monomind 1.7.0 → 1.9.0

package/packages/@monomind/cli/dist/src/services/ruvector-training.js

@@ -13,11 +13,19 @@
  *
  * github.com/nokhodian/monomind
  */
+const ALLOWED_RUVECTOR_PACKAGES = new Set([
+    '@ruvector/learning-wasm',
+    '@ruvector/attention',
+    '@ruvector/sona',
+]);
 /**
  * ESM/CJS interop helper — handles `.default` for CJS modules.
  * Uses `'default' in mod` check which is safer than `mod.default || mod`.
  */
 async function importWithInterop(packageName) {
+    if (!ALLOWED_RUVECTOR_PACKAGES.has(packageName)) {
+        throw new Error(`Disallowed dynamic import: ${packageName}`);
+    }
     const mod = await import(packageName);
     return ('default' in mod) ? mod.default : mod;
 }

package/packages/@monomind/cli/dist/src/services/worker-daemon.d.ts

@@ -127,7 +127,10 @@ export declare class WorkerDaemon extends EventEmitter {
      */
     private checkExistingDaemon;
     /**
-     * Write PID file for singleton enforcement.
+     * Write PID file with O_EXCL for atomic singleton enforcement (closes the
+     * TOCTOU window between checkExistingDaemon and writePidFile that previously
+     * allowed two concurrent `daemon start` calls to both succeed).
+     * Returns true on success, false if another daemon raced us.
      */
     private writePidFile;
     /**

package/packages/@monomind/cli/dist/src/services/worker-daemon.js

@@ -10,9 +10,9 @@
  * - testgaps: Test coverage analysis (20 min interval)
  */
 import { EventEmitter } from 'events';
-import { existsSync, mkdirSync, writeFileSync, readFileSync, appendFileSync, unlinkSync } from 'fs';
+import { existsSync, mkdirSync, writeFileSync, renameSync, readFileSync, appendFileSync, unlinkSync } from 'fs';
 import { cpus } from 'os';
-import { join } from 'path';
+import { join, resolve } from 'path';
 import { HeadlessWorkerExecutor, isHeadlessWorker, } from './headless-worker-executor.js';
 // Default worker configurations with improved intervals (P0 fix: map 5min -> 15min)
 const DEFAULT_WORKERS = [
@@ -47,9 +47,14 @@ export class WorkerDaemon extends EventEmitter {
     originalConfig;
     constructor(projectRoot, config) {
         super();
-        this.projectRoot = projectRoot;
+        // Resolve and validate projectRoot. Without this an attacker who can pass
+        // a crafted projectRoot (env var, untrusted CLI flag, MCP tool argument)
+        // gets arbitrary file write via the derived pidFile, logFile, stateFile,
+        // and metrics paths.
+        const resolved = resolve(projectRoot);
+        this.projectRoot = resolved;
         this.originalConfig = config;
-        const monomindDir = join(projectRoot, '.monomind');
+        const monomindDir = join(resolved, '.monomind');
         // Read daemon config from .monomind/config.json (Layer B)
         const fileConfig = this.readDaemonConfigFromFile(monomindDir);
         // CPU-proportional smart default instead of hardcoded 2.0
@@ -212,9 +217,9 @@ export class WorkerDaemon extends EventEmitter {
             await this.stop();
             process.exit(0);
         };
-        process.on('SIGTERM', shutdown);
-        process.on('SIGINT', shutdown);
-        process.on('SIGHUP', shutdown);
+        process.once('SIGTERM', shutdown);
+        process.once('SIGINT', shutdown);
+        process.once('SIGHUP', shutdown);
     }
     /**
      * Check if system resources allow worker execution
@@ -295,16 +300,28 @@ export class WorkerDaemon extends EventEmitter {
                     this.config.workerTimeoutMs = saved.config.workerTimeoutMs;
                 }
                 // Restore worker runtime states (runCount, successCount, etc.)
-                if (saved.workers) {
+                // Validate keys against an allowlist to defeat prototype-pollution
+                // attempts and reject unknown worker types injected into the file.
+                if (saved.workers && typeof saved.workers === 'object') {
+                    const VALID_TYPES = new Set(this.config.workers.map(w => w.type));
+                    const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
+                    const finiteNonNeg = (v) => {
+                        if (typeof v !== 'number' || !Number.isFinite(v) || v < 0)
+                            return 0;
+                        return Math.floor(v);
+                    };
                     for (const [type, state] of Object.entries(saved.workers)) {
+                        if (FORBIDDEN.has(type) || !VALID_TYPES.has(type))
+                            continue;
                         const savedState = state;
                         const lastRunValue = savedState.lastRun;
+                        const lastRunDate = typeof lastRunValue === 'string' ? new Date(lastRunValue) : undefined;
                         this.workers.set(type, {
-                            runCount: savedState.runCount || 0,
-                            successCount: savedState.successCount || 0,
-                            failureCount: savedState.failureCount || 0,
-                            averageDurationMs: savedState.averageDurationMs || 0,
-                            lastRun: lastRunValue ? new Date(lastRunValue) : undefined,
+                            runCount: finiteNonNeg(savedState.runCount),
+                            successCount: finiteNonNeg(savedState.successCount),
+                            failureCount: finiteNonNeg(savedState.failureCount),
+                            averageDurationMs: finiteNonNeg(savedState.averageDurationMs),
+                            lastRun: lastRunDate && !isNaN(lastRunDate.getTime()) ? lastRunDate : undefined,
                             nextRun: undefined,
                             isRunning: false,
                         });
@@ -359,13 +376,39 @@ export class WorkerDaemon extends EventEmitter {
         }
     }
     /**
-     * Write PID file for singleton enforcement.
+     * Write PID file with O_EXCL for atomic singleton enforcement (closes the
+     * TOCTOU window between checkExistingDaemon and writePidFile that previously
+     * allowed two concurrent `daemon start` calls to both succeed).
+     * Returns true on success, false if another daemon raced us.
      */
     writePidFile() {
         const dir = join(this.projectRoot, '.monomind');
         if (!existsSync(dir))
             mkdirSync(dir, { recursive: true });
-        writeFileSync(this.pidFile, String(process.pid), 'utf-8');
+        try {
+            // wx flag = O_CREAT | O_EXCL — atomic create-or-fail
+            writeFileSync(this.pidFile, String(process.pid), { flag: 'wx' });
+            return true;
+        }
+        catch (e) {
+            const code = e.code;
+            if (code === 'EEXIST') {
+                // Recheck liveness — file may belong to a dead daemon we missed
+                const racePid = this.checkExistingDaemon();
+                if (racePid === null) {
+                    // Stale file was just removed by checkExistingDaemon, retry once
+                    try {
+                        writeFileSync(this.pidFile, String(process.pid), { flag: 'wx' });
+                        return true;
+                    }
+                    catch {
+                        return false;
+                    }
+                }
+                return false;
+            }
+            throw e;
+        }
     }
     /**
      * Remove PID file on shutdown.
@@ -391,9 +434,16 @@ export class WorkerDaemon extends EventEmitter {
             this.emit('warning', `Daemon already running (PID: ${existingPid})`);
             return;
         }
+        // Atomic PID file write — fails if another daemon raced us past
+        // checkExistingDaemon. Without this two `daemon start` calls could both
+        // pass the existence check then both clobber the PID file.
+        if (!this.writePidFile()) {
+            this.log('info', 'Another daemon won the PID race — aborting start');
+            this.emit('warning', 'Another daemon instance is starting/running');
+            return;
+        }
         this.running = true;
         this.startedAt = new Date();
-        this.writePidFile();
         this.emit('started', { pid: process.pid, startedAt: this.startedAt });
         // Schedule all enabled workers
         for (const workerConfig of this.config.workers) {
@@ -473,10 +523,18 @@ export class WorkerDaemon extends EventEmitter {
      * Execute a worker with concurrency control (P0 fix)
      */
     async executeWorkerWithConcurrencyControl(workerConfig) {
+        // Dedup: under sustained resource pressure each scheduler tick re-pushes
+        // the same WorkerType. Without dedup, high-priority workers (audit) crowd
+        // out low-priority ones (consolidate) — starvation. Skip the push if the
+        // type is already pending.
+        const pushPending = (type) => {
+            if (!this.pendingWorkers.includes(type))
+                this.pendingWorkers.push(type);
+        };
         // Check concurrency limit
         if (this.runningWorkers.size >= this.config.maxConcurrent) {
             this.log('info', `Worker ${workerConfig.type} deferred: max concurrent (${this.config.maxConcurrent}) reached`);
-            this.pendingWorkers.push(workerConfig.type);
+            pushPending(workerConfig.type);
             this.emit('worker:deferred', { type: workerConfig.type, reason: 'max_concurrent' });
             return null;
         }
@@ -484,7 +542,7 @@ export class WorkerDaemon extends EventEmitter {
         const resourceCheck = await this.canRunWorker();
         if (!resourceCheck.allowed) {
             this.log('info', `Worker ${workerConfig.type} deferred: ${resourceCheck.reason}`);
-            this.pendingWorkers.push(workerConfig.type);
+            pushPending(workerConfig.type);
             this.emit('worker:deferred', { type: workerConfig.type, reason: resourceCheck.reason });
             return null;
         }
@@ -504,11 +562,15 @@ export class WorkerDaemon extends EventEmitter {
         this.log('info', `Starting worker: ${workerConfig.type} (${this.runningWorkers.size}/${this.config.maxConcurrent} concurrent)`);
         try {
             // Execute worker logic with timeout (P1 fix)
-            // Pass cleanup callback to kill orphan child processes on timeout (#1117)
+            // Pass cleanup callback to kill only this worker's child process on timeout.
+            // cancelAll() was too broad — it would kill concurrent healthy workers.
             const output = await this.runWithTimeout(() => this.runWorkerLogic(workerConfig), this.config.workerTimeoutMs, `Worker ${workerConfig.type} timed out after ${this.config.workerTimeoutMs / 1000}s`, () => {
-                // On timeout, cancel any headless execution to prevent orphan processes
                 if (this.headlessExecutor) {
-                    this.headlessExecutor.cancelAll();
+                    // Try exact-ID cancel first; fall back to type-based cancel which
+                    // avoids killing unrelated concurrent workers (cancelByType).
+                    if (!this.headlessExecutor.cancel(workerId)) {
+                        this.headlessExecutor.cancelByType(workerConfig.type);
+                    }
                 }
             });
             const durationMs = Date.now() - startTime;
@@ -670,7 +732,9 @@ export class WorkerDaemon extends EventEmitter {
             },
             scannedAt: Date.now(),
         };
-        writeFileSync(metricsFile, JSON.stringify(map, null, 2));
+        const metricsFileTmp1 = metricsFile + '.tmp';
+        writeFileSync(metricsFileTmp1, JSON.stringify(map, null, 2));
+        renameSync(metricsFileTmp1, metricsFile);
         return map;
     }
     /**
@@ -695,7 +759,9 @@ export class WorkerDaemon extends EventEmitter {
             recommendations: [],
             note: 'Install Claude Code CLI for AI-powered security analysis',
         };
-        writeFileSync(auditFile, JSON.stringify(audit, null, 2));
+        const auditFileTmp = auditFile + '.tmp';
+        writeFileSync(auditFileTmp, JSON.stringify(audit, null, 2));
+        renameSync(auditFileTmp, auditFile);
         return audit;
     }
     /**
@@ -719,7 +785,9 @@ export class WorkerDaemon extends EventEmitter {
             },
             note: 'Install Claude Code CLI for AI-powered optimization suggestions',
         };
-        writeFileSync(optimizeFile, JSON.stringify(perf, null, 2));
+        const optimizeFileTmp = optimizeFile + '.tmp';
+        writeFileSync(optimizeFileTmp, JSON.stringify(perf, null, 2));
+        renameSync(optimizeFileTmp, optimizeFile);
         return perf;
     }
     async runConsolidateWorker() {
@@ -774,7 +842,9 @@ export class WorkerDaemon extends EventEmitter {
             duplicatesRemoved: 0,
             mode: 'raptor',
         };
-        writeFileSync(consolidateFile, JSON.stringify(result, null, 2));
+        const consolidateFileTmp = consolidateFile + '.tmp';
+        writeFileSync(consolidateFileTmp, JSON.stringify(result, null, 2));
+        renameSync(consolidateFileTmp, consolidateFile);
         return result;
     }
     /**
@@ -795,7 +865,9 @@ export class WorkerDaemon extends EventEmitter {
             gaps: [],
             note: 'Install Claude Code CLI for AI-powered test gap analysis',
         };
-        writeFileSync(testGapsFile, JSON.stringify(result, null, 2));
+        const testGapsFileTmp = testGapsFile + '.tmp';
+        writeFileSync(testGapsFileTmp, JSON.stringify(result, null, 2));
+        renameSync(testGapsFileTmp, testGapsFile);
         return result;
     }
     /**
@@ -876,7 +948,9 @@ export class WorkerDaemon extends EventEmitter {
                 uptime: process.uptime(),
             },
         };
-        writeFileSync(benchmarkFile, JSON.stringify(result, null, 2));
+        const benchmarkFileTmp = benchmarkFile + '.tmp';
+        writeFileSync(benchmarkFileTmp, JSON.stringify(result, null, 2));
+        renameSync(benchmarkFileTmp, benchmarkFile);
         return result;
     }
     /**
@@ -898,6 +972,14 @@ export class WorkerDaemon extends EventEmitter {
         if (!workerConfig) {
             throw new Error(`Unknown worker type: ${type}`);
         }
+        const result = await this.executeWorkerWithConcurrencyControl(workerConfig);
+        if (result !== null)
+            return result;
+        // Concurrency limit reached — execute directly for explicit manual trigger.
+        // Remove from pendingWorkers to avoid double execution when finally fires.
+        const pendingIdx = this.pendingWorkers.indexOf(workerConfig.type);
+        if (pendingIdx !== -1)
+            this.pendingWorkers.splice(pendingIdx, 1);
         return this.executeWorker(workerConfig);
     }
     /**
@@ -942,7 +1024,9 @@ export class WorkerDaemon extends EventEmitter {
             savedAt: new Date().toISOString(),
         };
         try {
-            writeFileSync(this.config.stateFile, JSON.stringify(state, null, 2));
+            const tmp = this.config.stateFile + '.tmp';
+            writeFileSync(tmp, JSON.stringify(state, null, 2));
+            renameSync(tmp, this.config.stateFile);
         }
         catch (error) {
             this.log('error', `Failed to save state: ${error}`);

package/packages/@monomind/cli/dist/src/services/worker-queue.d.ts

@@ -102,7 +102,10 @@ export declare class WorkerQueue extends EventEmitter {
     private store;
     private workerId;
     private heartbeatTimer?;
+    private visibilityTimer?;
+    private retryTimers;
     private processingTasks;
+    private taskGenerations;
     private isShuttingDown;
     private maxConcurrent;
     private initialized;
@@ -111,6 +114,10 @@ export declare class WorkerQueue extends EventEmitter {
      * Initialize the queue (starts cleanup timers)
      */
     initialize(): Promise<void>;
+    /**
+     * Requeue processing tasks that exceeded the visibility timeout (crashed workers).
+     */
+    private startVisibilityReaper;
     /**
      * Enqueue a new task
      */
@@ -126,11 +133,11 @@ export declare class WorkerQueue extends EventEmitter {
     /**
      * Complete a task with result
      */
-    complete(taskId: string, result: HeadlessExecutionResult): Promise<void>;
+    complete(taskId: string, result: HeadlessExecutionResult, leaseGen?: number): Promise<void>;
     /**
      * Fail a task with error
      */
-    fail(taskId: string, error: string, retryable?: boolean): Promise<void>;
+    fail(taskId: string, error: string, retryable?: boolean, leaseGen?: number): Promise<void>;
     /**
      * Get task status
      */

package/packages/@monomind/cli/dist/src/services/worker-queue.js

@@ -161,7 +161,16 @@ export class WorkerQueue extends EventEmitter {
     store;
     workerId;
     heartbeatTimer;
+    visibilityTimer;
+    retryTimers = new Set();
     processingTasks = new Set();
+    // Per-task lease generation. When the visibility reaper requeues a task
+    // because of timeout, the generation is bumped. The original (still-running)
+    // handler's complete()/fail() call carries the old generation and is
+    // rejected — first-finisher wins, the loser drops. This prevents
+    // double-execution side effects on non-idempotent workers (audit reports,
+    // GitHub posts, memory writes).
+    taskGenerations = new Map();
     isShuttingDown = false;
     maxConcurrent = 1;
     initialized = false;
@@ -178,9 +187,51 @@ export class WorkerQueue extends EventEmitter {
         if (this.initialized)
             return;
         this.store.startCleanup();
+        this.startVisibilityReaper();
         this.initialized = true;
         this.emit('initialized', { workerId: this.workerId });
     }
+    /**
+     * Requeue processing tasks that exceeded the visibility timeout (crashed workers).
+     */
+    startVisibilityReaper() {
+        this.visibilityTimer = setInterval(() => {
+            // Skip running the reaper while we're shutting down so it can't requeue
+            // tasks back into a queue that is about to be torn down.
+            if (this.isShuttingDown)
+                return;
+            const now = Date.now();
+            for (const taskId of this.processingTasks) {
+                const task = this.store.getTask(taskId);
+                if (!task) {
+                    this.processingTasks.delete(taskId);
+                    continue;
+                }
+                const startedMs = task.startedAt ? task.startedAt.getTime() : 0;
+                if (now - startedMs > this.config.visibilityTimeoutMs) {
+                    this.processingTasks.delete(taskId);
+                    if (task.retryCount < task.maxRetries) {
+                        task.retryCount++;
+                        task.status = 'pending';
+                        task.startedAt = undefined;
+                        task.workerId = undefined;
+                        this.store.setTask(taskId, task);
+                        const queueName = this.getQueueName(task.workerType);
+                        this.store.pushToQueue(queueName, taskId, PRIORITY_SCORES[task.priority]);
+                        this.emit('taskRetrying', { taskId, retryCount: task.retryCount, delay: 0 });
+                    }
+                    else {
+                        task.status = 'failed';
+                        task.completedAt = new Date();
+                        task.error = 'Visibility timeout exceeded';
+                        this.store.setTask(taskId, task);
+                        this.emit('taskFailed', { taskId, error: task.error });
+                    }
+                }
+            }
+        }, Math.max(5000, this.config.visibilityTimeoutMs / 4));
+        this.visibilityTimer.unref();
+    }
     // ============================================
     // Public API - Task Management
     // ============================================
@@ -241,6 +292,12 @@ export class WorkerQueue extends EventEmitter {
                     task.workerId = this.workerId;
                     this.store.setTask(taskId, task);
                     this.processingTasks.add(taskId);
+                    // Bump lease generation. Stamp on the in-memory task so the
+                    // handler's later complete()/fail() can compare and detect a
+                    // reap-and-redequeue cycle.
+                    const gen = (this.taskGenerations.get(taskId) ?? 0) + 1;
+                    this.taskGenerations.set(taskId, gen);
+                    task.__leaseGen = gen;
                     this.emit('taskDequeued', { taskId, workerType });
                     return task;
                 }
@@ -251,12 +308,18 @@ export class WorkerQueue extends EventEmitter {
     /**
      * Complete a task with result
      */
-    async complete(taskId, result) {
+    async complete(taskId, result, leaseGen) {
         const task = this.store.getTask(taskId);
         if (!task) {
             this.emit('warning', { message: `Task ${taskId} not found for completion` });
             return;
         }
+        // Reject stale leases: if the reaper requeued this task and another
+        // worker has already taken it (bumping the generation), drop our result.
+        if (leaseGen !== undefined && this.taskGenerations.get(taskId) !== leaseGen) {
+            this.emit('warning', { message: `Task ${taskId} complete() rejected: lease expired` });
+            return;
+        }
         task.status = 'completed';
         task.completedAt = new Date();
         task.result = result;
@@ -269,12 +332,16 @@ export class WorkerQueue extends EventEmitter {
     /**
      * Fail a task with error
      */
-    async fail(taskId, error, retryable = true) {
+    async fail(taskId, error, retryable = true, leaseGen) {
         const task = this.store.getTask(taskId);
         if (!task) {
             this.emit('warning', { message: `Task ${taskId} not found for failure` });
             return;
         }
+        if (leaseGen !== undefined && this.taskGenerations.get(taskId) !== leaseGen) {
+            this.emit('warning', { message: `Task ${taskId} fail() rejected: lease expired` });
+            return;
+        }
         this.processingTasks.delete(taskId);
         // Check if we should retry
         if (retryable && task.retryCount < task.maxRetries) {
@@ -284,12 +351,19 @@ export class WorkerQueue extends EventEmitter {
             task.workerId = undefined;
             task.error = error;
             this.store.setTask(taskId, task);
-            // Re-queue with delay (exponential backoff)
+            // Re-queue with delay (exponential backoff). Track the timer so shutdown
+            // can clear it — otherwise pending retries fire after shutdown and push
+            // tasks back into a torn-down queue.
             const delay = Math.min(30000, 1000 * Math.pow(2, task.retryCount));
-            setTimeout(() => {
+            const retryTimer = setTimeout(() => {
+                this.retryTimers.delete(retryTimer);
+                if (this.isShuttingDown)
+                    return;
                 const queueName = this.getQueueName(task.workerType);
                 this.store.pushToQueue(queueName, taskId, PRIORITY_SCORES[task.priority]);
             }, delay);
+            retryTimer.unref();
+            this.retryTimers.add(retryTimer);
             this.emit('taskRetrying', { taskId, retryCount: task.retryCount, delay });
         }
         else {
@@ -469,8 +543,15 @@ export class WorkerQueue extends EventEmitter {
         for (const taskId of this.processingTasks) {
             await this.fail(taskId, 'Worker shutdown', false);
         }
-        // Stop store cleanup
+        // Stop store cleanup and timers
         this.store.stopCleanup();
+        if (this.visibilityTimer) {
+            clearInterval(this.visibilityTimer);
+            this.visibilityTimer = undefined;
+        }
+        for (const t of this.retryTimers)
+            clearTimeout(t);
+        this.retryTimers.clear();
         await this.unregisterWorker();
         this.initialized = false;
         this.emit('shutdown', {});

package/packages/@monomind/cli/dist/src/suggest.js

@@ -15,6 +15,15 @@ export function levenshteinDistance(a, b) {
         return n;
     if (n === 0)
         return m;
+    // Bound input length — the Wagner-Fischer matrix is O(m × n) memory.
+    // Without this cap, any caller that passes a long stdin-derived string
+    // (shell completion of a malformed command, untrusted CLI arg) can OOM
+    // the process. For ranking purposes the worst-case distance is `max(m,n)`,
+    // so returning that is safe.
+    const MAX_LEN = 256;
+    if (m > MAX_LEN || n > MAX_LEN || Math.abs(m - n) > 64) {
+        return Math.max(m, n);
+    }
     // Create distance matrix
     const d = Array(m + 1).fill(null).map(() => Array(n + 1).fill(0));
     // Initialize first column

package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.d.ts

@@ -11,16 +11,18 @@ export declare class FlowEnforcer {
     private readonly swarmId;
     private readonly enforce;
     private readonly violations;
+    private static readonly MAX_VIOLATIONS;
     constructor(graph: CommunicationGraph, swarmId: string, enforceMode: boolean);
     /**
      * Check whether a message is authorized and record any violation.
      *
-     * - Authorized: returns { authorized: true }
-     * - Unauthorized + enforce=true: returns { authorized: false, violation } (blocked)
-     * - Unauthorized + enforce=false: returns { authorized: true, violation } (logged)
+     * Returns BOTH `authorized` (the policy decision) and `enforced` (whether the
+     * decision is actually applied). Callers must read both — taking action based
+     * solely on `authorized` would let `enforce=false` silently bypass the policy.
      */
     checkAndRecord(fromSlug: string, toSlug: string, messageContent: string): {
         authorized: boolean;
+        enforced: boolean;
         violation?: FlowViolation;
     };
     /** Return all recorded violations */

package/packages/@monomind/cli/dist/src/swarm/flow-enforcer.js

@@ -10,6 +10,7 @@ export class FlowEnforcer {
     swarmId;
     enforce;
     violations = [];
+    static MAX_VIOLATIONS = 1000;
     constructor(graph, swarmId, enforceMode) {
         this.graph = graph;
         this.swarmId = swarmId;
@@ -18,26 +19,37 @@ export class FlowEnforcer {
     /**
      * Check whether a message is authorized and record any violation.
      *
-     * - Authorized: returns { authorized: true }
-     * - Unauthorized + enforce=true: returns { authorized: false, violation } (blocked)
-     * - Unauthorized + enforce=false: returns { authorized: true, violation } (logged)
+     * Returns BOTH `authorized` (the policy decision) and `enforced` (whether the
+     * decision is actually applied). Callers must read both — taking action based
+     * solely on `authorized` would let `enforce=false` silently bypass the policy.
      */
     checkAndRecord(fromSlug, toSlug, messageContent) {
         if (this.graph.isAuthorized(fromSlug, toSlug)) {
-            return { authorized: true };
+            return { authorized: true, enforced: this.enforce };
         }
         const violation = {
             violationId: randomUUID(),
             swarmId: this.swarmId,
             fromAgentSlug: fromSlug,
             toAgentSlug: toSlug,
+            // Truncated preview only; for sensitive traffic, redact via a hook before
+            // it reaches this enforcer. Cap means an attacker can't fill memory with
+            // long messages either.
             messagePreview: messageContent.slice(0, 120),
             detectedAt: new Date().toISOString(),
             action: this.enforce ? 'blocked' : 'logged',
         };
+        // FIFO eviction so a sustained attack can't grow violations to GB-scale.
+        if (this.violations.length >= FlowEnforcer.MAX_VIOLATIONS) {
+            this.violations.shift();
+        }
         this.violations.push(violation);
         return {
-            authorized: !this.enforce,
+            // Policy decision: NOT authorized. Whether the caller blocks the send is
+            // governed by `enforced`, which is exposed separately so callers cannot
+            // accidentally treat audit-mode as "permitted".
+            authorized: false,
+            enforced: this.enforce,
             violation,
         };
     }

package/packages/@monomind/cli/dist/src/swarm/flow-visualizer.d.ts

@@ -11,6 +11,9 @@ import type { FlowEdge } from '../../../shared/src/types/communication-flow.js';
 export declare function toAscii(edges: FlowEdge[], title?: string): string;
 /**
  * Render edges as a DOT language digraph (Graphviz compatible).
+ * Slugs are escaped so a malicious slug cannot inject DOT attributes
+ * (e.g., URL="javascript:..." would be rendered as a clickable link
+ * by Graphviz's SVG output without escaping).
  */
 export declare function toDOT(edges: FlowEdge[], graphName?: string): string;
 //# sourceMappingURL=flow-visualizer.d.ts.map