shieldcortex 4.27.2 → 4.28.0

package/dist/defence/trust/resolve-tool-source.js

@@ -0,0 +1,80 @@
+/**
+ * Resolve and harden the source of an MCP tool call.
+ *
+ * MCP callers can self-declare any source they like. This module:
+ * 1. Always computes the environment-inferred trust ceiling first.
+ * 2. Clamps any over-claimed declared source down to that ceiling.
+ * 3. Writes a `SOURCE_ELEVATION_BLOCKED` row to defence_audit when a clamp
+ *    happens, so operators can spot prompt-injection trying to escalate
+ *    its own trust.
+ * 4. Writes a `SOURCE_MISSING` row when no source was declared, preserving
+ *    the existing visibility into unconfigured callers.
+ */
+import { clampSourceToCeiling } from './env-detector.js';
+import { logAudit } from '../audit/logger.js';
+/**
+ * Resolve the effective source for an MCP tool call.
+ *
+ * Returns the source the rest of the pipeline should use. When a caller
+ * over-claims trust the declared source is dropped, an audit row is written,
+ * and the env-inferred source is returned instead.
+ */
+export function resolveToolSource(declaredSource, options) {
+    const clampResult = clampSourceToCeiling(declaredSource);
+    const { source, clamped, declaredScore, ceilingScore, detection } = clampResult;
+    if (clamped && declaredSource) {
+        try {
+            logAudit({
+                memory_id: null,
+                project: options.project,
+                timestamp: new Date().toISOString(),
+                source_type: source.type,
+                source_identifier: source.identifier,
+                trust_score: ceilingScore,
+                sensitivity_level: 'PUBLIC',
+                firewall_result: 'BLOCK',
+                anomaly_score: 0,
+                threat_indicators: JSON.stringify(['privilege_escalation']),
+                blocked_patterns: '[]',
+                reason: `SOURCE_ELEVATION_BLOCKED: tool=${options.toolName}, ` +
+                    `declared=${declaredSource.type}:${declaredSource.identifier} (score=${declaredScore}), ` +
+                    `clamped=${source.type}:${source.identifier} (score=${ceilingScore}) ` +
+                    `via ${detection.method} (confidence: ${detection.confidence})`,
+                fragmentation_score: null,
+                pipeline_duration_ms: null,
+            });
+        }
+        catch {
+            // Audit logging must never break tool execution.
+        }
+        return source;
+    }
+    // No declared source — inferred from environment. Preserve the existing
+    // SOURCE_MISSING visibility so operators see unconfigured callers.
+    if (!declaredSource) {
+        try {
+            logAudit({
+                memory_id: null,
+                project: options.project,
+                timestamp: new Date().toISOString(),
+                source_type: source.type,
+                source_identifier: source.identifier,
+                trust_score: 0,
+                sensitivity_level: 'PUBLIC',
+                firewall_result: 'ALLOW',
+                anomaly_score: 0,
+                threat_indicators: '[]',
+                blocked_patterns: '[]',
+                reason: `SOURCE_MISSING: tool=${options.toolName}, ` +
+                    `inferred=${source.type}:${source.identifier} ` +
+                    `via ${detection.method} (confidence: ${detection.confidence})`,
+                fragmentation_score: null,
+                pipeline_duration_ms: null,
+            });
+        }
+        catch {
+            // Audit logging must never break tool execution.
+        }
+    }
+    return source;
+}

package/dist/memory/consolidate.js

@@ -10,6 +10,7 @@
 import { getDatabase, withTransaction } from '../database/init.js';
 import { DEFAULT_CONFIG, } from './types.js';
 import { getMemoriesByType, getRecentMemories, promoteMemory, deleteMemory, searchMemories, getMemoryStats, updateDecayScores, addMemory, rowToMemory, } from './store.js';
+import { runDefencePipeline } from '../defence/index.js';
 import { processDecay, } from './decay.js';
 import { detectContradictions, linkContradictions, } from './contradiction.js';
 import { jaccardSimilarity } from './similarity.js';
@@ -276,6 +277,18 @@ export function deduplicateMemories(options) {
                     .filter(s => s.length > 0 && !keptSentences.has(s.toLowerCase()));
                 if (uniqueSentences.length > 0) {
                     const mergedContent = kept.content + '\n\nMerged from duplicate:\n' + uniqueSentences.join('. ') + '.';
+                    // DEFENCE PIPELINE: re-scan the merged content. Two individually-clean
+                    // memories can produce content that straddles a credential pattern
+                    // across the join. Without this re-scan the "every byte in `memories`
+                    // has been scanned" invariant is broken. If the merge is blocked, skip
+                    // both the content update AND the delete so the source rows survive.
+                    const dedupSource = { type: 'hook', identifier: 'hook:consolidation' };
+                    const defenceResult = runDefencePipeline(mergedContent, kept.title, dedupSource, undefined, kept.project ?? discarded.project ?? undefined);
+                    if (defenceResult.firewall.result !== 'ALLOW') {
+                        // Surface in audit (already written by the pipeline) and skip this pair.
+                        console.warn(`[shieldcortex] Dedup merge blocked for memory ${kept.id} + ${removedId}: ${defenceResult.firewall.reason}`);
+                        continue;
+                    }
                     db.prepare('UPDATE memories SET content = ? WHERE id = ?').run(mergedContent, kept.id);
                 }
                 deleteMemory(removedId);

package/dist/memory/store.d.ts

@@ -46,7 +46,7 @@ export declare function getMemoryById(id: number, source?: DefenceSource): Memor
 export declare function updateMemory(id: number, updates: Partial<MemoryInput>): Memory | null;
 export declare function mergeMemories(keptId: number, removedId: number, options?: {
     reviewedBy?: string | null;
-}): Memory | null;
+}, source?: DefenceSource): Memory | null;
 /**
  * Delete a memory
  */

package/dist/memory/store.js

@@ -672,7 +672,7 @@ function uniqueSentencesFrom(source, existing) {
         .map((sentence) => sentence.trim())
         .filter((sentence) => sentence.length > 0 && !existingSentences.has(sentence.toLowerCase()));
 }
-export function mergeMemories(keptId, removedId, options) {
+export function mergeMemories(keptId, removedId, options, source = { type: 'cli', identifier: 'merge' }) {
     if (keptId === removedId)
         return getMemoryById(keptId);
     return withTransaction(() => {
@@ -685,6 +685,18 @@ export function mergeMemories(keptId, removedId, options) {
         const mergedContent = mergedSnippets.length > 0
             ? `${kept.content}\n\nMerged from duplicate (${removed.title}):\n${mergedSnippets.join('. ')}.`
             : kept.content;
+        // DEFENCE PIPELINE: re-scan the *merged* content. Two individually-clean
+        // memories can produce content that straddles a credential or injection
+        // pattern across the join (kept.content + " " + removed sentences). This
+        // is the one path that mechanically constructs new content from existing
+        // rows — without this re-scan the "every byte in `memories` has been
+        // scanned" invariant is broken. Throwing here rolls back the transaction
+        // so neither the kept row nor the removed row changes.
+        const mergedTitle = kept.title;
+        const defenceResult = runDefencePipeline(mergedContent, mergedTitle, source, undefined, kept.project ?? removed.project ?? undefined);
+        if (defenceResult.firewall.result !== 'ALLOW') {
+            throw new MemoryBlockedError(defenceResult.firewall.reason);
+        }
         const mergedTags = Array.from(new Set([...(kept.tags ?? []), ...(removed.tags ?? [])]));
         const mergedFrom = Array.isArray(kept.metadata?.mergedFrom)
             ? [...kept.metadata.mergedFrom]

package/dist/server.js

@@ -22,16 +22,22 @@ import { handleGraphQuery, handleGraphEntities, handleGraphExplain } from './too
 import { checkDatabaseSize } from './database/init.js';
 import { queryAuditLogs, getAuditStats, getLifetimeStats } from './defence/audit/index.js';
 import { scanExistingMemories } from './defence/scanner/index.js';
-import { resolveSource } from './defence/trust/env-detector.js';
-import { logAudit } from './defence/audit/logger.js';
+import { resolveToolSource as resolveToolSourceImpl } from './defence/trust/resolve-tool-source.js';
 import { scanToolResponse, shouldScanToolResponse } from './defence/tool-response-scanner.js';
 import { getToolResponseScanConfig } from './cloud/config.js';
 import { isKillSwitchActive, getKillSwitchMeta, assertOperationAllowed, activateKillSwitch, deactivateKillSwitch, KillSwitchError, } from './api/control.js';
-// Shared source schema for access control on MCP tools
+// Shared source schema for access control on MCP tools.
+// NOTE: 'user' is intentionally NOT accepted from MCP callers. MCP tools are
+// always invoked by an agent, hook, CLI or API — never by a literal human
+// typing — so accepting type:'user' would let a prompt-injected agent
+// self-attest as the human operator and earn trust=1.0, bypassing the
+// quarantine band and RESTRICTED read gating. The 'user' type still exists
+// internally for things like dashboard-originated writes, but it must never
+// be honoured when it arrives over the MCP transport.
 const sourceParam = z.object({
-    type: z.enum(['user', 'cli', 'hook', 'email', 'web', 'agent', 'file', 'api', 'tool_response']),
+    type: z.enum(['cli', 'hook', 'email', 'web', 'agent', 'file', 'api', 'tool_response']),
     identifier: z.string(),
-}).optional().describe('Caller identity for access control (agents should pass this)');
+}).optional().describe('Caller identity for access control (agents should pass this). type:"user" is rejected — MCP is never a human channel.');
 /**
  * Wrap an MCP tool handler to scan its response for threats.
  * Advisory mode: appends a warning but never blocks.
@@ -67,35 +73,19 @@ function withResponseScan(toolName, handler) {
     };
 }
 /**
- * Resolve source for an MCP tool call, inferring from environment if not declared.
- * Logs an audit warning when source is missing (gives operators visibility).
+ * Resolve source for an MCP tool call.
+ *
+ * Delegates to the env-ceiling clamp helper, which:
+ * - Drops any caller-declared source that claims higher trust than the
+ *   runtime environment justifies (writes SOURCE_ELEVATION_BLOCKED to audit).
+ * - Falls back to env-inferred source when none was declared (writes
+ *   SOURCE_MISSING to audit for operator visibility).
  */
 function resolveToolSource(declaredSource, toolName) {
-    const { source, inferred, detection } = resolveSource(declaredSource);
-    if (inferred) {
-        try {
-            logAudit({
-                memory_id: null,
-                project: getActiveProject(),
-                timestamp: new Date().toISOString(),
-                source_type: source.type,
-                source_identifier: source.identifier,
-                trust_score: 0,
-                sensitivity_level: 'PUBLIC',
-                firewall_result: 'ALLOW',
-                anomaly_score: 0,
-                threat_indicators: '[]',
-                blocked_patterns: '[]',
-                reason: `SOURCE_MISSING: tool=${toolName}, inferred=${source.type}:${source.identifier} via ${detection?.method ?? 'default'} (confidence: ${detection?.confidence ?? 'low'})`,
-                fragmentation_score: null,
-                pipeline_duration_ms: null,
-            });
-        }
-        catch {
-            // Audit logging should never break tool execution
-        }
-    }
-    return source;
+    return resolveToolSourceImpl(declaredSource, {
+        toolName,
+        project: getActiveProject(),
+    });
 }
 /**
  * Wrap an MCP tool handler to enforce kill switch lockdown.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shieldcortex",
-  "version": "4.27.2",
+  "version": "4.28.0",
   "description": "Trustworthy memory and security for AI agents. Recall debugging, review queue, OpenClaw session capture, and memory poisoning defence for Claude Code, Codex, OpenClaw, LangChain, and MCP agents.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -61,7 +61,8 @@
     "bench:smoke": "SHIELDCORTEX_SKIP_EMBEDDINGS=1 tsx benchmark/longmemeval/run.ts --quiet",
     "audit:security": "npm audit --audit-level=moderate",
     "prepack": "node scripts/ensure-bin-executable.mjs",
-    "prepublishOnly": "npm run build"
+    "version": "node scripts/sync-plugin-version.mjs && git add plugins/openclaw/package.json plugins/openclaw/openclaw.plugin.json",
+    "prepublishOnly": "node scripts/sync-plugin-version.mjs --check && npm run build"
   },
   "keywords": [
     "ai-memory",

package/scripts/lib/capture-prompt.mjs

@@ -0,0 +1,160 @@
+/**
+ * Hook-side prompt capture sanitiser (Fix #10).
+ *
+ * UserPromptSubmit historically stored the raw prompt text verbatim into
+ * `session_events`. Pasting a `.env` file (or any other credential-laden
+ * snippet) into Claude Code persisted it forever and the dashboard's session
+ * replay UI surfaced it on demand.
+ *
+ * This module runs the defence pipeline's credential redaction + sensitivity
+ * classifier against the prompt BEFORE it lands in `session_events`, returning:
+ *   - redactedText: prompt with credentials replaced by [REDACTED-…] markers
+ *   - sensitivity: classifier level (PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED)
+ *   - findings: credential scan findings (already-redacted match previews)
+ *   - redactedCount: number of credentials that were rewritten
+ *
+ * Fail-closed: if the dist defence modules cannot be loaded (dev workspace
+ * without `npm run build`, missing dist/, broken import), the caller gets a
+ * placeholder payload tagged RESTRICTED and a stderr warning. That keeps the
+ * raw text out of the database under all failure modes.
+ *
+ * Mirrors the lazy-loader pattern used by scripts/lib/save-memory.mjs so both
+ * hooks share the same dist resolution rules.
+ */
+
+import { dirname, resolve } from 'path';
+import { fileURLToPath, pathToFileURL } from 'url';
+
+const FAIL_CLOSED_PLACEHOLDER = '[defence_unavailable: prompt suppressed]';
+
+let _defenceCache = null;
+let _defenceCacheKey = null;
+
+/**
+ * Sanitise a raw user prompt for safe storage in `session_events`.
+ *
+ * @param {string} rawText - The raw user prompt as received by the hook.
+ * @returns {Promise<{ redactedText: string, sensitivity: string, findings: Array, redactedCount: number }>}
+ */
+export async function captureForSessionEvent(rawText) {
+  const text = typeof rawText === 'string' ? rawText : '';
+
+  const defence = await loadDefenceModules();
+  if (!defence) {
+    process.stderr.write(
+      '[shieldcortex capture-prompt] defence modules unavailable — prompt suppressed (fail-closed)\n',
+    );
+    return {
+      redactedText: FAIL_CLOSED_PLACEHOLDER,
+      sensitivity: 'RESTRICTED',
+      findings: [],
+      redactedCount: 0,
+    };
+  }
+
+  // ── Credential redaction ──
+  // scanForCredentials gives both the redacted body and the findings array.
+  // redactCredentials would do the same string transform but throw away the
+  // findings — we want both so the caller can count and (later) audit.
+  let scan;
+  try {
+    scan = defence.scanForCredentials(text);
+  } catch (err) {
+    const msg = err && err.message ? err.message : String(err);
+    process.stderr.write(
+      `[shieldcortex capture-prompt] credential scan failed (${msg}) — prompt suppressed (fail-closed)\n`,
+    );
+    return {
+      redactedText: FAIL_CLOSED_PLACEHOLDER,
+      sensitivity: 'RESTRICTED',
+      findings: [],
+      redactedCount: 0,
+    };
+  }
+
+  const findings = Array.isArray(scan?.findings) ? scan.findings : [];
+  const redactedText = scan?.redactedContent ?? text;
+  const redactedCount = findings.length;
+
+  // ── Sensitivity classification ──
+  // Classifier is sync and pattern-based — failures here shouldn't fail-close
+  // the whole capture (we still have a useful redaction). Degrade to INTERNAL.
+  let sensitivity = 'INTERNAL';
+  try {
+    const classification = defence.classifySensitivity(text, '');
+    if (classification && typeof classification.level === 'string') {
+      sensitivity = classification.level;
+    }
+  } catch {
+    // Best-effort — keep INTERNAL default.
+  }
+
+  // If credentials were found, force at least CONFIDENTIAL. The classifier
+  // catches "api_key=" style markers but raw secret strings without context
+  // can slip past it, and we never want a prompt full of secrets tagged
+  // PUBLIC or INTERNAL just because the surrounding text was unremarkable.
+  if (redactedCount > 0 && (sensitivity === 'PUBLIC' || sensitivity === 'INTERNAL')) {
+    sensitivity = 'CONFIDENTIAL';
+  }
+
+  return {
+    redactedText,
+    sensitivity,
+    findings,
+    redactedCount,
+  };
+}
+
+// ==================== Internal: lazy dist loader ====================
+
+async function loadDefenceModules() {
+  // capture-prompt.mjs lives at scripts/lib/, so dist is two directories up.
+  const here = dirname(fileURLToPath(import.meta.url));
+  const distRoot = resolve(here, '..', '..', 'dist');
+
+  if (_defenceCache && _defenceCacheKey === distRoot) {
+    return _defenceCache;
+  }
+
+  try {
+    const credentialUrl = pathToFileURL(
+      resolve(distRoot, 'defence', 'credential-leak', 'index.js'),
+    ).href;
+    const sensitivityUrl = pathToFileURL(
+      resolve(distRoot, 'defence', 'sensitivity', 'index.js'),
+    ).href;
+
+    const [credentialMod, sensitivityMod] = await Promise.all([
+      import(credentialUrl),
+      import(sensitivityUrl),
+    ]);
+
+    if (
+      typeof credentialMod.scanForCredentials !== 'function'
+      || typeof credentialMod.redactCredentials !== 'function'
+      || typeof sensitivityMod.classifySensitivity !== 'function'
+    ) {
+      return null;
+    }
+
+    _defenceCache = {
+      scanForCredentials: credentialMod.scanForCredentials,
+      redactCredentials: credentialMod.redactCredentials,
+      classifySensitivity: sensitivityMod.classifySensitivity,
+    };
+    _defenceCacheKey = distRoot;
+    return _defenceCache;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Test-only: reset the lazy-load cache so unit tests can simulate dist-missing
+ * failure modes without spinning up a second process. Not exported via the
+ * scripts barrel — only the tests reach for it.
+ */
+export function __resetCacheForTests() {
+  _defenceCache = null;
+  _defenceCacheKey = null;
+}

package/scripts/lib/session-capture.mjs

@@ -21,10 +21,14 @@ const VALID_KINDS = new Set([
   'hook_fire',
 ]);
 
+// v4.28 (Fix #10): `sensitivity_level` carries the defence classifier verdict
+// (PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED) so the dashboard replay UI
+// can mask/strip rows that contain credentials or otherwise-sensitive prompts.
+// Defaults to 'INTERNAL' for events written by callers that don't set it.
 const INSERT_SQL = `
   INSERT INTO session_events
-    (session_id, project, ts, kind, actor, payload, duration_ms, audit_id)
-  VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    (session_id, project, ts, kind, actor, payload, duration_ms, audit_id, sensitivity_level)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
 `;
 
 /** Stringify payload — objects → JSON, strings pass through verbatim. */
@@ -60,6 +64,7 @@ export function recordSessionEvent(db, event) {
       serialisePayload(event.payload),
       event.duration_ms ?? null,
       event.audit_id ?? null,
+      event.sensitivity_level ?? 'INTERNAL',
     );
     return Number(result.lastInsertRowid);
   } catch (err) {
@@ -93,6 +98,7 @@ export function recordSessionEvents(db, events) {
         serialisePayload(event.payload),
         event.duration_ms ?? null,
         event.audit_id ?? null,
+        event.sensitivity_level ?? 'INTERNAL',
       );
       ids.push(Number(result.lastInsertRowid));
     }

package/scripts/prompt-recall-hook.mjs

@@ -17,6 +17,7 @@ import { homedir } from 'os';
 import { deriveProjectKey } from './lib/project-key.mjs';
 import { sanitisePromptForRecall } from './lib/prompt-sanitiser.mjs';
 import { recordSessionEvent } from './lib/session-capture.mjs';
+import { captureForSessionEvent } from './lib/capture-prompt.mjs';
 import { truncatePreservingWords } from './lib/truncate.mjs';
 import { compareRecallResults } from './lib/recall-rank.mjs';
 import { computeEffectiveSalience } from './lib/salience.mjs';
@@ -291,7 +292,7 @@ process.stdin.on('readable', () => {
   while ((chunk = process.stdin.read()) !== null) input += chunk;
 });
 
-process.stdin.on('end', () => {
+process.stdin.on('end', async () => {
   try {
     const config = loadConfig();
     const hookData = JSON.parse(input || '{}');
@@ -303,19 +304,27 @@ process.stdin.on('end', () => {
     //    proactiveRecall config so the dashboard replay timeline gets a
     //    complete event stream. Opt-out via captureEvents=false. Failures
     //    are swallowed — capture must never block the user prompt.
+    //
+    // Fix #10 (v4.28): redact credentials + classify sensitivity BEFORE the
+    // INSERT. Pasting a `.env` into Claude Code used to land verbatim in
+    // session_events; now it's routed through the defence pipeline first
+    // and the resulting sensitivity_level lets the dashboard mask/strip
+    // RESTRICTED rows from replay timelines.
     if (config.captureEvents !== false && sessionId && rawPrompt) {
       try {
         const project = deriveProjectKey(cwd);
         const dbPath = getDbPath();
         if (existsSync(dbPath)) {
+          const { redactedText, sensitivity } = await captureForSessionEvent(rawPrompt);
           const captureDb = new Database(dbPath, { timeout: 1000 });
           recordSessionEvent(captureDb, {
             session_id: sessionId,
             ts: new Date().toISOString(),
             kind: 'prompt',
-            payload: { text: rawPrompt },
+            payload: { text: redactedText },
             project: project || null,
             actor: 'user',
+            sensitivity_level: sensitivity,
           });
           captureDb.close();
         }