shieldcortex 4.27.1 → 4.27.3

package/dist/api/sql-classifier.js

@@ -0,0 +1,277 @@
+const READ_KEYWORDS = new Set(['SELECT', 'PRAGMA', 'EXPLAIN', 'VALUES']);
+const WRITE_KEYWORDS = new Set(['INSERT', 'UPDATE', 'DELETE', 'REPLACE', 'ALTER', 'CREATE']);
+const DESTROY_KEYWORDS = new Set(['DROP', 'TRUNCATE']);
+/**
+ * Strip SQL comments (line + block) and leading whitespace from the start of
+ * a query string. Returns the cleaned query with all leading noise removed.
+ *
+ * Note: this only strips LEADING comments/whitespace — we don't try to scrub
+ * comments inside string literals or anywhere else, because we only care
+ * about identifying the first real token.
+ */
+function stripLeadingNoise(query) {
+    let i = 0;
+    const n = query.length;
+    while (i < n) {
+        const ch = query[i];
+        // whitespace
+        if (ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r' || ch === '\f' || ch === '\v') {
+            i++;
+            continue;
+        }
+        // line comment: -- ... \n
+        if (ch === '-' && query[i + 1] === '-') {
+            i += 2;
+            while (i < n && query[i] !== '\n')
+                i++;
+            continue;
+        }
+        // block comment: /* ... */
+        if (ch === '/' && query[i + 1] === '*') {
+            i += 2;
+            while (i < n && !(query[i] === '*' && query[i + 1] === '/'))
+                i++;
+            if (i < n)
+                i += 2; // skip closing */
+            continue;
+        }
+        break;
+    }
+    return query.slice(i);
+}
+/**
+ * Skip past a balanced-parenthesis block starting at `start` (which should
+ * point AT the opening '('). Returns the index just past the matching ')',
+ * or -1 if no matching paren is found.
+ *
+ * Aware of single-quoted string literals (SQL standard '' escape) and
+ * double-quoted identifiers (SQLite). Bracket [] and backtick `` quoting
+ * are also handled because SQLite accepts them.
+ */
+function skipParenBlock(query, start) {
+    if (query[start] !== '(')
+        return -1;
+    let depth = 0;
+    let i = start;
+    const n = query.length;
+    while (i < n) {
+        const ch = query[i];
+        if (ch === '(') {
+            depth++;
+            i++;
+            continue;
+        }
+        if (ch === ')') {
+            depth--;
+            i++;
+            if (depth === 0)
+                return i;
+            continue;
+        }
+        if (ch === "'") {
+            // skip single-quoted string with SQL '' escape
+            i++;
+            while (i < n) {
+                if (query[i] === "'") {
+                    if (query[i + 1] === "'") {
+                        i += 2;
+                        continue;
+                    }
+                    i++;
+                    break;
+                }
+                i++;
+            }
+            continue;
+        }
+        if (ch === '"') {
+            i++;
+            while (i < n && query[i] !== '"')
+                i++;
+            if (i < n)
+                i++;
+            continue;
+        }
+        if (ch === '`') {
+            i++;
+            while (i < n && query[i] !== '`')
+                i++;
+            if (i < n)
+                i++;
+            continue;
+        }
+        if (ch === '[') {
+            i++;
+            while (i < n && query[i] !== ']')
+                i++;
+            if (i < n)
+                i++;
+            continue;
+        }
+        // inline comments inside the CTE body
+        if (ch === '-' && query[i + 1] === '-') {
+            i += 2;
+            while (i < n && query[i] !== '\n')
+                i++;
+            continue;
+        }
+        if (ch === '/' && query[i + 1] === '*') {
+            i += 2;
+            while (i < n && !(query[i] === '*' && query[i + 1] === '/'))
+                i++;
+            if (i < n)
+                i += 2;
+            continue;
+        }
+        i++;
+    }
+    return -1;
+}
+/**
+ * Read the next uppercase keyword token at `i`, skipping leading
+ * whitespace/comments first. Returns the keyword and the index just past it,
+ * or null if no identifier token is present.
+ */
+function readNextKeyword(query, i) {
+    const trimmed = stripLeadingNoise(query.slice(i));
+    if (!trimmed)
+        return null;
+    const offset = query.length - trimmed.length;
+    const match = /^([A-Za-z_][A-Za-z0-9_]*)/.exec(trimmed);
+    if (!match)
+        return null;
+    return {
+        keyword: match[1].toUpperCase(),
+        nextIndex: offset + match[1].length,
+    };
+}
+/**
+ * Walk past a CTE list (`WITH [RECURSIVE] name [(...)] AS (...) [, ...]`)
+ * and return the index at the first real statement keyword.
+ * Returns -1 if the structure doesn't look like a valid CTE list.
+ */
+function skipCteList(query, afterWithIndex) {
+    let i = afterWithIndex;
+    const n = query.length;
+    // optional RECURSIVE
+    const first = readNextKeyword(query, i);
+    if (!first)
+        return -1;
+    if (first.keyword === 'RECURSIVE') {
+        i = first.nextIndex;
+    }
+    // parse one or more "<name> [(...)] AS (...)" groups, comma separated
+    while (i < n) {
+        // CTE name (identifier)
+        const nameStripped = stripLeadingNoise(query.slice(i));
+        if (!nameStripped)
+            return -1;
+        i = n - nameStripped.length;
+        // name can be bracketed/quoted; for our purposes we just need to consume it
+        const ch = query[i];
+        if (ch === '"' || ch === '`' || ch === '[') {
+            const close = ch === '[' ? ']' : ch;
+            i++;
+            while (i < n && query[i] !== close)
+                i++;
+            if (i < n)
+                i++;
+        }
+        else {
+            const m = /^[A-Za-z_][A-Za-z0-9_]*/.exec(query.slice(i));
+            if (!m)
+                return -1;
+            i += m[0].length;
+        }
+        // optional column list (col1, col2, ...)
+        const afterName = stripLeadingNoise(query.slice(i));
+        i = n - afterName.length;
+        if (query[i] === '(') {
+            const end = skipParenBlock(query, i);
+            if (end < 0)
+                return -1;
+            i = end;
+        }
+        // mandatory AS
+        const asKeyword = readNextKeyword(query, i);
+        if (!asKeyword || asKeyword.keyword !== 'AS')
+            return -1;
+        i = asKeyword.nextIndex;
+        // optional MATERIALIZED / NOT MATERIALIZED
+        const maybeMat = readNextKeyword(query, i);
+        if (maybeMat && maybeMat.keyword === 'NOT') {
+            const next = readNextKeyword(query, maybeMat.nextIndex);
+            if (next && next.keyword === 'MATERIALIZED') {
+                i = next.nextIndex;
+            }
+        }
+        else if (maybeMat && maybeMat.keyword === 'MATERIALIZED') {
+            i = maybeMat.nextIndex;
+        }
+        // mandatory ( CTE body )
+        const stripped = stripLeadingNoise(query.slice(i));
+        i = n - stripped.length;
+        if (query[i] !== '(')
+            return -1;
+        const bodyEnd = skipParenBlock(query, i);
+        if (bodyEnd < 0)
+            return -1;
+        i = bodyEnd;
+        // comma → another CTE, else we're done
+        const after = stripLeadingNoise(query.slice(i));
+        i = n - after.length;
+        if (query[i] === ',') {
+            i++;
+            continue;
+        }
+        break;
+    }
+    return i;
+}
+/**
+ * Classify a query as read / write / destroy / reject.
+ *
+ * Fail-closed: any structure we can't confidently classify becomes `reject`.
+ */
+export function classifySqlQuery(rawQuery) {
+    if (typeof rawQuery !== 'string' || rawQuery.trim().length === 0) {
+        return { kind: 'reject', reason: 'Empty query' };
+    }
+    const stripped = stripLeadingNoise(rawQuery);
+    if (!stripped) {
+        return { kind: 'reject', reason: 'Empty query after stripping comments' };
+    }
+    const first = readNextKeyword(rawQuery, rawQuery.length - stripped.length);
+    if (!first) {
+        return { kind: 'reject', reason: 'Could not identify leading keyword' };
+    }
+    let leadIndex = first.nextIndex;
+    let leadKeyword = first.keyword;
+    // Peek past CTE prefix (the security-critical bit)
+    if (leadKeyword === 'WITH') {
+        const afterCte = skipCteList(rawQuery, first.nextIndex);
+        if (afterCte < 0) {
+            return { kind: 'reject', reason: 'Malformed CTE prefix' };
+        }
+        const realFirst = readNextKeyword(rawQuery, afterCte);
+        if (!realFirst) {
+            return { kind: 'reject', reason: 'No statement after CTE prefix' };
+        }
+        leadKeyword = realFirst.keyword;
+        leadIndex = realFirst.nextIndex;
+    }
+    // Also reject any DROP/TRUNCATE anywhere in the query as defense-in-depth.
+    // (visualization-server's outer check already does this, but classify it
+    // here too so the function is correct on its own.)
+    if (DESTROY_KEYWORDS.has(leadKeyword)) {
+        return { kind: 'destroy', operation: leadKeyword };
+    }
+    if (WRITE_KEYWORDS.has(leadKeyword)) {
+        return { kind: 'write', operation: leadKeyword };
+    }
+    if (READ_KEYWORDS.has(leadKeyword)) {
+        return { kind: 'read' };
+    }
+    void leadIndex; // not needed by callers, but useful while debugging
+    return { kind: 'reject', reason: `Unrecognised leading keyword: ${leadKeyword}` };
+}

package/dist/api/visualization-server.js

@@ -40,6 +40,7 @@ import { registerDigestRoutes } from './routes/digest.js';
 import { registerSessionRoutes } from './routes/sessions.js';
 import { createIronDomeRouteGuard } from './iron-dome-route-guard.js';
 import { readAndClearDetectionEvents } from '../xray/activity.js';
+import { classifySqlQuery } from './sql-classifier.js';
 const PORT = process.env.PORT || 3001;
 /**
  * In-memory counters for FEATURE_GATED (403) responses per feature.
@@ -157,15 +158,19 @@ export function startVisualizationServer(dbPath) {
         });
     }
     function classifySqlAction(req) {
-        const query = typeof req.body?.query === 'string' ? req.body.query.trim().toUpperCase() : '';
-        if (!query)
+        const query = typeof req.body?.query === 'string' ? req.body.query : '';
+        if (!query.trim())
             return 'database_migrate';
-        if (query.startsWith('SELECT') || query.startsWith('PRAGMA'))
+        // PURGE is application-level (not a real SQL keyword) — keep the regex check.
+        if (/\bPURGE\b/i.test(query))
+            return 'destroy';
+        const classification = classifySqlQuery(query);
+        if (classification.kind === 'read')
             return 'run_report';
-        if (/\bDELETE\b/.test(query))
-            return 'delete';
-        if (/\bDROP\b|\bTRUNCATE\b|\bPURGE\b/.test(query))
+        if (classification.kind === 'destroy')
             return 'destroy';
+        if (classification.kind === 'write' && classification.operation === 'DELETE')
+            return 'delete';
         return 'database_migrate';
     }
     // ============================================
@@ -213,29 +218,30 @@ export function startVisualizationServer(dbPath) {
             if (!query || typeof query !== 'string') {
                 return res.status(400).json({ error: 'Query string required' });
             }
-            const upperQuery = query.toUpperCase().trim();
-            // Always block DROP and TRUNCATE
-            if (/\bDROP\b/.test(upperQuery) || /\bTRUNCATE\b/.test(upperQuery)) {
+            // Classify the query — robust against CTE prefixes that would bypass
+            // a naive `startsWith('INSERT'|'UPDATE'|...)` check, e.g.
+            //   WITH t AS (SELECT 1) INSERT INTO memories VALUES (...)
+            const classification = classifySqlQuery(query);
+            // Always block DROP and TRUNCATE (and reject anything we can't classify)
+            if (classification.kind === 'destroy') {
                 return res.status(403).json({
                     error: 'DROP and TRUNCATE operations are blocked for safety',
                 });
             }
+            if (classification.kind === 'reject') {
+                return res.status(400).json({
+                    error: `Query rejected: ${classification.reason}`,
+                });
+            }
             // Block writes unless explicitly allowed
-            const isWriteOperation = upperQuery.startsWith('INSERT') ||
-                upperQuery.startsWith('UPDATE') ||
-                upperQuery.startsWith('DELETE') ||
-                upperQuery.startsWith('ALTER') ||
-                upperQuery.startsWith('CREATE');
-            if (isWriteOperation && !allowWrite) {
+            if (classification.kind === 'write' && !allowWrite) {
                 return res.status(403).json({
                     error: 'Write operations are disabled. Enable allowWrite to execute.',
                 });
             }
             const db = getDatabase();
             const startTime = Date.now();
-            // Execute query
-            const isSelect = upperQuery.startsWith('SELECT') || upperQuery.startsWith('PRAGMA');
-            if (isSelect) {
+            if (classification.kind === 'read') {
                 const rows = db.prepare(query).all();
                 const executionTime = Date.now() - startTime;
                 // Get column names from first row or empty
@@ -248,7 +254,7 @@ export function startVisualizationServer(dbPath) {
                 });
             }
             else {
-                // Write operation
+                // Write operation (allowWrite === true at this point)
                 const result = db.prepare(query).run();
                 const executionTime = Date.now() - startTime;
                 res.json({

package/dist/cloud/cli.js

@@ -1,4 +1,4 @@
-import { getCloudConfig, setCloudConfig, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
+import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
 const VALID_RANKER_ENGINES = ['rrf', 'legacy'];
 import { syncAllGraphToCloud } from './graph-sync.js';
 import { syncAllMemoriesToCloud } from './memory-sync.js';
@@ -16,12 +16,14 @@ export function handleCloudConfig(args) {
         const reviewCopilot = getReviewCopilotConfig();
         const openclawAutoMemory = getOpenClawAutoMemory();
         const ranker = getRankerConfig();
+        const syncControls = getCloudSyncControls();
         const rankerOverridden = !!process.env.SHIELDCORTEX_RANKER;
         console.log('\nShieldCortex Configuration:');
         console.log(`  Defence Mode: ${mode}`);
         console.log(`  Cloud Enabled:  ${config.cloudEnabled ? 'Yes' : 'No'}`);
         console.log(`  API Key:  ${config.cloudApiKey ? config.cloudApiKey.substring(0, 12) + '...' : 'Not set'}`);
         console.log(`  Base URL: ${config.cloudBaseUrl}`);
+        console.log(`  Sensitive Memories: ${syncControls.excludeSensitive ? 'Excluded from sync (safe default)' : 'Included in sync'}`);
         console.log(`  LLM Verify:   ${verify.verifyEnabled ? 'Enabled' : 'Disabled'} (${verify.verifyMode}, ${verify.verifyTimeoutMs}ms timeout)`);
         console.log(`  Verify Triggers: ${verify.verifyTriggers.join(', ')}`);
         console.log(`  Local AI Explainer: ${reviewCopilot.enabled ? 'Enabled' : 'Disabled'} (${reviewCopilot.modelId})`);
@@ -65,6 +67,21 @@ export function handleCloudConfig(args) {
         console.log('Cloud sync disabled.');
         changed = true;
     }
+    // ── Sensitive-content opt-in/opt-out ──
+    // Default since v4.27: CONFIDENTIAL+ memories are NOT shipped to the cloud.
+    // Users who genuinely want to mirror sensitive content (e.g. self-hosted
+    // backend on their own network) can opt back in here.
+    if (args.includes('--cloud-include-sensitive')) {
+        setCloudSyncControls({ excludeSensitive: false });
+        console.log('Cloud sync will now include CONFIDENTIAL+ memories.');
+        console.log('Note: content is sent to your configured cloudBaseUrl in full.');
+        changed = true;
+    }
+    if (args.includes('--cloud-exclude-sensitive')) {
+        setCloudSyncControls({ excludeSensitive: true });
+        console.log('Cloud sync will skip CONFIDENTIAL+ memories (default).');
+        changed = true;
+    }
     // ── Verify flags ──
     if (args.includes('--verify-enable')) {
         const config = getCloudConfig();
@@ -190,6 +207,8 @@ export function handleCloudConfig(args) {
         console.log('  --cloud-url <url>      Set cloud base URL');
         console.log('  --cloud-enable         Enable cloud sync');
         console.log('  --cloud-disable        Disable cloud sync');
+        console.log('  --cloud-include-sensitive  Sync CONFIDENTIAL+ memories (off by default since v4.27)');
+        console.log('  --cloud-exclude-sensitive  Stop syncing CONFIDENTIAL+ memories (default)');
         console.log('  --cloud-status         Show current configuration');
         console.log('  --openclaw-auto-memory <true|false>  Extract memories from OpenClaw LLM output (default: off)');
         console.log('  --proactive-recall <true|false>  Inject SC memory into prompts (default: off — adds latency)');

package/dist/cloud/config.js

@@ -18,11 +18,18 @@ function getIntegrityKeyFile() {
     return join(getConfigDir(), '.integrity-key');
 }
 const DEFAULT_BASE_URL = 'https://api.shieldcortex.ai';
+// Safety-first defaults: CONFIDENTIAL+ memories are NOT shipped to the cloud
+// unless the user explicitly opts in via `--cloud-include-sensitive` or the
+// dashboard. Prior to the v4.27 flip, `excludeSensitive` defaulted to false,
+// which meant enabling cloud sync silently shipped credential-bearing /
+// classified content without per-record consent. `contentMode` stays 'full'
+// so the opt-in sync stream remains useful for PUBLIC/INTERNAL records that
+// the user did consent to share.
 const DEFAULT_SYNC_CONTROLS = {
     projectMode: 'all',
     projects: [],
     contentMode: 'full',
-    excludeSensitive: false,
+    excludeSensitive: true,
 };
 const DEFAULT_REVIEW_COPILOT_CONFIG = {
     enabled: false,
@@ -164,6 +171,19 @@ function normalizeProjectList(value) {
 }
 export function getCloudSyncControls() {
     const raw = readRawConfig();
+    // One-shot v4.27 migration: pre-upgrade configs with cloud sync enabled
+    // were silently shipping CONFIDENTIAL+ content because `excludeSensitive`
+    // defaulted to false. Detect those configs (cloud on, no explicit setting,
+    // no prior migration stamp) and rewrite them to the new safe default. If
+    // the user later opts back in via `--cloud-include-sensitive`, that writes
+    // `cloudSyncExcludeSensitive: false` explicitly and this branch is skipped.
+    if (raw.cloudEnabled === true &&
+        typeof raw.cloudSyncExcludeSensitive !== 'boolean' &&
+        typeof raw.cloudSyncDefaultsMigratedAt !== 'string') {
+        raw.cloudSyncExcludeSensitive = true;
+        raw.cloudSyncDefaultsMigratedAt = new Date().toISOString();
+        writeRawConfig(raw);
+    }
     const projectMode = raw.cloudSyncProjectMode;
     const contentMode = raw.cloudSyncContentMode;
     return {

package/dist/cloud/memory-sync.d.ts

@@ -28,6 +28,11 @@ export interface MemorySyncEnvelope {
         platform: string;
     };
 }
+/**
+ * Per-record sync gate. Exported for unit testing the safety contract:
+ * a CONFIDENTIAL record on fresh-default controls MUST return false.
+ */
+export declare function shouldSyncRecord(record: Pick<SyncedMemoryRecord, 'project' | 'sensitivity_level' | 'cloud_excluded'>): boolean;
 export declare function syncMemoryUpsertToCloud(memory: Memory): void;
 export declare function syncMemoryDeleteToCloud(memory: Memory): void;
 export declare function syncAllMemoriesToCloud(): Promise<{

package/dist/cloud/memory-sync.js

@@ -44,7 +44,11 @@ function buildEnvelope(records) {
         },
     };
 }
-function shouldSyncRecord(record) {
+/**
+ * Per-record sync gate. Exported for unit testing the safety contract:
+ * a CONFIDENTIAL record on fresh-default controls MUST return false.
+ */
+export function shouldSyncRecord(record) {
     if (record.cloud_excluded)
         return false;
     const controls = getCloudSyncControls();

package/dist/cloud/verify.js

@@ -27,9 +27,10 @@ export async function submitVerification(content, title, pipelineResult, source)
     }
     // Redact credentials before sending to cloud
     const cleanContent = redactCredentials(content);
+    const cleanTitle = redactCredentials(title);
     const payload = {
         content: cleanContent,
-        title,
+        title: cleanTitle,
         source_type: source.type,
         source_identifier: source.identifier,
         anomaly_score: pipelineResult.firewall.anomalyScore,

package/dist/defence/trust/env-detector.d.ts

@@ -41,3 +41,34 @@ export declare function resolveSource(declaredSource?: DefenceSource, strictMode
     inferred: boolean;
     detection?: EnvDetectionResult;
 };
+export interface CeilingClampResult {
+    /** The effective source after clamping (declared if safe, env-inferred otherwise). */
+    source: DefenceSource;
+    /** True when the declared source claimed higher trust than the runtime environment justifies. */
+    clamped: boolean;
+    /** Trust score of the declared source (only meaningful when a declared source was passed). */
+    declaredScore: number | null;
+    /** Trust score the runtime environment actually permits. */
+    ceilingScore: number;
+    /** The environment-inferred source used as the trust ceiling. */
+    ceiling: DefenceSource;
+    /** Detection metadata for the environment inference. */
+    detection: EnvDetectionResult;
+}
+/**
+ * Clamp a caller-declared source against the environment-inferred trust ceiling.
+ *
+ * MCP callers are arbitrary processes — a prompt-injected agent could claim
+ * `{type:'user', identifier:'direct'}` to get trust=1.0 and bypass quarantine.
+ * To prevent that, we compute the highest trust the actual runtime allows
+ * (from env vars like CLAUDE_CODE_ENTRYPOINT) and refuse any declared source
+ * that would score higher.
+ *
+ * Semantics:
+ * - If no declared source: return env-inferred (no clamping).
+ * - If declaredScore <= ceilingScore: trust the declared source (allows
+ *   legitimate downgrades, e.g. an agent labelling input as `email`).
+ * - If declaredScore > ceilingScore: drop the declared source and use the
+ *   env-inferred one, with `clamped: true` so the caller can audit it.
+ */
+export declare function clampSourceToCeiling(declaredSource: DefenceSource | undefined): CeilingClampResult;

package/dist/defence/trust/env-detector.js

@@ -8,6 +8,7 @@
  * This addresses Phase 1 limitation: "security is opt-in" — with env detection,
  * Claude Code agents get correct trust automatically with zero configuration.
  */
+import { scoreSource } from './source-scorer.js';
 /**
  * Infer caller source from process environment variables.
  *
@@ -114,3 +115,52 @@ export function resolveSource(declaredSource, strictMode = false) {
         detection,
     };
 }
+/**
+ * Clamp a caller-declared source against the environment-inferred trust ceiling.
+ *
+ * MCP callers are arbitrary processes — a prompt-injected agent could claim
+ * `{type:'user', identifier:'direct'}` to get trust=1.0 and bypass quarantine.
+ * To prevent that, we compute the highest trust the actual runtime allows
+ * (from env vars like CLAUDE_CODE_ENTRYPOINT) and refuse any declared source
+ * that would score higher.
+ *
+ * Semantics:
+ * - If no declared source: return env-inferred (no clamping).
+ * - If declaredScore <= ceilingScore: trust the declared source (allows
+ *   legitimate downgrades, e.g. an agent labelling input as `email`).
+ * - If declaredScore > ceilingScore: drop the declared source and use the
+ *   env-inferred one, with `clamped: true` so the caller can audit it.
+ */
+export function clampSourceToCeiling(declaredSource) {
+    const detection = inferSourceFromEnvironment();
+    const ceilingScore = scoreSource(detection.source).score;
+    if (!declaredSource) {
+        return {
+            source: detection.source,
+            clamped: false,
+            declaredScore: null,
+            ceilingScore,
+            ceiling: detection.source,
+            detection,
+        };
+    }
+    const declaredScore = scoreSource(declaredSource).score;
+    if (declaredScore > ceilingScore) {
+        return {
+            source: detection.source,
+            clamped: true,
+            declaredScore,
+            ceilingScore,
+            ceiling: detection.source,
+            detection,
+        };
+    }
+    return {
+        source: declaredSource,
+        clamped: false,
+        declaredScore,
+        ceilingScore,
+        ceiling: detection.source,
+        detection,
+    };
+}

package/dist/defence/trust/index.d.ts

@@ -2,7 +2,10 @@ export { scoreSource } from './source-scorer.js';
 export { filterByTrust } from './recall-filter.js';
 export { scoreAgent, getAgentDepth, buildAgentHierarchy } from './agent-scorer.js';
 export { checkAccess } from './access-control.js';
-export { inferSourceFromEnvironment, resolveSource } from './env-detector.js';
+export { inferSourceFromEnvironment, resolveSource, clampSourceToCeiling } from './env-detector.js';
+export type { CeilingClampResult } from './env-detector.js';
+export { resolveToolSource } from './resolve-tool-source.js';
+export type { ResolveToolSourceOptions } from './resolve-tool-source.js';
 export type { AccessPolicy, AccessCheckMemory } from './access-control.js';
 export type { AgentTrustConfig } from './agent-scorer.js';
 export type { EnvDetectionResult } from './env-detector.js';

package/dist/defence/trust/index.js

@@ -2,4 +2,5 @@ export { scoreSource } from './source-scorer.js';
 export { filterByTrust } from './recall-filter.js';
 export { scoreAgent, getAgentDepth, buildAgentHierarchy } from './agent-scorer.js';
 export { checkAccess } from './access-control.js';
-export { inferSourceFromEnvironment, resolveSource } from './env-detector.js';
+export { inferSourceFromEnvironment, resolveSource, clampSourceToCeiling } from './env-detector.js';
+export { resolveToolSource } from './resolve-tool-source.js';

package/dist/defence/trust/resolve-tool-source.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Resolve and harden the source of an MCP tool call.
+ *
+ * MCP callers can self-declare any source they like. This module:
+ * 1. Always computes the environment-inferred trust ceiling first.
+ * 2. Clamps any over-claimed declared source down to that ceiling.
+ * 3. Writes a `SOURCE_ELEVATION_BLOCKED` row to defence_audit when a clamp
+ *    happens, so operators can spot prompt-injection trying to escalate
+ *    its own trust.
+ * 4. Writes a `SOURCE_MISSING` row when no source was declared, preserving
+ *    the existing visibility into unconfigured callers.
+ */
+import type { DefenceSource } from '../types.js';
+export interface ResolveToolSourceOptions {
+    /** Tool name (e.g. 'remember', 'recall') — recorded in the audit reason. */
+    toolName: string;
+    /** Active project scope, recorded on the audit row. */
+    project: string | null;
+}
+/**
+ * Resolve the effective source for an MCP tool call.
+ *
+ * Returns the source the rest of the pipeline should use. When a caller
+ * over-claims trust the declared source is dropped, an audit row is written,
+ * and the env-inferred source is returned instead.
+ */
+export declare function resolveToolSource(declaredSource: DefenceSource | undefined, options: ResolveToolSourceOptions): DefenceSource;