shieldcortex 4.36.0 → 4.37.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--_JsmCyMaqewdhBNXZu1me--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"_JsmCyMaqewdhBNXZu1me\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--Xdk3QuQEKommHIbMSem56--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"Xdk3QuQEKommHIbMSem56\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/cloud/cli.js

@@ -1,4 +1,4 @@
-import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
+import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, getToolResponseScanConfig, setToolResponseScanConfig, } from './config.js';
 const VALID_RANKER_ENGINES = ['rrf', 'legacy'];
 import { syncAllGraphToCloud } from './graph-sync.js';
 import { syncAllMemoriesToCloud } from './memory-sync.js';
@@ -17,9 +17,11 @@ export function handleCloudConfig(args) {
         const openclawAutoMemory = getOpenClawAutoMemory();
         const ranker = getRankerConfig();
         const syncControls = getCloudSyncControls();
+        const toolFirewall = getToolResponseScanConfig();
         const rankerOverridden = !!process.env.SHIELDCORTEX_RANKER;
         console.log('\nShieldCortex Configuration:');
         console.log(`  Defence Mode: ${mode}`);
+        console.log(`  Tool-Output Firewall: ${toolFirewall.scanToolResponses ? toolFirewall.toolResponseMode : 'Off'}`);
         console.log(`  Cloud Enabled:  ${config.cloudEnabled ? 'Yes' : 'No'}`);
         console.log(`  API Key:  ${config.cloudApiKey ? config.cloudApiKey.substring(0, 12) + '...' : 'Not set'}`);
         console.log(`  Base URL: ${config.cloudBaseUrl}`);
@@ -188,6 +190,26 @@ export function handleCloudConfig(args) {
         console.log(`Proactive recall ${enabled ? 'enabled' : 'disabled'}.`);
         changed = true;
     }
+    if (args.includes('--tool-firewall-enforce')) {
+        setToolResponseScanConfig({ scanToolResponses: true, toolResponseMode: 'enforce' });
+        console.log('Tool-output firewall set to ENFORCE — threatening tool output will be redacted/withheld before the agent sees it.');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-advisory')) {
+        setToolResponseScanConfig({ scanToolResponses: true, toolResponseMode: 'advisory' });
+        console.log('Tool-output firewall set to ADVISORY — threats are logged but tool output is delivered intact (default).');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-off')) {
+        setToolResponseScanConfig({ scanToolResponses: false });
+        console.log('Tool-output firewall disabled — tool responses are no longer scanned.');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-on')) {
+        setToolResponseScanConfig({ scanToolResponses: true });
+        console.log('Tool-output firewall enabled (scanning on).');
+        changed = true;
+    }
     if (args.includes('--upsell-mute')) {
         setUpsellState({ proMuted: true });
         console.log('Pro upsell muted. Re-enable with --upsell-unmute.');
@@ -213,6 +235,9 @@ export function handleCloudConfig(args) {
         console.log('  --openclaw-auto-memory <true|false>  Extract memories from OpenClaw LLM output (default: off)');
         console.log('  --proactive-recall <true|false>  Inject SC memory into prompts (default: off — adds latency)');
         console.log('  --ranker <rrf|legacy>  Hybrid retrieval engine (default: rrf; SHIELDCORTEX_RANKER env overrides)');
+        console.log('  --tool-firewall-enforce   Redact/withhold threatening tool output before the agent sees it');
+        console.log('  --tool-firewall-advisory  Log tool-output threats but deliver intact (default)');
+        console.log('  --tool-firewall-off / --tool-firewall-on  Disable / enable tool-output scanning');
         console.log('  --restore-4.10-defaults  Restore pre-v4.11.0 defaults (recall on, strict interceptor, minimal preamble)');
         console.log('  --upsell-mute          Suppress the Pro upsell footer in doctor');
         console.log('  --upsell-unmute        Allow the Pro upsell footer to surface again');

package/dist/defence/firewall/markdown-image-detector.d.ts

@@ -32,3 +32,18 @@ export interface MarkdownImageExfilResult {
  * Scan content for markdown-image exfiltration links.
  */
 export declare function detectMarkdownImageExfil(content: string): MarkdownImageExfilResult;
+/** Replacement for a neutralised exfil image: a dead host carrying no data. */
+export declare const NEUTRALISED_IMAGE = "![redacted](https://blocked.invalid/shieldcortex-redacted)";
+/**
+ * Strip markdown-image exfiltration links from content for enforce mode.
+ *
+ * Re-runs the SAME regex + urlLooksLikeExfil predicate as detection and replaces
+ * each offending `![alt](url)` match WHOLE (alt dropped too — it can itself carry
+ * data). Splices by match offset, so it does not depend on substring equality
+ * with a previously-captured (truncated) URL and is unaffected by any other
+ * mutation applied to the content first. Benign images are left untouched.
+ */
+export declare function neutraliseMarkdownImageExfil(content: string): {
+    content: string;
+    stripped: number;
+};

package/dist/defence/firewall/markdown-image-detector.js

@@ -81,3 +81,33 @@ export function detectMarkdownImageExfil(content) {
         urls,
     };
 }
+/** Replacement for a neutralised exfil image: a dead host carrying no data. */
+export const NEUTRALISED_IMAGE = '![redacted](https://blocked.invalid/shieldcortex-redacted)';
+/**
+ * Strip markdown-image exfiltration links from content for enforce mode.
+ *
+ * Re-runs the SAME regex + urlLooksLikeExfil predicate as detection and replaces
+ * each offending `![alt](url)` match WHOLE (alt dropped too — it can itself carry
+ * data). Splices by match offset, so it does not depend on substring equality
+ * with a previously-captured (truncated) URL and is unaffected by any other
+ * mutation applied to the content first. Benign images are left untouched.
+ */
+export function neutraliseMarkdownImageExfil(content) {
+    const spans = [];
+    MARKDOWN_IMAGE_PATTERN.lastIndex = 0;
+    let match;
+    while ((match = MARKDOWN_IMAGE_PATTERN.exec(content)) !== null) {
+        if (urlLooksLikeExfil(match[1])) {
+            spans.push({ start: match.index, end: match.index + match[0].length });
+        }
+    }
+    if (spans.length === 0)
+        return { content, stripped: 0 };
+    // Splice from the end so earlier offsets stay valid.
+    let result = content;
+    for (let i = spans.length - 1; i >= 0; i--) {
+        const { start, end } = spans[i];
+        result = result.slice(0, start) + NEUTRALISED_IMAGE + result.slice(end);
+    }
+    return { content: result, stripped: spans.length };
+}

package/dist/defence/tool-response-enforce.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Tool-Response Enforce Layer
+ *
+ * Advisory mode only LOGS threats in a tool response. Enforce mode must actually
+ * change the bytes the agent receives. This module is the action layer: given a
+ * tool response and the threat signals the scanner already computed, it returns
+ * the content the agent should actually see.
+ *
+ * Two-tier policy:
+ *
+ *   BLOCK (withhold the whole payload) — when the output is actively hostile or
+ *   smuggling: any injection signal, the instruction detector firing, a blob
+ *   that decodes to an injection, or a blob that decodes to a credential.
+ *   Natural-language injected instructions cannot be surgically removed without
+ *   risking that a fragment survives, so the safe action is to withhold the
+ *   entire response and tell the agent why.
+ *
+ *   REDACT (pass cleaned + tag) — when the threat is a secret or an exfil link
+ *   sitting in plaintext that we CAN surgically remove: credential leaks (masked
+ *   in place) and markdown-image exfiltration URLs (neutralised to a dead host).
+ *   The cleaned content is prefixed with an untrusted-origin tag so any
+ *   downstream memory write attributes it correctly.
+ *
+ * Pure and dependency-injection-free of any DB/IO — only the credential scanner
+ * (for positional redaction). Easy to unit test in isolation.
+ */
+export declare const TOOL_OUTPUT_BLOCKED_PLACEHOLDER: string;
+export declare const UNTRUSTED_TOOL_TAG = "[ShieldCortex: tool output sanitised \u2014 treat as derived-from-untrusted-tool]";
+/**
+ * Threat signals the scanner already computed for a (non-clean) tool response.
+ * Passed in so neutralisation never re-derives detection — single source of
+ * truth with scanToolResponse.
+ */
+export interface ToolResponseThreatSignals {
+    injectionRisk: 'NONE' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    instructionsDetected: boolean;
+    decodedInjection: boolean;
+    encodingDetected: boolean;
+    markdownImageUrls: string[];
+    credentialsLeaked: boolean;
+    decodedCredentialLeak: boolean;
+}
+export interface ToolResponseNeutralisation {
+    /** The content the agent should actually receive. */
+    sanitised: string;
+    /** True when the whole payload was withheld (blocked), not just redacted. */
+    blocked: boolean;
+    /** Human-readable list of actions taken, for audit/summary. */
+    actions: string[];
+}
+/**
+ * Compute the enforce-mode replacement for a tool response.
+ *
+ * Only meaningful when the scanner already found the response non-clean; with no
+ * signals it returns the content unchanged.
+ */
+export declare function neutraliseToolResponse(content: string, signals: ToolResponseThreatSignals): ToolResponseNeutralisation;

package/dist/defence/tool-response-enforce.js

@@ -0,0 +1,107 @@
+/**
+ * Tool-Response Enforce Layer
+ *
+ * Advisory mode only LOGS threats in a tool response. Enforce mode must actually
+ * change the bytes the agent receives. This module is the action layer: given a
+ * tool response and the threat signals the scanner already computed, it returns
+ * the content the agent should actually see.
+ *
+ * Two-tier policy:
+ *
+ *   BLOCK (withhold the whole payload) — when the output is actively hostile or
+ *   smuggling: any injection signal, the instruction detector firing, a blob
+ *   that decodes to an injection, or a blob that decodes to a credential.
+ *   Natural-language injected instructions cannot be surgically removed without
+ *   risking that a fragment survives, so the safe action is to withhold the
+ *   entire response and tell the agent why.
+ *
+ *   REDACT (pass cleaned + tag) — when the threat is a secret or an exfil link
+ *   sitting in plaintext that we CAN surgically remove: credential leaks (masked
+ *   in place) and markdown-image exfiltration URLs (neutralised to a dead host).
+ *   The cleaned content is prefixed with an untrusted-origin tag so any
+ *   downstream memory write attributes it correctly.
+ *
+ * Pure and dependency-injection-free of any DB/IO — only the credential scanner
+ * (for positional redaction). Easy to unit test in isolation.
+ */
+import { scanForCredentials } from './credential-leak/index.js';
+import { neutraliseMarkdownImageExfil } from './firewall/markdown-image-detector.js';
+export const TOOL_OUTPUT_BLOCKED_PLACEHOLDER = '[ShieldCortex] Tool output withheld in enforce mode — prompt-injection / data-smuggling detected. ' +
+    'The original response was blocked to protect the agent. Review the ShieldCortex audit log for details.';
+export const UNTRUSTED_TOOL_TAG = '[ShieldCortex: tool output sanitised — treat as derived-from-untrusted-tool]';
+function hasAnySignal(s) {
+    return (s.injectionRisk !== 'NONE' ||
+        s.instructionsDetected ||
+        s.decodedInjection ||
+        s.encodingDetected ||
+        s.markdownImageUrls.length > 0 ||
+        s.credentialsLeaked ||
+        s.decodedCredentialLeak);
+}
+/** Output is actively hostile / smuggling — withhold the whole payload. */
+function shouldBlock(s) {
+    return (s.injectionRisk !== 'NONE' ||
+        s.instructionsDetected ||
+        s.decodedInjection ||
+        s.decodedCredentialLeak);
+}
+/**
+ * Compute the enforce-mode replacement for a tool response.
+ *
+ * Only meaningful when the scanner already found the response non-clean; with no
+ * signals it returns the content unchanged.
+ */
+export function neutraliseToolResponse(content, signals) {
+    if (!hasAnySignal(signals)) {
+        return { sanitised: content, blocked: false, actions: [] };
+    }
+    if (shouldBlock(signals)) {
+        const actions = [];
+        if (signals.injectionRisk !== 'NONE') {
+            actions.push(`blocked: prompt-injection (${signals.injectionRisk.toLowerCase()})`);
+        }
+        else if (signals.instructionsDetected) {
+            // No high-confidence Iron Dome hit — be honest that this is the heuristic
+            // instruction detector, not a graded injection (don't say "injection (none)").
+            actions.push('blocked: suspicious-instruction pattern (heuristic)');
+        }
+        if (signals.decodedInjection)
+            actions.push('blocked: encoded payload decoded to injection');
+        if (signals.decodedCredentialLeak)
+            actions.push('blocked: encoded payload decoded to credential');
+        return { sanitised: TOOL_OUTPUT_BLOCKED_PLACEHOLDER, blocked: true, actions };
+    }
+    // Redact path: surgically clean a payload that merely contains secrets / exfil
+    // links in plaintext. The untrusted-origin tag is NOT embedded here — callers
+    // convey it out-of-band so redacted structured output (JSON/CSV) stays parseable.
+    const actions = [];
+    let working = content;
+    // Markdown-image exfil FIRST, before any other mutation. Uses a full-match
+    // regex over the content (not substring equality with a pre-captured, possibly
+    // truncated URL), so credential redaction reordering and >200-char URLs can't
+    // defeat it. If the scanner flagged exfil images but none could be located
+    // here, fail SAFE: withhold the whole payload rather than deliver it.
+    if (signals.markdownImageUrls.length > 0) {
+        const { content: stripped, stripped: count } = neutraliseMarkdownImageExfil(working);
+        if (count === 0) {
+            return {
+                sanitised: TOOL_OUTPUT_BLOCKED_PLACEHOLDER,
+                blocked: true,
+                actions: ['blocked: flagged markdown-image exfil could not be neutralised (fail-safe)'],
+            };
+        }
+        working = stripped;
+        actions.push(`stripped ${count} markdown-image exfil URL(s)`);
+    }
+    if (signals.credentialsLeaked) {
+        const cred = scanForCredentials(working);
+        if (cred.leaked && cred.redactedContent) {
+            working = cred.redactedContent;
+            actions.push(`redacted ${cred.findings.length} credential(s)`);
+        }
+    }
+    if (signals.encodingDetected) {
+        actions.push('flagged obfuscated/encoded content (passed through)');
+    }
+    return { sanitised: working, blocked: false, actions };
+}

package/dist/defence/tool-response-scanner.d.ts

@@ -17,9 +17,12 @@
  * It deliberately does NOT pull in the write-path's trust scoring, anomaly,
  * privilege, fragmentation or sensitivity layers — those are write concerns.
  *
- * Advisory by default: logs threats but never blocks tool responses. Only the
- * audit/event firewall_result reflects enforce mode; the scan itself never hard
- * blocks tool execution.
+ * Advisory by default: logs threats but leaves the response untouched. In
+ * enforce mode the scanner additionally computes `sanitisedContent` — the bytes
+ * the agent should actually receive (injection withheld, secrets redacted, exfil
+ * links stripped) — via the neutraliseToolResponse action layer. Callers
+ * (withResponseScan, the scan_tool_response tool) swap in sanitisedContent when
+ * present; the scanner never blocks tool EXECUTION, only the threatening output.
  */
 import type { ToolResponseScanResult } from './types.js';
 /**

package/dist/defence/tool-response-scanner.js

@@ -17,15 +17,19 @@
  * It deliberately does NOT pull in the write-path's trust scoring, anomaly,
  * privilege, fragmentation or sensitivity layers — those are write concerns.
  *
- * Advisory by default: logs threats but never blocks tool responses. Only the
- * audit/event firewall_result reflects enforce mode; the scan itself never hard
- * blocks tool execution.
+ * Advisory by default: logs threats but leaves the response untouched. In
+ * enforce mode the scanner additionally computes `sanitisedContent` — the bytes
+ * the agent should actually receive (injection withheld, secrets redacted, exfil
+ * links stripped) — via the neutraliseToolResponse action layer. Callers
+ * (withResponseScan, the scan_tool_response tool) swap in sanitisedContent when
+ * present; the scanner never blocks tool EXECUTION, only the threatening output.
  */
 import { scanForInjection } from './iron-dome/injection-scanner.js';
 import { scanForCredentials } from './credential-leak/index.js';
 import { detectInstructions } from './firewall/instruction-detector.js';
 import { detectEncoding } from './firewall/encoding-detector.js';
 import { detectMarkdownImageExfil } from './firewall/markdown-image-detector.js';
+import { neutraliseToolResponse } from './tool-response-enforce.js';
 import { logAudit } from './audit/logger.js';
 import { isDatabaseInitialized } from '../database/init.js';
 import { getToolResponseScanConfig } from '../cloud/config.js';
@@ -48,6 +52,11 @@ const HIGH_RISK_TOOLS = new Set([
     'export_memories',
     'detect_contradictions',
 ]);
+// Instruction-detector pattern groups that are WRITE-path concerns and over-fire
+// on legitimate tool OUTPUT (instructional docs telling the agent which tool to
+// call). Excluded from the read-path instruction signal; real injection groups
+// (system_prompt_marker, hidden_instruction, prompt_extraction, …) still apply.
+const READ_PATH_EXCLUDED_INSTRUCTION_PATTERNS = new Set(['imperative_tool_call']);
 // Tools that only return metadata/stats (not worth scanning)
 const METADATA_ONLY_TOOLS = new Set([
     'memory_stats',
@@ -90,6 +99,9 @@ export function scanToolResponse(toolName, content, mode) {
             summary: `Tool response from "${toolName}" skipped (too short)`,
             durationMs: Math.round(performance.now() - startTime),
             auditId: -1,
+            sanitisedContent: null,
+            blocked: false,
+            enforceActions: [],
         };
     }
     // 1. Injection scan (Iron Dome named patterns — drives the `injection` field
@@ -97,7 +109,17 @@ export function scanToolResponse(toolName, content, mode) {
     const injection = scanForInjection(content);
     // 2. Write-path detectors (parity). detectInstructions folds homoglyphs and
     //    scans in windows; detectEncoding decodes base64/hex/url blobs.
-    const instructions = detectInstructions(content);
+    //
+    //    FP reduction on the READ path: `imperative_tool_call` ("call the X tool")
+    //    exists to catch injected directives at WRITE time. On tool OUTPUT it is
+    //    legitimate instructional content (docs telling the agent which tool to
+    //    use), so we exclude it here. Real injection phrasing ("ignore previous
+    //    instructions", "you are now…") lives in the other groups + Iron Dome and
+    //    is unaffected. Decoded snippets (below) keep full detection — an encoded
+    //    imperative is inherently suspicious.
+    const instructionsRaw = detectInstructions(content);
+    const instructionPatterns = instructionsRaw.patterns.filter((p) => !READ_PATH_EXCLUDED_INSTRUCTION_PATTERNS.has(p));
+    const instructions = { detected: instructionPatterns.length > 0, patterns: instructionPatterns };
     const encoding = detectEncoding(content);
     // 2b. Decode-and-rescan: re-run instruction + credential detection on each
     //     decoded snippet so a BARE base64/hex blob that decodes to an injection
@@ -155,6 +177,31 @@ export function scanToolResponse(toolName, content, mode) {
         !markdownImage.detected &&
         !credentials.leaked;
     const durationMs = Math.round(performance.now() - startTime);
+    // 5b. Enforce action layer. Advisory mode only logs; enforce mode computes the
+    //     content the agent should ACTUALLY receive (block injection, redact
+    //     secrets, strip exfil links). Single source of truth in
+    //     neutraliseToolResponse — the scanner just feeds it the signals it found.
+    let sanitisedContent = null;
+    let blocked = false;
+    let enforceActions = [];
+    if (!clean && resolvedMode === 'enforce') {
+        const neutralisation = neutraliseToolResponse(content, {
+            injectionRisk: injection.riskLevel,
+            instructionsDetected: instructions.detected,
+            decodedInjection,
+            encodingDetected: encoding.detected,
+            markdownImageUrls: markdownImage.urls,
+            credentialsLeaked: credentials.leaked,
+            decodedCredentialLeak,
+        });
+        sanitisedContent = neutralisation.sanitised;
+        blocked = neutralisation.blocked;
+        enforceActions = neutralisation.actions;
+    }
+    // Truthful firewall_result: advisory only observes (ALLOW); enforce that
+    // withholds the whole payload is a BLOCK; enforce that surgically redacts but
+    // still delivers is a QUARANTINE.
+    const firewallResult = resolvedMode !== 'enforce' ? 'ALLOW' : blocked ? 'BLOCK' : 'QUARANTINE';
     // 6. Build summary
     let summary;
     if (clean) {
@@ -202,7 +249,7 @@ export function scanToolResponse(toolName, content, mode) {
                 source_identifier: toolName,
                 trust_score: 0.5,
                 sensitivity_level: (credentials.leaked || decodedCredentialLeak) ? 'CONFIDENTIAL' : 'PUBLIC',
-                firewall_result: resolvedMode === 'enforce' ? 'BLOCK' : 'ALLOW',
+                firewall_result: firewallResult,
                 anomaly_score: anomalyScore,
                 threat_indicators: JSON.stringify(threatIndicators),
                 blocked_patterns: JSON.stringify(blockedPatterns),
@@ -219,7 +266,7 @@ export function scanToolResponse(toolName, content, mode) {
             persistEvent('defence_event', {
                 source_type: 'tool_response',
                 source_identifier: toolName,
-                firewall_result: resolvedMode === 'enforce' ? 'BLOCK' : 'ALLOW',
+                firewall_result: firewallResult,
                 trust_score: 0.5,
                 anomaly_score: anomalyScore,
                 reason: summary,
@@ -241,5 +288,8 @@ export function scanToolResponse(toolName, content, mode) {
         summary,
         durationMs,
         auditId,
+        sanitisedContent,
+        blocked,
+        enforceActions,
     };
 }

package/dist/defence/types.d.ts

@@ -21,6 +21,15 @@ export interface ToolResponseScanResult {
     summary: string;
     durationMs: number;
     auditId: number;
+    /**
+     * Enforce-mode replacement content the agent should actually receive.
+     * `null` in advisory mode and whenever the response is clean (nothing to do).
+     */
+    sanitisedContent: string | null;
+    /** True when enforce mode withheld the whole payload (vs. surgically redacting). */
+    blocked: boolean;
+    /** Human-readable actions taken in enforce mode (empty otherwise). */
+    enforceActions: string[];
 }
 export interface FirewallAnalysis {
     result: FirewallResult;

package/dist/server.d.ts

@@ -5,6 +5,12 @@
  * Solves context compaction and memory persistence issues.
  */
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+/**
+ * Wrap an MCP tool handler to scan its response for threats.
+ * Advisory mode: appends a warning but never blocks.
+ * Enforce mode: can redact credential leaks.
+ */
+export declare function withResponseScan(toolName: string, handler: (...args: any[]) => any): (...args: any[]) => any;
 /**
  * Check text for kill phrase and trigger kill switch if detected.
  * Returns true if kill switch was activated.

package/dist/server.js

@@ -24,6 +24,7 @@ import { queryAuditLogs, getAuditStats, getLifetimeStats } from './defence/audit
 import { scanExistingMemories } from './defence/scanner/index.js';
 import { resolveToolSource as resolveToolSourceImpl } from './defence/trust/resolve-tool-source.js';
 import { scanToolResponse, shouldScanToolResponse } from './defence/tool-response-scanner.js';
+import { UNTRUSTED_TOOL_TAG } from './defence/tool-response-enforce.js';
 import { getToolResponseScanConfig } from './cloud/config.js';
 import { checkKillPhrase } from './defence/iron-dome/index.js';
 import { isKillSwitchActive, getKillSwitchMeta, assertOperationAllowed, activateKillSwitch, deactivateKillSwitch, KillSwitchError, } from './api/control.js';
@@ -45,7 +46,7 @@ const sourceParam = z.object({
  * Enforce mode: can redact credential leaks.
  */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-function withResponseScan(toolName, handler) {
+export function withResponseScan(toolName, handler) {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     return async (...handlerArgs) => {
         const result = await handler(...handlerArgs);
@@ -61,8 +62,35 @@ function withResponseScan(toolName, handler) {
         const scan = scanToolResponse(toolName, textContent, config.toolResponseMode);
         if (scan.clean)
             return result;
-        // Append warning to the response
+        // Enforce mode: swap the threatening text for the sanitised payload the
+        // scanner produced (injection withheld, secrets redacted, exfil stripped).
+        // Non-text blocks (e.g. images) are preserved. Advisory mode keeps the
+        // observe-only behaviour: leave the response intact, append a warning.
+        if (scan.mode === 'enforce' && scan.sanitisedContent !== null) {
+            const nonText = result.content.filter((c) => c.type !== 'text');
+            if (scan.blocked) {
+                // Whole payload withheld → surface as a tool error so the agent can tell
+                // "withheld by firewall" apart from "no results / empty".
+                return {
+                    ...result,
+                    content: [...nonText, { type: 'text', text: scan.sanitisedContent }],
+                    isError: true,
+                };
+            }
+            // Redacted-and-delivered → cleaned payload + the untrusted-origin tag in a
+            // SEPARATE block, so redacted structured output (JSON/CSV) stays parseable.
+            return {
+                ...result,
+                content: [
+                    ...nonText,
+                    { type: 'text', text: scan.sanitisedContent },
+                    { type: 'text', text: UNTRUSTED_TOOL_TAG },
+                ],
+            };
+        }
+        // Advisory: append warning to the response.
         return {
+            ...result,
             content: [
                 ...result.content,
                 {
@@ -688,6 +716,28 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (scan.auditId > 0) {
             lines.push(`**Audit ID:** ${scan.auditId}`);
         }
+        // Enforce mode produced an actioned payload — surface it so callers using
+        // this tool as a programmatic firewall receive the safe content, not just
+        // a verdict. Advisory scans leave sanitisedContent null (verdict only).
+        if (scan.sanitisedContent !== null) {
+            lines.push('');
+            lines.push(`### Enforcement (${scan.blocked ? 'BLOCKED' : 'REDACTED'})`);
+            for (const action of scan.enforceActions) {
+                lines.push(`- ${action}`);
+            }
+            if (!scan.blocked) {
+                lines.push(`- origin: ${UNTRUSTED_TOOL_TAG}`);
+            }
+            lines.push('');
+            lines.push('**Sanitised content (deliver this instead):**');
+            // Dynamic fence longer than any backtick run in the content, so content
+            // containing ``` cannot break out of the code block.
+            const longestRun = Math.max(0, ...(scan.sanitisedContent.match(/`+/g) || []).map((s) => s.length));
+            const fence = '`'.repeat(Math.max(3, longestRun + 1));
+            lines.push(fence);
+            lines.push(scan.sanitisedContent);
+            lines.push(fence);
+        }
         lines.push('');
         lines.push(scan.summary);
         return { content: [{ type: 'text', text: lines.join('\n') }] };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shieldcortex",
-  "version": "4.36.0",
+  "version": "4.37.0",
   "description": "Trustworthy memory and security for AI agents. Recall debugging, review queue, OpenClaw session capture, and memory poisoning defence for Claude Code, Codex, OpenClaw, LangChain, and MCP agents.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",