@ik-firewall/core 1.0.2 → 2.3.0

package/dist/index.cjs

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -48,15 +58,18 @@ if (typeof window === "undefined") {
 var Registry = class _Registry {
   static instance;
   registryPath;
+  usagePath;
   hasWarnedNoFs = false;
   hasWarnedSaveError = false;
   constructor() {
     this.registryPath = "";
+    this.usagePath = "";
     if (typeof process !== "undefined" && process.versions && process.versions.node) {
       try {
         fs = require("fs");
         path = require("path");
         this.registryPath = path.join(process.cwd(), ".ik-adapter", "registry.json");
+        this.usagePath = path.join(process.cwd(), ".ik-adapter", "usage.json");
         this.ensureDirectory();
       } catch (e) {
         if (!this.hasWarnedNoFs) {
@@ -91,8 +104,13 @@ var Registry = class _Registry {
     if (!fs || !this.registryPath) return {};
     try {
       if (fs.existsSync(this.registryPath)) {
-        const data = fs.readFileSync(this.registryPath, "utf8");
-        return JSON.parse(data);
+        const rawData = fs.readFileSync(this.registryPath, "utf8");
+        try {
+          const decoded = Buffer.from(rawData, "base64").toString("utf8");
+          return JSON.parse(decoded);
+        } catch (e) {
+          return JSON.parse(rawData);
+        }
       }
     } catch (error) {
       console.error("[IK_REGISTRY] Load error:", error);
@@ -112,7 +130,9 @@ var Registry = class _Registry {
     }
     try {
       this.ensureDirectory();
-      fs.writeFileSync(this.registryPath, JSON.stringify(data, null, 2), "utf8");
+      const jsonStr = JSON.stringify(data, null, 2);
+      const obfuscated = Buffer.from(jsonStr).toString("base64");
+      fs.writeFileSync(this.registryPath, obfuscated, "utf8");
     } catch (error) {
       if (!this.hasWarnedSaveError) {
         console.error("\n[IK_REGISTRY] \u{1F6A8} ERROR saving registry.json. Your environment likely has a read-only filesystem (e.g. Vercel Serverless).");
@@ -143,17 +163,76 @@ var Registry = class _Registry {
     delete all[instanceId];
     this.save(all);
   }
+  getUsageFilePath() {
+    return this.usagePath;
+  }
+  exists(filePath) {
+    return fs && fs.existsSync(filePath);
+  }
+  loadUsage() {
+    if (!fs || !this.usagePath || !fs.existsSync(this.usagePath)) return [];
+    try {
+      const raw = fs.readFileSync(this.usagePath, "utf8");
+      return JSON.parse(raw);
+    } catch (e) {
+      return [];
+    }
+  }
+  saveUsage(data) {
+    if (!fs || !this.usagePath) return;
+    try {
+      fs.writeFileSync(this.usagePath, JSON.stringify(data, null, 2), "utf8");
+    } catch (e) {
+      console.error("[IK_REGISTRY] Failed to save usage:", e);
+    }
+  }
+  clearUsage() {
+    if (!fs || !this.usagePath) return;
+    try {
+      if (fs.existsSync(this.usagePath)) {
+        fs.unlinkSync(this.usagePath);
+      }
+    } catch (e) {
+    }
+  }
+};
+
+// src/lib/hmac.ts
+var import_node_crypto = __toESM(require("crypto"), 1);
+var IKHmac = class {
+  secret;
+  constructor(secret) {
+    this.secret = secret;
+  }
+  /**
+   * Verifies that a response from the IK-Firewall server is authentic.
+   */
+  verify(data) {
+    if (!data || !data.signature) return false;
+    const { signature, ...rest } = data;
+    const payload = JSON.stringify(rest);
+    const expectedSignature = import_node_crypto.default.createHmac("sha256", this.secret).update(payload).digest("hex");
+    return signature === expectedSignature;
+  }
 };
 
 // src/ConfigManager.ts
 var ConfigManager = class {
   config;
   registry;
-  constructor(initialConfig) {
+  hooks;
+  constructor(initialConfig, hooks) {
     this.config = initialConfig;
+    this.hooks = hooks;
     this.registry = Registry.getInstance();
     this.loadFromRegistry();
   }
+  getRegistry() {
+    return this.registry;
+  }
+  setHooks(hooks) {
+    this.hooks = hooks;
+  }
   loadFromRegistry() {
     const instanceConfigs = this.registry.load();
     this.config.instanceConfigs = {
@@ -161,6 +240,76 @@ var ConfigManager = class {
       ...instanceConfigs
     };
   }
+  /**
+   * Syncs remote configuration (pricing, license status) from the Vercel API.
+   * Runs once every 24 hours (Heartbeat).
+   */
+  async syncRemoteConfig(instanceId) {
+    const now = /* @__PURE__ */ new Date();
+    const instanceConfig = this.config.instanceConfigs?.[instanceId];
+    if (instanceConfig?.lastSyncDate) {
+      const lastSync = new Date(instanceConfig.lastSyncDate);
+      const hoursSinceSync = (now.getTime() - lastSync.getTime()) / (1e3 * 60 * 60);
+      if (hoursSinceSync < 24) {
+        return;
+      }
+    }
+    try {
+      const endpoint = this.config.centralReportEndpoint || "https://ik-firewall.vercel.app/api/v1/sync";
+      const instanceConfig2 = this.config.instanceConfigs?.[instanceId];
+      const registrationEmail = instanceConfig2?.ownerEmail || this.config.ownerEmail;
+      if ((!instanceConfig2?.licenseKey || instanceConfig2.licenseKey.startsWith("TRIAL-")) && registrationEmail) {
+        const success = await this.registerInstance(instanceId, registrationEmail);
+        if (success) {
+          this.hooks?.onStatus?.("\u2728 IK_SYNC: Zero-Config registration successful. License issued.");
+          return;
+        } else {
+          this.hooks?.onStatus?.("\u26A0\uFE0F IK_SYNC: Auto-registration failed. Continuing with local trial.");
+        }
+      }
+      this.hooks?.onStatus?.(`\u{1F4E1} IK_SYNC: Heartbeat to ${endpoint}...`);
+      const response = await fetch(`${endpoint}?licenseKey=${instanceConfig2?.licenseKey || ""}&instanceId=${instanceId}&version=2.2.0`);
+      if (response.ok) {
+        const data = await response.json();
+        if (this.config.hmacSecret) {
+          const verifier = new IKHmac(this.config.hmacSecret);
+          if (!verifier.verify(data)) {
+            console.error("[IK_SYNC] \u{1F6A8} Signature verification failed! Remote config rejected.");
+            return;
+          }
+        }
+        this.setInstanceConfig(instanceId, {
+          billingStatus: data.billingStatus,
+          isVerified: data.isVerified,
+          pricing: data.pricing,
+          lastSyncDate: now.toISOString()
+        });
+        this.hooks?.onStatus?.("\u2705 IK_SYNC: Remote configuration updated and verified.");
+      } else {
+        throw new Error(`Server responded with ${response.status}`);
+      }
+      if (!instanceConfig2?.firstUseDate) {
+        this.setInstanceConfig(instanceId, { firstUseDate: now.toISOString() });
+      }
+    } catch (error) {
+      console.error(`[IK_CONFIG] Remote sync failed (${error.message}). Falling open (Fail-Open mode).`);
+      this.setInstanceConfig(instanceId, {
+        isVerified: true,
+        lastSyncDate: now.toISOString()
+      });
+    }
+    try {
+      const registry = this.registry;
+      if (registry.exists(registry.getUsageFilePath())) {
+        const aggregatedUsage = registry.loadUsage();
+        if (aggregatedUsage.length > 0) {
+          this.hooks?.onStatus?.(`\u{1F4CA} IK_SYNC: Found ${aggregatedUsage.length} pending usage reports. Preparation for Daily Flush...`);
+          this._pendingUsage = aggregatedUsage;
+        }
+      }
+    } catch (e) {
+    }
+  }
   getConfig() {
     return { ...this.config };
   }
@@ -200,6 +349,40 @@ var ConfigManager = class {
     }
     this.updateConfig({ plugins });
   }
+  async registerInstance(instanceId, email) {
+    try {
+      const endpoint = (this.config.centralReportEndpoint || "https://ik-firewall.vercel.app/api/v1").replace(/\/sync$/, "") + "/register";
+      this.hooks?.onStatus?.(`\u{1F680} IK_REGISTRY: Registering new instance for ${email}...`);
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, instanceId })
+      });
+      if (response.ok) {
+        const data = await response.json();
+        if (this.config.hmacSecret) {
+          const verifier = new IKHmac(this.config.hmacSecret);
+          if (!verifier.verify(data)) {
+            console.error("[IK_REGISTRY] \u{1F6A8} Registration signature mismatch. Data rejected!");
+            return false;
+          }
+        }
+        this.setInstanceConfig(instanceId, {
+          licenseKey: data.licenseKey,
+          billingStatus: data.status.toLowerCase(),
+          isVerified: true,
+          firstUseDate: (/* @__PURE__ */ new Date()).toISOString(),
+          pricing: data.pricing
+        });
+        this.hooks?.onStatus?.("\u2728 IK_REGISTRY: Instance registered successfully and license issued.");
+        return true;
+      }
+      return false;
+    } catch (error) {
+      console.error("[IK_REGISTRY] Registration failed:", error);
+      return false;
+    }
+  }
   ensureInstanceConfig(instanceId) {
     const all = this.registry.load();
     if (!all[instanceId]) {
@@ -207,7 +390,9 @@ var ConfigManager = class {
         balance: this.config.balance || 0.5,
         aggressiveness: this.config.aggressiveness || 0.5,
         isEnabled: true,
-        contextMode: "FIRST_MESSAGE"
+        contextMode: "FIRST_MESSAGE",
+        ownerEmail: this.config.ownerEmail
+        // Inherit from global if not specific
       });
       this.loadFromRegistry();
     }
@@ -1280,18 +1465,12 @@ var Orchestrator = class {
 };
 
 // src/UsageTracker.ts
-var UsageTracker = class _UsageTracker {
+var UsageTracker = class {
   buffer = [];
   MAX_BUFFER_SIZE = 1;
   // Immediate reporting for Edge/Stateless environments
   hooks;
   config;
-  // Static pricing benchmarks (cost per 1k tokens in USD)
-  static PRICING = {
-    "gpt-4o": { input: 5e-3, output: 0.015 },
-    "gpt-4o-mini": { input: 15e-5, output: 6e-4 },
-    "local": { input: 0, output: 0 }
-  };
   constructor(config, hooks) {
     this.config = config;
     this.hooks = hooks;
@@ -1302,8 +1481,10 @@ var UsageTracker = class _UsageTracker {
   async logInteraction(params) {
     const { instanceId, model, inputTokens, outputTokens, optimizedTokens = 0, cqScore, routingPath, clientOrigin, trace } = params;
     const tokensSaved = optimizedTokens > 0 ? inputTokens - optimizedTokens : 0;
-    const modelPricing = _UsageTracker.PRICING[model] || _UsageTracker.PRICING["gpt-4o-mini"];
-    const costSaved = tokensSaved / 1e3 * modelPricing.input;
+    const instanceConfig = this.config.getConfig().instanceConfigs?.[instanceId];
+    const remotePricing = instanceConfig?.pricing?.[model] || { input: 5e-3, output: 0.015 };
+    const costSaved = tokensSaved / 1e3 * remotePricing.input;
+    const commissionDue = costSaved * 0.2;
     const data = {
       instanceId,
       model_used: model,
@@ -1313,6 +1494,7 @@ var UsageTracker = class _UsageTracker {
       optimized_tokens: optimizedTokens,
       tokens_saved: tokensSaved,
       cost_saved: Number(costSaved.toFixed(6)),
+      commission_due: Number(commissionDue.toFixed(6)),
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       is_local: model === "local",
       cq_score: cqScore,
@@ -1321,40 +1503,71 @@ var UsageTracker = class _UsageTracker {
     };
     this.buffer.push(data);
     this.hooks?.onUsageReported?.(data);
-    if (this.buffer.length >= this.MAX_BUFFER_SIZE) {
-      await this.flush();
+    await this.persistToLocalBuffer(data);
+  }
+  /**
+   * Appends usage data to the local .ik-adapter/usage.json file
+   */
+  async persistToLocalBuffer(data) {
+    try {
+      const registry = this.config.getRegistry();
+      const usageFile = registry.getUsageFilePath();
+      let existingUsage = [];
+      if (registry.exists(usageFile)) {
+        existingUsage = registry.loadUsage();
+      }
+      existingUsage.push(data);
+      registry.saveUsage(existingUsage);
+    } catch (e) {
+      console.error("[IK_TRACKER] Failed to persist usage to local buffer:", e);
     }
   }
   /**
    * Send buffered usage data to the central IK billing service
    */
-  async flush() {
-    if (this.buffer.length === 0) return;
-    const endpoint = this.config.get("centralReportEndpoint");
-    if (!endpoint) {
-      console.warn("[IK_TRACKER] No centralReportEndpoint defined. Clearing buffer to prevent memory leak.");
-      this.buffer = [];
-      return;
-    }
+  async flush(aggregatedData) {
+    const usageToFlush = aggregatedData || this.buffer;
+    if (usageToFlush.length === 0) return;
+    const endpoint = this.config.get("centralReportEndpoint") || "https://ik-firewall.vercel.app/api/v1/report";
+    const hmacSecret = this.config.get("hmacSecret");
     try {
-      for (const report of this.buffer) {
-        await fetch(endpoint, {
+      this.hooks?.onStatus?.(`\u{1F4E4} IK_TRACKER: Flushing ${usageToFlush.length} interactions to ${endpoint}...`);
+      const reportsByInstance = {};
+      for (const report of usageToFlush) {
+        if (!reportsByInstance[report.instanceId]) reportsByInstance[report.instanceId] = [];
+        reportsByInstance[report.instanceId].push(report);
+      }
+      for (const [instanceId, reports] of Object.entries(reportsByInstance)) {
+        const instanceConfig = this.config.getConfig().instanceConfigs?.[instanceId];
+        const payload = {
+          licenseKey: instanceConfig?.licenseKey || "",
+          instanceId,
+          reports: reports.map((r) => ({
+            modelName: r.model_used,
+            tokensIn: r.input_tokens,
+            tokensOut: r.output_tokens,
+            tokensSaved: r.tokens_saved,
+            date: r.timestamp
+          }))
+        };
+        if (hmacSecret) {
+          const jsonStr = JSON.stringify(payload);
+          const crypto2 = await import("crypto");
+          payload.signature = crypto2.createHmac("sha256", hmacSecret).update(jsonStr).digest("hex");
+        }
+        const response = await fetch(endpoint, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({
-            instanceId: report.instanceId,
-            model: report.model_used,
-            inputTokens: report.input_tokens,
-            outputTokens: report.output_tokens,
-            optimizedTokens: report.optimized_tokens,
-            cqScore: report.cq_score,
-            routingPath: report.routingPath,
-            clientOrigin: report.clientOrigin,
-            trace: report.trace
-          })
+          body: JSON.stringify(payload)
         });
+        if (!response.ok) {
+          console.error(`[IK_TRACKER] Failed to send aggregate for ${instanceId}: ${response.statusText}`);
+        }
       }
       this.buffer = [];
+      if (aggregatedData) {
+        this.config.getRegistry().clearUsage();
+      }
     } catch (error) {
       console.error("[IK_TRACKER] Failed to flush usage data:", error);
     }
@@ -1364,6 +1577,49 @@ var UsageTracker = class _UsageTracker {
   }
 };
 
+// src/CognitiveEngine.ts
+var CognitiveEngine = class {
+  /**
+   * Sniff Cognitive DNA (CQ Score: 0-100)
+   * Higher score = higher quality, human-like, structured content.
+   */
+  static sniffDNA(input) {
+    if (!input || input.trim().length === 0) return 0;
+    const length = input.length;
+    const words = input.split(/\s+/).filter((w) => w.length > 0);
+    const wordCount = words.length;
+    const sentences = input.split(/[.!?]+/).filter((s) => s.trim().length > 0);
+    const avgSentenceLength = sentences.length > 0 ? wordCount / sentences.length : 0;
+    const sentenceVariety = sentences.length > 1 ? 10 : 0;
+    const uniqueWords = new Set(words.map((w) => w.toLowerCase())).size;
+    const lexicalBreadth = wordCount > 0 ? uniqueWords / wordCount * 40 : 0;
+    const markers = (input.match(/[,;:"'()\[\]]/g) || []).length;
+    const structuralHealth = Math.min(markers / wordCount * 100, 20);
+    const repetitivePenalty = this.calculateRepetitivePenalty(input);
+    let score = lexicalBreadth + structuralHealth + sentenceVariety + (avgSentenceLength > 5 ? 20 : 0);
+    score -= repetitivePenalty;
+    return Math.max(0, Math.min(100, score));
+  }
+  /**
+   * Calculate Crystallization Threshold
+   * Logic: 
+   * Low CQ (Noise) -> Aggressive optimization (Lower threshold, e.g. 0.6)
+   * High CQ (Quality) -> Conservative optimization (Higher threshold, e.g. 0.9)
+   */
+  static calculateThreshold(cqScore) {
+    if (cqScore < 30) return 0.65;
+    if (cqScore < 60) return 0.78;
+    if (cqScore < 85) return 0.88;
+    return 0.95;
+  }
+  static calculateRepetitivePenalty(input) {
+    const chunks = input.match(/.{1,10}/g) || [];
+    const uniqueChunks = new Set(chunks).size;
+    const ratio = chunks.length > 10 ? uniqueChunks / chunks.length : 1;
+    return ratio < 0.5 ? (1 - ratio) * 50 : 0;
+  }
+};
+
 // src/core.ts
 var IKFirewallCore = class _IKFirewallCore {
   static instance;
@@ -1418,55 +1674,75 @@ var IKFirewallCore = class _IKFirewallCore {
       FLUID_THRESHOLD: 4
     }
   };
-  gatekeeper = new HeuristicGatekeeper();
+  gatekeeper;
   configManager;
   sessionDNA = 0;
-  hooks;
   cloudProvider;
   localProvider;
   orchestrator;
   usageTracker;
+  _hooks;
+  defaultConfig;
   constructor(config, hooks, cloudProvider) {
-    const defaultConfig = {
+    this.defaultConfig = {
       aggressiveness: 0.15,
       forcedEfficiency: false,
       precisionBias: _IKFirewallCore.CONSTANTS.PRECISION.BIAS_DEFAULT,
       balance: _IKFirewallCore.CONSTANTS.TONE.STABLE_VAL,
       gatekeeperEnabled: true,
       locale: "en",
-      providerMode: "hybrid",
+      providerMode: process.env.IK_FIREWALL_MODE || "hybrid",
       runtimeStrategy: "internal",
-      localAuditEndpoint: "http://127.0.0.1:8085/v1/chat/completions",
-      fallbackToCloudAudit: false,
+      localAuditEndpoint: process.env.IK_FIREWALL_LOCAL_ENDPOINT || "http://127.0.0.1:8085/v1/chat/completions",
+      centralReportEndpoint: process.env.IK_FIREWALL_CENTRAL_ENDPOINT || "https://ik-firewall.vercel.app/api/v1/sync",
+      ownerEmail: process.env.IK_FIREWALL_EMAIL,
+      hmacSecret: process.env.IK_FIREWALL_SECRET,
+      fallbackToCloudAudit: process.env.IK_FIREWALL_FALLBACK === "true" || false,
       modelConfig: {
         modelType: "1b"
       },
       plugins: []
     };
-    this.configManager = new ConfigManager({ ...defaultConfig, ...config });
-    if (hooks) this.hooks = hooks;
+    this._hooks = hooks;
+    this.configManager = new ConfigManager({ ...this.defaultConfig, ...config }, hooks);
+    this.gatekeeper = new HeuristicGatekeeper();
+    this.sessionDNA = _IKFirewallCore.CONSTANTS.DNA.MIN;
     const activeConfig = this.configManager.getConfig();
     this.localProvider = new LocalProvider(activeConfig.localAuditEndpoint);
     if (cloudProvider) {
-      if (cloudProvider instanceof BaseProvider) {
-        this.cloudProvider = cloudProvider;
-      } else {
-        const mode = activeConfig.providerMode;
-        if (mode === "anthropic") {
-          this.cloudProvider = new AnthropicProvider(cloudProvider);
-        } else if (mode === "deepseek") {
-          this.cloudProvider = new DeepSeekProvider(cloudProvider);
-        } else if (mode === "gemini") {
-          this.cloudProvider = new GeminiProvider(cloudProvider);
-        } else if (mode === "perplexity") {
-          this.cloudProvider = new PerplexityProvider(cloudProvider);
-        } else {
-          this.cloudProvider = new OpenAIProvider(cloudProvider);
-        }
-      }
+      this.cloudProvider = cloudProvider instanceof BaseProvider ? cloudProvider : new OpenAIProvider(cloudProvider);
+    } else if (process.env.OPENAI_API_KEY) {
+      this.cloudProvider = new OpenAIProvider(async (prompt, role) => {
+        const response = await fetch("https://api.openai.com/v1/chat/completions", {
+          method: "POST",
+          headers: {
+            "Authorization": `Bearer ${process.env.OPENAI_API_KEY}`,
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            model: role === "audit_layer" ? "gpt-4o-mini" : "gpt-4o",
+            messages: [{ role: "user", content: prompt }],
+            temperature: 0.1
+          })
+        });
+        if (!response.ok) throw new Error(`OpenAI API Error: ${response.statusText}`);
+        const data = await response.json();
+        return {
+          content: data.choices[0].message.content,
+          usage: data.usage
+        };
+      });
     }
     this.orchestrator = new Orchestrator(this.configManager);
-    this.usageTracker = new UsageTracker(this.configManager, this.hooks);
+    this.usageTracker = new UsageTracker(this.configManager, this._hooks);
+  }
+  get hooks() {
+    return this._hooks;
+  }
+  set hooks(newHooks) {
+    this._hooks = newHooks;
+    this.configManager.setHooks(newHooks);
+    this.usageTracker.hooks = newHooks;
   }
   static getInstance(config, hooks) {
     if (!_IKFirewallCore.instance) {
@@ -1578,6 +1854,21 @@ var IKFirewallCore = class _IKFirewallCore {
   async analyze(input, provider, personaName = "professional", locale, instanceId) {
     if (instanceId) {
       this.configManager.ensureInstanceConfig(instanceId);
+      const syncPromise = this.configManager.syncRemoteConfig(instanceId).then(async () => {
+        const pendingUsage = this.configManager._pendingUsage;
+        if (pendingUsage && pendingUsage.length > 0) {
+          await this.usageTracker.flush(pendingUsage);
+          this.configManager._pendingUsage = null;
+        }
+      });
+      await syncPromise;
+    }
+    const mergedConfig = this.configManager.getMergedConfig(instanceId);
+    if (instanceId && mergedConfig?.isVerified === false) {
+      if (mergedConfig?.billingStatus === "blocked") {
+        this.hooks?.onStatus?.("\u26A0\uFE0F [IK_FIREWALL] Subscription inactive. Optimization bypassed (Fail-Safe mode).");
+        return this.getEmptyMetrics();
+      }
     }
     let auditProvider = this.localProvider;
     let overrideProvider = null;
@@ -1612,18 +1903,20 @@ var IKFirewallCore = class _IKFirewallCore {
     const ei = (input.match(/[,;.:-]/g) || []).length / (input.split(" ").length || 1);
     let requiresAuditOverride = false;
     let boundaryMetrics = { boundaryScore: 0, requiresHumanIntervention: false };
-    if (this.getConfig().safeMode) {
-      boundaryMetrics = this.gatekeeper.evaluateBoundaryCommunication(input, this.getConfig().customBoundaryKeywords);
-      if (boundaryMetrics.requiresHumanIntervention) {
+    if (this.getConfig()?.safeMode) {
+      boundaryMetrics = this.gatekeeper.evaluateBoundaryCommunication(input, this.getConfig()?.customBoundaryKeywords);
+      if (boundaryMetrics?.requiresHumanIntervention) {
         requiresAuditOverride = true;
       }
     }
     const skipAudit = !requiresAuditOverride && this.getConfig().gatekeeperEnabled && localInsight.complexityScore < _IKFirewallCore.CONSTANTS.HEURISTICS.COMPLEXITY_SKIP_THRESHOLD;
     if (skipAudit) {
       this.hooks?.onStatus?.("\u26A1 IK_GATEKEEPER: Simple request detected. Skipping Deep Audit.");
-      const metrics2 = this.createHeuristicMetrics(input, dm, ei, uniqueWords, localInsight.intentMode);
-      metrics2.semanticInsights.boundaryScore = boundaryMetrics.boundaryScore;
-      metrics2.semanticInsights.requiresHumanIntervention = boundaryMetrics.requiresHumanIntervention;
+      const metrics2 = this.createHeuristicMetrics(input, dm, ei, uniqueWords, localInsight?.intentMode);
+      if (metrics2.semanticInsights) {
+        metrics2.semanticInsights.boundaryScore = boundaryMetrics.boundaryScore;
+        metrics2.semanticInsights.requiresHumanIntervention = boundaryMetrics.requiresHumanIntervention;
+      }
       this.hooks?.onAuditComplete?.(metrics2);
       return metrics2;
     }
@@ -1638,10 +1931,17 @@ var IKFirewallCore = class _IKFirewallCore {
         throw e;
       }
     }
-    this.sniffDNA(input, metrics, activeLocale);
+    const cqScore = CognitiveEngine.sniffDNA(input);
+    metrics.dm = Math.max(metrics.dm, cqScore / 10);
+    this.applyHardening(input, metrics, activeLocale);
     this.hooks?.onAuditComplete?.(metrics);
     return metrics;
   }
+  applyHardening(input, metrics, locale = "en") {
+    const archetype = metrics.semanticInsights?.archetype || "DYNAMIC";
+    const domain = metrics.semanticInsights?.detectedDomain || "GENERAL";
+    this.setSessionDNA(this.sessionDNA + 5);
+  }
   getEmptyMetrics() {
     return {
       dm: 0,
@@ -1693,39 +1993,17 @@ var IKFirewallCore = class _IKFirewallCore {
       inputLength: input.length
     };
   }
-  sniffDNA(input, metrics, locale = "en") {
-    const archetype = metrics.semanticInsights?.archetype || "DYNAMIC";
-    const domain = metrics.semanticInsights?.detectedDomain || "GENERAL";
-    const meta = Dictionaries.meta[locale] || Dictionaries.meta.en;
-    const patterns = (meta.system_prompt_patterns || "").split(",").map((p) => p.trim()).filter((p) => p.length > 0);
-    const isSystemPrompt = patterns.some((kw) => input.toLowerCase().includes(kw));
-    let dnaShift = 0;
-    if (archetype === "CRYSTAL") {
-      dnaShift += _IKFirewallCore.CONSTANTS.DNA.HARDENING_MODERATE;
-    } else if (archetype === "FLUID") {
-      dnaShift -= _IKFirewallCore.CONSTANTS.DNA.SOFTENING_STEP;
-    } else if (archetype === "NEURAL") {
-      dnaShift -= _IKFirewallCore.CONSTANTS.DNA.SOFTENING_STEP / 2;
-    }
-    if (["LEGAL", "MEDICAL", "FINANCE", "CONSTRUCTION", "ENGINEERING"].includes(domain)) {
-      dnaShift += _IKFirewallCore.CONSTANTS.DNA.HARDENING_DOMAIN;
-    }
-    if (isSystemPrompt) {
-      dnaShift += _IKFirewallCore.CONSTANTS.DNA.HARDENING_MODERATE;
-    }
-    this.setSessionDNA(this.sessionDNA + dnaShift);
-  }
   async analyzeAIAssisted(input, provider, personaName = "professional", instanceId, configOverride) {
     if (instanceId) {
       this.configManager.ensureInstanceConfig(instanceId);
     }
     const activeConfig = this.configManager.getMergedConfig(instanceId, configOverride);
-    const locale = activeConfig.locale || "en";
+    const locale = activeConfig?.locale || "en";
     const cqScore = this.orchestrator.calculateCQ(input);
     let isAuditTask = false;
-    if (activeConfig.safeMode) {
-      const boundaryResult = this.gatekeeper.evaluateBoundaryCommunication(input, activeConfig.customBoundaryKeywords);
-      if (boundaryResult.requiresHumanIntervention) {
+    if (activeConfig?.safeMode) {
+      const boundaryResult = this.gatekeeper.evaluateBoundaryCommunication(input, activeConfig?.customBoundaryKeywords);
+      if (boundaryResult?.requiresHumanIntervention) {
         isAuditTask = true;
       }
     }
@@ -1947,7 +2225,11 @@ Any action outside this scope MUST be rejected and flagged as a boundary violati
       inputLength
     };
   }
-  crystallize(input, metrics, locale = "en") {
+  crystallize(input, metrics, locale = "en", instanceId) {
+    const mergedConfig = this.configManager.getMergedConfig(instanceId);
+    if (instanceId && mergedConfig?.isVerified === false) {
+      return input;
+    }
     const archetype = metrics?.semanticInsights?.archetype || "DYNAMIC";
     const tolerance = metrics?.semanticInsights?.ambiguityTolerance || 0.5;
     const blueprint = metrics?.semanticInsights?.conceptualBlueprint;
@@ -1961,11 +2243,13 @@ Any action outside this scope MUST be rejected and flagged as a boundary violati
       this.hooks?.onStatus?.(`\u{1F6E1}\uFE0F IK_CRYSTALLIZE: Precision domain detected (${domain}). Relaxing noise reduction...`);
       archetypeModifier = -0.3;
     }
+    const cqScore = CognitiveEngine.sniffDNA(input);
+    const cognitiveThreshold = CognitiveEngine.calculateThreshold(cqScore);
     const threshold = Math.min(
       _IKFirewallCore.CONSTANTS.AI.THRESHOLD_MAX,
       Math.max(
         _IKFirewallCore.CONSTANTS.AI.THRESHOLD_MIN,
-        dm / _IKFirewallCore.CONSTANTS.AI.DM_THRESHOLD_DIVISOR + basePreference - aggModifier + archetypeModifier - tolerance * 0.1
+        cognitiveThreshold + archetypeModifier - tolerance * 0.1
       )
     );
     const lengthRatio = blueprint ? blueprint.length / input.length : 1;