mindforge-cc 10.0.3 → 11.0.0

package/SECURITY.md

@@ -4,12 +4,12 @@
 
 | Version | Status | Support Level |
 |---------|--------|---------------|
-| 10.x | **Current** | Full security and feature updates |
-| 9.x | Maintenance | Critical security patches only (until 2026-08-31) |
-| 8.x | End of Life | No further updates |
-| 7.x and below | End of Life | No further updates |
+| 11.x | **Current** | Full security and feature updates |
+| 10.x | Maintenance | Critical security patches only (until 2026-11-30) |
+| 9.x | End of Life | No further updates |
+| 8.x and below | End of Life | No further updates |
 
-We recommend all users upgrade to the latest 10.x release. Security patches for 9.x will be provided for critical vulnerabilities only, on a best-effort basis, until August 2026.
+We recommend all users upgrade to the latest 11.x release. Security patches for 10.x will be provided for critical vulnerabilities only, on a best-effort basis, until November 2026.
 
 ---
 
@@ -44,18 +44,29 @@ We follow responsible disclosure practices. We will credit reporters in the rele
 
 ---
 
-## Security Features (v10.0.1)
+## Security Features (v11.0.0)
 
 ### Authentication & Authorization
 
 - **Bearer token auth on dashboard** — All mutating endpoints (`/api/steering`, `/api/approve`, SSE control) require `Authorization: Bearer <token>`. Token is sourced from `MINDFORGE_DASHBOARD_TOKEN` environment variable.
+- **Token expiration with refresh** — Dashboard tokens expire after 24 hours. Use `/api/v1/auth/refresh` to obtain a new token without re-authenticating.
+- **Dashboard rate limiting** — 100 requests per minute per IP address. Exceeding the limit returns 429 with `Retry-After` header.
+- **Session-scoped RBAC with TTL elevation** — Elevated permissions are session-scoped and auto-expire. No persistent privilege escalation.
 - **Browser daemon authentication** — The `/evaluate` endpoint requires auth before executing code in the Playwright context.
 - **ZTAI Trust Tiers** — 4-tier authorization model (Tier 0-3) controls which agents can perform which actions. Tier 3 (catastrophic-risk) operations require explicit human approval.
 
+### Cryptographic Security
+
+- **Ephemeral enclave keys** — All crypto keys generated via `crypto.randomBytes()` at runtime. No hardcoded secrets in source.
+- **Structured crypto boundaries** — Simulated (governance-enforcement) vs real (production-grade) cryptographic operations are clearly separated and labeled in code.
+- **GPG approval verification** — Optional GPG signature verification on governance approvals for high-trust environments.
+- **HMAC-signed temporal snapshots** — Temporal state captures are HMAC-signed to detect tampering during rollback operations.
+
 ### Audit & Integrity
 
 - **Merkle-chain audit log** — Every entry in `AUDIT.jsonl` includes a SHA-256 hash of the previous entry. Tampering with any historical entry breaks the chain, making modifications detectable.
 - **AuditWriter with buffered writes** — Atomic append operations prevent partial writes from corrupting the log.
+- **Log rotation with archival** — AUDIT.jsonl auto-archives beyond 5000 lines with gzip compression, preventing unbounded disk growth.
 - **npm provenance** — Published packages include SLSA Build Level 2 attestation via `--provenance`, proving the package was built from the stated source commit in CI.
 
 ### Input Validation & Injection Prevention
@@ -67,7 +78,7 @@ We follow responsible disclosure practices. We will credit reporters in the rele
 
 ### Governance & Policy
 
-- **Fail-closed ZK verification** — `verifyZKProof()` throws on invalid or missing proofs. The system denies by default.
+- **Structured ZK verification** — `verifyZKProof()` returns a structured result with `verified`, `reason`, and `timestamp` fields. The system denies by default when `verified` is false.
 - **Non-overridable parameters** — Security-critical MINDFORGE.md settings cannot be overridden by project-level or session-level configuration.
 - **CSP headers on dashboard** — Content Security Policy headers prevent XSS in the dashboard UI.
 - **Localhost-only binding** — The dashboard server binds to `127.0.0.1` only. It is not accessible from the network.
@@ -101,7 +112,8 @@ Before submitting code that touches security-sensitive paths:
 
 - **ZK-proofs are simulated** — The Dilithium-5 / ZK-proof layer uses cryptographic simulation, not hardware-backed TEEs. It provides logical governance enforcement, not hardware-grade isolation.
 - **Dashboard is localhost-only** — The dashboard is designed for local development. Do not expose it to the public internet, even behind a reverse proxy, without adding additional authentication.
-- **ZTAI keys are file-based** — Agent identity keys are stored on disk. In production deployments requiring hardware-bound keys, integrate with your organization's HSM or secure enclave.
+- **ZTAI keys are ephemeral** — Agent identity keys are generated per-session via `crypto.randomBytes()`. In production deployments requiring persistent hardware-bound keys, integrate with your organization's HSM or secure enclave.
+- **Rate limiting is per-process** — The 100 req/min limit is tracked in-memory. Restarting the dashboard resets counters. For distributed deployments, add an external rate limiter (e.g., nginx, Cloudflare).
 
 ---
 

package/bin/autonomous/audit-writer.js

@@ -6,11 +6,15 @@
 'use strict';
 
 const fs = require('fs');
+const path = require('path');
 const crypto = require('crypto');
+const { AuditRotator } = require('../utils/file-io');
 
 const FLUSH_INTERVAL_MS = 100;
 const FLUSH_THRESHOLD = 10;
 
+const rotator = new AuditRotator({ maxLines: 5000 });
+
 /**
  * Creates a buffered async audit writer.
  * @param {string} auditPath — Path to the AUDIT.jsonl file
@@ -70,6 +74,15 @@ function createAuditWriter(auditPath) {
 
     const payload = toWrite.map(e => JSON.stringify(e)).join('\n') + '\n';
     await fs.promises.appendFile(auditPath, payload);
+
+    try {
+      if (rotator.shouldRotate(auditPath)) {
+        const archiveDir = path.join(path.dirname(auditPath), '..', '.planning', 'audit-archive');
+        rotator.rotate(auditPath, archiveDir);
+      }
+    } catch (err) {
+      process.stderr.write(`[audit-writer] rotation warning: ${err.message}\n`);
+    }
   }
 
   /**

package/bin/autonomous/auto-runner.js

@@ -21,7 +21,7 @@ const ContextRefactorer = require('./context-refactorer');
 // Extracted modules (lightweight, always needed)
 const { createAuditWriter } = require('./audit-writer');
 const { createStateManager } = require('./state-manager');
-const { createWaveExecutor } = require('./wave-executor');
+const { createWaveExecutor, Semaphore } = require('./wave-executor');
 
 // ── Lazy-loaded heavy modules ────────────────────────────────────────────────
 // These are only required at the point of first use to reduce startup cost.
@@ -218,24 +218,44 @@ class AutoRunner {
     const wave = this.waves[this.currentWaveIndex];
     const waveNum = this.currentWaveIndex + 1;
     const pending = wave.tasks.filter(t => !this.completedTasks.has(t.id));
+    const maxConcurrency = this._getWaveConcurrency();
 
-    console.log(`\n⚡ Wave ${waveNum}/${this.waves.length}: ${pending.length} tasks`);
+    console.log(`\n⚡ Wave ${waveNum}/${this.waves.length}: ${pending.length} tasks (concurrency: ${maxConcurrency})`);
     if (idcStatus.action === 'UPGRADE_MIR') console.log(`  [IDC-ACTIVE] MIR Override: ${idcStatus.new_mir}`);
     this.writeAudit({ event: 'wave_started', phase: this.phase, wave: waveNum, task_count: pending.length });
 
-    for (const task of pending) {
-      const taskStart = Date.now();
-      console.log(`  → Task: ${task.name || task.id}`);
-      try {
-        this.writeAudit({ event: 'task_started', phase: this.phase, wave: waveNum, task_id: task.id, task_name: task.name || task.id });
-        this.writeAudit({ event: 'task_completed', phase: this.phase, wave: waveNum, task_id: task.id, task_name: task.name || task.id, duration_ms: Date.now() - taskStart });
-        this.completedTasks.add(task.id);
-      } catch (err) {
-        console.error(`  Task failed: ${task.id} — ${err.message}`);
-        this.writeAudit({ event: 'task_failed', phase: this.phase, wave: waveNum, task_id: task.id, error: err.message, duration_ms: Date.now() - taskStart });
-        const strategy = repairOperator.determineRepairStrategy({ planId: task.plan || task.id, phase: this.phase, attemptNumber: 1, errorOutput: err.message, isTier3Change: false, isOnCriticalPath: (task.depends_on || []).length > 0 });
-        if (strategy === 'RETRY') { console.log(`  Repair: retrying ${task.id}`); continue; }
-        if (strategy === 'ESCALATE') { this.writeAudit({ event: 'auto_mode_escalated', reason: `Task ${task.id} unrecoverable` }); this.isPaused = true; return; }
+    const semaphore = new Semaphore(maxConcurrency);
+
+    const settled = await Promise.allSettled(
+      pending.map(async (task) => {
+        await semaphore.acquire();
+        const taskStart = Date.now();
+        console.log(`  → Task: ${task.name || task.id}`);
+        try {
+          this.writeAudit({ event: 'task_started', phase: this.phase, wave: waveNum, task_id: task.id, task_name: task.name || task.id });
+          this.writeAudit({ event: 'task_completed', phase: this.phase, wave: waveNum, task_id: task.id, task_name: task.name || task.id, duration_ms: Date.now() - taskStart });
+          this.completedTasks.add(task.id);
+          return { taskId: task.id, status: 'fulfilled' };
+        } catch (err) {
+          console.error(`  Task failed: ${task.id} — ${err.message}`);
+          this.writeAudit({ event: 'task_failed', phase: this.phase, wave: waveNum, task_id: task.id, error: err.message, duration_ms: Date.now() - taskStart });
+          throw { taskId: task.id, error: err, task };
+        } finally {
+          semaphore.release();
+        }
+      })
+    );
+
+    const failures = settled.filter(r => r.status === 'rejected');
+    if (failures.length > 0) {
+      for (const failure of failures) {
+        const { taskId, error, task } = failure.reason;
+        const strategy = repairOperator.determineRepairStrategy({ planId: task.plan || taskId, phase: this.phase, attemptNumber: 1, errorOutput: error.message, isTier3Change: false, isOnCriticalPath: (task.depends_on || []).length > 0 });
+        if (strategy === 'ESCALATE') {
+          this.writeAudit({ event: 'auto_mode_escalated', reason: `Task ${taskId} unrecoverable` });
+          this.isPaused = true;
+          return;
+        }
       }
     }
 
@@ -244,6 +264,19 @@ class AutoRunner {
     this.currentWaveIndex++;
   }
 
+  _getWaveConcurrency() {
+    try {
+      const configPath = path.join(process.cwd(), '.mindforge', 'config.json');
+      if (fs.existsSync(configPath)) {
+        const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+        if (typeof config.wave_concurrency === 'number' && config.wave_concurrency > 0) {
+          return config.wave_concurrency;
+        }
+      }
+    } catch (e) { /* Fall through to default */ }
+    return 3;
+  }
+
   /**
    * Build wave groups from HANDOFF handoffs array.
    * Kept as instance method for backward compatibility with tests.
@@ -316,6 +349,15 @@ class AutoRunner {
       if (captured.length + stability.length > 0) console.log(`🧠 Knowledge Graph: Captured ${captured.length + stability.length} insights.`);
     } catch (err) { console.error('⚠️ Knowledge Capture failed:', err.message); }
 
+    try {
+      _TemporalHub = lazyRequire(_TemporalHub, '../engine/temporal-hub');
+      const gcConfig = this._loadTemporalGcConfig();
+      const gcResult = await _TemporalHub.gc(gcConfig);
+      if (gcResult.deleted > 0) {
+        this.writeAudit({ event: 'temporal_gc_completed', deleted: gcResult.deleted, remaining: gcResult.remaining });
+      }
+    } catch (e) { /* GC failure is non-critical */ }
+
     this.writeAudit({ event: 'auto_mode_completed', timestamp: new Date().toISOString() });
     await this.auditWriter.close();
   }
@@ -334,7 +376,7 @@ class AutoRunner {
     const STATE_CHANGING_EVENTS = ['auto_mode_started', 'phase_planned', 'phase_execution_started', 'task_completed', 'hindsight_injected', 'auto_mode_completed'];
     if (STATE_CHANGING_EVENTS.includes(event.event)) {
       _TemporalHub = lazyRequire(_TemporalHub, '../engine/temporal-hub');
-      _TemporalHub.captureState(event.id, { agent: event.agent || 'auto-runner', event: event.event, phase: this.phase });
+      _TemporalHub.captureState(event.id, { agent: event.agent || 'auto-runner', event: event.event, phase: this.phase }).catch(() => {});
     }
 
     const result = this.monitor.analyze(event);
@@ -444,6 +486,22 @@ class AutoRunner {
     const lines = buf.toString('utf8').trim().split('\n');
     return lines.slice(-count).map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean);
   }
+
+  _loadTemporalGcConfig() {
+    try {
+      const configPath = path.join(process.cwd(), '.mindforge', 'config.json');
+      if (fs.existsSync(configPath)) {
+        const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+        if (config.temporal) {
+          return {
+            maxSnapshots: config.temporal.max_snapshots || 50,
+            maxAgeDays: config.temporal.max_age_days || 7
+          };
+        }
+      }
+    } catch (e) { /* Fall through to defaults */ }
+    return { maxSnapshots: 50, maxAgeDays: 7 };
+  }
 }
 
 module.exports = AutoRunner;

package/bin/autonomous/context-refactorer.js

@@ -14,18 +14,15 @@ class ContextRefactorer {
     this.history = [];
   }
 
-  /**
-   * Analyze the current context density.
-   * Density = (Implementation Events) / (Total Events)
-   */
   analyzeDensity(events) {
-    this.history = events.slice(-this.windowSize);
-    
-    if (this.history.length < 5) return { density: 1.0, shouldRefactor: false };
+    const windowSize = this._getAdaptiveWindow(events);
+    this.history = events.slice(-windowSize);
 
-    const implementationEvents = this.history.filter(h => 
-      h.tool === 'run_command' || 
-      h.tool === 'replace_file_content' || 
+    if (this.history.length < 5) return { density: 1.0, shouldRefactor: false, windowSize };
+
+    const implementationEvents = this.history.filter(h =>
+      h.tool === 'run_command' ||
+      h.tool === 'replace_file_content' ||
       h.tool === 'multi_replace_file_content' ||
       h.event === 'task_completed'
     );
@@ -35,10 +32,28 @@ class ContextRefactorer {
 
     return {
       density: parseFloat(density.toFixed(2)),
-      shouldRefactor: density < this.threshold
+      shouldRefactor: density < this.threshold,
+      windowSize
     };
   }
 
+  _getAdaptiveWindow(events) {
+    const recent = events.slice(-10);
+    if (recent.length === 0) return 20;
+
+    const implEvents = recent.filter(e =>
+      e.event === 'run_command' ||
+      e.event?.includes('replace_file') ||
+      e.event === 'task_completed'
+    ).length;
+
+    const velocity = implEvents / recent.length;
+
+    if (velocity > 0.6) return 10;
+    if (velocity < 0.3) return 30;
+    return 20;
+  }
+
   /**
    * Generates a "Context Refactor" recommendation.
    */

package/bin/autonomous/state-manager.js

@@ -7,8 +7,59 @@
 
 const fs = require('fs');
 const path = require('path');
+const { atomicWriteJSON } = require('../utils/file-io');
 
 const VALID_PHASES = ['idle', 'planning', 'executing', 'verifying', 'complete', 'running', 'paused', 'completed'];
+const VALID_STATUSES = ['idle', 'running', 'paused', 'completed', 'escalated', 'timeout'];
+
+/**
+ * Validates HANDOFF.json structure without blocking on failure (fail-open).
+ * Warns on malformed fields but always returns the data for processing.
+ * @param {*} data — Parsed HANDOFF.json content
+ * @returns {{ valid: boolean, warnings: string[] }}
+ */
+function validateHandoff(data) {
+  const warnings = [];
+
+  if (!data || typeof data !== 'object') {
+    warnings.push('HANDOFF.json is not a valid object');
+    return { valid: false, warnings };
+  }
+
+  if (!data.schema_version) {
+    warnings.push('Missing schema_version field');
+  }
+
+  if (data.handoffs && !Array.isArray(data.handoffs)) {
+    warnings.push('handoffs field must be an array');
+  }
+
+  if (data.handoffs && Array.isArray(data.handoffs)) {
+    for (let i = 0; i < data.handoffs.length; i++) {
+      const task = data.handoffs[i];
+      if (!task.id) warnings.push(`handoffs[${i}] missing required field: id`);
+      if (!task.name) warnings.push(`handoffs[${i}] missing required field: name`);
+    }
+  }
+
+  if (data.status && !VALID_STATUSES.includes(data.status)) {
+    warnings.push(`Invalid status: "${data.status}". Expected one of: ${VALID_STATUSES.join(', ')}`);
+  }
+
+  if (data.wave_current !== undefined && typeof data.wave_current !== 'number') {
+    warnings.push('wave_current must be a number');
+  }
+
+  if (data.tasks_completed !== undefined && typeof data.tasks_completed !== 'number') {
+    warnings.push('tasks_completed must be a number');
+  }
+
+  if (data.timestamps && typeof data.timestamps !== 'object') {
+    warnings.push('timestamps must be an object');
+  }
+
+  return { valid: warnings.length === 0, warnings };
+}
 
 /**
  * Creates a state manager for the given planning directory.
@@ -45,7 +96,7 @@ function createStateManager(planningDir) {
   function updateState(patch) {
     const current = getState();
     const merged = Object.assign(Object.create(null), current, patch);
-    fs.writeFileSync(statePath, JSON.stringify(merged, null, 2));
+    atomicWriteJSON(statePath, merged);
     return merged;
   }
 
@@ -64,7 +115,8 @@ function createStateManager(planningDir) {
   }
 
   /**
-   * Reads and parses HANDOFF.json. Throws if missing or malformed.
+   * Reads and parses HANDOFF.json with schema validation (fail-open).
+   * Logs warnings for structural issues but always returns data if parseable.
    * @returns {object} Parsed handoff data (fresh object)
    */
   function readHandoff() {
@@ -79,8 +131,12 @@ function createStateManager(planningDir) {
       throw new Error(`HANDOFF.json is malformed: ${e.message}`);
     }
 
-    if (!handoff.handoffs || !Array.isArray(handoff.handoffs)) {
-      throw new Error('HANDOFF.json has no handoffs array');
+    // Fail-open schema validation — warn but never block
+    const { valid, warnings } = validateHandoff(handoff);
+    if (!valid) {
+      for (const warning of warnings) {
+        console.warn('[STATE] HANDOFF validation:', warning);
+      }
     }
 
     return handoff;
@@ -94,7 +150,7 @@ function createStateManager(planningDir) {
     const timestamped = Object.assign(Object.create(null), data, {
       last_updated: new Date().toISOString(),
     });
-    fs.writeFileSync(handoffPath, JSON.stringify(timestamped, null, 2) + '\n');
+    atomicWriteJSON(handoffPath, timestamped);
     return timestamped;
   }
 
@@ -113,4 +169,4 @@ function sanitizeState(parsed) {
   return clean;
 }
 
-module.exports = { createStateManager };
+module.exports = { createStateManager, validateHandoff };

package/bin/autonomous/stuck-monitor.js

@@ -96,12 +96,49 @@ class StuckMonitor {
     return identical.length >= 3;
   }
 
-  isContentSimilar(a, b) {
+  isContentSimilar(a, b, threshold = 10) {
     if (!a || !b) return false;
     if (a === b) return true;
-    // Simple similarity check (hardened from Roadmap requirement)
-    const dist = this.levenshtein(a.slice(0, 100), b.slice(0, 100));
-    return dist < 10;
+
+    const hashA = this._quickHash(a);
+    const hashB = this._quickHash(b);
+    if (hashA === hashB) return true;
+
+    const lenDiff = Math.abs(a.length - b.length);
+    if (lenDiff > Math.max(a.length, b.length) * 0.2) return false;
+
+    const cached = this._getCachedSimilarity(hashA, hashB);
+    if (cached !== undefined) return cached;
+
+    const truncA = a.substring(0, 100);
+    const truncB = b.substring(0, 100);
+    const result = this.levenshtein(truncA, truncB) <= threshold;
+
+    this._setCachedSimilarity(hashA, hashB, result);
+    return result;
+  }
+
+  _quickHash(str) {
+    let hash = 0;
+    for (let i = 0; i < str.length; i++) {
+      hash = ((hash << 5) - hash) + str.charCodeAt(i);
+      hash = hash & hash;
+    }
+    return hash;
+  }
+
+  _getCachedSimilarity(keyA, keyB) {
+    const key = keyA < keyB ? `${keyA}|${keyB}` : `${keyB}|${keyA}`;
+    return StuckMonitor._similarityCache.get(key);
+  }
+
+  _setCachedSimilarity(keyA, keyB, result) {
+    const key = keyA < keyB ? `${keyA}|${keyB}` : `${keyB}|${keyA}`;
+    if (StuckMonitor._similarityCache.size >= 200) {
+      const firstKey = StuckMonitor._similarityCache.keys().next().value;
+      StuckMonitor._similarityCache.delete(firstKey);
+    }
+    StuckMonitor._similarityCache.set(key, result);
   }
 
   levenshtein(a, b) {
@@ -109,12 +146,14 @@ class StuckMonitor {
     for (let i = 0; i <= a.length; i++) { tmp[i] = [i]; }
     for (let j = 0; j <= b.length; j++) { tmp[0][j] = j; }
     for (let i = 1; i <= a.length; i++) {
-        for (let j = 1; j <= b.length; j++) {
-            tmp[i][j] = Math.min(tmp[i - 1][j] + 1, tmp[i][j - 1] + 1, tmp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
-        }
+      for (let j = 1; j <= b.length; j++) {
+        tmp[i][j] = Math.min(tmp[i - 1][j] + 1, tmp[i][j - 1] + 1, tmp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
+      }
     }
     return tmp[a.length][b.length];
   }
 }
 
+StuckMonitor._similarityCache = new Map();
+
 module.exports = StuckMonitor;

package/bin/autonomous/wave-executor.js

@@ -7,6 +7,35 @@
 
 const crypto = require('crypto');
 
+/**
+ * Semaphore for bounding concurrency within a wave.
+ * Tasks within a wave are independent — this limits how many run simultaneously.
+ */
+class Semaphore {
+  constructor(max) {
+    this.max = max;
+    this.current = 0;
+    this.queue = [];
+  }
+
+  async acquire() {
+    if (this.current < this.max) {
+      this.current++;
+      return;
+    }
+    await new Promise(resolve => this.queue.push(resolve));
+    this.current++;
+  }
+
+  release() {
+    this.current--;
+    if (this.queue.length > 0) {
+      const next = this.queue.shift();
+      next();
+    }
+  }
+}
+
 /**
  * Creates a wave executor with the given configuration.
  * @param {object} config
@@ -73,42 +102,54 @@ function createWaveExecutor(config = {}) {
   }
 
   /**
-   * Executes a single wave — runs tasks sequentially, skipping already-completed ones.
+   * Executes a single wave — runs tasks in parallel (bounded by maxConcurrency),
+   * skipping already-completed ones.
    * @param {object} wave — A wave object from planWaves
    * @param {object} context — Execution context passed to callbacks
-   * @param {object} context.executor — async function(task) => result (performs actual work)
+   * @param {function} context.executor — async function(task) => result (performs actual work)
+   * @param {number} [context.maxConcurrency=3] — Max parallel tasks within this wave
    * @returns {Promise<{ completed: string[], failed: string[], skipped: string[] }>}
    */
   async function executeWave(wave, context = {}) {
-    const { executor = async () => {} } = context;
+    const { executor = async () => {}, maxConcurrency = 3 } = context;
     status = 'running';
 
     const pending = wave.tasks.filter(t => !completedTasks.has(t.id));
     const result = { completed: [], failed: [], skipped: [] };
+    const semaphore = new Semaphore(maxConcurrency);
 
     onWaveStart({ wave: wave.wave, taskCount: pending.length });
 
-    for (const task of pending) {
-      const taskStart = Date.now();
-      onTaskStart({ task, wave: wave.wave });
-
-      try {
-        await executor(task);
-
-        const duration = Date.now() - taskStart;
-        completedTasks = new Set([...completedTasks, task.id]);
-        result.completed.push(task.id);
-
-        onTaskComplete({ task, wave: wave.wave, duration_ms: duration });
-      } catch (err) {
-        const duration = Date.now() - taskStart;
-        result.failed.push(task.id);
-
-        onTaskFail({ task, wave: wave.wave, error: err, duration_ms: duration });
-
-        // Re-throw to let caller decide on retry/escalation strategy
-        throw err;
-      }
+    const settled = await Promise.allSettled(
+      pending.map(async (task) => {
+        await semaphore.acquire();
+        const taskStart = Date.now();
+        try {
+          onTaskStart({ task, wave: wave.wave });
+          await executor(task);
+
+          const duration = Date.now() - taskStart;
+          completedTasks = new Set([...completedTasks, task.id]);
+          result.completed.push(task.id);
+
+          onTaskComplete({ task, wave: wave.wave, duration_ms: duration });
+          return { task, status: 'fulfilled' };
+        } catch (err) {
+          const duration = Date.now() - taskStart;
+          result.failed.push(task.id);
+
+          onTaskFail({ task, wave: wave.wave, error: err, duration_ms: duration });
+          throw err;
+        } finally {
+          semaphore.release();
+        }
+      })
+    );
+
+    const failures = settled.filter(r => r.status === 'rejected');
+    if (failures.length > 0) {
+      const failMsg = failures.map(f => f.reason?.message || 'unknown').join(', ');
+      throw new Error(`${failures.length} task(s) failed in wave: ${failMsg}`);
     }
 
     currentWaveIndex++;
@@ -166,4 +207,4 @@ function normalizeTask(h) {
   });
 }
 
-module.exports = { createWaveExecutor };
+module.exports = { createWaveExecutor, Semaphore };

package/bin/dashboard/api-router.js

@@ -192,6 +192,49 @@ function register(app) {
   app.get('/api/connections', (req, res) => {
     res.json({ clients: SSE.getClientCount() });
   });
+
+  // ── System observability ────────────────────────────────────────────────────
+  app.get('/api/v1/system', (req, res) => {
+    try {
+      const heapUsed = process.memoryUsage().heapUsed;
+      const heapTotal = process.memoryUsage().heapTotal;
+      const uptime = process.uptime();
+
+      let auditLines = 0;
+      try {
+        const auditPath = path.join(process.cwd(), '.planning', 'AUDIT.jsonl');
+        if (fs.existsSync(auditPath)) {
+          const content = fs.readFileSync(auditPath, 'utf8');
+          auditLines = content.split('\n').filter(l => l.trim()).length;
+        }
+      } catch { /* non-critical */ }
+
+      let snapshotCount = 0;
+      try {
+        const historyDir = path.join(process.cwd(), '.planning', 'history');
+        if (fs.existsSync(historyDir)) {
+          snapshotCount = fs.readdirSync(historyDir).length;
+        }
+      } catch { /* non-critical */ }
+
+      const heapHealth = Metrics.checkHeapHealth();
+
+      res.json({
+        heap_used_mb: Math.round(heapUsed / 1024 / 1024 * 100) / 100,
+        heap_total_mb: Math.round(heapTotal / 1024 / 1024 * 100) / 100,
+        heap_usage_pct: Math.round(heapUsed / heapTotal * 100),
+        heap_alert: heapHealth,
+        uptime_seconds: Math.round(uptime),
+        audit_lines: auditLines,
+        snapshot_count: snapshotCount,
+        sse_clients: SSE.getClientCount(),
+        node_version: process.version,
+        timestamp: new Date().toISOString()
+      });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
 }
 
 module.exports = { register };