shieldcortex 4.35.0 → 4.37.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--h2qG7AvaXDfMKQrI_bK4V--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"h2qG7AvaXDfMKQrI-bK4V\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--Xdk3QuQEKommHIbMSem56--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"Xdk3QuQEKommHIbMSem56\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/api/routes/memories.js

@@ -553,7 +553,11 @@ export function registerMemoryRoutes(app, deps) {
                 salience,
                 memoryPurpose: memoryPurpose || undefined,
                 memoryScope: memoryScope || undefined,
-            });
+            }, undefined, 
+            // Operator-attributable dashboard write → api:dashboard (trust 0.7):
+            // scanned like every write, but stays broadly recallable (above the
+            // sub-agent band) rather than the generic unattributed 0.3.
+            { type: 'api', identifier: 'dashboard' });
             res.status(201).json(memory);
         }
         catch (error) {
@@ -564,6 +568,15 @@ export function registerMemoryRoutes(app, deps) {
                     message: 'Use the dashboard control panel to resume memory creation.',
                 });
             }
+            // The dashboard write is now scanned — surface a defence block as a 422,
+            // not a generic 500.
+            if (error.name === 'MemoryBlockedError') {
+                return res.status(422).json({
+                    error: 'Blocked by the defence pipeline',
+                    blocked: true,
+                    message: error.message,
+                });
+            }
             res.status(500).json({ error: error.message });
         }
     });

package/dist/cloud/cli.js

@@ -1,4 +1,4 @@
-import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
+import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, getToolResponseScanConfig, setToolResponseScanConfig, } from './config.js';
 const VALID_RANKER_ENGINES = ['rrf', 'legacy'];
 import { syncAllGraphToCloud } from './graph-sync.js';
 import { syncAllMemoriesToCloud } from './memory-sync.js';
@@ -17,9 +17,11 @@ export function handleCloudConfig(args) {
         const openclawAutoMemory = getOpenClawAutoMemory();
         const ranker = getRankerConfig();
         const syncControls = getCloudSyncControls();
+        const toolFirewall = getToolResponseScanConfig();
         const rankerOverridden = !!process.env.SHIELDCORTEX_RANKER;
         console.log('\nShieldCortex Configuration:');
         console.log(`  Defence Mode: ${mode}`);
+        console.log(`  Tool-Output Firewall: ${toolFirewall.scanToolResponses ? toolFirewall.toolResponseMode : 'Off'}`);
         console.log(`  Cloud Enabled:  ${config.cloudEnabled ? 'Yes' : 'No'}`);
         console.log(`  API Key:  ${config.cloudApiKey ? config.cloudApiKey.substring(0, 12) + '...' : 'Not set'}`);
         console.log(`  Base URL: ${config.cloudBaseUrl}`);
@@ -188,6 +190,26 @@ export function handleCloudConfig(args) {
         console.log(`Proactive recall ${enabled ? 'enabled' : 'disabled'}.`);
         changed = true;
     }
+    if (args.includes('--tool-firewall-enforce')) {
+        setToolResponseScanConfig({ scanToolResponses: true, toolResponseMode: 'enforce' });
+        console.log('Tool-output firewall set to ENFORCE — threatening tool output will be redacted/withheld before the agent sees it.');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-advisory')) {
+        setToolResponseScanConfig({ scanToolResponses: true, toolResponseMode: 'advisory' });
+        console.log('Tool-output firewall set to ADVISORY — threats are logged but tool output is delivered intact (default).');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-off')) {
+        setToolResponseScanConfig({ scanToolResponses: false });
+        console.log('Tool-output firewall disabled — tool responses are no longer scanned.');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-on')) {
+        setToolResponseScanConfig({ scanToolResponses: true });
+        console.log('Tool-output firewall enabled (scanning on).');
+        changed = true;
+    }
     if (args.includes('--upsell-mute')) {
         setUpsellState({ proMuted: true });
         console.log('Pro upsell muted. Re-enable with --upsell-unmute.');
@@ -213,6 +235,9 @@ export function handleCloudConfig(args) {
         console.log('  --openclaw-auto-memory <true|false>  Extract memories from OpenClaw LLM output (default: off)');
         console.log('  --proactive-recall <true|false>  Inject SC memory into prompts (default: off — adds latency)');
         console.log('  --ranker <rrf|legacy>  Hybrid retrieval engine (default: rrf; SHIELDCORTEX_RANKER env overrides)');
+        console.log('  --tool-firewall-enforce   Redact/withhold threatening tool output before the agent sees it');
+        console.log('  --tool-firewall-advisory  Log tool-output threats but deliver intact (default)');
+        console.log('  --tool-firewall-off / --tool-firewall-on  Disable / enable tool-output scanning');
         console.log('  --restore-4.10-defaults  Restore pre-v4.11.0 defaults (recall on, strict interceptor, minimal preamble)');
         console.log('  --upsell-mute          Suppress the Pro upsell footer in doctor');
         console.log('  --upsell-unmute        Allow the Pro upsell footer to surface again');

package/dist/defence/firewall/markdown-image-detector.d.ts

@@ -32,3 +32,18 @@ export interface MarkdownImageExfilResult {
  * Scan content for markdown-image exfiltration links.
  */
 export declare function detectMarkdownImageExfil(content: string): MarkdownImageExfilResult;
+/** Replacement for a neutralised exfil image: a dead host carrying no data. */
+export declare const NEUTRALISED_IMAGE = "![redacted](https://blocked.invalid/shieldcortex-redacted)";
+/**
+ * Strip markdown-image exfiltration links from content for enforce mode.
+ *
+ * Re-runs the SAME regex + urlLooksLikeExfil predicate as detection and replaces
+ * each offending `![alt](url)` match WHOLE (alt dropped too — it can itself carry
+ * data). Splices by match offset, so it does not depend on substring equality
+ * with a previously-captured (truncated) URL and is unaffected by any other
+ * mutation applied to the content first. Benign images are left untouched.
+ */
+export declare function neutraliseMarkdownImageExfil(content: string): {
+    content: string;
+    stripped: number;
+};

package/dist/defence/firewall/markdown-image-detector.js

@@ -81,3 +81,33 @@ export function detectMarkdownImageExfil(content) {
         urls,
     };
 }
+/** Replacement for a neutralised exfil image: a dead host carrying no data. */
+export const NEUTRALISED_IMAGE = '![redacted](https://blocked.invalid/shieldcortex-redacted)';
+/**
+ * Strip markdown-image exfiltration links from content for enforce mode.
+ *
+ * Re-runs the SAME regex + urlLooksLikeExfil predicate as detection and replaces
+ * each offending `![alt](url)` match WHOLE (alt dropped too — it can itself carry
+ * data). Splices by match offset, so it does not depend on substring equality
+ * with a previously-captured (truncated) URL and is unaffected by any other
+ * mutation applied to the content first. Benign images are left untouched.
+ */
+export function neutraliseMarkdownImageExfil(content) {
+    const spans = [];
+    MARKDOWN_IMAGE_PATTERN.lastIndex = 0;
+    let match;
+    while ((match = MARKDOWN_IMAGE_PATTERN.exec(content)) !== null) {
+        if (urlLooksLikeExfil(match[1])) {
+            spans.push({ start: match.index, end: match.index + match[0].length });
+        }
+    }
+    if (spans.length === 0)
+        return { content, stripped: 0 };
+    // Splice from the end so earlier offsets stay valid.
+    let result = content;
+    for (let i = spans.length - 1; i >= 0; i--) {
+        const { start, end } = spans[i];
+        result = result.slice(0, start) + NEUTRALISED_IMAGE + result.slice(end);
+    }
+    return { content: result, stripped: spans.length };
+}

package/dist/defence/quarantine/review.js

@@ -1,8 +1,8 @@
 import { getDatabase, withTransaction } from '../../database/init.js';
-import { addMemory } from '../../memory/store.js';
+import { addMemory, MemoryBlockedError } from '../../memory/store.js';
 function getPendingQuarantineRow(id) {
     const db = getDatabase();
-    const row = db.prepare(`SELECT id, original_title, original_content, project, source_type, source_identifier, reason
+    const row = db.prepare(`SELECT id, original_title, original_content, project, source_type, source_identifier, reason, firewall_result
        FROM quarantine
       WHERE id = ? AND status = 'pending'`).get(id);
     return row ?? null;
@@ -31,16 +31,20 @@ function promoteApprovedQuarantineRow(row, reviewedBy) {
             approvedFromQuarantine: true,
             quarantineId: row.id,
             quarantineReason: row.reason ?? null,
+            // Original provenance is preserved here (the trust now reflects the
+            // human approval, not the original source).
             originalSourceType: row.source_type ?? null,
             originalSourceIdentifier: row.source_identifier ?? null,
         },
         captureMethod: 'review',
         reviewedBy,
         sourceKind: normalizeSourceKind(row.source_type),
-        source: row.source_type && row.source_identifier
-            ? `${row.source_type}:${row.source_identifier}`
-            : 'quarantine:review',
-    });
+    }, undefined, 
+    // A human approving the item IS the parent-approval the quarantine was
+    // waiting for, so admit at user:approved (0.9 — out of the 0.5–0.7 auto-
+    // quarantine band, so it isn't re-quarantined in a loop). The pipeline still
+    // RE-SCANS, so genuinely-malicious content fails closed (caller catches it).
+    { type: 'user', identifier: 'approved' });
 }
 function markPendingRowReviewed(id, status, reviewedBy) {
     const db = getDatabase();
@@ -58,7 +62,25 @@ function approveExistingPendingRow(row, reviewedBy) {
             status: 'approved',
         };
     }
-    const memory = promoteApprovedQuarantineRow(row, reviewedBy);
+    // Never re-admit content the pipeline HARD-BLOCKED. Approving a BLOCK item
+    // rejects it instead of laundering hard-rejected poison back into memory.
+    if (row.firewall_result === 'BLOCK') {
+        markPendingRowReviewed(row.id, 'rejected', reviewedBy);
+        return { id: row.id, status: 'rejected' };
+    }
+    // QUARANTINE (soft hold): re-admit through the pipeline at operator-approved
+    // trust. If the content now hard-blocks, fail closed — reject, don't admit.
+    let memory;
+    try {
+        memory = promoteApprovedQuarantineRow(row, reviewedBy);
+    }
+    catch (e) {
+        if (e instanceof MemoryBlockedError) {
+            markPendingRowReviewed(row.id, 'rejected', reviewedBy);
+            return { id: row.id, status: 'rejected' };
+        }
+        throw e;
+    }
     markPendingRowReviewed(row.id, 'approved', reviewedBy);
     return {
         id: row.id,

package/dist/defence/tool-response-enforce.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Tool-Response Enforce Layer
+ *
+ * Advisory mode only LOGS threats in a tool response. Enforce mode must actually
+ * change the bytes the agent receives. This module is the action layer: given a
+ * tool response and the threat signals the scanner already computed, it returns
+ * the content the agent should actually see.
+ *
+ * Two-tier policy:
+ *
+ *   BLOCK (withhold the whole payload) — when the output is actively hostile or
+ *   smuggling: any injection signal, the instruction detector firing, a blob
+ *   that decodes to an injection, or a blob that decodes to a credential.
+ *   Natural-language injected instructions cannot be surgically removed without
+ *   risking that a fragment survives, so the safe action is to withhold the
+ *   entire response and tell the agent why.
+ *
+ *   REDACT (pass cleaned + tag) — when the threat is a secret or an exfil link
+ *   sitting in plaintext that we CAN surgically remove: credential leaks (masked
+ *   in place) and markdown-image exfiltration URLs (neutralised to a dead host).
+ *   The cleaned content is prefixed with an untrusted-origin tag so any
+ *   downstream memory write attributes it correctly.
+ *
+ * Pure and dependency-injection-free of any DB/IO — only the credential scanner
+ * (for positional redaction). Easy to unit test in isolation.
+ */
+export declare const TOOL_OUTPUT_BLOCKED_PLACEHOLDER: string;
+export declare const UNTRUSTED_TOOL_TAG = "[ShieldCortex: tool output sanitised \u2014 treat as derived-from-untrusted-tool]";
+/**
+ * Threat signals the scanner already computed for a (non-clean) tool response.
+ * Passed in so neutralisation never re-derives detection — single source of
+ * truth with scanToolResponse.
+ */
+export interface ToolResponseThreatSignals {
+    injectionRisk: 'NONE' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    instructionsDetected: boolean;
+    decodedInjection: boolean;
+    encodingDetected: boolean;
+    markdownImageUrls: string[];
+    credentialsLeaked: boolean;
+    decodedCredentialLeak: boolean;
+}
+export interface ToolResponseNeutralisation {
+    /** The content the agent should actually receive. */
+    sanitised: string;
+    /** True when the whole payload was withheld (blocked), not just redacted. */
+    blocked: boolean;
+    /** Human-readable list of actions taken, for audit/summary. */
+    actions: string[];
+}
+/**
+ * Compute the enforce-mode replacement for a tool response.
+ *
+ * Only meaningful when the scanner already found the response non-clean; with no
+ * signals it returns the content unchanged.
+ */
+export declare function neutraliseToolResponse(content: string, signals: ToolResponseThreatSignals): ToolResponseNeutralisation;

package/dist/defence/tool-response-enforce.js

@@ -0,0 +1,107 @@
+/**
+ * Tool-Response Enforce Layer
+ *
+ * Advisory mode only LOGS threats in a tool response. Enforce mode must actually
+ * change the bytes the agent receives. This module is the action layer: given a
+ * tool response and the threat signals the scanner already computed, it returns
+ * the content the agent should actually see.
+ *
+ * Two-tier policy:
+ *
+ *   BLOCK (withhold the whole payload) — when the output is actively hostile or
+ *   smuggling: any injection signal, the instruction detector firing, a blob
+ *   that decodes to an injection, or a blob that decodes to a credential.
+ *   Natural-language injected instructions cannot be surgically removed without
+ *   risking that a fragment survives, so the safe action is to withhold the
+ *   entire response and tell the agent why.
+ *
+ *   REDACT (pass cleaned + tag) — when the threat is a secret or an exfil link
+ *   sitting in plaintext that we CAN surgically remove: credential leaks (masked
+ *   in place) and markdown-image exfiltration URLs (neutralised to a dead host).
+ *   The cleaned content is prefixed with an untrusted-origin tag so any
+ *   downstream memory write attributes it correctly.
+ *
+ * Pure and dependency-injection-free of any DB/IO — only the credential scanner
+ * (for positional redaction). Easy to unit test in isolation.
+ */
+import { scanForCredentials } from './credential-leak/index.js';
+import { neutraliseMarkdownImageExfil } from './firewall/markdown-image-detector.js';
+export const TOOL_OUTPUT_BLOCKED_PLACEHOLDER = '[ShieldCortex] Tool output withheld in enforce mode — prompt-injection / data-smuggling detected. ' +
+    'The original response was blocked to protect the agent. Review the ShieldCortex audit log for details.';
+export const UNTRUSTED_TOOL_TAG = '[ShieldCortex: tool output sanitised — treat as derived-from-untrusted-tool]';
+function hasAnySignal(s) {
+    return (s.injectionRisk !== 'NONE' ||
+        s.instructionsDetected ||
+        s.decodedInjection ||
+        s.encodingDetected ||
+        s.markdownImageUrls.length > 0 ||
+        s.credentialsLeaked ||
+        s.decodedCredentialLeak);
+}
+/** Output is actively hostile / smuggling — withhold the whole payload. */
+function shouldBlock(s) {
+    return (s.injectionRisk !== 'NONE' ||
+        s.instructionsDetected ||
+        s.decodedInjection ||
+        s.decodedCredentialLeak);
+}
+/**
+ * Compute the enforce-mode replacement for a tool response.
+ *
+ * Only meaningful when the scanner already found the response non-clean; with no
+ * signals it returns the content unchanged.
+ */
+export function neutraliseToolResponse(content, signals) {
+    if (!hasAnySignal(signals)) {
+        return { sanitised: content, blocked: false, actions: [] };
+    }
+    if (shouldBlock(signals)) {
+        const actions = [];
+        if (signals.injectionRisk !== 'NONE') {
+            actions.push(`blocked: prompt-injection (${signals.injectionRisk.toLowerCase()})`);
+        }
+        else if (signals.instructionsDetected) {
+            // No high-confidence Iron Dome hit — be honest that this is the heuristic
+            // instruction detector, not a graded injection (don't say "injection (none)").
+            actions.push('blocked: suspicious-instruction pattern (heuristic)');
+        }
+        if (signals.decodedInjection)
+            actions.push('blocked: encoded payload decoded to injection');
+        if (signals.decodedCredentialLeak)
+            actions.push('blocked: encoded payload decoded to credential');
+        return { sanitised: TOOL_OUTPUT_BLOCKED_PLACEHOLDER, blocked: true, actions };
+    }
+    // Redact path: surgically clean a payload that merely contains secrets / exfil
+    // links in plaintext. The untrusted-origin tag is NOT embedded here — callers
+    // convey it out-of-band so redacted structured output (JSON/CSV) stays parseable.
+    const actions = [];
+    let working = content;
+    // Markdown-image exfil FIRST, before any other mutation. Uses a full-match
+    // regex over the content (not substring equality with a pre-captured, possibly
+    // truncated URL), so credential redaction reordering and >200-char URLs can't
+    // defeat it. If the scanner flagged exfil images but none could be located
+    // here, fail SAFE: withhold the whole payload rather than deliver it.
+    if (signals.markdownImageUrls.length > 0) {
+        const { content: stripped, stripped: count } = neutraliseMarkdownImageExfil(working);
+        if (count === 0) {
+            return {
+                sanitised: TOOL_OUTPUT_BLOCKED_PLACEHOLDER,
+                blocked: true,
+                actions: ['blocked: flagged markdown-image exfil could not be neutralised (fail-safe)'],
+            };
+        }
+        working = stripped;
+        actions.push(`stripped ${count} markdown-image exfil URL(s)`);
+    }
+    if (signals.credentialsLeaked) {
+        const cred = scanForCredentials(working);
+        if (cred.leaked && cred.redactedContent) {
+            working = cred.redactedContent;
+            actions.push(`redacted ${cred.findings.length} credential(s)`);
+        }
+    }
+    if (signals.encodingDetected) {
+        actions.push('flagged obfuscated/encoded content (passed through)');
+    }
+    return { sanitised: working, blocked: false, actions };
+}

package/dist/defence/tool-response-scanner.d.ts

@@ -17,9 +17,12 @@
  * It deliberately does NOT pull in the write-path's trust scoring, anomaly,
  * privilege, fragmentation or sensitivity layers — those are write concerns.
  *
- * Advisory by default: logs threats but never blocks tool responses. Only the
- * audit/event firewall_result reflects enforce mode; the scan itself never hard
- * blocks tool execution.
+ * Advisory by default: logs threats but leaves the response untouched. In
+ * enforce mode the scanner additionally computes `sanitisedContent` — the bytes
+ * the agent should actually receive (injection withheld, secrets redacted, exfil
+ * links stripped) — via the neutraliseToolResponse action layer. Callers
+ * (withResponseScan, the scan_tool_response tool) swap in sanitisedContent when
+ * present; the scanner never blocks tool EXECUTION, only the threatening output.
  */
 import type { ToolResponseScanResult } from './types.js';
 /**

package/dist/defence/tool-response-scanner.js

@@ -17,15 +17,19 @@
  * It deliberately does NOT pull in the write-path's trust scoring, anomaly,
  * privilege, fragmentation or sensitivity layers — those are write concerns.
  *
- * Advisory by default: logs threats but never blocks tool responses. Only the
- * audit/event firewall_result reflects enforce mode; the scan itself never hard
- * blocks tool execution.
+ * Advisory by default: logs threats but leaves the response untouched. In
+ * enforce mode the scanner additionally computes `sanitisedContent` — the bytes
+ * the agent should actually receive (injection withheld, secrets redacted, exfil
+ * links stripped) — via the neutraliseToolResponse action layer. Callers
+ * (withResponseScan, the scan_tool_response tool) swap in sanitisedContent when
+ * present; the scanner never blocks tool EXECUTION, only the threatening output.
  */
 import { scanForInjection } from './iron-dome/injection-scanner.js';
 import { scanForCredentials } from './credential-leak/index.js';
 import { detectInstructions } from './firewall/instruction-detector.js';
 import { detectEncoding } from './firewall/encoding-detector.js';
 import { detectMarkdownImageExfil } from './firewall/markdown-image-detector.js';
+import { neutraliseToolResponse } from './tool-response-enforce.js';
 import { logAudit } from './audit/logger.js';
 import { isDatabaseInitialized } from '../database/init.js';
 import { getToolResponseScanConfig } from '../cloud/config.js';
@@ -48,6 +52,11 @@ const HIGH_RISK_TOOLS = new Set([
     'export_memories',
     'detect_contradictions',
 ]);
+// Instruction-detector pattern groups that are WRITE-path concerns and over-fire
+// on legitimate tool OUTPUT (instructional docs telling the agent which tool to
+// call). Excluded from the read-path instruction signal; real injection groups
+// (system_prompt_marker, hidden_instruction, prompt_extraction, …) still apply.
+const READ_PATH_EXCLUDED_INSTRUCTION_PATTERNS = new Set(['imperative_tool_call']);
 // Tools that only return metadata/stats (not worth scanning)
 const METADATA_ONLY_TOOLS = new Set([
     'memory_stats',
@@ -90,6 +99,9 @@ export function scanToolResponse(toolName, content, mode) {
             summary: `Tool response from "${toolName}" skipped (too short)`,
             durationMs: Math.round(performance.now() - startTime),
             auditId: -1,
+            sanitisedContent: null,
+            blocked: false,
+            enforceActions: [],
         };
     }
     // 1. Injection scan (Iron Dome named patterns — drives the `injection` field
@@ -97,7 +109,17 @@ export function scanToolResponse(toolName, content, mode) {
     const injection = scanForInjection(content);
     // 2. Write-path detectors (parity). detectInstructions folds homoglyphs and
     //    scans in windows; detectEncoding decodes base64/hex/url blobs.
-    const instructions = detectInstructions(content);
+    //
+    //    FP reduction on the READ path: `imperative_tool_call` ("call the X tool")
+    //    exists to catch injected directives at WRITE time. On tool OUTPUT it is
+    //    legitimate instructional content (docs telling the agent which tool to
+    //    use), so we exclude it here. Real injection phrasing ("ignore previous
+    //    instructions", "you are now…") lives in the other groups + Iron Dome and
+    //    is unaffected. Decoded snippets (below) keep full detection — an encoded
+    //    imperative is inherently suspicious.
+    const instructionsRaw = detectInstructions(content);
+    const instructionPatterns = instructionsRaw.patterns.filter((p) => !READ_PATH_EXCLUDED_INSTRUCTION_PATTERNS.has(p));
+    const instructions = { detected: instructionPatterns.length > 0, patterns: instructionPatterns };
     const encoding = detectEncoding(content);
     // 2b. Decode-and-rescan: re-run instruction + credential detection on each
     //     decoded snippet so a BARE base64/hex blob that decodes to an injection
@@ -155,6 +177,31 @@ export function scanToolResponse(toolName, content, mode) {
         !markdownImage.detected &&
         !credentials.leaked;
     const durationMs = Math.round(performance.now() - startTime);
+    // 5b. Enforce action layer. Advisory mode only logs; enforce mode computes the
+    //     content the agent should ACTUALLY receive (block injection, redact
+    //     secrets, strip exfil links). Single source of truth in
+    //     neutraliseToolResponse — the scanner just feeds it the signals it found.
+    let sanitisedContent = null;
+    let blocked = false;
+    let enforceActions = [];
+    if (!clean && resolvedMode === 'enforce') {
+        const neutralisation = neutraliseToolResponse(content, {
+            injectionRisk: injection.riskLevel,
+            instructionsDetected: instructions.detected,
+            decodedInjection,
+            encodingDetected: encoding.detected,
+            markdownImageUrls: markdownImage.urls,
+            credentialsLeaked: credentials.leaked,
+            decodedCredentialLeak,
+        });
+        sanitisedContent = neutralisation.sanitised;
+        blocked = neutralisation.blocked;
+        enforceActions = neutralisation.actions;
+    }
+    // Truthful firewall_result: advisory only observes (ALLOW); enforce that
+    // withholds the whole payload is a BLOCK; enforce that surgically redacts but
+    // still delivers is a QUARANTINE.
+    const firewallResult = resolvedMode !== 'enforce' ? 'ALLOW' : blocked ? 'BLOCK' : 'QUARANTINE';
     // 6. Build summary
     let summary;
     if (clean) {
@@ -202,7 +249,7 @@ export function scanToolResponse(toolName, content, mode) {
                 source_identifier: toolName,
                 trust_score: 0.5,
                 sensitivity_level: (credentials.leaked || decodedCredentialLeak) ? 'CONFIDENTIAL' : 'PUBLIC',
-                firewall_result: resolvedMode === 'enforce' ? 'BLOCK' : 'ALLOW',
+                firewall_result: firewallResult,
                 anomaly_score: anomalyScore,
                 threat_indicators: JSON.stringify(threatIndicators),
                 blocked_patterns: JSON.stringify(blockedPatterns),
@@ -219,7 +266,7 @@ export function scanToolResponse(toolName, content, mode) {
             persistEvent('defence_event', {
                 source_type: 'tool_response',
                 source_identifier: toolName,
-                firewall_result: resolvedMode === 'enforce' ? 'BLOCK' : 'ALLOW',
+                firewall_result: firewallResult,
                 trust_score: 0.5,
                 anomaly_score: anomalyScore,
                 reason: summary,
@@ -241,5 +288,8 @@ export function scanToolResponse(toolName, content, mode) {
         summary,
         durationMs,
         auditId,
+        sanitisedContent,
+        blocked,
+        enforceActions,
     };
 }

package/dist/defence/trust/recall-filter.js

@@ -11,9 +11,13 @@ export function filterByTrust(results, minTrust, context) {
         // Filter below minimum trust
         if (score < minTrust)
             return false;
-        // CONFIDENTIAL: only include if context matches
+        // CONFIDENTIAL: context-scope only when the row actually DECLARES a
+        // context. metadata.context is not written on store today, so requiring
+        // equality dropped every CONFIDENTIAL (any email/phone-bearing) row from
+        // recall — silent amnesia. Drop only a declared-but-mismatched context.
         if (item.sensitivity_level === 'CONFIDENTIAL') {
-            if (!context || item.metadata?.context !== context)
+            const rowContext = item.metadata?.context;
+            if (rowContext != null && context != null && rowContext !== context)
                 return false;
         }
         return true;

package/dist/defence/trust/source-scorer.js

@@ -5,6 +5,11 @@ import { scoreAgent, buildAgentHierarchy } from './agent-scorer.js';
 const BASE_SCORES = {
     'user:direct': 1.0,
     'user:approved': 0.9,
+    // Bulk import (restore from a backup/JSON). The generic `file` type is 0.6,
+    // which sits inside the 0.5–0.7 auto-quarantine band and would quarantine
+    // every imported row. Pin below the band so a benign restore succeeds while
+    // imported file data stays scanned + low-trust until reviewed.
+    'file:import': 0.4,
 };
 const TYPE_SCORES = {
     user: 1.0,

package/dist/defence/types.d.ts

@@ -21,6 +21,15 @@ export interface ToolResponseScanResult {
     summary: string;
     durationMs: number;
     auditId: number;
+    /**
+     * Enforce-mode replacement content the agent should actually receive.
+     * `null` in advisory mode and whenever the response is clean (nothing to do).
+     */
+    sanitisedContent: string | null;
+    /** True when enforce mode withheld the whole payload (vs. surgically redacting). */
+    blocked: boolean;
+    /** Human-readable actions taken in enforce mode (empty otherwise). */
+    enforceActions: string[];
 }
 export interface FirewallAnalysis {
     result: FirewallResult;