shieldcortex 4.38.0 → 4.39.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--PR51g0pS7Wp0zLzu2q6mQ--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"PR51g0pS7Wp0zLzu2q6mQ\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--LfTY3B6uX3j7zNwqqgvPG--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"LfTY3B6uX3j7zNwqqgvPG\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/api/routes/admin.js

@@ -99,6 +99,8 @@ export function registerAdminRoutes(app, deps) {
                 options.source = req.query.source;
             if (req.query.firewallResult)
                 options.firewallResult = req.query.firewallResult;
+            if (req.query.operation)
+                options.operation = req.query.operation;
             if (req.query.limit)
                 options.limit = parseInt(req.query.limit, 10);
             if (req.query.project)

package/dist/api/routes/memories.js

@@ -587,7 +587,10 @@ export function registerMemoryRoutes(app, deps) {
     }), (req, res) => {
         try {
             const id = parseInt(req.params.id, 10);
-            const success = deleteMemory(id);
+            // Attribute the dashboard delete so it lands on the provenance ledger
+            // (the primary human-initiated delete — the source-less exemption is only
+            // for internal consolidate/merge machinery).
+            const success = deleteMemory(id, { type: 'api', identifier: `dashboard:memory-delete:${id}` });
             if (!success) {
                 return res.status(404).json({ error: 'Memory not found' });
             }
@@ -1235,7 +1238,7 @@ export function registerMemoryRoutes(app, deps) {
             const db = getDatabase();
             db.prepare(`INSERT INTO quarantine (original_title, original_content, source_type, source_identifier, reason, project, status, created_at)
          VALUES (?, ?, ?, ?, ?, ?, 'pending', ?)`).run(memory.title, memory.content, 'dashboard', 'brain-control', req.body.reason || 'Manually quarantined from Brain dashboard', memory.project || null, new Date().toISOString());
-            deleteMemory(id);
+            deleteMemory(id, { type: 'api', identifier: `dashboard:quarantine-delete:${id}` });
             res.json({ success: true, quarantined: id });
         }
         catch (error) {

package/dist/api/visualization-server.js

@@ -187,6 +187,7 @@ export function handleV1Scan(req, res) {
                     trust_score: 0,
                     sensitivity_level: 'RESTRICTED',
                     firewall_result: 'BLOCK',
+                    operation: 'write',
                     anomaly_score: 0.5,
                     threat_indicators: '["config_tampering"]',
                     blocked_patterns: '[]',

package/dist/database/inline-schema.js

@@ -36,6 +36,7 @@ export function getInlineSchema() {
       trust_score REAL DEFAULT 1.0,
       sensitivity_level TEXT DEFAULT 'INTERNAL',
       source TEXT DEFAULT 'user:direct',
+      content_hash TEXT,
       status TEXT DEFAULT 'active' CHECK(status IN ('active', 'archived', 'suppressed', 'canonical')),
       pinned INTEGER DEFAULT 0,
       reviewed_at TIMESTAMP,
@@ -84,6 +85,8 @@ export function getInlineSchema() {
     CREATE INDEX IF NOT EXISTS idx_memories_decayed_score ON memories(decayed_score DESC);
     CREATE INDEX IF NOT EXISTS idx_memories_last_accessed ON memories(last_accessed DESC);
     CREATE INDEX IF NOT EXISTS idx_memories_updated ON memories(updated_at DESC);
+    CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source);
+    CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash);
 
     CREATE TABLE IF NOT EXISTS sessions (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -168,6 +171,8 @@ export function getInlineSchema() {
       trust_score REAL NOT NULL,
       sensitivity_level TEXT NOT NULL DEFAULT 'INTERNAL',
       firewall_result TEXT NOT NULL CHECK(firewall_result IN ('ALLOW', 'BLOCK', 'QUARANTINE')),
+      operation TEXT,
+      content_hash TEXT,
       anomaly_score REAL DEFAULT 0.0,
       threat_indicators TEXT DEFAULT '[]',
       blocked_patterns TEXT DEFAULT '[]',
@@ -182,6 +187,7 @@ export function getInlineSchema() {
     CREATE INDEX IF NOT EXISTS idx_audit_result ON defence_audit(firewall_result);
     CREATE INDEX IF NOT EXISTS idx_audit_source ON defence_audit(source_type);
     CREATE INDEX IF NOT EXISTS idx_audit_project ON defence_audit(project);
+    CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation);
 
     -- Cumulative audit aggregate (single row, id=1) — retention rollup target.
     -- See schema.sql for the rationale.

package/dist/database/migrations.js

@@ -750,4 +750,38 @@ export function runMigrations(database) {
     catch (err) {
         logIfUnexpectedDdlError(err, 'mcp_tool_hashes');
     }
+    // Migration: provenance ledger (v4.39.0) — add an `operation` discriminator
+    // (read/write/delete) and a `content_hash` (write-time tamper-evidence) to
+    // defence_audit, a `content_hash` to memories, and an index on memories.source
+    // for revoke-by-source. Existing rows keep operation/content_hash NULL (legacy,
+    // unclassifiable). Fresh installs get these from schema.sql / inline-schema.ts.
+    try {
+        const auditCols = database.prepare("PRAGMA table_info(defence_audit)").all();
+        if (auditCols.length > 0) {
+            const auditColNames = new Set(auditCols.map((c) => c.name));
+            if (!auditColNames.has('operation')) {
+                database.exec('ALTER TABLE defence_audit ADD COLUMN operation TEXT');
+            }
+            if (!auditColNames.has('content_hash')) {
+                database.exec('ALTER TABLE defence_audit ADD COLUMN content_hash TEXT');
+            }
+        }
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'defence_audit provenance columns (operation, content_hash)');
+    }
+    if (!columnNames.has('content_hash')) {
+        database.exec('ALTER TABLE memories ADD COLUMN content_hash TEXT');
+    }
+    // Indexes in an unconditional, self-healing block: CREATE INDEX IF NOT EXISTS
+    // no-ops if the column already had its index, and back-fills it if the column
+    // exists without it (e.g. a column added by a prior partial run).
+    try {
+        database.exec('CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation)');
+        database.exec('CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash)');
+        database.exec('CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source)');
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'provenance ledger indexes (audit operation, memories content_hash/source)');
+    }
 }

package/dist/database/schema.sql

@@ -24,6 +24,7 @@ CREATE TABLE IF NOT EXISTS memories (
   trust_score REAL DEFAULT 1.0,
   sensitivity_level TEXT DEFAULT 'INTERNAL',
   source TEXT DEFAULT 'user:direct',
+  content_hash TEXT,
   status TEXT DEFAULT 'active' CHECK(status IN ('active', 'archived', 'suppressed', 'canonical')),
   pinned INTEGER DEFAULT 0,
   reviewed_at TIMESTAMP,
@@ -85,6 +86,8 @@ CREATE INDEX IF NOT EXISTS idx_memories_updated ON memories(updated_at DESC);
 CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status);
 CREATE INDEX IF NOT EXISTS idx_memories_pinned ON memories(pinned DESC);
 CREATE INDEX IF NOT EXISTS idx_memories_source_kind ON memories(source_kind);
+CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source);
+CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash);
 
 -- Session tracking for consolidation
 CREATE TABLE IF NOT EXISTS sessions (
@@ -214,6 +217,8 @@ CREATE TABLE IF NOT EXISTS defence_audit (
   trust_score REAL NOT NULL,
   sensitivity_level TEXT NOT NULL DEFAULT 'INTERNAL',
   firewall_result TEXT NOT NULL CHECK(firewall_result IN ('ALLOW', 'BLOCK', 'QUARANTINE')),
+  operation TEXT,                       -- provenance ledger: 'read' | 'write' | 'delete' (NULL on legacy rows)
+  content_hash TEXT,                    -- SHA-256 of content at write time (tamper-evidence)
   anomaly_score REAL DEFAULT 0.0,
   threat_indicators TEXT DEFAULT '[]',  -- JSON array of ThreatIndicator strings
   blocked_patterns TEXT DEFAULT '[]',   -- JSON array of matched patterns
@@ -228,6 +233,7 @@ CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON defence_audit(timestamp DESC);
 CREATE INDEX IF NOT EXISTS idx_audit_result ON defence_audit(firewall_result);
 CREATE INDEX IF NOT EXISTS idx_audit_source ON defence_audit(source_type);
 CREATE INDEX IF NOT EXISTS idx_audit_project ON defence_audit(project);
+CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation);
 
 -- Defence: cumulative audit aggregate (single row, id=1). Retention purges roll
 -- the to-be-deleted rows' lifetime-stat contributions into this row BEFORE

package/dist/defence/audit/logger.js

@@ -15,12 +15,12 @@ export function logAudit(entry) {
         const stmt = db.prepare(`
       INSERT INTO defence_audit (
         memory_id, project, timestamp, source_type, source_identifier,
-        trust_score, sensitivity_level, firewall_result,
+        trust_score, sensitivity_level, firewall_result, operation, content_hash,
         anomaly_score, threat_indicators, blocked_patterns,
         reason, fragmentation_score, pipeline_duration_ms
       ) VALUES (
         @memory_id, @project, @timestamp, @source_type, @source_identifier,
-        @trust_score, @sensitivity_level, @firewall_result,
+        @trust_score, @sensitivity_level, @firewall_result, @operation, @content_hash,
         @anomaly_score, @threat_indicators, @blocked_patterns,
         @reason, @fragmentation_score, @pipeline_duration_ms
       )
@@ -34,6 +34,8 @@ export function logAudit(entry) {
             trust_score: entry.trust_score,
             sensitivity_level: entry.sensitivity_level,
             firewall_result: entry.firewall_result,
+            operation: entry.operation ?? null,
+            content_hash: entry.content_hash ?? null,
             anomaly_score: entry.anomaly_score ?? 0,
             threat_indicators: entry.threat_indicators ?? '[]',
             blocked_patterns: entry.blocked_patterns ?? '[]',

package/dist/defence/audit/queries.js

@@ -22,6 +22,10 @@ export function queryAuditLogs(options = {}) {
         conditions.push('da.firewall_result = @firewallResult');
         params.firewallResult = options.firewallResult;
     }
+    if (options.operation) {
+        conditions.push('da.operation = @operation');
+        params.operation = options.operation;
+    }
     if (options.source) {
         conditions.push('da.source_type = @source');
         params.source = options.source;

package/dist/defence/audit/retention.js

@@ -140,22 +140,32 @@ export function purgeAuditUnderSizePressure(options = {}) {
         const total = db.prepare('SELECT COUNT(*) AS c FROM defence_audit').get().c;
         if (total <= maxRows)
             return 0;
-        // Trim down to the cap by deleting the OLDEST rows. Find the cutoff id: keep
-        // the newest `maxRows` by timestamp, purge everything older.
-        const cutoffRow = db.prepare(`
-      SELECT timestamp FROM defence_audit
-      ORDER BY timestamp DESC
-      LIMIT 1 OFFSET ?
-    `).get(maxRows);
-        if (!cutoffRow)
+        const over = total - maxRows;
+        // Forensic-aware eviction: trim the `over` oldest rows, but evict
+        // LOW-VALUE provenance rows first (ALLOW reads/deletes — the high-volume,
+        // low-forensic-value entries) and only fall back to threat rows
+        // (BLOCK/QUARANTINE, or anything with threat_indicators) once the low-value
+        // rows are exhausted. Otherwise a flood of routine reads would push the
+        // oldest injection/credential-leak records out from under the row cap.
+        const ids = db.prepare(`
+      SELECT id FROM defence_audit
+      ORDER BY
+        CASE WHEN firewall_result = 'ALLOW'
+                  AND operation IN ('read', 'delete')
+                  AND (threat_indicators IS NULL OR threat_indicators IN ('', '[]'))
+             THEN 0 ELSE 1 END ASC,
+        timestamp ASC
+      LIMIT ?
+    `).all(over).map((r) => r.id);
+        if (ids.length === 0)
             return 0;
-        const where = 'timestamp <= ?';
-        const params = [cutoffRow.timestamp];
-        const delta = computeDelta(where, params);
+        const placeholders = ids.map(() => '?').join(',');
+        const where = `id IN (${placeholders})`;
+        const delta = computeDelta(where, ids);
         if (delta.total_scans === 0)
             return 0;
         rollIntoAggregate(delta);
-        const res = db.prepare(`DELETE FROM defence_audit WHERE ${where}`).run(...params);
+        const res = db.prepare(`DELETE FROM defence_audit WHERE ${where}`).run(...ids);
         return Number(res.changes ?? 0);
     })();
 }

package/dist/defence/iron-dome/audit.js

@@ -19,6 +19,7 @@ export function logIronDomeAudit(event) {
             trust_score: 0,
             sensitivity_level: 'PUBLIC',
             firewall_result: event.allowed ? 'ALLOW' : 'BLOCK',
+            operation: null, // iron-dome kill-switch / defence event, not a memory read/write/delete
             anomaly_score: 0,
             threat_indicators: '[]',
             blocked_patterns: '[]',

package/dist/defence/pipeline.js

@@ -11,7 +11,7 @@ import { analyzeFirewall } from './firewall/index.js';
 import { classifySensitivity } from './sensitivity/index.js';
 import { analyzeFragmentation } from './fragmentation/index.js';
 import { scanForCredentials } from './credential-leak/index.js';
-import { logAudit } from './audit/index.js';
+import { logAudit, createContentHash } from './audit/index.js';
 import { persistEvent } from '../api/events.js';
 import { syncToCloud } from '../cloud/sync.js';
 import { syncQuarantineToCloud } from '../cloud/quarantine-sync.js';
@@ -202,6 +202,8 @@ export function runDefencePipeline(content, title, source, config, project) {
             trust_score: trust.score,
             sensitivity_level: sensitivity.level,
             firewall_result: firewall.result,
+            operation: 'write',
+            content_hash: createContentHash(content),
             anomaly_score: firewall.anomalyScore,
             threat_indicators: JSON.stringify(firewall.threatIndicators),
             blocked_patterns: JSON.stringify(firewall.blockedPatterns),
@@ -283,6 +285,7 @@ export function runDefencePipeline(content, title, source, config, project) {
             trust_score: 0,
             sensitivity_level: 'RESTRICTED',
             firewall_result: 'BLOCK',
+            operation: 'write',
             anomaly_score: 1.0,
             threat_indicators: '["pipeline_error"]',
             blocked_patterns: '[]',

package/dist/defence/tool-response-scanner.js

@@ -250,6 +250,7 @@ export function scanToolResponse(toolName, content, mode) {
                 trust_score: 0.5,
                 sensitivity_level: (credentials.leaked || decodedCredentialLeak) ? 'CONFIDENTIAL' : 'PUBLIC',
                 firewall_result: firewallResult,
+                operation: 'read',
                 anomaly_score: anomalyScore,
                 threat_indicators: JSON.stringify(threatIndicators),
                 blocked_patterns: JSON.stringify(blockedPatterns),

package/dist/defence/trust/resolve-tool-source.js

@@ -33,6 +33,7 @@ export function resolveToolSource(declaredSource, options) {
                 trust_score: ceilingScore,
                 sensitivity_level: 'PUBLIC',
                 firewall_result: 'BLOCK',
+                operation: null, // source-resolution meta-event, not a memory read/write/delete
                 anomaly_score: 0,
                 threat_indicators: JSON.stringify(['privilege_escalation']),
                 blocked_patterns: '[]',
@@ -62,6 +63,7 @@ export function resolveToolSource(declaredSource, options) {
                 trust_score: 0,
                 sensitivity_level: 'PUBLIC',
                 firewall_result: 'ALLOW',
+                operation: null, // source-resolution meta-event, not a memory read/write/delete
                 anomaly_score: 0,
                 threat_indicators: '[]',
                 blocked_patterns: '[]',

package/dist/defence/types.d.ts

@@ -129,6 +129,8 @@ export interface QuarantineEntry {
     expires_at: string | null;
     audit_id: number | null;
 }
+/** Operation that produced an audit row (provenance ledger discriminator). */
+export type AuditOperation = 'write' | 'read' | 'delete' | 'update';
 export interface AuditEntry {
     id: number;
     memory_id: number | null;
@@ -139,6 +141,14 @@ export interface AuditEntry {
     trust_score: number;
     sensitivity_level: string;
     firewall_result: FirewallResult;
+    /**
+     * The operation that produced this row. Required on every new emission so the
+     * ledger is queryable by read/write/delete; `null` only on legacy rows written
+     * before the provenance-ledger column existed.
+     */
+    operation: AuditOperation | null;
+    /** SHA-256 of the content at write time (tamper-evidence); null for read/delete rows. */
+    content_hash?: string | null;
     anomaly_score: number;
     threat_indicators: string;
     blocked_patterns: string;

package/dist/memory/lifecycle.js

@@ -27,6 +27,7 @@ import { jaccardSimilarity } from './similarity.js';
 import { emitMemoryAccessed, emitMemoryUpdated, persistEvent, } from '../api/events.js';
 import { createMemoryLink } from './links.js';
 import { runDefencePipeline } from '../defence/index.js';
+import { createContentHash } from '../defence/audit/logger.js';
 // Enrichment text is recall-query / caller-derived (attacker-influenced); scan
 // it before persisting. Trust doesn't matter here (the row keeps its own) — we
 // only act on the firewall verdict, so a low-trust web source is fine.
@@ -207,13 +208,15 @@ export function enrichMemory(memoryId, newContext, contextType = 'access') {
     if (defenceResult.firewall.result !== 'ALLOW') {
         return { enriched: false, reason: `Enrichment blocked by defence: ${defenceResult.firewall.reason}` };
     }
-    // Update memory
+    // Update memory (recompute content_hash — the integrity snapshot must track
+    // the enriched content, not the pre-enrichment original).
     db.prepare(`
     UPDATE memories
     SET content = ?,
+        content_hash = ?,
         last_accessed = CURRENT_TIMESTAMP
     WHERE id = ?
-  `).run(newContent, memoryId);
+  `).run(newContent, createContentHash(newContent), memoryId);
     // Update cooldown timestamp
     enrichmentTimestamps.set(memoryId, now);
     // Emit update event for dashboard

package/dist/memory/store.d.ts

@@ -5,7 +5,7 @@
  * Handles storage, retrieval, and management of memories.
  */
 import { Memory, MemoryInput, MemoryType, MemoryConfig } from './types.js';
-import type { DefenceSource } from '../defence/types.js';
+import type { DefenceSource, AuditOperation } from '../defence/types.js';
 export declare const MAX_CONTENT_SIZE: number;
 export declare const UNATTRIBUTED_SOURCE: DefenceSource;
 /**
@@ -20,7 +20,21 @@ export declare function getLastTruncationInfo(): {
  * Convert database row to Memory object
  */
 export declare function rowToMemory(row: Record<string, unknown>): Memory;
-export declare function logAccessDenial(memoryId: number, source: DefenceSource, reason: string): void;
+export declare function logAccessDenial(memoryId: number, source: DefenceSource, reason: string, operation?: AuditOperation): void;
+/**
+ * Provenance ledger: record an ALLOWED read. Emitted ONCE per tool call (not per
+ * row) to keep the audit table bounded — recall returns up to 50 rows, so a
+ * per-row emit would flood it. memory_id carries the single id for single-target
+ * reads; the full id list (capped) goes in blocked_patterns for forensics.
+ */
+export declare function logAllowedRead(source: DefenceSource, tool: string, memoryIds: number[], project?: string | null): void;
+/**
+ * Provenance ledger: record an ALLOWED delete (one row per deleted memory).
+ * memory_id is NULL by design — the row is emitted after the DELETE, and the
+ * audit.memory_id FK is ON DELETE SET NULL, so a live reference can't survive.
+ * The deleted id is preserved in `reason` + `blocked_patterns` for forensics.
+ */
+export declare function logAllowedDelete(memoryId: number, source: DefenceSource, project?: string | null): void;
 /**
  * Error thrown when memory creation is paused
  */

package/dist/memory/store.js

@@ -21,7 +21,7 @@ import { syncMemoryDeleteToCloud, syncMemoryUpsertToCloud } from '../cloud/memor
 import { isFeatureEnabled } from '../license/gate.js';
 import { checkAccess } from '../defence/trust/access-control.js';
 import { scoreSource } from '../defence/trust/source-scorer.js';
-import { logAudit } from '../defence/audit/logger.js';
+import { logAudit, createContentHash } from '../defence/audit/logger.js';
 import { dispatchWebhook } from '../events/webhooks.js';
 import { safeJsonParse } from './fts.js';
 // Internal use of the link API. links.ts also imports from store.ts (getMemoryById,
@@ -230,7 +230,7 @@ function checkRateLimit(source) {
 // ── Read-Time Access Control ──
 // Exported because search-recall.ts also calls logAccessDenial inside its
 // post-search ACL filter (cycle artifact, not intended public API).
-export function logAccessDenial(memoryId, source, reason) {
+export function logAccessDenial(memoryId, source, reason, operation = 'read') {
     const trust = scoreSource(source).score;
     logAudit({
         memory_id: memoryId,
@@ -241,6 +241,7 @@ export function logAccessDenial(memoryId, source, reason) {
         trust_score: trust,
         sensitivity_level: 'INTERNAL',
         firewall_result: 'BLOCK',
+        operation,
         anomaly_score: 0,
         threat_indicators: '[]',
         blocked_patterns: '[]',
@@ -249,6 +250,58 @@ export function logAccessDenial(memoryId, source, reason) {
         pipeline_duration_ms: 0,
     });
 }
+/**
+ * Provenance ledger: record an ALLOWED read. Emitted ONCE per tool call (not per
+ * row) to keep the audit table bounded — recall returns up to 50 rows, so a
+ * per-row emit would flood it. memory_id carries the single id for single-target
+ * reads; the full id list (capped) goes in blocked_patterns for forensics.
+ */
+export function logAllowedRead(source, tool, memoryIds, project) {
+    if (memoryIds.length === 0)
+        return;
+    logAudit({
+        memory_id: memoryIds.length === 1 ? memoryIds[0] : null,
+        project: project ?? null,
+        timestamp: new Date().toISOString(),
+        source_type: source.type,
+        source_identifier: source.identifier,
+        trust_score: scoreSource(source).score,
+        sensitivity_level: 'INTERNAL',
+        firewall_result: 'ALLOW',
+        operation: 'read',
+        anomaly_score: 0,
+        threat_indicators: '[]',
+        blocked_patterns: JSON.stringify(memoryIds.slice(0, 50)),
+        reason: `read ${memoryIds.length} memor${memoryIds.length === 1 ? 'y' : 'ies'} via ${tool}`,
+        fragmentation_score: null,
+        pipeline_duration_ms: null,
+    });
+}
+/**
+ * Provenance ledger: record an ALLOWED delete (one row per deleted memory).
+ * memory_id is NULL by design — the row is emitted after the DELETE, and the
+ * audit.memory_id FK is ON DELETE SET NULL, so a live reference can't survive.
+ * The deleted id is preserved in `reason` + `blocked_patterns` for forensics.
+ */
+export function logAllowedDelete(memoryId, source, project) {
+    logAudit({
+        memory_id: null,
+        project: project ?? null,
+        timestamp: new Date().toISOString(),
+        source_type: source.type,
+        source_identifier: source.identifier,
+        trust_score: scoreSource(source).score,
+        sensitivity_level: 'INTERNAL',
+        firewall_result: 'ALLOW',
+        operation: 'delete',
+        anomaly_score: 0,
+        threat_indicators: '[]',
+        blocked_patterns: JSON.stringify([memoryId]),
+        reason: `deleted memory #${memoryId}`,
+        fragmentation_score: null,
+        pipeline_duration_ms: null,
+    });
+}
 /**
  * Filter raw DB rows by access control before converting to Memory objects.
  * Returns only rows the source is allowed to read.
@@ -324,6 +377,7 @@ export function addMemory(input, config = DEFAULT_CONFIG, source) {
             trust_score: scoreSource(source).score,
             sensitivity_level: 'INTERNAL',
             firewall_result: 'BLOCK',
+            operation: 'write',
             anomaly_score: 1.0,
             threat_indicators: JSON.stringify(['rate_limit_exceeded']),
             blocked_patterns: '[]',
@@ -413,8 +467,11 @@ export function addMemory(input, config = DEFAULT_CONFIG, source) {
         // defenceResult is always set now (every write is scanned), so always stamp
         // the pipeline's real trust + sensitivity alongside the resolved source —
         // no source-less branch can default to trust 1.0 / unscanned INTERNAL.
-        db.prepare(`UPDATE memories SET trust_score = ?, sensitivity_level = ?, source = ? WHERE id = ?`)
-            .run(defenceResult.trust.score, defenceResult.sensitivity.level, sourceDetails.sourceValue, result.lastInsertRowid);
+        db.prepare(`UPDATE memories SET trust_score = ?, sensitivity_level = ?, source = ?, content_hash = ? WHERE id = ?`)
+            // content_hash = SHA-256 of the SUBMITTED content (a write-time provenance
+            // snapshot), matching the write-audit row in pipeline.ts. Consistent for
+            // >10KB memories too (where the STORED content is truncated).
+            .run(defenceResult.trust.score, defenceResult.sensitivity.level, sourceDetails.sourceValue, createContentHash(input.content), result.lastInsertRowid);
         return result.lastInsertRowid;
     })();
     const memory = getMemoryById(insertedId);
@@ -701,6 +758,14 @@ export function updateMemory(id, updates) {
     if (embeddedTextChanged) {
         fields.push('embedding = NULL');
     }
+    // STALENESS: content_hash is a write-time integrity snapshot. When content
+    // changes it must be recomputed in the SAME UPDATE — otherwise the stored hash
+    // refers to the old content and any tamper check false-positives on a
+    // legitimately-edited memory.
+    if (updates.content !== undefined) {
+        fields.push('content_hash = ?');
+        values.push(createContentHash(updates.content));
+    }
     if (fields.length === 0)
         return existing;
     values.push(id);
@@ -721,6 +786,28 @@ export function updateMemory(id, updates) {
             console.error('[shieldcortex] Entity extraction refresh failed:', e);
         }
     }
+    // Provenance ledger: a content/title change is an update-class mutation.
+    if (updates.content !== undefined || updates.title !== undefined) {
+        const changed = [updates.title !== undefined ? 'title' : null, updates.content !== undefined ? 'content' : null].filter(Boolean).join('+');
+        logAudit({
+            memory_id: id,
+            project: updatedMemory.project ?? null,
+            timestamp: new Date().toISOString(),
+            source_type: 'cli',
+            source_identifier: 'memory-update',
+            trust_score: updatedMemory.trustScore ?? 1,
+            sensitivity_level: updatedMemory.sensitivityLevel ?? 'INTERNAL',
+            firewall_result: 'ALLOW',
+            operation: 'update',
+            content_hash: updates.content !== undefined ? createContentHash(updates.content) : null,
+            anomaly_score: 0,
+            threat_indicators: '[]',
+            blocked_patterns: '[]',
+            reason: `updated memory #${id} (${changed})`,
+            fragmentation_score: null,
+            pipeline_duration_ms: null,
+        });
+    }
     // Emit event for real-time dashboard (in-process)
     emitMemoryUpdated(updatedMemory);
     // Persist event for cross-process IPC (MCP → Dashboard)
@@ -804,6 +891,7 @@ export function mergeMemories(keptId, removedId, options, source = { type: 'cli'
         db.prepare(`
       UPDATE memories
       SET content = ?,
+          content_hash = ?,
           tags = ?,
           salience = ?,
           project = ?,
@@ -822,7 +910,7 @@ export function mergeMemories(keptId, removedId, options, source = { type: 'cli'
           embedding = NULL,
           updated_at = CURRENT_TIMESTAMP
       WHERE id = ?
-    `).run(mergedContent, JSON.stringify(mergedTags), mergedSalience, mergedProject, JSON.stringify(mergedMetadata), mergedScope, mergedTransferable ? 1 : 0, mergedStatus, mergedPinned ? 1 : 0, mergedReviewedBy, new Date().toISOString(), mergedTrustScore, mergedSensitivity, mergedCloudExcluded ? 1 : 0, mergedAccessCount, mergedLastAccessed, kept.id);
+    `).run(mergedContent, createContentHash(mergedContent), JSON.stringify(mergedTags), mergedSalience, mergedProject, JSON.stringify(mergedMetadata), mergedScope, mergedTransferable ? 1 : 0, mergedStatus, mergedPinned ? 1 : 0, mergedReviewedBy, new Date().toISOString(), mergedTrustScore, mergedSensitivity, mergedCloudExcluded ? 1 : 0, mergedAccessCount, mergedLastAccessed, kept.id);
         const updatedMemory = getMemoryById(kept.id);
         try {
             const extraction = extractFromMemory(updatedMemory.title, updatedMemory.content, updatedMemory.category);
@@ -856,7 +944,7 @@ export function deleteMemory(id, source) {
         if (row) {
             const policy = checkAccess({ id: row.id, source: row.source, sensitivity_level: row.sensitivity_level }, source, 'delete');
             if (!policy.canDelete) {
-                logAccessDenial(id, source, policy.reason);
+                logAccessDenial(id, source, policy.reason, 'delete');
                 return false;
             }
         }
@@ -874,6 +962,12 @@ export function deleteMemory(id, source) {
     const result = db.prepare('DELETE FROM memories WHERE id = ?').run(id);
     // Emit event for real-time dashboard (in-process)
     if (result.changes > 0 && memory) {
+        // Provenance ledger: record the allowed delete (one row per memory) when the
+        // caller is attributed. Internal source-less deletes (merge/consolidation)
+        // are machinery, not user actions, so they're not audited here.
+        if (source) {
+            logAllowedDelete(id, source, memory.project ?? null);
+        }
         if (isFeatureEnabled('cloud_sync')) {
             syncMemoryDeleteToCloud(memory);
             syncGraphDeleteForMemoryToCloud(memory);