Claude can slay dragons, but it needs the flo state

An update on what’s new in MoFlo — the open-source npm package that upgrades Claude Code with full project knowledge, persistent memory, sandboxed automation, and a swarm of agents that actually stay wired together.

GitHub: github.com/eric-cielo/moflo
npm: npmjs.com/package/moflo — npm install --save-dev moflo

Coding with Claude Code feels a lot like sending adventurers into a dungeon. On a good day, the dragon dies and you walk out with the loot. On a bad day, your heroes forget the map between rooms, pick fights they can’t win, and burn half their potions rediscovering a corridor they cleared yesterday.

MoFlo is the buff stack. It gives Claude:

Access to all of your project guidance, patterns, code, and intel, quickly
Memory that survives sessions
A party of specialist agents that coordinate instead of battling each other
Sandboxing so the dragon can’t escape into your filesystem

The last few releases have been a heavy refactor of the engine room. There was significant rework and, yes, some associated churn. Now we’re stronger and lighter than ever, and it’s worth showing what changed.

What you actually do

npm install --save-dev moflo
flo init

Inside a Claude session you’ll mostly notice 3 things: it stops re-exploring files it already knows, it routes work to the right specialist, and when you say /flo 42 it picks up GitHub issue 42 and drives it to a PR — sandboxed, tested, simplified, and tracked in the task list.

One database to rule them all: MoFlo DB

The biggest invisible upgrade is the storage layer. Memory, swarm coordination, hive-mind state, AIDefence threat patterns, learned routing outcomes — all of it now lives in a single sql.js + HNSW store at .moflo/moflo.db.

It consumes everything that matters — project guidance, reusable patterns, code maps (exports, classes, functions, types), test-to-source mappings, and a continuously updated stream of learnings from both Claude and the humans on the team. A correction you make once, a convention you write down, a routing decision that worked: all of it lands in the same index and shows up the next time it’s relevant.
HNSW vector indexing — semantic search runs 150x to 12,500x faster than brute-force cosine, depending on project size.
Neural embeddings by default — fastembed with the all-MiniLM-L6-v2 384-dim model, ONNX runtime, native Rust tokenizer. Hash-based “fake” embeddings are gone. If a search returns a result, it’s because the meaning matched, not because the bytes did.
One store, many consumers — the embeddings cache, knowledge graph, RVF/SONA learning store, and the auto-memory bridge all share the same database file. Backups are a single cp.

This matters because the entire MoFlo experience — the memory-first gates, the learned task routing, the “/flo” issue-to-PR workflow — sits on top of this index. Making it fast and unified is what lets the upper layers stop being clever and just be useful.

Swarm and hive-mind, rewritten from the ground up

The multi-agent layer has been rebuilt around a single canonical engine: UnifiedSwarmCoordinator. Every coordination MCP tool now routes through it, with a write-through persistence adapter so state survives crashes, restarts, and process boundaries.

agent_spawn, agent_list, agent_status, agent_terminate, agent_pool, agent_health — all driven by the coordinator.
swarm_init, swarm_status, swarm_health, swarm_scale — same engine, same source of truth.
A new task_* family (7 MCP tools) handles distribution, execution, cancellation, and status through the coordinator’s task orchestrator.
Hive-mind sits on top: hive-mind_* routes through a MessageBus with a write-through adapter, and workers register against the shared coordinator. The Queen delegates, the workers swarm, every message is durable.
End-to-end system tests exercise the whole wired path, and flo doctor ships functional tripwires that fail loudly if any of it ever drifts.

For a developer, the headline is simple: when you ask Claude to send a 5-agent party at a feature, the party shows up, divides the work, and reports back through a single coherent state machine — no parallel work stomping on shared files, no agents that quietly forgot what they were doing.

Spells: scripted automation with real sandboxing

MoFlo’s automation primitive is a spell — a YAML or JSON file that composes step commands (bash, github, browser, memory, agent, condition, loop, parallel, IMAP, Slack, MCP) into a runnable workflow. Spells back the /flo issue runner, the epic orchestrator, scheduled jobs, and any custom automation you write.

Because spells can run unattended, they ship with 3 independent layers of defense:

Command denylist — catastrophic patterns (rm -rf /, git push --force main, chmod -R 777, fork bombs, curl | sh) are blocked before any step executes, on every platform.
Capability gateway — every step declares the capabilities it needs (fs:read, fs:write, net, shell, memory, credentials, browser, agent). The runner blocks any I/O the step didn’t declare. Spell authors can narrow a default but never expand it.
OS-level process isolation — bash steps are wrapped automatically: bwrap on Linux, sandbox-exec on macOS, Docker on Windows. Read-only root, network blocked unless declared, PID isolation, writable mounts only on paths the step asked for.

The contract for an agent running inside a spell is brutally simple: do what the step says, nothing more. A CAPABILITY_DENIED error is intentional, not a problem to engineer around. That’s what makes a scheduled spell safe to deploy at 3 a.m.

AIDefence: a guard at the prompt boundary

AIDefence is now bundled in the same tarball, sharing the same MoFlo DB. It exposes 6 MCP tools (aidefence_scan, aidefence_analyze, aidefence_stats, aidefence_learn, aidefence_is_safe, aidefence_has_pii) with sub-millisecond detection on 50+ built-in patterns: prompt injection, jailbreak attempts, role-switching, encoding tricks, PII leaks (emails, SSNs, API keys, credit cards).

It’s self-learning. When you mark a detection accurate or note which mitigation worked, that feedback lands in the same HNSW store and tunes future detections. New threats become old patterns over time.

Lighter, leaner, fewer moving parts

Earlier MoFlo (and its upstream cousins) carried a workspace of @moflo/* packages and optional native dependencies — agentdb, agentic-flow, ruvector, ONNX, sharp — that quietly pulled in roughly a gigabyte of runtime when fully installed. That made sense once. It doesn’t anymore.

Workspace collapse folded all related packages into a single moflo tarball. One package, one version, one install.
AgentDB and agentic-flow are out (shipped in 4.8.80, smoke-harness-enforced in CI). Their roles were absorbed by MoFlo DB.
Install size dropped from ~1 GB of fully-functional runtime to ~82 MB, with no functional regression. Embeddings are mandatory and always work; there is no peer-optional dance.

The whole stack runs locally — Node.js 22+, WASM and Rust/NAPI bindings, no GPU required, no cloud calls except to Claude itself. It’s a devDependency; you never install it globally.

Why this update matters

The dragon metaphor isn’t just whimsy. The biggest failures of agentic coding aren’t the model being wrong — they’re orchestration failures: forgotten context, parallel agents stepping on each other, automation that escapes its lane, dependencies that bloat the install until nobody trusts the upgrade button. Every change above is aimed at one of those.

MoFlo is, and will stay, free and open source. If your Claude Code sessions feel like they’re starting cold every morning, or your automated workflows feel one bad command away from disaster, this is the buff stack worth trying.

Ready to level up Claude? It’s as simple as installing MoFlo.

npm: npmjs.com/package/moflo — npm install --save-dev moflo

GitHub: github.com/eric-cielo/moflo

Cielo Limitada