@duckmind/deepquark-darwin-arm64 0.9.83 → 0.9.90

package/.deepquark/skills/bundled/knowledge-graph/workflows/HealthReport.md

@@ -0,0 +1,212 @@
+# Health Report Workflow
+
+**Objective:** Get detailed memory decay metrics, lifecycle state distribution, and knowledge graph health information.
+
+---
+
+## Step 1: Announce Workflow
+
+```bash
+~/.claude/Tools/SkillWorkflowNotification HealthReport MadeinozKnowledgeSystem
+```
+
+**Output to user:**
+```
+Running the **HealthReport** workflow from the **MadeinozKnowledgeSystem** skill...
+```
+
+---
+
+## Step 2: Get Knowledge Health Metrics
+
+**Use CLI (primary) for detailed health metrics:**
+
+```bash
+bun run tools/knowledge-cli.ts health_metrics
+```
+
+**Or use MCP tool (fallback only if CLI fails):**
+
+```typescript
+// Get comprehensive health report with decay metrics
+get_knowledge_health({})
+```
+
+**This returns:**
+- Memory counts by lifecycle state (ACTIVE, DORMANT, ARCHIVED, EXPIRED, SOFT_DELETED, PERMANENT)
+- Aggregate statistics (total, average decay, average importance, average stability)
+- Age distribution (under 7 days, 7-30 days, 30-90 days, over 90 days)
+- Last maintenance run information
+
+---
+
+## Step 3: Present Health Report
+
+**Format health information for user:**
+
+```markdown
+📊 **Knowledge Graph Health Report**
+ Memory Decay & Lifecycle Status
+
+---
+
+**🔄 Memory Lifecycle Distribution**
+
+| State | Count | Percentage | Description |
+|-------|-------|------------|-------------|
+| **ACTIVE** | [N] | [X]% | Recently accessed, full relevance |
+| **DORMANT** | [N] | [X]% | Not accessed 30+ days |
+| **ARCHIVED** | [N] | [X]% | Not accessed 90+ days |
+| **EXPIRED** | [N] | [X]% | Marked for deletion |
+| **SOFT_DELETED** | [N] | [X]% | Deleted but recoverable (90 days) |
+| **PERMANENT** | [N] | [X]% | Exempt from decay (importance ≥4, stability ≥4) |
+
+---
+
+**📈 Aggregate Metrics**
+
+**Total Memories:** [N] (excluding soft-deleted)
+
+**Decay Scores:**
+- Average Decay Score: [X.XX] (0.0 = fresh, 1.0 = fully decayed)
+- Decay Rate: [healthy/elevated/concerning]
+
+**Classification:**
+- Average Importance: [X.XX]/5.0 (1=trivial, 5=core)
+- Average Stability: [X.XX]/5.0 (1=volatile, 5=permanent)
+
+---
+
+**📅 Memory Age Distribution**
+
+| Age Bucket | Count | Percentage |
+|------------|-------|------------|
+| **Under 7 days** | [N] | [X]% |
+| **7-30 days** | [N] | [X]% |
+| **30-90 days** | [N] | [X]% |
+| **Over 90 days** | [N] | [X]% |
+
+---
+
+**⚙️ Last Maintenance**
+
+- **Last Run:** [date/time]
+- **Duration:** [X.XX] seconds
+- **Memories Processed:** [N]
+- **State Transitions:** [N]
+- **Decay Scores Updated:** [N]
+- **Soft-Deleted Purged:** [N]
+
+---
+
+**🎯 Health Status**
+
+Overall Status: [🟢 Healthy / 🟡 Warning / 🔴 Action Needed]
+
+**Recommendations:**
+- [Based on metrics above]
+```
+
+---
+
+## Health Indicators
+
+**🟢 Healthy Status:**
+- Average decay score < 0.4
+- Active memories > 50%
+- Dormant + Archived < 30%
+- No expired memories
+- Maintenance ran within last 7 days
+
+**🟡 Warning Status:**
+- Average decay score 0.4-0.6
+- Active memories 30-50%
+- Dormant + Archived 30-50%
+- Few expired memories (< 10)
+- Maintenance ran 7-14 days ago
+
+**🔴 Action Needed:**
+- Average decay score > 0.6
+- Active memories < 30%
+- Dormant + Archived > 50%
+- Many expired memories (> 10)
+- Maintenance not run in 14+ days
+
+---
+
+## Decay Score Interpretation
+
+**What Decay Scores Mean:**
+
+| Score Range | Interpretation | Action |
+|-------------|----------------|--------|
+| 0.0 - 0.2 | Fresh | No action needed |
+| 0.2 - 0.4 | Slightly stale | Consider re-accessing if important |
+| 0.4 - 0.6 | Moderately stale | May transition to DORMANT soon |
+| 0.6 - 0.8 | Significantly stale | Likely DORMANT/ARCHIVED, consider reviewing |
+| 0.8 - 1.0 | Fully decayed | Candidate for archival/deletion |
+
+**Factors Affecting Decay:**
+- **Time since last access** - Primary factor
+- **Stability score** - Higher stability = slower decay
+- **Importance score** - Higher importance = slower decay
+- **Permanent memories** (importance ≥4, stability ≥4) - Never decay
+
+---
+
+## Lifecycle State Transitions
+
+**Automatic Transitions (During Maintenance):**
+
+```
+ACTIVE → DORMANT (30+ days inactive, decay ≥ 0.3)
+   ↓
+DORMANT → ARCHIVED (90+ days inactive, decay ≥ 0.5)
+   ↓
+ARCHIVED → EXPIRED (180+ days inactive, decay ≥ 0.7, importance < 3)
+   ↓
+EXPIRED → SOFT_DELETED (on maintenance run)
+   ↓
+SOFT_DELETED → (purged after 90-day retention)
+```
+
+**Reactivation (On Access):**
+- Any access to DORMANT or ARCHIVED memory → immediately back to ACTIVE
+- Decay score resets to 0.0
+- Last accessed timestamp updated
+
+**Permanent Memories:**
+- Never transition from ACTIVE
+- Decay score always 0.0
+- Exempt from all lifecycle transitions
+
+---
+
+## Maintenance Recommendations
+
+**When to Run Maintenance:**
+
+1. **Scheduled:** Run weekly to recalculate decay scores
+2. **After bulk import:** Classify new memories
+3. **High decay scores:** Recalculate after significant time has passed
+4. **Before cleanup:** Identify expired memories for review
+
+**How to Run Maintenance:**
+
+See `RunMaintenance.md` workflow for detailed instructions.
+
+---
+
+## Integration with Other Workflows
+
+**Before:**
+- GetStatus - Ensure server is healthy before requesting health report
+
+**After:**
+- RunMaintenance - If health shows stale decay scores, run: `bun run tools/knowledge-cli.ts run_maintenance`
+- SearchKnowledge - Review memories in concerning lifecycle states
+
+**Related Workflows:**
+- `RunMaintenance.md` - Update decay scores and transition states
+- `GetStatus.md` - Check server operational health
+- `SearchKnowledge.md` - Find memories in specific lifecycle states

package/.deepquark/skills/bundled/knowledge-graph/workflows/InvestigateEntity.md

@@ -0,0 +1,142 @@
+# Investigative Search Workflow
+
+**Feature 020**: Graph traversal for entity connection analysis
+
+## Triggers
+
+- "investigate entity", "investigate [entity name]"
+- "find connections", "show connections", "entity connections"
+- "graph traversal", "connected entities", "entity network"
+- "threat hunting", "related entities", "link analysis"
+
+## Purpose
+
+Discover entities connected to a target entity through graph traversal, enabling:
+- **Threat Hunting**: Trace malware to threat actors, infrastructure, and campaigns
+- **OSINT Analysis**: Map relationships between accounts, domains, and investigations
+- **Knowledge Exploration**: Find related concepts, people, and organizations
+
+## Usage
+
+### Basic Investigation
+
+```bash
+# Investigate an entity (1-hop by default)
+bun run tools/knowledge-cli.ts investigate "apt28"
+
+# Investigate with deeper traversal
+bun run tools/knowledge-cli.ts investigate "apt28" --depth 2
+bun run tools/knowledge-cli.ts investigate "trinity-mini" --depth 3
+```
+
+### Filter by Relationship Type
+
+```bash
+# Only show specific relationship types
+bun run tools/knowledge-cli.ts investigate "apt28" --relationship-type attributed_to --relationship-type uses
+
+# Combine depth and relationship filters
+bun run tools/knowledge-cli.ts investigate "malware-x" --depth 2 --relationship-type variant_of
+```
+
+## Options
+
+| Option | Description | Default | Range |
+|--------|-------------|---------|-------|
+| `--depth <N>` | Traversal depth (hops from source) | 1 | 1-3 |
+| `--relationship-type` | Filter by relationship type (multiple allowed) | All types | Any valid type |
+
+## Output Format
+
+```
+Entity: [TYPE] name - summary
+Created: [timestamp] | Importance: [score] | Stability: [score]
+
+Connections (2-hop):
+  1. [RELATIONSHIP] target-name [TYPE] (hop 1)
+     → [RELATIONSHIP] next-target [TYPE] (hop 2)
+
+Investigation completed in 234ms
+```
+
+## Relationship Types
+
+**Standard**: related_to, contains, located_at, part_of
+
+**CTI (Feature 018)**:
+- `uses` - Malware uses TTPs
+- `targets` - Campaign targets organization
+- `attributed_to` - Attack attributed to threat actor
+- `exploits` - Malware exploits vulnerability
+- `variant_of` - Malware is variant of parent
+
+**OSINT (Feature 018)**:
+- `owns` - Person owns account
+- `hosted_on` - Domain hosted on infrastructure
+- `investigates` - Investigation investigates entity
+- `links_to` - Indicator links to infrastructure
+
+## Examples
+
+### Example 1: Threat Actor Investigation
+
+User: "Investigate apt28 connections"
+
+```bash
+bun run tools/knowledge-cli.ts investigate "apt28" --depth 2
+```
+
+Output:
+```
+Entity: THREAT_ACTOR APT28 - Russian state-sponsored threat actor
+Created: 2026-01-15 | Importance: 5 | Stability: 5
+
+Connections (2-hop):
+  1. [attributed_to] Sandworm Team [THREAT_ACTOR] (hop 1)
+  2. [uses] Covenant [MALWARE] (hop 1)
+     → [exploits] CVE-2023-1234 [VULNERABILITY] (hop 2)
+  3. [targets] Energy Sector [ORGANIZATION] (hop 1)
+  4. [uses] Sobek [MALWARE] (hop 1)
+     → [variant_of] Sombra [MALWARE] (hop 2)
+
+Investigation completed in 456ms
+```
+
+### Example 2: OSINT Account Analysis
+
+User: "Find connections to @suspicious_user"
+
+```bash
+bun run tools/knowledge-cli.ts investigate "@suspicious_user" --depth 2 --relationship-type owns
+```
+
+### Example 3: Malware Family Tracing
+
+User: "Show what trinity-mini connects to"
+
+```bash
+bun run tools/knowledge-cli.ts investigate "trinity-mini" --depth 3
+```
+
+## Use Cases
+
+| Domain | Example | Depth |
+|--------|---------|-------|
+| **Threat Intel** | Trace malware → threat actor → campaign | 2-3 |
+| **OSINT** | Map account → person → other accounts | 2 |
+| **Due Diligence** | Company → subsidiaries → executives | 2 |
+| **Research** | Concept → related concepts → documents | 1-2 |
+
+## Performance Notes
+
+- **Depth 1**: < 100ms typical
+- **Depth 2**: 100-500ms typical
+- **Depth 3**: 500-2000ms typical (highly connected entities)
+
+**Warning**: Entities with 500+ connections may trigger performance alerts.
+
+## Related Workflows
+
+- **SearchKnowledge** - Find entities by semantic search
+- **SearchFacts** - Find specific relationships
+- **OntologyManagement** - Configure custom entity/relationship types

package/.deepquark/skills/bundled/knowledge-graph/workflows/OntologyManagement.md

@@ -0,0 +1,201 @@
+# Ontology Management Workflow
+
+**Feature 018**: OSINT/CTI custom entity and relationship types
+
+## Triggers
+
+- "list ontology", "custom entity types", "CTI entities", "OSINT entities"
+- "ontology config", "validate ontology", "check ontology"
+- "reload ontology", "refresh ontology types"
+
+## Purpose
+
+Manage custom entity types and relationship types for Cyber Threat Intelligence (CTI) and Open Source Intelligence (OSINT) workflows.
+
+## OSINT/CTI Entity Types
+
+### CTI Entities
+
+| Type | Description | Example |
+|------|-------------|---------|
+| **ThreatActor** | Malicious actors, APT groups | APT28, Sandworm |
+| **Malware** | Malicious software, ransomware | LockBit 3.0, TrickBot |
+| **Vulnerability** | CVE, security flaws | CVE-2023-23397 |
+| **Campaign** | Coordinated threat activities | Operation Winter Vivern |
+| **Indicator** | IoCs, hashes, IPs, domains | 192.168.1.1, malware.exe |
+| **Infrastructure** | C2 servers, attack infrastructure | malicious-c2[.]com |
+| **TTP** | Tactics, Techniques, Procedures | Phishing, Lateral Movement |
+
+### OSINT Entities
+
+| Type | Description | Example |
+|------|-------------|---------|
+| **Account** | Social media, email accounts | @target_user, admin@example.com |
+| **Domain** | Registered domains, DNS | suspicious-domain[.]com |
+| **Email** | Email addresses | target@company.com |
+| **Phone** | Phone numbers, mobile devices | +1-555-0123 |
+| **Image** | Photos, screenshots, media | evidence_screenshot.png |
+| **Investigation** | OSINT investigations, cases | Case-2024-001 |
+
+## Relationship Types
+
+### CTI Relationships
+
+| Relationship | From → To | Example |
+|--------------|-----------|---------|
+| `uses` | ThreatActor/Malware → TTP | APT28 uses Phishing |
+| `targets` | ThreatActor/Campaign → Org | APT28 targets Energy Sector |
+| `attributed_to` | Attack → ThreatActor | Attack attributed to APT28 |
+| `exploits` | Malware → Vulnerability | LockBit exploits CVE-2023-1234 |
+| `variant_of` | Malware → Malware | BlackCat variant of ALPHV |
+| `located_at` | Infrastructure → Location | C2 located_at Russia |
+| `communicates_with` | Infrastructure → Infrastructure | Bot1 communicates_with C2 |
+| `associated_with` | Any → Any | Campaign associated_with ThreatActor |
+
+### OSINT Relationships
+
+| Relationship | From → To | Example |
+|--------------|-----------|---------|
+| `owns` | Person → Account | User owns @twitter_handle |
+| `registered_to` | Domain → Person/Org | Domain registered_to John Doe |
+| `hosted_on` | Domain → Infrastructure | Domain hosted_on 1.2.3.4 |
+| `contacted_via` | Person → Phone/Email | User contacted_via phone |
+| `contains` | Investigation → Evidence | Case contains image |
+| `investigates` | Investigation → Entity | Case investigates ThreatActor |
+| `links_to` | Indicator → Infrastructure | IP links_to Domain |
+| `exposes` | Evidence → Entity | Screenshot exposes Account |
+
+## CLI Commands
+
+### List Ontology Types
+
+```bash
+# Show all custom entity and relationship types
+bun run tools/knowledge-cli.ts ontology:list
+```
+
+Output:
+```
+Custom Entity Types (13):
+  CTI: ThreatActor, Malware, Vulnerability, Campaign, Indicator, Infrastructure, TTP
+  OSINT: Account, Domain, Email, Phone, Image, Investigation
+
+Custom Relationship Types (17):
+  CTI: uses, targets, attributed_to, exploits, variant_of, located_at, communicates_with, associated_with
+  OSINT: owns, registered_to, hosted_on, contacted_via, contains, investigates, links_to, exposes
+
+Configured from: config/ontology-types.yaml
+Template: cti-base (7 entity types, 8 relationship types)
+Loaded: 2026-02-04T12:00:00Z
+```
+
+### Validate Ontology
+
+```bash
+# Validate ontology configuration
+bun run tools/knowledge-cli.ts ontology:validate
+```
+
+Output:
+```
+✓ Ontology configuration is valid
+  - 13 entity types defined
+  - 17 relationship types defined
+  - No duplicate type names
+  - No invalid YAML syntax
+```
+
+### Reload Ontology
+
+```bash
+# Hot-reload ontology configuration (no restart required)
+bun run tools/knowledge-cli.ts ontology:reload
+```
+
+Use after editing `config/ontology-types.yaml` or `config/ontologies/` templates.
+
+## Configuration
+
+Ontology types are configured in `config/ontology-types.yaml`:
+
+```yaml
+custom_entity_types:
+  cti:
+    - ThreatActor
+    - Malware
+    - Vulnerability
+    - Campaign
+    - Indicator
+    - Infrastructure
+    - TTP
+  osint:
+    - Account
+    - Domain
+    - Email
+    - Phone
+    - Image
+    - Investigation
+
+custom_relationship_types:
+  cti:
+    - uses
+    - targets
+    - attributed_to
+    # ... more types
+  osint:
+    - owns
+    - registered_to
+    # ... more types
+```
+
+## Templates
+
+Pre-built ontology templates available in `config/ontologies/`:
+
+| Template | Description | File |
+|----------|-------------|------|
+| `cti-base` | Basic CTI entities (7) | `cti-base.yaml` |
+| `mitre-attack` | MITRE ATT&CK aligned | `mitre-attack.yaml` |
+| `osint-base` | OSINT entities (6) | `osint-base.yaml` |
+
+Switch templates by editing `config/ontology-types.yaml` and reloading.
+
+## Examples
+
+### Example 1: List Available Types
+
+User: "What entity types are available?"
+
+```bash
+bun run tools/knowledge-cli.ts ontology:list
+```
+
+### Example 2: Validate After Edit
+
+User: "Check if my ontology config is valid"
+
+```bash
+bun run tools/knowledge-cli.ts ontology:validate
+```
+
+### Example 3: Apply New Configuration
+
+User: "I added custom types, reload the config"
+
+```bash
+bun run tools/knowledge-cli.ts ontology:reload
+```
+
+## Related Workflows
+
+- **InvestigateEntity** - Use custom entity types for graph traversal
+- **StixImport** - Import STIX 2.1 bundles with custom types
+- **CaptureEpisode** - Episodes automatically extract custom entities
+
+## MCP Tools
+
+| Tool | Description |
+|------|-------------|
+| `list_ontology_types` | List custom entity and relationship types |
+| `validate_ontology` | Validate ontology configuration |
+| `reload_ontology` | Hot-reload ontology from config file |