monomind 1.8.0 → 1.9.0

package/packages/@monomind/cli/dist/src/plugins/manager.js

@@ -17,6 +17,21 @@ function validatePackageName(spec) {
         throw new Error(`Invalid package name: ${spec}`);
     }
 }
+const VALID_VERSION_RE = /^[a-zA-Z0-9._\-^~>=<*]+$/;
+function validateVersion(version) {
+    if (!VALID_VERSION_RE.test(version) || version.length > 50) {
+        throw new Error(`Invalid version specifier: ${version}`);
+    }
+}
+/** Forbidden manifest keys (prototype pollution defense) */
+const FORBIDDEN_PLUGIN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+function isValidPluginKey(name) {
+    return typeof name === 'string'
+        && name.length > 0
+        && name.length <= 214
+        && !FORBIDDEN_PLUGIN_KEYS.has(name)
+        && VALID_PACKAGE_RE.test(name);
+}
 // ============================================================================
 // Plugin Manager
 // ============================================================================
@@ -60,7 +75,13 @@ export class PluginManager {
         try {
             if (fs.existsSync(this.config.manifestPath)) {
                 const content = fs.readFileSync(this.config.manifestPath, 'utf-8');
-                return JSON.parse(content);
+                const parsed = JSON.parse(content);
+                if (Object.prototype.hasOwnProperty.call(parsed, '__proto__') ||
+                    Object.prototype.hasOwnProperty.call(parsed, 'constructor') ||
+                    Object.prototype.hasOwnProperty.call(parsed, 'prototype')) {
+                    throw new Error('Manifest contains forbidden keys');
+                }
+                return parsed;
             }
         }
         catch (error) {
@@ -77,7 +98,10 @@ export class PluginManager {
             return;
         this.manifest.lastUpdated = new Date().toISOString();
         await this.ensureDirectory(path.dirname(this.config.manifestPath));
-        fs.writeFileSync(this.config.manifestPath, JSON.stringify(this.manifest, null, 2), 'utf-8');
+        // Atomic write to prevent corruption on crash
+        const tmp = this.config.manifestPath + '.tmp';
+        fs.writeFileSync(tmp, JSON.stringify(this.manifest, null, 2), 'utf-8');
+        fs.renameSync(tmp, this.config.manifestPath);
     }
     // =========================================================================
     // Installation
@@ -89,10 +113,21 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name: ${packageName}` };
+        }
+        if (version) {
+            try {
+                validateVersion(version);
+            }
+            catch {
+                return { success: false, error: `Invalid version specifier: ${version}` };
+            }
+        }
         const versionSpec = version ? `${packageName}@${version}` : packageName;
         try {
             // Check if already installed
-            if (this.manifest.plugins[packageName]) {
+            if (Object.hasOwn(this.manifest.plugins, packageName)) {
                 return {
                     success: false,
                     error: `Plugin ${packageName} is already installed. Use upgrade to update.`,
@@ -103,9 +138,11 @@ export class PluginManager {
             await this.ensureDirectory(installDir);
             // Validate package name to prevent injection (S-3)
             validatePackageName(versionSpec);
-            // Use npm to install (array form prevents shell injection)
+            // Use npm to install. --ignore-scripts blocks pre/post-install lifecycle hooks
+            // from the plugin package, which would otherwise execute arbitrary code at
+            // install time (the canonical npm supply-chain attack vector).
             console.log(`[PluginManager] Installing ${versionSpec}...`);
-            await execFileAsync('npm', ['install', '--prefix', this.config.pluginsDir, versionSpec], { timeout: 120000 });
+            await execFileAsync('npm', ['install', '--ignore-scripts', '--prefix', this.config.pluginsDir, versionSpec], { timeout: 120000 });
             // Get installed version
             const packageJsonPath = path.join(installDir, packageName, 'package.json');
             let installedVersion = version || 'latest';
@@ -116,8 +153,8 @@ export class PluginManager {
                 installedVersion = pkg.version;
                 // Check for monomind plugin metadata
                 if (pkg['monomind']) {
-                    commands = pkg['monomind'].commands || [];
-                    hooks = pkg['monomind'].hooks || [];
+                    commands = Array.isArray(pkg['monomind'].commands) ? pkg['monomind'].commands : [];
+                    hooks = Array.isArray(pkg['monomind'].hooks) ? pkg['monomind'].hooks : [];
                 }
             }
             // Create plugin entry
@@ -152,6 +189,14 @@ export class PluginManager {
         }
         try {
             const absolutePath = path.resolve(sourcePath);
+            // Restrict local installs to paths under cwd or $HOME to prevent path traversal
+            const cwd = process.cwd();
+            const home = process.env.HOME ?? process.env.USERPROFILE ?? '';
+            const underCwd = absolutePath.startsWith(cwd + path.sep) || absolutePath === cwd;
+            const underHome = home && (absolutePath.startsWith(home + path.sep) || absolutePath === home);
+            if (!underCwd && !underHome) {
+                return { success: false, error: `Local path must be within the current directory or home: ${absolutePath}` };
+            }
             if (!fs.existsSync(absolutePath)) {
                 return { success: false, error: `Path does not exist: ${absolutePath}` };
             }
@@ -162,8 +207,11 @@ export class PluginManager {
             }
             const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
             const packageName = pkg.name;
+            if (!isValidPluginKey(packageName)) {
+                return { success: false, error: `Invalid package.json: name is missing or invalid` };
+            }
             // Check if already installed
-            if (this.manifest.plugins[packageName]) {
+            if (Object.hasOwn(this.manifest.plugins, packageName)) {
                 return {
                     success: false,
                     error: `Plugin ${packageName} is already installed`,
@@ -202,7 +250,12 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        const plugin = this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name` };
+        }
+        const plugin = Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
         if (!plugin) {
             return { success: false, error: `Plugin ${packageName} is not installed` };
         }
@@ -210,7 +263,7 @@ export class PluginManager {
             // For npm-installed plugins, remove from node_modules
             if (plugin.source === 'npm') {
                 validatePackageName(packageName);
-                await execFileAsync('npm', ['uninstall', '--prefix', this.config.pluginsDir, packageName], { timeout: 60000 });
+                await execFileAsync('npm', ['uninstall', '--ignore-scripts', '--prefix', this.config.pluginsDir, packageName], { timeout: 60000 });
             }
             // Remove from manifest
             delete this.manifest.plugins[packageName];
@@ -234,7 +287,12 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        const plugin = this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name` };
+        }
+        const plugin = Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
         if (!plugin) {
             return { success: false, error: `Plugin ${packageName} is not installed` };
         }
@@ -249,7 +307,12 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        const plugin = this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name` };
+        }
+        const plugin = Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
         if (!plugin) {
             return { success: false, error: `Plugin ${packageName} is not installed` };
         }
@@ -264,7 +327,12 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        const plugin = this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name` };
+        }
+        const plugin = Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
         if (!plugin) {
             return { success: false, error: `Plugin ${packageName} is not installed` };
         }
@@ -298,7 +366,9 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        return packageName in this.manifest.plugins;
+        if (!isValidPluginKey(packageName))
+            return false;
+        return Object.hasOwn(this.manifest.plugins, packageName);
     }
     /**
      * Get a specific installed plugin
@@ -307,7 +377,11 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        return this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName))
+            return undefined;
+        return Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
     }
     // =========================================================================
     // Upgrade
@@ -319,7 +393,20 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        const existing = this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name` };
+        }
+        if (version) {
+            try {
+                validateVersion(version);
+            }
+            catch {
+                return { success: false, error: `Invalid version specifier: ${version}` };
+            }
+        }
+        const existing = Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
         if (!existing) {
             return { success: false, error: `Plugin ${packageName} is not installed` };
         }
@@ -330,8 +417,9 @@ export class PluginManager {
             const versionSpec = version ? `${packageName}@${version}` : `${packageName}@latest`;
             // Validate package name to prevent injection (S-3)
             validatePackageName(versionSpec);
-            // Reinstall with new version (array form prevents shell injection)
-            await execFileAsync('npm', ['install', '--prefix', this.config.pluginsDir, versionSpec], { timeout: 120000 });
+            // Reinstall with new version. --ignore-scripts blocks pre/post-install
+            // lifecycle hooks from the plugin package.
+            await execFileAsync('npm', ['install', '--ignore-scripts', '--prefix', this.config.pluginsDir, versionSpec], { timeout: 120000 });
             // Update manifest
             const installDir = path.join(this.config.pluginsDir, 'node_modules');
             const packageJsonPath = path.join(installDir, packageName, 'package.json');
@@ -360,7 +448,12 @@ export class PluginManager {
         if (!this.manifest) {
             await this.initialize();
         }
-        const plugin = this.manifest.plugins[packageName];
+        if (!isValidPluginKey(packageName)) {
+            return { success: false, error: `Invalid package name` };
+        }
+        const plugin = Object.hasOwn(this.manifest.plugins, packageName)
+            ? this.manifest.plugins[packageName]
+            : undefined;
         if (!plugin) {
             return { success: false, error: `Plugin ${packageName} is not installed` };
         }

package/packages/@monomind/cli/dist/src/plugins/store/discovery.d.ts

@@ -54,7 +54,7 @@ export declare class PluginDiscoveryService {
      */
     private getDemoPluginsWithStats;
     /**
-     * Verify registry signature
+     * Verify registry signature using real Ed25519
      */
     private verifyRegistrySignature;
     /**

package/packages/@monomind/cli/dist/src/plugins/store/discovery.js

@@ -104,8 +104,8 @@ export class PluginDiscoveryService {
             };
         }
         console.log(`[PluginDiscovery] Resolving ${registry.name} via IPNS...`);
-        // Check cache first
-        const cached = this.cache.get(registry.ipnsName);
+        // Check cache first — key by registry.name (not ipnsName which can be shared)
+        const cached = this.cache.get(registry.name);
         if (cached && Date.now() - cached.timestamp < this.config.cacheExpiry) {
             console.log(`[PluginDiscovery] Cache hit for ${registry.name}`);
             return {
@@ -138,15 +138,17 @@ export class PluginDiscoveryService {
             if (!registryData) {
                 return this.createDemoRegistryAsync(registry);
             }
-            // Verify registry signature if required
+            // Verify registry signature if required — treat failure as fatal to prevent
+            // a tampered registry from being served when requireVerification is enabled.
             if (this.config.requireVerification && registryData.registrySignature) {
-                const verified = this.verifyRegistrySignature(registryData, registry.publicKey);
+                const verified = await this.verifyRegistrySignature(registryData, registry.publicKey);
                 if (!verified) {
-                    console.warn(`[PluginDiscovery] Registry signature verification failed`);
+                    console.error(`[PluginDiscovery] Registry signature verification failed — falling back to demo registry`);
+                    return this.createDemoRegistryAsync(registry);
                 }
             }
-            // Cache the result
-            this.cache.set(registry.ipnsName, {
+            // Cache the result — key by registry.name so separate registries don't share a slot
+            this.cache.set(registry.name, {
                 registry: registryData,
                 timestamp: Date.now(),
             });
@@ -197,17 +199,17 @@ export class PluginDiscoveryService {
             totalPlugins: plugins.length,
             totalDownloads: plugins.reduce((sum, p) => sum + p.downloads, 0),
             totalAuthors: 1,
-            featured: ['@monoes/plugin-agentic-qe', '@monoes/plugin-prime-radiant', '@monoes/security', '@monoes/claims', '@monoes/teammate-plugin'],
-            trending: ['@monoes/plugin-agentic-qe', '@monoes/plugin-prime-radiant'],
-            newest: ['@monoes/plugin-agentic-qe', '@monoes/plugin-prime-radiant'],
-            official: ['@monoes/plugin-agentic-qe', '@monoes/plugin-prime-radiant', '@monoes/security', '@monoes/claims'],
+            featured: ['@monomind/plugin-agentic-qe', '@monomind/plugin-prime-radiant', '@monomind/security', '@monomind/claims', '@monomind/teammate-plugin'],
+            trending: ['@monomind/plugin-agentic-qe', '@monomind/plugin-prime-radiant'],
+            newest: ['@monomind/plugin-agentic-qe', '@monomind/plugin-prime-radiant'],
+            official: ['@monomind/plugin-agentic-qe', '@monomind/plugin-prime-radiant', '@monomind/security', '@monomind/claims'],
             compatibilityMatrix: [
-                { pluginId: '@monoes/neural', pluginVersion: '3.0.0', monomindVersions: ['3.x'], tested: true },
-                { pluginId: '@monoes/security', pluginVersion: '3.0.0', monomindVersions: ['3.x'], tested: true },
+                { pluginId: '@monomind/neural', pluginVersion: '3.0.0', monomindVersions: ['3.x'], tested: true },
+                { pluginId: '@monomind/security', pluginVersion: '3.0.0', monomindVersions: ['3.x'], tested: true },
             ],
         };
         // Cache the demo registry
-        this.cache.set(registry.ipnsName, {
+        this.cache.set(registry.name, {
             registry: demoRegistry,
             timestamp: Date.now(),
         });
@@ -242,8 +244,8 @@ export class PluginDiscoveryService {
         };
         return [
             {
-                id: '@monoes/neural',
-                name: '@monoes/neural',
+                id: '@monomind/neural',
+                name: '@monomind/neural',
                 displayName: 'Neural Patterns',
                 description: 'Neural pattern training and inference with WASM SIMD acceleration, MoE routing, and Flash Attention optimization',
                 version: '3.0.0',
@@ -261,7 +263,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2024-01-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'core',
                 hooks: ['neural:train', 'neural:inference', 'pattern:learn'],
                 commands: ['neural train', 'neural predict', 'neural patterns'],
@@ -271,8 +273,8 @@ export class PluginDiscoveryService {
                 trustLevel: 'official',
             },
             {
-                id: '@monoes/security',
-                name: '@monoes/security',
+                id: '@monomind/security',
+                name: '@monomind/security',
                 displayName: 'Security Scanner',
                 description: 'Security scanning, CVE detection, and compliance auditing with threat modeling',
                 version: '3.0.0',
@@ -290,7 +292,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2024-01-15T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'command',
                 hooks: ['security:scan', 'security:audit'],
                 commands: ['security scan', 'security audit', 'security cve', 'security threats'],
@@ -307,8 +309,8 @@ export class PluginDiscoveryService {
                 },
             },
             {
-                id: '@monoes/embeddings',
-                name: '@monoes/embeddings',
+                id: '@monomind/embeddings',
+                name: '@monomind/embeddings',
                 displayName: 'Vector Embeddings',
                 description: 'Vector embeddings service with sql.js, document chunking, and hyperbolic embeddings',
                 version: '3.0.0',
@@ -327,7 +329,7 @@ export class PluginDiscoveryService {
                 createdAt: '2024-02-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
                 dependencies: [
-                    { name: '@monoes/core', version: '^3.0.0' },
+                    { name: '@monomind/core', version: '^3.0.0' },
                     { name: 'sql.js', version: '^1.8.0' },
                 ],
                 type: 'core',
@@ -339,8 +341,8 @@ export class PluginDiscoveryService {
                 trustLevel: 'official',
             },
             {
-                id: '@monoes/claims',
-                name: '@monoes/claims',
+                id: '@monomind/claims',
+                name: '@monomind/claims',
                 displayName: 'Claims Authorization',
                 description: 'Claims-based authorization system for fine-grained access control',
                 version: '3.0.0',
@@ -358,7 +360,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2024-02-15T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'core',
                 hooks: ['claims:check', 'claims:grant'],
                 commands: ['claims check', 'claims grant', 'claims revoke', 'claims list'],
@@ -368,8 +370,8 @@ export class PluginDiscoveryService {
                 trustLevel: 'official',
             },
             {
-                id: '@monoes/performance',
-                name: '@monoes/performance',
+                id: '@monomind/performance',
+                name: '@monomind/performance',
                 displayName: 'Performance Profiler',
                 description: 'Performance profiling, benchmarking, and optimization recommendations',
                 version: '3.0.0',
@@ -387,7 +389,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2024-03-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'command',
                 hooks: ['performance:start', 'performance:stop'],
                 commands: ['performance benchmark', 'performance profile', 'performance metrics'],
@@ -416,7 +418,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2024-06-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'integration',
                 hooks: ['analytics:track', 'analytics:report'],
                 commands: ['analytics dashboard', 'analytics export'],
@@ -445,7 +447,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2024-08-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'agent',
                 hooks: ['agent:spawn', 'agent:complete'],
                 commands: ['agents custom list', 'agents custom spawn'],
@@ -475,7 +477,7 @@ export class PluginDiscoveryService {
                 createdAt: '2024-09-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
                 dependencies: [
-                    { name: '@monoes/core', version: '^3.0.0' },
+                    { name: '@monomind/core', version: '^3.0.0' },
                     { name: '@slack/web-api', version: '^6.0.0' },
                 ],
                 type: 'integration',
@@ -488,8 +490,8 @@ export class PluginDiscoveryService {
             },
             // Plugin SDK - Unified Plugin SDK for creating plugins
             {
-                id: '@monoes/plugins',
-                name: '@monoes/plugins',
+                id: '@monomind/plugins',
+                name: '@monomind/plugins',
                 displayName: 'Plugin SDK',
                 description: 'Unified Plugin SDK for Monomind - Worker, Hook, and Provider Integration. Create, test, and publish MonoMind plugins.',
                 version: '3.0.0-alpha.2',
@@ -508,7 +510,7 @@ export class PluginDiscoveryService {
                 createdAt: '2024-04-01T00:00:00Z',
                 minMonomindVersion: '3.0.0',
                 dependencies: [
-                    { name: '@monoes/core', version: '^3.0.0' },
+                    { name: '@monomind/core', version: '^3.0.0' },
                 ],
                 type: 'core',
                 hooks: [
@@ -533,8 +535,8 @@ export class PluginDiscoveryService {
             },
             // Agentic QE - AI-powered quality engineering
             {
-                id: '@monoes/plugin-agentic-qe',
-                name: '@monoes/plugin-agentic-qe',
+                id: '@monomind/plugin-agentic-qe',
+                name: '@monomind/plugin-agentic-qe',
                 displayName: 'Agentic Quality Engineering',
                 description: 'AI-powered quality engineering with 58 agents that write tests, find bugs, predict defects, scan security, and perform chaos engineering safely.',
                 version: '3.0.0-alpha.3',
@@ -553,7 +555,7 @@ export class PluginDiscoveryService {
                 createdAt: '2026-01-20T00:00:00Z',
                 minMonomindVersion: '3.0.0',
                 dependencies: [
-                    { name: '@monoes/core', version: '^3.0.0' },
+                    { name: '@monomind/core', version: '^3.0.0' },
                 ],
                 type: 'integration',
                 hooks: [
@@ -593,8 +595,8 @@ export class PluginDiscoveryService {
             },
             // Prime Radiant - Mathematical coherence and consensus verification
             {
-                id: '@monoes/plugin-prime-radiant',
-                name: '@monoes/plugin-prime-radiant',
+                id: '@monomind/plugin-prime-radiant',
+                name: '@monomind/plugin-prime-radiant',
                 displayName: 'Prime Radiant',
                 description: 'Mathematical AI that catches contradictions, verifies consensus, prevents hallucinations, and analyzes swarm stability using sheaf cohomology and spectral graph theory.',
                 version: '0.1.5',
@@ -613,7 +615,7 @@ export class PluginDiscoveryService {
                 createdAt: '2026-01-20T00:00:00Z',
                 minMonomindVersion: '3.0.0',
                 dependencies: [
-                    { name: '@monoes/core', version: '^3.0.0' },
+                    { name: '@monomind/core', version: '^3.0.0' },
                 ],
                 type: 'integration',
                 hooks: [
@@ -651,8 +653,8 @@ export class PluginDiscoveryService {
             },
             // Gas Town Bridge - Multi-agent orchestrator integration
             {
-                id: '@monoes/plugin-gastown-bridge',
-                name: '@monoes/plugin-gastown-bridge',
+                id: '@monomind/plugin-gastown-bridge',
+                name: '@monomind/plugin-gastown-bridge',
                 displayName: 'Gas Town Bridge',
                 description: 'Gas Town orchestrator integration with WASM-accelerated formula parsing, Beads sync, convoy management, and graph analysis (352x faster).',
                 version: '0.1.0',
@@ -670,7 +672,7 @@ export class PluginDiscoveryService {
                 lastUpdated: baseTime,
                 createdAt: '2026-01-24T00:00:00Z',
                 minMonomindVersion: '3.0.0',
-                dependencies: [{ name: '@monoes/core', version: '^3.0.0' }],
+                dependencies: [{ name: '@monomind/core', version: '^3.0.0' }],
                 type: 'integration',
                 hooks: ['gastown:sync', 'gastown:formula', 'gastown:convoy'],
                 commands: ['gastown beads', 'gastown convoy', 'gastown formula', 'gastown sync'],
@@ -688,8 +690,8 @@ export class PluginDiscoveryService {
             },
             // Teammate Plugin - Claude Code v2.1.19+ integration
             {
-                id: '@monoes/teammate-plugin',
-                name: '@monoes/teammate-plugin',
+                id: '@monomind/teammate-plugin',
+                name: '@monomind/teammate-plugin',
                 displayName: 'Teammate Plugin',
                 description: 'Native TeammateTool integration for Claude Code v2.1.19+. Multi-agent team orchestration with plan approval workflows, delegation, messaging, and BMSSP-optimized topology routing. 21 MCP tools.',
                 version: '1.0.0-alpha.1',
@@ -708,7 +710,7 @@ export class PluginDiscoveryService {
                 createdAt: '2026-01-25T00:00:00Z',
                 minMonomindVersion: '3.0.0',
                 dependencies: [
-                    { name: '@monoes/core', version: '^3.0.0' },
+                    { name: '@monomind/core', version: '^3.0.0' },
                     { name: 'eventemitter3', version: '^5.0.1' },
                 ],
                 type: 'integration',
@@ -735,17 +737,17 @@ export class PluginDiscoveryService {
         const basePlugins = this.getDemoPlugins();
         // Only fetch stats for real npm packages
         const realNpmPackages = [
-            '@monoes/plugin-agentic-qe',
-            '@monoes/plugin-prime-radiant',
-            '@monoes/claims',
-            '@monoes/security',
-            '@monoes/plugins',
-            '@monoes/embeddings',
-            '@monoes/neural',
-            '@monoes/performance',
-            '@monoes/teammate-plugin',
+            '@monomind/plugin-agentic-qe',
+            '@monomind/plugin-prime-radiant',
+            '@monomind/claims',
+            '@monomind/security',
+            '@monomind/plugins',
+            '@monomind/embeddings',
+            '@monomind/neural',
+            '@monomind/performance',
+            '@monomind/teammate-plugin',
             // Gas Town Bridge
-            '@monoes/plugin-gastown-bridge',
+            '@monomind/plugin-gastown-bridge',
         ];
         // Fetch stats in parallel
         const statsPromises = realNpmPackages.map(pkg => fetchNpmStats(pkg));
@@ -784,14 +786,30 @@ export class PluginDiscoveryService {
         });
     }
     /**
-     * Verify registry signature
+     * Verify registry signature using real Ed25519
      */
-    verifyRegistrySignature(registry, expectedPublicKey) {
-        if (!registry.registrySignature || !registry.registryPublicKey) {
+    async verifyRegistrySignature(registry, expectedPublicKey) {
+        if (!registry.registrySignature || !registry.registryPublicKey)
+            return false;
+        if (registry.registryPublicKey !== expectedPublicKey)
+            return false;
+        const sigHex = registry.registrySignature.replace(/^ed25519:/, '');
+        const pubKeyHex = registry.registryPublicKey.replace(/^ed25519:/, '');
+        if (sigHex.length !== 128 || pubKeyHex.length !== 64)
+            return false;
+        const content = JSON.stringify({
+            version: registry.version,
+            updatedAt: registry.updatedAt,
+            plugins: registry.plugins.map(p => ({ id: p.id, cid: p.cid, checksum: p.checksum, version: p.version })),
+            totalPlugins: registry.totalPlugins,
+        });
+        try {
+            const ed = await import('@noble/ed25519');
+            return await ed.verifyAsync(Buffer.from(sigHex, 'hex'), Buffer.from(content), Buffer.from(pubKeyHex, 'hex'));
+        }
+        catch {
             return false;
         }
-        // In production: Verify Ed25519 signature
-        return registry.registryPublicKey.startsWith(expectedPublicKey.split(':')[0]);
     }
     /**
      * List available registries

package/packages/@monomind/cli/dist/src/production/circuit-breaker.js

@@ -6,7 +6,7 @@
  * - Open: Failing fast, not calling service
  * - Half-Open: Testing if service recovered
  *
- * @module @monoes/cli/production/circuit-breaker
+ * @module @monomind/cli/production/circuit-breaker
  */
 // ============================================================================
 // Default Configuration
@@ -115,6 +115,9 @@ export class CircuitBreaker {
         // If half-open and we fail, go back to open
         if (this.state === 'half-open') {
             this.transitionTo('open');
+            if (this.config.onOpen) {
+                this.config.onOpen(this.failures.length);
+            }
         }
     }
     /**
@@ -210,11 +213,15 @@ export class CircuitBreaker {
 // Circuit Breaker Registry
 // ============================================================================
 const circuitBreakers = new Map();
+const MAX_CIRCUIT_BREAKERS = 1000;
 /**
  * Get or create a circuit breaker by name
  */
 export function getCircuitBreaker(name, config) {
     if (!circuitBreakers.has(name)) {
+        if (circuitBreakers.size >= MAX_CIRCUIT_BREAKERS) {
+            throw new Error(`Circuit breaker registry full (max ${MAX_CIRCUIT_BREAKERS})`);
+        }
         circuitBreakers.set(name, new CircuitBreaker(config));
     }
     return circuitBreakers.get(name);