monomind 1.11.13 → 1.12.0

Files changed (389) hide show
  1. package/.claude/agents/generated/channel-intelligence-director.md +87 -0
  2. package/.claude/agents/generated/chief-growth-officer.md +88 -0
  3. package/.claude/agents/generated/content-seo-strategist.md +90 -0
  4. package/.claude/agents/generated/developer-community-strategist.md +91 -0
  5. package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
  6. package/.claude/agents/generated/social-media-strategist.md +91 -0
  7. package/.claude/agents/generated/video-visual-strategist.md +90 -0
  8. package/.claude/commands/mastermind/idea.md +1 -1
  9. package/.claude/helpers/auto-memory-hook.mjs +13 -4
  10. package/.claude/helpers/control-start.cjs +5 -0
  11. package/.claude/helpers/event-logger.cjs +114 -0
  12. package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
  13. package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
  14. package/.claude/helpers/handlers/compact-handler.cjs +2 -0
  15. package/.claude/helpers/handlers/edit-handler.cjs +1 -1
  16. package/.claude/helpers/handlers/gates-handler.cjs +3 -0
  17. package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
  18. package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
  19. package/.claude/helpers/handlers/route-handler.cjs +13 -6
  20. package/.claude/helpers/handlers/session-handler.cjs +11 -4
  21. package/.claude/helpers/handlers/session-restore-handler.cjs +21 -11
  22. package/.claude/helpers/handlers/task-handler.cjs +13 -5
  23. package/.claude/helpers/intelligence.cjs +7 -2
  24. package/.claude/helpers/loop-tracker.cjs +15 -3
  25. package/.claude/helpers/memory.cjs +6 -1
  26. package/.claude/helpers/router.cjs +5 -2
  27. package/.claude/helpers/session.cjs +2 -0
  28. package/.claude/helpers/statusline.cjs +10 -2
  29. package/.claude/helpers/utils/micro-agents.cjs +20 -4
  30. package/.claude/scheduled_tasks.lock +1 -1
  31. package/.claude/settings.json +92 -1
  32. package/.claude/skills/mastermind/_protocol.md +23 -13
  33. package/.claude/skills/mastermind/architect.md +6 -9
  34. package/.claude/skills/mastermind/build.md +3 -3
  35. package/.claude/skills/mastermind/content.md +3 -3
  36. package/.claude/skills/mastermind/createorg.md +2 -2
  37. package/.claude/skills/mastermind/finance.md +3 -3
  38. package/.claude/skills/mastermind/idea.md +5 -3
  39. package/.claude/skills/mastermind/marketing.md +3 -3
  40. package/.claude/skills/mastermind/monitor.md +2 -2
  41. package/.claude/skills/mastermind/release.md +3 -3
  42. package/.claude/skills/mastermind/research.md +3 -3
  43. package/.claude/skills/mastermind/review.md +3 -3
  44. package/.claude/skills/mastermind/runorg.md +153 -86
  45. package/.claude/skills/mastermind/sales.md +3 -3
  46. package/README.md +286 -129
  47. package/package.json +19 -2
  48. package/packages/@monomind/cli/README.md +286 -129
  49. package/packages/@monomind/cli/bundled-graph/dist/src/build.js +73 -0
  50. package/packages/@monomind/cli/bundled-graph/dist/src/cluster.js +120 -0
  51. package/packages/@monomind/cli/bundled-graph/package.json +57 -0
  52. package/packages/@monomind/cli/dist/src/agents/halt-signal.d.ts +25 -0
  53. package/packages/@monomind/cli/dist/src/agents/halt-signal.js +76 -0
  54. package/packages/@monomind/cli/dist/src/agents/index.d.ts +18 -0
  55. package/packages/@monomind/cli/dist/src/agents/index.js +13 -0
  56. package/packages/@monomind/cli/dist/src/agents/managed-agent.d.ts +41 -0
  57. package/packages/@monomind/cli/dist/src/agents/managed-agent.js +69 -0
  58. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts +23 -0
  59. package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js +49 -0
  60. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts +22 -0
  61. package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js +80 -0
  62. package/packages/@monomind/cli/dist/src/agents/registry-builder.js +2 -0
  63. package/packages/@monomind/cli/dist/src/agents/registry-query.d.ts +71 -0
  64. package/packages/@monomind/cli/dist/src/agents/registry-query.js +125 -0
  65. package/packages/@monomind/cli/dist/src/agents/score-decay.d.ts +19 -0
  66. package/packages/@monomind/cli/dist/src/agents/score-decay.js +22 -0
  67. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.d.ts +13 -0
  68. package/packages/@monomind/cli/dist/src/agents/shared-instructions-loader.js +40 -0
  69. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.d.ts +54 -0
  70. package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js +212 -0
  71. package/packages/@monomind/cli/dist/src/agents/termination-watcher.d.ts +30 -0
  72. package/packages/@monomind/cli/dist/src/agents/termination-watcher.js +84 -0
  73. package/packages/@monomind/cli/dist/src/agents/trigger-index.d.ts +20 -0
  74. package/packages/@monomind/cli/dist/src/agents/trigger-index.js +38 -0
  75. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts +64 -0
  76. package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js +308 -0
  77. package/packages/@monomind/cli/dist/src/agents/version-diff.d.ts +18 -0
  78. package/packages/@monomind/cli/dist/src/agents/version-diff.js +64 -0
  79. package/packages/@monomind/cli/dist/src/agents/version-store.d.ts +60 -0
  80. package/packages/@monomind/cli/dist/src/agents/version-store.js +235 -0
  81. package/packages/@monomind/cli/dist/src/autopilot-state.js +10 -5
  82. package/packages/@monomind/cli/dist/src/benchmarks/benchmark-runner.js +13 -0
  83. package/packages/@monomind/cli/dist/src/benchmarks/metric-evaluators.js +20 -9
  84. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.d.ts +45 -0
  85. package/packages/@monomind/cli/dist/src/benchmarks/pretrain/index.js +404 -0
  86. package/packages/@monomind/cli/dist/src/browser/actions.js +10 -3
  87. package/packages/@monomind/cli/dist/src/browser/browser.js +12 -2
  88. package/packages/@monomind/cli/dist/src/browser/cdp.js +21 -3
  89. package/packages/@monomind/cli/dist/src/browser/har.js +27 -5
  90. package/packages/@monomind/cli/dist/src/commands/agent-wasm.d.ts +14 -0
  91. package/packages/@monomind/cli/dist/src/commands/agent-wasm.js +333 -0
  92. package/packages/@monomind/cli/dist/src/commands/agent.js +11 -8
  93. package/packages/@monomind/cli/dist/src/commands/analyze.js +36 -21
  94. package/packages/@monomind/cli/dist/src/commands/autopilot.js +12 -4
  95. package/packages/@monomind/cli/dist/src/commands/benchmark.js +51 -8
  96. package/packages/@monomind/cli/dist/src/commands/browse.js +5 -2
  97. package/packages/@monomind/cli/dist/src/commands/claims.js +29 -11
  98. package/packages/@monomind/cli/dist/src/commands/cleanup.js +25 -5
  99. package/packages/@monomind/cli/dist/src/commands/config.js +15 -7
  100. package/packages/@monomind/cli/dist/src/commands/daemon.js +6 -0
  101. package/packages/@monomind/cli/dist/src/commands/deployment.js +34 -19
  102. package/packages/@monomind/cli/dist/src/commands/doctor.js +151 -20
  103. package/packages/@monomind/cli/dist/src/commands/guidance.js +15 -2
  104. package/packages/@monomind/cli/dist/src/commands/hive-mind.js +37 -14
  105. package/packages/@monomind/cli/dist/src/commands/hooks.js +42 -25
  106. package/packages/@monomind/cli/dist/src/commands/init.js +9 -4
  107. package/packages/@monomind/cli/dist/src/commands/issues.js +29 -26
  108. package/packages/@monomind/cli/dist/src/commands/mcp.js +11 -5
  109. package/packages/@monomind/cli/dist/src/commands/memory.js +10 -0
  110. package/packages/@monomind/cli/dist/src/commands/migrate.js +5 -5
  111. package/packages/@monomind/cli/dist/src/commands/monograph.js +18 -5
  112. package/packages/@monomind/cli/dist/src/commands/monovector/backup.js +8 -2
  113. package/packages/@monomind/cli/dist/src/commands/monovector/benchmark.js +20 -7
  114. package/packages/@monomind/cli/dist/src/commands/monovector/import.js +15 -0
  115. package/packages/@monomind/cli/dist/src/commands/monovector/migrate.js +4 -1
  116. package/packages/@monomind/cli/dist/src/commands/monovector/optimize.js +11 -0
  117. package/packages/@monomind/cli/dist/src/commands/monovector/setup.js +11 -1
  118. package/packages/@monomind/cli/dist/src/commands/neural.js +1 -1
  119. package/packages/@monomind/cli/dist/src/commands/performance.js +20 -7
  120. package/packages/@monomind/cli/dist/src/commands/platforms.js +90 -8
  121. package/packages/@monomind/cli/dist/src/commands/plugins.js +12 -5
  122. package/packages/@monomind/cli/dist/src/commands/process.js +33 -10
  123. package/packages/@monomind/cli/dist/src/commands/progress.js +5 -3
  124. package/packages/@monomind/cli/dist/src/commands/providers.js +5 -5
  125. package/packages/@monomind/cli/dist/src/commands/replay.js +8 -2
  126. package/packages/@monomind/cli/dist/src/commands/route.js +27 -7
  127. package/packages/@monomind/cli/dist/src/commands/security.js +4 -0
  128. package/packages/@monomind/cli/dist/src/commands/session.js +12 -1
  129. package/packages/@monomind/cli/dist/src/commands/start.js +11 -4
  130. package/packages/@monomind/cli/dist/src/commands/status.js +7 -4
  131. package/packages/@monomind/cli/dist/src/commands/swarm.js +27 -13
  132. package/packages/@monomind/cli/dist/src/commands/task.js +26 -11
  133. package/packages/@monomind/cli/dist/src/commands/tokens.js +7 -2
  134. package/packages/@monomind/cli/dist/src/commands/transfer-store.js +36 -22
  135. package/packages/@monomind/cli/dist/src/commands/ui.js +68 -0
  136. package/packages/@monomind/cli/dist/src/commands/update.js +15 -3
  137. package/packages/@monomind/cli/dist/src/commands/workflow.js +39 -6
  138. package/packages/@monomind/cli/dist/src/consensus/audit-writer.js +18 -7
  139. package/packages/@monomind/cli/dist/src/consensus/index.d.ts +7 -0
  140. package/packages/@monomind/cli/dist/src/consensus/index.js +6 -0
  141. package/packages/@monomind/cli/dist/src/consensus/vote-signer.js +25 -8
  142. package/packages/@monomind/cli/dist/src/context/context-provider.d.ts +44 -0
  143. package/packages/@monomind/cli/dist/src/context/context-provider.js +25 -0
  144. package/packages/@monomind/cli/dist/src/context/git-state-provider.d.ts +12 -0
  145. package/packages/@monomind/cli/dist/src/context/git-state-provider.js +34 -0
  146. package/packages/@monomind/cli/dist/src/context/index.d.ts +12 -0
  147. package/packages/@monomind/cli/dist/src/context/index.js +12 -0
  148. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.d.ts +15 -0
  149. package/packages/@monomind/cli/dist/src/context/project-conventions-provider.js +19 -0
  150. package/packages/@monomind/cli/dist/src/context/prompt-assembler.d.ts +26 -0
  151. package/packages/@monomind/cli/dist/src/context/prompt-assembler.js +93 -0
  152. package/packages/@monomind/cli/dist/src/context/task-history-provider.d.ts +24 -0
  153. package/packages/@monomind/cli/dist/src/context/task-history-provider.js +32 -0
  154. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.d.ts +14 -0
  155. package/packages/@monomind/cli/dist/src/context/user-preferences-provider.js +27 -0
  156. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.d.ts +31 -0
  157. package/packages/@monomind/cli/dist/src/dlq/dlq-reader.js +81 -0
  158. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.d.ts +24 -0
  159. package/packages/@monomind/cli/dist/src/dlq/dlq-writer.js +65 -0
  160. package/packages/@monomind/cli/dist/src/dlq/index.d.ts +10 -0
  161. package/packages/@monomind/cli/dist/src/dlq/index.js +7 -0
  162. package/packages/@monomind/cli/dist/src/eval/dataset-manager.d.ts +33 -0
  163. package/packages/@monomind/cli/dist/src/eval/dataset-manager.js +107 -0
  164. package/packages/@monomind/cli/dist/src/eval/dataset-runner.d.ts +23 -0
  165. package/packages/@monomind/cli/dist/src/eval/dataset-runner.js +59 -0
  166. package/packages/@monomind/cli/dist/src/eval/index.d.ts +10 -0
  167. package/packages/@monomind/cli/dist/src/eval/index.js +7 -0
  168. package/packages/@monomind/cli/dist/src/eval/trace-collector.d.ts +40 -0
  169. package/packages/@monomind/cli/dist/src/eval/trace-collector.js +102 -0
  170. package/packages/@monomind/cli/dist/src/index.js +7 -3
  171. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.d.ts +68 -0
  172. package/packages/@monomind/cli/dist/src/infrastructure/in-memory-repositories.js +264 -0
  173. package/packages/@monomind/cli/dist/src/init/executor.js +14 -11
  174. package/packages/@monomind/cli/dist/src/init/shared-instructions-generator.js +20 -4
  175. package/packages/@monomind/cli/dist/src/init/statusline-generator.js +33 -12
  176. package/packages/@monomind/cli/dist/src/interactive/interrupt.d.ts +22 -0
  177. package/packages/@monomind/cli/dist/src/interactive/interrupt.js +71 -0
  178. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.d.ts +25 -0
  179. package/packages/@monomind/cli/dist/src/mcp/deprecation-injector.js +48 -0
  180. package/packages/@monomind/cli/dist/src/mcp/tool-registry.d.ts +61 -0
  181. package/packages/@monomind/cli/dist/src/mcp/tool-registry.js +246 -0
  182. package/packages/@monomind/cli/dist/src/mcp-tools/a2a-tools.js +98 -13
  183. package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js +16 -3
  184. package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js +80 -17
  185. package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js +84 -22
  186. package/packages/@monomind/cli/dist/src/mcp-tools/claims-tools.js +35 -7
  187. package/packages/@monomind/cli/dist/src/mcp-tools/config-tools.js +82 -17
  188. package/packages/@monomind/cli/dist/src/mcp-tools/coordination-tools.js +37 -4
  189. package/packages/@monomind/cli/dist/src/mcp-tools/daa-tools.js +49 -7
  190. package/packages/@monomind/cli/dist/src/mcp-tools/embeddings-tools.js +45 -18
  191. package/packages/@monomind/cli/dist/src/mcp-tools/github-tools.js +75 -25
  192. package/packages/@monomind/cli/dist/src/mcp-tools/guidance-tools.js +32 -10
  193. package/packages/@monomind/cli/dist/src/mcp-tools/hive-mind-tools.js +91 -20
  194. package/packages/@monomind/cli/dist/src/mcp-tools/hooks-tools.js +188 -29
  195. package/packages/@monomind/cli/dist/src/mcp-tools/memory-tools.js +25 -7
  196. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-compat.js +11 -2
  197. package/packages/@monomind/cli/dist/src/mcp-tools/monograph-tools.js +148 -26
  198. package/packages/@monomind/cli/dist/src/mcp-tools/neural-tools.js +44 -9
  199. package/packages/@monomind/cli/dist/src/mcp-tools/performance-tools.js +45 -10
  200. package/packages/@monomind/cli/dist/src/mcp-tools/progress-tools.js +7 -4
  201. package/packages/@monomind/cli/dist/src/mcp-tools/request-tracker.js +15 -1
  202. package/packages/@monomind/cli/dist/src/mcp-tools/security-tools.js +61 -9
  203. package/packages/@monomind/cli/dist/src/mcp-tools/session-tools.js +45 -14
  204. package/packages/@monomind/cli/dist/src/mcp-tools/swarm-tools.js +15 -3
  205. package/packages/@monomind/cli/dist/src/mcp-tools/system-tools.js +14 -7
  206. package/packages/@monomind/cli/dist/src/mcp-tools/task-tools.js +52 -10
  207. package/packages/@monomind/cli/dist/src/mcp-tools/terminal-tools.js +40 -6
  208. package/packages/@monomind/cli/dist/src/mcp-tools/transfer-tools.js +37 -4
  209. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.d.ts +9 -0
  210. package/packages/@monomind/cli/dist/src/mcp-tools/wasm-agent-tools.js +230 -0
  211. package/packages/@monomind/cli/dist/src/mcp-tools/workflow-tools.js +29 -6
  212. package/packages/@monomind/cli/dist/src/memory/ewc-consolidation.js +26 -10
  213. package/packages/@monomind/cli/dist/src/memory/intelligence.js +80 -19
  214. package/packages/@monomind/cli/dist/src/memory/memory-bridge.js +21 -2
  215. package/packages/@monomind/cli/dist/src/memory/memory-initializer.js +67 -3
  216. package/packages/@monomind/cli/dist/src/memory/sona-optimizer.js +14 -4
  217. package/packages/@monomind/cli/dist/src/model/complexity-scorer.d.ts +21 -0
  218. package/packages/@monomind/cli/dist/src/model/complexity-scorer.js +106 -0
  219. package/packages/@monomind/cli/dist/src/model/index.d.ts +4 -0
  220. package/packages/@monomind/cli/dist/src/model/index.js +4 -0
  221. package/packages/@monomind/cli/dist/src/model/model-settings.d.ts +22 -0
  222. package/packages/@monomind/cli/dist/src/model/model-settings.js +33 -0
  223. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.d.ts +24 -0
  224. package/packages/@monomind/cli/dist/src/model/model-tier-resolver.js +65 -0
  225. package/packages/@monomind/cli/dist/src/monovector/capabilities.d.ts +34 -0
  226. package/packages/@monomind/cli/dist/src/monovector/capabilities.js +37 -0
  227. package/packages/@monomind/cli/dist/src/monovector/command-outcomes.js +43 -7
  228. package/packages/@monomind/cli/dist/src/monovector/coverage-router.js +8 -4
  229. package/packages/@monomind/cli/dist/src/monovector/coverage-tools.js +6 -3
  230. package/packages/@monomind/cli/dist/src/monovector/diff-classifier.js +13 -0
  231. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.d.ts +2 -1
  232. package/packages/@monomind/cli/dist/src/monovector/route-outcomes.js +46 -4
  233. package/packages/@monomind/cli/dist/src/observability/replay-reader.d.ts +1 -1
  234. package/packages/@monomind/cli/dist/src/orchestration/index.d.ts +7 -0
  235. package/packages/@monomind/cli/dist/src/orchestration/index.js +6 -0
  236. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.d.ts +11 -0
  237. package/packages/@monomind/cli/dist/src/orchestration/mode-dispatcher.js +31 -0
  238. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.d.ts +68 -0
  239. package/packages/@monomind/cli/dist/src/orchestration/routing-modes.js +180 -0
  240. package/packages/@monomind/cli/dist/src/plugins/manager.js +8 -3
  241. package/packages/@monomind/cli/dist/src/plugins/store/discovery.js +46 -2
  242. package/packages/@monomind/cli/dist/src/plugins/store/search.js +5 -4
  243. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.d.ts +7 -0
  244. package/packages/@monomind/cli/dist/src/plugins/tests/demo-plugin-store.js +126 -0
  245. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.d.ts +12 -0
  246. package/packages/@monomind/cli/dist/src/plugins/tests/standalone-test.js +188 -0
  247. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.d.ts +7 -0
  248. package/packages/@monomind/cli/dist/src/plugins/tests/test-plugin-store.js +206 -0
  249. package/packages/@monomind/cli/dist/src/production/circuit-breaker.js +17 -3
  250. package/packages/@monomind/cli/dist/src/production/error-handler.js +3 -0
  251. package/packages/@monomind/cli/dist/src/production/monitoring.js +20 -3
  252. package/packages/@monomind/cli/dist/src/production/rate-limiter.js +13 -4
  253. package/packages/@monomind/cli/dist/src/production/retry.js +17 -9
  254. package/packages/@monomind/cli/dist/src/routing/embed-worker.js +6 -2
  255. package/packages/@monomind/cli/dist/src/routing/embedder.js +0 -0
  256. package/packages/@monomind/cli/dist/src/routing/llm-caller.js +13 -2
  257. package/packages/@monomind/cli/dist/src/routing/route-layer-factory.js +18 -3
  258. package/packages/@monomind/cli/dist/src/runtime/headless.d.ts +60 -0
  259. package/packages/@monomind/cli/dist/src/runtime/headless.js +284 -0
  260. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.d.ts +50 -0
  261. package/packages/@monomind/cli/dist/src/services/agentic-flow-bridge.js +95 -0
  262. package/packages/@monomind/cli/dist/src/services/claim-service.d.ts +1 -0
  263. package/packages/@monomind/cli/dist/src/services/claim-service.js +8 -0
  264. package/packages/@monomind/cli/dist/src/services/config-file-manager.js +14 -2
  265. package/packages/@monomind/cli/dist/src/services/container-worker-pool.d.ts +197 -0
  266. package/packages/@monomind/cli/dist/src/services/container-worker-pool.js +623 -0
  267. package/packages/@monomind/cli/dist/src/services/headless-worker-executor.js +18 -2
  268. package/packages/@monomind/cli/dist/src/services/index.d.ts +13 -0
  269. package/packages/@monomind/cli/dist/src/services/index.js +11 -0
  270. package/packages/@monomind/cli/dist/src/services/worker-daemon.js +53 -12
  271. package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts +201 -0
  272. package/packages/@monomind/cli/dist/src/services/worker-queue.js +594 -0
  273. package/packages/@monomind/cli/dist/src/swarm/communication-graph.d.ts +25 -0
  274. package/packages/@monomind/cli/dist/src/swarm/communication-graph.js +77 -0
  275. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts +31 -0
  276. package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js +61 -0
  277. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts +19 -0
  278. package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.js +68 -0
  279. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.d.ts +0 -3
  280. package/packages/@monomind/cli/dist/src/transfer/anonymization/index.js +16 -1
  281. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.d.ts +13 -0
  282. package/packages/@monomind/cli/dist/src/transfer/deploy-seraphine.js +205 -0
  283. package/packages/@monomind/cli/dist/src/transfer/export.js +8 -0
  284. package/packages/@monomind/cli/dist/src/transfer/ipfs/upload.js +33 -3
  285. package/packages/@monomind/cli/dist/src/transfer/serialization/cfp.js +9 -3
  286. package/packages/@monomind/cli/dist/src/transfer/storage/gcs.js +37 -3
  287. package/packages/@monomind/cli/dist/src/transfer/store/discovery.js +45 -3
  288. package/packages/@monomind/cli/dist/src/transfer/store/download.js +5 -0
  289. package/packages/@monomind/cli/dist/src/transfer/store/publish.js +13 -1
  290. package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts +8 -0
  291. package/packages/@monomind/cli/dist/src/transfer/store/registry.js +30 -5
  292. package/packages/@monomind/cli/dist/src/transfer/store/search.js +20 -5
  293. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.d.ts +12 -0
  294. package/packages/@monomind/cli/dist/src/transfer/store/tests/standalone-test.js +190 -0
  295. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.d.ts +6 -0
  296. package/packages/@monomind/cli/dist/src/transfer/test-seraphine.js +105 -0
  297. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.d.ts +7 -0
  298. package/packages/@monomind/cli/dist/src/transfer/tests/test-store.js +214 -0
  299. package/packages/@monomind/cli/dist/src/update/checker.js +59 -7
  300. package/packages/@monomind/cli/dist/src/update/executor.js +50 -3
  301. package/packages/@monomind/cli/dist/src/update/index.js +18 -1
  302. package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts +6 -0
  303. package/packages/@monomind/cli/dist/src/update/rate-limiter.js +79 -7
  304. package/packages/@monomind/cli/dist/src/update/validator.js +52 -1
  305. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.d.ts +10 -0
  306. package/packages/@monomind/cli/dist/src/workflow/condition-evaluator.js +82 -0
  307. package/packages/@monomind/cli/dist/src/workflow/context-resolver.d.ts +12 -0
  308. package/packages/@monomind/cli/dist/src/workflow/context-resolver.js +23 -0
  309. package/packages/@monomind/cli/dist/src/workflow/dag-builder.d.ts +17 -0
  310. package/packages/@monomind/cli/dist/src/workflow/dag-builder.js +129 -0
  311. package/packages/@monomind/cli/dist/src/workflow/dag-executor.d.ts +9 -0
  312. package/packages/@monomind/cli/dist/src/workflow/dag-executor.js +116 -0
  313. package/packages/@monomind/cli/dist/src/workflow/dag-types.d.ts +41 -0
  314. package/packages/@monomind/cli/dist/src/workflow/dag-types.js +8 -0
  315. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.d.ts +12 -0
  316. package/packages/@monomind/cli/dist/src/workflow/dsl-parser.js +20 -0
  317. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.d.ts +165 -0
  318. package/packages/@monomind/cli/dist/src/workflow/dsl-schema.js +82 -0
  319. package/packages/@monomind/cli/dist/src/workflow/index.d.ts +13 -0
  320. package/packages/@monomind/cli/dist/src/workflow/index.js +11 -0
  321. package/packages/@monomind/cli/dist/src/workflow/template-engine.d.ts +11 -0
  322. package/packages/@monomind/cli/dist/src/workflow/template-engine.js +40 -0
  323. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.d.ts +29 -0
  324. package/packages/@monomind/cli/dist/src/workflow/workflow-executor.js +227 -0
  325. package/packages/@monomind/cli/package.json +9 -10
  326. package/packages/@monomind/guidance/dist/adversarial.d.ts +284 -0
  327. package/packages/@monomind/guidance/dist/adversarial.js +572 -0
  328. package/packages/@monomind/guidance/dist/analyzer.d.ts +530 -0
  329. package/packages/@monomind/guidance/dist/analyzer.js +2518 -0
  330. package/packages/@monomind/guidance/dist/artifacts.d.ts +283 -0
  331. package/packages/@monomind/guidance/dist/artifacts.js +356 -0
  332. package/packages/@monomind/guidance/dist/authority.d.ts +290 -0
  333. package/packages/@monomind/guidance/dist/authority.js +558 -0
  334. package/packages/@monomind/guidance/dist/capabilities.d.ts +209 -0
  335. package/packages/@monomind/guidance/dist/capabilities.js +485 -0
  336. package/packages/@monomind/guidance/dist/coherence.d.ts +233 -0
  337. package/packages/@monomind/guidance/dist/coherence.js +372 -0
  338. package/packages/@monomind/guidance/dist/compiler.d.ts +87 -0
  339. package/packages/@monomind/guidance/dist/compiler.js +419 -0
  340. package/packages/@monomind/guidance/dist/conformance-kit.d.ts +225 -0
  341. package/packages/@monomind/guidance/dist/conformance-kit.js +629 -0
  342. package/packages/@monomind/guidance/dist/continue-gate.d.ts +214 -0
  343. package/packages/@monomind/guidance/dist/continue-gate.js +353 -0
  344. package/packages/@monomind/guidance/dist/crypto-utils.d.ts +17 -0
  345. package/packages/@monomind/guidance/dist/crypto-utils.js +24 -0
  346. package/packages/@monomind/guidance/dist/evolution.d.ts +282 -0
  347. package/packages/@monomind/guidance/dist/evolution.js +500 -0
  348. package/packages/@monomind/guidance/dist/gates.d.ts +79 -0
  349. package/packages/@monomind/guidance/dist/gates.js +302 -0
  350. package/packages/@monomind/guidance/dist/gateway.d.ts +206 -0
  351. package/packages/@monomind/guidance/dist/gateway.js +452 -0
  352. package/packages/@monomind/guidance/dist/generators.d.ts +153 -0
  353. package/packages/@monomind/guidance/dist/generators.js +682 -0
  354. package/packages/@monomind/guidance/dist/headless.d.ts +177 -0
  355. package/packages/@monomind/guidance/dist/headless.js +342 -0
  356. package/packages/@monomind/guidance/dist/hooks.d.ts +109 -0
  357. package/packages/@monomind/guidance/dist/hooks.js +347 -0
  358. package/packages/@monomind/guidance/dist/index.d.ts +205 -0
  359. package/packages/@monomind/guidance/dist/index.js +321 -0
  360. package/packages/@monomind/guidance/dist/ledger.d.ts +162 -0
  361. package/packages/@monomind/guidance/dist/ledger.js +375 -0
  362. package/packages/@monomind/guidance/dist/manifest-validator.d.ts +289 -0
  363. package/packages/@monomind/guidance/dist/manifest-validator.js +838 -0
  364. package/packages/@monomind/guidance/dist/memory-gate.d.ts +222 -0
  365. package/packages/@monomind/guidance/dist/memory-gate.js +382 -0
  366. package/packages/@monomind/guidance/dist/meta-governance.d.ts +265 -0
  367. package/packages/@monomind/guidance/dist/meta-governance.js +348 -0
  368. package/packages/@monomind/guidance/dist/optimizer.d.ts +104 -0
  369. package/packages/@monomind/guidance/dist/optimizer.js +329 -0
  370. package/packages/@monomind/guidance/dist/persistence.d.ts +189 -0
  371. package/packages/@monomind/guidance/dist/persistence.js +464 -0
  372. package/packages/@monomind/guidance/dist/proof.d.ts +185 -0
  373. package/packages/@monomind/guidance/dist/proof.js +238 -0
  374. package/packages/@monomind/guidance/dist/retriever.d.ts +116 -0
  375. package/packages/@monomind/guidance/dist/retriever.js +394 -0
  376. package/packages/@monomind/guidance/dist/ruvbot-integration.d.ts +370 -0
  377. package/packages/@monomind/guidance/dist/ruvbot-integration.js +738 -0
  378. package/packages/@monomind/guidance/dist/temporal.d.ts +426 -0
  379. package/packages/@monomind/guidance/dist/temporal.js +658 -0
  380. package/packages/@monomind/guidance/dist/trust.d.ts +283 -0
  381. package/packages/@monomind/guidance/dist/trust.js +473 -0
  382. package/packages/@monomind/guidance/dist/truth-anchors.d.ts +276 -0
  383. package/packages/@monomind/guidance/dist/truth-anchors.js +488 -0
  384. package/packages/@monomind/guidance/dist/types.d.ts +378 -0
  385. package/packages/@monomind/guidance/dist/types.js +10 -0
  386. package/packages/@monomind/guidance/dist/uncertainty.d.ts +372 -0
  387. package/packages/@monomind/guidance/dist/uncertainty.js +619 -0
  388. package/packages/@monomind/guidance/dist/wasm-kernel.d.ts +48 -0
  389. package/packages/@monomind/guidance/dist/wasm-kernel.js +158 -0
@@ -0,0 +1,214 @@
1
+ #!/usr/bin/env npx tsx
2
+ /**
3
+ * Pattern Store Test Suite
4
+ * Tests list, search, download, and publish functionality
5
+ */
6
+ import { createDiscoveryService } from '../store/discovery.js';
7
+ import { searchPatterns, getSearchSuggestions, getTagCloud } from '../store/search.js';
8
+ import { createDownloader } from '../store/download.js';
9
+ import { createPublisher } from '../store/publish.js';
10
+ import { createSeraphineGenesis } from '../models/seraphine.js';
11
+ // Test results tracking
12
+ const results = [];
13
+ function logTest(name, passed, details) {
14
+ results.push({ test: name, passed, details });
15
+ const icon = passed ? '✅' : '❌';
16
+ console.log(`${icon} ${name}${details ? `: ${details}` : ''}`);
17
+ }
18
+ async function runTests() {
19
+ console.log('');
20
+ console.log('╔══════════════════════════════════════════════════════════╗');
21
+ console.log('║ PATTERN STORE TEST SUITE ║');
22
+ console.log('║ Testing List, Search, Download, Publish ║');
23
+ console.log('╚══════════════════════════════════════════════════════════╝');
24
+ console.log('');
25
+ // ==========================================================================
26
+ // 1. DISCOVERY TESTS
27
+ // ==========================================================================
28
+ console.log('─── Discovery Tests ───────────────────────────────────────');
29
+ try {
30
+ const discovery = createDiscoveryService();
31
+ logTest('Discovery service created', true);
32
+ // List registries
33
+ const registries = discovery.listRegistries();
34
+ logTest('List registries', registries.length > 0, `Found ${registries.length} registries`);
35
+ // Discover registry
36
+ const result = await discovery.discoverRegistry();
37
+ logTest('Discover registry', result.success, result.success
38
+ ? `Loaded ${result.registry?.patterns.length || 0} patterns`
39
+ : result.error);
40
+ // Cache test
41
+ if (result.success) {
42
+ const cachedResult = await discovery.discoverRegistry();
43
+ logTest('Cache hit', cachedResult.fromCache, 'Second request from cache');
44
+ }
45
+ console.log('');
46
+ // ==========================================================================
47
+ // 2. SEARCH TESTS
48
+ // ==========================================================================
49
+ console.log('─── Search Tests ──────────────────────────────────────────');
50
+ if (result.success && result.registry) {
51
+ const registry = result.registry;
52
+ // Basic search
53
+ const basicSearch = searchPatterns(registry);
54
+ logTest('Basic search', basicSearch.patterns.length > 0, `Found ${basicSearch.total} patterns`);
55
+ // Query search
56
+ const querySearch = searchPatterns(registry, { query: 'routing' });
57
+ logTest('Query search', true, `Query "routing" found ${querySearch.patterns.length} patterns`);
58
+ // Category filter
59
+ const categorySearch = searchPatterns(registry, { category: 'routing' });
60
+ logTest('Category filter', true, `Category "routing" found ${categorySearch.patterns.length} patterns`);
61
+ // Tag search
62
+ const tagSearch = searchPatterns(registry, { tags: ['genesis'] });
63
+ logTest('Tag search', true, `Tag "genesis" found ${tagSearch.patterns.length} patterns`);
64
+ // Verified filter
65
+ const verifiedSearch = searchPatterns(registry, { verified: true });
66
+ logTest('Verified filter', true, `Verified patterns: ${verifiedSearch.patterns.length}`);
67
+ // Sort by downloads
68
+ const sortedSearch = searchPatterns(registry, {
69
+ sortBy: 'downloads',
70
+ sortOrder: 'desc',
71
+ });
72
+ logTest('Sort by downloads', true, `Top pattern: ${sortedSearch.patterns[0]?.displayName || 'none'}`);
73
+ // Pagination
74
+ const page1 = searchPatterns(registry, { limit: 5, offset: 0 });
75
+ logTest('Pagination', page1.pageSize === 5, `Page 1 with ${page1.patterns.length} patterns, hasMore: ${page1.hasMore}`);
76
+ // Search suggestions
77
+ const suggestions = getSearchSuggestions(registry, 'rou');
78
+ logTest('Search suggestions', suggestions.length >= 0, `Suggestions for "rou": ${suggestions.slice(0, 3).join(', ')}`);
79
+ // Tag cloud
80
+ const tagCloud = getTagCloud(registry);
81
+ logTest('Tag cloud', tagCloud.size > 0, `${tagCloud.size} unique tags`);
82
+ }
83
+ console.log('');
84
+ // ==========================================================================
85
+ // 3. DOWNLOAD TESTS
86
+ // ==========================================================================
87
+ console.log('─── Download Tests ────────────────────────────────────────');
88
+ if (result.success && result.registry && result.registry.patterns.length > 0) {
89
+ const pattern = result.registry.patterns[0];
90
+ const downloader = createDownloader();
91
+ logTest('Downloader created', true);
92
+ // Download with progress
93
+ let progressCalled = false;
94
+ const downloadResult = await downloader.downloadPattern(pattern, {
95
+ verify: true,
96
+ }, (progress) => {
97
+ progressCalled = true;
98
+ });
99
+ logTest('Download pattern', downloadResult.success, downloadResult.success
100
+ ? `Downloaded ${downloadResult.size} bytes`
101
+ : 'Failed');
102
+ logTest('Progress callback', progressCalled, progressCalled ? 'Progress events received' : 'No progress events');
103
+ logTest('Checksum verification', downloadResult.verified !== undefined, `Verified: ${downloadResult.verified}`);
104
+ // Cache stats
105
+ const cacheStats = downloader.getCacheStats();
106
+ logTest('Cache statistics', cacheStats.count >= 0, `${cacheStats.count} items, ${cacheStats.totalSize} bytes`);
107
+ }
108
+ console.log('');
109
+ // ==========================================================================
110
+ // 4. PUBLISH TESTS
111
+ // ==========================================================================
112
+ console.log('─── Publish Tests ─────────────────────────────────────────');
113
+ const cfp = createSeraphineGenesis();
114
+ const publisher = createPublisher();
115
+ logTest('Publisher created', true);
116
+ // Validation
117
+ const validation = publisher.validateForPublish(cfp, {
118
+ name: 'test-pattern',
119
+ displayName: 'Test Pattern',
120
+ description: 'A test pattern for validation',
121
+ categories: ['testing'],
122
+ tags: ['test', 'validation', 'demo'],
123
+ license: 'MIT',
124
+ anonymize: 'standard',
125
+ });
126
+ logTest('Publish validation', validation.length === 0, validation.length === 0 ? 'All validations passed' : validation.join(', '));
127
+ // Preview
128
+ const preview = publisher.createPreview(cfp, {
129
+ name: 'seraphine-genesis',
130
+ displayName: 'Seraphine Genesis',
131
+ description: 'The foundational pattern model',
132
+ categories: ['routing', 'coordination'],
133
+ tags: ['genesis', 'foundational'],
134
+ license: 'MIT',
135
+ anonymize: 'standard',
136
+ });
137
+ logTest('Publish preview', preview !== null, `Preview created for ${preview.name}`);
138
+ // Publish (mock)
139
+ const publishResult = await publisher.publishPattern(cfp, {
140
+ name: 'test-pattern',
141
+ displayName: 'Test Pattern',
142
+ description: 'A test pattern published to IPFS',
143
+ categories: ['testing'],
144
+ tags: ['test', 'demo', 'hello-world'],
145
+ license: 'MIT',
146
+ anonymize: 'standard',
147
+ });
148
+ logTest('Publish to IPFS', publishResult.success, publishResult.success
149
+ ? `CID: ${publishResult.cid.slice(0, 20)}...`
150
+ : publishResult.message);
151
+ console.log('');
152
+ // ==========================================================================
153
+ // 5. INTEGRATION TEST
154
+ // ==========================================================================
155
+ console.log('─── Integration Test ──────────────────────────────────────');
156
+ // Full workflow: discover -> search -> download
157
+ const store = createDiscoveryService();
158
+ const discoverResult = await store.discoverRegistry();
159
+ if (discoverResult.success && discoverResult.registry) {
160
+ const searchResult = searchPatterns(discoverResult.registry, {
161
+ query: 'seraphine',
162
+ });
163
+ if (searchResult.patterns.length > 0) {
164
+ const dl = createDownloader();
165
+ const dlResult = await dl.downloadPattern(searchResult.patterns[0], {
166
+ verify: true,
167
+ });
168
+ logTest('Full workflow', dlResult.success, 'Discover → Search → Download completed');
169
+ }
170
+ else {
171
+ logTest('Full workflow', true, 'Discover → Search completed (no download)');
172
+ }
173
+ }
174
+ }
175
+ catch (error) {
176
+ console.error('Test error:', error);
177
+ logTest('Test suite', false, `Error: ${error}`);
178
+ }
179
+ // ==========================================================================
180
+ // SUMMARY
181
+ // ==========================================================================
182
+ console.log('');
183
+ console.log('═══════════════════════════════════════════════════════════');
184
+ console.log(' TEST SUMMARY ');
185
+ console.log('═══════════════════════════════════════════════════════════');
186
+ console.log('');
187
+ const passed = results.filter(r => r.passed).length;
188
+ const failed = results.filter(r => !r.passed).length;
189
+ const total = results.length;
190
+ console.log(` Total Tests: ${total}`);
191
+ console.log(` ✅ Passed: ${passed}`);
192
+ console.log(` ❌ Failed: ${failed}`);
193
+ console.log('');
194
+ if (failed === 0) {
195
+ console.log(' 🎉 All tests passed!');
196
+ console.log('');
197
+ console.log(' 📦 Store Features Verified:');
198
+ console.log(' - Registry discovery via IPNS');
199
+ console.log(' - Pattern search with filters');
200
+ console.log(' - Download with verification');
201
+ console.log(' - Publish with anonymization');
202
+ console.log('');
203
+ }
204
+ else {
205
+ console.log(' ⚠️ Some tests failed. Please review the output above.');
206
+ }
207
+ process.exit(failed > 0 ? 1 : 0);
208
+ }
209
+ // Run tests
210
+ runTests().catch(error => {
211
+ console.error('Fatal error:', error);
212
+ process.exit(1);
213
+ });
214
+ //# sourceMappingURL=test-store.js.map
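Review bot: The 'Checksum verification' check (new line 103) passes whenever `downloadResult.verified` is defined, so a download whose checksum did not verify is still reported as a pass; the condition should be `downloadResult.verified === true`. Several search checks (new lines 57–72) pass a literal `true`, and 'Search suggestions' tests `suggestions.length >= 0`, which cannot fail, so the summary line "Download with verification" is not backed by an assertion. The integration step (new lines 165–168) requests `verify: true` but only inspects `dlResult.success`; adding `&& dlResult.verified === true` would close that gap, assuming `verified` carries the same meaning there.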
@@ -4,7 +4,19 @@
4
4
  */
5
5
  import { createRequire } from 'module';
6
6
  import { execFileSync } from 'child_process';
7
- import * as semver from 'semver';
7
+ // Inline semver shim — avoids external dependency
8
+ const semver = {
9
+ valid: (v) => /^\d+\.\d+\.\d+/.test(v || '') ? v : null,
10
+ eq: (a, b) => a === b,
11
+ major: (v) => parseInt((v || '0').split('.')[0], 10),
12
+ minor: (v) => parseInt((v || '0').split('.')[1] || '0', 10),
13
+ patch: (v) => parseInt(((v || '0').split('.')[2] || '0').replace(/[^0-9].*/, ''), 10),
14
+ gt: (a, b) => {
15
+ const [aMaj, aMin, aPat] = (a || '0').split('.').map(n => parseInt(n, 10) || 0);
16
+ const [bMaj, bMin, bPat] = (b || '0').split('.').map(n => parseInt(n, 10) || 0);
17
+ return aMaj !== bMaj ? aMaj > bMaj : aMin !== bMin ? aMin > bMin : aPat > bPat;
18
+ },
19
+ };
8
20
  import { reserveCheck, recordCheck, getCachedVersions } from './rate-limiter.js';
9
21
  const require = createRequire(import.meta.url);
10
22
  const DEFAULT_CONFIG = {
@@ -45,6 +57,13 @@ const NPM_NAME_RE = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/i;
45
57
  function isValidNpmName(name) {
46
58
  return NPM_NAME_RE.test(name) && !name.includes('..') && name.length <= 214;
47
59
  }
60
+ // Cap registry response at 5 MB. The full npm registry payload for a package
61
+ // can include the entire `versions` object (dozens of version entries with
62
+ // dist/scripts/dependencies for each). A spoofed or compromised registry
63
+ // endpoint could stream an arbitrarily large body; AbortSignal.timeout(5000)
64
+ // only enforces a wall-clock deadline and does NOT cap bytes. Without this
65
+ // cap, fetchPackageInfo will buffer an unbounded body into memory (OOM).
66
+ const MAX_REGISTRY_RESPONSE_BYTES = 5 * 1024 * 1024; // 5 MB
48
67
  async function fetchPackageInfo(packageName) {
49
68
  if (!isValidNpmName(packageName))
50
69
  return null;
@@ -56,7 +75,42 @@ async function fetchPackageInfo(packageName) {
56
75
  if (!response.ok) {
57
76
  return null;
58
77
  }
59
- return (await response.json());
78
+ // Reject immediately if Content-Length header exceeds cap
79
+ const contentLength = response.headers.get('content-length');
80
+ if (contentLength) {
81
+ const declared = parseInt(contentLength, 10);
82
+ if (Number.isFinite(declared) && declared > MAX_REGISTRY_RESPONSE_BYTES) {
83
+ return null;
84
+ }
85
+ }
86
+ // Stream body and enforce byte cap — prevents OOM if the server streams
87
+ // a large body that evades the Content-Length check (missing/wrong header).
88
+ if (!response.body)
89
+ return null;
90
+ const reader = response.body.getReader();
91
+ const chunks = [];
92
+ let totalBytes = 0;
93
+ while (true) {
94
+ const { done, value } = await reader.read();
95
+ if (done)
96
+ break;
97
+ if (value) {
98
+ totalBytes += value.byteLength;
99
+ if (totalBytes > MAX_REGISTRY_RESPONSE_BYTES) {
100
+ await reader.cancel();
101
+ return null;
102
+ }
103
+ chunks.push(value);
104
+ }
105
+ }
106
+ const buf = new Uint8Array(totalBytes);
107
+ let offset = 0;
108
+ for (const chunk of chunks) {
109
+ buf.set(chunk, offset);
110
+ offset += chunk.byteLength;
111
+ }
112
+ const text = new TextDecoder('utf-8').decode(buf);
113
+ return JSON.parse(text);
60
114
  }
61
115
  catch {
62
116
  return null;
@@ -66,7 +120,8 @@ function getUpdateType(current, latest) {
66
120
  if (!semver.valid(current) || !semver.valid(latest)) {
67
121
  return 'none';
68
122
  }
69
- if (semver.eq(current, latest)) {
123
+ // Not an upgrade (equal or downgrade)
124
+ if (!semver.gt(latest, current)) {
70
125
  return 'none';
71
126
  }
72
127
  if (semver.major(latest) > semver.major(current)) {
@@ -75,10 +130,7 @@ function getUpdateType(current, latest) {
75
130
  if (semver.minor(latest) > semver.minor(current)) {
76
131
  return 'minor';
77
132
  }
78
- if (semver.patch(latest) > semver.patch(current)) {
79
- return 'patch';
80
- }
81
- return 'none';
133
+ return 'patch';
82
134
  }
83
135
  function shouldAutoUpdate(updateType, priority, config) {
84
136
  if (updateType === 'none')
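Review bot: The inline `semver.gt` (new lines 14–18) compares only the three numeric components, because `parseInt` stops at the first non-digit and anything after the third dot is dropped, so two pre-releases of the same version, or a pre-release and its final release, compare as equal and `getUpdateType` returns 'none' for them. The removed `semver` package ordered pre-release tags, so this is a behaviour change rather than a drop-in replacement; the compatibility matrix elsewhere in this diff names `3.0.0-alpha.1`, which suggests pre-releases are in use. Either add a pre-release comparison or document the limitation next to the shim, e.g. `// NOTE: pre-release/build tags are ignored; 1.0.0-alpha.1 and 1.0.0 compare equal`. The same object is copied, with different subsets of methods, into three other file sections of this diff, and a single shared module would keep the copies from drifting. `getUpdateType` begins outside its hunk.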
@@ -6,11 +6,32 @@ import { execFile } from 'child_process';
6
6
  import * as fs from 'fs';
7
7
  import * as path from 'path';
8
8
  import * as os from 'os';
9
- import * as semver from 'semver';
9
+ import { validateUpdate } from './validator.js';
10
+ // Inline semver shim — avoids external dependency (semver is not in package.json)
11
+ const semver = {
12
+ valid: (v) => /^\d+\.\d+\.\d+/.test(v || '') ? v : null,
13
+ };
14
+ /**
15
+ * Validate a npm package name.
16
+ * Allows scoped (@scope/name) and unscoped names; rejects path-traversal,
17
+ * shell metacharacters, and names that are too long to be legitimate.
18
+ * See https://docs.npmjs.com/cli/v9/configuring-npm/package-json#name
19
+ */
20
+ function isValidPackageName(name) {
21
+ if (typeof name !== 'string' || name.length === 0 || name.length > 214)
22
+ return false;
23
+ // Scoped: @scope/name — both parts: lowercase alnum + hyphens + underscores + dots
24
+ if (name.startsWith('@')) {
25
+ return /^@[a-z0-9][a-z0-9_.-]*\/[a-z0-9][a-z0-9_.-]*$/.test(name);
26
+ }
27
+ // Unscoped: must not start with . or _ (legacy rule)
28
+ return /^[a-z0-9][a-z0-9_.-]*$/.test(name);
29
+ }
30
+ /** Max bytes we will read from the on-disk update history file. */
31
+ const MAX_HISTORY_FILE_BYTES = 1 * 1024 * 1024; // 1 MB
10
32
  function execFileAsync(cmd, args) {
11
33
  return new Promise((resolve, reject) => execFile(cmd, args, (err) => (err ? reject(err) : resolve())));
12
34
  }
13
- import { validateUpdate } from './validator.js';
14
35
  const HISTORY_FILE = path.join(os.homedir(), '.monomind', 'update-history.json');
15
36
  const MAX_HISTORY_ENTRIES = 100;
16
37
  function ensureDir() {
@@ -22,8 +43,29 @@ function ensureDir() {
22
43
  export function loadHistory() {
23
44
  try {
24
45
  if (fs.existsSync(HISTORY_FILE)) {
46
+ // Guard against a bloated or attacker-crafted history file causing OOM.
47
+ const stat = fs.statSync(HISTORY_FILE);
48
+ if (stat.size > MAX_HISTORY_FILE_BYTES) {
49
+ return [];
50
+ }
25
51
  const content = fs.readFileSync(HISTORY_FILE, 'utf-8');
26
- return JSON.parse(content);
52
+ const raw = JSON.parse(content);
53
+ if (!Array.isArray(raw))
54
+ return [];
55
+ // Sanitize each entry: reject any entry whose package name or version
56
+ // fails validation so that a tampered history file cannot inject
57
+ // arbitrary arguments into a subsequent npm install via rollbackUpdate().
58
+ return raw.filter((e) => {
59
+ if (typeof e !== 'object' || e === null)
60
+ return false;
61
+ if (typeof e.package !== 'string' || !isValidPackageName(e.package))
62
+ return false;
63
+ if (typeof e.fromVersion !== 'string' || !semver.valid(e.fromVersion))
64
+ return false;
65
+ if (typeof e.toVersion !== 'string' || !semver.valid(e.toVersion))
66
+ return false;
67
+ return true;
68
+ });
27
69
  }
28
70
  }
29
71
  catch {
@@ -68,6 +110,11 @@ export async function executeUpdate(update, installedPackages, dryRun = false) {
68
110
  // Execute npm install — use execFile to avoid shell injection
69
111
  const pkg = update.package;
70
112
  const version = update.latestVersion;
113
+ // Validate both package name and version before constructing the npm arg
114
+ // to prevent argument injection via a crafted UpdateCheckResult.
115
+ if (!isValidPackageName(pkg)) {
116
+ throw new Error(`Invalid package name: ${pkg}`);
117
+ }
71
118
  if (!semver.valid(version)) {
72
119
  throw new Error(`Invalid version: ${version}`);
73
120
  }
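Review bot: The `semver.valid` shim (new line 12), used as the guard in `loadHistory` (new lines 63–66) and before the npm install (new line 118), has no end anchor, so any string that merely begins with three dotted numbers is accepted, trailing text included. The comments at new lines 55–57 and 113–114 present these checks as the defence against argument injection, so the pattern should match the whole string; the section that defines `SEMVER_RE` in this diff already has one that could be reused, `/^\d+\.\d+\.\d+(-[\w.]+)?(\+[\w.]+)?$/`. How the version string reaches `execFile` is outside the hunk, so the practical impact is unconfirmed from here. `executeUpdate` and `loadHistory` both continue outside their hunks.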
@@ -16,7 +16,24 @@ export { executeUpdate, executeMultipleUpdates, rollbackUpdate, getUpdateHistory
16
16
  import { checkForUpdates, DEFAULT_CONFIG, getInstalledVersion } from './checker.js';
17
17
  import { executeMultipleUpdates } from './executor.js';
18
18
  import { getCachedVersions } from './rate-limiter.js';
19
- import * as semver from 'semver';
19
+ // Inline semver shim — avoids external dependency (semver is not listed in package.json)
20
+ const semver = {
21
+ valid: (v) => /^\d+\.\d+\.\d+/.test(v || '') ? v : null,
22
+ gt: (a, b) => {
23
+ const [aMaj, aMin, aPat] = (a || '0').split('.').map(n => parseInt(n, 10) || 0);
24
+ const [bMaj, bMin, bPat] = (b || '0').split('.').map(n => parseInt(n, 10) || 0);
25
+ return aMaj !== bMaj ? aMaj > bMaj : aMin !== bMin ? aMin > bMin : aPat > bPat;
26
+ },
27
+ lte: (a, b) => {
28
+ const [aMaj, aMin, aPat] = (a || '0').split('.').map(n => parseInt(n, 10) || 0);
29
+ const [bMaj, bMin, bPat] = (b || '0').split('.').map(n => parseInt(n, 10) || 0);
30
+ if (aMaj !== bMaj)
31
+ return aMaj < bMaj;
32
+ if (aMin !== bMin)
33
+ return aMin < bMin;
34
+ return aPat <= bPat;
35
+ },
36
+ };
20
37
  /**
21
38
  * Synchronous — reads cached state from last check.
22
39
  * Returns a short inline string for the CLI version tagline, e.g.
@@ -20,6 +20,12 @@ export declare function shouldCheckForUpdates(intervalHours?: number): {
20
20
  * only after a successful reserveCheck, so that limit enforcement and
21
21
  * increment happen in the same synchronous turn (no await gap between
22
22
  * them), preventing two concurrent callers both seeing "allowed".
23
+ *
24
+ * IMPORTANT: performs a single loadState() → check → increment → saveState()
25
+ * cycle to eliminate the TOCTOU window that existed when this function
26
+ * delegated to shouldCheckForUpdates() (which called loadState() itself)
27
+ * and then called loadState() a second time to increment. Two callers
28
+ * sharing that gap could both see allowed=true and both increment.
23
29
  */
24
30
  export declare function reserveCheck(intervalHours?: number): {
25
31
  allowed: boolean;
@@ -8,6 +8,12 @@ import * as os from 'os';
8
8
  const STATE_FILE = path.join(os.homedir(), '.monomind', 'update-state.json');
9
9
  const DEFAULT_INTERVAL_HOURS = 24;
10
10
  const MAX_CHECKS_PER_DAY = 10;
11
+ // Hard cap on how many package version entries we persist. Prevents an
12
+ // attacker who can write to the state file from inflating it unboundedly,
13
+ // and protects recordCheck() from DoS via a huge incoming packageVersions map.
14
+ const MAX_PACKAGE_VERSIONS = 100;
15
+ // Hard cap on the state file size we are willing to read into memory.
16
+ const MAX_STATE_FILE_BYTES = 1 * 1024 * 1024; // 1 MB
11
17
  function ensureDir() {
12
18
  const dir = path.dirname(STATE_FILE);
13
19
  if (!fs.existsSync(dir)) {
@@ -25,8 +31,36 @@ function getDefaultState() {
25
31
  export function loadState() {
26
32
  try {
27
33
  if (fs.existsSync(STATE_FILE)) {
34
+ // Guard against oversized state files (DoS / OOM) before reading
35
+ const stat = fs.statSync(STATE_FILE);
36
+ if (stat.size > MAX_STATE_FILE_BYTES) {
37
+ // State file is unreasonably large — discard and start fresh
38
+ try {
39
+ fs.unlinkSync(STATE_FILE);
40
+ }
41
+ catch { /* ignore */ }
42
+ return getDefaultState();
43
+ }
28
44
  const content = fs.readFileSync(STATE_FILE, 'utf-8');
29
- const state = JSON.parse(content);
45
+ // Block prototype pollution via JSON.parse reviver
46
+ const state = JSON.parse(content, (key, value) => {
47
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype')
48
+ return undefined;
49
+ return value;
50
+ });
51
+ // Validate that packageVersions is a plain object (not an array/primitive)
52
+ if (!state.packageVersions || typeof state.packageVersions !== 'object' || Array.isArray(state.packageVersions)) {
53
+ state.packageVersions = {};
54
+ }
55
+ // Cap the number of package version entries to prevent bloat
56
+ const versionKeys = Object.keys(state.packageVersions);
57
+ if (versionKeys.length > MAX_PACKAGE_VERSIONS) {
58
+ const capped = {};
59
+ for (const k of versionKeys.slice(0, MAX_PACKAGE_VERSIONS)) {
60
+ capped[k] = state.packageVersions[k];
61
+ }
62
+ state.packageVersions = capped;
63
+ }
30
64
  // Reset counter if new day
31
65
  const today = new Date().toISOString().split('T')[0];
32
66
  if (state.date !== today) {
@@ -86,14 +120,41 @@ export function shouldCheckForUpdates(intervalHours = DEFAULT_INTERVAL_HOURS) {
86
120
  * only after a successful reserveCheck, so that limit enforcement and
87
121
  * increment happen in the same synchronous turn (no await gap between
88
122
  * them), preventing two concurrent callers both seeing "allowed".
123
+ *
124
+ * IMPORTANT: performs a single loadState() → check → increment → saveState()
125
+ * cycle to eliminate the TOCTOU window that existed when this function
126
+ * delegated to shouldCheckForUpdates() (which called loadState() itself)
127
+ * and then called loadState() a second time to increment. Two callers
128
+ * sharing that gap could both see allowed=true and both increment.
89
129
  */
90
130
  export function reserveCheck(intervalHours = DEFAULT_INTERVAL_HOURS) {
91
- const decision = shouldCheckForUpdates(intervalHours);
92
- if (!decision.allowed)
93
- return decision;
94
- // Increment immediately, before any async work, so concurrent callers
95
- // see an updated count on their next tick.
131
+ // Fast-path: environment gates that don't need file I/O
132
+ if (process.env.CI === 'true' || process.env.CONTINUOUS_INTEGRATION === 'true') {
133
+ return { allowed: false, reason: 'CI environment detected' };
134
+ }
135
+ if (process.env.MONOMIND_AUTO_UPDATE === 'false') {
136
+ return { allowed: false, reason: 'Auto-update disabled via environment' };
137
+ }
138
+ // Single load — check and increment in one synchronous cycle
96
139
  const state = loadState();
140
+ if (process.env.MONOMIND_FORCE_UPDATE !== 'true') {
141
+ // Daily limit
142
+ if (state.checksToday >= MAX_CHECKS_PER_DAY) {
143
+ return { allowed: false, reason: `Daily check limit (${MAX_CHECKS_PER_DAY}) reached` };
144
+ }
145
+ // Time interval
146
+ if (state.lastCheck) {
147
+ const hoursSinceLastCheck = (Date.now() - new Date(state.lastCheck).getTime()) / (1000 * 60 * 60);
148
+ if (hoursSinceLastCheck < intervalHours) {
149
+ const nextCheck = Math.ceil(intervalHours - hoursSinceLastCheck);
150
+ return {
151
+ allowed: false,
152
+ reason: `Last check was ${Math.floor(hoursSinceLastCheck)}h ago (next check in ~${nextCheck}h)`,
153
+ };
154
+ }
155
+ }
156
+ }
157
+ // Reserve the slot: increment and persist before any async work begins
97
158
  state.checksToday += 1;
98
159
  state.lastCheck = new Date().toISOString();
99
160
  saveState(state);
@@ -102,7 +163,18 @@ export function reserveCheck(intervalHours = DEFAULT_INTERVAL_HOURS) {
102
163
  export function recordCheck(packageVersions) {
103
164
  // Update only package versions; count/timestamp already incremented by reserveCheck
104
165
  const state = loadState();
105
- state.packageVersions = { ...state.packageVersions, ...packageVersions };
166
+ // Merge only string-valued keys to block prototype pollution and type confusion.
167
+ // Also enforce the total cap so a large incoming map cannot bloat the state file.
168
+ const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
169
+ for (const [k, v] of Object.entries(packageVersions)) {
170
+ if (FORBIDDEN.has(k))
171
+ continue;
172
+ if (typeof k !== 'string' || typeof v !== 'string')
173
+ continue;
174
+ if (Object.keys(state.packageVersions).length >= MAX_PACKAGE_VERSIONS)
175
+ break;
176
+ state.packageVersions[k] = v;
177
+ }
106
178
  saveState(state);
107
179
  }
108
180
  export function getCachedVersions() {
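Review bot: In `recordCheck` (new lines 169–177) the cap test does not distinguish new keys from existing ones, so once `state.packageVersions` holds `MAX_PACKAGE_VERSIONS` entries the loop breaks and the versions of packages already in the map are never refreshed. Applying the cap only to keys that are not yet present fixes that: `if (!Object.prototype.hasOwnProperty.call(state.packageVersions, k) && Object.keys(state.packageVersions).length >= MAX_PACKAGE_VERSIONS) continue;`. The `typeof k !== 'string'` test is always false for `Object.entries` keys and can be dropped. Separately, the new `reserveCheck` comment says the TOCTOU window is eliminated, but the load–check–save cycle is only atomic within one process; two CLI processes can still both read the file before either writes unless `saveState` (not shown) takes a lock, so the comment should say "within a single process".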
@@ -2,9 +2,42 @@
2
2
  * Package validator for update compatibility
3
3
  * Ensures updates don't break the ecosystem
4
4
  */
5
- import * as semver from 'semver';
5
+ // Inline semver shim — avoids external dependency (semver is not listed in package.json)
6
+ const semver = {
7
+ valid: (v) => /^\d+\.\d+\.\d+/.test(v || '') ? v : null,
8
+ major: (v) => parseInt((v || '0').split('.')[0], 10),
9
+ gt: (a, b) => {
10
+ const [aMaj, aMin, aPat] = (a || '0').split('.').map(n => parseInt(n, 10) || 0);
11
+ const [bMaj, bMin, bPat] = (b || '0').split('.').map(n => parseInt(n, 10) || 0);
12
+ return aMaj !== bMaj ? aMaj > bMaj : aMin !== bMin ? aMin > bMin : aPat > bPat;
13
+ },
14
+ lt: (a, b) => {
15
+ const [aMaj, aMin, aPat] = (a || '0').split('.').map(n => parseInt(n, 10) || 0);
16
+ const [bMaj, bMin, bPat] = (b || '0').split('.').map(n => parseInt(n, 10) || 0);
17
+ return aMaj !== bMaj ? aMaj < bMaj : aMin !== bMin ? aMin < bMin : aPat < bPat;
18
+ },
19
+ };
20
+ // Maximum number of updates accepted in a single validateBulkUpdate call.
21
+ // Without this cap a caller can DoS the validator by passing thousands of
22
+ // update entries — each entry triggers validateUpdate which iterates over
23
+ // COMPATIBILITY_MATRIX and BREAKING_CHANGES.
24
+ const MAX_BULK_UPDATES = 50;
25
+ // Version strings must look like semver (major.minor.patch with optional pre-release)
26
+ // before we use them in string interpolation or comparisons.
27
+ const SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?(\+[\w.]+)?$/;
28
+ // Package names: scoped (@scope/name) or plain, no shell-special chars.
29
+ const PKG_NAME_RE = /^(@[a-zA-Z0-9][a-zA-Z0-9_.-]*\/)?[a-zA-Z0-9][a-zA-Z0-9_.-]*$/;
30
+ function isSafeVersion(v) {
31
+ return typeof v === 'string' && v.length <= 64 && SEMVER_RE.test(v);
32
+ }
33
+ function isSafePackageName(p) {
34
+ return typeof p === 'string' && p.length <= 200 && PKG_NAME_RE.test(p);
35
+ }
6
36
  // Known compatibility matrix between monomind packages
7
37
  const COMPATIBILITY_MATRIX = {
38
+ '@monomind/cli': {
39
+ '@monomind/security': { minVersion: '3.0.0-alpha.1' },
40
+ },
8
41
  '@monoes/monomindcli': {
9
42
  'monofence-ai': { minVersion: '1.0.0' },
10
43
  },
@@ -35,6 +68,18 @@ export function validateUpdate(packageName, fromVersion, toVersion, installedPac
35
68
  warnings: [],
36
69
  requiredPeerUpdates: [],
37
70
  };
71
+ // Guard inputs: reject untrusted or malformed strings before they flow into
72
+ // error messages or semver comparisons (which assume well-formed input).
73
+ if (!isSafePackageName(packageName)) {
74
+ result.valid = false;
75
+ result.incompatibilities.push('Invalid package name');
76
+ return result;
77
+ }
78
+ if (!isSafeVersion(fromVersion) || !isSafeVersion(toVersion)) {
79
+ result.valid = false;
80
+ result.incompatibilities.push('Invalid version string(s)');
81
+ return result;
82
+ }
38
83
  // Check if this is a major version bump
39
84
  if (semver.valid(fromVersion) && semver.valid(toVersion)) {
40
85
  const fromMajor = semver.major(fromVersion);
@@ -93,6 +138,12 @@ export function validateBulkUpdate(updates, currentPackages) {
93
138
  warnings: [],
94
139
  requiredPeerUpdates: [],
95
140
  };
141
+ // Cap the number of updates to prevent DoS via large arrays
142
+ if (!Array.isArray(updates) || updates.length > MAX_BULK_UPDATES) {
143
+ combinedResult.valid = false;
144
+ combinedResult.incompatibilities.push(`Too many updates: max ${MAX_BULK_UPDATES} allowed per call`);
145
+ return combinedResult;
146
+ }
96
147
  // Create a simulated state after all updates
97
148
  const simulatedPackages = { ...currentPackages };
98
149
  for (const update of updates) {
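Review bot: `PKG_NAME_RE` (new line 29) is a third, different definition of a valid package name in this diff: it accepts upper-case letters and caps length at 200, while `isValidPackageName` is lower-case only with a 214 limit and `NPM_NAME_RE` is case-insensitive, allows `~` and is paired with a `..` rejection. A name can therefore pass one stage and be rejected by the next; one exported validator shared by all three would remove that. In `validateBulkUpdate` (new line 142) a non-array `updates` is reported as "Too many updates", which hides the real cause; a separate `!Array.isArray(updates)` branch with its own message, such as `'updates must be an array'`, would give callers an accurate error. Both functions continue outside their hunks.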
@@ -0,0 +1,10 @@
1
+ /**
2
+ * Evaluate a simple boolean expression with variable substitution.
3
+ *
4
+ * 1. Replace `{{variable}}` references using the provided context.
5
+ * 2. Reject any expression containing dangerous patterns.
6
+ * 3. Validate that all remaining tokens are safe.
7
+ * 4. Evaluate using `new Function` with strict mode.
8
+ */
9
+ export declare function evaluateCondition(expression: string, context: Record<string, unknown>): boolean;
10
+ //# sourceMappingURL=condition-evaluator.d.ts.map
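Review bot: The doc comment does not say what `evaluateCondition` does when step 2 or 3 rejects an expression (throw, or return `false`), and a caller that gates behaviour on the result needs to know whether a rejected expression is indistinguishable from a false one; a `@returns` line and, if it applies, a `@throws` line should state it. Because step 1 substitutes `context` values into the expression text before the checks run, the comment should also say that those values are subject to the same validation. It is worth adding `* Note: strict mode does not isolate the evaluated code; safety depends on the validation in steps 2–3.` so readers do not take step 4 for a sandbox. The implementation is not part of this section, so whether the pattern rejection is backed by a token allow-list cannot be confirmed here.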