openclaw-node-harness 2.1.0 → 2.1.1

package/bin/lane-watchdog.js

@@ -37,6 +37,11 @@ let lastInterventionAt = 0;
 let logWatcher = null;
 let errWatcher = null;
 
+// Incident log dedup: suppress identical messages within 60s
+let lastIncidentMsg = '';
+let lastIncidentAt = 0;
+let suppressedCount = 0;
+
 // Track detected events
 const events = {
   agentTimeout: null,    // timestamp of last "embedded run timeout"
@@ -45,6 +50,22 @@ const events = {
 
 // --- Helpers ---
 function log(msg) {
+  const now = Date.now();
+  // Dedup: suppress identical messages within 60s
+  if (msg === lastIncidentMsg && (now - lastIncidentAt) < 60_000) {
+    suppressedCount++;
+    return;
+  }
+  // If we suppressed duplicates, emit a summary before the new message
+  if (suppressedCount > 0) {
+    const summaryLine = `${new Date().toISOString()} [lane-watchdog] (suppressed ${suppressedCount} duplicate message(s))`;
+    console.log(summaryLine);
+    try { fs.appendFileSync(INCIDENT_LOG, summaryLine + '\n'); } catch { /* best effort */ }
+  }
+  lastIncidentMsg = msg;
+  lastIncidentAt = now;
+  suppressedCount = 0;
+
   const ts = new Date().toISOString();
   const line = `${ts} [lane-watchdog] ${msg}`;
   console.log(line);
@@ -220,8 +241,8 @@ function main() {
   for (const sig of ['SIGTERM', 'SIGINT']) {
     process.on(sig, () => {
       log(`Received ${sig}, shutting down`);
-      if (logWatcher) fs.unwatchFile(GATEWAY_LOG);
-      if (errWatcher) fs.unwatchFile(GATEWAY_ERR_LOG);
+      if (logWatcher) logWatcher.close();
+      if (errWatcher) errWatcher.close();
       process.exit(0);
     });
   }

package/bin/mesh-agent.js

@@ -36,7 +36,7 @@
  */
 
 const { connect, StringCodec } = require('nats');
-const { spawn, execSync } = require('child_process');
+const { spawn, execSync, execFileSync } = require('child_process');
 const os = require('os');
 const path = require('path');
 const fs = require('fs');
@@ -46,7 +46,7 @@ const { loadHarnessRules, runMeshHarness, runPostCommitValidation, formatHarness
 const { findRole, formatRoleForPrompt } = require('../lib/role-loader');
 
 const sc = StringCodec();
-const { NATS_URL } = require('../lib/nats-resolve');
+const { NATS_URL, natsConnectOpts } = require('../lib/nats-resolve');
 const { resolveProvider, resolveModel } = require('../lib/llm-providers');
 const NODE_ID = process.env.MESH_NODE_ID || os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
 const POLL_INTERVAL = parseInt(process.env.MESH_POLL_INTERVAL || '15000'); // 15s between polls
@@ -198,8 +198,9 @@ function buildInitialPrompt(task) {
   }
 
   if (task.metric) {
+    const safeMetric = isAllowedMetric(task.metric) ? task.metric : '[metric command filtered for security]';
     parts.push(`## Verification`);
-    parts.push(`Run this command to check your work: \`${task.metric}\``);
+    parts.push(`Run this command to check your work: \`${safeMetric}\``);
     parts.push(`Your changes are only accepted if this command exits with code 0.`);
     parts.push('');
   }
@@ -224,7 +225,8 @@ function buildInitialPrompt(task) {
   parts.push('- Make minimal, focused changes. Do not add scope beyond what is asked.');
   parts.push('- If you hit a blocker you cannot resolve, explain what is blocking you clearly.');
   if (task.metric) {
-    parts.push(`- After making changes, run \`${task.metric}\` to verify.`);
+    const safeMetric = isAllowedMetric(task.metric) ? task.metric : '[metric command filtered for security]';
+    parts.push(`- After making changes, run \`${safeMetric}\` to verify.`);
     parts.push('- If verification fails, analyze the failure and iterate on your approach.');
   }
 
@@ -264,8 +266,9 @@ function buildRetryPrompt(task, previousAttempts, attemptNumber) {
   }
 
   if (task.metric) {
+    const safeMetric = isAllowedMetric(task.metric) ? task.metric : '[metric command filtered for security]';
     parts.push(`## Verification`);
-    parts.push(`Run: \`${task.metric}\``);
+    parts.push(`Run: \`${safeMetric}\``);
     parts.push(`Must exit code 0.`);
     parts.push('');
   }
@@ -289,7 +292,8 @@ function buildRetryPrompt(task, previousAttempts, attemptNumber) {
   parts.push('- Read the relevant files before making changes.');
   parts.push('- Make minimal, focused changes.');
   if (task.metric) {
-    parts.push(`- Run \`${task.metric}\` to verify before finishing.`);
+    const safeMetric = isAllowedMetric(task.metric) ? task.metric : '[metric command filtered for security]';
+    parts.push(`- Run \`${safeMetric}\` to verify before finishing.`);
   }
 
   return parts.join('\n');
@@ -305,6 +309,9 @@ const WORKTREE_BASE = process.env.MESH_WORKTREE_BASE || path.join(process.env.HO
  * On failure, returns null (falls back to shared workspace).
  */
 function createWorktree(taskId) {
+  if (!/^[\w][\w.-]{0,127}$/.test(taskId)) {
+    throw new Error(`Invalid taskId: contains unsafe characters`);
+  }
   const worktreePath = path.join(WORKTREE_BASE, taskId);
   const branch = `mesh/${taskId}`;
 
@@ -315,19 +322,19 @@ function createWorktree(taskId) {
     if (fs.existsSync(worktreePath)) {
       log(`Cleaning stale worktree: ${worktreePath}`);
       try {
-        execSync(`git worktree remove --force "${worktreePath}"`, { cwd: WORKSPACE, timeout: 10000 });
+        execFileSync('git', ['worktree', 'remove', '--force', worktreePath], { cwd: WORKSPACE, timeout: 10000 });
       } catch {
         // If git worktree remove fails, manually clean up
         fs.rmSync(worktreePath, { recursive: true, force: true });
       }
       // Also clean up the branch if it exists
       try {
-        execSync(`git branch -D "${branch}"`, { cwd: WORKSPACE, timeout: 5000, stdio: 'ignore' });
+        execFileSync('git', ['branch', '-D', branch], { cwd: WORKSPACE, timeout: 5000, stdio: 'ignore' });
       } catch { /* branch may not exist */ }
     }
 
     // Create new worktree branched off HEAD
-    execSync(`git worktree add -b "${branch}" "${worktreePath}" HEAD`, {
+    execFileSync('git', ['worktree', 'add', '-b', branch, worktreePath, 'HEAD'], {
       cwd: WORKSPACE,
       timeout: 30000,
       stdio: 'pipe',
@@ -375,7 +382,7 @@ function commitAndMergeWorktree(worktreePath, taskId, summary) {
       log(`WARNING: commit message doesn't follow conventional format: "${commitMsg}"`);
     }
 
-    execSync(`git commit -m "${commitMsg.replace(/"/g, '\\"')}"`, {
+    execFileSync('git', ['commit', '-m', commitMsg], {
       cwd: worktreePath, timeout: 10000, stdio: 'pipe',
     });
 
@@ -391,7 +398,7 @@ function commitAndMergeWorktree(worktreePath, taskId, summary) {
     const mergeMsg = `Merge ${branch}: ${taskId}`;
     for (let attempt = 0; attempt < 2; attempt++) {
       try {
-        execSync(`git merge --no-ff "${branch}" -m "${mergeMsg.replace(/"/g, '\\"')}"`, {
+        execFileSync('git', ['merge', '--no-ff', branch, '-m', mergeMsg], {
           cwd: WORKSPACE, timeout: 30000, stdio: 'pipe',
         });
         log(`Merged ${branch} into main${attempt > 0 ? ' (retry succeeded)' : ''}`);
@@ -429,13 +436,13 @@ function cleanupWorktree(worktreePath, keep = false) {
   const branch = `mesh/${taskId}`;
 
   try {
-    execSync(`git worktree remove --force "${worktreePath}"`, {
+    execFileSync('git', ['worktree', 'remove', '--force', worktreePath], {
       cwd: WORKSPACE,
       timeout: 10000,
       stdio: 'pipe',
     });
     if (!keep) {
-      execSync(`git branch -D "${branch}"`, {
+      execFileSync('git', ['branch', '-D', branch], {
         cwd: WORKSPACE,
         timeout: 5000,
         stdio: 'ignore',
@@ -507,9 +514,10 @@ function runLLM(prompt, task, worktreePath) {
 
     let stdout = '';
     let stderr = '';
+    const MAX_OUTPUT = 1024 * 1024; // 1MB cap
 
-    child.stdout.on('data', (d) => { stdout += d.toString(); });
-    child.stderr.on('data', (d) => { stderr += d.toString(); });
+    child.stdout.on('data', (d) => { if (stdout.length < MAX_OUTPUT) stdout += d.toString().slice(0, MAX_OUTPUT - stdout.length); });
+    child.stderr.on('data', (d) => { if (stderr.length < MAX_OUTPUT) stderr += d.toString().slice(0, MAX_OUTPUT - stderr.length); });
 
     child.on('close', (code) => {
       clearInterval(heartbeatTimer);
@@ -525,10 +533,23 @@ function runLLM(prompt, task, worktreePath) {
 
 // ── Metric Evaluation ─────────────────────────────────
 
+const ALLOWED_METRIC_PREFIXES = [
+  'npm test', 'npm run', 'node ', 'pytest', 'cargo test',
+  'go test', 'make test', 'jest', 'vitest', 'mocha',
+];
+
+function isAllowedMetric(cmd) {
+  return ALLOWED_METRIC_PREFIXES.some(prefix => cmd.startsWith(prefix));
+}
+
 /**
  * Run the task's metric command. Returns { passed, output }.
  */
 function evaluateMetric(metric, cwd) {
+  if (!isAllowedMetric(metric)) {
+    log(`WARNING: Metric command blocked by security filter: ${metric}`);
+    return Promise.resolve({ passed: false, output: 'Metric command blocked by security filter' });
+  }
   return new Promise((resolve) => {
     const child = spawn('bash', ['-c', metric], {
       cwd: cwd || WORKSPACE,
@@ -1394,8 +1415,9 @@ async function main() {
   log(`  Poll interval: ${POLL_INTERVAL / 1000}s`);
   log(`  Mode:        ${ONCE ? 'single task' : 'continuous'} ${DRY_RUN ? '(dry run)' : ''}`);
 
+  const natsOpts = natsConnectOpts();
   nc = await connect({
-    servers: NATS_URL,
+    ...natsOpts,
     timeout: 5000,
     reconnect: true,
     maxReconnectAttempts: 10,

package/bin/mesh-bridge.js

@@ -21,7 +21,7 @@ const path = require('path');
 const { readTasks, updateTaskInPlace, isoTimestamp, ACTIVE_TASKS_PATH } = require('../lib/kanban-io');
 
 const sc = StringCodec();
-const { NATS_URL } = require('../lib/nats-resolve');
+const { NATS_URL, natsConnectOpts } = require('../lib/nats-resolve');
 const DISPATCH_INTERVAL = parseInt(process.env.BRIDGE_DISPATCH_INTERVAL || '10000'); // 10s
 const LOG_DIR = path.join(process.env.HOME, '.openclaw', 'workspace', 'memory', 'mesh-logs');
 const WORKSPACE = path.join(process.env.HOME, '.openclaw', 'workspace');
@@ -726,8 +726,9 @@ async function main() {
   log(`  Dispatch interval: ${DISPATCH_INTERVAL / 1000}s`);
   log(`  Mode:             ${DRY_RUN ? 'dry run' : 'live'}`);
 
+  const natsOpts = natsConnectOpts();
   nc = await connect({
-    servers: NATS_URL,
+    ...natsOpts,
     timeout: 5000,
     reconnect: true,
     maxReconnectAttempts: 10,

package/bin/mesh-health-publisher.js

@@ -36,6 +36,12 @@ const IS_MAC = os.platform() === "darwin";
 
 const { ROLE_COMPONENTS } = require('../lib/mesh-roles');
 
+// ── Circuit Breaker State ───────────────────────────────────────────────
+let consecutiveFailures = 0;
+let skipTicksRemaining = 0;
+let lastErrorMsg = '';
+let lastErrorRepeatCount = 0;
+
 // ── Health Gathering ─────────────────────────────────────────────────────
 // All the expensive execSync calls happen here, on our own schedule.
 // No request timeout to race against.
@@ -226,11 +232,45 @@ async function main() {
 
   // Publish immediately, then every interval
   async function publish() {
+    // Circuit breaker: skip ticks during backoff
+    if (skipTicksRemaining > 0) {
+      skipTicksRemaining--;
+      return;
+    }
+
     try {
       const health = gatherHealth();
       await kv.put(NODE_ID, sc.encode(JSON.stringify(health)));
+      // Reset on success
+      if (consecutiveFailures > 0) {
+        console.log(`[health-publisher] recovered after ${consecutiveFailures} consecutive failures`);
+      }
+      consecutiveFailures = 0;
+      lastErrorMsg = '';
+      lastErrorRepeatCount = 0;
     } catch (err) {
-      console.error("[health-publisher] publish failed:", err.message);
+      consecutiveFailures++;
+      const msg = err.message;
+
+      // Log dedup: after 3 identical consecutive errors, log every 10th
+      if (msg === lastErrorMsg) {
+        lastErrorRepeatCount++;
+        if (lastErrorRepeatCount === 3) {
+          console.error(`[health-publisher] suppressing repeated errors (${lastErrorRepeatCount} occurrences): ${msg}`);
+        } else if (lastErrorRepeatCount > 3 && lastErrorRepeatCount % 10 === 0) {
+          console.error(`[health-publisher] suppressing repeated errors (${lastErrorRepeatCount} occurrences): ${msg}`);
+        }
+        // Silently skip logs between dedup thresholds
+      } else {
+        lastErrorMsg = msg;
+        lastErrorRepeatCount = 1;
+        console.error("[health-publisher] publish failed:", msg);
+      }
+
+      // Exponential backoff: skip 2^min(N,6) ticks (max ~64 ticks / ~16 min at 15s)
+      const backoffTicks = Math.pow(2, Math.min(consecutiveFailures, 6));
+      skipTicksRemaining = backoffTicks;
+      console.error(`[health-publisher] backoff: skipping next ${backoffTicks} ticks (failures=${consecutiveFailures})`);
     }
   }
 

package/bin/mesh-task-daemon.js

@@ -2106,6 +2106,11 @@ async function main() {
     clearInterval(budgetTimer);
     clearInterval(stallTimer);
     clearInterval(recruitTimer);
+    if (circlingStepSweepTimer) clearInterval(circlingStepSweepTimer);
+    if (circlingStepTimers) {
+      for (const timer of circlingStepTimers.values()) clearTimeout(timer);
+      circlingStepTimers.clear();
+    }
     for (const sub of subs) sub.unsubscribe();
     await nc.drain();
     process.exit(0);

package/bin/mesh.js

@@ -88,27 +88,16 @@ function remoteNode() {
 
 // ─── Exec safety ─────────────────────────────────────
 
-const DESTRUCTIVE_PATTERNS = [
-  /\brm\s+(-[a-zA-Z]*)?r[a-zA-Z]*f/,      // rm -rf, rm -fr, rm --recursive --force
-  /\brm\s+(-[a-zA-Z]*)?f[a-zA-Z]*r/,       // rm -fr variants
-  /\bmkfs\b/,                                // format filesystem
-  /\bdd\s+.*of=/,                            // raw disk write
-  /\b>\s*\/dev\/[sh]d/,                      // write to raw device
-  /\bcurl\b.*\|\s*(ba)?sh/,                  // curl pipe to shell
-  /\bwget\b.*\|\s*(ba)?sh/,                  // wget pipe to shell
-  /\bchmod\s+(-[a-zA-Z]*\s+)?777\s+\//,     // chmod 777 on root paths
-  /\b:(){ :\|:& };:/,                        // fork bomb
-];
+const { checkDestructivePatterns } = require('../lib/exec-safety');
 
 function checkExecSafety(command) {
-  for (const pattern of DESTRUCTIVE_PATTERNS) {
-    if (pattern.test(command)) {
-      console.error(`BLOCKED: Command matches destructive pattern.`);
-      console.error(`  Command: ${command}`);
-      console.error(`  Pattern: ${pattern}`);
-      console.error(`\nIf this is intentional, SSH into the node and run it directly.`);
-      process.exit(1);
-    }
+  const result = checkDestructivePatterns(command);
+  if (result.blocked) {
+    console.error(`BLOCKED: Command matches destructive pattern.`);
+    console.error(`  Command: ${command}`);
+    console.error(`  Pattern: ${result.pattern}`);
+    console.error(`\nIf this is intentional, SSH into the node and run it directly.`);
+    process.exit(1);
   }
 }
 

package/install.sh

@@ -770,8 +770,9 @@ else
     fi
 
     if [ "$OS" = "macos" ]; then
-      TEMPLATE="$LAUNCHD_TEMPLATES/ai.openclaw.${SVC_NAME}.plist"
-      DEST="$LAUNCHD_DEST/ai.openclaw.${SVC_NAME}.plist"
+      LAUNCHD_SVC_NAME="${SVC_NAME#openclaw-}"
+      TEMPLATE="$LAUNCHD_TEMPLATES/ai.openclaw.${LAUNCHD_SVC_NAME}.plist"
+      DEST="$LAUNCHD_DEST/ai.openclaw.${LAUNCHD_SVC_NAME}.plist"
 
       if [ ! -f "$TEMPLATE" ]; then
         warn "  Template not found: $TEMPLATE"

package/lib/agent-activity.js

@@ -147,7 +147,7 @@ async function readLastEntry(filePath) {
     } else {
       const fh = await open(filePath, 'r');
       try {
-        const buffer = Buffer.allocUnsafe(chunkSize);
+        const buffer = Buffer.alloc(chunkSize);
         await fh.read(buffer, 0, chunkSize, offset);
         content = buffer.toString('utf-8');
       } finally {
@@ -195,7 +195,7 @@ async function parseJsonlTail(filePath, maxBytes = 131072) {
       const fh = await open(filePath, 'r');
       try {
         const length = size - offset;
-        const buffer = Buffer.allocUnsafe(length);
+        const buffer = Buffer.alloc(length);
         await fh.read(buffer, 0, length, offset);
         content = buffer.toString('utf-8');
       } finally {

package/lib/exec-safety.js

@@ -0,0 +1,105 @@
+/**
+ * exec-safety.js — Shared command safety filtering for mesh exec.
+ *
+ * Used by both CLI-side (mesh.js) and server-side (NATS exec handler)
+ * to block destructive or unauthorized commands before execution.
+ *
+ * Two layers:
+ *   1. DESTRUCTIVE_PATTERNS — blocklist of known-dangerous patterns
+ *   2. ALLOWED_PREFIXES — allowlist for server-side execution (opt-in)
+ */
+
+'use strict';
+
+const DESTRUCTIVE_PATTERNS = [
+  /\brm\s+(-[a-zA-Z]*)?r[a-zA-Z]*f/,      // rm -rf, rm -fr, rm --recursive --force
+  /\brm\s+(-[a-zA-Z]*)?f[a-zA-Z]*r/,       // rm -fr variants
+  /\bmkfs\b/,                                // format filesystem
+  /\bdd\s+.*of=/,                            // raw disk write
+  /\b>\s*\/dev\/[sh]d/,                      // write to raw device
+  /\bcurl\b.*\|\s*(ba)?sh/,                  // curl pipe to shell
+  /\bwget\b.*\|\s*(ba)?sh/,                  // wget pipe to shell
+  /\bchmod\s+(-[a-zA-Z]*\s+)?777\s+\//,     // chmod 777 on root paths
+  /\b:(){ :\|:& };:/,                        // fork bomb
+  /\bsudo\b/,                                // sudo escalation
+  /\bsu\s+-?\s/,                             // su user switch
+  /\bpasswd\b/,                              // password change
+  /\buseradd\b|\buserdel\b/,                 // user management
+  /\biptables\b|\bnft\b/,                    // firewall modification
+  /\bsystemctl\s+(stop|disable|mask)/,       // service disruption
+  /\blaunchctl\s+(unload|remove)/,           // macOS service disruption
+  /\bkill\s+-9\s+1\b/,                       // kill init/launchd
+  />\s*\/etc\//,                             // overwrite system config
+  /\beval\b.*\$\(/,                          // eval with command substitution
+];
+
+/**
+ * Allowed command prefixes for server-side NATS exec.
+ * Only commands starting with one of these are permitted.
+ * CLI-side uses blocklist only; server-side uses both blocklist + allowlist.
+ */
+const ALLOWED_EXEC_PREFIXES = [
+  'git ', 'npm ', 'node ', 'npx ', 'python ', 'python3 ',
+  'cat ', 'ls ', 'head ', 'tail ', 'grep ', 'find ', 'wc ',
+  'echo ', 'date ', 'uptime ', 'df ', 'free ', 'ps ',
+  'bash openclaw/', 'bash ~/openclaw/', 'bash ./bin/',
+  'cd ', 'pwd', 'which ', 'env ', 'printenv ',
+  'cargo ', 'go ', 'make ', 'pytest ', 'jest ', 'vitest ',
+];
+
+/**
+ * Check if a command matches any destructive pattern.
+ * @param {string} command
+ * @returns {{ blocked: boolean, pattern?: RegExp }}
+ */
+function checkDestructivePatterns(command) {
+  for (const pattern of DESTRUCTIVE_PATTERNS) {
+    if (pattern.test(command)) {
+      return { blocked: true, pattern };
+    }
+  }
+  return { blocked: false };
+}
+
+/**
+ * Check if a command is allowed by the server-side allowlist.
+ * @param {string} command
+ * @returns {boolean}
+ */
+function isAllowedExecCommand(command) {
+  const trimmed = (command || '').trim();
+  if (!trimmed) return false;
+  return ALLOWED_EXEC_PREFIXES.some(p => trimmed.startsWith(p));
+}
+
+/**
+ * Full server-side validation: blocklist + allowlist.
+ * Returns { allowed: true } or { allowed: false, reason: string }.
+ * @param {string} command
+ * @returns {{ allowed: boolean, reason?: string }}
+ */
+function validateExecCommand(command) {
+  const trimmed = (command || '').trim();
+  if (!trimmed) {
+    return { allowed: false, reason: 'Empty command' };
+  }
+
+  const destructive = checkDestructivePatterns(trimmed);
+  if (destructive.blocked) {
+    return { allowed: false, reason: `Blocked by destructive pattern: ${destructive.pattern}` };
+  }
+
+  if (!isAllowedExecCommand(trimmed)) {
+    return { allowed: false, reason: `Command not in server-side allowlist: ${trimmed.slice(0, 80)}` };
+  }
+
+  return { allowed: true };
+}
+
+module.exports = {
+  DESTRUCTIVE_PATTERNS,
+  ALLOWED_EXEC_PREFIXES,
+  checkDestructivePatterns,
+  isAllowedExecCommand,
+  validateExecCommand,
+};

package/lib/kanban-io.js

@@ -28,47 +28,31 @@ const ACTIVE_TASKS_PATH = path.join(
 // Prevents lost updates when mesh-bridge and memory-daemon write concurrently.
 // See architecture note above for why this is local-only.
 
-function withMkdirLock(filePath, fn) {
+async function withMkdirLock(filePath, fn) {
   const lockDir = filePath + '.lk';
-  const maxWait = 5000; // 5s max wait
+  const maxWait = 5000;
+  const pollInterval = 50;
   const start = Date.now();
 
-  // Acquire: mkdir is atomic on POSIX
-  while (true) {
+  while (Date.now() - start < maxWait) {
     try {
       fs.mkdirSync(lockDir);
-      break; // got the lock
-    } catch (err) {
-      if (err.code !== 'EEXIST') throw err;
-      // Lock held by another process — check for stale lock (>30s)
       try {
-        const lockAge = Date.now() - fs.statSync(lockDir).mtimeMs;
-        if (lockAge > 30000) {
-          // Stale lock — previous holder crashed
-          fs.rmdirSync(lockDir);
-          continue;
-        }
-      } catch { /* stat failed, lock was just released */ continue; }
-
-      if (Date.now() - start > maxWait) {
-        throw new Error(`kanban-io: lock timeout after ${maxWait}ms on ${filePath}`);
+        return await fn();
+      } finally {
+        try { fs.rmdirSync(lockDir); } catch {}
       }
-      // Sleep ~10ms — Atomics.wait is precise but throws on main thread
-      // in some Node.js builds; fall back to busy-spin (rare contention path)
-      try {
-        Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 10);
-      } catch {
-        const end = Date.now() + 10;
-        while (Date.now() < end) { /* busy-wait fallback */ }
+    } catch (err) {
+      if (err.code === 'EEXIST') {
+        await new Promise(r => setTimeout(r, pollInterval));
+        continue;
       }
+      throw err;
     }
   }
-
-  try {
-    return fn();
-  } finally {
-    try { fs.rmdirSync(lockDir); } catch { /* already released */ }
-  }
+  // Timeout — force acquire (stale lock)
+  try { fs.rmdirSync(lockDir); } catch {}
+  return fn();
 }
 
 // ── Parser ──────────────────────────────────────────

package/lib/llm-providers.js

@@ -21,6 +21,19 @@ const path = require('path');
 const fs = require('fs');
 const os = require('os');
 
+// ── Shell Command Security ─────────────────────────
+const SHELL_PROVIDER_ALLOWED_PREFIXES = [
+  'npm test', 'npm run', 'node ', 'python ', 'pytest', 'cargo test',
+  'go test', 'make', 'jest', 'vitest', 'mocha', 'bash ', 'sh ',
+  'cat ', 'echo ', 'ls ', 'grep ', 'find ', 'git '
+];
+
+function validateShellCommand(cmd) {
+  const trimmed = (cmd || '').trim();
+  if (!trimmed) return false;
+  return SHELL_PROVIDER_ALLOWED_PREFIXES.some(p => trimmed.startsWith(p));
+}
+
 // ── Generic Provider Factory ────────────────────────
 // Most agentic coding CLIs follow a similar pattern:
 //   binary [prompt-flag] "prompt" [model-flag] model [cwd-flag] dir
@@ -167,6 +180,9 @@ const PROVIDERS = {
     buildArgs(prompt, model, task) {
       // Use task.description (the raw command) if available, fall back to prompt
       const cmd = (task && task.description) ? task.description : prompt;
+      if (!validateShellCommand(cmd)) {
+        throw new Error(`Shell provider: command blocked by security filter: ${cmd.slice(0, 80)}`);
+      }
       return ['-c', cmd];
     },
     cleanEnv(env) {

package/lib/mcp-knowledge/core.mjs

@@ -349,14 +349,14 @@ export async function indexWorkspace(db, root, opts = {}) {
     const texts = chunks.map(c => c.text);
     const vectors = await embedBatch(texts);
 
-    // sqlite-vec quirk: rowid must be literal, not bound param with better-sqlite3.
+    // Insert chunks and their vector embeddings
     const doInsert = db.transaction(() => {
       insertDoc.run(file.rel, hash, Date.now(), chunks.length);
       for (let i = 0; i < chunks.length; i++) {
         const snippet = chunks[i].text.slice(0, SNIPPET_LENGTH).replace(/\n/g, ' ');
         const info = insertChunk.run(file.rel, chunks[i].section, chunks[i].text, snippet);
         const vecBuf = Buffer.from(vectors[i].buffer);
-        db.prepare(`INSERT INTO chunk_vectors VALUES (${info.lastInsertRowid}, ?)`).run(vecBuf);
+        db.prepare(`INSERT INTO chunk_vectors VALUES (?, ?)`).run(info.lastInsertRowid, vecBuf);
       }
     });
     doInsert();
@@ -373,6 +373,7 @@ export async function indexWorkspace(db, root, opts = {}) {
 // ─── Search Functions ────────────────────────────────────────────────────────
 
 export async function semanticSearch(db, query, limit = 10) {
+  const safeLimit = Math.max(1, Math.min(100, Math.floor(Number(limit) || 10)));
   const count = db.prepare('SELECT COUNT(*) as c FROM chunk_vectors').get().c;
   if (count === 0) return [];
 
@@ -388,7 +389,7 @@ export async function semanticSearch(db, query, limit = 10) {
       c.snippet
     FROM chunk_vectors cv
     JOIN chunks c ON c.id = cv.rowid
-    WHERE embedding MATCH ? AND k = ${limit}
+    WHERE embedding MATCH ? AND k = ${safeLimit}
     ORDER BY distance
   `).all(vecBuf);
 
@@ -401,6 +402,7 @@ export async function semanticSearch(db, query, limit = 10) {
 }
 
 export async function findRelated(db, docPath, limit = 10) {
+  const safeLimit = Math.max(1, Math.min(100, Math.floor(Number(limit) || 10)));
   const chunkIds = db.prepare('SELECT id FROM chunks WHERE doc_path = ?').all(docPath);
 
   if (chunkIds.length === 0) {
@@ -445,7 +447,7 @@ export async function findRelated(db, docPath, limit = 10) {
       c.snippet
     FROM chunk_vectors cv
     JOIN chunks c ON c.id = cv.rowid
-    WHERE embedding MATCH ? AND k = ${limit * 3}
+    WHERE embedding MATCH ? AND k = ${safeLimit * 3}
     ORDER BY distance
   `).all(vecBuf);
 
@@ -459,7 +461,7 @@ export async function findRelated(db, docPath, limit = 10) {
     }
   }
 
-  return [...seen.values()].slice(0, limit).map(r => ({
+  return [...seen.values()].slice(0, safeLimit).map(r => ({
     path: r.doc_path,
     section: r.section,
     score: parseFloat((1 - r.distance * r.distance / 2).toFixed(4)),

package/lib/mcp-knowledge/server.mjs

@@ -163,7 +163,14 @@ async function startHttp(engine, port, host) {
         // Parse body
         const chunks = [];
         for await (const chunk of req) chunks.push(chunk);
-        const body = JSON.parse(Buffer.concat(chunks).toString());
+        let body;
+        try {
+          body = JSON.parse(Buffer.concat(chunks).toString());
+        } catch (e) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Invalid JSON in request body' }));
+          return;
+        }
 
         await transport.handleRequest(req, res, body);
         return;