mindforge-cc 5.1.0 → 5.3.0

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## [5.3.0] — Dynamic Blast Radius — 2026-03-28
+
+🚀 **MindForge v5.3.0 — Pillar II Implementation (APO v2)**
+
+This update introduces real-time risk assessment for agentic actions, preventing high-impact regressions through dynamic guardrails.
+
+### Pillar II: Dynamic Blast Radius (v5.3.0)
+
+- **Impact Scoring Engine**: Implemented `impact-analyzer.js` to calculate the "Blast Radius" (0-100) of every intent based on action severity and target sensitivity.
+- **Max-Impact Policy Enforcement**: Updated `policy-engine.js` to enforce `max_impact` thresholds, allowing granular control over destructive operations.
+- **Fail-Safe Security**: Integrated "Default Deny" posture if impact analysis fails, defaulting to score 100 (CRITICAL).
+
+## [5.2.0] — Semantic Vector Consensus — 2026-03-28
+
+🚀 **MindForge v5.2.0 — Pillar I Implementation (FIM v2)**
+
+This update transcends simple timestamp-based synchronization, moving to a vector-space consensus model for organizational knowledge.
+
+### Pillar I: Semantic Vector Consensus (v5.2.0)
+
+- **Hybrid Semantic Synthesis**: Refactored `federated-sync.js` to use `EmbeddingEngine` cosine similarity for knowledge merging.
+- **4-Branch Resolution Protocol**:
+    - **LWW (> 0.9)**: Auto-resolve near-identical entries.
+    - **Autonomous ADS Merge (0.75 - 0.9)**: Proactive synthesis of overlapping knowledge.
+    - **Nexus Handover (0.6 - 0.75)**: Human-agent conflict resolution.
+    - **Topic Isolation (< 0.6)**: Prevention of ID collisions for disparate content.
+- **Resilient Sync Architecture**: Hardened synchronization loop with robust error handling and TF-IDF fallback.
+
 ## [5.1.0] — The Beast Addition — 2026-03-28
 
 🚀 **MindForge v5.1.0 — Evolution of the Agentic Protocol Mesh**
@@ -79,12 +107,17 @@ This landmark release transforms MindForge into a distributed, governable, and c
 - **RBAC Manager**: Implemented `rbac-manager.js` for mapping DIDs to project roles and binding permissions to ZTAI Trust Tiers.
 - **Policy Interceptor**: Deep integration into `auto-runner.js`, enforcing a pre-flight governance gate before every autonomous wave.
 - **Default Enterprise Policies**: Shipped with initial security guardrails for engine and infrastructure protection.
+- **Dynamic Blast Radius (v5.3.0)**: Integrated `ImpactAnalyzer` to calculate and enforce risk-based thresholds for autonomous actions.
 
 ### Hardening ("Beast" Mode v5.0.0-alpha.1)
 
 - **ZTAI Interlock**: All mesh and policy operations now utilize the hardware-enclave (simulated) signing engine for Tier 3 principals.
 - **Dynamic Intent Extraction**: Autonomous intents are now derived in real-time from active session identities.
-- **Conflict Resolution (LWW)**: Hardened the federated sync with Last-Write-Wins conflict resolution logic.
+- **Conflict Resolution (v5.2.0)**: Uses **Hybrid Semantic Synthesis** (Pillar I v5.2.0). 
+  - **Similarity > 0.9**: Near-identical; auto-resolve via **Last-Write-Wins (LWW)**.
+  - **0.75 - 0.9**: Semantic Overlap; triggers **Autonomous ADS Merging**.
+  - **0.6 - 0.75**: Conflict; triggers **Nexus Handover (DHH)** for human steering.
+  - **< 0.6**: Topic Collision; isolates entries into unique IDs to prevent data loss.
 
 ---
 
@@ -305,7 +338,7 @@ This release fixes documentation asset synchronization and repairs logic corrupt
 
 ---
 
-## [2.1.2] — Beast Mode Branding & CI Fix — 2026-03-25
+## [2.1.2]*Status: V5.2.0 Semantic Consensus Implemented & Verified (2026-03-28)*
 
 🚀 **MindForge v2.1.2 — Beast Mode Branding & CI Fix**
 
@@ -539,9 +572,10 @@ This major release transforms MindForge from a Claude-centric framework into a u
 
 - Gate 3 (secret detection) now runs PRE-COMMIT in auto mode
 - Pre-flight dirty check excludes `.planning/` state files
-- DECOMPOSE: dependency chain correctly updated in downstream plans
-- S01 stuck detection requires consecutive failures
-- S03 error normalization preserves module/package names
+- DECOMPOSE:- **Deny**: The action is blocked, and the violation is logged to `AUDIT.jsonl`.
+- **Blast Radius Denial (v5.3.0)**: Action is blocked if the `Impact Score` exceeds the policy `max_impact` threshold.
+- **Escalate**: The action requires a higher-tier DID signature or explicit HITL (Human-in-the-Loop) approval.
+eserves module/package names
 - Steering injection guard validates all instructions
 - SIGTERM handler waits for task cleanup before saving state
 

package/RELEASENOTES.md

@@ -1,3 +1,25 @@
+# MindForge v5.3.0 — Dynamic Blast Radius
+## Top Summary
+The v5.3.0 release introduces real-time impact analysis and automated risk-based guardrails for agentic actions, preventing architectural regressions and accidental deletions.
+
+## Highlights
+- **Impact Scoring Engine**: Real-time evaluation of action severity and target namespace sensitivity.
+- **Fail-Safe Policy Enforcement**: Default-deny posture for critical operations exceeding impact thresholds.
+- **Dynamic Governance**: Extensible `max_impact` rules integrated into the Policy Engine.
+
+---
+
+# MindForge v5.2.0 — Semantic Vector Consensus
+## Top Summary
+The v5.2.0 release upgrades the Federated Intelligence Mesh (FIM) from simple LWW logic to a Hybrid Semantic Synthesis model, enabling intelligent knowledge merging across the organization.
+
+## Highlights
+- **Vector-Space Consensus**: Uses cosine similarity to resolve knowledge conflicts between federated agents.
+- **4-Branch Resolution Protocol**: Automated merging, human-in-the-loop handover, and topic isolation based on semantic distance.
+- **ADS Integration**: Proactive synthesis of overlapping insights using the Autonomous Design System engine.
+
+---
+
 # MindForge v5.1.0 — The Beast Addition
 ## Top Summary
 The v5.1.0 release integrates 14 advanced agentic protocols and high-performance session hooks, sanitizing and hardening them for the MindForge ecosystem.

package/bin/gov-audit.js

@@ -0,0 +1,38 @@
+/**
+ * MindForge v5.3.0 — Governance Visual Audit Simulation
+ * Tests the ImpactAnalyzer and PolicyEngine against a suite of intents.
+ */
+'use strict';
+
+const ImpactAnalyzer = require('./governance/impact-analyzer');
+const PolicyEngine = require('./governance/policy-engine');
+const fs = require('node:fs');
+const path = require('node:path');
+
+const engine = new PolicyEngine();
+
+const INTENTS = [
+  { action: 'READ', resource: 'docs/README.md', did: 'agent_01' },
+  { action: 'WRITE', resource: 'src/main.js', did: 'agent_02' },
+  { action: 'DELETE', resource: '.mindforge/vault.key', did: 'agent_03' },
+  { action: 'EXECUTE', resource: 'bin/install.sh', did: 'agent_04' },
+  { action: 'WRITE', resource: 'config/.env', did: 'agent_05' },
+  { action: 'READ', resource: 'security/audit.log', did: 'agent_01' }
+];
+
+console.log('--- MindForge v5.3.0 Governance Audit Simulation ---');
+console.log('| Action | Resource | Impact | Risk Tier | Verdict | Reason |');
+console.log('|--------|----------|--------|-----------|---------|--------|');
+
+INTENTS.forEach(intent => {
+  const impact = ImpactAnalyzer.analyze({
+    action: intent.action,
+    target: intent.resource
+  });
+  const tier = ImpactAnalyzer.getRiskTier(impact);
+  const result = engine.evaluate(intent);
+  
+  console.log(`| ${intent.action} | ${intent.resource} | ${impact}/100 | ${tier} | ${result.verdict} | ${result.reason} |`);
+});
+
+console.log('--- Simulation Complete ---');

package/bin/governance/impact-analyzer.js

@@ -0,0 +1,57 @@
+/**
+ * MindForge v5.3.0 — Impact Analyzer (Dynamic Blast Radius)
+ * Calculates the 'Blast Radius' score of a proposed intent.
+ */
+'use strict';
+
+class ImpactAnalyzer {
+  static SENSITIVE_NAMESPACES = [
+    '.mindforge',
+    'bin/',
+    'config/',
+    '.env',
+    'security/'
+  ];
+
+  static ACTION_SCORES = {
+    'READ': 1,
+    'WRITE': 5,
+    'DELETE': 10,
+    'EXECUTE': 8,
+    'GRANT': 15
+  };
+
+  /**
+   * Scores an intent based on action type and target path sensitivity.
+   * Score Range: 0 - 100
+   */
+  static analyze(intent) {
+    const { action, target, namespace } = intent;
+    
+    let score = this.ACTION_SCORES[action] || 5;
+    
+    // Check for sensitive namespace overlap
+    const isSensitive = this.SENSITIVE_NAMESPACES.some(ns => 
+      (target && target.includes(ns)) || (namespace && namespace.includes(ns))
+    );
+
+    if (isSensitive) {
+      score *= 4; // Quadruple impact for sensitive areas
+    }
+
+    // Cap the score at 100
+    return Math.min(score, 100);
+  }
+
+  /**
+   * Returns a risk tier based on the score.
+   */
+  static getRiskTier(score) {
+    if (score < 20) return 'LOW';
+    if (score < 50) return 'MEDIUM';
+    if (score < 80) return 'HIGH';
+    return 'CRITICAL';
+  }
+}
+
+module.exports = ImpactAnalyzer;

package/bin/governance/policy-engine.js

@@ -6,6 +6,7 @@
 
 const fs   = require('node:fs');
 const path = require('node:path');
+const ImpactAnalyzer = require('./impact-analyzer');
 
 class PolicyEngine {
   constructor(config = {}) {
@@ -32,6 +33,22 @@ class PolicyEngine {
     const requestId = `pol_${Date.now()}_${Math.random().toString(36).slice(2, 7)}`;
     console.log(`[APO-EVAL] [${requestId}] Evaluating intent: ${intent.action} on ${intent.resource} by ${intent.did}`);
 
+    // Pillar II (v5.3.0): Dynamic Impact Scoring
+    let impactScore = 100; // Default to CRITICAL impact if analysis fails (Fail-Safe)
+    let riskTier = 'UNKNOWN';
+
+    try {
+      impactScore = ImpactAnalyzer.analyze({
+        action: intent.action,
+        target: intent.resource,
+        namespace: intent.namespace // Optional namespace context
+      });
+      riskTier = ImpactAnalyzer.getRiskTier(impactScore);
+      console.log(`[APO-BLAST] [${requestId}] Calculated Blast Radius: ${impactScore}/100 [Tier: ${riskTier}]`);
+    } catch (err) {
+      console.error(`[APO-ERR] [${requestId}] Impact analysis failed. Defaulting to high-impact restriction.`, err);
+    }
+
     const policies = this.loadPolicies();
     
     // Default Deny if no policies found
@@ -46,7 +63,21 @@ class PolicyEngine {
       }
     }
 
-    // 2. Check for explicit PERMIT rules
+    // 2. Pillar II (v5.3.0): Dynamic Blast Radius Enforcement
+    // Check if the current intent impact exceeds the policy's max_impact or agent's trust tier
+    for (const policy of policies) {
+      if (this.matches(policy, intent)) {
+        if (policy.max_impact && impactScore > policy.max_impact) {
+          return { 
+            verdict: 'DENY', 
+            reason: `Dynamic Blast Radius Violation: Intent impact (${impactScore}) exceeds policy limit (${policy.max_impact})`, 
+            requestId 
+          };
+        }
+      }
+    }
+
+    // 3. Check for explicit PERMIT rules
     for (const policy of policies) {
       if (policy.effect === 'PERMIT' && this.matches(policy, intent)) {
         return { verdict: 'PERMIT', reason: `Authorized by ${policy.id}`, requestId };

package/bin/memory/federated-sync.js

@@ -9,6 +9,8 @@ const path  = require('node:path');
 const Store = require('./knowledge-store');
 const EISClient = require('./eis-client');
 const crypto = require('node:crypto');
+const EmbeddingEngine = require('./embedding-engine');
+const adsEngine = require('../review/ads-engine');
 
 class FederatedSync {
   constructor(config = {}) {
@@ -92,16 +94,94 @@ class FederatedSync {
     for (const remote of remoteEntries) {
       const local = existingById.get(remote.id);
       
-      // Conflict Resolution: Remote Wins if timestamp is newer
-      if (!local || new Date(remote.timestamp) > new Date(local.timestamp)) {
+      if (!local) {
         fs.appendFileSync(globalPath, JSON.stringify(remote) + '\n');
         mergedCount++;
+        continue;
       }
+
+      // Pillar I (v5.2.0): Hybrid Semantic synthesis
+      let similarity = 0;
+      try {
+        similarity = EmbeddingEngine.cosineSimilarity(
+          EmbeddingEngine.computeTfIdfVector(EmbeddingEngine.tokenize(local.content), {}, 1),
+          EmbeddingEngine.computeTfIdfVector(EmbeddingEngine.tokenize(remote.content), {}, 1)
+        );
+      } catch (err) {
+        console.error(`[FIM-ERR] Semantic analysis failed for ${local.id}. Falling back to LWW.`, err);
+        // Fallback to basic LWW (Last-Write-Wins)
+        if (new Date(remote.timestamp) > new Date(local.timestamp)) {
+          this.writeToGlobalKB(remote, globalPath);
+        }
+        continue;
+      }
+
+      this.triggerHybridSynthesis(local, remote, similarity, globalPath);
+      mergedCount++;
     }
     
     return mergedCount;
   }
 
+  /**
+   * Hybrid Synthesis Logic (Pillar I v5.2.0)
+   */
+  async triggerHybridSynthesis(local, remote, similarity, globalPath) {
+    console.log(`[FIM-SYNC] Analyzing semantic overlap for ${local.id} (Similarity: ${similarity.toFixed(4)})`);
+
+    // 1. LWW (Similarity > 0.9) - Near identical
+    if (similarity > 0.9) {
+      if (new Date(remote.timestamp) > new Date(local.timestamp)) {
+        this.writeToGlobalKB(remote, globalPath);
+        console.log(`  └─ [LWW] Auto-resolved via timestamp.`);
+      }
+      return;
+    }
+
+    // 2. Autonomous Merge (0.75 - 0.9) - Semantic Overlap
+    if (similarity > 0.75) {
+      console.log(`  └─ [ADS] Triggering Autonomous Knowledge Synthesis...`);
+      const merged = await this.triggerADSMerging(local, remote);
+      this.writeToGlobalKB(merged, globalPath);
+      return;
+    }
+
+    // 3. Human Stewardship (0.6 - 0.75) - Probable Disagreement
+    if (similarity > 0.6) {
+      console.log(`  └─ [DHH] High disagreement. Triggering Nexus Handover...`);
+      this.localStore.markConflict(local.id, remote);
+      return;
+    }
+
+    // 4. Collision Isolation (< 0.6) - Topic Mismatch
+    console.log(`  └─ [ISO] Semantic collision (Topic mismatch). Isolating entries.`);
+    this.writeToGlobalKB({ ...remote, id: `${remote.id}_collision_${Date.now()}` }, globalPath);
+  }
+
+  async triggerADSMerging(local, remote) {
+    const result = await adsEngine.runADSSynthesis({
+      phaseNum: 'SYNC',
+      goal: `Synthesize a unified knowledge entry for topic: ${local.topic || local.id}`,
+      context: `Local Entry: ${local.content}\n\nRemote Entry: ${remote.content}`,
+      sessionId: 'fim-sync-v5.2.0'
+    });
+
+    // Extract the final plan/content from ADS result
+    const mergedContent = fs.readFileSync(path.join(process.cwd(), '.planning', 'PLAN.md'), 'utf8');
+    
+    return {
+      ...remote,
+      content: mergedContent,
+      confidence: 1.0,
+      synthesis_id: result.ads_id,
+      timestamp: new Date().toISOString()
+    };
+  }
+
+  writeToGlobalKB(entry, globalPath) {
+    fs.appendFileSync(globalPath, JSON.stringify(entry) + '\n');
+  }
+
   isRecentlySynced(id) {
     // Simple check against local sync-history log
     if (!fs.existsSync(this.syncHistoryPath)) return false;

package/docs/INTELLIGENCE-MESH.md

@@ -15,7 +15,11 @@ The V5 mesh is built on three core pillars residing in `bin/memory/`:
 ### B. Federated Sync (`federated-sync.js`)
 - **Role**: High-performance synchronization engine between local stores and the organizational mesh.
 - **Delta Sync**: Tracks the `last_sync` timestamp to only pull new organizational insights, significantly reducing latency and compute costs.
-- **Conflict Resolution**: Uses **LWW (Last-Write-Wins)** logic with cryptographic version checks to handle concurrent updates from different agents.
+- **Conflict Resolution**: Uses **Hybrid Semantic Synthesis** (Pillar I v5.2.0). 
+  - **Similarity > 0.9**: Near-identical; auto-resolve via **Last-Write-Wins (LWW)**.
+  - **0.75 - 0.9**: Semantic Overlap; triggers **Autonomous ADS Merging**.
+  - **0.6 - 0.75**: Conflict; triggers **Nexus Handover (DHH)** for human steering.
+  - **< 0.6**: Topic Collision; isolates entries into unique IDs to prevent data loss.
 
 ### C. Knowledge Graph Bridge (`knowledge-graph.js`)
 - **Role**: Unified memory interface that resolves both local project nodes and remote federated nodes.
@@ -32,4 +36,4 @@ The V5 mesh is built on three core pillars residing in `bin/memory/`:
 - **Elimination of Redundancy**: Multi-thousand-token research chains are executed once and shared universally across the mesh.
 
 ---
-*Status: V5 "Beast" Mode Implemented & Verified (2026-03-28)*
+*Status: V5.2.0 Semantic Consensus Implemented & Verified (2026-03-28)*

package/docs/governance-guide.md

@@ -18,6 +18,7 @@ Before the `AutoRunner` begins a new execution wave, it extracts the acting agen
 The `PolicyEngine` evaluates this intent against organizational **Policy-as-Code (PaC)** definitions (typically stored in `bin/governance/policies/`).
 - **Permit**: The action is allowed and execution proceeds.
 - **Deny**: The action is blocked, and the violation is logged to `AUDIT.jsonl`.
+- **Blast Radius Denial (v5.3.0)**: Action is blocked if the `Impact Score` exceeds the policy `max_impact` threshold.
 - **Escalate**: The action requires a higher-tier DID signature or explicit HITL (Human-in-the-Loop) approval.
 
 ## 3. Trust Tier Architecture (ZTAI Hardened)
@@ -48,6 +49,13 @@ MindForge v5.1.0 ships with default policies including:
 - **`gate_tier_3_engine`**: Blocks all modifications to `bin/autonomous/` unless signed by a Tier 3 DID.
 - **`protect_security_namespace`**: Limits access to `/security` and `/governance` to Tier 2+ specialists.
 - **`mesh_integrity_lock`**: Ensures only high-confidence agents can push to the **Federated Intelligence Mesh**.
+- **`enforce_blast_radius` (v5.3.0)**: Dynamic policy that limits `DELETE` impact to <30 for Tier 1 agents.
+
+## 7. Dynamic Blast Radius (v5.3.0)
+The **ImpactAnalyzer** calculates a score (0-100) for every intent:
+- **Action Type**: `DELETE` (10), `WRITE` (5), `READ` (1).
+- **Sensitivity**: 4x multiplier for `.mindforge/`, `bin/`, and `config/` namespaces.
+- **Fail-Safe**: Defaults to Score 100 (CRITICAL) if analysis fails.
 
 ---
-*Status: V5.1.0 "Beast Addition" Governance Implemented & Verified (2026-03-28)*
+*Status: V5.3.0 Dynamic Blast Radius Implemented & Verified (2026-03-28)*

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mindforge-cc",
-  "version": "5.1.0",
+  "version": "5.3.0",
   "description": "MindForge - Enterprise Agentic Framework for Claude Code and Antigravity",
   "bin": {
     "mindforge-cc": "bin/install.js"