shieldcortex 4.37.0 → 4.39.0

package/dist/memory/store.js

@@ -21,7 +21,7 @@ import { syncMemoryDeleteToCloud, syncMemoryUpsertToCloud } from '../cloud/memor
 import { isFeatureEnabled } from '../license/gate.js';
 import { checkAccess } from '../defence/trust/access-control.js';
 import { scoreSource } from '../defence/trust/source-scorer.js';
-import { logAudit } from '../defence/audit/logger.js';
+import { logAudit, createContentHash } from '../defence/audit/logger.js';
 import { dispatchWebhook } from '../events/webhooks.js';
 import { safeJsonParse } from './fts.js';
 // Internal use of the link API. links.ts also imports from store.ts (getMemoryById,
@@ -230,7 +230,7 @@ function checkRateLimit(source) {
 // ── Read-Time Access Control ──
 // Exported because search-recall.ts also calls logAccessDenial inside its
 // post-search ACL filter (cycle artifact, not intended public API).
-export function logAccessDenial(memoryId, source, reason) {
+export function logAccessDenial(memoryId, source, reason, operation = 'read') {
     const trust = scoreSource(source).score;
     logAudit({
         memory_id: memoryId,
@@ -241,6 +241,7 @@ export function logAccessDenial(memoryId, source, reason) {
         trust_score: trust,
         sensitivity_level: 'INTERNAL',
         firewall_result: 'BLOCK',
+        operation,
         anomaly_score: 0,
         threat_indicators: '[]',
         blocked_patterns: '[]',
@@ -249,6 +250,58 @@ export function logAccessDenial(memoryId, source, reason) {
         pipeline_duration_ms: 0,
     });
 }
+/**
+ * Provenance ledger: record an ALLOWED read. Emitted ONCE per tool call (not per
+ * row) to keep the audit table bounded — recall returns up to 50 rows, so a
+ * per-row emit would flood it. memory_id carries the single id for single-target
+ * reads; the full id list (capped) goes in blocked_patterns for forensics.
+ */
+export function logAllowedRead(source, tool, memoryIds, project) {
+    if (memoryIds.length === 0)
+        return;
+    logAudit({
+        memory_id: memoryIds.length === 1 ? memoryIds[0] : null,
+        project: project ?? null,
+        timestamp: new Date().toISOString(),
+        source_type: source.type,
+        source_identifier: source.identifier,
+        trust_score: scoreSource(source).score,
+        sensitivity_level: 'INTERNAL',
+        firewall_result: 'ALLOW',
+        operation: 'read',
+        anomaly_score: 0,
+        threat_indicators: '[]',
+        blocked_patterns: JSON.stringify(memoryIds.slice(0, 50)),
+        reason: `read ${memoryIds.length} memor${memoryIds.length === 1 ? 'y' : 'ies'} via ${tool}`,
+        fragmentation_score: null,
+        pipeline_duration_ms: null,
+    });
+}
+/**
+ * Provenance ledger: record an ALLOWED delete (one row per deleted memory).
+ * memory_id is NULL by design — the row is emitted after the DELETE, and the
+ * audit.memory_id FK is ON DELETE SET NULL, so a live reference can't survive.
+ * The deleted id is preserved in `reason` + `blocked_patterns` for forensics.
+ */
+export function logAllowedDelete(memoryId, source, project) {
+    logAudit({
+        memory_id: null,
+        project: project ?? null,
+        timestamp: new Date().toISOString(),
+        source_type: source.type,
+        source_identifier: source.identifier,
+        trust_score: scoreSource(source).score,
+        sensitivity_level: 'INTERNAL',
+        firewall_result: 'ALLOW',
+        operation: 'delete',
+        anomaly_score: 0,
+        threat_indicators: '[]',
+        blocked_patterns: JSON.stringify([memoryId]),
+        reason: `deleted memory #${memoryId}`,
+        fragmentation_score: null,
+        pipeline_duration_ms: null,
+    });
+}
 /**
  * Filter raw DB rows by access control before converting to Memory objects.
  * Returns only rows the source is allowed to read.
@@ -324,6 +377,7 @@ export function addMemory(input, config = DEFAULT_CONFIG, source) {
             trust_score: scoreSource(source).score,
             sensitivity_level: 'INTERNAL',
             firewall_result: 'BLOCK',
+            operation: 'write',
             anomaly_score: 1.0,
             threat_indicators: JSON.stringify(['rate_limit_exceeded']),
             blocked_patterns: '[]',
@@ -413,8 +467,11 @@ export function addMemory(input, config = DEFAULT_CONFIG, source) {
         // defenceResult is always set now (every write is scanned), so always stamp
         // the pipeline's real trust + sensitivity alongside the resolved source —
         // no source-less branch can default to trust 1.0 / unscanned INTERNAL.
-        db.prepare(`UPDATE memories SET trust_score = ?, sensitivity_level = ?, source = ? WHERE id = ?`)
-            .run(defenceResult.trust.score, defenceResult.sensitivity.level, sourceDetails.sourceValue, result.lastInsertRowid);
+        db.prepare(`UPDATE memories SET trust_score = ?, sensitivity_level = ?, source = ?, content_hash = ? WHERE id = ?`)
+            // content_hash = SHA-256 of the SUBMITTED content (a write-time provenance
+            // snapshot), matching the write-audit row in pipeline.ts. Consistent for
+            // >10KB memories too (where the STORED content is truncated).
+            .run(defenceResult.trust.score, defenceResult.sensitivity.level, sourceDetails.sourceValue, createContentHash(input.content), result.lastInsertRowid);
         return result.lastInsertRowid;
     })();
     const memory = getMemoryById(insertedId);
@@ -701,6 +758,14 @@ export function updateMemory(id, updates) {
     if (embeddedTextChanged) {
         fields.push('embedding = NULL');
     }
+    // STALENESS: content_hash is a write-time integrity snapshot. When content
+    // changes it must be recomputed in the SAME UPDATE — otherwise the stored hash
+    // refers to the old content and any tamper check false-positives on a
+    // legitimately-edited memory.
+    if (updates.content !== undefined) {
+        fields.push('content_hash = ?');
+        values.push(createContentHash(updates.content));
+    }
     if (fields.length === 0)
         return existing;
     values.push(id);
@@ -721,6 +786,28 @@ export function updateMemory(id, updates) {
             console.error('[shieldcortex] Entity extraction refresh failed:', e);
         }
     }
+    // Provenance ledger: a content/title change is an update-class mutation.
+    if (updates.content !== undefined || updates.title !== undefined) {
+        const changed = [updates.title !== undefined ? 'title' : null, updates.content !== undefined ? 'content' : null].filter(Boolean).join('+');
+        logAudit({
+            memory_id: id,
+            project: updatedMemory.project ?? null,
+            timestamp: new Date().toISOString(),
+            source_type: 'cli',
+            source_identifier: 'memory-update',
+            trust_score: updatedMemory.trustScore ?? 1,
+            sensitivity_level: updatedMemory.sensitivityLevel ?? 'INTERNAL',
+            firewall_result: 'ALLOW',
+            operation: 'update',
+            content_hash: updates.content !== undefined ? createContentHash(updates.content) : null,
+            anomaly_score: 0,
+            threat_indicators: '[]',
+            blocked_patterns: '[]',
+            reason: `updated memory #${id} (${changed})`,
+            fragmentation_score: null,
+            pipeline_duration_ms: null,
+        });
+    }
     // Emit event for real-time dashboard (in-process)
     emitMemoryUpdated(updatedMemory);
     // Persist event for cross-process IPC (MCP → Dashboard)
@@ -804,6 +891,7 @@ export function mergeMemories(keptId, removedId, options, source = { type: 'cli'
         db.prepare(`
       UPDATE memories
       SET content = ?,
+          content_hash = ?,
           tags = ?,
           salience = ?,
           project = ?,
@@ -822,7 +910,7 @@ export function mergeMemories(keptId, removedId, options, source = { type: 'cli'
           embedding = NULL,
           updated_at = CURRENT_TIMESTAMP
       WHERE id = ?
-    `).run(mergedContent, JSON.stringify(mergedTags), mergedSalience, mergedProject, JSON.stringify(mergedMetadata), mergedScope, mergedTransferable ? 1 : 0, mergedStatus, mergedPinned ? 1 : 0, mergedReviewedBy, new Date().toISOString(), mergedTrustScore, mergedSensitivity, mergedCloudExcluded ? 1 : 0, mergedAccessCount, mergedLastAccessed, kept.id);
+    `).run(mergedContent, createContentHash(mergedContent), JSON.stringify(mergedTags), mergedSalience, mergedProject, JSON.stringify(mergedMetadata), mergedScope, mergedTransferable ? 1 : 0, mergedStatus, mergedPinned ? 1 : 0, mergedReviewedBy, new Date().toISOString(), mergedTrustScore, mergedSensitivity, mergedCloudExcluded ? 1 : 0, mergedAccessCount, mergedLastAccessed, kept.id);
         const updatedMemory = getMemoryById(kept.id);
         try {
             const extraction = extractFromMemory(updatedMemory.title, updatedMemory.content, updatedMemory.category);
@@ -856,7 +944,7 @@ export function deleteMemory(id, source) {
         if (row) {
             const policy = checkAccess({ id: row.id, source: row.source, sensitivity_level: row.sensitivity_level }, source, 'delete');
             if (!policy.canDelete) {
-                logAccessDenial(id, source, policy.reason);
+                logAccessDenial(id, source, policy.reason, 'delete');
                 return false;
             }
         }
@@ -874,6 +962,12 @@ export function deleteMemory(id, source) {
     const result = db.prepare('DELETE FROM memories WHERE id = ?').run(id);
     // Emit event for real-time dashboard (in-process)
     if (result.changes > 0 && memory) {
+        // Provenance ledger: record the allowed delete (one row per memory) when the
+        // caller is attributed. Internal source-less deletes (merge/consolidation)
+        // are machinery, not user actions, so they're not audited here.
+        if (source) {
+            logAllowedDelete(id, source, memory.project ?? null);
+        }
         if (isFeatureEnabled('cloud_sync')) {
             syncMemoryDeleteToCloud(memory);
             syncGraphDeleteForMemoryToCloud(memory);

package/dist/server.js

@@ -12,11 +12,11 @@ import { getCurrentVersion } from './api/version.js';
 import { initProjectContext, getActiveProject, setActiveProject, getProjectContextInfo, GLOBAL_PROJECT_SENTINEL, } from './context/project-context.js';
 // Import tools
 import { executeRemember, formatRememberResult } from './tools/remember.js';
-import { executeRecall, formatRecallResult, executeGetMemory, formatMemory } from './tools/recall.js';
+import { executeRecall, formatRecallResult, executeGetMemory, executeGetRelated, formatMemory } from './tools/recall.js';
 import { executeForget, formatForgetResult } from './tools/forget.js';
 import { executeGetContext, executeStartSession, executeEndSession, executeConsolidate, executeStats, formatStats, executeExport, executeImport, } from './tools/context.js';
 import { generateContextSummary, formatContextSummary, fullCleanup } from './memory/consolidate.js';
-import { getHighPriorityMemories, getRecentMemories, getRelatedMemories, createMemoryLink } from './memory/store.js';
+import { getHighPriorityMemories, getRecentMemories, createMemoryLink } from './memory/store.js';
 import { detectContradictions } from './memory/contradiction.js';
 import { handleGraphQuery, handleGraphEntities, handleGraphExplain } from './tools/graph.js';
 import { checkDatabaseSize } from './database/init.js';
@@ -25,6 +25,7 @@ import { scanExistingMemories } from './defence/scanner/index.js';
 import { resolveToolSource as resolveToolSourceImpl } from './defence/trust/resolve-tool-source.js';
 import { scanToolResponse, shouldScanToolResponse } from './defence/tool-response-scanner.js';
 import { UNTRUSTED_TOOL_TAG } from './defence/tool-response-enforce.js';
+import { guardReadBySensitivity, guardContextSummary } from './defence/trust/read-guard.js';
 import { getToolResponseScanConfig } from './cloud/config.js';
 import { checkKillPhrase } from './defence/iron-dome/index.js';
 import { isKillSwitchActive, getKillSwitchMeta, assertOperationAllowed, activateKillSwitch, deactivateKillSwitch, KillSwitchError, } from './api/control.js';
@@ -410,8 +411,10 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
     // Export memories
     server.tool('export_memories', 'Export memories as JSON for backup.', {
         project: z.string().optional().describe('Project scope. Auto-detected if not provided. Use "*" for all projects.'),
+        source: sourceParam,
     }, { title: 'Export Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('export_memories', async (args) => {
-        const result = executeExport(args);
+        const source = resolveToolSource(args.source, 'export_memories');
+        const result = executeExport({ ...args, source });
         return {
             content: [{
                     type: 'text',
@@ -456,8 +459,14 @@ Returns: architecture decisions, patterns, pending items, recent activity.`, {
     // Get Related Memories
     server.tool('get_related', 'Get memories related to a specific memory. Shows connections and relationships.', {
         id: z.number().describe('Memory ID to find relationships for'),
+        source: sourceParam,
     }, { title: 'Get Related Memories', readOnlyHint: true, destructiveHint: false, idempotentHint: true }, withKillSwitchGuard('memory_read', withResponseScan('get_related', async (args) => {
-        const related = getRelatedMemories(args.id);
+        const source = resolveToolSource(args.source, 'get_related');
+        const result = executeGetRelated({ id: args.id, source });
+        if (!result.success) {
+            return { content: [{ type: 'text', text: `Error: ${result.error}` }], isError: true };
+        }
+        const related = result.related;
         if (related.length === 0) {
             return { content: [{ type: 'text', text: 'No related memories found.' }] };
         }
@@ -536,7 +545,10 @@ but you can use this tool to check for new contradictions at any time.`, {
             category: args.category,
             minScore: args.minScore,
             limit: args.limit,
-        });
+        }).filter(
+        // Drop a pair if either side is RESTRICTED/quarantined (don't leak a
+        // credential-class memory's title via a contradiction listing).
+        (c) => guardReadBySensitivity([c.memoryA, c.memoryB]).length === 2);
         if (contradictions.length === 0) {
             return { content: [{ type: 'text', text: 'No contradictions detected.' }] };
         }
@@ -942,7 +954,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (isKillSwitchActive()) {
             return { contents: [{ uri: 'memory://context', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
         }
-        const summary = await generateContextSummary();
+        // Shared-context resource: strip RESTRICTED + quarantined (sensitivity guard).
+        const summary = guardContextSummary(await generateContextSummary());
         return {
             contents: [{
                     uri: 'memory://context',
@@ -956,7 +969,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (isKillSwitchActive()) {
             return { contents: [{ uri: 'memory://important', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
         }
-        const memories = getHighPriorityMemories(20);
+        // Shared-context resource: strip RESTRICTED + quarantined before exposing content.
+        const memories = guardReadBySensitivity(getHighPriorityMemories(20));
         const text = memories.map(m => `## ${m.title}\n${m.content}\n*${m.category} | ${(m.salience * 100).toFixed(0)}% salience*\n`).join('\n');
         return {
             contents: [{
@@ -971,7 +985,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
         if (isKillSwitchActive()) {
             return { contents: [{ uri: 'memory://recent', mimeType: 'text/plain', text: '[KILL SWITCH ACTIVE] Memory access blocked.' }] };
         }
-        const memories = getRecentMemories(15);
+        // Shared-context resource: strip RESTRICTED + quarantined before exposing content.
+        const memories = guardReadBySensitivity(getRecentMemories(15));
         const text = memories.map(m => `- **${m.title}** (${m.category}): ${m.content.slice(0, 100)}...`).join('\n');
         return {
             contents: [{
@@ -991,7 +1006,8 @@ Runs injection detection (40+ patterns) and credential leak scanning (25+ provid
                 messages: [{ role: 'user', content: { type: 'text', text: '[KILL SWITCH ACTIVE] Context restoration blocked. Use iron_dome_resume to resume.' } }],
             };
         }
-        const summary = await generateContextSummary();
+        // Shared-context prompt: strip RESTRICTED + quarantined (sensitivity guard).
+        const summary = guardContextSummary(await generateContextSummary());
         const context = formatContextSummary(summary);
         return {
             messages: [{

package/dist/tools/context.d.ts

@@ -8,6 +8,7 @@ import { z } from 'zod';
 import { getMemoryStats } from '../memory/store.js';
 import { type SalienceDistribution } from '../memory/metrics.js';
 import { Memory, ContextSummary, ConsolidationResult } from '../memory/types.js';
+import type { DefenceSource } from '../defence/types.js';
 export declare const getContextSchema: z.ZodObject<{
     project: z.ZodOptional<z.ZodString>;
     query: z.ZodOptional<z.ZodString>;
@@ -132,6 +133,7 @@ export declare const exportSchema: z.ZodObject<{
 }>;
 export declare function executeExport(input: {
     project?: string;
+    source?: DefenceSource;
 }): {
     success: boolean;
     data?: string;

package/dist/tools/context.js

@@ -6,10 +6,11 @@
  */
 import { z } from 'zod';
 import { generateContextSummary, formatContextSummary, startSession, endSession, getSuggestedContext, consolidate, previewConsolidation, exportMemories, importMemories, } from '../memory/consolidate.js';
-import { getMemoryStats } from '../memory/store.js';
+import { getMemoryStats, logAllowedRead } from '../memory/store.js';
 import { getSalienceDistribution } from '../memory/metrics.js';
 import { getDatabase } from '../database/init.js';
 import { resolveProject } from '../context/project-context.js';
+import { guardReadBySensitivity, guardContextSummary } from '../defence/trust/read-guard.js';
 // Input schema for getting context
 export const getContextSchema = z.object({
     project: z.string().optional().describe('Project to get context for'),
@@ -29,12 +30,18 @@ export async function executeGetContext(input) {
         // Resolve project (auto-detect if not provided)
         const resolvedProject = resolveProject(input.project);
         const projectFilter = resolvedProject ?? undefined;
+        // Read guard: get_context is a SHARED-CONTEXT bootstrap surface that feeds
+        // the prompt, so strip RESTRICTED + quarantined for everyone (matching the
+        // .mjs prompt hooks) but keep INTERNAL project context available — a
+        // sensitivity guard, not the per-caller own-only ACL, so a low-trust
+        // subagent isn't blacked out from the context it needs. Owner-specific
+        // RESTRICTED retrieval is the explicit get_memory tool's job.
         // Generate context summary
-        const summary = await generateContextSummary(projectFilter);
+        const summary = guardContextSummary(await generateContextSummary(projectFilter));
         // If there's a query, also get specifically relevant memories
         let relevantMemories = [];
         if (input.query) {
-            relevantMemories = await getSuggestedContext(input.query, projectFilter, 5);
+            relevantMemories = guardReadBySensitivity(await getSuggestedContext(input.query, projectFilter, 5));
         }
         // Format based on requested format
         let context;
@@ -54,6 +61,16 @@ export async function executeGetContext(input) {
                 }
                 break;
         }
+        // Provenance ledger: one allowed-read row per get_context call, covering
+        // every memory surfaced into the context.
+        const source = input.source;
+        if (source) {
+            const surfacedIds = [
+                ...summary.recentMemories, ...summary.keyDecisions,
+                ...summary.activePatterns, ...summary.pendingItems, ...relevantMemories,
+            ].map(m => m.id);
+            logAllowedRead(source, 'get_context', [...new Set(surfacedIds)], projectFilter);
+        }
         return {
             success: true,
             context,
@@ -133,7 +150,10 @@ export async function executeStartSession(input) {
         const resolvedProject = resolveProject(input.project);
         const projectFilter = resolvedProject ?? undefined;
         const { sessionId, context } = await startSession(projectFilter);
-        const formattedContext = formatContextSummary(context);
+        // Read guard: start_session is a shared-context bootstrap surface (sibling of
+        // get_context) — strip RESTRICTED + quarantined before formatting so the
+        // session preamble never leaks credential-class memories.
+        const formattedContext = formatContextSummary(guardContextSummary(context));
         return {
             success: true,
             sessionId,
@@ -257,8 +277,13 @@ export function executeExport(input) {
         // Resolve project (auto-detect if not provided)
         const resolvedProject = resolveProject(input.project);
         const projectFilter = resolvedProject ?? undefined;
-        const data = exportMemories(projectFilter);
+        // Read ACL: filter the bulk dump to rows this caller may read.
+        const data = exportMemories(projectFilter, input.source);
         const memories = JSON.parse(data);
+        // Provenance ledger: a bulk export is the highest-value read to audit.
+        if (input.source) {
+            logAllowedRead(input.source, 'export_memories', memories.map(m => m.id), projectFilter);
+        }
         return {
             success: true,
             data,

package/dist/tools/recall.d.ts

@@ -4,6 +4,7 @@
  * Search and retrieve memories using semantic search and filters.
  */
 import { z } from 'zod';
+import { getRelatedMemories } from '../memory/store.js';
 import { Memory } from '../memory/types.js';
 import type { DefenceSource } from '../defence/types.js';
 export declare const recallSchema: z.ZodObject<{
@@ -114,3 +115,17 @@ export declare function executeGetMemory(input: {
     memory?: Memory;
     error?: string;
 };
+/**
+ * Execute the get_related tool — related memories, ACL-filtered.
+ *
+ * Related links can cross trust/sensitivity boundaries, so the same read ACL
+ * applies: a caller only sees related memories it is permitted to read.
+ */
+export declare function executeGetRelated(input: {
+    id: number;
+    source?: DefenceSource;
+}): {
+    success: boolean;
+    related?: ReturnType<typeof getRelatedMemories>;
+    error?: string;
+};

package/dist/tools/recall.js

@@ -4,11 +4,12 @@
  * Search and retrieve memories using semantic search and filters.
  */
 import { z } from 'zod';
-import { searchMemories, recallWithEmbeddings, accessMemory, getRecentMemories, getHighPriorityMemories } from '../memory/store.js';
+import { searchMemories, recallWithEmbeddings, accessMemory, getRecentMemories, getHighPriorityMemories, getRelatedMemories, logAllowedRead } from '../memory/store.js';
 import { formatTimeSinceAccess } from '../memory/decay.js';
 import { MemoryNotFoundError, formatErrorForMcp } from '../errors.js';
 import { resolveProject } from '../context/project-context.js';
 import { memoryFreshnessWarning } from '../memory/staleness.js';
+import { guardReadMemories, guardReadMemory } from '../defence/trust/read-guard.js';
 const sourceSchema = z.object({
     type: z.enum(['user', 'cli', 'hook', 'email', 'web', 'agent', 'file', 'api', 'tool_response']),
     identifier: z.string(),
@@ -99,6 +100,11 @@ export async function executeRecall(input) {
                 }
                 break;
         }
+        // Read ACL: drop quarantined + rows this caller may not read (RESTRICTED
+        // isolation / own-only for low trust). Belt-and-braces — the recent/important
+        // store helpers + search already apply access control, but this keeps every
+        // recall mode uniform and never reinforces a row the caller can't see.
+        memories = guardReadMemories(memories, source);
         // Access each memory to reinforce it
         memories = memories.map(m => accessMemory(m.id, undefined, source) || m);
         // v4.0.0: Append staleness warnings to old memories
@@ -109,6 +115,9 @@ export async function executeRecall(input) {
             }
             return m;
         });
+        // Provenance ledger: one allowed-read row per recall call (not per memory).
+        if (source)
+            logAllowedRead(source, `recall:${input.mode}`, memories.map(m => m.id), projectFilter);
         return {
             success: true,
             memories,
@@ -180,14 +189,41 @@ export const getMemorySchema = z.object({
 export function executeGetMemory(input) {
     try {
         const memory = accessMemory(input.id, undefined, input.source);
-        if (!memory) {
+        // Read ACL: a caller that may not read this memory gets a not-found, never
+        // the content (don't reveal existence of RESTRICTED / other-source rows).
+        const allowed = guardReadMemory(memory, input.source);
+        if (!allowed) {
             const error = new MemoryNotFoundError(input.id);
             return {
                 success: false,
                 error: error.toUserMessage(),
             };
         }
-        return { success: true, memory };
+        if (input.source)
+            logAllowedRead(input.source, 'get_memory', [allowed.id], allowed.project ?? null);
+        return { success: true, memory: allowed };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: formatErrorForMcp(error),
+        };
+    }
+}
+/**
+ * Execute the get_related tool — related memories, ACL-filtered.
+ *
+ * Related links can cross trust/sensitivity boundaries, so the same read ACL
+ * applies: a caller only sees related memories it is permitted to read.
+ */
+export function executeGetRelated(input) {
+    try {
+        const related = getRelatedMemories(input.id);
+        const allowedIds = new Set(guardReadMemories(related.map((r) => r.memory), input.source).map((m) => m.id));
+        if (input.source && allowedIds.size > 0) {
+            logAllowedRead(input.source, 'get_related', [...allowedIds]);
+        }
+        return { success: true, related: related.filter((r) => allowedIds.has(r.memory.id)) };
     }
     catch (error) {
         return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shieldcortex",
-  "version": "4.37.0",
+  "version": "4.39.0",
   "description": "Trustworthy memory and security for AI agents. Recall debugging, review queue, OpenClaw session capture, and memory poisoning defence for Claude Code, Codex, OpenClaw, LangChain, and MCP agents.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",