monomind 1.8.0 → 1.9.1

package/packages/@monomind/cli/dist/src/ruvector/moe-router.js

@@ -15,8 +15,8 @@
  *
  * @module moe-router
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
-import { dirname } from 'path';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync } from 'fs';
+import { dirname, join } from 'path';
 /**
  * Expert names in order (index corresponds to expert slot)
  */
@@ -445,7 +445,7 @@ export class MoERouter {
      * Load weights from persistence file
      */
     async loadWeights(path) {
-        const weightsPath = path || this.config.weightsPath;
+        const weightsPath = path ? path : join(process.cwd(), this.config.weightsPath);
         try {
             if (!existsSync(weightsPath)) {
                 return false;
@@ -457,11 +457,20 @@ export class MoERouter {
                 console.warn(`[MoE] Incompatible model version: ${model.version}`);
                 return false;
             }
-            // Load weights
-            this.W1 = new Float32Array(model.weights.W1.flat());
-            this.b1 = new Float32Array(model.weights.b1);
-            this.W2 = new Float32Array(model.weights.W2.flat());
-            this.b2 = new Float32Array(model.weights.b2);
+            // Load weights with dimension validation
+            const w1 = new Float32Array(model.weights.W1.flat());
+            const b1 = new Float32Array(model.weights.b1);
+            const w2 = new Float32Array(model.weights.W2.flat());
+            const b2 = new Float32Array(model.weights.b2);
+            if (w1.length !== INPUT_DIM * HIDDEN_DIM || b1.length !== HIDDEN_DIM ||
+                w2.length !== HIDDEN_DIM * NUM_EXPERTS || b2.length !== NUM_EXPERTS) {
+                console.warn('[MoE] Weight dimensions mismatch — reinitializing');
+                return false;
+            }
+            this.W1 = w1;
+            this.b1 = b1;
+            this.W2 = w2;
+            this.b2 = b2;
             // Load stats
             this.updateCount = model.stats.updateCount || 0;
             this.avgReward = model.stats.avgReward || 0;
@@ -478,7 +487,7 @@ export class MoERouter {
      * Save weights to persistence file
      */
     async saveWeights(path) {
-        const weightsPath = path || this.config.weightsPath;
+        const weightsPath = path ? path : join(process.cwd(), this.config.weightsPath);
         try {
             // Ensure directory exists
             const dir = dirname(weightsPath);
@@ -518,7 +527,9 @@ export class MoERouter {
                     expertNames: [...EXPERT_NAMES],
                 },
             };
-            writeFileSync(weightsPath, JSON.stringify(model, null, 2));
+            const tmp = weightsPath + '.tmp';
+            writeFileSync(tmp, JSON.stringify(model, null, 2));
+            renameSync(tmp, weightsPath);
             return true;
         }
         catch (err) {
@@ -595,6 +606,7 @@ export class MoERouter {
 // Singleton Instance
 // ============================================================================
 let moeRouterInstance = null;
+let _moeInitPromise = null;
 /**
  * Get singleton MoE router instance
  *
@@ -604,13 +616,24 @@ let moeRouterInstance = null;
 export function getMoERouter(config) {
     if (!moeRouterInstance) {
         moeRouterInstance = new MoERouter(config);
-        // Initialize in background (load weights)
-        moeRouterInstance.initialize().catch((err) => {
+        _moeInitPromise = moeRouterInstance.initialize().catch((err) => {
             console.warn('[MoE] Failed to initialize router:', err);
         });
     }
     return moeRouterInstance;
 }
+/**
+ * Get singleton MoE router instance, waiting for initialization to complete
+ *
+ * @param config - Optional configuration (only used on first call)
+ * @returns Promise resolving to fully initialized MoE router instance
+ */
+export async function getMoERouterReady(config) {
+    const router = getMoERouter(config);
+    if (_moeInitPromise)
+        await _moeInitPromise;
+    return router;
+}
 /**
  * Reset singleton instance (for testing)
  */

package/packages/@monomind/cli/dist/src/ruvector/q-learning-router.d.ts

@@ -169,7 +169,13 @@ export declare class QLearningRouter {
         visits: number;
     }>;
     /**
-     * Import Q-table from persistence
+     * Import Q-table from persistence with strict validation.
+     * SECURITY: a poisoned `.swarm/q-table.json` (co-located process write,
+     * malicious test fixture) with `qValues: [Infinity, ...]` would otherwise
+     * propagate NaN/Infinity through every argmax + Q-update — the attacker
+     * deterministically chooses every routing decision. Mirror the
+     * ewc-consolidation.ts:loadFromDisk pattern: per-field shape + finite-numeric
+     * + dimension check, drop bad records silently.
      */
     import(data: Record<string, {
         qValues: number[];

package/packages/@monomind/cli/dist/src/ruvector/q-learning-router.js

@@ -13,8 +13,8 @@
  *
  * @module q-learning-router
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
-import { dirname } from 'path';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, statSync } from 'fs';
+import { dirname, join } from 'path';
 /**
  * Default configuration
  */
@@ -125,11 +125,15 @@ export class QLearningRouter {
      * Load model from persistence file
      */
     async loadModel(path) {
-        const modelPath = path || this.config.modelPath;
+        const modelPath = path ? path : join(process.cwd(), this.config.modelPath);
         try {
             if (!existsSync(modelPath)) {
                 return false;
             }
+            const MAX_MODEL_SIZE = 20 * 1024 * 1024; // 20 MB
+            const st = statSync(modelPath, { throwIfNoEntry: false });
+            if (!st || st.size > MAX_MODEL_SIZE)
+                return false;
             const data = readFileSync(modelPath, 'utf-8');
             const model = JSON.parse(data);
             // Validate version compatibility
@@ -156,7 +160,7 @@ export class QLearningRouter {
      * Save model to persistence file
      */
     async saveModel(path) {
-        const modelPath = path || this.config.modelPath;
+        const modelPath = path ? path : join(process.cwd(), this.config.modelPath);
         try {
             // Ensure directory exists
             const dir = dirname(modelPath);
@@ -183,7 +187,9 @@ export class QLearningRouter {
                     totalExperiences: this.totalExperiences,
                 },
             };
-            writeFileSync(modelPath, JSON.stringify(model, null, 2));
+            const tmp = modelPath + '.tmp';
+            writeFileSync(tmp, JSON.stringify(model, null, 2));
+            renameSync(tmp, modelPath);
             return true;
         }
         catch (err) {
@@ -197,8 +203,10 @@ export class QLearningRouter {
      */
     route(taskContext, explore = true) {
         const stateKey = this.hashStateOptimized(taskContext);
+        // Check if we should explore using decayed epsilon
+        const shouldExplore = explore && Math.random() < this.epsilon;
         // Check cache first (only for exploitation, not exploration)
-        if (!explore) {
+        if (!shouldExplore) {
             const cached = this.getCachedRoute(stateKey);
             if (cached) {
                 this.cacheHits++;
@@ -206,8 +214,6 @@ export class QLearningRouter {
             }
             this.cacheMisses++;
         }
-        // Check if we should explore using decayed epsilon
-        const shouldExplore = explore && Math.random() < this.epsilon;
         let actionIdx;
         let qValues;
         if (shouldExplore) {
@@ -398,6 +404,7 @@ export class QLearningRouter {
         while (batch.length < batchSize && selected.size < this.replayBuffer.length) {
             let threshold = Math.random() * totalPriority;
             let cumSum = 0;
+            const prevLen = batch.length;
             for (let i = 0; i < this.replayBuffer.length; i++) {
                 if (selected.has(i))
                     continue;
@@ -408,6 +415,8 @@ export class QLearningRouter {
                     break;
                 }
             }
+            if (batch.length === prevLen)
+                break; // nothing was selectable, exit
         }
         return batch;
     }
@@ -492,16 +501,38 @@ export class QLearningRouter {
         return result;
     }
     /**
-     * Import Q-table from persistence
+     * Import Q-table from persistence with strict validation.
+     * SECURITY: a poisoned `.swarm/q-table.json` (co-located process write,
+     * malicious test fixture) with `qValues: [Infinity, ...]` would otherwise
+     * propagate NaN/Infinity through every argmax + Q-update — the attacker
+     * deterministically chooses every routing decision. Mirror the
+     * ewc-consolidation.ts:loadFromDisk pattern: per-field shape + finite-numeric
+     * + dimension check, drop bad records silently.
      */
     import(data) {
         this.qTable.clear();
+        if (!data || typeof data !== 'object')
+            return;
+        let imported = 0;
         for (const [key, entry] of Object.entries(data)) {
+            if (imported >= this.config.maxStates)
+                break;
+            if (typeof key !== 'string' || key.length === 0 || key.length > 256)
+                continue;
+            if (!entry || typeof entry !== 'object' || !Array.isArray(entry.qValues))
+                continue;
+            if (entry.qValues.length !== this.config.numActions)
+                continue;
+            if (!entry.qValues.every(v => typeof v === 'number' && Number.isFinite(v)))
+                continue;
+            if (typeof entry.visits !== 'number' || !Number.isFinite(entry.visits) || entry.visits < 0)
+                continue;
             this.qTable.set(key, {
                 qValues: new Float32Array(entry.qValues),
                 visits: entry.visits,
                 lastUpdate: Date.now(),
             });
+            imported++;
         }
     }
     // Private methods

package/packages/@monomind/cli/dist/src/services/claim-service.d.ts

@@ -139,7 +139,9 @@ export declare class ClaimService extends EventEmitter {
     constructor(projectRoot: string, config?: Partial<WorkStealingConfig>);
     initialize(): Promise<void>;
     private loadClaims;
+    private _saveQueue;
     private saveClaims;
+    private _doSaveClaims;
     claim(issueId: string, claimant: Claimant): Promise<ClaimResult>;
     release(issueId: string, claimant: Claimant): Promise<void>;
     requestHandoff(issueId: string, from: Claimant, to: Claimant, reason: string): Promise<void>;
@@ -148,7 +150,7 @@ export declare class ClaimService extends EventEmitter {
     updateStatus(issueId: string, status: ClaimStatus, note?: string): Promise<void>;
     updateProgress(issueId: string, progress: number): Promise<void>;
     requestReview(issueId: string, reviewers: Claimant[]): Promise<void>;
-    markStealable(issueId: string, info: StealableInfo): Promise<void>;
+    markStealable(issueId: string, info: StealableInfo, claimant?: Claimant): Promise<void>;
     steal(issueId: string, stealer: Claimant): Promise<StealResult>;
     getStealable(agentType?: string): Promise<IssueClaim[]>;
     contestSteal(issueId: string, originalClaimant: Claimant, reason: string): Promise<void>;

package/packages/@monomind/cli/dist/src/services/claim-service.js

@@ -75,13 +75,37 @@ export class ClaimService extends EventEmitter {
             }
         }
     }
+    // Single-flight save lock: serializes concurrent saveClaims() calls so that
+    // two writers cannot collide on the .tmp file or interleave their renames.
+    // Combined with the unique tmp suffix below, this defends against in-process
+    // corruption of claims.json. Cross-process safety still requires fcntl/flock
+    // around the read-modify-write at higher level.
+    _saveQueue = Promise.resolve();
     async saveClaims() {
+        // CRITICAL: do NOT let a single rejection (ENOSPC / EROFS / EACCES)
+        // poison the entire chain. Previously every subsequent saveClaims would
+        // inherit the rejection and silently skip _doSaveClaims, causing the
+        // in-memory Map to drift from disk indefinitely — a permanent
+        // authorization-state desync. Catch the chain link so the next link runs;
+        // re-expose the real rejection to the caller via a separate promise.
+        const next = this._saveQueue
+            .catch(() => undefined)
+            .then(() => this._doSaveClaims());
+        this._saveQueue = next.catch(() => undefined);
+        return next;
+    }
+    async _doSaveClaims() {
         const claimsFile = path.join(this.storagePath, 'claims.json');
         const data = {
             claims: Array.from(this.claims.values()),
             savedAt: new Date().toISOString(),
         };
-        fs.writeFileSync(claimsFile, JSON.stringify(data, null, 2));
+        // Unique tmp filename so a previous in-flight write cannot be clobbered
+        // by a concurrent fs.writeFileSync truncating the same .tmp path.
+        const { randomBytes } = await import('crypto');
+        const tmp = `${claimsFile}.${process.pid}.${Date.now()}.${randomBytes(4).toString('hex')}.tmp`;
+        fs.writeFileSync(tmp, JSON.stringify(data, null, 2));
+        fs.renameSync(tmp, claimsFile);
     }
     // ==========================================================================
     // Core Claiming
@@ -217,6 +241,10 @@ export class ClaimService extends EventEmitter {
         }
         if (status === 'completed') {
             claim.progress = 100;
+            // Evict completed claims after saving to prevent unbounded Map growth
+            await this.saveClaims();
+            this.claims.delete(issueId);
+            return;
         }
         await this.saveClaims();
         this.emitEvent({
@@ -253,11 +281,14 @@ export class ClaimService extends EventEmitter {
     // ==========================================================================
     // Work Stealing
     // ==========================================================================
-    async markStealable(issueId, info) {
+    async markStealable(issueId, info, claimant) {
         const claim = this.claims.get(issueId);
         if (!claim) {
             throw new Error(`Issue ${issueId} is not claimed`);
         }
+        if (claimant !== undefined && !this.isSameClaimant(claim.claimant, claimant)) {
+            throw new Error(`Issue ${issueId} is not owned by ${this.formatClaimant(claimant)}`);
+        }
         claim.status = 'stealable';
         claim.statusChangedAt = new Date();
         claim.context = info.context;

package/packages/@monomind/cli/dist/src/services/config-file-manager.d.ts

@@ -13,7 +13,16 @@ export declare class ConfigFileManager {
     getConfig(cwd: string): Record<string, unknown>;
     /** Get a nested config value by dot-separated key */
     get(cwd: string, key: string): unknown;
-    /** Set a nested config value by dot-separated key */
+    /** Set a nested config value by dot-separated key.
+     * Enforces top-level section allowlist (mirroring importFrom) and recursively
+     * sanitises the value to strip prototype-pollution keys before persistence.
+     *
+     * Re-reads the file from disk inside the write to guard against the
+     * read-modify-write credential-clobber race. Without the re-read, two
+     * concurrent `monomind providers configure` calls would each see the
+     * original config, mutate locally, and the second writer would silently
+     * drop the first writer's API key.
+     */
     set(cwd: string, key: string, value: unknown): void;
     /** Create a new config file with defaults */
     create(cwd: string, overrides?: Record<string, unknown>, force?: boolean): string;
@@ -27,7 +36,12 @@ export declare class ConfigFileManager {
     getConfigPath(): string | null;
     /** Get default config */
     getDefaults(): Record<string, unknown>;
-    /** Atomic write: write to .tmp then rename */
+    /** Atomic write with restrictive 0o600 mode.
+     * SECURITY: this config file may contain API keys (per `commands/providers.ts`).
+     * Without explicit mode the file inherits the umask (typically 0o644 →
+     * world-readable). Set 0o600 on tmp file BEFORE rename, then re-chmod after
+     * rename in case the rename target had a more permissive mode.
+     */
     private writeAtomic;
 }
 /** Parse a string value to the appropriate type */

package/packages/@monomind/cli/dist/src/services/config-file-manager.js

@@ -64,10 +64,14 @@ export class ConfigFileManager {
                 return candidate;
             }
         }
-        // Check env var
+        // Check env var — must resolve within project root
         const envPath = process.env.MONOMIND_CONFIG;
-        if (envPath && fs.existsSync(envPath)) {
-            return path.resolve(envPath);
+        if (envPath) {
+            const resolved = path.resolve(envPath);
+            const projectRoot = path.resolve(cwd);
+            if ((resolved.startsWith(projectRoot + path.sep) || resolved === projectRoot) && fs.existsSync(resolved)) {
+                return resolved;
+            }
         }
         return null;
     }
@@ -80,7 +84,8 @@ export class ConfigFileManager {
         }
         try {
             const content = fs.readFileSync(this.configPath, 'utf-8');
-            this.config = JSON.parse(content);
+            const parsed = JSON.parse(content);
+            this.config = sanitizeConfigObject(parsed);
             return this.config;
         }
         catch {
@@ -100,13 +105,40 @@ export class ConfigFileManager {
         const config = this.getConfig(cwd);
         return getNestedValue(config, key);
     }
-    /** Set a nested config value by dot-separated key */
+    /** Set a nested config value by dot-separated key.
+     * Enforces top-level section allowlist (mirroring importFrom) and recursively
+     * sanitises the value to strip prototype-pollution keys before persistence.
+     *
+     * Re-reads the file from disk inside the write to guard against the
+     * read-modify-write credential-clobber race. Without the re-read, two
+     * concurrent `monomind providers configure` calls would each see the
+     * original config, mutate locally, and the second writer would silently
+     * drop the first writer's API key.
+     */
     set(cwd, key, value) {
-        const config = this.getConfig(cwd);
-        setNestedValue(config, key, value);
-        this.config = config;
-        const targetPath = this.configPath ?? path.resolve(cwd, CONFIG_FILENAMES[0]);
-        this.writeAtomic(targetPath, config);
+        const KNOWN_SET_SECTIONS = new Set(['version', 'agents', 'swarm', 'memory', 'mcp', 'cli', 'hooks']);
+        const topSection = String(key).split('.')[0];
+        if (!KNOWN_SET_SECTIONS.has(topSection)) {
+            throw new Error(`Unknown config section: "${topSection}". Allowed: ${[...KNOWN_SET_SECTIONS].join(', ')}`);
+        }
+        const sanitisedValue = sanitizeConfigObject(value);
+        const targetPath = this.configPath ?? this.findConfig(cwd) ?? path.resolve(cwd, CONFIG_FILENAMES[0]);
+        // Re-read from disk inside the write window so we operate on the latest
+        // bytes, not on a possibly-stale this.config cache. This still isn't
+        // cross-process atomic without an OS-level flock, but combined with the
+        // O_EXCL atomic rename it prevents the most common credential-clobber
+        // window where two CLIs interleave their getConfig→set→write cycles.
+        let onDisk = { ...DEFAULT_CONFIG };
+        if (fs.existsSync(targetPath)) {
+            try {
+                const parsed = JSON.parse(fs.readFileSync(targetPath, 'utf-8'));
+                onDisk = sanitizeConfigObject(parsed);
+            }
+            catch { /* fall through to defaults */ }
+        }
+        setNestedValue(onDisk, key, sanitisedValue);
+        this.writeAtomic(targetPath, onDisk);
+        this.config = onDisk;
         this.configPath = targetPath;
     }
     /** Create a new config file with defaults */
@@ -115,7 +147,7 @@ export class ConfigFileManager {
         if (fs.existsSync(targetPath) && !force) {
             throw new Error(`Config file already exists: ${targetPath}. Use --force to overwrite.`);
         }
-        const config = { ...DEFAULT_CONFIG, ...overrides };
+        const config = { ...DEFAULT_CONFIG, ...(overrides ? sanitizeConfigObject(overrides) : {}) };
         this.writeAtomic(targetPath, config);
         this.config = config;
         this.configPath = targetPath;
@@ -133,6 +165,10 @@ export class ConfigFileManager {
     exportTo(cwd, exportPath) {
         const config = this.getConfig(cwd);
         const resolved = path.resolve(cwd, exportPath);
+        const projectRoot = path.resolve(cwd);
+        if (!resolved.startsWith(projectRoot + path.sep) && resolved !== projectRoot) {
+            throw new Error('Export path must be within the project directory');
+        }
         this.writeAtomic(resolved, config);
     }
     /** Import config from a specific path */
@@ -142,16 +178,26 @@ export class ConfigFileManager {
             throw new Error(`Import file not found: ${resolved}`);
         }
         const content = fs.readFileSync(resolved, 'utf-8');
-        let imported;
+        let importedRaw;
         try {
-            imported = JSON.parse(content);
+            importedRaw = JSON.parse(content);
         }
         catch {
             throw new Error(`Invalid JSON in import file: ${resolved}`);
         }
-        if (typeof imported !== 'object' || imported === null || Array.isArray(imported)) {
+        if (typeof importedRaw !== 'object' || importedRaw === null || Array.isArray(importedRaw)) {
             throw new Error('Import file must contain a JSON object');
         }
+        // Recursively strip prototype-pollution keys at every nesting level —
+        // KNOWN_SECTIONS only validates top-level keys, leaving nested
+        // {agents:{providers:[{__proto__:{...}}]}} unsanitized.
+        const imported = sanitizeConfigObject(importedRaw);
+        const KNOWN_SECTIONS = new Set(['version', 'agents', 'swarm', 'memory', 'mcp', 'cli', 'hooks']);
+        for (const key of Object.keys(imported)) {
+            if (!KNOWN_SECTIONS.has(key)) {
+                throw new Error(`Unknown config section: "${key}"`);
+            }
+        }
         const targetPath = this.configPath ?? path.resolve(cwd, CONFIG_FILENAMES[0]);
         this.writeAtomic(targetPath, imported);
         this.config = imported;
@@ -165,20 +211,57 @@ export class ConfigFileManager {
     getDefaults() {
         return { ...DEFAULT_CONFIG };
     }
-    /** Atomic write: write to .tmp then rename */
+    /** Atomic write with restrictive 0o600 mode.
+     * SECURITY: this config file may contain API keys (per `commands/providers.ts`).
+     * Without explicit mode the file inherits the umask (typically 0o644 →
+     * world-readable). Set 0o600 on tmp file BEFORE rename, then re-chmod after
+     * rename in case the rename target had a more permissive mode.
+     */
     writeAtomic(filePath, data) {
         const dir = path.dirname(filePath);
         if (!fs.existsSync(dir)) {
             fs.mkdirSync(dir, { recursive: true });
         }
-        const tmpPath = filePath + '.tmp';
-        fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2) + '\n');
+        const tmpPath = `${filePath}.${process.pid}.tmp`;
+        fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 });
         fs.renameSync(tmpPath, filePath);
+        try {
+            fs.chmodSync(filePath, 0o600);
+        }
+        catch { /* best effort */ }
     }
 }
+const FORBIDDEN_KEY_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
+/**
+ * Recursively strip prototype-pollution keys from a parsed JSON object before
+ * it lands in this.config or is persisted back to disk. JSON.parse alone does
+ * not pollute, but downstream consumers that shallow-merge config values
+ * (Object.assign, spread) would propagate poisoned keys; persisting them back
+ * to disk also makes the pollution survive restarts.
+ */
+function sanitizeConfigObject(value, depth = 0) {
+    if (depth > 32)
+        return null;
+    if (Array.isArray(value))
+        return value.map(v => sanitizeConfigObject(v, depth + 1));
+    if (value !== null && typeof value === 'object') {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            if (FORBIDDEN_KEY_SEGMENTS.has(k))
+                continue;
+            out[k] = sanitizeConfigObject(v, depth + 1);
+        }
+        return out;
+    }
+    return value;
+}
 /** Get a nested value by dot-separated key */
 function getNestedValue(obj, key) {
     const parts = key.split('.');
+    for (const part of parts) {
+        if (FORBIDDEN_KEY_SEGMENTS.has(part))
+            return undefined;
+    }
     let current = obj;
     for (const part of parts) {
         if (current === null || current === undefined || typeof current !== 'object') {
@@ -191,6 +274,11 @@ function getNestedValue(obj, key) {
 /** Set a nested value by dot-separated key */
 function setNestedValue(obj, key, value) {
     const parts = key.split('.');
+    for (const part of parts) {
+        if (FORBIDDEN_KEY_SEGMENTS.has(part)) {
+            throw new Error(`Forbidden config key segment: "${part}"`);
+        }
+    }
     let current = obj;
     for (let i = 0; i < parts.length - 1; i++) {
         const part = parts[i];