrary files and a
275
+ // multi-GB planted CFP OOM-kills the process.
276
+ const nodePath = await import('node:path');
277
+ const projectRoot = nodePath.resolve(process.cwd());
278
+ const fullInputPath = nodePath.resolve(process.cwd(), inputPath);
279
+ if (!fullInputPath.startsWith(projectRoot + nodePath.sep) && fullInputPath !== projectRoot) {
280
+ spinner.fail(`Input path must resolve within the project directory: ${projectRoot}`);
281
+ return { success: false, exitCode: 1 };
282
+ }
274
283
  const fs = await import('fs');
275
- if (!fs.existsSync(inputPath)) {
276
- spinner.fail(`File not found: ${inputPath}`);
284
+ if (!fs.existsSync(fullInputPath)) {
285
+ spinner.fail(`File not found: ${fullInputPath}`);
286
+ return { success: false, exitCode: 1 };
287
+ }
288
+ const stat = fs.statSync(fullInputPath);
289
+ if (stat.size > 50 * 1024 * 1024) {
290
+ spinner.fail(`CFP file too large: ${stat.size} bytes (max 50MB)`);
277
291
  return { success: false, exitCode: 1 };
278
292
  }
279
- const content = fs.readFileSync(inputPath, 'utf-8');
293
+ const content = fs.readFileSync(fullInputPath, 'utf-8');
280
294
  const cfp = JSON.parse(content);
281
295
  spinner.setText('Publishing to IPFS...');
282
296
  const publisher = createPublisher();
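Review bot: The containment test on `fullInputPath` is purely lexical: `path.resolve` normalises `..` segments but does not follow symbolic links, so a link inside the project directory that points elsewhere passes the `startsWith` check and `readFileSync` then reads the link target. Resolving both sides with `fs.realpathSync` before comparing closes that gap, and comparing with `path.relative` avoids prefix and separator edge cases. The check also accepts `fullInputPath === projectRoot`, which is a directory and cannot be a CFP file. The `existsSync`, `statSync`, `readFileSync` sequence leaves a small window between the size check and the read; reading through a single file descriptor would remove it, though that is a lesser concern for a local CLI. The workflow run and validate hunks later in this release use the same lexical check.

```javascript
// … unchanged: explanatory comment, dynamic import of node:path …
const fs = await import('fs');
let projectRoot;
let fullInputPath;
try {
  // realpathSync follows symlinks and throws if the path does not exist,
  // so it also replaces the separate existsSync check.
  projectRoot = fs.realpathSync(process.cwd());
  fullInputPath = fs.realpathSync(nodePath.resolve(projectRoot, inputPath));
} catch {
  spinner.fail(`File not found: ${inputPath}`);
  return { success: false, exitCode: 1 };
}
const rel = nodePath.relative(projectRoot, fullInputPath);
if (rel === '' || rel === '..' || rel.startsWith('..' + nodePath.sep) || nodePath.isAbsolute(rel)) {
  spinner.fail(`Input path must resolve within the project directory: ${projectRoot}`);
  return { success: false, exitCode: 1 };
}
// … unchanged: 50MB size cap, readFileSync(fullInputPath), JSON.parse …
```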
@@ -284,12 +298,12 @@ export const storePublishCommand = {
284
298
  name,
285
299
  displayName: name.replace(/-/g, ' ').replace(/\b\w/g, c => c.toUpperCase()),
286
300
  description,
287
- categories: ctx.flags.categories.split(',').map(s => s.trim()),
288
- tags: ctx.flags.tags.split(',').map(s => s.trim()),
289
- license: ctx.flags.license || 'MIT',
301
+ categories: ctx.flags.categories.slice(0, 512).split(',').map(s => s.trim().slice(0, 64)).slice(0, 20),
302
+ tags: ctx.flags.tags.slice(0, 512).split(',').map(s => s.trim().slice(0, 64)).slice(0, 20),
303
+ license: (ctx.flags.license || 'MIT').slice(0, 64),
290
304
  anonymize: ctx.flags.anonymize || 'strict',
291
- language: ctx.flags.language,
292
- framework: ctx.flags.framework,
305
+ language: ctx.flags.language?.slice(0, 64),
306
+ framework: ctx.flags.framework?.slice(0, 64),
293
307
  });
294
308
  if (!result.success) {
295
309
  spinner.fail('Publish failed');
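Review bot: `ctx.flags.categories.slice(0, 512)` and `ctx.flags.tags.slice(0, 512)` still dereference the flags unconditionally, so if either is omitted and has no default (not visible in this hunk) the publish fails with a TypeError after the input file has already been read and parsed. Cutting the raw string at 512 characters before `split(',')` can also chop the last entry in half, and unlike the task command these chains keep empty entries. Splitting first and capping afterwards avoids both: `(ctx.flags.tags ?? '').split(',').map(s => s.trim().slice(0, 64)).filter(Boolean).slice(0, 20)`.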
@@ -326,7 +340,7 @@ export const storeInfoCommand = {
326
340
  { command: 'monomind hooks transfer store info -n seraphine-genesis', description: 'Show pattern info' },
327
341
  ],
328
342
  action: async (ctx) => {
329
- const patternName = (ctx.args[0] || ctx.flags.name);
343
+ const patternName = (ctx.args[0] || ctx.flags.name)?.slice(0, 256);
330
344
  if (!patternName) {
331
345
  output.printError('Pattern name is required. Use --name or -n flag.');
332
346
  return { success: false, exitCode: 1 };
@@ -0,0 +1,68 @@
1
+ /**
2
+ * monomind ui — Live dashboard command
3
+ * Starts a local HTTP server serving the Neural Control Room dashboard.
4
+ */
5
+ import * as path from 'path';
6
+ import * as os from 'os';
7
+
8
+ export const uiCommand = {
9
+ name: 'ui',
10
+ description: 'Start the live Monomind dashboard (Neural Control Room)',
11
+ category: 'core',
12
+ async action(ctx) {
13
+ return this.execute(ctx.args || [], ctx.flags || {});
14
+ },
15
+ async execute(args = [], options = {}) {
16
+ const port = parseInt(options.port || options.p || '4242', 10);
17
+ const noOpen = options['no-open'] || options['no-browser'] || false;
18
+ const projectDir = options.dir || process.env.CLAUDE_PROJECT_DIR || process.cwd();
19
+
20
+ console.log('\x1b[36m◆ Monomind Neural Control Room\x1b[0m');
21
+ console.log('\x1b[2mStarting dashboard server...\x1b[0m\n');
22
+
23
+ try {
24
+ const { fileURLToPath } = await import('url');
25
+ const { dirname } = await import('path');
26
+ const { createRequire } = await import('module');
27
+ const serverPath = new URL('../ui/server.mjs', import.meta.url);
28
+ const { startServer } = await import(serverPath.href);
29
+
30
+ const result = await startServer({
31
+ port,
32
+ projectDir,
33
+ openBrowser: !noOpen,
34
+ });
35
+
36
+ console.log(`\x1b[32m✓ Dashboard running at \x1b[1m${result.url}\x1b[0m`);
37
+ console.log(`\x1b[2m Project: ${projectDir}\x1b[0m`);
38
+ console.log(`\x1b[2m Press Ctrl+C to stop\x1b[0m\n`);
39
+
40
+ // Keep alive
41
+ await new Promise((resolve) => {
42
+ process.on('SIGINT', resolve);
43
+ process.on('SIGTERM', resolve);
44
+ });
45
+ } catch (err) {
46
+ console.error(`\x1b[31m✗ Failed to start dashboard: ${err.message}\x1b[0m`);
47
+ if (process.env.DEBUG) console.error(err.stack);
48
+ process.exit(1);
49
+ }
50
+ },
51
+ help() {
52
+ return `
53
+ \x1b[1mUsage:\x1b[0m monomind ui [options]
54
+
55
+ \x1b[1mOptions:\x1b[0m
56
+ --port, -p <number> Port to listen on (default: 4242)
57
+ --no-open Don't open browser automatically
58
+ --dir <path> Project directory to monitor (default: cwd)
59
+
60
+ \x1b[1mExamples:\x1b[0m
61
+ monomind ui
62
+ monomind ui --port 8080
63
+ monomind ui --no-open --dir /path/to/project
64
+ `.trim();
65
+ },
66
+ };
67
+
68
+ export default uiCommand;
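Review bot: `port` in `execute` is taken straight from `parseInt(...)` and handed to `startServer`, so a non-numeric `--port` yields `NaN` and a value above 65535 is passed on as is; a guard such as `if (!Number.isInteger(port) || port < 1 || port > 65535)` with a clear error before the `try` would fail cleanly. `projectDir` from `--dir` is likewise passed on unvalidated, although other commands in this release confine user-supplied paths. The interface `startServer` binds to is decided in `../ui/server.mjs`, which is not shown; since the dashboard serves project data it is worth confirming that it listens on loopback only. The `path` and `os` imports at the top and the `fileURLToPath`, `dirname` and `createRequire` imports inside the `try` are unused and can be dropped.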
@@ -151,7 +151,11 @@ const allCommand = {
151
151
  output.writeln();
152
152
  output.printError(`${failed.length} package(s) failed:`);
153
153
  for (const r of failed) {
154
- output.writeln(` ${output.error('✗')} ${r.package}: ${r.error}`);
154
+ // Sanitize error: strip filesystem paths and cap length before display
155
+ const safeErr = typeof r.error === 'string'
156
+ ? r.error.replace(/\/[^\s:]+(\/|(?=\s|:|$))/g, '<path>/').slice(0, 200)
157
+ : 'update failed';
158
+ output.writeln(` ${output.error('✗')} ${r.package}: ${safeErr}`);
155
159
  }
156
160
  }
157
161
  return { success: failed.length === 0 };
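Review bot: The path-stripping regex applied to `r.error` only recognises forward-slash paths, so a Windows-style path with backslashes is printed unchanged, while a registry URL is collapsed to `https:<path>/` because everything after its first `/` matches. If the goal is to keep local paths out of the output, handling backslash paths as well and leaving URLs intact would make the result both tighter and more useful for diagnosing a failed update. `r.package` on the same line is still written without any cap. A non-string `r.error` (its type is not visible here) is reduced to `'update failed'`, which loses the message; sanitising `r.error?.message` the same way would keep it.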
@@ -177,7 +181,9 @@ const historyCommand = {
177
181
  output.printSuccess('Update history cleared');
178
182
  return { success: true };
179
183
  }
180
- const limit = parseInt(flags.limit || '20', 10);
184
+ const rawLimit = parseInt(flags.limit || '20', 10);
185
+ // Cap to prevent unbounded history reads
186
+ const limit = Number.isFinite(rawLimit) ? Math.max(1, Math.min(rawLimit, 1000)) : 20;
181
187
  const history = getUpdateHistory(limit);
182
188
  if (history.length === 0) {
183
189
  output.printInfo('No update history available');
@@ -218,7 +224,13 @@ const rollbackCommand = {
218
224
  ],
219
225
  async action(ctx) {
220
226
  const { flags } = ctx;
221
- const packageName = flags.package;
227
+ // Cap packageName to 200 chars — npm package names are at most 214 chars
228
+ // (npm spec), but a malicious value could otherwise flow into rollbackUpdate
229
+ // which may reflect it in error messages or use it to key lookup tables.
230
+ const rawPackageName = flags.package;
231
+ const packageName = typeof rawPackageName === 'string'
232
+ ? rawPackageName.slice(0, 200)
233
+ : undefined;
222
234
  output.printInfo(packageName ? `Rolling back ${packageName}...` : 'Rolling back last update...');
223
235
  const result = await rollbackUpdate(packageName);
224
236
  if (result.success) {
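Review bot: The new comment says npm names can be up to 214 characters, yet `rawPackageName.slice(0, 200)` shortens anything longer, so a valid 201–214 character name is silently turned into a different name and `rollbackUpdate` is called with it. For an identifier that selects what gets rolled back, refusing is safer than truncating: `if (typeof rawPackageName === 'string' && rawPackageName.length > 214) { output.printError('Invalid package name'); return { success: false }; }`. A non-string `--package` value currently becomes `undefined`, which takes the 'Rolling back last update...' branch instead of reporting a bad argument; that case deserves an explicit error as well. The action body continues outside the hunk.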
@@ -74,12 +74,34 @@ const runCommand = {
74
74
  ],
75
75
  action: async (ctx) => {
76
76
  let template = ctx.flags.template;
77
- const file = ctx.flags.file;
78
- const task = ctx.flags.task || ctx.args[0];
77
+ const rawFile = ctx.flags.file;
78
+ const rawTask = ctx.flags.task || ctx.args[0];
79
79
  const parallel = ctx.flags.parallel;
80
- const maxAgents = ctx.flags['max-agents'];
81
- const timeout = ctx.flags.timeout;
80
+ const rawMaxAgents = ctx.flags['max-agents'];
81
+ const rawTimeout = ctx.flags.timeout;
82
82
  const dryRun = ctx.flags['dry-run'];
83
+ // Cap/validate inputs to prevent DoS and injection
84
+ const task = typeof rawTask === 'string' ? rawTask.slice(0, 4000) : undefined;
85
+ const maxAgents = typeof rawMaxAgents === 'number' && Number.isFinite(rawMaxAgents)
86
+ ? Math.max(1, Math.min(Math.floor(rawMaxAgents), 50))
87
+ : 5;
88
+ const timeout = typeof rawTimeout === 'number' && Number.isFinite(rawTimeout)
89
+ ? Math.max(1, Math.min(Math.floor(rawTimeout), 1440))
90
+ : 30;
91
+ // Validate file path to prevent path traversal when a file is given
92
+ let file;
93
+ if (rawFile) {
94
+ const pathMod = await import('path');
95
+ const effectiveCwd = ctx.cwd || process.cwd();
96
+ const absFile = pathMod.isAbsolute(rawFile) ? rawFile : pathMod.resolve(effectiveCwd, rawFile);
97
+ const resolvedFile = pathMod.resolve(absFile);
98
+ const resolvedCwd = pathMod.resolve(effectiveCwd);
99
+ if (!resolvedFile.startsWith(resolvedCwd + pathMod.sep) && resolvedFile !== resolvedCwd) {
100
+ output.printError('Workflow file path must be within the working directory.');
101
+ return { success: false, exitCode: 1 };
102
+ }
103
+ file = resolvedFile;
104
+ }
83
105
  if (!template && !file && ctx.interactive) {
84
106
  template = await select({
85
107
  message: 'Select workflow template:',
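Review bot: `maxAgents` and `timeout` are accepted only when `typeof raw === 'number'`, so if the flag parser delivers `--max-agents 10` as the string `'10'` (its behaviour is not visible in this hunk) the user's value is discarded and the hard-coded 5 and 30 are used without any message. Coercing before the range check avoids that: `const n = Number(rawMaxAgents); const maxAgents = Number.isFinite(n) ? Math.max(1, Math.min(Math.floor(n), 50)) : 5;`, and the same for `timeout`. An omitted flag now sends 5 and 30 where the old code sent `undefined`, which changes behaviour if the receiving side had its own defaults. The limits 4000, 50 and 1440 and both defaults deserve named constants with units, since nothing here says whether `timeout` is minutes or seconds. The action body continues outside the hunk.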
@@ -184,12 +206,23 @@ const validateCommand = {
184
206
  { command: 'monomind workflow validate -f ./workflow.json --strict', description: 'Strict validation' }
185
207
  ],
186
208
  action: async (ctx) => {
187
- const file = ctx.flags.file || ctx.args[0];
209
+ const rawFile = ctx.flags.file || ctx.args[0];
188
210
  const strict = ctx.flags.strict;
189
- if (!file) {
211
+ if (!rawFile) {
190
212
  output.printError('Workflow file is required. Use --file or -f');
191
213
  return { success: false, exitCode: 1 };
192
214
  }
215
+ // Path traversal guard: file must stay within working directory
216
+ const pathMod = await import('path');
217
+ const effectiveCwd = ctx.cwd || process.cwd();
218
+ const absFile = pathMod.isAbsolute(rawFile) ? rawFile : pathMod.resolve(effectiveCwd, rawFile);
219
+ const resolvedFile = pathMod.resolve(absFile);
220
+ const resolvedCwd = pathMod.resolve(effectiveCwd);
221
+ if (!resolvedFile.startsWith(resolvedCwd + pathMod.sep) && resolvedFile !== resolvedCwd) {
222
+ output.printError('Workflow file path must be within the working directory.');
223
+ return { success: false, exitCode: 1 };
224
+ }
225
+ const file = resolvedFile;
193
226
  output.printInfo(`Validating: ${file}`);
194
227
  try {
195
228
  const result = await callMCPTool('workflow_validate', {
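Review bot: The path guard added to validateCommand is a line-for-line copy of the one added to runCommand in the previous hunk, so any later fix has to be made twice; a small shared helper would keep the two in step. While extracting it, two details are worth tightening: the check accepts `resolvedFile === resolvedCwd`, which is the directory itself rather than a workflow file, and it is a lexical comparison that does not resolve symbolic links before the path is handed to `workflow_validate`. The sketch below uses `path.relative` and rejects the directory case; `fs.realpathSync` on both sides can be added if links should be followed. The action body continues outside the hunk.

```javascript
// Shared by runCommand and validateCommand: resolve a user-supplied path and
// return it only if it lies strictly inside the working directory.
async function resolveInsideCwd(rawFile, cwd) {
  const pathMod = await import('path');
  const base = pathMod.resolve(cwd || process.cwd());
  const resolved = pathMod.resolve(base, rawFile);
  const rel = pathMod.relative(base, resolved);
  const outside = rel === '' || rel === '..' || rel.startsWith('..' + pathMod.sep) || pathMod.isAbsolute(rel);
  return outside ? undefined : resolved;
}

// in validateCommand.action, replacing the inline guard:
const file = await resolveInsideCwd(rawFile, ctx.cwd);
if (!file) {
  output.printError('Workflow file path must be within the working directory.');
  return { success: false, exitCode: 1 };
}
// … unchanged: output.printInfo, try / callMCPTool('workflow_validate', …) …
```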
@@ -29,13 +29,22 @@ export class AuditWriter {
29
29
  * and persist both the audit record and individual votes to JSONL.
30
30
  */
31
31
  record(input) {
32
- const key = deriveSigningKey(input.swarmId, input.sessionSecret);
32
+ // Cap string fields to prevent unbounded JSONL writes (OOM)
33
+ const MAX_STR = 256;
34
+ const decisionId = String(input.decisionId ?? '').slice(0, MAX_STR);
35
+ const swarmId = String(input.swarmId ?? '').slice(0, MAX_STR);
36
+ const topic = String(input.topic ?? '').slice(0, MAX_STR);
37
+ const sessionSecret = String(input.sessionSecret ?? '').slice(0, MAX_STR);
38
+ // Cap votes array to prevent JSONL record inflation
39
+ const MAX_VOTES = 500;
40
+ const votes = Array.isArray(input.votes) ? input.votes.slice(0, MAX_VOTES) : [];
41
+ const key = deriveSigningKey(swarmId, sessionSecret);
33
42
  // Sign each vote
34
- const signedVotes = input.votes.map((v) => ({
43
+ const signedVotes = votes.map((v) => ({
35
44
  agentId: v.agentId,
36
45
  agentSlug: v.agentSlug,
37
46
  vote: v.vote,
38
- signature: signVote(v.agentId, v.vote, input.decisionId, key),
47
+ signature: signVote(v.agentId, v.vote, decisionId, key),
39
48
  votedAt: v.votedAt,
40
49
  }));
41
50
  // Compute quorum proof
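Review bot: `String(input.sessionSecret ?? '').slice(0, MAX_STR)` in `record` turns a missing secret into the empty string, and `deriveSigningKey` then derives a key from that empty secret, so every record written without a secret is signed with the same predictable key, where the old code would presumably have failed inside `createHmac`. I would reject that case up front: `if (typeof input.sessionSecret !== 'string' || input.sessionSecret.length === 0) throw new TypeError('sessionSecret is required');`. Cutting the secret and the IDs to 256 characters here, while the vote-signer module uses 1024, also means verification only succeeds if the verifying path (not visible in this hunk) applies exactly the same cut. `votes.slice(0, MAX_VOTES)` drops votes past 500 from an audit record without marking it, so the stored record can differ from the decision that was taken; an audit writer should refuse or flag that instead of truncating. `record` continues outside the hunk.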
@@ -51,10 +60,10 @@ export class AuditWriter {
51
60
  const endMs = new Date(input.completedAt).getTime();
52
61
  const durationMs = isNaN(startMs) || isNaN(endMs) ? null : endMs - startMs;
53
62
  const recordWithoutSig = {
54
- decisionId: input.decisionId,
55
- swarmId: input.swarmId,
63
+ decisionId,
64
+ swarmId,
56
65
  protocol: input.protocol,
57
- topic: input.topic,
66
+ topic,
58
67
  decision: input.decision,
59
68
  votes: signedVotes,
60
69
  quorumProof,
@@ -84,7 +93,9 @@ export class AuditWriter {
84
93
  listDecisions(swarmId, limit) {
85
94
  const records = this.readLines(this.auditPath);
86
95
  const filtered = swarmId ? records.filter((r) => r.swarmId === swarmId) : records;
87
- return limit !== undefined ? filtered.slice(0, limit) : filtered;
96
+ // Cap at 10 000 to prevent unbounded memory return
97
+ const effectiveLimit = limit !== undefined ? Math.min(Math.max(0, limit), 10_000) : 10_000;
98
+ return filtered.slice(0, effectiveLimit);
88
99
  }
89
100
  /**
90
101
  * Re-verify all vote signatures in a decision.
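Review bot: The cap in `listDecisions` is applied after `this.readLines(this.auditPath)` has already loaded and filtered the whole log, so it bounds what is returned but not what is held in memory, and the comment `// Cap at 10 000 to prevent unbounded memory return` overstates what the line does. Bounding memory would need `readLines` (defined outside this hunk) to stop early or stream. Callers that pass no `limit` now get at most the first 10,000 records with no indication that the list was cut, which matters for an audit trail; returning a truncation flag or documenting the ceiling in the method's doc comment would help. A non-numeric `limit` also becomes `NaN` through `Math.max`/`Math.min`, and `slice(0, NaN)` returns an empty array.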
@@ -0,0 +1,7 @@
1
+ /**
2
+ * Consensus module barrel export (Task 36)
3
+ */
4
+ export { deriveSigningKey, signVote, verifyVote } from './vote-signer.js';
5
+ export { AuditWriter } from './audit-writer.js';
6
+ export type { RecordInput } from './audit-writer.js';
7
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1,6 @@
1
+ /**
2
+ * Consensus module barrel export (Task 36)
3
+ */
4
+ export { deriveSigningKey, signVote, verifyVote } from './vote-signer.js';
5
+ export { AuditWriter } from './audit-writer.js';
6
+ //# sourceMappingURL=index.js.map
@@ -4,25 +4,37 @@
4
4
  * HMAC-SHA256 signing and verification for consensus votes.
5
5
  */
6
6
  import { createHmac, timingSafeEqual } from 'crypto';
7
+ /** Max depth for canonicalize() to prevent stack overflow on deeply nested objects. */
8
+ const MAX_CANONICALIZE_DEPTH = 32;
9
+ /** Cap string inputs to prevent OOM when hashing very long strings. */
10
+ const MAX_INPUT_LEN = 1024;
11
+ /** Cap votes array to prevent OOM in weightedTally. */
12
+ const MAX_VOTES = 1000;
7
13
  /**
8
14
  * Derive a signing key from a swarmId and session secret using HMAC-SHA256.
9
15
  */
10
16
  export function deriveSigningKey(swarmId, sessionSecret) {
11
- return createHmac('sha256', sessionSecret).update(swarmId).digest();
17
+ return createHmac('sha256', sessionSecret.slice(0, MAX_INPUT_LEN)).update(swarmId.slice(0, MAX_INPUT_LEN)).digest();
12
18
  }
13
19
  /**
14
20
  * Sign a vote, producing a hex-encoded HMAC-SHA256 signature.
15
21
  */
16
- function canonicalize(val) {
22
+ function canonicalize(val, depth = 0) {
23
+ // Guard against deeply-nested objects that would overflow the call stack.
24
+ if (depth > MAX_CANONICALIZE_DEPTH)
25
+ return '"[MaxDepth]"';
17
26
  if (val === null || typeof val !== 'object')
18
27
  return JSON.stringify(val);
19
28
  if (Array.isArray(val))
20
- return '[' + val.map(canonicalize).join(',') + ']';
21
- const sorted = Object.keys(val).sort().map(k => JSON.stringify(k) + ':' + canonicalize(val[k]));
29
+ return '[' + val.map(item => canonicalize(item, depth + 1)).join(',') + ']';
30
+ const sorted = Object.keys(val).sort().map(k => JSON.stringify(k) + ':' + canonicalize(val[k], depth + 1));
22
31
  return '{' + sorted.join(',') + '}';
23
32
  }
24
33
  export function signVote(agentId, vote, decisionId, key) {
25
- const payload = JSON.stringify({ agentId, vote: canonicalize(vote), decisionId });
34
+ // Cap string fields to prevent OOM when hashing attacker-supplied inputs.
35
+ const safeAgentId = agentId.slice(0, MAX_INPUT_LEN);
36
+ const safeDecisionId = decisionId.slice(0, MAX_INPUT_LEN);
37
+ const payload = JSON.stringify({ agentId: safeAgentId, vote: canonicalize(vote), decisionId: safeDecisionId });
26
38
  return createHmac('sha256', key).update(payload).digest('hex');
27
39
  }
28
40
  /**
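Review bot: Shortening `agentId` and `decisionId` to `MAX_INPUT_LEN` inside `signVote`, and returning the fixed string `'"[MaxDepth]"'` from `canonicalize`, means the HMAC no longer covers the full input: two IDs that share their first 1024 characters, or two votes that differ only below depth 32, produce the same signature. For a signing primitive it is safer to reject out-of-bounds input than to sign a lossy form of it, for example `if (depth > MAX_CANONICALIZE_DEPTH) throw new RangeError('vote is nested too deeply');` plus a length check that throws in `signVote`; `verifyVote` would then need to treat a throw as a failed verification. The same applies to `deriveSigningKey`, where a secret longer than 1024 characters loses its tail. The strings are already in memory when they reach the HMAC, so the caps act as a sanity limit and not as an OOM safeguard, and `vote` itself has no size cap.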
@@ -35,10 +47,12 @@ export function signVote(agentId, vote, decisionId, key) {
35
47
  * Source: https://arxiv.org/abs/2511.10400 (CP-WBFT — AAAI 2026)
36
48
  */
37
49
  export function weightedTally(votes) {
50
+ // Cap votes array to prevent OOM from an oversized input.
51
+ const safeVotes = votes.length > MAX_VOTES ? votes.slice(0, MAX_VOTES) : votes;
38
52
  let weightedApproval = 0;
39
53
  let weightedRejection = 0;
40
54
  let totalWeight = 0;
41
- for (const { vote, confidence } of votes) {
55
+ for (const { vote, confidence } of safeVotes) {
42
56
  const w = Math.max(0, Math.min(1, confidence)); // clamp to [0,1]
43
57
  totalWeight += w;
44
58
  if (vote) {
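Review bot: `weightedTally` now computes `quorum` from only the first `MAX_VOTES` entries when the array is longer, so the result can differ from the tally of the votes that were actually cast and the caller cannot tell that anything was dropped. For a consensus decision I would fail instead of truncating, `if (votes.length > MAX_VOTES) throw new RangeError('too many votes');`, or at least return a `truncated` flag alongside the counts. `confidence` is clamped but not checked for `NaN`; a single `NaN` makes `totalWeight` `NaN` and `quorum` false, so `Number.isFinite(confidence) ? Math.max(0, Math.min(1, confidence)) : 0` would be more robust. The function continues into the next hunk, which switches the `approved`/`rejected` counts to `safeVotes`.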
@@ -49,8 +63,8 @@ export function weightedTally(votes) {
49
63
  }
50
64
  }
51
65
  return {
52
- approved: votes.filter(v => v.vote).length,
53
- rejected: votes.filter(v => !v.vote).length,
66
+ approved: safeVotes.filter(v => v.vote).length,
67
+ rejected: safeVotes.filter(v => !v.vote).length,
54
68
  weightedApproval,
55
69
  weightedRejection,
56
70
  quorum: totalWeight > 0 && weightedApproval / totalWeight > 0.5,
@@ -61,6 +75,9 @@ export function weightedTally(votes) {
61
75
  * Returns true when the signature is valid.
62
76
  */
63
77
  export function verifyVote(agentId, vote, decisionId, signature, key) {
78
+ // Guard: odd-length or non-hex signature string causes Buffer.from to throw.
79
+ if (!/^[0-9a-fA-F]{64}$/.test(signature))
80
+ return false;
64
81
  const expected = signVote(agentId, vote, decisionId, key);
65
82
  const sigBuf = Buffer.from(signature, 'hex');
66
83
  const expBuf = Buffer.from(expected, 'hex');
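Review bot: The comment on the new guard in `verifyVote` gives the wrong reason: `Buffer.from(signature, 'hex')` does not throw on odd-length or non-hex input, it stops decoding at the first invalid character and returns a shorter buffer. The guard is still the right one, since it pins the signature to the 64 hex characters of an HMAC-SHA256 digest before the buffers are compared, presumably with the imported `timingSafeEqual`, which throws when the lengths differ. I would reword the comment to `// Reject anything that is not 64 hex chars: Buffer.from(..., 'hex') silently truncates invalid input.`. The comparison itself is outside the hunk.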
@@ -0,0 +1,44 @@
1
+ /**
2
+ * Context Provider — interfaces and base class for dynamic prompt assembly.
3
+ *
4
+ * Each provider contributes a named section of context to the assembled prompt.
5
+ * Providers are prioritised (0-100) and budget-aware via token estimation.
6
+ */
7
+ export interface RunContext {
8
+ agentSlug: string;
9
+ taskDescription: string;
10
+ sessionId: string;
11
+ swarmId?: string;
12
+ workingDir?: string;
13
+ metadata: Record<string, unknown>;
14
+ }
15
+ export interface ContextSection {
16
+ name: string;
17
+ content: string;
18
+ tokenCount: number;
19
+ priority: number;
20
+ required: boolean;
21
+ }
22
+ export interface ContextProvider {
23
+ readonly name: string;
24
+ readonly priority: number;
25
+ readonly maxTokens: number;
26
+ readonly required: boolean;
27
+ provide(ctx: RunContext): Promise<string>;
28
+ }
29
+ /**
30
+ * Convenience base class that implements the ContextProvider contract and
31
+ * supplies a rough token-truncation helper (approx 4 chars per token).
32
+ */
33
+ export declare abstract class BaseContextProvider implements ContextProvider {
34
+ abstract readonly name: string;
35
+ abstract readonly priority: number;
36
+ readonly maxTokens: number;
37
+ readonly required: boolean;
38
+ /**
39
+ * Truncate `text` so that it fits within `maxTokens` (4 chars/token).
40
+ */
41
+ protected truncateToTokens(text: string, maxTokens: number): string;
42
+ abstract provide(ctx: RunContext): Promise<string>;
43
+ }
44
+ //# sourceMappingURL=context-provider.d.ts.map
@@ -0,0 +1,25 @@
1
+ /**
2
+ * Context Provider — interfaces and base class for dynamic prompt assembly.
3
+ *
4
+ * Each provider contributes a named section of context to the assembled prompt.
5
+ * Providers are prioritised (0-100) and budget-aware via token estimation.
6
+ */
7
+ /**
8
+ * Convenience base class that implements the ContextProvider contract and
9
+ * supplies a rough token-truncation helper (approx 4 chars per token).
10
+ */
11
+ export class BaseContextProvider {
12
+ maxTokens = 500;
13
+ required = false;
14
+ /**
15
+ * Truncate `text` so that it fits within `maxTokens` (4 chars/token).
16
+ */
17
+ truncateToTokens(text, maxTokens) {
18
+ const maxChars = maxTokens * 4;
19
+ if (text.length <= maxChars) {
20
+ return text;
21
+ }
22
+ return text.slice(0, maxChars);
23
+ }
24
+ }
25
+ //# sourceMappingURL=context-provider.js.map