monomind 1.11.13 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (389) hide show
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -17,6 +17,21 @@ const require = createRequire(import.meta.url);
17
17
  let monofenceInstance = null;
18
18
  // Track if we've attempted install this session
19
19
  let installAttempted = false;
20
+ // ── Security input bounds ─────────────────────────────────────────────────────
21
+ // MonoFence runs multiple regex patterns over the entire input string (O(n × P)
22
+ // complexity where P is the pattern count). Uncapped input enables ReDoS-style
23
+ // denial-of-service. 64 KB is more than enough for any real threat-scan
24
+ // payload while preventing CPU exhaustion from megabyte-scale inputs.
25
+ const MAX_SECURITY_INPUT_LEN = 64 * 1024; // 64 KB
26
+ const MAX_SECURITY_K = 100;
27
+ const MAX_SECURITY_VERDICT_LEN = 512;
28
+ const MAX_SECURITY_THREAT_TYPE_LEN = 256;
29
+ const MAX_SECURITY_MITIGATION_STRATEGY_LEN = 512;
30
+ function capSecurityInput(raw, fieldName = 'input') {
31
+ if (typeof raw !== 'string')
32
+ throw new Error(`${fieldName} must be a string`);
33
+ return raw.length > MAX_SECURITY_INPUT_LEN ? raw.slice(0, MAX_SECURITY_INPUT_LEN) : raw;
34
+ }
20
35
  /**
21
36
  * Get or create MonoFence instance (throws if unavailable)
22
37
  */
@@ -79,7 +94,13 @@ const monofenceScanTool = {
79
94
  required: ['input'],
80
95
  },
81
96
  handler: async (args) => {
82
- const input = args.input;
97
+ let input;
98
+ try {
99
+ input = capSecurityInput(args.input);
100
+ }
101
+ catch (e) {
102
+ return { content: [{ type: 'text', text: JSON.stringify({ error: e.message }) }], isError: true };
103
+ }
83
104
  const quick = args.quick;
84
105
  try {
85
106
  const defender = await getMonoFence();
@@ -153,9 +174,16 @@ const monofenceAnalyzeTool = {
153
174
  required: ['input'],
154
175
  },
155
176
  handler: async (args) => {
156
- const input = args.input;
177
+ let input;
178
+ try {
179
+ input = capSecurityInput(args.input);
180
+ }
181
+ catch (e) {
182
+ return { content: [{ type: 'text', text: JSON.stringify({ error: e.message }) }], isError: true };
183
+ }
157
184
  const searchSimilar = args.searchSimilar !== false;
158
- const k = args.k || 5;
185
+ const rawK = args.k || 5;
186
+ const k = Number.isFinite(rawK) && rawK > 0 ? Math.min(Math.floor(rawK), MAX_SECURITY_K) : 5;
159
187
  try {
160
188
  const defender = await getMonoFence();
161
189
  const result = await defender.detect(input);
@@ -282,11 +310,23 @@ const monofenceLearnTool = {
282
310
  required: ['input', 'wasAccurate'],
283
311
  },
284
312
  handler: async (args) => {
285
- const input = args.input;
313
+ let input;
314
+ try {
315
+ input = capSecurityInput(args.input);
316
+ }
317
+ catch (e) {
318
+ return { content: [{ type: 'text', text: JSON.stringify({ error: e.message }) }], isError: true };
319
+ }
286
320
  const wasAccurate = args.wasAccurate;
287
- const verdict = args.verdict;
288
- const threatType = args.threatType;
289
- const mitigationStrategy = args.mitigationStrategy;
321
+ const rawVerdict = args.verdict;
322
+ const verdict = typeof rawVerdict === 'string' && rawVerdict.length > MAX_SECURITY_VERDICT_LEN
323
+ ? rawVerdict.slice(0, MAX_SECURITY_VERDICT_LEN) : rawVerdict;
324
+ const rawThreatType = args.threatType;
325
+ const threatType = typeof rawThreatType === 'string' && rawThreatType.length > MAX_SECURITY_THREAT_TYPE_LEN
326
+ ? rawThreatType.slice(0, MAX_SECURITY_THREAT_TYPE_LEN) : rawThreatType;
327
+ const rawMitigationStrategy = args.mitigationStrategy;
328
+ const mitigationStrategy = typeof rawMitigationStrategy === 'string' && rawMitigationStrategy.length > MAX_SECURITY_MITIGATION_STRATEGY_LEN
329
+ ? rawMitigationStrategy.slice(0, MAX_SECURITY_MITIGATION_STRATEGY_LEN) : rawMitigationStrategy;
290
330
  const mitigationSuccess = args.mitigationSuccess;
291
331
  try {
292
332
  const defender = await getMonoFence();
@@ -344,7 +384,13 @@ const monofenceIsSafeTool = {
344
384
  required: ['input'],
345
385
  },
346
386
  handler: async (args) => {
347
- const input = args.input;
387
+ let input;
388
+ try {
389
+ input = capSecurityInput(args.input);
390
+ }
391
+ catch (e) {
392
+ return { content: [{ type: 'text', text: JSON.stringify({ error: e.message }) }], isError: true };
393
+ }
348
394
  try {
349
395
  await getMonoFence(); // triggers auto-install if package is missing
350
396
  const { isSafe } = await import('monofence-ai');
@@ -384,7 +430,13 @@ const monofenceHasPIITool = {
384
430
  required: ['input'],
385
431
  },
386
432
  handler: async (args) => {
387
- const input = args.input;
433
+ let input;
434
+ try {
435
+ input = capSecurityInput(args.input);
436
+ }
437
+ catch (e) {
438
+ return { content: [{ type: 'text', text: JSON.stringify({ error: e.message }) }], isError: true };
439
+ }
388
440
  try {
389
441
  const defender = await getMonoFence();
390
442
  const hasPII = defender.hasPII(input);
@@ -131,6 +131,19 @@ export const sessionTools = [
131
131
  },
132
132
  handler: async (input) => {
133
133
  const sessionId = `session-${Date.now()}-${randomBytes(6).toString('hex')}`;
134
+ // Cap name and description: both are persisted verbatim to the session
135
+ // JSON file on disk. Without a cap, an attacker can inflate the session
136
+ // store by supplying a very long name or description.
137
+ const MAX_SESSION_NAME_LEN = 256;
138
+ const MAX_SESSION_DESC_LEN = 4 * 1024;
139
+ const rawSessionName = input.name;
140
+ const sessionName = typeof rawSessionName === 'string' && rawSessionName.length > MAX_SESSION_NAME_LEN
141
+ ? rawSessionName.slice(0, MAX_SESSION_NAME_LEN)
142
+ : rawSessionName;
143
+ const rawSessionDesc = input.description;
144
+ const sessionDesc = typeof rawSessionDesc === 'string' && rawSessionDesc.length > MAX_SESSION_DESC_LEN
145
+ ? rawSessionDesc.slice(0, MAX_SESSION_DESC_LEN)
146
+ : rawSessionDesc;
134
147
  // Load related data based on options
135
148
  const data = loadRelatedStores({
136
149
  includeMemory: input.includeMemory,
@@ -146,8 +159,8 @@ export const sessionTools = [
146
159
  };
147
160
  const session = {
148
161
  sessionId,
149
- name: input.name,
150
- description: input.description,
162
+ name: sessionName,
163
+ description: sessionDesc,
151
164
  savedAt: new Date().toISOString(),
152
165
  stats,
153
166
  data: Object.keys(data).length > 0 ? data : undefined,
@@ -211,17 +224,25 @@ export const sessionTools = [
211
224
  const { storeEntry } = await import('../memory/memory-initializer.js');
212
225
  const memoryData = session.data.memory;
213
226
  if (memoryData.entries) {
227
+ // Cap individual key and value lengths before writing to the DB.
228
+ // A malicious or corrupted session file could contain arbitrarily
229
+ // long strings; without caps these flow straight into the HNSW
230
+ // embedder and SQL layer, causing OOM or DoS.
231
+ const MAX_RESTORE_KEY = 1_000;
232
+ const MAX_RESTORE_VALUE = 100_000;
233
+ const MAX_RESTORE_NS = 200;
214
234
  for (const entry of Object.values(memoryData.entries)) {
215
- const key = entry.key || entry.id || '';
216
- const value = entry.value || entry.content || '';
217
- if (key && value) {
218
- await storeEntry({
219
- key,
220
- value,
221
- namespace: entry.namespace || 'restored',
222
- upsert: true,
223
- });
224
- }
235
+ let key = entry.key || entry.id || '';
236
+ let value = entry.value || entry.content || '';
237
+ if (!key || !value)
238
+ continue;
239
+ if (key.length > MAX_RESTORE_KEY)
240
+ key = key.slice(0, MAX_RESTORE_KEY);
241
+ if (value.length > MAX_RESTORE_VALUE)
242
+ value = value.slice(0, MAX_RESTORE_VALUE);
243
+ const rawNs = entry.namespace || 'restored';
244
+ const namespace = rawNs.length > MAX_RESTORE_NS ? rawNs.slice(0, MAX_RESTORE_NS) : rawNs;
245
+ await storeEntry({ key, value, namespace, upsert: true });
225
246
  }
226
247
  }
227
248
  }
@@ -353,14 +374,24 @@ export const sessionTools = [
353
374
  const session = loadSession(sessionId);
354
375
  if (session) {
355
376
  const path = getSessionPath(sessionId);
356
- const stat = statSync(path);
377
+ // Guard against TOCTOU: the file could be deleted between loadSession()
378
+ // and statSync(). Catch ENOENT (and any other fs error) so the MCP
379
+ // handler never throws an unhandled exception; callers get a clean
380
+ // response instead of a server-side crash.
381
+ let fileSize = 0;
382
+ try {
383
+ fileSize = statSync(path).size;
384
+ }
385
+ catch {
386
+ // File deleted or inaccessible after loadSession succeeded
387
+ }
357
388
  return {
358
389
  sessionId: session.sessionId,
359
390
  name: session.name,
360
391
  description: session.description,
361
392
  savedAt: session.savedAt,
362
393
  stats: session.stats,
363
- fileSize: stat.size,
394
+ fileSize,
364
395
  hasData: {
365
396
  memory: !!session.data?.memory,
366
397
  tasks: !!session.data?.tasks,
@@ -64,7 +64,13 @@ export const swarmTools = [
64
64
  handler: async (input) => {
65
65
  const topology = input.topology || 'hierarchical-mesh';
66
66
  const maxAgents = Math.min(Math.max(input.maxAgents || 8, 1), 50);
67
- const strategy = input.strategy || 'specialized';
67
+ // Cap strategy and config string fields: all are persisted in the swarm
68
+ // JSON store. topology is already validated against VALID_TOPOLOGIES so
69
+ // an invalid long value is rejected; the others have no validation.
70
+ const MAX_SWARM_FIELD_LEN = 256;
71
+ const rawStrategy = input.strategy || 'specialized';
72
+ const strategy = typeof rawStrategy === 'string' && rawStrategy.length > MAX_SWARM_FIELD_LEN
73
+ ? rawStrategy.slice(0, MAX_SWARM_FIELD_LEN) : rawStrategy;
68
74
  const config = (input.config || {});
69
75
  if (!VALID_TOPOLOGIES.has(topology)) {
70
76
  return {
@@ -85,9 +91,15 @@ export const swarmTools = [
85
91
  topology,
86
92
  maxAgents,
87
93
  strategy,
88
- communicationProtocol: config.communicationProtocol || 'message-bus',
94
+ communicationProtocol: (() => {
95
+ const raw = config.communicationProtocol || 'message-bus';
96
+ return typeof raw === 'string' && raw.length > MAX_SWARM_FIELD_LEN ? raw.slice(0, MAX_SWARM_FIELD_LEN) : raw;
97
+ })(),
89
98
  autoScaling: config.autoScaling ?? true,
90
- consensusMechanism: config.consensusMechanism || 'majority',
99
+ consensusMechanism: (() => {
100
+ const raw = config.consensusMechanism || 'majority';
101
+ return typeof raw === 'string' && raw.length > MAX_SWARM_FIELD_LEN ? raw.slice(0, MAX_SWARM_FIELD_LEN) : raw;
102
+ })(),
91
103
  },
92
104
  createdAt: now,
93
105
  updatedAt: now,
@@ -9,7 +9,7 @@
9
9
  * - os module for system information
10
10
  */
11
11
  import { getProjectCwd } from './types.js';
12
- import { existsSync, readFileSync, writeFileSync, renameSync, mkdirSync } from 'node:fs';
12
+ import { existsSync, readFileSync, statSync, writeFileSync, renameSync, mkdirSync } from 'node:fs';
13
13
  import { join, dirname } from 'node:path';
14
14
  import { fileURLToPath } from 'node:url';
15
15
  import * as os from 'node:os';
@@ -43,10 +43,11 @@ function ensureSystemDir() {
43
43
  mkdirSync(dir, { recursive: true });
44
44
  }
45
45
  }
46
+ const MAX_SYSTEM_STORE_BYTES = 50 * 1024 * 1024; // 50 MB
46
47
  function loadMetrics() {
47
48
  try {
48
49
  const path = getMetricsPath();
49
- if (existsSync(path)) {
50
+ if (existsSync(path) && statSync(path).size <= MAX_SYSTEM_STORE_BYTES) {
50
51
  return JSON.parse(readFileSync(path, 'utf-8'));
51
52
  }
52
53
  }
@@ -128,7 +129,9 @@ export const systemTools = [
128
129
  },
129
130
  handler: async (input) => {
130
131
  const store = loadMetrics();
131
- const category = input.category || 'all';
132
+ const VALID_CATEGORIES = new Set(['all', 'cpu', 'memory', 'agents', 'tasks', 'requests']);
133
+ const rawCategory = input.category || 'all';
134
+ const category = VALID_CATEGORIES.has(rawCategory) ? rawCategory : 'all';
132
135
  // Get REAL system metrics via Node.js APIs
133
136
  const memUsage = process.memoryUsage();
134
137
  const loadAvg = os.loadavg();
@@ -182,7 +185,7 @@ export const systemTools = [
182
185
  if (_metricsSource === 'none') {
183
186
  try {
184
187
  const agentStorePath = join(getProjectCwd(), STORAGE_DIR, 'agents', 'store.json');
185
- if (existsSync(agentStorePath)) {
188
+ if (existsSync(agentStorePath) && statSync(agentStorePath).size <= MAX_SYSTEM_STORE_BYTES) {
186
189
  const agentStore = JSON.parse(readFileSync(agentStorePath, 'utf-8'));
187
190
  const agents = Object.values(agentStore.agents || {});
188
191
  agentCounts = {
@@ -195,7 +198,7 @@ export const systemTools = [
195
198
  catch { /* agent store not available */ }
196
199
  try {
197
200
  const taskStorePath = join(getProjectCwd(), STORAGE_DIR, 'tasks', 'store.json');
198
- if (existsSync(taskStorePath)) {
201
+ if (existsSync(taskStorePath) && statSync(taskStorePath).size <= MAX_SYSTEM_STORE_BYTES) {
199
202
  const taskStore = JSON.parse(readFileSync(taskStorePath, 'utf-8'));
200
203
  const tasks = Object.values(taskStore.tasks || {});
201
204
  taskCounts = {
@@ -438,7 +441,11 @@ export const systemTools = [
438
441
  if (!input.confirm) {
439
442
  return { success: false, error: 'Reset requires confirmation' };
440
443
  }
441
- const component = input.component || 'metrics';
444
+ // Validate component against the allowed set to prevent unbounded string
445
+ // reflection in the response message.
446
+ const VALID_COMPONENTS = new Set(['all', 'metrics', 'agents', 'tasks']);
447
+ const rawComponent = input.component || 'metrics';
448
+ const component = VALID_COMPONENTS.has(rawComponent) ? rawComponent : 'metrics';
442
449
  // Reset metrics to defaults
443
450
  const defaultMetrics = {
444
451
  startTime: new Date().toISOString(),
@@ -530,7 +537,7 @@ export const systemTools = [
530
537
  const storePath = join(getProjectCwd(), '.monomind', 'tasks', 'store.json');
531
538
  let tasks = [];
532
539
  try {
533
- if (existsSync(storePath)) {
540
+ if (existsSync(storePath) && statSync(storePath).size <= MAX_SYSTEM_STORE_BYTES) {
534
541
  const data = readFileSync(storePath, 'utf-8');
535
542
  const store = JSON.parse(data);
536
543
  tasks = Object.values(store.tasks || {});
@@ -71,15 +71,36 @@ export const taskTools = [
71
71
  handler: async (input) => {
72
72
  const store = loadTaskStore();
73
73
  const taskId = `task-${Date.now()}-${randomBytes(4).toString('hex')}`;
74
+ // Cap all string fields: they are persisted verbatim to the task JSON store.
75
+ const MAX_TASK_TYPE_LEN = 128;
76
+ const MAX_TASK_DESC_LEN = 64 * 1024; // 64 KB — realistic task descriptions
77
+ const MAX_TASK_ASSIGNEE_LEN = 256;
78
+ const MAX_TASK_ASSIGNEES = 100;
79
+ const MAX_TASK_TAG_LEN = 128;
80
+ const MAX_TASK_TAGS = 50;
81
+ const rawTaskType = input.type;
82
+ const taskType = typeof rawTaskType === 'string' && rawTaskType.length > MAX_TASK_TYPE_LEN
83
+ ? rawTaskType.slice(0, MAX_TASK_TYPE_LEN) : rawTaskType;
84
+ const rawTaskDesc = input.description;
85
+ const taskDesc = typeof rawTaskDesc === 'string' && rawTaskDesc.length > MAX_TASK_DESC_LEN
86
+ ? rawTaskDesc.slice(0, MAX_TASK_DESC_LEN) : rawTaskDesc;
87
+ const rawAssignTo = input.assignTo || [];
88
+ const assignedTo = Array.isArray(rawAssignTo)
89
+ ? rawAssignTo.slice(0, MAX_TASK_ASSIGNEES).map(a => typeof a === 'string' && a.length > MAX_TASK_ASSIGNEE_LEN ? a.slice(0, MAX_TASK_ASSIGNEE_LEN) : a)
90
+ : [];
91
+ const rawTags = input.tags || [];
92
+ const tags = Array.isArray(rawTags)
93
+ ? rawTags.slice(0, MAX_TASK_TAGS).map(t => typeof t === 'string' && t.length > MAX_TASK_TAG_LEN ? t.slice(0, MAX_TASK_TAG_LEN) : t)
94
+ : [];
74
95
  const task = {
75
96
  taskId,
76
- type: input.type,
77
- description: input.description,
97
+ type: taskType,
98
+ description: taskDesc,
78
99
  priority: input.priority || 'normal',
79
100
  status: 'pending',
80
101
  progress: 0,
81
- assignedTo: input.assignTo || [],
82
- tags: input.tags || [],
102
+ assignedTo,
103
+ tags,
83
104
  createdAt: new Date().toISOString(),
84
105
  startedAt: null,
85
106
  completedAt: null,
@@ -172,8 +193,13 @@ export const taskTools = [
172
193
  }
173
194
  // Sort by creation date (newest first)
174
195
  tasks.sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
175
- // Apply limit
176
- const limit = input.limit || 50;
196
+ // Apply limit — cap to 1 000 to prevent returning the entire task store
197
+ // in one response, which could cause OOM on large deployments.
198
+ const MAX_TASK_LIMIT = 1_000;
199
+ const rawLimit = typeof input.limit === 'number' ? input.limit : 50;
200
+ const limit = Number.isFinite(rawLimit) && rawLimit > 0
201
+ ? Math.min(Math.floor(rawLimit), MAX_TASK_LIMIT)
202
+ : 50;
177
203
  tasks = tasks.slice(0, limit);
178
204
  return {
179
205
  tasks: tasks.map(t => ({
@@ -225,7 +251,7 @@ export const taskTools = [
225
251
  const agentStorePath = join(getProjectCwd(), STORAGE_DIR, 'agents', 'store.json');
226
252
  try {
227
253
  let agentStore = { agents: {} };
228
- if (existsSync(agentStorePath)) {
254
+ if (existsSync(agentStorePath) && statSync(agentStorePath).size <= MAX_TASK_STORE_BYTES) {
229
255
  const agentRaw = JSON.parse(readFileSync(agentStorePath, 'utf-8'));
230
256
  if (agentRaw && typeof agentRaw === 'object' && !Object.prototype.hasOwnProperty.call(agentRaw, '__proto__')) {
231
257
  agentStore = agentRaw;
@@ -298,7 +324,15 @@ export const taskTools = [
298
324
  task.progress = Math.min(100, Math.max(0, input.progress));
299
325
  }
300
326
  if (input.assignTo) {
301
- task.assignedTo = input.assignTo;
327
+ // Cap array and element lengths — task_create already does this;
328
+ // task_update must apply the same guards so the on-disk store
329
+ // cannot be inflated via the update path.
330
+ const MAX_TASK_ASSIGNEE_LEN = 256;
331
+ const MAX_TASK_ASSIGNEES = 100;
332
+ const rawAssignTo = input.assignTo;
333
+ task.assignedTo = Array.isArray(rawAssignTo)
334
+ ? rawAssignTo.slice(0, MAX_TASK_ASSIGNEES).map(a => typeof a === 'string' && a.length > MAX_TASK_ASSIGNEE_LEN ? a.slice(0, MAX_TASK_ASSIGNEE_LEN) : a)
335
+ : task.assignedTo;
302
336
  }
303
337
  saveTaskStore(store);
304
338
  return {
@@ -343,7 +377,7 @@ export const taskTools = [
343
377
  const agentStorePath = join(getProjectCwd(), STORAGE_DIR, 'agents', 'store.json');
344
378
  let agentStore = { agents: {} };
345
379
  try {
346
- if (existsSync(agentStorePath)) {
380
+ if (existsSync(agentStorePath) && statSync(agentStorePath).size <= MAX_TASK_STORE_BYTES) {
347
381
  agentStore = JSON.parse(readFileSync(agentStorePath, 'utf-8'));
348
382
  }
349
383
  }
@@ -426,7 +460,15 @@ export const taskTools = [
426
460
  if (task) {
427
461
  task.status = 'cancelled';
428
462
  task.completedAt = new Date().toISOString();
429
- task.result = { cancelReason: input.reason || 'Cancelled by user' };
463
+ // Cap reason: persisted verbatim to the task store on disk.
464
+ // Without a cap an attacker can inflate the store with an arbitrarily
465
+ // large cancellation reason string.
466
+ const MAX_CANCEL_REASON_LEN = 1024;
467
+ const rawReason = input.reason;
468
+ const cancelReason = typeof rawReason === 'string' && rawReason.length > MAX_CANCEL_REASON_LEN
469
+ ? rawReason.slice(0, MAX_CANCEL_REASON_LEN)
470
+ : (rawReason || 'Cancelled by user');
471
+ task.result = { cancelReason };
430
472
  saveTaskStore(store);
431
473
  return {
432
474
  success: true,
@@ -1,6 +1,7 @@
1
1
  import { getProjectCwd } from './types.js';
2
- import { existsSync, readFileSync, writeFileSync, renameSync, mkdirSync } from 'node:fs';
3
- import { join } from 'node:path';
2
+ import { existsSync, readFileSync, statSync, writeFileSync, renameSync, mkdirSync } from 'node:fs';
3
+ import { join, resolve } from 'node:path';
4
+ import { homedir } from 'node:os';
4
5
  import { execSync } from 'node:child_process';
5
6
  import { randomBytes } from 'node:crypto';
6
7
  // Storage paths
@@ -19,10 +20,11 @@ function ensureTerminalDir() {
19
20
  mkdirSync(dir, { recursive: true });
20
21
  }
21
22
  }
23
+ const MAX_TERMINAL_STORE_BYTES = 10 * 1024 * 1024; // 10 MB
22
24
  function loadTerminalStore() {
23
25
  try {
24
26
  const path = getTerminalPath();
25
- if (existsSync(path)) {
27
+ if (existsSync(path) && statSync(path).size <= MAX_TERMINAL_STORE_BYTES) {
26
28
  return JSON.parse(readFileSync(path, 'utf-8'));
27
29
  }
28
30
  }
@@ -74,14 +76,40 @@ export const terminalTools = [
74
76
  safeEnv[k] = String(v);
75
77
  }
76
78
  }
79
+ // Validate workingDir: must exist, be a directory, and not escape to
80
+ // system-sensitive paths. Fall back to project cwd if invalid.
81
+ let resolvedWorkingDir = getProjectCwd();
82
+ if (input.workingDir && typeof input.workingDir === 'string') {
83
+ const candidate = resolve(input.workingDir);
84
+ const projectCwd = getProjectCwd();
85
+ const home = homedir();
86
+ // Allow paths under project cwd or user home directory only.
87
+ const isUnderProject = candidate === projectCwd || candidate.startsWith(projectCwd + '/') || candidate.startsWith(projectCwd + '\\');
88
+ const isUnderHome = candidate === home || candidate.startsWith(home + '/') || candidate.startsWith(home + '\\');
89
+ if ((isUnderProject || isUnderHome) && existsSync(candidate)) {
90
+ try {
91
+ if (statSync(candidate).isDirectory()) {
92
+ resolvedWorkingDir = candidate;
93
+ }
94
+ }
95
+ catch {
96
+ // Leave resolvedWorkingDir as default
97
+ }
98
+ }
99
+ }
77
100
  const id = `term-${Date.now()}-${randomBytes(4).toString('hex')}`;
101
+ // Cap session name: stored in terminal JSON store on disk.
102
+ const MAX_TERMINAL_NAME_LEN = 256;
103
+ const rawTerminalName = input.name || `Terminal ${Object.keys(store.sessions).length + 1}`;
104
+ const terminalName = typeof rawTerminalName === 'string' && rawTerminalName.length > MAX_TERMINAL_NAME_LEN
105
+ ? rawTerminalName.slice(0, MAX_TERMINAL_NAME_LEN) : rawTerminalName;
78
106
  const session = {
79
107
  id,
80
- name: input.name || `Terminal ${Object.keys(store.sessions).length + 1}`,
108
+ name: terminalName,
81
109
  status: 'active',
82
110
  createdAt: new Date().toISOString(),
83
111
  lastActivity: new Date().toISOString(),
84
- workingDir: input.workingDir || getProjectCwd(),
112
+ workingDir: resolvedWorkingDir,
85
113
  history: [],
86
114
  env: safeEnv,
87
115
  };
@@ -114,7 +142,13 @@ export const terminalTools = [
114
142
  handler: async (input) => {
115
143
  const store = loadTerminalStore();
116
144
  const sessionId = input.sessionId;
117
- const command = input.command;
145
+ // Cap command: the metacharacter regex check at line 220 is O(n), and the
146
+ // raw command is stored verbatim in session history (up to 200 entries).
147
+ // A realistic shell command is well under 64 KB; cap there.
148
+ const MAX_TERMINAL_COMMAND_LEN = 64 * 1024;
149
+ const rawCommand = input.command;
150
+ const command = typeof rawCommand === 'string' && rawCommand.length > MAX_TERMINAL_COMMAND_LEN
151
+ ? rawCommand.slice(0, MAX_TERMINAL_COMMAND_LEN) : rawCommand;
118
152
  const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
119
153
  // Reject inherited keys (incl. toString/hasOwnProperty/etc.) so a tampered
120
154
  // store.json can't redirect bracket access into Object.prototype.
@@ -59,7 +59,13 @@ export const transferTools = [
59
59
  handler: async (input) => {
60
60
  try {
61
61
  const { detectPII } = await import('../transfer/anonymization/index.js');
62
- const result = detectPII(input.content);
62
+ // detectPII runs multiple PII regexes over the entire string — O(n × patterns).
63
+ // Cap to 1 MB to prevent ReDoS-style DoS from oversized content.
64
+ const MAX_PII_CONTENT_LEN = 1024 * 1024; // 1 MB
65
+ const rawContent = input.content;
66
+ const content = typeof rawContent === 'string' && rawContent.length > MAX_PII_CONTENT_LEN
67
+ ? rawContent.slice(0, MAX_PII_CONTENT_LEN) : rawContent;
68
+ const result = detectPII(content);
63
69
  return createResult(result);
64
70
  }
65
71
  catch (error) {
@@ -88,7 +94,13 @@ export const transferTools = [
88
94
  handler: async (input) => {
89
95
  try {
90
96
  const { resolveIPNS } = await import('../transfer/ipfs/client.js');
91
- const result = await resolveIPNS(input.name);
97
+ // Cap IPNS name length — uncapped strings may trigger O(n) path parsing
98
+ // inside the IPFS client or be reflected in error messages.
99
+ const MAX_IPNS_NAME_LEN = 512;
100
+ const rawName = input.name;
101
+ const name = typeof rawName === 'string' && rawName.length > MAX_IPNS_NAME_LEN
102
+ ? rawName.slice(0, MAX_IPNS_NAME_LEN) : rawName;
103
+ const result = await resolveIPNS(name);
92
104
  return createResult({ success: true, cid: result });
93
105
  }
94
106
  catch (error) {
@@ -132,7 +144,18 @@ export const transferTools = [
132
144
  handler: async (input) => {
133
145
  try {
134
146
  const store = await getPatternStore();
135
- const results = store.search(input);
147
+ // Cap query and limit to prevent DoS via large string or result set.
148
+ const MAX_TRANSFER_QUERY_LEN = 4 * 1024;
149
+ const MAX_TRANSFER_LIMIT = 500;
150
+ const inp = input;
151
+ const cappedInput = {
152
+ ...inp,
153
+ query: typeof inp.query === 'string' && inp.query.length > MAX_TRANSFER_QUERY_LEN
154
+ ? inp.query.slice(0, MAX_TRANSFER_QUERY_LEN) : inp.query,
155
+ limit: typeof inp.limit === 'number' && Number.isFinite(inp.limit)
156
+ ? Math.min(Math.floor(Math.max(inp.limit, 1)), MAX_TRANSFER_LIMIT) : inp.limit,
157
+ };
158
+ const results = store.search(cappedInput);
136
159
  return createResult(results);
137
160
  }
138
161
  catch (error) {
@@ -296,7 +319,17 @@ export const transferTools = [
296
319
  if (!result.success || !result.registry) {
297
320
  return createResult({ error: result.error || 'Failed to discover registry' }, true);
298
321
  }
299
- const opts = input;
322
+ // Cap query and limit before forwarding to searchPlugins.
323
+ const MAX_PLUGIN_QUERY_LEN = 4 * 1024;
324
+ const MAX_PLUGIN_LIMIT = 500;
325
+ const rawOpts = input;
326
+ const opts = {
327
+ ...rawOpts,
328
+ query: typeof rawOpts.query === 'string' && rawOpts.query.length > MAX_PLUGIN_QUERY_LEN
329
+ ? rawOpts.query.slice(0, MAX_PLUGIN_QUERY_LEN) : rawOpts.query,
330
+ limit: typeof rawOpts.limit === 'number' && Number.isFinite(rawOpts.limit)
331
+ ? Math.min(Math.floor(Math.max(rawOpts.limit, 1)), MAX_PLUGIN_LIMIT) : rawOpts.limit,
332
+ };
300
333
  const searchResult = searchPlugins(result.registry, opts);
301
334
  return createResult(searchResult);
302
335
  }
@@ -0,0 +1,9 @@
1
+ /**
2
+ * WASM Agent MCP Tools
3
+ *
4
+ * Exposes @monoes/rvagent-wasm operations via MCP protocol.
5
+ * All tools gracefully degrade when the WASM package is not installed.
6
+ */
7
+ import type { MCPTool } from './types.js';
8
+ export declare const wasmAgentTools: MCPTool[];
9
+ //# sourceMappingURL=wasm-agent-tools.d.ts.map