@hasna/knowledge 0.2.6 → 0.2.8

package/src/cli.ts

@@ -6,11 +6,13 @@
  */
 import { defaultStorePath, loadStore, saveStore, withLock, makeId, makeShortId, ensureStore, type KnowledgeItem } from './store';
 import { ensureKnowledgeWorkspace, readKnowledgeConfig, resolveScopedWorkspace } from './workspace';
-import { getKnowledgeDbStats, migrateKnowledgeDb } from './knowledge-db';
+import { getKnowledgeDbStats, migrateKnowledgeDb, openKnowledgeDb } from './knowledge-db';
 import { createArtifactStore } from './artifact-store';
 import { initializeWikiLayout } from './wiki-layout';
 import { ingestOpenFilesManifest } from './manifest-ingest';
 import { consumeOpenFilesOutbox } from './outbox-consume';
+import { resolveOpenFilesSource } from './source-resolver';
+import { approvalStatus, assertS3ReadAllowed, assertWebSearchAllowed, createApprovalGate, recordAuditEvent, recordRedactionFindings, redactSecrets, resolveSafetyPolicy } from './safety';
 import pkg from '../package.json' with { type: 'json' };
 
 type LogLevel = 'debug' | 'info' | 'warn' | 'error';
@@ -48,6 +50,7 @@ interface Flags {
   tag?: string;
   format?: string;
   completions?: string;
+  purpose?: string;
   noColor?: boolean;
   scope?: string;
   olderThan?: number;
@@ -61,7 +64,7 @@ interface ParseResult {
   flags: Flags;
 }
 
-const COMMANDS = ['add', 'list', 'get', 'delete', 'update', 'archive', 'restore', 'upsert', 'untag', 'export', 'prune', 'dedupe', 'stats', 'paths', 'db', 'wiki', 'ingest', 'reindex', 'help'];
+const COMMANDS = ['add', 'list', 'get', 'delete', 'update', 'archive', 'restore', 'upsert', 'untag', 'export', 'prune', 'dedupe', 'stats', 'paths', 'db', 'wiki', 'source', 'ingest', 'reindex', 'safety', 'help'];
 const COMMAND_ALIASES: Record<string, string> = {
   ls: 'list',
   rm: 'delete',
@@ -96,6 +99,7 @@ function parseArgs(argv: string[]): ParseResult {
       case '--tag': case '-t': flags.tag = argv[i + 1]; i += 1; break;
       case '--format': flags.format = argv[i + 1]; i += 1; break;
       case '--completions': flags.completions = argv[i + 1]; i += 1; break;
+      case '--purpose': flags.purpose = argv[i + 1]; i += 1; break;
       case '--no-color': flags.noColor = true; break;
       case '--scope': flags.scope = argv[i + 1]; i += 1; break;
       case '--older-than': flags.olderThan = Number(argv[i + 1]); i += 1; break;
@@ -164,13 +168,16 @@ Commands:
   paths                        Show resolved workspace/store paths
   db init|stats                Initialize or inspect local knowledge.db
   wiki init                    Initialize scalable wiki/schema/index/log artifacts
+  source resolve <source-ref>  Resolve read-only source content and citation evidence
   ingest manifest <file|s3://> Ingest an open-files manifest into knowledge.db
   reindex outbox <file|s3://>  Consume open-files change events and invalidate chunks
+  safety status|check|approve|audit|redact
   help [command]               Show help
 
 Global Options:
   --json                      Output JSON
   --store <path>              Override store path
+  --purpose <name>            Read-only source purpose (default: knowledge_answer)
   --scope local|global|project  Store scope (default: global ~/.hasna/apps/knowledge/)
   --no-color                  Disable color output
   --completions <shell>       Output completions for bash|zsh|fish
@@ -227,8 +234,10 @@ function printCommandHelp(command: string): void {
   if (command === 'paths') { console.log('Usage: open-knowledge paths [--scope local|global|project] [--json]'); return; }
   if (command === 'db') { console.log('Usage: open-knowledge db init|stats [--scope local|global|project] [--json]'); return; }
   if (command === 'wiki') { console.log('Usage: open-knowledge wiki init [--scope local|global|project] [--json]'); return; }
+  if (command === 'source') { console.log('Usage: open-knowledge source resolve <source-ref> [--purpose knowledge_answer|knowledge_index] [--limit <n>] [--scope local|global|project] [--json]'); return; }
   if (command === 'ingest') { console.log('Usage: open-knowledge ingest manifest <file|s3://bucket/key> [--scope local|global|project] [--json]'); return; }
   if (command === 'reindex') { console.log('Usage: open-knowledge reindex outbox <file|s3://bucket/key> [--scope local|global|project] [--json]'); return; }
+  if (command === 'safety') { console.log('Usage: open-knowledge safety status|check|approve|audit|redact [args] [--scope local|global|project] [--json]'); return; }
   printGlobalHelp();
 }
 
@@ -273,11 +282,11 @@ async function run(argv: string[]): Promise<void> {
   if (flags.completions) {
     const shell = flags.completions;
     if (shell === 'bash') {
-      console.log(`_open_knowledge() { local cur; cur="${"$"}{COMP_WORDS[COMP_CWORD]}"; COMPREPLY=($(compgen -W "add list get update archive restore upsert untag delete export prune dedupe stats paths db wiki ingest reindex help ls rm edit unarchive --json --yes --help --version --desc --page --limit --search --sort --id --store --title --content --url --tag --format --completions --no-color --scope --archived --include-archived" -- "$cur")); }; complete -F _open_knowledge open-knowledge`);
+      console.log(`_open_knowledge() { local cur; cur="${"$"}{COMP_WORDS[COMP_CWORD]}"; COMPREPLY=($(compgen -W "add list get update archive restore upsert untag delete export prune dedupe stats paths db wiki source ingest reindex safety help ls rm edit unarchive --json --yes --help --version --desc --page --limit --search --sort --id --store --title --content --url --tag --format --completions --purpose --no-color --scope --archived --include-archived" -- "$cur")); }; complete -F _open_knowledge open-knowledge`);
     } else if (shell === 'zsh') {
-      console.log(`#compdef open-knowledge\n_open_knowledge() { _arguments -C "1: :(add list get update archive restore upsert untag delete export prune dedupe stats paths db wiki ingest reindex help ls rm edit unarchive)" "(--json)--json" "(--yes)-y" "(--help)--help" "(--version)--version" "(--desc)--desc" "(--archived)--archived" "(--include-archived)--include-archived" "(-p --page)"{-p,--page}"[page number]:number:" "(-l --limit)"{-l,--limit}"[items per page]:number:" "(-s --search)"{-s,--search}"[search text]:text:" "(--sort)--sort"\{created,title\}:" "(--id)--id[item id]:id:" "(--store)--store[store path]:path:" "(--title)--title[new title]:" "(--content)--content[new content]:" "(--url)--url[source url]:" "(-t --tag)"{-t,--tag}"[tag]:tag:" "(--format)--format[json|jsonl]:" "(--completions)--completions[output completions]:shell:(bash zsh fish):" "(--no-color)--no-color[disable color]" "(--scope)--scope"\{local,global,project\}:" }; _open_knowledge`);
+      console.log(`#compdef open-knowledge\n_open_knowledge() { _arguments -C "1: :(add list get update archive restore upsert untag delete export prune dedupe stats paths db wiki source ingest reindex safety help ls rm edit unarchive)" "(--json)--json" "(--yes)-y" "(--help)--help" "(--version)--version" "(--desc)--desc" "(--archived)--archived" "(--include-archived)--include-archived" "(-p --page)"{-p,--page}"[page number]:number:" "(-l --limit)"{-l,--limit}"[items per page]:number:" "(-s --search)"{-s,--search}"[search text]:text:" "(--sort)--sort"\{created,title\}:" "(--id)--id[item id]:id:" "(--store)--store[store path]:path:" "(--title)--title[new title]:" "(--content)--content[new content]:" "(--url)--url[source url]:" "(-t --tag)"{-t,--tag}"[tag]:tag:" "(--format)--format[json|jsonl]:" "(--completions)--completions[output completions]:shell:(bash zsh fish):" "(--purpose)--purpose[purpose]:" "(--no-color)--no-color[disable color]" "(--scope)--scope"\{local,global,project\}:" }; _open_knowledge`);
     } else if (shell === 'fish') {
-      console.log(`complete -c open-knowledge -f; complete -c open-knowledge -a "add list get update archive restore upsert untag delete export prune dedupe stats paths db wiki ingest reindex help ls rm edit unarchive"; complete -c open-knowledge -l json; complete -c open-knowledge -l yes -s y; complete -c open-knowledge -l help -s h; complete -c open-knowledge -l version -s v; complete -c open-knowledge -l desc; complete -c open-knowledge -l archived; complete -c open-knowledge -l include-archived; complete -c open-knowledge -s p -l page; complete -c open-knowledge -s l -l limit; complete -c open-knowledge -s s -l search; complete -c open-knowledge -l sort; complete -c open-knowledge -l id; complete -c open-knowledge -l store; complete -c open-knowledge -l title; complete -c open-knowledge -l content; complete -c open-knowledge -l url; complete -c open-knowledge -s t -l tag; complete -c open-knowledge -l format; complete -c open-knowledge -l completions; complete -c open-knowledge -l no-color; complete -c open-knowledge -l scope -a "local global project"`);
+      console.log(`complete -c open-knowledge -f; complete -c open-knowledge -a "add list get update archive restore upsert untag delete export prune dedupe stats paths db wiki source ingest reindex safety help ls rm edit unarchive"; complete -c open-knowledge -l json; complete -c open-knowledge -l yes -s y; complete -c open-knowledge -l help -s h; complete -c open-knowledge -l version -s v; complete -c open-knowledge -l desc; complete -c open-knowledge -l archived; complete -c open-knowledge -l include-archived; complete -c open-knowledge -s p -l page; complete -c open-knowledge -s l -l limit; complete -c open-knowledge -s s -l search; complete -c open-knowledge -l sort; complete -c open-knowledge -l id; complete -c open-knowledge -l store; complete -c open-knowledge -l title; complete -c open-knowledge -l content; complete -c open-knowledge -l url; complete -c open-knowledge -s t -l tag; complete -c open-knowledge -l format; complete -c open-knowledge -l completions; complete -c open-knowledge -l purpose; complete -c open-knowledge -l no-color; complete -c open-knowledge -l scope -a "local global project"`);
     } else {
       throw new Error("Invalid --completions value. Use 'bash', 'zsh', or 'fish'.");
     }
@@ -347,6 +356,157 @@ async function run(argv: string[]): Promise<void> {
     return;
   }
 
+  if (command === 'safety') {
+    const action = positional[1] ?? 'status';
+    const resolvedWorkspace = ensureKnowledgeWorkspace(workspace.home);
+    const config = readKnowledgeConfig(resolvedWorkspace.configPath);
+    const policy = resolveSafetyPolicy(config, resolvedWorkspace);
+    migrateKnowledgeDb(resolvedWorkspace.knowledgeDbPath);
+    const db = openKnowledgeDb(resolvedWorkspace.knowledgeDbPath);
+    try {
+      if (action === 'status') {
+        output({
+          ok: true,
+          mode: policy.mode,
+          workspace: resolvedWorkspace.home,
+          allow_write_roots: policy.allowWriteRoots,
+          read_only_source_access: policy.readOnlySourceAccess,
+          network: policy.network,
+          redaction: policy.redaction,
+          approvals: policy.approvals,
+          message: `Safety policy: ${policy.mode}`,
+        }, flags.json);
+        return;
+      }
+      if (action === 'check') {
+        const checkAction = positional[2] ?? 'generated_write';
+        const target = positional[3] ?? null;
+        let decision: ReturnType<typeof approvalStatus> | { action: string; target_uri: string | null; approval_required: false; approved: boolean; decision: string };
+        try {
+          if (checkAction === 'web_search') {
+            assertWebSearchAllowed(policy);
+            decision = { action: checkAction, target_uri: target, approval_required: false, approved: true, decision: 'allow' };
+          } else if (checkAction === 's3_read') {
+            if (!target) throw new Error('safety check s3_read requires an s3:// target.');
+            assertS3ReadAllowed(target, policy);
+            decision = { action: checkAction, target_uri: target, approval_required: false, approved: true, decision: 'allow' };
+          } else {
+            decision = approvalStatus(db, policy, checkAction, target);
+          }
+          recordAuditEvent(db, {
+            event_type: 'safety_check',
+            action: checkAction,
+            target_uri: target,
+            decision: decision.decision === 'allow' ? 'allow' : 'requires_approval',
+            metadata: decision,
+          });
+          output({ ok: true, ...decision, message: `Safety check ${decision.decision}` }, flags.json);
+          return;
+        } catch (error) {
+          recordAuditEvent(db, {
+            event_type: 'safety_check',
+            action: checkAction,
+            target_uri: target,
+            decision: 'deny',
+            metadata: { error: error instanceof Error ? error.message : String(error) },
+          });
+          throw error;
+        }
+      }
+      if (action === 'approve') {
+        const approveAction = positional[2] ?? 'generated_write';
+        const target = positional[3] ?? null;
+        const approval = createApprovalGate(db, {
+          action: approveAction,
+          target_uri: target,
+          reason: 'local-cli approval',
+          metadata: { scope: flags.scope ?? 'global' },
+        });
+        recordAuditEvent(db, {
+          event_type: 'approval',
+          action: approveAction,
+          target_uri: target,
+          decision: 'allow',
+          metadata: { approval_id: approval.id },
+        });
+        output({ ok: true, ...approval, action: approveAction, target_uri: target, message: `Approved ${approveAction}` }, flags.json);
+        return;
+      }
+      if (action === 'audit') {
+        const rows = db.query<{
+          id: string;
+          event_type: string;
+          action: string;
+          target_uri: string | null;
+          decision: string;
+          metadata_json: string;
+          created_at: string;
+        }, []>(
+          'SELECT id, event_type, action, target_uri, decision, metadata_json, created_at FROM audit_events ORDER BY created_at DESC LIMIT 50',
+        ).all().map((row) => ({
+          id: row.id,
+          event_type: row.event_type,
+          action: row.action,
+          target_uri: row.target_uri,
+          decision: row.decision,
+          metadata: JSON.parse(row.metadata_json),
+          created_at: row.created_at,
+        }));
+        output({ ok: true, events: rows, message: `${rows.length} audit event(s)` }, flags.json);
+        return;
+      }
+      if (action === 'redact') {
+        const text = positional.slice(2).join(' ');
+        if (!text) throw new Error('Usage: open-knowledge safety redact <text>');
+        const result = redactSecrets(text, policy);
+        if (result.findings.length > 0) {
+          recordRedactionFindings(db, {
+            source_uri: 'safety://redact',
+            findings: result.findings,
+            metadata: { command: 'safety redact' },
+          });
+        }
+        recordAuditEvent(db, {
+          event_type: 'redaction',
+          action: 'safety_redact',
+          target_uri: 'safety://redact',
+          decision: result.findings.length > 0 ? 'redacted' : 'allow',
+          metadata: { findings: result.findings.length },
+        });
+        output({ ok: true, text: result.text, findings: result.findings, message: `Redacted ${result.findings.length} finding(s)` }, flags.json);
+        return;
+      }
+      throw new Error("Invalid safety action. Use 'status', 'check', 'approve', 'audit', or 'redact'.");
+    } finally {
+      db.close();
+    }
+  }
+
+  if (command === 'source') {
+    const action = positional[1] ?? '';
+    if (action !== 'resolve') throw new Error("Invalid source action. Use 'resolve'.");
+    const sourceRef = positional[2];
+    if (!sourceRef) throw new Error('Usage: open-knowledge source resolve <source-ref>');
+    const resolvedWorkspace = ensureKnowledgeWorkspace(workspace.home);
+    const config = readKnowledgeConfig(resolvedWorkspace.configPath);
+    const safetyPolicy = resolveSafetyPolicy(config, resolvedWorkspace);
+    const result = await resolveOpenFilesSource({
+      dbPath: resolvedWorkspace.knowledgeDbPath,
+      sourceRef,
+      purpose: flags.purpose,
+      limit: flags.limit,
+      safetyPolicy,
+    });
+    output({
+      ok: true,
+      ...result,
+      message: result.resolved
+        ? `Resolved ${result.source_ref} (${result.content.chunks_returned}/${result.content.chunks_total} chunks)`
+        : `Source not indexed: ${sourceRef}`,
+    }, flags.json);
+    return;
+  }
+
   if (command === 'ingest') {
     const action = positional[1] ?? '';
     if (action !== 'manifest') throw new Error("Invalid ingest action. Use 'manifest'.");
@@ -354,10 +514,12 @@ async function run(argv: string[]): Promise<void> {
     if (!input) throw new Error('Usage: open-knowledge ingest manifest <file|s3://bucket/key>');
     const resolvedWorkspace = ensureKnowledgeWorkspace(workspace.home);
     const config = readKnowledgeConfig(resolvedWorkspace.configPath);
+    const safetyPolicy = resolveSafetyPolicy(config, resolvedWorkspace);
     const result = await ingestOpenFilesManifest({
       dbPath: resolvedWorkspace.knowledgeDbPath,
       input,
       config,
+      safetyPolicy,
     });
     output({ ok: true, ...result, message: `Ingested ${result.items_seen} manifest item(s)` }, flags.json);
     return;
@@ -370,10 +532,12 @@ async function run(argv: string[]): Promise<void> {
     if (!input) throw new Error('Usage: open-knowledge reindex outbox <file|s3://bucket/key>');
     const resolvedWorkspace = ensureKnowledgeWorkspace(workspace.home);
     const config = readKnowledgeConfig(resolvedWorkspace.configPath);
+    const safetyPolicy = resolveSafetyPolicy(config, resolvedWorkspace);
     const result = await consumeOpenFilesOutbox({
       dbPath: resolvedWorkspace.knowledgeDbPath,
       input,
       config,
+      safetyPolicy,
     });
     output({ ok: true, ...result, message: `Consumed ${result.events_seen} outbox event(s)` }, flags.json);
     return;

package/src/knowledge-db.ts

@@ -1,7 +1,7 @@
 import { Database } from 'bun:sqlite';
 import { ensureParentDir } from './workspace';
 
-export const CURRENT_SCHEMA_VERSION = 2;
+export const CURRENT_SCHEMA_VERSION = 3;
 
 export interface KnowledgeDbStats {
   schema_version: number;
@@ -13,6 +13,9 @@ export interface KnowledgeDbStats {
   indexes: number;
   runs: number;
   run_events: number;
+  redaction_findings: number;
+  audit_events: number;
+  approval_gates: number;
 }
 
 const MIGRATION_1 = `
@@ -199,6 +202,39 @@ INSERT OR IGNORE INTO schema_versions(version, applied_at)
 VALUES (2, datetime('now'));
 `;
 
+const MIGRATION_3 = `
+CREATE TABLE IF NOT EXISTS audit_events (
+  id TEXT PRIMARY KEY,
+  event_type TEXT NOT NULL,
+  action TEXT NOT NULL,
+  target_uri TEXT,
+  decision TEXT NOT NULL,
+  metadata_json TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS approval_gates (
+  id TEXT PRIMARY KEY,
+  action TEXT NOT NULL,
+  target_uri TEXT,
+  status TEXT NOT NULL,
+  reason TEXT,
+  approved_by TEXT,
+  metadata_json TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_events_action ON audit_events(action);
+CREATE INDEX IF NOT EXISTS idx_audit_events_target ON audit_events(target_uri);
+CREATE INDEX IF NOT EXISTS idx_audit_events_created ON audit_events(created_at);
+CREATE INDEX IF NOT EXISTS idx_approval_gates_action ON approval_gates(action);
+CREATE INDEX IF NOT EXISTS idx_approval_gates_status ON approval_gates(status);
+
+INSERT OR IGNORE INTO schema_versions(version, applied_at)
+VALUES (3, datetime('now'));
+`;
+
 export function openKnowledgeDb(path: string): Database {
   ensureParentDir(path);
   const db = new Database(path);
@@ -211,6 +247,7 @@ export function migrateKnowledgeDb(path: string): { path: string; schema_version
   try {
     db.exec(MIGRATION_1);
     if (getSchemaVersion(db) < 2) db.exec(MIGRATION_2);
+    if (getSchemaVersion(db) < 3) db.exec(MIGRATION_3);
     return { path, schema_version: getSchemaVersion(db) };
   } finally {
     db.close();
@@ -240,6 +277,9 @@ export function getKnowledgeDbStats(path: string): KnowledgeDbStats {
       indexes: count(db, 'knowledge_indexes'),
       runs: count(db, 'runs'),
       run_events: count(db, 'run_events'),
+      redaction_findings: count(db, 'redaction_findings'),
+      audit_events: count(db, 'audit_events'),
+      approval_gates: count(db, 'approval_gates'),
     };
   } finally {
     db.close();

package/src/manifest-ingest.ts

@@ -5,11 +5,20 @@ import type { Database } from 'bun:sqlite';
 import { migrateKnowledgeDb, openKnowledgeDb } from './knowledge-db';
 import { parseSourceRef, type SourceRef } from './source-ref';
 import type { KnowledgeConfig } from './workspace';
+import {
+  assertS3ReadAllowed,
+  assertWriteAllowed,
+  recordAuditEvent,
+  recordRedactionFindings,
+  redactSecrets,
+  type SafetyPolicy,
+} from './safety';
 
 export interface ManifestIngestOptions {
   dbPath: string;
   input: string;
   config?: KnowledgeConfig;
+  safetyPolicy?: SafetyPolicy;
   now?: Date;
   maxChunkChars?: number;
   chunkOverlapChars?: number;
@@ -23,6 +32,7 @@ export interface ManifestIngestResult {
   revisions_upserted: number;
   chunks_inserted: number;
   chunks_deleted: number;
+  redactions: number;
   skipped: number;
 }
 
@@ -209,11 +219,12 @@ function parseManifestText(text: string): ManifestObject[] {
   });
 }
 
-async function readS3Text(uri: string, config?: KnowledgeConfig): Promise<string> {
+async function readS3Text(uri: string, config?: KnowledgeConfig, safetyPolicy?: SafetyPolicy): Promise<string> {
   const parsed = new URL(uri);
   const bucket = parsed.hostname;
   const key = decodeURIComponent(parsed.pathname.replace(/^\/+/, ''));
   if (!bucket || !key) throw new Error(`Invalid S3 manifest URI: ${uri}`);
+  if (safetyPolicy) assertS3ReadAllowed(uri, safetyPolicy);
   const [{ S3Client, GetObjectCommand }, { fromIni }] = await Promise.all([
     import('@aws-sdk/client-s3'),
     import('@aws-sdk/credential-providers'),
@@ -229,8 +240,8 @@ async function readS3Text(uri: string, config?: KnowledgeConfig): Promise<string
   return await response.Body.transformToString();
 }
 
-async function readManifestInput(input: string, config?: KnowledgeConfig): Promise<string> {
-  if (input.startsWith('s3://')) return readS3Text(input, config);
+async function readManifestInput(input: string, config?: KnowledgeConfig, safetyPolicy?: SafetyPolicy): Promise<string> {
+  if (input.startsWith('s3://')) return readS3Text(input, config, safetyPolicy);
   if (!existsSync(input)) throw new Error(`Manifest not found: ${input}`);
   return readFileSync(input, 'utf8');
 }
@@ -338,9 +349,26 @@ function upsertRevision(db: Database, sourceId: string, item: NormalizedManifest
   return row.id;
 }
 
-function insertChunks(db: Database, sourceRevisionId: string, item: NormalizedManifestItem, now: string, maxChars: number, overlapChars: number): number {
-  if (!item.text || item.status.toLowerCase() === 'deleted') return 0;
-  const chunks = chunkText(item.text, maxChars, overlapChars);
+function insertChunks(db: Database, sourceRevisionId: string, item: NormalizedManifestItem, now: string, maxChars: number, overlapChars: number, safetyPolicy?: SafetyPolicy): { chunksInserted: number; redactions: number } {
+  if (!item.text || item.status.toLowerCase() === 'deleted') return { chunksInserted: 0, redactions: 0 };
+  const redacted = redactSecrets(item.text, safetyPolicy);
+  if (redacted.findings.length > 0) {
+    recordRedactionFindings(db, {
+      source_uri: item.sourceUri,
+      findings: redacted.findings,
+      metadata: { source_ref: item.sourceRef, revision: item.revision },
+      created_at: now,
+    });
+    recordAuditEvent(db, {
+      event_type: 'redaction',
+      action: 'source_text_redact',
+      target_uri: item.sourceUri,
+      decision: 'redacted',
+      metadata: { findings: redacted.findings.length, source_ref: item.sourceRef, revision: item.revision },
+      created_at: now,
+    });
+  }
+  const chunks = chunkText(redacted.text, maxChars, overlapChars);
   for (const chunk of chunks) {
     const chunkId = stableId('chk', `${sourceRevisionId}\u0000${chunk.ordinal}\u0000${chunk.text}`);
     const metadata = {
@@ -373,7 +401,7 @@ function insertChunks(db: Database, sourceRevisionId: string, item: NormalizedMa
       [chunkId, chunk.text, item.title ?? '', item.sourceUri],
     );
   }
-  return chunks.length;
+  return { chunksInserted: chunks.length, redactions: redacted.findings.length };
 }
 
 export async function ingestOpenFilesManifest(options: ManifestIngestOptions): Promise<ManifestIngestResult> {
@@ -383,8 +411,9 @@ export async function ingestOpenFilesManifest(options: ManifestIngestOptions): P
   if (maxChunkChars < 500) throw new Error('maxChunkChars must be at least 500.');
   if (chunkOverlapChars < 0 || chunkOverlapChars >= maxChunkChars) throw new Error('chunkOverlapChars must be less than maxChunkChars.');
 
+  if (options.safetyPolicy) assertWriteAllowed(options.dbPath, options.safetyPolicy);
   migrateKnowledgeDb(options.dbPath);
-  const text = await readManifestInput(options.input, options.config);
+  const text = await readManifestInput(options.input, options.config, options.safetyPolicy);
   const items = parseManifestText(text);
   const db = openKnowledgeDb(options.dbPath);
   try {
@@ -393,7 +422,16 @@ export async function ingestOpenFilesManifest(options: ManifestIngestOptions): P
       const seenRevisions = new Set<string>();
       let chunksInserted = 0;
       let chunksDeleted = 0;
+      let redactions = 0;
       let skipped = 0;
+      recordAuditEvent(db, {
+        event_type: 'source_read',
+        action: options.input.startsWith('s3://') ? 's3_manifest_read' : 'local_manifest_read',
+        target_uri: options.input,
+        decision: 'allow',
+        metadata: { items: items.length, read_only: true },
+        created_at: now,
+      });
       for (const raw of items) {
         const item = normalizeManifestItem(raw, now);
         const sourceId = upsertSource(db, item, now);
@@ -403,8 +441,18 @@ export async function ingestOpenFilesManifest(options: ManifestIngestOptions): P
         if (item.text || item.status.toLowerCase() === 'deleted') {
           chunksDeleted += deleteChunksForRevision(db, revisionId);
         }
-        chunksInserted += insertChunks(db, revisionId, item, now, maxChunkChars, chunkOverlapChars);
+        const inserted = insertChunks(db, revisionId, item, now, maxChunkChars, chunkOverlapChars, options.safetyPolicy);
+        chunksInserted += inserted.chunksInserted;
+        redactions += inserted.redactions;
       }
+      recordAuditEvent(db, {
+        event_type: 'write',
+        action: 'knowledge_manifest_ingest',
+        target_uri: options.dbPath,
+        decision: 'allow',
+        metadata: { items: items.length, sources: seenSources.size, revisions: seenRevisions.size, chunks_inserted: chunksInserted, redactions },
+        created_at: now,
+      });
       return {
         path: options.input,
         db_path: options.dbPath,
@@ -413,6 +461,7 @@ export async function ingestOpenFilesManifest(options: ManifestIngestOptions): P
         revisions_upserted: seenRevisions.size,
         chunks_inserted: chunksInserted,
         chunks_deleted: chunksDeleted,
+        redactions,
         skipped,
       };
     })();

package/src/mcp.js

@@ -7,6 +7,8 @@ import pkg from '../package.json' with { type: 'json' };
 import { defaultStorePath, loadStore, saveStore, makeId, withLock } from './store.ts';
 import { ensureKnowledgeWorkspace, readKnowledgeConfig, resolveScopedWorkspace } from './workspace.ts';
 import { parseSourceRef } from './source-ref.ts';
+import { resolveOpenFilesSource } from './source-resolver.ts';
+import { resolveSafetyPolicy } from './safety.ts';
 
 const storePathField = z.string().optional().describe('Path to the JSON store file');
 const scopeField = z.enum(['local', 'global', 'project']).optional().describe('Workspace scope');
@@ -102,6 +104,29 @@ export function buildServer() {
     }
   });
 
+  registerTool(server, 'ok_resolve_source', 'Resolve source content', 'Resolve an indexed source ref through the read-only open-files boundary and return chunk citation evidence', {
+    source_ref: z.string().describe('Source reference URI, preferably open-files://...'),
+    purpose: z.string().optional().describe('Read-only purpose label, default knowledge_answer'),
+    limit: z.number().optional().describe('Maximum chunks to return, default 10'),
+    scope: scopeField,
+  }, async ({ source_ref, purpose, limit, scope }) => {
+    const workspace = ensureKnowledgeWorkspace(resolveScopedWorkspace(scope).home);
+    const config = readKnowledgeConfig(workspace.configPath);
+    const safetyPolicy = resolveSafetyPolicy(config, workspace);
+    try {
+      const result = await resolveOpenFilesSource({
+        dbPath: workspace.knowledgeDbPath,
+        sourceRef: source_ref,
+        purpose,
+        limit,
+        safetyPolicy,
+      });
+      return jsonText({ ok: true, ...result });
+    } catch (error) {
+      return errorText(error instanceof Error ? error.message : String(error));
+    }
+  });
+
   registerTool(server, 'ok_add', 'Add a knowledge item', 'Add a new item to the knowledge store', {
     title: z.string().describe('Item title'),
     content: z.string().describe('Item content/body'),

package/src/outbox-consume.ts

@@ -5,6 +5,7 @@ import type { Database } from 'bun:sqlite';
 import { migrateKnowledgeDb, openKnowledgeDb } from './knowledge-db';
 import { parseSourceRef, type SourceRef } from './source-ref';
 import type { KnowledgeConfig } from './workspace';
+import { assertS3ReadAllowed, assertWriteAllowed, recordAuditEvent, type SafetyPolicy } from './safety';
 
 type OutboxObject = Record<string, unknown>;
 
@@ -12,6 +13,7 @@ export interface OutboxConsumeOptions {
   dbPath: string;
   input: string;
   config?: KnowledgeConfig;
+  safetyPolicy?: SafetyPolicy;
   now?: Date;
 }
 
@@ -165,11 +167,12 @@ function parseOutboxText(text: string): OutboxObject[] {
   });
 }
 
-async function readS3Text(uri: string, config?: KnowledgeConfig): Promise<string> {
+async function readS3Text(uri: string, config?: KnowledgeConfig, safetyPolicy?: SafetyPolicy): Promise<string> {
   const parsed = new URL(uri);
   const bucket = parsed.hostname;
   const key = decodeURIComponent(parsed.pathname.replace(/^\/+/, ''));
   if (!bucket || !key) throw new Error(`Invalid S3 outbox URI: ${uri}`);
+  if (safetyPolicy) assertS3ReadAllowed(uri, safetyPolicy);
   const [{ S3Client, GetObjectCommand }, { fromIni }] = await Promise.all([
     import('@aws-sdk/client-s3'),
     import('@aws-sdk/credential-providers'),
@@ -185,8 +188,8 @@ async function readS3Text(uri: string, config?: KnowledgeConfig): Promise<string
   return await response.Body.transformToString();
 }
 
-async function readOutboxInput(input: string, config?: KnowledgeConfig): Promise<string> {
-  if (input.startsWith('s3://')) return readS3Text(input, config);
+async function readOutboxInput(input: string, config?: KnowledgeConfig, safetyPolicy?: SafetyPolicy): Promise<string> {
+  if (input.startsWith('s3://')) return readS3Text(input, config, safetyPolicy);
   if (!existsSync(input)) throw new Error(`Outbox not found: ${input}`);
   return readFileSync(input, 'utf8');
 }
@@ -318,8 +321,9 @@ function isPermissionEvent(eventType: string): boolean {
 
 export async function consumeOpenFilesOutbox(options: OutboxConsumeOptions): Promise<OutboxConsumeResult> {
   const now = (options.now ?? new Date()).toISOString();
+  if (options.safetyPolicy) assertWriteAllowed(options.dbPath, options.safetyPolicy);
   migrateKnowledgeDb(options.dbPath);
-  const text = await readOutboxInput(options.input, options.config);
+  const text = await readOutboxInput(options.input, options.config, options.safetyPolicy);
   const events = parseOutboxText(text);
   const db = openKnowledgeDb(options.dbPath);
   const runId = `run_${randomUUID()}`;
@@ -350,6 +354,15 @@ export async function consumeOpenFilesOutbox(options: OutboxConsumeOptions): Pro
       let movedSources = 0;
       let permissionUpdates = 0;
 
+      recordAuditEvent(db, {
+        event_type: 'source_read',
+        action: options.input.startsWith('s3://') ? 's3_outbox_read' : 'local_outbox_read',
+        target_uri: options.input,
+        decision: 'allow',
+        metadata: { events: events.length, read_only: true },
+        created_at: now,
+      });
+
       events.forEach((raw, index) => {
         const event = normalizeEvent(raw, now);
         const sourceId = ensureSource(db, event, now);
@@ -404,6 +417,22 @@ export async function consumeOpenFilesOutbox(options: OutboxConsumeOptions): Pro
         ],
       );
 
+      recordAuditEvent(db, {
+        event_type: 'write',
+        action: 'knowledge_outbox_invalidation',
+        target_uri: options.dbPath,
+        decision: 'allow',
+        metadata: {
+          run_id: runId,
+          events: events.length,
+          sources: sourcesTouched.size,
+          revisions: revisionsTouched.size,
+          chunks_deleted: chunksDeleted,
+          embeddings_deleted: embeddingsDeleted,
+        },
+        created_at: now,
+      });
+
       return {
         path: options.input,
         db_path: options.dbPath,