monomind 1.11.13 → 1.12.0

Files changed (389) hide show
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
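--- a/package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js
+++ b/package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js
@@ -0,0 +1,48 @@
+ /**
+ * Deprecation Injector (Task 31)
+ *
+ * Injects deprecation warnings into MCP tool responses when the
+ * invoked tool has been marked as deprecated in the ToolRegistry.
+ */
+ /**
+ * Injects deprecation metadata into MCP responses.
+ */
+ export class DeprecationInjector {
+ registry;
+ constructor(registry) {
+ this.registry = registry;
+ }
+ /**
+ * If `toolName` is deprecated, augment the response with a warning.
+ *
+ * Returns the original response unmodified when the tool is not
+ * deprecated. When deprecated, adds `_deprecation` metadata.
+ *
+ * Warning format:
+ * [DEPRECATED] Tool "<name>" is deprecated. <message>. Use "<successor>" instead.
+ */
+ inject(response, toolName) {
+ const tool = this.registry.getVersion(toolName);
+ if (!tool || !tool.deprecated) {
+ return response;
+ }
+ const parts = [`[DEPRECATED] Tool "${toolName}" is deprecated.`];
+ if (tool.deprecationMessage) {
+ parts.push(tool.deprecationMessage + '.');
+ }
+ if (tool.successor) {
+ parts.push(`Use "${tool.successor}" instead.`);
+ }
+ const warning = parts.join(' ');
+ return {
+ ...response,
+ _deprecation: {
+ warning,
+ deprecated: true,
+ successor: tool.successor ?? null,
+ deprecatedAt: tool.deprecatedAt ?? null,
+ },
+ };
+ }
+ }
+ //# sourceMappingURL=deprecation-injector.js.map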
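Review bot: `inject` copies `tool.deprecationMessage` and `tool.successor` verbatim into `_deprecation.warning`, so whatever text is stored in the registry is attached to every response of a deprecated tool, and an MCP client will probably hand that response to a model. The registry's declaration on this page says entries are loaded from a JSONL file, so the text is only as trustworthy as that file; I would flatten and bound both fields before interpolating them, e.g. `const clean = (s) => String(s).replace(/[\u0000-\u001f\u007f]+/g, ' ').slice(0, 200);`. Separately, `...response` assumes a plain object: a string, array or `null` response would be reshaped instead of returned, so a guard such as `if (response === null || typeof response !== 'object' || Array.isArray(response)) return response;` before the spread is worth adding.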
@@ -0,0 +1,61 @@
1
+ /**
2
+ * Tool Registry (Task 31)
3
+ *
4
+ * Manages semver versioning for MCP tools with deprecation tracking
5
+ * and tool-to-agent impact analysis. Uses JSONL file storage.
6
+ */
7
+ import type { VersionedMCPTool, ToolVersionEntry } from '../../../shared/src/types/tool-version.js';
8
+ /**
9
+ * Registry for versioned MCP tools.
10
+ *
11
+ * Stores tool metadata and version history in a JSONL file.
12
+ * Supports deprecation marking and agent impact analysis.
13
+ */
14
+ export declare class ToolRegistry {
15
+ private tools;
16
+ private history;
17
+ private readonly storagePath;
18
+ constructor(storagePath?: string);
19
+ /**
20
+ * Register a new tool or update an existing one.
21
+ */
22
+ register(tool: VersionedMCPTool): void;
23
+ /**
24
+ * Mark a tool as deprecated with an optional successor.
25
+ */
26
+ deprecate(toolName: string, message: string, successor?: string): void;
27
+ /**
28
+ * Get the current version info for a tool.
29
+ * Returns null if the tool is not registered.
30
+ */
31
+ getVersion(toolName: string): VersionedMCPTool | null;
32
+ /**
33
+ * List all deprecated tools.
34
+ */
35
+ listDeprecated(): VersionedMCPTool[];
36
+ /**
37
+ * Find agents that reference the given tool.
38
+ *
39
+ * Scans agent markdown files under the provided agents directory
40
+ * and returns slugs of agents whose `tools:` frontmatter or body
41
+ * mention the tool name.
42
+ */
43
+ getImpactedAgents(toolName: string, agentsDir?: string): string[];
44
+ /**
45
+ * Get the full version history for a tool, or all tools if no name given.
46
+ */
47
+ getHistory(toolName?: string): ToolVersionEntry[];
48
+ /**
49
+ * Get all registered tools.
50
+ */
51
+ listAll(): VersionedMCPTool[];
52
+ /**
53
+ * Load existing entries from the JSONL file on disk.
54
+ */
55
+ private loadFromDisk;
56
+ /**
57
+ * Append a version history entry and the current tool state to disk.
58
+ */
59
+ private appendEntry;
60
+ }
61
+ //# sourceMappingURL=tool-registry.d.ts.map
@@ -0,0 +1,246 @@
1
+ /**
2
+ * Tool Registry (Task 31)
3
+ *
4
+ * Manages semver versioning for MCP tools with deprecation tracking
5
+ * and tool-to-agent impact analysis. Uses JSONL file storage.
6
+ */
7
+ import { appendFileSync, readFileSync, existsSync, mkdirSync, readdirSync, lstatSync, } from 'fs';
8
+ import { join, dirname, extname, resolve, sep } from 'path';
9
+ /** Default JSONL storage path relative to project root. */
10
+ const DEFAULT_STORAGE_PATH = '.monomind/tool-versions.jsonl';
11
+ /**
12
+ * Registry for versioned MCP tools.
13
+ *
14
+ * Stores tool metadata and version history in a JSONL file.
15
+ * Supports deprecation marking and agent impact analysis.
16
+ */
17
+ export class ToolRegistry {
18
+ tools = new Map();
19
+ history = [];
20
+ storagePath;
21
+ constructor(storagePath = DEFAULT_STORAGE_PATH) {
22
+ const resolvedPath = resolve(storagePath);
23
+ const allowedRoot = process.env.MONOMIND_DATA_DIR
24
+ ? resolve(process.env.MONOMIND_DATA_DIR)
25
+ : resolve(process.cwd());
26
+ if (resolvedPath !== allowedRoot && !resolvedPath.startsWith(allowedRoot + sep)) {
27
+ throw new Error(`Tool registry storagePath escapes allowed root: ${resolvedPath}`);
28
+ }
29
+ this.storagePath = resolvedPath;
30
+ this.loadFromDisk();
31
+ }
32
+ /**
33
+ * Register a new tool or update an existing one.
34
+ */
35
+ register(tool) {
36
+ const existing = this.tools.get(tool.toolName);
37
+ const changeType = existing
38
+ ? 'updated'
39
+ : 'added';
40
+ this.tools.set(tool.toolName, { ...tool });
41
+ const entry = {
42
+ toolName: tool.toolName,
43
+ version: tool.version,
44
+ changeType,
45
+ changedAt: new Date().toISOString(),
46
+ description: changeType === 'added'
47
+ ? `Registered tool ${tool.toolName} v${tool.version}`
48
+ : `Updated tool ${tool.toolName} to v${tool.version}`,
49
+ };
50
+ this.history.push(entry);
51
+ this.appendEntry(entry);
52
+ }
53
+ /**
54
+ * Mark a tool as deprecated with an optional successor.
55
+ */
56
+ deprecate(toolName, message, successor) {
57
+ const tool = this.tools.get(toolName);
58
+ if (!tool) {
59
+ throw new Error(`Tool "${toolName}" not found in registry`);
60
+ }
61
+ tool.deprecated = true;
62
+ tool.deprecationMessage = message;
63
+ tool.deprecatedAt = new Date().toISOString();
64
+ if (successor) {
65
+ tool.successor = successor;
66
+ }
67
+ const entry = {
68
+ toolName,
69
+ version: tool.version,
70
+ changeType: 'deprecated',
71
+ changedAt: tool.deprecatedAt,
72
+ description: message,
73
+ };
74
+ this.history.push(entry);
75
+ this.appendEntry(entry);
76
+ }
77
+ /**
78
+ * Get the current version info for a tool.
79
+ * Returns null if the tool is not registered.
80
+ */
81
+ getVersion(toolName) {
82
+ return this.tools.get(toolName) ?? null;
83
+ }
84
+ /**
85
+ * List all deprecated tools.
86
+ */
87
+ listDeprecated() {
88
+ const result = [];
89
+ for (const tool of this.tools.values()) {
90
+ if (tool.deprecated) {
91
+ result.push({ ...tool });
92
+ }
93
+ }
94
+ return result;
95
+ }
96
+ /**
97
+ * Find agents that reference the given tool.
98
+ *
99
+ * Scans agent markdown files under the provided agents directory
100
+ * and returns slugs of agents whose `tools:` frontmatter or body
101
+ * mention the tool name.
102
+ */
103
+ getImpactedAgents(toolName, agentsDir = 'agents') {
104
+ // Reject empty or short tool names — `content.includes('')` returns true
105
+ // for every file, turning the registry into a directory enumerator.
106
+ if (typeof toolName !== 'string' || toolName.length < 2 || !/^[a-zA-Z0-9_.-]+$/.test(toolName)) {
107
+ return [];
108
+ }
109
+ const impacted = [];
110
+ const mdFiles = collectMdFiles(agentsDir);
111
+ for (const filePath of mdFiles) {
112
+ let content;
113
+ try {
114
+ content = readFileSync(filePath, 'utf-8');
115
+ }
116
+ catch {
117
+ continue;
118
+ }
119
+ if (content.includes(toolName)) {
120
+ // Derive slug from filename (strip .md extension)
121
+ const parts = filePath.split('/');
122
+ const filename = parts[parts.length - 1];
123
+ const slug = filename.replace(/\.md$/, '');
124
+ impacted.push(slug);
125
+ }
126
+ }
127
+ return impacted;
128
+ }
129
+ /**
130
+ * Get the full version history for a tool, or all tools if no name given.
131
+ */
132
+ getHistory(toolName) {
133
+ if (!toolName) {
134
+ return [...this.history];
135
+ }
136
+ return this.history.filter((e) => e.toolName === toolName);
137
+ }
138
+ /**
139
+ * Get all registered tools.
140
+ */
141
+ listAll() {
142
+ return Array.from(this.tools.values()).map((t) => ({ ...t }));
143
+ }
144
+ // ---- Private helpers ----
145
+ /**
146
+ * Load existing entries from the JSONL file on disk.
147
+ */
148
+ loadFromDisk() {
149
+ if (!existsSync(this.storagePath)) {
150
+ return;
151
+ }
152
+ let raw;
153
+ try {
154
+ raw = readFileSync(this.storagePath, 'utf-8');
155
+ }
156
+ catch {
157
+ return;
158
+ }
159
+ const NAME_RE = /^[a-zA-Z0-9_.-]{1,128}$/;
160
+ const STR_MAX = 500;
161
+ for (const line of raw.split('\n')) {
162
+ const trimmed = line.trim();
163
+ if (!trimmed)
164
+ continue;
165
+ try {
166
+ const record = JSON.parse(trimmed);
167
+ if (!record || typeof record !== 'object')
168
+ continue;
169
+ // Validate fields before storage. The JSONL file lives on disk; an
170
+ // attacker with local write access could otherwise plant attacker-controlled
171
+ // strings (e.g. malicious deprecationMessage with markup) that reach
172
+ // downstream renderers (DOT visualizer, deprecation-injector warnings).
173
+ if (record._type === 'tool') {
174
+ if (typeof record.toolName !== 'string' || !NAME_RE.test(record.toolName))
175
+ continue;
176
+ if (record.successor !== undefined && (typeof record.successor !== 'string' || !NAME_RE.test(record.successor)))
177
+ continue;
178
+ if (record.deprecationMessage !== undefined && (typeof record.deprecationMessage !== 'string' || record.deprecationMessage.length > STR_MAX))
179
+ continue;
180
+ this.tools.set(record.toolName, record);
181
+ }
182
+ else if (record._type === 'history') {
183
+ if (typeof record.toolName !== 'string' || !NAME_RE.test(record.toolName))
184
+ continue;
185
+ this.history.push(record);
186
+ }
187
+ }
188
+ catch {
189
+ // Skip malformed lines
190
+ }
191
+ }
192
+ }
193
+ /**
194
+ * Append a version history entry and the current tool state to disk.
195
+ */
196
+ appendEntry(entry) {
197
+ const dir = dirname(this.storagePath);
198
+ if (!existsSync(dir)) {
199
+ mkdirSync(dir, { recursive: true });
200
+ }
201
+ const tool = this.tools.get(entry.toolName);
202
+ const lines = [];
203
+ if (tool) {
204
+ lines.push(JSON.stringify({ _type: 'tool', ...tool }));
205
+ }
206
+ lines.push(JSON.stringify({ _type: 'history', ...entry }));
207
+ appendFileSync(this.storagePath, lines.join('\n') + '\n', 'utf-8');
208
+ }
209
+ }
210
+ /**
211
+ * Recursively collect all `.md` files under a directory.
212
+ */
213
+ function collectMdFiles(root) {
214
+ const results = [];
215
+ let entries;
216
+ try {
217
+ entries = readdirSync(root);
218
+ }
219
+ catch {
220
+ return results;
221
+ }
222
+ for (const entry of entries) {
223
+ const full = join(root, entry);
224
+ let stat;
225
+ try {
226
+ // Use lstatSync so symlinks aren't followed — otherwise a symlink under
227
+ // `agentsDir` could redirect this scan into arbitrary filesystem
228
+ // locations, which combined with `getImpactedAgents` becomes a content
229
+ // oracle that fingerprints arbitrary text files outside the project.
230
+ stat = lstatSync(full);
231
+ }
232
+ catch {
233
+ continue;
234
+ }
235
+ if (stat.isSymbolicLink())
236
+ continue;
237
+ if (stat.isDirectory()) {
238
+ results.push(...collectMdFiles(full));
239
+ }
240
+ else if (stat.isFile() && extname(entry) === '.md') {
241
+ results.push(full);
242
+ }
243
+ }
244
+ return results;
245
+ }
246
+ //# sourceMappingURL=tool-registry.js.map
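Review bot: The field checks in `loadFromDisk` (`NAME_RE`, `STR_MAX`) are not applied in `register()` or `deprecate()`, so the write path and the read path disagree about what a valid record is. A tool registered with a name outside `[a-zA-Z0-9_.-]`, or deprecated with a message longer than 500 characters, is written by `appendEntry` and then silently skipped on the next load, while in the running process it is served to callers unvalidated. Hoisting the two constants to module scope and checking them in both write paths closes the gap; note that the in-code comment mentions markup in `deprecationMessage`, but the check limits only type and length. Separately, `getImpactedAgents` derives the slug with `filePath.split('/')`, which will not split paths produced by `join` on Windows; `basename(filePath, '.md')` from `path` would be portable.

```javascript
/** Shared by loadFromDisk and the write paths so both accept the same records. */
const NAME_RE = /^[a-zA-Z0-9_.-]{1,128}$/;
const STR_MAX = 500;

    register(tool) {
        if (!tool || typeof tool.toolName !== 'string' || !NAME_RE.test(tool.toolName)) {
            throw new Error('Tool registry: invalid toolName');
        }
        // … unchanged: lookup of existing entry, tools.set, history entry, appendEntry …

    deprecate(toolName, message, successor) {
        // … unchanged: lookup and not-found error …
        if (typeof message !== 'string' || message.length > STR_MAX) {
            throw new Error(`Tool registry: deprecation message must be a string of at most ${STR_MAX} characters`);
        }
        if (successor && (typeof successor !== 'string' || !NAME_RE.test(successor))) {
            throw new Error('Tool registry: invalid successor name');
        }
        // … unchanged: flag updates, history entry, appendEntry …
```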
@@ -9,6 +9,57 @@
9
9
  *
10
10
  * @module v1/cli/mcp-tools/a2a-tools
11
11
  */
12
+ // ===== Input validation helpers =====
13
+ const MAX_AGENT_TYPE_LEN = 64; // slug length — catalogue keys are all < 30 chars
14
+ const MAX_BASE_URL_LEN = 2048; // typical browser URL limit
15
+ const MAX_TASK_ID_LEN = 256;
16
+ const MAX_SESSION_ID_LEN = 256;
17
+ // Allowlist of URL schemes that are safe to embed in returned Agent Card urls.
18
+ // Prevents javascript:, data:, file:// etc. from being reflected back to callers.
19
+ const ALLOWED_URL_SCHEMES = new Set(['http:', 'https:']);
20
+ /**
21
+ * Validate and return an agent type slug.
22
+ * Returns null when the value is not a string or exceeds the max length.
23
+ */
24
+ function validateAgentType(value) {
25
+ if (typeof value !== 'string' || value.length === 0 || value.length > MAX_AGENT_TYPE_LEN)
26
+ return null;
27
+ return value;
28
+ }
29
+ /**
30
+ * Validate and return a base URL.
31
+ * Accepts only http/https schemes and caps length to prevent oversized reflected values.
32
+ * Falls back to the default localhost URL on failure.
33
+ */
34
+ function validateBaseUrl(value, fallback = 'http://localhost:3000') {
35
+ if (typeof value !== 'string' || value.length === 0)
36
+ return fallback;
37
+ if (value.length > MAX_BASE_URL_LEN)
38
+ return fallback;
39
+ try {
40
+ const parsed = new URL(value);
41
+ if (!ALLOWED_URL_SCHEMES.has(parsed.protocol))
42
+ return fallback;
43
+ // Reject URLs with credentials — they should never appear in Agent Card endpoints
44
+ if (parsed.username || parsed.password)
45
+ return fallback;
46
+ }
47
+ catch {
48
+ return fallback;
49
+ }
50
+ return value;
51
+ }
52
+ /**
53
+ * Validate an optional string ID (taskId / sessionId).
54
+ * Returns undefined when the value is absent; null when it is present but invalid.
55
+ */
56
+ function validateOptionalId(value, maxLen) {
57
+ if (value === undefined || value === null)
58
+ return undefined;
59
+ if (typeof value !== 'string' || value.length === 0 || value.length > maxLen)
60
+ return null;
61
+ return value;
62
+ }
12
63
  // ===== Agent type catalogue =====
13
64
  /** Well-known agent types and their A2A card metadata */
14
65
  const AGENT_CARD_CATALOGUE = {
@@ -116,13 +167,16 @@ export const a2aTools = [
116
167
  required: ['agentType'],
117
168
  },
118
169
  handler: async (input) => {
119
- const agentType = input.agentType;
120
- const baseUrl = input.baseUrl || 'http://localhost:3000';
170
+ const agentType = validateAgentType(input.agentType);
171
+ if (!agentType) {
172
+ return { success: false, error: 'agentType is required (non-empty string, max 64 chars)' };
173
+ }
174
+ const baseUrl = validateBaseUrl(input.baseUrl);
121
175
  const card = buildAgentCard(agentType, baseUrl);
122
176
  if (!card) {
123
177
  return {
124
178
  success: false,
125
- error: `Unknown agent type: "${agentType}". Available: ${Object.keys(AGENT_CARD_CATALOGUE).join(', ')}`,
179
+ error: `Unknown agent type. Available: ${Object.keys(AGENT_CARD_CATALOGUE).join(', ')}`,
126
180
  };
127
181
  }
128
182
  return { success: true, agentCard: card, protocol: 'a2a', source: 'https://a2a-protocol.org' };
@@ -146,8 +200,19 @@ export const a2aTools = [
146
200
  },
147
201
  },
148
202
  handler: async (input) => {
149
- const baseUrl = input.baseUrl || 'http://localhost:3000';
150
- const capabilityFilter = input.capabilities;
203
+ const baseUrl = validateBaseUrl(input.baseUrl);
204
+ // Only accept a plain object capability filter to prevent prototype pollution.
205
+ // Object.create(null) maps and class instances are intentionally rejected.
206
+ const rawCap = input.capabilities;
207
+ const capabilityFilter = rawCap !== null &&
208
+ typeof rawCap === 'object' &&
209
+ !Array.isArray(rawCap) &&
210
+ Object.getPrototypeOf(rawCap) === Object.prototype
211
+ ? rawCap
212
+ : undefined;
213
+ const KNOWN_CAPABILITY_KEYS = new Set([
214
+ 'streaming', 'pushNotifications', 'stateTransitionHistory',
215
+ ]);
151
216
  const cards = Object.keys(AGENT_CARD_CATALOGUE)
152
217
  .map(type => buildAgentCard(type, baseUrl))
153
218
  .filter((card) => {
@@ -155,9 +220,12 @@ export const a2aTools = [
155
220
  return false;
156
221
  if (!capabilityFilter)
157
222
  return true;
158
- // Apply capability filter
159
- for (const [key, value] of Object.entries(capabilityFilter)) {
160
- if (card.capabilities[key] !== value)
223
+ // Apply capability filter — only iterate known keys to prevent
224
+ // prototype-chain access via attacker-controlled property names.
225
+ for (const key of KNOWN_CAPABILITY_KEYS) {
226
+ if (!(key in capabilityFilter))
227
+ continue;
228
+ if (card.capabilities[key] !== capabilityFilter[key])
161
229
  return false;
162
230
  }
163
231
  return true;
@@ -203,15 +271,32 @@ export const a2aTools = [
203
271
  required: ['agentType', 'message'],
204
272
  },
205
273
  handler: async (input) => {
206
- const agentType = input.agentType;
274
+ const agentType = validateAgentType(input.agentType);
275
+ if (!agentType) {
276
+ return { success: false, error: 'agentType is required (non-empty string, max 64 chars)' };
277
+ }
207
278
  const message = input.message;
208
- const taskId = input.taskId || `task-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
209
- const sessionId = input.sessionId;
210
- const metadata = input.metadata || {};
279
+ const rawTaskId = validateOptionalId(input.taskId, MAX_TASK_ID_LEN);
280
+ if (rawTaskId === null) {
281
+ return { success: false, error: `taskId must be a non-empty string up to ${MAX_TASK_ID_LEN} chars` };
282
+ }
283
+ const taskId = rawTaskId ?? `task-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
284
+ const rawSessionId = validateOptionalId(input.sessionId, MAX_SESSION_ID_LEN);
285
+ if (rawSessionId === null) {
286
+ return { success: false, error: `sessionId must be a non-empty string up to ${MAX_SESSION_ID_LEN} chars` };
287
+ }
288
+ const sessionId = rawSessionId;
289
+ // Only accept plain objects for metadata to prevent prototype pollution
290
+ const metadata = input.metadata !== null &&
291
+ typeof input.metadata === 'object' &&
292
+ !Array.isArray(input.metadata) &&
293
+ Object.getPrototypeOf(input.metadata) === Object.prototype
294
+ ? input.metadata
295
+ : {};
211
296
  if (!AGENT_CARD_CATALOGUE[agentType]) {
212
297
  return {
213
298
  success: false,
214
- error: `Unknown agent type: "${agentType}". Run a2a_discover to see available agents.`,
299
+ error: `Unknown agent type. Run a2a_discover to see available agents.`,
215
300
  };
216
301
  }
217
302
  // Return the A2A-compliant task submission envelope
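Review bot: The catalogue check `if (!AGENT_CARD_CATALOGUE[agentType])` in this hunk still accepts inherited keys, because `validateAgentType` admits any non-empty string up to 64 characters and a name such as `constructor` resolves to the member inherited from `Object.prototype`; `if (!Object.hasOwn(AGENT_CARD_CATALOGUE, agentType))` tests own keys only, assuming the catalogue is the ordinary object literal the first hunk shows. The capability loop two hunks up has a related gap: `key in capabilityFilter` walks the prototype chain that its comment says it avoids, and `Object.hasOwn(capabilityFilter, key)` would match the comment. In the first hunk, `validateBaseUrl` validates the parsed URL but returns the raw `value`, so whitespace, tabs or newlines that the parser discards stay in the reflected string; returning the parser's serialization (`parsed.origin` or `parsed.href`, depending on how `buildAgentCard` joins paths, which is not visible here) avoids that. The handler bodies continue outside the hunks.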
@@ -122,8 +122,18 @@ export const agentTools = [
122
122
  },
123
123
  handler: async (input) => {
124
124
  const store = loadAgentStore();
125
- const agentId = input.agentId || `agent-${Date.now()}-${randomBytes(4).toString('hex')}`;
126
- const agentType = input.agentType;
125
+ // Cap agentId: used as the JSON object key in store.agents[agentId].
126
+ // An oversized key inflates the on-disk store for every spawned agent.
127
+ // Cap agentType/domain: persisted as AgentRecord field values.
128
+ const MAX_AGENT_ID_LEN = 256;
129
+ const MAX_AGENT_TYPE_LEN = 128;
130
+ const MAX_AGENT_DOMAIN_LEN = 256;
131
+ const rawAgentId = input.agentId || `agent-${Date.now()}-${randomBytes(4).toString('hex')}`;
132
+ const agentId = typeof rawAgentId === 'string' && rawAgentId.length > MAX_AGENT_ID_LEN
133
+ ? rawAgentId.slice(0, MAX_AGENT_ID_LEN) : rawAgentId;
134
+ const rawAgentType = input.agentType;
135
+ const agentType = typeof rawAgentType === 'string' && rawAgentType.length > MAX_AGENT_TYPE_LEN
136
+ ? rawAgentType.slice(0, MAX_AGENT_TYPE_LEN) : rawAgentType;
127
137
  if (['__proto__', 'constructor', 'prototype'].includes(agentId)) {
128
138
  return { success: false, agentId, error: 'Forbidden agent ID' };
129
139
  }
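Review bot: The length caps apply only when the value is a string, so a non-string `agentId` passes through `rawAgentId` untouched and also slips past the `includes(agentId)` check that follows, which compares by strict equality while the later `store.agents[agentId]` key access coerces the value to a string. Rejecting non-strings before the cap closes this: `if (typeof rawAgentId !== 'string') return { success: false, error: 'agentId must be a string' };` (whether a schema layer already enforces the type is not visible here). Truncating with `slice` also maps distinct over-long ids to the same store key, so returning an error for an oversized `agentId`, `agentType` or `domain` (the last one in the next hunk) is safer than silently shortening it. `MAX_AGENT_TYPE_LEN` is 128 here and 64 in the a2a tools file; one shared limit would avoid a type that one tool accepts and the other rejects.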
@@ -141,6 +151,9 @@ export const agentTools = [
141
151
  }
142
152
  // Get task from either top-level or config (CLI passes it in config.task)
143
153
  const task = input.task || config.task || undefined;
154
+ const rawDomain = input.domain;
155
+ const domain = typeof rawDomain === 'string' && rawDomain.length > MAX_AGENT_DOMAIN_LEN
156
+ ? rawDomain.slice(0, MAX_AGENT_DOMAIN_LEN) : rawDomain;
144
157
  // Determine model using ADR-026 3-tier routing logic
145
158
  const routingResult = await determineAgentModel(agentType, config, task);
146
159
  const agent = {
@@ -151,7 +164,7 @@ export const agentTools = [
151
164
  taskCount: 0,
152
165
  config,
153
166
  createdAt: new Date().toISOString(),
154
- domain: input.domain,
167
+ domain,
155
168
  model: routingResult.model,
156
169
  modelRoutedBy: routingResult.routedBy,
157
170
  };