', 'comment');\n// { safe: false, threats: [{type: 'xss', ...}] }\n```\n\n### workflow templates\n\n```typescript\nimport { listworkflows, getworkflow } from '@claude-flow/browser';\n\nlistworkflows(); // ['login-basic', 'login-oauth', 'scrape-table', ...]\nconst template = getworkflow('login-basic');\n// { steps: [{action: 'open'}, {action: 'fill'}, ...], variables: [...] }\n```\n\n\ud83d\udcd6 full documentation\n\n\n\n---\n\n
\n\ud83d\udce6 release management \u2014 @claude-flow/deployment\n\nautomated release management, versioning, and ci/cd for ruflo packages.\n\n### features\n\n| feature | description | performance |\n|---------|-------------|-------------|\n| **version bumping** | automatic major/minor/patch/prerelease | instant |\n| **changelog generation** | from conventional commits | <2s |\n| **git integration** | auto-tagging and committing | <1s |\n| **npm publishing** | multi-tag support (alpha, beta, latest) | <5s |\n| **pre-release validation** | lint, test, build, dependency checks | configurable |\n| **dry run mode** | test releases without changes | safe testing |\n\n### quick start\n\n```typescript\nimport { preparerelease, publishtonpm, validate } from '@claude-flow/deployment';\n\n// bump version and generate changelog\nconst result = await preparerelease({\n bumptype: 'patch', // major | minor | patch | prerelease\n generatechangelog: true,\n createtag: true,\n commit: true\n});\n\nconsole.log(`released ${result.newversion}`);\n\n// publish to npm\nawait publishtonpm({\n tag: 'latest',\n access: 'public'\n});\n```\n\n### version bumping examples\n\n```typescript\nimport { releasemanager } from '@claude-flow/deployment';\n\nconst manager = new releasemanager();\n\n// bump patch: 1.0.0 \u2192 1.0.1\nawait manager.preparerelease({ bumptype: 'patch' });\n\n// bump minor: 1.0.0 \u2192 1.1.0\nawait manager.preparerelease({ bumptype: 'minor' });\n\n// bump major: 1.0.0 \u2192 2.0.0\nawait manager.preparerelease({ bumptype: 'major' });\n\n// prerelease: 1.0.0 \u2192 1.0.0-alpha.1\nawait manager.preparerelease({ bumptype: 'prerelease', channel: 'alpha' });\n```\n\n### changelog from conventional commits\n\n```bash\n# commit format: type(scope): message\ngit commit -m \"feat(api): add new endpoint\"\ngit commit -m \"fix(auth): resolve login issue\"\ngit commit -m \"feat(ui): update design breaking change: new layout\"\n```\n\ngenerated:\n```markdown\n## [2.0.0] - 
2026-01-15\n\n### breaking changes\n- **ui**: update design breaking change: new layout\n\n### features\n- **api**: add new endpoint\n- **ui**: update design\n\n### bug fixes\n- **auth**: resolve login issue\n```\n\n### complete release workflow\n\n```typescript\nimport { validator, releasemanager, publisher } from '@claude-flow/deployment';\n\nasync function release(version: string, tag: string) {\n // 1. validate\n const validator = new validator();\n const validation = await validator.validate({\n lint: true, test: true, build: true, checkdependencies: true\n });\n if (!validation.valid) throw new error(validation.errors.join(', '));\n\n // 2. prepare release\n const manager = new releasemanager();\n await manager.preparerelease({\n version,\n generatechangelog: true,\n createtag: true,\n commit: true\n });\n\n // 3. publish\n const publisher = new publisher();\n await publisher.publishtonpm({ tag, access: 'public' });\n}\n```\n\n### channel/tag strategy\n\n| channel | version format | use case |\n|---------|----------------|----------|\n| `alpha` | `1.0.0-alpha.1` | early development |\n| `beta` | `1.0.0-beta.1` | feature complete, testing |\n| `rc` | `1.0.0-rc.1` | release candidate |\n| `latest` | `1.0.0` | stable production |\n\n### cli commands\n\n```bash\n# prepare release\nnpx @claude-flow/deployment release --version 2.0.0 --changelog --tag\n\n# publish to npm\nnpx @claude-flow/deployment publish --tag latest --access public\n\n# validate package\nnpx @claude-flow/deployment validate\n\n# dry run (no changes)\nnpx @claude-flow/deployment release --version 2.0.0 --dry-run\n```\n\n
\n\n---\n\n
\n\ud83d\udcca performance benchmarking \u2014 @claude-flow/performance\n\nstatistical benchmarking, memory tracking, regression detection, and v3 performance target validation.\n\n### features\n\n| feature | description | performance |\n|---------|-------------|-------------|\n| **statistical analysis** | mean, median, p95, p99, stddev, outlier removal | real-time |\n| **memory tracking** | heap, rss, external, array buffers | per-iteration |\n| **auto-calibration** | adjusts iterations for statistical significance | automatic |\n| **regression detection** | compare against baselines with significance testing | <10ms |\n| **v3 targets** | built-in targets for all performance metrics | preconfigured |\n| **flash attention** | validate 2.49x-7.47x speedup targets | integrated |\n\n### quick start\n\n```typescript\nimport { benchmark, benchmarkrunner, v3_performance_targets } from '@claude-flow/performance';\n\n// single benchmark\nconst result = await benchmark('vector-search', async () => {\n await index.search(queryvector, 10);\n}, { iterations: 100, warmup: 10 });\n\nconsole.log(`mean: ${result.mean}ms, p99: ${result.p99}ms`);\n\n// check against v3 target\nif (result.mean <= v3_performance_targets['vector-search']) {\n console.log('\u2705 target met!');\n}\n```\n\n### v3 performance targets\n\n```typescript\nimport { v3_performance_targets, meetstarget } from '@claude-flow/performance';\n\n// built-in targets\nv3_performance_targets = {\n // startup performance\n 'cli-cold-start': 500, // <500ms (5x faster)\n 'cli-warm-start': 100, // <100ms\n 'mcp-server-init': 400, // <400ms (4.5x faster)\n 'agent-spawn': 200, // <200ms (4x faster)\n\n // memory operations\n 'vector-search': 1, // <1ms (150x faster)\n 'hnsw-indexing': 10, // <10ms\n 'memory-write': 5, // <5ms (10x faster)\n 'cache-hit': 0.1, // <0.1ms\n\n // swarm coordination\n 'agent-coordination': 50, // <50ms\n 'task-decomposition': 20, // <20ms\n 'consensus-latency': 100, // <100ms (5x faster)\n 
'message-throughput': 0.1, // <0.1ms per message\n\n // sona learning\n 'sona-adaptation': 0.05 // <0.05ms\n};\n\n// check if target is met\nconst { met, target, ratio } = meetstarget('vector-search', 0.8);\n// { met: true, target: 1, ratio: 0.8 }\n```\n\n### benchmark suite\n\n```typescript\nimport { benchmarkrunner } from '@claude-flow/performance';\n\nconst runner = new benchmarkrunner('memory operations');\n\n// run individual benchmarks\nawait runner.run('vector-search', async () => {\n await index.search(query, 10);\n});\n\nawait runner.run('memory-write', async () => {\n await store.write(entry);\n});\n\n// run all at once\nconst suite = await runner.runall([\n { name: 'search', fn: () => search() },\n { name: 'write', fn: () => write() },\n { name: 'index', fn: () => index() }\n]);\n\n// print formatted results\nrunner.printresults();\n\n// export as json\nconst json = runner.tojson();\n```\n\n### comparison & regression detection\n\n```typescript\nimport { compareresults, printcomparisonreport } from '@claude-flow/performance';\n\n// compare current vs baseline\nconst comparisons = compareresults(baselineresults, currentresults, {\n 'vector-search': 1, // target: <1ms\n 'memory-write': 5, // target: <5ms\n 'cli-startup': 500 // target: <500ms\n});\n\n// print formatted report\nprintcomparisonreport(comparisons);\n\n// programmatic access\nfor (const comp of comparisons) {\n if (!comp.targetmet) {\n console.error(`${comp.benchmark} missed target!`);\n }\n if (comp.significant && !comp.improved) {\n console.warn(`${comp.benchmark} regressed by ${comp.changepercent}%`);\n }\n}\n```\n\n### result structure\n\n```typescript\ninterface benchmarkresult {\n name: string;\n iterations: number;\n mean: number; // average time (ms)\n median: number; // median time (ms)\n p95: number; // 95th percentile\n p99: number; // 99th percentile\n min: number;\n max: number;\n stddev: number; // standard deviation\n opspersecond: number; // operations/second\n memoryusage: {\n 
heapused: number;\n heaptotal: number;\n external: number;\n arraybuffers: number;\n rss: number;\n };\n memorydelta: number; // memory change during benchmark\n timestamp: number;\n}\n```\n\n### formatting utilities\n\n```typescript\nimport { formatbytes, formattime } from '@claude-flow/performance';\n\nformattime(0.00005); // '50.00 ns'\nformattime(0.5); // '500.00 \u00b5s'\nformattime(5); // '5.00 ms'\nformattime(5000); // '5.00 s'\n\nformatbytes(1024); // '1.00 kb'\nformatbytes(1048576); // '1.00 mb'\nformatbytes(1073741824); // '1.00 gb'\n```\n\n### cli commands\n\n```bash\n# run all benchmarks\nnpm run bench\n\n# run attention benchmarks\nnpm run bench:attention\n\n# run startup benchmarks\nnpm run bench:startup\n\n# performance report\nnpx ruflo@v3alpha performance report\n\n# benchmark specific suite\nnpx ruflo@v3alpha performance benchmark --suite memory\n```\n\n
\n\n---\n\n
\n\ud83e\uddea testing framework \u2014 @claude-flow/testing\n\ncomprehensive tdd framework implementing **london school** patterns with behavior verification, shared fixtures, and mock services.\n\n### philosophy: london school tdd\n\n```\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 london school tdd \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 1. arrange - set up mocks before acting \u2502\n\u2502 2. act - execute the behavior under test \u2502\n\u2502 3. 
assert - verify behavior (interactions), not state \u2502\n\u2502 \u2502\n\u2502 \"test behavior, not implementation\" \u2502\n\u2502 \"mock external dependencies, test interactions\" \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n```\n\n### quick start\n\n```typescript\nimport {\n setupv3tests,\n createmockapplication,\n agentconfigs,\n swarmconfigs,\n waitfor,\n} from '@claude-flow/testing';\n\n// configure test environment\nsetupv3tests();\n\ndescribe('mymodule', () => {\n const app = createmockapplication();\n\n beforeeach(() => {\n vi.clearallmocks();\n });\n\n it('should spawn an agent', async () => {\n const result = await app.agentlifecycle.spawn(agentconfigs.queencoordinator);\n\n expect(result.success).tobe(true);\n expect(result.agent.type).tobe('queen-coordinator');\n });\n});\n```\n\n### fixtures\n\n#### agent fixtures\n\n```typescript\nimport {\n agentconfigs,\n createagentconfig,\n createv3swarmagentconfigs,\n createmockagent,\n} from '@claude-flow/testing';\n\n// pre-defined configs\nconst queen = agentconfigs.queencoordinator;\nconst coder = agentconfigs.coder;\n\n// create with overrides\nconst customagent = createagentconfig('coder', {\n name: 'custom coder',\n priority: 90,\n});\n\n// full v3 15-agent swarm\nconst swarmagents = createv3swarmagentconfigs();\n\n// mock agents with vitest mocks\nconst mockagent = createmockagent('security-architect');\nmockagent.execute.mockresolvedvalue({ success: true });\n```\n\n#### memory fixtures\n\n```typescript\nimport {\n memoryentries,\n creatememoryentry,\n generatemockembedding,\n creatememorybatch,\n} from '@claude-flow/testing';\n\n// pre-defined entries\nconst 
pattern = memoryentries.agentpattern;\nconst securityrule = memoryentries.securityrule;\n\n// generate embeddings\nconst embedding = generatemockembedding(384, 'my-seed');\n\n// create batch for performance testing\nconst batch = creatememorybatch(10000, 'semantic');\n```\n\n#### swarm fixtures\n\n```typescript\nimport {\n swarmconfigs,\n createswarmconfig,\n createswarmtask,\n createmockswarmcoordinator,\n} from '@claude-flow/testing';\n\n// pre-defined configs\nconst v3config = swarmconfigs.v3default;\nconst minimalconfig = swarmconfigs.minimal;\n\n// create with overrides\nconst customconfig = createswarmconfig('v3default', {\n maxagents: 20,\n coordination: {\n consensusprotocol: 'pbft',\n heartbeatinterval: 500,\n },\n});\n\n// mock coordinator\nconst coordinator = createmockswarmcoordinator();\nawait coordinator.initialize(v3config);\n```\n\n#### mcp fixtures\n\n```typescript\nimport {\n mcptools,\n createmcptool,\n createmockmcpclient,\n} from '@claude-flow/testing';\n\n// pre-defined tools\nconst swarminit = mcptools.swarminit;\nconst agentspawn = mcptools.agentspawn;\n\n// mock client\nconst client = createmockmcpclient();\nawait client.connect();\nconst result = await client.calltool('swarm_init', { topology: 'mesh' });\n```\n\n### mock factory\n\n```typescript\nimport {\n createmockapplication,\n createmockeventbus,\n createmocktaskmanager,\n createmocksecurityservice,\n createmockswarmcoordinator,\n} from '@claude-flow/testing';\n\n// full application with all mocks\nconst app = createmockapplication();\n\n// use in tests\nawait app.taskmanager.create({ name: 'test', type: 'coding', payload: {} });\nexpect(app.taskmanager.create).tohavebeencalled();\n\n// access tracked state\nexpect(app.eventbus.publishedevents).tohavelength(1);\nexpect(app.taskmanager.tasks.size).tobe(1);\n```\n\n### async utilities\n\n```typescript\nimport {\n waitfor,\n waituntilchanged,\n retry,\n withtimeout,\n parallellimit,\n} from '@claude-flow/testing';\n\n// wait for 
condition\nawait waitfor(() => element.isvisible(), { timeout: 5000 });\n\n// wait for value to change\nawait waituntilchanged(() => counter.value, { from: 0 });\n\n// retry with exponential backoff\nconst result = await retry(\n async () => await fetchdata(),\n { maxattempts: 3, backoff: 100 }\n);\n\n// timeout wrapper\nawait withtimeout(async () => await longop(), 5000);\n\n// parallel with concurrency limit\nconst results = await parallellimit(\n items.map(item => () => processitem(item)),\n 5 // max 5 concurrent\n);\n```\n\n### assertions\n\n```typescript\nimport {\n asserteventpublished,\n asserteventorder,\n assertmockscalledinorder,\n assertv3performancetargets,\n assertnosensitivedata,\n} from '@claude-flow/testing';\n\n// event assertions\nasserteventpublished(mockeventbus, 'usercreated', { userid: '123' });\nasserteventorder(mockeventbus.publish, ['usercreated', 'emailsent']);\n\n// mock order\nassertmockscalledinorder([mockvalidate, mocksave, mocknotify]);\n\n// performance targets\nassertv3performancetargets({\n searchspeedup: 160,\n flashattentionspeedup: 3.5,\n memoryreduction: 0.55,\n});\n\n// security\nassertnosensitivedata(mocklogger.logs, ['password', 'token', 'secret']);\n```\n\n### performance testing\n\n```typescript\nimport { createperformancetesthelper, test_config } from '@claude-flow/testing';\n\nconst perf = createperformancetesthelper();\n\nperf.startmeasurement('search');\nawait search(query);\nconst duration = perf.endmeasurement('search');\n\n// get statistics\nconst stats = perf.getstats('search');\nconsole.log(`avg: ${stats.avg}ms, p95: ${stats.p95}ms`);\n\n// v3 targets\nconsole.log(test_config.flash_attention_speedup_min); // 2.49\nconsole.log(test_config.agentdb_search_improvement_max); // 12500\n```\n\n### best practices\n\n| practice | do | don't |\n|----------|-----|-------|\n| **mock dependencies** | `mockrepo.findbyid.mockresolvedvalue(user)` | call real database |\n| **use fixtures** | `agentconfigs.queencoordinator` | 
inline object literals |\n| **test behavior** | `expect(mocknotifier.notify).tohavebeencalled()` | `expect(service._queue.length).tobe(1)` |\n| **isolate tests** | `vi.clearallmocks()` in `beforeeach` | share state between tests |\n| **verify interactions** | `expect(save).tohavebeencalledbefore(notify)` | assert implementation details |\n\n
\n\n---\n\n## \u2699\ufe0f configuration & reference\n\nenvironment setup, configuration options, and platform support.\n\n
\n\ud83d\udcbb cross-platform support\n\nthe commands below use the `@latest` dist-tag, which resolves to whatever version is published at run time; pin an exact version where audit results need to be reproducible.\n\n### windows (powershell)\n\n```powershell\nnpx @claude-flow/security@latest audit --platform windows\n$env:claude_flow_mode = \"integration\"\n```\n\n### macos (bash/zsh)\n\n```bash\nnpx @claude-flow/security@latest audit --platform darwin\nexport claude_flow_security_mode=\"strict\"\n```\n\n### linux (bash)\n\n```bash\nnpx @claude-flow/security@latest audit --platform linux\nexport claude_flow_memory_path=\"./data\"\n```\n\n
\n\n---\n\n
\n\u2699\ufe0f environment variables\n\n### core configuration\n\n| variable | description | default |\n|----------|-------------|---------|\n| `claude_flow_mode` | operation mode (`development`, `production`, `integration`) | `development` |\n| `claude_flow_env` | environment name for test/dev isolation | - |\n| `claude_flow_data_dir` | root data directory | `./data` |\n| `claude_flow_memory_path` | directory for persistent memory storage | `./data` |\n| `claude_flow_memory_type` | memory backend type (`json`, `sqlite`, `agentdb`, `hybrid`) | `hybrid` |\n| `claude_flow_security_mode` | security level (`strict`, `standard`, `permissive`) | `standard` |\n| `claude_flow_log_level` | logging verbosity (`debug`, `info`, `warn`, `error`) | `info` |\n| `claude_flow_config` | path to configuration file | `./claude-flow.config.json` |\n| `node_env` | node.js environment (`development`, `production`, `test`) | `development` |\n\n### swarm & agents\n\n| variable | description | default |\n|----------|-------------|---------|\n| `claude_flow_max_agents` | default concurrent agent limit | `15` |\n| `claude_flow_topology` | default swarm topology (`hierarchical`, `mesh`, `ring`, `star`) | `hierarchical` |\n| `claude_flow_headless` | run in headless mode (no interactive prompts) | `false` |\n| `claude_code_headless` | claude code headless mode compatibility | `false` |\n\n### mcp server\n\n| variable | description | default |\n|----------|-------------|---------|\n| `claude_flow_mcp_port` | mcp server port | `3000` |\n| `claude_flow_mcp_host` | mcp server host | `localhost` |\n| `claude_flow_mcp_transport` | transport type (`stdio`, `http`, `websocket`) | `stdio` |\n\n### vector search (hnsw)\n\n| variable | description | default |\n|----------|-------------|---------|\n| `claude_flow_hnsw_m` | hnsw index m parameter (connectivity, higher = more accurate) | `16` |\n| `claude_flow_hnsw_ef` | hnsw search ef parameter (accuracy, higher = slower) | `200` |\n| 
`claude_flow_embedding_dim` | vector embedding dimensions | `384` |\n| `sqljs_wasm_path` | custom path to sql.js wasm binary | - |\n\n### ai provider api keys\n\n| variable | description | required |\n|----------|-------------|----------|\n| `anthropic_api_key` | anthropic api key for claude models | yes (claude) |\n| `openai_api_key` | openai api key for gpt models | optional |\n| `google_gemini_api_key` | google gemini api key | optional |\n| `openrouter_api_key` | openrouter api key (multi-provider) | optional |\n| `ollama_url` | ollama server url for local models | `http://localhost:11434` |\n\n### ipfs/decentralized storage\n\n| variable | description | required |\n|----------|-------------|----------|\n| `web3_storage_token` | web3.storage api token | optional |\n| `w3_token` | alternative web3.storage token | optional |\n| `ipfs_token` | generic ipfs api token | optional |\n| `pinata_api_key` | pinata ipfs api key | optional |\n| `pinata_api_secret` | pinata ipfs api secret | optional |\n| `ipfs_api_url` | local ipfs node api url | `http://localhost:5001` |\n| `ipfs_gateway_url` | ipfs gateway url | `https://ipfs.io` |\n\n### google cloud storage\n\n| variable | description | required |\n|----------|-------------|----------|\n| `gcs_bucket` | google cloud storage bucket name | optional |\n| `google_cloud_bucket` | alternative gcs bucket variable | optional |\n| `gcs_project_id` | gcs project id | optional |\n| `google_cloud_project` | alternative project id variable | optional |\n| `google_application_credentials` | path to gcs service account json | optional |\n| `gcs_prefix` | prefix for stored files | `ruflo-patterns` |\n\n### auto-update system\n\n| variable | description | default |\n|----------|-------------|---------|\n| `claude_flow_auto_update` | enable/disable auto-updates | `true` |\n| `claude_flow_force_update` | force update check | `false` |\n| `ci` | ci environment detection (disables updates) | - |\n| `continuous_integration` | alternative ci 
detection | - |\n\n### security\n\n| variable | description | required |\n|----------|-------------|----------|\n| `github_token` | github api token for repository operations | optional |\n| `jwt_secret` | jwt secret for authentication | in production |\n| `hmac_secret` | hmac secret for request signing | in production |\n| `claude_flow_token` | internal authentication token | optional |\n\n### output formatting\n\n| variable | description | default |\n|----------|-------------|---------|\n| `no_color` | disable colored output | - |\n| `force_color` | force colored output | - |\n| `debug` | enable debug output | `false` |\n| `tmpdir` | temporary directory path | `/tmp` |\n\n### example `.env` file\n\nthe key values below are truncated placeholders. a real `.env` holds live credentials, so keep it out of version control (for example via `.gitignore`) and restrict who can read it.\n\n```bash\n# core\nclaude_flow_mode=development\nclaude_flow_log_level=info\nclaude_flow_max_agents=15\n\n# ai providers\nanthropic_api_key=sk-ant-api03-...\nopenai_api_key=sk-...\n\n# mcp server\nclaude_flow_mcp_port=3000\nclaude_flow_mcp_transport=stdio\n\n# memory\nclaude_flow_memory_type=hybrid\nclaude_flow_memory_path=./data\n\n# vector search\nclaude_flow_hnsw_m=16\nclaude_flow_hnsw_ef=200\n\n# optional: ipfs storage\n# pinata_api_key=...\n# pinata_api_secret=...\n\n# optional: google cloud\n# gcs_bucket=my-bucket\n# google_application_credentials=./service-account.json\n```\n\n
\n\n---\n\n
\n\ud83d\udcc4 configuration reference\n\n### configuration file location\n\nruflo looks for configuration in this order:\n1. `./claude-flow.config.json` (project root)\n2. `~/.config/ruflo/config.json` (user config)\n3. environment variables (override any file config)\n\n### complete configuration schema\n\n```json\n{\n \"version\": \"3.0.0\",\n\n \"orchestrator\": {\n \"timeout\": 120000,\n \"retryattempts\": 3,\n \"retrydelay\": 5000\n },\n\n \"terminal\": {\n \"emulateenvironment\": true,\n \"defaultshell\": \"/bin/bash\",\n \"workingdirectory\": \"./\",\n \"maxoutputlength\": 10000,\n \"timeout\": 60000\n },\n\n \"memory\": {\n \"type\": \"hybrid\",\n \"path\": \"./data\",\n \"maxentries\": 10000,\n \"ttl\": 86400,\n \"hnsw\": {\n \"m\": 16,\n \"ef\": 200,\n \"efconstruction\": 200\n },\n \"encryption\": {\n \"enabled\": false,\n \"algorithm\": \"aes-256-gcm\"\n }\n },\n\n \"swarm\": {\n \"topology\": \"hierarchical\",\n \"maxagents\": 15,\n \"strategy\": \"specialized\",\n \"heartbeatinterval\": 5000,\n \"taskqueuesize\": 100\n },\n\n \"coordination\": {\n \"mode\": \"hub-spoke\",\n \"maxretries\": 5,\n \"retrydelay\": 10000,\n \"circuitbreaker\": {\n \"enabled\": true,\n \"threshold\": 5,\n \"timeout\": 60000,\n \"resettimeout\": 300000\n }\n },\n\n \"loadbalancing\": {\n \"strategy\": \"round-robin\",\n \"healthcheckinterval\": 30000,\n \"maxload\": 0.8\n },\n\n \"mcp\": {\n \"transport\": \"stdio\",\n \"port\": 3000,\n \"host\": \"localhost\"\n },\n\n \"neural\": {\n \"enabled\": true,\n \"sona\": true,\n \"ewc\": true,\n \"moe\": {\n \"experts\": 8,\n \"topk\": 2\n }\n },\n\n \"security\": {\n \"mode\": \"strict\",\n \"inputvalidation\": true,\n \"pathvalidation\": true,\n \"authentication\": {\n \"required\": false,\n \"method\": \"jwt\"\n },\n \"ratelimit\": {\n \"enabled\": true,\n \"maxrequests\": 1000,\n \"windowms\": 60000\n }\n },\n\n \"logging\": {\n \"level\": \"info\",\n \"format\": \"json\",\n \"destination\": \"console\",\n \"filepath\": 
\"./logs/ruflo.log\",\n \"maxfilesize\": \"100mb\",\n \"maxfiles\": 10\n },\n\n \"monitoring\": {\n \"enabled\": true,\n \"metricsinterval\": 60000,\n \"alertthresholds\": {\n \"errorrate\": 0.05,\n \"responsetime\": 5000,\n \"memoryusage\": 0.9\n }\n },\n\n \"providers\": {\n \"default\": \"anthropic\",\n \"fallback\": [\"openai\", \"google\"],\n \"anthropic\": {\n \"model\": \"claude-sonnet-4-20250514\",\n \"maxtokens\": 8192\n },\n \"openai\": {\n \"model\": \"gpt-4o\",\n \"maxtokens\": 4096\n }\n },\n\n \"hooks\": {\n \"enabled\": true,\n \"learning\": true,\n \"pretrainonstart\": false\n },\n\n \"update\": {\n \"autocheck\": true,\n \"checkinterval\": 86400000,\n \"allowprerelease\": false\n }\n}\n```\n\n### configuration by use case\n\n
\ndevelopment configuration\n\nfor local development only: this profile sets `security.mode` to `permissive` and logging to `debug`, whereas the production profile uses `strict` and `warn`.\n\n```json\n{\n \"version\": \"3.0.0\",\n \"memory\": { \"type\": \"sqlite\", \"path\": \"./dev-data\" },\n \"swarm\": { \"topology\": \"mesh\", \"maxagents\": 5 },\n \"security\": { \"mode\": \"permissive\" },\n \"logging\": { \"level\": \"debug\", \"destination\": \"console\" },\n \"hooks\": { \"enabled\": true, \"learning\": true }\n}\n```\n
\n\n
\nproduction configuration\n\n```json\n{\n \"version\": \"3.0.0\",\n \"memory\": {\n \"type\": \"hybrid\",\n \"path\": \"/var/lib/ruflo/data\",\n \"encryption\": { \"enabled\": true, \"algorithm\": \"aes-256-gcm\" }\n },\n \"swarm\": { \"topology\": \"hierarchical\", \"maxagents\": 15 },\n \"security\": {\n \"mode\": \"strict\",\n \"ratelimit\": { \"enabled\": true, \"maxrequests\": 100 }\n },\n \"logging\": {\n \"level\": \"warn\",\n \"format\": \"json\",\n \"destination\": \"file\",\n \"filepath\": \"/var/log/ruflo/production.log\"\n },\n \"monitoring\": { \"enabled\": true, \"metricsinterval\": 30000 }\n}\n```\n
\n\n
\nci/cd configuration\n\n```json\n{\n \"version\": \"3.0.0\",\n \"memory\": { \"type\": \"sqlite\", \"path\": \":memory:\" },\n \"swarm\": { \"topology\": \"mesh\", \"maxagents\": 3 },\n \"security\": { \"mode\": \"strict\" },\n \"logging\": { \"level\": \"error\", \"destination\": \"console\" },\n \"update\": { \"autocheck\": false },\n \"hooks\": { \"enabled\": false }\n}\n```\n
\n\n
\nmemory-constrained configuration\n\n```json\n{\n \"version\": \"3.0.0\",\n \"memory\": {\n \"type\": \"sqlite\",\n \"maxentries\": 1000,\n \"hnsw\": { \"m\": 8, \"ef\": 100 }\n },\n \"swarm\": { \"maxagents\": 3 },\n \"neural\": { \"enabled\": false }\n}\n```\n
\n\n### cli configuration commands\n\n```bash\n# view current configuration\nnpx ruflo@v3alpha config list\n\n# get specific value\nnpx ruflo@v3alpha config get --key memory.type\n\n# set configuration value\nnpx ruflo@v3alpha config set --key swarm.maxagents --value 10\n\n# export configuration\nnpx ruflo@v3alpha config export > my-config.json\n\n# import configuration\nnpx ruflo@v3alpha config import --file my-config.json\n\n# reset to defaults\nnpx ruflo@v3alpha config reset --key swarm\n\n# initialize with wizard\nnpx ruflo@v3alpha init --wizard\n```\n\n
\n\n---\n\n## \ud83d\udcd6 help & resources\n\ntroubleshooting, migration guides, and documentation links.\n\n
\n\ud83d\udd27 troubleshooting\n\n### common issues\n\n**mcp server won't start**\n```bash\n# check if port is in use\nlsof -i :3000\n# kill existing process (use the pid reported by lsof, after confirming it is the old mcp server)\nkill -9 <pid>\n# restart mcp server\nnpx ruflo@v3alpha mcp start\n```\n\n**agent spawn failures**\n```bash\n# check available memory\nfree -m\n# reduce max agents if memory constrained\nexport claude_flow_max_agents=5\n```\n\n**pattern search returning no results**\n```bash\n# verify patterns are stored\nnpx ruflo@v3alpha hooks metrics\n# re-run pretraining if empty\nnpx ruflo@v3alpha hooks pretrain\n```\n\n**windows path issues**\n```powershell\n# use forward slashes or escape backslashes\n$env:claude_flow_memory_path = \"./data\"\n# or use absolute path\n$env:claude_flow_memory_path = \"c:/users/name/ruflo/data\"\n```\n\n**permission denied errors**\n```bash\n# fix npm permissions (linux/macos)\nsudo chown -R $(whoami) ~/.npm\n# or use nvm to manage node.js\n```\n\n**high memory usage**\n```bash\n# expose the gc() hook (--expose-gc) so garbage collection can be triggered manually\nnode --expose-gc node_modules/.bin/ruflo\n# reduce hnsw parameters for lower memory\nexport claude_flow_hnsw_m=8\nexport claude_flow_hnsw_ef=100\n```\n\n
\n\n---\n\n
\n\ud83d\udd04 migration guide (v2 \u2192 v3)\n\n### why migrate to v3?\n\n```\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 v2 \u2192 v3 improvements \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 memory search \u2502 150x - 12,500x faster (hnsw) \u2502\n\u2502 pattern matching \u2502 self-learning (reasoningbank) \u2502\n\u2502 security \u2502 cve remediation + strict validation \u2502\n\u2502 modular architecture \u2502 18 @claude-flow/* packages \u2502\n\u2502 agent coordination \u2502 60+ specialized agents \u2502\n\u2502 token efficiency \u2502 32% reduction with optimization \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n```\n\n### breaking changes\n\n| change | v2 | v3 | impact |\n|--------|----|----|--------|\n| **package structure** | `ruflo` | `@claude-flow/*` (scoped) | update imports |\n| **memory backend** | json files | agentdb + hnsw | faster search |\n| **hooks system** | basic patterns | reasoningbank + sona | self-learning |\n| 
**security** | manual validation | automatic strict mode | more secure |\n| **cli commands** | flat structure | nested subcommands | new syntax |\n| **config format** | `.ruflo/config.json` | `claude-flow.config.json` | update path |\n\n### step-by-step migration\n\n```bash\n# step 1: back up existing data (critical)\ncp -r ./data ./data-backup-v2\ncp -r ./.ruflo ./.ruflo-backup-v2\n\n# step 2: check migration status\nnpx ruflo@v3alpha migrate status\n\n# step 3: run migration with dry-run first\nnpx ruflo@v3alpha migrate run --dry-run\n\n# step 4: execute migration\nnpx ruflo@v3alpha migrate run --from v2\n\n# step 5: verify migration\nnpx ruflo@v3alpha migrate verify\n\n# step 6: initialize v3 learning\nnpx ruflo@v3alpha hooks pretrain\nnpx ruflo@v3alpha doctor --fix\n```\n\n### command changes reference\n\n| v2 command | v3 command | notes |\n|------------|------------|-------|\n| `ruflo start` | `ruflo mcp start` | mcp is explicit |\n| `ruflo init` | `ruflo init --wizard` | interactive mode |\n| `ruflo spawn <type>` | `ruflo agent spawn -t <type>` | nested under `agent` |\n| `ruflo swarm create` | `ruflo swarm init --topology mesh` | explicit topology |\n| `--pattern-store path` | `--memory-backend agentdb` | backend selection |\n| `hooks record` | `hooks post-edit --success true` | explicit success flag |\n| `memory get <key>` | `memory retrieve --key <key>` | explicit flag |\n| `memory set <key> <value>` | `memory store --key <key> --value <value>` | explicit flags |\n| `neural learn` | `hooks intelligence --mode learn` | under hooks |\n| `config set key value` | `config set --key key --value value` | explicit flags |\n\n### configuration migration\n\n**v2 config (`.ruflo/config.json`)**:\n```json\n{\n \"mode\": \"basic\",\n \"patternstore\": \"./patterns\",\n \"maxagents\": 10\n}\n```\n\n**v3 config (`claude-flow.config.json`)**:\n```json\n{\n \"version\": \"3.0.0\",\n \"memory\": {\n \"type\": \"hybrid\",\n \"path\": \"./data\",\n \"hnsw\": { \"m\": 16, \"ef\": 200 }\n },\n \"swarm\": {\n \"topology\": 
\"hierarchical\",\n \"maxagents\": 15,\n \"strategy\": \"specialized\"\n },\n \"security\": { \"mode\": \"strict\" },\n \"neural\": { \"enabled\": true, \"sona\": true }\n}\n```\n\n### import changes\n\n```typescript\n// v2 (deprecated)\nimport { claudeflow, agent, memory } from 'ruflo';\n\n// v3 (new)\nimport { claudeflowclient } from '@claude-flow/cli';\nimport { agentdb } from '@claude-flow/memory';\nimport { threatdetector } from '@claude-flow/security';\nimport { hnswindex } from '@claude-flow/embeddings';\n```\n\n### rollback procedure\n\nif migration fails, you can roll back:\n\n```bash\n# check rollback options\nnpx ruflo@v3alpha migrate rollback --list\n\n# roll back to v2\nnpx ruflo@v3alpha migrate rollback --to v2\n\n# restore backup manually if needed (confirm ./data-backup-v2 exists before deleting ./data)\nrm -rf ./data\ncp -r ./data-backup-v2 ./data\n```\n\n### post-migration checklist\n\n- [ ] verify all agents spawn correctly: `npx ruflo@v3alpha agent list`\n- [ ] check memory search works: `npx ruflo@v3alpha memory search -q \"test\"`\n- [ ] confirm mcp server starts: `npx ruflo@v3alpha mcp start`\n- [ ] run doctor diagnostics: `npx ruflo@v3alpha doctor`\n- [ ] test a simple swarm: `npx ruflo@v3alpha swarm init --topology mesh`\n- [ ] bootstrap learning: `npx ruflo@v3alpha hooks pretrain`\n\n### common migration issues\n\n| issue | cause | solution |\n|-------|-------|----------|\n| `module_not_found` | old package references | update imports to `@claude-flow/*` |\n| `config not found` | path change | rename to `claude-flow.config.json` |\n| `memory backend error` | schema change | run `migrate run` to convert |\n| `hooks not working` | new hook names | use new hook commands |\n| `agent spawn fails` | type name changes | check `agent list` for new types |\n\n
\n\n---\n\n
\n\ud83d\udcda documentation\n\n### v3 module documentation\n\n| module | description | docs |\n|--------|-------------|------|\n| `@claude-flow/plugins` | plugin sdk with workers, hooks, providers, security | readme |\n| `@claude-flow/hooks` | event-driven lifecycle hooks + reasoningbank | source |\n| `@claude-flow/memory` | agentdb unification with hnsw indexing | source |\n| `@claude-flow/security` | cve remediation & security patterns | source |\n| `@claude-flow/swarm` | 15-agent coordination engine | source |\n| `@claude-flow/cli` | cli modernization | source |\n| `@claude-flow/neural` | sona learning integration | source |\n| `@claude-flow/testing` | tdd london school framework | source |\n| `@claude-flow/mcp` | mcp server & tools | source |\n| `@claude-flow/embeddings` | vector embedding providers | source |\n| `@claude-flow/providers` | llm provider integrations | source |\n| `@claude-flow/integration` | agentic-flow@alpha integration | source |\n| `@claude-flow/performance` | benchmarking & optimization | source |\n| `@claude-flow/deployment` | release & ci/cd | source |\n| `@claude-flow/shared` | shared utilities, types & v3progressservice | source |\n| `@claude-flow/browser` | ai-optimized browser automation with agent-browser | readme |\n\n### additional resources\n\n- v2 documentation\n- architecture decisions (adrs)\n- api reference\n- examples\n\n
\n\n## support\n\n| resource | link |\n|----------|------|\n| \ud83d\udcda documentation | [github.com/ruvnet/claude-flow](https://github.com/ruvnet/claude-flow) |\n| \ud83d\udc1b issues & bugs | [github.com/ruvnet/claude-flow/issues](https://github.com/ruvnet/claude-flow/issues) |\n| \ud83d\udcbc professional implementation | [ruv.io](https://ruv.io) \u2014 enterprise consulting, custom integrations, and production deployment |\n| \ud83d\udcac discord community | [agentics foundation](https://discord.com/invite/dfxmpwkg2d) |\n\n## license\n\nmit - [ruvnet](https://github.com/ruvnet)\n\n[![ruvector](https://img.shields.io/npm/v/ruvector?style=for-the-badge&logo=rust&color=orange&label=ruvector)](https://www.npmjs.com/package/ruvector)\n[![agentic-flow](https://img.shields.io/npm/v/agentic-flow?style=for-the-badge&logo=typescript&color=3178c6&label=agentic-flow)](https://www.npmjs.com/package/agentic-flow)\n[![reddit](https://img.shields.io/reddit/subreddit-subscribers/aipromptprogramming?style=for-the-badge&logo=reddit&color=ff4500&label=r/aipromptprogramming)](https://www.reddit.com/r/aipromptprogramming/)\n\n[![crates.io](https://img.shields.io/badge/crates.io-ruvnet-e6732e?style=for-the-badge&logo=rust&logocolor=white)](https://crates.io/users/ruvnet)", "installation_instructions": null, "categories": [ "Everything", "Top Apps" ], "owners": [], "owner": null, "code_snippets": {}, "evaluation_results": [], "found_via_ownership_request": false, "hosting_eligible": false, "knative_enabled": false, "security_scans": [ { "repo_url": "https://github.com/ruvnet/claude-flow", "repo_name": "claude-flow", "score": 55, "risk_level": "high", "score_explanation": "Score starts at 100, deducts points for security issues, and adds points for security best practices", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "mcp_app_id": "9f3dd1f0-f841-496f-9273-5cb78417e19f", "scan_time": "2025-07-08T15:55:46.861410+00:00", "created_at": "2025-07-08T15:55:46.862172+00:00", 
"updated_at": "2025-07-08T15:55:46.862172+00:00", "findings": [ { "finding_id": "29fa3017-021b-4ce3-b24e-411544c55bbe", "message": "Use of child_process.exec() with dynamic input detected. This can lead to command injection.", "line": 32, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "scripts/build-monitor.js", "meta_info": { "lines": " exec('npm run build', (error, stdout, stderr) => {\n const buildOutput = stderr || stdout;\n const errors = this.parseErrors(buildOutput);\n \n const buildResult = {\n timestamp: new Date().toISOString(),\n errorCount: errors.length,\n errors: errors,\n success: errors.length === 0\n };\n\n this.buildHistory.push(buildResult);\n resolve(buildResult);\n });", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "d4cdc906-dc67-415e-8350-f61dc665fa33", "message": "Use of child_process.exec() with dynamic input detected. This can lead to command injection.", "line": 73, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "scripts/build-monitor.js", "meta_info": { "lines": " exec('npx ruv-swarm hook pre-search --query \"agent-progress\" --cache-results true', \n (error, stdout) => {\n resolve(stdout || '');\n }\n );", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "0c81ca9f-7a60-4a9d-bebe-fe0b00d7bc87", "message": "Use of child_process.exec() with dynamic input detected. 
This can lead to command injection.", "line": 139, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "scripts/build-monitor.js", "meta_info": { "lines": " exec(`npx ruv-swarm hook notification --message \"BUILD PROGRESS: ${buildResult.errorCount} errors remaining (${this.errorCount - buildResult.errorCount} fixed)\" --telemetry true`);", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "78c35b18-d8f9-4ef5-8680-605e4d000525", "message": "Use of child_process.exec() with dynamic input detected. This can lead to command injection.", "line": 150, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "scripts/build-monitor.js", "meta_info": { "lines": " exec(`npx ruv-swarm hook notification --message \"${message}\" --telemetry true`);", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "40485d3e-b58e-4eae-814e-c9e2bc111c9a", "message": "Use of child_process.exec() with dynamic input detected. This can lead to command injection.", "line": 161, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "scripts/build-monitor.js", "meta_info": { "lines": " exec(`npx ruv-swarm hook notification --message \"${message}\" --telemetry true`);", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "dc91135f-6600-4159-b7f3-92f484b777e9", "message": "Use of child_process.exec() with dynamic input detected. 
This can lead to command injection.", "line": 571, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "src/cli/simple-commands/swarm-ui.js", "meta_info": { "lines": " exec('pkill -f \"claude-flow swarm\"', (error) => {\n if (error) {\n this.log(`Error stopping swarm: ${error.message}`, 'error');\n } else {\n this.log('Swarm operations stopped');\n }\n });", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "7a80d0ba-50d1-4e3f-a2af-989d0dcf5b28", "message": "Use of child_process.exec() with dynamic input detected. This can lead to command injection.", "line": 593, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.js-exec-command", "severity": "ERROR", "path": "src/cli/simple-commands/swarm-ui.js", "meta_info": { "lines": " exec(command, (error, stdout, stderr) => {\n if (error) {\n this.log(`Command error: ${error.message}`, 'error');\n } else {\n if (stdout) this.log(`Output: ${stdout.trim()}`);\n if (stderr) this.log(`Error: ${stderr.trim()}`, 'warn');\n }\n });", "pattern": "", "rule_name": "process_execution" } }, { "finding_id": "9e85171e-fcd5-44fd-b489-5e83834d7f23", "message": "Potential NoSQL injection. 
Validate and sanitize user input.", "line": 386, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/controllers/user.controller.js", "meta_info": { "lines": " const tokens = await Token.find({\n user: id,\n type: 'refresh',\n })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "de227305-dabd-4a40-8649-2ccdf32c73fb", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 529, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/models/product.model.js", "meta_info": { "lines": " return this.find({ status: 'active', visibility: 'visible' })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "d8667bac-79e5-4767-b5a8-9dad82e1fc47", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 536, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/models/product.model.js", "meta_info": { "lines": " return this.find({ status: 'active', visibility: 'visible', featured: true })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "2225852f-f5dc-4d9e-adf2-9fb601056692", "message": "Potential NoSQL injection. 
Validate and sanitize user input.", "line": 547, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/models/product.model.js", "meta_info": { "lines": " return this.find({\n _id: { $ne: productId },\n status: 'active',\n visibility: 'visible',\n $or: [\n { category: product.category },\n { tags: { $in: product.tags } },\n ],\n })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "112c621c-fd66-4928-82ab-bb180e9e5b4b", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 26, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/seeders/orders.seeder.js", "meta_info": { "lines": " const products = await Product.find({ status: 'active' }).limit(50);", "pattern": "", "rule_name": "injection" } }, { "finding_id": "77446483-485a-4a1e-b053-4536f72c0fa1", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 276, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/services/order.service.js", "meta_info": { "lines": " const orders = await Order.find({ user: userId })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "a7284506-f43c-47e3-853b-2449e4b73a2f", "message": "Potential NoSQL injection. 
Validate and sanitize user input.", "line": 45, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/services/product.service.js", "meta_info": { "lines": " const products = await Product.find({\n _id: { $in: productIds },\n status: 'active',\n });", "pattern": "", "rule_name": "injection" } }, { "finding_id": "502cf6bc-9fdf-47b9-a234-4a940912fbcb", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 115, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/services/product.service.js", "meta_info": { "lines": " const recommendations = await Product.find({\n status: 'active',\n visibility: 'visible',\n })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "4a32a9b5-5185-4695-91bc-71ed17c0d668", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 129, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/services/product.service.js", "meta_info": { "lines": " const products = await Product.find({\n tags: { $in: tags },\n status: 'active',\n visibility: 'visible',\n })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "230b6f12-cc9d-4ae4-9657-8b26e141eeb1", "message": "Potential NoSQL injection. 
Validate and sanitize user input.", "line": 176, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/services/product.service.js", "meta_info": { "lines": " const products = await Product.find({\n 'inventory.trackInventory': true,\n 'inventory.quantity': { $lte: threshold || 10, $gt: 0 },\n status: 'active',\n })", "pattern": "", "rule_name": "injection" } }, { "finding_id": "c7325e24-baaa-472d-b73d-e4ad892a4c05", "message": "Potential NoSQL injection. Validate and sanitize user input.", "line": 191, "created_at": "2025-07-08T15:55:46.862172+00:00", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "type": "semgrep", "rule_id": "security-validator.scanner.rules.semgrep.nosql-injection", "severity": "ERROR", "path": "examples/05-swarm-apps/rest-api-advanced/src/services/product.service.js", "meta_info": { "lines": " const products = await Product.find({\n 'inventory.trackInventory': true,\n 'inventory.quantity': 0,\n 'inventory.allowBackorder': false,\n status: 'active',\n })", "pattern": "", "rule_name": "injection" } } ], "vulnerabilities": [ { "vulnerability_id": "07d11e7f-7ac3-4a4d-a9c2-f218141c26c2", "scan_id": "f48e674e-38fc-4f0d-a24a-30d308a91d14", "fixed_version": "unknown", "description": "[{'source': 1096454, 'name': 'pkg', 'dependency': 'pkg', 'title': 'Pkg Local Privilege Escalation', 'url': 'https://github.com/advisories/GHSA-22r3-9w55-cj54', 'severity': 'moderate', 'cwe': ['CWE-276'], 'cvss': {'score': 6.6, 'vectorString': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}, 'range': '<=5.8.1'}]", "created_at": "2025-07-08T15:55:46.862172+00:00", "package_name": "pkg", "vulnerable_version": "unknown", "severity": "moderate", "references": [] } ] } ] } }