diff --git a/KNOWN_ISSUES.md b/KNOWN_ISSUES.md
index 229431b..b926bf4 100644
--- a/KNOWN_ISSUES.md
+++ b/KNOWN_ISSUES.md
@@ -14,13 +14,13 @@ The MITM proxy matches intercepted API traffic to cascade IDs by scanning for `m
 
 ---
 
-### 2. Domain Certificate Cache Is Unbounded
+### ~~2. Domain Certificate Cache Is Unbounded~~ ✅ FIXED
 
 **File:** `src/mitm/ca.rs` — `domain_cache`
 
-The `domain_cache` (`HashMap<String, Arc<ServerConfig>>`) grows without bound. Each unique domain gets a cached entry containing a full `ServerConfig` with an RSA key pair. In practice, only ~5–10 domains are intercepted so this is unlikely to matter, but there's no eviction.
+~~The `domain_cache` (`HashMap<String, Arc<ServerConfig>>`) grows without bound.~~
 
-**Fix:** Set a max cache size (e.g., 100 entries) with LRU eviction, or use a TTL since leaf certs are generated with a 1-year validity.
+**Fixed:** Added a 64-entry cap with clear-on-overflow. In practice only ~5-10 domains are ever intercepted, so this is a safety valve. Full LRU would be overkill.
 
 ---
 
diff --git a/src/mitm/ca.rs b/src/mitm/ca.rs
index eda8edf..000b656 100644
--- a/src/mitm/ca.rs
+++ b/src/mitm/ca.rs
@@ -207,9 +207,12 @@ impl MitmCa {
 
         let config = Arc::new(config);
 
-        // Cache it
+        // Cache it (cap at 64 entries — in practice only ~5-10 domains are seen)
         {
             let mut cache = self.domain_cache.write().await;
+            if cache.len() >= 64 {
+                cache.clear();
+            }
             cache.insert(domain.to_string(), config.clone());
         }