v3.5.48 — Security, P1 Fixes, WASM CLI

What's New

Security Hardening (v3.5.45)

• Prototype pollution prevention via safeJsonParse() — strips __proto__, constructor, prototype
• NaN/Infinity bypass protection in validateNumber()
• Task source allowlist (VALID_TASK_SOURCES) prevents injection
• Atomic file writes (tmp + rename) for state persistence
• Shared autopilot-state.ts module eliminates 140 lines of duplication

Token Drain Prevention (v3.5.46) — #1427, #1330

• Daemon autoStart defaults to false (opt-in only)
• Session hook startDaemon defaults to false
• Background workers reduced 10 → 3, schedules relaxed (audit 4h, optimize 2h)

P1 Bug Fixes (v3.5.47)

• #1122: HNSW ghost entries — bridge delete path now invalidates HNSW index
• #1117: Orphan processes — worker timeout raised 5min → 16min
• #1111: Headless stdin pipe hang — already fixed (closed)
• #1109: classifyHandoffIfNeeded — Claude Code platform issue (closed)

RuVector WASM CLI Exposure (v3.5.48)

• ADR-067: RuVector WASM utilization audit and improvement plan
• 4 new CLI commands: agent wasm-status, agent wasm-create, agent wasm-prompt, agent wasm-gallery
• Fixed 16 pre-existing ruvllm-wasm test failures (mock constructors)

Test Results

• 28/28 test files pass
• 1725/1725 tests pass, 0 failures

Install

npx @claude-flow/cli@latest
npx claude-flow@latest
npx ruflo@latest