feat: hardening sprint — auth enforcement, graph resilience, infrastructure docs

Rust backend: strengthen auth middleware, rate limiting, validation; harden
graph_service_supervisor, message_tracker, task_orchestrator actors; improve
neo4j adapters, MCP relay, websocket handlers, binary protocol.

Client: refactor bots components and polling service, slim useSolidPod/
useSolidResource hooks, update graph worker force layout, fix settings store,
harden nostrAuthService and BinaryWebSocketProtocol, update WASM bridge.

Docs: add ADR-011 (auth enforcement), ADR-012 (websocket store decomposition),
ADR-013 (render performance), DDD bounded contexts, infrastructure inventory,
PRD sprint hardening. Add audit and blob assembly scripts.

Co-Authored-By: claude-flow <ruv@ruv.net>

Author: Roo Code

client/src/features/bots/components/AgentDetailPanel.tsx

@@ -1,7 +1,7 @@
 import React, { useState, useEffect } from 'react';
 import { useBotsData } from '../contexts/BotsDataContext';
 import { Card } from '../../design-system/components/Card';
-import { Select } from '../../design-system/components/Select';
+import { Select, SelectTrigger, SelectValue, SelectContent, SelectItem } from '../../design-system/components/Select';
 import { Button } from '../../design-system/components/Button';
 import { Input } from '../../design-system/components/Input';
 import type { BotsAgent } from '../types/BotsTypes';
@@ -100,12 +100,16 @@ export const AgentDetailPanel: React.FC<AgentDetailPanelProps> = ({
             value={selectedAgent?.id || ''}
             onValueChange={handleAgentChange}
           >
-            <option value="">Select Agent</option>
-            {botsData.agents.map(agent => (
-              <option key={agent.id} value={agent.id}>
-                {agent.name || agent.id} ({agent.type})
-              </option>
-            ))}
+            <SelectTrigger>
+              <SelectValue placeholder="Select Agent" />
+            </SelectTrigger>
+            <SelectContent>
+              {botsData.agents.map(agent => (
+                <SelectItem key={agent.id} value={agent.id}>
+                  {agent.name || agent.id} ({agent.type})
+                </SelectItem>
+              ))}
+            </SelectContent>
           </Select>
           </div>
         </div>

client/src/features/bots/components/AgentTelemetryStream.tsx

@@ -6,45 +6,6 @@ import { createLogger } from '../../../utils/loggerConfig';
 
 const logger = createLogger('AgentTelemetryStream');
 
-// Load GOAP widget script dynamically
-const loadGoapWidget = () => {
-  if (typeof window === 'undefined' || document.getElementById('goap-widget-script')) return;
-
-  (window as unknown as Record<string, unknown>).GOAPWidgetConfig = {
-    primaryColor: '#ff8800',
-    accentColor: '#fbbf24',
-    backgroundColor: '#1a1a1a',
-    cardBackgroundColor: '#262626',
-    cardBorderColor: '#ff8800',
-    textColor: '#ff8800',
-    secondaryTextColor: '#fbbf24',
-    successColor: '#22c55e',
-    title: 'Goal-Oriented Action Planning',
-    description: 'AI-powered research planning using A* pathfinding and dynamic agent coordination',
-    brandName: 'JunkieJarvis',
-    defaultGoal: 'Research Knowledge Graphs and Human Scale Spring Force Systems',
-    fontFamily: 'monospace',
-    borderRadius: '0.5rem',
-    animationSpeed: 'fast',
-    cardSpacing: '0.5rem',
-    showMetrics: true,
-    showStats: true,
-    compactMode: true,
-    enableAI: true,
-    aiModel: 'google/gemini-2.5-flash'
-  };
-
-  const script = document.createElement('script');
-  script.id = 'goap-widget-script';
-  script.src = 'https://goal.ruv.io/widget.js';
-  script.async = true;
-  script.crossOrigin = 'anonymous';
-  script.onerror = () => {
-    logger.warn('[GOAP] Widget script failed to load (may be blocked by COEP/CSP policy)');
-  };
-  document.body.appendChild(script);
-};
-
 interface TelemetryMessage {
   timestamp: number;
   agentId: string;
@@ -67,14 +28,6 @@ export const AgentTelemetryStream: React.FC = () => {
     }
   }, [messages]);
 
-  
-  useEffect(() => {
-    if (activeTab === 'goap') {
-      loadGoapWidget();
-    }
-  }, [activeTab]);
-
-  
   useEffect(() => {
     const pollTelemetry = async () => {
       try {

client/src/features/bots/components/BotsControlPanel.tsx

@@ -1,4 +1,4 @@
-import React, { useState, useEffect } from 'react';
+import React, { useState, useEffect, useRef } from 'react';
 import { Html } from '@react-three/drei';
 import {
   configurationMapper,
@@ -24,6 +24,8 @@ export const BotsControlPanel: React.FC<BotsControlPanelProps> = ({
   const [activeTab, setActiveTab] = useState<'colors' | 'animation' | 'physics' | 'rendering'>('colors');
   const [isCollapsed, setIsCollapsed] = useState(false);
   const [agentCount, setAgentCount] = useState(12);
+  const swarmWsRef = useRef<WebSocket | null>(null);
+  const swarmWsTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
 
   useEffect(() => {
 
@@ -35,6 +37,14 @@ export const BotsControlPanel: React.FC<BotsControlPanelProps> = ({
 
     return () => {
       configurationMapper.unsubscribe(id);
+      if (swarmWsRef.current) {
+        swarmWsRef.current.close();
+        swarmWsRef.current = null;
+      }
+      if (swarmWsTimerRef.current) {
+        clearTimeout(swarmWsTimerRef.current);
+        swarmWsTimerRef.current = null;
+      }
     };
   }, [onConfigChange]);
 
@@ -110,16 +120,25 @@ export const BotsControlPanel: React.FC<BotsControlPanelProps> = ({
   };
 
   const startSwarmMonitoring = (swarmId: string) => {
-    
-    const ws = new WebSocket(`/ws/swarm-status/${swarmId}`);
+    // Close any previous swarm WebSocket
+    if (swarmWsRef.current) {
+      swarmWsRef.current.close();
+      swarmWsRef.current = null;
+    }
+    if (swarmWsTimerRef.current) {
+      clearTimeout(swarmWsTimerRef.current);
+      swarmWsTimerRef.current = null;
+    }
+
+    const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
+    const ws = new WebSocket(`${proto}//${window.location.host}/ws/swarm-status/${swarmId}`);
+    swarmWsRef.current = ws;
 
     ws.onmessage = (event) => {
       const statusUpdate = JSON.parse(event.data);
       logger.info('Swarm status update:', statusUpdate);
 
-      
       if (statusUpdate.status === 'active') {
-        
         logger.info(`Swarm ${swarmId} is now active with ${statusUpdate.activeWorkers} workers`);
       } else if (statusUpdate.status === 'failed') {
         logger.error(`Swarm ${swarmId} failed:`, statusUpdate.error);
@@ -131,13 +150,14 @@ export const BotsControlPanel: React.FC<BotsControlPanelProps> = ({
       logger.error('Swarm monitoring WebSocket error:', error);
     };
 
-    
-    
-    setTimeout(() => {
+    swarmWsTimerRef.current = setTimeout(() => {
       if (ws.readyState === WebSocket.OPEN) {
         ws.close();
       }
-    }, 60000); 
+      if (swarmWsRef.current === ws) {
+        swarmWsRef.current = null;
+      }
+    }, 60000);
   };
 
   const showSpawnError = (type: string, message: string) => {

client/src/features/bots/components/BotsVisualization.tsx

@@ -21,6 +21,9 @@ const QUEEN_GOLD = new THREE.Color('#FFD700');
 const ADDITIVE_BLENDING = THREE.AdditiveBlending;
 const BACK_SIDE = THREE.BackSide;
 
+// Preallocated particle base-T values (module scope to avoid per-render allocation)
+const PARTICLE_BASE_T = [0.15, 0.4, 0.65, 0.9] as const;
+
 // Lightweight line component using standard BufferGeometry (NOT InstancedBufferGeometry).
 // drei's <Line> uses Line2/LineGeometry which extends InstancedBufferGeometry — its default
 // instanceCount=Infinity crashes WebGPU's drawIndexed(). This is a three.js Line2/troika
@@ -504,6 +507,7 @@ const BotsNode: React.FC<BotsNodeProps> = ({ agent, position, index, color }) =>
   const lastPositionRef = useRef<THREE.Vector3 | undefined>(undefined);
   const currentPositionRef = useRef<THREE.Vector3>(position.clone());
   const targetPositionRef = useRef<THREE.Vector3>(position.clone());
+  const elapsedTimeRef = useRef(0);
   const settings = useSettingsStore(state => state.settings);
 
 
@@ -609,6 +613,7 @@ const BotsNode: React.FC<BotsNodeProps> = ({ agent, position, index, color }) =>
     groupRef.current.position.copy(currentPositionRef.current);
 
     const elapsedTime = state.clock.elapsedTime;
+    elapsedTimeRef.current = elapsedTime;
     const activity = agent.activity ?? 0;
     const healthPulse = agent.health ? (agent.health / 100) : 0.5;
     const tokenGlow = agent.tokenRate ? Math.min(agent.tokenRate / 20, 2) : 0;
@@ -878,8 +883,8 @@ const BotsNode: React.FC<BotsNodeProps> = ({ agent, position, index, color }) =>
           ].map((_, i) => {
             const angle = (i / 8) * Math.PI * 2;
             const radius = clampedSize * 2;
-            const x = Math.cos(angle + Date.now() * 0.001) * radius;
-            const z = Math.sin(angle + Date.now() * 0.001) * radius;
+            const x = Math.cos(angle + elapsedTimeRef.current) * radius;
+            const z = Math.sin(angle + elapsedTimeRef.current) * radius;
             return (
               <mesh key={i} position={[x, 0, z]}>
                 <sphereGeometry args={[0.03, 6, 6]} />
@@ -1191,6 +1196,15 @@ const BotsEdgeComponent: React.FC<BotsEdgeProps> = ({
   targetAgent 
 }) => {
   const [isActive, setIsActive] = useState(false);
+  const particleVecs = useRef([
+    new THREE.Vector3(), new THREE.Vector3(),
+    new THREE.Vector3(), new THREE.Vector3(),
+  ]);
+  const elapsedRef = useRef(0);
+
+  useFrame((state) => {
+    elapsedRef.current = state.clock.elapsedTime;
+  });
 
   useEffect(() => {
     const checkActivity = () => {
@@ -1228,14 +1242,14 @@ const BotsEdgeComponent: React.FC<BotsEdgeProps> = ({
 
   const shouldAnimate = isActive && (avgTokenRate > 15 || edge.messageCount > 50);
   const animationSpeed = Math.min(avgTokenRate / 10, 3) + Math.min(edge.messageCount / 100, 2);
-  const dashOffset = shouldAnimate ? -Date.now() * 0.001 * animationSpeed : 0;
+  const dashOffset = shouldAnimate ? -elapsedRef.current * animationSpeed : 0;
 
   const shouldPulse = avgTokenRate > 40 || edge.messageCount > 200;
-  const pulseIntensity = shouldPulse ? Math.sin(Date.now() * 0.005) * 0.3 + 1 : 1;
+  const pulseIntensity = shouldPulse ? Math.sin(elapsedRef.current * 5) * 0.3 + 1 : 1;
 
   // Organic curve: compute a midpoint with slight perpendicular offset for tendril effect
   const distance = sourcePos.distanceTo(targetPos);
-  const now = Date.now() * 0.001;
+  const now = elapsedRef.current;
   const organicCurvePoints = useMemo(() => {
     const mid = new THREE.Vector3().copy(sourcePos).add(targetPos).multiplyScalar(0.5);
     const dir = new THREE.Vector3().subVectors(targetPos, sourcePos).normalize();
@@ -1288,14 +1302,17 @@ const BotsEdgeComponent: React.FC<BotsEdgeProps> = ({
       {/* Organic data particles flowing along tendril */}
       {isActive && shouldAnimate && (
         <group>
-          {[0.15, 0.4, 0.65, 0.9].map((baseT, i) => {
+          {PARTICLE_BASE_T.map((baseT, i) => {
             // Slightly varied speed per particle for organic feel
             const speedVar = 1 + (i * 0.13);
             const t = (baseT + (now * animationSpeed * speedVar * 0.15)) % 1;
-            // Lerp along the curve (source -> mid -> target based on t)
-            const particlePos = t < 0.5
-              ? _tempVec3A.clone().lerpVectors(sourcePos, organicCurvePoints[1], t * 2)
-              : _tempVec3A.clone().lerpVectors(organicCurvePoints[1], targetPos, (t - 0.5) * 2);
+            // Lerp along the curve using preallocated vectors (no per-render clone allocation)
+            const particlePos = particleVecs.current[i];
+            if (t < 0.5) {
+              particlePos.lerpVectors(sourcePos, organicCurvePoints[1], t * 2);
+            } else {
+              particlePos.lerpVectors(organicCurvePoints[1], targetPos, (t - 0.5) * 2);
+            }
             // Slight size variation per particle
             const sizeVar = 0.04 + Math.sin(now * 2 + i * 1.5) * 0.015;
             return (

client/src/features/bots/services/AgentPollingService.ts

@@ -79,6 +79,7 @@ export class AgentPollingService {
   private activityLevel: 'active' | 'idle' = 'idle';
   private lastActivityCheck: number = 0;
   private performanceMonitor: PollingPerformanceMonitor;
+  private subscriberCount: number = 0;
 
   private constructor() {
     this.config = {
@@ -111,26 +112,33 @@ export class AgentPollingService {
     }
   }
 
-  
   public start(): void {
-    if (this.isPolling) {
-      logger.warn('Polling already active');
-      return;
+    this.subscriberCount++;
+    if (this.subscriberCount === 1) {
+      if (this.isPolling) {
+        logger.warn('Polling already active');
+        return;
+      }
+      logger.debug('Starting agent swarm polling');
+      this.isPolling = true;
+      this.poll();
+    } else {
+      logger.debug(`Polling subscriber added (count: ${this.subscriberCount})`);
     }
-
-    logger.debug('Starting agent swarm polling');
-    this.isPolling = true;
-    this.poll();
   }
 
-  
   public stop(): void {
-    if (this.pollingTimer) {
-      clearTimeout(this.pollingTimer);
-      this.pollingTimer = null;
+    this.subscriberCount = Math.max(0, this.subscriberCount - 1);
+    if (this.subscriberCount === 0) {
+      if (this.pollingTimer) {
+        clearTimeout(this.pollingTimer);
+        this.pollingTimer = null;
+      }
+      this.isPolling = false;
+      logger.debug('Agent swarm polling stopped');
+    } else {
+      logger.debug(`Polling subscriber removed (count: ${this.subscriberCount})`);
     }
-    this.isPolling = false;
-    logger.debug('Agent swarm polling stopped');
   }
 
 

client/src/features/design-system/patterns/MarkdownRenderer.tsx

@@ -44,10 +44,18 @@ const InteractiveCodeBlock = ({ language, code, className }: { language: string;
 
 // Interactive link component
 const InteractiveLink = ({ href, children, ...props }: { href?: string, children: React.ReactNode }) => {
-  const isExternal = href?.startsWith('http');
+  const safeHref = (() => {
+    try {
+      const u = new URL(href!, window.location.origin);
+      return ['http:', 'https:', 'mailto:'].includes(u.protocol) ? u.href : '#';
+    } catch {
+      return '#';
+    }
+  })();
+  const isExternal = safeHref.startsWith('http');
   return (
     <a
-      href={href}
+      href={safeHref}
       target={isExternal ? "_blank" : undefined}
       rel={isExternal ? "noopener noreferrer" : undefined}
       className="text-primary hover:underline inline-flex items-center gap-1"

client/src/features/graph/components/ClusterHulls.tsx

@@ -1,4 +1,4 @@
-import React, { useRef, useMemo, useState } from 'react';
+import React, { useRef, useMemo, useEffect, useState } from 'react';
 import { useFrame } from '@react-three/fiber';
 import * as THREE from 'three';
 import { ConvexGeometry } from 'three/examples/jsm/geometries/ConvexGeometry.js';
@@ -179,11 +179,13 @@ export const ClusterHulls: React.FC<ClusterHullsProps> = ({
 
   // ---- Cleanup previous geometries when entries change ----
   const prevGeometries = useRef<THREE.BufferGeometry[]>([]);
-  useMemo(() => {
-    for (const geo of prevGeometries.current) {
-      geo.dispose();
-    }
+  useEffect(() => {
     prevGeometries.current = hullEntries.map((e) => e.geometry);
+    return () => {
+      for (const geo of prevGeometries.current) {
+        geo.dispose();
+      }
+    };
   }, [hullEntries]);
 
   if (!enabled) return null;