mindforge-cc 10.0.3 → 11.0.0

package/.mindforge/skills/zero-trust-architecture/SKILL.md

@@ -0,0 +1,166 @@
+---
+name: zero-trust-architecture
+version: 1.0.0
+min_mindforge_version: 10.1.1
+status: stable
+triggers: zero trust architecture, never trust always verify, micro-segmentation, identity-aware proxy, continuous verification, zero trust network, BeyondCorp, least privilege access, device posture, zero trust identity, mTLS everywhere, zero trust perimeter
+compose: auth-patterns
+---
+
+# Skill — Zero Trust Architecture
+
+## When this skill activates
+Any task involving network security architecture where traditional perimeter-based
+security is being replaced or augmented by identity-centric, continuous verification
+models. Includes mTLS implementation, micro-segmentation, identity-aware proxies,
+and BeyondCorp-style access patterns.
+
+## Mandatory actions when this skill is active
+
+### Before writing any code
+1. Inventory all communication flows (service-to-service, user-to-service, external).
+2. Define identity model (who/what can talk to whom under what conditions).
+3. Map trust boundaries — there are no trusted zones, only verified identities.
+4. Determine device posture requirements for user-facing access.
+
+### During implementation
+- Authenticate every request regardless of network origin.
+- Implement mTLS for all service-to-service communication.
+- Apply least privilege — grant minimum permissions needed, no more.
+- Never trust network location as a security signal.
+- Pass identity claims downstream (not just "authenticated: yes").
+- Re-verify identity on privilege escalation or sensitive operations.
+- Log all access decisions for audit.
+
+### After implementation
+- Verify default-deny is enforced (no open paths by accident).
+- Test that compromising one service doesn't grant lateral movement.
+- Confirm certificate rotation works automatically.
+- Validate device posture checks block non-compliant devices.
+- Audit that all flows are identity-verified.
+
+## Core Principles
+
+### The Three Pillars
+1. **Never trust, always verify** — Every request is treated as if from an open network.
+2. **Least privilege access** — Grant minimum permissions, scope tightly, time-bound when possible.
+3. **Assume breach** — Design as if attackers are already inside. Limit blast radius.
+
+### Trust Signals (Combined, Not Individual)
+- Identity (who is this? verified cryptographically).
+- Device (is this device healthy? patched? managed?).
+- Context (where, when, what resource, what action?).
+- Risk score (is this behavior anomalous?).
+
+## Identity-Aware Proxy
+
+### Pattern
+```
+User → Identity-Aware Proxy → Authenticate → Check Policy → Backend Service
+                                    ↓
+                            [Identity Provider]
+                            [Policy Engine]
+                            [Device Trust Store]
+```
+
+### Implementation
+- Proxy sits at the edge (or service mesh ingress).
+- Authenticates user via OIDC/SAML.
+- Checks policy engine for authorization.
+- Injects verified identity headers to backend.
+- Backend trusts proxy-injected headers (not user-supplied).
+
+### Tools
+- Google IAP, Cloudflare Access, Ory Oathkeeper, Pomerium.
+
+## Mutual TLS (mTLS)
+
+### Why
+- Encrypts traffic between services (confidentiality).
+- Cryptographically verifies both client and server identity (authentication).
+- Prevents unauthorized services from communicating.
+
+### Implementation
+- Use service mesh (Istio, Linkerd) for automatic mTLS.
+- Rotate certificates automatically (short-lived: 24h recommended).
+- Use SPIFFE/SPIRE for workload identity.
+- Never disable mTLS verification in production.
+
+### Certificate Management
+- Auto-issue via cert-manager or service mesh CA.
+- Short-lived certificates (hours, not years).
+- Automated rotation with zero downtime.
+- Certificate revocation for compromised services.
+
+## Micro-Segmentation
+
+### Approach
+1. Start with default-deny between all services.
+2. Declare allowed communication flows explicitly.
+3. Enforce at network layer (NetworkPolicy) AND application layer (authz).
+4. Segment by sensitivity level (PII services isolated from general services).
+
+### Example Policy
+```yaml
+# Only payment-service can talk to payment-db
+source: payment-service
+destination: payment-db
+port: 5432
+action: ALLOW
+
+# Everything else to payment-db
+source: *
+destination: payment-db
+action: DENY
+```
+
+## Device Posture
+
+### Checks Before Granting Access
+- OS version current (within N patches).
+- Disk encryption enabled.
+- Firewall active.
+- No known malware detected.
+- MDM-managed (for corporate devices).
+- Screen lock enabled.
+
+### Degraded Access
+- Non-compliant device → read-only access or blocked entirely.
+- Unknown device → step-up authentication required.
+- Jailbroken/rooted → zero access to sensitive resources.
+
+## Continuous Verification
+
+### Re-verify When
+- Session exceeds time threshold (e.g., every 1 hour).
+- User requests privilege escalation.
+- Anomalous behavior detected (impossible travel, unusual time).
+- Accessing higher-sensitivity resource than current level.
+- Device posture changes mid-session.
+
+### Risk-Based Response
+- Low risk → continue session.
+- Medium risk → step-up auth (MFA prompt).
+- High risk → terminate session, require full re-authentication.
+
+## BeyondCorp Model
+
+### Key Differences from VPN
+| Traditional VPN | BeyondCorp (Zero Trust) |
+|----------------|------------------------|
+| VPN = trusted zone | No trusted zone exists |
+| Once in, full access | Every request verified |
+| Network location = trust | Identity + device + context = trust |
+| Perimeter defense | Defense in depth everywhere |
+| Hard outside, soft inside | Uniformly hardened |
+
+## Self-check
+- [ ] All service-to-service communication uses mTLS.
+- [ ] Default-deny network policy in place.
+- [ ] Identity verified on every request (not just at edge).
+- [ ] Least privilege enforced (no over-permissioned service accounts).
+- [ ] Device posture checked for user access.
+- [ ] Continuous verification triggers defined.
+- [ ] Certificate rotation is automatic and tested.
+- [ ] Lateral movement prevented (compromise one service != access to others).
+- [ ] All access decisions logged for audit.

package/CHANGELOG.md

@@ -1,5 +1,245 @@
 # Changelog
 
+## [11.0.0] - 2026-05-28 — "Sovereign Stability"
+
+### Breaking Changes
+
+- `verifyZKProof()` returns structured `{ verified, reason }` instead of throwing
+- `signPQ()` returns `{ signature, simulated, algorithm }` object instead of raw string
+- Wave task execution order within waves is no longer deterministic
+- SDK bumped to 11.0.0 with new type exports
+- Dashboard tokens now expire after 24 hours
+- `TemporalHub.captureState()` and `rollbackTo()` are now async
+
+### Added
+
+- LRUMap utility class for bounded caches with eviction callbacks
+- Atomic JSON write primitives (write-to-temp, fsync, rename)
+- AUDIT.jsonl log rotation with gzip archival (max 5000 lines)
+- HANDOFF.json structural validation (fail-open)
+- Temporal snapshot garbage collection (retain 50, expire > 7 days)
+- BM25 scoring with document-length normalization
+- Persistent index cache (mtime-based invalidation)
+- Persistent adjacency index for knowledge graph
+- Correction effectiveness tracking in self-corrective synthesizer
+- Full remediation strategy implementations (CONTEXT_COMPRESSION, GOLDEN_TRACE_INJECTION, REASONING_RESTART)
+- Graduated intelligence interlock (+1/+2/MAX tier) with cost-awareness
+- 3-tier stuck detection (hash → length → truncated Levenshtein)
+- Adaptive context window (10/20/30 based on velocity)
+- Configurable external ZK verifier module path
+- Ephemeral SRE enclave keys (crypto.randomBytes)
+- Time-limited RBAC role elevation with auto-expiry
+- Session-scoped ZTAI agent registry
+- Dashboard rate limiting (100 req/min/IP) and token expiration (24h)
+- /api/v1/token/refresh endpoint
+- Optional GPG approval verification
+- GET /api/v1/system observability endpoint (heap, uptime, audit stats)
+- checkHeapHealth() with warning/critical thresholds
+- Remediation effectiveness persistence
+- Model router dynamic reload (mtime-based, 60s interval)
+- P95 latency ring buffer for cloud broker
+- EIS client with real fetch + 3-retry exponential backoff
+- Semaphore-based parallel wave execution (max concurrency configurable)
+- WebSocketEventStream with auto-reconnect
+- SDK streamExecution() with AsyncIterable<StreamChunk>
+- SDK batchExecute() with concurrent task execution
+- SDK validateRuntimeConfig()
+- Model streaming support (Anthropic, OpenAI, Gemini providers)
+- Migration script (bin/migrations/10.7.0-to-11.0.0.js)
+
+### Changed
+
+- sessionDriftHistory bounded to 500 entries via LRUMap
+- entropyCache bounded to 1000 entries via LRUMap
+- Cloud broker failure tracking uses 5-minute sliding window
+- Self-corrective synthesizer window expanded from 10 → 50 events
+- Context refactorer uses adaptive window instead of fixed 20
+
+### Fixed
+
+- Memory leaks from unbounded Maps in long-running sessions
+- Data corruption risk on process crash during state file writes
+- Disk exhaustion from unbounded AUDIT.jsonl and snapshot growth
+- Hardcoded SRE enclave private key (security issue)
+
+---
+
+## [10.7.0] - 2026-05-27 — "Platform Sovereign"
+
+### Added (v10.7.0)
+
+- **10 new core skills** — internal-developer-platform, self-serve-infrastructure, platform-reliability, developer-productivity-metrics, api-marketplace, build-system-optimization, secrets-platform, environment-management, platform-observability, migration-platform.
+- **6 new commands** — `/mindforge:platform`, `/mindforge:build-opt`, `/mindforge:secrets-mgmt`, `/mindforge:environments`, `/mindforge:observability-platform`, `/mindforge:migration-mgmt`.
+- **6 new personas** — platform-lead, build-engineer, environment-engineer, productivity-analyst, secrets-engineer, migration-architect.
+- **1 new swarm template** — PlatformSwarmV2 (HITL platform engineering + migration).
+- **200 core skills milestone** — Full coverage across 12 domains.
+- **Swarm templates v15.0.0** — 49 total templates.
+
+---
+
+## [10.6.0] - 2026-05-27 — "Data Alchemy"
+
+### Added (v10.6.0)
+
+- **10 new core skills** — causal-inference, feature-engineering, ml-monitoring, data-governance, stream-processing, data-lakehouse, experiment-platform, data-mesh, real-time-analytics, data-privacy-engineering.
+- **6 new commands** — `/mindforge:causal`, `/mindforge:lakehouse`, `/mindforge:data-mesh`, `/mindforge:stream`, `/mindforge:privacy-eng`, `/mindforge:realtime-analytics`.
+- **6 new personas** — causal-scientist, data-mesh-architect, stream-engineer, lakehouse-architect, privacy-engineer, analytics-engineer.
+- **1 new swarm template** — DataAlchemySwarm (HITL data architecture + privacy).
+
+---
+
+## [10.5.0] - 2026-05-27 — "AI Frontier"
+
+### Added (v10.5.0)
+
+- **10 new core skills** — multimodal-ai, ai-safety-alignment, synthetic-data-generation, model-evaluation, embedding-systems, llm-orchestration, knowledge-graphs, ml-feature-store, ai-cost-management, autonomous-agents.
+- **8 new commands** — `/mindforge:multimodal`, `/mindforge:ai-safety`, `/mindforge:embeddings`, `/mindforge:llm-route`, `/mindforge:knowledge-graph`, `/mindforge:feature-store`, `/mindforge:ai-cost`, `/mindforge:agent-design`.
+- **8 new personas** — multimodal-engineer, ai-safety-engineer, embedding-architect, llm-orchestrator, knowledge-engineer, feature-store-engineer, ai-economist, agent-architect.
+- **1 new swarm template** — AIFrontierSwarm (HITL AI system architecture + safety).
+
+---
+
+## [10.4.0] - 2026-05-27 — "Cross-Platform"
+
+### Added (v10.4.0)
+
+- **10 new core skills** — react-native-patterns, flutter-architecture, offline-first-design, progressive-web-app, mobile-performance, cross-platform-testing, app-store-deployment, mobile-security, responsive-native, push-notification-architecture.
+- **6 new commands** — `/mindforge:mobile`, `/mindforge:react-native`, `/mindforge:flutter`, `/mindforge:offline`, `/mindforge:pwa`, `/mindforge:push-notify`.
+- **6 new personas** — mobile-architect, react-native-engineer, flutter-engineer, offline-specialist, mobile-security-engineer, pwa-architect.
+- **1 new swarm template** — MobileSwarm (HITL cross-platform architecture).
+
+---
+
+## [10.3.0] - 2026-05-27 — "Leader's Edge"
+
+### Added (v10.3.0)
+
+- **10 new core skills** — technical-leadership, mentoring-patterns, stakeholder-communication, conflict-resolution, incident-communication, hiring-engineering, delegation-patterns, meeting-architecture, performance-reviews, change-management.
+- **6 new commands** — `/mindforge:lead`, `/mindforge:communicate`, `/mindforge:hire`, `/mindforge:delegate`, `/mindforge:meeting-design`, `/mindforge:change`.
+- **6 new personas** — tech-lead-coach, communication-architect, hiring-strategist, change-agent, meeting-designer, mentorship-lead.
+- **1 new swarm template** — LeadershipSwarm (HITL engineering leadership).
+
+---
+
+## [10.2.0] - 2026-05-27 — "Industry Forge"
+
+### Added (v10.2.0)
+
+- **10 new core skills** — healthcare-systems, fintech-patterns, ecommerce-architecture, gaming-backend, edtech-platform, saas-multi-tenant, media-streaming, iot-platform, marketplace-trust, logistics-optimization.
+- **8 new commands** — `/mindforge:healthcare`, `/mindforge:fintech`, `/mindforge:ecommerce`, `/mindforge:gaming`, `/mindforge:edtech`, `/mindforge:iot`, `/mindforge:marketplace`, `/mindforge:logistics`.
+- **8 new personas** — healthcare-engineer, fintech-architect, ecommerce-engineer, gaming-engineer, edtech-architect, iot-architect, marketplace-engineer, logistics-architect.
+- **1 new swarm template** — IndustryVerticalSwarm (HITL domain-specific architecture).
+- **150 core skills milestone** — Industry vertical coverage added.
+
+---
+
+## [10.1.1] - 2026-05-26 — "Scale & Edge"
+
+### Added (v10.1.1)
+
+- **10 new core skills** — edge-computing, serverless-patterns, container-security, zero-trust-architecture, ai-agent-deployment, distributed-consensus, data-pipeline-design, dns-architecture, cdn-optimization, database-sharding-advanced.
+- **6 new commands** — `/mindforge:edge`, `/mindforge:serverless`, `/mindforge:zero-trust`, `/mindforge:agent-deploy`, `/mindforge:data-pipeline`, `/mindforge:cdn`.
+- **6 new personas** — edge-engineer, zero-trust-engineer, agent-ops-engineer, consensus-engineer, data-pipeline-architect, cdn-architect.
+- **2 new swarm templates** — EdgeScaleSwarm (HITL edge + CDN), DistributedSwarm (HITL consensus + pipelines).
+- **140 core skills milestone** — Comprehensive coverage of emerging technology and massive-scale patterns.
+- **Swarm templates v14.0.0** — Bump from v13.0.0 with 2 new templates (total: 43 swarm templates).
+
+---
+
+## [10.1.0] - 2026-05-26 — "Strategic Intelligence"
+
+### Added (v10.1.0)
+
+- **20 new core skills** — build-vs-buy, technology-radar, architecture-tradeoff-analysis, technical-interview-design, post-incident-learning, team-topology-design, sprint-retrospective-facilitation, knowledge-sharing-systems, estimation-techniques, on-call-design, experiment-design, analytics-instrumentation, notification-system-design, payment-integration, email-deliverability, agent-memory-design, agent-evaluation-framework, multi-turn-conversation-design, agent-tool-selection, human-in-the-loop-design.
+- **10 new commands** — `/mindforge:build-vs-buy`, `/mindforge:tech-radar`, `/mindforge:team-topology`, `/mindforge:retro`, `/mindforge:experiment`, `/mindforge:analytics`, `/mindforge:payments`, `/mindforge:agent-memory`, `/mindforge:agent-eval`, `/mindforge:hitl`.
+- **8 new personas** — decision-architect, team-coach, knowledge-curator, experiment-designer, payments-engineer, agent-memory-designer, agent-evaluator, hitl-architect.
+- **3 new swarm templates** — DecisionSwarm (HITL decision quality), TeamDesignSwarm (HITL team topology), AgentMetaSwarm (autonomous self-improvement).
+- **130 core skills milestone** — Category expansion into decision science, team engineering, product patterns, and agent meta-intelligence.
+- **Minor version bump (10.1.0)** — Represents category expansion beyond pure engineering into strategy and meta-intelligence.
+- **Swarm templates v13.0.0** — Bump from v12.0.0 with 3 new templates (total: 41 swarm templates).
+
+---
+
+## [10.0.9] - 2026-05-26 — "Full Spectrum"
+
+### Added (v10.0.9)
+
+- **20 new core skills** — streaming-architecture, queue-design, real-time-sync, cost-estimation, technical-debt-management, capacity-planning, graceful-degradation, idempotency-patterns, rate-limiting-design, code-generation-patterns, dependency-management, git-workflow-design, i18n-architecture, a11y-testing, multi-tenancy-patterns, audit-logging, database-performance, bundle-optimization, graphql-patterns, pagination-patterns.
+- **10 new commands** — `/mindforge:stream`, `/mindforge:queue`, `/mindforge:finops`, `/mindforge:tech-debt`, `/mindforge:degrade`, `/mindforge:idempotent`, `/mindforge:rate-limit`, `/mindforge:i18n`, `/mindforge:multi-tenant`, `/mindforge:graphql`.
+- **8 new personas** — streaming-engineer, finops-analyst, debt-manager, resilience-engineer, codegen-specialist, i18n-architect, multi-tenancy-architect, graphql-designer.
+- **3 new swarm templates** — StreamingSwarm (HITL real-time), ResilienceSwarm (autonomous failure engineering), GovernanceSwarm (HITL data governance).
+- **110 core skills milestone** — Comprehensive coverage across all major software engineering domains achieved.
+- **Swarm templates v12.0.0** — Bump from v11.0.0 with 3 new templates (total: 38 swarm templates).
+
+---
+
+## [10.0.8] - 2026-05-26 — "Deep Patterns"
+
+### Added (v10.0.8)
+
+- **20 new core skills** — contract-testing, load-testing, mutation-testing, visual-regression-testing, monorepo-management, cli-design, developer-onboarding, error-handling-architecture, caching-strategies, migration-strategies, connection-pooling, event-driven-architecture, api-gateway-patterns, websocket-patterns, feature-flag-management, secrets-rotation, compliance-as-code, rag-architecture, fine-tuning-workflow, llm-cost-optimization.
+- **10 new commands** — `/mindforge:contract-test`, `/mindforge:load-test`, `/mindforge:monorepo`, `/mindforge:cli`, `/mindforge:cache`, `/mindforge:events`, `/mindforge:secrets`, `/mindforge:rag`, `/mindforge:feature-flags`, `/mindforge:compliance`.
+- **8 new personas** — contract-tester, dx-engineer, cache-architect, event-architect, compliance-engineer, ml-ops-engineer, platform-engineer, api-gateway-designer.
+- **3 new swarm templates** — TestingDeepSwarm (autonomous deep testing), PlatformSwarm (HITL platform engineering), MLOpsSwarm (HITL ML operations).
+- **90 core skills milestone** — Production-depth coverage for testing, caching, events, secrets, compliance, RAG, and cost optimization.
+- **Swarm templates v11.0.0** — Bump from v10.0.0 with 3 new templates (total: 35 swarm templates).
+
+---
+
+## [10.0.7] - 2026-05-26 — "Meta Engineer"
+
+### Added (v10.0.7)
+
+- **20 new core skills** — prompt-engineering, context-engineering, agent-orchestration-patterns, tool-design, guardrails-and-safety, observability-stack, ci-cd-pipeline, infrastructure-as-code, incident-management, chaos-engineering, data-modeling, api-versioning, search-implementation, design-system, state-management, responsive-patterns, auth-patterns, supply-chain-security, technical-writing, code-review-methodology.
+- **10 new commands** — `/mindforge:prompt`, `/mindforge:context-budget`, `/mindforge:orchestrate`, `/mindforge:observability`, `/mindforge:pipeline`, `/mindforge:data-model`, `/mindforge:design-tokens`, `/mindforge:auth-flow`, `/mindforge:write-rfc`, `/mindforge:review-guide`.
+- **8 new personas** — prompt-architect, agent-orchestrator, sre-lead, pipeline-engineer, data-architect, design-system-lead, auth-engineer, technical-writer-lead.
+- **3 new swarm templates** — PromptEngineeringSwarm (HITL AI engineering), SRESwarm (HITL reliability), FrontendSwarm (autonomous design system).
+- **70 core skills milestone** — Framework now covers AI engineering, DevOps, reliability, data, frontend, advanced security, and technical communication.
+- **Swarm templates v10.0.0** — Bump from v9.0.0 with 3 new templates (total: 32 swarm templates).
+
+---
+
+## [10.0.6] - 2026-05-26 — "Complete Arsenal"
+
+### Added (v10.0.6)
+
+- **17 new core skills** — microservices-patterns, cqrs-event-sourcing, system-design, business-analyst, product-manager, market-researcher, typescript-advanced, python-performance, react-performance, k8s-deployment, writing-plans, writing-skills, using-git-worktrees, code-tour, autonomous-agent-harness, mcp-server-patterns, proofreader.
+- **10 new commands** — `/mindforge:microservices`, `/mindforge:system-design`, `/mindforge:brd`, `/mindforge:product-spec`, `/mindforge:market-research`, `/mindforge:code-tour`, `/mindforge:mcp-server`, `/mindforge:proofread`, `/mindforge:worktrees`, `/mindforge:plan-write`.
+- **8 new personas** — business-analyst, product-owner, market-analyst, mcp-designer, proofreader, system-designer, worktree-manager, code-narrator.
+- **3 new swarm templates** — ArchDesignSwarm (HITL system design), ProductSwarm (HITL product strategy), DocumentationSwarm (autonomous content quality).
+- **Swarm templates v9.0.0** — Bump from v8.0.0 with 3 new templates (total: 29 swarm templates).
+- **50 core skills milestone** — Framework now covers architecture, business, languages, workflow, infrastructure, and documentation domains.
+
+---
+
+## [10.0.5] - 2026-05-26 — "Forge Master"
+
+### Added (v10.0.5)
+
+- **5 new core skills** — skill-creator-meta, deployment-workflow, dmux-workflows, vibe-security, instinct-clustering.
+- **5 new commands** — `/mindforge:create-skill`, `/mindforge:deploy`, `/mindforge:dmux`, `/mindforge:vibe-check`, `/mindforge:cluster-instincts`.
+- **5 new personas** — skill-smith, deployment-captain, dmux-orchestrator, vibe-checker, saga-orchestrator.
+- **2 new swarm templates** — DeploymentSwarm (HITL staged rollout), ForgeSwarm (autonomous skill creation).
+- **De-slop gate** — Phase 6.5 in verification-loop: informational de-slop scan before shipping (non-blocking).
+- **Cross-model eval spec** — `.mindforge/engine/cross-model-eval.md` for routing same task to 2 models and comparing outputs.
+- **Swarm templates v8.0.0** — Bump from v7.0.0 with 2 new templates (total: 26 swarm templates).
+
+---
+
+## [10.0.4] - 2026-05-26 — "Santa's Eval"
+
+### Added (v10.0.4)
+
+- **8 new core skills** — santa-method, eval-harness, quality-audit, testing-anti-patterns, defense-in-depth, codebase-onboarding, rfc-pipeline, de-sloppify.
+- **6 new commands** — `/mindforge:santa`, `/mindforge:eval`, `/mindforge:quality-audit`, `/mindforge:rfc`, `/mindforge:onboard`, `/mindforge:de-slop`.
+- **6 new personas** — eval-judge, rfc-architect, anti-pattern-hunter, onboarding-navigator, de-sloppifier, quality-scorer.
+- **3 new swarm templates** — EvalSwarm (autonomous eval gate), OnboardingSwarm (autonomous codebase discovery), RFCSwarm (HITL spec decomposition).
+- **Proactive Skill Suggestion Engine** — Signal-based skill detection (file/error/task patterns) with confidence threshold (0.7), cooldown tracking, and debounce logic.
+- **Eval storage** — `.mindforge/evals/` directory for persisting eval configs, rubrics, and results.
+- **Swarm templates v7.0.0** — Bump from v6.0.0 with 3 new templates (total: 24 swarm templates).
+
+---
+
 ## [10.0.3] - 2026-05-25 — "Council Awakens"
 
 ### Added (v10.0.3)

package/MINDFORGE.md

@@ -1,12 +1,12 @@
-# MINDFORGE.md — Parameter Registry (v10.0.3)
+# MINDFORGE.md — Parameter Registry (v11.0.0)
 
 ## 1. IDENTITY & VERSIONING
 
 [NAME]    = MindForge
-[VERSION] = 10.0.3-COUNCIL
+[VERSION] = 11.0.0
 [STABLE]  = true
-[MODE]    = \"Council Awakens\"
-[REQUIRED_CORE_VERSION] = 10.0.3
+[MODE]    = "Platform Sovereign"
+[REQUIRED_CORE_VERSION] = 11.0.0
 [SOVEREIGN_IDENTITY] = true
 [SRE_LAYER_ENABLED]  = true
 

package/README.md

@@ -1,12 +1,21 @@
 # MindForge
 
-**An agentic intelligence framework for Claude Code** — orchestrates multi-agent workflows with governance, memory, and autonomous execution. Install once, get structured AI-driven development with built-in quality gates.
+**An agentic intelligence framework for Claude Code** — orchestrates multi-agent workflows with governance, memory, and autonomous execution. Production-hardened with true parallelism, streaming SDK, and zero-trust security. Install once, get structured AI-driven development with built-in quality gates.
 
 ---
 
-## v10.0.3 — Council Awakens
+## v11.0.0 — Sovereign Stability
 
-MindForge v10.0.3 "Council Awakens" introduces the Council decision framework, Instinct Engine, Cost-Aware Routing, 6-phase Verification Loop, and Multi-LLM Consult. This release adds 10 skills (20 core total), 8 commands (71 total), 9 personas (117 total), 3 swarm templates (21 total), and 5 engine subsystems — expanding MindForge's autonomous governance and multi-agent reasoning capabilities.
+MindForge v11.0.0 "Sovereign Stability" is a production-hardening release focused on reliability, performance, and real-world deployment readiness. Key highlights:
+
+- **Memory-safe operations** — LRU-bounded caches, atomic writes, log rotation, and snapshot garbage collection eliminate resource leaks in long-running sessions.
+- **True wave parallelism** — Semaphore-based concurrent execution with configurable max concurrency replaces sequential task dispatch.
+- **Streaming SDK** — WebSocket event streaming, `streamExecution()` with AsyncIterable, and `batchExecute()` for high-throughput integrations.
+- **Hardened security** — Ephemeral enclave keys, session-scoped agent isolation, time-limited RBAC elevation, dashboard rate limiting, and structured ZK proof returns.
+- **Production observability** — `/api/v1/system` health endpoint, P95 latency tracking, heap health monitoring, and real EIS client with retry logic.
+- **Graduated intelligence** — Adaptive tier escalation (+1/+2/MAX) with cost-awareness, 3-tier stuck detection, and adaptive context windows.
+
+This release ships 200+ skills, 400+ personas, 18 pillars, and 49 swarm templates across 12 engineering domains.
 
 
 ## Installation & Setup
@@ -45,6 +54,12 @@ npx mindforge-cc@latest --antigravity --local
 
 ---
 
+- **Production Hardening (v11.0.0)** — LRU caches, atomic JSON writes, log rotation, HANDOFF validation, and temporal snapshot GC for crash-safe long-running sessions.
+- **True Wave Parallelism (v11.0.0)** — Semaphore-based concurrent wave execution with configurable max concurrency replaces sequential dispatch.
+- **Streaming SDK (v11.0.0)** — WebSocket event streaming, `streamExecution()` AsyncIterable, `batchExecute()`, model streaming across Anthropic/OpenAI/Gemini providers.
+- **Graduated Intelligence (v11.0.0)** — Adaptive tier escalation (+1/+2/MAX) with cost-awareness, 3-tier stuck detection, and adaptive context windows (10/20/30).
+- **Security Hardening (v11.0.0)** — Ephemeral enclave keys, session-scoped ZTAI, time-limited RBAC elevation, dashboard rate limiting (100 req/min/IP), token expiration.
+- **Observability (v11.0.0)** — `/api/v1/system` health endpoint, P95 latency ring buffer, heap health monitoring, real EIS client with exponential backoff.
 - **Grounded Wave Execution (v9.0.0)** — AutoRunner reads HANDOFF.json wave groups, dispatches tasks with audit tracing, persists progress, and resumes on restart (Pillar XXIV).
 - **Model Topology Modernization (v9.0.0)** — All model references updated to the Claude 4.x family: claude-opus-4-7, claude-sonnet-4-6, claude-haiku-4-5 (Pillar XXV).
 - **Unified Memory Architecture (v9.0.0)** — Knowledge and graph edges consolidated into SQLite (celestial.db) with FTS5 search. Four JSONL stores replaced by one queryable store (Pillar XXVI).
@@ -272,7 +287,7 @@ MindForge supports multiple interaction models to fit your engineering workflow:
 ```bash
 /mindforge:update
 /mindforge:update --apply
-/mindforge:migrate --from v0.6.0 --to v1.0.0
+/mindforge:migrate --from v10.7.0 --to v11.0.0
 ```
 
 ---
@@ -320,6 +335,36 @@ See `.mindforge/production/token-optimiser.md`.
 
 ## 📜 Framework Evolution & Version History
 
+<details>
+<summary><b>v11.0.0 — Sovereign Stability (Production Hardening)</b></summary>
+
+- **Phase 1: Foundation** — LRU-bounded caches, atomic JSON writes, AUDIT.jsonl log rotation, HANDOFF.json structural validation, temporal snapshot garbage collection.
+- **Phase 2: Intelligence** — BM25 scoring with document-length normalization, full remediation strategy implementations, graduated intelligence interlock (+1/+2/MAX), 3-tier stuck detection, adaptive context windows.
+- **Phase 3: Security** — Structured ZK proof returns, ephemeral SRE enclave keys, session-scoped ZTAI agent registry, time-limited RBAC elevation, dashboard rate limiting and token expiration, optional GPG approval verification.
+- **Phase 4: Observability** — Async temporal I/O, `/api/v1/system` health endpoint, P95 latency ring buffer, heap health monitoring, EIS client de-stub with real fetch and retry logic.
+- **Phase 5: SDK/Distributed** — Semaphore-based wave parallelism, WebSocket event streaming with auto-reconnect, `batchExecute()`, model streaming (Anthropic/OpenAI/Gemini), migration script from v10.7.0.
+</details>
+
+<details>
+<summary><b>v10.x — The 200-Skills Expansion (Council → Platform Sovereign)</b></summary>
+
+- **Council Awakens (v10.0.3)**: Council decision framework, Instinct Engine, Cost-Aware Routing, 6-phase Verification Loop, Multi-LLM Consult.
+- **Skills Expansion (v10.0.4–v10.7.0)**: From 20 to 200+ core skills across 12 domains — AI/ML, data engineering, platform engineering, mobile, leadership, industry verticals, and more.
+- **400+ Personas**: Comprehensive specialist coverage with domain-expert identity protocols.
+- **49 Swarm Templates**: Task-aware parallel specialist clusters covering every engineering discipline.
+</details>
+
+<details>
+<summary><b>v9.x — Grounded Execution & SQLite Persistence</b></summary>
+
+- **Grounded Wave Execution (Pillar XXIV)**: AutoRunner reads HANDOFF.json wave groups with audit tracing and restart persistence.
+- **Model Topology Modernization (Pillar XXV)**: Claude 4.x family (opus-4-7, sonnet-4-6, haiku-4-5).
+- **Unified Memory Architecture (Pillar XXVI)**: SQLite (celestial.db) with FTS5 search replacing JSONL stores.
+- **Schema Migration Engine (Pillar XXVII)**: Versioned migration tracking with transaction-wrapped imports.
+- **Integration Test Chain (Pillar XXVIII)**: 27-assertion end-to-end pipeline validation.
+</details>
+
+<details>
 <summary><b>v8.1.x — Sovereign Identity (Pillar XIX)</b></summary>
 
 - **Pillar XIX: Sovereign Identity Synthesis**: Autonomous creation and evolution of `SOUL.md` from execution traces.

package/RELEASENOTES.md

@@ -1,3 +1,83 @@
+# Release Notes — v11.0.0 "Sovereign Stability"
+
+**Release Date**: 2026-05-28  
+**Type**: Major (breaking changes)  
+**Upgrade Path**: Run `node bin/migrations/10.7.0-to-11.0.0.js`
+
+## Highlights
+
+MindForge v11.0.0 is a production-hardening release that addresses systemic stability, intelligence, security, and SDK capabilities. It eliminates memory leaks, adds crash-safe writes, upgrades semantic search from TF-IDF to BM25, completes previously-stubbed subsystems, and introduces true parallel execution.
+
+## What's New
+
+### Foundation Hardening
+- **Bounded caches** — LRUMap prevents unbounded memory growth in drift detector, entropy cache, and failure tracking
+- **Atomic writes** — State files use write-to-temp → fsync → rename (crash-safe)
+- **Log rotation** — AUDIT.jsonl auto-archives beyond 5000 lines with gzip compression
+- **Schema validation** — HANDOFF.json validated on load (fail-open with warnings)
+- **Snapshot GC** — Temporal history auto-cleaned (retain 50, expire > 7 days)
+
+### Intelligence Upgrades
+- **BM25 scoring** — Document-length-normalized search replacing raw TF-IDF
+- **Persistent caching** — Index and adjacency caches eliminate O(n) rebuilds
+- **Complete remediation** — All three strategies fully implemented (no more stubs)
+- **Adaptive systems** — Intelligence tier, context window, and stuck detection all auto-tune
+
+### Security Hardening
+- **Ephemeral enclave keys** — No more hardcoded secrets in source
+- **Structured crypto boundaries** — Simulated vs real clearly marked
+- **Session isolation** — RBAC elevation with TTL, session-scoped identity
+- **Dashboard security** — Token expiration, rate limiting, refresh endpoint
+
+### Observability
+- **System metrics** — `/api/v1/system` with heap monitoring and alerts
+- **P95 latency tracking** — Real measurements replace hardcoded values
+- **Effectiveness tracking** — Remediations measured for closed-loop improvement
+- **Dynamic config reload** — Model router refreshes on MINDFORGE.md changes
+
+### SDK & Distributed
+- **True parallelism** — Wave tasks execute concurrently via semaphore
+- **WebSocket streaming** — Real-time event delivery with auto-reconnect
+- **Batch execution** — Execute multiple tasks with concurrency control
+- **Model streaming** — Anthropic, OpenAI, and Gemini streaming support
+
+## Breaking Changes
+
+| Change | Impact | Migration |
+|--------|--------|-----------|
+| `verifyZKProof()` returns structured result | Code catching throws will miss denials | Check `result.verified` instead |
+| `signPQ()` returns object | Code using return value as string will break | Destructure `{ signature }` from result |
+| Wave execution non-deterministic | Task order within waves no longer guaranteed | Do not rely on execution order |
+| `captureState()`/`rollbackTo()` now async | Callers must await these methods | Add `await` at all call sites |
+| Dashboard tokens expire after 24h | Long-lived tokens stop working | Use `/api/v1/auth/refresh` endpoint |
+| SDK bumped to 11.0.0 | New exports, removed deprecated paths | Update `mindforge-sdk@11.0.0` |
+
+See upgrade guide at `docs/upgrade.md` for full migration steps.
+
+## Migration
+
+```bash
+node bin/migrations/10.7.0-to-11.0.0.js
+```
+
+The migration script:
+1. Backs up `.mindforge/config.json`
+2. Adds new config sections (temporal, rate_limiting, session, wave_execution)
+3. Archives old AUDIT.jsonl entries if > 5000 lines
+4. Runs temporal snapshot GC
+5. Bumps schema versions
+
+---
+
+## Previous Releases
+
+- [v10.0.3 — Council Awakens](https://github.com/sairam0424/MindForge/releases/tag/v10.0.3)
+- [v10.0.1 — Bedrock Fortified](https://github.com/sairam0424/MindForge/releases/tag/v10.0.1)
+- [v9.0.0 — Bedrock Meridian](https://github.com/sairam0424/MindForge/releases/tag/v9.0.0)
+
+---
+---
+
 # Release Notes — v10.0.3 "Council Awakens"
 
 **Release Date**: 2026-05-25