diff --git a/api/wevia-auto-heal.php b/api/wevia-auto-heal.php
index 1454eba70..d3c14a26c 100644
--- a/api/wevia-auto-heal.php
+++ b/api/wevia-auto-heal.php
@@ -1,8 +1,14 @@
 <?php
+// V88 hardened: raise threshold 50→180 + disable self-kill
 header("Content-Type: application/json");
+@set_time_limit(20);
 $w = intval(trim(shell_exec("pgrep -c php-fpm 2>/dev/null")));
 $act = "none";
-if($w > 50) { shell_exec("killall -9 php-fpm8.5; sleep 2; systemctl start php8.5-fpm &"); $act = "RESTART_$w"; }
+// V88: Was "$w > 50" + killall -9 (self-kill!) → now $w > 180 (total max 140)
+if($w > 180) { 
+    shell_exec("sudo -n systemctl reload php8.5-fpm 2>&1 > /tmp/fpm-reload-v88.log &");
+    $act = "RELOAD_$w"; 
+}
 $pages = ["tools-hub.html","apps.html","enterprise-model.html","agents-archi.html","nonreg.html"];
 $miss = []; foreach($pages as $p) if(!file_exists("/var/www/html/$p")) $miss[] = $p;
-echo json_encode(["ok"=>$w<50&&empty($miss),"workers"=>$w,"pages"=>count($pages)-count($miss)."/".count($pages),"missing"=>$miss,"action"=>$act,"ts"=>date("H:i:s")]);
+echo json_encode(["ok"=>$w<=180&&empty($miss),"workers"=>$w,"pages"=>count($pages)-count($miss)."/".count($pages),"missing"=>$miss,"action"=>$act,"ts"=>date("H:i:s")]);
diff --git a/api/wevia-master-autoheal.php b/api/wevia-master-autoheal.php
index d1a8913b7..3be86c23b 100644
--- a/api/wevia-master-autoheal.php
+++ b/api/wevia-master-autoheal.php
@@ -1,14 +1,18 @@
 <?php
+// V88 hardened: limits + error capture to prevent FCGI recv() reset
+@set_time_limit(60);
+@ini_set('memory_limit', '256M');
+@ini_set('max_execution_time', 60);
 header('Content-Type:application/json');
 $log='/var/log/wevia-autoheal.log';
 
 function tc($url,$payload,$name){
-    $ch=curl_init($url);curl_setopt_array($ch,[CURLOPT_POST=>1,CURLOPT_POSTFIELDS=>json_encode($payload),CURLOPT_HTTPHEADER=>['Content-Type:application/json'],CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>10,CURLOPT_SSL_VERIFYPEER=>0]);
+    $ch=curl_init($url);curl_setopt_array($ch,[CURLOPT_POST=>1,CURLOPT_POSTFIELDS=>json_encode($payload),CURLOPT_HTTPHEADER=>['Content-Type:application/json'],CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>5,CURLOPT_CONNECTTIMEOUT=>3,CURLOPT_SSL_VERIFYPEER=>0]);
     $r=curl_exec($ch);$c=curl_getinfo($ch,CURLINFO_HTTP_CODE);curl_close($ch);
     return['name'=>$name,'code'=>$c,'ok'=>$c>=200&&$c<400&&strlen($r)>5,'size'=>strlen($r)];
 }
 function th($url,$name){
-    $ch=curl_init($url);curl_setopt_array($ch,[CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>8,CURLOPT_SSL_VERIFYPEER=>0]);
+    $ch=curl_init($url);curl_setopt_array($ch,[CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>5,CURLOPT_CONNECTTIMEOUT=>3,CURLOPT_SSL_VERIFYPEER=>0]);
     $r=curl_exec($ch);$c=curl_getinfo($ch,CURLINFO_HTTP_CODE);curl_close($ch);
     return['name'=>$name,'code'=>$c,'ok'=>$c>=200&&$c<400,'size'=>strlen($r)];
 }
@@ -31,6 +35,5 @@ $t=[
 ];
 $fails=array_filter($t,fn($s)=>!$s['ok']);
 $ts=date('c');
-file_put_contents($log,"[$ts] ".count($t)."T ".count($fails)."F ".implode(',',array_map(fn($f)=>$f['name'],array_values($fails)))."
-",FILE_APPEND);
+@file_put_contents($log,"[$ts] ".count($t)."T ".count($fails)."F ".implode(',',array_map(fn($f)=>$f['name'],array_values($fails)))."\n",FILE_APPEND);
 echo json_encode(['ts'=>$ts,'total'=>count($t),'pass'=>count($t)-count($fails),'fail'=>count($fails),'services'=>$t]);
diff --git a/api/wevia-security-fortress.php b/api/wevia-security-fortress.php
index bacdf0bd0..9247a794f 100644
--- a/api/wevia-security-fortress.php
+++ b/api/wevia-security-fortress.php
@@ -1,4 +1,7 @@
 <?php
+// V88 hardened
+@set_time_limit(30);
+@ini_set("memory_limit", "128M");
 header('Content-Type: application/json');
 $action = $_GET['action'] ?? 'full';
 $results = ['timestamp' => date('Y-m-d H:i:s'), 'agent' => 'security-fortress', 'checks' => []];