claude-flow

v3.10.14 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 4d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agentic-ai agentic-framework agentic-rag agentic-workflow agents ai-agents

+14 more

ai-assistant ai-coding ai-skills autonomous-agents claude-code codex mcp-server multi-agent multi-agent-systems npm skills swarm swarm-intelligence typescript

Summary

AI summary

hooks_task-completed {trainPatterns: true} now invokes the real SONA+EWC++ trajectory pipeline and returns a learning path indicator.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Content sanitization added to task-completed payload (strip ASCII control chars, cap to 4 KB). Content sanitization added to task-completed payload (strip ASCII control chars, cap to 4 KB). Source: llm_adapter@2026-05-30 Confidence: high	—
Feature
Feature	Medium	Multi‑path messaging added; each learning surface reports its path and written stores. Multi‑path messaging added; each learning surface reports its path and written stores. Source: granite4.1:30b@2026-05-30-audit Confidence: low	—
Feature	Low	Added test suite `self-learning-2245.test.ts` with 9 tests covering EASY/MEDIUM/COMPLEX scenarios. Added test suite `self-learning-2245.test.ts` with 9 tests covering EASY/MEDIUM/COMPLEX scenarios. Source: granite4.1:30b@2026-05-30-audit Confidence: low	—
Feature	Low	Added benchmark script `benchmark-self-learning.mjs` producing committed run JSON metrics. Added benchmark script `benchmark-self-learning.mjs` producing committed run JSON metrics. Source: granite4.1:30b@2026-05-30-audit Confidence: low	—
Bugfix
Bugfix	Medium	hooks_task-completed now invokes real SONA+EWC++ pipeline and returns learningPath. hooks_task-completed now invokes real SONA+EWC++ pipeline and returns learningPath. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	signalsProcessed counter is now correctly incremented and persisted across restarts. signalsProcessed counter is now correctly incremented and persisted across restarts. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	hooks_pretrain now writes per‑pattern rows into the neural store, making them queryable via `neural_patterns list`. hooks_pretrain now writes per‑pattern rows into the neural store, making them queryable via `neural_patterns list`. Source: llm_adapter@2026-05-30 Confidence: high	—

Full changelog

Wires up the self-learning subsystem the reporter found was reporting success but persisting nothing queryable (#2245). Three CLI-side wirings + honest multi-path output + a proof harness.

What's fixed

hooks_task-completed {trainPatterns: true} now invokes the real SONA + EWC++ trajectory pipeline (was a stub returning patternsLearned: 0). Returns learningPath: 'trajectory-pipeline' | 'recorded-only' so callers know what happened.
signalsProcessed was a dead counter — initialized 3×, read 1×, incremented 0× anywhere. Now wired into bridgeStoreEntry so every memory-bridge write counts. loadPersistedStats also restores patternsLearned + signalsProcessed so a process restart no longer zeroes the learning history.
hooks_pretrain now writes per-pattern rows into the neural store (via new storeNeuralPatterns), so neural_patterns list reflects them. Response surfaces both patternsBundled + patternsIndexed + sources.stores.

Honest multi-path messaging (per the goal-condition)
Every learning-adjacent surface declares the path it took and the store(s) it wrote to. The task-completed description lists the three paths explicitly: (a) trainPatterns:true for one-step learning, (b) hooks_intelligence_trajectory-* for multi-step, (c) memory_store for storage without learning.

Adversarial hardening (#2241 ASI06)
Basic content sanitization on task-completed content before it feeds SONA (strip ASCII control chars, cap to 4 KB).

Proof

__tests__/self-learning-2245.test.ts — 9 tests across EASY / MEDIUM / COMPLEX categories. CI gate.
scripts/benchmark-self-learning.mjs — 5 sections (A–E), writes a committed run JSON. Latest run: signalsProcessed +10, trained=10/10 at ~18 ms/call, pretrain stored=10/listed=10, multi-step persisted=5/sonaUpdate=5. All passed.
Reproduction guide: v3/docs/learning/self-learning-2245-proof.md
ADR: v3/docs/adr/ADR-074-self-learning-wiring-2245.md

Install: npx [email protected]

Tracked for round 2 (not in this release)
Unify the 4 stat aggregators (globalStats / memory_bridge / hooks_metrics / neural_patterns); wire post-edit / post-command to feed the trajectory pipeline; Structured Distillation (#2241) of trajectory content for 11× compression + better MRR.

Security Fixes

ASI06 – Basic content sanitization on `task-completed` (strip ASCII control chars, cap payload to 4 KB)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track claude-flow

Get notified when new releases ship.

About claude-flow

Deploy multi-agent swarms with coordinated workflows.

All releases →

claude-flow

Summary

Changes in this release

Security Fixes

Related context

Related tools