shieldcortex 4.37.0 → 4.38.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--Xdk3QuQEKommHIbMSem56--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"Xdk3QuQEKommHIbMSem56\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--PR51g0pS7Wp0zLzu2q6mQ--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"PR51g0pS7Wp0zLzu2q6mQ\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/defence/trust/read-guard.d.ts

@@ -0,0 +1,45 @@
+/**
+ * MCP read-path access guard.
+ *
+ * The `.mjs` prompt/session hooks already filter recalled rows before injecting
+ * them into the prompt. The MCP read TOOLS (`get_memory`, `get_related`,
+ * `get_context`, and `recall`) returned rows without applying the access-control
+ * engine consistently — so a low-trust / compromised caller could pull RESTRICTED
+ * or other-source memories verbatim. This guard closes that path by applying the
+ * SAME `checkAccess('read')` tiers the search path uses:
+ *
+ *   - quarantined rows (trustScore === 0) are ALWAYS dropped (pending review);
+ *   - when a caller source is present, rows the caller cannot read are dropped
+ *     (RESTRICTED isolation below trust 0.7, own-only below 0.5);
+ *   - owner / high-trust callers pass through in full (chosen policy — no content
+ *     redaction on the MCP path; that is the prompt-hook surface's job).
+ *
+ * No source → only quarantined rows are dropped (callers that don't resolve an
+ * identity get no source-relative ACL). In practice the MCP server always
+ * resolves a source via resolveToolSource before calling the read tools.
+ */
+import type { DefenceSource } from '../types.js';
+import type { Memory, ContextSummary } from '../../memory/types.js';
+/** Filter recalled memories (camelCase Memory) to those the caller may read. */
+export declare function guardReadMemories(memories: Memory[], source: DefenceSource | undefined): Memory[];
+/**
+ * Filter raw snake_case DB rows (e.g. the export path's `SELECT *`) to those the
+ * caller may read. Same policy as guardReadMemories, different field casing.
+ */
+export declare function guardReadRows<T extends Record<string, unknown>>(rows: T[], source: DefenceSource | undefined): T[];
+/**
+ * Sensitivity-only guard for SHARED-CONTEXT bootstrap surfaces (get_context,
+ * start_session, the memory:// resources, restore_context, detect_contradictions).
+ *
+ * These surfaces feed the prompt / a broadly-shared project summary, so they must
+ * NEVER surface RESTRICTED or quarantined rows to ANYONE (matching the .mjs
+ * prompt hooks) — but, unlike the per-caller fetch tools, they do NOT apply the
+ * source-relative own-only tier, so a low-trust subagent still receives the
+ * INTERNAL project context it legitimately needs. Credential isolation without
+ * the availability blackout.
+ */
+export declare function guardReadBySensitivity(memories: Memory[]): Memory[];
+/** Apply the sensitivity guard to every memory list in a context summary. */
+export declare function guardContextSummary(summary: ContextSummary): ContextSummary;
+/** Guard a single memory; returns null if the caller may not read it. */
+export declare function guardReadMemory(memory: Memory | null | undefined, source: DefenceSource | undefined): Memory | null;

package/dist/defence/trust/read-guard.js

@@ -0,0 +1,76 @@
+/**
+ * MCP read-path access guard.
+ *
+ * The `.mjs` prompt/session hooks already filter recalled rows before injecting
+ * them into the prompt. The MCP read TOOLS (`get_memory`, `get_related`,
+ * `get_context`, and `recall`) returned rows without applying the access-control
+ * engine consistently — so a low-trust / compromised caller could pull RESTRICTED
+ * or other-source memories verbatim. This guard closes that path by applying the
+ * SAME `checkAccess('read')` tiers the search path uses:
+ *
+ *   - quarantined rows (trustScore === 0) are ALWAYS dropped (pending review);
+ *   - when a caller source is present, rows the caller cannot read are dropped
+ *     (RESTRICTED isolation below trust 0.7, own-only below 0.5);
+ *   - owner / high-trust callers pass through in full (chosen policy — no content
+ *     redaction on the MCP path; that is the prompt-hook surface's job).
+ *
+ * No source → only quarantined rows are dropped (callers that don't resolve an
+ * identity get no source-relative ACL). In practice the MCP server always
+ * resolves a source via resolveToolSource before calling the read tools.
+ */
+import { checkAccess } from './access-control.js';
+/**
+ * Core read decision, shared by the camelCase (Memory) and snake_case (raw row)
+ * guards so the policy lives in exactly one place.
+ */
+function callerCanRead(id, storedSource, sensitivityLevel, trustScore, source) {
+    // Quarantined memories are never surfaced through a normal read.
+    if (trustScore === 0)
+        return false;
+    // Without a caller identity we cannot make a source-relative decision;
+    // surface everything else (the server resolves a source in practice).
+    if (!source)
+        return true;
+    return checkAccess({ id, source: storedSource, sensitivity_level: sensitivityLevel }, source, 'read').canRead;
+}
+/** Filter recalled memories (camelCase Memory) to those the caller may read. */
+export function guardReadMemories(memories, source) {
+    return memories.filter((m) => callerCanRead(m.id, m.source, m.sensitivityLevel, m.trustScore, source));
+}
+/**
+ * Filter raw snake_case DB rows (e.g. the export path's `SELECT *`) to those the
+ * caller may read. Same policy as guardReadMemories, different field casing.
+ */
+export function guardReadRows(rows, source) {
+    return rows.filter((r) => callerCanRead(Number(r.id), r.source ?? null, r.sensitivity_level ?? null, Number(r.trust_score ?? 1), source));
+}
+/**
+ * Sensitivity-only guard for SHARED-CONTEXT bootstrap surfaces (get_context,
+ * start_session, the memory:// resources, restore_context, detect_contradictions).
+ *
+ * These surfaces feed the prompt / a broadly-shared project summary, so they must
+ * NEVER surface RESTRICTED or quarantined rows to ANYONE (matching the .mjs
+ * prompt hooks) — but, unlike the per-caller fetch tools, they do NOT apply the
+ * source-relative own-only tier, so a low-trust subagent still receives the
+ * INTERNAL project context it legitimately needs. Credential isolation without
+ * the availability blackout.
+ */
+export function guardReadBySensitivity(memories) {
+    return memories.filter((m) => m.trustScore !== 0 && m.sensitivityLevel !== 'RESTRICTED');
+}
+/** Apply the sensitivity guard to every memory list in a context summary. */
+export function guardContextSummary(summary) {
+    return {
+        ...summary,
+        recentMemories: guardReadBySensitivity(summary.recentMemories),
+        keyDecisions: guardReadBySensitivity(summary.keyDecisions),
+        activePatterns: guardReadBySensitivity(summary.activePatterns),
+        pendingItems: guardReadBySensitivity(summary.pendingItems),
+    };
+}
+/** Guard a single memory; returns null if the caller may not read it. */
+export function guardReadMemory(memory, source) {
+    if (!memory)
+        return null;
+    return guardReadMemories([memory], source)[0] ?? null;
+}

package/dist/memory/consolidate.d.ts

@@ -7,6 +7,7 @@
  * - Cleans up decayed/irrelevant memories
  * - Merges similar memories to reduce redundancy
  */
+import type { DefenceSource } from '../defence/types.js';
 import { Memory, MemoryConfig, ConsolidationResult, ContextSummary } from './types.js';
 /**
  * Run full consolidation process
@@ -147,7 +148,7 @@ export declare function getSuggestedContext(currentContext: string, project?: st
 /**
  * Export memories as JSON (for backup/transfer)
  */
-export declare function exportMemories(project?: string): string;
+export declare function exportMemories(project?: string, source?: DefenceSource): string;
 /**
  * Import memories from JSON
  */

package/dist/memory/consolidate.js

@@ -9,6 +9,7 @@
  */
 import { getDatabase, withTransaction } from '../database/init.js';
 import { expireQuarantineItems } from '../defence/quarantine/auto-expire.js';
+import { guardReadRows } from '../defence/trust/read-guard.js';
 import { DEFAULT_CONFIG, } from './types.js';
 import { getMemoriesByType, getRecentMemories, promoteMemory, deleteMemory, searchMemories, getMemoryStats, updateDecayScores, addMemory, rowToMemory, } from './store.js';
 import { processDecay, } from './decay.js';
@@ -794,7 +795,7 @@ export async function getSuggestedContext(currentContext, project, limit = 5) {
 /**
  * Export memories as JSON (for backup/transfer)
  */
-export function exportMemories(project) {
+export function exportMemories(project, source) {
     const db = getDatabase();
     let sql = 'SELECT * FROM memories';
     const params = [];
@@ -804,7 +805,11 @@ export function exportMemories(project) {
     }
     sql += ' ORDER BY created_at ASC';
     const rows = db.prepare(sql).all(...params);
-    return JSON.stringify(rows, null, 2);
+    // Read ACL: a bulk export is the sharpest exfil vector, so apply the same
+    // read guard as the per-tool paths — drop quarantined + rows the caller may
+    // not read (RESTRICTED isolation / own-only for low trust). With no caller
+    // source, only quarantined rows are dropped.
+    return JSON.stringify(guardReadRows(rows, source), null, 2);
 }
 /**
  * Import memories from JSON

package/dist/server.js

@@ -12,11 +12,11 @@ import { getCurrentVersion } from './api/version.js';
 import { initProjectContext, getActiveProject, setActiveProject, getProjectContextInfo, GLOBAL_PROJECT_SENTINEL, } from './context/project-context.js';
 // Import tools
 import { executeRemember, formatRememberResult } from './tools/remember.js';
-import { executeRecall, formatRecallResult, executeGetMemory, formatMemory } from './tools/recall.js';
+import { executeRecall, formatRecallResult, executeGetMemory, executeGetRelated, formatMemory } from './tools/recall.js';
 import { executeForget, formatForgetResult } from './tools/forget.js';
 import { executeGetContext, executeStartSession, executeEndSession, executeConsolidate, executeStats, formatStats, executeExport, executeImport, } from './tools/context.js';
 import { generateContextSummary, formatContextSummary, fullCleanup } from './memory/consolidate.js';
-import { getHighPriorityMemories, getRecentMemories, getRelatedMemories, createMemoryLink } from './memory/store.js';
+import { getHighPriorityMemories, getRecentMemories, createMemoryLink } from './memory/store.js';
 import { detectContradictions } from './memory/contradiction.js';
 import { handleGraphQuery, handleGraphEntities, handleGraphExplain } from './tools/graph.js';
 import { checkDatabaseSize } from './database/init.js';
@@ -25,6 +25,7 @@ import { scanExistingMemories } from './defence/scanner/index.js';
 import { resolveToolSource as resolveToolSourceImpl } from './defence/trust/resolve-tool-source.js';
 import { scanToolResponse, shouldScanToolResponse } from './defence/tool-response-scanner.js';
 import { UNTRUSTED_TOOL_TAG } from './defence/tool-response-enforce.js';
+import { guardReadBySensitivity, guardContextSummary } from './defence/trust/read-guard.js';
 import { getToolResponseScanConfig } from './cloud/config.js';
 import { checkKillPhrase } from './defence/iron-dome/index.js';
 import { isKillSwitchActive, getKillSwitchMeta, assertOperationAllowed, activateKillSwitch, deactivateKillSwitch, KillSwitchError, } from './api/control.js';
@@ -410,8 +411,10 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
     // Export memories
     server.tool('export_memories', 'Export memories as JSON for backup.', {
         project: z.string().optional().describe('Project scope. Auto-detected if not provided. Use "*" for all projects.'),
+        source: sourceParam,
     }, { title: 'Export Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('export_memories', async (args) => {
-        const result = executeExport(args);
+        const source = resolveToolSource(args.source, 'export_memories');
+        const result = executeExport({ ...args, source });
         return {
             content: [{
                     type: 'text',
@@ -456,8 +459,14 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
     // Get Related Memories
     server.tool('get_related', 'Get memories related to a specific memory. Shows connections and relationships.', {
         id: z.number().describe('Memory ID to find relationships for'),
+        source: sourceParam,
     }, { title: 'Get Related Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('get_related', async (args) => {
-        const related = getRelatedMemories(args.id);
+        const source = resolveToolSource(args.source, 'get_related');
+        const result = executeGetRelated({ id: args.id, source });
+        if (!result.success) {
+            return { content: [{ type: 'text', text: `Error: ${result.error}` }], isError: true };
+        }
+        const related = result.related;
         if (related.length === 0) {
             return { content: [{ type: 'text', text: 'No related memories found.' }] };
         }
@@ -536,7 +545,10 @@ but you can use this tool to check for new contradictions at any time.`, {
             category: args.category,
             minScore: args.minScore,
             limit: args.limit,
-        });
+        }).filter(
+        // Drop a pair if either side is RESTRICTED/quarantined (don't leak a
+        // credential-class memory's title via a contradiction listing).
+        (c) => guardReadBySensitivity([c.memoryA, c.memoryB]).length === 2);
         if (contradictions.length === 0) {
             return { content: [{ type: 'text', text: 'No contradictions detected.' }] };
         }
@@ -942,7 +954,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (isKillSwitchActive()) {
             return { contents: [{ uri: 'memory://context', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
         }
-        const summary = await generateContextSummary();
+        // Shared-context resource: strip RESTRICTED + quarantined (sensitivity guard).
+        const summary = guardContextSummary(await generateContextSummary());
         return {
             contents: [{
                     uri: 'memory://context',
@@ -956,7 +969,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (isKillSwitchActive()) {
             return { contents: [{ uri: 'memory://important', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
         }
-        const memories = getHighPriorityMemories(20);
+        // Shared-context resource: strip RESTRICTED + quarantined before exposing content.
+        const memories = guardReadBySensitivity(getHighPriorityMemories(20));
         const text = memories.map(m => `## ${m.title}\n${m.content}\n*${m.category} | ${(m.salience * 100).toFixed(0)}% salience*\n`).join('\n');
         return {
             contents: [{
@@ -971,7 +985,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (isKillSwitchActive()) {
             return { contents: [{ uri: 'memory://recent', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
         }
-        const memories = getRecentMemories(15);
+        // Shared-context resource: strip RESTRICTED + quarantined before exposing content.
+        const memories = guardReadBySensitivity(getRecentMemories(15));
         const text = memories.map(m => `- **${m.title}** (${m.category}): ${m.content.slice(0, 100)}...`).join('\n');
         return {
             contents: [{
@@ -991,7 +1006,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
                 messages: [{ role: 'user', content: { type: 'text', text: '[KILL SWITCH ACTIVE] Context restoration blocked. Use iron_dome_resume to resume.' } }],
             };
         }
-        const summary = await generateContextSummary();
+        // Shared-context prompt: strip RESTRICTED + quarantined (sensitivity guard).
+        const summary = guardContextSummary(await generateContextSummary());
         const context = formatContextSummary(summary);
         return {
             messages: [{

package/dist/tools/context.d.ts

@@ -8,6 +8,7 @@ import { z } from 'zod';
 import { getMemoryStats } from '../memory/store.js';
 import { type SalienceDistribution } from '../memory/metrics.js';
 import { Memory, ContextSummary, ConsolidationResult } from '../memory/types.js';
+import type { DefenceSource } from '../defence/types.js';
 export declare const getContextSchema: z.ZodObject<{
     project: z.ZodOptional<z.ZodString>;
     query: z.ZodOptional<z.ZodString>;
@@ -132,6 +133,7 @@ export declare const exportSchema: z.ZodObject<{
 }>;
 export declare function executeExport(input: {
     project?: string;
+    source?: DefenceSource;
 }): {
     success: boolean;
     data?: string;

package/dist/tools/context.js

@@ -10,6 +10,7 @@ import { getMemoryStats } from '../memory/store.js';
 import { getSalienceDistribution } from '../memory/metrics.js';
 import { getDatabase } from '../database/init.js';
 import { resolveProject } from '../context/project-context.js';
+import { guardReadBySensitivity, guardContextSummary } from '../defence/trust/read-guard.js';
 // Input schema for getting context
 export const getContextSchema = z.object({
     project: z.string().optional().describe('Project to get context for'),
@@ -29,12 +30,18 @@ export async function executeGetContext(input) {
         // Resolve project (auto-detect if not provided)
         const resolvedProject = resolveProject(input.project);
         const projectFilter = resolvedProject ?? undefined;
+        // Read guard: get_context is a SHARED-CONTEXT bootstrap surface that feeds
+        // the prompt, so strip RESTRICTED + quarantined for everyone (matching the
+        // .mjs prompt hooks) but keep INTERNAL project context available — a
+        // sensitivity guard, not the per-caller own-only ACL, so a low-trust
+        // subagent isn't blacked out from the context it needs. Owner-specific
+        // RESTRICTED retrieval is the explicit get_memory tool's job.
         // Generate context summary
-        const summary = await generateContextSummary(projectFilter);
+        const summary = guardContextSummary(await generateContextSummary(projectFilter));
         // If there's a query, also get specifically relevant memories
         let relevantMemories = [];
         if (input.query) {
-            relevantMemories = await getSuggestedContext(input.query, projectFilter, 5);
+            relevantMemories = guardReadBySensitivity(await getSuggestedContext(input.query, projectFilter, 5));
         }
         // Format based on requested format
         let context;
@@ -133,7 +140,10 @@ export async function executeStartSession(input) {
         const resolvedProject = resolveProject(input.project);
         const projectFilter = resolvedProject ?? undefined;
         const { sessionId, context } = await startSession(projectFilter);
-        const formattedContext = formatContextSummary(context);
+        // Read guard: start_session is a shared-context bootstrap surface (sibling of
+        // get_context) — strip RESTRICTED + quarantined before formatting so the
+        // session preamble never leaks credential-class memories.
+        const formattedContext = formatContextSummary(guardContextSummary(context));
         return {
             success: true,
             sessionId,
@@ -257,7 +267,8 @@ export function executeExport(input) {
         // Resolve project (auto-detect if not provided)
         const resolvedProject = resolveProject(input.project);
         const projectFilter = resolvedProject ?? undefined;
-        const data = exportMemories(projectFilter);
+        // Read ACL: filter the bulk dump to rows this caller may read.
+        const data = exportMemories(projectFilter, input.source);
         const memories = JSON.parse(data);
         return {
             success: true,

package/dist/tools/recall.d.ts

@@ -4,6 +4,7 @@
  * Search and retrieve memories using semantic search and filters.
  */
 import { z } from 'zod';
+import { getRelatedMemories } from '../memory/store.js';
 import { Memory } from '../memory/types.js';
 import type { DefenceSource } from '../defence/types.js';
 export declare const recallSchema: z.ZodObject<{
@@ -114,3 +115,17 @@ export declare function executeGetMemory(input: {
     memory?: Memory;
     error?: string;
 };
+/**
+ * Execute the get_related tool — related memories, ACL-filtered.
+ *
+ * Related links can cross trust/sensitivity boundaries, so the same read ACL
+ * applies: a caller only sees related memories it is permitted to read.
+ */
+export declare function executeGetRelated(input: {
+    id: number;
+    source?: DefenceSource;
+}): {
+    success: boolean;
+    related?: ReturnType<typeof getRelatedMemories>;
+    error?: string;
+};

package/dist/tools/recall.js

@@ -4,11 +4,12 @@
  * Search and retrieve memories using semantic search and filters.
  */
 import { z } from 'zod';
-import { searchMemories, recallWithEmbeddings, accessMemory, getRecentMemories, getHighPriorityMemories } from '../memory/store.js';
+import { searchMemories, recallWithEmbeddings, accessMemory, getRecentMemories, getHighPriorityMemories, getRelatedMemories } from '../memory/store.js';
 import { formatTimeSinceAccess } from '../memory/decay.js';
 import { MemoryNotFoundError, formatErrorForMcp } from '../errors.js';
 import { resolveProject } from '../context/project-context.js';
 import { memoryFreshnessWarning } from '../memory/staleness.js';
+import { guardReadMemories, guardReadMemory } from '../defence/trust/read-guard.js';
 const sourceSchema = z.object({
     type: z.enum(['user', 'cli', 'hook', 'email', 'web', 'agent', 'file', 'api', 'tool_response']),
     identifier: z.string(),
@@ -99,6 +100,11 @@ export async function executeRecall(input) {
                 }
                 break;
         }
+        // Read ACL: drop quarantined + rows this caller may not read (RESTRICTED
+        // isolation / own-only for low trust). Belt-and-braces — the recent/important
+        // store helpers + search already apply access control, but this keeps every
+        // recall mode uniform and never reinforces a row the caller can't see.
+        memories = guardReadMemories(memories, source);
         // Access each memory to reinforce it
         memories = memories.map(m => accessMemory(m.id, undefined, source) || m);
         // v4.0.0: Append staleness warnings to old memories
@@ -180,14 +186,36 @@ export const getMemorySchema = z.object({
 export function executeGetMemory(input) {
     try {
         const memory = accessMemory(input.id, undefined, input.source);
-        if (!memory) {
+        // Read ACL: a caller that may not read this memory gets a not-found, never
+        // the content (don't reveal existence of RESTRICTED / other-source rows).
+        const allowed = guardReadMemory(memory, input.source);
+        if (!allowed) {
             const error = new MemoryNotFoundError(input.id);
             return {
                 success: false,
                 error: error.toUserMessage(),
             };
         }
-        return { success: true, memory };
+        return { success: true, memory: allowed };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: formatErrorForMcp(error),
+        };
+    }
+}
+/**
+ * Execute the get_related tool — related memories, ACL-filtered.
+ *
+ * Related links can cross trust/sensitivity boundaries, so the same read ACL
+ * applies: a caller only sees related memories it is permitted to read.
+ */
+export function executeGetRelated(input) {
+    try {
+        const related = getRelatedMemories(input.id);
+        const allowedIds = new Set(guardReadMemories(related.map((r) => r.memory), input.source).map((m) => m.id));
+        return { success: true, related: related.filter((r) => allowedIds.has(r.memory.id)) };
     }
     catch (error) {
         return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shieldcortex",
-  "version": "4.37.0",
+  "version": "4.38.0",
   "description": "Trustworthy memory and security for AI agents. Recall debugging, review queue, OpenClaw session capture, and memory poisoning defence for Claude Code, Codex, OpenClaw, LangChain, and MCP agents.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",