shieldcortex 4.36.0 → 4.38.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--_JsmCyMaqewdhBNXZu1me--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"_JsmCyMaqewdhBNXZu1me\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--PR51g0pS7Wp0zLzu2q6mQ--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"PR51g0pS7Wp0zLzu2q6mQ\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/cloud/cli.js

@@ -1,4 +1,4 @@
-import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, } from './config.js';
+import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, getToolResponseScanConfig, setToolResponseScanConfig, } from './config.js';
 const VALID_RANKER_ENGINES = ['rrf', 'legacy'];
 import { syncAllGraphToCloud } from './graph-sync.js';
 import { syncAllMemoriesToCloud } from './memory-sync.js';
@@ -17,9 +17,11 @@ export function handleCloudConfig(args) {
         const openclawAutoMemory = getOpenClawAutoMemory();
         const ranker = getRankerConfig();
         const syncControls = getCloudSyncControls();
+        const toolFirewall = getToolResponseScanConfig();
         const rankerOverridden = !!process.env.SHIELDCORTEX_RANKER;
         console.log('\nShieldCortex Configuration:');
         console.log(`  Defence Mode: ${mode}`);
+        console.log(`  Tool-Output Firewall: ${toolFirewall.scanToolResponses ? toolFirewall.toolResponseMode : 'Off'}`);
         console.log(`  Cloud Enabled:  ${config.cloudEnabled ? 'Yes' : 'No'}`);
         console.log(`  API Key:  ${config.cloudApiKey ? config.cloudApiKey.substring(0, 12) + '...' : 'Not set'}`);
         console.log(`  Base URL: ${config.cloudBaseUrl}`);
@@ -188,6 +190,26 @@ export function handleCloudConfig(args) {
         console.log(`Proactive recall ${enabled ? 'enabled' : 'disabled'}.`);
         changed = true;
     }
+    if (args.includes('--tool-firewall-enforce')) {
+        setToolResponseScanConfig({ scanToolResponses: true, toolResponseMode: 'enforce' });
+        console.log('Tool-output firewall set to ENFORCE — threatening tool output will be redacted/withheld before the agent sees it.');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-advisory')) {
+        setToolResponseScanConfig({ scanToolResponses: true, toolResponseMode: 'advisory' });
+        console.log('Tool-output firewall set to ADVISORY — threats are logged but tool output is delivered intact (default).');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-off')) {
+        setToolResponseScanConfig({ scanToolResponses: false });
+        console.log('Tool-output firewall disabled — tool responses are no longer scanned.');
+        changed = true;
+    }
+    if (args.includes('--tool-firewall-on')) {
+        setToolResponseScanConfig({ scanToolResponses: true });
+        console.log('Tool-output firewall enabled (scanning on).');
+        changed = true;
+    }
     if (args.includes('--upsell-mute')) {
         setUpsellState({ proMuted: true });
         console.log('Pro upsell muted. Re-enable with --upsell-unmute.');
@@ -213,6 +235,9 @@ export function handleCloudConfig(args) {
         console.log('  --openclaw-auto-memory <true|false>  Extract memories from OpenClaw LLM output (default: off)');
         console.log('  --proactive-recall <true|false>  Inject SC memory into prompts (default: off — adds latency)');
         console.log('  --ranker <rrf|legacy>  Hybrid retrieval engine (default: rrf; SHIELDCORTEX_RANKER env overrides)');
+        console.log('  --tool-firewall-enforce   Redact/withhold threatening tool output before the agent sees it');
+        console.log('  --tool-firewall-advisory  Log tool-output threats but deliver intact (default)');
+        console.log('  --tool-firewall-off / --tool-firewall-on  Disable / enable tool-output scanning');
         console.log('  --restore-4.10-defaults  Restore pre-v4.11.0 defaults (recall on, strict interceptor, minimal preamble)');
         console.log('  --upsell-mute          Suppress the Pro upsell footer in doctor');
         console.log('  --upsell-unmute        Allow the Pro upsell footer to surface again');

package/dist/defence/firewall/markdown-image-detector.d.ts

@@ -32,3 +32,18 @@ export interface MarkdownImageExfilResult {
  * Scan content for markdown-image exfiltration links.
  */
 export declare function detectMarkdownImageExfil(content: string): MarkdownImageExfilResult;
+/** Replacement for a neutralised exfil image: a dead host carrying no data. */
+export declare const NEUTRALISED_IMAGE = "![redacted](https://blocked.invalid/shieldcortex-redacted)";
+/**
+ * Strip markdown-image exfiltration links from content for enforce mode.
+ *
+ * Re-runs the SAME regex + urlLooksLikeExfil predicate as detection and replaces
+ * each offending `![alt](url)` match WHOLE (alt dropped too — it can itself carry
+ * data). Splices by match offset, so it does not depend on substring equality
+ * with a previously-captured (truncated) URL and is unaffected by any other
+ * mutation applied to the content first. Benign images are left untouched.
+ */
+export declare function neutraliseMarkdownImageExfil(content: string): {
+    content: string;
+    stripped: number;
+};

package/dist/defence/firewall/markdown-image-detector.js

@@ -81,3 +81,33 @@ export function detectMarkdownImageExfil(content) {
         urls,
     };
 }
+/** Replacement for a neutralised exfil image: a dead host carrying no data. */
+export const NEUTRALISED_IMAGE = '![redacted](https://blocked.invalid/shieldcortex-redacted)';
+/**
+ * Strip markdown-image exfiltration links from content for enforce mode.
+ *
+ * Re-runs the SAME regex + urlLooksLikeExfil predicate as detection and replaces
+ * each offending `![alt](url)` match WHOLE (alt dropped too — it can itself carry
+ * data). Splices by match offset, so it does not depend on substring equality
+ * with a previously-captured (truncated) URL and is unaffected by any other
+ * mutation applied to the content first. Benign images are left untouched.
+ */
+export function neutraliseMarkdownImageExfil(content) {
+    const spans = [];
+    MARKDOWN_IMAGE_PATTERN.lastIndex = 0;
+    let match;
+    while ((match = MARKDOWN_IMAGE_PATTERN.exec(content)) !== null) {
+        if (urlLooksLikeExfil(match[1])) {
+            spans.push({ start: match.index, end: match.index + match[0].length });
+        }
+    }
+    if (spans.length === 0)
+        return { content, stripped: 0 };
+    // Splice from the end so earlier offsets stay valid.
+    let result = content;
+    for (let i = spans.length - 1; i >= 0; i--) {
+        const { start, end } = spans[i];
+        result = result.slice(0, start) + NEUTRALISED_IMAGE + result.slice(end);
+    }
+    return { content: result, stripped: spans.length };
+}

package/dist/defence/tool-response-enforce.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Tool-Response Enforce Layer
+ *
+ * Advisory mode only LOGS threats in a tool response. Enforce mode must actually
+ * change the bytes the agent receives. This module is the action layer: given a
+ * tool response and the threat signals the scanner already computed, it returns
+ * the content the agent should actually see.
+ *
+ * Two-tier policy:
+ *
+ *   BLOCK (withhold the whole payload) — when the output is actively hostile or
+ *   smuggling: any injection signal, the instruction detector firing, a blob
+ *   that decodes to an injection, or a blob that decodes to a credential.
+ *   Natural-language injected instructions cannot be surgically removed without
+ *   risking that a fragment survives, so the safe action is to withhold the
+ *   entire response and tell the agent why.
+ *
+ *   REDACT (pass cleaned + tag) — when the threat is a secret or an exfil link
+ *   sitting in plaintext that we CAN surgically remove: credential leaks (masked
+ *   in place) and markdown-image exfiltration URLs (neutralised to a dead host).
+ *   The cleaned content is prefixed with an untrusted-origin tag so any
+ *   downstream memory write attributes it correctly.
+ *
+ * Pure and dependency-injection-free of any DB/IO — only the credential scanner
+ * (for positional redaction). Easy to unit test in isolation.
+ */
+export declare const TOOL_OUTPUT_BLOCKED_PLACEHOLDER: string;
+export declare const UNTRUSTED_TOOL_TAG = "[ShieldCortex: tool output sanitised \u2014 treat as derived-from-untrusted-tool]";
+/**
+ * Threat signals the scanner already computed for a (non-clean) tool response.
+ * Passed in so neutralisation never re-derives detection — single source of
+ * truth with scanToolResponse.
+ */
+export interface ToolResponseThreatSignals {
+    injectionRisk: 'NONE' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    instructionsDetected: boolean;
+    decodedInjection: boolean;
+    encodingDetected: boolean;
+    markdownImageUrls: string[];
+    credentialsLeaked: boolean;
+    decodedCredentialLeak: boolean;
+}
+export interface ToolResponseNeutralisation {
+    /** The content the agent should actually receive. */
+    sanitised: string;
+    /** True when the whole payload was withheld (blocked), not just redacted. */
+    blocked: boolean;
+    /** Human-readable list of actions taken, for audit/summary. */
+    actions: string[];
+}
+/**
+ * Compute the enforce-mode replacement for a tool response.
+ *
+ * Only meaningful when the scanner already found the response non-clean; with no
+ * signals it returns the content unchanged.
+ */
+export declare function neutraliseToolResponse(content: string, signals: ToolResponseThreatSignals): ToolResponseNeutralisation;

package/dist/defence/tool-response-enforce.js

@@ -0,0 +1,107 @@
+/**
+ * Tool-Response Enforce Layer
+ *
+ * Advisory mode only LOGS threats in a tool response. Enforce mode must actually
+ * change the bytes the agent receives. This module is the action layer: given a
+ * tool response and the threat signals the scanner already computed, it returns
+ * the content the agent should actually see.
+ *
+ * Two-tier policy:
+ *
+ *   BLOCK (withhold the whole payload) — when the output is actively hostile or
+ *   smuggling: any injection signal, the instruction detector firing, a blob
+ *   that decodes to an injection, or a blob that decodes to a credential.
+ *   Natural-language injected instructions cannot be surgically removed without
+ *   risking that a fragment survives, so the safe action is to withhold the
+ *   entire response and tell the agent why.
+ *
+ *   REDACT (pass cleaned + tag) — when the threat is a secret or an exfil link
+ *   sitting in plaintext that we CAN surgically remove: credential leaks (masked
+ *   in place) and markdown-image exfiltration URLs (neutralised to a dead host).
+ *   The cleaned content is prefixed with an untrusted-origin tag so any
+ *   downstream memory write attributes it correctly.
+ *
+ * Pure and dependency-injection-free of any DB/IO — only the credential scanner
+ * (for positional redaction). Easy to unit test in isolation.
+ */
+import { scanForCredentials } from './credential-leak/index.js';
+import { neutraliseMarkdownImageExfil } from './firewall/markdown-image-detector.js';
+export const TOOL_OUTPUT_BLOCKED_PLACEHOLDER = '[ShieldCortex] Tool output withheld in enforce mode — prompt-injection / data-smuggling detected. ' +
+    'The original response was blocked to protect the agent. Review the ShieldCortex audit log for details.';
+export const UNTRUSTED_TOOL_TAG = '[ShieldCortex: tool output sanitised — treat as derived-from-untrusted-tool]';
+function hasAnySignal(s) {
+    return (s.injectionRisk !== 'NONE' ||
+        s.instructionsDetected ||
+        s.decodedInjection ||
+        s.encodingDetected ||
+        s.markdownImageUrls.length > 0 ||
+        s.credentialsLeaked ||
+        s.decodedCredentialLeak);
+}
+/** Output is actively hostile / smuggling — withhold the whole payload. */
+function shouldBlock(s) {
+    return (s.injectionRisk !== 'NONE' ||
+        s.instructionsDetected ||
+        s.decodedInjection ||
+        s.decodedCredentialLeak);
+}
+/**
+ * Compute the enforce-mode replacement for a tool response.
+ *
+ * Only meaningful when the scanner already found the response non-clean; with no
+ * signals it returns the content unchanged.
+ */
+export function neutraliseToolResponse(content, signals) {
+    if (!hasAnySignal(signals)) {
+        return { sanitised: content, blocked: false, actions: [] };
+    }
+    if (shouldBlock(signals)) {
+        const actions = [];
+        if (signals.injectionRisk !== 'NONE') {
+            actions.push(`blocked: prompt-injection (${signals.injectionRisk.toLowerCase()})`);
+        }
+        else if (signals.instructionsDetected) {
+            // No high-confidence Iron Dome hit — be honest that this is the heuristic
+            // instruction detector, not a graded injection (don't say "injection (none)").
+            actions.push('blocked: suspicious-instruction pattern (heuristic)');
+        }
+        if (signals.decodedInjection)
+            actions.push('blocked: encoded payload decoded to injection');
+        if (signals.decodedCredentialLeak)
+            actions.push('blocked: encoded payload decoded to credential');
+        return { sanitised: TOOL_OUTPUT_BLOCKED_PLACEHOLDER, blocked: true, actions };
+    }
+    // Redact path: surgically clean a payload that merely contains secrets / exfil
+    // links in plaintext. The untrusted-origin tag is NOT embedded here — callers
+    // convey it out-of-band so redacted structured output (JSON/CSV) stays parseable.
+    const actions = [];
+    let working = content;
+    // Markdown-image exfil FIRST, before any other mutation. Uses a full-match
+    // regex over the content (not substring equality with a pre-captured, possibly
+    // truncated URL), so credential redaction reordering and >200-char URLs can't
+    // defeat it. If the scanner flagged exfil images but none could be located
+    // here, fail SAFE: withhold the whole payload rather than deliver it.
+    if (signals.markdownImageUrls.length > 0) {
+        const { content: stripped, stripped: count } = neutraliseMarkdownImageExfil(working);
+        if (count === 0) {
+            return {
+                sanitised: TOOL_OUTPUT_BLOCKED_PLACEHOLDER,
+                blocked: true,
+                actions: ['blocked: flagged markdown-image exfil could not be neutralised (fail-safe)'],
+            };
+        }
+        working = stripped;
+        actions.push(`stripped ${count} markdown-image exfil URL(s)`);
+    }
+    if (signals.credentialsLeaked) {
+        const cred = scanForCredentials(working);
+        if (cred.leaked && cred.redactedContent) {
+            working = cred.redactedContent;
+            actions.push(`redacted ${cred.findings.length} credential(s)`);
+        }
+    }
+    if (signals.encodingDetected) {
+        actions.push('flagged obfuscated/encoded content (passed through)');
+    }
+    return { sanitised: working, blocked: false, actions };
+}

package/dist/defence/tool-response-scanner.d.ts

@@ -17,9 +17,12 @@
  * It deliberately does NOT pull in the write-path's trust scoring, anomaly,
  * privilege, fragmentation or sensitivity layers — those are write concerns.
  *
- * Advisory by default: logs threats but never blocks tool responses. Only the
- * audit/event firewall_result reflects enforce mode; the scan itself never hard
- * blocks tool execution.
+ * Advisory by default: logs threats but leaves the response untouched. In
+ * enforce mode the scanner additionally computes `sanitisedContent` — the bytes
+ * the agent should actually receive (injection withheld, secrets redacted, exfil
+ * links stripped) — via the neutraliseToolResponse action layer. Callers
+ * (withResponseScan, the scan_tool_response tool) swap in sanitisedContent when
+ * present; the scanner never blocks tool EXECUTION, only the threatening output.
  */
 import type { ToolResponseScanResult } from './types.js';
 /**

package/dist/defence/tool-response-scanner.js

@@ -17,15 +17,19 @@
  * It deliberately does NOT pull in the write-path's trust scoring, anomaly,
  * privilege, fragmentation or sensitivity layers — those are write concerns.
  *
- * Advisory by default: logs threats but never blocks tool responses. Only the
- * audit/event firewall_result reflects enforce mode; the scan itself never hard
- * blocks tool execution.
+ * Advisory by default: logs threats but leaves the response untouched. In
+ * enforce mode the scanner additionally computes `sanitisedContent` — the bytes
+ * the agent should actually receive (injection withheld, secrets redacted, exfil
+ * links stripped) — via the neutraliseToolResponse action layer. Callers
+ * (withResponseScan, the scan_tool_response tool) swap in sanitisedContent when
+ * present; the scanner never blocks tool EXECUTION, only the threatening output.
  */
 import { scanForInjection } from './iron-dome/injection-scanner.js';
 import { scanForCredentials } from './credential-leak/index.js';
 import { detectInstructions } from './firewall/instruction-detector.js';
 import { detectEncoding } from './firewall/encoding-detector.js';
 import { detectMarkdownImageExfil } from './firewall/markdown-image-detector.js';
+import { neutraliseToolResponse } from './tool-response-enforce.js';
 import { logAudit } from './audit/logger.js';
 import { isDatabaseInitialized } from '../database/init.js';
 import { getToolResponseScanConfig } from '../cloud/config.js';
@@ -48,6 +52,11 @@ const HIGH_RISK_TOOLS = new Set([
     'export_memories',
     'detect_contradictions',
 ]);
+// Instruction-detector pattern groups that are WRITE-path concerns and over-fire
+// on legitimate tool OUTPUT (instructional docs telling the agent which tool to
+// call). Excluded from the read-path instruction signal; real injection groups
+// (system_prompt_marker, hidden_instruction, prompt_extraction, …) still apply.
+const READ_PATH_EXCLUDED_INSTRUCTION_PATTERNS = new Set(['imperative_tool_call']);
 // Tools that only return metadata/stats (not worth scanning)
 const METADATA_ONLY_TOOLS = new Set([
     'memory_stats',
@@ -90,6 +99,9 @@ export function scanToolResponse(toolName, content, mode) {
             summary: `Tool response from "${toolName}" skipped (too short)`,
             durationMs: Math.round(performance.now() - startTime),
             auditId: -1,
+            sanitisedContent: null,
+            blocked: false,
+            enforceActions: [],
         };
     }
     // 1. Injection scan (Iron Dome named patterns — drives the `injection` field
@@ -97,7 +109,17 @@ export function scanToolResponse(toolName, content, mode) {
     const injection = scanForInjection(content);
     // 2. Write-path detectors (parity). detectInstructions folds homoglyphs and
     //    scans in windows; detectEncoding decodes base64/hex/url blobs.
-    const instructions = detectInstructions(content);
+    //
+    //    FP reduction on the READ path: `imperative_tool_call` ("call the X tool")
+    //    exists to catch injected directives at WRITE time. On tool OUTPUT it is
+    //    legitimate instructional content (docs telling the agent which tool to
+    //    use), so we exclude it here. Real injection phrasing ("ignore previous
+    //    instructions", "you are now…") lives in the other groups + Iron Dome and
+    //    is unaffected. Decoded snippets (below) keep full detection — an encoded
+    //    imperative is inherently suspicious.
+    const instructionsRaw = detectInstructions(content);
+    const instructionPatterns = instructionsRaw.patterns.filter((p) => !READ_PATH_EXCLUDED_INSTRUCTION_PATTERNS.has(p));
+    const instructions = { detected: instructionPatterns.length > 0, patterns: instructionPatterns };
     const encoding = detectEncoding(content);
     // 2b. Decode-and-rescan: re-run instruction + credential detection on each
     //     decoded snippet so a BARE base64/hex blob that decodes to an injection
@@ -155,6 +177,31 @@ export function scanToolResponse(toolName, content, mode) {
         !markdownImage.detected &&
         !credentials.leaked;
     const durationMs = Math.round(performance.now() - startTime);
+    // 5b. Enforce action layer. Advisory mode only logs; enforce mode computes the
+    //     content the agent should ACTUALLY receive (block injection, redact
+    //     secrets, strip exfil links). Single source of truth in
+    //     neutraliseToolResponse — the scanner just feeds it the signals it found.
+    let sanitisedContent = null;
+    let blocked = false;
+    let enforceActions = [];
+    if (!clean && resolvedMode === 'enforce') {
+        const neutralisation = neutraliseToolResponse(content, {
+            injectionRisk: injection.riskLevel,
+            instructionsDetected: instructions.detected,
+            decodedInjection,
+            encodingDetected: encoding.detected,
+            markdownImageUrls: markdownImage.urls,
+            credentialsLeaked: credentials.leaked,
+            decodedCredentialLeak,
+        });
+        sanitisedContent = neutralisation.sanitised;
+        blocked = neutralisation.blocked;
+        enforceActions = neutralisation.actions;
+    }
+    // Truthful firewall_result: advisory only observes (ALLOW); enforce that
+    // withholds the whole payload is a BLOCK; enforce that surgically redacts but
+    // still delivers is a QUARANTINE.
+    const firewallResult = resolvedMode !== 'enforce' ? 'ALLOW' : blocked ? 'BLOCK' : 'QUARANTINE';
     // 6. Build summary
     let summary;
     if (clean) {
@@ -202,7 +249,7 @@ export function scanToolResponse(toolName, content, mode) {
                 source_identifier: toolName,
                 trust_score: 0.5,
                 sensitivity_level: (credentials.leaked || decodedCredentialLeak) ? 'CONFIDENTIAL' : 'PUBLIC',
-                firewall_result: resolvedMode === 'enforce' ? 'BLOCK' : 'ALLOW',
+                firewall_result: firewallResult,
                 anomaly_score: anomalyScore,
                 threat_indicators: JSON.stringify(threatIndicators),
                 blocked_patterns: JSON.stringify(blockedPatterns),
@@ -219,7 +266,7 @@ export function scanToolResponse(toolName, content, mode) {
             persistEvent('defence_event', {
                 source_type: 'tool_response',
                 source_identifier: toolName,
-                firewall_result: resolvedMode === 'enforce' ? 'BLOCK' : 'ALLOW',
+                firewall_result: firewallResult,
                 trust_score: 0.5,
                 anomaly_score: anomalyScore,
                 reason: summary,
@@ -241,5 +288,8 @@ export function scanToolResponse(toolName, content, mode) {
         summary,
         durationMs,
         auditId,
+        sanitisedContent,
+        blocked,
+        enforceActions,
     };
 }

package/dist/defence/trust/read-guard.d.ts

@@ -0,0 +1,45 @@
+/**
+ * MCP read-path access guard.
+ *
+ * The `.mjs` prompt/session hooks already filter recalled rows before injecting
+ * them into the prompt. The MCP read TOOLS (`get_memory`, `get_related`,
+ * `get_context`, and `recall`) returned rows without applying the access-control
+ * engine consistently — so a low-trust / compromised caller could pull RESTRICTED
+ * or other-source memories verbatim. This guard closes that path by applying the
+ * SAME `checkAccess('read')` tiers the search path uses:
+ *
+ *   - quarantined rows (trustScore === 0) are ALWAYS dropped (pending review);
+ *   - when a caller source is present, rows the caller cannot read are dropped
+ *     (RESTRICTED isolation below trust 0.7, own-only below 0.5);
+ *   - owner / high-trust callers pass through in full (chosen policy — no content
+ *     redaction on the MCP path; that is the prompt-hook surface's job).
+ *
+ * No source → only quarantined rows are dropped (callers that don't resolve an
+ * identity get no source-relative ACL). In practice the MCP server always
+ * resolves a source via resolveToolSource before calling the read tools.
+ */
+import type { DefenceSource } from '../types.js';
+import type { Memory, ContextSummary } from '../../memory/types.js';
+/** Filter recalled memories (camelCase Memory) to those the caller may read. */
+export declare function guardReadMemories(memories: Memory[], source: DefenceSource | undefined): Memory[];
+/**
+ * Filter raw snake_case DB rows (e.g. the export path's `SELECT *`) to those the
+ * caller may read. Same policy as guardReadMemories, different field casing.
+ */
+export declare function guardReadRows<T extends Record<string, unknown>>(rows: T[], source: DefenceSource | undefined): T[];
+/**
+ * Sensitivity-only guard for SHARED-CONTEXT bootstrap surfaces (get_context,
+ * start_session, the memory:// resources, restore_context, detect_contradictions).
+ *
+ * These surfaces feed the prompt / a broadly-shared project summary, so they must
+ * NEVER surface RESTRICTED or quarantined rows to ANYONE (matching the .mjs
+ * prompt hooks) — but, unlike the per-caller fetch tools, they do NOT apply the
+ * source-relative own-only tier, so a low-trust subagent still receives the
+ * INTERNAL project context it legitimately needs. Credential isolation without
+ * the availability blackout.
+ */
+export declare function guardReadBySensitivity(memories: Memory[]): Memory[];
+/** Apply the sensitivity guard to every memory list in a context summary. */
+export declare function guardContextSummary(summary: ContextSummary): ContextSummary;
+/** Guard a single memory; returns null if the caller may not read it. */
+export declare function guardReadMemory(memory: Memory | null | undefined, source: DefenceSource | undefined): Memory | null;

package/dist/defence/trust/read-guard.js

@@ -0,0 +1,76 @@
+/**
+ * MCP read-path access guard.
+ *
+ * The `.mjs` prompt/session hooks already filter recalled rows before injecting
+ * them into the prompt. The MCP read TOOLS (`get_memory`, `get_related`,
+ * `get_context`, and `recall`) returned rows without applying the access-control
+ * engine consistently — so a low-trust / compromised caller could pull RESTRICTED
+ * or other-source memories verbatim. This guard closes that path by applying the
+ * SAME `checkAccess('read')` tiers the search path uses:
+ *
+ *   - quarantined rows (trustScore === 0) are ALWAYS dropped (pending review);
+ *   - when a caller source is present, rows the caller cannot read are dropped
+ *     (RESTRICTED isolation below trust 0.7, own-only below 0.5);
+ *   - owner / high-trust callers pass through in full (chosen policy — no content
+ *     redaction on the MCP path; that is the prompt-hook surface's job).
+ *
+ * No source → only quarantined rows are dropped (callers that don't resolve an
+ * identity get no source-relative ACL). In practice the MCP server always
+ * resolves a source via resolveToolSource before calling the read tools.
+ */
+import { checkAccess } from './access-control.js';
+/**
+ * Core read decision, shared by the camelCase (Memory) and snake_case (raw row)
+ * guards so the policy lives in exactly one place.
+ */
+function callerCanRead(id, storedSource, sensitivityLevel, trustScore, source) {
+    // Quarantined memories are never surfaced through a normal read.
+    if (trustScore === 0)
+        return false;
+    // Without a caller identity we cannot make a source-relative decision;
+    // surface everything else (the server resolves a source in practice).
+    if (!source)
+        return true;
+    return checkAccess({ id, source: storedSource, sensitivity_level: sensitivityLevel }, source, 'read').canRead;
+}
+/** Filter recalled memories (camelCase Memory) to those the caller may read. */
+export function guardReadMemories(memories, source) {
+    return memories.filter((m) => callerCanRead(m.id, m.source, m.sensitivityLevel, m.trustScore, source));
+}
+/**
+ * Filter raw snake_case DB rows (e.g. the export path's `SELECT *`) to those the
+ * caller may read. Same policy as guardReadMemories, different field casing.
+ */
+export function guardReadRows(rows, source) {
+    return rows.filter((r) => callerCanRead(Number(r.id), r.source ?? null, r.sensitivity_level ?? null, Number(r.trust_score ?? 1), source));
+}
+/**
+ * Sensitivity-only guard for SHARED-CONTEXT bootstrap surfaces (get_context,
+ * start_session, the memory:// resources, restore_context, detect_contradictions).
+ *
+ * These surfaces feed the prompt / a broadly-shared project summary, so they must
+ * NEVER surface RESTRICTED or quarantined rows to ANYONE (matching the .mjs
+ * prompt hooks) — but, unlike the per-caller fetch tools, they do NOT apply the
+ * source-relative own-only tier, so a low-trust subagent still receives the
+ * INTERNAL project context it legitimately needs. Credential isolation without
+ * the availability blackout.
+ */
+export function guardReadBySensitivity(memories) {
+    return memories.filter((m) => m.trustScore !== 0 && m.sensitivityLevel !== 'RESTRICTED');
+}
+/** Apply the sensitivity guard to every memory list in a context summary. */
+export function guardContextSummary(summary) {
+    return {
+        ...summary,
+        recentMemories: guardReadBySensitivity(summary.recentMemories),
+        keyDecisions: guardReadBySensitivity(summary.keyDecisions),
+        activePatterns: guardReadBySensitivity(summary.activePatterns),
+        pendingItems: guardReadBySensitivity(summary.pendingItems),
+    };
+}
+/** Guard a single memory; returns null if the caller may not read it. */
+export function guardReadMemory(memory, source) {
+    if (!memory)
+        return null;
+    return guardReadMemories([memory], source)[0] ?? null;
+}

package/dist/defence/types.d.ts

@@ -21,6 +21,15 @@ export interface ToolResponseScanResult {
     summary: string;
     durationMs: number;
     auditId: number;
+    /**
+     * Enforce-mode replacement content the agent should actually receive.
+     * `null` in advisory mode and whenever the response is clean (nothing to do).
+     */
+    sanitisedContent: string | null;
+    /** True when enforce mode withheld the whole payload (vs. surgically redacting). */
+    blocked: boolean;
+    /** Human-readable actions taken in enforce mode (empty otherwise). */
+    enforceActions: string[];
 }
 export interface FirewallAnalysis {
     result: FirewallResult;

package/dist/memory/consolidate.d.ts

@@ -7,6 +7,7 @@
  * - Cleans up decayed/irrelevant memories
  * - Merges similar memories to reduce redundancy
  */
+import type { DefenceSource } from '../defence/types.js';
 import { Memory, MemoryConfig, ConsolidationResult, ContextSummary } from './types.js';
 /**
  * Run full consolidation process
@@ -147,7 +148,7 @@ export declare function getSuggestedContext(currentContext: string, project?: st
 /**
  * Export memories as JSON (for backup/transfer)
  */
-export declare function exportMemories(project?: string): string;
+export declare function exportMemories(project?: string, source?: DefenceSource): string;
 /**
  * Import memories from JSON
  */

package/dist/memory/consolidate.js

@@ -9,6 +9,7 @@
  */
 import { getDatabase, withTransaction } from '../database/init.js';
 import { expireQuarantineItems } from '../defence/quarantine/auto-expire.js';
+import { guardReadRows } from '../defence/trust/read-guard.js';
 import { DEFAULT_CONFIG, } from './types.js';
 import { getMemoriesByType, getRecentMemories, promoteMemory, deleteMemory, searchMemories, getMemoryStats, updateDecayScores, addMemory, rowToMemory, } from './store.js';
 import { processDecay, } from './decay.js';
@@ -794,7 +795,7 @@ export async function getSuggestedContext(currentContext, project, limit = 5) {
 /**
  * Export memories as JSON (for backup/transfer)
  */
-export function exportMemories(project) {
+export function exportMemories(project, source) {
     const db = getDatabase();
     let sql = 'SELECT * FROM memories';
     const params = [];
@@ -804,7 +805,11 @@ export function exportMemories(project) {
     }
     sql += ' ORDER BY created_at ASC';
     const rows = db.prepare(sql).all(...params);
-    return JSON.stringify(rows, null, 2);
+    // Read ACL: a bulk export is the sharpest exfil vector, so apply the same
+    // read guard as the per-tool paths — drop quarantined + rows the caller may
+    // not read (RESTRICTED isolation / own-only for low trust). With no caller
+    // source, only quarantined rows are dropped.
+    return JSON.stringify(guardReadRows(rows, source), null, 2);
 }
 /**
  * Import memories from JSON