Files
ruvnet--RuView/CLAUDE.md
T
rUv e6f26e9ac9 docs(adr): deep review of the RuView npm surface — ADR-263/264/265 optimization strategies (#1229)
* docs(adr): deep review of the RuView npm surface — ADR-263/264/265 optimization strategies

ADR-263 — @ruvnet/ruview@0.1.0 harness review (O1–O9):
- HIGH: claim-check CLI fails open on empty input (no --text/--file -> PASS exit 0)
- HIGH: MCP stdio server head-of-line blocking (spawnSync verify/calibrate up to 600s)
- MEASURED: optionalDependencies triple the cold npx install (4 pkgs/620kB/71 files
  vs 1 pkg/172kB/22 files with --omit=optional) for a path that never imports them
- maxBuffer truncation, python -c port interpolation, version drift, duplicate skills,
  guardrail METRIC_TERMS substring false positives ('map'/'F1' — found by dogfooding
  claim-check on these very ADRs), zero CI

ADR-264 — @ruvnet/rvagent@0.1.0 + @ruv/ruview-cli review (O1–O9), verified against
the published registry tarball:
- HIGH: exports.require -> dist/index.cjs which is never built nor published
- MEASURED: 44 dead source-map files = 62,698B of the 188kB unpacked payload
- stdio-only server described as dual-transport; mixed dot/underscore tool names;
  double Zod validation + hand-duplicated advertised schemas; 2-fd leak per training
  job; unbounded body in the unwired HTTP scaffold; dead detectCogBinary candidates;
  ruview bin-name collision

ADR-265 — cross-cutting npm distribution strategy: npm-packages.yml CI matrix
(test + pack-content/size gate + tarball-install smoke test), publish-from-CI-only
with npm provenance, version single-sourcing from package.json, bin/namespace
ownership (ruview bin belongs to @ruvnet/ruview), claim-check on package READMEs.

Docs only — no runtime code changed. Index/CHANGELOG/CLAUDE.md/README counts updated.

Co-Authored-By: claude-flow <ruv@ruv.net>
Claude-Session: https://claude.ai/code/session_01WrGfTGKv1oWZ6iwXZACULz

* fix(npm): implement ADR-263/264/265 — harness fail-closed + async MCP, rvagent packaging/transport/naming, npm CI+provenance gate

ADR-263 (@ruvnet/ruview 0.2.0), O1-O9:
- claim-check fails closed on empty input (CLI exit 2, empty_text tool error)
- MCP stdio server dispatches tools/call asynchronously (promise-based spawn);
  ping answers while a 3s fake verify runs — pinned by new e2e test
- optionalDependencies dropped: cold npx installs exactly 1 package
  (MEASURED: was 4 pkgs/620kB/71 files via npm i in a clean prefix)
- bounded rolling output tails replace spawnSync 1MiB maxBuffer
- node_monitor port passed via sys.argv, never spliced into python -c source
- serverInfo.version read from package.json; resources/prompts stubs
- skills single-sourced: prepack sync script generates .claude/skills/ copies
- which() = memoized dep-free PATH scan
- tools underscore-canonical (ruview_claim_check, ...) + dotted aliases
- guardrail precision: word-boundary map/f1/auc/iou, code-span + F1/O2 label
  scrubbing, quantitative-claims-only; packaging reproducer hints
- 30/30 tests (was 17), incl. concurrency e2e + fail-open regression pins

ADR-264 (@ruvnet/rvagent 0.2.0), O1-O9:
- exports fixed: types-first, phantom dist/index.cjs require target removed
- tarball map-free: 127,704B unpacked / 46 files / 0 maps (MEASURED,
  npm pack --dry-run; was 188kB incl. 44 maps referencing unshipped src)
- Streamable HTTP actually wired behind RVAGENT_HTTP_PORT: one transport +
  one MCP server per session (mcp-session-id routing), 1MiB body cap (413),
  port-aware localhost origin gate; dual-transport description now true
- tools renamed underscore-canonical with dotted router-only aliases
- single Zod validation gate; advertised inputSchema generated from the same
  Zod source (zod-to-json-schema)
- train_count: parent log fds closed (was leaking 2/job); job records
  persisted to <jobsDir>/<id>.json (job_status survives restarts); bounded
  log-tail reads
- detectCogBinary probes its candidates instead of dead-coding them
- version from package.json; @types/express dropped; @types/jest -> 29
- README rewritten to match reality (no phantom subcommands/policy layer)
- 99/99 jest tests (incl. new session/body-cap suite + previously-broken
  manifest suite); stdio handshake + HTTP session flow smoke-tested live

ADR-265 D1-D4:
- .github/workflows/npm-packages.yml: 3-package x Node 20/22 gate — tests,
  version-literal grep (D3), pack-content/size gate, tarball-install smoke
  test (catches the ADR-264 F1 class), README claim-check (D4)
- .github/workflows/ruview-npm-release.yml: publish from CI only with
  npm publish --provenance
- @ruv/ruview-cli bin renamed ruview-cli (ruview bin belongs to
  @ruvnet/ruview); version single-sourced
- ci.yml NODE_VERSION 18 -> 20

ADR statuses updated to Accepted/implemented; harness manifest re-pinned;
ADR-263/264/265 + both package READMEs pass claim-check.

Co-Authored-By: claude-flow <ruv@ruv.net>
Claude-Session: https://claude.ai/code/session_01WrGfTGKv1oWZ6iwXZACULz

* perf(rvagent): lazy-load HTTP transport + memoize generated tool schemas

stdio time-to-first-response ~242ms -> ~189ms (-22%; MEASURED, median of
repeated initialize round-trips against dist/index.js in this container).

- ./http-transport.js now imported lazily inside the RVAGENT_HTTP_PORT
  branch: it chain-loads the MCP SDK streamableHttp module (~48ms MEASURED
  via per-module import() timing) which the default stdio path never uses
- toolInputJsonSchema memoized per tool: schemas are static for the process
  lifetime; under the session-per-server HTTP model every session calls
  tools/list, so stop re-walking the Zod tree each time

No behavior change: 99/99 jest tests; HTTP session flow re-smoke-tested
through the lazy import path (initialize -> 200 + mcp-session-id).

Profiled @ruvnet/ruview too and left it alone: 50ms CLI startup vs ~29ms
bare 'node -e ""' floor on the same box (MEASURED) — already near the
interpreter floor with zero dependencies.

Co-Authored-By: claude-flow <ruv@ruv.net>
Claude-Session: https://claude.ai/code/session_01WrGfTGKv1oWZ6iwXZACULz

* ci(ruview-cli): pass jest --passWithNoTests so the private no-test package doesn't fail the npm-packages matrix

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(npm): address 10 verified review findings in harness + rvagent before 0.2.0 publish

harness/ruview (@ruvnet/ruview):
- guardrails: digit gate now sees numbers inside code spans; F1-style
  metric tokens followed by ':' or a nearby number are no longer scrubbed
  (fail-open regressions in the honesty gate)
- mcp-server: tools/call requests serialize through a FIFO promise chain
  (hardware/mutating tools never overlap) while ping/tools/list stay
  immediate; stdin close drains in-flight responses before exit
- tools: which() no longer memoizes negative lookups

tools/ruview-mcp (@ruvnet/rvagent):
- index: realpath invoked-directly guard — library import no longer
  connects a stdio transport to the consumer's process
- http-transport: explicit allowedOrigins is exact-match only (localhost
  any-port convenience applies only with no configured allowlist);
  session map gains maxSessions=64 + 5min idle TTL sweep
- train-count: job records persist the child pid and reconcile stale
  'running' status after a server restart (exit-code marker or dead pid)
- config: cog binary candidates ordered by process.arch

.github/workflows/ruview-npm-release.yml: port the full ADR-265 D1 gate
(version-literal check, unpacked-size budget, tarball-install smoke test)
from npm-packages.yml so the publish path enforces what the header claims.

Tests: harness 30→36, rvagent 99→112, all passing.

Co-Authored-By: claude-flow <ruv@ruv.net>

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-07-02 13:11:15 -04:00

21 KiB
Raw Blame History

Claude Code Configuration — WiFi-DensePose + Claude Flow V3

Project: wifi-densepose

WiFi-based human pose estimation using Channel State Information (CSI). Dual codebase: Python v1 (v1/) and Rust port (v2/).

Key Rust Crates

Crate Description
wifi-densepose-core Core types, traits, error types, CSI frame primitives
wifi-densepose-signal SOTA signal processing + RuvSense multistatic sensing (16 modules)
wifi-densepose-nn Neural network inference (ONNX, PyTorch, Candle backends)
wifi-densepose-train Training pipeline with ruvector integration + ruview_metrics; MAE pretraining recipe (mae.rs, ADR-152 §2.3) + WiFlow-STD port (wiflow_std/, tch-gated)
wifi-densepose-mat Mass Casualty Assessment Tool — disaster survivor detection
wifi-densepose-hardware ESP32 aggregator, TDM protocol, channel hopping firmware; ieee80211bf/ 802.11bf forward-compat protocol model (ADR-153)
wifi-densepose-ruvector RuVector v2.0.4 integration + cross-viewpoint fusion (5 modules)
wifi-densepose-wasm WebAssembly bindings for browser deployment
wifi-densepose-cli CLI tool (wifi-densepose binary) — calibrate/calibrate-serve/enroll/train-room/room-watch + MAT (MAT gated behind the mat feature; build --no-default-features for the aarch64/appliance calibration binary)
wifi-densepose-calibration ADR-151 per-room calibration & specialist training — baseline → enroll → extract → train → bank of small specialists (presence/posture/breathing/heartbeat/restlessness/anomaly) + multistatic fusion; pure Rust, edge-deployable
wifi-densepose-sensing-server Lightweight Axum server for WiFi sensing UI
wifi-densepose-wifiscan Multi-BSSID WiFi scanning (ADR-022)
wifi-densepose-vitals ESP32 CSI-grade vital sign extraction (ADR-021)
nvsim Deterministic NV-diamond magnetometer pipeline simulator (ADR-089) — standalone leaf, WASM-ready
vendor/rvcsi (submodule) rvCSI — edge RF sensing runtime (ADR-095/096): 9 crates (rvcsi-core/-dsp/-events/-adapter-file/-adapter-nexmon/-ruvector/-runtime/-node/-cli). Lives in its own repo (github.com/ruvnet/rvcsi), vendored here under vendor/rvcsi, published to crates.io as rvcsi-* 0.3.x and to npm as @ruv/rvcsi. Not a v2/ workspace member — depend on the published crates (or the submodule's crates/rvcsi-* paths). Normalized CsiFrame/CsiWindow/CsiEvent schema, validate-before-FFI, reusable DSP, typed confidence-scored events, the napi-c Nexmon shim (real nexmon_csi .pcap from a Raspberry Pi 5 / 4 / 3B+ — BCM43455c0), the napi-rs SDK, the rvcsi CLI, a Claude Code plugin.
vendor/rufield (submodule) RuField MFS — the open spec for camera-free multimodal field sensing (ADR-260). A common FieldEvent/FieldTensor/FusionGraph/PrivacyClass/ProvenanceReceipt model above WiFi CSI/CIR/BFLD, UWB, BLE Channel Sounding, mmWave radar, ultrasound, subsonic, infrared, and quantum sensors. Lives in its own repo (github.com/ruvnet/rufield), vendored here under vendor/rufield. Not a v2/ workspace member. v0.1 reference stack = 7 crates (rufield-core/-provenance/-privacy/-adapters/-fusion/-bench/-viewer), 72 tests/0 failed; rufield-viewer is an Axum + vanilla-JS read-only dashboard (cargo run -p rufield-viewer) completing ADR-260 §27.9. The WiFi-CSI modality is now real-replay-backed via CsiReplayAdapter (ingests real captured .csi.jsonl → fused presence/breathing inferences; replay-from-file, unlabeled CSI-variance proxy, not validated accuracy); mmWave/thermal + all synthetic-bench F1 numbers remain SYNTHETIC (no live hardware — live streaming + labeled accuracy are roadmap).
wifi-densepose-rufield ADR-262 P1 anti-corruption bridge — converts RuView WiFi-CSI sensing output (SensingSnapshot mirroring SensingUpdate + TrustedOutput, owned primitives, no dep on wifi-densepose-sensing-server) into signed RuField FieldEvents (Modality::WifiCsi, real timestamp_ns, sha256 + ed25519 provenance, synthetic=false). The single coupling point between RuView and the standalone RuField MFS spec (§5.4); path-deps the vendor/rufield submodule crates (rufield-core/-provenance/-privacy/-fusion). Critical §3.3 privacy mapping (map_privacy): maps RuView class → RuField P0P5 by information content, never byte value, fail-closed (Derived → P4/P5, never P1; demoted floors to ≥ P2). 15 tests / 0 failed (round-trip / is_fusable / fusion-ingest / privacy-safety / determinism). P1 plumbing — not wired into the live server (P3), no accuracy claim.
ruview-swarm Drone swarm control system (ADR-148) — hierarchical-mesh topology, Raft consensus, MARL, CSI sensing payload, MAVLink/PX4 compat, Ruflo AI-agent integration

RuvSense Modules (signal/src/ruvsense/)

Module Purpose
multiband.rs Multi-band CSI frame fusion, cross-channel coherence
phase_align.rs Iterative LO phase offset estimation, circular mean
multistatic.rs Attention-weighted fusion, geometric diversity
coherence.rs Z-score coherence scoring, DriftProfile
coherence_gate.rs Accept/PredictOnly/Reject/Recalibrate gate decisions
pose_tracker.rs 17-keypoint Kalman tracker with AETHER re-ID embeddings
field_model.rs SVD room eigenstructure, perturbation extraction
tomography.rs RF tomography, ISTA L1 solver, voxel grid
longitudinal.rs Welford stats, biomechanics drift detection
intention.rs Pre-movement lead signals (200-500ms)
cross_room.rs Environment fingerprinting, transition graph
gesture.rs DTW template matching gesture classifier
adversarial.rs Physically impossible signal detection, multi-link consistency
cir.rs ADR-134 CSI→CIR via ISTA L1 sparse recovery (NeumannSolver warm-start)
calibration.rs ADR-135 empty-room baseline (Welford amplitude + von Mises phase, drift trigger)

Cross-Viewpoint Fusion (ruvector/src/viewpoint/)

Module Purpose
attention.rs CrossViewpointAttention, GeometricBias, softmax with G_bias
geometry.rs GeometricDiversityIndex, Cramer-Rao bounds, Fisher Information
coherence.rs Phase phasor coherence, hysteresis gate
fusion.rs MultistaticArray aggregate root, domain events

RuVector v2.0.4 Integration (ADR-016 complete, ADR-017 proposed)

All 5 ruvector crates integrated in workspace:

  • ruvector-mincutmetrics.rs (DynamicPersonMatcher) + subcarrier_selection.rs
  • ruvector-attn-mincutmodel.rs (apply_antenna_attention) + spectrogram.rs
  • ruvector-temporal-tensordataset.rs (CompressedCsiBuffer) + breathing.rs
  • ruvector-solversubcarrier.rs (sparse interpolation 114→56) + triangulation.rs
  • ruvector-attentionmodel.rs (apply_spatial_attention) + bvp.rs

Architecture Decisions

182 ADRs in docs/adr/ (numbered ADR-001 through ADR-265, with gaps). Key ones:

  • ADR-014: SOTA signal processing (Accepted)
  • ADR-015: MM-Fi + Wi-Pose training datasets (Accepted)
  • ADR-016: RuVector training pipeline integration (Accepted — complete)
  • ADR-017: RuVector signal + MAT integration (Proposed — next target)
  • ADR-024: Contrastive CSI embedding / AETHER (Accepted)
  • ADR-027: Cross-environment domain generalization / MERIDIAN (Accepted)
  • ADR-028: ESP32 capability audit + witness verification (Accepted)
  • ADR-029: RuvSense multistatic sensing mode (Proposed)
  • ADR-030: RuvSense persistent field model (Proposed)
  • ADR-031: RuView sensing-first RF mode (Proposed)
  • ADR-032: Multistatic mesh security hardening (Proposed)
  • ADR-148: Drone swarm control system / ruview-swarm (In Progress)
  • ADR-152: WiFi-Pose SOTA 2026 intake — geometry conditioning, WiFlow-STD benchmark (measurement (a) complete: claims MEASURED-EQUIVALENT at ~96% PCK@20), MAE recipe (Proposed; §2.12.3, 2.6 implemented)
  • ADR-153: IEEE 802.11bf-2025 forward-compatibility protocol model (Accepted — amends ADR-152 §2.4)
  • ADR-182: npx ruview harness minted via MetaHarness (Accepted — P1+P2 shipped as @ruvnet/ruview)
  • ADR-263: @ruvnet/ruview npm harness deep review + optimization strategy (Proposed)
  • ADR-264: @ruvnet/rvagent MCP server + @ruv/ruview-cli deep review + optimization strategy (Proposed)
  • ADR-265: RuView npm distribution strategy — CI gate, provenance, version single-sourcing (Proposed)

Supported Hardware

Device Port Chip Role Cost
ESP32-S3 (8MB flash) COM9 (ruvzen, was COM7) Xtensa dual-core WiFi CSI sensing node ~$9
ESP32-S3 SuperMini (4MB) Xtensa dual-core WiFi CSI (compact) ~$6
ESP32-C6 + Seeed MR60BHA2 COM12 (ruvzen, was COM4) RISC-V + 60 GHz FMCW mmWave HR/BR/presence + WiFi CSI ~$15
HLK-LD2410 24 GHz FMCW Presence + distance ~$3

Not supported: ESP32 (original), ESP32-C3 — single-core, can't run CSI DSP pipeline.

Build & Test Commands (this repo)

# Rust — full workspace tests (1,031+ tests, ~2 min)
cd v2
cargo test --workspace --no-default-features

# Rust — single crate check (no GPU needed)
cargo check -p wifi-densepose-train --no-default-features

# Python — deterministic proof verification (SHA-256)
python archive/v1/data/proof/verify.py

# Python — test suite
cd archive/v1 && python -m pytest tests/ -x -q

ESP32 Firmware Build (Windows — Python subprocess required)

# Build 8MB firmware (real WiFi CSI mode, no mocks)
# See CLAUDE.local.md for the full Python subprocess command
# Key: must strip MSYSTEM env vars for ESP-IDF v5.4 on Git Bash

# Build 4MB firmware
cp sdkconfig.defaults.4mb sdkconfig.defaults
# then same build process

# Flash to COM7
# [python, idf_py, '-p', 'COM7', 'flash']

# Provision WiFi
python firmware/esp32-csi-node/provision.py --port COM7 \
  --ssid "YourWiFi" --password "secret" --target-ip 192.168.1.20

# Monitor serial
python -m serial.tools.miniterm COM7 115200

Firmware Release Process

  1. Build 8MB from sdkconfig.defaults.template (no mock)
  2. Build 4MB from sdkconfig.defaults.4mb (no mock)
  3. Save 6 binaries: esp32-csi-node.bin, bootloader.bin, partition-table.bin, ota_data_initial.bin, esp32-csi-node-4mb.bin, partition-table-4mb.bin
  4. Tag: git tag v0.X.Y-esp32 && git push origin v0.X.Y-esp32
  5. Release: gh release create v0.X.Y-esp32 <binaries> --title "..." --notes-file ...
  6. Verify on real hardware (COM7) before publishing
  7. CRITICAL: Always test with real WiFi CSI, not mock mode — mock missed the Kconfig threshold bug

Crate Publishing Order

Crates must be published in dependency order:

  1. wifi-densepose-core (no internal deps)
  2. wifi-densepose-vitals (no internal deps)
  3. wifi-densepose-wifiscan (no internal deps)
  4. wifi-densepose-hardware (no internal deps)
  5. wifi-densepose-signal (depends on core)
  6. wifi-densepose-nn (no internal deps, workspace only)
  7. wifi-densepose-ruvector (no internal deps, workspace only)
  8. wifi-densepose-train (depends on signal, nn)
  9. wifi-densepose-mat (depends on core, signal, nn)
  10. wifi-densepose-wasm (depends on mat)
  11. wifi-densepose-sensing-server (depends on wifiscan)
  12. wifi-densepose-cli (depends on mat)

Validation & Witness Verification (ADR-028)

After any significant code change, run the full validation:

# 1. Rust tests — must be 1,031+ passed, 0 failed
cd v2
cargo test --workspace --no-default-features

# 2. Python proof — must print VERDICT: PASS
cd ..
python archive/v1/data/proof/verify.py

# 3. Generate witness bundle (includes both above + firmware hashes)
bash scripts/generate-witness-bundle.sh

# 4. Self-verify the bundle — must be 7/7 PASS
cd dist/witness-bundle-ADR028-*/
bash VERIFY.sh

If the Python proof hash changes (e.g., numpy/scipy version update):

# Regenerate the expected hash, then verify it passes
python archive/v1/data/proof/verify.py --generate-hash
python archive/v1/data/proof/verify.py

Witness bundle contents (dist/witness-bundle-ADR028-<sha>.tar.gz):

  • WITNESS-LOG-028.md — 33-row attestation matrix with evidence per capability
  • ADR-028-esp32-capability-audit.md — Full audit findings
  • proof/verify.py + expected_features.sha256 — Deterministic pipeline proof
  • test-results/rust-workspace-tests.log — Full cargo test output
  • firmware-manifest/source-hashes.txt — SHA-256 of all 7 ESP32 firmware files
  • crate-manifest/versions.txt — All 15 crates with versions
  • VERIFY.sh — One-command self-verification for recipients

Key proof artifacts:

  • archive/v1/data/proof/verify.py — Trust Kill Switch: feeds reference signal through production pipeline, hashes output
  • archive/v1/data/proof/expected_features.sha256 — Published expected hash
  • archive/v1/data/proof/sample_csi_data.json — 1,000 synthetic CSI frames (seed=42)
  • docs/WITNESS-LOG-028.md — 11-step reproducible verification procedure
  • docs/adr/ADR-028-esp32-capability-audit.md — Complete audit record

Branch

Default branch: main Active feature branch: ruvsense-full-implementation (PR #77)


Behavioral Rules (Always Enforced)

  • Do what has been asked; nothing more, nothing less
  • NEVER create files unless they're absolutely necessary for achieving your goal
  • ALWAYS prefer editing an existing file to creating a new one
  • NEVER proactively create documentation files (*.md) or README files unless explicitly requested
  • NEVER save working files, text/mds, or tests to the root folder
  • Never continuously check status after spawning a swarm — wait for results
  • ALWAYS read a file before editing it
  • NEVER commit secrets, credentials, or .env files

File Organization

  • NEVER save to root folder — use the directories below
  • docs/adr/ — Architecture Decision Records (43 ADRs)
  • docs/ddd/ — Domain-Driven Design models
  • v2/crates/ — Rust workspace crates (15 crates)
  • v2/crates/wifi-densepose-signal/src/ruvsense/ — RuvSense multistatic modules (14 files)
  • v2/crates/wifi-densepose-ruvector/src/viewpoint/ — Cross-viewpoint fusion (5 files)
  • v2/crates/wifi-densepose-hardware/src/esp32/ — ESP32 TDM protocol
  • firmware/esp32-csi-node/main/ — ESP32 C firmware (channel hopping, NVS config, TDM)
  • archive/v1/src/ — Python source (core, hardware, services, api)
  • archive/v1/data/proof/ — Deterministic CSI proof bundles
  • .claude-flow/ — Claude Flow coordination state (committed for team sharing)
  • .claude/ — Claude Code settings, agents, memory (committed for team sharing)

Project Architecture

  • Follow Domain-Driven Design with bounded contexts
  • Keep files under 500 lines
  • Use typed interfaces for all public APIs
  • Prefer TDD London School (mock-first) for new code
  • Use event sourcing for state changes
  • Ensure input validation at system boundaries

Project Config

  • Topology: hierarchical-mesh
  • Max Agents: 15
  • Memory: hybrid
  • HNSW: Enabled
  • Neural: Enabled

Pre-Merge Checklist

Before merging any PR, verify each item applies and is addressed:

  1. Rust tests passcargo test --workspace --no-default-features (1,031+ passed, 0 failed)
  2. Python proof passespython archive/v1/data/proof/verify.py (VERDICT: PASS)
  3. README.md — Update platform tables, crate descriptions, hardware tables, feature summaries if scope changed
  4. CLAUDE.md — Update crate table, ADR list, module tables, version if scope changed
  5. CHANGELOG.md — Add entry under [Unreleased] with what was added/fixed/changed
  6. User guide (docs/user-guide.md) — Update if new data sources, CLI flags, or setup steps were added
  7. ADR index — Update ADR count in README docs table if a new ADR was created
  8. Witness bundle — Regenerate if tests or proof hash changed: bash scripts/generate-witness-bundle.sh
  9. Docker Hub image — Only rebuild if Dockerfile, dependencies, or runtime behavior changed
  10. Crate publishing — Only needed if a crate is published to crates.io and its public API changed
  11. .gitignore — Add any new build artifacts or binaries
  12. Security audit — Run security review for new modules touching hardware/network boundaries

Build & Test

# Build
npm run build

# Test
npm test

# Lint
npm run lint
  • ALWAYS run tests after making code changes
  • ALWAYS verify build succeeds before committing

Security Rules

  • NEVER hardcode API keys, secrets, or credentials in source files
  • NEVER commit .env files or any file containing secrets
  • Always validate user input at system boundaries
  • Always sanitize file paths to prevent directory traversal
  • Run npx @claude-flow/cli@latest security scan after security-related changes
  • All operations MUST be concurrent/parallel in a single message
  • Use Claude Code's Task tool for spawning agents, not just MCP
  • ALWAYS batch ALL todos in ONE TodoWrite call (5-10+ minimum)
  • ALWAYS spawn ALL agents in ONE message with full instructions via Task tool
  • ALWAYS batch ALL file reads/writes/edits in ONE message
  • ALWAYS batch ALL Bash commands in ONE message

Swarm Orchestration

  • MUST initialize the swarm using CLI tools when starting complex tasks
  • MUST spawn concurrent agents using Claude Code's Task tool
  • Never use CLI tools alone for execution — Task tool agents do the actual work
  • MUST call CLI tools AND Task tool in ONE message for complex work

3-Tier Model Routing (ADR-026)

Tier Handler Latency Cost Use Cases
1 Agent Booster (WASM) <1ms $0 Simple transforms (var→const, add types) — Skip LLM
2 Haiku ~500ms $0.0002 Simple tasks, low complexity (<30%)
3 Sonnet/Opus 2-5s $0.003-0.015 Complex reasoning, architecture, security (>30%)
  • Always check for [AGENT_BOOSTER_AVAILABLE] or [TASK_MODEL_RECOMMENDATION] before spawning agents
  • Use Edit tool directly when [AGENT_BOOSTER_AVAILABLE]

Swarm Configuration & Anti-Drift

  • ALWAYS use hierarchical topology for coding swarms
  • Keep maxAgents at 6-8 for tight coordination
  • Use specialized strategy for clear role boundaries
  • Use raft consensus for hive-mind (leader maintains authoritative state)
  • Run frequent checkpoints via post-task hooks
  • Keep shared memory namespace for all agents
npx @claude-flow/cli@latest swarm init --topology hierarchical --max-agents 8 --strategy specialized

Swarm Execution Rules

  • ALWAYS use run_in_background: true for all agent Task calls
  • ALWAYS put ALL agent Task calls in ONE message for parallel execution
  • After spawning, STOP — do NOT add more tool calls or check status
  • Never poll TaskOutput or check swarm status — trust agents to return
  • When agent results arrive, review ALL results before proceeding

V3 CLI Commands

Core Commands

Command Subcommands Description
init 4 Project initialization
agent 8 Agent lifecycle management
swarm 6 Multi-agent swarm coordination
memory 11 AgentDB memory with HNSW search
task 6 Task creation and lifecycle
session 7 Session state management
hooks 17 Self-learning hooks + 12 workers
hive-mind 6 Byzantine fault-tolerant consensus

Quick CLI Examples

npx @claude-flow/cli@latest init --wizard
npx @claude-flow/cli@latest agent spawn -t coder --name my-coder
npx @claude-flow/cli@latest swarm init --v3-mode
npx @claude-flow/cli@latest memory search --query "authentication patterns"
npx @claude-flow/cli@latest doctor --fix

Available Agents (60+ Types)

Core Development

coder, reviewer, tester, planner, researcher

Specialized

security-architect, security-auditor, memory-specialist, performance-engineer

Swarm Coordination

hierarchical-coordinator, mesh-coordinator, adaptive-coordinator

GitHub & Repository

pr-manager, code-review-swarm, issue-tracker, release-manager

SPARC Methodology

sparc-coord, sparc-coder, specification, pseudocode, architecture

Memory Commands Reference

# Store (REQUIRED: --key, --value; OPTIONAL: --namespace, --ttl, --tags)
npx @claude-flow/cli@latest memory store --key "pattern-auth" --value "JWT with refresh" --namespace patterns

# Search (REQUIRED: --query; OPTIONAL: --namespace, --limit, --threshold)
npx @claude-flow/cli@latest memory search --query "authentication patterns"

# List (OPTIONAL: --namespace, --limit)
npx @claude-flow/cli@latest memory list --namespace patterns --limit 10

# Retrieve (REQUIRED: --key; OPTIONAL: --namespace)
npx @claude-flow/cli@latest memory retrieve --key "pattern-auth" --namespace patterns

Quick Setup

claude mcp add claude-flow -- npx -y @claude-flow/cli@latest
npx @claude-flow/cli@latest daemon start
npx @claude-flow/cli@latest doctor --fix

Claude Code vs CLI Tools

  • Claude Code's Task tool handles ALL execution: agents, file ops, code generation, git
  • CLI tools handle coordination via Bash: swarm init, memory, hooks, routing
  • NEVER use CLI tools as a substitute for Task tool agents

Support