shieldcortex 4.38.0 → 4.40.0

package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html

@@ -1,2 +1,2 @@
-<!DOCTYPE html><!--PR51g0pS7Wp0zLzu2q6mQ--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
-@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"PR51g0pS7Wp0zLzu2q6mQ\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>
+<!DOCTYPE html><!--UA_86bJ_tNIyDXr_i0gK6--><html id="__next_error__"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/d878b929b21636c4.js"/><script src="/_next/static/chunks/f70f563804550a9c.js" async=""></script><script src="/_next/static/chunks/43d761df92da7cb6.js" async=""></script><script src="/_next/static/chunks/e281719dbabcca1d.js" async=""></script><script src="/_next/static/chunks/9e56d1f8f4d7adcb.js" async=""></script><script src="/_next/static/chunks/turbopack-768a6a8b9db952e0.js" async=""></script><script src="/_next/static/chunks/102f894cc892994d.js" async=""></script><script src="/_next/static/chunks/417032eeb2cd875f.js" async=""></script><meta name="next-size-adjust" content=""/><title>500: Internal Server Error.</title><script src="/_next/static/chunks/a6dad97d9634a72d.js" noModule=""></script></head><body><div hidden=""><!--$--><!--/$--></div><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div style="line-height:48px"><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}
+@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding-right:23px;font-size:24px;font-weight:500;vertical-align:top">500</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:28px">Internal Server Error.</h2></div></div></div><!--$--><!--/$--><script src="/_next/static/chunks/d878b929b21636c4.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[57043,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n3:I[27657,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n4:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"OutletBoundary\"]\n5:\"$Sreact.suspense\"\n7:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"ViewportBoundary\"]\n9:I[56978,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"MetadataBoundary\"]\nb:I[30687,[\"/_next/static/chunks/102f894cc892994d.js\",\"/_next/static/chunks/417032eeb2cd875f.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"UA_86bJ-tNIyDXr-i0gK6\",\"c\":[\"\",\"_global-error\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"__PAGE__\",{}]}],[[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L2\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L3\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}],{\"children\":[[\"$\",\"$1\",\"c\",{\"children\":[[\"$\",\"html\",null,{\"id\":\"__next_error__\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"title\",null,{\"children\":\"500: Internal Server Error.\"}]}],[\"$\",\"body\",null,{\"children\":[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"style\":{\"lineHeight\":\"48px\"},\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}\\n@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"paddingRight\":23,\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\"},\"children\":\"500\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"28px\"},\"children\":\"Internal Server Error.\"}]}]]}]}]}]]}],[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/102f894cc892994d.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/417032eeb2cd875f.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L4\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@6\"}]}]]}],{},null,false,false]},null,false,false],[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L7\",null,{\"children\":\"$L8\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$5\",null,{\"name\":\"Next.Metadata\",\"children\":\"$La\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}],false]],\"m\":\"$undefined\",\"G\":[\"$b\",\"$undefined\"],\"S\":true}\n"])</script><script>self.__next_f.push([1,"8:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\na:[]\n"])</script></body></html>

package/dist/api/routes/admin.js

@@ -99,6 +99,8 @@ export function registerAdminRoutes(app, deps) {
                 options.source = req.query.source;
             if (req.query.firewallResult)
                 options.firewallResult = req.query.firewallResult;
+            if (req.query.operation)
+                options.operation = req.query.operation;
             if (req.query.limit)
                 options.limit = parseInt(req.query.limit, 10);
             if (req.query.project)

package/dist/api/routes/memories.js

@@ -587,7 +587,10 @@ export function registerMemoryRoutes(app, deps) {
     }), (req, res) => {
         try {
             const id = parseInt(req.params.id, 10);
-            const success = deleteMemory(id);
+            // Attribute the dashboard delete so it lands on the provenance ledger
+            // (the primary human-initiated delete — the source-less exemption is only
+            // for internal consolidate/merge machinery).
+            const success = deleteMemory(id, { type: 'api', identifier: `dashboard:memory-delete:${id}` });
             if (!success) {
                 return res.status(404).json({ error: 'Memory not found' });
             }
@@ -1235,7 +1238,7 @@ export function registerMemoryRoutes(app, deps) {
             const db = getDatabase();
             db.prepare(`INSERT INTO quarantine (original_title, original_content, source_type, source_identifier, reason, project, status, created_at)
          VALUES (?, ?, ?, ?, ?, ?, 'pending', ?)`).run(memory.title, memory.content, 'dashboard', 'brain-control', req.body.reason || 'Manually quarantined from Brain dashboard', memory.project || null, new Date().toISOString());
-            deleteMemory(id);
+            deleteMemory(id, { type: 'api', identifier: `dashboard:quarantine-delete:${id}` });
             res.json({ success: true, quarantined: id });
         }
         catch (error) {

package/dist/api/visualization-server.js

@@ -187,6 +187,7 @@ export function handleV1Scan(req, res) {
                     trust_score: 0,
                     sensitivity_level: 'RESTRICTED',
                     firewall_result: 'BLOCK',
+                    operation: 'write',
                     anomaly_score: 0.5,
                     threat_indicators: '["config_tampering"]',
                     blocked_patterns: '[]',

package/dist/cloud/cli.js

@@ -1,4 +1,4 @@
-import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, getToolResponseScanConfig, setToolResponseScanConfig, } from './config.js';
+import { getCloudConfig, setCloudConfig, getCloudSyncControls, setCloudSyncControls, getDefenceMode, setDefenceMode, getVerifyConfig, setVerifyConfig, getReviewCopilotConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, isProactiveRecallEnabled, setProactiveRecall, restore410Defaults, getRankerConfig, setRankerConfig, getToolResponseScanConfig, setToolResponseScanConfig, isRevokeBySourceEnabled, setRevokeBySourceEnabled, } from './config.js';
 const VALID_RANKER_ENGINES = ['rrf', 'legacy'];
 import { syncAllGraphToCloud } from './graph-sync.js';
 import { syncAllMemoriesToCloud } from './memory-sync.js';
@@ -22,6 +22,7 @@ export function handleCloudConfig(args) {
         console.log('\nShieldCortex Configuration:');
         console.log(`  Defence Mode: ${mode}`);
         console.log(`  Tool-Output Firewall: ${toolFirewall.scanToolResponses ? toolFirewall.toolResponseMode : 'Off'}`);
+        console.log(`  Revoke-by-source: ${isRevokeBySourceEnabled() ? 'Enabled (destructive)' : 'Disabled (default)'}`);
         console.log(`  Cloud Enabled:  ${config.cloudEnabled ? 'Yes' : 'No'}`);
         console.log(`  API Key:  ${config.cloudApiKey ? config.cloudApiKey.substring(0, 12) + '...' : 'Not set'}`);
         console.log(`  Base URL: ${config.cloudBaseUrl}`);
@@ -210,6 +211,16 @@ export function handleCloudConfig(args) {
         console.log('Tool-output firewall enabled (scanning on).');
         changed = true;
     }
+    if (args.includes('--allow-revoke-by-source')) {
+        setRevokeBySourceEnabled(true);
+        console.log('Revoke-by-source ENABLED. `forget --fromSource` can now bulk-delete a source\'s memories (trust-hierarchy ACL still applies). Disable again with --disallow-revoke-by-source when done.');
+        changed = true;
+    }
+    if (args.includes('--disallow-revoke-by-source')) {
+        setRevokeBySourceEnabled(false);
+        console.log('Revoke-by-source disabled (default).');
+        changed = true;
+    }
     if (args.includes('--upsell-mute')) {
         setUpsellState({ proMuted: true });
         console.log('Pro upsell muted. Re-enable with --upsell-unmute.');
@@ -238,6 +249,7 @@ export function handleCloudConfig(args) {
         console.log('  --tool-firewall-enforce   Redact/withhold threatening tool output before the agent sees it');
         console.log('  --tool-firewall-advisory  Log tool-output threats but deliver intact (default)');
         console.log('  --tool-firewall-off / --tool-firewall-on  Disable / enable tool-output scanning');
+        console.log('  --allow-revoke-by-source / --disallow-revoke-by-source  Enable/disable destructive forget --fromSource (default: disabled)');
         console.log('  --restore-4.10-defaults  Restore pre-v4.11.0 defaults (recall on, strict interceptor, minimal preamble)');
         console.log('  --upsell-mute          Suppress the Pro upsell footer in doctor');
         console.log('  --upsell-unmute        Allow the Pro upsell footer to surface again');

package/dist/cloud/config.d.ts

@@ -191,6 +191,16 @@ export declare function getToolResponseScanConfig(): ToolResponseScanConfig;
  * Persists tool response scanning config.
  */
 export declare function setToolResponseScanConfig(updates: Partial<ToolResponseScanConfig>): void;
+/**
+ * revoke-by-source (bulk delete all memories from a source) is a destructive
+ * mass-delete primitive. Because a prompt-injection adversary runs AS the agent
+ * at the agent's own trust, no in-band (trust) check can distinguish "the human
+ * asked" from "an injection asked". So it is gated OFF by default and can only
+ * be enabled by an out-of-band human action (editing config / the CLI flag) that
+ * a hijacked agent cannot perform.
+ */
+export declare function isRevokeBySourceEnabled(): boolean;
+export declare function setRevokeBySourceEnabled(enabled: boolean): void;
 /**
  * Returns a stable UUID for this machine.
  * Generates and persists on first call; reads from config thereafter.

package/dist/cloud/config.js

@@ -938,6 +938,21 @@ export function setToolResponseScanConfig(updates) {
             raw.toolResponseMode = updates.toolResponseMode;
     });
 }
+// ── Revoke-by-source gate ─────────────────────────────
+/**
+ * revoke-by-source (bulk delete all memories from a source) is a destructive
+ * mass-delete primitive. Because a prompt-injection adversary runs AS the agent
+ * at the agent's own trust, no in-band (trust) check can distinguish "the human
+ * asked" from "an injection asked". So it is gated OFF by default and can only
+ * be enabled by an out-of-band human action (editing config / the CLI flag) that
+ * a hijacked agent cannot perform.
+ */
+export function isRevokeBySourceEnabled() {
+    return readRawConfig().allowRevokeBySource === true;
+}
+export function setRevokeBySourceEnabled(enabled) {
+    mutateRawConfig((raw) => { raw.allowRevokeBySource = enabled; });
+}
 // ── Device Identity ────────────────────────────────────
 /**
  * Returns a stable UUID for this machine.

package/dist/database/inline-schema.js

@@ -36,6 +36,7 @@ export function getInlineSchema() {
       trust_score REAL DEFAULT 1.0,
       sensitivity_level TEXT DEFAULT 'INTERNAL',
       source TEXT DEFAULT 'user:direct',
+      content_hash TEXT,
       status TEXT DEFAULT 'active' CHECK(status IN ('active', 'archived', 'suppressed', 'canonical')),
       pinned INTEGER DEFAULT 0,
       reviewed_at TIMESTAMP,
@@ -84,6 +85,8 @@ export function getInlineSchema() {
     CREATE INDEX IF NOT EXISTS idx_memories_decayed_score ON memories(decayed_score DESC);
     CREATE INDEX IF NOT EXISTS idx_memories_last_accessed ON memories(last_accessed DESC);
     CREATE INDEX IF NOT EXISTS idx_memories_updated ON memories(updated_at DESC);
+    CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source);
+    CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash);
 
     CREATE TABLE IF NOT EXISTS sessions (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -168,6 +171,8 @@ export function getInlineSchema() {
       trust_score REAL NOT NULL,
       sensitivity_level TEXT NOT NULL DEFAULT 'INTERNAL',
       firewall_result TEXT NOT NULL CHECK(firewall_result IN ('ALLOW', 'BLOCK', 'QUARANTINE')),
+      operation TEXT,
+      content_hash TEXT,
       anomaly_score REAL DEFAULT 0.0,
       threat_indicators TEXT DEFAULT '[]',
       blocked_patterns TEXT DEFAULT '[]',
@@ -182,6 +187,7 @@ export function getInlineSchema() {
     CREATE INDEX IF NOT EXISTS idx_audit_result ON defence_audit(firewall_result);
     CREATE INDEX IF NOT EXISTS idx_audit_source ON defence_audit(source_type);
     CREATE INDEX IF NOT EXISTS idx_audit_project ON defence_audit(project);
+    CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation);
 
     -- Cumulative audit aggregate (single row, id=1) — retention rollup target.
     -- See schema.sql for the rationale.

package/dist/database/migrations.js

@@ -750,4 +750,38 @@ export function runMigrations(database) {
     catch (err) {
         logIfUnexpectedDdlError(err, 'mcp_tool_hashes');
     }
+    // Migration: provenance ledger (v4.39.0) — add an `operation` discriminator
+    // (read/write/delete) and a `content_hash` (write-time tamper-evidence) to
+    // defence_audit, a `content_hash` to memories, and an index on memories.source
+    // for revoke-by-source. Existing rows keep operation/content_hash NULL (legacy,
+    // unclassifiable). Fresh installs get these from schema.sql / inline-schema.ts.
+    try {
+        const auditCols = database.prepare("PRAGMA table_info(defence_audit)").all();
+        if (auditCols.length > 0) {
+            const auditColNames = new Set(auditCols.map((c) => c.name));
+            if (!auditColNames.has('operation')) {
+                database.exec('ALTER TABLE defence_audit ADD COLUMN operation TEXT');
+            }
+            if (!auditColNames.has('content_hash')) {
+                database.exec('ALTER TABLE defence_audit ADD COLUMN content_hash TEXT');
+            }
+        }
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'defence_audit provenance columns (operation, content_hash)');
+    }
+    if (!columnNames.has('content_hash')) {
+        database.exec('ALTER TABLE memories ADD COLUMN content_hash TEXT');
+    }
+    // Indexes in an unconditional, self-healing block: CREATE INDEX IF NOT EXISTS
+    // no-ops if the column already had its index, and back-fills it if the column
+    // exists without it (e.g. a column added by a prior partial run).
+    try {
+        database.exec('CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation)');
+        database.exec('CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash)');
+        database.exec('CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source)');
+    }
+    catch (err) {
+        logIfUnexpectedDdlError(err, 'provenance ledger indexes (audit operation, memories content_hash/source)');
+    }
 }

package/dist/database/schema.sql

@@ -24,6 +24,7 @@ CREATE TABLE IF NOT EXISTS memories (
   trust_score REAL DEFAULT 1.0,
   sensitivity_level TEXT DEFAULT 'INTERNAL',
   source TEXT DEFAULT 'user:direct',
+  content_hash TEXT,
   status TEXT DEFAULT 'active' CHECK(status IN ('active', 'archived', 'suppressed', 'canonical')),
   pinned INTEGER DEFAULT 0,
   reviewed_at TIMESTAMP,
@@ -85,6 +86,8 @@ CREATE INDEX IF NOT EXISTS idx_memories_updated ON memories(updated_at DESC);
 CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status);
 CREATE INDEX IF NOT EXISTS idx_memories_pinned ON memories(pinned DESC);
 CREATE INDEX IF NOT EXISTS idx_memories_source_kind ON memories(source_kind);
+CREATE INDEX IF NOT EXISTS idx_memories_source ON memories(source);
+CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash);
 
 -- Session tracking for consolidation
 CREATE TABLE IF NOT EXISTS sessions (
@@ -214,6 +217,8 @@ CREATE TABLE IF NOT EXISTS defence_audit (
   trust_score REAL NOT NULL,
   sensitivity_level TEXT NOT NULL DEFAULT 'INTERNAL',
   firewall_result TEXT NOT NULL CHECK(firewall_result IN ('ALLOW', 'BLOCK', 'QUARANTINE')),
+  operation TEXT,                       -- provenance ledger: 'read' | 'write' | 'delete' (NULL on legacy rows)
+  content_hash TEXT,                    -- SHA-256 of content at write time (tamper-evidence)
   anomaly_score REAL DEFAULT 0.0,
   threat_indicators TEXT DEFAULT '[]',  -- JSON array of ThreatIndicator strings
   blocked_patterns TEXT DEFAULT '[]',   -- JSON array of matched patterns
@@ -228,6 +233,7 @@ CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON defence_audit(timestamp DESC);
 CREATE INDEX IF NOT EXISTS idx_audit_result ON defence_audit(firewall_result);
 CREATE INDEX IF NOT EXISTS idx_audit_source ON defence_audit(source_type);
 CREATE INDEX IF NOT EXISTS idx_audit_project ON defence_audit(project);
+CREATE INDEX IF NOT EXISTS idx_audit_operation ON defence_audit(operation);
 
 -- Defence: cumulative audit aggregate (single row, id=1). Retention purges roll
 -- the to-be-deleted rows' lifetime-stat contributions into this row BEFORE

package/dist/defence/audit/logger.js

@@ -15,12 +15,12 @@ export function logAudit(entry) {
         const stmt = db.prepare(`
       INSERT INTO defence_audit (
         memory_id, project, timestamp, source_type, source_identifier,
-        trust_score, sensitivity_level, firewall_result,
+        trust_score, sensitivity_level, firewall_result, operation, content_hash,
         anomaly_score, threat_indicators, blocked_patterns,
         reason, fragmentation_score, pipeline_duration_ms
       ) VALUES (
         @memory_id, @project, @timestamp, @source_type, @source_identifier,
-        @trust_score, @sensitivity_level, @firewall_result,
+        @trust_score, @sensitivity_level, @firewall_result, @operation, @content_hash,
         @anomaly_score, @threat_indicators, @blocked_patterns,
         @reason, @fragmentation_score, @pipeline_duration_ms
       )
@@ -34,6 +34,8 @@ export function logAudit(entry) {
             trust_score: entry.trust_score,
             sensitivity_level: entry.sensitivity_level,
             firewall_result: entry.firewall_result,
+            operation: entry.operation ?? null,
+            content_hash: entry.content_hash ?? null,
             anomaly_score: entry.anomaly_score ?? 0,
             threat_indicators: entry.threat_indicators ?? '[]',
             blocked_patterns: entry.blocked_patterns ?? '[]',

package/dist/defence/audit/queries.d.ts

@@ -21,7 +21,7 @@ export interface AgentTimelinePoint {
 export interface AuditQueryOptions {
     startTime?: string;
     endTime?: string;
-    operation?: 'write' | 'read' | 'delete' | 'update';
+    operation?: 'write' | 'read' | 'delete' | 'update' | 'revoke';
     source?: string;
     firewallResult?: FirewallResult;
     memoryId?: number;

package/dist/defence/audit/queries.js

@@ -22,6 +22,10 @@ export function queryAuditLogs(options = {}) {
         conditions.push('da.firewall_result = @firewallResult');
         params.firewallResult = options.firewallResult;
     }
+    if (options.operation) {
+        conditions.push('da.operation = @operation');
+        params.operation = options.operation;
+    }
     if (options.source) {
         conditions.push('da.source_type = @source');
         params.source = options.source;

package/dist/defence/audit/retention.js

@@ -140,22 +140,32 @@ export function purgeAuditUnderSizePressure(options = {}) {
         const total = db.prepare('SELECT COUNT(*) AS c FROM defence_audit').get().c;
         if (total <= maxRows)
             return 0;
-        // Trim down to the cap by deleting the OLDEST rows. Find the cutoff id: keep
-        // the newest `maxRows` by timestamp, purge everything older.
-        const cutoffRow = db.prepare(`
-      SELECT timestamp FROM defence_audit
-      ORDER BY timestamp DESC
-      LIMIT 1 OFFSET ?
-    `).get(maxRows);
-        if (!cutoffRow)
+        const over = total - maxRows;
+        // Forensic-aware eviction: trim the `over` oldest rows, but evict
+        // LOW-VALUE provenance rows first (ALLOW reads/deletes — the high-volume,
+        // low-forensic-value entries) and only fall back to threat rows
+        // (BLOCK/QUARANTINE, or anything with threat_indicators) once the low-value
+        // rows are exhausted. Otherwise a flood of routine reads would push the
+        // oldest injection/credential-leak records out from under the row cap.
+        const ids = db.prepare(`
+      SELECT id FROM defence_audit
+      ORDER BY
+        CASE WHEN firewall_result = 'ALLOW'
+                  AND operation IN ('read', 'delete')
+                  AND (threat_indicators IS NULL OR threat_indicators IN ('', '[]'))
+             THEN 0 ELSE 1 END ASC,
+        timestamp ASC
+      LIMIT ?
+    `).all(over).map((r) => r.id);
+        if (ids.length === 0)
             return 0;
-        const where = 'timestamp <= ?';
-        const params = [cutoffRow.timestamp];
-        const delta = computeDelta(where, params);
+        const placeholders = ids.map(() => '?').join(',');
+        const where = `id IN (${placeholders})`;
+        const delta = computeDelta(where, ids);
         if (delta.total_scans === 0)
             return 0;
         rollIntoAggregate(delta);
-        const res = db.prepare(`DELETE FROM defence_audit WHERE ${where}`).run(...params);
+        const res = db.prepare(`DELETE FROM defence_audit WHERE ${where}`).run(...ids);
         return Number(res.changes ?? 0);
     })();
 }

package/dist/defence/iron-dome/audit.js

@@ -19,6 +19,7 @@ export function logIronDomeAudit(event) {
             trust_score: 0,
             sensitivity_level: 'PUBLIC',
             firewall_result: event.allowed ? 'ALLOW' : 'BLOCK',
+            operation: null, // iron-dome kill-switch / defence event, not a memory read/write/delete
             anomaly_score: 0,
             threat_indicators: '[]',
             blocked_patterns: '[]',

package/dist/defence/pipeline.js

@@ -11,7 +11,7 @@ import { analyzeFirewall } from './firewall/index.js';
 import { classifySensitivity } from './sensitivity/index.js';
 import { analyzeFragmentation } from './fragmentation/index.js';
 import { scanForCredentials } from './credential-leak/index.js';
-import { logAudit } from './audit/index.js';
+import { logAudit, createContentHash } from './audit/index.js';
 import { persistEvent } from '../api/events.js';
 import { syncToCloud } from '../cloud/sync.js';
 import { syncQuarantineToCloud } from '../cloud/quarantine-sync.js';
@@ -202,6 +202,8 @@ export function runDefencePipeline(content, title, source, config, project) {
             trust_score: trust.score,
             sensitivity_level: sensitivity.level,
             firewall_result: firewall.result,
+            operation: 'write',
+            content_hash: createContentHash(content),
             anomaly_score: firewall.anomalyScore,
             threat_indicators: JSON.stringify(firewall.threatIndicators),
             blocked_patterns: JSON.stringify(firewall.blockedPatterns),
@@ -283,6 +285,7 @@ export function runDefencePipeline(content, title, source, config, project) {
             trust_score: 0,
             sensitivity_level: 'RESTRICTED',
             firewall_result: 'BLOCK',
+            operation: 'write',
             anomaly_score: 1.0,
             threat_indicators: '["pipeline_error"]',
             blocked_patterns: '[]',

package/dist/defence/tool-response-scanner.js

@@ -250,6 +250,7 @@ export function scanToolResponse(toolName, content, mode) {
                 trust_score: 0.5,
                 sensitivity_level: (credentials.leaked || decodedCredentialLeak) ? 'CONFIDENTIAL' : 'PUBLIC',
                 firewall_result: firewallResult,
+                operation: 'read',
                 anomaly_score: anomalyScore,
                 threat_indicators: JSON.stringify(threatIndicators),
                 blocked_patterns: JSON.stringify(blockedPatterns),

package/dist/defence/trust/access-control.d.ts

@@ -22,7 +22,4 @@ export interface AccessCheckMemory {
     source?: string | null;
     sensitivity_level?: string | null;
 }
-/**
- * Check whether a source has access to a memory for a given operation.
- */
-export declare function checkAccess(memory: AccessCheckMemory, source: DefenceSource, operation: 'read' | 'write' | 'delete'): AccessPolicy;
+export declare function checkAccess(memory: AccessCheckMemory, source: DefenceSource, operation: 'read' | 'write' | 'delete' | 'revoke'): AccessPolicy;

package/dist/defence/trust/access-control.js

@@ -12,6 +12,13 @@ import { scoreSource } from './source-scorer.js';
 /**
  * Check whether a source has access to a memory for a given operation.
  */
+/** Parse a stored "type:identifier" source string back into a DefenceSource. */
+function parseStoredSource(stored) {
+    const i = stored.indexOf(':');
+    if (i === -1)
+        return { type: 'agent', identifier: stored }; // unknown shape → low-trust agent
+    return { type: stored.slice(0, i), identifier: stored.slice(i + 1) };
+}
 export function checkAccess(memory, source, operation) {
     const trust = scoreSource(source).score;
     const memorySource = memory.source || '__system:unattributed';
@@ -50,6 +57,31 @@ export function checkAccess(memory, source, operation) {
         }
         return deny('Can only delete own memories (trust ≥0.5)');
     }
+    if (operation === 'revoke') {
+        // Trust-hierarchy revoke (revoke-by-source remediation): own cleanup, OR a
+        // high-trust caller may purge a STRICTLY lower-trust source's memories.
+        // Equal/higher-trust targets are protected, so a 0.9 agent can never revoke
+        // user:direct (1.0). Single-row 'delete' stays own-only — this override is
+        // reachable only through the explicit revoke path.
+        if (isOwner && trust >= 0.5) {
+            return { canRead: true, canWrite: false, canDelete: true, writeRequiresQuarantine: false, reason: 'Owner revoke' };
+        }
+        // Fail-safe: never mass-revoke unattributed / unclassifiable memories. They
+        // have no clear owner to outrank, and a 0-trust target would be outranked by
+        // any caller — so a high-trust caller must NOT be able to sweep null-source
+        // rows by source.
+        if (!memory.source || memorySource === '__system:unattributed') {
+            return deny('Revoke denied: unattributed memories cannot be revoked by source');
+        }
+        const targetTrust = scoreSource(parseStoredSource(memorySource)).score;
+        if (targetTrust > 0 && trust >= 0.7 && trust > targetTrust) {
+            return {
+                canRead: true, canWrite: false, canDelete: true, writeRequiresQuarantine: false,
+                reason: `Trust-hierarchy revoke (caller ${trust.toFixed(2)} > target ${targetTrust.toFixed(2)})`,
+            };
+        }
+        return deny('Revoke denied: must own the source or outrank it (trust ≥0.7 and strictly > a known target source trust)');
+    }
     return deny('Unknown operation');
 }
 function allow(reason) {

package/dist/defence/trust/resolve-tool-source.js

@@ -33,6 +33,7 @@ export function resolveToolSource(declaredSource, options) {
                 trust_score: ceilingScore,
                 sensitivity_level: 'PUBLIC',
                 firewall_result: 'BLOCK',
+                operation: null, // source-resolution meta-event, not a memory read/write/delete
                 anomaly_score: 0,
                 threat_indicators: JSON.stringify(['privilege_escalation']),
                 blocked_patterns: '[]',
@@ -62,6 +63,7 @@ export function resolveToolSource(declaredSource, options) {
                 trust_score: 0,
                 sensitivity_level: 'PUBLIC',
                 firewall_result: 'ALLOW',
+                operation: null, // source-resolution meta-event, not a memory read/write/delete
                 anomaly_score: 0,
                 threat_indicators: '[]',
                 blocked_patterns: '[]',

package/dist/defence/types.d.ts

@@ -129,6 +129,8 @@ export interface QuarantineEntry {
     expires_at: string | null;
     audit_id: number | null;
 }
+/** Operation that produced an audit row (provenance ledger discriminator). */
+export type AuditOperation = 'write' | 'read' | 'delete' | 'update' | 'revoke';
 export interface AuditEntry {
     id: number;
     memory_id: number | null;
@@ -139,6 +141,14 @@ export interface AuditEntry {
     trust_score: number;
     sensitivity_level: string;
     firewall_result: FirewallResult;
+    /**
+     * The operation that produced this row. Required on every new emission so the
+     * ledger is queryable by read/write/delete; `null` only on legacy rows written
+     * before the provenance-ledger column existed.
+     */
+    operation: AuditOperation | null;
+    /** SHA-256 of the content at write time (tamper-evidence); null for read/delete rows. */
+    content_hash?: string | null;
     anomaly_score: number;
     threat_indicators: string;
     blocked_patterns: string;

package/dist/memory/lifecycle.js

@@ -27,6 +27,7 @@ import { jaccardSimilarity } from './similarity.js';
 import { emitMemoryAccessed, emitMemoryUpdated, persistEvent, } from '../api/events.js';
 import { createMemoryLink } from './links.js';
 import { runDefencePipeline } from '../defence/index.js';
+import { createContentHash } from '../defence/audit/logger.js';
 // Enrichment text is recall-query / caller-derived (attacker-influenced); scan
 // it before persisting. Trust doesn't matter here (the row keeps its own) — we
 // only act on the firewall verdict, so a low-trust web source is fine.
@@ -207,13 +208,15 @@ export function enrichMemory(memoryId, newContext, contextType = 'access') {
     if (defenceResult.firewall.result !== 'ALLOW') {
         return { enriched: false, reason: `Enrichment blocked by defence: ${defenceResult.firewall.reason}` };
     }
-    // Update memory
+    // Update memory (recompute content_hash — the integrity snapshot must track
+    // the enriched content, not the pre-enrichment original).
     db.prepare(`
     UPDATE memories
     SET content = ?,
+        content_hash = ?,
         last_accessed = CURRENT_TIMESTAMP
     WHERE id = ?
-  `).run(newContent, memoryId);
+  `).run(newContent, createContentHash(newContent), memoryId);
     // Update cooldown timestamp
     enrichmentTimestamps.set(memoryId, now);
     // Emit update event for dashboard

package/dist/memory/store.d.ts

@@ -5,7 +5,7 @@
  * Handles storage, retrieval, and management of memories.
  */
 import { Memory, MemoryInput, MemoryType, MemoryConfig } from './types.js';
-import type { DefenceSource } from '../defence/types.js';
+import type { DefenceSource, AuditOperation } from '../defence/types.js';
 export declare const MAX_CONTENT_SIZE: number;
 export declare const UNATTRIBUTED_SOURCE: DefenceSource;
 /**
@@ -20,7 +20,21 @@ export declare function getLastTruncationInfo(): {
  * Convert database row to Memory object
  */
 export declare function rowToMemory(row: Record<string, unknown>): Memory;
-export declare function logAccessDenial(memoryId: number, source: DefenceSource, reason: string): void;
+export declare function logAccessDenial(memoryId: number, source: DefenceSource, reason: string, operation?: AuditOperation): void;
+/**
+ * Provenance ledger: record an ALLOWED read. Emitted ONCE per tool call (not per
+ * row) to keep the audit table bounded — recall returns up to 50 rows, so a
+ * per-row emit would flood it. memory_id carries the single id for single-target
+ * reads; the full id list (capped) goes in blocked_patterns for forensics.
+ */
+export declare function logAllowedRead(source: DefenceSource, tool: string, memoryIds: number[], project?: string | null): void;
+/**
+ * Provenance ledger: record an ALLOWED delete (one row per deleted memory).
+ * memory_id is NULL by design — the row is emitted after the DELETE, and the
+ * audit.memory_id FK is ON DELETE SET NULL, so a live reference can't survive.
+ * The deleted id is preserved in `reason` + `blocked_patterns` for forensics.
+ */
+export declare function logAllowedDelete(memoryId: number, source: DefenceSource, project?: string | null, operation?: AuditOperation): void;
 /**
  * Error thrown when memory creation is paused
  */
@@ -51,7 +65,9 @@ export declare function mergeMemories(keptId: number, removedId: number, options
 /**
  * Delete a memory
  */
-export declare function deleteMemory(id: number, source?: DefenceSource): boolean;
+export declare function deleteMemory(id: number, source?: DefenceSource, opts?: {
+    mode?: 'delete' | 'revoke';
+}): boolean;
 /**
  * Get all memories for a project
  */