monomind 1.7.0 → 1.9.0

package/packages/@monomind/cli/bin/cli.js

@@ -4,35 +4,81 @@
  *
  * Monomind Command Line Interface
  *
- * Auto-detects MCP mode when stdin is piped and no args provided.
- * This allows: echo '{"jsonrpc":"2.0",...}' | npx @monomind/cli
+ * MCP mode requires explicit `mcp start` subcommand or MONOMIND_MCP_AUTODETECT=1.
+ * Usage: npx @monomind/cli mcp start
  */
 
 import { randomUUID } from 'crypto';
 
-// Check if we should run in MCP server mode
-// Conditions:
-//   1. stdin is being piped AND no CLI arguments provided (auto-detect)
-//   2. stdin is being piped AND args are "mcp start" (explicit, e.g. npx monomind@alpha mcp start)
+// Check if we should run in MCP server mode.
+// SECURITY: only accept explicit `mcp start` plus piped stdin, OR the explicit
+// `MONOMIND_MCP_AUTODETECT=1` opt-in for the legacy "no args + non-TTY" path.
+// Previously any `monomind` invocation with redirected stdin (CI pipes, xargs,
+// editor integrations) silently flipped into MCP server mode and accepted
+// JSON-RPC tools/call — privilege escalation by environment.
 const cliArgs = process.argv.slice(2);
 const isExplicitMCP = cliArgs.length >= 1 && cliArgs[0] === 'mcp' && (cliArgs.length === 1 || cliArgs[1] === 'start');
-const isMCPMode = !process.stdin.isTTY && (process.argv.length === 2 || isExplicitMCP);
+const allowAutoDetect = process.env.MONOMIND_MCP_AUTODETECT === '1';
+const isMCPMode = !process.stdin.isTTY && (isExplicitMCP || (allowAutoDetect && process.argv.length === 2));
 
 if (isMCPMode) {
   // Run MCP server mode
   const { listMCPTools, callMCPTool, hasTool } = await import('../dist/src/mcp-client.js');
 
-  const VERSION = '3.0.0';
+  // Read version from package.json instead of hardcoding (prevents stale
+  // version drift between bin entry and the published package).
+  let VERSION = '0.0.0';
+  try {
+    const { readFileSync } = await import('fs');
+    const { fileURLToPath } = await import('url');
+    const { dirname, join } = await import('path');
+    const pkgPath = join(dirname(fileURLToPath(import.meta.url)), '..', 'package.json');
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    if (typeof pkg.version === 'string') VERSION = pkg.version;
+  } catch { /* fall back to 0.0.0 */ }
   const sessionId = `mcp-${Date.now()}-${randomUUID().slice(0, 8)}`;
 
-  console.error(
-    `[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) Starting in stdio mode`
-  );
+  // Don't leak nodeVersion/platform/arch/pid to stderr by default; gate behind
+  // MONOMIND_LOG_LEVEL=debug to reduce fingerprinting in shared log aggregators.
+  if (process.env.MONOMIND_LOG_LEVEL === 'debug') {
+    console.error(
+      `[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) Starting in stdio mode (node=${process.version} platform=${process.platform} arch=${process.arch})`
+    );
+  } else {
+    console.error(
+      `[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) Starting in stdio mode`
+    );
+  }
+
+  // Top-level safety nets — without these, an unhandled async error in a tool
+  // handler crashes the process with no observable cleanup.
+  process.on('uncaughtException', (err) => {
+    console.error(`[${new Date().toISOString()}] FATAL [monomind-mcp] uncaughtException: ${err && err.message ? err.message : String(err)}`);
+    process.exit(1);
+  });
+  process.on('unhandledRejection', (reason) => {
+    const msg = reason instanceof Error ? reason.message : String(reason);
+    console.error(`[${new Date().toISOString()}] FATAL [monomind-mcp] unhandledRejection: ${msg}`);
+    process.exit(1);
+  });
+  const shutdown = (sig) => {
+    console.error(`[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) ${sig} received, shutting down`);
+    process.exit(0);
+  };
+  process.on('SIGINT', () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
 
+  // Cap on accumulated input buffer so a peer pumping a single multi-GB line
+  // (or a slow trickle without newlines) cannot OOM-kill the process.
+  const MAX_BUFFER_BYTES = 10 * 1024 * 1024;
   let buffer = '';
   process.stdin.setEncoding('utf8');
   process.stdin.on('data', async (chunk) => {
     buffer += chunk;
+    if (buffer.length > MAX_BUFFER_BYTES) {
+      console.error(`[${new Date().toISOString()}] FATAL [monomind-mcp] input exceeds ${MAX_BUFFER_BYTES} bytes`);
+      process.exit(1);
+    }
     let lines = buffer.split('\n');
     buffer = lines.pop() || '';
 
@@ -146,11 +192,30 @@ if (isMCPMode) {
     }
   }
 } else {
-  // Run normal CLI mode
+  // Run normal CLI mode.
+  // Install top-level handlers so an asynchronous error fired from an event-
+  // loop callback does not bypass the synchronous .catch below. Default Node
+  // handler prints the full stack to stderr — which on this codebase includes
+  // attacker-influenced bytes from registry/config error messages and full
+  // filesystem paths. Sanitize before logging and exit non-zero.
+  const safeMsg = (m) =>
+    String(m == null ? '' : m).replace(/[\x00-\x1f\x7f-\x9f]/g, '?').slice(0, 1000);
+  process.on('uncaughtException', (err) => {
+    console.error(`[${new Date().toISOString()}] FATAL [monomind] uncaughtException: ${safeMsg(err && err.message)}`);
+    if (process.env.DEBUG) console.error(err && err.stack);
+    process.exit(1);
+  });
+  process.on('unhandledRejection', (reason) => {
+    const msg = reason instanceof Error ? reason.message : String(reason);
+    console.error(`[${new Date().toISOString()}] FATAL [monomind] unhandledRejection: ${safeMsg(msg)}`);
+    if (process.env.DEBUG && reason instanceof Error) console.error(reason.stack);
+    process.exit(1);
+  });
+
   const { CLI } = await import('../dist/src/index.js');
   const cli = new CLI();
   cli.run().catch((error) => {
-    console.error('Fatal error:', error.message);
+    console.error('Fatal error:', safeMsg(error && error.message));
     process.exit(1);
   });
 }

package/packages/@monomind/cli/dist/src/agents/halt-signal.js

@@ -6,14 +6,23 @@
  * can query whether a halt has been issued.
  */
 import { randomUUID } from 'crypto';
-import { existsSync, mkdirSync, appendFileSync, readFileSync } from 'fs';
-import { join, dirname } from 'path';
-const DEFAULT_FILE = () => join(process.cwd(), 'data', 'halt-signals.jsonl');
+import { existsSync, mkdirSync, appendFileSync, readFileSync, statSync } from 'fs';
+import { join, dirname, resolve, sep } from 'path';
+const ALLOWED_ROOT = () => resolve(process.env.MONOMIND_DATA_DIR ?? process.cwd());
+const DEFAULT_FILE = () => join(ALLOWED_ROOT(), 'data', 'halt-signals.jsonl');
+function safeHaltFilePath(filePath) {
+    const allowedRoot = ALLOWED_ROOT();
+    const resolved = resolve(filePath);
+    if (resolved !== allowedRoot && !resolved.startsWith(allowedRoot + sep)) {
+        throw new Error(`Halt signal file path escapes allowed directory: ${filePath}`);
+    }
+    return resolved;
+}
 /**
  * Broadcast a halt signal for a swarm.
  */
 export function broadcast(swarmId, sourceAgentId, reason, filePath) {
-    const target = filePath ?? DEFAULT_FILE();
+    const target = filePath ? safeHaltFilePath(filePath) : DEFAULT_FILE();
     const dir = dirname(target);
     if (!existsSync(dir)) {
         mkdirSync(dir, { recursive: true });
@@ -32,10 +41,22 @@ export function broadcast(swarmId, sourceAgentId, reason, filePath) {
  * Check whether any halt signal exists for the given swarm.
  */
 export function isHalted(swarmId, filePath) {
-    const target = filePath ?? DEFAULT_FILE();
+    const target = filePath ? safeHaltFilePath(filePath) : DEFAULT_FILE();
     if (!existsSync(target)) {
         return false;
     }
+    // Size cap. isHalted is on the swarm-coordination hot path; without this
+    // cap a planted multi-GB file (or unbounded broadcast accumulation over
+    // weeks) reliably OOMs the CLI on the next call. Treat oversized halt
+    // logs as "no halt" — fail-safe in the swarm-termination flow.
+    try {
+        const stat = statSync(target);
+        if (stat.size > 10 * 1024 * 1024)
+            return false;
+    }
+    catch {
+        return false;
+    }
     const raw = readFileSync(target, 'utf-8').trim();
     if (!raw)
         return false;
@@ -43,8 +64,13 @@ export function isHalted(swarmId, filePath) {
         .split('\n')
         .filter(Boolean)
         .some((line) => {
-        const rec = JSON.parse(line);
-        return rec.swarmId === swarmId;
+        try {
+            const rec = JSON.parse(line);
+            return rec.swarmId === swarmId;
+        }
+        catch {
+            return false;
+        }
     });
 }
 //# sourceMappingURL=halt-signal.js.map

package/packages/@monomind/cli/dist/src/agents/managed-agent.js

@@ -8,10 +8,13 @@ export async function spawnAndAwait(agentSlug, task, runner, options = {}) {
     const startedAt = Date.now();
     const taskId = `managed-${Date.now().toString(36)}-${randomBytes(4).toString('hex')}`;
     try {
+        let timeoutHandle;
         const output = await Promise.race([
             runner(agentSlug, taskId, task),
-            new Promise((_, reject) => setTimeout(() => reject(new Error(`Timeout after ${timeoutMs}ms`)), timeoutMs)),
-        ]);
+            new Promise((_, reject) => {
+                timeoutHandle = setTimeout(() => reject(new Error(`Timeout after ${timeoutMs}ms`)), timeoutMs);
+            }),
+        ]).finally(() => clearTimeout(timeoutHandle));
         return {
             agentSlug, taskId, output, status: 'success',
             durationMs: Date.now() - startedAt,

package/packages/@monomind/cli/dist/src/agents/prompt-experiment.d.ts

@@ -5,9 +5,9 @@
  * routes to the candidate or control version. Falls back to the active version
  * when no experiment is running.
  *
- * @module @monoes/cli/agents/prompt-experiment
+ * @module @monomind/cli/agents/prompt-experiment
  */
-import type { PromptVersionStore } from '../../../memory/src/prompt-version-store.js';
+type PromptVersionStore = any;
 export interface ResolvedPrompt {
     prompt: string;
     version: string;
@@ -19,4 +19,5 @@ export declare class PromptExperimentRouter {
     constructor(store: PromptVersionStore);
     resolvePromptForSpawn(agentSlug: string): ResolvedPrompt;
 }
+export {};
 //# sourceMappingURL=prompt-experiment.d.ts.map

package/packages/@monomind/cli/dist/src/agents/prompt-experiment.js

@@ -5,7 +5,7 @@
  * routes to the candidate or control version. Falls back to the active version
  * when no experiment is running.
  *
- * @module @monoes/cli/agents/prompt-experiment
+ * @module @monomind/cli/agents/prompt-experiment
  */
 export class PromptExperimentRouter {
     store;

package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.d.ts

@@ -4,9 +4,11 @@
  * Provides publish-from-file, promote, rollback, and experiment
  * start/stop workflows on top of PromptVersionStore.
  *
- * @module @monoes/cli/agents/prompt-version-manager
+ * @module @monomind/cli/agents/prompt-version-manager
  */
-import type { PromptVersionStore, PromptVersion, PromptExperiment } from '../../../memory/src/prompt-version-store.js';
+type PromptVersionStore = any;
+type PromptVersion = any;
+type PromptExperiment = any;
 export declare class PromptVersionManager {
     private readonly store;
     constructor(store: PromptVersionStore);
@@ -16,4 +18,5 @@ export declare class PromptVersionManager {
     startExperiment(experiment: PromptExperiment): void;
     stopExperiment(agentSlug: string, promoteWinner?: boolean): void;
 }
+export {};
 //# sourceMappingURL=prompt-version-manager.d.ts.map

package/packages/@monomind/cli/dist/src/agents/prompt-version-manager.js

@@ -4,16 +4,39 @@
  * Provides publish-from-file, promote, rollback, and experiment
  * start/stop workflows on top of PromptVersionStore.
  *
- * @module @monoes/cli/agents/prompt-version-manager
+ * @module @monomind/cli/agents/prompt-version-manager
  */
 import * as fs from 'node:fs';
+import * as path from 'node:path';
 export class PromptVersionManager {
     store;
     constructor(store) {
         this.store = store;
     }
     publishFromFile(agentSlug, filePath, newVersion, changelog) {
-        const prompt = fs.readFileSync(filePath, 'utf-8');
+        // Symlink-aware containment: path.resolve does NOT follow symlinks, so
+        // a symlink under cwd pointing at /etc/shadow would have passed the
+        // prefix-check below. Use realpathSync on both sides and reject symlinks
+        // at the leaf so the resolved file is provably inside the project.
+        const allowedRoot = fs.realpathSync(process.cwd());
+        const requested = path.resolve(filePath);
+        if (!fs.existsSync(requested)) {
+            throw new Error(`filePath does not exist: ${requested}`);
+        }
+        if (fs.lstatSync(requested).isSymbolicLink()) {
+            throw new Error('filePath must not be a symlink');
+        }
+        const resolved = fs.realpathSync(requested);
+        const rel = path.relative(allowedRoot, resolved);
+        if (rel.startsWith('..') || path.isAbsolute(rel)) {
+            throw new Error(`filePath must be inside the project directory: ${allowedRoot}`);
+        }
+        const MAX_PROMPT_BYTES = 1 * 1024 * 1024;
+        const fileSize = fs.statSync(resolved).size;
+        if (fileSize > MAX_PROMPT_BYTES) {
+            throw new Error(`filePath exceeds maximum allowed size (${MAX_PROMPT_BYTES} bytes): ${resolved}`);
+        }
+        const prompt = fs.readFileSync(resolved, 'utf-8');
         const version = {
             agentSlug,
             version: newVersion,
@@ -47,8 +70,7 @@ export class PromptVersionManager {
         if (!experiment) {
             throw new Error(`No active experiment for "${agentSlug}"`);
         }
-        // Default winner is control
-        const winnerId = experiment.control;
+        const winnerId = (experiment.winner ?? experiment.control);
         this.store.concludeExperiment(agentSlug, winnerId);
         if (promoteWinner) {
             this.store.setActive(agentSlug, winnerId);

package/packages/@monomind/cli/dist/src/agents/specialization-scorer.js

@@ -4,9 +4,11 @@
  * JSONL-based per-agent-per-task-type scoring with time-decay.
  * Enables monomind to prefer historically successful agents for specific task types.
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, statSync } from 'fs';
+import { randomBytes } from 'crypto';
 import { dirname } from 'path';
 import { calculateDecayFactor } from './score-decay.js';
+import { parseJsonl } from '../utils/parse-jsonl.js';
 /** Key used to identify a unique agent+taskType pair in the JSONL store. */
 function scoreKey(agentSlug, taskType) {
     return `${agentSlug}::${taskType}`;
@@ -34,17 +36,23 @@ export class SpecializationScorer {
         if (!existsSync(this.filePath)) {
             return [];
         }
-        const raw = readFileSync(this.filePath, 'utf-8').trim();
-        if (!raw)
-            return [];
-        return raw
-            .split('\n')
-            .filter(Boolean)
-            .map((line) => JSON.parse(line));
+        // 10MB cap. readAll is on the routing hot path; without this cap a
+        // bloated scorer file (planted or grown via repeated recordOutcome calls
+        // with diverse agentSlug::taskType keys) crashes the CLI on every route.
+        const stat = statSync(this.filePath);
+        if (stat.size > 10 * 1024 * 1024) {
+            throw new Error('Scorer store exceeds 10MB; run compaction');
+        }
+        const raw = readFileSync(this.filePath, 'utf-8');
+        return parseJsonl(raw).filter((r) => r !== null && typeof r === 'object' && !Array.isArray(r) &&
+            Object.getPrototypeOf(r) === Object.prototype);
     }
     writeAll(records) {
         const lines = records.map((r) => JSON.stringify(r));
-        writeFileSync(this.filePath, lines.join('\n') + '\n', 'utf-8');
+        // Unique tmp filename so concurrent recordOutcome calls don't collide.
+        const tmp = `${this.filePath}.${process.pid}.${randomBytes(8).toString('hex')}.tmp`;
+        writeFileSync(tmp, lines.join('\n') + '\n', 'utf-8');
+        renameSync(tmp, this.filePath);
     }
     // ---------------------------------------------------------------------------
     // Public API

package/packages/@monomind/cli/dist/src/agents/trigger-scanner.d.ts

@@ -9,11 +9,12 @@
  * - `inject` matches accumulate as additional candidates.
  * - Invalid regex patterns are silently skipped.
  */
-import type { TriggerPattern, TriggerMatch, TriggerIndex } from '../../../../@monoes/shared/src/types/trigger.js';
+import type { TriggerPattern, TriggerMatch, TriggerIndex } from '../../../../@monomind/shared/src/types/trigger.js';
 export declare class TriggerScanner {
     private compiled;
     private patterns;
     private totalAgentsScanned;
+    private buildingIndex;
     constructor(patterns?: TriggerPattern[]);
     /**
      * Test all patterns against `taskDescription` and return matches.
@@ -29,7 +30,8 @@ export declare class TriggerScanner {
      * Reads each `.md` file, extracts YAML frontmatter, and looks for
      * `triggers:` entries with `pattern`, `mode`, and optional `priority`.
      */
-    buildIndex(agentDir: string): TriggerIndex;
+    buildIndex(agentDir: string, allowedRoot?: string): TriggerIndex;
+    private _buildIndex;
     /** Add a pattern to the index at runtime. */
     addPattern(pattern: TriggerPattern): void;
     /**
@@ -43,7 +45,7 @@ export declare class TriggerScanner {
     get size(): number;
     private compileAndAdd;
     private sortByPriority;
-    /** Recursively collect `.md` files. */
+    /** Recursively collect `.md` files (symlinks skipped, visited inodes tracked). */
     private collectMdFiles;
     /** Derive slug from filename. */
     private slugFromPath;

package/packages/@monomind/cli/dist/src/agents/trigger-scanner.js

@@ -9,12 +9,13 @@
  * - `inject` matches accumulate as additional candidates.
  * - Invalid regex patterns are silently skipped.
  */
-import { readFileSync, readdirSync, statSync } from 'fs';
-import { join, extname } from 'path';
+import { readFileSync, readdirSync, lstatSync, statSync, realpathSync } from 'fs';
+import { join, extname, resolve, sep } from 'path';
 export class TriggerScanner {
     compiled = [];
     patterns = [];
     totalAgentsScanned = 0;
+    buildingIndex = false;
     constructor(patterns = []) {
         for (const p of patterns) {
             this.compileAndAdd(p);
@@ -59,14 +60,48 @@ export class TriggerScanner {
      * Reads each `.md` file, extracts YAML frontmatter, and looks for
      * `triggers:` entries with `pattern`, `mode`, and optional `priority`.
      */
-    buildIndex(agentDir) {
+    buildIndex(agentDir, allowedRoot) {
+        if (this.buildingIndex) {
+            throw new Error('buildIndex is already running; concurrent invocations are not safe');
+        }
+        this.buildingIndex = true;
+        try {
+            return this._buildIndex(agentDir, allowedRoot);
+        }
+        finally {
+            this.buildingIndex = false;
+        }
+    }
+    _buildIndex(agentDir, allowedRoot) {
+        if (allowedRoot) {
+            let resolvedDir;
+            let resolvedRoot;
+            try {
+                resolvedDir = realpathSync(resolve(agentDir));
+            }
+            catch {
+                resolvedDir = resolve(agentDir);
+            }
+            try {
+                resolvedRoot = realpathSync(resolve(allowedRoot));
+            }
+            catch {
+                resolvedRoot = resolve(allowedRoot);
+            }
+            if (!resolvedDir.startsWith(resolvedRoot + sep) && resolvedDir !== resolvedRoot) {
+                throw new Error(`Agent directory escapes workspace: ${resolvedDir}`);
+            }
+        }
         const mdFiles = this.collectMdFiles(agentDir);
         this.patterns = [];
         this.compiled = [];
         this.totalAgentsScanned = mdFiles.length;
+        const MAX_AGENT_FILE_BYTES = 1 * 1024 * 1024;
         for (const filePath of mdFiles) {
             let content;
             try {
+                if (statSync(filePath).size > MAX_AGENT_FILE_BYTES)
+                    continue;
                 content = readFileSync(filePath, 'utf-8');
             }
             catch {
@@ -118,6 +153,14 @@ export class TriggerScanner {
     // Internal helpers
     // ---------------------------------------------------------------------------
     compileAndAdd(pattern) {
+        if (pattern.pattern.length > 200)
+            return;
+        // Reject patterns with nested/repeated quantifiers (ReDoS vectors)
+        // Covers: (a+)+, (a|b+)+, (a?){n}, ((a)+)+, [a-z]+{n}
+        if (/(\(.*[+*?].*\)|[+*?]){2,}|\{[0-9,]+\}.*[+*?]|(\[[^\]]*\]|\.)[+*?][+*?]/.test(pattern.pattern))
+            return;
+        if (/\([^)]*([+*][^)]*){2,}\)/.test(pattern.pattern))
+            return;
         try {
             const regex = new RegExp(pattern.pattern, 'i');
             this.patterns.push(pattern);
@@ -134,8 +177,8 @@ export class TriggerScanner {
         this.patterns = indexed.map((x) => x.p);
         this.compiled = indexed.map((x) => x.c);
     }
-    /** Recursively collect `.md` files. */
-    collectMdFiles(dir) {
+    /** Recursively collect `.md` files (symlinks skipped, visited inodes tracked). */
+    collectMdFiles(dir, visited = new Set()) {
         const results = [];
         let entries;
         try {
@@ -146,17 +189,22 @@ export class TriggerScanner {
         }
         for (const entry of entries) {
             const full = join(dir, entry);
-            let stat;
+            let lstat;
             try {
-                stat = statSync(full);
+                lstat = lstatSync(full);
             }
             catch {
                 continue;
             }
-            if (stat.isDirectory()) {
-                results.push(...this.collectMdFiles(full));
+            if (lstat.isSymbolicLink())
+                continue;
+            if (lstat.isDirectory()) {
+                if (visited.has(lstat.ino))
+                    continue;
+                visited.add(lstat.ino);
+                results.push(...this.collectMdFiles(full, visited));
             }
-            else if (stat.isFile() && extname(entry) === '.md') {
+            else if (lstat.isFile() && extname(entry) === '.md') {
                 results.push(full);
             }
         }

package/packages/@monomind/cli/dist/src/agents/version-store.d.ts

@@ -17,7 +17,6 @@ export declare class AgentVersionStore {
     constructor(dirPath: string);
     private readAll;
     private writeAll;
-    private appendRecord;
     /**
      * Save a new version for the given agent slug.
      *

package/packages/@monomind/cli/dist/src/agents/version-store.js

@@ -4,10 +4,11 @@
  * JSONL-based append-only storage for agent definition versions.
  * Supports save, list, get, rollback, and diff operations.
  */
-import { createHash, randomUUID } from 'crypto';
-import { existsSync, mkdirSync, readFileSync, writeFileSync, appendFileSync } from 'fs';
+import { createHash, randomUUID, randomBytes } from 'crypto';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, statSync } from 'fs';
 import { join } from 'path';
 import { computeUnifiedDiff } from './version-diff.js';
+import { parseJsonl } from '../utils/parse-jsonl.js';
 function toStored(r) {
     return {
         id: r.id,
@@ -63,21 +64,41 @@ export class AgentVersionStore {
         if (!existsSync(this.filePath)) {
             return [];
         }
-        const raw = readFileSync(this.filePath, 'utf-8').trim();
-        if (!raw)
-            return [];
-        return raw
-            .split('\n')
-            .filter(Boolean)
-            .map((line) => fromStored(JSON.parse(line)));
+        const stat = statSync(this.filePath);
+        if (stat.size > 10 * 1024 * 1024) {
+            throw new Error('Version store exceeds size limit; run compaction');
+        }
+        const raw = readFileSync(this.filePath, 'utf-8');
+        // Drop any record whose stored contentHash does not match the SHA-256 of
+        // its content. saveVersion advertises tamper-evidence by computing the
+        // hash; without this verification step, an attacker who can write the
+        // JSONL file can swap `content` with a poisoned agent prompt while
+        // leaving `contentHash` unchanged, and the next getCurrent() returns
+        // the tampered prompt verbatim into the LLM context.
+        const records = parseJsonl(raw);
+        const verified = [];
+        for (const r of records) {
+            if (typeof r?.content !== 'string' ||
+                typeof r?.contentHash !== 'string' ||
+                typeof r?.id !== 'string' ||
+                typeof r?.slug !== 'string' ||
+                typeof r?.version !== 'string' ||
+                typeof r?.changelog !== 'string' ||
+                typeof r?.capturedBy !== 'string' ||
+                typeof r?.capturedAt !== 'string')
+                continue;
+            const actual = createHash('sha256').update(r.content).digest('hex');
+            if (actual !== r.contentHash)
+                continue; // silently drop tampered record
+            verified.push(r);
+        }
+        return verified.map(fromStored);
     }
     writeAll(records) {
         const lines = records.map((r) => JSON.stringify(toStored(r)));
-        writeFileSync(this.filePath, lines.join('\n') + '\n', 'utf-8');
-    }
-    appendRecord(record) {
-        const line = JSON.stringify(toStored(record)) + '\n';
-        appendFileSync(this.filePath, line, 'utf-8');
+        const tmp = `${this.filePath}.${process.pid}.${randomBytes(8).toString('hex')}.tmp`;
+        writeFileSync(tmp, lines.join('\n') + '\n', 'utf-8');
+        renameSync(tmp, this.filePath);
     }
     // ---------------------------------------------------------------------------
     // Public API
@@ -89,19 +110,20 @@ export class AgentVersionStore {
      * the same slug as non-current, and appends the new record.
      */
     saveVersion(slug, content, version, changelog, opts = {}) {
+        const MAX_CONTENT_BYTES = 512 * 1024;
+        if (Buffer.byteLength(content, 'utf-8') > MAX_CONTENT_BYTES) {
+            throw new Error(`content exceeds maximum allowed size (${MAX_CONTENT_BYTES} bytes)`);
+        }
         const contentHash = createHash('sha256').update(content).digest('hex');
-        // Mark previous versions as non-current (rewrite file)
+        // SINGLE-WRITER CONTRACT: version-store is written only by the daemon process.
+        // Concurrent saveVersion() calls from multiple processes would race on readAll/writeAll.
+        // If multi-writer access is needed in future, introduce an advisory lock here.
         const existing = this.readAll();
-        let changed = false;
         for (const rec of existing) {
             if (rec.slug === slug && rec.isCurrent) {
                 rec.isCurrent = false;
-                changed = true;
             }
         }
-        if (changed) {
-            this.writeAll(existing);
-        }
         const record = {
             id: randomUUID(),
             slug,
@@ -115,7 +137,8 @@ export class AgentVersionStore {
             capturedBy: opts.capturedBy ?? 'system',
             isCurrent: true,
         };
-        this.appendRecord(record);
+        existing.push(record);
+        this.writeAll(existing);
         return record;
     }
     /**