mindforge-cc 10.7.0 → 11.0.0

package/bin/autonomous/state-manager.js

@@ -7,8 +7,59 @@
 
 const fs = require('fs');
 const path = require('path');
+const { atomicWriteJSON } = require('../utils/file-io');
 
 const VALID_PHASES = ['idle', 'planning', 'executing', 'verifying', 'complete', 'running', 'paused', 'completed'];
+const VALID_STATUSES = ['idle', 'running', 'paused', 'completed', 'escalated', 'timeout'];
+
+/**
+ * Validates HANDOFF.json structure without blocking on failure (fail-open).
+ * Warns on malformed fields but always returns the data for processing.
+ * @param {*} data — Parsed HANDOFF.json content
+ * @returns {{ valid: boolean, warnings: string[] }}
+ */
+function validateHandoff(data) {
+  const warnings = [];
+
+  if (!data || typeof data !== 'object') {
+    warnings.push('HANDOFF.json is not a valid object');
+    return { valid: false, warnings };
+  }
+
+  if (!data.schema_version) {
+    warnings.push('Missing schema_version field');
+  }
+
+  if (data.handoffs && !Array.isArray(data.handoffs)) {
+    warnings.push('handoffs field must be an array');
+  }
+
+  if (data.handoffs && Array.isArray(data.handoffs)) {
+    for (let i = 0; i < data.handoffs.length; i++) {
+      const task = data.handoffs[i];
+      if (!task.id) warnings.push(`handoffs[${i}] missing required field: id`);
+      if (!task.name) warnings.push(`handoffs[${i}] missing required field: name`);
+    }
+  }
+
+  if (data.status && !VALID_STATUSES.includes(data.status)) {
+    warnings.push(`Invalid status: "${data.status}". Expected one of: ${VALID_STATUSES.join(', ')}`);
+  }
+
+  if (data.wave_current !== undefined && typeof data.wave_current !== 'number') {
+    warnings.push('wave_current must be a number');
+  }
+
+  if (data.tasks_completed !== undefined && typeof data.tasks_completed !== 'number') {
+    warnings.push('tasks_completed must be a number');
+  }
+
+  if (data.timestamps && typeof data.timestamps !== 'object') {
+    warnings.push('timestamps must be an object');
+  }
+
+  return { valid: warnings.length === 0, warnings };
+}
 
 /**
  * Creates a state manager for the given planning directory.
@@ -45,7 +96,7 @@ function createStateManager(planningDir) {
   function updateState(patch) {
     const current = getState();
     const merged = Object.assign(Object.create(null), current, patch);
-    fs.writeFileSync(statePath, JSON.stringify(merged, null, 2));
+    atomicWriteJSON(statePath, merged);
     return merged;
   }
 
@@ -64,7 +115,8 @@ function createStateManager(planningDir) {
   }
 
   /**
-   * Reads and parses HANDOFF.json. Throws if missing or malformed.
+   * Reads and parses HANDOFF.json with schema validation (fail-open).
+   * Logs warnings for structural issues but always returns data if parseable.
    * @returns {object} Parsed handoff data (fresh object)
    */
   function readHandoff() {
@@ -79,8 +131,12 @@ function createStateManager(planningDir) {
       throw new Error(`HANDOFF.json is malformed: ${e.message}`);
     }
 
-    if (!handoff.handoffs || !Array.isArray(handoff.handoffs)) {
-      throw new Error('HANDOFF.json has no handoffs array');
+    // Fail-open schema validation — warn but never block
+    const { valid, warnings } = validateHandoff(handoff);
+    if (!valid) {
+      for (const warning of warnings) {
+        console.warn('[STATE] HANDOFF validation:', warning);
+      }
     }
 
     return handoff;
@@ -94,7 +150,7 @@ function createStateManager(planningDir) {
     const timestamped = Object.assign(Object.create(null), data, {
       last_updated: new Date().toISOString(),
     });
-    fs.writeFileSync(handoffPath, JSON.stringify(timestamped, null, 2) + '\n');
+    atomicWriteJSON(handoffPath, timestamped);
     return timestamped;
   }
 
@@ -113,4 +169,4 @@ function sanitizeState(parsed) {
   return clean;
 }
 
-module.exports = { createStateManager };
+module.exports = { createStateManager, validateHandoff };

package/bin/autonomous/stuck-monitor.js

@@ -96,12 +96,49 @@ class StuckMonitor {
     return identical.length >= 3;
   }
 
-  isContentSimilar(a, b) {
+  isContentSimilar(a, b, threshold = 10) {
     if (!a || !b) return false;
     if (a === b) return true;
-    // Simple similarity check (hardened from Roadmap requirement)
-    const dist = this.levenshtein(a.slice(0, 100), b.slice(0, 100));
-    return dist < 10;
+
+    const hashA = this._quickHash(a);
+    const hashB = this._quickHash(b);
+    if (hashA === hashB) return true;
+
+    const lenDiff = Math.abs(a.length - b.length);
+    if (lenDiff > Math.max(a.length, b.length) * 0.2) return false;
+
+    const cached = this._getCachedSimilarity(hashA, hashB);
+    if (cached !== undefined) return cached;
+
+    const truncA = a.substring(0, 100);
+    const truncB = b.substring(0, 100);
+    const result = this.levenshtein(truncA, truncB) <= threshold;
+
+    this._setCachedSimilarity(hashA, hashB, result);
+    return result;
+  }
+
+  _quickHash(str) {
+    let hash = 0;
+    for (let i = 0; i < str.length; i++) {
+      hash = ((hash << 5) - hash) + str.charCodeAt(i);
+      hash = hash & hash;
+    }
+    return hash;
+  }
+
+  _getCachedSimilarity(keyA, keyB) {
+    const key = keyA < keyB ? `${keyA}|${keyB}` : `${keyB}|${keyA}`;
+    return StuckMonitor._similarityCache.get(key);
+  }
+
+  _setCachedSimilarity(keyA, keyB, result) {
+    const key = keyA < keyB ? `${keyA}|${keyB}` : `${keyB}|${keyA}`;
+    if (StuckMonitor._similarityCache.size >= 200) {
+      const firstKey = StuckMonitor._similarityCache.keys().next().value;
+      StuckMonitor._similarityCache.delete(firstKey);
+    }
+    StuckMonitor._similarityCache.set(key, result);
   }
 
   levenshtein(a, b) {
@@ -109,12 +146,14 @@ class StuckMonitor {
     for (let i = 0; i <= a.length; i++) { tmp[i] = [i]; }
     for (let j = 0; j <= b.length; j++) { tmp[0][j] = j; }
     for (let i = 1; i <= a.length; i++) {
-        for (let j = 1; j <= b.length; j++) {
-            tmp[i][j] = Math.min(tmp[i - 1][j] + 1, tmp[i][j - 1] + 1, tmp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
-        }
+      for (let j = 1; j <= b.length; j++) {
+        tmp[i][j] = Math.min(tmp[i - 1][j] + 1, tmp[i][j - 1] + 1, tmp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
+      }
     }
     return tmp[a.length][b.length];
   }
 }
 
+StuckMonitor._similarityCache = new Map();
+
 module.exports = StuckMonitor;

package/bin/autonomous/wave-executor.js

@@ -7,6 +7,35 @@
 
 const crypto = require('crypto');
 
+/**
+ * Semaphore for bounding concurrency within a wave.
+ * Tasks within a wave are independent — this limits how many run simultaneously.
+ */
+class Semaphore {
+  constructor(max) {
+    this.max = max;
+    this.current = 0;
+    this.queue = [];
+  }
+
+  async acquire() {
+    if (this.current < this.max) {
+      this.current++;
+      return;
+    }
+    await new Promise(resolve => this.queue.push(resolve));
+    this.current++;
+  }
+
+  release() {
+    this.current--;
+    if (this.queue.length > 0) {
+      const next = this.queue.shift();
+      next();
+    }
+  }
+}
+
 /**
  * Creates a wave executor with the given configuration.
  * @param {object} config
@@ -73,42 +102,54 @@ function createWaveExecutor(config = {}) {
   }
 
   /**
-   * Executes a single wave — runs tasks sequentially, skipping already-completed ones.
+   * Executes a single wave — runs tasks in parallel (bounded by maxConcurrency),
+   * skipping already-completed ones.
    * @param {object} wave — A wave object from planWaves
    * @param {object} context — Execution context passed to callbacks
-   * @param {object} context.executor — async function(task) => result (performs actual work)
+   * @param {function} context.executor — async function(task) => result (performs actual work)
+   * @param {number} [context.maxConcurrency=3] — Max parallel tasks within this wave
    * @returns {Promise<{ completed: string[], failed: string[], skipped: string[] }>}
    */
   async function executeWave(wave, context = {}) {
-    const { executor = async () => {} } = context;
+    const { executor = async () => {}, maxConcurrency = 3 } = context;
     status = 'running';
 
     const pending = wave.tasks.filter(t => !completedTasks.has(t.id));
     const result = { completed: [], failed: [], skipped: [] };
+    const semaphore = new Semaphore(maxConcurrency);
 
     onWaveStart({ wave: wave.wave, taskCount: pending.length });
 
-    for (const task of pending) {
-      const taskStart = Date.now();
-      onTaskStart({ task, wave: wave.wave });
-
-      try {
-        await executor(task);
-
-        const duration = Date.now() - taskStart;
-        completedTasks = new Set([...completedTasks, task.id]);
-        result.completed.push(task.id);
-
-        onTaskComplete({ task, wave: wave.wave, duration_ms: duration });
-      } catch (err) {
-        const duration = Date.now() - taskStart;
-        result.failed.push(task.id);
-
-        onTaskFail({ task, wave: wave.wave, error: err, duration_ms: duration });
-
-        // Re-throw to let caller decide on retry/escalation strategy
-        throw err;
-      }
+    const settled = await Promise.allSettled(
+      pending.map(async (task) => {
+        await semaphore.acquire();
+        const taskStart = Date.now();
+        try {
+          onTaskStart({ task, wave: wave.wave });
+          await executor(task);
+
+          const duration = Date.now() - taskStart;
+          completedTasks = new Set([...completedTasks, task.id]);
+          result.completed.push(task.id);
+
+          onTaskComplete({ task, wave: wave.wave, duration_ms: duration });
+          return { task, status: 'fulfilled' };
+        } catch (err) {
+          const duration = Date.now() - taskStart;
+          result.failed.push(task.id);
+
+          onTaskFail({ task, wave: wave.wave, error: err, duration_ms: duration });
+          throw err;
+        } finally {
+          semaphore.release();
+        }
+      })
+    );
+
+    const failures = settled.filter(r => r.status === 'rejected');
+    if (failures.length > 0) {
+      const failMsg = failures.map(f => f.reason?.message || 'unknown').join(', ');
+      throw new Error(`${failures.length} task(s) failed in wave: ${failMsg}`);
     }
 
     currentWaveIndex++;
@@ -166,4 +207,4 @@ function normalizeTask(h) {
   });
 }
 
-module.exports = { createWaveExecutor };
+module.exports = { createWaveExecutor, Semaphore };

package/bin/dashboard/api-router.js

@@ -192,6 +192,49 @@ function register(app) {
   app.get('/api/connections', (req, res) => {
     res.json({ clients: SSE.getClientCount() });
   });
+
+  // ── System observability ────────────────────────────────────────────────────
+  app.get('/api/v1/system', (req, res) => {
+    try {
+      const heapUsed = process.memoryUsage().heapUsed;
+      const heapTotal = process.memoryUsage().heapTotal;
+      const uptime = process.uptime();
+
+      let auditLines = 0;
+      try {
+        const auditPath = path.join(process.cwd(), '.planning', 'AUDIT.jsonl');
+        if (fs.existsSync(auditPath)) {
+          const content = fs.readFileSync(auditPath, 'utf8');
+          auditLines = content.split('\n').filter(l => l.trim()).length;
+        }
+      } catch { /* non-critical */ }
+
+      let snapshotCount = 0;
+      try {
+        const historyDir = path.join(process.cwd(), '.planning', 'history');
+        if (fs.existsSync(historyDir)) {
+          snapshotCount = fs.readdirSync(historyDir).length;
+        }
+      } catch { /* non-critical */ }
+
+      const heapHealth = Metrics.checkHeapHealth();
+
+      res.json({
+        heap_used_mb: Math.round(heapUsed / 1024 / 1024 * 100) / 100,
+        heap_total_mb: Math.round(heapTotal / 1024 / 1024 * 100) / 100,
+        heap_usage_pct: Math.round(heapUsed / heapTotal * 100),
+        heap_alert: heapHealth,
+        uptime_seconds: Math.round(uptime),
+        audit_lines: auditLines,
+        snapshot_count: snapshotCount,
+        sse_clients: SSE.getClientCount(),
+        node_version: process.version,
+        timestamp: new Date().toISOString()
+      });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
 }
 
 module.exports = { register };

package/bin/dashboard/metrics-aggregator.js

@@ -326,6 +326,32 @@ function getCosts(windowDays = 7) {
   return stats;
 }
 
+// ── Heap Health ──────────────────────────────────────────────────────────────
+function checkHeapHealth() {
+  const heapUsed = process.memoryUsage().heapUsed;
+  const maxHeap = getMaxOldSpaceSize();
+  const usagePct = Math.round(heapUsed / maxHeap * 100);
+
+  let status = 'healthy';
+  if (usagePct > 85) {
+    status = 'critical';
+  } else if (usagePct > 70) {
+    status = 'warning';
+  }
+
+  return { status, usage_pct: usagePct };
+}
+
+function getMaxOldSpaceSize() {
+  // Parse --max-old-space-size from process args, default 1.4GB
+  const flag = process.execArgv.find(a => a.startsWith('--max-old-space-size'));
+  if (flag) {
+    const mb = parseInt(flag.split('=')[1], 10);
+    if (mb > 0) return mb * 1024 * 1024;
+  }
+  return 1.4 * 1024 * 1024 * 1024;
+}
+
 module.exports = {
   getStatus,
   getAuditEntries,
@@ -333,5 +359,6 @@ module.exports = {
   getApprovals,
   getTeamActivity,
   getMemory,
-  getCosts
+  getCosts,
+  checkHeapHealth
 };

package/bin/dashboard/server.js

@@ -42,12 +42,18 @@ const RevOpsAPI   = require('./revops-api');
 const app = express();
 
 // ── Bearer token authentication ──────────────────────────────────────────────
-const DASHBOARD_TOKEN = crypto.randomBytes(32).toString('hex');
+let currentToken = crypto.randomBytes(32).toString('hex');
 const TOKEN_FILE = path.join(process.cwd(), '.mindforge', '.dashboard-token');
+const TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours
+let tokenCreatedAt = Date.now();
+
+function isTokenExpired() {
+  return (Date.now() - tokenCreatedAt) > TOKEN_EXPIRY_MS;
+}
 
 // Write token to file with restrictive permissions (owner-only read/write)
 fs.mkdirSync(path.dirname(TOKEN_FILE), { recursive: true });
-fs.writeFileSync(TOKEN_FILE, DASHBOARD_TOKEN, { mode: 0o600 });
+fs.writeFileSync(TOKEN_FILE, currentToken, { mode: 0o600 });
 
 /**
  * requireAuth — Validates Bearer token on mutating requests (POST/PUT/DELETE).
@@ -56,6 +62,11 @@ fs.writeFileSync(TOKEN_FILE, DASHBOARD_TOKEN, { mode: 0o600 });
 function requireAuth(req, res, next) {
   if (req.method === 'GET' || req.method === 'OPTIONS') return next();
 
+  // Check token expiration first
+  if (isTokenExpired()) {
+    return res.status(401).json({ error: 'token_expired' });
+  }
+
   const authHeader = req.headers.authorization;
   if (!authHeader || !authHeader.startsWith('Bearer ')) {
     return res.status(401).json({
@@ -65,7 +76,9 @@ function requireAuth(req, res, next) {
 
   const provided = authHeader.slice(7);
   // Constant-time comparison to prevent timing attacks
-  if (!crypto.timingSafeEqual(Buffer.from(provided), Buffer.from(DASHBOARD_TOKEN))) {
+  const tokenBuf = Buffer.from(currentToken);
+  const providedBuf = Buffer.from(provided);
+  if (tokenBuf.length !== providedBuf.length || !crypto.timingSafeEqual(providedBuf, tokenBuf)) {
     return res.status(401).json({
       error: 'Authentication required. Use the token printed at dashboard startup.'
     });
@@ -74,6 +87,44 @@ function requireAuth(req, res, next) {
   next();
 }
 
+// ── Rate limiting (100 req/min/IP) ───────────────────────────────────────────
+const rateLimitMap = new Map(); // ip -> { count, resetAt }
+const RATE_LIMIT = 100;
+const RATE_WINDOW_MS = 60000;
+
+function rateLimitMiddleware(req, res, next) {
+  const ip = req.ip || req.connection.remoteAddress;
+  const now = Date.now();
+  let entry = rateLimitMap.get(ip);
+
+  if (!entry || now > entry.resetAt) {
+    entry = { count: 0, resetAt: now + RATE_WINDOW_MS };
+    rateLimitMap.set(ip, entry);
+  }
+
+  entry.count++;
+
+  if (entry.count > RATE_LIMIT) {
+    return res.status(429).json({
+      error: 'rate_limit_exceeded',
+      retry_after_ms: entry.resetAt - now
+    });
+  }
+
+  next();
+}
+
+// Periodically clean stale rate-limit entries to prevent memory growth
+const rateLimitCleanupInterval = setInterval(() => {
+  const now = Date.now();
+  for (const [ip, entry] of rateLimitMap.entries()) {
+    if (now > entry.resetAt) {
+      rateLimitMap.delete(ip);
+    }
+  }
+}, 60000);
+if (rateLimitCleanupInterval.unref) rateLimitCleanupInterval.unref();
+
 // Security middleware
 app.use((req, res, next) => {
   const addr = req.socket.remoteAddress;
@@ -84,6 +135,9 @@ app.use((req, res, next) => {
   next();
 });
 
+// ── Rate limiting — applied after localhost check, before auth ────────────────
+app.use(rateLimitMiddleware);
+
 // CORS — restrict to dashboard's own origin only (prevent cross-origin attacks)
 const DASHBOARD_ORIGIN = `http://127.0.0.1:${PORT}`;
 app.use((req, res, next) => {
@@ -124,6 +178,15 @@ app.get('/', (req, res) => {
   res.sendFile(FRONTEND);
 });
 
+// ── Token refresh endpoint (requires valid existing token) ───────────────────
+app.post('/api/v1/token/refresh', requireAuth, (req, res) => {
+  const newToken = crypto.randomBytes(32).toString('hex');
+  fs.writeFileSync(TOKEN_FILE, newToken, { mode: 0o600 });
+  tokenCreatedAt = Date.now();
+  currentToken = newToken;
+  res.json({ success: true, token: newToken, expires_in_ms: TOKEN_EXPIRY_MS });
+});
+
 // ── Register API routes ───────────────────────────────────────────────────────
 API.register(app);
 app.use('/api/temporal', TemporalAPI);
@@ -143,7 +206,7 @@ server.listen(PORT, '127.0.0.1', () => {
   console.log(`    Status:  http://localhost:${PORT}/api/status`);
   console.log(`    Events:  http://localhost:${PORT}/events`);
   console.log(`    PID:     ${process.pid}`);
-  console.log(`[Dashboard] Auth token: ${DASHBOARD_TOKEN}`);
+  console.log('[Dashboard] Auth token written to token file (not logged for security).');
   console.log(`    Token file: ${TOKEN_FILE}`);
   console.log('\n    Press CTRL+C to stop\n');
 

package/bin/dashboard/sse-bridge.js

@@ -80,14 +80,14 @@ function pollAuditLog() {
     const newSize  = stat.size;
     const newIno   = stat.ino;
 
-    // File rotation detected: inode changed or new file is smaller
-    if (newIno !== _auditInode && _auditInode !== 0) {
-      process.stderr.write(`[sse-bridge] AUDIT.jsonl rotation detected (old ino: ${_auditInode}, new ino: ${newIno})\n`);
+    // File rotation detected: inode changed or file shrunk (truncated after archival)
+    if ((newIno !== _auditInode && _auditInode !== 0) || (newSize < _lastAuditSize)) {
+      process.stderr.write(`[sse-bridge] AUDIT.jsonl rotation detected (size: ${_lastAuditSize} -> ${newSize}, ino: ${_auditInode} -> ${newIno})\n`);
       _lastAuditSize = 0;
     }
     _auditInode = newIno;
 
-    if (newSize <= _lastAuditSize) return; // No new data
+    if (newSize <= _lastAuditSize) return;
 
     // Read only the new bytes appended since last poll
     const fd   = fs.openSync(AUDIT_PATH, 'r');

package/bin/engine/feedback-loop.js

@@ -98,6 +98,14 @@ class WaveFeedbackLoop {
     return { shouldPause: false };
   }
 
+  recordRemediationOutcome(remediationId, outcome) {
+    this.recordPerformance(
+      outcome.strategy,
+      'remediation',
+      outcome.effective
+    );
+  }
+
   reset() {
     this.waveState = { completed: 0, failed: 0, skipped: 0, total: 0 };
   }

package/bin/engine/intelligence-interlock.js

@@ -15,24 +15,41 @@ class IntelligenceInterlock {
     this.UPGRADE_THRESHOLD = 0.50; // v6.3.0 Threshold (Recalibrated for IDC readiness)
   }
 
-  /**
-   * Evaluates if a model upgrade is required based on reasoning drift.
-   * @param {string} spanId 
-   * @param {string} thought 
-   */
   evaluate(spanId, thought) {
-    const analysis = driftDetector.analyze(spanId, thought);
-    
-    if (analysis.drift_score > this.UPGRADE_THRESHOLD) {
-      console.log(`[IDC] Critical Drift Detected (${analysis.drift_score}). Recommending intelligence upgrade for Span ${spanId}.`);
-      return {
-        action: 'UPGRADE_MIR',
-        new_mir: 99, // Force maximum intelligence (Tier 1+)
-        reason: analysis.markers
-      };
+    const driftReport = driftDetector.analyze(spanId, thought);
+    const driftScore = driftReport.drift_score;
+
+    if (driftScore <= this.UPGRADE_THRESHOLD) {
+      return { action: 'CONTINUE', drift_score: driftScore };
+    }
+
+    let tierIncrease;
+    if (driftScore > 0.80) {
+      tierIncrease = 'MAX';
+    } else if (driftScore > 0.65) {
+      tierIncrease = 2;
+    } else {
+      tierIncrease = 1;
     }
 
-    return { action: 'CONTINUE', drift: analysis.drift_score };
+    let costWarning = false;
+    try {
+      const CostTracker = require('../models/cost-tracker');
+      const dailySpend = CostTracker.getDailySpend ? CostTracker.getDailySpend() : 0;
+      const hardLimit = CostTracker.getHardLimit ? CostTracker.getHardLimit() : Infinity;
+      if (dailySpend / hardLimit > 0.8) {
+        costWarning = true;
+        tierIncrease = Math.min(tierIncrease === 'MAX' ? 3 : tierIncrease, 1);
+      }
+    } catch { /* cost tracker unavailable */ }
+
+    return {
+      action: 'UPGRADE_MIR',
+      tier_increase: tierIncrease,
+      drift_score: driftScore,
+      cost_constrained: costWarning,
+      reason: driftReport.markers
+    };
   }
 }
 

package/bin/engine/logic-drift-detector.js

@@ -8,10 +8,11 @@
 'use strict';
 
 const configManager = require('../governance/config-manager');
+const { LRUMap } = require('../utils/index');
 
 class LogicDriftDetector {
   constructor() {
-    this.sessionDriftHistory = new Map(); // spanId -> [scores]
+    this.sessionDriftHistory = new LRUMap(500);
     this.DRIFT_THRESHOLD = configManager.get('governance.drift_threshold', 0.75);
     this.CRITICAL_DRIFT_THRESHOLD = configManager.get('governance.critical_drift_threshold', 0.50);
   }

package/bin/engine/nexus-tracer.js

@@ -16,6 +16,7 @@ const remediationEngine = require('./remediation-engine'); // v6.1 Pillar X
 const logicValidator = require('./logic-validator'); // v7 Pillar X
 const vectorHub = require('../memory/vector-hub'); // v8 Pillar XV
 const { AuditWriter } = require('../utils/file-io');
+const { LRUMap } = require('../utils/index');
 
 class NexusTracer {
   constructor(config = {}) {
@@ -29,8 +30,8 @@ class NexusTracer {
     this.vhInitialized = false;
 
     // v7: Centralized Thresholds
-    this.RES_THRESHOLD = configManager.get('governance.res_threshold', 0.8); 
-    this.entropyCache = new Map(); 
+    this.RES_THRESHOLD = configManager.get('governance.res_threshold', 0.8);
+    this.entropyCache = new LRUMap(1000);
 
     // v9: Async Audit Writer (replaces sync appendFileSync)
     this._auditWriter = new AuditWriter(this.auditPath);