Ruflo v3.5.78 — ESM Stability, Security Hardening & Intelligence Backends
Ruflo v3.5.78
The most stable Ruflo release yet. This release eliminates an entire class of ESM module crashes, hardens security across 6 packages, introduces native intelligence backends, and resolves 10 user-reported critical issues.
34 commits, 145 files changed, ~8,000 lines of improvements since v3.5.59.
Install / Upgrade
npx ruflo@3.5.78 --version # one-shot
npx @claude-flow/cli@3.5.78 doctor # health checkAll three packages updated on npm (alpha, latest, v3alpha):
Critical Bug Fixes
ESM Module Crash Elimination
The entire codebase has been audited and purged of bare require() calls that crash in ESM mode ("type": "module"). 29 total require() calls fixed across two rounds:
| Round | PR / Commit | Files Fixed | Calls Fixed |
|---|---|---|---|
| 1 | #1564 (v3.5.77) | autopilot-state.ts, autopilot.ts, claims.ts |
12 |
| 2 | v3.5.78 | diff-classifier.ts, coverage-router.ts, performance-tools.ts, mcp-server.ts, checker.ts, security.ts |
17 |
Before: ruflo autopilot status, ruflo claims list, diff analysis, coverage routing, performance profiling, security scanning, and update checking all crashed with ReferenceError: require is not defined.
After: Every runtime code path uses proper ESM import statements or the createRequire pattern for native modules.
Closes #1559, #1560, #1561, #1563.
cleanup --force No Longer Destroys User Config (#1557)
Previously, cleanup --force deleted the entire .claude/ directory — wiping agents, skills, commands, settings, memory databases, and worktrees that belong to Claude Code, not Ruflo.
Now: Only Ruflo-owned paths are cleaned (.claude/helpers/), and settings.json is surgically edited to remove only hooks and claudeFlow keys while preserving all user configuration.
CLI One-Shot Commands No Longer Hang (#1552, #1550)
memory store, memory retrieve, config list, and other one-shot commands hung indefinitely due to open handles (MCP listeners, timers, SQLite connections) keeping the event loop alive. Fixed with process.exit(0) after cli.run() resolves.
Daemon Zombie Prevention (#1551)
daemon stop now scans running processes via ps and kills stale daemon instances — not just the PID stored in the PID file. daemon start also cleans up zombies before launching and shows a clear error if a daemon is already running.
Memory Bridge Respects CLAUDE_FLOW_CWD (#1562)
MCP memory tools under Claude Desktop were reading/writing to the wrong directory because auto-memory-bridge.ts hardcoded process.cwd(). Now respects the CLAUDE_FLOW_CWD environment variable.
Security Hardening (PR #1558)
Comprehensive security and performance fixes across 6 packages:
- SQL injection prevention — All sql.js queries converted to parameterized
db.prepare/bindstatements - Command injection prevention — Replaced
execSyncwithexecFileSync(no shell interpretation) throughout - Prototype pollution prevention — JSON reviver strips
__proto__,constructor,prototypekeys - HNSW hash collision safety — Added dual-hash (djb2 + sdbm) and 1,000-probe cap with explicit error on exhaustion
- BoundedSet FIFO eviction — Uses
Mapinsertion order for correct FIFO behavior - Resilient bulk operations —
Promise.allSettledfor operations that shouldn't fail atomically - PID validation —
Number.isIntegerguard before process operations
New Features
Native RuVLLM + Graph-Node Intelligence Backends (ADR-086, ADR-087)
New native intelligence backends for the RuVector system:
- RuVLLM backend — Direct integration with local LLM inference
- Graph-Node backend — Graph-based intelligence routing for complex reasoning chains
DiskANN Vector Search Backend (ADR-077)
Research-grade vector search with:
- 8,000x faster insert than HNSW for large datasets
- Perfect recall on benchmark suites
- SSD-optimized for datasets that exceed RAM
Claude Code ↔ AgentDB Memory Bridge (ADR-076)
Phase 2 MCP tools for bridging Claude Code's auto-memory with AgentDB:
memory_import_claude— Import Claude Code memories with 384-dim ONNX embeddingsmemory_bridge_status— Bridge health monitoringmemory_search_unified— Semantic search across all namespaces
Self-Learning Pipeline (ADR-075)
End-to-end wiring of the self-learning pipeline:
- Pattern recording from successful task completions
- Neural training on discovered patterns
- Cross-session knowledge transfer
saveCheckpoint Resilience (v3.5.75)
Checkpoint save now verifies file existence and falls through to JS fallback on native module failures.
Quality & Honesty
- README honesty audit — Removed fabricated metrics and inflated claims; all stats now reference real benchmarks
- Stub elimination — 9 remaining stub implementations replaced with real scanning, metrics, and health checks
- Comprehensive #1425 remediation — Real quantization, honest performance stubs, input validation at system boundaries
- Statusline accuracy — Replaced all fake heuristics with real data sources from hook activity and AgentDB stats
Issues Closed (10)
| Issue | Title |
|---|---|
| #1559 | Bare require() in ESM modules — autopilot/claims crash |
| #1560 | ESM/CJS regression (dup of #1559) |
| #1561 | Autopilot require is not defined (dup of #1559) |
| #1563 | Autopilot/claims fail on fresh install (dup of #1559) |
| #1557 | cleanup --force deletes entire .claude/ directory |
| #1552 | CLI one-shot commands hang indefinitely |
| #1551 | Daemon processes accumulate as zombies |
| #1550 | Memory subcommands hang (same root cause as #1552) |
| #1562 | Memory commands ignore CLAUDE_FLOW_CWD |
| #1558 | Security & performance fixes across 6 packages |
Stats
34 commits
145 files changed
7,966 insertions(+), 2,333 deletions(-)
29 bare require() calls eliminated
6 packages security-hardened
10 issues resolved
3 npm packages published (alpha, latest, v3alpha)
Full Changelog: v3.5.59...v3.5.78