@massu/core 1.4.0-soak.0 → 1.5.0

package/src/lib/fileLock.ts

@@ -0,0 +1,203 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Generic synchronous file-lock primitive built on `proper-lockfile`.
+ *
+ * Plan 3c gap-59 deliverable. Single source of truth for "acquire-lock,
+ * run fn, release on every exit path" across the codebase. Both
+ * `lib/installLock.ts:withInstallLock` (Plan 3a installAll serialization)
+ * AND `security/manifest-cache.ts:refreshManifest` (Plan 3c manifest
+ * cache writes) MUST delegate to `withFileLockSync` here — there is NO
+ * parallel lock implementation in the codebase per CR-46 / Rule 0
+ * (single-source-of-truth for lock semantics).
+ *
+ * What this primitive provides:
+ * 1. mkdirSync the lock parent dir if absent (fresh-repo / fresh-home case).
+ * 2. proper-lockfile.lockSync acquires the lock; we wrap the manual retry
+ *    loop because lockSync rejects retries>0 (`Cannot use retries with
+ *    the sync api` per node_modules/proper-lockfile/lib/adapter.js).
+ * 3. Surface ELOCKED (POSIX) and EBUSY (Windows) as the same FileLockBusyError.
+ * 4. Persist the lock-holder PID alongside the lock as `<lockPath>.pid` so
+ *    the next contender can include it in a user-friendly error message.
+ * 5. Default 30s block-then-bail per Plan 3a §190; configurable per-callsite.
+ * 6. `errorFactory` opt lets callers customize the busy-error class so
+ *    domain-specific helpers (`InstallLockBusyError`, future Phase 5
+ *    `ManifestCacheBusyError`) can extend the base type without each
+ *    re-implementing the lock logic.
+ *
+ * NOT provided by this primitive:
+ * - Async variant (`withFileLockAsync`). The current Phase 5 cache-write
+ *   path resolves the async fetch BEFORE acquiring the lock, so the lock
+ *   is held only during the brief sync atomicWrite. Async-while-holding-
+ *   the-lock would deadlock under contention; the design is "fetch first,
+ *   then lock-for-write only".
+ * - Reentrancy. `proper-lockfile.lockSync` is non-reentrant; calling
+ *   withFileLockSync recursively from inside its own `fn` will fail with
+ *   ELOCKED. Plan 3a observed and documented this in
+ *   __tests__/watch/config-refresh-autoyes.test.ts:129.
+ */
+
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'fs';
+import { dirname } from 'path';
+import * as lockfile from 'proper-lockfile';
+
+export interface FileLockOpts {
+  /** Default 30s — proper-lockfile considers a lock stale after this elapses. */
+  staleMs?: number;
+  /**
+   * How long the manual retry loop should block waiting for the holder to
+   * release before bailing with the busy error. Default 30s.
+   * Pass `0` to bail immediately (used in tests).
+   */
+  blockMs?: number;
+  /** Sleep granularity inside the retry loop. Default 100ms. */
+  pollIntervalMs?: number;
+  /**
+   * Backwards-compat: legacy callers pass `retries: 0` to mean "do not
+   * block". When set to a positive integer, used by tests that want to
+   * exercise a specific retry count instead of the default time-based loop.
+   */
+  retries?: number;
+  /** Override clock (test seam). */
+  now?: () => number;
+  /** Override sleep (test seam). Defaults to a busy-wait spinloop. */
+  sleep?: (ms: number) => void;
+  /**
+   * Optional custom busy-error factory. When provided, the default
+   * FileLockBusyError throw is replaced with whatever this factory returns.
+   * Domain-specific callers (installLock, manifest-cache) use this to
+   * keep their own user-facing error types and messages.
+   */
+  errorFactory?: (
+    lockPath: string,
+    holderPid: number | null,
+    retryAfterSeconds: number,
+    causeCode: string | undefined,
+  ) => Error;
+}
+
+export class FileLockBusyError extends Error {
+  constructor(
+    public lockPath: string,
+    public holderPid: number | null,
+    public retryAfterSeconds: number,
+    public causeCode?: string,
+  ) {
+    const pidPart = holderPid != null ? `(PID=${holderPid})` : '(PID=unknown)';
+    super(`File lock at ${lockPath} held by another process ${pidPart} — try again in ${retryAfterSeconds}s`);
+    this.name = 'FileLockBusyError';
+  }
+}
+
+/**
+ * Best-effort: read the PID of the current lock holder from the
+ * `<lockPath>.pid` sidecar file. Returns null on any read error.
+ */
+export function readLockHolderPid(lockPath: string): number | null {
+  try {
+    const raw = readFileSync(`${lockPath}.pid`, 'utf-8').trim();
+    const pid = Number.parseInt(raw, 10);
+    if (!Number.isFinite(pid) || pid <= 0) return null;
+    return pid;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * CR-9 audit L3 fix: REQUIRES SharedArrayBuffer + Atomics for the sync
+ * wait. The prior fallback (a tight `while (Date.now() < end)` spinloop)
+ * burned 100% CPU on environments without Atomics — typically sandboxed
+ * serverless runtimes — making contended manifest refreshes a DoS
+ * surface against the host. With this throw, callers running on
+ * Atomics-less environments fail loudly + early instead of silently
+ * spinning.
+ */
+export function busyWaitSync(ms: number): void {
+  if (typeof SharedArrayBuffer === 'undefined' || typeof Atomics === 'undefined') {
+    throw new Error(
+      `withFileLockSync requires SharedArrayBuffer + Atomics for its retry-loop wait. ` +
+      `This Node runtime does not provide them — refusing to fall back to a CPU spinloop. ` +
+      `If you hit this in a sandboxed serverless env, the fix is to perform the ` +
+      `lock-protected operation in a host runtime that supports Atomics.`,
+    );
+  }
+  const sab = new SharedArrayBuffer(4);
+  const view = new Int32Array(sab);
+  Atomics.wait(view, 0, 0, ms);
+}
+
+/**
+ * Acquire the lock at `lockPath`, run `fn`, release on every exit path.
+ * Synchronous all the way through. See module-level doc for guarantees.
+ *
+ * Throws:
+ * - The result of `opts.errorFactory(...)` if provided AND lock is busy
+ *   beyond `blockMs`. Otherwise throws FileLockBusyError.
+ * - Any non-ELOCKED/EBUSY filesystem error from proper-lockfile is
+ *   re-thrown unchanged.
+ */
+export function withFileLockSync<T>(lockPath: string, fn: () => T, opts: FileLockOpts = {}): T {
+  // Ensure the lock's parent directory exists. Fresh repos / fresh user-home
+  // .massu/ may not have the parent yet.
+  mkdirSync(dirname(lockPath), { recursive: true });
+
+  const staleMs = opts.staleMs ?? 30_000;
+  const blockMs = opts.retries === 0 ? 0 : (opts.blockMs ?? 30_000);
+  const pollIntervalMs = opts.pollIntervalMs ?? 100;
+  const now = opts.now ?? Date.now;
+  const sleep = opts.sleep ?? busyWaitSync;
+  const makeBusyError =
+    opts.errorFactory ??
+    ((path, pid, retrySeconds, code) => new FileLockBusyError(path, pid, retrySeconds, code));
+
+  let release: (() => void) | null = null;
+  const deadline = now() + blockMs;
+
+  for (;;) {
+    try {
+      release = lockfile.lockSync(lockPath, {
+        stale: staleMs,
+        retries: 0,
+        realpath: false,
+      });
+      try {
+        writeFileSync(`${lockPath}.pid`, String(process.pid), 'utf-8');
+      } catch {
+        // best-effort
+      }
+      break;
+    } catch (err) {
+      const e = err as NodeJS.ErrnoException;
+      const code = e.code;
+      if (code !== 'ELOCKED' && code !== 'EBUSY') {
+        throw err;
+      }
+      if (now() >= deadline) {
+        const holderPid = readLockHolderPid(lockPath);
+        const remainingMs = Math.max(0, deadline - now());
+        const retryAfterSeconds = blockMs === 0
+          ? Math.round(staleMs / 1000)
+          : Math.round(remainingMs / 1000);
+        throw makeBusyError(lockPath, holderPid, retryAfterSeconds, code);
+      }
+      sleep(pollIntervalMs);
+    }
+  }
+
+  try {
+    return fn();
+  } finally {
+    try {
+      if (release) release();
+    } catch {
+      // best-effort
+    }
+    try {
+      rmSync(`${lockPath}.pid`, { force: true });
+    } catch {
+      // best-effort
+    }
+  }
+}

package/src/lib/installLock.ts

@@ -8,49 +8,29 @@
  * `runConfigRefresh` path AND the watcher auto-trigger. Without
  * serialization, two concurrent callers can race on `.claude/commands/`
  * file writes. proper-lockfile gives us atomic mkdir-based locks that
- * work cross-platform; we wrap it to:
+ * work cross-platform.
  *
- *   1. mkdirSync the lock dir (fresh repos may not have `.massu/`)
- *   2. surface ELOCKED (POSIX) and EBUSY (Windows) as the same error
- *   3. keep installAll() synchronous (lockSync, not lock)
+ * Plan 3c gap-59 / Rule 0 single-source-of-truth refactor (commit pending,
+ * 2026-05-07): the proper-lockfile-wrapping logic + manual retry loop +
+ * .pid sidecar bookkeeping now lives in `lib/fileLock.ts:withFileLockSync`.
+ * This file is a thin domain-specific wrapper that:
+ *   1. Computes the project-root-anchored lockPath
+ *   2. Delegates to withFileLockSync via an `errorFactory` that returns
+ *      `InstallLockBusyError` (preserving the exact error message format
+ *      Plan 3a §243 specified and the install-lock tests assert)
  *
- * Plan §190 retry behavior: "second caller blocks up to 30s, then bails".
- * proper-lockfile's `lockSync` REJECTS `retries>0` (see node_modules/
- * proper-lockfile/lib/adapter.js: `Cannot use retries with the sync api`).
- * We implement the retry-block manually via a `lockfile.checkSync` /
- * `lockSync` loop with a busy-wait sleep.
- *
- * iter-3 (third pass, G3-iter3-1+2): align error message with plan §243
- * format `"installAll already running (PID=X) — try again in <N>s"` AND
- * add the manual retry-block loop.
+ * Plan 3a §190 retry behavior preserved: "second caller blocks up to 30s,
+ * then bails". InstallLockBusyError instances continue to expose
+ * `lockPath`, `holderPid`, `retryAfterSeconds`, `causeCode` — backwards-
+ * compatible for any caller that does `instanceof InstallLockBusyError`.
  */
 
-import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'fs';
-import { dirname, resolve } from 'path';
-import * as lockfile from 'proper-lockfile';
+import { resolve } from 'path';
+import { withFileLockSync, type FileLockOpts } from './fileLock.js';
 
-export interface InstallLockOpts {
-  /** Default 30s — proper-lockfile considers a lock stale after this elapses. */
-  staleMs?: number;
-  /**
-   * How long the manual retry loop should block waiting for the holder to
-   * release before bailing with `InstallLockBusyError`. Default 30s per
-   * plan §190 ("second caller blocks up to 30s, then bails").
-   * Pass `0` to bail immediately (used in tests).
-   */
-  blockMs?: number;
-  /** Sleep granularity inside the retry loop. Default 100ms. */
-  pollIntervalMs?: number;
-  /**
-   * Backwards-compat: legacy callers pass `retries: 0` to mean "do not
-   * block". When set to a positive integer, used by tests that want to
-   * exercise a specific retry count instead of the default time-based loop.
-   */
-  retries?: number;
-  /** Override clock (test seam). */
-  now?: () => number;
-  /** Override sleep (test seam). Defaults to a busy-wait spinloop. */
-  sleep?: (ms: number) => void;
+export interface InstallLockOpts extends FileLockOpts {
+  // No additional fields — all options come from FileLockOpts. This alias
+  // preserves the public surface for any caller that imported `InstallLockOpts`.
 }
 
 export class InstallLockBusyError extends Error {
@@ -67,113 +47,20 @@ export class InstallLockBusyError extends Error {
 }
 
 /**
- * Best-effort: read the PID of the current lock holder. proper-lockfile
- * stores the lock as a directory at `<lockPath>` containing nothing PID-
- * identifying, so we look at our own sidecar `<lockPath>.pid` file (written
- * by the lock acquirer below). On any read error we return null so the
- * error message degrades gracefully to `(PID=unknown)`.
- */
-function readHolderPid(lockPath: string): number | null {
-  try {
-    const raw = readFileSync(`${lockPath}.pid`, 'utf-8').trim();
-    const pid = Number.parseInt(raw, 10);
-    if (!Number.isFinite(pid) || pid <= 0) return null;
-    return pid;
-  } catch {
-    return null;
-  }
-}
-
-function busyWaitSync(ms: number): void {
-  const end = Date.now() + ms;
-  // Atomics.wait against a SharedArrayBuffer is the cleanest portable sync
-  // sleep; fall back to a tight loop if SharedArrayBuffer is unavailable
-  // (older runtimes / sandboxed envs).
-  if (typeof SharedArrayBuffer !== 'undefined' && typeof Atomics !== 'undefined') {
-    const sab = new SharedArrayBuffer(4);
-    const view = new Int32Array(sab);
-    Atomics.wait(view, 0, 0, ms);
-    return;
-  }
-  while (Date.now() < end) {
-    // Spin — this should never run on modern Node, kept as belt-and-suspenders.
-  }
-}
-
-/**
- * Acquire the lock, run `fn`, release on every exit path.
- * Synchronous all the way through so installAll() keeps its sync signature.
+ * Acquire the install lock for `projectRoot`, run `fn`, release on every
+ * exit path. Throws `InstallLockBusyError` when the lock is held beyond
+ * `blockMs`. See `lib/fileLock.ts:withFileLockSync` for the underlying
+ * primitive.
  */
 export function withInstallLock<T>(projectRoot: string, fn: () => T, opts: InstallLockOpts = {}): T {
   const lockPath = resolve(projectRoot, '.massu', 'installAll.lock');
-  // iter-3 G3-A11: ensure parent dir exists (fresh repo case).
-  mkdirSync(dirname(lockPath), { recursive: true });
-
-  const staleMs = opts.staleMs ?? 30_000;
-  // `retries: 0` legacy path = bail immediately, no wait.
-  // Otherwise default to plan §190's 30s block.
-  const blockMs = opts.retries === 0
-    ? 0
-    : (opts.blockMs ?? 30_000);
-  const pollIntervalMs = opts.pollIntervalMs ?? 100;
-  const now = opts.now ?? Date.now;
-  const sleep = opts.sleep ?? busyWaitSync;
-
-  let release: (() => void) | null = null;
-  const deadline = now() + blockMs;
-  let lastErr: NodeJS.ErrnoException | null = null;
-
-  // Manual retry loop. proper-lockfile.lockSync forbids retries>0, so we
-  // wrap it ourselves: try → on ELOCKED/EBUSY, sleep → try again until
-  // deadline. This satisfies plan §190 "second caller blocks up to 30s".
-  for (;;) {
-    try {
-      release = lockfile.lockSync(lockPath, {
-        stale: staleMs,
-        retries: 0,
-        realpath: false,
-      });
-      // Persist our PID alongside the lock so the next contender can include
-      // it in the user-friendly error per plan §243 format.
-      try {
-        writeFileSync(`${lockPath}.pid`, String(process.pid), 'utf-8');
-      } catch {
-        // best-effort
-      }
-      break;
-    } catch (err) {
-      lastErr = err as NodeJS.ErrnoException;
-      const code = lastErr.code;
-      if (code !== 'ELOCKED' && code !== 'EBUSY') {
-        throw err;
-      }
-      if (now() >= deadline) {
-        const holderPid = readHolderPid(lockPath);
-        const remainingMs = Math.max(0, deadline - now());
-        // Surface a hint about how long the *next* poll cycle should wait.
-        // When `blockMs=0` the user got bail-immediately semantics; report
-        // the staleness window so they know the lock auto-releases in N s.
-        const retryAfterSeconds = blockMs === 0
-          ? Math.round(staleMs / 1000)
-          : Math.round(remainingMs / 1000);
-        throw new InstallLockBusyError(lockPath, holderPid, retryAfterSeconds, code);
-      }
-      sleep(pollIntervalMs);
-    }
-  }
-
-  try {
-    return fn();
-  } finally {
-    try {
-      if (release) release();
-    } catch {
-      // best-effort
-    }
-    try {
-      rmSync(`${lockPath}.pid`, { force: true });
-    } catch {
-      // best-effort
-    }
-  }
+  return withFileLockSync(
+    lockPath,
+    fn,
+    {
+      ...opts,
+      errorFactory: (path, pid, retrySeconds, code) =>
+        new InstallLockBusyError(path, pid, retrySeconds, code),
+    },
+  );
 }

package/src/lsp/auto-detect.ts

@@ -77,7 +77,12 @@ export async function findRunningLSPs(
  * passing it to `LSPClient.fromCommand`. The factory rejects relative paths
  * and `..`-containing argv elements.
  */
-function splitCommand(server: { language: string; command: string }): LSPServerSpec {
+function splitCommand(server: {
+  language: string;
+  command: string;
+  allow_setuid?: boolean;
+  max_rss_mb?: number;
+}): LSPServerSpec {
   const cmd = (server.command ?? '').trim();
   // Whitespace split — not a full shell parser. Quoted args with spaces are
   // not supported at v1; users with such commands should run a wrapper script.
@@ -85,5 +90,9 @@ function splitCommand(server: { language: string; command: string }): LSPServerS
   return {
     language: server.language,
     argv,
+    // F-014 / F-015 (closed 2026-05-06): pass through the security knobs
+    // from config so the spawn surface enforces them.
+    allowSetuid: server.allow_setuid ?? false,
+    maxRssMb: server.max_rss_mb ?? undefined,
   };
 }

package/src/lsp/client.ts

@@ -33,8 +33,9 @@
  * ESM imports throughout.
  */
 
-import { spawn, type ChildProcess } from 'child_process';
-import { isAbsolute } from 'path';
+import { spawn, spawnSync, type ChildProcess } from 'child_process';
+import { lstatSync, realpathSync } from 'fs';
+import { isAbsolute, resolve as resolvePath } from 'path';
 import {
   DefinitionResponseSchema,
   DocumentSymbolResponseSchema,
@@ -215,6 +216,166 @@ export interface LSPServerSpec {
   argv: string[];
   /** When true, allow non-absolute argv[0]. Default false (security). */
   allowRelativePath?: boolean;
+  /**
+   * F-014 (closed 2026-05-06): when true, allow argv[0] to be a SUID/SGID
+   * binary (or symlink resolving to one). Default false. SUID binaries
+   * inherit elevated privileges from the kernel at exec time; Node has no
+   * post-spawn way to strip them. The user-trust boundary is at config
+   * time, but a defensive lstat catches accidental misconfigs (e.g.
+   * pointing argv[0] at a system tool).
+   */
+  allowSetuid?: boolean;
+  /**
+   * F-015 (closed 2026-05-06): RSS budget in MB. The watchdog polls
+   * `ps -p <pid> -o rss=` every WATCHDOG_INTERVAL_MS and SIGKILLs the
+   * child if RSS exceeds this budget for two consecutive samples.
+   * Default 1024 (1 GB). Set to 0 to disable the watchdog.
+   */
+  maxRssMb?: number;
+}
+
+// ============================================================
+// Typed errors — F-014, F-015 (closed 2026-05-06)
+// ============================================================
+
+/**
+ * Thrown by `LSPClient.fromCommand` when argv[0] (or its symlink target)
+ * has the SUID/SGID bit set and `spec.allowSetuid: true` was not opted in.
+ *
+ * Why throw rather than silently accept: SUID binaries inherit elevated
+ * privileges from the kernel at exec time. Node cannot strip them
+ * post-spawn. A user who wants this MUST opt in explicitly so the
+ * decision is auditable in their config.
+ */
+export class LspBinaryIsSetuidError extends Error {
+  public readonly path: string;
+  public readonly mode: number;
+  constructor(path: string, mode: number) {
+    super(
+      `LSPClient.fromCommand: refused SUID/SGID binary at "${path}" ` +
+        `(mode=${mode.toString(8)}). The kernel will exec this with ` +
+        `elevated privileges; Node cannot strip that post-spawn. ` +
+        `Set spec.allowSetuid: true to opt in (auditable in config).`,
+    );
+    this.name = 'LspBinaryIsSetuidError';
+    this.path = path;
+    this.mode = mode;
+  }
+}
+
+/**
+ * Constants for the F-015 RSS watchdog. Exported so tests can inspect
+ * (and so a future config can override per-deployment if needed).
+ */
+export const DEFAULT_LSP_MAX_RSS_MB = 1024;
+export const LSP_WATCHDOG_INTERVAL_MS = 30_000;
+/**
+ * Number of consecutive over-budget samples required before SIGKILL.
+ * Avoids killing a server that briefly spikes during indexing — only
+ * sustained over-budget triggers eviction.
+ */
+export const LSP_WATCHDOG_OVERBUDGET_SAMPLES = 2;
+
+/**
+ * F-014 helper: detect SUID/SGID bits on a file. Follows the chain via
+ * lstat then statSync(realpath) so a symlink to a SUID binary is also
+ * caught. Returns null if the file doesn't exist or the stat fails.
+ *
+ * Bit semantics (per stat(2)):
+ *   - 0o4000 = SUID (set-user-ID on execution)
+ *   - 0o2000 = SGID (set-group-ID on execution)
+ */
+export function _detectSetuid(path: string): { hasSetuid: boolean; mode: number; resolvedPath: string } | null {
+  // First lstat — if argv[0] itself is a symlink, follow it via realpath.
+  let resolved = path;
+  try {
+    const linkStat = lstatSync(path);
+    if (linkStat.isSymbolicLink()) {
+      resolved = realpathSync(path);
+    }
+  } catch {
+    return null;
+  }
+  // Now stat the resolved (non-symlink) target.
+  try {
+    const targetStat = lstatSync(resolved);
+    const mode = targetStat.mode;
+    return {
+      hasSetuid: (mode & 0o4000) !== 0 || (mode & 0o2000) !== 0,
+      mode,
+      resolvedPath: resolved,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * F-015 helper: probe a child's RSS in MB via `ps -p <pid> -o rss=`.
+ * Returns null if ps fails (e.g., process already gone, or non-POSIX
+ * platform without ps). Best-effort — watchdog treats null as "no
+ * sample, don't count toward over-budget streak."
+ */
+export function _probeChildRssMb(pid: number): number | null {
+  try {
+    const result = spawnSync('ps', ['-o', 'rss=', '-p', String(pid)], {
+      encoding: 'utf-8',
+      timeout: 5_000,
+    });
+    if (result.status !== 0 || !result.stdout) return null;
+    const rssKb = parseInt(result.stdout.trim(), 10);
+    if (!Number.isFinite(rssKb) || rssKb < 0) return null;
+    return Math.round((rssKb / 1024) * 10) / 10;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * F-015 helper: install an interval-based RSS watchdog on a spawned child.
+ * Returns the watchdog handle (interval id + cleanup) so the caller can
+ * stop it on transport shutdown / process exit.
+ *
+ * The watchdog SIGKILLs the child if RSS exceeds the budget for
+ * `LSP_WATCHDOG_OVERBUDGET_SAMPLES` consecutive samples. Killing emits a
+ * stderr warning naming the LSP language and the breach.
+ */
+export function _startRssWatchdog(
+  child: ChildProcess,
+  language: string,
+  maxRssMb: number,
+  intervalMs: number = LSP_WATCHDOG_INTERVAL_MS,
+): { stop: () => void } {
+  if (maxRssMb <= 0) return { stop: () => { /* disabled */ } };
+  let overBudgetStreak = 0;
+  const tick = (): void => {
+    if (!child.pid || child.killed || child.exitCode !== null) return;
+    const rss = _probeChildRssMb(child.pid);
+    if (rss === null) return; // no sample; don't penalise
+    if (rss > maxRssMb) {
+      overBudgetStreak += 1;
+      process.stderr.write(
+        `[massu/lsp] WARN: ${language} server RSS=${rss}MB > budget ${maxRssMb}MB ` +
+          `(streak=${overBudgetStreak}/${LSP_WATCHDOG_OVERBUDGET_SAMPLES})\n`,
+      );
+      if (overBudgetStreak >= LSP_WATCHDOG_OVERBUDGET_SAMPLES) {
+        process.stderr.write(
+          `[massu/lsp] KILLING ${language} server pid=${child.pid}: ` +
+            `sustained RSS over budget. (F-015 watchdog)\n`,
+        );
+        try { child.kill('SIGKILL'); } catch { /* best-effort */ }
+        clearInterval(handle);
+      }
+    } else {
+      overBudgetStreak = 0;
+    }
+  };
+  const handle = setInterval(tick, intervalMs);
+  // Don't keep the event loop alive solely for the watchdog.
+  if (typeof handle.unref === 'function') handle.unref();
+  return {
+    stop: () => clearInterval(handle),
+  };
 }
 
 // ============================================================
@@ -309,6 +470,20 @@ export class LSPClient {
       );
     }
 
+    // F-014 (closed 2026-05-06): SUID/SGID bit detection. We only check
+    // when argv[0] is absolute (post the relative-path gate) — for
+    // allowRelativePath shapes the user has explicitly accepted that
+    // PATH-resolution semantics apply, including any SUID a binary
+    // resolved from PATH might have. Resolve the path to an absolute
+    // form so the lstat target is unambiguous.
+    if (!spec.allowSetuid) {
+      const absExe = isAbsolute(exe) ? exe : resolvePath(exe);
+      const det = _detectSetuid(absExe);
+      if (det !== null && det.hasSetuid) {
+        throw new LspBinaryIsSetuidError(det.resolvedPath, det.mode);
+      }
+    }
+
     const child = spawn(exe, spec.argv.slice(1), {
       stdio: ['pipe', 'pipe', 'pipe'],
       // Explicitly NO `shell: true` — argv array form is the security
@@ -324,6 +499,17 @@ export class LSPClient {
         LANG: process.env.LANG ?? 'C.UTF-8',
       },
     });
+
+    // F-015 (closed 2026-05-06): RSS watchdog. Polls every 30s, kills
+    // child after sustained over-budget. Disabled when maxRssMb === 0.
+    const maxRssMb = spec.maxRssMb ?? DEFAULT_LSP_MAX_RSS_MB;
+    const watchdog = _startRssWatchdog(child, spec.language, maxRssMb);
+
+    // Stop the watchdog when the child exits naturally so the interval
+    // doesn't outlive the process.
+    child.once('exit', () => watchdog.stop());
+    child.once('error', () => watchdog.stop());
+
     return new LSPClient(createStdioTransport(child), options);
   }
 

package/src/memory-file-ingest.ts

@@ -42,6 +42,7 @@ export function ingestMemoryFile(
 
   if (frontmatterMatch) {
     try {
+      // pattern-scanner-allow: yaml-parse — reason: parses YAML FRONTMATTER from markdown memory files (NOT massu.config.yaml). This is document metadata parsing, not application config access; getConfig() does not apply.
       const fm = parseYaml(frontmatterMatch[1]) as Record<string, unknown>;
       name = (fm.name as string) ?? basename;
       description = (fm.description as string) ?? '';