threadforge 0.1.0 → 0.1.1

package/bin/forge.js

@@ -26,8 +26,24 @@ const args = process.argv.slice(2);
 const command = args[0];
 
 const FORGE_CONFIG_NAMES = ["forge.config.js", "forge.config.mjs", "threadforge.config.js", "threadforge.config.mjs"];
+const FORGE_PLATFORM_CONFIG_NAMES = ["forge.platform.js", "forge.platform.mjs", "forge.host.js", "forge.host.mjs"];
 
-async function findConfig() {
+function resolveConfigSearchNames(commandName = command) {
+  if (["dev", "start", "build", "status", "stop"].includes(commandName)) {
+    return [...FORGE_CONFIG_NAMES, ...FORGE_PLATFORM_CONFIG_NAMES];
+  }
+  return [...FORGE_CONFIG_NAMES];
+}
+
+function printNoConfigError(commandName = command) {
+  const names = resolveConfigSearchNames(commandName);
+  console.error("  Error: No config file found in current directory.");
+  console.error(`  Searched for: ${names.join(", ")}`);
+  console.error("  Run `forge init` to create one, or use `--config <path>` to specify manually.");
+}
+
+async function findConfig(commandName = command) {
+  const searchNames = resolveConfigSearchNames(commandName);
   const cwd = process.cwd();
 
   // Check for --config flag
@@ -41,7 +57,7 @@ async function findConfig() {
     return resolved;
   }
 
-  for (const name of FORGE_CONFIG_NAMES) {
+  for (const name of searchNames) {
     const fullPath = path.join(cwd, name);
     try {
       await fs.promises.access(fullPath);
@@ -132,11 +148,9 @@ async function startFrontendDevSessions(config) {
 }
 
 async function cmdStart(isDev = false) {
-  const configPath = await findConfig();
+  const configPath = await findConfig(isDev ? "dev" : "start");
   if (!configPath) {
-    console.error("  Error: No config file found in current directory.");
-    console.error(`  Searched for: ${FORGE_CONFIG_NAMES.join(", ")}`);
-    console.error("  Run `forge init` to create one, or use `--config <path>` to specify manually.");
+    printNoConfigError(isDev ? "dev" : "start");
     process.exit(1);
   }
 
@@ -261,7 +275,8 @@ function detectLocalThreadforgeDependency(cwd) {
 
 function resolveInitDependency(cwd, source = "auto") {
   if (source === "npm") {
-    return { spec: "threadforge", label: "npm" };
+    // Use npm dist-tag so generated package.json is directly installable.
+    return { spec: "latest", label: "npm" };
   }
 
   if (source === "github") {
@@ -478,7 +493,7 @@ export default class ApiService extends Service {
 }
 
 async function resolveMetricsPort() {
-  const config = await findConfig().then(async (p) => {
+  const config = await findConfig(command).then(async (p) => {
     if (!p) return null;
     try { return await loadConfig(pathToFileURL(p).href); } catch { return null; }
   });
@@ -663,11 +678,9 @@ function printHelp() {
 }
 
 async function cmdBuild() {
-  const configPath = await findConfig();
+  const configPath = await findConfig("build");
   if (!configPath) {
-    console.error("  Error: No config file found in current directory.");
-    console.error(`  Searched for: ${FORGE_CONFIG_NAMES.join(", ")}`);
-    console.error("  Run `forge init` to create one, or use `--config <path>` to specify manually.");
+    printNoConfigError("build");
     process.exit(1);
   }
 
@@ -759,11 +772,9 @@ async function cmdBuild() {
 }
 
 async function cmdDeploy() {
-  const configPath = await findConfig();
+  const configPath = await findConfig("deploy");
   if (!configPath) {
-    console.error("  Error: No config file found in current directory.");
-    console.error(`  Searched for: ${FORGE_CONFIG_NAMES.join(", ")}`);
-    console.error("  Run `forge init` to create one, or use `--config <path>` to specify manually.");
+    printNoConfigError("deploy");
     process.exit(1);
   }
 
@@ -898,11 +909,9 @@ export default {
 }
 
 async function cmdGenerate() {
-  const configPath = await findConfig();
+  const configPath = await findConfig("generate");
   if (!configPath) {
-    console.error("  Error: No config file found in current directory.");
-    console.error(`  Searched for: ${FORGE_CONFIG_NAMES.join(", ")}`);
-    console.error("  Run `forge init` to create one, or use `--config <path>` to specify manually.");
+    printNoConfigError("generate");
     process.exit(1);
   }
 

package/bin/platform-commands.js

@@ -12,11 +12,9 @@
 
 import fs from "node:fs";
 import path from "node:path";
-import { fileURLToPath, pathToFileURL } from "node:url";
+import { pathToFileURL } from "node:url";
 
 const PLATFORM_CONFIG_NAMES = ["forge.platform.js", "forge.platform.mjs"];
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const LOCAL_PKG_PATH = path.resolve(__dirname, "..", "package.json");
 
 async function findPlatformConfig() {
   const cwd = process.cwd();
@@ -39,21 +37,50 @@ async function findPlatformConfig() {
  * @returns {string}
  */
 function computeImportPath(fromDir) {
-  try {
-    if (fs.existsSync(LOCAL_PKG_PATH)) {
-      const pkg = JSON.parse(fs.readFileSync(LOCAL_PKG_PATH, "utf8"));
-      if (pkg.name === "threadforge") {
-        const indexAbsolute = fs.realpathSync(path.resolve(__dirname, "..", "src", "index.js"));
-        const realFrom = fs.realpathSync(fromDir);
-        let rel = path.relative(realFrom, indexAbsolute);
-        if (!rel.startsWith(".")) rel = `./${rel}`;
-        return rel;
-      }
-    }
-  } catch {}
+  void fromDir;
   return "threadforge";
 }
 
+function ensurePlatformPackageJson(cwd) {
+  const pkgPath = path.join(cwd, "package.json");
+  const defaultName = path.basename(cwd);
+  const defaultScripts = {
+    start: "forge platform start",
+    build: "forge build",
+    generate: "forge platform generate",
+  };
+
+  let pkg = {};
+  if (fs.existsSync(pkgPath)) {
+    try {
+      pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+    } catch (err) {
+      throw new Error(`Invalid package.json: ${err.message}`);
+    }
+  } else {
+    pkg = {
+      name: defaultName,
+      version: "1.0.0",
+    };
+  }
+
+  if (!pkg.type) {
+    pkg.type = "module";
+  }
+
+  if (!pkg.scripts || typeof pkg.scripts !== "object" || Array.isArray(pkg.scripts)) {
+    pkg.scripts = {};
+  }
+
+  for (const [name, command] of Object.entries(defaultScripts)) {
+    if (!pkg.scripts[name]) {
+      pkg.scripts[name] = command;
+    }
+  }
+
+  fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
+}
+
 async function loadPlatformConfig() {
   const configPath = await findPlatformConfig();
   if (!configPath) {
@@ -92,6 +119,8 @@ async function cmdPlatformInit() {
   const importPath = computeImportPath(cwd);
   const serviceImportPath = computeImportPath(path.join(cwd, "shared"));
 
+  ensurePlatformPackageJson(cwd);
+
   // Create directories
   for (const dir of ["shared", "apps"]) {
     fs.mkdirSync(path.join(cwd, dir), { recursive: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "threadforge",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Multi-threaded Node.js service runtime framework",
   "type": "module",
   "bin": {
@@ -62,8 +62,12 @@
     "pg": "^8.11.0"
   },
   "peerDependenciesMeta": {
-    "ioredis": { "optional": true },
-    "pg": { "optional": true }
+    "ioredis": {
+      "optional": true
+    },
+    "pg": {
+      "optional": true
+    }
   },
   "devDependencies": {
     "@biomejs/biome": "^2.3.15"

package/shared/identity.js

@@ -0,0 +1,26 @@
+import { Service } from 'threadforge';
+
+export default class IdentityService extends Service {
+  static contract = {
+    expose: ['getUser', 'getUserByEmail', 'createUser', 'listMembers'],
+    routes: [
+      { method: 'POST', path: '/login', handler: 'login' },
+      { method: 'POST', path: '/register', handler: 'register' },
+      { method: 'GET', path: '/users/:id', handler: 'getUserRoute' },
+      { method: 'GET', path: '/users', handler: 'listUsersRoute' },
+    ],
+  };
+
+  async onStart(ctx) {
+    ctx.logger.info('Identity service ready');
+  }
+
+  async login(_body) { return { error: 'Not implemented' }; }
+  async register(_body) { return { error: 'Not implemented' }; }
+  async getUserRoute(_body, params) { return this.getUser(params.id); }
+  async listUsersRoute() { return { error: 'Not implemented' }; }
+  async getUser(_userId) { return { error: 'Not implemented' }; }
+  async getUserByEmail(_email) { return { error: 'Not implemented' }; }
+  async createUser(_data) { return { error: 'Not implemented' }; }
+  async listMembers(_appId) { return { error: 'Not implemented' }; }
+}

package/src/core/EndpointResolver.js

@@ -29,6 +29,10 @@ export class EndpointResolver {
 
     /** @type {Map<string, Object>} per-service routing strategies (optional override) */
     this._strategies = new Map();
+
+    // P-10: Cache wrapped endpoint entries to avoid per-resolve() allocation
+    /** @type {Map<string, Array<{key: string, host: string, port: number, remote: boolean}>>} */
+    this._wrappedCache = new Map();
   }
 
   /**
@@ -123,13 +127,17 @@ export class EndpointResolver {
     // Delegate to configured strategy if present
     const strategy = this._strategies.get(serviceName);
     if (strategy) {
-      // Wrap endpoints as WorkerEntry-compatible objects for RoutingStrategy
-      const entries = endpoints.map(ep => ({
-        key: `${ep.host}:${ep.port}`,
-        host: ep.host,
-        port: ep.port,
-        remote: ep.remote,
-      }));
+      // P-10: Use cached wrapped entries to avoid per-call allocation
+      let entries = this._wrappedCache.get(serviceName);
+      if (!entries) {
+        entries = endpoints.map(ep => ({
+          key: `${ep.host}:${ep.port}`,
+          host: ep.host,
+          port: ep.port,
+          remote: ep.remote,
+        }));
+        this._wrappedCache.set(serviceName, entries);
+      }
       const picked = strategy.pick(entries, callContext);
       if (picked) {
         // Handle broadcast (returns array) — return first for resolve(), use all() for broadcast
@@ -180,6 +188,8 @@ export class EndpointResolver {
     }
 
     this._endpoints.set(serviceName, existing);
+    // P-10: Invalidate wrapped cache when endpoints change
+    this._wrappedCache.delete(serviceName);
   }
 
   /**
@@ -195,6 +205,8 @@ export class EndpointResolver {
     if (!existing) return;
 
     const filtered = existing.filter((e) => !(e.host === host && e.port === port));
+    // P-10: Invalidate wrapped cache when endpoints change
+    this._wrappedCache.delete(serviceName);
     if (filtered.length === 0) {
       this._endpoints.delete(serviceName);
       // CR-IPC-7: Clean up counter when all endpoints removed

package/src/core/ForgeContext.js

@@ -69,8 +69,13 @@ const BIND_ERROR_MESSAGES = {
 function validateInternalSignature(req, method, path) {
   const secret = process.env.FORGE_INTERNAL_SECRET;
   if (!secret) {
-    // In development, allow without signature; in production, reject
-    return process.env.NODE_ENV !== 'production';
+    if (process.env.NODE_ENV === 'production') return false;
+    // M-7: Warn in development when internal endpoints are unsigned
+    if (!validateInternalSignature._warned) {
+      console.warn('[ThreadForge] WARNING: FORGE_INTERNAL_SECRET is not set. Internal endpoints (/__forge/*) accept unsigned requests. Set FORGE_INTERNAL_SECRET or FORGE_ALLOW_UNSIGNED_INTERNAL=true to suppress.');
+      validateInternalSignature._warned = true;
+    }
+    return true;
   }
   const sig = req.headers['x-forge-internal-sig'];
   const ts = req.headers['x-forge-internal-ts'];
@@ -118,7 +123,7 @@ function verifyJwt(token) {
     const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
     if (!header || typeof header !== 'object') return null;
     const alg = (header.alg ?? '').toUpperCase();
-    if (alg === 'NONE' || (alg !== 'HS256' && alg !== '')) return null;
+    if (alg !== 'HS256') return null;
   } catch {
     return null;
   }
@@ -1140,6 +1145,11 @@ export class ForgeContext {
    * Gracefully shut down.
    */
   async stop() {
+    // M-13: Stop IngressProtection timers if active
+    if (this.ingress) {
+      this.ingress.stop();
+    }
+
     // Close direct channels
     this.channels.destroy();
 
@@ -1674,14 +1684,13 @@ class Router {
   }
 
   _matchUncached(method, url) {
-    const parsed = new URL(url, "http://localhost");
-    const pathname = parsed.pathname;
-
     // Reject null bytes — path traversal / request smuggling vector
     if (url.includes("\0")) return null;
 
-    // Normalize path to collapse encoded traversals (e.g. ..%2F)
-    let normalized = new URL(pathname, "http://localhost").pathname;
+    const parsed = new URL(url, "http://localhost");
+    // P-3: Reuse the already-parsed pathname instead of constructing a second URL.
+    // URL constructor already normalizes encoded traversals (e.g. ..%2F).
+    let normalized = parsed.pathname;
     // Strip trailing slashes (except root "/")
     if (normalized.length > 1 && normalized.endsWith('/')) {
       normalized = normalized.slice(0, -1);

package/src/core/MessageBus.js

@@ -89,6 +89,16 @@ export class MessageBus extends EventEmitter {
       channel.splice(idx, 1);
     }
 
+    // F-6: Reject pending requests dispatched to the dead worker immediately
+    // instead of making callers wait for the full timeout.
+    for (const [reqId, entry] of this.pendingRequests) {
+      if (entry.targetPid === pidOrThreadId) {
+        clearTimeout(entry.timer);
+        this.pendingRequests.delete(reqId);
+        entry.reject(new Error(`Worker ${pidOrThreadId} for "${serviceName}" exited while handling request`));
+      }
+    }
+
     if (channel.length === 0) {
       this.channels.delete(serviceName);
       this.rrIndex.delete(serviceName);
@@ -193,10 +203,11 @@ export class MessageBus extends EventEmitter {
         reject(new Error(`[MessageBus] Request to "${target}" timed out after ${timeoutMs}ms`));
       }, timeoutMs);
 
-      this.pendingRequests.set(requestId, { resolve, reject, timer });
-
       const idx = this.rrIndex.get(target);
       const worker = channel[idx % channel.length];
+
+      // F-6: Track target PID so pending requests can be rejected on worker death
+      this.pendingRequests.set(requestId, { resolve, reject, timer, targetPid: worker.pid });
       this.rrIndex.set(target, (idx + 1) % 1_000_000_000);
 
       try {

package/src/core/RoutingStrategy.js

@@ -32,6 +32,17 @@ import { createHmac, randomBytes } from "node:crypto";
 
 const HASH_SALT = randomBytes(16).toString("hex");
 
+// P-1: Fast non-cryptographic FNV-1a hash for runtime routing.
+// HMAC-SHA256 is ~100x slower and unnecessary for load distribution.
+function fnv1a(str) {
+  let hash = 0x811c9dc5 | 0; // FNV offset basis
+  for (let i = 0; i < str.length; i++) {
+    hash ^= str.charCodeAt(i);
+    hash = (hash * 0x01000193) | 0; // FNV prime
+  }
+  return hash >>> 0; // Convert to unsigned 32-bit
+}
+
 /**
  * @typedef {Object} WorkerEntry
  * @property {string} key    - "serviceName:workerId"
@@ -178,10 +189,11 @@ export class HashStrategy {
   }
 
   /**
-   * Keyed SHA-256 hash — collision-resistant, prevents hash flooding attacks.
+   * P-1: Fast FNV-1a hash for runtime routing decisions.
+   * Salted to prevent predictable distribution from external input.
    */
   _simpleHash(str) {
-    return createHmac("sha256", HASH_SALT).update(str).digest().readUInt32BE(0);
+    return fnv1a(HASH_SALT + str);
   }
 
   get name() {
@@ -195,6 +207,7 @@ export class LeastPendingStrategy {
   constructor() {
     /** @type {Map<string, number>} key → pending count */
     this._pending = new Map();
+    this._lastWorkerCount = 0;
   }
 
   /**
@@ -204,8 +217,8 @@ export class LeastPendingStrategy {
     if (workers.length === 0) return null;
     if (workers.length === 1) return workers[0];
 
-    // Prune stale entries for workers no longer in the current set
-    if (this._pending.size > 0) {
+    // P-9: Only prune when worker set changes, not on every pick()
+    if (this._pending.size > 0 && workers.length !== this._lastWorkerCount) {
       const activeKeys = new Set(workers.map(w => w.key));
       for (const key of this._pending.keys()) {
         if (!activeKeys.has(key)) {
@@ -213,6 +226,7 @@ export class LeastPendingStrategy {
         }
       }
     }
+    this._lastWorkerCount = workers.length;
 
     let best = workers[0];
     let bestPending = this._pending.get(best.key) ?? 0;

package/src/core/Supervisor.js

@@ -483,7 +483,9 @@ export class Supervisor extends EventEmitter {
     }
 
     // H-5: Track heartbeat responses from workers
-    if (msg?.type === "forge:heartbeat-response") {
+    // Workers respond to forge:health-check with forge:health-response,
+    // so we accept both message types for heartbeat tracking.
+    if (msg?.type === "forge:heartbeat-response" || msg?.type === "forge:health-response") {
       this._lastHeartbeat.set(worker.id, Date.now());
       return;
     }
@@ -1152,9 +1154,16 @@ export class Supervisor extends EventEmitter {
 
   _status() {
     const groups = [];
+    const liveWorkersByService = {};
+
     for (const [groupName, workerIds] of this.groupWorkers) {
       const group = this.groups[groupName];
       const pids = workerIds.map((wid) => cluster.workers[wid]?.process?.pid).filter(Boolean);
+      const liveWorkers = workerIds.length;
+
+      for (const svc of group.services) {
+        liveWorkersByService[svc.name] = liveWorkers;
+      }
 
       groups.push({
         group: groupName,
@@ -1163,11 +1172,45 @@ export class Supervisor extends EventEmitter {
           type: s.type,
           port: s.port,
         })),
-        workers: workerIds.length,
+        workers: liveWorkers,
         pids,
       });
     }
 
+    const topology = this.registry.topology();
+    for (const [serviceName, liveWorkers] of Object.entries(liveWorkersByService)) {
+      const existing = Array.isArray(topology[serviceName]) ? topology[serviceName] : [];
+      let hasLocalEntry = false;
+
+      const updated = existing.map((entry) => {
+        const isLocalEntry = entry?.nodeId === this.registry.nodeId
+          || entry?.transport === "local"
+          || entry?.transport === "colocated";
+
+        if (!isLocalEntry) return entry;
+
+        hasLocalEntry = true;
+        return {
+          ...entry,
+          workers: liveWorkers,
+          status: liveWorkers > 0 ? (entry.status ?? "healthy") : "unhealthy",
+        };
+      });
+
+      if (!hasLocalEntry) {
+        updated.unshift({
+          nodeId: this.registry.nodeId,
+          host: this.registry.host,
+          transport: "local",
+          status: liveWorkers > 0 ? "healthy" : "unhealthy",
+          cpu: 0,
+          workers: liveWorkers,
+        });
+      }
+
+      topology[serviceName] = updated;
+    }
+
     return {
       supervisorPid: process.pid,
       uptime: process.uptime(),
@@ -1184,7 +1227,7 @@ export class Supervisor extends EventEmitter {
         .filter((s) => s.port)
         .map((s) => s.port),
       messageBus: this.messageBus.stats(),
-      topology: this.registry.topology(),
+      topology,
       scalingRecommendations: this.scaleAdvisor.recommendations,
     };
   }

package/src/core/config.js

@@ -523,6 +523,19 @@ export function defineServices(servicesMap, options = {}) {
   // M3: Detect group-level circular dependencies
   detectGroupCycles(services, groups);
 
+  // M-14: Warn on unknown option keys to catch typos early
+  const KNOWN_OPTIONS = new Set([
+    'metricsPort', 'logging', 'watch', 'registryMode', 'host', 'httpBasePort',
+    'ingress', 'plugins', 'frontendPlugins', 'sites',
+    // Internal keys used by platform/host modes
+    '_configUrl', '_isHostMode', '_isPlatformMode', '_hostMeta', '_hostMetaJSON',
+  ]);
+  for (const key of Object.keys(options)) {
+    if (!KNOWN_OPTIONS.has(key) && !key.startsWith('_')) {
+      console.warn(`[ThreadForge] Unknown option "${key}" in defineServices(). Known options: ${[...KNOWN_OPTIONS].filter(k => !k.startsWith('_')).join(', ')}`);
+    }
+  }
+
   // Only pass through known option keys to prevent typos polluting the config
   // A12: Namespace internal fields into _internal sub-object
   const result = {

package/src/decorators/ServiceProxy.js

@@ -590,6 +590,11 @@ function createProxiedMethod(
             signal: AbortSignal.timeout(effectiveTimeout),
           });
 
+          // M-11: Enforce response body size limit to prevent OOM from oversized responses
+          const contentLength = resp.headers.get('content-length');
+          if (contentLength && parseInt(contentLength, 10) > 10 * 1024 * 1024) {
+            throw new Error(`Response from ${targetHost}:${targetPort} exceeds 10MB limit`);
+          }
           const data = await resp.json();
           if (data.error) {
             const err = new Error(data.error);

package/src/index.js

@@ -6,6 +6,8 @@
 
 // Core
 export { defineServices } from "./core/config.js";
+export { defineHost } from "./core/host-config.js";
+export { definePlatform } from "./core/platform-config.js";
 export { ForgeContext } from "./core/ForgeContext.js";
 export { RequestContext } from "./core/RequestContext.js";
 

package/src/plugins/index.js

@@ -98,7 +98,8 @@ export async function _mkRedis(url, ctx) {
   let socket,
     connected = false,
     rq = [],
-    buf = Buffer.alloc(0);
+    bufChunks = [],
+    bufTotalLen = 0;
 
   const CRLF = Buffer.from("\r\n");
 
@@ -137,11 +138,13 @@ export async function _mkRedis(url, ctx) {
         ctx.logger.warn(`Redis socket error: ${err.message}`);
       });
       socket.on("data", (d) => {
-        if (buf.length + d.length > MAX_REDIS_BUFFER) {
+        if (bufTotalLen + d.length > MAX_REDIS_BUFFER) {
           socket.destroy(new Error('Redis response buffer overflow'));
           return;
         }
-        buf = Buffer.concat([buf, d]);
+        // P-7: Accumulate chunks in array, concat only when parsing needs contiguous buffer
+        bufChunks.push(d);
+        bufTotalLen += d.length;
         flush();
       });
       socket.on("close", () => {
@@ -150,7 +153,8 @@ export async function _mkRedis(url, ctx) {
         // Reject pending requests
         const pending = rq.splice(0);
         for (const r of pending) r.no(new Error("Redis connection closed"));
-        buf = Buffer.alloc(0);
+        bufChunks = [];
+        bufTotalLen = 0;
 
         if (intentionalClose) return;
         scheduleReconnect();
@@ -195,13 +199,17 @@ export async function _mkRedis(url, ctx) {
   const MAX_RESP_BULK = 16 * 1024 * 1024; // 16MB
 
   function flush() {
+    // P-7: Concat accumulated chunks into a single buffer for parsing
+    if (bufChunks.length === 0 || rq.length === 0) return;
+    let buf = bufChunks.length === 1 ? bufChunks[0] : Buffer.concat(bufChunks, bufTotalLen);
+    bufChunks = [];
+    bufTotalLen = 0;
     while (buf.length && rq.length) {
       let r;
       try {
         r = parse(buf, 0);
       } catch (err) {
         // Unknown RESP type or parse error — reject current request and reset buffer
-        buf = Buffer.alloc(0);
         rq.shift().no(err);
         return;
       }
@@ -209,6 +217,11 @@ export async function _mkRedis(url, ctx) {
       buf = r.rem;
       rq.shift().ok(r.val);
     }
+    // Keep remaining unparsed data for next flush
+    if (buf.length > 0) {
+      bufChunks.push(buf);
+      bufTotalLen = buf.length;
+    }
   }
   function parse(d, depth) {
     if (!d.length) return null;
@@ -342,7 +355,8 @@ export async function _mkRedis(url, ctx) {
     // ─── Subscription support (lazy separate connection) ───
     _subSocket: null,
     _subConnected: false,
-    _subBuf: Buffer.alloc(0),
+    _subBufChunks: [],
+    _subBufTotalLen: 0,
     _subCallbacks: new Map(),    // channel → Set<callback>
     _psubCallbacks: new Map(),   // pattern → Set<callback>
     _subSubscribedChannels: new Set(),
@@ -369,11 +383,13 @@ export async function _mkRedis(url, ctx) {
         });
         self._subSocket.on("data", (d) => {
           // REL-C1: Guard against unbounded sub buffer growth (same limit as main connection)
-          if (self._subBuf.length + d.length > MAX_REDIS_BUFFER) {
+          if (self._subBufTotalLen + d.length > MAX_REDIS_BUFFER) {
             self._subSocket.destroy(new Error('Redis sub response buffer overflow'));
             return;
           }
-          self._subBuf = Buffer.concat([self._subBuf, d]);
+          // P-8: Chunk-list pattern to avoid O(n^2) Buffer.concat
+          self._subBufChunks.push(d);
+          self._subBufTotalLen += d.length;
           self._flushSub();
         });
         self._subSocket.on("close", () => {
@@ -382,7 +398,8 @@ export async function _mkRedis(url, ctx) {
           self._subSubscribedPatterns.clear();
           const pending = self._subRq.splice(0);
           for (const r of pending) r.no(new Error("Redis sub connection closed"));
-          self._subBuf = Buffer.alloc(0);
+          self._subBufChunks = [];
+          self._subBufTotalLen = 0;
           self._scheduleSubReconnect();
         });
       });
@@ -461,16 +478,20 @@ export async function _mkRedis(url, ctx) {
     },
 
     _flushSub() {
-      while (this._subBuf.length) {
+      // P-8: Concat accumulated chunks for parsing
+      if (this._subBufChunks.length === 0) return;
+      let buf = this._subBufChunks.length === 1 ? this._subBufChunks[0] : Buffer.concat(this._subBufChunks, this._subBufTotalLen);
+      this._subBufChunks = [];
+      this._subBufTotalLen = 0;
+      while (buf.length) {
         let r;
         try {
-          r = parse(this._subBuf, 0);
+          r = parse(buf, 0);
         } catch {
-          this._subBuf = Buffer.alloc(0);
           return;
         }
         if (!r) break;
-        this._subBuf = r.rem;
+        buf = r.rem;
         const val = r.val;
         // Messages are arrays: ["message", channel, data] or ["pmessage", pattern, channel, data]
         if (Array.isArray(val)) {
@@ -504,6 +525,11 @@ export async function _mkRedis(url, ctx) {
         // Other responses (OK from AUTH/SELECT)
         if (this._subRq.length) this._subRq.shift().ok(val);
       }
+      // Keep remaining unparsed data for next flush
+      if (buf.length > 0) {
+        this._subBufChunks.push(buf);
+        this._subBufTotalLen = buf.length;
+      }
     },
 
     async subscribe(channel, callback) {
@@ -542,7 +568,8 @@ export async function _mkRedis(url, ctx) {
         clientRef._psubCallbacks.clear();
         clientRef._subSubscribedChannels.clear();
         clientRef._subSubscribedPatterns.clear();
-        clientRef._subBuf = Buffer.alloc(0);
+        clientRef._subBufChunks = [];
+        clientRef._subBufTotalLen = 0;
         clientRef._subRq.length = 0;
       }
       return new Promise((resolve) => {

package/src/registry/ServiceRegistry.js

@@ -195,10 +195,11 @@ export class ServiceRegistry extends EventEmitter {
    * In multicast/external mode, connects to peers.
    */
   async start() {
-    // Start heartbeat
+    // Start heartbeat with jitter to prevent thundering herd across nodes
+    const jitter = Math.floor(Math.random() * this.heartbeatIntervalMs * 0.2);
     this._heartbeatTimer = setInterval(() => {
       this._sendHeartbeats();
-    }, this.heartbeatIntervalMs);
+    }, this.heartbeatIntervalMs + jitter);
     this._heartbeatTimer.unref();
 
     // Start reaper (remove stale registrations)

package/src/services/worker-bootstrap.js

@@ -521,7 +521,10 @@ async function bootstrap() {
       }
     }
 
-    process.exit(0);
+    // F-3: Allow event loop to drain naturally instead of process.exit(0)
+    // so plugin disconnect and I/O flushes complete. The supervisor manages
+    // worker lifecycle via cluster 'exit' events.
+    if (process.connected) process.disconnect();
   }
 
   // Wire IPC before starting so no messages are lost during startup