npm - monomind - Versions diffs - 1.7.0 → 1.9.0 - Mend

monomind 1.7.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (562) hide show

package/packages/@monomind/cli/dist/src/mcp-server.js CHANGED Viewed

@@ -13,13 +13,38 @@
  * - Health check: <10ms
  * - Graceful shutdown: <5s
  *
- * @module @monoes/cli/mcp-server
+ * @module @monomind/cli/mcp-server
  * @version 3.0.0
  */
 import { EventEmitter } from 'events';
+import { execSync } from 'child_process';
+import * as http from 'http';
 import { randomUUID } from 'crypto';
 import * as path from 'path';
 import * as fs from 'fs';
+/**
+ * Recursively strip prototype-pollution keys from a JSON-RPC message before
+ * downstream tool handlers consume it. Tool handlers commonly do shallow
+ * merges like `{ ...defaults, ...input }`, which would propagate
+ * `__proto__`/`constructor`/`prototype` payloads onto config objects.
+ */
+const FORBIDDEN_PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+function sanitizeJsonRpcMessage(value, depth = 0) {
+    if (depth > 16)
+        return null;
+    if (Array.isArray(value))
+        return value.map(v => sanitizeJsonRpcMessage(v, depth + 1));
+    if (value !== null && typeof value === 'object') {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            if (FORBIDDEN_PROTO_KEYS.has(k))
+                continue;
+            out[k] = sanitizeJsonRpcMessage(v, depth + 1);
+        }
+        return out;
+    }
+    return value;
+}
 import * as os from 'os';
 import { fileURLToPath } from 'url';
 import { dirname } from 'path';
@@ -30,12 +55,22 @@ const __dirname = dirname(__filename);
 /**
  * Default configuration
  */
+/**
+ * Resolve a per-user state directory under $HOME/.monomind. /tmp is shared and
+ * world-traversable; placing the PID/log files there made them symlink-
+ * attackable (a local attacker pre-creates /tmp/monomind-mcp.pid as a symlink
+ * to e.g. ~/.ssh/authorized_keys, then a writeFile clobbers the target).
+ */
+function getDefaultStateDir() {
+    const home = os.homedir();
+    return path.join(home, '.monomind');
+}
 const DEFAULT_OPTIONS = {
     transport: 'stdio',
     host: 'localhost',
     port: 3000,
-    pidFile: path.join(os.tmpdir(), 'monomind-mcp.pid'),
-    logFile: path.join(os.tmpdir(), 'monomind-mcp.log'),
+    pidFile: path.join(getDefaultStateDir(), 'mcp.pid'),
+    logFile: path.join(getDefaultStateDir(), 'mcp.log'),
     tools: 'all',
     daemonize: false,
     timeout: 30000,
@@ -50,6 +85,7 @@ export class MCPServerManager extends EventEmitter {
     process;
     server;
     startTime;
+    _stdioServerStarted = false;
     healthCheckInterval;
     constructor(options = {}) {
         super();
@@ -128,6 +164,13 @@ export class MCPServerManager extends EventEmitter {
                 });
                 this.server = undefined;
             }
+            if (this._mcpServer) {
+                try {
+                    await this._mcpServer.close();
+                }
+                catch { /* ignore */ }
+                this._mcpServer = undefined;
+            }
             // Remove PID file
             await this.removePidFile();
             this.startTime = undefined;
@@ -149,7 +192,7 @@ export class MCPServerManager extends EventEmitter {
             // (e.g., launched by Claude Code via `claude mcp add`).
             const isStdio = !process.stdin.isTTY;
             const envTransport = process.env.MONOMIND_MCP_TRANSPORT;
-            if (isStdio || envTransport === 'stdio' || this.options.transport === 'stdio') {
+            if (isStdio || envTransport === 'stdio' || this._stdioServerStarted) {
                 return {
                     running: true,
                     pid: process.pid,
@@ -233,6 +276,7 @@ export class MCPServerManager extends EventEmitter {
      * Handles stdin/stdout directly like V2 implementation
      */
     async startStdioServer() {
+        this._stdioServerStarted = true;
         // Import the tool registry
         const { listMCPTools, callMCPTool, hasTool } = await import('./mcp-client.js');
         const VERSION = '3.0.0';
@@ -309,31 +353,52 @@ export class MCPServerManager extends EventEmitter {
             for (const line of lines) {
                 if (line.trim()) {
                     try {
-                        const message = JSON.parse(line);
+                        // Sanitize against prototype pollution. JSON.parse on its own does
+                        // not pollute, but downstream tool handlers that shallow-merge
+                        // input into option defaults would propagate `__proto__`,
+                        // `constructor`, or `prototype` keys. Strip them at the boundary.
+                        const message = sanitizeJsonRpcMessage(JSON.parse(line));
                         const response = await this.handleMCPMessage(message, sessionId);
                         if (response) {
                             console.log(JSON.stringify(response));
                         }
                     }
                     catch (error) {
-                        console.error(`[${new Date().toISOString()}] ERROR [monomind-mcp] Failed to parse message:`, error instanceof Error ? error.message : String(error));
+                        // Log-injection defense: stringify message fragment instead of
+                        // letting raw line content land in the log unescaped.
+                        const safeMsg = (error instanceof Error ? error.message : String(error))
+                            .replace(/[\r\n\x00-\x1f\x7f]/g, '?').slice(0, 500);
+                        console.error(`[${new Date().toISOString()}] ERROR [monomind-mcp] Failed to parse message: ${safeMsg}`);
                     }
                 }
             }
         });
-        process.stdin.on('end', () => {
-            console.error(`[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) stdin closed, shutting down...`);
-            process.exit(0);
-        });
-        // Handle process termination
-        process.on('SIGINT', () => {
-            console.error(`[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) Received SIGINT, shutting down...`);
-            process.exit(0);
-        });
-        process.on('SIGTERM', () => {
-            console.error(`[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) Received SIGTERM, shutting down...`);
+        // Centralized graceful shutdown — clears the health-check interval and
+        // removes the PID file before exiting. Without this an abrupt
+        // `process.exit(0)` leaves a stale PID file plus a dangling interval and
+        // unflushed in-flight tool calls.
+        let shuttingDown = false;
+        const shutdown = async (reason) => {
+            if (shuttingDown)
+                return;
+            shuttingDown = true;
+            console.error(`[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) ${reason}, shutting down...`);
+            try {
+                if (this.healthCheckInterval) {
+                    clearInterval(this.healthCheckInterval);
+                    this.healthCheckInterval = undefined;
+                }
+            }
+            catch { /* best-effort */ }
+            try {
+                await this.removePidFile();
+            }
+            catch { /* best-effort */ }
             process.exit(0);
-        });
+        };
+        process.stdin.on('end', () => { void shutdown('stdin closed'); });
+        process.on('SIGINT', () => { void shutdown('Received SIGINT'); });
+        process.on('SIGTERM', () => { void shutdown('Received SIGTERM'); });
         // Mark as ready immediately for stdio
         this.emit('ready');
     }
@@ -378,9 +443,27 @@ export class MCPServerManager extends EventEmitter {
                             })),
                         },
                     };
-                case 'tools/call':
+                case 'tools/call': {
+                    // Strict boundary validation. Without this, `params.name` could be
+                    // an array/object (silently coerced) and `params.arguments` could be
+                    // an array (downstream `Object.keys` returns numeric indices).
+                    if (typeof params.name !== 'string') {
+                        return {
+                            jsonrpc: '2.0',
+                            id: message.id,
+                            error: { code: -32602, message: 'Invalid params.name: must be a string' },
+                        };
+                    }
+                    const rawArgs = params.arguments;
+                    if (rawArgs !== undefined && (typeof rawArgs !== 'object' || rawArgs === null || Array.isArray(rawArgs))) {
+                        return {
+                            jsonrpc: '2.0',
+                            id: message.id,
+                            error: { code: -32602, message: 'Invalid params.arguments: must be an object' },
+                        };
+                    }
                     const toolName = params.name;
-                    const toolParams = (params.arguments || {});
+                    const toolParams = (rawArgs || {});
                     if (!hasTool(toolName)) {
                         return {
                             jsonrpc: '2.0',
@@ -399,15 +482,19 @@ export class MCPServerManager extends EventEmitter {
                     }
                     catch (error) {
                         trackRequest(toolName, false);
+                        const errMsg = process.env.NODE_ENV === 'production'
+                            ? 'Tool execution failed'
+                            : (error instanceof Error ? error.message : 'Tool execution failed');
                         return {
                             jsonrpc: '2.0',
                             id: message.id,
                             error: {
                                 code: -32603,
-                                message: error instanceof Error ? error.message : 'Tool execution failed',
+                                message: errMsg,
                             },
                         };
                     }
+                }
                 case 'notifications/initialized':
                     // Client notification - no response needed
                     console.error(`[${new Date().toISOString()}] INFO [monomind-mcp] (${sessionId}) Client initialized`);
@@ -427,30 +514,66 @@ export class MCPServerManager extends EventEmitter {
             }
         }
         catch (error) {
-            console.error(`[${new Date().toISOString()}] ERROR [monomind-mcp] Error handling ${message.method}:`, error);
+            // Log-injection defense: caller-controlled `message.method` may contain
+            // newlines, ANSI escapes, or other control bytes that forge log lines.
+            // JSON.stringify quotes the string and escapes control chars.
+            const safeMethod = JSON.stringify(message.method);
+            const errMsg = error instanceof Error ? error.message : String(error);
+            console.error(`[${new Date().toISOString()}] ERROR [monomind-mcp] Error handling ${safeMethod}: ${errMsg.replace(/[\r\n]/g, ' ')}`);
+            // Sanitize outgoing error messages — internal Error.message often
+            // contains absolute paths or partial secrets. In production return a
+            // generic message; in dev/debug return the full message for triage.
+            const isProd = process.env.NODE_ENV === 'production';
+            const outMessage = error instanceof Error
+                ? (isProd ? 'Internal error' : error.message)
+                : 'Internal error';
             return {
                 jsonrpc: '2.0',
                 id: message.id,
-                error: {
-                    code: -32603,
-                    message: error instanceof Error ? error.message : 'Internal error',
-                },
+                error: { code: -32603, message: outMessage },
             };
         }
     }
     /**
-     * Start HTTP server in-process
+     * Start HTTP server in-process.
+     *
+     * SECURITY: refuses to bind to non-loopback hosts unless the operator opts
+     * in via MONOMIND_MCP_ALLOW_REMOTE=1 AND provides a bearer token via
+     * MONOMIND_MCP_TOKEN. Without this gate, `--host 0.0.0.0` exposed every
+     * registered tool (including agent_spawn, terminal-tools, system tools) to
+     * any LAN attacker as unauthenticated RCE.
      */
     async startHttpServer() {
+        // Loopback gate
+        const host = this.options.host;
+        const isLoopback = host === 'localhost' || host === '127.0.0.1' || host === '::1' || host === '::ffff:127.0.0.1';
+        const allowRemote = process.env.MONOMIND_MCP_ALLOW_REMOTE === '1';
+        const token = process.env.MONOMIND_MCP_TOKEN;
+        if (!isLoopback && !allowRemote) {
+            throw new Error(`Refusing to bind MCP HTTP transport to non-loopback host "${host}". ` +
+                `Set MONOMIND_MCP_ALLOW_REMOTE=1 and MONOMIND_MCP_TOKEN=<secret> to enable remote access.`);
+        }
+        if (!isLoopback && allowRemote && (!token || token.length < 32)) {
+            throw new Error('Remote MCP transport requires MONOMIND_MCP_TOKEN to be set to a strong secret (>= 32 chars).');
+        }
         // Dynamically import the MCP server package
         // FIX for issue #942: Use proper package import instead of broken relative path
-        const { createMCPServer } = await import('@monoes/mcp');
+        const { createMCPServer } = await import('@monomind/mcp');
         const logger = {
             debug: (msg, data) => this.emit('log', { level: 'debug', msg, data }),
             info: (msg, data) => this.emit('log', { level: 'info', msg, data }),
             warn: (msg, data) => this.emit('log', { level: 'warn', msg, data }),
             error: (msg, data) => this.emit('log', { level: 'error', msg, data }),
         };
+        // SECURITY: actually wire the token into the underlying server's auth
+        // config. The startup gate above only *validates* that a token was set —
+        // without passing it through here, the token was never enforced on
+        // requests. Operators believed their server was protected when it wasn't.
+        // For loopback we still configure auth when a token is set, so users who
+        // explicitly opt-in to bind 0.0.0.0 with a token get end-to-end protection.
+        const authConfig = token && token.length >= 32
+            ? { enabled: true, method: 'token', tokens: [token] }
+            : (isLoopback ? undefined : { enabled: true, method: 'token', tokens: [] });
         const mcpServer = createMCPServer({
             name: 'Monomind MCP Server V1',
             version: '3.0.0',
@@ -459,6 +582,7 @@ export class MCPServerManager extends EventEmitter {
             port: this.options.port,
             enableMetrics: true,
             enableCaching: true,
+            ...(authConfig ? { auth: authConfig } : {}),
         }, logger);
         await mcpServer.start();
         // Store reference for stopping
@@ -521,7 +645,29 @@ export class MCPServerManager extends EventEmitter {
      */
     async writePidFile() {
         const pid = this.process?.pid || process.pid;
-        await fs.promises.writeFile(this.options.pidFile, String(pid), 'utf8');
+        // Ensure the state dir exists (user-private, not /tmp)
+        const dir = path.dirname(this.options.pidFile);
+        await fs.promises.mkdir(dir, { recursive: true, mode: 0o700 });
+        // wx flag = O_CREAT | O_EXCL: fails fast on a pre-existing path including
+        // a symlinked one, so we never follow an attacker-staged link to write
+        // PIDs into ~/.ssh/authorized_keys or similar.
+        try {
+            await fs.promises.writeFile(this.options.pidFile, String(pid), { flag: 'wx', mode: 0o600 });
+        }
+        catch (e) {
+            const code = e.code;
+            if (code === 'EEXIST') {
+                // Stale PID file (the existence-check + isProcessRunning gate above
+                // already passed, so the file belongs to a dead daemon). Replace it
+                // by unlinking-then-creating with O_EXCL again — never write through
+                // an existing path that might be a symlink.
+                await fs.promises.unlink(this.options.pidFile);
+                await fs.promises.writeFile(this.options.pidFile, String(pid), { flag: 'wx', mode: 0o600 });
+            }
+            else {
+                throw e;
+            }
+        }
     }
     /**
      * Read PID file
@@ -569,15 +715,17 @@ export class MCPServerManager extends EventEmitter {
         catch {
             return false;
         }
-        // Verify it's actually a node process (guards against PID reuse)
+        // Verify it's actually our MCP server process (guards against PID reuse by
+        // an unrelated Node.js program that happened to get the same PID).
+        // We require the command line to mention both "node"/"npx" AND "monomind"/"mcp".
         try {
-            const { execSync } = require('child_process');
-            const cmdline = execSync(`cat /proc/${pid}/cmdline 2>/dev/null || ps -p ${pid} -o comm= 2>/dev/null`, {
+            const cmdline = execSync(`cat /proc/${pid}/cmdline 2>/dev/null || ps -p ${pid} -o args= 2>/dev/null`, {
                 encoding: 'utf8',
                 timeout: 1000,
             }).trim();
-            // Must be a node process to be our MCP server
-            return cmdline.includes('node') || cmdline.includes('monomind') || cmdline.includes('npx');
+            const isMonomindMcp = (cmdline.includes('node') || cmdline.includes('npx')) &&
+                (cmdline.includes('monomind') || cmdline.includes('mcp'));
+            return isMonomindMcp;
         }
         catch {
             // If we can't inspect the process (macOS, Windows, permissions), fall back to kill check
@@ -590,7 +738,6 @@ export class MCPServerManager extends EventEmitter {
     async httpRequest(url, method, timeout) {
         return new Promise((resolve, reject) => {
             const urlObj = new URL(url);
-            const http = require('http');
             const req = http.request({
                 hostname: urlObj.hostname,
                 port: urlObj.port,

package/packages/@monomind/cli/dist/src/mcp-tools/agent-tools.js CHANGED Viewed

@@ -4,17 +4,10 @@
  * Tool definitions for agent lifecycle management with file persistence.
  * Includes model routing integration for intelligent model selection.
  */
-import { existsSync, readFileSync, writeFileSync, mkdirSync, appendFileSync } from 'node:fs';
+import { existsSync, readFileSync, writeFileSync, renameSync, mkdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
+import { randomBytes } from 'node:crypto';
 import { getProjectCwd } from './types.js';
-function logEvent(kind, data) {
-    try {
-        const dir = join(getProjectCwd(), '.monomind', 'swarm');
-        if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-        const event = { ts: new Date().toISOString(), source: 'mcp', kind, ...data };
-        appendFileSync(join(dir, 'events.jsonl'), JSON.stringify(event) + '\n');
-    } catch { }
-}
 // Storage paths
 const STORAGE_DIR = '.monomind';
 const AGENT_DIR = 'agents';
@@ -31,12 +24,18 @@ function ensureAgentDir() {
         mkdirSync(dir, { recursive: true });
     }
 }
+const MAX_AGENT_STORE_BYTES = 50 * 1024 * 1024;
 function loadAgentStore() {
     try {
         const path = getAgentPath();
         if (existsSync(path)) {
+            if (statSync(path).size > MAX_AGENT_STORE_BYTES)
+                return { agents: {}, version: '3.0.0' };
             const data = readFileSync(path, 'utf-8');
-            return JSON.parse(data);
+            const parsed = JSON.parse(data);
+            if (parsed && typeof parsed === 'object' && Object.prototype.hasOwnProperty.call(parsed, '__proto__'))
+                return { agents: {}, version: '3.0.0' };
+            return parsed;
         }
     }
     catch {
@@ -45,8 +44,21 @@ function loadAgentStore() {
     return { agents: {}, version: '3.0.0' };
 }
 function saveAgentStore(store) {
+    // Cap terminated agents to prevent unbounded growth
+    const MAX_TERMINATED = 500;
+    const terminated = Object.entries(store.agents)
+        .filter(([, a]) => a.status === 'terminated')
+        .sort(([, a], [, b]) => (a.createdAt ?? '').localeCompare(b.createdAt ?? ''));
+    if (terminated.length > MAX_TERMINATED) {
+        for (const [id] of terminated.slice(0, terminated.length - MAX_TERMINATED)) {
+            delete store.agents[id];
+        }
+    }
     ensureAgentDir();
-    writeFileSync(getAgentPath(), JSON.stringify(store, null, 2), 'utf-8');
+    const dest = getAgentPath();
+    const tmp = `${dest}.${process.pid}.${Date.now()}.tmp`;
+    writeFileSync(tmp, JSON.stringify(store, null, 2), 'utf-8');
+    renameSync(tmp, dest);
 }
 // Default model mappings for agent types (can be overridden)
 const AGENT_TYPE_MODEL_DEFAULTS = {
@@ -111,7 +123,7 @@ async function determineAgentModel(agentType, config, task) {
                 };
             }
             return {
-                model: routeResult.model,
+                model: (routeResult.model ?? 'sonnet'),
                 routedBy: 'router',
                 tier: routeResult.tier,
             };
@@ -161,8 +173,18 @@ export const agentTools = [
         },
         handler: async (input) => {
             const store = loadAgentStore();
-            const agentId = input.agentId || `agent-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+            const agentId = input.agentId || `agent-${Date.now()}-${randomBytes(4).toString('hex')}`;
             const agentType = input.agentType;
+            if (['__proto__', 'constructor', 'prototype'].includes(agentId)) {
+                return { success: false, agentId, error: 'Forbidden agent ID' };
+            }
+            if (input.agentId && store.agents[agentId]) {
+                return {
+                    success: false,
+                    agentId,
+                    error: `Agent ${agentId} already exists. Terminate it first or omit agentId to auto-generate.`,
+                };
+            }
             const config = input.config || {};
             // Add explicit model to config if provided
             if (input.model) {
@@ -188,7 +210,7 @@ export const agentTools = [
             saveAgentStore(store);
             // Task 46: AgentSandboxing — register sandbox for isolated agent execution
             try {
-                const { WasmSandbox, DockerSandbox, register } = await import('@monoes/security');
+                const { WasmSandbox, DockerSandbox, register } = await import('@monomind/security');
                 const sandboxType = config.sandbox?.type ?? 'wasm';
                 const sandboxConfig = config.sandbox ?? {};
                 const sandbox = sandboxType === 'docker'
@@ -196,8 +218,7 @@ export const agentTools = [
                     : WasmSandbox.create(agentId, sandboxConfig);
                 register(agentId, sandbox);
             }
-            catch { /* optional — @monoes/security may not be installed */ }
-            logEvent('agent.spawn', { agentId, agentType, model: routingResult.model, routedBy: routingResult.routedBy, domain: input.domain, task });
+            catch { /* optional — @monomind/security may not be installed */ }
             // Include Agent Booster routing info if applicable
             const response = {
                 success: true,
@@ -234,16 +255,17 @@ export const agentTools = [
             required: ['agentId'],
         },
         handler: async (input) => {
-            const store = loadAgentStore();
             const agentId = input.agentId;
-            if (store.agents[agentId]) {
-                const agentType = store.agents[agentId].agentType;
+            if (!agentId || typeof agentId !== 'string' || ['__proto__', 'constructor', 'prototype'].includes(agentId)) {
+                return { success: false, agentId, error: 'Invalid agent ID' };
+            }
+            const store = loadAgentStore();
+            if (Object.hasOwn(store.agents, agentId)) {
                 store.agents[agentId].status = 'terminated';
                 saveAgentStore(store);
-                logEvent('agent.terminate', { agentId, agentType });
                 // Task 46: AgentSandboxing — clean up sandbox on termination
                 try {
-                    const { cleanup } = await import('@monoes/security');
+                    const { cleanup } = await import('@monomind/security');
                     cleanup(agentId);
                 }
                 catch { /* optional */ }
@@ -273,9 +295,12 @@ export const agentTools = [
             required: ['agentId'],
         },
         handler: async (input) => {
-            const store = loadAgentStore();
             const agentId = input.agentId;
-            const agent = store.agents[agentId];
+            if (!agentId || typeof agentId !== 'string' || ['__proto__', 'constructor', 'prototype'].includes(agentId)) {
+                return { agentId, error: 'Invalid agent ID' };
+            }
+            const store = loadAgentStore();
+            const agent = Object.hasOwn(store.agents, agentId) ? store.agents[agentId] : undefined;
             if (agent) {
                 return {
                     agentId: agent.agentId,
@@ -347,7 +372,7 @@ export const agentTools = [
         inputSchema: {
             type: 'object',
             properties: {
-                action: { type: 'string', enum: ['status', 'scale', 'drain', 'fill'], description: 'Pool action' },
+                action: { type: 'string', enum: ['status', 'scale', 'drain'], description: 'Pool action' },
                 targetSize: { type: 'number', description: 'Target pool size (for scale action)' },
                 agentType: { type: 'string', description: 'Agent type filter' },
             },
@@ -372,9 +397,6 @@ export const agentTools = [
                     // CLI expected fields
                     poolId: 'agent-pool-default',
                     currentSize: agents.length,
-                    minSize: input.min || 0,
-                    maxSize: input.max || 100,
-                    autoScale: input.autoScale ?? false,
                     utilization,
                     agents: agents.map(a => ({
                         id: a.agentId,
@@ -391,7 +413,7 @@ export const agentTools = [
                 };
             }
             if (action === 'scale') {
-                const targetSize = input.targetSize || 5;
+                const targetSize = Math.min(Math.max(input.targetSize || 5, 1), 50);
                 const agentType = input.agentType || 'worker';
                 const currentSize = agents.filter(a => a.agentType === agentType).length;
                 const delta = targetSize - currentSize;
@@ -399,7 +421,7 @@ export const agentTools = [
                 const removed = [];
                 if (delta > 0) {
                     for (let i = 0; i < delta; i++) {
-                        const agentId = `agent-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+                        const agentId = `agent-${Date.now()}-${randomBytes(4).toString('hex')}`;
                         store.agents[agentId] = {
                             agentId,
                             agentType,
@@ -467,8 +489,15 @@ export const agentTools = [
             const store = loadAgentStore();
             const agents = Object.values(store.agents).filter(a => a.status !== 'terminated');
             const threshold = input.threshold || 0.5;
-            if (input.agentId) {
-                const agent = store.agents[input.agentId];
+            if (input.agentId !== undefined) {
+                const agentId = input.agentId;
+                if (typeof agentId !== 'string' ||
+                    ['__proto__', 'constructor', 'prototype'].includes(agentId)) {
+                    return { agentId, error: 'Invalid agent ID' };
+                }
+                const agent = Object.hasOwn(store.agents, agentId)
+                    ? store.agents[agentId]
+                    : undefined;
                 if (agent) {
                     return {
                         agentId: agent.agentId,
@@ -479,7 +508,7 @@ export const agentTools = [
                         uptime: Date.now() - new Date(agent.createdAt).getTime(),
                     };
                 }
-                return { agentId: input.agentId, error: 'Agent not found' };
+                return { agentId, error: 'Agent not found' };
             }
             const healthyAgents = agents.filter(a => a.health >= threshold);
             const degradedAgents = agents.filter(a => a.health >= 0.3 && a.health < threshold);
@@ -538,9 +567,12 @@ export const agentTools = [
             required: ['agentId'],
         },
         handler: async (input) => {
-            const store = loadAgentStore();
             const agentId = input.agentId;
-            const agent = store.agents[agentId];
+            if (!agentId || typeof agentId !== 'string' || ['__proto__', 'constructor', 'prototype'].includes(agentId)) {
+                return { success: false, agentId, error: 'Invalid agent ID' };
+            }
+            const store = loadAgentStore();
+            const agent = Object.hasOwn(store.agents, agentId) ? store.agents[agentId] : undefined;
             if (agent) {
                 if (input.status)
                     agent.status = input.status;