prism-mcp-server 8.0.3 → 9.0.5

package/README.md

@@ -12,7 +12,7 @@
 
 **Your AI agent forgets everything between sessions. Prism fixes that — then teaches it to think.**
 
-Prism v8.0 is a true **Cognitive Architecture** inspired by human brain mechanics. The new **Synapse Engine** replaces flat vector search with pure multi-hop graph propagation — your agent now follows causal trains of thought across memory, forms principles from experience, and knows when it lacks information. **Your agents don't just remember; they think.**
+Prism v7.8 is a true **Cognitive Architecture** inspired by human brain mechanics. Beyond flat vector search, your agent now forms principles from experience, follows causal trains of thought, and possesses the self-awareness to know when it lacks information. **Your agents don't just remember; they learn.**
 
 ```bash
 npx -y prism-mcp-server
@@ -20,7 +20,7 @@ npx -y prism-mcp-server
 
 Works with **Claude Desktop · Claude Code · Cursor · Windsurf · Cline · Gemini · Antigravity** — **any MCP client.**
 
-## Table of Contents
+## 📖 Table of Contents
 
 - [Why Prism?](#why-prism)
 - [Quick Start](#quick-start)
@@ -28,8 +28,7 @@ Works with **Claude Desktop · Claude Code · Cursor · Windsurf · Cline · Gem
 - [Setup Guides](#setup-guides)
 - [Universal Import: Bring Your History](#universal-import-bring-your-history)
 - [What Makes Prism Different](#what-makes-prism-different)
-- [Synapse Engine (v8.0)](#synapse-engine-v80)
-- [Cognitive Architecture (v7.8)](#cognitive-architecture-v78)
+- [Cognitive Architecture (v7.8)](#-cognitive-architecture-v78)
 - [Data Privacy & Egress](#data-privacy--egress)
 - [Use Cases](#use-cases)
 - [What's New](#whats-new)
@@ -53,15 +52,15 @@ Every time you start a new conversation with an AI coding assistant, it starts f
 
 Prism has three pillars:
 
-1. **🧠 Cognitive Memory** — Memories are ranked like a human brain: recently and frequently accessed context surfaces first, while stale context fades naturally via ACT-R activation decay. Raw experience consolidates into semantic principles through Hebbian learning. The result is retrieval quality that no flat vector search can match. *(See [Cognitive Architecture](#cognitive-architecture-v78) and [Scientific Foundation](#scientific-foundation).)*
+1. **🧠 Cognitive Memory** — Memories are ranked like a human brain: recently and frequently accessed context surfaces first, while stale context fades naturally via ACT-R activation decay. Raw experience consolidates into semantic principles through Hebbian learning. The result is retrieval quality that no flat vector search can match. *(See [Cognitive Architecture](#-cognitive-architecture-v78) and [Scientific Foundation](#-scientific-foundation).)*
 
-2. **⚡ Synapse Engine (GraphRAG)** — When your agent searches for "Error X", the Synapse Engine doesn't just find logs mentioning "Error X". Multi-hop energy propagation traverses the causal graph — dampened by fan effect, bounded by lateral inhibition — and surfaces "Workaround Y" connected to "Architecture Decision Z". Nodes discovered exclusively via graph traversal are tagged `[🌐 Synapse]` so you can *see* the engine working. *(See [Synapse Engine](#synapse-engine-v80).)*
+2. **🔗 Multi-Hop Reasoning** — When your agent searches for "Error X", Prism doesn't just find logs mentioning "Error X". Spreading activation traverses the causal graph and brings back "Workaround Y", which is connected to "Architecture Decision Z" — a literal train of thought. *(See [Cognitive Architecture](#-cognitive-architecture-v78).)*
 
-3. **🏭 Autonomous Execution (Dark Factory)** — When you're ready, Prism can run coding tasks end-to-end with a fail-closed pipeline where an adversarial evaluator catches bugs the generator missed — before you ever see the PR. *(See [Dark Factory](#dark-factory--adversarial-autonomous-pipelines).)*
+3. **🏭 Autonomous Execution (Dark Factory)** — When you're ready, Prism can run coding tasks end-to-end with a fail-closed pipeline where an adversarial evaluator catches bugs the generator missed — before you ever see the PR. *(See [Dark Factory](#-dark-factory--adversarial-autonomous-pipelines).)*
 
 ---
 
-## Quick Start
+## 🚀 Quick Start
 
 ### Prerequisites
 
@@ -135,7 +134,7 @@ Then open `http://localhost:3001` instead.
 
 ---
 
-## The Magic Moment
+## ✨ The Magic Moment
 
 > **Session 1** (Monday evening):
 > ```
@@ -156,7 +155,7 @@ Then open `http://localhost:3001` instead.
 
 ---
 
-## Setup Guides
+## 📖 Setup Guides
 
 <details>
 <summary><strong>Claude Desktop</strong></summary>
@@ -379,7 +378,7 @@ Prism can be deployed natively to cloud platforms like [Render](https://render.c
 
 ---
 
-## Universal Import: Bring Your History
+## 📥 Universal Import: Bring Your History
 
 Switching to Prism? Don't leave months of AI session history behind. Prism can **ingest historical sessions from Claude Code, Gemini, and OpenAI** and give your Mind Palace an instant head start — no manual re-entry required.
 
@@ -412,7 +411,7 @@ npx -y prism-mcp-server universal-import --format gemini --path ./gemini_history
 
 ---
 
-## What Makes Prism Different
+## ✨ What Makes Prism Different
 
 
 ### 🧠 Your Agent Learns From Mistakes
@@ -455,59 +454,46 @@ OpenTelemetry spans for every MCP tool call, LLM hop, and background worker. Rou
 ### 🌐 Autonomous Web Scholar
 Prism researches while you sleep. A background pipeline searches the web, scrapes articles, synthesizes findings via LLM, and injects results directly into your semantic memory — fully searchable on your next session. Brave Search → Firecrawl scrape → LLM synthesis → Prism ledger. Task-aware, Hivemind-integrated, and zero-config when API keys are missing (falls back to Yahoo + Readability).
 
-### Dark Factory — Adversarial Autonomous Pipelines
+### 🏭 Dark Factory — Adversarial Autonomous Pipelines
 When you trigger a Dark Factory pipeline, Prism doesn't just run your task — it fights itself to produce high-quality output. A `PLAN_CONTRACT` step locks a machine-parseable rubric before any code is written. After execution, an **Adversarial Evaluator** (in a fully isolated context) scores the output against the rubric. It cannot pass the Generator without providing exact file and line evidence for every failing criterion. Failed evaluations inject the critique directly into the Generator's retry prompt so it's never flying blind. The result: security issues, regressions, and lazy debug logs caught autonomously — before you ever see the PR. → [See it in action](examples/adversarial-eval-demo/README.md)
 
 ---
 
-## Synapse Engine (v8.0)
+## 🤖 Autonomous Cognitive OS (v9.0)
 
-> *Standard RAG retrieves documents. GraphRAG traverses relationships. The Synapse Engine does both — a pure, storage-agnostic multi-hop propagation engine that turns your agent's memory into an associative reasoning network.*
+> *Memory isn't just about storing data; it's about economics and emotion. Prism v9.0 transforms passive memory into a living Cognitive Operating System that forces agents to learn compression and develop intuition.*
 
-The Synapse Engine (v8.0) replaces the legacy SQL-coupled spreading activation with a **pure functional graph propagation core** inspired by ACT-R cognitive architecture. It is Prism's native, low-latency GraphRAG solution — no external graph database required.
+Most AI agents have an infinite memory budget. They dump massive, repetitive logs into vector databases until they bankrupt your API budget and choke their own context windows. Prism v9.0 fixes this by introducing **Token-Economic Reinforcement Learning** and **Affect-Tagged Memory**.
 
-### Before vs After
+### 💰 Memory-as-an-Economy (The Surprisal Gate)
+Prism assigns every project a strict **Cognitive Budget** (e.g., 2,000 tokens) that persists across sessions. Every time the agent saves a memory, it costs tokens. 
 
-| | **v7.x (Standard RAG)** | **v8.0 (Synapse Engine)** |
-|---|---|---|
-| **Query** | "Tell me about Project Apollo" | "Tell me about Project Apollo" |
-| **Retrieval** | Returns the design doc (1 hop, cosine match) | Returns the design doc → follows `caused_by` edge to a developer's debugging session → discovers an old Slack thread about a critical auth bug |
-| **Agent output** | Summarizes the design doc | Summarizes the design doc **and warns about the unresolved auth issue** |
-| **Discovery tag** | — | `[🌐 Synapse]` marks the auth bug node, proving the engine found context the user didn't ask for |
+But not all memories are priced equally. Prism intercepts the save and runs a **Vector-Based Surprisal** calculation against recent memories:
+*   **High Surprisal (Novel thought):** Costs 0.5× tokens. The agent is rewarded for new insights.
+*   **Low Surprisal (Boilerplate):** Costs 2.0× tokens. The agent is penalized for repeating itself.
+*   **Universal Basic Income (UBI):** The budget recovers passively over time (+100 tokens/hour). 
 
-### How It Works
+If an agent is too verbose, it goes into **Cognitive Debt**. You don't need to prompt the agent to "be concise." The physics of the system force the LLM to learn data compression to avoid bankruptcy.
 
-```
-  Query: "Project Apollo status"
-              │
-  ┌───────────┼───────────────┐
-  ▼           ▼               ▼
-[Design    [Sprint          [Deployment
-  Doc]      Retro]            Log]
-  │ 1.0       │ 0.8            │ 0.6    ← semantic anchors
-  │           │                │
-  ▼           ▼                ▼
-[Dev       [Auth Bug      [Perf         ← Synapse discovered
-  Profile    Thread  🌐]    Regression 🌐]   (multi-hop)
-  0.42]      0.38]          0.31]
-```
+### 🎭 Affect-Tagged Memory (Giving AI a "Gut Feeling")
+Vector math measures *semantic similarity*, not *sentiment*. If an agent searches for "Authentication Architecture," standard RAG will return two past approaches—it doesn't know that Approach A caused a 3-day production outage, while Approach B worked perfectly.
 
-**Key design decisions:**
+*   **Affective Salience:** Prism automatically tags experience events with a `valence` score (-1.0 for failure, +1.0 for success).
+*   **Emotional Retrieval:** At retrieval time, the absolute magnitude (`|valence|`) significantly boosts the memory's ranking score. Extreme failures and extreme successes surface to the top.
+*   **UX Warnings:** If an agent retrieves memories that are historically negative, Prism intercepts the prompt injection: `⚠️ Caution: This topic is strongly correlated with historical failures. Review past decisions before proceeding.` Your AI now has a "gut feeling" about bad code.
 
-| Mechanism | Purpose |
-|---|---|
-| **Dampened Fan Effect** (`1/ln(degree+e)`) | Prevents hub nodes from flooding results |
-| **Asymmetric Propagation** (fwd 100%, back 50%) | Preserves causal directionality |
-| **Cyclic Loop Prevention** (`visitedEdges` set) | Prevents infinite energy amplification |
-| **Sigmoid Normalization** | Structural scores can't overwhelm semantic base |
-| **Lateral Inhibition** | Caps output to top-K most energized nodes |
-| **Hybrid Scoring** (70% semantic / 30% structural) | Base relevance always matters |
+### The Paradigm Shift
 
-> 💡 Synapse is **non-fatal** — if the graph traversal fails for any reason, search gracefully returns the original semantic matches. Zero risk of degraded search.
+| Feature | Standard RAG / Agents | Prism v9.0 |
+| :--- | :--- | :--- |
+| **Storage Limit** | Infinite (bloats context) | Bounded Token Economy |
+| **Data Quality** | Saves repetitive boilerplate | Surprisal Gate penalizes redundancy |
+| **Sentiment** | Treats all data as neutral facts | Affect-Tagged (Warns agent of past trauma) |
+| **Recovery** | Manual deletion | Universal Basic Income (UBI) over time |
 
 ---
 
-## Cognitive Architecture (v7.8)
+## 🧠 Cognitive Architecture (v7.8)
 
 > *Prism v7.8 is our biggest leap forward yet. We have moved beyond flat vector search and implemented a true Cognitive Architecture inspired by human brain mechanics. With the new ACT-R Spreading Activation Engine, Episodic-to-Semantic memory consolidation, and Uncertainty-Aware Rejection Gates, Prism doesn't just store logs anymore — it forms principles, follows causal trains of thought, and possesses the self-awareness to know when it lacks information.*
 
@@ -572,7 +558,7 @@ Standard RAG (Retrieval-Augmented Generation) is now a commodity. Everyone has v
 
 ---
 
-## Data Privacy & Egress
+## 🔒 Data Privacy & Egress
 
 **Where is my data stored?**
 
@@ -603,7 +589,7 @@ Prism will recreate the directory with empty databases on next startup.
 
 ---
 
-## Use Cases
+## 🎯 Use Cases
 
 - **Long-running feature work** — Save state at end of day, restore full context next morning. No re-explaining.
 - **Multi-agent collaboration** — Dev, QA, and PM agents share real-time context without stepping on each other's memory.
@@ -632,7 +618,7 @@ Then continue a specific thread with a follow-up message to the selected agent,
 
 ---
 
-## Adversarial Evaluation in Action
+## ⚔️ Adversarial Evaluation in Action
 
 > **Split-Brain Anti-Sycophancy** — the signature feature of v7.4.0.
 
@@ -737,12 +723,11 @@ The Generator strips the `console.log`, resubmits, and the next `EVALUATE` retur
 
 ---
 
-## What's New
+## 🆕 What's New
 
-> **Current release: v8.0.0 — Synapse Engine**
+> **Current release: v7.8.2 — Cognitive Architecture**
 
-- ⚡ **v8.0.0 — Synapse Engine:** Pure, storage-agnostic multi-hop graph propagation engine replaces the legacy SQL-coupled spreading activation. O(T × M) bounded ACT-R energy propagation with dampened fan effect, asymmetric bidirectional flow, cyclic loop prevention, and sigmoid normalization. Full integration into both SQLite and Supabase backends. 5 new config knobs. Battle-hardened with NaN guards, config clamping, non-fatal enrichment, and 16 passing tests. **Memory search now follows the causal graph, not just keywords.** → [Synapse Engine](#synapse-engine-v80)
-- 🧠 **v7.8.x — Cognitive Architecture:** Episodic-to-Semantic consolidation (Hebbian learning), ACT-R Spreading Activation with multi-hop causal reasoning, Uncertainty-Aware Rejection Gate, and Dynamic Fast Weight Decay. Validated by **LoCoMo-Plus benchmark**. → [Cognitive Architecture](#cognitive-architecture-v78)
+- 🧠 **v7.8.0 — Cognitive Architecture:** The biggest leap forward yet. Moved beyond flat vector search into a true cognitive architecture inspired by human brain mechanics. Episodic-to-Semantic memory consolidation (Hebbian learning), ACT-R Spreading Activation with multi-hop causal reasoning, Uncertainty-Aware Rejection Gate (your agent can say "I don't know"), and Dynamic Fast Weight Decay (semantic memories outlive episodic chatter by 2×). **Your agents don't just remember; they learn.** → [Cognitive Architecture](#-cognitive-architecture-v78)
 - 🌐 **v7.7.0 — Cloud-Native SSE Transport:** Full unauthenticated and authenticated Server-Sent Events MCP support for seamless network deployments.
 - 🩺 **v7.5.0 — Intent Health Dashboard + Security Hardening:** Real-time 0–100 project health scoring (staleness × TODO load × decisions). 10 XSS injection vectors patched. Algorithm hardened with NaN guards and score ceiling.
 - ⚔️ **v7.4.0 — Adversarial Evaluation:** Split-brain anti-sycophancy pipeline. Generator and evaluator in isolated roles with evidence-bound findings.
@@ -752,7 +737,7 @@ The Generator strips the `console.log`, resubmits, and the next `EVALUATE` retur
 
 ---
 
-## How Prism Compares
+## ⚔️ How Prism Compares
 
 Standard memory servers (like Mem0, Zep, or the baseline Anthropic MCP) act as passive filing cabinets — they wait for the LLM to search them. **Prism is an active cognitive architecture.** Designed specifically for the **Model Context Protocol (MCP)**, Prism doesn't just store vectors — it consolidates experience into principles, traverses causal graphs for multi-hop reasoning, and rejects queries it can't confidently answer.
 
@@ -804,7 +789,7 @@ Every other AI coding pipeline has a fatal flaw: it asks the same model that wro
 
 ---
 
-## Tool Reference
+## 🔧 Tool Reference
 
 Prism ships 30+ tools, but **90% of your workflow uses just three:**
 
@@ -986,11 +971,6 @@ Requires `PRISM_DARK_FACTORY_ENABLED=true`.
 | `PRISM_ACTR_WEIGHT_ACTIVATION` | No | Composite score ACT-R activation weight (default: `0.3`) |
 | `PRISM_ACTR_ACCESS_LOG_RETENTION_DAYS` | No | Days before access logs are pruned by background scheduler (default: `90`) |
 | `PRISM_DARK_FACTORY_ENABLED` | No | `"true"` to enable Dark Factory autonomous pipeline tools (`session_start_pipeline`, `session_check_pipeline_status`, `session_abort_pipeline`) |
-| `PRISM_SYNAPSE_ENABLED` | No | `"true"` (default) to enable Synapse Engine graph propagation in search results |
-| `PRISM_SYNAPSE_ITERATIONS` | No | Propagation iterations (default: `3`). Higher = deeper graph traversal |
-| `PRISM_SYNAPSE_SPREAD_FACTOR` | No | Energy decay multiplier per hop (default: `0.8`). Range: 0.0–1.0 |
-| `PRISM_SYNAPSE_LATERAL_INHIBITION` | No | Max nodes returned by Synapse (default: `7`, min: `1`) |
-| `PRISM_SYNAPSE_SOFT_CAP` | No | Max candidate pool size during propagation (default: `20`, min: `1`) |
 
 </details>
 
@@ -1018,11 +998,10 @@ Prism is a **stdio-based MCP server** that manages persistent agent memory. Here
 │  └──────┬───────┘  └──────────────┘  └────────────────┘  │
 │         ↕                                                │
 │  ┌────────────────────────────────────────────────────┐  │
-│  │  Cognitive Engine (v8.0)                           │  │
-│  │  • Synapse Engine (pure multi-hop propagation)    │  │
+│  │  Cognitive Engine (v7.8)                           │  │
+│  │  • ACT-R Spreading Activation (multi-hop)         │  │
 │  │  • Episodic → Semantic Consolidation (Hebbian)    │  │
 │  │  • Uncertainty-Aware Rejection Gate               │  │
-│  │  • LoCoMo-Plus Benchmark Validation               │  │
 │  │  • Dynamic Fast Weight Decay (dual-rate)          │  │
 │  │  • HDC Cognitive Routing (XOR binding)            │  │
 │  └──────┬─────────────────────────────────────────────┘  │
@@ -1066,7 +1045,7 @@ Prism is a **stdio-based MCP server** that manages persistent agent memory. Here
 
 ### Auto-Load Architecture
 
-Each MCP client has its own mechanism for ensuring Prism context loads on session start. See the platform-specific [Setup Guides](#setup-guides) above for detailed instructions:
+Each MCP client has its own mechanism for ensuring Prism context loads on session start. See the platform-specific [Setup Guides](#-setup-guides) above for detailed instructions:
 
 - **Claude Code** — Lifecycle hooks (`SessionStart` / `Stop`)
 - **Gemini / Antigravity** — Three-layer architecture (User Rules + AGENTS.md + Startup Skill)
@@ -1077,7 +1056,7 @@ All platforms benefit from the **server-side fallback** (v5.2.1): if `session_lo
 
 ---
 
-## Scientific Foundation
+## 🧬 Scientific Foundation
 
 Prism has evolved from smart session logging into a **cognitive memory architecture** — grounded in real research, not marketing. Every retrieval decision is backed by peer-reviewed models from cognitive psychology, neuroscience, and distributed computing.
 
@@ -1111,22 +1090,19 @@ Prism has evolved from smart session logging into a **cognitive memory architect
 | **v7.8** | Multi-Hop Causal Reasoning — spreading activation traverses `caused_by`/`led_to` edges with damped fan effect (`1/ln(fan+e)`) and lateral inhibition | ACT-R spreading activation (Anderson), Collins & Loftus (1975) | ✅ Shipped |
 | **v7.8** | Uncertainty-Aware Rejection Gate — dual-signal (similarity floor + gap distance) safety layer prevents hallucination from low-confidence retrievals | Metacognition research, uncertainty quantification | ✅ Shipped |
 | **v7.8** | Dynamic Fast Weight Decay — `is_rollup` semantic nodes decay 50% slower (`ageModifier = 0.5`) than episodic entries, creating Long-Term Context anchors | ACT-R base-level activation with differential decay rates | ✅ Shipped |
-| **v7.8** | LoCoMo Benchmark Harness — deterministic integration suite (`tests/benchmarks/locomo.ts`, 20 assertions) benchmarking multi-hop compaction structures via `MockLLM` | Long-Context Memory evaluation (cognitive benchmarking) | ✅ Shipped |
-| **v7.8** | LoCoMo-Plus Benchmark — 16-assertion suite (`tests/benchmarks/locomo-plus.ts`) adapted from arXiv 2602.10715 validating cue–trigger semantic disconnect bridging via graph traversal and Hebbian consolidation; reports Precision@1/3/5/10 and MRR | LoCoMo-Plus (Li et al., ARR 2026), cue–trigger disconnect research | ✅ Shipped |
 | **v7.x** | Affect-Tagged Memory — sentiment shapes what gets recalled | Affect-modulated retrieval (neuroscience) | 🔭 Horizon |
 | **v8+** | Zero-Search Retrieval — no index, no ANN, just ask the vector | Holographic Reduced Representations | 🔭 Horizon |
 
-> Informed by Anderson's ACT-R (Adaptive Control of Thought—Rational), Collins & Loftus spreading activation networks (1975), Kanerva's SDM (1988), Hebb's learning rule, Li et al. LoCoMo-Plus (ARR 2026), and LeCun's "Why AI Systems Don't Learn" (Dupoux, LeCun, Malik).
+> Informed by Anderson's ACT-R (Adaptive Control of Thought—Rational), Collins & Loftus spreading activation networks (1975), Kanerva's SDM (1988), Hebb's learning rule, and LeCun's "Why AI Systems Don't Learn" (Dupoux, LeCun, Malik).
 
 ---
 
-## Milestones & Roadmap
+## 📦 Milestones & Roadmap
 
-> **Current: v8.0.0** — Synapse Engine ([CHANGELOG](CHANGELOG.md))
+> **Current: v7.8.2** — Cognitive Architecture ([CHANGELOG](CHANGELOG.md))
 
 | Release | Headline |
 |---------|----------|
-| **v8.0** | ⚡ Synapse Engine — Pure multi-hop GraphRAG propagation, storage-agnostic, NaN-hardened, `[🌐 Synapse]` discovery tags |
 | **v7.8** | 🧠 Cognitive Architecture — Hebbian consolidation, multi-hop reasoning, rejection gate, dynamic decay |
 | **v7.7** | 🌐 Cloud-Native SSE Transport |
 | **v7.5** | 🩺 Intent Health Dashboard + Security Hardening |
@@ -1145,7 +1121,7 @@ Prism has evolved from smart session logging into a **cognitive memory architect
 👉 **[Full ROADMAP.md →](ROADMAP.md)**
 
 
-## Troubleshooting FAQ
+## ❓ Troubleshooting FAQ
 
 **Q: Why is the dashboard project selector stuck on "Loading projects..."?**
 A: Fixed in v7.3.3. The root cause was a multi-layer quote-escaping trap in the `abortPipeline` onclick handler that generated a `SyntaxError` in the browser, silently killing the entire dashboard IIFE. Update to v7.3.3+ (`npx -y prism-mcp-server`). If still stuck, check that Supabase env values are properly set (unresolved placeholders like `${SUPABASE_URL}` cause `/api/projects` to return empty). Prism auto-falls back to local SQLite when Supabase is misconfigured.

package/dist/config.js

@@ -268,17 +268,3 @@ export const PRISM_DARK_FACTORY_ENABLED = process.env.PRISM_DARK_FACTORY_ENABLED
 export const PRISM_DARK_FACTORY_POLL_MS = parseInt(process.env.PRISM_DARK_FACTORY_POLL_MS || "30000", 10);
 /** Default max wall-clock time per pipeline (ms). Default: 15 minutes. */
 export const PRISM_DARK_FACTORY_MAX_RUNTIME_MS = parseInt(process.env.PRISM_DARK_FACTORY_MAX_RUNTIME_MS || "900000", 10);
-// ─── v8.0: Synapse — Spreading Activation Engine ──────────────
-// Multi-hop energy propagation through memory_links graph.
-// Enabled by default. Set PRISM_SYNAPSE_ENABLED=false to fall back
-// to 1-hop candidateScopedSpreadingActivation (v7.0 behavior).
-/** Master switch for the Synapse engine. Enabled by default (opt-out). */
-export const PRISM_SYNAPSE_ENABLED = (process.env.PRISM_SYNAPSE_ENABLED ?? "true") !== "false";
-/** Number of propagation iterations (depth). Higher = deeper traversal, more latency. (Default: 3) */
-export const PRISM_SYNAPSE_ITERATIONS = parseInt(process.env.PRISM_SYNAPSE_ITERATIONS || "3", 10);
-/** Energy attenuation per hop. Must be < 1.0 for convergence. (Default: 0.8) */
-export const PRISM_SYNAPSE_SPREAD_FACTOR = parseFloat(process.env.PRISM_SYNAPSE_SPREAD_FACTOR || "0.8");
-/** Hard cap on final output nodes (lateral inhibition). (Default: 7) */
-export const PRISM_SYNAPSE_LATERAL_INHIBITION = parseInt(process.env.PRISM_SYNAPSE_LATERAL_INHIBITION || "7", 10);
-/** Soft cap on active nodes per iteration (prevents explosion). (Default: 20) */
-export const PRISM_SYNAPSE_SOFT_CAP = parseInt(process.env.PRISM_SYNAPSE_SOFT_CAP || "20", 10);

package/dist/darkfactory/runner.js

@@ -599,13 +599,6 @@ async function runnerTick() {
             const harnessPath = path.join(path.resolve(spec.workingDirectory), 'verification_harness.json');
             if (fs.existsSync(harnessPath)) {
                 try {
-                    // MED-5 FIX: Guard against LLM-generated files that are malformed or
-                    // excessively large. Cap at 1MB to prevent heap exhaustion.
-                    const MAX_HARNESS_SIZE = 1_000_000;
-                    const stat = fs.statSync(harnessPath);
-                    if (stat.size > MAX_HARNESS_SIZE) {
-                        throw new Error(`Verification harness too large (${stat.size} bytes, max ${MAX_HARNESS_SIZE}). Possible corrupt LLM output.`);
-                    }
                     const rawHarness = fs.readFileSync(harnessPath, 'utf8');
                     const harnessData = JSON.parse(rawHarness);
                     // GAP-5 fix: Persist the harness so CLI drift detection works for DarkFactory runs

package/dist/darkfactory/safetyController.js

@@ -45,16 +45,8 @@ export class SafetyController {
         if (!spec.workingDirectory)
             return true;
         // Resolve symlinks and protect against ../ escapes.
-        let resolvedTarget = path.resolve(targetPath);
-        let resolvedWorkspace = path.resolve(spec.workingDirectory);
-        // EDGE-2 FIX: macOS (HFS+/APFS) and Windows (NTFS) use case-insensitive
-        // filesystems by default. Without case normalization, "/App/Workspace"
-        // and "/app/workspace" are treated as different paths — allowing a scope
-        // escape via case mismatch.
-        if (process.platform === 'darwin' || process.platform === 'win32') {
-            resolvedTarget = resolvedTarget.toLowerCase();
-            resolvedWorkspace = resolvedWorkspace.toLowerCase();
-        }
+        const resolvedTarget = path.resolve(targetPath);
+        const resolvedWorkspace = path.resolve(spec.workingDirectory);
         // Path Traversal Guard: A naive startsWith() check is vulnerable to
         // prefix collisions — e.g. /app/workspace-hacked passes startsWith('/app/workspace').
         // We require EITHER exact match OR the target starts with workspace + path separator.

package/dist/dashboard/authUtils.js

@@ -2,6 +2,7 @@
  * Dashboard authentication helpers extracted from server.ts for direct unit testing.
  */
 import { randomBytes } from "crypto";
+import { createRemoteJWKSet, jwtVerify } from "jose";
 // ─────────────────────────────────────────────────────────────────
 // TIMING-SAFE COMPARISON
 // ─────────────────────────────────────────────────────────────────
@@ -34,6 +35,18 @@ export function generateToken() {
     return randomBytes(32).toString("hex");
 }
 // ─────────────────────────────────────────────────────────────────
+// JWKS SETUP
+// ─────────────────────────────────────────────────────────────────
+let jwksCache = null;
+export function initJWKS(uri) {
+    try {
+        jwksCache = createRemoteJWKSet(new URL(uri));
+    }
+    catch (err) {
+        console.error(`Failed to initialize JWKS from ${uri}:`, err);
+    }
+}
+// ─────────────────────────────────────────────────────────────────
 // AUTHENTICATION CHECK
 // ─────────────────────────────────────────────────────────────────
 /**
@@ -47,9 +60,25 @@ export function generateToken() {
  * Side effect: expired session tokens are lazily cleaned up when
  * encountered, preventing unbounded memory growth.
  */
-export function isAuthenticated(req, config) {
+export async function isAuthenticated(req, config) {
     if (!config.authEnabled)
         return true;
+    // Check Bearer Token (JWKS)
+    const authHeader = req.headers.authorization || "";
+    if (authHeader.startsWith("Bearer ") && jwksCache) {
+        try {
+            const token = authHeader.slice(7);
+            const { payload } = await jwtVerify(token, jwksCache);
+            // Attach agent_id to the request for traceability if needed downstream
+            req.agent_id = payload.agent_id || payload.sub;
+            return true;
+        }
+        catch (err) {
+            // Verification failed — let it fall through or return false
+            // console.error("JWT verification failed:", err);
+            return false;
+        }
+    }
     // Check session cookie first
     const cookies = req.headers.cookie || "";
     const match = cookies.match(/prism_session=([a-f0-9]{64})/);
@@ -63,7 +92,6 @@ export function isAuthenticated(req, config) {
             config.activeSessions.delete(token);
     }
     // Check Basic Auth header
-    const authHeader = req.headers.authorization || "";
     if (authHeader.startsWith("Basic ")) {
         try {
             const decoded = Buffer.from(authHeader.slice(6), "base64").toString("utf-8");

package/dist/dashboard/server.js

@@ -32,7 +32,7 @@ import { getLLMProvider } from "../utils/llm/factory.js";
 import { buildVaultDirectory } from "../utils/vaultExporter.js";
 import { redactSettings } from "../tools/commonHelpers.js";
 import { handleGraphRoutes } from "./graphRouter.js";
-import { safeCompare, generateToken, isAuthenticated, createRateLimiter, } from "./authUtils.js";
+import { safeCompare, generateToken, isAuthenticated, createRateLimiter, initJWKS, } from "./authUtils.js";
 const PORT = parseInt(process.env.PRISM_DASHBOARD_PORT || "3000", 10);
 /** Read HTTP request body as string (Buffer-based to avoid GC thrash on large imports) */
 function readBody(req) {
@@ -76,7 +76,12 @@ export async function startDashboardServer() {
      */
     const AUTH_USER = process.env.PRISM_DASHBOARD_USER || "";
     const AUTH_PASS = process.env.PRISM_DASHBOARD_PASS || "";
-    const AUTH_ENABLED = AUTH_USER.length > 0 && AUTH_PASS.length > 0;
+    const AUTH_JWKS_URI = process.env.PRISM_JWKS_URI || process.env.AUTH_JWKS_URI || "";
+    // Auth is enabled if basic auth is configured OR if JWKS is configured
+    const AUTH_ENABLED = (AUTH_USER.length > 0 && AUTH_PASS.length > 0) || AUTH_JWKS_URI.length > 0;
+    if (AUTH_JWKS_URI) {
+        initJWKS(AUTH_JWKS_URI);
+    }
     const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
     const activeSessions = new Map(); // token → expiry timestamp
     // Auth config object — injectable for testing via authUtils.ts
@@ -301,10 +306,11 @@ return false;}
                 return res.end(JSON.stringify({ error: err.message || "Failed to generate server card" }));
             }
         }
-        // ─── v5.1: Auth gate — block unauthenticated requests ───
-        if (AUTH_ENABLED && !isAuthenticated(req, authConfig)) {
-            // For API calls, return 401 JSON
-            if (reqUrl.pathname.startsWith("/api/") || reqUrl.pathname === "/sse" || reqUrl.pathname === "/messages") {
+        // ─── AUTHENTICATION GATE ───
+        // Basic Auth & Session & JWKS
+        if (AUTH_ENABLED && !(await isAuthenticated(req, authConfig))) {
+            // If it's an API request, return 401 JSON
+            if (reqUrl.pathname.startsWith('/api/') || reqUrl.pathname === "/sse" || reqUrl.pathname === "/messages") {
                 res.writeHead(401, { "Content-Type": "application/json" });
                 return res.end(JSON.stringify({ error: "Authentication required" }));
             }
@@ -445,7 +451,6 @@ return false;}
                             let cursorId = undefined;
                             let iterations = 0;
                             const MAX_ITERATIONS = 100; // safety cap: 100 × 50 = 5000 entries max
-                            let lastBackfillError = undefined;
                             while (hasMore && iterations < MAX_ITERATIONS) {
                                 iterations++;
                                 const result = await backfillEmbeddingsHandler({ dry_run: false, limit: 50, _cursor_id: cursorId });
@@ -453,8 +458,6 @@ return false;}
                                 if (bStats) {
                                     repairedCount += bStats.repaired;
                                     failedCount += bStats.failed;
-                                    if (bStats.error)
-                                        lastBackfillError = bStats.error;
                                     if (bStats.last_id)
                                         cursorId = bStats.last_id;
                                     else
@@ -467,10 +470,8 @@ return false;}
                                 }
                             }
                             cleanupMessages.push(`Repaired ${repairedCount} embeddings`);
-                            if (failedCount > 0) {
-                                const errMsg = lastBackfillError ? ` (${lastBackfillError})` : '';
-                                cleanupMessages.push(`Failed to repair ${failedCount} embeddings${errMsg}`);
-                            }
+                            if (failedCount > 0)
+                                cleanupMessages.push(`Failed to repair ${failedCount} embeddings`);
                         }
                         catch (err) {
                             console.error("[Dashboard] Failed to backfill embeddings:", err);

package/dist/dashboard/ui.js

@@ -1253,9 +1253,7 @@ Example:\n## Dev Rules\n- Always write tests first\n- Use TypeScript strict mode
               onchange="onEmbeddingProviderChange(this.value)">
               <option value="auto">🔄 Auto (same as Text Provider)</option>
               <option value="gemini">🔵 Gemini</option>
-              <option value="openai">🟢 OpenAI</option>
-              <option value="voyage">🔮 Voyage AI</option>
-              <option value="ollama">🟠 Ollama (Local)</option>
+              <option value="openai">🟢 OpenAI / Ollama</option>
             </select>
           </div>
 
@@ -1263,7 +1261,7 @@ Example:\n## Dev Rules\n- Always write tests first\n- Use TypeScript strict mode
           <div id="anthropic-embed-warning" style="display:none;margin-top:0.5rem;padding:0.5rem 0.75rem;background:rgba(251,146,60,0.1);border:1px solid rgba(251,146,60,0.3);border-radius:6px;font-size:0.78rem;color:#fb923c;line-height:1.5">
             ⚠️ <strong>Anthropic has no native embedding API.</strong>
             Auto mode will route embeddings to <strong>Gemini</strong>.
-            Set Embedding Provider to <strong>Ollama (Local)</strong> for free local embeddings, or <strong>Voyage AI</strong> for the Anthropic-recommended cloud pairing.
+            Set Embedding Provider to <strong>OpenAI / Ollama</strong> to use a local model (e.g. <code>nomic-embed-text</code>).
           </div>
 
           <!-- OpenAI embedding model field (shown when embedding_provider = openai) -->
@@ -1271,7 +1269,7 @@ Example:\n## Dev Rules\n- Always write tests first\n- Use TypeScript strict mode
             <div class="setting-row">
               <div>
                 <div class="setting-label">Embedding Model</div>
-                <div class="setting-desc">Must output 768 dims. Default: text-embedding-3-small</div>
+                <div class="setting-desc">Must output 768 dims. Ollama: nomic-embed-text · OpenAI: text-embedding-3-small</div>
               </div>
               <input type="text" id="input-openai-embedding-model"
                 placeholder="text-embedding-3-small"
@@ -1281,61 +1279,9 @@ Example:\n## Dev Rules\n- Always write tests first\n- Use TypeScript strict mode
             </div>
           </div>
 
-          <!-- Voyage AI embedding fields (shown when embedding_provider = voyage) -->
-          <div id="embed-fields-voyage" style="display:none">
-            <div class="setting-row">
-              <div>
-                <div class="setting-label">Voyage API Key</div>
-                <div class="setting-desc">Get one free at <a href="https://dash.voyageai.com" target="_blank" style="color:var(--accent)">dash.voyageai.com</a></div>
-              </div>
-              <input type="password" id="input-voyage-api-key"
-                placeholder="pa-…"
-                style="padding: 0.2rem 0.5rem; background: var(--bg-hover); color: var(--text-primary); border: 1px solid var(--border-color); border-radius: 4px; font-size: 0.85rem; font-family: var(--font-mono); width: 180px;"
-                onchange="saveBootSetting('VOYAGE_API_KEY', this.value)"
-                oninput="clearTimeout(this._pv); var self=this; this._pv=setTimeout(function(){saveBootSetting('VOYAGE_API_KEY',self.value)},800)" />
-            </div>
-            <div class="setting-row">
-              <div>
-                <div class="setting-label">Voyage Model</div>
-                <div class="setting-desc">voyage-code-3 (code) · voyage-3 (general). Both MRL → 768 dims.</div>
-              </div>
-              <input type="text" id="input-voyage-model"
-                placeholder="voyage-code-3"
-                style="padding: 0.2rem 0.5rem; background: var(--bg-hover); color: var(--text-primary); border: 1px solid var(--border-color); border-radius: 4px; font-size: 0.85rem; font-family: var(--font-mono); width: 160px;"
-                onchange="saveBootSetting('voyage_model', this.value)"
-                oninput="clearTimeout(this._pvm); var self=this; this._pvm=setTimeout(function(){saveBootSetting('voyage_model',self.value)},800)" />
-            </div>
-          </div>
-
-          <!-- Ollama embedding fields (shown when embedding_provider = ollama) -->
-          <div id="embed-fields-ollama" style="display:none">
-            <div class="setting-row">
-              <div>
-                <div class="setting-label">Ollama Base URL</div>
-                <div class="setting-desc">Where Ollama is running locally</div>
-              </div>
-              <input type="text" id="input-ollama-base-url"
-                placeholder="http://localhost:11434"
-                style="padding: 0.2rem 0.5rem; background: var(--bg-hover); color: var(--text-primary); border: 1px solid var(--border-color); border-radius: 4px; font-size: 0.85rem; font-family: var(--font-mono); width: 220px;"
-                onchange="saveBootSetting('ollama_base_url', this.value)"
-                oninput="clearTimeout(this._pou); var self=this; this._pou=setTimeout(function(){saveBootSetting('ollama_base_url',self.value)},800)" />
-            </div>
-            <div class="setting-row">
-              <div>
-                <div class="setting-label">Embedding Model</div>
-                <div class="setting-desc">Must output 768 dims. <code>nomic-embed-text</code> recommended.</div>
-              </div>
-              <input type="text" id="input-ollama-model"
-                placeholder="nomic-embed-text"
-                style="padding: 0.2rem 0.5rem; background: var(--bg-hover); color: var(--text-primary); border: 1px solid var(--border-color); border-radius: 4px; font-size: 0.85rem; font-family: var(--font-mono); width: 180px;"
-                onchange="saveBootSetting('ollama_model', this.value)"
-                oninput="clearTimeout(this._pom); var self=this; this._pom=setTimeout(function(){saveBootSetting('ollama_model',self.value)},800)" />
-            </div>
-          </div>
-
           <div style="margin-top:1rem;padding:0.6rem 0.8rem;background:rgba(139,92,246,0.08);border:1px solid rgba(139,92,246,0.2);border-radius:6px;font-size:0.78rem;color:var(--text-secondary);line-height:1.5">
-            💡 <strong>Zero-cost setup:</strong> Text Provider → <code>Anthropic</code>, Embedding Provider → <code>Ollama (Local)</code>.<br>
-            Use Claude for reasoning &amp; <code>nomic-embed-text</code> (free, local, 768-dim native) for embeddings.
+            💡 <strong>Cost-optimized setup:</strong> Text Provider → <code>Anthropic</code>, Embedding Provider → <code>OpenAI / Ollama</code>.<br>
+            Use Claude 3.5 Sonnet for reasoning &amp; <code>nomic-embed-text</code> (free, local) for embeddings.
           </div>
 
           <span class="setting-saved" id="savedToastProviders">Saved ✓</span>
@@ -3189,10 +3135,8 @@ function onTextProviderChange(value) {
 // Called when the EMBEDDING provider dropdown changes.
 function onEmbeddingProviderChange(value) {
     var textVal = document.getElementById('select-text-provider').value;
-    // Show provider-specific fields based on the selected embedding provider
+    // Show the OpenAI embedding model field only when embedding=openai
     document.getElementById('embed-fields-openai').style.display = value === 'openai' ? '' : 'none';
-    document.getElementById('embed-fields-voyage').style.display = value === 'voyage' ? '' : 'none';
-    document.getElementById('embed-fields-ollama').style.display = value === 'ollama' ? '' : 'none';
     refreshAnthropicWarning(textVal, value);
     saveBootSetting('embedding_provider', value);
 }
@@ -3230,17 +3174,7 @@ function loadAiProviderSettings() {
                     if (embedSel)
                         embedSel.value = embedProvider;
                     document.getElementById('embed-fields-openai').style.display = embedProvider === 'openai' ? '' : 'none';
-                    document.getElementById('embed-fields-voyage').style.display = embedProvider === 'voyage' ? '' : 'none';
-                    document.getElementById('embed-fields-ollama').style.display = embedProvider === 'ollama' ? '' : 'none';
                     refreshAnthropicWarning(textProvider, embedProvider);
-                    var vKey = document.getElementById('input-voyage-api-key');
-                    if (vKey) vKey.placeholder = s.VOYAGE_API_KEY ? '(key saved — paste to update)' : 'pa-…';
-                    var vMod = document.getElementById('input-voyage-model');
-                    if (vMod && s.voyage_model) vMod.value = s.voyage_model;
-                    var olUrl = document.getElementById('input-ollama-base-url');
-                    if (olUrl && s.ollama_base_url) olUrl.value = s.ollama_base_url;
-                    var olMod = document.getElementById('input-ollama-model');
-                    if (olMod && s.ollama_model) olMod.value = s.ollama_model;
                     gKey = document.getElementById('input-google-api-key');
                     if (gKey)
                         gKey.placeholder = s.GOOGLE_API_KEY ? '(key saved — paste to update)' : 'AIza…';