shieldcortex 4.37.0 → 4.39.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--Xdk3QuQEKommHIbMSem56--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"Xdk3QuQEKommHIbMSem56\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--LfTY3B6uX3j7zNwqqgvPG--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"LfTY3B6uX3j7zNwqqgvPG\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/api/routes/admin.js

@@ -99,6 +99,8 @@ export function registerAdminRoutes(app, deps) {
                 options.source = req.query.source;
             if (req.query.firewallResult)
                 options.firewallResult = req.query.firewallResult;
+            if (req.query.operation)
+                options.operation = req.query.operation;
             if (req.query.limit)
                 options.limit = parseInt(req.query.limit, 10);
             if (req.query.project)

package/dist/api/routes/memories.js

@@ -587,7 +587,10 @@ export function registerMemoryRoutes(app, deps) {
     }), (req, res) => {
         try {
             const id = parseInt(req.params.id, 10);
-            const success = deleteMemory(id);
+            // Attribute the dashboard delete so it lands on the provenance ledger
+            // (the primary human-initiated delete — the source-less exemption is only
+            // for internal consolidate/merge machinery).
+            const success = deleteMemory(id, { type: 'api', identifier: `dashboard:memory-delete:${id}` });
             if (!success) {
                 return res.status(404).json({ error: 'Memory not found' });
             }
@@ -1235,7 +1238,7 @@ export function registerMemoryRoutes(app, deps) {
             const db = getDatabase();
             db.prepare(`INSERT INTO quarantine (original_title, original_content, source_type, source_identifier, reason, project, status, created_at)
          VALUES (?, ?, ?, ?, ?, ?, 'pending', ?)`).run(memory.title, memory.content, 'dashboard', 'brain-control', req.body.reason || 'Manually quarantined from Brain dashboard', memory.project || null, new Date().toISOString());
-            deleteMemory(id);
+            deleteMemory(id, { type: 'api', identifier: `dashboard:quarantine-delete:${id}` });
             res.json({ success: true, quarantined: id });
         }
         catch (error) {

package/dist/api/visualization-server.js

@@ -187,6 +187,7 @@ export function handleV1Scan(req, res) {
                     trust_score: 0,
                     sensitivity_level: 'RESTRICTED',
                     firewall_result: 'BLOCK',
+                    operation: 'write',
                     anomaly_score: 0.5,
                     threat_indicators: '["config_tampering"]',
                     blocked_patterns: '[]',

package/dist/database/inline-schema.js

@@ -36,6 +36,7 @@ export function getInlineSchema() {
       trust_score REAL DEFAULT 1.0,
       sensitivity_level TEXT DEFAULT 'INTERNAL',
       source TEXT DEFAULT 'user:direct',
+      content_hash TEXT,
       status TEXT DEFAULT 'active' CHECK(status IN ('active', 'archived', 'suppressed', 'canonical')),
       pinned INTEGER DEFAULT 0,
       reviewed_at TIMESTAMP,
@@ -84,6 +85,8 @@ export function getInlineSchema() {
     CREATE INDEX IF NOT EXISTS idx_memories_decayed_score ON memories(decayed_score DESC);
     CREATE INDEX IF NOT EXISTS idx_memories_last_accessed ON memories(last_accessed DESC);
     CREATE INDEX IF NOT EXISTS idx_memories_updated ON memories(updated_at DESC);
+    CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source);
+    CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash);
 
     CREATE TABLE IF NOT EXISTS sessions (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -168,6 +171,8 @@ export function getInlineSchema() {
       trust_score REAL NOT NULL,
       sensitivity_level TEXT NOT NULL DEFAULT 'INTERNAL',
       firewall_result TEXT NOT NULL CHECK(firewall_result IN ('ALLOW', 'BLOCK', 'QUARANTINE')),
+      operation TEXT,
+      content_hash TEXT,
       anomaly_score REAL DEFAULT 0.0,
       threat_indicators TEXT DEFAULT '[]',
       blocked_patterns TEXT DEFAULT '[]',
@@ -182,6 +187,7 @@ export function getInlineSchema() {
     CREATE INDEX IF NOT EXISTS idx_audit_result ON defence_audit(firewall_result);
     CREATE INDEX IF NOT EXISTS idx_audit_source ON defence_audit(source_type);
     CREATE INDEX IF NOT EXISTS idx_audit_project ON defence_audit(project);
+    CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation);
 
     -- Cumulative audit aggregate (single row, id=1) — retention rollup target.
     -- See schema.sql for the rationale.

package/dist/database/migrations.js

@@ -750,4 +750,38 @@ export function runMigrations(database) {
     catch (err) {
         logIfUnexpectedDdlError(err, 'mcp_tool_hashes');
     }
+    // Migration: provenance ledger (v4.39.0) — add an `operation` discriminator
+    // (read/write/delete) and a `content_hash` (write-time tamper-evidence) to
+    // defence_audit, a `content_hash` to memories, and an index on memories.source
+    // for revoke-by-source. Existing rows keep operation/content_hash NULL (legacy,
+    // unclassifiable). Fresh installs get these from schema.sql / inline-schema.ts.
+    try {
+        const auditCols = database.prepare("PRAGMA table_info(defence_audit)").all();
+        if (auditCols.length > 0) {
+            const auditColNames = new Set(auditCols.map((c) => c.name));
+            if (!auditColNames.has('operation')) {
+                database.exec('ALTER TABLE defence_audit ADD COLUMN operation TEXT');
+            }
+            if (!auditColNames.has('content_hash')) {
+                database.exec('ALTER TABLE defence_audit ADD COLUMN content_hash TEXT');
+            }
+        }
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'defence_audit provenance columns (operation, content_hash)');
+    }
+    if (!columnNames.has('content_hash')) {
+        database.exec('ALTER TABLE memories ADD COLUMN content_hash TEXT');
+    }
+    // Indexes in an unconditional, self-healing block: CREATE INDEX IF NOT EXISTS
+    // no-ops if the column already had its index, and back-fills it if the column
+    // exists without it (e.g. a column added by a prior partial run).
+    try {
+        database.exec('CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation)');
+        database.exec('CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash)');
+        database.exec('CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source)');
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'provenance ledger indexes (audit operation, memories content_hash/source)');
+    }
 }

package/dist/database/schema.sql

@@ -24,6 +24,7 @@ CREATE TABLE IF NOT EXISTS memories (
   trust_score REAL DEFAULT 1.0,
   sensitivity_level TEXT DEFAULT 'INTERNAL',
   source TEXT DEFAULT 'user:direct',
+  content_hash TEXT,
   status TEXT DEFAULT 'active' CHECK(status IN ('active', 'archived', 'suppressed', 'canonical')),
   pinned INTEGER DEFAULT 0,
   reviewed_at TIMESTAMP,
@@ -85,6 +86,8 @@ CREATE INDEX IF NOT EXISTS idx_memories_updated ON memories(updated_at DESC);
 CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status);
 CREATE INDEX IF NOT EXISTS idx_memories_pinned ON memories(pinned DESC);
 CREATE INDEX IF NOT EXISTS idx_memories_source_kind ON memories(source_kind);
+CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source);
+CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash);
 
 -- Session tracking for consolidation
 CREATE TABLE IF NOT EXISTS sessions (
@@ -214,6 +217,8 @@ CREATE TABLE IF NOT EXISTS defence_audit (
   trust_score REAL NOT NULL,
   sensitivity_level TEXT NOT NULL DEFAULT 'INTERNAL',
   firewall_result TEXT NOT NULL CHECK(firewall_result IN ('ALLOW', 'BLOCK', 'QUARANTINE')),
+  operation TEXT,                       -- provenance ledger: 'read' | 'write' | 'delete' (NULL on legacy rows)
+  content_hash TEXT,                    -- SHA-256 of content at write time (tamper-evidence)
   anomaly_score REAL DEFAULT 0.0,
   threat_indicators TEXT DEFAULT '[]',  -- JSON array of ThreatIndicator strings
   blocked_patterns TEXT DEFAULT '[]',   -- JSON array of matched patterns
@@ -228,6 +233,7 @@ CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON defence_audit(timestamp DESC);
 CREATE INDEX IF NOT EXISTS idx_audit_result ON defence_audit(firewall_result);
 CREATE INDEX IF NOT EXISTS idx_audit_source ON defence_audit(source_type);
 CREATE INDEX IF NOT EXISTS idx_audit_project ON defence_audit(project);
+CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation);
 
 -- Defence: cumulative audit aggregate (single row, id=1). Retention purges roll
 -- the to-be-deleted rows' lifetime-stat contributions into this row BEFORE

package/dist/defence/audit/logger.js

@@ -15,12 +15,12 @@ export function logAudit(entry) {
         const stmt = db.prepare(`
       INSERT INTO defence_audit (
         memory_id, project, timestamp, source_type, source_identifier,
-        trust_score, sensitivity_level, firewall_result,
+        trust_score, sensitivity_level, firewall_result, operation, content_hash,
         anomaly_score, threat_indicators, blocked_patterns,
         reason, fragmentation_score, pipeline_duration_ms
       ) VALUES (
         @memory_id, @project, @timestamp, @source_type, @source_identifier,
-        @trust_score, @sensitivity_level, @firewall_result,
+        @trust_score, @sensitivity_level, @firewall_result, @operation, @content_hash,
         @anomaly_score, @threat_indicators, @blocked_patterns,
         @reason, @fragmentation_score, @pipeline_duration_ms
       )
@@ -34,6 +34,8 @@ export function logAudit(entry) {
             trust_score: entry.trust_score,
             sensitivity_level: entry.sensitivity_level,
             firewall_result: entry.firewall_result,
+            operation: entry.operation ?? null,
+            content_hash: entry.content_hash ?? null,
             anomaly_score: entry.anomaly_score ?? 0,
             threat_indicators: entry.threat_indicators ?? '[]',
             blocked_patterns: entry.blocked_patterns ?? '[]',

package/dist/defence/audit/queries.js

@@ -22,6 +22,10 @@ export function queryAuditLogs(options = {}) {
         conditions.push('da.firewall_result = @firewallResult');
         params.firewallResult = options.firewallResult;
     }
+    if (options.operation) {
+        conditions.push('da.operation = @operation');
+        params.operation = options.operation;
+    }
     if (options.source) {
         conditions.push('da.source_type = @source');
         params.source = options.source;

package/dist/defence/audit/retention.js

@@ -140,22 +140,32 @@ export function purgeAuditUnderSizePressure(options = {}) {
         const total = db.prepare('SELECT COUNT(*) AS c FROM defence_audit').get().c;
         if (total <= maxRows)
             return 0;
-        // Trim down to the cap by deleting the OLDEST rows. Find the cutoff id: keep
-        // the newest `maxRows` by timestamp, purge everything older.
-        const cutoffRow = db.prepare(`
-      SELECT timestamp FROM defence_audit
-      ORDER BY timestamp DESC
-      LIMIT 1 OFFSET ?
-    `).get(maxRows);
-        if (!cutoffRow)
+        const over = total - maxRows;
+        // Forensic-aware eviction: trim the `over` oldest rows, but evict
+        // LOW-VALUE provenance rows first (ALLOW reads/deletes — the high-volume,
+        // low-forensic-value entries) and only fall back to threat rows
+        // (BLOCK/QUARANTINE, or anything with threat_indicators) once the low-value
+        // rows are exhausted. Otherwise a flood of routine reads would push the
+        // oldest injection/credential-leak records out from under the row cap.
+        const ids = db.prepare(`
+      SELECT id FROM defence_audit
+      ORDER BY
+        CASE WHEN firewall_result = 'ALLOW'
+                  AND operation IN ('read', 'delete')
+                  AND (threat_indicators IS NULL OR threat_indicators IN ('', '[]'))
+             THEN 0 ELSE 1 END ASC,
+        timestamp ASC
+      LIMIT ?
+    `).all(over).map((r) => r.id);
+        if (ids.length === 0)
             return 0;
-        const where = 'timestamp <= ?';
-        const params = [cutoffRow.timestamp];
-        const delta = computeDelta(where, params);
+        const placeholders = ids.map(() => '?').join(',');
+        const where = `id IN (${placeholders})`;
+        const delta = computeDelta(where, ids);
         if (delta.total_scans === 0)
             return 0;
         rollIntoAggregate(delta);
-        const res = db.prepare(`DELETE FROM defence_audit WHERE ${where}`).run(...params);
+        const res = db.prepare(`DELETE FROM defence_audit WHERE ${where}`).run(...ids);
         return Number(res.changes ?? 0);
     })();
 }

package/dist/defence/iron-dome/audit.js

@@ -19,6 +19,7 @@ export function logIronDomeAudit(event) {
             trust_score: 0,
             sensitivity_level: 'PUBLIC',
             firewall_result: event.allowed ? 'ALLOW' : 'BLOCK',
+            operation: null, // iron-dome kill-switch / defence event, not a memory read/write/delete
             anomaly_score: 0,
             threat_indicators: '[]',
             blocked_patterns: '[]',

package/dist/defence/pipeline.js

@@ -11,7 +11,7 @@ import { analyzeFirewall } from './firewall/index.js';
 import { classifySensitivity } from './sensitivity/index.js';
 import { analyzeFragmentation } from './fragmentation/index.js';
 import { scanForCredentials } from './credential-leak/index.js';
-import { logAudit } from './audit/index.js';
+import { logAudit, createContentHash } from './audit/index.js';
 import { persistEvent } from '../api/events.js';
 import { syncToCloud } from '../cloud/sync.js';
 import { syncQuarantineToCloud } from '../cloud/quarantine-sync.js';
@@ -202,6 +202,8 @@ export function runDefencePipeline(content, title, source, config, project) {
             trust_score: trust.score,
             sensitivity_level: sensitivity.level,
             firewall_result: firewall.result,
+            operation: 'write',
+            content_hash: createContentHash(content),
             anomaly_score: firewall.anomalyScore,
             threat_indicators: JSON.stringify(firewall.threatIndicators),
             blocked_patterns: JSON.stringify(firewall.blockedPatterns),
@@ -283,6 +285,7 @@ export function runDefencePipeline(content, title, source, config, project) {
             trust_score: 0,
             sensitivity_level: 'RESTRICTED',
             firewall_result: 'BLOCK',
+            operation: 'write',
             anomaly_score: 1.0,
             threat_indicators: '["pipeline_error"]',
             blocked_patterns: '[]',

package/dist/defence/tool-response-scanner.js

@@ -250,6 +250,7 @@ export function scanToolResponse(toolName, content, mode) {
                 trust_score: 0.5,
                 sensitivity_level: (credentials.leaked || decodedCredentialLeak) ? 'CONFIDENTIAL' : 'PUBLIC',
                 firewall_result: firewallResult,
+                operation: 'read',
                 anomaly_score: anomalyScore,
                 threat_indicators: JSON.stringify(threatIndicators),
                 blocked_patterns: JSON.stringify(blockedPatterns),

package/dist/defence/trust/read-guard.d.ts

@@ -0,0 +1,45 @@
+/**
+ * MCP read-path access guard.
+ *
+ * The `.mjs` prompt/session hooks already filter recalled rows before injecting
+ * them into the prompt. The MCP read TOOLS (`get_memory`, `get_related`,
+ * `get_context`, and `recall`) returned rows without applying the access-control
+ * engine consistently — so a low-trust / compromised caller could pull RESTRICTED
+ * or other-source memories verbatim. This guard closes that path by applying the
+ * SAME `checkAccess('read')` tiers the search path uses:
+ *
+ *   - quarantined rows (trustScore === 0) are ALWAYS dropped (pending review);
+ *   - when a caller source is present, rows the caller cannot read are dropped
+ *     (RESTRICTED isolation below trust 0.7, own-only below 0.5);
+ *   - owner / high-trust callers pass through in full (chosen policy — no content
+ *     redaction on the MCP path; that is the prompt-hook surface's job).
+ *
+ * No source → only quarantined rows are dropped (callers that don't resolve an
+ * identity get no source-relative ACL). In practice the MCP server always
+ * resolves a source via resolveToolSource before calling the read tools.
+ */
+import type { DefenceSource } from '../types.js';
+import type { Memory, ContextSummary } from '../../memory/types.js';
+/** Filter recalled memories (camelCase Memory) to those the caller may read. */
+export declare function guardReadMemories(memories: Memory[], source: DefenceSource | undefined): Memory[];
+/**
+ * Filter raw snake_case DB rows (e.g. the export path's `SELECT *`) to those the
+ * caller may read. Same policy as guardReadMemories, different field casing.
+ */
+export declare function guardReadRows<T extends Record<string, unknown>>(rows: T[], source: DefenceSource | undefined): T[];
+/**
+ * Sensitivity-only guard for SHARED-CONTEXT bootstrap surfaces (get_context,
+ * start_session, the memory:// resources, restore_context, detect_contradictions).
+ *
+ * These surfaces feed the prompt / a broadly-shared project summary, so they must
+ * NEVER surface RESTRICTED or quarantined rows to ANYONE (matching the .mjs
+ * prompt hooks) — but, unlike the per-caller fetch tools, they do NOT apply the
+ * source-relative own-only tier, so a low-trust subagent still receives the
+ * INTERNAL project context it legitimately needs. Credential isolation without
+ * the availability blackout.
+ */
+export declare function guardReadBySensitivity(memories: Memory[]): Memory[];
+/** Apply the sensitivity guard to every memory list in a context summary. */
+export declare function guardContextSummary(summary: ContextSummary): ContextSummary;
+/** Guard a single memory; returns null if the caller may not read it. */
+export declare function guardReadMemory(memory: Memory | null | undefined, source: DefenceSource | undefined): Memory | null;

package/dist/defence/trust/read-guard.js

@@ -0,0 +1,76 @@
+/**
+ * MCP read-path access guard.
+ *
+ * The `.mjs` prompt/session hooks already filter recalled rows before injecting
+ * them into the prompt. The MCP read TOOLS (`get_memory`, `get_related`,
+ * `get_context`, and `recall`) returned rows without applying the access-control
+ * engine consistently — so a low-trust / compromised caller could pull RESTRICTED
+ * or other-source memories verbatim. This guard closes that path by applying the
+ * SAME `checkAccess('read')` tiers the search path uses:
+ *
+ *   - quarantined rows (trustScore === 0) are ALWAYS dropped (pending review);
+ *   - when a caller source is present, rows the caller cannot read are dropped
+ *     (RESTRICTED isolation below trust 0.7, own-only below 0.5);
+ *   - owner / high-trust callers pass through in full (chosen policy — no content
+ *     redaction on the MCP path; that is the prompt-hook surface's job).
+ *
+ * No source → only quarantined rows are dropped (callers that don't resolve an
+ * identity get no source-relative ACL). In practice the MCP server always
+ * resolves a source via resolveToolSource before calling the read tools.
+ */
+import { checkAccess } from './access-control.js';
+/**
+ * Core read decision, shared by the camelCase (Memory) and snake_case (raw row)
+ * guards so the policy lives in exactly one place.
+ */
+function callerCanRead(id, storedSource, sensitivityLevel, trustScore, source) {
+    // Quarantined memories are never surfaced through a normal read.
+    if (trustScore === 0)
+        return false;
+    // Without a caller identity we cannot make a source-relative decision;
+    // surface everything else (the server resolves a source in practice).
+    if (!source)
+        return true;
+    return checkAccess({ id, source: storedSource, sensitivity_level: sensitivityLevel }, source, 'read').canRead;
+}
+/** Filter recalled memories (camelCase Memory) to those the caller may read. */
+export function guardReadMemories(memories, source) {
+    return memories.filter((m) => callerCanRead(m.id, m.source, m.sensitivityLevel, m.trustScore, source));
+}
+/**
+ * Filter raw snake_case DB rows (e.g. the export path's `SELECT *`) to those the
+ * caller may read. Same policy as guardReadMemories, different field casing.
+ */
+export function guardReadRows(rows, source) {
+    return rows.filter((r) => callerCanRead(Number(r.id), r.source ?? null, r.sensitivity_level ?? null, Number(r.trust_score ?? 1), source));
+}
+/**
+ * Sensitivity-only guard for SHARED-CONTEXT bootstrap surfaces (get_context,
+ * start_session, the memory:// resources, restore_context, detect_contradictions).
+ *
+ * These surfaces feed the prompt / a broadly-shared project summary, so they must
+ * NEVER surface RESTRICTED or quarantined rows to ANYONE (matching the .mjs
+ * prompt hooks) — but, unlike the per-caller fetch tools, they do NOT apply the
+ * source-relative own-only tier, so a low-trust subagent still receives the
+ * INTERNAL project context it legitimately needs. Credential isolation without
+ * the availability blackout.
+ */
+export function guardReadBySensitivity(memories) {
+    return memories.filter((m) => m.trustScore !== 0 && m.sensitivityLevel !== 'RESTRICTED');
+}
+/** Apply the sensitivity guard to every memory list in a context summary. */
+export function guardContextSummary(summary) {
+    return {
+        ...summary,
+        recentMemories: guardReadBySensitivity(summary.recentMemories),
+        keyDecisions: guardReadBySensitivity(summary.keyDecisions),
+        activePatterns: guardReadBySensitivity(summary.activePatterns),
+        pendingItems: guardReadBySensitivity(summary.pendingItems),
+    };
+}
+/** Guard a single memory; returns null if the caller may not read it. */
+export function guardReadMemory(memory, source) {
+    if (!memory)
+        return null;
+    return guardReadMemories([memory], source)[0] ?? null;
+}

package/dist/defence/trust/resolve-tool-source.js

@@ -33,6 +33,7 @@ export function resolveToolSource(declaredSource, options) {
                 trust_score: ceilingScore,
                 sensitivity_level: 'PUBLIC',
                 firewall_result: 'BLOCK',
+                operation: null, // source-resolution meta-event, not a memory read/write/delete
                 anomaly_score: 0,
                 threat_indicators: JSON.stringify(['privilege_escalation']),
                 blocked_patterns: '[]',
@@ -62,6 +63,7 @@ export function resolveToolSource(declaredSource, options) {
                 trust_score: 0,
                 sensitivity_level: 'PUBLIC',
                 firewall_result: 'ALLOW',
+                operation: null, // source-resolution meta-event, not a memory read/write/delete
                 anomaly_score: 0,
                 threat_indicators: '[]',
                 blocked_patterns: '[]',

package/dist/defence/types.d.ts

@@ -129,6 +129,8 @@ export interface QuarantineEntry {
     expires_at: string | null;
     audit_id: number | null;
 }
+/** Operation that produced an audit row (provenance ledger discriminator). */
+export type AuditOperation = 'write' | 'read' | 'delete' | 'update';
 export interface AuditEntry {
     id: number;
     memory_id: number | null;
@@ -139,6 +141,14 @@ export interface AuditEntry {
     trust_score: number;
     sensitivity_level: string;
     firewall_result: FirewallResult;
+    /**
+     * The operation that produced this row. Required on every new emission so the
+     * ledger is queryable by read/write/delete; `null` only on legacy rows written
+     * before the provenance-ledger column existed.
+     */
+    operation: AuditOperation | null;
+    /** SHA-256 of the content at write time (tamper-evidence); null for read/delete rows. */
+    content_hash?: string | null;
     anomaly_score: number;
     threat_indicators: string;
     blocked_patterns: string;

package/dist/memory/consolidate.d.ts

@@ -7,6 +7,7 @@
  * - Cleans up decayed/irrelevant memories
  * - Merges similar memories to reduce redundancy
  */
+import type { DefenceSource } from '../defence/types.js';
 import { Memory, MemoryConfig, ConsolidationResult, ContextSummary } from './types.js';
 /**
  * Run full consolidation process
@@ -147,7 +148,7 @@ export declare function getSuggestedContext(currentContext: string, project?: st
 /**
  * Export memories as JSON (for backup/transfer)
  */
-export declare function exportMemories(project?: string): string;
+export declare function exportMemories(project?: string, source?: DefenceSource): string;
 /**
  * Import memories from JSON
  */

package/dist/memory/consolidate.js

@@ -9,6 +9,7 @@
  */
 import { getDatabase, withTransaction } from '../database/init.js';
 import { expireQuarantineItems } from '../defence/quarantine/auto-expire.js';
+import { guardReadRows } from '../defence/trust/read-guard.js';
 import { DEFAULT_CONFIG, } from './types.js';
 import { getMemoriesByType, getRecentMemories, promoteMemory, deleteMemory, searchMemories, getMemoryStats, updateDecayScores, addMemory, rowToMemory, } from './store.js';
 import { processDecay, } from './decay.js';
@@ -794,7 +795,7 @@ export async function getSuggestedContext(currentContext, project, limit = 5) {
 /**
  * Export memories as JSON (for backup/transfer)
  */
-export function exportMemories(project) {
+export function exportMemories(project, source) {
     const db = getDatabase();
     let sql = 'SELECT * FROM memories';
     const params = [];
@@ -804,7 +805,11 @@ export function exportMemories(project) {
     }
     sql += ' ORDER BY created_at ASC';
     const rows = db.prepare(sql).all(...params);
-    return JSON.stringify(rows, null, 2);
+    // Read ACL: a bulk export is the sharpest exfil vector, so apply the same
+    // read guard as the per-tool paths — drop quarantined + rows the caller may
+    // not read (RESTRICTED isolation / own-only for low trust). With no caller
+    // source, only quarantined rows are dropped.
+    return JSON.stringify(guardReadRows(rows, source), null, 2);
 }
 /**
  * Import memories from JSON

package/dist/memory/lifecycle.js

@@ -27,6 +27,7 @@ import { jaccardSimilarity } from './similarity.js';
 import { emitMemoryAccessed, emitMemoryUpdated, persistEvent, } from '../api/events.js';
 import { createMemoryLink } from './links.js';
 import { runDefencePipeline } from '../defence/index.js';
+import { createContentHash } from '../defence/audit/logger.js';
 // Enrichment text is recall-query / caller-derived (attacker-influenced); scan
 // it before persisting. Trust doesn't matter here (the row keeps its own) — we
 // only act on the firewall verdict, so a low-trust web source is fine.
@@ -207,13 +208,15 @@ export function enrichMemory(memoryId, newContext, contextType = 'access') {
     if (defenceResult.firewall.result !== 'ALLOW') {
         return { enriched: false, reason: `Enrichment blocked by defence: ${defenceResult.firewall.reason}` };
     }
-    // Update memory
+    // Update memory (recompute content_hash — the integrity snapshot must track
+    // the enriched content, not the pre-enrichment original).
     db.prepare(`
     UPDATE memories
     SET content = ?,
+        content_hash = ?,
         last_accessed = CURRENT_TIMESTAMP
     WHERE id = ?
-  `).run(newContent, memoryId);
+  `).run(newContent, createContentHash(newContent), memoryId);
     // Update cooldown timestamp
     enrichmentTimestamps.set(memoryId, now);
     // Emit update event for dashboard

package/dist/memory/store.d.ts

@@ -5,7 +5,7 @@
  * Handles storage, retrieval, and management of memories.
  */
 import { Memory, MemoryInput, MemoryType, MemoryConfig } from './types.js';
-import type { DefenceSource } from '../defence/types.js';
+import type { DefenceSource, AuditOperation } from '../defence/types.js';
 export declare const MAX_CONTENT_SIZE: number;
 export declare const UNATTRIBUTED_SOURCE: DefenceSource;
 /**
@@ -20,7 +20,21 @@ export declare function getLastTruncationInfo(): {
  * Convert database row to Memory object
  */
 export declare function rowToMemory(row: Record<string, unknown>): Memory;
-export declare function logAccessDenial(memoryId: number, source: DefenceSource, reason: string): void;
+export declare function logAccessDenial(memoryId: number, source: DefenceSource, reason: string, operation?: AuditOperation): void;
+/**
+ * Provenance ledger: record an ALLOWED read. Emitted ONCE per tool call (not per
+ * row) to keep the audit table bounded — recall returns up to 50 rows, so a
+ * per-row emit would flood it. memory_id carries the single id for single-target
+ * reads; the full id list (capped) goes in blocked_patterns for forensics.
+ */
+export declare function logAllowedRead(source: DefenceSource, tool: string, memoryIds: number[], project?: string | null): void;
+/**
+ * Provenance ledger: record an ALLOWED delete (one row per deleted memory).
+ * memory_id is NULL by design — the row is emitted after the DELETE, and the
+ * audit.memory_id FK is ON DELETE SET NULL, so a live reference can't survive.
+ * The deleted id is preserved in `reason` + `blocked_patterns` for forensics.
+ */
+export declare function logAllowedDelete(memoryId: number, source: DefenceSource, project?: string | null): void;
 /**
  * Error thrown when memory creation is paused
  */