shieldcortex 2.2.0 → 2.4.0

package/dist/defence/audit/queries.js

@@ -11,46 +11,52 @@ export function queryAuditLogs(options = {}) {
     const conditions = [];
     const params = {};
     if (options.startTime) {
-        conditions.push('timestamp >= @startTime');
+        conditions.push('da.timestamp >= @startTime');
         params.startTime = options.startTime;
     }
     if (options.endTime) {
-        conditions.push('timestamp <= @endTime');
+        conditions.push('da.timestamp <= @endTime');
         params.endTime = options.endTime;
     }
     if (options.firewallResult) {
-        conditions.push('firewall_result = @firewallResult');
+        conditions.push('da.firewall_result = @firewallResult');
         params.firewallResult = options.firewallResult;
     }
     if (options.source) {
-        conditions.push('source_type = @source');
+        conditions.push('da.source_type = @source');
         params.source = options.source;
     }
     if (options.memoryId !== undefined) {
-        conditions.push('memory_id = @memoryId');
+        conditions.push('da.memory_id = @memoryId');
         params.memoryId = options.memoryId;
     }
+    if (options.project) {
+        conditions.push('da.project = @project');
+        params.project = options.project;
+    }
     const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
     const limit = options.limit ?? 50;
-    const sql = `SELECT * FROM defence_audit ${where} ORDER BY timestamp DESC LIMIT @limit`;
+    const sql = `SELECT da.* FROM defence_audit da ${where} ORDER BY da.timestamp DESC LIMIT @limit`;
     params.limit = limit;
     return db.prepare(sql).all(params);
 }
 /**
  * Get aggregate audit statistics for a time range.
  */
-export function getAuditStats(timeRange) {
+export function getAuditStats(timeRange, project) {
     const db = getDatabase();
     const hoursMap = { '24h': 24, '7d': 168, '30d': 720 };
     const hours = hoursMap[timeRange];
     const since = new Date(Date.now() - hours * 3600_000).toISOString();
+    const projectCond = project ? 'AND da.project = ?' : '';
+    const baseParams = project ? [since, project] : [since];
     // Counts by firewall result
     const counts = db.prepare(`
-    SELECT firewall_result, COUNT(*) as cnt
-    FROM defence_audit
-    WHERE timestamp >= ?
-    GROUP BY firewall_result
-  `).all(since);
+    SELECT da.firewall_result, COUNT(*) as cnt
+    FROM defence_audit da
+    WHERE da.timestamp >= ? ${projectCond}
+    GROUP BY da.firewall_result
+  `).all(...baseParams);
     let totalOperations = 0;
     let allowedCount = 0;
     let blockedCount = 0;
@@ -66,19 +72,19 @@ export function getAuditStats(timeRange) {
     }
     // Top sources
     const topSources = db.prepare(`
-    SELECT source_type as source, COUNT(*) as count
-    FROM defence_audit
-    WHERE timestamp >= ?
-    GROUP BY source_type
+    SELECT da.source_type as source, COUNT(*) as count
+    FROM defence_audit da
+    WHERE da.timestamp >= ? ${projectCond}
+    GROUP BY da.source_type
     ORDER BY count DESC
     LIMIT 10
-  `).all(since);
+  `).all(...baseParams);
     // Threat indicator breakdown
     const rows = db.prepare(`
-    SELECT threat_indicators
-    FROM defence_audit
-    WHERE timestamp >= ? AND threat_indicators != '[]'
-  `).all(since);
+    SELECT da.threat_indicators
+    FROM defence_audit da
+    WHERE da.timestamp >= ? ${projectCond} AND da.threat_indicators != '[]'
+  `).all(...baseParams);
     const threatBreakdown = {};
     for (const row of rows) {
         try {
@@ -100,4 +106,70 @@ export function getAuditStats(timeRange) {
         threatBreakdown,
     };
 }
+// ── Agent Query Functions ──
+/**
+ * Get distinct agents aggregated from audit logs.
+ */
+export function queryAgentRegistry(timeRange = '24h', project) {
+    const db = getDatabase();
+    const hoursMap = { '24h': 24, '7d': 168, '30d': 720 };
+    const since = new Date(Date.now() - hoursMap[timeRange] * 3600_000).toISOString();
+    const projectCond = project ? 'AND project = ?' : '';
+    const params = project ? [since, project] : [since];
+    return db.prepare(`
+    SELECT source_type, source_identifier,
+      COUNT(*) as operation_count,
+      MAX(timestamp) as last_seen,
+      AVG(trust_score) as avg_trust_score,
+      MIN(trust_score) as min_trust_score,
+      MAX(trust_score) as max_trust_score,
+      SUM(CASE WHEN firewall_result != 'ALLOW' THEN 1 ELSE 0 END) as flagged_count
+    FROM defence_audit
+    WHERE timestamp >= ? ${projectCond}
+    GROUP BY source_type, source_identifier
+    ORDER BY operation_count DESC
+  `).all(...params);
+}
+/**
+ * Get trust score timeline for a specific agent.
+ */
+export function queryAgentTimeline(identifier, timeRange = '24h', project) {
+    const db = getDatabase();
+    const hoursMap = { '24h': 24, '7d': 168, '30d': 720 };
+    const since = new Date(Date.now() - hoursMap[timeRange] * 3600_000).toISOString();
+    const projectCond = project ? 'AND project = ?' : '';
+    const params = project ? [identifier, since, project] : [identifier, since];
+    return db.prepare(`
+    SELECT timestamp, trust_score, firewall_result, anomaly_score
+    FROM defence_audit
+    WHERE source_identifier = ? AND timestamp >= ? ${projectCond}
+    ORDER BY timestamp ASC
+  `).all(...params);
+}
+/**
+ * Get paginated audit entries for a specific agent.
+ */
+export function queryAgentOperations(identifier, options = {}) {
+    const db = getDatabase();
+    const conditions = ['source_identifier = @identifier'];
+    const params = { identifier };
+    if (options.firewallResult) {
+        conditions.push('firewall_result = @firewallResult');
+        params.firewallResult = options.firewallResult;
+    }
+    if (options.project) {
+        conditions.push('project = @project');
+        params.project = options.project;
+    }
+    const limit = options.limit ?? 50;
+    const offset = options.offset ?? 0;
+    params.limit = limit;
+    params.offset = offset;
+    return db.prepare(`
+    SELECT * FROM defence_audit
+    WHERE ${conditions.join(' AND ')}
+    ORDER BY timestamp DESC
+    LIMIT @limit OFFSET @offset
+  `).all(params);
+}
 //# sourceMappingURL=queries.js.map

package/dist/defence/audit/queries.js.map

@@ -1 +1 @@
-{"version":3,"file":"queries.js","sourceRoot":"","sources":["../../../src/defence/audit/queries.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAwBrD,wBAAwB;AAExB;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,UAA6B,EAAE;IAC5D,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IACzB,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,UAAU,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAC3C,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IACvC,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,UAAU,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACrD,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IACjD,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QACnC,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IACrC,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAElC,MAAM,GAAG,GAAG,+BAA+B,KAAK,uCAAuC,CAAC;IACxF,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;IAErB,OAAO,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAiB,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,SAA+B;IAC3D,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IAEzB,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAEpE,4BAA4B;IAC5B,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;GAKzB,CAAC,CAAC,GAAG,CAAC,KAAK,CAA+C,CAAC;IAE5D,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IAEzB,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,eAAe,IAAI,GAAG,CAAC,GAAG,CAAC;QAC3B,IAAI,GAAG,CAAC,eAAe,KAAK,OAAO;YAAE,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC;aACvD,IAAI,GAAG,CAAC,eAAe,KAAK,OAAO;YAAE,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC;aAC5D,IAAI,GAAG,CAAC,eAAe,KAAK,YAAY;YAAE,gBAAgB,GAAG,GAAG,CAAC,GAAG,CAAC;IAC5E,CAAC;IAED,cAAc;IACd,MAAM,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;GAO7B,CAAC,CAAC,GAAG,CAAC,KAAK,CAAwC,CAAC;IAErD,6BAA6B;IAC7B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC;;;;GAIvB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAoC,CAAC;IAEjD,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,UAAU,GAAa,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,eAAe,CAAC,SAAS,CAAC,GAAG,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;IACH,CAAC;IAED,OAAO;QACL,eAAe;QACf,YAAY;QACZ,YAAY;QACZ,gBAAgB;QAChB,UAAU;QACV,eAAe;KAChB,CAAC;AACJ,CAAC"}
+{"version":3,"file":"queries.js","sourceRoot":"","sources":["../../../src/defence/audit/queries.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AA6CrD,wBAAwB;AAExB;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,UAA6B,EAAE;IAC5D,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IACzB,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,UAAU,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAC9C,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IACvC,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC5C,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,UAAU,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACxD,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IACjD,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QACnC,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC5C,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IACrC,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACnC,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAElC,MAAM,GAAG,GAAG,qCAAqC,KAAK,0CAA0C,CAAC;IACjG,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;IAErB,OAAO,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAiB,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,SAA+B,EAAE,OAAgB;IAC7E,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IAEzB,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAEpE,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAExD,4BAA4B;IAC5B,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;8BAGE,WAAW;;GAEtC,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAA+C,CAAC;IAEpE,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IAEzB,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,eAAe,IAAI,GAAG,CAAC,GAAG,CAAC;QAC3B,IAAI,GAAG,CAAC,eAAe,KAAK,OAAO;YAAE,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC;aACvD,IAAI,GAAG,CAAC,eAAe,KAAK,OAAO;YAAE,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC;aAC5D,IAAI,GAAG,CAAC,eAAe,KAAK,YAAY;YAAE,gBAAgB,GAAG,GAAG,CAAC,GAAG,CAAC;IAC5E,CAAC;IAED,cAAc;IACd,MAAM,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;8BAGF,WAAW;;;;GAItC,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAwC,CAAC;IAE7D,6BAA6B;IAC7B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC;;;8BAGI,WAAW;GACtC,CAAC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAoC,CAAC;IAEzD,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,UAAU,GAAa,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,eAAe,CAAC,SAAS,CAAC,GAAG,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;IACH,CAAC;IAED,OAAO;QACL,eAAe;QACf,YAAY;QACZ,YAAY;QACZ,gBAAgB;QAChB,UAAU;QACV,eAAe;KAChB,CAAC;AACJ,CAAC;AAED,8BAA8B;AAE9B;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAkC,KAAK,EAAE,OAAgB;IAC1F,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAElF,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAEpD,OAAO,EAAE,CAAC,OAAO,CAAC;;;;;;;;;2BASO,WAAW;;;GAGnC,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAgB,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAAkB,EAClB,YAAkC,KAAK,EACvC,OAAgB;IAEhB,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAElF,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAE5E,OAAO,EAAE,CAAC,OAAO,CAAC;;;qDAGiC,WAAW;;GAE7D,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAyB,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAkB,EAClB,UAAkG,EAAE;IAEpG,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IACzB,MAAM,UAAU,GAAa,CAAC,iCAAiC,CAAC,CAAC;IACjE,MAAM,MAAM,GAA4B,EAAE,UAAU,EAAE,CAAC;IAEvD,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,UAAU,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACrD,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IACjD,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,UAAU,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACnC,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;IACnC,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;IAEvB,OAAO,EAAE,CAAC,OAAO,CAAC;;YAER,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;;;GAGjC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAiB,CAAC;AACjC,CAAC"}

package/dist/defence/pipeline.d.ts

@@ -5,5 +5,5 @@
  * Fail-open: if any layer throws, the pipeline defaults to ALLOW with a warning.
  */
 import type { DefenceConfig, DefencePipelineResult, DefenceSource } from './types.js';
-export declare function runDefencePipeline(content: string, title: string, source: DefenceSource, config?: DefenceConfig): DefencePipelineResult;
+export declare function runDefencePipeline(content: string, title: string, source: DefenceSource, config?: DefenceConfig, project?: string): DefencePipelineResult;
 //# sourceMappingURL=pipeline.d.ts.map

package/dist/defence/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,qBAAqB,EACrB,aAAa,EAKd,MAAM,YAAY,CAAC;AASpB,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,MAAM,CAAC,EAAE,aAAa,GACrB,qBAAqB,CA2HvB"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,qBAAqB,EACrB,aAAa,EAKd,MAAM,YAAY,CAAC;AAUpB,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,qBAAqB,CA+IvB"}

package/dist/defence/pipeline.js

@@ -10,7 +10,8 @@ import { analyzeFirewall } from './firewall/index.js';
 import { classifySensitivity } from './sensitivity/index.js';
 import { analyzeFragmentation } from './fragmentation/index.js';
 import { logAudit, createContentHash } from './audit/index.js';
-export function runDefencePipeline(content, title, source, config) {
+import { persistEvent } from '../api/events.js';
+export function runDefencePipeline(content, title, source, config, project) {
     const cfg = config ?? DEFAULT_DEFENCE_CONFIG;
     const startTime = performance.now();
     try {
@@ -54,6 +55,7 @@ export function runDefencePipeline(content, title, source, config) {
         const _contentHash = createContentHash(content);
         const auditId = logAudit({
             memory_id: null,
+            project: project ?? null,
             timestamp: new Date().toISOString(),
             source_type: source.type,
             source_identifier: source.identifier,
@@ -67,6 +69,24 @@ export function runDefencePipeline(content, title, source, config) {
             fragmentation_score: fragmentation?.score ?? null,
             pipeline_duration_ms: durationMs,
         });
+        // 7. Emit defence event for real-time dashboard alerts (BLOCK/QUARANTINE only)
+        if (firewall.result !== 'ALLOW') {
+            try {
+                persistEvent('defence_event', {
+                    source_type: source.type,
+                    source_identifier: source.identifier,
+                    firewall_result: firewall.result,
+                    trust_score: trust.score,
+                    anomaly_score: firewall.anomalyScore,
+                    reason,
+                    threat_indicators: JSON.stringify(firewall.threatIndicators),
+                    timestamp: new Date().toISOString(),
+                });
+            }
+            catch {
+                // Event persistence is best-effort
+            }
+        }
         return {
             allowed,
             firewall,
@@ -82,6 +102,7 @@ export function runDefencePipeline(content, title, source, config) {
         console.error('[defence] Pipeline error, failing open:', err);
         const auditId = logAudit({
             memory_id: null,
+            project: project ?? null,
             timestamp: new Date().toISOString(),
             source_type: source.type,
             source_identifier: source.identifier,

package/dist/defence/pipeline.js.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,KAAa,EACb,MAAqB,EACrB,MAAsB;IAEtB,MAAM,GAAG,GAAG,MAAM,IAAI,sBAAsB,CAAC;IAC7C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEpC,IAAI,CAAC;QACH,iBAAiB;QACjB,MAAM,KAAK,GAAe,WAAW,CAAC,MAAM,CAAC,CAAC;QAE9C,kBAAkB;QAClB,MAAM,QAAQ,GAAqB,eAAe,CAChD,OAAO,EACP,KAAK,EACL,MAAM,EACN,KAAK,CAAC,KAAK,EACX,GAAG,CACJ,CAAC;QAEF,0BAA0B;QAC1B,MAAM,WAAW,GAA8B,mBAAmB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAEnF,wEAAwE;QACxE,IAAI,aAAa,GAAiC,IAAI,CAAC;QACvD,IAAI,GAAG,CAAC,4BAA4B,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YACpE,aAAa,GAAG,oBAAoB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAED,8BAA8B;QAC9B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QAEnB,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC3B,CAAC;aAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5C,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,gBAAgB,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC7C,CAAC;aAAM,IACL,aAAa,KAAK,IAAI;YACtB,aAAa,CAAC,KAAK,GAAG,GAAG,CAAC,uBAAuB,EACjD,CAAC;YACD,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,oCAAoC,aAAa,CAAC,KAAK,sBAAsB,GAAG,CAAC,uBAAuB,EAAE,CAAC;QACtH,CAAC;aAAM,IAAI,WAAW,CAAC,KAAK,KAAK,YAAY,EAAE,CAAC;YAC9C,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,8CAA8C,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QACpG,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7D,eAAe;QACf,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,QAAQ,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;YACpC,WAAW,EAAE,KAAK,CAAC,KAAK;YACxB,iBAAiB,EAAE,WAAW,CAAC,KAAK;YACpC,eAAe,EAAE,QAAQ,CAAC,MAAM;YAChC,aAAa,EAAE,QAAQ,CAAC,YAAY;YACpC,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC5D,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC1D,MAAM;YACN,mBAAmB,EAAE,aAAa,EAAE,KAAK,IAAI,IAAI;YACjD,oBAAoB,EAAE,UAAU;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO;YACP,QAAQ;YACR,aAAa;YACb,WAAW;YACX,KAAK;YACL,OAAO;SACR,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,mCAAmC;QACnC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,CAAC;QAE9D,MAAM,OAAO,GAAG,QAAQ,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;YACpC,WAAW,EAAE,CAAC;YACd,iBAAiB,EAAE,QAAQ;YAC3B,eAAe,EAAE,OAAO;YACxB,aAAa,EAAE,CAAC;YAChB,iBAAiB,EAAE,IAAI;YACvB,gBAAgB,EAAE,IAAI;YACtB,MAAM,EAAE,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YACzF,mBAAmB,EAAE,IAAI;YACzB,oBAAoB,EAAE,UAAU;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,oCAAoC;gBAC5C,gBAAgB,EAAE,EAAE;gBACpB,YAAY,EAAE,CAAC;gBACf,eAAe,EAAE,EAAE;aACpB;YACD,aAAa,EAAE,IAAI;YACnB,WAAW,EAAE;gBACX,KAAK,EAAE,QAAQ;gBACf,UAAU,EAAE,CAAC;gBACb,gBAAgB,EAAE,EAAE;gBACpB,iBAAiB,EAAE,KAAK;aACzB;YACD,KAAK,EAAE;gBACL,KAAK,EAAE,CAAC;gBACR,MAAM;gBACN,SAAS,EAAE,EAAE;aACd;YACD,OAAO;SACR,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,KAAa,EACb,MAAqB,EACrB,MAAsB,EACtB,OAAgB;IAEhB,MAAM,GAAG,GAAG,MAAM,IAAI,sBAAsB,CAAC;IAC7C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEpC,IAAI,CAAC;QACH,iBAAiB;QACjB,MAAM,KAAK,GAAe,WAAW,CAAC,MAAM,CAAC,CAAC;QAE9C,kBAAkB;QAClB,MAAM,QAAQ,GAAqB,eAAe,CAChD,OAAO,EACP,KAAK,EACL,MAAM,EACN,KAAK,CAAC,KAAK,EACX,GAAG,CACJ,CAAC;QAEF,0BAA0B;QAC1B,MAAM,WAAW,GAA8B,mBAAmB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAEnF,wEAAwE;QACxE,IAAI,aAAa,GAAiC,IAAI,CAAC;QACvD,IAAI,GAAG,CAAC,4BAA4B,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YACpE,aAAa,GAAG,oBAAoB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAED,8BAA8B;QAC9B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QAEnB,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC3B,CAAC;aAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5C,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,gBAAgB,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC7C,CAAC;aAAM,IACL,aAAa,KAAK,IAAI;YACtB,aAAa,CAAC,KAAK,GAAG,GAAG,CAAC,uBAAuB,EACjD,CAAC;YACD,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,oCAAoC,aAAa,CAAC,KAAK,sBAAsB,GAAG,CAAC,uBAAuB,EAAE,CAAC;QACtH,CAAC;aAAM,IAAI,WAAW,CAAC,KAAK,KAAK,YAAY,EAAE,CAAC;YAC9C,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,8CAA8C,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QACpG,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7D,eAAe;QACf,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,QAAQ,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,OAAO,IAAI,IAAI;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;YACpC,WAAW,EAAE,KAAK,CAAC,KAAK;YACxB,iBAAiB,EAAE,WAAW,CAAC,KAAK;YACpC,eAAe,EAAE,QAAQ,CAAC,MAAM;YAChC,aAAa,EAAE,QAAQ,CAAC,YAAY;YACpC,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC5D,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC1D,MAAM;YACN,mBAAmB,EAAE,aAAa,EAAE,KAAK,IAAI,IAAI;YACjD,oBAAoB,EAAE,UAAU;SACjC,CAAC,CAAC;QAEH,+EAA+E;QAC/E,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,YAAY,CAAC,eAAe,EAAE;oBAC5B,WAAW,EAAE,MAAM,CAAC,IAAI;oBACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;oBACpC,eAAe,EAAE,QAAQ,CAAC,MAAM;oBAChC,WAAW,EAAE,KAAK,CAAC,KAAK;oBACxB,aAAa,EAAE,QAAQ,CAAC,YAAY;oBACpC,MAAM;oBACN,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBAC5D,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;YACrC,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO;YACP,QAAQ;YACR,aAAa;YACb,WAAW;YACX,KAAK;YACL,OAAO;SACR,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,mCAAmC;QACnC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,CAAC;QAE9D,MAAM,OAAO,GAAG,QAAQ,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,OAAO,IAAI,IAAI;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;YACpC,WAAW,EAAE,CAAC;YACd,iBAAiB,EAAE,QAAQ;YAC3B,eAAe,EAAE,OAAO;YACxB,aAAa,EAAE,CAAC;YAChB,iBAAiB,EAAE,IAAI;YACvB,gBAAgB,EAAE,IAAI;YACtB,MAAM,EAAE,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YACzF,mBAAmB,EAAE,IAAI;YACzB,oBAAoB,EAAE,UAAU;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,oCAAoC;gBAC5C,gBAAgB,EAAE,EAAE;gBACpB,YAAY,EAAE,CAAC;gBACf,eAAe,EAAE,EAAE;aACpB;YACD,aAAa,EAAE,IAAI;YACnB,WAAW,EAAE;gBACX,KAAK,EAAE,QAAQ;gBACf,UAAU,EAAE,CAAC;gBACb,gBAAgB,EAAE,EAAE;gBACpB,iBAAiB,EAAE,KAAK;aACzB;YACD,KAAK,EAAE;gBACL,KAAK,EAAE,CAAC;gBACR,MAAM;gBACN,SAAS,EAAE,EAAE;aACd;YACD,OAAO;SACR,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/defence/quarantine/auto-expire.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Quarantine auto-expiry — rejects unreviewed items after a TTL.
+ *
+ * Safer default: expired items are rejected (discarded), not promoted.
+ * A memory that sat in quarantine for 7 days with nobody reviewing it
+ * shouldn't be promoted to the memory store.
+ */
+/**
+ * Set expires_at on quarantine items that don't have one,
+ * then reject any expired items.
+ *
+ * @returns Number of items expired (rejected)
+ */
+export declare function expireQuarantineItems(ttlDays?: number): number;
+//# sourceMappingURL=auto-expire.d.ts.map

package/dist/defence/quarantine/auto-expire.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-expire.d.ts","sourceRoot":"","sources":["../../../src/defence/quarantine/auto-expire.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,GAAE,MAAU,GAAG,MAAM,CA0BjE"}

package/dist/defence/quarantine/auto-expire.js

@@ -0,0 +1,38 @@
+/**
+ * Quarantine auto-expiry — rejects unreviewed items after a TTL.
+ *
+ * Safer default: expired items are rejected (discarded), not promoted.
+ * A memory that sat in quarantine for 7 days with nobody reviewing it
+ * shouldn't be promoted to the memory store.
+ */
+import { getDatabase } from '../../database/init.js';
+/**
+ * Set expires_at on quarantine items that don't have one,
+ * then reject any expired items.
+ *
+ * @returns Number of items expired (rejected)
+ */
+export function expireQuarantineItems(ttlDays = 7) {
+    const db = getDatabase();
+    // Set expires_at on new items that don't have one
+    db.prepare(`
+    UPDATE quarantine
+    SET expires_at = datetime(created_at, '+' || ? || ' days')
+    WHERE expires_at IS NULL AND status = 'pending'
+  `).run(ttlDays);
+    // Reject expired items
+    const result = db.prepare(`
+    UPDATE quarantine
+    SET status = 'expired',
+        reviewed_by = 'auto-expire',
+        reviewed_at = CURRENT_TIMESTAMP
+    WHERE status = 'pending'
+      AND expires_at IS NOT NULL
+      AND expires_at < datetime('now')
+  `).run();
+    if (result.changes > 0) {
+        console.error(`[quarantine] Auto-expired ${result.changes} item(s) after ${ttlDays} days`);
+    }
+    return result.changes;
+}
+//# sourceMappingURL=auto-expire.js.map

package/dist/defence/quarantine/auto-expire.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-expire.js","sourceRoot":"","sources":["../../../src/defence/quarantine/auto-expire.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,UAAkB,CAAC;IACvD,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IAEzB,kDAAkD;IAClD,EAAE,CAAC,OAAO,CAAC;;;;GAIV,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAEhB,uBAAuB;IACvB,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;;GAQzB,CAAC,CAAC,GAAG,EAAE,CAAC;IAET,IAAI,MAAM,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,CAAC,OAAO,kBAAkB,OAAO,OAAO,CAAC,CAAC;IAC7F,CAAC;IAED,OAAO,MAAM,CAAC,OAAO,CAAC;AACxB,CAAC"}

package/dist/defence/trust/access-control.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Memory access control — enforces read/write/delete policies based on trust.
+ *
+ * Access rules:
+ *   Trust ≥ 0.7  → Read all, write direct, delete own
+ *   Trust 0.5–0.7 → Read own + non-restricted, write quarantine, delete own
+ *   Trust < 0.5  → Read own only, write quarantine, delete none
+ *
+ * RESTRICTED memories are always blocked below trust 0.7 (credential isolation).
+ */
+import type { DefenceSource } from '../types.js';
+export interface AccessPolicy {
+    canRead: boolean;
+    canWrite: boolean;
+    canDelete: boolean;
+    writeRequiresQuarantine: boolean;
+    reason: string;
+}
+/** Minimal memory shape needed for access checks */
+export interface AccessCheckMemory {
+    id: number;
+    source?: string | null;
+    sensitivity_level?: string | null;
+}
+/**
+ * Check whether a source has access to a memory for a given operation.
+ */
+export declare function checkAccess(memory: AccessCheckMemory, source: DefenceSource, operation: 'read' | 'write' | 'delete'): AccessPolicy;
+//# sourceMappingURL=access-control.d.ts.map

package/dist/defence/trust/access-control.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../../src/defence/trust/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,OAAO,CAAC;IACnB,uBAAuB,EAAE,OAAO,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,oDAAoD;AACpD,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,aAAa,EACrB,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GACrC,YAAY,CA+Cd"}

package/dist/defence/trust/access-control.js

@@ -0,0 +1,64 @@
+/**
+ * Memory access control — enforces read/write/delete policies based on trust.
+ *
+ * Access rules:
+ *   Trust ≥ 0.7  → Read all, write direct, delete own
+ *   Trust 0.5–0.7 → Read own + non-restricted, write quarantine, delete own
+ *   Trust < 0.5  → Read own only, write quarantine, delete none
+ *
+ * RESTRICTED memories are always blocked below trust 0.7 (credential isolation).
+ */
+import { scoreSource } from './source-scorer.js';
+/**
+ * Check whether a source has access to a memory for a given operation.
+ */
+export function checkAccess(memory, source, operation) {
+    const trust = scoreSource(source).score;
+    const memorySource = memory.source || 'user:direct';
+    const callerKey = `${source.type}:${source.identifier}`;
+    const isOwner = memorySource === callerKey;
+    const isRestricted = memory.sensitivity_level === 'RESTRICTED';
+    if (operation === 'read') {
+        // RESTRICTED memories: credential isolation
+        if (isRestricted && trust < 0.7) {
+            return deny('Credential isolation: insufficient trust for RESTRICTED data');
+        }
+        // Owner always reads own
+        if (isOwner) {
+            return allow('Owner access');
+        }
+        // High trust: read all
+        if (trust >= 0.7) {
+            return allow('High-trust read access');
+        }
+        // Medium trust: read non-restricted
+        if (trust >= 0.5) {
+            return allow('Shared read access');
+        }
+        // Low trust: own only (already checked above)
+        return deny('Insufficient trust for shared memories (need ≥0.5)');
+    }
+    if (operation === 'write') {
+        if (trust >= 0.7) {
+            return allow('Direct write allowed (high trust)');
+        }
+        return quarantine(`Sub-agent write requires quarantine (trust=${trust.toFixed(3)})`);
+    }
+    if (operation === 'delete') {
+        if (isOwner && trust >= 0.5) {
+            return { canRead: true, canWrite: false, canDelete: true, writeRequiresQuarantine: false, reason: 'Owner deletion' };
+        }
+        return deny('Can only delete own memories (trust ≥0.5)');
+    }
+    return deny('Unknown operation');
+}
+function allow(reason) {
+    return { canRead: true, canWrite: true, canDelete: false, writeRequiresQuarantine: false, reason };
+}
+function deny(reason) {
+    return { canRead: false, canWrite: false, canDelete: false, writeRequiresQuarantine: false, reason };
+}
+function quarantine(reason) {
+    return { canRead: true, canWrite: false, canDelete: false, writeRequiresQuarantine: true, reason };
+}
+//# sourceMappingURL=access-control.js.map

package/dist/defence/trust/access-control.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../../src/defence/trust/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAiBjD;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,MAAyB,EACzB,MAAqB,EACrB,SAAsC;IAEtC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC;IACxC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,IAAI,aAAa,CAAC;IACpD,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;IACxD,MAAM,OAAO,GAAG,YAAY,KAAK,SAAS,CAAC;IAC3C,MAAM,YAAY,GAAG,MAAM,CAAC,iBAAiB,KAAK,YAAY,CAAC;IAE/D,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;QACzB,4CAA4C;QAC5C,IAAI,YAAY,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC,8DAA8D,CAAC,CAAC;QAC9E,CAAC;QAED,yBAAyB;QACzB,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,KAAK,CAAC,cAAc,CAAC,CAAC;QAC/B,CAAC;QAED,uBAAuB;QACvB,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;YACjB,OAAO,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACzC,CAAC;QAED,oCAAoC;QACpC,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;YACjB,OAAO,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACrC,CAAC;QAED,8CAA8C;QAC9C,OAAO,IAAI,CAAC,oDAAoD,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;YACjB,OAAO,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,UAAU,CAAC,8CAA8C,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,IAAI,OAAO,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;YAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;QACvH,CAAC;QACD,OAAO,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,IAAI,CAAC,mBAAmB,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,KAAK,CAAC,MAAc;IAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AACrG,CAAC;AAED,SAAS,IAAI,CAAC,MAAc;IAC1B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AACvG,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACrG,CAAC"}

package/dist/defence/trust/agent-scorer.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Agent trust scorer — hierarchical trust decay for sub-agents.
+ *
+ * Agents encode their lineage in the identifier using '>' separators:
+ *   "user-spawned"                    → base trust 0.9
+ *   "user-spawned>task-1"             → 0.9 × 0.7 = 0.63
+ *   "user-spawned>task-1>subtask-2"   → 0.9 × 0.7² = 0.44
+ *   "cron"                            → base trust 0.5
+ *   "agent-spawned"                   → base trust 0.3
+ */
+export interface AgentTrustConfig {
+    /** Base trust scores by spawn origin (first segment of identifier) */
+    originScores: Record<string, number>;
+    /** Multiplier applied per hierarchy depth level */
+    decayFactor: number;
+    /** Maximum allowed depth — agents beyond this get score 0 */
+    maxDepth: number;
+}
+export declare const DEFAULT_AGENT_CONFIG: AgentTrustConfig;
+/**
+ * Score an agent based on its hierarchy identifier.
+ * Returns a trust score between 0.0 and 1.0.
+ */
+export declare function scoreAgent(identifier: string, config?: AgentTrustConfig): number;
+/**
+ * Get the depth of an agent in its hierarchy (0 = parent).
+ */
+export declare function getAgentDepth(identifier: string): number;
+/**
+ * Build a human-readable hierarchy showing trust at each level.
+ */
+export declare function buildAgentHierarchy(identifier: string, config?: AgentTrustConfig): string[];
+//# sourceMappingURL=agent-scorer.d.ts.map

package/dist/defence/trust/agent-scorer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-scorer.d.ts","sourceRoot":"","sources":["../../../src/defence/trust/agent-scorer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,mDAAmD;IACnD,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,eAAO,MAAM,oBAAoB,EAAE,gBAUlC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,UAAU,CACxB,UAAU,EAAE,MAAM,EAClB,MAAM,GAAE,gBAAuC,GAC9C,MAAM,CAUR;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAExD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,EAClB,MAAM,GAAE,gBAAuC,GAC9C,MAAM,EAAE,CAWV"}

package/dist/defence/trust/agent-scorer.js

@@ -0,0 +1,55 @@
+/**
+ * Agent trust scorer — hierarchical trust decay for sub-agents.
+ *
+ * Agents encode their lineage in the identifier using '>' separators:
+ *   "user-spawned"                    → base trust 0.9
+ *   "user-spawned>task-1"             → 0.9 × 0.7 = 0.63
+ *   "user-spawned>task-1>subtask-2"   → 0.9 × 0.7² = 0.44
+ *   "cron"                            → base trust 0.5
+ *   "agent-spawned"                   → base trust 0.3
+ */
+export const DEFAULT_AGENT_CONFIG = {
+    originScores: {
+        'user-spawned': 0.9,
+        'user-approved': 0.85,
+        'cron': 0.5,
+        'agent-spawned': 0.3,
+        'web': 0.2,
+    },
+    decayFactor: 0.7,
+    maxDepth: 5,
+};
+/**
+ * Score an agent based on its hierarchy identifier.
+ * Returns a trust score between 0.0 and 1.0.
+ */
+export function scoreAgent(identifier, config = DEFAULT_AGENT_CONFIG) {
+    const parts = identifier.split('>');
+    const origin = parts[0];
+    const depth = parts.length - 1;
+    // Circuit breaker: block agents beyond max depth
+    if (depth > config.maxDepth)
+        return 0;
+    const baseScore = config.originScores[origin] ?? 0.3;
+    return Math.round(baseScore * Math.pow(config.decayFactor, depth) * 1000) / 1000;
+}
+/**
+ * Get the depth of an agent in its hierarchy (0 = parent).
+ */
+export function getAgentDepth(identifier) {
+    return identifier.split('>').length - 1;
+}
+/**
+ * Build a human-readable hierarchy showing trust at each level.
+ */
+export function buildAgentHierarchy(identifier, config = DEFAULT_AGENT_CONFIG) {
+    const parts = identifier.split('>');
+    const hierarchy = [];
+    for (let i = 0; i < parts.length; i++) {
+        const path = parts.slice(0, i + 1).join('>');
+        const score = scoreAgent(path, config);
+        hierarchy.push(`${'  '.repeat(i)}${parts[i]} (trust=${score.toFixed(3)})`);
+    }
+    return hierarchy;
+}
+//# sourceMappingURL=agent-scorer.js.map

package/dist/defence/trust/agent-scorer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-scorer.js","sourceRoot":"","sources":["../../../src/defence/trust/agent-scorer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAWH,MAAM,CAAC,MAAM,oBAAoB,GAAqB;IACpD,YAAY,EAAE;QACZ,cAAc,EAAE,GAAG;QACnB,eAAe,EAAE,IAAI;QACrB,MAAM,EAAE,GAAG;QACX,eAAe,EAAE,GAAG;QACpB,KAAK,EAAE,GAAG;KACX;IACD,WAAW,EAAE,GAAG;IAChB,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,UAAU,CACxB,UAAkB,EAClB,SAA2B,oBAAoB;IAE/C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAE/B,iDAAiD;IACjD,IAAI,KAAK,GAAG,MAAM,CAAC,QAAQ;QAAE,OAAO,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IACrD,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;AACnF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,UAAkB;IAC9C,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,UAAkB,EAClB,SAA2B,oBAAoB;IAE/C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACvC,SAAS,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/defence/trust/env-detector.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Environment-Based Source Inference
+ *
+ * Detects caller identity from process environment variables instead of
+ * relying on the MCP client to self-declare. The MCP server process inherits
+ * the parent's environment, which isn't forgeable via MCP tool parameters.
+ *
+ * This addresses Phase 1 limitation: "security is opt-in" — with env detection,
+ * Claude Code agents get correct trust automatically with zero configuration.
+ */
+import type { DefenceSource } from '../types.js';
+export interface EnvDetectionResult {
+    source: DefenceSource;
+    method: 'env:CLAUDE_CODE_ENTRYPOINT' | 'env:CLAUDE_AGENT_CONTEXT' | 'env:SHIELDCORTEX_AGENT_SOURCE' | 'default';
+    confidence: 'high' | 'medium' | 'low';
+}
+/**
+ * Infer caller source from process environment variables.
+ *
+ * Priority order:
+ * 1. SHIELDCORTEX_AGENT_SOURCE — explicit override (e.g. "agent:user-spawned>task-1")
+ * 2. CLAUDE_CODE_ENTRYPOINT=subagent — Claude Code sub-agent
+ * 3. CLAUDE_AGENT_CONTEXT — generic agent context marker
+ * 4. CLAUDE_CODE_ENTRYPOINT present (any value) — direct Claude Code CLI
+ * 5. No recognised env vars → unknown:default (trust 0.5, or 0.3 in strict mode)
+ */
+export declare function inferSourceFromEnvironment(): EnvDetectionResult;
+/**
+ * Resolve the effective source for an MCP tool call.
+ *
+ * If the caller explicitly passes a source, use it.
+ * Otherwise, infer from environment.
+ *
+ * @param declaredSource - Source passed by the MCP client (may be undefined)
+ * @param strictMode - If true, unknown sources get lower trust
+ * @returns The resolved source and whether it was inferred
+ */
+export declare function resolveSource(declaredSource?: DefenceSource, strictMode?: boolean): {
+    source: DefenceSource;
+    inferred: boolean;
+    detection?: EnvDetectionResult;
+};
+//# sourceMappingURL=env-detector.d.ts.map

package/dist/defence/trust/env-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-detector.d.ts","sourceRoot":"","sources":["../../../src/defence/trust/env-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,aAAa,CAAC;IACtB,MAAM,EAAE,4BAA4B,GAAG,0BAA0B,GAAG,+BAA+B,GAAG,SAAS,CAAC;IAChH,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACvC;AAED;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,IAAI,kBAAkB,CAoD/D;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAC3B,cAAc,CAAC,EAAE,aAAa,EAC9B,UAAU,GAAE,OAAe,GAC1B;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,kBAAkB,CAAA;CAAE,CAqB9E"}