mindforge-cc 9.0.0 → 10.0.0

package/bin/dashboard/server.js

@@ -8,13 +8,15 @@
  *   /mindforge:dashboard [--port 7339] [--open] [--stop]
  *
  * Security: binds to 127.0.0.1 only (ADR-017 policy).
- * No authentication — localhost-only access is the security model.
+ * Bearer token auth on all mutating endpoints (POST/PUT/DELETE).
+ * Token printed to console at startup and written to .mindforge/.dashboard-token.
  */
 'use strict';
 
 const http   = require('http');
 const path   = require('path');
 const fs     = require('fs');
+const crypto = require('crypto');
 const ARGS   = process.argv.slice(2);
 
 const PORT     = parseInt(ARGS.find((_, i, a) => a[i-1] === '--port') || '7339', 10);
@@ -39,6 +41,39 @@ const RevOpsAPI   = require('./revops-api');
 // ── Express app ───────────────────────────────────────────────────────────────
 const app = express();
 
+// ── Bearer token authentication ──────────────────────────────────────────────
+const DASHBOARD_TOKEN = crypto.randomBytes(32).toString('hex');
+const TOKEN_FILE = path.join(process.cwd(), '.mindforge', '.dashboard-token');
+
+// Write token to file with restrictive permissions (owner-only read/write)
+fs.mkdirSync(path.dirname(TOKEN_FILE), { recursive: true });
+fs.writeFileSync(TOKEN_FILE, DASHBOARD_TOKEN, { mode: 0o600 });
+
+/**
+ * requireAuth — Validates Bearer token on mutating requests (POST/PUT/DELETE).
+ * GET requests pass through unguarded for the dashboard UI.
+ */
+function requireAuth(req, res, next) {
+  if (req.method === 'GET' || req.method === 'OPTIONS') return next();
+
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(401).json({
+      error: 'Authentication required. Use the token printed at dashboard startup.'
+    });
+  }
+
+  const provided = authHeader.slice(7);
+  // Constant-time comparison to prevent timing attacks
+  if (!crypto.timingSafeEqual(Buffer.from(provided), Buffer.from(DASHBOARD_TOKEN))) {
+    return res.status(401).json({
+      error: 'Authentication required. Use the token printed at dashboard startup.'
+    });
+  }
+
+  next();
+}
+
 // Security middleware
 app.use((req, res, next) => {
   const addr = req.socket.remoteAddress;
@@ -49,19 +84,18 @@ app.use((req, res, next) => {
   next();
 });
 
-// CORS — only allow requests from localhost origins
+// CORS — restrict to dashboard's own origin only (prevent cross-origin attacks)
+const DASHBOARD_ORIGIN = `http://127.0.0.1:${PORT}`;
 app.use((req, res, next) => {
   const origin = req.headers.origin;
 
-  if (origin && /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) {
-    // Explicit localhost origin — set CORS headers
-    res.setHeader('Access-Control-Allow-Origin', origin);
+  if (origin === DASHBOARD_ORIGIN) {
+    res.setHeader('Access-Control-Allow-Origin', DASHBOARD_ORIGIN);
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
-    res.setHeader('Vary', 'Origin'); // Important: vary by origin for caching
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    res.setHeader('Vary', 'Origin');
   }
-  // No origin header (same-origin/curl/postman): don't set CORS headers
-  // This is correct — same-origin requests don't need CORS headers
+  // Reject cross-origin requests from other localhost ports/origins
   if (req.method === 'OPTIONS') return res.status(204).end();
   next();
 });
@@ -71,11 +105,17 @@ app.use(express.json({ limit: '64kb' })); // Limit request body size
 // Security headers
 app.use((req, res, next) => {
   res.setHeader('X-Content-Type-Options', 'nosniff');
-  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+  res.setHeader('X-Frame-Options', 'DENY');
   res.setHeader('Cache-Control', 'no-store'); // Never cache dashboard responses
+  res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'");
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
   next();
 });
 
+// ── Apply requireAuth to mutating API routes ─────────────────────────────────
+app.use('/api', requireAuth);
+
 // ── Static frontend ───────────────────────────────────────────────────────────
 app.get('/', (req, res) => {
   if (!fs.existsSync(FRONTEND)) {
@@ -103,6 +143,8 @@ server.listen(PORT, '127.0.0.1', () => {
   console.log(`    Status:  http://localhost:${PORT}/api/status`);
   console.log(`    Events:  http://localhost:${PORT}/events`);
   console.log(`    PID:     ${process.pid}`);
+  console.log(`[Dashboard] Auth token: ${DASHBOARD_TOKEN}`);
+  console.log(`    Token file: ${TOKEN_FILE}`);
   console.log('\n    Press CTRL+C to stop\n');
 
   if (OPEN_BROWSER) {
@@ -127,6 +169,8 @@ server.on('error', err => {
 function shutdown(signal) {
   console.log(`\n[dashboard] ${signal} received — shutting down`);
   SSE.stop();
+  // Remove sensitive token file on shutdown
+  if (fs.existsSync(TOKEN_FILE)) fs.unlinkSync(TOKEN_FILE);
   server.close(() => {
     if (fs.existsSync(PID_FILE)) fs.unlinkSync(PID_FILE);
     process.exit(0);

package/bin/dashboard/sse-bridge.js

@@ -25,12 +25,19 @@ let _auditInode     = 0; // Track file inode for rotation detection
 let _lastAutoState  = '';
 let _lastApprovals  = '';
 
+// ── Smart polling: mtime tracking ────────────────────────────────────────────
+const _lastMtimes = Object.create(null);
+
 // ── Client management ─────────────────────────────────────────────────────────
 
 function addClient(res) {
+  const wasEmpty = clients.size === 0;
   clients.add(res);
+  if (wasEmpty) startPolling();
+
   res.on('close', () => {
     clients.delete(res);
+    if (clients.size === 0) stopPolling();
   });
 }
 
@@ -106,6 +113,10 @@ function pollAutoState() {
   if (!fs.existsSync(AUTO_STATE_PATH)) return;
 
   try {
+    const mtime = fs.statSync(AUTO_STATE_PATH).mtimeMs;
+    if (mtime === _lastMtimes[AUTO_STATE_PATH]) return; // unchanged
+    _lastMtimes[AUTO_STATE_PATH] = mtime;
+
     const raw = fs.readFileSync(AUTO_STATE_PATH, 'utf8');
     if (raw === _lastAutoState) return;
     _lastAutoState = raw;
@@ -120,6 +131,10 @@ function pollApprovals() {
   if (!fs.existsSync(APPROVAL_DIR)) return;
 
   try {
+    const mtime = fs.statSync(APPROVAL_DIR).mtimeMs;
+    if (mtime === _lastMtimes[APPROVAL_DIR]) return; // unchanged
+    _lastMtimes[APPROVAL_DIR] = mtime;
+
     const files  = fs.readdirSync(APPROVAL_DIR)
       .filter(f => f.startsWith('APPROVAL-') && f.endsWith('.json'))
       .sort();
@@ -139,17 +154,25 @@ function pollApprovals() {
   } catch { /* ignore */ }
 }
 
-// ── Keepalive ─────────────────────────────────────────────────────────────────
+// ── Polling lifecycle (idle-aware) ────────────────────────────────────────────
 
 let _pollInterval  = null;
 let _pingInterval  = null;
+let _initialized   = false;
 
-function start() {
-  // Initialize AUDIT position
-  if (fs.existsSync(AUDIT_PATH)) {
+/**
+ * Start polling only when at least one client is connected.
+ * Idempotent — calling when already polling is a no-op.
+ */
+function startPolling() {
+  if (_pollInterval) return; // Already polling
+
+  // Initialize AUDIT position on first start
+  if (!_initialized && fs.existsSync(AUDIT_PATH)) {
     const stat = fs.statSync(AUDIT_PATH);
     _lastAuditSize = stat.size;
     _auditInode    = stat.ino;
+    _initialized   = true;
   }
 
   // Poll every 2 seconds
@@ -168,11 +191,34 @@ function start() {
   _pingInterval.unref();
 }
 
-function stop() {
+/**
+ * Stop polling when zero clients are connected.
+ * Idempotent — calling when already stopped is a no-op.
+ */
+function stopPolling() {
   if (_pollInterval) { clearInterval(_pollInterval); _pollInterval = null; }
   if (_pingInterval) { clearInterval(_pingInterval); _pingInterval = null; }
 }
 
+/**
+ * Public start — initializes the bridge (legacy compat).
+ * Actual polling begins only when the first client connects.
+ */
+function start() {
+  // Pre-initialize AUDIT position so first client gets instant data
+  if (!_initialized && fs.existsSync(AUDIT_PATH)) {
+    const stat = fs.statSync(AUDIT_PATH);
+    _lastAuditSize = stat.size;
+    _auditInode    = stat.ino;
+    _initialized   = true;
+  }
+  // Polling starts lazily when addClient() is called
+}
+
+function stop() {
+  stopPolling();
+}
+
 function getClientCount() { return clients.size; }
 
 module.exports = { addClient, broadcast, start, stop, getClientCount };

package/bin/engine/learning-manager.js

@@ -169,7 +169,7 @@ if (require.main === module) {
           context: 'CLI Manual Test',
           category: 'Architecture'
         });
-        console.log(`  ${this.colors.dim('│')}  ${this.colors.magenta('🛡️  SOVEREIGN INTELLIGENCE v8.2.0')} — PQAS & Proactive Homing Enabled`);
+        console.log('  │  🛡️  SOVEREIGN INTELLIGENCE v8.2.0 — PQAS & Proactive Homing Enabled');
         const status = await manager.getStatus();
         console.log('📊 Learning System Status:', status);
       } else {

package/bin/engine/mesh-syncer.js

@@ -1,7 +1,7 @@
 /**
  * MindForge v8 — Federated Mesh Synthesis (FMS)
  * Component: Mesh Syncer (Pillar XVI)
- * 
+ *
  * Facilitates secure, signed knowledge handoffs between MindForge nodes.
  */
 'use strict';
@@ -15,10 +15,13 @@ const configManager = require('../governance/config-manager');
 
 class MeshSyncer {
   constructor() {
-    this.nodeId = configManager.get('mesh.node_id', 'unknown-node');
     this.vhInitialized = false;
   }
 
+  get nodeId() {
+    return configManager.get('mesh.node_id', 'unknown-node');
+  }
+
   async ensureInit() {
     if (!this.vhInitialized) {
       await vectorHub.init();
@@ -36,14 +39,18 @@ class MeshSyncer {
     console.log(`[MeshSyncer] Exporting bundle from ${this.nodeId}...`);
 
     // 1. Fetch Traces (Golden ones or since date)
-    let traceQuery = vectorHub.db.selectFrom('traces').selectAll();
+    let traces;
     if (options.since) {
-      traceQuery = traceQuery.where('timestamp', '>', options.since);
+      traces = vectorHub.query(
+        'SELECT * FROM traces WHERE timestamp > ? LIMIT 100',
+        [options.since]
+      );
+    } else {
+      traces = vectorHub.query('SELECT * FROM traces LIMIT 100');
     }
-    const traces = await traceQuery.limit(100).execute();
 
     // 2. Fetch Skills
-    const skills = await vectorHub.db.selectFrom('skills').selectAll().execute();
+    const skills = vectorHub.query('SELECT * FROM skills');
 
     const payload = {
       version: '1.0.0',
@@ -53,14 +60,13 @@ class MeshSyncer {
     };
 
     // 3. Sign the bundle using ZTAI
-    // Note: In v8, we sign the entire payload string to ensure integrity.
     const did = configManager.get('governance.active_did');
     if (!did) {
       throw new Error('[MeshSyncer] No active DID found for signing. Secure identity required.');
     }
 
     const signature = await ztaiManager.signData(did, JSON.stringify(payload));
-    
+
     const bundle = {
       payload,
       signature,
@@ -105,20 +111,18 @@ class MeshSyncer {
     // 3. Merge Skills
     const skills = payload.data.skills || [];
     for (const skill of skills) {
-      await vectorHub.db.insertInto('skills')
-        .values({
-          skill_id: skill.skill_id,
-          name: skill.name,
-          description: skill.description,
-          path: skill.path,
-          success_rate: skill.success_rate,
-          last_verified: new Date().toISOString()
-        })
-        .onConflict(oc => oc.column('skill_id').doUpdateSet({
-            success_rate: Math.max(skill.success_rate || 0, 0.5), // Optimistic merge
-            last_verified: new Date().toISOString()
-        }))
-        .execute();
+      vectorHub.run(
+        `INSERT OR REPLACE INTO skills (skill_id, name, description, path, success_rate, last_verified)
+         VALUES (?, ?, ?, ?, ?, ?)`,
+        [
+          skill.skill_id,
+          skill.name,
+          skill.description,
+          skill.path,
+          Math.max(skill.success_rate || 0, 0.5),
+          new Date().toISOString()
+        ]
+      );
     }
 
     console.log(`[MeshSyncer] Successfully imported ${traces.length} external traces and ${skills.length} skills.`);

package/bin/engine/nexus-tracer.js

@@ -15,6 +15,7 @@ const driftDetector = require('./logic-drift-detector'); // v6.1 Pillar X
 const remediationEngine = require('./remediation-engine'); // v6.1 Pillar X
 const logicValidator = require('./logic-validator'); // v7 Pillar X
 const vectorHub = require('../memory/vector-hub'); // v8 Pillar XV
+const { AuditWriter } = require('../utils/file-io');
 
 class NexusTracer {
   constructor(config = {}) {
@@ -31,8 +32,11 @@ class NexusTracer {
     this.RES_THRESHOLD = configManager.get('governance.res_threshold', 0.8); 
     this.entropyCache = new Map(); 
 
+    // v9: Async Audit Writer (replaces sync appendFileSync)
+    this._auditWriter = new AuditWriter(this.auditPath);
+
     // v6.1: Neural Drift Remediation (NDR)
-    this.DRIFT_SAMPLE_RATE = 1.0; 
+    this.DRIFT_SAMPLE_RATE = 1.0;
 
     // v7: Agentic SBOM with Arbitrage
     this.sbom = {
@@ -292,10 +296,7 @@ class NexusTracer {
     }
 
     try {
-      if (!fs.existsSync(path.dirname(this.auditPath))) {
-        fs.mkdirSync(path.dirname(this.auditPath), { recursive: true });
-      }
-      fs.appendFileSync(this.auditPath, JSON.stringify(entry) + '\n');
+      await this._auditWriter.write(entry);
     } catch (err) {
       console.error(`[NexusTracer] Failed to write audit entry: ${err.message}`);
     }

package/bin/engine/orbital-guardian.js

@@ -1,7 +1,7 @@
 /**
  * MindForge v8 — Orbital Governance
  * Component: Orbital Guardian (Pillar XVIII)
- * 
+ *
  * Manages hardware-bound/biometric attestations for high-blast-radius actions.
  */
 'use strict';
@@ -51,9 +51,11 @@ class OrbitalGuardian {
     };
 
     // 2. Persist to SQLite (Source of truth for v8 Governance Dashboard)
-    await vectorHub.db.insertInto('attestations')
-      .values(attestation)
-      .execute();
+    vectorHub.run(
+      `INSERT INTO attestations (id, request_id, status, attestation_payload, timestamp)
+       VALUES (?, ?, ?, ?, ?)`,
+      [attestation.id, attestation.request_id, attestation.status, attestation.attestation_payload, attestation.timestamp]
+    );
 
     console.log(`[ORBITAL-GUARDIAN] Attestation SUCCESS: ${attestation.id}`);
     return attestation;
@@ -63,14 +65,15 @@ class OrbitalGuardian {
    * Verifies if a request has a valid hardware bypass.
    */
   async verify(requestId) {
+    if (!requestId) return { verified: false };
     await this.ensureInit();
-    
-    const record = await vectorHub.db.selectFrom('attestations')
-      .selectAll()
-      .where('request_id', '=', requestId)
-      .where('status', '=', 'APPROVED')
-      .executeTakeFirst();
 
+    const results = vectorHub.query(
+      'SELECT * FROM attestations WHERE request_id = ? AND status = ? LIMIT 1',
+      [requestId, 'APPROVED']
+    );
+
+    const record = results[0];
     if (!record) return { verified: false };
 
     return {

package/bin/engine/skill-evolver.js

@@ -1,7 +1,7 @@
 /**
  * MindForge v8 — Autonomous Skill Evolution (ASE)
  * Component: Skill Evolver (Pillar XVII)
- * 
+ *
  * Mines successful reasoning patterns to synthesize new reusable skills.
  */
 'use strict';
@@ -32,12 +32,11 @@ class SkillEvolver {
     await this.ensureInit();
     console.log('[ASE] Starting skill evolution cycle...');
 
-    // 1. Mine Golden Traces (Drift < 0.1)
-    const goldenTraces = await vectorHub.db.selectFrom('traces')
-      .selectAll()
-      .where('drift_score', '<', this.threshold)
-      .where('event', '=', 'reasoning_trace')
-      .execute();
+    // 1. Mine Golden Traces (Drift < threshold)
+    const goldenTraces = vectorHub.query(
+      'SELECT * FROM traces WHERE drift_score < ? AND event = ?',
+      [this.threshold, 'reasoning_trace']
+    );
 
     if (goldenTraces.length < this.minCount) {
       console.log(`[ASE] Only ${goldenTraces.length} golden traces found. Threshold is ${this.minCount}. Evolution deferred.`);
@@ -67,12 +66,12 @@ class SkillEvolver {
     const clusters = new Map();
 
     for (const t of traces) {
-      const metadata = JSON.parse(t.metadata || '{}');
       // Group by agent and the first 20 chars of thought as a simple proxy for 'intent'
-      const key = `${t.agent || 'unknown'}:${t.content.substring(0, 20)}`;
-      
+      const content = t.content || '';
+      const key = `${t.agent || 'unknown'}:${content.substring(0, 20)}`;
+
       if (!clusters.has(key)) {
-        clusters.set(key, { traces: [], agent: t.agent, intent: t.content.substring(0, 50) });
+        clusters.set(key, { traces: [], agent: t.agent, intent: content.substring(0, 50) });
       }
       clusters.get(key).traces.push(t);
     }
@@ -85,11 +84,10 @@ class SkillEvolver {
    */
   async _synthesize(cluster) {
     const id = `ev_${crypto.randomBytes(4).toString('hex')}`;
-    const timestamp = new Date().toISOString();
-    
+
     // Abstract the strategy from the trace content
     const summary = cluster.traces.map(t => `- ${t.content}`).join('\n');
-    
+
     return {
       id,
       name: `Synthesized Skill (${cluster.agent}) - ${id}`,

package/bin/engine/temporal-hub.js

@@ -23,9 +23,15 @@ class TemporalHub {
    * @param {object} metadata - Optional context (task_name, session_id)
    */
   static captureState(auditId, metadata = {}) {
+    if (!/^[a-f0-9-]{8,40}$/.test(auditId)) {
+      throw new Error('Invalid audit ID format');
+    }
     if (!fs.existsSync(PLANNING_DIR)) return null;
-    
+
     const snapshotDir = path.join(HISTORY_DIR, auditId);
+    if (!path.resolve(snapshotDir).startsWith(path.resolve(HISTORY_DIR))) {
+      throw new Error('Path traversal detected in audit ID');
+    }
     if (!fs.existsSync(snapshotDir)) {
       fs.mkdirSync(snapshotDir, { recursive: true });
     }
@@ -69,7 +75,13 @@ class TemporalHub {
    * @param {string} auditId 
    */
   static rollbackTo(auditId) {
+    if (!/^[a-f0-9-]{8,40}$/.test(auditId)) {
+      throw new Error('Invalid audit ID format');
+    }
     const snapshotDir = path.join(HISTORY_DIR, auditId);
+    if (!path.resolve(snapshotDir).startsWith(path.resolve(HISTORY_DIR))) {
+      throw new Error('Path traversal detected in audit ID');
+    }
     if (!fs.existsSync(snapshotDir)) {
       throw new Error(`Snapshot ${auditId} not found in history.`);
     }
@@ -116,7 +128,13 @@ class TemporalHub {
    * Read a file from a specific historical snapshot.
    */
   static getSnapshotFile(auditId, filePath) {
+    if (!/^[a-f0-9-]{8,40}$/.test(auditId)) {
+      throw new Error('Invalid audit ID format');
+    }
     const snapPath = path.join(HISTORY_DIR, auditId, path.basename(filePath));
+    if (!path.resolve(snapPath).startsWith(path.resolve(HISTORY_DIR))) {
+      throw new Error('Path traversal detected in audit ID');
+    }
     if (fs.existsSync(snapPath)) {
       return fs.readFileSync(snapPath, 'utf8');
     }
@@ -127,7 +145,13 @@ class TemporalHub {
    * Capture terminal output for a command and associate with audit point.
    */
   static captureTerminal(auditId, stdout, stderr) {
+    if (!/^[a-f0-9-]{8,40}$/.test(auditId)) {
+      throw new Error('Invalid audit ID format');
+    }
     const logDir = path.join(HISTORY_DIR, auditId, 'logs');
+    if (!path.resolve(logDir).startsWith(path.resolve(HISTORY_DIR))) {
+      throw new Error('Path traversal detected in audit ID');
+    }
     if (!fs.existsSync(logDir)) fs.mkdirSync(logDir, { recursive: true });
     
     if (stdout) fs.writeFileSync(path.join(logDir, 'stdout.log'), stdout);

package/bin/governance/policy-engine.js

@@ -8,12 +8,14 @@ const fs = require('node:fs');
 const path = require('node:path');
 const ImpactAnalyzer = require('./impact-analyzer');
 const policyGate = require('./policy-gate-hardened');
+const { AuditWriter } = require('../utils/file-io');
 
 class PolicyEngine {
   constructor(config = {}) {
     this.policiesDir = config.policiesDir || path.join(__dirname, 'policies');
     this.planningDir = config.planningDir || path.join(process.cwd(), '.planning');
     this.auditLogPath = path.join(this.planningDir, 'RISK-AUDIT.jsonl');
+    this._auditWriter = new AuditWriter(this.auditLogPath);
     this.ensurePoliciesDir();
   }
 
@@ -73,7 +75,7 @@ class PolicyEngine {
           // [PQAS] v7: Hardened Biometric Bypass for Risk > 95
           if (impactScore > 95) {
             const gateResult = await policyGate.evaluateBypass(intent, impactScore);
-            if (gateResult.status === 'WAIT_FOR_BIOMETRIC') {
+            if (gateResult.status === 'WAIT_FOR_BIOMETRIC' || gateResult.status === 'WAIT_FOR_ORBITAL') {
               verdict = { 
                 verdict: 'DENY', 
                 reason: gateResult.reason, 
@@ -143,7 +145,7 @@ class PolicyEngine {
   }
 
   logAudit(intent, impactScore, verdict) {
-    const entry = JSON.stringify({
+    this._auditWriter.write({
       timestamp: new Date().toISOString(),
       requestId: verdict.requestId,
       did: intent.did,
@@ -153,9 +155,7 @@ class PolicyEngine {
       impactScore,
       verdict: verdict.verdict,
       reason: verdict.reason
-    }) + '\n';
-    
-    fs.appendFileSync(this.auditLogPath, entry); 
+    });
   }
 
   loadPolicies() {

package/bin/governance/policy-gate-hardened.js

@@ -38,8 +38,8 @@ class PolicyGateHardened {
     }
 
     // 2. Trigger Orbital Challenge
-    return { 
-      status: 'WAIT_FOR_ORBITAL', 
+    return {
+      status: 'WAIT_FOR_ORBITAL',
       reason: 'Hardware/Biometric attestation required for orbital-tier mutation',
       challenge_id: `orb_${Math.random().toString(36).substr(2, 6)}`,
       impact: impactScore

package/bin/governance/quantum-crypto.js

@@ -103,8 +103,16 @@ class QuantumCrypto {
 
   verifyZKProof(proof, intentId) {
     if (!proof.startsWith('zkp_v1_')) return false;
-    // Real verification would check the Merkle root of the execution trace
-    return true; // Simulated success
+    // SECURITY: Real ZK verification is not yet implemented.
+    // Governance gate MUST block by default — fail-closed.
+    console.warn(
+      `[SECURITY][quantum-crypto] verifyZKProof is a STUB — real ZK verification not yet implemented. ` +
+      `Blocking proof for intent="${intentId}". All governance checks will fail until a real verifier is integrated.`
+    );
+    throw new Error(
+      'ZK proof verification is not implemented. Governance gate denies by default. ' +
+      'Integrate a real ZK verifier (e.g., snarkjs/circom) before enabling this path.'
+    );
   }
 }
 

package/bin/memory/identity-synthesizer.js

@@ -18,7 +18,7 @@ class IdentitySynthesizer {
    */
   async bootstrap(answers = {}) {
     const blueprint = this.getGrandBlueprint();
-    
+
     // Inject initialization metadata into the blueprint
     let soulContent = blueprint
       .replace(/{USER_CONTEXT}/g, answers.user || 'Sovereign Agent User')
@@ -33,14 +33,12 @@ class IdentitySynthesizer {
    */
   async evolve() {
     await vectorHub.init();
-    
+
     // 1. Mine recent traces (Golden & Ghost)
-    const traces = await vectorHub.db.selectFrom('traces')
-      .selectAll()
-      .where('event', '=', 'reasoning_trace')
-      .orderBy('timestamp', 'desc')
-      .limit(100)
-      .execute();
+    const traces = vectorHub.query(
+      'SELECT * FROM traces WHERE event = ? ORDER BY timestamp DESC LIMIT 100',
+      ['reasoning_trace']
+    );
 
     if (traces.length === 0) {
       console.log(`[IDENTITY] No execution traces found in celestial.db. Evolution skipped.`);
@@ -49,7 +47,7 @@ class IdentitySynthesizer {
 
     // 2. Extract Decision Heuristics
     const heuristics = this._extractHeuristics(traces);
-    
+
     // 3. Update SOUL.md sections (v8.1 Intelligence Mirroring)
     await this._applyMirroring(heuristics);
   }
@@ -76,11 +74,11 @@ class IdentitySynthesizer {
 
   async _applyMirroring(heuristics) {
     let content = await fs.readFile(this.soulPath, 'utf8');
-    
+
     // Update the Decision Engine section with derived heuristics
     const heuristicMarker = `Decision Mode = ${heuristics.mode} (Derived from traces)`;
     content = content.replace(/Decision Mode = .*/, heuristicMarker);
-    
+
     await fs.writeFile(this.soulPath, content);
     console.log(`[IDENTITY] SOUL.md evolved: Mode shifted to ${heuristics.mode}.`);
   }