shieldcortex 2.19.1 → 2.20.0

package/dist/server.js

@@ -26,6 +26,7 @@ import { resolveSource } from './defence/trust/env-detector.js';
 import { logAudit } from './defence/audit/logger.js';
 import { scanToolResponse, shouldScanToolResponse } from './defence/tool-response-scanner.js';
 import { getToolResponseScanConfig } from './cloud/config.js';
+import { isKillSwitchActive, getKillSwitchMeta, assertOperationAllowed, activateKillSwitch, deactivateKillSwitch, KillSwitchError, } from './api/control.js';
 // Shared source schema for access control on MCP tools
 const sourceParam = z.object({
     type: z.enum(['user', 'cli', 'hook', 'email', 'web', 'agent', 'file', 'api', 'tool_response']),
@@ -96,6 +97,55 @@ function resolveToolSource(declaredSource, toolName) {
     }
     return source;
 }
+/**
+ * Wrap an MCP tool handler to enforce kill switch lockdown.
+ * If the kill switch is active and the operation kind is blocked,
+ * returns a lockdown error instead of executing the handler.
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function withKillSwitchGuard(kind, handler) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    return async (...handlerArgs) => {
+        try {
+            assertOperationAllowed(kind);
+        }
+        catch (e) {
+            if (e instanceof KillSwitchError) {
+                const meta = e.meta;
+                return {
+                    content: [{
+                            type: 'text',
+                            text: `## KILL SWITCH ACTIVE\n\nAll operations are locked down.\n\n` +
+                                `**Triggered:** ${meta?.triggeredAt ?? 'unknown'}\n` +
+                                `**Source:** ${meta?.source ?? 'unknown'}\n` +
+                                (meta?.phrase ? `**Phrase:** "${meta.phrase}"\n` : '') +
+                                `\nUse \`iron_dome_resume\` to resume after investigation.`,
+                        }],
+                    isError: true,
+                };
+            }
+            throw e;
+        }
+        return handler(...handlerArgs);
+    };
+}
+/**
+ * Check text for kill phrase and trigger kill switch if detected.
+ * Returns true if kill switch was activated.
+ */
+function checkAndTriggerKillSwitch(text, source) {
+    if (isKillSwitchActive())
+        return false; // already active
+    try {
+        // Lazy import to avoid circular deps
+        const ironDome = require('./defence/iron-dome/index.js');
+        const result = ironDome.checkKillPhrase(text);
+        return result.triggered;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Create and configure the MCP server
  */
@@ -151,13 +201,22 @@ Content is scanned through the defence pipeline before storage. Suspicious conte
         transferable: z.boolean().optional()
             .describe('Whether this memory can be transferred to other projects'),
         source: sourceParam,
-    }, { title: 'Store Memory', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, async (args) => {
+    }, { title: 'Store Memory', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, withKillSwitchGuard('memory_write', async (args) => {
+        // Check for kill phrase in content before storing
+        const textToCheck = `${args.title ?? ''} ${args.content ?? ''}`;
+        if (checkAndTriggerKillSwitch(textToCheck, 'remember')) {
+            const meta = getKillSwitchMeta();
+            return {
+                content: [{ type: 'text', text: `## KILL SWITCH ACTIVATED\n\nKill phrase detected in memory content. All operations locked down.\n\nTriggered: ${meta?.triggeredAt}\nUse \`iron_dome_resume\` to resume after investigation.` }],
+                isError: true,
+            };
+        }
         const source = resolveToolSource(args.source, 'remember');
         const result = await executeRemember({ ...args, source });
         return {
             content: [{ type: 'text', text: formatRememberResult(result) }],
         };
-    });
+    }));
     // Recall - Search and retrieve memories
     server.tool('recall', `Search and retrieve memories. Use this to:
 - Find relevant context ("What do I know about auth?")
@@ -183,13 +242,13 @@ Modes: search (query-based), recent (by time), important (by salience)`, {
         mode: z.enum(['search', 'recent', 'important']).optional().default('search')
             .describe('Recall mode'),
         source: sourceParam,
-    }, { title: 'Search Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('recall', async (args) => {
+    }, { title: 'Search Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('recall', async (args) => {
         const source = resolveToolSource(args.source, 'recall');
         const result = await executeRecall({ ...args, source });
         return {
             content: [{ type: 'text', text: formatRecallResult(result, true) }],
         };
-    }));
+    })));
     // Forget - Delete memories
     server.tool('forget', `Delete memories. Use dryRun: true to preview, confirm: true for bulk.`, {
         id: z.number().optional().describe('Memory ID to delete'),
@@ -207,13 +266,13 @@ Modes: search (query-based), recent (by time), important (by salience)`, {
         confirm: z.boolean().optional().default(false)
             .describe('Confirm bulk delete'),
         source: sourceParam,
-    }, { title: 'Delete Memories', readOnlyHint: false, destructiveHint: true, idempotentHint: false }, async (args) => {
+    }, { title: 'Delete Memories', readOnlyHint: false, destructiveHint: true, idempotentHint: false }, withKillSwitchGuard('memory_write', async (args) => {
         const source = resolveToolSource(args.source, 'forget');
         const result = await executeForget({ ...args, source });
         return {
             content: [{ type: 'text', text: formatForgetResult(result) }],
         };
-    });
+    }));
     // Get Context - THE KEY TOOL
     server.tool('get_context', `Get relevant context from memory. THE KEY TOOL for maintaining context.
 
@@ -224,7 +283,7 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
         format: z.enum(['summary', 'detailed', 'raw']).optional().default('summary')
             .describe('Output format'),
         source: sourceParam,
-    }, { title: 'Get Project Context', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('get_context', async (args) => {
+    }, { title: 'Get Project Context', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('get_context', async (args) => {
         const source = resolveToolSource(args.source, 'get_context');
         const result = await executeGetContext({ ...args, source });
         return {
@@ -233,11 +292,11 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                     text: result.success ? result.context : `Error: ${result.error}`
                 }],
         };
-    }));
+    })));
     // Start Session
     server.tool('start_session', 'Start a new coding session. Returns relevant context.', {
         project: z.string().optional().describe('Project scope. Auto-detected if not provided. Use "*" for global.'),
-    }, { title: 'Start Session', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, async (args) => {
+    }, { title: 'Start Session', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, withKillSwitchGuard('memory_write', async (args) => {
         const result = await executeStartSession(args);
         return {
             content: [{
@@ -247,12 +306,12 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                         : `Error: ${result.error}`
                 }],
         };
-    });
+    }));
     // End Session
     server.tool('end_session', 'End session and trigger consolidation.', {
         sessionId: z.number().describe('Session ID'),
         summary: z.string().optional().describe('Session summary'),
-    }, { title: 'End Session', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, async (args) => {
+    }, { title: 'End Session', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_write', async (args) => {
         const result = executeEndSession(args);
         if (!result.success) {
             return { content: [{ type: 'text', text: `Error: ${result.error}` }] };
@@ -264,12 +323,12 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                     text: `Session ended. Consolidation: ${r.consolidated} promoted, ${r.decayed} decayed, ${r.deleted} deleted.`
                 }],
         };
-    });
+    }));
     // Consolidate
     server.tool('consolidate', 'Run memory consolidation (like brain sleep). Promotes STM to LTM, decays old memories. Use dryRun to preview.', {
         force: z.boolean().optional().default(false).describe('Force consolidation'),
         dryRun: z.boolean().optional().default(false).describe('Preview what would happen without doing it'),
-    }, { title: 'Run Memory Consolidation', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, async (args) => {
+    }, { title: 'Run Memory Consolidation', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, withKillSwitchGuard('consolidation', async (args) => {
         const result = executeConsolidate(args);
         if (!result.success) {
             return { content: [{ type: 'text', text: `Error: ${result.error}` }] };
@@ -301,11 +360,11 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                     text: `Consolidation: ${r.consolidated} promoted, ${r.decayed} updated, ${r.deleted} deleted.`
                 }],
         };
-    });
+    }));
     // Stats
     server.tool('memory_stats', 'Get memory statistics.', {
         project: z.string().optional().describe('Project scope. Auto-detected if not provided. Use "*" for all projects.'),
-    }, { title: 'Memory Statistics', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, async (args) => {
+    }, { title: 'Memory Statistics', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('status', async (args) => {
         const result = executeStats(args);
         return {
             content: [{
@@ -313,12 +372,12 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                     text: result.success ? formatStats(result.stats) : `Error: ${result.error}`
                 }],
         };
-    });
+    }));
     // Get Memory by ID
     server.tool('get_memory', 'Get a specific memory by ID.', {
         id: z.number().describe('Memory ID'),
         source: sourceParam,
-    }, { title: 'Get Memory by ID', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('get_memory', async (args) => {
+    }, { title: 'Get Memory by ID', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('get_memory', async (args) => {
         const source = resolveToolSource(args.source, 'get_memory');
         const result = executeGetMemory({ ...args, source });
         return {
@@ -327,11 +386,11 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                     text: result.success ? formatMemory(result.memory, true) : `Error: ${result.error}`
                 }],
         };
-    }));
+    })));
     // Export memories
     server.tool('export_memories', 'Export memories as JSON for backup.', {
         project: z.string().optional().describe('Project scope. Auto-detected if not provided. Use "*" for all projects.'),
-    }, { title: 'Export Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('export_memories', async (args) => {
+    }, { title: 'Export Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('export_memories', async (args) => {
         const result = executeExport(args);
         return {
             content: [{
@@ -341,11 +400,29 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                         : `Error: ${result.error}`
                 }],
         };
-    }));
+    })));
     // Import memories
     server.tool('import_memories', 'Import memories from JSON.', {
         data: z.string().describe('JSON data'),
-    }, { title: 'Import Memories', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, async (args) => {
+    }, { title: 'Import Memories', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, withKillSwitchGuard('memory_write', async (args) => {
+        // Check imported content for kill phrase
+        try {
+            const parsed = JSON.parse(args.data);
+            const entries = Array.isArray(parsed) ? parsed : (parsed.memories ?? []);
+            for (const entry of entries) {
+                const text = `${entry.title ?? ''} ${entry.content ?? ''}`;
+                if (checkAndTriggerKillSwitch(text, 'import_memories')) {
+                    const meta = getKillSwitchMeta();
+                    return {
+                        content: [{ type: 'text', text: `## KILL SWITCH ACTIVATED\n\nKill phrase detected in imported content. All operations locked down.\n\nTriggered: ${meta?.triggeredAt}\nUse \`iron_dome_resume\` to resume after investigation.` }],
+                        isError: true,
+                    };
+                }
+            }
+        }
+        catch {
+            // JSON parse failures will be caught by executeImport
+        }
         const result = executeImport(args);
         return {
             content: [{
@@ -355,11 +432,11 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                         : `Error: ${result.error}`
                 }],
         };
-    });
+    }));
     // Get Related Memories
     server.tool('get_related', 'Get memories related to a specific memory. Shows connections and relationships.', {
         id: z.number().describe('Memory ID to find relationships for'),
-    }, { title: 'Get Related Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('get_related', async (args) => {
+    }, { title: 'Get Related Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('get_related', async (args) => {
         const related = getRelatedMemories(args.id);
         if (related.length === 0) {
             return { content: [{ type: 'text', text: 'No related memories found.' }] };
@@ -371,7 +448,7 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
             lines.push(`  ID: ${r.memory.id} | ${r.memory.category} | ${(r.memory.salience * 100).toFixed(0)}% salience`);
         }
         return { content: [{ type: 'text', text: lines.join('\n') }] };
-    }));
+    })));
     // Link Memories
     server.tool('link_memories', 'Create a relationship link between two memories.', {
         sourceId: z.number().describe('Source memory ID'),
@@ -380,17 +457,17 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
             .describe('Type of relationship'),
         strength: z.number().min(0).max(1).optional().default(0.5)
             .describe('Relationship strength (0-1)'),
-    }, { title: 'Link Memories', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, async (args) => {
+    }, { title: 'Link Memories', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_write', async (args) => {
         const link = createMemoryLink(args.sourceId, args.targetId, args.relationship, args.strength);
         if (!link) {
             return { content: [{ type: 'text', text: 'Failed to create link. Memories may not exist or link already exists.' }] };
         }
         return { content: [{ type: 'text', text: `✓ Linked memory ${args.sourceId} → ${args.targetId} (${args.relationship})` }] };
-    });
+    }));
     // Set Project - Switch active project context
     server.tool('set_project', `Switch active project context. Use "${GLOBAL_PROJECT_SENTINEL}" for global/all projects.`, {
         project: z.string().describe(`Project name, or "${GLOBAL_PROJECT_SENTINEL}" for global scope`),
-    }, { title: 'Switch Project', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, async (args) => {
+    }, { title: 'Switch Project', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('config', async (args) => {
         const oldProject = getActiveProject();
         setActiveProject(args.project === GLOBAL_PROJECT_SENTINEL ? null : args.project);
         const newProject = getActiveProject();
@@ -400,8 +477,8 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
                     text: `Project context changed: ${oldProject || 'global'} → ${newProject || 'global'}`
                 }]
         };
-    });
-    // Get Project - Show current project scope
+    }));
+    // Get Project - Show current project scope (status — allowed during lockdown)
     server.tool('get_project', 'Show current project scope and detection info.', {}, { title: 'Show Current Project', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, async () => {
         const info = getProjectContextInfo();
         const lines = [
@@ -432,7 +509,7 @@ but you can use this tool to check for new contradictions at any time.`, {
             .describe('Minimum contradiction score (0-1, default 0.4)'),
         limit: z.number().min(1).max(50).optional().default(10)
             .describe('Maximum results to return'),
-    }, { title: 'Detect Contradictions', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('detect_contradictions', async (args) => {
+    }, { title: 'Detect Contradictions', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('consolidation', withResponseScan('detect_contradictions', async (args) => {
         const project = args.project ?? getActiveProject() ?? undefined;
         const contradictions = detectContradictions({
             project,
@@ -455,7 +532,7 @@ but you can use this tool to check for new contradictions at any time.`, {
         }
         lines.push(`\n*Found ${contradictions.length} potential contradiction(s). Use \`get_related\` to see linked contradictions.*`);
         return { content: [{ type: 'text', text: lines.join('\n') }] };
-    }));
+    })));
     // ============================================
     // KNOWLEDGE GRAPH TOOLS
     // ============================================
@@ -464,19 +541,19 @@ but you can use this tool to check for new contradictions at any time.`, {
         entity: z.string().describe('Entity name to start from'),
         depth: z.number().optional().describe('Max traversal depth (default 2)'),
         predicates: z.array(z.string()).optional().describe('Filter by predicate types'),
-    }, { title: 'Knowledge Graph Query', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('graph_query', async (args) => handleGraphQuery(args)));
+    }, { title: 'Knowledge Graph Query', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('graph', withResponseScan('graph_query', async (args) => handleGraphQuery(args))));
     // Graph Entities - List known entities
     server.tool('graph_entities', 'List known entities in the knowledge graph, optionally filtered by type.', {
         type: z.string().optional().describe('Filter by entity type (person, tool, concept, file, language, service, pattern)'),
         minMentions: z.number().optional().describe('Minimum memory references (default 1)'),
         limit: z.number().optional().describe('Max results (default 50)'),
-    }, { title: 'List Graph Entities', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('graph_entities', async (args) => handleGraphEntities(args)));
+    }, { title: 'List Graph Entities', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('graph', withResponseScan('graph_entities', async (args) => handleGraphEntities(args))));
     // Graph Explain - Find paths between entities
     server.tool('graph_explain', 'Explain the relationship between two entities by finding paths connecting them in the knowledge graph.', {
         from: z.string().describe('Source entity name'),
         to: z.string().describe('Target entity name'),
         maxDepth: z.number().optional().describe('Max path length (default 4)'),
-    }, { title: 'Explain Entity Relationship', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withResponseScan('graph_explain', async (args) => handleGraphExplain(args)));
+    }, { title: 'Explain Entity Relationship', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('graph', withResponseScan('graph_explain', async (args) => handleGraphExplain(args))));
     // ============================================
     // DEFENCE TOOLS
     // ============================================
@@ -499,7 +576,7 @@ but you can use this tool to check for new contradictions at any time.`, {
         quarantineId: z.number().optional().describe('ID for approve/reject'),
         sourceIdentifier: z.string().optional().describe('Source identifier for batch approve (e.g. "user-spawned>task-1")'),
         notes: z.string().optional(),
-    }, { title: 'Review Quarantined Memories', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, async (args) => {
+    }, { title: 'Review Quarantined Memories', readOnlyHint: false, destructiveHint: false, idempotentHint: false }, withKillSwitchGuard('memory_write', async (args) => {
         const db = (await import('./database/init.js')).getDatabase();
         if (args.action === 'list') {
             const items = db.prepare('SELECT * FROM quarantine WHERE status = ? ORDER BY created_at DESC LIMIT 50').all('pending');
@@ -545,8 +622,8 @@ but you can use this tool to check for new contradictions at any time.`, {
             return { content: [{ type: 'text', text: `Batch approved ${items.length} items from "${args.sourceIdentifier}" (${promoted} promoted to memory).` }] };
         }
         return { content: [{ type: 'text', text: 'Invalid action or missing required parameters.' }] };
-    });
-    // Defence Stats
+    }));
+    // Defence Stats (allowed during lockdown)
     server.tool('defence_stats', 'Get defence system statistics', {
         timeRange: z.enum(['24h', '7d', '30d']).default('24h'),
     }, { title: 'Defence Statistics', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, async (args) => {
@@ -573,6 +650,14 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         mode: z.enum(['advisory', 'enforce']).optional()
             .describe('Scan mode: advisory (log only) or enforce (can redact). Default: advisory'),
     }, { title: 'Scan Tool Response', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, async (args) => {
+        // Check for kill phrase in scanned content
+        if (checkAndTriggerKillSwitch(args.content, 'scan_tool_response')) {
+            const meta = getKillSwitchMeta();
+            return {
+                content: [{ type: 'text', text: `## KILL SWITCH ACTIVATED\n\nKill phrase detected in tool response. All operations locked down.\n\nTriggered: ${meta?.triggeredAt}\nUse \`iron_dome_resume\` to resume after investigation.` }],
+                isError: true,
+            };
+        }
         const scan = scanToolResponse(args.toolName, args.content, args.mode);
         const lines = [
             `## Tool Response Scan: ${args.toolName}`,
@@ -664,15 +749,29 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
     // ============================================
     // IRON DOME TOOLS
     // ============================================
-    // Iron Dome Status
-    server.tool('iron_dome_status', 'Check if Iron Dome is active, show config summary including profile, trusted channels, and approval rules.', {}, { title: 'Iron Dome Status', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, async () => {
+    // Iron Dome Status (allowed during lockdown — forensic access)
+    server.tool('iron_dome_status', 'Check if Iron Dome is active and show kill switch state. Shows config summary including profile, trusted channels, and approval rules.', {}, { title: 'Iron Dome Status', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, async () => {
         const { getIronDomeStatus } = await import('./defence/iron-dome/index.js');
         const status = getIronDomeStatus();
+        const killMeta = getKillSwitchMeta();
         const lines = [
             `## Iron Dome Status`,
             '',
-            `**Active:** ${status.enabled ? 'Yes' : 'No'}`,
         ];
+        // Kill switch state (most important — show first)
+        if (isKillSwitchActive() && killMeta) {
+            lines.push(`**KILL SWITCH: ACTIVE**`);
+            lines.push(`**Triggered:** ${killMeta.triggeredAt}`);
+            lines.push(`**Source:** ${killMeta.source}`);
+            if (killMeta.phrase)
+                lines.push(`**Phrase:** "${killMeta.phrase}"`);
+            if (killMeta.memoryCountAtTrigger != null)
+                lines.push(`**Memories at trigger:** ${killMeta.memoryCountAtTrigger}`);
+            lines.push('');
+            lines.push('> All operations are locked down. Use `iron_dome_resume` to resume.');
+            lines.push('');
+        }
+        lines.push(`**Iron Dome Active:** ${status.enabled ? 'Yes' : 'No'}`);
         if (status.enabled) {
             const c = status.config;
             lines.push(`**Profile:** ${c.profile ?? 'custom'}`);
@@ -740,7 +839,7 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
     server.tool('iron_dome_activate', 'Activate Iron Dome with a profile. Profiles: school (GDPR strict), enterprise (financial protection), personal (lighter touch), paranoid (everything requires approval).', {
         profile: z.enum(['school', 'enterprise', 'personal', 'paranoid']).optional()
             .describe('Security profile to activate'),
-    }, { title: 'Activate Iron Dome', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, async (args) => {
+    }, { title: 'Activate Iron Dome', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('config', async (args) => {
         const { activateIronDome } = await import('./defence/iron-dome/index.js');
         const config = activateIronDome(args.profile);
         const lines = [
@@ -753,12 +852,50 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
             `**Auto-Approve:** ${config.autoApprove.join(', ')}`,
         ];
         return { content: [{ type: 'text', text: lines.join('\n') }] };
+    }));
+    // ============================================
+    // IRON DOME EMERGENCY TOOLS
+    // ============================================
+    // Emergency Stop — NOT guarded (must always work)
+    server.tool('iron_dome_emergency_stop', 'Emergency kill switch — immediately locks down ALL agent operations. Use when you detect suspicious activity. Reversible via iron_dome_resume.', {}, { title: 'Emergency Stop', readOnlyHint: false, destructiveHint: true, idempotentHint: true }, async () => {
+        activateKillSwitch({ source: 'mcp_tool' });
+        const meta = getKillSwitchMeta();
+        return {
+            content: [{
+                    type: 'text',
+                    text: `## KILL SWITCH ACTIVATED\n\nAll operations locked down.\n\n` +
+                        `**Triggered:** ${meta?.triggeredAt}\n` +
+                        `**Source:** MCP tool\n\n` +
+                        `Memory creation, recall, graph queries, and all other operations are blocked.\n` +
+                        `Use \`iron_dome_resume\` with a reason to resume after investigation.`,
+                }],
+        };
+    });
+    // Resume — NOT guarded (this IS the unlock)
+    server.tool('iron_dome_resume', 'Resume agent operations after kill switch investigation. Only use after confirming the threat has been addressed.', {
+        reason: z.string().describe('Why operations are being resumed (required for audit trail)'),
+    }, { title: 'Resume Operations', readOnlyHint: false, destructiveHint: false, idempotentHint: true }, async (args) => {
+        if (!isKillSwitchActive()) {
+            return {
+                content: [{ type: 'text', text: 'Kill switch is not active. No action needed.' }],
+            };
+        }
+        deactivateKillSwitch(args.reason);
+        return {
+            content: [{
+                    type: 'text',
+                    text: `## Operations Resumed\n\nKill switch deactivated.\n**Reason:** ${args.reason}\n\nAll tools are now operational. Iron Dome continues protecting.`,
+                }],
+        };
     });
     // ============================================
     // RESOURCES
     // ============================================
-    // Project context resource
+    // Project context resource (blocked during kill switch)
     server.resource('memory://context', 'memory://context', async () => {
+        if (isKillSwitchActive()) {
+            return { contents: [{ uri: 'memory://context', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
+        }
         const summary = await generateContextSummary();
         return {
             contents: [{
@@ -768,8 +905,11 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
                 }],
         };
     });
-    // Important memories resource
+    // Important memories resource (blocked during kill switch)
     server.resource('memory://important', 'memory://important', async () => {
+        if (isKillSwitchActive()) {
+            return { contents: [{ uri: 'memory://important', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
+        }
         const memories = getHighPriorityMemories(20);
         const text = memories.map(m => `## ${m.title}\n${m.content}\n*${m.category} | ${(m.salience * 100).toFixed(0)}% salience*\n`).join('\n');
         return {
@@ -780,8 +920,11 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
                 }],
         };
     });
-    // Recent memories resource
+    // Recent memories resource (blocked during kill switch)
     server.resource('memory://recent', 'memory://recent', async () => {
+        if (isKillSwitchActive()) {
+            return { contents: [{ uri: 'memory://recent', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
+        }
         const memories = getRecentMemories(15);
         const text = memories.map(m => `- **${m.title}** (${m.category}): ${m.content.slice(0, 100)}...`).join('\n');
         return {
@@ -795,8 +938,13 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
     // ============================================
     // PROMPTS
     // ============================================
-    // Context restoration prompt
+    // Context restoration prompt (blocked during kill switch)
     server.prompt('restore_context', 'Restore context after compaction or at session start', async () => {
+        if (isKillSwitchActive()) {
+            return {
+                messages: [{ role: 'user', content: { type: 'text', text: '[KILL SWITCH ACTIVE] Context restoration blocked. Use iron_dome_resume to resume.' } }],
+            };
+        }
         const summary = await generateContextSummary();
         const context = formatContextSummary(summary);
         return {