ADR-130 Unified Knowledge Graph Backend — Phases 4-6

Completes the full ADR-130 implementation shipping P1-P3 (3.9.0) + P4-P6 (3.10.0).

New in 3.10.0

• P4 — Plugin Adapter: Graph-to-plugin bridge exposing graph_edges reads/writes to the plugin runtime
• P5 — Pathfinder Algorithms: Three graph traversal strategies over the graph_edges SQLite backend:
  • Personalized PageRank (PPR) for relevance-weighted neighbourhood scoring
  • Dynamic MinCut for partitioning agent communication graphs
  • Spectral Sparsification for efficient sparse approximations
• P6 — Benchmark Suite: CI-friendly benchmark measuring:
  • Write throughput: >500 ops/sec (single-session, N=200 edges)
  • k-hop query latency: depth-1 <10ms p99, depth-3 <50ms p99
  • PQ encode <1ms p99, PQ decode <0.5ms p99
  • SQLite footprint: <1 KB/edge

Install

npx @claude-flow/cli@latest
npx claude-flow@latest
npx ruflo@latest

Tracking issue: #2128

ADR-130 — Unified Knowledge Graph Backend (All 6 Phases)

Gives all 4 existing graph layers (graph-node, AgentDB, ruflo-knowledge-graph, ruflo-graph-intelligence) a shared graph_edges sql.js table with PQ-encoded embeddings, two new MCP tools, SONA trajectory hooks, and a plugin adapter contract.

New features

Phase 1 — graph_edges schema + PQ encoder

• graph_edges table with temporal columns: confidence, decay_rate, last_reinforced, witness_id, embedding_ref
• embedding-quantization.ts: Int8 global-scalar PQ (400 bytes/384-dim); inlineCosine() for zero-decode similarity
• graph-edge-writer.ts: thin sql.js accessor with fire-and-forget writes

Phase 2 — agentdb_graph-query MCP tool

• k-hop traversal via recursive CTE (sql-cte backend)
• Personalized PageRank (PPR) power iteration
• Semantic cosine ranking on inline PQ embeddings
• complexityBudget enforcement: maxNodesVisited, maxDepth, maxMillis

Phase 3 — SONA trajectory-to-graph hooks

• hooks_intelligence_trajectory-step: writes trajectory-caused edges fire-and-forget
• hooks_post-task (success=true): writes reinforced-by edges fire-and-forget
• Neither write blocks tool response (<200ms latency preserved)

Phase 4 — Plugin adapter contract

• GraphEdgesSource class: default KnowledgeGraphSource reading from graph_edges
• createAutoGraphAdapter(): zero-boilerplate autoRegister path
• graph_adapter field in plugin.json schema (documented in ruflo-plugin-creator SKILL.md)

Phase 5 — agentdb_graph-pathfinder MCP tool

• 6 algorithm variants: personalized-pagerank, dynamic-mincut, spectral-sparsify, temporal-centrality, connected-component-churn, witness-chain-divergence
• Depth > 5 clamped; non-existent seed returns empty paths not error

Phase 6 — Benchmark + CI

• benchmark-graph.mjs: 6/6 targets met (2345 ops/sec write, 578 bytes/edge, k-hop depth=1 p99=4.9ms)
• 5 new CI jobs in v3-ci.yml gating all phases

Benchmark

Test baseline

1999 passed | 46 skipped — no regression

PR: #2129 | Tracking: #2128

Highlights

ADR-129 — Full rvagent integration (PR #2123)

• 16 new MCP tools for WASM agent gallery & introspection (10 CRUD + 6 query)
• wasm_agent_compose with addMcpTools bridge unlocking all 314 MCP tools to WASM agents
• JsModelProvider real provider routing (replaces the echo-stub bypass)
• Plugin contract: rvagent field on plugin manifest + includePlugins option in compose

Fixes

• #2120 — getBridge() now honors CLAUDE_FLOW_DISABLE_BRIDGE=1, fixing the legacy-DB status backfill regression that caused ruflo memory stats to report 0 entries against pre-status-column databases

Performance (PR #2124 — SOTA comparator benchmarks)

4 production speedups on wasm_agent_compose hot path (all in wasm-agent-tools.ts):

• Plugin manifest cache — 21-plugin overhead: 0.196ms → 0.001ms
• isDestructiveTool fast-path — suffix check before 8-regex battery
• Hoisted Buffer import — eliminates await import('node:buffer') microtask per call
• Memoized loadAgentWasm() — module-level promise singleton for all 20 MCP handlers

Cumulative compose_50_tools: 0.351ms → 0.146ms (2.4× improvement)

Verified SOTA matrix vs LangGraph 1.2.1, AutoGen 0.4.9, CrewAI 0.80.0 on darwin-arm64 + linux-x64:

† CrewAI dispatch proxied (requires real LLM).

Full methodology, Linux numbers, concurrency scale, v3.7→v3.8 delta: https://gist.github.com/ruvnet/298f8c668c8859b369f91734a0e9cbbe

Benchmarks (5-trial median, bench-rvagent.mjs)

• Provider routing: 0.025ms (fake key, router only)
• Compose 100 tools: 0.215ms
• Gallery CRUD cycle: 0.094ms
• Plugin enum (absent): 0.035ms

Witness manifest — ADR-129 P1–P4 fix entries registered (verification/witness-fixes.json, 117/117 verified)

Install

npx ruflo@latest      # or @3.8.0 / @alpha / @v3alpha
npx claude-flow@latest
npx @claude-flow/cli@latest

🤖 Generated with RuFlo

First stable release — the alpha series (3.7.0-alpha.1 → 3.7.0-alpha.81) is now closed. From here on we ship semver-stable: 3.7.0 → 3.7.1 (patch), 3.8.0 (minor), 4.0.0 (breaking).

Highlights

#2120 — memory stats / status fixed for legacy DBs

Reporter @alexandrelealbess on WSL2: ruflo memory stats reported Total Entries: 0 against a 251-row .swarm/memory.db, and ruflo status falsely reported "not initialized".

Versioning policy change

• No more -alpha.N releases. Default npm publish tag is latest.
• Legacy alpha and v3alpha dist-tags continue to point at the latest stable for backward compat — so npx ruflo@alpha and npx claude-flow@v3alpha still work.

CI surface (all guards added on alphas, still active)

5 new regression smokes from the alpha series:

• smoke-agent-execute-providers.mjs (#2042)
• smoke-github-safe-injection.mjs + smoke-github-actions-pins.mjs + smoke-deprecated-actions.mjs (#2089 ADR-127)
• smoke-attribution-opt-in.mjs (#2089 ADR-127)
• smoke-init-bundle-invariants.mjs (#2095 ADR-128)
• smoke-ruvllm-wasm-auto-init.mjs (#2086)
• smoke-memory-stats-legacy-db.mjs (#2120, this release)

Try it

npx ruflo@latest init        # → 3.7.0
# or upgrade in place
npm i -g ruflo@latest

Changelog

See git log v3.7.0-alpha.71...v3.7.0 for the full alpha series. Key fixes that culminated in this release:

• #2120 (alpha.81 → 3.7.0) — memory stats legacy DB NULL status
• #2110 (alpha.80 → alpha.81) — WSL2 daemon triple bug
• #2112 (alpha.79 → alpha.80) — opentelemetry overrides on ruflo wrapper
• #2086 (alpha.71 → alpha.72) — ruvllm WASM auto-init
• #2042 (alpha.77 → alpha.78) — agent_execute provider routing
• #2078 (alpha.78) — opt-in Co-Authored-By trailer
• #2089 / ADR-127 — GitHub stack modernization
• #2095 / ADR-128 — init bundle reduce
• #2068 / ADR-126 — neural-trader substrate integration
• #2061 / ADR-125 — memory consolidation, 2.70x retrieval speedup via RaBitQ quantization

Co-Authored-By: rUv

Consolidated release covering 5 alpha bumps (alpha.72 → alpha.76, May 20–21, 2026). Three packages: @claude-flow/cli, claude-flow (umbrella), ruflo (wrapper). All on latest, alpha, v3alpha dist-tags.

Highlights

ADR-128 — Init bundle reduce + refactor (alpha.76)

• Default agent count: 98 → 17. agents.all default flipped from true to false. Domain-specific subtrees (flow-nexus/, payments/, data/) now opt-in via --all-agents or explicit --agent-category.
• Default command count: 176 → 16. 9 truly-orphan flow-nexus/ commands deleted; 78 ambiguous ones promoted to first-class COMMANDS_MAP keys.
• Skill source-of-truth fix. The cli npm package now ships 34 SKILL.md files inside .claude/skills/. Previously, fresh users got whatever was in ~/.claude/skills/ from prior installs — a stale-state trap. findSourceDir's existing guard at executor.ts:1974 now resolves to the package's bundled skills first.
• 9 forked agents removed from init template (let plugins own them). Largest divergence was memory-specialist.md at 1,049 diff lines vs the ruflo-rag-memory plugin copy.
• New CI smoke smoke-init-bundle-invariants.mjs asserts no orphans, no plugin-init agent overlap, every skill dir has a SKILL.md.

PR #2096 (ADR), PR #2097 (impl), closes #2095.

ADR-127 — .github stack modernization (alpha.74, alpha.75)

• Static-contract smokes for the .github skills/agents/commands surface:
  • smoke-github-safe-injection.mjs — 10 adversarial body cases through both github-safe.js copies (backticks, $(), semicolons, >256KB, empty). Accepts both helper-side rejection and kernel-side E2BIG (Linux argv limit).
  • smoke-github-actions-pins.mjs — asserts every uses: is SHA-pinned or in .github/supply-chain/allowed-deps.json.
  • smoke-deprecated-actions.mjs — scans 5 trees; fails on actions/checkout@v3, actions/setup-node@v3, actions/create-release@*, actions/upload-release-asset@*.
  • smoke-attribution-opt-in.mjs — no hardcoded attribution strings; opt-in template variables only.
• github-safe.js v1.0.0 — exposes GITHUB_SAFE_VERSION, enforces 256 KB body cap.
• swarm-pr.md + swarm-issue.md injection fix — ${{ github.event.comment.body }} now goes through mktemp temp-file indirection (both dogfood and init-template copies).
• All actions/checkout@v3 → @v4 across 5 skills + 13 agents + 19 commands + 5 init-template agents that the initial sed missed (post-publish follow-up in alpha.75).
• .github/supply-chain/allowed-deps.json gains an actions block alongside the existing 5-layer npm audit.

PR #2090 (ADR), PR #2094 (impl), b4e177667 (alpha.75 follow-up), closes #2089.

ADR-126 — Neural-trader substrate integration (alpha.71 in the prior release; substrate is still alpha.76)

Bench/perf/security suite shipped as PR #2081: 4 new benchmarks under plugins/ruflo-neural-trader/benchmarks/ (signal-generation, backtest-throughput, memory-recall, portfolio-cg), an 18% Neumann perf gain in sublinear-adapter.mjs via ping-pong Float64Array buffers, and a 3-layer supply-chain + static-secret audit.

Bug fixes

CI / supply chain additions

5 new smoke jobs gating future regressions, all path-filtered:

• ruvllm-wasm-auto-init-smoke (#2086)
• github-safe-injection-smoke (#2089)
• github-actions-pins-smoke (#2089)
• deprecated-actions-smoke (#2089)
• init-bundle-invariants-smoke (#2095)

Plus tighter scan coverage in smoke-deprecated-actions.mjs (5 trees instead of 3, catches both dogfood and init-template subtrees).

Upstream coordination

ruvnet/neural-trader PRs #132–#138 all merged + workflow fix (PR #139) to replace deprecated actions/{create-release,upload-release-asset}@v1 with native gh release create / gh release upload. Tagged v2.9.0 there (CI publish gated on Actions budget).

Try it

npx ruflo@latest init
# default install now ships 17 agents + 16 commands + 30 skills + helpers
# (vs the 98/176/0 of alpha.71)

Or upgrade in place:

npm i -g ruflo@latest          # 3.7.0-alpha.76
npm i -g @claude-flow/cli@latest

Out of scope, flagged for follow-up

• General plugin-vs-plugin collision when two plugins both ship agents/coder.md. ADR-128 Phase 2 shrank the init-template-vs-plugin surface but didn't solve the plugin-vs-plugin case. Needs its own ticket.
• pull_request_target + secrets.* TOCTOU scan (Layer 6 in supply-chain audit). Informational-only, no hard-fail precedent yet.
• Dependabot / Renovate for uses: refs. Net-new automation pattern, would need its own ADR.

Closed in this release

#2073, #2078, #2086, #2089, #2095. PRs: #2077, #2079, #2080, #2081, #2088, #2090, #2094, #2096, #2097, #2079.

🤖 Generated with RuFlo

TL;DR — Delivers ADR-125 end-to-end. @claude-flow/memory now has a single canonical entry point, a real hybrid default (ADR-009 finally delivered), persistent HNSW that survives restart, a memory-bound consolidator, graceful retrieval degradation with FTS5 fallback, and reproducible benchmarks. All 8 ADR-125 acceptance criteria locked in.

Install / upgrade:

npx ruflo@latest         # umbrella CLI
npx claude-flow@latest   # legacy umbrella
npx @claude-flow/cli@latest

For direct memory-package consumers:

npm install @claude-flow/memory@latest

🧠 New: @claude-flow/memory@3.0.0-alpha.18 — full ADR-125 delivery

Delivered in two coordinated PRs:

• PR A (#2062) — Phases 1+2+6+7 — "deliver ADR-009"
• PR B (#2063) — Phases 3+4+5 — "harden"

What changed

Acceptance criteria — all 8 ✅

Test count delta

pre-ADR-125:    367 tests / 10 files
post PR A:      378 tests / 11 files   (+11 / +1)
post PR B:      403 tests / 15 files   (+25 / +4)
TOTAL:          +36 tests, +5 test files

Backward compatibility

• UnifiedMemoryService remains exported as a @deprecated alias to MemoryService through 3.0.0-rc. No breaking change.
• HnswLite removed from public surface and its module deleted — verified zero external importers across the monorepo. Internal usage by RvfBackend inlined as a private helper.
• RvfBackend removed from public exports (kept as internal).
• semanticSearch no longer throws when embedder unavailable — behavior change for callers that depended on the throw to detect misconfigured embedders. New health.embedder = 'degraded' event surfaces the same signal.

📦 Published packages (npm)

📜 PRs merged since alpha.70

• #2063 — ADR-125 PR B — persistent HNSW + MemoryConsolidator + FTS5 fallback
• #2062 — ADR-125 PR A — canonical MemoryService + real hybrid default + runnable benches

🔮 Deferred to follow-up ADRs (each gets its own decision record)

• ADR-126 Provenance + causal edges (MemoryEntry.source / signedBy, edge types caused-by | supersedes | derived-from)
• ADR-127 PII scan + AIDefence write-interceptor
• ADR-128 Multi-tenant row-level isolation + encryption at rest
• ADR-129 Real-time fs.watch + 3-way merge for AutoMemoryBridge
• ADR-130 Event-sourced memory replay (extends ADR-007)

Full diff: v3.7.0-alpha.70...v3.7.0-alpha.71
Tracking issue: #2061 (closed)

TL;DR — This release ships two coordinated security fixes (a real Ed25519 verifier on the plugin registry, and a Windows ONNX crash fix), the new Browser substrate (ADR-122) for trustworthy agent automation, the new RuFlo Graph Intelligence Engine plugin (ADR-123) for sublinear-time program analysis, and a 5-layer supply-chain audit that took the root package's CVE count from 13 HIGH/CRITICAL to zero.

Install / upgrade:

npx ruflo@latest         # umbrella CLI
npx claude-flow@latest   # legacy umbrella
npx @claude-flow/cli@latest

🔐 Security (please read)

Plugin registry signature verification is now real (CWE-347, #1922)

The plugin registry's Ed25519 signature verifier was a stub — it returned true whenever the served registryPublicKey field started with "ed25519". With requireVerification: true (the default) a network adversary on the path to an IPFS gateway could swap the registry and have a user install attacker-mapped plugin tarballs running with filesystem+network+hooks permissions.

Fixed in this release (PR #2060, thanks to @aaronjmars for the disclosure + patch):

• Real Ed25519 verification using the verifier that already lived at transfer/ipfs/client.ts:325.
• Verifier pins to the caller-supplied trusted public key from DEFAULT_PLUGIN_STORE_CONFIG, NOT the self-asserted registryPublicKey (which an attacker could swap too).
• Call site now awaits and fails closed (falls back to the local demo registry instead of warning-and-continuing).
• New plugin-registry-signature-smoke CI job locks the invariant for every future PR — including PRs from forks now that the pull_request trigger covers [main, develop].

If you've installed plugins from anywhere other than the official Pinata registry on a network you don't fully trust between alpha.69 and now, take a look at what's installed.

Windows ONNX binding crash (#2048)

import('agentic-flow/reasoningbank') crashed on Windows even with VCRedist installed, because router/providers/onnx-local.ts did a top-level await import('onnxruntime-node') that forced the native binding to load at module-import time, before any user code ran.

Fixed: agentic-flow@2.0.13 (upstream PR ruvnet/agentic-flow#155) moves the import into a lazy loadOrt() helper called from initializeSession(). The binding now loads only when an explicit inference call happens. This release bumps agentic-flow ^2.0.12 → ^2.0.13 in the root and v3/@claude-flow/browser (PR #2056).

Supply-chain hardening (#2046)

A new 5-layer audit pipeline (scripts/audit-supply-chain.mjs) runs on every PR:

1. CVE audit with per-package allowlist for triaged-and-tracked findings.
2. Lockfile integrity — every dep must carry a SHA-512 hash.
3. Top-level allowlist — new top-level deps require explicit approval.
4. Typosquat reject — blocks known typo-named packages.
5. Publisher trust snapshot — every release records which npm account published each dep, so silent maintainer takeovers leave a paper trail.

Backed by GitHub's dependency-review-action, a CODEOWNERS review gate on any change to allowed-deps, and 14 npm-overrides that pinned 13 HIGH/CRITICAL CVEs out of the dependency graph. Root npm audit now reports 0 vulnerabilities (was 13).

Pre-bash hook silent-swallow (#2017)

The pre-bash PreToolUse safety hook (which is supposed to refuse rm -rf /, fork bombs, etc.) was exiting 0 on every dangerous payload because of an unhandled TypeError swallowed by the safety timer's outer try/catch. Fixed in alpha.45 and locked in by a new CI smoke that drives real dangerous-command shaped JSON into the hook and asserts it blocks.

🌐 New: Browser substrate (ADR-122, #2043)

@claude-flow/browser is now a trustworthy agent substrate, not just a Playwright wrapper. Every browser run produces a signed trajectory (an RVF container with cookie attestations + page snapshots + risk classifications) that any other agent or auditor can replay. Phases shipped:

The plugin is gated through AIDefence so PII never leaves the browser sandbox unredacted.

Try it:

npx ruflo@latest plugins install @claude-flow/browser
ruflo browser session-record --task \"Sign in to staging dashboard and screenshot the kanban\"

📊 New: RuFlo Graph Intelligence Engine plugin (ADR-123, #2045)

A new ruflo-graph-intelligence npm package that turns sublinear-time graph algorithms (sublinear-time-solver@1.7.0) into 5 practical "wedges" you can run against your codebase or PR queue:

1. Spectral influence — which files in a 50-service monorepo will ripple if you touch this one?
2. Cone-of-influence forensics — given a regression in service-A, which PRs in the last 30 days could have caused it?
3. Portfolio CG — given 12 candidate refactors, which set has the highest expected payoff at the lowest blast radius?
4. AIDefence threat propagation — given a leaked credential, which downstream callsites need rotation first?
5. GOAP-LP planner — when a planner has dozens of candidate actions, which sequence reaches the goal with minimum cost?

Plus a streaming bridge and signed PR artifacts so the graph state can be federated across multiple agents working in the same repo.

npx ruflo-graph-intelligence analyze --target ./src --wedge spectral-influence

Shipped with 104 tests (104/104 passing) and registered in the official plugin marketplace.

🛠️ Quality + reliability

• Knowledge-graph kg-extract fix (#2049) — TypeScript import type and value imports were being conflated, producing phantom runtime cycles. Now classified as separate type-depends-on (weight 0.1) and depends-on (weight 1.0) relations. Locked in by scripts/smoke-kg-extract-type-imports.mjs.
• agentic-flow@2.0.12 upstream patch (ADR-124) — @xenova/transformers moved from dependencies to optionalDependencies so installs that don't need embeddings can --omit=optional for a clean CVE-free tree.
• Witness manifest CI guards (#2021) — refreshes stale markers, regenerates the signed manifest, and adds a fast drift-only check that runs on every push (no full build needed).
• Standalone module READMEs (#2022, alpha.43+44) — @claude-flow/memory, @claude-flow/embeddings, @claude-flow/security are now usable as standalone packages with their own usage docs + npm download badges.
• Memory subsystem consolidation ADR proposed (ADR-125) — Roadmap for the next memory release: single canonical MemoryService API, real HybridBackend default, persistent HNSW (no rebuild on cold start), MemoryConsolidator service, graceful retrieval degradation with FTS5 fallback, runnable benchmarks. Proposed in this release; first delivery PR coming next.

🔄 Migration / upgrade notes

Most users: no action required, just npx ruflo@latest.

If you import @claude-flow/browser programmatically: the new MCP tools (23 of them) are additive — existing imports continue to work, but you'll want to look at the new browser_session_record / browser_session_replay / browser_template_apply MCP tools for the trajectory + session-capsule features.

If you install plugins from a custom IPFS gateway: signature verification is now strict and fails closed. If your custom registry isn't properly Ed25519-signed against the pinned trusted key, it will fall back to the demo registry. See the new contract in v3/@claude-flow/cli/src/plugins/store/discovery.ts:verifyRegistrySignature.

If you run on Windows and previously hit the onnxruntime_binding.node is not a valid Win32 application error: upgrade and try again. If you still hit it, you're explicitly running ONNX inference; npm install --omit=optional will skip the binding entirely and the embedding paths fall back to hash-based.

📦 Published packages (npm)

📜 PRs merged since alpha.44

• #2060 — CWE-347 plugin registry signature verification (closes #1922)
• #2056 — agentic-flow ^2.0.12 → ^2.0.13 Windows ONNX lazy-load (closes #2048)
• #2055 — kg-extract type-import classifier + CI guard (closes #2049)
• #2050 — 5-layer supply-chain audit + dependency-review + CODEOWNERS (closes #2046)
• #2045 — RuFlo Graph Intelligence Engine plugin (ADR-123, closes #2044)
• #2043 — Browser substrate beyond SOTA (ADR-122, closes #2041)
• #2022 — Standalone-use recipes + npm download badges (alpha.43+44)
• #2052 — Remove duplicate lowercase skill.md files
• #2051 — Register ruflo-graph-intelligence in marketplace manifest

Full diff: v3.7.0-alpha.44...v3.7.0-alpha.70

🙏 Special thanks to @aaronjmars for the responsible disclosure + clean patch on #1922, and the careful follow-up on the dependency-CVE backlog.

Closes the chain from ca0a6fa5c (standalone recipes landed in repo but never reached npm). Three threads converge here:

1. @claude-flow/neural unblocked (#2022)

@claude-flow/neural@3.0.0-alpha.8 pinned \"@ruvector/sona\": \"latest\", and @ruvector/sona@0.1.6 shipped as an empty publish (README + package.json only — no index.js, no native bins). Every fresh npm install @claude-flow/neural broke at import time.

Fix: @claude-flow/neural@3.0.0-alpha.9 pins to the exact known-good @ruvector/sona@0.1.5 (which has index.js + 7 platform-specific .node files). Tracking issue #2022 for the upstream sona republish.

Post-publish live check (the bug shape):
```
$ npm install @claude-flow/neural@3.0.0-alpha.9
$ node -e "import('@claude-flow/neural').then(m => console.log(Object.keys(m).slice(0,5)))"
[A2CAlgorithm, BalancedMode, BaseModeImplementation, BatchMode, CuriosityModule]
```

2. Standalone recipes now visible on npmjs.com

The standalone-use sections added in ca0a6fa5c lived only in the repo READMEs. This release bumps and republishes the four modules so npmjs.com finally shows the recipes that prove these packages work without the CLI:

3. npm download badges across the README surface

Every published package README now carries npm/v + npm/dm badges so live download volume is visible. Added to:

• Umbrella root README.md (badges for both ruflo + claude-flow)
• 6 modules that had no npm badges at all (claims, cli-core, plugins, plugin-agent-federation, plugin-iot-cognitum, and cli itself via the root README)
• 3 modules with version-only badges (browser, codex, mcp)
• 14 modules already had both — left untouched

The ruflo/README.md and v3/@claude-flow/cli/README.md auto-copy from root via prepublishOnly, so they inherit the new badge bar.

Versions

Install

```bash
npx ruflo@latest

or

npx @claude-flow/cli@latest doctor
```

Commit: 5b71c7ac1

🤖 Generated with RuFlo

Hotfix on top of alpha.41 — the post-publish live regression check exposed a second-layer bug in the #2015 fix.

What round 1 missed

ruvector@0.2.25 rvf create accepts only:

• -d, --dimension <n> (required)
• -m, --metric <metric> (optional, default cosine)

Round 1 added the required --dimension 384 but left --kind browser-session in place. Commander's required-option check fires before its unknown-option check, so the original bug report (#2015) only ever surfaced the dimension error — there was no way to discover the second layer without actually running the command end-to-end.

The live functional check after publishing alpha.41 surfaced it:

error: unknown option '--kind'

What changed in alpha.42

• Stripped --kind browser-session from all 5 call sites (TS source, compiled dist, replay-spike.sh, browser-agent.md, browser-record/SKILL.md) + ADR prose example.
• Tightened smoke-browser-rvf-create-flags.mjs to police BOTH invariants per line:
  • --dimension / -d is present
  • --kind is absent
• The smoke now uses an explicit PATHS_IN_SCOPE list (round 1's content-anchor was the very flag we just deleted).

Live functional check (everything green)

• ruvector rvf create --dimension 384 (no --kind): exit 0, .rvf file written.
• Published @claude-flow/cli@3.7.0-alpha.42 dist:113: --dimension present, --kind absent.
• #2019 vectorBackend/graphAdapter functional test from alpha.41: still passes against @claude-flow/memory@3.0.0-alpha.16.
• verify.mjs precondition contract from #1880: still holds (exit 2 for source-only, exit 1 for built tree with real regressions).

Packages

All latest / alpha / v3alpha dist-tags updated.

Commit: 905672021

🤖 Generated with RuFlo

Three small but high-impact fixes ship together — each one resolves a recurring failure whose root cause was the same anti-pattern: a try/catch (or missing flag) silently turned a clear precondition failure into a vague "verification failed" / "controller disabled" / "rvf create failed" outcome that downstream consumers couldn't act on.

Fixes

#1880 — scheduled witness verification stops misfiling install/build gaps as regressions

The 12-hour scheduled verification was opening a duplicate "HIGH — verification broken" issue every cron cycle since 2026-05-10 because the runner does a source-only checkout (no @noble/ed25519 install, no npm run build) and verify.mjs lumped that into the same exit 1 bucket as a real signature regression.

verify.mjs now reserves exit 2 strictly for precondition misses:

• @noble/ed25519 not installed → exit 2
• every manifest entry missing AND the manifest references /dist/ paths → exit 2 (source-only checkout, build never ran)

Real failures (signature invalid, specific marker regressed) keep exit 1. The scheduled runner can now distinguish "needs install/build" from "we broke something" and stop filing duplicate issues.

#2019 — vectorBackend no longer permanently disabled with agentdb@3.0.0-alpha.14+

@claude-flow/memory's controller registry called agentdb.getController('vectorBackend'). Upstream agentdb's getController switch only handles memory/reflexion/skills/causal and throws Unknown controller: vectorBackend for everything else — a try/catch silently swallowed the throw, leaving the controller enabled: false even though agentdb.vectorBackend is a real field on the instance (assigned in AgentDB.initialize()).

The registry now probes agentdb[name] directly first and falls back to getController only when the field is absent. Applied to all three accessor paths (initializeController, get, isEnabled). RuntimeConfig gains an optional agentdb field for test injection and consumer-owned AgentDB lifecycles.

#2015 — ruflo-browser browser_session_record actually works

ruvector@0.2.25 makes -d, --dimension <n> required on rvf create. The browser_session_record MCP tool wrapper invoked rvf create … --kind browser-session without the flag, so every call returned { success: false, error: "rvf create failed" }. All five call sites (TS, shell, three markdown recipes) now pass --dimension 384 to match the MiniLM-L6 / AgentDB index default.

New CI guards

Both fixes ship with dedicated regression smokes in v3-ci.yml, wired into witness-verify's needs: so a contract break blocks publish.

• witness-verify-precondition-smoke (#1880) — drives all three shapes (missing dep / all-files-missing / built tree) through verify.mjs and asserts the exit-code contract.
• browser-rvf-create-flags-smoke (#2015) — static scan of every rvf create … --kind browser-session invocation across TS, dist, shell, and markdown — fails on any missing --dimension / -d.

The pre-existing pre-bash-hook-smoke (#2017) gate is unchanged and still wired in.

Packages

All latest / alpha / v3alpha dist-tags updated.

Install

npx @claude-flow/cli@latest doctor
# or
npx ruflo@latest

Regression check (post-publish)

Installed each published artifact fresh from the registry and confirmed:

• @claude-flow/memory@3.0.0-alpha.16 — ControllerRegistry.get('vectorBackend') returns the live instance even when a fake agentdb's getController throws Unknown controller: vectorBackend (the exact bug shape from #2019).
• @claude-flow/cli@3.7.0-alpha.41 — compiled dist/src/mcp-tools/browser-session-tools.js carries '--dimension', '384' in the rvf create shell invocation.

Commit: e4bd9bbcb

🤖 Generated with RuFlo