mindforge-cc 5.3.0 → 5.6.0

package/CHANGELOG.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## [5.6.0] - 2026-03-28
+### Added
+- **Pillar IV: Supply Chain Trust (Binary Runtime Attestation)**.
+- Cryptographic skill signing in `SkillRegistry` via ZTAIManager Tier 3 Enclaves.
+- JIT Attestation in `SkillValidator` to verify skill integrity before agent execution.
+- `SIGNATURES.json` tracking for all enterprise-grade skills.
+
+## [5.5.0] - 2026-03-28
+### Added
+- **Pillar III: Predictive Agentic Reliability (Reasoning Entropy Monitoring)**.
+- Reasoning Entropy Scoring (RES) in `NexusTracer` to detect semantic stagnation and loops.
+- Proactive Self-Healing trigger for high-similarity thought sequences.
+- Steering Vector generation in `TemporalHindsight` to break agentic deadlocks.
+
+## [5.4.0] — Beast Mode Hardening — 2026-03-28
+
+# Release Notes - MindForge v5.6.0 "Sentinel Execution"
+
+MindForge v5.6.0 introduces the final pillars of the Hyper-Enterprise roadmap: Proactive Reliability and Zero-Trust Skill Execution.
+
+## Highlights
+- **Reasoning Entropy Monitoring (PAR)**: Proactively prevents token-burning reasoning loops.
+- **Binary Runtime Attestation (ZTS)**: Cryptographically ensures that skills have not been tampered with before they are loaded by the agent.
+
+---
+
+## [5.6.0] - Sentinel Execution
+- Implemented JIT Attestation for Skill Registry.
+- Added Skill Signing utility in `mindforge-cc sign`.
+
+## [5.5.0] - Predictive Reliability
+- Implemented RES (Reasoning Entropy Scoring) in Nexus Tracer.
+- Added Steering Vector injection for proactive loop breaking.
+
+🚀 **MindForge v5.4.0 — Enterprise Resilience (Hardened Edition)**
+
+This update elevates the v5.3.0 "Hyper-Enterprise" features to maximum robustness ("Beast Mode"), implementing critical safety systems and advanced observability.
+
+### 🛡️ Beast Mode Hardening (v5.4.0)
+
+- **Circuit Breaker Pattern**: Implemented a stateful `CircuitBreaker` in `federated-sync.js` to prevent network floods. Automatically disables mesh sync for 1 hour after 3 consecutive EIS failures.
+- **Critical-Path Protection**: Automated "Blast Radius" score of 100 in `impact-analyzer.js` for sensitive files (`.env`, `*.pem`, `id_rsa`, `package-lock.json`, etc.).
+- **Recursive Depth Penalty**: Introduced a 1.5x impact multiplier for actions deeper than 5 directory levels, preventing mass-scale silent modifications.
+- **Failure Telemetry**: Added `sync-history.jsonl` and `sync-telemetry.jsonl` for detailed conflict resolution and error auditability.
+- **Resilient Execution**: Raised default scores for `EXECUTE` and `GRANT` actions to increase governance oversight.
+
 ## [5.3.0] — Dynamic Blast Radius — 2026-03-28
 
 🚀 **MindForge v5.3.0 — Pillar II Implementation (APO v2)**

package/RELEASENOTES.md

@@ -1,3 +1,15 @@
+# MindForge v5.4.0 — Beast Mode Hardening
+## Top Summary
+The v5.4.0 release elevates the "Hyper-Enterprise" features to maximum robustness ("Beast Mode"), implementing critical safety systems, automated blast-radius protection for sensitive files, and advanced failure telemetry.
+
+## Highlights
+- **Circuit Breaker Pattern**: Stateful resilience in `federated-sync.js` to prevent network floods during outages.
+- **Critical-Path Protection**: Automated "Blast Radius" score of 100 for high-risk files (secrets, locks, audits).
+- **Depth-Aware Governance**: 1.5x impact multiplier for deep directory modifications to prevent mass-scale silent regressions.
+- **Enhanced Observability**: Detailed conflict resolution and sync telemetry logs for enterprise auditing.
+
+---
+
 # MindForge v5.3.0 — Dynamic Blast Radius
 ## Top Summary
 The v5.3.0 release introduces real-time impact analysis and automated risk-based guardrails for agentic actions, preventing architectural regressions and accidental deletions.

package/bin/engine/nexus-tracer.js

@@ -21,6 +21,10 @@ class NexusTracer {
     this.enableZtai = config.enableZtai !== false;
     this.sreManager = new SREManager();
 
+    // v5 Pillar III: Reasoning Entropy Monitoring (RES)
+    this.RES_THRESHOLD = 0.8; // Similarity threshold for stagnation
+    this.entropyCache = new Map(); // spanId -> [thoughtHistories]
+
     // v5 Pillar IV: Agentic SBOM
     this.sbom = {
       manifest_version: '1.0.0',
@@ -123,12 +127,74 @@ class NexusTracer {
       sanitizedThought = this.sreManager.sanitizeThoughtChain(thought, span.attributes.enclave_id);
     }
 
+    // v5 Pillar III: PES (Proactive Equilibrium Scoring)
+    const entropy = this.calculateEntropy(spanId, sanitizedThought);
+    const isStagnant = entropy > this.RES_THRESHOLD;
+
     this._recordEvent('reasoning_trace', {
       span_id: spanId,
       agent,
       thought: sanitizedThought,
-      resolution
+      resolution,
+      entropy: parseFloat(entropy.toFixed(4)),
+      is_stagnant: isStagnant
     });
+
+    if (isStagnant) {
+      const history = this.entropyCache.get(spanId) || [];
+      const stagnationCount = history.filter(h => h.entropy > this.RES_THRESHOLD).length;
+
+      if (stagnationCount >= 3) {
+        this._recordEvent('vulnerability_detected', {
+          span_id: spanId,
+          type: 'REASONING_LOOP',
+          severity: 'HIGH',
+          description: 'Agent reasoning entropy dropped below threshold (stagnation detected). Triggering proactive RCA.',
+          entropy_score: entropy
+        });
+        
+        // Signal proactive recovery
+        this.recordSelfHeal(spanId, {
+          type: 'PROACTIVE_RCA',
+          cause: 'REASONING_STAGNATION',
+          suggestion: 'Entropy threshold exceeded. Switch reasoning strategy.'
+        });
+      }
+    }
+  }
+
+  /**
+   * Calculates "Reasoning Entropy" (Similarity to previous thoughts).
+   * Range 0.0 (High Entropy/New) to 1.0 (Low Entropy/Repetitive).
+   */
+  calculateEntropy(spanId, currentThought) {
+    if (!this.entropyCache.has(spanId)) {
+      this.entropyCache.set(spanId, []);
+    }
+    const history = this.entropyCache.get(spanId);
+    
+    if (history.length === 0) {
+      history.push({ thought: currentThought, entropy: 0 });
+      return 0;
+    }
+
+    // Simple Jaccard Similarity approach for stagnation detection
+    const getTokens = (str) => new Set(str.toLowerCase().split(/\s+/).filter(t => t.length > 3));
+    const currentTokens = getTokens(currentThought);
+    
+    let maxSimilarity = 0;
+    for (const prev of history) {
+      const prevTokens = getTokens(prev.thought);
+      const intersection = new Set([...currentTokens].filter(x => prevTokens.has(x)));
+      const union = new Set([...currentTokens, ...prevTokens]);
+      const similarity = union.size === 0 ? 0 : intersection.size / union.size;
+      if (similarity > maxSimilarity) maxSimilarity = similarity;
+    }
+
+    history.push({ thought: currentThought, entropy: maxSimilarity });
+    if (history.length > 5) history.shift(); // Sliding window of 5 thoughts
+
+    return maxSimilarity;
   }
 
   /**

package/bin/engine/temporal-hindsight.js

@@ -83,6 +83,33 @@ class TemporalHindsight {
       autoApplyStatus: 'PENDING_SIGNATURE',
     };
   }
+
+  /**
+   * v5 Pillar III: Proactive Loop Recovery
+   * Generates a "Steering Vector" to break agentic Reasoning Stagnation.
+   */
+  handleProactiveRecovery(traceId, entropyScore) {
+    console.log(`[TemporalHindsight] Proactive Recovery triggered for trace ${traceId} (Entropy: ${entropyScore})`);
+    
+    const steeringVectors = [
+      "CRITICAL: Stagnation detected. You have repeated similar reasoning steps 3 times. STOP your current approach and decompose the problem into smaller, independent sub-tasks.",
+      "STATIONARY LOOP: Your recent thoughts show high similarity. Change your technical layer—if you were editing code, try running a diagnostic command instead.",
+      "REASONING DEADLOCK: Entropy too low. Request human intervention or switch to the 'Architect' persona to re-evaluate the plan.",
+      "DIVERGENCE ALERT: Proactive reset. Clear your context window of the last 3 reasoning steps and start fresh from the last successful checkpoint."
+    ];
+
+    // Pick a vector based on entropy severity
+    const index = Math.min(Math.floor(entropyScore * steeringVectors.length), steeringVectors.length - 1);
+    
+    return {
+      timestamp: new Date().toISOString(),
+      trace_id: traceId,
+      event: 'STEERING_VECTOR_GENERATED',
+      entropy: entropyScore,
+      instruction: steeringVectors[index],
+      action: 'INJECT_SYSTEM_PROMPT'
+    };
+  }
 }
 
 module.exports = TemporalHindsight;

package/bin/governance/impact-analyzer.js

@@ -1,15 +1,25 @@
 /**
- * MindForge v5.3.0 — Impact Analyzer (Dynamic Blast Radius)
+ * MindForge v5.4.0 — Impact Analyzer (Hardened Edition)
  * Calculates the 'Blast Radius' score of a proposed intent.
  */
 'use strict';
 
 class ImpactAnalyzer {
+  static CRITICAL_PATHS = [
+    '.env',
+    'id_rsa',
+    '*.pem',
+    'package-lock.json',
+    'yarn.lock',
+    'AUDIT.jsonl',
+    'STATE.md'
+  ];
+
   static SENSITIVE_NAMESPACES = [
     '.mindforge',
     'bin/',
     'config/',
-    '.env',
+    '.agent/',
     'security/'
   ];
 
@@ -17,30 +27,44 @@ class ImpactAnalyzer {
     'READ': 1,
     'WRITE': 5,
     'DELETE': 10,
-    'EXECUTE': 8,
-    'GRANT': 15
+    'EXECUTE': 15, // Raised from 8
+    'GRANT': 20    // Raised from 15
   };
 
   /**
-   * Scores an intent based on action type and target path sensitivity.
+   * Scores an intent based on action type, target path sensitivity, and recursion depth.
    * Score Range: 0 - 100
    */
   static analyze(intent) {
     const { action, target, namespace } = intent;
     
+    // 1. Critical Path Protection (Score 100)
+    const isCritical = this.CRITICAL_PATHS.some(cp => 
+      (target && (target.endsWith(cp) || target.includes(`/${cp}`)))
+    );
+
+    if (isCritical && (action === 'WRITE' || action === 'DELETE')) {
+      return 100; // Automatic CRITICAL block
+    }
+
     let score = this.ACTION_SCORES[action] || 5;
     
-    // Check for sensitive namespace overlap
+    // 2. Sensitive Namespace Multiplier
     const isSensitive = this.SENSITIVE_NAMESPACES.some(ns => 
       (target && target.includes(ns)) || (namespace && namespace.includes(ns))
     );
 
     if (isSensitive) {
-      score *= 4; // Quadruple impact for sensitive areas
+      score *= 4; 
+    }
+
+    // 3. Recursive Depth Penalty (Beast Mode)
+    if (target && target.split('/').length > 5) {
+      score *= 1.5; // Deeper actions are riskier (mass-scale silent mods)
     }
 
     // Cap the score at 100
-    return Math.min(score, 100);
+    return Math.min(Math.round(score), 100);
   }
 
   /**

package/bin/memory/federated-sync.js

@@ -17,6 +17,56 @@ class FederatedSync {
     this.client = new EISClient(config);
     this.localStore = Store;
     this.syncHistoryPath = path.join(Store.getPaths().MEMORY_DIR, 'sync-history.jsonl');
+    this.circuitBreakerPath = path.join(Store.getPaths().MEMORY_DIR, 'circuit-breaker.json');
+    this.MAX_FAILURES = 3;
+    this.COOLDOWN_MS = 3600000; // 1 hour
+  }
+
+  /**
+   * [BEAST] Checks if the circuit is open.
+   */
+  isCircuitOpen() {
+    if (!fs.existsSync(this.circuitBreakerPath)) return false;
+    try {
+      const state = JSON.parse(fs.readFileSync(this.circuitBreakerPath, 'utf8'));
+      if (state.status === 'OPEN' && (Date.now() - state.trippedAt < this.COOLDOWN_MS)) {
+        return true;
+      }
+      // Reset if cooldown passed
+      if (state.status === 'OPEN') {
+        this.resetCircuit();
+      }
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  tripCircuit(reason) {
+    console.warn(`[BEAST] ⚠️ Circuit Breaker TRIPPED: ${reason}. Mesh sync disabled for 1hr.`);
+    const state = { status: 'OPEN', trippedAt: Date.now(), reason };
+    fs.writeFileSync(this.circuitBreakerPath, JSON.stringify(state, null, 2));
+  }
+
+  resetCircuit() {
+    if (fs.existsSync(this.circuitBreakerPath)) {
+      fs.unlinkSync(this.circuitBreakerPath);
+    }
+  }
+
+  handleSyncFailure(err) {
+    const statsPath = path.join(this.localStore.getPaths().MEMORY_DIR, 'sync-stats.json');
+    let stats = { failures: 0 };
+    if (fs.existsSync(statsPath)) {
+      stats = JSON.parse(fs.readFileSync(statsPath, 'utf8'));
+    }
+    stats.failures = (stats.failures || 0) + 1;
+    stats.last_error = err.message;
+    fs.writeFileSync(statsPath, JSON.stringify(stats, null, 2));
+
+    if (stats.failures >= this.MAX_FAILURES) {
+      this.tripCircuit(err.message);
+    }
   }
 
   /**
@@ -24,37 +74,58 @@ class FederatedSync {
    * This pushes local high-confidence entries and pulls new organizational knowledge.
    */
   async fullSync() {
-    console.log('🔄 Initiating Federated Intelligence Sync (Pillar 1)...');
-    
-    // 1. Get promotable entries (Tiers 1-3)
-    const localEntries = this.localStore.readAll(false).filter(e => e.confidence > 0.8 && !e.deprecated);
-    
-    // 2. Filter out already synced entries
-    const unsynced = localEntries.filter(e => !e.global && !this.isRecentlySynced(e.id));
-    
-    // 3. Push to EIS
-    if (unsynced.length > 0) {
-      const auth = await this.client.getAuthHeader('push', 'kb/global');
-      const results = await this.client.push(unsynced, { headers: auth });
-      this.logSyncEvent(results);
+    if (this.isCircuitOpen()) {
+      console.warn('🛑 Federated Intelligence Sync: Circuit is OPEN. Skipping network calls.');
+      return { status: 'CIRCUIT_OPEN' };
     }
+
+    console.log('🔄 Initiating Federated Intelligence Sync (v5.4.0 BEAST)...');
     
-    // 4. [HARDEN] Delta Pull from EIS
-    const lastSync = this.getLastSyncTimestamp();
-    const authPull = await this.client.getAuthHeader('pull', 'kb/global');
-    const remoteEntries = await this.client.pull({ 
-      orgId: this.client.orgId,
-      since: lastSync,
-      headers: authPull 
-    });
+    try {
+      // 1. Get promotable entries (Tiers 1-3)
+      const localEntries = this.localStore.readAll(false).filter(e => e.confidence > 0.8 && !e.deprecated);
+      
+      // 2. Filter out already synced entries
+      const unsynced = localEntries.filter(e => !e.global && !this.isRecentlySynced(e.id));
+      
+      // 3. Push to EIS
+      if (unsynced.length > 0) {
+        const auth = await this.client.getAuthHeader('push', 'kb/global');
+        const results = await this.client.push(unsynced, { headers: auth });
+        this.logSyncEvent(results);
+      }
+      
+      // 4. [HARDEN] Delta Pull from EIS
+      const lastSync = this.getLastSyncTimestamp();
+      const authPull = await this.client.getAuthHeader('pull', 'kb/global');
+      const remoteEntries = await this.client.pull({ 
+        orgId: this.client.orgId,
+        since: lastSync,
+        headers: authPull 
+      });
 
-    if (remoteEntries.length > 0) {
-      this.mergeRemoteKnowledge(remoteEntries);
+      if (remoteEntries.length > 0) {
+        this.mergeRemoteKnowledge(remoteEntries);
+      }
+      
+      this.updateLastSyncTimestamp();
+      this.resetFailures(); // Reset on success
+      console.log(`✅ Federated Intelligence Mesh: Sync complete. (Delta since ${lastSync})`);
+      return { pushed: unsynced.length, pulled: remoteEntries.length };
+    } catch (err) {
+      console.error('❌ Federated Intelligence Sync FAILED:', err.message);
+      this.handleSyncFailure(err);
+      throw err;
+    }
+  }
+
+  resetFailures() {
+    const statsPath = path.join(this.localStore.getPaths().MEMORY_DIR, 'sync-stats.json');
+    if (fs.existsSync(statsPath)) {
+      const stats = JSON.parse(fs.readFileSync(statsPath, 'utf8'));
+      stats.failures = 0;
+      fs.writeFileSync(statsPath, JSON.stringify(stats, null, 2));
     }
-    
-    this.updateLastSyncTimestamp();
-    console.log(`✅ Federated Intelligence Mesh: Sync complete. (Delta since ${lastSync})`);
-    return { pushed: unsynced.length, pulled: remoteEntries.length };
   }
 
   getLastSyncTimestamp() {
@@ -133,6 +204,7 @@ class FederatedSync {
     if (similarity > 0.9) {
       if (new Date(remote.timestamp) > new Date(local.timestamp)) {
         this.writeToGlobalKB(remote, globalPath);
+        this.logConflictTelemetry(local.id, 'LWW', similarity);
         console.log(`  └─ [LWW] Auto-resolved via timestamp.`);
       }
       return;
@@ -143,6 +215,7 @@ class FederatedSync {
       console.log(`  └─ [ADS] Triggering Autonomous Knowledge Synthesis...`);
       const merged = await this.triggerADSMerging(local, remote);
       this.writeToGlobalKB(merged, globalPath);
+      this.logConflictTelemetry(local.id, 'ADS_MERGE', similarity);
       return;
     }
 
@@ -150,12 +223,25 @@ class FederatedSync {
     if (similarity > 0.6) {
       console.log(`  └─ [DHH] High disagreement. Triggering Nexus Handover...`);
       this.localStore.markConflict(local.id, remote);
+      this.logConflictTelemetry(local.id, 'DHH_HANDOVER', similarity);
       return;
     }
 
     // 4. Collision Isolation (< 0.6) - Topic Mismatch
     console.log(`  └─ [ISO] Semantic collision (Topic mismatch). Isolating entries.`);
     this.writeToGlobalKB({ ...remote, id: `${remote.id}_collision_${Date.now()}` }, globalPath);
+    this.logConflictTelemetry(local.id, 'COLLISION_ISOLATION', similarity);
+  }
+
+  logConflictTelemetry(id, resolution, similarity) {
+    const telePath = path.join(this.localStore.getPaths().MEMORY_DIR, 'sync-telemetry.jsonl');
+    const entry = JSON.stringify({
+      id,
+      resolution,
+      similarity,
+      timestamp: new Date().toISOString()
+    }) + '\n';
+    fs.appendFileSync(telePath, entry);
   }
 
   async triggerADSMerging(local, remote) {

package/bin/skill-registry.js

@@ -19,7 +19,7 @@ function main() {
   }
 
   // Handle cases where the action might be missing if called incorrectly
-  const validActions = ['install', 'register', 'audit'];
+  const validActions = ['install', 'register', 'audit', 'sign'];
   if (!validActions.includes(ACTION)) {
     console.error(`❌ Invalid or missing action: ${ACTION}`);
     console.error(`   Expected one of: ${validActions.join(', ')}`);
@@ -36,12 +36,77 @@ function main() {
     case 'audit':
       handleAudit();
       break;
+    case 'sign':
+      handleSign();
+      break;
     default:
       console.error(`❌ Unknown action: ${ACTION}`);
       process.exit(1);
   }
 }
 
+async function handleSign() {
+  const skillName = ARGS[1];
+  const ztai = require('./governance/ztai-manager');
+  const crypto = require('node:crypto');
+
+  if (!skillName) {
+    console.error('❌ Missing skill name to sign');
+    process.exit(1);
+  }
+
+  // Find the skill file
+  const bases = [
+    '.mindforge/skills',
+    '.mindforge/org/skills',
+    '.mindforge/project-skills'
+  ];
+  
+  let targetPath = null;
+  for (const base of bases) {
+    const p = path.join(process.cwd(), base, skillName, 'SKILL.md');
+    if (fs.existsSync(p)) {
+      targetPath = p;
+      break;
+    }
+  }
+
+  if (!targetPath) {
+    console.error(`❌ Skill ${skillName} not found in any registry path.`);
+    process.exit(1);
+  }
+
+  console.log(`🛡️  Signing skill: ${skillName}...`);
+  const content = fs.readFileSync(targetPath, 'utf8');
+  const hash = crypto.createHash('sha256').update(content).digest('hex');
+
+  try {
+    // We use a dedicated System DID for skill signing (Tier 3)
+    const systemDid = await ztai.registerAgent('MindForge-System-Secretary', 3);
+    const signature = await ztai.signData(systemDid, hash);
+
+    const sigPath = path.join(process.cwd(), '.mindforge', 'org', 'skills', 'SIGNATURES.json');
+    let signatures = {};
+    if (fs.existsSync(sigPath)) {
+      signatures = JSON.parse(fs.readFileSync(sigPath, 'utf8'));
+    }
+
+    signatures[skillName] = {
+      hash,
+      signature,
+      did: systemDid,
+      timestamp: new Date().toISOString()
+    };
+
+    fs.writeFileSync(sigPath, JSON.stringify(signatures, null, 2));
+    console.log(`✅ Skill ${skillName} signed and registered in SIGNATURES.json`);
+    process.exit(0);
+  } catch (err) {
+    console.error(`❌ Signing failed: ${err.message}`);
+    process.exit(1);
+  }
+}
+
 function handleInstall() {
   const skillName = ARGS[1];
   const tierFlag = ARGS.indexOf('--tier');

package/bin/skill-validator.js

@@ -38,7 +38,33 @@ function main() {
   console.log('─'.repeat(60));
 
   const content = fs.readFileSync(filePath, 'utf8');
-  const results = { schema: [], content: [], quality: [], valid: true };
+  const results = { schema: [], content: [], quality: [], valid: true, attestation: { ok: true, msg: 'No signature found (optional)' } };
+
+  // ── Level 0: Binary Runtime Attestation (v5 Pillar IV) ──────────────────────
+  const sigPath = path.join(process.cwd(), '.mindforge', 'org', 'skills', 'SIGNATURES.json');
+  if (fs.existsSync(sigPath)) {
+    const crypto = require('node:crypto');
+    const ztai = require('./governance/ztai-manager');
+    const signatures = JSON.parse(fs.readFileSync(sigPath, 'utf8'));
+    const skillNameCandidate = path.basename(path.dirname(filePath));
+    const sigRecord = signatures[skillNameCandidate];
+
+    if (sigRecord) {
+      const currentHash = crypto.createHash('sha256').update(content).digest('hex');
+      const isHashValid = currentHash === sigRecord.hash;
+      const isSigValid = ztai.verifySignature(sigRecord.did, currentHash, sigRecord.signature);
+
+      if (!isHashValid || !isSigValid) {
+        results.attestation = { ok: false, msg: `INTEGRITY FAILURE: Signature mismatch [Hash: ${isHashValid}, Sig: ${isSigValid}]` };
+        results.valid = false;
+      } else {
+        results.attestation = { ok: true, msg: `VERIFIED: Signed by ${sigRecord.did}` };
+      }
+    } else if (ARGS.includes('--enterprise')) {
+      results.attestation = { ok: false, msg: 'REQUIRED: No signature found for this skill in Enterprise Mode' };
+      results.valid = false;
+    }
+  }
 
   // ── Level 1: Schema ─────────────────────────────────────────────────────────
   const fmMatch = content.match(/^---\n([\s\S]*?)\n---/);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mindforge-cc",
-  "version": "5.3.0",
+  "version": "5.6.0",
   "description": "MindForge - Enterprise Agentic Framework for Claude Code and Antigravity",
   "bin": {
     "mindforge-cc": "bin/install.js"