Releases: ruvnet/ruflo

v3.10.46 — stale claude-flow@v3alpha references swept (@dskarasev community batch)

13 Jun 16:57
@ruvnet ruvnet

Patch release shipping the @dskarasev community bug batch from PR #2375 — three related runtime references to the deprecated claude-flow@v3alpha (or claude-flow@alpha) dist-tag that survived the claude-flow → ruflo rename. Each was silently routing users / workers / detection at a pre-rename build that lacks autopilot, browser, wasm-agent, and other current MCP tools.

Fixes

#2369 — legacy MCP key detection + Scenario A warning

Scenario A (the silent-failure mode): if a user's project directory already has an .mcp.json from a pre-rename install, writeMCPConfig was early-returning with a generic skipped message. The user was left with an MCP server pointed at a pre-rename build and zero indication anything was wrong — "autopilot tools missing after init" was the most common downstream symptom. Now: writeMCPConfig parses the existing file, detects stale keys, and surfaces:

.mcp.json (existing file uses deprecated key 'claude-flow@alpha' —
autopilot/browser/wasm-agent tools will be missing; delete .mcp.json
and re-run, or re-run with --force to overwrite)

Scenario B (the original report): detectExistingRufloMCP only recognised 'claude-flow' and 'ruflo' as already-registered keys, so a stale claude-flow@alpha entry in a parent directory wasn't detected. Init would walk past it and write a NEW claude-flow-keyed entry — both servers then ran simultaneously under different prefixes (mcp__claude-flow@alpha__* and mcp__claude-flow__*), producing duplicate-tool noise. Now: both legacy keys are recognised in both the top-level mcpServers and project-scoped registration paths.

#2370 — swarm.ts MCP-down hint

swarm_init failure hint changed from:

claude mcp add claude-flow npx claude-flow@v3alpha mcp start

to:

claude mcp add claude-flow -- npx -y ruflo@latest mcp start

The -- separator avoids claude-mcp flag ambiguity; the -y forces a fresh fetch so npx doesn't pick a stale local install.

#2371 — ContainerWorkerPool worker spawn

buildWorkerCommand() was returning ['npx', 'claude-flow@v3alpha', 'daemon', 'trigger', ...]. Two problems: the deprecated dist-tag, and the missing -y meaning npx could silently fall back to any locally-installed claude-flow (e.g. 2.7.35) without fetching the published version. Container workers were running pre-rename builds without knowing. Now: ['npx', '-y', 'ruflo@latest', 'daemon', 'trigger', ...].
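
A config audit covering #2369 and #2371 together, as an added example rather than ruflo's own writeMCPConfig or detectExistingRufloMCP: it flags legacy server keys, deprecated dist-tag package specs, npx launched without -y, and the Scenario B double registration. The function name, the issue labels and both sample configs are constructed for illustration, and the legacy key set assumes the two deprecated dist-tag spellings named above.

```javascript
// Added example: audits the text of an .mcp.json for the stale references
// described in #2369 and #2371. Not the project's implementation.

// Assumption: the legacy server keys are the two deprecated dist-tag spellings.
const LEGACY_KEYS = new Set(['claude-flow@alpha', 'claude-flow@v3alpha']);
const CURRENT_KEYS = new Set(['claude-flow', 'ruflo']);
const DEPRECATED_SPEC = /^claude-flow@(?:v3alpha|alpha)$/;

function auditMcpConfig(jsonText) {
  let config;
  try {
    config = JSON.parse(jsonText);
  } catch {
    // An unreadable file is reported, never treated as "already configured".
    return [{ server: null, issue: 'unparseable' }];
  }
  const servers =
    config && typeof config.mcpServers === 'object' && config.mcpServers !== null
      ? config.mcpServers
      : {};
  const findings = [];
  const family = []; // entries that register the same MCP server family

  for (const [name, entry] of Object.entries(servers)) {
    const command = entry && entry.command;
    const args = entry && Array.isArray(entry.args) ? entry.args.map(String) : [];

    // Scenario A: the key itself is a pre-rename spelling.
    if (LEGACY_KEYS.has(name)) {
      findings.push({ server: name, issue: 'deprecated-key' });
    }

    // The launched package spec still points at a deprecated dist-tag.
    const staleSpec = args.find((arg) => DEPRECATED_SPEC.test(arg));
    if (staleSpec) {
      findings.push({ server: name, issue: 'deprecated-dist-tag', detail: staleSpec });
    }

    // #2371: without -y/--yes, npx may use a locally installed copy
    // instead of fetching the published version.
    if (command === 'npx' && !args.some((arg) => arg === '-y' || arg === '--yes')) {
      findings.push({ server: name, issue: 'npx-without-yes' });
    }

    if (LEGACY_KEYS.has(name) || CURRENT_KEYS.has(name)) family.push(name);
  }

  // Scenario B: a legacy and a current entry both registered, so the same
  // tools appear twice under different mcp__<key>__ prefixes.
  if (family.length > 1) {
    findings.push({ server: family.join(', '), issue: 'duplicate-registration' });
  }
  return findings;
}

// Constructed sample: a pre-rename entry next to a freshly written one.
const SAMPLE_STALE = JSON.stringify({
  mcpServers: {
    'claude-flow@alpha': { command: 'npx', args: ['claude-flow@alpha', 'mcp', 'start'] },
    'claude-flow': { command: 'npx', args: ['-y', 'ruflo@latest', 'mcp', 'start'] },
  },
});

// Constructed sample: the shape the corrected hint in #2370 produces.
const SAMPLE_CLEAN = JSON.stringify({
  mcpServers: {
    'claude-flow': { command: 'npx', args: ['-y', 'ruflo@latest', 'mcp', 'start'] },
  },
});

for (const finding of auditMcpConfig(SAMPLE_STALE)) {
  console.log(`${finding.issue}: ${finding.server}`);
}
```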

Tests

v3/@claude-flow/cli/__tests__/stale-mcp-key-2369.test.ts — 10 tests pin all three runtime contracts plus a comment-stripped sanity sweep over the entire cli/src/ tree (legitimate legacy-key recognition lists excepted) so a future grep-and-replace can't silently re-introduce the deprecated dist-tag.

All 11 existing init-wizard-bugs tests still pass — no regression in the surrounding init paths.

Still open from today's triage

  • #2373 (HIGH agentic-flow/transport/loader missing from @latest) — in-repo half already in v3.10.44 (PR #2364 capped the federation plugin peer). Remaining fix is upstream ruvnet/agentic-flow#153. Commented on the issue.
  • #2372 — user question about the project, not a code bug.

Install / upgrade

npx ruflo@latest init # 3.10.46
npx @claude-flow/cli@latest # 3.10.46

All three packages (@claude-flow/cli, claude-flow, ruflo) and all three dist-tags (latest, alpha, v3alpha) verified at 3.10.46.

Diff

main...v3.10.45 — PR #2375 plus the release bump.

Thanks @dskarasev for the rigorous per-bug write-up with proposed fixes!

🤖 Generated with RuFlo

Contributors

dskarasev

v3.10.45 — hive-mind --dangerously-skip-permissions deny clause

12 Jun 21:04
@ruvnet ruvnet

Patch release shipping the completion of the hive-mind permissions fix from v3.10.44's held PR.

Fix

#2301 hive-mind --dangerously-skip-permissions now also honors --no-auto-permissions

Background: the arg parser converts kebab-case CLI flags to camelCase and stores only the normalized key. The original predicate in hive-mind.ts read only the kebab form for both the activation and deny halves, so:

  • --dangerously-skip-permissions silently no-op'd (closed #2269 originally)
  • --no-auto-permissions silently no-op'd (uncovered when validating the v3.10.44 batch)

The earlier patch (PR #2301 in JOhnsonKC201's branch) correctly fixed the activation half by accepting both kebab + camelCase keys, but the deny half still missed: the parser does NOT produce noAutoPermissions: true for --no-auto-permissions — it uses yargs-style negation and stores autoPermissions: false.

Net effect of the partial fix: after activation worked, --dangerously-skip-permissions --no-auto-permissions would have skipped permissions anyway — strictly more permissive than the pre-fix state where activation never even fired.

This release adds the third deny clause:

const skipPermissions =
 (flags['dangerously-skip-permissions'] === true || flags.dangerouslySkipPermissions === true) &&
 !(flags['no-auto-permissions'] || flags.noAutoPermissions || flags.autoPermissions === false);

Three new regression tests pin the contract:

  • parser produces autoPermissions: false for --no-auto-permissions
  • predicate denies on the parser-produced shape { dangerouslySkipPermissions: true, autoPermissions: false }
  • autoPermissions: true is NOT a deny signal (only === false is)

Test suite: 9/9 pass. Closes #2269.
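
The fail-open case above, reproduced as an added example (not the project's parser or test suite): a minimal parser with the two behaviours described, kebab-case to camelCase storage and yargs-style negation, run against the partial-fix predicate and the three-clause predicate. `parseFlags`, `skipPartialFix`, `skipFixed` and `failOpenCases` are hypothetical names.

```javascript
// Added example, not ruflo's arg parser. It models only the two behaviours the
// release notes describe: flags are stored under a camelCase key only, and
// --no-<name> is stored as <name>: false (yargs-style negation).
function parseFlags(argv) {
  const flags = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    let name = arg.slice(2);
    let value = true;
    if (name.startsWith('no-')) {
      name = name.slice(3);
      value = false;
    }
    const key = name.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
    flags[key] = value;
  }
  return flags;
}

// Partial fix: activation accepts both spellings, but the deny half only
// reads keys that the parser never produces.
function skipPartialFix(flags) {
  const activated =
    flags['dangerously-skip-permissions'] === true || flags.dangerouslySkipPermissions === true;
  const denied = Boolean(flags['no-auto-permissions'] || flags.noAutoPermissions);
  return activated && !denied;
}

// Three-clause predicate: same expression as the one shown in the notes.
function skipFixed(flags) {
  return (
    (flags['dangerously-skip-permissions'] === true || flags.dangerouslySkipPermissions === true) &&
    !(flags['no-auto-permissions'] || flags.noAutoPermissions || flags.autoPermissions === false)
  );
}

// Fail-open check: any argv carrying the deny flag must never yield true,
// regardless of flag order. Returns the argv lists that violate this.
function failOpenCases(predicate) {
  const cases = [
    ['--dangerously-skip-permissions', '--no-auto-permissions'],
    ['--no-auto-permissions', '--dangerously-skip-permissions'],
    ['--no-auto-permissions'],
  ];
  return cases.filter((argv) => predicate(parseFlags(argv)) === true);
}

console.log('partial fix fails open on', failOpenCases(skipPartialFix).length, 'cases');
console.log('fixed predicate fails open on', failOpenCases(skipFixed).length, 'cases');
```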

Co-authored: @JOhnsonKC201 (original PR), @rvrheenen (reporter who supplied the patch).

Install / upgrade

npx ruflo@latest init # 3.10.45
npx @claude-flow/cli@latest # 3.10.45

All three packages (@claude-flow/cli, claude-flow, ruflo) and all three dist-tags (latest, alpha, v3alpha) verified at 3.10.45.

Diff

main...v3.10.44 — PR #2301 plus the release bump.

Contributors

rvrheenen and JOhnsonKC201

v3.10.44 — CI OOM fix, Windows plugin install

12 Jun 20:52
@ruvnet ruvnet

Patch release bundling two fixes that landed since 3.10.43.

Fixes

#2348 — break embedder-rescue mutual recursion (#2312)

v3-ci.yml's trajectory-graph-edges smoke had been disabled (continue-on-error: true) since the test process OOM'd at 4 GB on the Linux runner. Bisection ruled out the suspected SONA endTrajectory / EWC path. The actual cause was a closed cycle:

generateEmbedding (bridge-first)
 → bridgeGenerateEmbedding
 → agentdb.embedder.embed ← monkey-patched by rescueAgentdbEmbedder
 → generateEmbedding ← cycle closes here

Microtask-driven, so no stack overflow — just monotonic heap growth to V8's limit, then SIGABRT. memory-bridge.ts's rescueAgentdbEmbedder now delegates to a new generateLocalEmbedding export (bridge-free leaf chain) rather than the bridge-first generateEmbedding. The rescue probe is also tightened — previously it accepted any non-zero vector as "real," which the deterministic hash fallback also satisfies, so it cheerfully "rescued" a mock with another mock. New probe requires backend === 'onnx'.

The CI gate is re-enabled (continue-on-error: true removed).

#2366 — Windows plugin install/uninstall/upgrade (community contribution)

On Windows, PluginManager failed every npm lifecycle command with two distinct Node failure modes:

  • spawn npm ENOENT — npm on Windows is a bash shim with no .exe, so execFile('npm', ...) can't resolve it.
  • spawn EINVAL — Node refuses to spawn .cmd/.bat files directly since 18.20.2 / 20.12.2 (CVE-2024-27980).

All three call sites (install, uninstall, upgrade) now route through a runNpm helper that invokes cmd.exe /d /s /c npm <args> on Windows. POSIX path is unchanged. Argument safety is maintained by the existing validatePackageName regex gate plus Node's array-form argument quoting — security-audited for cmd.exe metacharacter injection (the version-spec characters ^, <, >, = that the regex allows are inert inside Node's quoted args under cmd /s).

Community PR by @danielsOink — thanks!

Held from this batch

  • #2301 (community, hive-mind --dangerously-skip-permissions) — fix for the kebab→camel parser drop is correct on the activation half but the --no-auto-permissions deny case fails locally: the parser uses yargs-style negation (autoPermissions: false) which the predicate doesn't read. Comment posted on the PR with the proposed third-clause fix; will land in the next batch.
  • #2342 (vitest 1.x → 4.1.8 for GHSA-5xrq-8626-4rwp) — CONFLICTING against current main; needs rebase + author confirmation of test-suite compatibility with the major version jump.

Install / upgrade

npx ruflo@latest init # 3.10.44
npx @claude-flow/cli@latest # 3.10.44

All three packages (@claude-flow/cli, claude-flow, ruflo) and all three dist-tags (latest, alpha, v3alpha) verified at 3.10.44.

Diff

main...v3.10.43 — PRs #2348, #2366 plus the release bump.

Contributors

danielsOink

v3.10.43 — Fable 5 / Opus 4.x temperature fix, daemon TTL, federation cap

12 Jun 14:58
@ruvnet ruvnet

Patch release bundling four bug fixes landed since 3.10.42.

Fixes

#2358 — agent_execute 400s every current frontier Anthropic model (HIGH)

callAnthropicMessages() always sent temperature (default 0.7), but Fable 5, Opus 4.8, and Opus 4.7 removed temperature / top_p / top_k. Every request returned 400 invalid_request_error: temperature: Extra inputs are not permitted. Invisible on Claude-Max (no key → provider check short-circuits before fetch); fatal on a raw ANTHROPIC_API_KEY. New modelRejectsSamplingParams(model) predicate gates the field; Sonnet 4.6 / Haiku 4.5 / Opus ≤ 4.6 unchanged. Closes #2357 Finding A. (HF-teamdev — first-time contributor, thank you for the file:line-cited finding map.)

#2365 — OpenRouter slugs refreshed to current 4.x family

The OpenAI-compat path still referenced the Oct-2025 retired model IDs:

  • default model: anthropic/claude-3.5-sonnet → anthropic/claude-sonnet-4-6
  • haiku alias: anthropic/claude-3.5-haiku → anthropic/claude-haiku-4-5
  • sonnet/inherit alias: anthropic/claude-3.5-sonnet → anthropic/claude-sonnet-4-6
  • opus alias: anthropic/claude-3-opus → anthropic/claude-opus-4-8

OPENROUTER_DEFAULT_MODEL still wins for callers who want to pin a specific slug. Closes #2357 Finding C.

#2361 — daemon self-terminating TTL + global status + HNSW/init footguns

Community PR by @shaal addressing @pacphi's ruflo-machine-ref investigation. The daemon used to run interval workers (audit ~30m, optimize/testgaps ~60m, ...) forever, each spawning a headless claude --print sweep. Audited evidence traced a Max-plan quota burned in 1–2 days to 6 immortal daemons (oldest 19 days) and a recurrence to 17 per-project daemons (34,533 total worker runs — ~94% of token spend was background machinery). This release adds: self-terminating TTL, idle shutdown, daemon status --all (global, not just current workspace), honest HNSW reporting, init footgun guards. Closes #2360.

#2364 — federation plugin: cap agentic-flow peer to <2.0.13

Upstream agentic-flow@2.0.13 dropped the ./transport/loader subpath. Runtime impact was bounded — midstream-aware-loader.ts wraps the dynamic import in try/catch and falls back to midstream-native — but the peer range previously said >=2.0.12-fix.8 and silently accepted 2.0.13. Tightened to >=2.0.12-fix.8 <2.0.13 so npm install warns about the incompat instead of hiding it behind a silent fallback.

Still open from #2357

  • Finding B (Fable routing tier RFC, PR #2359) — behavior-neutral, 21/21 tests green, awaiting maintainer decision before the June 22 Max-plan API-credits window. Review comment on the PR lays out the three design calls.

Install / upgrade

npx ruflo@latest init # 3.10.43
npx @claude-flow/cli@latest # 3.10.43

All three packages (@claude-flow/cli, claude-flow, ruflo) and all three dist-tags (latest, alpha, v3alpha) verified at 3.10.43.

Diff

main...v3.10.42 — PRs #2358, #2361, #2364, #2365 plus the release bump.

Contributors

shaal and pacphi

v3.10.42 — community bug batch: Windows path validation, trajectory feedback, init hooks

11 Jun 15:04
@ruvnet ruvnet

Patch release fixing three reproducible community bugs reported by @grym3s, batched in the style of v3.10.41 / PR #2346.

Fixes

#2352 hooks post-edit: Windows paths rejected, failure printed as [OK]

  • validatePath used the general SHELL_META set which includes \, so every absolute Windows path (E:\Repos\...) failed with "shell metacharacters". Claude Code hook events deliver absolute paths in tool_input.file_path, so every forwarded post-edit call failed silently on Windows.
  • The CLI action printed [OK] Outcome recorded for ... whenever the MCP call returned at all, masking the failure. Now checks result.success, surfaces the error, and exits non-zero.
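
Both halves of #2352 side by side, as an added example that is not the project's validatePath or CLI action: a general shell-metacharacter set that includes the backslash versus a path-specific set that does not, and an outcome reporter that checks result.success. The character sets, function names and the [ERROR] line format are illustrative assumptions; the project's actual SHELL_META contents are not shown on this page.

```javascript
// Added example. Both character classes are illustrative stand-ins.
const SHELL_META = /[;&|`$<>"'\\\n\r\0]/; // general-purpose set: includes backslash
const PATH_META = /[;&|`$<>"'\n\r\0]/; // path-specific set: backslash is a separator

// Traversal is checked on both separator styles so "..\" cannot slip past
// a check written only for "../".
function hasTraversal(p) {
  return p.split(/[\\/]+/).includes('..');
}

// Before: the general set rejects every absolute Windows path.
function validatePathBefore(p) {
  if (typeof p !== 'string' || p.length === 0) return { ok: false, reason: 'empty path' };
  if (SHELL_META.test(p)) return { ok: false, reason: 'shell metacharacters' };
  if (hasTraversal(p)) return { ok: false, reason: 'path traversal' };
  return { ok: true, reason: null };
}

// After: backslash is accepted, everything else is still rejected.
function validatePathAfter(p) {
  if (typeof p !== 'string' || p.length === 0) return { ok: false, reason: 'empty path' };
  if (PATH_META.test(p)) return { ok: false, reason: 'shell metacharacters' };
  if (hasTraversal(p)) return { ok: false, reason: 'path traversal' };
  return { ok: true, reason: null };
}

// Before: any returned result was reported as success.
function reportBefore(file, result) {
  return { line: `[OK] Outcome recorded for ${file}`, exitCode: 0 };
}

// After: success must be explicit; anything else surfaces the error and
// produces a non-zero exit code for the calling hook.
function reportAfter(file, result) {
  if (result && result.success === true) {
    return { line: `[OK] Outcome recorded for ${file}`, exitCode: 0 };
  }
  const error = (result && result.error) || 'unknown error';
  return { line: `[ERROR] ${file}: ${error}`, exitCode: 1 };
}

// Constructed inputs: one path per case the regression tests are said to pin.
const SAMPLE_PATHS = [
  'E:\\Repos\\app\\src\\index.ts', // absolute Windows path
  '/home/dev/app/src/index.ts', // POSIX path
  'E:\\Repos\\..\\..\\Windows\\win.ini', // traversal with backslashes
  'src/a.ts; echo x', // command separator
  'src/$(id).ts', // command substitution
];

for (const p of SAMPLE_PATHS) {
  const before = validatePathBefore(p);
  const after = validatePathAfter(p);
  console.log(JSON.stringify(p), 'before:', before.reason || 'ok', 'after:', after.reason || 'ok');
}
```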

#2351 trajectory-end: step-less feedback never distilled

When trajectory-end is called with feedback but no recorded steps (the common LLM-agent case), the feedback was persisted with the trajectory but never embedded as a searchable pattern — patternsExtracted always reported 0 and pattern-search never surfaced it. Now routes the trimmed feedback through bridge.bridgeStorePattern (or store-fallback) with modest default confidence, tagged trajectory-feedback. New feedbackDistilled.{patternId, controller} field on the response.

#2350 init hooks: subcommand wrote no hooks block to settings.json

The settings generator gates the hooks block on components.helpers (the hook commands point at the helper script). The init hooks subcommand had helpers: false, so the one subcommand whose purpose is "Initialize only hooks configuration" produced settings.json with no hooks key while reporting "N hooks enabled". Helpers now ship with the subcommand.

Install / upgrade

npx ruflo@latest init # 3.10.42
npx @claude-flow/cli@latest # 3.10.42

All three packages (@claude-flow/cli, claude-flow, ruflo) and all three dist-tags (latest, alpha, v3alpha) are pinned to 3.10.42.

Tests

  • New validate-input-path-2352.test.ts — 22 tests pin Windows-path acceptance, POSIX still works, all shell metacharacters and traversal still rejected.
  • All existing validate-input, init-wizard-bugs, hooks-intelligence-learning, hooks-post-task tests still pass.

Diff

PR #2355 · main...v3.10.42

Contributors

grym3s

v3.10.41 — community bug fixes

10 Jun 15:48
@ruvnet ruvnet

Three community bug fixes plus the ADR-147 nested-subagent infrastructure landed since v3.10.40. PATCH bump — no API breaks.

Community bug fixes (PR #2346)

fix(statusline): resolve installed CLI bin + bump cache TTL 10s→60s (#2337)

Thanks @shaal for the detailed report with %CPU measurements. The statusline was calling npx --yes @claude-flow/cli@latest hooks statusline --json on every render — the @latest tag forced npm registry re-resolution per call. With ~6 concurrent sessions on a 12-core box: load average 40-65, each npm exec consuming 55-90% of a core.

Fix: new resolveCliBin() finds an installed bin/cli.js (project / monorepo / plugin marketplace / global node_modules — covers ~/.npm-global and similar custom-prefix layouts) and invokes it via process.execPath directly. Falls back to npx --prefer-offline @claude-flow/cli (no @latest) when nothing's installed. Cache TTL 10s→60s. Applied to both the dogfood helper and the ruflo init generator template.

fix(hive-mind): await spawned claude before returning (#2297)

Thanks @clement-livdeo for the XTVERSION-on-prompt diagnostic — that single string nailed the root cause: the parent process exited immediately after spawn, the child claude lost its controlling terminal mid-init, and the terminal's capability-query response leaked onto the next shell prompt.

Fix: spawnClaudeCodeInstance() now awaits the child's exit (or error) before returning. The existing claudeProcess.on('exit', ...) log lines actually print now, and the non-interactive (-p / --non-interactive) path completes only after Claude Code does.

fix(session): atomic writes to current.json + corrupted-file self-heal (#2307)

Thanks @BIWizzard for the diff — same class as #1707 / #1637 which were fixed elsewhere with atomic writes; session.js was missed in that sweep. Per-fd-offset semantics in writeFileSync meant a shorter payload could overwrite the start of a longer one without shrinking the file, leaving the longer payload's tail dangling past the end (valid JSON + trailing garbage).

Fix: all 5 session-file writes go through a new atomicWrite() (temp file + rename()). restore() wraps JSON.parse in try/catch so existing corrupt files self-heal by starting a fresh session instead of throwing.

Infrastructure

ADR-147 — nested subagent depth=5 integration (PR #2336)

Captures Boris Cherny's nested-subagent announcement with full empirical block, the ruflo agent files (8 new agents + 1 skill) that opt into nested spawning via tools: [Task, ...], P2 stage 1 (CLI flags + MCP schema for capturing parent_agent_id in the post-task hook), and a regression probe in scripts/probe-nested-spawn-depth.mjs.

Empirically determined: declaring tools: [Task] in YAML is necessary but not sufficient in CLI 2.1.169 — the runtime applies a hardcoded denylist that strips Task at parent→child spawn time. Documented in the ADR with the spawn-tree the day the upstream denylist lifts.

Security baseline (PR #2340)

docs/security/socket-baseline.md documents every category in the Socket.dev alert page for claude-flow@3.10.40 — what's protected by root overrides, what's not cleanly fixable from inside claude-flow (consumer-side npm overrides only apply at the dep-tree root), what's inherent to a CLI agent platform (filesystem/network/shell access etc.), and the false positives (Socket's "did you mean z-schema?" suggestion against zod). Also removes the broken pages.yml workflow that had failed 10+ consecutive runs.

Open follow-ups from the same triage pass

  • #2305 — embedding model/dimension ignored at runtime (architectural; awaiting reporter's config-chain design as PR)
  • #2296 — 7 controllers null from version skew between @claude-flow/memory@3.0.0-alpha.19 and agentdb@3.0.0-alpha.16 (needs coordinated package republish)

Install

npx ruflo@latest
# or
npx claude-flow@latest
# or
npm install @claude-flow/cli@latest

All three packages at 3.10.41 across all dist-tags (latest, alpha, v3alpha).

Contributors

shaal, clement-livdeo, and BIWizzard

v3.10.40 — community merges (model-router docs, statusline, typo) + drift-guard regen

09 Jun 12:43
@ruvnet ruvnet

Patch release rolling up four community merges and one drift-guard regen.

Merged

  • #2330 docs(router): make model-router docs match shipped impl (Option A for #2329) — reconciles model-router.ts header, ADR-026, and the hooks-tools.ts implementation tag with the actually-shipped router (lexical complexity heuristic + Thompson Beta-Bernoulli bandit, not the FastGRNN/Tiny-Dancer neural design @rcraw flagged). Private member tinyDancerRouter → baseRouter in EnhancedModelRouter; public getStats() field kept as tinyDancerStats for telemetry-schema stability. Option B (real @ruvector/tiny-dancer wiring) deferred until a trained FastGRNN safetensors artifact exists.
  • #2331 fix(statusline): resolve version for custom npm prefix + populate AgentDB/Tests/Hooks/Integration segments (@Tomi2k). Two real bugs:
    • Custom npm prefix (~/.npm-global) probe was missing → version fell back to hard-coded '3.6'. Now probes npm_config_prefix, PREFIX, and the common ~/.npm-global default alongside the binDir-relative paths.
    • AgentDB / Tests / Hooks / Integration segments rendered permanent 0/none because hooks statusline --json only returns user/v3Progress/security/swarm/system. Adds 4 local-overlay helpers (getLocalAgentDB, getLocalTests, getLocalHooks, getLocalIntegration) wired through applyLocalOverlays(). Read-only sqlite3 query (mode=ro), bounded depth-4 directory walk, all catches degrade to zeros.
  • #2328 docs: fix typo 'ruvflo' -> 'ruflo' in install instructions (@antonbozko-cell). Trivial 3-character fix across 3 READMEs.
  • #2306 fix(init): correct MCP allow rule mcp__claude-flow__:* -> mcp__claude-flow__* (@S23Web3). Removed a stray colon that made the permission rule invalid. (Already merged yesterday; included here for changelog completeness.)

Closed (duplicate)

  • PR #2325 (@mamd69) — also proposed a fix for #2302 but with mcp__ruflo__*, which would silently break MCP permissions because the server is registered as claude-flow (see v3/@claude-flow/cli/src/init/mcp-generator.ts:113-130). Closed with thanks; #2306 already shipped the correct fix.

Drift-guard regen

Committed .claude/helpers/statusline.cjs snapshot was stale relative to #2331's generator changes — regenerated, statusline-cost-display.test.ts drift guard passes 8/8.

Packages

Package | Old | New | Tags
@claude-flow/cli | 3.10.39 | 3.10.40 | latest, alpha, v3alpha
claude-flow | 3.10.39 | 3.10.40 | latest, alpha, v3alpha
ruflo | 3.10.39 | 3.10.40 | latest, alpha, v3alpha
@claude-flow/memory | 3.0.0-alpha.20 | (unchanged) |

Security review

All four merged PRs were diff-audited before merge: no network exfil, no secret reads, no eval/Function/child_process surprises, no postinstall hooks, no obfuscation, no dependency additions. #2331's new sqlite3 invocation uses mode=ro with statically-formed SQL (no injection vector) and is wrapped in a degrade-to-zero catch.

Contributors

Tomi2k, rcraw, and 3 other contributors

v3.10.39 — ADR-147 entity arm + signal provenance

08 Jun 17:36
@ruvnet ruvnet

First implementation landed from the dream-cycle research cluster (#2316-#2324). Adds entity matching as a third RRF arm in hybridSearch alongside dense (HNSW/RaBitQ) and sparse (FTS5/BM25), plus per-result signal provenance.

What's new

@claude-flow/memory 3.0.0-alpha.20 — entity arm + signal provenance in the hybridSearch controller:

  • entity-tagger.ts — regex extractor for emails, URLs, file paths (POSIX + Windows), quoted phrases, proper-noun 2-grams. Deliberately conservative: false negatives OK, false positives would dilute RRF.
  • hybridSearch now runs three arms in parallel: dense + sparse + entity (per-token keyword scan, gated on extractEntities(query).length > 0). Empty entity set drops the arm rather than passing [] to dilute fusion.
  • signals: ('vector' | 'bm25' | 'entity')[] on every fused result. Computed by pre-fusion set membership; lets callers debug which arms surfaced an entry without re-running the search.

Capability smoke (end-to-end against built dist)

Corpus: 30 generic "authentication" entries + 1 "Alice Smith" needle. Query: "Alice Smith authentication":

score=0.0477 signals=["vector","bm25","entity"] key=alice-needle ← #1
score=0.0323 signals=["vector","bm25"] key=generic-1
score=0.0323 signals=["vector","bm25"] key=generic-0
score=0.0313 signals=["vector","bm25"] key=generic-3
score=0.0301 signals=["vector","bm25"] key=generic-2

Alice ranks #1 with full triplet provenance — runners-up only fire on vector + sparse. ~47% RRF score boost from the entity signal.

Packages

Package | Old | New | Tags
@claude-flow/memory | 3.0.0-alpha.19 | 3.0.0-alpha.20 | latest, alpha, v3alpha
@claude-flow/cli | 3.10.38 | 3.10.39 | latest, alpha, v3alpha
claude-flow | 3.10.38 | 3.10.39 | latest, alpha, v3alpha
ruflo | 3.10.38 | 3.10.39 | latest, alpha, v3alpha

@claude-flow/cli's @claude-flow/memory dep pinned to ^3.0.0-alpha.20 so wrapper users get the entity arm automatically. v3/pnpm-lock.yaml regen included (lesson from #2311 — bumping a workspace dep without lockfile regen breaks pnpm install --frozen-lockfile).

What this implements vs the dream-cycle ADR

ADR-147 (#2317) split the work as P1 "wire FTS5 + RRF fusion" and P2 "entity arm + provenance". The investigation found P1 was already shipped in controller-registry.ts:713 before the ADR was filed — applyRRF(k=60) + applyMMR(λ=0.7) over dense + sparse was already in. This release lands the actual gap, P2.

Tracking note for the dream-cycle process posted on #2324.

Tests

  • 12 new entity-tagger.test.ts (regex pinning — generic prose returns empty, and/or → empty, "a" over "b" → empty, single capitalized words → empty)
  • 2 new graceful-retrieval.test.ts ADR-147 assertions (signal provenance on every fused result; needle-in-haystack)
  • Full memory suite: 416/420 (4 pre-existing Windows-env failures in agent-memory-scope, auto-memory-bridge, benchmark — untouched files)

Out of scope (follow-ups)

  • Dedicated SQL entity index — current per-entity searchKeyword calls are fine for typical query entity counts (1-3); unbounded if a query mentions 20+. A future ADR can add an entity_index table for hard-bound latency.
  • Async writes by default (ADR-147 P3) — orthogonal; consolidator already handles HNSW background rebuild.
  • LoCoMo benchmark publication (ADR-147 P4) — needs harness wiring + dataset access; separate workstream.

v3.10.38 — CI/witness/security cluster fixes

08 Jun 12:52
@ruvnet ruvnet

Three HIGH-severity verification-cluster fixes from #2311, #2274, #2312, and #2275.

Fixed

#2311 @claude-flow/security standalone TypeScript build (was breaking v3-ci.yml on main)
integrity-verifier.ts imported @noble/ed25519 but the dep was never declared on the package itself (root override didn't propagate — same lesson as #2112). Added directly to v3/@claude-flow/security/package.json. Unblocks the ToolOutputGuardrail smoke (ADR-131) job and the broader pipeline outage tracked in #2275.

#2274 verify.mjs crashed on @noble/ed25519 v2 (witness integrity unverifiable)
verify.mjs:175 unconditionally assigned ed.etc.sha512Sync; on the v2 patch releases that freeze etc, this throws TypeError: Cannot add property sha512Sync, object is not extensible and skips every signature check. Wrapped in if (!ed.etc.sha512Sync) plus a try/catch — sha512Sync is already wired internally on v2, so the shim is only needed on v1. Validated against macOS, Linux, and Windows manifests on this checkout: Ed25519 signature valid: yes on all three, regressed=0 missing=0.

#2312 smoke-trajectory-graph-edges.mjs OOM (ADR-130 P3 job, exit 134)
TEST 2's post-task chain (intelligence.recordTrajectory → @ruvector/ruvllm SonaCoordinator) blows past the default 4 GB heap. Bumped NODE_OPTIONS=--max-old-space-size=6144 on the CI step so the job completes; the underlying allocation profile in @ruvector/ruvllm is tracked as a follow-up.

Packages

Package | Old | New | Tags
@claude-flow/security | 3.0.0-alpha.8 | 3.0.0-alpha.10 | latest, alpha, v3alpha
@claude-flow/cli | 3.10.37 | 3.10.38 | latest, alpha, v3alpha
claude-flow | 3.10.37 | 3.10.38 | latest, alpha, v3alpha
ruflo | 3.10.37 | 3.10.38 | latest, alpha, v3alpha

@claude-flow/cli's @claude-flow/security dep now pins ^3.0.0-alpha.10 so the wrapper users pick up the noble dep automatically.

Not in this release

  • #2286 npx @claude-flow/cli@alpha --version 60s timeout is install-bandwidth + postinstall, not CLI startup. The --version fast-path has been in place since 3.10.33 (commit 4c01443) and exits before any heavy import. Verification harness measures cold npx -y which includes downloading the tarball + 300+ deps; nothing to fix in code.
  • #2319 — agentic-flow ./transport/loader export missing is an upstream issue (ruvnet/agentic-flow#153, plus a broken @fix dist-tag install). Cannot be fixed from this side until upstream lands the loader export in the stable ^2 release.

v3.10.34 — Security ADR P1 (ADR-144 / ADR-145 / ADR-146)

02 Jun 09:53
@ruvnet ruvnet

v3.10.34 — Security ADR P1 implementations (ADR-144, ADR-145, ADR-146)

Three independent P1 components landing the first concrete code from the three security ADRs filed earlier today (ADR-144 / ADR-145 / ADR-146). Each is OFF by default — strict mode becomes default in v4.0 — so existing pipelines keep their exact behaviour.

ADR-144 P1 — AgentAuthorizationPropagator (closes #2248 P1)

Action-layer security. New module: @claude-flow/security/authorization/propagator.

  • AuthScope envelope (principal, granted tools/servers, delegation depth, expiry)
  • wrapOutbound: monotonically-reducing scope — newly granted tools must be a subset of the holder's; depth decrements by ≥1; expiry checked
  • checkToolCall: typed decisions (tool-not-in-scope / server-not-in-scope / scope-expired / delegation-depth-exhausted) — never throws, telemetry-friendly
  • verifyServerAuth: fail-closed on missing / empty credentials (P1 permissive accept for non-empty; P4 wires the real validator)
  • Provenance buffer ring-bounded, ready for the P5 telemetry sink
  • makeLegacyPermissiveScope migration shim for legacy callers

18 unit tests covering every invariant. Verified against published 3.10.34:

granted reduced from 3 to 1 — depth 2
escalation refused: scope-cannot-grow
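
A sketch of the invariants listed for ADR-144 P1, added here as an example and not taken from @claude-flow/security: delegation can only shrink a scope, and tool-call decisions are typed results that never throw. The function names (`makeScope`, `delegateScope`, `decideToolCall`), the object shapes, the tool names and the `malformed-input` reason are hypothetical; the other reason strings are the ones quoted above.

```javascript
// Added sketch, not the project's propagator. Names and shapes are hypothetical.
function makeScope({ principal, tools, servers, depth, expiresAt }) {
  return Object.freeze({
    principal,
    tools: Object.freeze([...tools]),
    servers: Object.freeze([...servers]),
    depth, // remaining delegation hops
    expiresAt, // epoch milliseconds
  });
}

const isSubset = (requested, held) => requested.every((item) => held.includes(item));

// Delegation: the child scope may drop grants but never add any.
// This sketch reports depth exhaustion at delegation time.
function delegateScope(holder, request, now) {
  if (now >= holder.expiresAt) return { ok: false, reason: 'scope-expired' };
  if (holder.depth < 1) return { ok: false, reason: 'delegation-depth-exhausted' };
  if (!isSubset(request.tools, holder.tools) || !isSubset(request.servers, holder.servers)) {
    return { ok: false, reason: 'scope-cannot-grow' };
  }
  const scope = makeScope({
    principal: request.principal,
    tools: request.tools,
    servers: request.servers,
    depth: holder.depth - 1,
    // A child can never outlive its parent.
    expiresAt: Math.min(holder.expiresAt, request.expiresAt ?? holder.expiresAt),
  });
  return { ok: true, scope };
}

// Tool-call decision: a typed result for telemetry, never an exception.
function decideToolCall(scope, call, now) {
  try {
    if (now >= scope.expiresAt) return { allowed: false, reason: 'scope-expired' };
    if (!scope.servers.includes(call.server)) return { allowed: false, reason: 'server-not-in-scope' };
    if (!scope.tools.includes(call.tool)) return { allowed: false, reason: 'tool-not-in-scope' };
    return { allowed: true, reason: null };
  } catch {
    // Malformed scope or call: fail closed instead of propagating the error.
    return { allowed: false, reason: 'malformed-input' };
  }
}

// Constructed walk-through: 3 grants reduced to 1, then an escalation attempt.
function demo() {
  const now = 1000;
  const root = makeScope({
    principal: 'orchestrator',
    tools: ['memory_search', 'file_read', 'shell_exec'],
    servers: ['claude-flow'],
    depth: 3,
    expiresAt: 5000,
  });
  const child = delegateScope(
    root,
    { principal: 'researcher', tools: ['memory_search'], servers: ['claude-flow'] },
    now
  );
  const escalation = delegateScope(
    child.scope,
    { principal: 'helper', tools: ['memory_search', 'shell_exec'], servers: ['claude-flow'] },
    now
  );
  const call = (tool, at) => decideToolCall(child.scope, { server: 'claude-flow', tool }, at);
  return {
    child,
    escalation,
    allowedCall: call('memory_search', now),
    deniedCall: call('shell_exec', now),
    expiredCall: call('memory_search', 6000),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```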

ADR-145 P1 — PluginIntegrityVerifier (closes #2254 P1)

Install-layer security. New module: @claude-flow/security/plugins/integrity-verifier. Plus a placeholder v3/@claude-flow/cli/src/plugins/trust/trust-anchors.json for the official-plugin signing key (to be filled in P1.1 when the publish flow is wired).

  • Canonical JSON serialisation (deterministic key order) + SHA-256 manifest hash
  • Ed25519 detached signature verification via @noble/ed25519 (probe-and-fall-back — mirrors verify.mjs #1880 pattern so untrusted environments skip rather than throw)
  • Trust-anchor allowlist with exact + wildcard scope matching + expiry
  • Structured VerificationStatus: pass / signature-missing / signature-invalid / manifest-hash-mismatch / unknown-signer / signer-expired
  • Stage-2 semantic-intent scan (SCH defence) lands in P2

13 unit tests including the round-trip sign→verify and tamper-flip cases. Verified end-to-end:

canonicalize a-then-b == b-then-a: true
hashManifest deterministic: true
unsigned manifest → signature-missing

ADR-146 P2 — Guardrail call site in MCP dispatch (closes #2149 follow-up P2)

Content-layer security. Wires the ADR-131 ToolOutputGuardrail class into the single MCP dispatch chokepoint at mcp-client.ts::callMCPTool.

  • Lazy-resolves @claude-flow/security so the cold-import cost doesn't hit every CLI invocation; falls back to no-op if the module isn't installed (third-party consumers of @claude-flow/cli)
  • Walks the result object one level deep — matches the flat-record shape of every existing tool. Deeper traversal would change the p99 latency contract.
  • Rejected fields replaced with a typed marker: <rejected-by-guardrail tool="X" category=Y> so callers can surface the rejection rather than silently dropping content
  • Off by default. CLAUDE_FLOW_STRICT_GUARDRAIL=true turns it on; precedence is documented inline so the env-var audit passes without an escape-hatch entry.

4 wiring tests (legacy passthrough, strict-mode reject of known injection, strict-mode passthrough on safe content, non-object results pass through). Verified end-to-end:

$ CLAUDE_FLOW_STRICT_GUARDRAIL=true npx ruflo ...
action: reject (on known indirect-injection payload)

Layering — three orthogonal boundaries

Install boundary ADR-145 → Is the code trustworthy enough to load?
Memory-write ADR-145 → Is this agent allowed to write here? (P3+)
Action boundary ADR-144 → Is this agent allowed to act, on this server, now?
Content boundary ADR-131 / ADR-146 → Does this content contain hijack instructions?

Each ADR has its own phased rollout (P1 here; P2-P5 follow). All three flip to default-on in v4.0.

Install

npx ruflo@latest --version # → ruflo v3.10.34 (33 ms — #2256 fast path intact)

All 9 dist-tag pointers (latest / alpha / v3alpha across @claude-flow/cli, claude-flow, ruflo) at 3.10.34. @claude-flow/security published as 3.0.0-alpha.9 with all three dist-tags repointed.

What didn't change

  • --version cold-start: still 33 ms (the #2256 fast path in bin/cli.js and ruflo/bin/ruflo.js is unaffected)
  • MCP stdio cleanliness: still pure JSON-RPC on stdout (ADR-146 P2 deliberately doesn't touch stderr routing)
  • All 4 audits + 2 regression smokes still pass locally — guards added in 3.10.33 (YAML lint + router regex) continue to cover their cases