UNPKG

claude-flow-novice

Version:

Claude Flow Novice - Advanced orchestration platform for multi-agent AI workflows with CFN Loop architecture Includes Local RuVector Accelerator and all CFN skills for complete functionality.

github.com/cfn-dev/claude-flow-novice

cfn-dev/claude-flow-novice

429 lines (360 loc) 21.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
# Claude Flow Novice - Backlog Last Updated: 2025-12-01 ## Priority Levels - **P1**: Critical, blocks progress - **P2**: High value, next sprint - **P3**: Nice to have, background worker --- ## Active Items ### P2-001: Fix SERP Pattern Analyst Test Suite (49 failures) **Priority**: P2 (Medium) **Created**: 2025-12-01 **Sprint**: Phase 2 Sprint 4 (deferred) **Epic**: SEO Intelligence Integration **Issue**: Test suite has 49/122 failing tests due to mock setup issues, not implementation bugs. **Location**: - `packages/seo-analysis/src/lib/__tests__/serp-pattern-analyst.test.ts` - `packages/seo-analysis/src/lib/__tests__/competitor-deep-analyst.test.ts` **Root Cause**: - Missing FIRECRAWL_API_KEY in helper method test setup - Incomplete mock responses for DataForSEO/Google API calls - Mock state bleeding between test cases **Solution**: 1. Add `firecrawlApiKey` to all CompetitorDeepAnalystAgent instantiations in tests 2. Align mock responses with actual API contracts 3. Add `setupTestEnvironment()` to all describe blocks 4. Improve test isolation **Acceptance Criteria**: - Test pass rate ≥90% (110/122 passing) - No mock state bleeding between tests - All API key mocks properly configured **Estimated Effort**: 2-4 hours **Deferred By**: Product Owner (DEFER_AND_PROCEED decision, confidence: 0.87) **Reason**: Code quality production-ready (0.93), test failures are environmental only --- ### P2-002: Implement RuVector Client Functions for SEO Onboarding **Priority**: P2 (High Value) **Created**: 2025-12-03 **Sprint**: 1.2 (SEO Onboarding Discovery) **Epic**: SEO Site Onboarding & Keyword Discovery System **Issue**: Sprint 1.1 created RuVector schemas but deferred client implementation due to security priority. **Location**: - `.claude/skills/cfn-seo/ruvector/` (to be created: `ruvector-client.ts`) **Root Cause**: Security fixes (SEC-1.1 through SEC-1.6) took priority over RuVector client implementation. **Solution**: Create `ruvector-client.ts` with three core functions: 1. `upsertSiteProfile(domain: string, profile: SiteProfileMetadata): Promise<void>` - Store/update site profile in `site_profiles` collection - Generate embedding from profile data - Set 180-day TTL 2. `queryCrossSitePatterns(industry: string, limit: number): Promise<CrossSitePatternEntry[]>` - Semantic search across `cross_site_patterns` collection - Filter by industry, sort by confidence score - Return top N patterns 3. `logOnboardingResult(domain: string, results: OnboardingResultsMetadata): Promise<void>` - Store complete onboarding run in `onboarding_results` collection - Include all 7 phase outputs, timestamps, confidence scores - Set 365-day TTL for long-term learning **Acceptance Criteria**: - All 3 functions implemented with full TypeScript type safety - Integration with existing RuVector schemas (onboarding-schemas.ts) - Error handling for network failures, invalid inputs - Unit tests for each function - Integration with Phase 1-3 implementations (Sprint 1.2) **Estimated Effort**: 4-6 hours **Reference Files**: - Schema definitions: `.claude/skills/cfn-seo/ruvector/onboarding-schemas.ts` - Storage schema doc: `.claude/skills/cfn-seo/storage-schema.md` - Epic: `planning/epics/seo-onboarding-discovery/epic.json` --- ### P2-003: Complete Keyword Sanitization (FINDING-002) **Priority**: P2 (Medium) **Created**: 2025-12-01 **Sprint**: Phase 2 Sprint 4 (partial fix) **Epic**: SEO Intelligence Integration **Issue**: HTML escaping for keyword in recommendation descriptions incomplete. **Location**: - `packages/seo-analysis/src/lib/serp-pattern-analyst.ts` (line 1375) **Risk Level**: LOW (output is JSON, risk only if web UI displays without escaping) **Solution**: Implement HTML escaping for keyword parameter in output contexts. **Acceptance Criteria**: - Keyword properly escaped in all recommendation descriptions - Security audit shows 0 medium findings - Safe for production UI deployment **Estimated Effort**: 4 hours **Deployment Status**: - Backend safe (JSON context) - Do NOT deploy to production UI until fixed --- ## Completed Items (Phase 1.2a - 2025-11-23) **[COMPLETED] - Phase 1.2: Environment Variable Whitelisting** - **Sprint**: Phase 1.2a - **Category**: Security - **Description**: Environment variable whitelisting to prevent container variable leakage - **Solution Implemented**: 27-variable whitelist in docker/trigger-dev/entrypoint.sh with injection detection - **Test Results**: 8/8 tests pass (100%) - **Date Completed**: 2025-11-23 - **Related Files**: - docker/trigger-dev/entrypoint.sh (filter_environment_variables function) - tests/trigger-dev/test-security-hardening.sh (comprehensive tests) - docker/trigger-dev/SECURITY.md (documentation) **[COMPLETED] - Phase 1.2: Docker Socket Isolation with Rootless Mode** - **Sprint**: Phase 1.2a - **Category**: Security - **Description**: Docker socket isolation preventing privilege escalation - **Solution Implemented**: socket-proxy service with restrictive policies - **Test Results**: Socket proxy blocks privileged ops, allows spawning (2/2 tests) - **Date Completed**: 2025-11-23 - **Related Files**: - docker/trigger-dev/socket-proxy/docker-compose.yml - tests/trigger-dev/test-security-hardening.sh **[COMPLETED] - Phase 1.2: Docker Secrets Integration for API Keys** - **Sprint**: Phase 1.2a - **Category**: Security - **Description**: Docker secrets integration for API key management - **Solution Implemented**: Docker Compose secrets with fallback env var support - **Test Results**: Secrets loading, environment fallback (2/2 tests) - **Date Completed**: 2025-11-23 - **Related Files**: - docker/trigger-dev/docker-compose.secrets.yml - docker/trigger-dev/entrypoint.sh (secret loading logic) - tests/trigger-dev/test-security-hardening.sh --- ## Active Items ### P0 - Critical **[P0] - Process: Implement verification requirements for claimed com...** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: Process: Implement verification requirements for claimed completions - **Rationale**: CRITICAL: Developer claimed security fixes without verification, creating credibility issues and security risks - **Proposed Solution**: Require automated testing, security scanning, and peer review for all claimed completions. Implement 'trust but verify' process. - **Tags**: - **Status**: Backlogged - **Date Added**: 2025-11-06 ### P1 - High Priority **[P1] - Migrate to production secrets management (Docker Secrets or ...** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: Migrate to production secrets management (Docker Secrets or AWS Secrets Manager) - **Rationale**: WSL2 777 permissions acceptable for dev but critical security issue in multi-tenant cloud deployment. Container isolation requires proper secret permissions (600) to prevent cross-container access. - **Proposed Solution**: Option 1: Docker Secrets (in-memory mount at /run/secrets/ with 600 permissions). Option 2: AWS Secrets Manager (runtime API fetch, no filesystem). Option 3: HashiCorp Vault. Required before cloud deployment. - **Tags**: `production`, `cloud`, `secrets`, `docker`, `security` - **Status**: Backlogged - **Date Added**: 2025-11-23 **[P1] - Create memory Redis dashboard for real-time monitoring** - **Sprint Backlogged**: Unknown - **Category**: Feature - **Description**: Create memory Redis dashboard for real-time monitoring - **Rationale**: Need a web dashboard to monitor agent memory usage, container status, and performance metrics from Redis data in production - **Proposed Solution**: Build a web dashboard (React/Node) that connects to Redis to display: - Real-time memory usage per agent - Container status (running/stopped/exited) - Memory alerts and thresholds - Historical performance charts - Agent spawn/destroy events - System resource utilization Implementation: 1. Redis subscriber for real-time updates 2. REST API for historical data 3. React dashboard with charts 4. WebSocket for live updates 5. Docker containerization - **Tags**: `redis`, `dashboard`, `monitoring`, `memory`, `production` - **Status**: Backlogged - **Date Added**: 2025-11-04 ### P2 - Medium Priority **[P2] - Fix SERP Pattern Analyst test suite failures (28/53 passing)** - **Sprint Backlogged**: P2-S3 - **Category**: Technical-Debt - **Description**: Fix SERP Pattern Analyst test suite failures (28/53 passing) - **Rationale**: Pre-existing test failures in serp-pattern-analyst.test.ts discovered during P2-S3 validation. Mock setup issues causing cascading failures in Google Custom Search and DataForSEO integration tests. - **Proposed Solution**: Refactor test mocks to properly isolate API calls; align test expectations with implementation behavior (throw vs fallback); target 90%+ pass rate - **Tags**: `testing`, `serp-analyst`, `technical-debt` - **Status**: Backlogged - **Date Added**: 2025-12-01 **[P2] - Add SHA256 digest pinning for Docker base images (5/7 images...** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: Add SHA256 digest pinning for Docker base images (5/7 images missing) - **Rationale**: Docker specialist identified missing SHA256 pinning in Phase 1.3b validation. Production best practice for supply chain security and reproducible builds. Current implementation relies on tag-based references which can change over time. - **Proposed Solution**: Update docker/Dockerfile.trigger-dev, docker/Dockerfile.agent, and other relevant Dockerfiles to use SHA256 digest pinning format: FROM image:tag@sha256:<digest>. Verify digests using 'docker pull' and 'docker inspect'. Update CI/CD to validate digest pinning in all production images. - **Tags**: - **Status**: Backlogged - **Date Added**: 2025-11-23 **[P2] - Phase 1.3b: Secret Population and Validation** - **Sprint Backlogged**: Phase 1.3b - **Category**: Security - **Description**: Populate 10 production secrets and validate security gate (Loop 3 security-specialist work) - **Rationale**: Phase 1.2a infrastructure complete. Phase 1.3b requires actual secret values to complete security hardening cycle. - **Proposed Solution**: 1. Populate docker/trigger-dev/secrets/ with 10 required secrets 2. Update docker-compose.secrets.yml with 5 missing secret references 3. Run validation script to confirm 100% pass rate 4. Run pre-deployment security gate (target ≥95%) 5. Verify Phase 1.2a regression tests remain at 100% - **Estimated Effort**: 4-6 hours - **Tags**: `security`, `secrets`, `production`, `phase-1-3b` - **Status**: In Progress (infrastructure validated) - **Date Added**: 2025-11-23 - **Related Files**: - docker/trigger-dev/secrets/ (10 files to populate) - docker/trigger-dev/docker-compose.secrets.yml (5 refs to add) - scripts/security/validate-secrets.sh (validation script) - scripts/security/pre-deployment-security-check.sh (gate) - **Documentation**: docker/trigger-dev/PHASE_1.3b_INFRASTRUCTURE_VALIDATION.md **[P2] - Phase 1.3c: Encrypted Credential Storage** - **Sprint Backlogged**: Phase 1.3c - **Category**: Security - **Description**: Implement Age encryption for at-rest secret storage - **Rationale**: Phase 1.3b secrets populated. Phase 1.3c adds encryption layer for sensitive data at rest. - **Proposed Solution**: 1. Generate Age key pair if not exists 2. Implement encrypted secret storage in docker/trigger-dev/secrets/ 3. Update validation script to test decryption 4. Document key rotation procedures - **Estimated Effort**: 3-4 hours - **Tags**: `security`, `encryption`, `age`, `phase-1-3c` - **Status**: Backlogged - **Date Added**: 2025-11-23 **[P2] - Phase 1.3d: Git History Secret Remediation** - **Sprint Backlogged**: Phase 1.3d - **Category**: Security - **Description**: Remediate secrets found in git history - **Rationale**: Pre-deployment security gate detected potential secrets in git history. Need remediation before production deployment. - **Proposed Solution**: 1. Review and audit git history for actual secrets 2. Rotate any exposed credentials 3. Use git-filter-repo or BFG Repo-Cleaner to remove secrets 4. Document remediation and coordinate with team - **Estimated Effort**: 2-3 hours - **Tags**: `security`, `git`, `secrets`, `remediation`, `phase-1-3d` - **Status**: Backlogged - **Date Added**: 2025-11-23 **[P2] - Sync agent-use-case-registry with dynamic agent discovery sy...** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: Sync agent-use-case-registry with dynamic agent discovery system - **Rationale**: Currently agent-use-case-registry.cjs is manually maintained and can drift out of sync with actual agents in .claude/agents/, causing confusion when deprecated agents appear in selection but don't exist. This creates maintenance overhead and potential runtime errors. - **Proposed Solution**: Move agent-use-case-registry to database-backed system (similar to skills migration). Auto-populate keywords/domains from agent YAML frontmatter + allow manual overrides. Benefits: (1) Single source of truth (.claude/agents/ files), (2) Auto-sync on agent creation/deletion, (3) Keyword enrichment via DB, (4) Eliminates manual registry maintenance, (5) Prevents stale agent references. Implementation: Create SQLite table with agent_name, keywords[], domains[], priority, auto_discovered (bool), last_synced timestamp. Add sync script that scans .claude/agents/ and updates DB. Migrate existing registry entries with manual_override flag. - **Tags**: - **Status**: Backlogged - **Date Added**: 2025-11-17 **[P2] - ✅ TECH-DEBT-001: Standardize coordination-utils.sh import paths [COMPLETE]** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: TECH-DEBT-001: Standardize coordination-utils.sh import paths across CFN skills - **Rationale**: System-architect identified inconsistent import patterns for coordination-utils.sh during SEC-003 validation. Three different patterns used across scripts. - **Proposed Solution**: Audit all skills using coordination-utils.sh, establish canonical import pattern (SCRIPT_DIR relative), update all references. Estimated effort: 30 minutes. - **Tags**: - **Status**: ✅ Complete (commit: 04860889b) - **Date Added**: 2025-11-17 - **Date Completed**: 2025-11-17 - **Resolution**: Standardized all 10 scripts to canonical Pattern 1 (${SCRIPT_DIR}/../bootstrap/sqlite-params.sh). 100% consistency achieved, zero breaking changes. **[P2] - SEC-003: Complete SQL injection migration (8 remaining scrip...** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: SEC-003: Complete SQL injection migration (8 remaining scripts) - **Rationale**: Framework operational and prevents new vulnerabilities. Remaining migrations ensure legacy script safety. - **Proposed Solution**: Migrate 8 scripts using parameterized queries pattern from sqlite-params.sh library. Priority: track-cost-savings.sh (14+ patterns), then 7 additional scripts. Estimated 15-20 hours. Target: 2 weeks. - **Tags**: - **Status**: Backlogged - **Date Added**: 2025-11-17 **[P2] - Fix SQL injection test suite execution hang** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: Fix SQL injection test suite execution hang - **Rationale**: Test suite (test-sql-injection-final-validation.sh) hangs during execution preventing automated OWASP test coverage verification. Manual code review confirms all 13 scripts are secure, but automated gate compliance (≥0.95 pass rate) cannot be verified. - **Proposed Solution**: Debug test suite execution: (1) Identify why test hangs on first OWASP vector, (2) Fix sqlite_select() function usage in test context, (3) Run full 28-vector suite to completion, (4) Verify ≥95% pass rate. Estimated 2-4 hours. - **Tags**: - **Status**: Backlogged - **Date Added**: 2025-11-17 **[P2] - Fix SQL injection test suite execution infrastructure** - **Sprint Backlogged**: Unknown - **Category**: Technical-Debt - **Description**: Fix SQL injection test suite execution infrastructure - **Rationale**: Test suite hangs during OWASP vector execution. Manual validation confirms security fixes are correct, but automated test verification incomplete. - **Proposed Solution**: Debug sqlite_select() test execution, resolve test suite hang, validate 28 OWASP attack vectors complete successfully. Estimated effort: 2-4 hours. - **Tags**: - **Status**: Backlogged - **Date Added**: 2025-11-17 **[P2] - Quote all 21 variables in docker/coordinator-entrypoint.sh** - **Sprint Backlogged**: Phase 4 - **Category**: Technical-Debt - **Description**: Quote all 21 unquoted variable expansions to prevent word splitting and globbing - **Rationale**: Phase 4 security audit (M-1 MEDIUM) - unquoted variables can cause unexpected behavior with spaces/wildcards - **Proposed Solution**: Quote all variable expansions except in [[ ]] conditionals (e.g., echo "$VAR" instead of echo $VAR) - **Tags**: `security`, `docker`, `shell-scripting`, `phase4` - **Status**: Backlogged - **Date Added**: 2025-11-16 **[P2] - Add strict mode to orchestrate.sh** - **Sprint Backlogged**: Phase 4 - **Category**: Technical-Debt - **Description**: Add set -euo pipefail to .claude/skills/cfn-docker-loop-orchestration/orchestrate.sh - **Rationale**: Phase 4 security audit (M-2 MEDIUM) - missing strict mode allows errors to be silently ignored, unset variables not caught - **Proposed Solution**: Add "set -euo pipefail" in first 5 lines after shebang for exit on error, unset variable detection, pipeline error catching - **Tags**: `security`, `docker`, `shell-scripting`, `phase4` - **Status**: Backlogged - **Date Added**: 2025-11-16 **[P2] - Use mktemp for secure temp file creation** - **Sprint Backlogged**: Phase 4 - **Category**: Technical-Debt - **Description**: Replace hardcoded /tmp paths with mktemp in docker/coordinator-entrypoint.sh - **Rationale**: Phase 4 security audit (M-3 MEDIUM) - predictable filenames create race condition and temp file hijacking risks - **Proposed Solution**: Use mktemp for unpredictable filenames with trap for cleanup (e.g., CONTEXT_FILE=$(mktemp /tmp/task-context.XXXXXX.json)) - **Tags**: `security`, `docker`, `temp-files`, `phase4` - **Status**: Backlogged - **Date Added**: 2025-11-16 ### P3 - Low Priority / Nice-to-Have **[P3] - Fix test suite hardcoded paths causing 94% test failure rate** - **Sprint Backlogged**: Phase 4 - **Category**: Technical-Debt - **Description**: Fix test suite hardcoded paths causing 94% test failure rate - **Rationale**: test-gate-check-security.sh uses hardcoded /home/user/ paths causing tests to fail despite production-ready code. Distinct from shell security implementation which is verified complete. - **Proposed Solution**: Replace hardcoded /home/user/claude-flow-novice/ paths with PROJECT_ROOT pattern: PROJECT_ROOT=$(git rev-parse --show-toplevel). Apply to tests/cfn-v3/helpers/test-gate-check-security.sh and related test files. - **Tags**: `test-infrastructure`, `technical-debt`, `shell-security`, `testing` - **Status**: Backlogged - **Date Added**: 2025-11-17 **[P3] - Security hardening for code quality fixes (ReDoS, query dete...** - **Sprint Backlogged**: Phase 4 - **Category**: Optimization - **Description**: Security hardening for code quality fixes (ReDoS, query detection, UUID collision detection) - **Rationale**: Deferred from Code Quality CFN Loop Iteration 2 - security specialist identified optimization opportunities (consensus 0.78) but no production blockers. Issues #12/#14/#15 are functionally complete with 57/57 tests passing. - **Proposed Solution**: 1. Update ANSI regex from /[[0-9;]*m/g to /[[0-9;]{0,5}m/g (bounded quantifier), 2. Add comprehensive query detection tests for edge cases (nested comments, string literals), 3. Implement UUID collision detection with explicit while-loop check - **Tags**: `security`, `optimization`, `code-quality`, `redos`, `query-detection`, `uuid` - **Status**: Backlogged - **Date Added**: 2025-11-17 **[P3] - Verify coordinator memory limit in docker-compose.yml** - **Sprint Backlogged**: Phase 4 - **Category**: Optimization - **Description**: Ensure cfn-coordinator service has mem_limit: 2g in docker/docker-compose.yml - **Rationale**: Phase 4 security audit (L-1 LOW) - missing or incorrect memory limit can cause host memory exhaustion - **Proposed Solution**: Add or verify mem_limit: 2g in cfn-coordinator service configuration - **Tags**: `docker`, `resource-limits`, `phase4` - **Status**: Backlogged - **Date Added**: 2025-11-16 **[P3] - Ensure agent containers have AutoRemove: true** - **Sprint Backlogged**: Phase 4 - **Category**: Optimization - **Description**: Verify all agent spawning code sets AutoRemove: true in HostConfig - **Rationale**: Phase 4 security audit (L-2 LOW) - missing auto-remove causes disk space exhaustion from orphaned containers - **Proposed Solution**: Review .claude/skills/cfn-docker-loop-orchestration/orchestrate.sh agent spawning and ensure HostConfig.AutoRemove is set - **Tags**: `docker`, `resource-cleanup`, `phase4` - **Status**: Backlogged - **Date Added**: 2025-11-16 ## Completed Items --- ## Item Template **[PRIORITY] - [Item Title]** - **Sprint Backlogged**: Sprint X - **Category**: Feature/Bug/Technical-Debt/Optimization - **Description**: What needs to be done - **Rationale**: Why it was deferred - **Proposed Solution**: How to implement - **Tags**: `tag1`, `tag2`, `tag3` - **Status**: Backlogged - **Date Added**: YYYY-MM-DD