fix: eliminate 17 remaining bare require() calls in ESM modules (v3.5.78)

Replace runtime require() with ESM imports across 6 files:
- diff-classifier.ts: child_process, util → top-level imports
- coverage-router.ts: fs, path, fs/promises → top-level imports
- performance-tools.ts: unlinkSync, readdirSync → extend existing import
- mcp-server.ts: execFileSync, readFileSync, http → use existing imports
- update/checker.ts: require.resolve → createRequire pattern
- security.ts: execSync → top-level import

Same bug class as #1559 — bare require() crashes in ESM packages.

Co-Authored-By: claude-flow <ruv@ruv.net>

Author: Reuven

package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-flow",
-  "version": "3.5.77",
+  "version": "3.5.78",
   "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "dist/index.js",
   "type": "module",

ruflo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ruflo",
-  "version": "3.5.77",
+  "version": "3.5.78",
   "description": "Ruflo - Enterprise AI agent orchestration platform. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
   "main": "bin/ruflo.js",
   "type": "module",

v3/@claude-flow/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claude-flow/cli",
-  "version": "3.5.77",
+  "version": "3.5.78",
   "type": "module",
   "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
   "main": "dist/src/index.js",

v3/@claude-flow/cli/src/commands/security.ts

@@ -7,6 +7,7 @@
 
 import type { Command, CommandContext, CommandResult } from '../types.js';
 import { output } from '../output.js';
+import { execSync } from 'node:child_process';
 
 // Scan subcommand
 const scanCommand: Command = {
@@ -353,7 +354,6 @@ const threatsCommand: Command = {
     // Check for .env files committed to git
     const checkEnvInGit = () => {
       try {
-        const { execSync } = require('child_process');
         const tracked = execSync('git ls-files --cached', { cwd: rootDir, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
         const envFiles = tracked.split('\n').filter((f: string) => /(?:^|\/)\.env(?:\.|$)/.test(f));
         for (const envFile of envFiles) {

v3/@claude-flow/cli/src/mcp-server.ts

@@ -18,8 +18,8 @@
  */
 
 import { EventEmitter } from 'events';
-import { spawn, ChildProcess } from 'child_process';
-import { createServer, Server } from 'http';
+import { spawn, ChildProcess, execFileSync } from 'child_process';
+import { createServer, Server, request as httpRequestFn } from 'http';
 import { randomUUID } from 'crypto';
 import * as path from 'path';
 import * as fs from 'fs';
@@ -713,13 +713,11 @@ export class MCPServerManager extends EventEmitter {
     // Verify it's actually a node process (guards against PID reuse)
     // DA-CRIT-3: Use execFileSync to prevent command injection via PID values
     try {
-      const { execFileSync } = require('child_process') as typeof import('child_process');
       const safePid = String(Math.floor(Math.abs(pid)));
       let cmdline = '';
       try {
         // Try /proc on Linux
-        const { readFileSync } = require('fs') as typeof import('fs');
-        cmdline = readFileSync(`/proc/${safePid}/cmdline`, 'utf8');
+        cmdline = fs.readFileSync(`/proc/${safePid}/cmdline`, 'utf8');
       } catch {
         // Fall back to ps on macOS/other
         try {
@@ -750,9 +748,8 @@ export class MCPServerManager extends EventEmitter {
   ): Promise<any> {
     return new Promise((resolve, reject) => {
       const urlObj = new URL(url);
-      const http = require('http');
 
-      const req = http.request(
+      const req = httpRequestFn(
         {
           hostname: urlObj.hostname,
           port: urlObj.port,

v3/@claude-flow/cli/src/mcp-tools/performance-tools.ts

@@ -14,7 +14,7 @@
 
 import { type MCPTool, getProjectCwd } from './types.js';
 import { validateIdentifier } from './validate-input.js';
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync, readdirSync } from 'node:fs';
 import { join } from 'node:path';
 import * as os from 'node:os';
 
@@ -222,7 +222,7 @@ export const performanceTools: MCPTool[] = [
         writeFileSync(probeFile, payload);
         readFileSync(probeFile);
         diskLatencyMs = Math.round((performance.now() - t0) * 100) / 100;
-        try { const { unlinkSync } = require('node:fs'); unlinkSync(probeFile); } catch { /* best-effort */ }
+        try { unlinkSync(probeFile); } catch { /* best-effort */ }
       } catch { /* disk probe failed, leave -1 */ }
 
       // Check stored benchmark history for slow operations
@@ -464,7 +464,7 @@ export const performanceTools: MCPTool[] = [
         .sort((a, b) => b.percentOfTotal - a.percentOfTotal);
 
       // Cleanup probe file
-      try { const { unlinkSync } = require('node:fs'); unlinkSync(join(getPerfDir(), '.profile-probe')); } catch { /* ok */ }
+      try { unlinkSync(join(getPerfDir(), '.profile-probe')); } catch { /* ok */ }
 
       return {
         success: true,
@@ -514,7 +514,7 @@ export const performanceTools: MCPTool[] = [
         writeFileSync(probe, Buffer.alloc(4096, 0x42));
         readFileSync(probe);
         diskLatencyBefore = Math.round((performance.now() - t0) * 100) / 100;
-        try { const { unlinkSync } = require('node:fs'); unlinkSync(probe); } catch { /* ok */ }
+        try { unlinkSync(probe); } catch { /* ok */ }
       } catch { /* ok */ }
 
       const optimizations: Array<{ action: string; applied: boolean; effect?: string; recommendation?: string }> = [];
@@ -559,9 +559,8 @@ export const performanceTools: MCPTool[] = [
       if (aggressive) {
         try {
           const dir = getPerfDir();
-          const { readdirSync, unlinkSync: ul } = require('node:fs');
           const probes = readdirSync(dir).filter((f: string) => f.startsWith('.'));
-          probes.forEach((f: string) => { try { ul(join(dir, f)); } catch { /* ok */ } });
+          probes.forEach((f: string) => { try { unlinkSync(join(dir, f)); } catch { /* ok */ } });
           if (probes.length > 0) optimizations.push({ action: 'clear-probe-files', applied: true, effect: `Removed ${probes.length} probe file(s)` });
         } catch { /* ok */ }
       }

v3/@claude-flow/cli/src/ruvector/coverage-router.ts

@@ -7,6 +7,10 @@
  * - Singleton router instance
  */
 
+import * as pathMod from 'node:path';
+import { existsSync } from 'node:fs';
+import { readFile } from 'node:fs/promises';
+
 // ============================================================================
 // Caching for Performance
 // ============================================================================
@@ -488,7 +492,8 @@ export async function coverageGaps(
  * Returns null if path is invalid or attempts traversal
  */
 function validateProjectPath(inputPath: string | undefined): string | null {
-  const { resolve, normalize, isAbsolute } = require('path');
+  // eslint-disable-next-line @typescript-eslint/no-var-requires -- sync function, top-level import at file head
+  const { resolve, normalize, isAbsolute } = pathMod;
 
   // Default to cwd if not provided
   const basePath = inputPath || process.cwd();
@@ -536,9 +541,7 @@ async function loadProjectCoverage(projectRoot?: string, skipCache?: boolean): P
     }
   }
 
-  const { existsSync } = require('fs');
-  const { readFile } = require('fs/promises');
-  const { join, normalize } = require('path');
+  const { join, normalize } = pathMod;
 
   // Try common coverage locations (all relative to validated root)
   const coverageLocations = [

v3/@claude-flow/cli/src/ruvector/diff-classifier.ts

@@ -2,6 +2,9 @@
  * Diff Classifier for Change Analysis
  */
 
+import { execFileSync, execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+
 export interface DiffClassifierConfig {
   maxDiffSize: number;
   classifyByImpact: boolean;
@@ -396,7 +399,7 @@ export function getGitDiffNumstat(ref: string = 'HEAD'): DiffFile[] {
     return cached.files;
   }
 
-  const { execFileSync } = require('child_process');
+  // execFileSync imported at top level
   try {
     // SECURITY: Use execFileSync with args array instead of shell string
     // This prevents command injection via the ref parameter
@@ -471,8 +474,7 @@ export async function getGitDiffNumstatAsync(ref: string = 'HEAD'): Promise<Diff
     return cached.files;
   }
 
-  const { execFile } = require('child_process');
-  const { promisify } = require('util');
+  // execFile + promisify imported at top level
   const execFileAsync = promisify(execFile);
 
   try {

v3/@claude-flow/cli/src/update/checker.ts

@@ -4,6 +4,7 @@
  */
 
 import * as semver from 'semver';
+import { createRequire } from 'node:module';
 import { shouldCheckForUpdates, recordCheck, getCachedVersions } from './rate-limiter.js';
 
 export interface UpdateCheckResult {
@@ -138,10 +139,10 @@ export function getInstalledVersion(packageName: string): string | null {
 
     for (const modulePath of possiblePaths) {
       try {
-        // Use dynamic import with require for package.json
-        const resolved = require.resolve(modulePath, { paths: [process.cwd()] });
-        // eslint-disable-next-line @typescript-eslint/no-var-requires
-        const pkg = require(resolved);
+        // Use createRequire for ESM-compatible package.json loading
+        const esmRequire = createRequire(import.meta.url);
+        const resolved = esmRequire.resolve(modulePath, { paths: [process.cwd()] });
+        const pkg = esmRequire(resolved);
         return pkg.version;
       } catch {
         continue;