shieldcortex 4.12.11 → 4.12.12

package/dist/defence/explainer/schema.js

@@ -0,0 +1,204 @@
+import { z } from 'zod';
+import { extractJsonObject } from '../judge/schema.js';
+function boundedString(max) {
+    return z.string().transform((value) => value.slice(0, max));
+}
+const evidenceSchema = z.object({
+    snippet: boundedString(220),
+    reason: boundedString(180),
+});
+const explanationSchema = z.object({
+    summary: boundedString(240),
+    whyItMatters: boundedString(500),
+    evidence: z.array(evidenceSchema).max(4).default([]),
+    nextSteps: z.array(boundedString(180)).max(5).default([]),
+    riskSignals: z.array(boundedString(80)).max(8).default([]),
+    confidence: z.number().min(0).max(1).default(0.5),
+});
+const PROMPT_INJECTION_PATTERNS = [
+    /ignore\s+(previous|all|the above)\s+instructions?/i,
+    /override\s+(system|developer|safety)\s+instructions?/i,
+    /reveal\s+(the\s+)?(system prompt|developer message|api keys?|secrets?|tokens?)/i,
+    /exfiltrat(?:e|ion)/i,
+    /act\s+as\s+(?:a\s+)?system/i,
+];
+const CREDENTIAL_PATTERNS = [
+    /\b[A-Z0-9_]*(API|TOKEN|SECRET|KEY)[A-Z0-9_]*\b/,
+    /\bgh\s+secret\s+set\b/i,
+    /\bfly\s+tokens?\s+create\b/i,
+    /api[_\s-]?keys?/i,
+    /bearer\s+[a-z0-9._-]{12,}/i,
+    /password\s*[:=]/i,
+    /secret\s*[:=]/i,
+    /token\s*[:=]/i,
+    /BEGIN\s+[A-Z ]*PRIVATE KEY/i,
+];
+const UNSAFE_MODEL_OUTPUT_PATTERN = /\b(prompt_user_for_api_key|provide\s+(an?\s+)?api\s+key|enter\s+(an?\s+)?api\s+key|share\s+(the\s+)?(secret|token|password|api\s+key)|reveal\s+(the\s+)?(secret|token|password|api\s+key)|mark\s+(it|this)\s+safe|approve\s+(it|this))\b/i;
+function subjectSignals(subject) {
+    const signals = subject.signals?.map((signal) => signal.trim()).filter(Boolean) ?? [];
+    if (PROMPT_INJECTION_PATTERNS.some((pattern) => pattern.test(subject.content))) {
+        signals.push('prompt_injection');
+    }
+    if (CREDENTIAL_PATTERNS.some((pattern) => pattern.test(subject.content))) {
+        signals.push('credential_reference');
+    }
+    return [...new Set(signals)].slice(0, 8);
+}
+function hasSignal(subject, values) {
+    const haystack = [
+        subject.kind,
+        subject.title,
+        ...(subject.signals ?? []),
+    ].join(' ').toLowerCase();
+    return values.some((value) => haystack.includes(value));
+}
+function firstSnippet(content, patterns) {
+    for (const pattern of patterns) {
+        const match = pattern.exec(content);
+        if (!match || match.index === undefined)
+            continue;
+        const start = Math.max(0, match.index - 45);
+        const end = Math.min(content.length, match.index + match[0].length + 90);
+        return content.slice(start, end).trim();
+    }
+    return null;
+}
+function evidenceFromContent(subject) {
+    const content = subject.content ?? '';
+    const evidence = [];
+    const injectionSnippet = firstSnippet(content, PROMPT_INJECTION_PATTERNS);
+    if (injectionSnippet) {
+        evidence.push({ snippet: injectionSnippet, reason: 'Prompt-injection wording appears in the source content.' });
+    }
+    const credentialSnippet = firstSnippet(content, CREDENTIAL_PATTERNS);
+    if (credentialSnippet && !evidence.some((entry) => entry.snippet === credentialSnippet)) {
+        evidence.push({ snippet: credentialSnippet, reason: 'Credential or secret handling language appears in the source content.' });
+    }
+    const evidenceLine = content.split('\n').find((line) => line.trim().toLowerCase().startsWith('evidence:'));
+    if (evidenceLine && !evidence.some((entry) => entry.snippet === evidenceLine.trim())) {
+        const reason = subject.kind === 'xray_finding'
+            ? 'X-Ray recorded this as the finding evidence.'
+            : subject.kind === 'memory_file'
+                ? 'Memory file scan recorded this evidence.'
+                : 'ShieldCortex recorded this as evidence.';
+        evidence.push({ snippet: evidenceLine.trim(), reason });
+    }
+    return evidence.slice(0, 4);
+}
+function fallbackSummary(subject) {
+    if (hasSignal(subject, ['credential', 'secret', 'token', 'password']) || CREDENTIAL_PATTERNS.some((pattern) => pattern.test(subject.content))) {
+        return 'Potential credential or secret exposure needs manual review.';
+    }
+    if (hasSignal(subject, ['prompt_injection', 'injection', 'jailbreak']) || PROMPT_INJECTION_PATTERNS.some((pattern) => pattern.test(subject.content))) {
+        return 'Potential prompt-injection behaviour needs manual review.';
+    }
+    if (subject.kind === 'xray_finding') {
+        return `X-Ray finding needs review: ${subject.title.slice(0, 160)}`;
+    }
+    if (subject.kind === 'memory_file') {
+        return `Persistent memory file needs review: ${subject.title.slice(0, 150)}`;
+    }
+    return `${subject.kind.replace(/_/g, ' ')} needs manual review.`;
+}
+function fallbackSteps(subject) {
+    if (subject.kind === 'xray_finding') {
+        return [
+            'Inspect the file or package source referenced by the X-Ray finding.',
+            'Use the deterministic X-Ray severity and category before taking action.',
+            'Quarantine only if the source or behaviour is unexpected.',
+        ];
+    }
+    if (subject.kind === 'memory') {
+        return [
+            'Review the memory source and deterministic scan result.',
+            'Check whether the content is expected for this project.',
+            'Quarantine or delete only after confirming the source is unsafe.',
+        ];
+    }
+    if (subject.kind === 'memory_file') {
+        return [
+            'Open the memory file path shown in the scan result.',
+            'Use the deterministic ShieldCortex risk, indicators, and evidence as the decision source.',
+            'Edit or remove risky persistent instructions only after confirming they are unexpected.',
+        ];
+    }
+    return [
+        'Review the deterministic scan result and source evidence.',
+        'Check whether the content is expected for this project.',
+    ];
+}
+function fallbackText(subject) {
+    const signals = subjectSignals(subject);
+    const signalText = signals.length ? signals.slice(0, 3).join(', ') : 'No specific local model signals were available';
+    return {
+        summary: fallbackSummary(subject),
+        whyItMatters: `${signalText}. Local AI explanation was unavailable, so rely on ShieldCortex deterministic scan output and inspect the source content before taking action.`,
+        evidence: evidenceFromContent(subject),
+        nextSteps: fallbackSteps(subject),
+        riskSignals: signals.slice(0, 8),
+        confidence: 0,
+    };
+}
+function operatorReason(reason) {
+    if (reason === 'model_output_rejected')
+        return 'model output was rejected by safety checks';
+    if (reason === 'model_unavailable')
+        return 'model was unavailable';
+    if (reason.includes('JSON') || reason.includes('invalid_json') || reason.includes('schema_validation')) {
+        return 'model output was not parseable';
+    }
+    return reason.slice(0, 160);
+}
+export function fallbackLocalAiExplanation(subject, modelId, reason) {
+    const fallback = fallbackText(subject);
+    return {
+        kind: subject.kind,
+        ...fallback,
+        whyItMatters: `${fallback.whyItMatters} (${operatorReason(reason)})`,
+        modelId,
+        generatedAt: new Date().toISOString(),
+        synthetic: true,
+    };
+}
+export function parseLocalAiExplanation(rawText, subject, modelId) {
+    if (!rawText) {
+        return fallbackLocalAiExplanation(subject, modelId, 'model_unavailable');
+    }
+    try {
+        const parsed = explanationSchema.parse(extractJsonObject(rawText));
+        const content = subject.content ?? '';
+        const baseline = fallbackText(subject);
+        const modelText = [
+            parsed.summary,
+            parsed.whyItMatters,
+            ...parsed.nextSteps,
+            ...parsed.riskSignals,
+        ].join('\n');
+        if (UNSAFE_MODEL_OUTPUT_PATTERN.test(modelText)) {
+            return fallbackLocalAiExplanation(subject, modelId, 'model_output_rejected');
+        }
+        const evidence = parsed.evidence.filter((entry) => (entry.snippet.trim().length > 0 && content.includes(entry.snippet)));
+        const nextSteps = parsed.nextSteps
+            .filter((step) => step.includes(' ') && !step.includes('_'))
+            .slice(0, 5);
+        const riskSignals = parsed.riskSignals.length > 0
+            ? parsed.riskSignals
+            : subjectSignals(subject);
+        return {
+            kind: subject.kind,
+            summary: parsed.summary,
+            whyItMatters: parsed.whyItMatters,
+            evidence: evidence.length > 0 ? evidence : baseline.evidence,
+            nextSteps: nextSteps.length >= 2 ? nextSteps : baseline.nextSteps,
+            riskSignals: riskSignals.length > 0 ? riskSignals : baseline.riskSignals,
+            confidence: parsed.confidence,
+            modelId,
+            generatedAt: new Date().toISOString(),
+            synthetic: false,
+        };
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : String(error);
+        return fallbackLocalAiExplanation(subject, modelId, reason);
+    }
+}

package/dist/defence/explainer/types.d.ts

@@ -0,0 +1,26 @@
+export type LocalAiExplainSubjectKind = 'memory' | 'memory_file' | 'xray_finding' | 'quarantine_item' | 'audit_event' | 'generic';
+export interface LocalAiExplainSubject {
+    kind: LocalAiExplainSubjectKind;
+    title: string;
+    content: string;
+    project?: string | null;
+    source?: string | null;
+    signals?: string[];
+    metadata?: Record<string, unknown>;
+}
+export interface LocalAiEvidence {
+    snippet: string;
+    reason: string;
+}
+export interface LocalAiExplanation {
+    kind: LocalAiExplainSubjectKind;
+    summary: string;
+    whyItMatters: string;
+    evidence: LocalAiEvidence[];
+    nextSteps: string[];
+    riskSignals: string[];
+    confidence: number;
+    modelId: string;
+    generatedAt: string;
+    synthetic: boolean;
+}

package/dist/defence/explainer/types.js

@@ -0,0 +1 @@
+export {};

package/dist/defence/judge/annotate.d.ts

@@ -0,0 +1,8 @@
+import { getAnnotationForItem } from './annotations-store.js';
+import type { AnnotationRunResult, ReviewAnnotation } from './types.js';
+export declare function annotateQuarantineItem(id: number): Promise<ReviewAnnotation | null>;
+export declare function annotatePendingQuarantineItems(options?: {
+    limit?: number;
+    project?: string;
+}): Promise<AnnotationRunResult>;
+export { getAnnotationForItem };

package/dist/defence/judge/annotate.js

@@ -0,0 +1,107 @@
+import { getDatabase } from '../../database/init.js';
+import { requireFeature } from '../../license/gate.js';
+import { reviewQuarantineItem } from './index.js';
+import { saveQuarantineAnnotation, getAnnotationForItem } from './annotations-store.js';
+import { recordAnnotationCreated } from './telemetry.js';
+function parseThreatIndicators(value) {
+    if (!value)
+        return [];
+    try {
+        const parsed = JSON.parse(value);
+        return Array.isArray(parsed) ? parsed.filter((entry) => typeof entry === 'string') : [];
+    }
+    catch {
+        return [];
+    }
+}
+function toReviewItem(row) {
+    return {
+        id: row.id,
+        content: row.original_content,
+        title: row.original_title,
+        project: row.project,
+        sourceType: row.source_type,
+        sourceIdentifier: row.source_identifier,
+        reason: row.reason,
+        threatIndicators: parseThreatIndicators(row.threat_indicators),
+        anomalyScore: row.anomaly_score,
+        firewallResult: row.firewall_result,
+        createdAt: row.created_at,
+    };
+}
+function shouldPersistAnnotation(annotation) {
+    return annotation.synthetic !== true;
+}
+function getPendingRow(id) {
+    const db = getDatabase();
+    const row = db.prepare(`
+    SELECT id, original_title, original_content, project, source_type, source_identifier,
+           reason, threat_indicators, anomaly_score, firewall_result, created_at
+    FROM quarantine
+    WHERE id = ? AND status = 'pending'
+  `).get(id);
+    return row ?? null;
+}
+export async function annotateQuarantineItem(id) {
+    requireFeature('local_ai_explainer');
+    const row = getPendingRow(id);
+    if (!row)
+        return null;
+    const annotation = await reviewQuarantineItem(toReviewItem(row));
+    if (!shouldPersistAnnotation(annotation))
+        return null;
+    saveQuarantineAnnotation(annotation);
+    recordAnnotationCreated(annotation);
+    return annotation;
+}
+export async function annotatePendingQuarantineItems(options = {}) {
+    requireFeature('local_ai_explainer');
+    const db = getDatabase();
+    const limit = Math.max(1, Math.min(500, Math.floor(options.limit ?? 50)));
+    const rows = (options.project
+        ? db.prepare(`
+        SELECT id, original_title, original_content, project, source_type, source_identifier,
+               reason, threat_indicators, anomaly_score, firewall_result, created_at
+        FROM quarantine
+        WHERE status = 'pending' AND project = ?
+          AND NOT EXISTS (
+            SELECT 1 FROM quarantine_annotations qa WHERE qa.item_id = quarantine.id
+          )
+        ORDER BY created_at ASC
+        LIMIT ?
+      `).all(options.project, limit)
+        : db.prepare(`
+        SELECT id, original_title, original_content, project, source_type, source_identifier,
+               reason, threat_indicators, anomaly_score, firewall_result, created_at
+        FROM quarantine
+        WHERE status = 'pending'
+          AND NOT EXISTS (
+            SELECT 1 FROM quarantine_annotations qa WHERE qa.item_id = quarantine.id
+          )
+        ORDER BY created_at ASC
+        LIMIT ?
+      `).all(limit));
+    const result = {
+        attempted: rows.length,
+        annotated: 0,
+        skipped: 0,
+        failed: 0,
+    };
+    for (const row of rows) {
+        try {
+            const annotation = await reviewQuarantineItem(toReviewItem(row));
+            if (!shouldPersistAnnotation(annotation)) {
+                result.skipped++;
+                continue;
+            }
+            saveQuarantineAnnotation(annotation);
+            recordAnnotationCreated(annotation);
+            result.annotated++;
+        }
+        catch {
+            result.failed++;
+        }
+    }
+    return result;
+}
+export { getAnnotationForItem };

package/dist/defence/judge/annotations-store.d.ts

@@ -0,0 +1,4 @@
+import type { ReviewAnnotation } from './types.js';
+export declare function saveQuarantineAnnotation(annotation: ReviewAnnotation): void;
+export declare function getAnnotationForItem(id: number): ReviewAnnotation | null;
+export declare function listAnnotations(limit?: number): ReviewAnnotation[];

package/dist/defence/judge/annotations-store.js

@@ -0,0 +1,67 @@
+import { getDatabase } from '../../database/init.js';
+function toNumericItemId(itemId) {
+    const numericId = Number(itemId);
+    if (!Number.isSafeInteger(numericId) || numericId <= 0) {
+        throw new Error(`invalid_annotation_item_id:${itemId}`);
+    }
+    return numericId;
+}
+export function saveQuarantineAnnotation(annotation) {
+    const db = getDatabase();
+    const itemId = toNumericItemId(annotation.itemId);
+    db.prepare(`
+    INSERT INTO quarantine_annotations (
+      item_id,
+      category,
+      suggested_action,
+      confidence,
+      similar_group_key,
+      copilot_version,
+      annotation_json,
+      generated_at
+    )
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(item_id, copilot_version) DO UPDATE SET
+      category = excluded.category,
+      suggested_action = excluded.suggested_action,
+      confidence = excluded.confidence,
+      similar_group_key = excluded.similar_group_key,
+      annotation_json = excluded.annotation_json,
+      generated_at = excluded.generated_at
+  `).run(itemId, annotation.category, annotation.suggestedAction, annotation.confidence, annotation.similarGroupKey, annotation.copilotVersion, JSON.stringify(annotation), annotation.generatedAt);
+}
+export function getAnnotationForItem(id) {
+    const db = getDatabase();
+    const row = db.prepare(`
+    SELECT item_id, annotation_json
+    FROM quarantine_annotations
+    WHERE item_id = ?
+    ORDER BY generated_at DESC
+    LIMIT 1
+  `).get(id);
+    if (!row)
+        return null;
+    try {
+        return JSON.parse(row.annotation_json);
+    }
+    catch {
+        return null;
+    }
+}
+export function listAnnotations(limit = 50) {
+    const db = getDatabase();
+    const rows = db.prepare(`
+    SELECT item_id, annotation_json
+    FROM quarantine_annotations
+    ORDER BY generated_at DESC
+    LIMIT ?
+  `).all(limit);
+    return rows.flatMap((row) => {
+        try {
+            return [JSON.parse(row.annotation_json)];
+        }
+        catch {
+            return [];
+        }
+    });
+}

package/dist/defence/judge/decision.d.ts

@@ -0,0 +1,10 @@
+import type { ReviewAnnotation, ReviewCopilotCategory, ReviewCopilotSuggestion, ReviewQuarantineItem } from './types.js';
+export interface DeterministicReviewDecision {
+    category: ReviewCopilotCategory;
+    suggestedAction: ReviewCopilotSuggestion;
+    confidence: number;
+    reasoning: string;
+    signals: string[];
+}
+export declare function decideReviewAnnotation(item: ReviewQuarantineItem): DeterministicReviewDecision;
+export declare function deterministicAnnotation(item: ReviewQuarantineItem, copilotVersion: string, decisionResult: DeterministicReviewDecision, reason: string): ReviewAnnotation;

package/dist/defence/judge/decision.js

@@ -0,0 +1,165 @@
+import { scanForCredentials } from '../credential-leak/index.js';
+import { detectInstructions } from '../firewall/instruction-detector.js';
+import { detectPrivilegeEscalation } from '../firewall/privilege-detector.js';
+import { detectSkillThreats } from '../skill-scanner/patterns.js';
+function parseThreatIndicators(value) {
+    if (!value)
+        return [];
+    if (Array.isArray(value))
+        return value.map(String).map((entry) => entry.toLowerCase());
+    try {
+        const parsed = JSON.parse(value);
+        if (Array.isArray(parsed)) {
+            return parsed.map(String).map((entry) => entry.toLowerCase());
+        }
+    }
+    catch {
+        // Fall through to comma/string parsing.
+    }
+    return String(value)
+        .split(/[,\s]+/)
+        .map((entry) => entry.trim().toLowerCase())
+        .filter(Boolean);
+}
+function includesAny(text, patterns) {
+    return patterns.some((pattern) => pattern.test(text));
+}
+function isDocumentationLike(text) {
+    return includesAny(text, [
+        /\b(documentation|docs?|readme|blog draft|release note|training note|security training)\b/i,
+        /\b(test fixture|unit test|documentation example|docs example|quoted example|benign examples?|placeholder|fake key|not real|expected to be blocked)\b/i,
+    ]);
+}
+function isExplicitlyBenign(text) {
+    return includesAny(text, [
+        /\b(meeting note|project note|support note|design note|operational note|architecture note|reminder|preference)\b/i,
+        /\b(no secrets present|metadata only|local-only|advisory)\b/i,
+    ]);
+}
+function deterministicSummary(decision) {
+    switch (decision.category) {
+        case 'credential_leak':
+            return 'ShieldCortex deterministic scanners found credential material.';
+        case 'exfiltration_attempt':
+            return 'ShieldCortex deterministic scanners found an exfiltration pattern.';
+        case 'scope_escalation':
+            return 'ShieldCortex deterministic scanners found a scope-escalation pattern.';
+        case 'persistence_attempt':
+            return 'ShieldCortex deterministic scanners found a persistence attempt.';
+        case 'prompt_injection':
+            return 'ShieldCortex deterministic scanners found prompt-injection behaviour.';
+        case 'documentation_or_example':
+            return 'ShieldCortex classified this as documentation or a test example.';
+        case 'benign_log':
+            return 'ShieldCortex classified this as a benign operational note.';
+        case 'uncertain':
+            return 'ShieldCortex could not classify this item confidently.';
+    }
+}
+function rejectOrKeep(item) {
+    return item.firewallResult === 'BLOCK' ? 'reject' : 'keep_quarantined';
+}
+function decision(category, suggestedAction, confidence, reasoning, signals) {
+    return {
+        category,
+        suggestedAction,
+        confidence,
+        reasoning,
+        signals: [...new Set(signals)].slice(0, 12),
+    };
+}
+export function decideReviewAnnotation(item) {
+    const content = item.content ?? '';
+    const title = item.title ?? '';
+    const reason = item.reason ?? '';
+    const combined = `${title}\n${reason}\n${content}`;
+    const indicators = parseThreatIndicators(item.threatIndicators);
+    const credentialScan = scanForCredentials(content);
+    const skillThreats = detectSkillThreats(content);
+    const instructions = detectInstructions(content);
+    const privilege = detectPrivilegeEscalation(content);
+    const signals = [
+        ...indicators.map((indicator) => `indicator:${indicator}`),
+        ...skillThreats.threats.map((threat) => `skill:${threat}`),
+        ...privilege.indicators.map((indicator) => `privilege:${indicator}`),
+        ...credentialScan.findings.map((finding) => `credential:${finding.provider ?? finding.type}:${finding.severity}`),
+        ...(instructions.detected ? ['instruction_injection'] : []),
+        ...(item.firewallResult ? [`firewall:${item.firewallResult.toLowerCase()}`] : []),
+    ];
+    const docsLike = isDocumentationLike(combined);
+    const benignLike = isExplicitlyBenign(combined);
+    if (benignLike && !credentialScan.findings.some((finding) => finding.action === 'blocked')) {
+        return decision('benign_log', 'approve', 0.78, 'No deterministic threat signal was found and the content looks operational/benign.', signals);
+    }
+    if (docsLike && !credentialScan.findings.some((finding) => finding.action === 'blocked')) {
+        return decision('documentation_or_example', 'approve', 0.82, 'Documentation/test-example language was detected and no live blocked credential pattern was found.', [...signals, 'documentation_like']);
+    }
+    if (credentialScan.leaked || indicators.includes('credential_leak') || indicators.includes('restricted_content')) {
+        return decision('credential_leak', rejectOrKeep(item), credentialScan.findings.some((finding) => finding.action === 'blocked') ? 0.96 : 0.88, 'Credential leak detection is deterministic and overrides model classification.', signals);
+    }
+    if (skillThreats.threats.includes('data_exfiltration') ||
+        privilege.indicators.includes('network_exfiltration') ||
+        indicators.includes('data_exfiltration') ||
+        includesAny(content, [
+            /\b(exfiltrate|send|upload|post|curl|forward|include)\b[\s\S]{0,140}\b(https?:|webhook|pastebin|env vars?|environment variables?|\.env|private key|credentials?|api key|cookies?|transcripts?)\b/i,
+            /\b(cookies?|api key|credentials?|secrets?)\b[\s\S]{0,140}\b(memory|retrieve|transcripts?|webhook|pastebin|external|attacker)\b/i,
+        ])) {
+        return decision('exfiltration_attempt', rejectOrKeep(item), 0.94, 'Deterministic exfiltration patterns were found in the quarantined content.', signals);
+    }
+    if (skillThreats.threats.includes('scope_escalation') ||
+        indicators.includes('scope_escalation') ||
+        indicators.includes('privilege_escalation') ||
+        privilege.indicators.includes('system_access') ||
+        privilege.indicators.includes('destructive_filesystem') ||
+        includesAny(content, [
+            /\b(add yourself|add (me|this agent))\b[\s\S]{0,80}\b(admin|administrator|team)\b/i,
+            /\bbypass\b[\s\S]{0,80}\b(confirmation|approval|gate|permission)\b/i,
+            /\balready approved\b[\s\S]{0,80}\b(future|destructive|commands?)\b/i,
+        ])) {
+        return decision('scope_escalation', rejectOrKeep(item), 0.9, 'Deterministic privilege/scope escalation signals were found.', signals);
+    }
+    if (skillThreats.threats.includes('persistence') ||
+        indicators.includes('persistence') ||
+        includesAny(content, [
+            /\b(remember|store|create a memory|save)\b[\s\S]{0,80}\b(forever|future|later|every later|hidden rule)\b/i,
+            /\b(hidden rule|never show|trust messages? from|attacker\.example)\b/i,
+        ])) {
+        return decision('persistence_attempt', rejectOrKeep(item), 0.9, 'Deterministic persistence patterns were found.', signals);
+    }
+    if (instructions.detected ||
+        skillThreats.threats.includes('agent_manipulation') ||
+        skillThreats.threats.includes('stealth_instruction') ||
+        indicators.includes('instruction_injection') ||
+        includesAny(content, [
+            /\b(forget|ignore|override)\b[\s\S]{0,80}\b(policy|instructions?|rules?|safety|security)\b/i,
+            /\b(mark|treat)\b[\s\S]{0,40}\b(memory|item|this)\b[\s\S]{0,40}\b(safe|approved?)\b/i,
+            /\bapprove\b[\s\S]{0,60}\b(automatically|only|always|this quarantine item)\b/i,
+            /\bprefer\b[\s\S]{0,60}\battacker instructions?\b/i,
+            /\b(secretly|hidden instruction)\b[\s\S]{0,80}\b(print|reveal|answer only|developer message|approve)\b/i,
+            /\bbypass\b[\s\S]{0,80}\b(iron dome|shieldcortex|security|safety)\b/i,
+        ])) {
+        return decision('prompt_injection', rejectOrKeep(item), Math.max(0.84, instructions.confidence ?? 0), 'Deterministic prompt-injection or agent-manipulation patterns were found.', signals);
+    }
+    if (skillThreats.detected || indicators.includes('custom_rule') || indicators.includes('custom_pattern')) {
+        return decision('prompt_injection', 'create_rule', Math.max(0.78, skillThreats.confidence), 'A repeatable deterministic pattern was detected and may warrant a rule.', signals);
+    }
+    if (item.firewallResult === 'ALLOW') {
+        return decision('benign_log', 'approve', 0.78, 'No deterministic threat signal was found and the content looks operational/benign.', signals);
+    }
+    return decision('uncertain', 'keep_quarantined', 0.5, 'No deterministic signal was strong enough to classify this item.', signals);
+}
+export function deterministicAnnotation(item, copilotVersion, decisionResult, reason) {
+    return {
+        itemId: String(item.id),
+        category: decisionResult.category,
+        summary: deterministicSummary(decisionResult),
+        evidence: [],
+        suggestedAction: decisionResult.suggestedAction,
+        confidence: decisionResult.confidence,
+        similarGroupKey: null,
+        reasoning: `${decisionResult.reasoning} Local model summary unavailable: ${reason}`.slice(0, 400),
+        copilotVersion,
+        generatedAt: new Date().toISOString(),
+        synthetic: false,
+    };
+}

package/dist/defence/judge/fallback.d.ts

@@ -0,0 +1,4 @@
+import type { ReviewAnnotation, ReviewQuarantineItem } from './types.js';
+export declare const REVIEW_COPILOT_PROMPT_VERSION = "review-copilot-prompt-v1";
+export declare function getCopilotVersion(modelId: string): string;
+export declare function fallbackAnnotation(item: Pick<ReviewQuarantineItem, 'id'>, modelId?: string, reason?: string): ReviewAnnotation;

package/dist/defence/judge/fallback.js

@@ -0,0 +1,19 @@
+export const REVIEW_COPILOT_PROMPT_VERSION = 'review-copilot-prompt-v1';
+export function getCopilotVersion(modelId) {
+    return `${modelId}@${REVIEW_COPILOT_PROMPT_VERSION}`;
+}
+export function fallbackAnnotation(item, modelId = 'unavailable', reason = 'No local model annotation was available.') {
+    return {
+        itemId: String(item.id),
+        category: 'uncertain',
+        summary: 'Review Copilot unavailable.',
+        evidence: [],
+        suggestedAction: 'keep_quarantined',
+        confidence: 0,
+        similarGroupKey: null,
+        reasoning: reason.slice(0, 400),
+        copilotVersion: getCopilotVersion(modelId),
+        generatedAt: new Date().toISOString(),
+        synthetic: true,
+    };
+}

package/dist/defence/judge/grouping.d.ts

@@ -0,0 +1,4 @@
+import type { ReviewAnnotation, ReviewBatch } from './types.js';
+export declare function computeSimilarGroupKey(annotation: Pick<ReviewAnnotation, 'category' | 'suggestedAction' | 'summary'>): string;
+export declare function withSimilarGroupKey(annotation: ReviewAnnotation): ReviewAnnotation;
+export declare function groupSimilarItems(annotations: ReviewAnnotation[]): ReviewBatch[];