shieldcortex 4.27.2 → 4.28.0

package/dist/api/visualization-server.js

@@ -40,7 +40,44 @@ import { registerDigestRoutes } from './routes/digest.js';
 import { registerSessionRoutes } from './routes/sessions.js';
 import { createIronDomeRouteGuard } from './iron-dome-route-guard.js';
 import { readAndClearDetectionEvents } from '../xray/activity.js';
+import { classifySqlQuery } from './sql-classifier.js';
 const PORT = process.env.PORT || 3001;
+// ── Defence source whitelist (Fix #13) ──────────────────────────────────────
+// The DefenceSource.type field is part of the threat-model surface — caller-
+// controlled `source.type` values pollute Iron Dome dashboards and audit
+// queries. Normalise unknown values to 'api' silently (defence in depth) and
+// cap identifier length to avoid log-explosion attacks.
+const ALLOWED_DEFENCE_SOURCE_TYPES = [
+    'user', 'cli', 'hook', 'email', 'web', 'agent', 'file', 'api', 'tool_response',
+];
+const MAX_SOURCE_IDENTIFIER_LENGTH = 200;
+/**
+ * Normalise an incoming `source` object from a REST request body into a
+ * trusted `DefenceSource`.
+ *
+ * - Unknown `type` values fall back to `'api'` (no rejection — defence in depth)
+ * - `identifier` longer than {@link MAX_SOURCE_IDENTIFIER_LENGTH} is truncated
+ *   with an ellipsis ("…") so the truncation is visible in audit logs
+ * - Non-string identifiers fall back to `'rest-api'`
+ *
+ * Exported for unit tests.
+ */
+export function normaliseDefenceSource(raw) {
+    const candidate = (raw ?? {});
+    const rawType = typeof candidate.type === 'string' ? candidate.type : undefined;
+    const type = rawType && ALLOWED_DEFENCE_SOURCE_TYPES.includes(rawType)
+        ? rawType
+        : 'api';
+    const rawIdentifier = typeof candidate.identifier === 'string' ? candidate.identifier : 'rest-api';
+    const identifier = rawIdentifier.length > MAX_SOURCE_IDENTIFIER_LENGTH
+        ? rawIdentifier.slice(0, MAX_SOURCE_IDENTIFIER_LENGTH - 1) + '…'
+        : rawIdentifier;
+    return { type, identifier };
+}
+export const __test__ = {
+    ALLOWED_DEFENCE_SOURCE_TYPES,
+    MAX_SOURCE_IDENTIFIER_LENGTH,
+};
 /**
  * In-memory counters for FEATURE_GATED (403) responses per feature.
  * Lightweight telemetry to detect noisy free-tier clients hammering gated endpoints.
@@ -75,6 +112,95 @@ function requireProFeature(feature) {
 }
 // Track connected WebSocket clients
 const clients = new Set();
+/**
+ * Handler for `POST /api/v1/scan`.
+ *
+ * Scans content through the defence pipeline. The `config` field on the
+ * request body is intentionally ignored — runtime always uses the persisted
+ * defence mode. Any attempt to override config is logged as a BLOCK with
+ * RESTRICTED sensitivity so incident-triage queries surface it (Fix #13).
+ *
+ * Exported for unit tests.
+ */
+export function handleV1Scan(req, res) {
+    try {
+        const { content, title, source } = req.body;
+        if (!content || typeof content !== 'string') {
+            res.status(400).json({ error: 'content (string) is required' });
+            return;
+        }
+        // Log if caller tried to override config (potential tampering).
+        // Fix #13: record as BLOCK / RESTRICTED so incident-triage queries
+        // filtering on firewall_result IN ('BLOCK','QUARANTINE') surface
+        // config-tampering attempts.
+        if (req.body.config) {
+            try {
+                logAudit({
+                    memory_id: null,
+                    project: null,
+                    timestamp: new Date().toISOString(),
+                    source_type: 'api',
+                    source_identifier: 'rest-api',
+                    trust_score: 0,
+                    sensitivity_level: 'RESTRICTED',
+                    firewall_result: 'BLOCK',
+                    anomaly_score: 0.5,
+                    threat_indicators: '["config_tampering"]',
+                    blocked_patterns: '[]',
+                    reason: 'config_override_attempt: scan endpoint config parameter ignored',
+                    fragmentation_score: null,
+                    pipeline_duration_ms: 0,
+                });
+            }
+            catch { /* audit is best-effort */ }
+        }
+        // Fix #13: whitelist source.type and cap identifier length
+        const defenceSource = normaliseDefenceSource(source);
+        // Always use persisted config — no per-request overrides via HTTP
+        const defenceConfig = { ...DEFAULT_DEFENCE_CONFIG, mode: getDefenceMode() };
+        const result = runDefencePipeline(content, title ?? 'Untitled', defenceSource, defenceConfig);
+        res.json(result);
+    }
+    catch (error) {
+        res.status(500).json({ error: error.message });
+    }
+}
+/**
+ * Handler for `POST /api/v1/scan/batch`.
+ *
+ * Scans up to 100 items in one request. Like {@link handleV1Scan}, the
+ * `config` field is intentionally ignored; source is normalised through
+ * {@link normaliseDefenceSource} (Fix #13).
+ *
+ * Exported for unit tests.
+ */
+export function handleV1ScanBatch(req, res) {
+    try {
+        const { items, source } = req.body;
+        if (!Array.isArray(items) || items.length === 0) {
+            res.status(400).json({ error: 'items (array) is required' });
+            return;
+        }
+        if (items.length > 100) {
+            res.status(400).json({ error: 'Maximum 100 items per batch' });
+            return;
+        }
+        // Fix #13: whitelist source.type and cap identifier length
+        const defenceSource = normaliseDefenceSource(source);
+        // Always use persisted config — no per-request overrides via HTTP
+        const defenceConfig = { ...DEFAULT_DEFENCE_CONFIG, mode: getDefenceMode() };
+        const results = items.map((item) => {
+            if (!item.content || typeof item.content !== 'string') {
+                return { error: 'content (string) is required', allowed: false };
+            }
+            return runDefencePipeline(item.content, item.title ?? 'Untitled', defenceSource, defenceConfig);
+        });
+        res.json({ results, total: results.length });
+    }
+    catch (error) {
+        res.status(500).json({ error: error.message });
+    }
+}
 /**
  * Start the visualization API server
  */
@@ -157,15 +283,19 @@ export function startVisualizationServer(dbPath) {
         });
     }
     function classifySqlAction(req) {
-        const query = typeof req.body?.query === 'string' ? req.body.query.trim().toUpperCase() : '';
-        if (!query)
+        const query = typeof req.body?.query === 'string' ? req.body.query : '';
+        if (!query.trim())
             return 'database_migrate';
-        if (query.startsWith('SELECT') || query.startsWith('PRAGMA'))
+        // PURGE is application-level (not a real SQL keyword) — keep the regex check.
+        if (/\bPURGE\b/i.test(query))
+            return 'destroy';
+        const classification = classifySqlQuery(query);
+        if (classification.kind === 'read')
             return 'run_report';
-        if (/\bDELETE\b/.test(query))
-            return 'delete';
-        if (/\bDROP\b|\bTRUNCATE\b|\bPURGE\b/.test(query))
+        if (classification.kind === 'destroy')
             return 'destroy';
+        if (classification.kind === 'write' && classification.operation === 'DELETE')
+            return 'delete';
         return 'database_migrate';
     }
     // ============================================
@@ -213,29 +343,30 @@ export function startVisualizationServer(dbPath) {
             if (!query || typeof query !== 'string') {
                 return res.status(400).json({ error: 'Query string required' });
             }
-            const upperQuery = query.toUpperCase().trim();
-            // Always block DROP and TRUNCATE
-            if (/\bDROP\b/.test(upperQuery) || /\bTRUNCATE\b/.test(upperQuery)) {
+            // Classify the query — robust against CTE prefixes that would bypass
+            // a naive `startsWith('INSERT'|'UPDATE'|...)` check, e.g.
+            //   WITH t AS (SELECT 1) INSERT INTO memories VALUES (...)
+            const classification = classifySqlQuery(query);
+            // Always block DROP and TRUNCATE (and reject anything we can't classify)
+            if (classification.kind === 'destroy') {
                 return res.status(403).json({
                     error: 'DROP and TRUNCATE operations are blocked for safety',
                 });
             }
+            if (classification.kind === 'reject') {
+                return res.status(400).json({
+                    error: `Query rejected: ${classification.reason}`,
+                });
+            }
             // Block writes unless explicitly allowed
-            const isWriteOperation = upperQuery.startsWith('INSERT') ||
-                upperQuery.startsWith('UPDATE') ||
-                upperQuery.startsWith('DELETE') ||
-                upperQuery.startsWith('ALTER') ||
-                upperQuery.startsWith('CREATE');
-            if (isWriteOperation && !allowWrite) {
+            if (classification.kind === 'write' && !allowWrite) {
                 return res.status(403).json({
                     error: 'Write operations are disabled. Enable allowWrite to execute.',
                 });
             }
             const db = getDatabase();
             const startTime = Date.now();
-            // Execute query
-            const isSelect = upperQuery.startsWith('SELECT') || upperQuery.startsWith('PRAGMA');
-            if (isSelect) {
+            if (classification.kind === 'read') {
                 const rows = db.prepare(query).all();
                 const executionTime = Date.now() - startTime;
                 // Get column names from first row or empty
@@ -248,7 +379,7 @@ export function startVisualizationServer(dbPath) {
                 });
             }
             else {
-                // Write operation
+                // Write operation (allowWrite === true at this point)
                 const result = db.prepare(query).run();
                 const executionTime = Date.now() - startTime;
                 res.json({
@@ -563,78 +694,8 @@ export function startVisualizationServer(dbPath) {
     // BRAIN WORKER (Phase 4)
     // ============================================
     // ── Defence API v1 ──────────────────────────────────────────
-    // Scan content through the defence pipeline
-    // NOTE: config parameter is intentionally ignored — always uses persisted mode (security hardening)
-    app.post('/api/v1/scan', (req, res) => {
-        try {
-            const { content, title, source } = req.body;
-            if (!content || typeof content !== 'string') {
-                return res.status(400).json({ error: 'content (string) is required' });
-            }
-            // Log if caller tried to override config (potential tampering)
-            if (req.body.config) {
-                try {
-                    logAudit({
-                        memory_id: null,
-                        project: null,
-                        timestamp: new Date().toISOString(),
-                        source_type: 'api',
-                        source_identifier: 'rest-api',
-                        trust_score: 0,
-                        sensitivity_level: 'INTERNAL',
-                        firewall_result: 'ALLOW',
-                        anomaly_score: 0.5,
-                        threat_indicators: '["config_tampering"]',
-                        blocked_patterns: '[]',
-                        reason: 'config_override_attempt: scan endpoint config parameter ignored',
-                        fragmentation_score: null,
-                        pipeline_duration_ms: 0,
-                    });
-                }
-                catch { /* audit is best-effort */ }
-            }
-            const defenceSource = {
-                type: source?.type ?? 'api',
-                identifier: source?.identifier ?? 'rest-api',
-            };
-            // Always use persisted config — no per-request overrides via HTTP
-            const defenceConfig = { ...DEFAULT_DEFENCE_CONFIG, mode: getDefenceMode() };
-            const result = runDefencePipeline(content, title ?? 'Untitled', defenceSource, defenceConfig);
-            res.json(result);
-        }
-        catch (error) {
-            res.status(500).json({ error: error.message });
-        }
-    });
-    // Batch scan multiple items
-    // NOTE: config parameter is intentionally ignored — always uses persisted mode (security hardening)
-    app.post('/api/v1/scan/batch', (req, res) => {
-        try {
-            const { items, source } = req.body;
-            if (!Array.isArray(items) || items.length === 0) {
-                return res.status(400).json({ error: 'items (array) is required' });
-            }
-            if (items.length > 100) {
-                return res.status(400).json({ error: 'Maximum 100 items per batch' });
-            }
-            const defenceSource = {
-                type: source?.type ?? 'api',
-                identifier: source?.identifier ?? 'rest-api',
-            };
-            // Always use persisted config — no per-request overrides via HTTP
-            const defenceConfig = { ...DEFAULT_DEFENCE_CONFIG, mode: getDefenceMode() };
-            const results = items.map((item) => {
-                if (!item.content || typeof item.content !== 'string') {
-                    return { error: 'content (string) is required', allowed: false };
-                }
-                return runDefencePipeline(item.content, item.title ?? 'Untitled', defenceSource, defenceConfig);
-            });
-            res.json({ results, total: results.length });
-        }
-        catch (error) {
-            res.status(500).json({ error: error.message });
-        }
-    });
+    app.post('/api/v1/scan', handleV1Scan);
+    app.post('/api/v1/scan/batch', handleV1ScanBatch);
     const brainWorker = new BrainWorker();
     registerIncidentRoutes(app);
     registerAdminRoutes(app, {

package/dist/cloud/cli.js

@@ -1,4 +1,4 @@
-import { getCloudConfig, setCloudConfig, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
+import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
 const VALID_RANKER_ENGINES = ['rrf', 'legacy'];
 import { syncAllGraphToCloud } from './graph-sync.js';
 import { syncAllMemoriesToCloud } from './memory-sync.js';
@@ -16,12 +16,14 @@ export function handleCloudConfig(args) {
         const reviewCopilot = getReviewCopilotConfig();
         const openclawAutoMemory = getOpenClawAutoMemory();
         const ranker = getRankerConfig();
+        const syncControls = getCloudSyncControls();
         const rankerOverridden = !!process.env.SHIELDCORTEX_RANKER;
         console.log('\nShieldCortex Configuration:');
         console.log(`  Defence Mode: ${mode}`);
         console.log(`  Cloud Enabled:  ${config.cloudEnabled ? 'Yes' : 'No'}`);
         console.log(`  API Key:  ${config.cloudApiKey ? config.cloudApiKey.substring(0, 12) + '...' : 'Not set'}`);
         console.log(`  Base URL: ${config.cloudBaseUrl}`);
+        console.log(`  Sensitive Memories: ${syncControls.excludeSensitive ? 'Excluded from sync (safe default)' : 'Included in sync'}`);
         console.log(`  LLM Verify:   ${verify.verifyEnabled ? 'Enabled' : 'Disabled'} (${verify.verifyMode}, ${verify.verifyTimeoutMs}ms timeout)`);
         console.log(`  Verify Triggers: ${verify.verifyTriggers.join(', ')}`);
         console.log(`  Local AI Explainer: ${reviewCopilot.enabled ? 'Enabled' : 'Disabled'} (${reviewCopilot.modelId})`);
@@ -65,6 +67,21 @@ export function handleCloudConfig(args) {
         console.log('Cloud sync disabled.');
         changed = true;
     }
+    // ── Sensitive-content opt-in/opt-out ──
+    // Default since v4.27: CONFIDENTIAL+ memories are NOT shipped to the cloud.
+    // Users who genuinely want to mirror sensitive content (e.g. self-hosted
+    // backend on their own network) can opt back in here.
+    if (args.includes('--cloud-include-sensitive')) {
+        setCloudSyncControls({ excludeSensitive: false });
+        console.log('Cloud sync will now include CONFIDENTIAL+ memories.');
+        console.log('Note: content is sent to your configured cloudBaseUrl in full.');
+        changed = true;
+    }
+    if (args.includes('--cloud-exclude-sensitive')) {
+        setCloudSyncControls({ excludeSensitive: true });
+        console.log('Cloud sync will skip CONFIDENTIAL+ memories (default).');
+        changed = true;
+    }
     // ── Verify flags ──
     if (args.includes('--verify-enable')) {
         const config = getCloudConfig();
@@ -190,6 +207,8 @@ export function handleCloudConfig(args) {
         console.log('  --cloud-url <url>      Set cloud base URL');
         console.log('  --cloud-enable         Enable cloud sync');
         console.log('  --cloud-disable        Disable cloud sync');
+        console.log('  --cloud-include-sensitive  Sync CONFIDENTIAL+ memories (off by default since v4.27)');
+        console.log('  --cloud-exclude-sensitive  Stop syncing CONFIDENTIAL+ memories (default)');
         console.log('  --cloud-status         Show current configuration');
         console.log('  --openclaw-auto-memory <true|false>  Extract memories from OpenClaw LLM output (default: off)');
         console.log('  --proactive-recall <true|false>  Inject SC memory into prompts (default: off — adds latency)');

package/dist/cloud/config.js

@@ -18,11 +18,18 @@ function getIntegrityKeyFile() {
     return join(getConfigDir(), '.integrity-key');
 }
 const DEFAULT_BASE_URL = 'https://api.shieldcortex.ai';
+// Safety-first defaults: CONFIDENTIAL+ memories are NOT shipped to the cloud
+// unless the user explicitly opts in via `--cloud-include-sensitive` or the
+// dashboard. Prior to the v4.27 flip, `excludeSensitive` defaulted to false,
+// which meant enabling cloud sync silently shipped credential-bearing /
+// classified content without per-record consent. `contentMode` stays 'full'
+// so the opt-in sync stream remains useful for PUBLIC/INTERNAL records that
+// the user did consent to share.
 const DEFAULT_SYNC_CONTROLS = {
     projectMode: 'all',
     projects: [],
     contentMode: 'full',
-    excludeSensitive: false,
+    excludeSensitive: true,
 };
 const DEFAULT_REVIEW_COPILOT_CONFIG = {
     enabled: false,
@@ -164,6 +171,19 @@ function normalizeProjectList(value) {
 }
 export function getCloudSyncControls() {
     const raw = readRawConfig();
+    // One-shot v4.27 migration: pre-upgrade configs with cloud sync enabled
+    // were silently shipping CONFIDENTIAL+ content because `excludeSensitive`
+    // defaulted to false. Detect those configs (cloud on, no explicit setting,
+    // no prior migration stamp) and rewrite them to the new safe default. If
+    // the user later opts back in via `--cloud-include-sensitive`, that writes
+    // `cloudSyncExcludeSensitive: false` explicitly and this branch is skipped.
+    if (raw.cloudEnabled === true &&
+        typeof raw.cloudSyncExcludeSensitive !== 'boolean' &&
+        typeof raw.cloudSyncDefaultsMigratedAt !== 'string') {
+        raw.cloudSyncExcludeSensitive = true;
+        raw.cloudSyncDefaultsMigratedAt = new Date().toISOString();
+        writeRawConfig(raw);
+    }
     const projectMode = raw.cloudSyncProjectMode;
     const contentMode = raw.cloudSyncContentMode;
     return {

package/dist/cloud/memory-sync.d.ts

@@ -28,6 +28,11 @@ export interface MemorySyncEnvelope {
         platform: string;
     };
 }
+/**
+ * Per-record sync gate. Exported for unit testing the safety contract:
+ * a CONFIDENTIAL record on fresh-default controls MUST return false.
+ */
+export declare function shouldSyncRecord(record: Pick<SyncedMemoryRecord, 'project' | 'sensitivity_level' | 'cloud_excluded'>): boolean;
 export declare function syncMemoryUpsertToCloud(memory: Memory): void;
 export declare function syncMemoryDeleteToCloud(memory: Memory): void;
 export declare function syncAllMemoriesToCloud(): Promise<{

package/dist/cloud/memory-sync.js

@@ -44,7 +44,11 @@ function buildEnvelope(records) {
         },
     };
 }
-function shouldSyncRecord(record) {
+/**
+ * Per-record sync gate. Exported for unit testing the safety contract:
+ * a CONFIDENTIAL record on fresh-default controls MUST return false.
+ */
+export function shouldSyncRecord(record) {
     if (record.cloud_excluded)
         return false;
     const controls = getCloudSyncControls();

package/dist/cloud/verify.js

@@ -27,9 +27,10 @@ export async function submitVerification(content, title, pipelineResult, source)
     }
     // Redact credentials before sending to cloud
     const cleanContent = redactCredentials(content);
+    const cleanTitle = redactCredentials(title);
     const payload = {
         content: cleanContent,
-        title,
+        title: cleanTitle,
         source_type: source.type,
         source_identifier: source.identifier,
         anomaly_score: pipelineResult.firewall.anomalyScore,

package/dist/database/inline-schema.js

@@ -295,6 +295,7 @@ export function getInlineSchema() {
     );
 
     -- v4.17 Session capture (mirrors schema.sql; bundled fallback only).
+    -- v4.28 (Fix #10): + sensitivity_level for prompt-redaction tagging.
     CREATE TABLE IF NOT EXISTS session_events (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
       session_id TEXT NOT NULL,
@@ -308,11 +309,13 @@ export function getInlineSchema() {
       duration_ms INTEGER,
       audit_id INTEGER,
       content_hash TEXT,
+      sensitivity_level TEXT DEFAULT 'INTERNAL',
       created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
       FOREIGN KEY (audit_id) REFERENCES defence_audit(id) ON DELETE SET NULL
     );
     CREATE INDEX IF NOT EXISTS idx_session_events_session ON session_events(session_id, ts);
     CREATE INDEX IF NOT EXISTS idx_session_events_project ON session_events(project, ts DESC);
+    CREATE INDEX IF NOT EXISTS idx_session_events_sensitivity ON session_events(sensitivity_level);
     CREATE UNIQUE INDEX IF NOT EXISTS idx_session_events_dedupe
       ON session_events(session_id, ts, kind, content_hash);
   `;

package/dist/database/migrations.js

@@ -503,4 +503,29 @@ export function runMigrations(database) {
         logIfUnexpectedDdlError(err, 'session_events.content_hash column + dedupe index');
         // (importer-side INSERT OR IGNORE handles missing index gracefully)
     }
+    // Migration: session_events.sensitivity_level (v4.28 — Fix #10).
+    //
+    // Without this, the UserPromptSubmit hook captured the raw prompt verbatim
+    // (no pipeline, no credential scan, no sensitivity tag). The column lets
+    // the hook record the defence classifier's verdict alongside the redacted
+    // text so the dashboard's replay UI can mask/strip RESTRICTED rows.
+    // Defaults to 'INTERNAL' for backfilled rows + future callers that omit it.
+    try {
+        const sessionEventsTable = database
+            .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='session_events'")
+            .get();
+        if (sessionEventsTable) {
+            const sessionCols = database
+                .prepare("PRAGMA table_info(session_events)")
+                .all();
+            const sessionColNames = new Set(sessionCols.map((c) => c.name));
+            if (!sessionColNames.has('sensitivity_level')) {
+                database.exec("ALTER TABLE session_events ADD COLUMN sensitivity_level TEXT DEFAULT 'INTERNAL'");
+            }
+            database.exec('CREATE INDEX IF NOT EXISTS idx_session_events_sensitivity ON session_events(sensitivity_level)');
+        }
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'session_events.sensitivity_level column + index');
+    }
 }

package/dist/database/schema.sql

@@ -120,11 +120,16 @@ CREATE TABLE IF NOT EXISTS session_events (
   duration_ms INTEGER,
   audit_id INTEGER,
   content_hash TEXT,
+  -- v4.28 (Fix #10): defence classifier verdict for this event.
+  -- PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED. Lets the dashboard
+  -- replay UI mask or strip sensitive prompts/responses.
+  sensitivity_level TEXT DEFAULT 'INTERNAL',
   created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
   FOREIGN KEY (audit_id) REFERENCES defence_audit(id) ON DELETE SET NULL
 );
 CREATE INDEX IF NOT EXISTS idx_session_events_session ON session_events(session_id, ts);
 CREATE INDEX IF NOT EXISTS idx_session_events_project ON session_events(project, ts DESC);
+CREATE INDEX IF NOT EXISTS idx_session_events_sensitivity ON session_events(sensitivity_level);
 CREATE UNIQUE INDEX IF NOT EXISTS idx_session_events_dedupe
   ON session_events(session_id, ts, kind, content_hash);
 

package/dist/defence/trust/env-detector.d.ts

@@ -41,3 +41,34 @@ export declare function resolveSource(declaredSource?: DefenceSource, strictMode
     inferred: boolean;
     detection?: EnvDetectionResult;
 };
+export interface CeilingClampResult {
+    /** The effective source after clamping (declared if safe, env-inferred otherwise). */
+    source: DefenceSource;
+    /** True when the declared source claimed higher trust than the runtime environment justifies. */
+    clamped: boolean;
+    /** Trust score of the declared source (only meaningful when a declared source was passed). */
+    declaredScore: number | null;
+    /** Trust score the runtime environment actually permits. */
+    ceilingScore: number;
+    /** The environment-inferred source used as the trust ceiling. */
+    ceiling: DefenceSource;
+    /** Detection metadata for the environment inference. */
+    detection: EnvDetectionResult;
+}
+/**
+ * Clamp a caller-declared source against the environment-inferred trust ceiling.
+ *
+ * MCP callers are arbitrary processes — a prompt-injected agent could claim
+ * `{type:'user', identifier:'direct'}` to get trust=1.0 and bypass quarantine.
+ * To prevent that, we compute the highest trust the actual runtime allows
+ * (from env vars like CLAUDE_CODE_ENTRYPOINT) and refuse any declared source
+ * that would score higher.
+ *
+ * Semantics:
+ * - If no declared source: return env-inferred (no clamping).
+ * - If declaredScore <= ceilingScore: trust the declared source (allows
+ *   legitimate downgrades, e.g. an agent labelling input as `email`).
+ * - If declaredScore > ceilingScore: drop the declared source and use the
+ *   env-inferred one, with `clamped: true` so the caller can audit it.
+ */
+export declare function clampSourceToCeiling(declaredSource: DefenceSource | undefined): CeilingClampResult;

package/dist/defence/trust/env-detector.js

@@ -8,6 +8,7 @@
  * This addresses Phase 1 limitation: "security is opt-in" — with env detection,
  * Claude Code agents get correct trust automatically with zero configuration.
  */
+import { scoreSource } from './source-scorer.js';
 /**
  * Infer caller source from process environment variables.
  *
@@ -114,3 +115,52 @@ export function resolveSource(declaredSource, strictMode = false) {
         detection,
     };
 }
+/**
+ * Clamp a caller-declared source against the environment-inferred trust ceiling.
+ *
+ * MCP callers are arbitrary processes — a prompt-injected agent could claim
+ * `{type:'user', identifier:'direct'}` to get trust=1.0 and bypass quarantine.
+ * To prevent that, we compute the highest trust the actual runtime allows
+ * (from env vars like CLAUDE_CODE_ENTRYPOINT) and refuse any declared source
+ * that would score higher.
+ *
+ * Semantics:
+ * - If no declared source: return env-inferred (no clamping).
+ * - If declaredScore <= ceilingScore: trust the declared source (allows
+ *   legitimate downgrades, e.g. an agent labelling input as `email`).
+ * - If declaredScore > ceilingScore: drop the declared source and use the
+ *   env-inferred one, with `clamped: true` so the caller can audit it.
+ */
+export function clampSourceToCeiling(declaredSource) {
+    const detection = inferSourceFromEnvironment();
+    const ceilingScore = scoreSource(detection.source).score;
+    if (!declaredSource) {
+        return {
+            source: detection.source,
+            clamped: false,
+            declaredScore: null,
+            ceilingScore,
+            ceiling: detection.source,
+            detection,
+        };
+    }
+    const declaredScore = scoreSource(declaredSource).score;
+    if (declaredScore > ceilingScore) {
+        return {
+            source: detection.source,
+            clamped: true,
+            declaredScore,
+            ceilingScore,
+            ceiling: detection.source,
+            detection,
+        };
+    }
+    return {
+        source: declaredSource,
+        clamped: false,
+        declaredScore,
+        ceilingScore,
+        ceiling: detection.source,
+        detection,
+    };
+}

package/dist/defence/trust/index.d.ts

@@ -2,7 +2,10 @@ export { scoreSource } from './source-scorer.js';
 export { filterByTrust } from './recall-filter.js';
 export { scoreAgent, getAgentDepth, buildAgentHierarchy } from './agent-scorer.js';
 export { checkAccess } from './access-control.js';
-export { inferSourceFromEnvironment, resolveSource } from './env-detector.js';
+export { inferSourceFromEnvironment, resolveSource, clampSourceToCeiling } from './env-detector.js';
+export type { CeilingClampResult } from './env-detector.js';
+export { resolveToolSource } from './resolve-tool-source.js';
+export type { ResolveToolSourceOptions } from './resolve-tool-source.js';
 export type { AccessPolicy, AccessCheckMemory } from './access-control.js';
 export type { AgentTrustConfig } from './agent-scorer.js';
 export type { EnvDetectionResult } from './env-detector.js';

package/dist/defence/trust/index.js

@@ -2,4 +2,5 @@ export { scoreSource } from './source-scorer.js';
 export { filterByTrust } from './recall-filter.js';
 export { scoreAgent, getAgentDepth, buildAgentHierarchy } from './agent-scorer.js';
 export { checkAccess } from './access-control.js';
-export { inferSourceFromEnvironment, resolveSource } from './env-detector.js';
+export { inferSourceFromEnvironment, resolveSource, clampSourceToCeiling } from './env-detector.js';
+export { resolveToolSource } from './resolve-tool-source.js';

package/dist/defence/trust/resolve-tool-source.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Resolve and harden the source of an MCP tool call.
+ *
+ * MCP callers can self-declare any source they like. This module:
+ * 1. Always computes the environment-inferred trust ceiling first.
+ * 2. Clamps any over-claimed declared source down to that ceiling.
+ * 3. Writes a `SOURCE_ELEVATION_BLOCKED` row to defence_audit when a clamp
+ *    happens, so operators can spot prompt-injection trying to escalate
+ *    its own trust.
+ * 4. Writes a `SOURCE_MISSING` row when no source was declared, preserving
+ *    the existing visibility into unconfigured callers.
+ */
+import type { DefenceSource } from '../types.js';
+export interface ResolveToolSourceOptions {
+    /** Tool name (e.g. 'remember', 'recall') — recorded in the audit reason. */
+    toolName: string;
+    /** Active project scope, recorded on the audit row. */
+    project: string | null;
+}
+/**
+ * Resolve the effective source for an MCP tool call.
+ *
+ * Returns the source the rest of the pipeline should use. When a caller
+ * over-claims trust the declared source is dropped, an audit row is written,
+ * and the env-inferred source is returned instead.
+ */
+export declare function resolveToolSource(declaredSource: DefenceSource | undefined, options: ResolveToolSourceOptions): DefenceSource;