feat(cli): publish JSON Schema for moltnet.json #1120

Open
legreffier[bot] wants to merge 1 commit into main from moltnet/7324b866-9ff0-45d1-a8c4-b00a160bdd3c/publish-moltnet-json-schema

@legreffier legreffier Bot commented May 12, 2026

Closes #747.

Summary

Authored end-to-end by legreffier running in the agent-daemon (task 10be8447-edf2-406e-93ef-b7f29391c919). The agent completed implementation, tests, and signed commit; only the git push was declined by host-exec approval and finished manually.

Changes

  • New moltnet config schema CLI subcommand that prints the embedded JSON Schema for moltnet.json to stdout.
  • Schema generated from the CredentialsFile Go struct via invopop/jsonschema, persisted at apps/moltnet-cli/schema/moltnet-config.v1.json, embedded via //go:embed so the binary stays self-contained.
  • WriteConfigTo now stamps generated moltnet.json files with a $schema pointer to the published URL.
  • Tests cover schema generation, embedded-vs-generated parity, and config-write $schema stamping.

Diary

  • ad8666b5-a748-4f2e-a306-1a6b6d02d2e5 — accountable-commit entry signed by the agent.
  • Correlation id: 7324b866-9ff0-45d1-a8c4-b00a160bdd3c.

Notes for reviewers

  • The schema URL https://api.themolt.net/schemas/moltnet-config/v1.json is referenced but not yet hosted. Hosting the schema (or pointing at the GitHub-raw URL) is a follow-up.
  • This is the first real end-to-end agent-daemon-authored PR; review with normal scrutiny — happy to close if anything misses the mark.

MoltNet-Diary: ad8666b5-a748-4f2e-a306-1a6b6d02d2e5
Moltnet-Correlation-Id: 7324b866-9ff0-45d1-a8c4-b00a160bdd3c

@github-actions

✅ CLI go.mod matches internal Go module releases

apps/moltnet-cli/go.mod is aligned with the versions tracked in .release-please-manifest.json.

@github-actions

🚨 Dependency Audit — Vulnerabilities found

Full report
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Incomplete fix for CVE-2023-48223: JWT       │
│                     │ Algorithm Confusion via Whitespace-Prefixed RSA Public │
│                     │ Key                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mvf2-f6gm-w987      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Cache Confusion via cacheKeyBuilder          │
│                     │ Collisions Can Return Claims From a Different Token    │
│                     │ (Identity/Authorization Mixup)                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.0.1 <6.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rp9m-7r4c-75qg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <7.5.5                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.0.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: JWT auth bypass due to empty HMAC secret     │
│                     │ accepted by async key resolver                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.2.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gmvf-9v4p-v8jc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Malware in @mistralai/mistralai                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @mistralai/mistralai                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@mistralai/   │
│                     │ mistralai                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3q49-cfcf-g5fm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-jwt accepts unknown `crit` header extensions (RFC │
│                     │ 7515 violation)                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm7r-c7qw-ghp6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Fastify has a Body Schema Validation Bypass via        │
│                     │ Leading Space in Content-Type Header                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fastify                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.3.2 <=5.8.4                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.8.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>fastify                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-247c-9743-5963      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to path traversal via              │
│                     │ percent-encoded dot segments                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>ajv>fast-uri           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q3j6-qgpj-74h6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to host confusion via              │
│                     │ percent-encoded authority delimiters                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>ajv>fast-uri           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v39h-62p7-jpjc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono missing validation of cookie name on write path   │
│                     │ in setCookie()                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-26pp-8wgv-hjvm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Non-breaking space prefix bypass in cookie name  │
│                     │ handling in getCookie()                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r5rp-j6wh-rvv4      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Path traversal in toSSG() allows writing files   │
│                     │ outside the output directory                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <=4.12.11                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xf4j-xp2r-rqqx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Middleware bypass via repeated slashes in        │
│                     │ serveStatic                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wmmm-f939-6g9c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ @hono/node-server: Middleware bypass via repeated      │
│                     │ slashes in serveStatic                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @hono/node-server                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.19.13                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.19.13                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>@hono/node-server      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-92pp-h63x-v22m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt has a ReDoS when using RegExp in allowed*     │
│                     │ leading to CPU exhaustion during token verification    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <=6.2.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cjw9-ghj4-fwxf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt: Stateful RegExp (/g or /y) causes            │
│                     │ non-deterministic allowed-claim validation (logical    │
│                     │ DoS)                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.2.1                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3j8v-cgw4-2g6q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ hono Improperly Handles JSX Attribute Names Allows     │
│                     │ HTML Injection in hono/jsx SSR                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.14                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.14                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-458j-xx4x-4375      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono has incorrect IP matching in ipRestriction() for  │
│                     │ IPv4-mapped IPv6 addresses                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xpcf-pg52-r92g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ip-address has XSS in Address6 HTML-emitting methods   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ip-address                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=10.1.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>express-rate-limit>ip- │
│                     │ address                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v2v4-37r5-5v8g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: bodyLimit() can be bypassed for chunked /        │
│                     │ unknown-length requests                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.16                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.16                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9vqf-7f2p-gf9v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ hono/jsx has Unvalidated JSX Tag Names that May Allow  │
│                     │ HTML Injection                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.16                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.16                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-69xw-7hcm-h432      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono has CSS Declaration Injection via Style Object    │
│                     │ Values in JSX SSR                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qp7p-654g-cw7p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono's Cache Middleware ignores Vary: Authorization /  │
│                     │ Vary: Cookie leading to cross-user cache leakage       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-p77w-8qqv-26rm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic Uses a Cryptographic Primitive with a Risky   │
│                     │ Implementation                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.6.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ libs__auth>get-jwks>jwk-to-pem>elliptic                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-848j-6mx2-7j84      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Hono has improper validation of NumericDate claims     │
│                     │ (exp, nbf, iat) in JWT verify()                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>@modelcontextprotocol/sdk>hono                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm8q-7f3q-5f36      │
└─────────────────────┴────────────────────────────────────────────────────────┘
32 vulnerabilities found
Severity: 2 low | 16 moderate | 5 high | 9 critical

@github-actions

Contributor

⚠️ Knip — Unused code or dependencies found

Run pnpm run knip locally to see details, or pnpm run knip:fix to auto-fix some of them.

Full report
Unused files (31)
apps/console/e2e/seed-diary-browser.ts                                                     
apps/landing/src/hooks/useFeedSSE.ts                                                       
apps/mcp-server/src/schemas/index.ts                                                       
apps/rest-api/src/migrate.ts                                                               
apps/rest-api/src/sse/public-feed-poller.ts                                                
apps/rest-api/src/sse/sse-writer.ts                                                        
evals/moltnet-practices/auth-middleware-early-return/fixtures/auth-plugin.ts               
evals/moltnet-practices/auth-middleware-early-return/fixtures/team-resolver.ts             
evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/sdk.gen.ts                    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/consolidate-workflow.ts    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/diary-entry.repository.ts  
evals/moltnet-practices/rest-error-boundary/fixtures/pack-routes.ts                        
evals/moltnet-practices/rest-error-boundary/fixtures/verification-routes.ts                
evals/moltnet-practices/webhook-auth-status-code/fixtures/hooks.ts                         
examples/compile-context.ts                                                                
examples/diary-create.ts                                                                   
examples/diary-search.ts                                                                   
examples/register.ts                                                                       
examples/sign-entry.ts                                                                     
libs/context-distill/__tests__/benchmarks/cluster.bench.ts                                 
libs/context-distill/__tests__/benchmarks/compile.bench.ts                                 
test-fixtures/generate-ssh-vectors.mjs                                                     
test-fixtures/generate-x25519-vectors.mjs                                                  
tools/db/backfill-content-hashes.ts                                                        
tools/db/backfill-diary-team-links.ts                                                      
tools/db/backfill-keto-subject-set.ts                                                      
tools/db/backfill-personal-teams.ts                                                        
tools/db/backfill-team-relations-plural.ts                                                 
tools/db/cleanup-legacy-diary-tuples.ts                                                    
tools/src/tasks/seed-judge-fixture.ts                                                      
tools/src/verify-task-context.ts                                                           
Unused dependencies (38)
@earendil-works/gondolin                     apps/agent-daemon/package.json:32:6        
pino-pretty                                  apps/agent-daemon/package.json:45:6        
@moltnet/models                              apps/console/package.json:10:6             
@fastify/otel                                apps/mcp-server/package.json:30:6          
@opentelemetry/exporter-metrics-otlp-proto   apps/mcp-server/package.json:32:6          
@opentelemetry/exporter-trace-otlp-proto     apps/mcp-server/package.json:33:6          
@opentelemetry/instrumentation               apps/mcp-server/package.json:34:6          
@opentelemetry/instrumentation-dns           apps/mcp-server/package.json:35:6          
@opentelemetry/instrumentation-http          apps/mcp-server/package.json:36:6          
@opentelemetry/instrumentation-net           apps/mcp-server/package.json:37:6          
@opentelemetry/instrumentation-pino          apps/mcp-server/package.json:38:6          
@opentelemetry/instrumentation-pg            apps/mcp-server/package.json:39:6          
@opentelemetry/instrumentation-runtime-node  apps/mcp-server/package.json:40:6          
@opentelemetry/instrumentation-undici        apps/mcp-server/package.json:41:6          
@opentelemetry/resources                     apps/mcp-server/package.json:42:6          
@opentelemetry/sdk-metrics                   apps/mcp-server/package.json:43:6          
@opentelemetry/sdk-trace-base                apps/mcp-server/package.json:44:6          
@opentelemetry/sdk-trace-node                apps/mcp-server/package.json:45:6          
@opentelemetry/semantic-conventions          apps/mcp-server/package.json:46:6          
pino                                         apps/mcp-server/package.json:50:6          
pino-opentelemetry-transport                 apps/mcp-server/package.json:51:6          
thread-stream                                apps/mcp-server/package.json:52:6          
multiformats                                 apps/rest-api/package.json:32:6            
@huggingface/transformers                    apps/rest-api/package.json:34:6            
@opentelemetry/exporter-metrics-otlp-proto   apps/rest-api/package.json:44:6            
@opentelemetry/instrumentation               apps/rest-api/package.json:46:6            
@opentelemetry/resources                     apps/rest-api/package.json:54:6            
@opentelemetry/sdk-metrics                   apps/rest-api/package.json:55:6            
@opentelemetry/sdk-trace-base                apps/rest-api/package.json:56:6            
@opentelemetry/sdk-trace-node                apps/rest-api/package.json:57:6            
@opentelemetry/semantic-conventions          apps/rest-api/package.json:58:6            
pino-pretty                                  apps/rest-api/package.json:66:6            
thread-stream                                apps/rest-api/package.json:67:6            
@noble/hashes                                libs/context-pack-service/package.json:19:6
@moltnet/auth                                tools/package.json:35:6                    
@moltnet/models                              tools/package.json:42:6                    
drizzle-orm                                  tools/package.json:50:6                    
fastq                                        tools/package.json:51:6                    
Unused devDependencies (5)
drizzle-orm     apps/mcp-server/package.json:58:6   
pino-pretty     apps/mcp-server/package.json:59:6   
vitest          libs/bootstrap/package.json:24:6    
testcontainers  libs/diary-service/package.json:29:6
@types/figlet   tools/package.json:57:6             
Referenced optional peerDependencies (1)
ink  libs/design-system/package.json
Unlisted dependencies (3)
@moltnet/database  evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/governance.e2e.test.ts:19:46
pg                 libs/diary-service/__tests__/diary-service.dbos.integration.test.ts:21:27                
@nx/js/typescript  nx.json
Unlisted binaries (6)
python3                                             .github/workflows/ci.yml     
clawhub                                             .github/workflows/release.yml
go                                                  package.json                 
gofmt                                               package.json                 
packages/openclaw-skill/scripts/publish-clawhub.sh  package.json                 
packages/openclaw-skill/scripts/package.sh          package.json                 
Unused exports (73)
COMMON_REQUIRED_FLAGS                       apps/agent-daemon/src/lib/help.ts:3:14                         
COMMON_OPTIONAL_FLAGS                       apps/agent-daemon/src/lib/help.ts:10:14                        
ENTRY_TYPE_OPTIONS                          apps/console/src/diaries/utils.ts:22:14                        
API_BASE_URL                                apps/landing/src/api.ts:16:14                                  
handleDiaryTags                   function  apps/mcp-server/src/diary-tools.ts:464:23                      
handleGrantCreate                 function  apps/mcp-server/src/grant-tools.ts:38:23                       
handleGrantRevoke                 function  apps/mcp-server/src/grant-tools.ts:70:23                       
handleGrantList                   function  apps/mcp-server/src/grant-tools.ts:102:23                      
handleMoltnetInfo                 function  apps/mcp-server/src/info-tools.ts:24:23                        
handlePacksUpdate                 function  apps/mcp-server/src/pack-tools.ts:295:23                       
handleRenderedPacksUpdate         function  apps/mcp-server/src/pack-tools.ts:385:23                       
handlePacksDiff                   function  apps/mcp-server/src/pack-tools.ts:487:23                       
handleSignMessage                 function  apps/mcp-server/src/prompts.ts:212:23                          
CustomPackEntrySelectionSchema              apps/mcp-server/src/schemas/pack-schemas.ts:107:14             
handleTeamsList                   function  apps/mcp-server/src/team-tools.ts:62:23                        
handleTeamMembersList             function  apps/mcp-server/src/team-tools.ts:84:23                        
handleTeamsCreate                 function  apps/mcp-server/src/team-tools.ts:109:23                       
handleTeamsJoin                   function  apps/mcp-server/src/team-tools.ts:132:23                       
handleTeamsDelete                 function  apps/mcp-server/src/team-tools.ts:155:23                       
handleTeamsInviteCreate           function  apps/mcp-server/src/team-tools.ts:178:23                       
handleTeamsInviteList             function  apps/mcp-server/src/team-tools.ts:211:23                       
handleTeamsInviteDelete           function  apps/mcp-server/src/team-tools.ts:236:23                       
handleTeamsMemberRemove           function  apps/mcp-server/src/team-tools.ts:264:23                       
ServerConfigSchema                          apps/rest-api/src/config.ts:26:14                              
DatabaseConfigSchema                        apps/rest-api/src/config.ts:38:14                              
WebhookConfigSchema                         apps/rest-api/src/config.ts:43:14                              
RecoveryConfigSchema                        apps/rest-api/src/config.ts:47:14                              
OryConfigSchema                             apps/rest-api/src/config.ts:51:14                              
ObservabilityConfigSchema                   apps/rest-api/src/config.ts:62:14                              
EmbeddingConfigSchema                       apps/rest-api/src/config.ts:98:14                              
SecurityConfigSchema                        apps/rest-api/src/config.ts:105:14                             
loadEmbeddingConfig               function  apps/rest-api/src/config.ts:264:17                             
loadPackGcConfig                  function  apps/rest-api/src/config.ts:274:17                             
loadTaskOrphanSweeperConfig       function  apps/rest-api/src/config.ts:284:17                             
acceptsProblemJson                          apps/rest-api/src/problems/index.ts:2:3                        
findProblemTypeByCode                       apps/rest-api/src/problems/index.ts:8:3                        
findProblemTypeByStatus                     apps/rest-api/src/problems/index.ts:9:3                        
getTypeUri                                  apps/rest-api/src/problems/index.ts:10:3                       
problemTypes                                apps/rest-api/src/problems/index.ts:12:3                       
DiaryTagCountSchema                         apps/rest-api/src/schemas/diary.ts:58:14                       
PublicAuthorSchema                          apps/rest-api/src/schemas/diary.ts:123:14                      
ContextPackEntrySchema                      apps/rest-api/src/schemas/packs.ts:9:14                        
TaskTypeDescriptorSchema                    apps/rest-api/src/schemas/tasks.ts:213:14                      
inflateRowCreator                 function  apps/rest-api/src/utils/auth-principal.ts:142:23               
resolvePrincipal                            apps/rest-api/src/utils/auth-principal.ts:191:10               
consolidateQueue                            apps/rest-api/src/workflows/context-distill-workflows.ts:58:14 
compileQueue                                apps/rest-api/src/workflows/context-distill-workflows.ts:63:14 
HumanOnboardingError              class     apps/rest-api/src/workflows/human-onboarding-workflow.ts:36:14 
compileQueue                                apps/rest-api/src/workflows/index.ts:2:3                       
consolidateQueue                            apps/rest-api/src/workflows/index.ts:4:3                       
contextDistillWorkflows                     apps/rest-api/src/workflows/index.ts:7:3                       
diaryTransferWorkflow                       apps/rest-api/src/workflows/index.ts:14:3                      
TRANSFER_DECISION_EVENT                     apps/rest-api/src/workflows/index.ts:17:3                      
HumanOnboardingError                        apps/rest-api/src/workflows/index.ts:22:3                      
DEFAULT_WORKFLOW_TIMEOUT_MS                 apps/rest-api/src/workflows/index.ts:56:3                      
runWorkflow                                 apps/rest-api/src/workflows/index.ts:57:3                      
FOUNDING_ACCEPT_EVENT                       apps/rest-api/src/workflows/index.ts:61:3                      
TeamFoundingTimeoutError                    apps/rest-api/src/workflows/index.ts:67:3                      
teamFoundingWorkflow                        apps/rest-api/src/workflows/index.ts:68:3                      
DEFAULT_WORKFLOW_TIMEOUT_MS                 apps/rest-api/src/workflows/run-workflow.ts:14:14              
TeamFoundingTimeoutError          class     apps/rest-api/src/workflows/team-founding-workflow.ts:32:14    
registerBuiltInSubagentContracts  function  libs/agent-runtime/src/built-in-contract-registrations.ts:29:17
DBOSWorkflowConflictError                   libs/database/src/dbos.ts:154:3                                
DEFAULT_DISPATCH_TIMEOUT_SECONDS            libs/database/src/workflows/task-workflows.ts:124:14           
DEFAULT_RUNNING_TIMEOUT_SECONDS             libs/database/src/workflows/task-workflows.ts:128:14           
MAX_PUBLIC_CONTENT_LENGTH                   libs/diary-service/src/diary-service.ts:53:14                  
makeClient                        function  packages/legreffier-cli/src/api.ts:78:17                       
formatPortIssues                  function  packages/legreffier-cli/src/phases/portValidate.ts:213:17      
gitMergeBase                      function  tools/src/tasksmith/gh-client.ts:151:23                        
gitShowFileAtRef                  function  tools/src/tasksmith/gh-client.ts:206:23                        
SEED_INSTRUCTION                            tools/src/tasksmith/task-extractor.ts:538:10                   
verifyTask                        function  tools/src/tasksmith/verify.ts:356:23                           
cleanupPrArtifacts                function  tools/src/tasksmith/verify.ts:480:23                           
Unused exported types (46)
MailRecord                 interface  apps/console/e2e/helpers/mailslurper.ts:3:18                      
MoltnetInfoInput           type       apps/mcp-server/src/schemas/info-schemas.ts:19:13                 
IssueVoucherInput          type       apps/mcp-server/src/schemas/vouch-schemas.ts:22:13                
ListVouchersInput          type       apps/mcp-server/src/schemas/vouch-schemas.ts:25:13                
TrustGraphInput            type       apps/mcp-server/src/schemas/vouch-schemas.ts:28:13                
CorsPluginOptions          interface  apps/rest-api/src/plugins/cors.ts:11:18                           
RateLimitPluginOptions     interface  apps/rest-api/src/plugins/rate-limit.ts:14:18                     
ProblemType                type       apps/rest-api/src/problems/index.ts:11:8                          
AgentPrincipal             type       apps/rest-api/src/schemas/principal.ts:37:8                       
HumanPrincipal             type       apps/rest-api/src/schemas/principal.ts:39:8                       
PrincipalIdentity          type       apps/rest-api/src/schemas/principal.ts:41:8                       
CreateTaskInput            type       apps/rest-api/src/services/task.service.ts:2:8                    
AuthContext                type       apps/rest-api/src/types.ts:14:3                                   
PermissionChecker          type       apps/rest-api/src/types.ts:15:3                                   
RelationshipReader         type       apps/rest-api/src/types.ts:16:3                                   
RelationshipWriter         type       apps/rest-api/src/types.ts:17:3                                   
CompileWorkflowInput       type       apps/rest-api/src/workflows/index.ts:3:8                          
ConsolidateWorkflowInput   type       apps/rest-api/src/workflows/index.ts:5:8                          
ContextDistillDeps         type       apps/rest-api/src/workflows/index.ts:6:8                          
DiaryTransferDeps          type       apps/rest-api/src/workflows/index.ts:12:8                         
DiaryTransferResult        type       apps/rest-api/src/workflows/index.ts:13:8                         
TransferDecision           type       apps/rest-api/src/workflows/index.ts:18:8                         
HumanOnboardingDeps        type       apps/rest-api/src/workflows/index.ts:21:8                         
HumanOnboardingResult      type       apps/rest-api/src/workflows/index.ts:23:8                         
LegreffierOnboardingDeps   type       apps/rest-api/src/workflows/index.ts:34:8                         
MaintenanceDeps            type       apps/rest-api/src/workflows/index.ts:43:8                         
RegistrationDeps           type       apps/rest-api/src/workflows/index.ts:48:8                         
RegistrationResult         type       apps/rest-api/src/workflows/index.ts:49:8                         
RunWorkflowOptions         type       apps/rest-api/src/workflows/index.ts:58:8                         
FoundingMember             type       apps/rest-api/src/workflows/index.ts:62:8                         
TeamFoundingDeps           type       apps/rest-api/src/workflows/index.ts:65:8                         
TeamFoundingResult         type       apps/rest-api/src/workflows/index.ts:66:8                         
AdoptionState              interface  docs/.vitepress/theme/auth/useAdoption.ts:38:18                   
AdoptionStageKey           type       docs/.vitepress/theme/auth/useAdoption.ts:284:13                  
AdoptionStage              interface  docs/.vitepress/theme/auth/useAdoption.ts:292:18                  
DocsTeam                   interface  docs/.vitepress/theme/auth/useTeamSelection.ts:9:18               
SessionResolverLogger      interface  libs/auth/src/session-resolver.ts:24:18                           
GroupCreator               interface  libs/database/src/repositories/group.repository.ts:15:18          
CommandRegistrar           type       libs/pi-extension/src/commands/index.ts:5:3                       
SessionMeta                type       libs/pi-extension/src/commands/index.ts:7:3                       
RateLimitRetryOptions      type       libs/sdk/src/retry.ts:5:15                                        
AgentAdapter               type       packages/legreffier-cli/src/adapters/index.ts:11:15               
AgentAdapterOptions        type       packages/legreffier-cli/src/adapters/index.ts:11:29               
ResolveInstallationStatus  type       packages/legreffier-cli/src/phases/portResolveInstallation.ts:6:13
VerifyInstallationStatus   type       packages/legreffier-cli/src/phases/portVerifyInstallation.ts:4:13 
InitPhase                  type       packages/legreffier-cli/src/state.ts:4:13                         
Unused exported enum members (1)
Impose  TaskPermission  libs/auth/src/keto-constants.ts:135:3
Unused catalog entries (4)
@anthropic-ai/claude-agent-sdk  default  pnpm-workspace.yaml:22:4 
@fastify/static                 default  pnpm-workspace.yaml:32:4 
@openai/codex-sdk               default  pnpm-workspace.yaml:53:4 
zod                             default  pnpm-workspace.yaml:132:3
Configuration hints (4)
. (root)                …p.config.ts  Add entry and/or refine project files in workspaces["."] (15 unused files)
tools                   …p.config.ts  Add entry and/or refine project files in workspaces["tools"] (8 unused files)
apps/rest-api           …p.config.ts  Add entry and/or refine project files in workspaces["apps/rest-api"] (3 unused fi…
libs/context-distill    …p.config.ts  Add entry and/or refine project files in workspaces["libs/context-distill"] (2 un…
 ELIFECYCLE  Command failed with exit code 1.

@legreffier

legreffier Bot commented May 12, 2026

Contributor Author

Auto-merge gate evaluation (pr-merge-gates-v1)

  • gate_line_count — FAIL: gh pr diff 1120 | wc -l = 542 raw diff lines; excluded apps/moltnet-cli/go.sum + go.work.sum contribute 78 lines; counted total = 464 (>300).
  • gate_no_protobuf — PASS: gh pr diff 1120 --name-only | grep -E '\.proto$' returned no matches.
  • gate_no_infra — PASS: changed files are limited to apps/moltnet-cli/* plus go.work.sum; no infra/, docker-compose*.yaml, Dockerfile*, .github/*, fly.toml, .fly/, nx.json, or release-please config paths.
  • gate_no_auth — PASS: no changed path contains auth, crypto, signing, jwt, token, ory, or keto, and none of the explicit auth paths are touched.
  • gate_no_audit_logging — PASS: no changes under libs/diary-service/, apps/rest-api/src/routes/diary-entries*, apps/rest-api/src/routes/signing*, libs/pi-extension/src/moltnet/tools.ts, or libs/crypto-service/.
  • gate_no_agent_runtime_rules — PASS: no changes to AGENTS.md, CLAUDE.md, nested agent-rule files, libs/pi-extension/src/runtime/runtime-instructor.ts, .claude/rules/, .claude/skills/legreffier/, or .agents/skills/legreffier/.

See rubrics/pr-merge-gates.json.

Verdict: 1 gate failed
