@massu/core 1.4.0-soak.0 → 1.4.0

package/commands/README.md

@@ -127,11 +127,8 @@ Pass `--skip-commands` to `massu init` or `massu refresh` to suppress command in
 2. The default `<base>.md` should remain generic (or be regenerated if it was previously stack-specific — see `massu-scaffold-page.md` for the pattern of an embedded multi-stack default).
 3. Add a row to the table in section 5.
 4. Add a test case to `packages/core/src/__tests__/install-commands.test.ts` that exercises the new variant against a fixture config.
-5. Update `docs/internal/2026-04-26-template-variant-audit.md` (the audit doc) with the new label.
 
 ## 7. Reference
 
-- Plan: `/Users/ekoultra/hedge/docs/plans/2026-04-26-massu-stack-aware-command-templates.md`
-- Audit: `docs/internal/2026-04-26-template-variant-audit.md`
 - Implementation: `packages/core/src/commands/install-commands.ts`
 - Tests: `packages/core/src/__tests__/install-commands.test.ts` and `show-template.test.ts`

package/dist/cli.js

@@ -490,7 +490,15 @@ var init_config = __esm({
       enabled: z.boolean().default(false),
       servers: z.array(z.object({
         language: z.string(),
-        command: z.string()
+        command: z.string(),
+        // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+        // binaries. Default false — argv[0] with the SUID bit is rejected
+        // unless this is true. Decision is auditable in the YAML.
+        allow_setuid: z.boolean().default(false),
+        // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+        // SIGKILLs the server after sustained breach. Default 1024 MB.
+        // Set to 0 to disable the watchdog for this server.
+        max_rss_mb: z.number().int().nonnegative().default(1024)
       })).default([]),
       autoDetect: z.object({
         viaPortScan: z.boolean().default(false)
@@ -18050,7 +18058,7 @@ var init_paths = __esm({
       "**/.mypy_cache/**",
       // Plan 3a hotfix 2026-05-02: high-churn directories that are never
       // legitimate stack-detection inputs and produced sustained 30-100% CPU
-      // when watched on Hedge (62K files / 42 GB tree).
+      // when watched on a large monorepo (62K files / 42 GB tree).
       "**/.next/**",
       "**/coverage/**",
       "**/logs/**",
@@ -18058,7 +18066,7 @@ var init_paths = __esm({
       // Runtime data dirs. Convention across Python/JS/Rust ecosystems is
       // that `data/` holds runtime artifacts (caches, snapshots, model
       // checkpoints, downloaded fixtures) that change frequently but are
-      // never stack-detection inputs. Hedge had 135K files in
+      // never stack-detection inputs. A large monorepo had 135K files in
       // apps/ai-service/data alone, dwarfing legitimate source. If a
       // project genuinely uses `data/` for source content, opt into
       // `watch.scope: 'full'` and `watch.paths_full_root_opt_in: true`.

package/dist/hooks/auto-learning-pipeline.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/classify-failure.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/cost-tracker.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/fix-detector.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/incident-pipeline.js

@@ -295,7 +295,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/post-edit-context.js

@@ -294,7 +294,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/post-tool-use.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/pre-compact.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/pre-delete-check.js

@@ -295,7 +295,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/quality-event.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/rule-enforcement-pipeline.js

@@ -294,7 +294,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/session-end.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/session-start.js

@@ -6072,7 +6072,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/dist/hooks/user-prompt.js

@@ -296,7 +296,15 @@ var LSPConfigSchema = z.object({
   enabled: z.boolean().default(false),
   servers: z.array(z.object({
     language: z.string(),
-    command: z.string()
+    command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024)
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@massu/core",
-  "version": "1.4.0-soak.0",
+  "version": "1.4.0",
   "type": "module",
   "description": "AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 72 total), 55+ workflow commands, 11 agents, 20+ patterns",
   "main": "src/server.ts",
@@ -23,6 +23,8 @@
     "fast-glob": "^3.3.0",
     "proper-lockfile": "^4.1.2",
     "smol-toml": "^1.3.0",
+    "tar": "^7.4.3",
+    "tweetnacl": "^1.0.3",
     "vscode-languageserver-protocol": "^3.17.5",
     "web-tree-sitter": "^0.26.8",
     "yaml": "^2.4.0",
@@ -48,6 +50,7 @@
     "dist/**/*",
     "commands/**/*",
     "agents/**/*",
+    "docs/**/*",
     "patterns/**/*",
     "protocols/**/*",
     "reference/**/*",

package/src/commands/config-refresh.ts

@@ -179,7 +179,7 @@ export function mergeRefresh(existing: AnyConfig, refreshed: AnyConfig): AnyConf
   // paths.aliases is a 2-level-nested user block. Detector always writes
   // { '@': <source-dir> }; user-authored alias map must survive. Spread user
   // over detector so user keys win for any overlap AND user-only keys survive.
-  // (P5-002 discovery — hedge's paths.aliases['@'] was being overwritten.)
+  // (P5-002 discovery — a downstream consumer's paths.aliases['@'] was being overwritten.)
   const existingPaths = existing.paths;
   const outPaths = out.paths;
   if (
@@ -203,9 +203,9 @@ export function mergeRefresh(existing: AnyConfig, refreshed: AnyConfig): AnyConf
 
   // verification is the other 2-level-nested detector-owned block. Semantics
   // mirror migrate.ts:132-138 buildVerificationBlock: user's custom language
-  // sections (e.g., hedge's `gateway`, `ios`, `runtime`, `web`) survive
+  // sections (e.g., a multi-runtime monorepo's `gateway`, `ios`, `runtime`, `web`) survive
   // wholesale; user's command overrides on shared languages (e.g., `python`)
-  // win over detector defaults. (P5-002 discovery — hedge was losing 15
+  // win over detector defaults. (P5-002 discovery — a downstream consumer was losing 15
   // verification command entries across 4 custom language sections plus
   // having 4 python commands overwritten with detector defaults.)
   const existingVer = existing.verification;

package/src/commands/init.ts

@@ -5,7 +5,7 @@
  * `massu init` — One-command, detection-driven project setup.
  *
  * Phase 3 rewrite (2026-04-19): replaces the JS/TS template copier (old
- * detectFramework/generateConfig path, root cause of Hedge-style stale configs)
+ * detectFramework/generateConfig path, root cause of multi-runtime stale-config drift)
  * with a flow that runs the Phase 1 detection engine (`runDetection`) and
  * generates a v2 schema_version=2 `massu.config.yaml` that reflects the
  * actual repo layout (languages, source_dirs, verification commands, domains).

package/src/commands/template-engine.ts

@@ -4,8 +4,6 @@
 /**
  * Massu codebase-aware templating engine — string substitution only.
  *
- * Spec: docs/internal/2026-04-26-codebase-aware-templates-spec.md
- *
  * Grammar (the entire surface):
  *   {{path.to.var}}                       Look up + render
  *   {{path.to.var | default("fallback")}} Look up; use literal on miss

package/src/commands/watch.ts

@@ -72,7 +72,7 @@ function parseFlags(args: string[]): ParsedFlags {
 }
 
 function findClaudeBg(): string | null {
-  // Prefer the well-known Hedge-author install path; fall back to PATH.
+  // Prefer the conventional ~/.claude/bin install path; fall back to PATH.
   const home = process.env.HOME ?? '';
   const fixed = home ? resolve(home, '.claude', 'bin', 'claude-bg') : null;
   if (fixed && existsSync(fixed)) return fixed;

package/src/config.ts

@@ -383,6 +383,14 @@ export const LSPConfigSchema = z.object({
   servers: z.array(z.object({
     language: z.string(),
     command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024),
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false),

package/src/detect/adapters/tree-sitter-loader.ts

@@ -4,8 +4,7 @@
 /**
  * Plan 3b — Phase 1: Tree-sitter WASM grammar loader (Strategy A).
  *
- * Strategy A — locked at Phase 0 (`docs/internal/2026-04-26-ast-lsp-spec.md`
- * §1, §8): grammars are NOT bundled in the npm tarball. The loader downloads
+ * Strategy A: grammars are NOT bundled in the npm tarball. The loader downloads
  * each requested grammar at first use from a pinned URL, verifies SHA-256
  * against a hardcoded manifest, caches under `~/.massu/wasm-cache/`.
  *
@@ -25,12 +24,14 @@
 import { createHash } from 'crypto';
 import {
   mkdirSync,
+  readdirSync,
   readFileSync,
   writeFileSync,
   renameSync,
   unlinkSync,
   lstatSync,
   chmodSync,
+  utimesSync,
 } from 'fs';
 import { homedir } from 'os';
 import { dirname, join } from 'path';
@@ -174,6 +175,118 @@ function getCachedPath(language: TreeSitterLanguage, sha: string): string {
   return join(getCacheDir(), `${language}-${sha}.wasm`);
 }
 
+// ============================================================
+// LRU cache eviction (Phase 3.5 audit F-011 — closed 2026-05-06)
+// ============================================================
+//
+// F-011 was deferred at v1 ("at ~3MB per grammar, full cache footprint is
+// <100MB — not an attack vector"). The 2026-05-06 audit-leak retrospective
+// elevated it: now that the cache path + naming convention are publicly
+// known (the security audit doc was visible for 9 days), opportunistic
+// disk-fill attacks become slightly less hypothetical, AND the cost of
+// retrofitting LRU once Plan 3c expands the supported grammar set is
+// strictly higher than doing it now while only 4 grammars exist.
+//
+// Eviction rule: keep the N most-recently-USED entries (mtime, updated by
+// the cache-hit path on every read). Default cap = 16 — leaves headroom
+// for Plan 3c's 31-grammar expansion plus dev-time version churn, while
+// bounding total cache to ~50MB at 3MB/grammar.
+
+const DEFAULT_CACHE_RETAIN_COUNT = 16;
+
+function getCacheRetainCount(): number {
+  const env = process.env.MASSU_WASM_CACHE_RETAIN;
+  if (env) {
+    const n = Number(env);
+    if (Number.isFinite(n) && n >= 1 && n <= 1024) return Math.floor(n);
+  }
+  return DEFAULT_CACHE_RETAIN_COUNT;
+}
+
+/**
+ * Touch a cache file's mtime to mark "most recently used." Called on every
+ * cache-hit. Best-effort: any failure is silently swallowed — touching is
+ * an optimization signal for eviction, not load-bearing.
+ *
+ * Uses utimes via writeFileSync round-trip would be expensive; instead we
+ * use the same filesystem touch trick as `touch -a`: open + close. On
+ * macOS/Linux Node, `chmodSync` to the same mode does NOT update mtime,
+ * so we do a no-op write of empty content via a tmp marker file. Cheaper
+ * approach: just rely on atime if filesystem records it. Most modern
+ * filesystems are mounted with `relatime` so atime updates only when
+ * older than mtime — which means after our first eviction-relevant
+ * read, atime IS the right signal.
+ *
+ * Decision: use mtime via `utimesSync` — explicit and portable.
+ */
+function touchCacheFile(path: string): void {
+  try {
+    const now = new Date();
+    utimesSync(path, now, now);
+  } catch {
+    // best-effort
+  }
+}
+
+/**
+ * Evict cache entries beyond the retain count, keeping the N most recently
+ * used (by mtime). Called after every successful cache write. Best-effort:
+ * eviction failure never blocks a load.
+ *
+ * Rejects symlinks and non-regular files via lstat — the same defense as
+ * the cache-hit path (F-008 fix). A symlink in the cache dir is logged
+ * as a security warning but not deleted (don't act on attacker-controlled
+ * paths automatically).
+ */
+function evictBeyondRetainCount(retain: number = getCacheRetainCount()): void {
+  const dir = getCacheDir();
+  let entries: string[];
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return; // Dir doesn't exist yet; nothing to evict.
+  }
+
+  const candidates: { path: string; mtimeMs: number }[] = [];
+  for (const name of entries) {
+    if (!name.endsWith('.wasm')) continue; // Don't touch non-grammar files.
+    const path = join(dir, name);
+    let stat;
+    try {
+      stat = lstatSync(path);
+    } catch {
+      continue;
+    }
+    if (stat.isSymbolicLink() || !stat.isFile()) {
+      // Skip — never automatically delete what could be an attacker-placed
+      // symlink. Surface via stderr; user's cache dir is suspect.
+      console.error(
+        `[tree-sitter-loader] cache eviction skipped non-regular file: ${path} ` +
+          `(possible symlink attack — see Phase 3.5 finding F-008).`,
+      );
+      continue;
+    }
+    candidates.push({ path, mtimeMs: stat.mtimeMs });
+  }
+
+  if (candidates.length <= retain) return;
+
+  // Sort newest-first; everything beyond `retain` is evictable.
+  candidates.sort((a, b) => b.mtimeMs - a.mtimeMs);
+  for (const victim of candidates.slice(retain)) {
+    try {
+      unlinkSync(victim.path);
+    } catch {
+      // best-effort
+    }
+  }
+}
+
+/** Test-injection hook: lets tests force eviction without writing a new grammar. */
+export function _evictCacheForTest(retain?: number): void {
+  evictBeyondRetainCount(retain);
+}
+
 function sha256(bytes: Uint8Array): string {
   return createHash('sha256').update(bytes).digest('hex');
 }
@@ -271,6 +384,9 @@ export async function loadGrammar(
       }
       const lang = await Language.load(bytes);
       loadedGrammars.set(language, lang);
+      // F-011 LRU: mark this entry as most-recently-used so it survives
+      // future evictions.
+      touchCacheFile(cachePath);
       return lang;
     }
   }
@@ -326,6 +442,9 @@ export async function loadGrammar(
       }
       throw e;
     }
+    // F-011 LRU: prune cache to retain count after every successful write.
+    // Best-effort — eviction failure never blocks a load.
+    evictBeyondRetainCount();
   } catch (e) {
     // Cache write failure is non-fatal — we still have `body` in memory and
     // can load directly. Log to stderr per VR-USER-ERROR-MESSAGES style.

package/src/detect/adapters/types.ts

@@ -4,8 +4,7 @@
 /**
  * Plan 3b — Phase 1: AST Adapter contract types.
  *
- * Lives at `packages/core/src/detect/adapters/types.ts` per the spec doc
- * (`docs/internal/2026-04-26-ast-lsp-spec.md` §2). All types are local —
+ * Lives at `packages/core/src/detect/adapters/types.ts`. All types are local —
  * NONE re-exported from `web-tree-sitter`.
  *
  * Adapter authors import from this module only; the runner (`runner.ts`)

package/src/detect/migrate.ts

@@ -192,7 +192,7 @@ export function migrateV1ToV2(
     framework.languages = languageEntries;
   }
   // P1-004: preserve any v1Framework subkey the explicit rebuild didn't emit
-  // (e.g., hedge's `framework.{python, rust, swift, typescript}` language sub-blocks).
+  // (e.g., a multi-runtime monorepo's `framework.{python, rust, swift, typescript}` language sub-blocks).
   preserveNestedSubkeys(v1Framework, framework);
 
   // Paths: preserve user-set fields; fill `source` from detection if user had 'src' default.
@@ -234,13 +234,13 @@ export function migrateV1ToV2(
     if (typeof v1Paths[k] === 'string') paths[k] = v1Paths[k];
   }
   // P1-005: preserve any v1Paths subkey the explicit rebuild didn't emit
-  // (e.g., hedge's 19 custom `paths.*` entries like adr, plans, monorepo_root).
+  // (e.g., a downstream consumer's 19 custom `paths.*` entries like adr, plans, monorepo_root).
   preserveNestedSubkeys(v1Paths, paths);
 
   const verification = buildVerificationBlock(detection, v1Verification);
 
   // P1-006: build project block with nested passthrough so custom subkeys
-  // (e.g., hedge's `project.description`) survive the migration.
+  // (e.g., a downstream consumer's `project.description`) survive the migration.
   const project: Record<string, unknown> = {
     name: typeof v1Project.name === 'string' ? v1Project.name : 'my-project',
     root: typeof v1Project.root === 'string' ? v1Project.root : 'auto',
@@ -265,7 +265,7 @@ export function migrateV1ToV2(
 
   // P1-001: preserve any v1 top-level key not already handled by the explicit
   // migrator. This is the generalization of PRESERVED_FIELDS — custom sections
-  // like `services`, `workflow`, `north_stars` (hedge) now pass through.
+  // like `services`, `workflow`, `north_stars` now pass through.
   //
   // `detection` is intentionally NOT in handledTopLevel: when a v2 config is
   // fed back in (idempotence check at migrate.ts:16), the existing `detection`

package/src/lsp/auto-detect.ts

@@ -77,7 +77,12 @@ export async function findRunningLSPs(
  * passing it to `LSPClient.fromCommand`. The factory rejects relative paths
  * and `..`-containing argv elements.
  */
-function splitCommand(server: { language: string; command: string }): LSPServerSpec {
+function splitCommand(server: {
+  language: string;
+  command: string;
+  allow_setuid?: boolean;
+  max_rss_mb?: number;
+}): LSPServerSpec {
   const cmd = (server.command ?? '').trim();
   // Whitespace split — not a full shell parser. Quoted args with spaces are
   // not supported at v1; users with such commands should run a wrapper script.
@@ -85,5 +90,9 @@ function splitCommand(server: { language: string; command: string }): LSPServerS
   return {
     language: server.language,
     argv,
+    // F-014 / F-015 (closed 2026-05-06): pass through the security knobs
+    // from config so the spawn surface enforces them.
+    allowSetuid: server.allow_setuid ?? false,
+    maxRssMb: server.max_rss_mb ?? undefined,
   };
 }

package/src/lsp/client.ts

@@ -33,8 +33,9 @@
  * ESM imports throughout.
  */
 
-import { spawn, type ChildProcess } from 'child_process';
-import { isAbsolute } from 'path';
+import { spawn, spawnSync, type ChildProcess } from 'child_process';
+import { lstatSync, realpathSync } from 'fs';
+import { isAbsolute, resolve as resolvePath } from 'path';
 import {
   DefinitionResponseSchema,
   DocumentSymbolResponseSchema,
@@ -215,6 +216,166 @@ export interface LSPServerSpec {
   argv: string[];
   /** When true, allow non-absolute argv[0]. Default false (security). */
   allowRelativePath?: boolean;
+  /**
+   * F-014 (closed 2026-05-06): when true, allow argv[0] to be a SUID/SGID
+   * binary (or symlink resolving to one). Default false. SUID binaries
+   * inherit elevated privileges from the kernel at exec time; Node has no
+   * post-spawn way to strip them. The user-trust boundary is at config
+   * time, but a defensive lstat catches accidental misconfigs (e.g.
+   * pointing argv[0] at a system tool).
+   */
+  allowSetuid?: boolean;
+  /**
+   * F-015 (closed 2026-05-06): RSS budget in MB. The watchdog polls
+   * `ps -p <pid> -o rss=` every WATCHDOG_INTERVAL_MS and SIGKILLs the
+   * child if RSS exceeds this budget for two consecutive samples.
+   * Default 1024 (1 GB). Set to 0 to disable the watchdog.
+   */
+  maxRssMb?: number;
+}
+
+// ============================================================
+// Typed errors — F-014, F-015 (closed 2026-05-06)
+// ============================================================
+
+/**
+ * Thrown by `LSPClient.fromCommand` when argv[0] (or its symlink target)
+ * has the SUID/SGID bit set and `spec.allowSetuid: true` was not opted in.
+ *
+ * Why throw rather than silently accept: SUID binaries inherit elevated
+ * privileges from the kernel at exec time. Node cannot strip them
+ * post-spawn. A user who wants this MUST opt in explicitly so the
+ * decision is auditable in their config.
+ */
+export class LspBinaryIsSetuidError extends Error {
+  public readonly path: string;
+  public readonly mode: number;
+  constructor(path: string, mode: number) {
+    super(
+      `LSPClient.fromCommand: refused SUID/SGID binary at "${path}" ` +
+        `(mode=${mode.toString(8)}). The kernel will exec this with ` +
+        `elevated privileges; Node cannot strip that post-spawn. ` +
+        `Set spec.allowSetuid: true to opt in (auditable in config).`,
+    );
+    this.name = 'LspBinaryIsSetuidError';
+    this.path = path;
+    this.mode = mode;
+  }
+}
+
+/**
+ * Constants for the F-015 RSS watchdog. Exported so tests can inspect
+ * (and so a future config can override per-deployment if needed).
+ */
+export const DEFAULT_LSP_MAX_RSS_MB = 1024;
+export const LSP_WATCHDOG_INTERVAL_MS = 30_000;
+/**
+ * Number of consecutive over-budget samples required before SIGKILL.
+ * Avoids killing a server that briefly spikes during indexing — only
+ * sustained over-budget triggers eviction.
+ */
+export const LSP_WATCHDOG_OVERBUDGET_SAMPLES = 2;
+
+/**
+ * F-014 helper: detect SUID/SGID bits on a file. Follows the chain via
+ * lstat then statSync(realpath) so a symlink to a SUID binary is also
+ * caught. Returns null if the file doesn't exist or the stat fails.
+ *
+ * Bit semantics (per stat(2)):
+ *   - 0o4000 = SUID (set-user-ID on execution)
+ *   - 0o2000 = SGID (set-group-ID on execution)
+ */
+export function _detectSetuid(path: string): { hasSetuid: boolean; mode: number; resolvedPath: string } | null {
+  // First lstat — if argv[0] itself is a symlink, follow it via realpath.
+  let resolved = path;
+  try {
+    const linkStat = lstatSync(path);
+    if (linkStat.isSymbolicLink()) {
+      resolved = realpathSync(path);
+    }
+  } catch {
+    return null;
+  }
+  // Now stat the resolved (non-symlink) target.
+  try {
+    const targetStat = lstatSync(resolved);
+    const mode = targetStat.mode;
+    return {
+      hasSetuid: (mode & 0o4000) !== 0 || (mode & 0o2000) !== 0,
+      mode,
+      resolvedPath: resolved,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * F-015 helper: probe a child's RSS in MB via `ps -p <pid> -o rss=`.
+ * Returns null if ps fails (e.g., process already gone, or non-POSIX
+ * platform without ps). Best-effort — watchdog treats null as "no
+ * sample, don't count toward over-budget streak."
+ */
+export function _probeChildRssMb(pid: number): number | null {
+  try {
+    const result = spawnSync('ps', ['-o', 'rss=', '-p', String(pid)], {
+      encoding: 'utf-8',
+      timeout: 5_000,
+    });
+    if (result.status !== 0 || !result.stdout) return null;
+    const rssKb = parseInt(result.stdout.trim(), 10);
+    if (!Number.isFinite(rssKb) || rssKb < 0) return null;
+    return Math.round((rssKb / 1024) * 10) / 10;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * F-015 helper: install an interval-based RSS watchdog on a spawned child.
+ * Returns the watchdog handle (interval id + cleanup) so the caller can
+ * stop it on transport shutdown / process exit.
+ *
+ * The watchdog SIGKILLs the child if RSS exceeds the budget for
+ * `LSP_WATCHDOG_OVERBUDGET_SAMPLES` consecutive samples. Killing emits a
+ * stderr warning naming the LSP language and the breach.
+ */
+export function _startRssWatchdog(
+  child: ChildProcess,
+  language: string,
+  maxRssMb: number,
+  intervalMs: number = LSP_WATCHDOG_INTERVAL_MS,
+): { stop: () => void } {
+  if (maxRssMb <= 0) return { stop: () => { /* disabled */ } };
+  let overBudgetStreak = 0;
+  const tick = (): void => {
+    if (!child.pid || child.killed || child.exitCode !== null) return;
+    const rss = _probeChildRssMb(child.pid);
+    if (rss === null) return; // no sample; don't penalise
+    if (rss > maxRssMb) {
+      overBudgetStreak += 1;
+      process.stderr.write(
+        `[massu/lsp] WARN: ${language} server RSS=${rss}MB > budget ${maxRssMb}MB ` +
+          `(streak=${overBudgetStreak}/${LSP_WATCHDOG_OVERBUDGET_SAMPLES})\n`,
+      );
+      if (overBudgetStreak >= LSP_WATCHDOG_OVERBUDGET_SAMPLES) {
+        process.stderr.write(
+          `[massu/lsp] KILLING ${language} server pid=${child.pid}: ` +
+            `sustained RSS over budget. (F-015 watchdog)\n`,
+        );
+        try { child.kill('SIGKILL'); } catch { /* best-effort */ }
+        clearInterval(handle);
+      }
+    } else {
+      overBudgetStreak = 0;
+    }
+  };
+  const handle = setInterval(tick, intervalMs);
+  // Don't keep the event loop alive solely for the watchdog.
+  if (typeof handle.unref === 'function') handle.unref();
+  return {
+    stop: () => clearInterval(handle),
+  };
 }
 
 // ============================================================
@@ -309,6 +470,20 @@ export class LSPClient {
       );
     }
 
+    // F-014 (closed 2026-05-06): SUID/SGID bit detection. We only check
+    // when argv[0] is absolute (post the relative-path gate) — for
+    // allowRelativePath shapes the user has explicitly accepted that
+    // PATH-resolution semantics apply, including any SUID a binary
+    // resolved from PATH might have. Resolve the path to an absolute
+    // form so the lstat target is unambiguous.
+    if (!spec.allowSetuid) {
+      const absExe = isAbsolute(exe) ? exe : resolvePath(exe);
+      const det = _detectSetuid(absExe);
+      if (det !== null && det.hasSetuid) {
+        throw new LspBinaryIsSetuidError(det.resolvedPath, det.mode);
+      }
+    }
+
     const child = spawn(exe, spec.argv.slice(1), {
       stdio: ['pipe', 'pipe', 'pipe'],
       // Explicitly NO `shell: true` — argv array form is the security
@@ -324,6 +499,17 @@ export class LSPClient {
         LANG: process.env.LANG ?? 'C.UTF-8',
       },
     });
+
+    // F-015 (closed 2026-05-06): RSS watchdog. Polls every 30s, kills
+    // child after sustained over-budget. Disabled when maxRssMb === 0.
+    const maxRssMb = spec.maxRssMb ?? DEFAULT_LSP_MAX_RSS_MB;
+    const watchdog = _startRssWatchdog(child, spec.language, maxRssMb);
+
+    // Stop the watchdog when the child exits naturally so the interval
+    // doesn't outlive the process.
+    child.once('exit', () => watchdog.stop());
+    child.once('error', () => watchdog.stop());
+
     return new LSPClient(createStdioTransport(child), options);
   }
 

package/src/watch/daemon.ts

@@ -329,7 +329,7 @@ export async function startDaemon(projectRoot: string, hooks: DaemonHooks): Prom
     // (throws WatchSurfaceTooLargeError) if the configured globs would
     // monitor more files than `watch.max_watched_files` AND the user has
     // not set `watch.paths_full_root_opt_in: true`. Prevents the misconfig
-    // pattern that produced 30-100% sustained CPU on Hedge.
+    // pattern that produced 30-100% sustained CPU on a large monorepo.
     const cap = cfgYaml.watch?.max_watched_files ?? 10_000;
     const optedIn = cfgYaml.watch?.paths_full_root_opt_in ?? false;
     const t0 = now();

package/src/watch/paths.ts

@@ -49,7 +49,7 @@ export const DEFAULT_EXCLUSIONS = [
   '**/.mypy_cache/**',
   // Plan 3a hotfix 2026-05-02: high-churn directories that are never
   // legitimate stack-detection inputs and produced sustained 30-100% CPU
-  // when watched on Hedge (62K files / 42 GB tree).
+  // when watched on a large monorepo (62K files / 42 GB tree).
   '**/.next/**',
   '**/coverage/**',
   '**/logs/**',
@@ -57,7 +57,7 @@ export const DEFAULT_EXCLUSIONS = [
   // Runtime data dirs. Convention across Python/JS/Rust ecosystems is
   // that `data/` holds runtime artifacts (caches, snapshots, model
   // checkpoints, downloaded fixtures) that change frequently but are
-  // never stack-detection inputs. Hedge had 135K files in
+  // never stack-detection inputs. A large monorepo had 135K files in
   // apps/ai-service/data alone, dwarfing legitimate source. If a
   // project genuinely uses `data/` for source content, opt into
   // `watch.scope: 'full'` and `watch.paths_full_root_opt_in: true`.