openclaw-node-harness 2.1.0 → 2.1.1

package/lib/mesh-plans.js

@@ -210,6 +210,14 @@ function assignWaves(subtasks) {
     wave++;
     currentWave = nextWave;
   }
+
+  // Detect cycles: any node with remaining in-degree > 0 is in a cycle
+  for (const [taskId, degree] of inDegree.entries()) {
+    if (degree > 0) {
+      const subtask = idMap.get(taskId);
+      if (subtask) subtask.wave = -1; // blocked by cycle
+    }
+  }
 }
 
 // ── Delegation Decision Tree ───────────────────────
@@ -351,6 +359,28 @@ class PlanStore {
     return JSON.parse(sc.decode(entry.value));
   }
 
+  /**
+   * Compare-and-swap helper: read → mutate → write with optimistic concurrency.
+   * Re-reads and retries on conflict (up to maxRetries).
+   * mutateFn receives the parsed data and must return the updated object, or falsy to skip.
+   */
+  async _updateWithCAS(key, mutateFn, maxRetries = 3) {
+    for (let attempt = 0; attempt < maxRetries; attempt++) {
+      const entry = await this.kv.get(key);
+      if (!entry) return null;
+      const data = JSON.parse(sc.decode(entry.value));
+      const updated = mutateFn(data);
+      if (!updated) return null;
+      try {
+        await this.kv.put(key, sc.encode(JSON.stringify(updated)), { previousSeq: entry.revision });
+        return updated;
+      } catch (err) {
+        if (attempt === maxRetries - 1) throw err;
+        // conflict — retry
+      }
+    }
+  }
+
   async delete(planId) {
     await this.kv.delete(planId);
   }
@@ -389,69 +419,60 @@ class PlanStore {
   // ── Lifecycle ───────────────────────────────────
 
   async submitForReview(planId) {
-    const plan = await this.get(planId);
-    if (!plan) return null;
-    plan.status = PLAN_STATUS.REVIEW;
-    await this.put(plan);
-    return plan;
+    return this._updateWithCAS(planId, (plan) => {
+      plan.status = PLAN_STATUS.REVIEW;
+      return plan;
+    });
   }
 
   async approve(planId, approvedBy = 'gui') {
-    const plan = await this.get(planId);
-    if (!plan) return null;
-    plan.status = PLAN_STATUS.APPROVED;
-    plan.approved_by = approvedBy;
-    plan.approved_at = new Date().toISOString();
-    await this.put(plan);
-    return plan;
+    return this._updateWithCAS(planId, (plan) => {
+      plan.status = PLAN_STATUS.APPROVED;
+      plan.approved_by = approvedBy;
+      plan.approved_at = new Date().toISOString();
+      return plan;
+    });
   }
 
   async startExecuting(planId) {
-    const plan = await this.get(planId);
-    if (!plan) return null;
-    plan.status = PLAN_STATUS.EXECUTING;
-    plan.started_at = new Date().toISOString();
-    await this.put(plan);
-    return plan;
+    return this._updateWithCAS(planId, (plan) => {
+      plan.status = PLAN_STATUS.EXECUTING;
+      plan.started_at = new Date().toISOString();
+      return plan;
+    });
   }
 
   async markCompleted(planId) {
-    const plan = await this.get(planId);
-    if (!plan) return null;
-    plan.status = PLAN_STATUS.COMPLETED;
-    plan.completed_at = new Date().toISOString();
-    await this.put(plan);
-    return plan;
+    return this._updateWithCAS(planId, (plan) => {
+      plan.status = PLAN_STATUS.COMPLETED;
+      plan.completed_at = new Date().toISOString();
+      return plan;
+    });
   }
 
   async markAborted(planId, reason) {
-    const plan = await this.get(planId);
-    if (!plan) return null;
-    plan.status = PLAN_STATUS.ABORTED;
-    plan.completed_at = new Date().toISOString();
-    // Mark all pending subtasks as blocked
-    for (const st of plan.subtasks) {
-      if (st.status === SUBTASK_STATUS.PENDING || st.status === SUBTASK_STATUS.QUEUED) {
-        st.status = SUBTASK_STATUS.BLOCKED;
-        st.result = { success: false, summary: `Plan aborted: ${reason}` };
+    return this._updateWithCAS(planId, (plan) => {
+      plan.status = PLAN_STATUS.ABORTED;
+      plan.completed_at = new Date().toISOString();
+      for (const st of plan.subtasks) {
+        if (st.status === SUBTASK_STATUS.PENDING || st.status === SUBTASK_STATUS.QUEUED) {
+          st.status = SUBTASK_STATUS.BLOCKED;
+          st.result = { success: false, summary: `Plan aborted: ${reason}` };
+        }
       }
-    }
-    await this.put(plan);
-    return plan;
+      return plan;
+    });
   }
 
   // ── Subtask Management ──────────────────────────
 
   async updateSubtask(planId, subtaskId, updates) {
-    const plan = await this.get(planId);
-    if (!plan) return null;
-
-    const st = plan.subtasks.find(s => s.subtask_id === subtaskId);
-    if (!st) return null;
-
-    Object.assign(st, updates);
-    await this.put(plan);
-    return plan;
+    return this._updateWithCAS(planId, (plan) => {
+      const st = plan.subtasks.find(s => s.subtask_id === subtaskId);
+      if (!st) return null;
+      Object.assign(st, updates);
+      return plan;
+    });
   }
 
   /**

package/lib/mesh-tasks.js

@@ -142,6 +142,28 @@ class TaskStore {
     return JSON.parse(sc.decode(entry.value));
   }
 
+  /**
+   * Compare-and-swap helper: read → mutate → write with optimistic concurrency.
+   * Re-reads and retries on conflict (up to maxRetries).
+   * mutateFn receives the parsed data and must return the updated object, or falsy to skip.
+   */
+  async _updateWithCAS(key, mutateFn, maxRetries = 3) {
+    for (let attempt = 0; attempt < maxRetries; attempt++) {
+      const entry = await this.kv.get(key);
+      if (!entry) return null;
+      const data = JSON.parse(sc.decode(entry.value));
+      const updated = mutateFn(data);
+      if (!updated) return null;
+      try {
+        await this.kv.put(key, sc.encode(JSON.stringify(updated)), { previousSeq: entry.revision });
+        return updated;
+      } catch (err) {
+        if (attempt === maxRetries - 1) throw err;
+        // conflict — retry
+      }
+    }
+  }
+
   async delete(taskId) {
     await this.kv.delete(taskId);
   }
@@ -213,39 +235,40 @@ class TaskStore {
     if (claimable.length === 0) return null;
 
     const task = claimable[0];
-    task.status = TASK_STATUS.CLAIMED;
-    task.owner = nodeId;
-    task.claimed_at = new Date().toISOString();
-    const budgetMs = (task.budget_minutes || 30) * 60 * 1000;
-    task.budget_deadline = new Date(Date.now() + budgetMs).toISOString();
-
-    await this.put(task);
-    return task;
+    const result = await this._updateWithCAS(task.task_id, (t) => {
+      // Re-check status under CAS — another node may have claimed it
+      if (t.status !== TASK_STATUS.QUEUED) return null;
+      t.status = TASK_STATUS.CLAIMED;
+      t.owner = nodeId;
+      t.claimed_at = new Date().toISOString();
+      const budgetMs = (t.budget_minutes || 30) * 60 * 1000;
+      t.budget_deadline = new Date(Date.now() + budgetMs).toISOString();
+      return t;
+    });
+    return result;
   }
 
   /**
    * Mark a task as running (agent started work).
    */
   async markRunning(taskId) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.status = TASK_STATUS.RUNNING;
-    task.started_at = new Date().toISOString();
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      task.status = TASK_STATUS.RUNNING;
+      task.started_at = new Date().toISOString();
+      return task;
+    });
   }
 
   /**
    * Mark a task as completed with result.
    */
   async markCompleted(taskId, result) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.status = TASK_STATUS.COMPLETED;
-    task.completed_at = new Date().toISOString();
-    task.result = result;
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      task.status = TASK_STATUS.COMPLETED;
+      task.completed_at = new Date().toISOString();
+      task.result = result;
+      return task;
+    });
   }
 
   /**
@@ -253,70 +276,65 @@ class TaskStore {
    * Stores the result but doesn't transition to completed.
    */
   async markPendingReview(taskId, result) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.status = TASK_STATUS.PENDING_REVIEW;
-    task.result = result;
-    task.review_requested_at = new Date().toISOString();
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      task.status = TASK_STATUS.PENDING_REVIEW;
+      task.result = result;
+      task.review_requested_at = new Date().toISOString();
+      return task;
+    });
   }
 
   /**
    * Approve a pending_review task → completed.
    */
   async markApproved(taskId) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    if (task.status !== TASK_STATUS.PENDING_REVIEW) return null;
-    task.status = TASK_STATUS.COMPLETED;
-    task.completed_at = new Date().toISOString();
-    task.reviewed_by = 'human';
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      if (task.status !== TASK_STATUS.PENDING_REVIEW) return null;
+      task.status = TASK_STATUS.COMPLETED;
+      task.completed_at = new Date().toISOString();
+      task.reviewed_by = 'human';
+      return task;
+    });
   }
 
   /**
    * Reject a pending_review task → re-queue with reason.
    */
   async markRejected(taskId, reason) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    if (task.status !== TASK_STATUS.PENDING_REVIEW) return null;
-    task.status = TASK_STATUS.QUEUED;
-    task.rejection_reason = reason;
-    task.result = null; // clear previous result
-    task.review_requested_at = null;
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      if (task.status !== TASK_STATUS.PENDING_REVIEW) return null;
+      task.status = TASK_STATUS.QUEUED;
+      task.rejection_reason = reason;
+      task.result = null;
+      task.review_requested_at = null;
+      return task;
+    });
   }
 
   /**
    * Mark a task as failed with reason.
    */
   async markFailed(taskId, reason, attempts = []) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.status = TASK_STATUS.FAILED;
-    task.completed_at = new Date().toISOString();
-    task.result = { success: false, summary: reason };
-    task.attempts = attempts;
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      task.status = TASK_STATUS.FAILED;
+      task.completed_at = new Date().toISOString();
+      task.result = { success: false, summary: reason };
+      task.attempts = attempts;
+      return task;
+    });
   }
 
   /**
    * Log an attempt on a task (agent tried something, may or may not have worked).
    */
   async logAttempt(taskId, attempt) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.attempts.push({
-      ...attempt,
-      timestamp: new Date().toISOString(),
+    return this._updateWithCAS(taskId, (task) => {
+      task.attempts.push({
+        ...attempt,
+        timestamp: new Date().toISOString(),
+      });
+      return task;
     });
-    await this.put(task);
-    return task;
   }
 
   /**
@@ -324,25 +342,23 @@ class TaskStore {
    * Distinct from failed: failed = "didn't work", released = "we tried everything."
    */
   async markReleased(taskId, reason, attempts = []) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.status = TASK_STATUS.RELEASED;
-    task.completed_at = new Date().toISOString();
-    task.result = { success: false, summary: reason, released: true };
-    if (attempts.length > 0) task.attempts = attempts;
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      task.status = TASK_STATUS.RELEASED;
+      task.completed_at = new Date().toISOString();
+      task.result = { success: false, summary: reason, released: true };
+      if (attempts.length > 0) task.attempts = attempts;
+      return task;
+    });
   }
 
   /**
    * Update last_activity timestamp (agent heartbeat).
    */
   async touchActivity(taskId) {
-    const task = await this.get(taskId);
-    if (!task) return null;
-    task.last_activity = new Date().toISOString();
-    await this.put(task);
-    return task;
+    return this._updateWithCAS(taskId, (task) => {
+      task.last_activity = new Date().toISOString();
+      return task;
+    });
   }
 
   /**

package/lib/nats-resolve.js

@@ -37,7 +37,7 @@ function resolveNatsUrl() {
     if (fs.existsSync(envFile)) {
       const content = fs.readFileSync(envFile, 'utf8');
       const match = content.match(/^\s*OPENCLAW_NATS\s*=\s*(.+)/m);
-      if (match && match[1].trim()) return match[1].trim();
+      if (match && match[1].trim()) return match[1].trim().replace(/^["']|["']$/g, '');
     }
   } catch {
     // File unreadable — fall through silently
@@ -49,7 +49,7 @@ function resolveNatsUrl() {
     if (fs.existsSync(meshConfig)) {
       const content = fs.readFileSync(meshConfig, 'utf8');
       const match = content.match(/^\s*OPENCLAW_NATS\s*=\s*(.+)/m);
-      if (match && match[1].trim()) return match[1].trim();
+      if (match && match[1].trim()) return match[1].trim().replace(/^["']|["']$/g, '');
     }
   } catch {
     // File unreadable — fall through silently
@@ -73,7 +73,7 @@ function resolveNatsToken() {
     if (fs.existsSync(envFile)) {
       const content = fs.readFileSync(envFile, 'utf8');
       const match = content.match(/^\s*OPENCLAW_NATS_TOKEN\s*=\s*(.+)/m);
-      if (match && match[1].trim()) return match[1].trim();
+      if (match && match[1].trim()) return match[1].trim().replace(/^["']|["']$/g, '');
     }
   } catch {}
 
@@ -83,7 +83,7 @@ function resolveNatsToken() {
     if (fs.existsSync(meshConfig)) {
       const content = fs.readFileSync(meshConfig, 'utf8');
       const match = content.match(/^\s*OPENCLAW_NATS_TOKEN\s*=\s*(.+)/m);
-      if (match && match[1].trim()) return match[1].trim();
+      if (match && match[1].trim()) return match[1].trim().replace(/^["']|["']$/g, '');
     }
   } catch {}
 

package/lib/pre-compression-flush.mjs

@@ -74,6 +74,8 @@ export async function shouldFlush(jsonlPath, opts = {}) {
   const { contextWindowTokens = 200000, flushPct = 0.75 } = opts;
   const threshold = Math.floor(contextWindowTokens * flushPct);
 
+  if (!fs.existsSync(jsonlPath)) return { shouldFlush: false, estimatedTokens: 0, pctUsed: 0, threshold };
+
   const stat = fs.statSync(jsonlPath);
   // Quick estimate from file size — ~4 chars/token, but JSONL has overhead (~2x)
   const quickEstimate = Math.ceil(stat.size / (CHARS_PER_TOKEN * 2));

package/lib/session-store.mjs

@@ -398,10 +398,13 @@ export class SessionStore {
    * - Escapes quotes
    */
   #buildFtsQuery(query) {
-    const cleaned = query.replace(/"/g, '""').trim();
-    if (!cleaned) return null;
+    if (!query || !query.trim()) return null;
+    // Escape double quotes, then strip FTS5 operators to prevent query injection
+    const escaped = query.replace(/"/g, '""').trim();
+    const safe = escaped.replace(/[*(){}^]/g, '');
+    if (!safe) return null;
 
-    const words = cleaned.split(/\s+/).filter(w => w.length > 0);
+    const words = safe.split(/\s+/).filter(w => w.length > 0);
     if (words.length === 0) return null;
 
     if (words.length === 1) {

package/mission-control/src/app/api/memory/search/route.ts

@@ -29,14 +29,17 @@ function applyScoreDecay(
  * Daedalus does deeper semantic rewriting inline during his own searches.
  */
 function expandQuery(query: string): string {
+  // Escape double quotes and strip FTS5 operators to prevent query injection
+  const safeQuery = query.replace(/"/g, '""').replace(/[*(){}^]/g, '').trim();
+  if (!safeQuery) return '""';
   // Split into terms and add OR variants for common patterns
-  const terms = query.trim().split(/\s+/);
+  const terms = safeQuery.split(/\s+/);
   if (terms.length === 1) {
     // Single term: use prefix matching
-    return `"${query.replace(/"/g, '""')}"*`;
+    return `"${safeQuery}"*`;
   }
   // Multi-term: quote as phrase + add individual terms with OR for broader recall
-  const phrase = `"${query.replace(/"/g, '""')}"`;
+  const phrase = `"${safeQuery}"`;
   const individual = terms.map((t) => `"${t.replace(/"/g, '""')}"*`).join(" OR ");
   return `(${phrase}) OR (${individual})`;
 }

package/mission-control/src/app/api/souls/[id]/evolution/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { soulEvolutionLog } from "@/lib/db/schema";
 import { eq, desc } from "drizzle-orm";
 import fs from "fs/promises";
@@ -31,7 +32,12 @@ export async function GET(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const { searchParams } = new URL(request.url);
     const status = searchParams.get("status") || "pending";
 
@@ -93,7 +99,12 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const event: EvolutionEvent = await request.json();
 
     const db = getDb();
@@ -133,7 +144,12 @@ export async function PATCH(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const { searchParams } = new URL(request.url);
     const eventId = searchParams.get("eventId");
 
@@ -170,11 +186,12 @@ export async function PATCH(
       }
 
       // Apply change (e.g., update genes.json)
+      const safeTarget = validatePathParam(event.proposedChange.target);
       const targetPath = path.join(
         SOULS_DIR,
         soulId,
         "evolution",
-        event.proposedChange.target
+        safeTarget
       );
 
       if (event.proposedChange.action === "add") {
@@ -189,7 +206,6 @@ export async function PATCH(
       // Sanitize all user-derived inputs: eventId, soulId, reviewedBy, event.summary
       // could all contain shell metacharacters if crafted maliciously.
       const safeBranch = `evolution/${eventId.replace(/[^a-zA-Z0-9._-]/g, "_")}`;
-      const safeTarget = event.proposedChange.target.replace(/[^a-zA-Z0-9._/-]/g, "_");
       const commitMessage = [
         `evolution(${eventId}): ${event.summary}`,
         "",

package/mission-control/src/app/api/souls/[id]/prompt/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { soulSpawns } from "@/lib/db/schema";
 import fs from "fs/promises";
 import path from "path";
@@ -38,7 +39,12 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const body: PromptRequest = await request.json();
 
     const soulDir = path.join(SOULS_DIR, soulId);

package/mission-control/src/app/api/souls/[id]/propagate/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { soulEvolutionLog } from "@/lib/db/schema";
 import { eq } from "drizzle-orm";
 import fs from "fs/promises";
@@ -19,9 +20,20 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: sourceSoulId } = await params;
+    let sourceSoulId: string;
+    try {
+      sourceSoulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid source soul ID" }, { status: 400 });
+    }
     const body: PropagateRequest = await request.json();
-    const { sourceEventId, targetSoulId } = body;
+    let targetSoulId: string;
+    try {
+      targetSoulId = validatePathParam(body.targetSoulId);
+    } catch {
+      return NextResponse.json({ error: "Invalid target soul ID" }, { status: 400 });
+    }
+    const { sourceEventId } = body;
 
     // Validate target soul exists
     const targetSoulDir = path.join(SOULS_DIR, targetSoulId);

package/mission-control/src/app/api/tasks/[id]/handoff/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { tasks, soulHandoffs } from "@/lib/db/schema";
 import { eq } from "drizzle-orm";
 import fs from "fs/promises";
@@ -27,7 +28,12 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: taskId } = await params;
+    let taskId: string;
+    try {
+      taskId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid task ID" }, { status: 400 });
+    }
     const body: HandoffRequest = await request.json();
 
     const db = getDb();

package/mission-control/src/app/api/workspace/read/route.ts

@@ -25,6 +25,17 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: "File not found" }, { status: 404 });
     }
 
+    // Defeat symlink traversal: resolve the real path and re-check prefix
+    const realPath = fs.realpathSync(absPath);
+    const realRoot = fs.realpathSync(WORKSPACE_ROOT);
+    if (!realPath.startsWith(realRoot + path.sep) && realPath !== realRoot) {
+      return NextResponse.json({ error: "Path traversal denied" }, { status: 403 });
+    }
+
+    if (!fs.existsSync(realPath)) {
+      return NextResponse.json({ error: "File not found" }, { status: 404 });
+    }
+
     const stat = fs.statSync(absPath);
     if (stat.isDirectory()) {
       return NextResponse.json({ error: "Path is a directory" }, { status: 400 });

package/mission-control/src/lib/config.ts

@@ -65,6 +65,15 @@ export function getProviderModels(provider?: string): Record<CapabilityTier, str
 /** All registered provider names */
 export const AVAILABLE_PROVIDERS = Object.keys(MODEL_MAP);
 
+/** Validates that a URL path parameter is safe for use in file paths. */
+export function validatePathParam(param: string): string {
+  const cleaned = param.trim();
+  if (!cleaned || !/^[\w][\w.-]{0,127}$/.test(cleaned)) {
+    throw new Error(`Invalid path parameter: "${param.slice(0, 40)}"`);
+  }
+  return cleaned;
+}
+
 // ── Node Identity (Distributed MC) ──
 import { hostname } from "os";