hanuscode 1.0.0__py3-none-any.whl

hanus/plugins/cortex.py

@@ -0,0 +1,1750 @@
+# plugins/cortex.py — Semantic Memory System with Knowledge Graph
+"""
+Semantic memory system with knowledge graphs.
+
+Allows long-term information retention and understanding relationships between concepts
+(people, events, preferences, projects) rather than just text matching.
+
+Commands:
+  /cortex remember <entity> <type> <attributes>  — Save entity with attributes
+  /cortex relate <entity1> <relation> <entity2>   — Create relation
+  /cortex recall <entity>                         — Get entity info
+  /cortex find <type>                             — Search entities by type
+  /cortex query <entity> <depth>                  — Query graph (relations)
+  /cortex forget <entity>                         — Delete entity
+  /cortex list                                    — List entities
+  /cortex types                                   — View entity types
+  /cortex relations                               — View relation types
+  /cortex graph [entity]                          — Visualize graph
+  /cortex timeline <entity>                       — View entity events
+  /cortex similar <entity>                        — Similar entities
+  /cortex path <entity1> <entity2>                — Path between entities
+"""
+import json
+import re
+from pathlib import Path
+from datetime import datetime
+from typing import Dict, List, Set, Optional, Tuple
+from collections import defaultdict
+
+NAME = "cortex"
+DESCRIPTION = "Semantic memory system with knowledge graphs - USE THIS to store data you learn"
+USAGE = "remember|relate|recall|find|query|forget|list|types|relations|graph|timeline|similar|path"
+
+AGENT_DOC = """
+## ⚠️ IMPORTANT: Cortex is for STORING DATA - DO NOT create files in .cortex/
+
+Cortex is a KNOWLEDGE GRAPH MEMORY SYSTEM. When you learn or discover information,
+STORE IT HERE using the commands below. DO NOT create markdown files in .cortex/ directory.
+
+## Why Cortex?
+
+**Notes** = text notes with keyword search.
+**Cortex** = STRUCTURED MEMORY with:
+- Typed entities (person, target, vulnerability, codebase, etc.)
+- Typed relations between entities (with automatic inverse relations)
+- Graph queries (find related entities, paths, similar items)
+- Episodic memory (events with temporal context)
+
+## MANDATORY - When to Use Cortex
+
+**You MUST use Cortex after EVERY significant action:**
+
+### After Security Work (pentesting, CTF, recon):
+1. **Found target/host?** → `<run_plugin name="cortex" args="remember target1 target type=host ip=10.10.10.1 os=linux"/>`
+2. **Found open port?** → `<run_plugin name="cortex" args="remember port_80 service port=80 service=http host=target1"/>`
+3. **Found vulnerability?** → `<run_plugin name="cortex" args="remember vuln1 vulnerability cve=CVE-2024-1234 severity=high"/>`
+4. **Found credential?** → `<run_plugin name="cortex" args="remember admin_cred credential type=password user=admin source=target1"/>`
+5. **Exploited something?** → `<run_plugin name="cortex" args="remember exploit1 exploit type=rce target=target1 cve=CVE-2024-1234"/>`
+
+### After Creating/Modifying Code:
+1. **New project?** → `<run_plugin name="cortex" args="remember myproject project language=python framework=flask"/>`
+2. **New file?** → `<run_plugin name="cortex" args="remember auth_module module path=auth.py purpose=authentication"/>`
+3. **New API?** → `<run_plugin name="cortex" args="remember login_api api method=POST path=/login auth=jwt"/>`
+
+### Create Relations:
+```
+<run_plugin name="cortex" args="relate target1 has_vuln vuln1"/>
+<run_plugin name="cortex" args="relate vuln1 exploited_by exploit1"/>
+<run_plugin name="cortex" args="relate auth_module defines login_api"/>
+```
+
+## Quick Reference Commands
+
+### remember - Save an entity
+```
+<run_plugin name="cortex" args="remember <entity_name> <type> [key=value ...]"/>
+<run_plugin name="cortex" args="remember webserver host ip=192.168.1.1 os=linux ports=22,80,443"/>
+<run_plugin name="cortex" args="remember sqli_vuln vulnerability severity=high url=/search param=id"/>
+```
+
+### relate - Create relationship
+```
+<run_plugin name="cortex" args="relate <entity1> <relation> <entity2>"/>
+<run_plugin name="cortex" args="relate webserver has_vuln sqli_vuln"/>
+```
+
+### recall - Get entity info
+```
+<run_plugin name="cortex" args="recall webserver"/>
+```
+
+### find - Search by type
+```
+<run_plugin name="cortex" args="find host"/>
+<run_plugin name="cortex" args="find vulnerability severity=high"/>
+```
+
+### query - Get related entities
+```
+<run_plugin name="cortex" args="query webserver 2"/>
+```
+
+### list - List all entities
+```
+<run_plugin name="cortex" args="list"/>
+```
+
+## Entity Types (you can use ANY type)
+
+| Type | Use Case | Common Attributes |
+|------|----------|-------------------|
+| target | Security targets | type, scope, status |
+| host | Servers/hosts | ip, hostname, os, ports, services |
+| domain | Domain names | name, registrar, ip |
+| port | Open ports | number, service, version |
+| vulnerability | Vulnerabilities | cve, severity, cvss, affected |
+| exploit | Exploits/PoCs | name, type, cve, reliability |
+| credential | Found credentials | type, source, valid, scope |
+| tool | Security tools | category, purpose, usage |
+| finding | Security findings | severity, type, url, evidence |
+| project | Software projects | status, language, framework |
+| module | Code files | path, purpose, dependencies |
+| api | APIs/endpoints | method, path, auth |
+| person | People | role, team, email |
+
+## Relation Types (you can use ANY relation)
+
+| Relation | Inverse | Meaning |
+|----------|---------|---------|
+| has_vuln | vuln_in | Has vulnerability |
+| exploits | exploited_by | Exploits vulnerability |
+| targets | targeted_by | Targets host/domain |
+| hosts | hosted_on | Hosts service |
+| contains | contained_in | Contains sub-component |
+| uses | used_by | Uses technology/service |
+| depends_on | depended_by | Depends on |
+| depends_on | depended_by | Depends on |
+| calls | called_by | Calls function |
+| imports | imported_by | Imports module |
+| defines | defined_in | Defines function/class |
+| exposes | exposed_by | Exposes API |
+| fixes | fixed_by | Fixes bug |
+| has_vuln | vuln_in | Has vulnerability |
+| exploits | exploited_by | Exploits vuln |
+| targets | targeted_by | Targets host/domain |
+| finds | found_by | Finds vulnerability |
+| hosts | hosted_on | Hosts service |
+| works_on | has_member | Works on project |
+
+## Commands
+
+### remember <entity> <type> [key=value...]
+Save entity with attributes.
+
+<run_plugin name="cortex" args="remember 'Auth API' project status=active language=python framework=flask"/>
+<run_plugin name="cortex" args="remember auth.py module path=/auth purpose='authentication module'"/>
+<run_plugin name="cortex" args="remember login function file=auth.py params='username,password'"/>
+
+### relate <entity1> <relation> <entity2>
+Create relation (auto-creates inverse).
+
+<run_plugin name="cortex" args="relate 'Auth API' contains auth.py"/>
+<run_plugin name="cortex" args="relate auth.py defines login"/>
+<run_plugin name="cortex" args="relate 'Auth API' uses Flask"/>
+
+### recall <entity>
+Get all entity info.
+
+<run_plugin name="cortex" args="recall 'Auth API'"/>
+
+### find <type> [key=value]
+Search entities by type and/or attributes.
+
+<run_plugin name="cortex" args="find module"/>
+<run_plugin name="cortex" args="find bug severity=critical"/>
+
+### query <entity> [depth]
+Get related entities up to N levels.
+
+<run_plugin name="cortex" args="query 'Auth API' 2"/>
+
+### graph [entity]
+Visualize the knowledge graph.
+
+<run_plugin name="cortex" args="graph"/>
+
+### reset --force
+Clear all data (use with caution).
+
+<run_plugin name="cortex" args="reset --force"/>
+
+<run_plugin name="cortex" args="path John Python"/>
+
+## Notes
+
+- Entity types and relations are SUGGESTIONS, not restrictions
+- You can create any type or relation you need
+- Inverse relations are auto-created when defined
+- Use /cortex types and /cortex relations to see all available
+"""
+
+DATA_DIR = Path.home() / ".hanus" / "cortex"
+ENTITIES_FILE = DATA_DIR / "entities.json"
+RELATIONS_FILE = DATA_DIR / "relations.json"
+EVENTS_FILE = DATA_DIR / "events.json"
+
+# Suggested entity types with common attributes
+# These are SUGGESTIONS - any type can be used
+ENTITY_TYPES = {
+    # === PEOPLE & ORGANIZATIONS ===
+    "person": {
+        "description": "Person",
+        "default_attrs": ["role", "team", "email", "seniority", "timezone", "github", "skills"]
+    },
+    "organization": {
+        "description": "Company, team or group",
+        "default_attrs": ["type", "size", "industry", "website", "scope"]
+    },
+    "team": {
+        "description": "Work team",
+        "default_attrs": ["name", "project", "members", "tech_stack"]
+    },
+
+    # === PROJECTS & CODE ===
+    "project": {
+        "description": "Software project",
+        "default_attrs": ["status", "priority", "language", "framework", "repo", "branch"]
+    },
+    "codebase": {
+        "description": "Code repository",
+        "default_attrs": ["language", "framework", "size", "structure", "main_tech"]
+    },
+    "module": {
+        "description": "Code module or component",
+        "default_attrs": ["path", "language", "purpose", "dependencies"]
+    },
+    "function": {
+        "description": "Function or method",
+        "default_attrs": ["name", "file", "params", "returns", "purpose"]
+    },
+    "class": {
+        "description": "Class or type",
+        "default_attrs": ["name", "file", "inherits", "methods", "purpose"]
+    },
+    "api": {
+        "description": "API or service",
+        "default_attrs": ["method", "path", "auth", "rate_limit", "purpose"]
+    },
+    "endpoint": {
+        "description": "HTTP endpoint",
+        "default_attrs": ["url", "method", "auth_type", "params", "response_type"]
+    },
+    "database": {
+        "description": "Database",
+        "default_attrs": ["type", "host", "port", "name", "schema"]
+    },
+    "dependency": {
+        "description": "Dependency or library",
+        "default_attrs": ["name", "version", "source", "license", "purpose"]
+    },
+
+    # === DEVELOPMENT ===
+    "bug": {
+        "description": "Bug or issue",
+        "default_attrs": ["severity", "status", "component", "found_in", "fixed_in"]
+    },
+    "feature": {
+        "description": "Feature or functionality",
+        "default_attrs": ["status", "priority", "effort", "component", "milestone"]
+    },
+    "pr": {
+        "description": "Pull Request",
+        "default_attrs": ["number", "status", "author", "branch", "files_changed"]
+    },
+    "commit": {
+        "description": "Git commit",
+        "default_attrs": ["hash", "author", "date", "message", "files"]
+    },
+    "test": {
+        "description": "Test or test suite",
+        "default_attrs": ["type", "coverage", "status", "component"]
+    },
+    "config": {
+        "description": "Configuration",
+        "default_attrs": ["file", "environment", "purpose", "sensitive"]
+    },
+
+    # === SECURITY - INFRASTRUCTURE ===
+    "target": {
+        "description": "Security target (host, domain, app)",
+        "default_attrs": ["type", "scope", "status", "priority", "notes"]
+    },
+    "domain": {
+        "description": "Web domain",
+        "default_attrs": ["name", "registrar", "ip", "ports", "tech_stack"]
+    },
+    "host": {
+        "description": "Host or server",
+        "default_attrs": ["ip", "hostname", "os", "ports", "services"]
+    },
+    "ip": {
+        "description": "IP address",
+        "default_attrs": ["address", "type", "asn", "country", "hostname"]
+    },
+    "port": {
+        "description": "Open port",
+        "default_attrs": ["number", "protocol", "service", "version", "banner"]
+    },
+    "service": {
+        "description": "Detected service",
+        "default_attrs": ["name", "port", "version", "product", "vulnerabilities"]
+    },
+    "network": {
+        "description": "Network or subnet",
+        "default_attrs": ["cidr", "gateway", "range", "hosts", "purpose"]
+    },
+
+    # === SECURITY - VULNERABILITIES ===
+    "vulnerability": {
+        "description": "Vulnerability",
+        "default_attrs": ["cve", "severity", "cvss", "vector", "affected"]
+    },
+    "cve": {
+        "description": "Specific CVE",
+        "default_attrs": ["id", "severity", "product", "version", "exploit_available"]
+    },
+    "exploit": {
+        "description": "Exploit or PoC",
+        "default_attrs": ["name", "type", "cve", "reliability", "source"]
+    },
+    "payload": {
+        "description": "Exploit payload",
+        "default_attrs": ["type", "language", "target", "purpose", "detected_by"]
+    },
+    "finding": {
+        "description": "Security finding",
+        "default_attrs": ["severity", "type", "url", "parameter", "evidence"]
+    },
+
+    # === SECURITY - TOOLS & TECHNIQUES ===
+    "tool": {
+        "description": "Security tool",
+        "default_attrs": ["category", "language", "source", "purpose", "usage"]
+    },
+    "technique": {
+        "description": "Attack/defense technique",
+        "default_attrs": ["category", "mitre_id", "difficulty", "detection", "mitigation"]
+    },
+    "wordlist": {
+        "description": "Wordlist or dictionary",
+        "default_attrs": ["type", "size", "source", "purpose"]
+    },
+    "payload_type": {
+        "description": "Payload type",
+        "default_attrs": ["category", "context", "encoding", "bypasses"]
+    },
+    "scan": {
+        "description": "Scan performed",
+        "default_attrs": ["type", "tool", "target", "date", "findings"]
+    },
+
+    # === SECURITY - CREDENTIALS & ACCESS ===
+    "credential": {
+        "description": "Found credential",
+        "default_attrs": ["type", "source", "valid", "scope", "leaked_in"]
+    },
+    "session": {
+        "description": "Session or token",
+        "default_attrs": ["type", "valid_until", "scope", "user"]
+    },
+    "backdoor": {
+        "description": "Backdoor or access",
+        "default_attrs": ["type", "location", "persistence", "detected"]
+    },
+
+    # === GENERAL ===
+    "event": {
+        "description": "Event or meeting",
+        "default_attrs": ["date", "time", "location", "outcome", "attendees"]
+    },
+    "preference": {
+        "description": "Preference or setting",
+        "default_attrs": ["category", "value", "context", "reason"]
+    },
+    "technology": {
+        "description": "General technology",
+        "default_attrs": ["type", "version", "category", "maturity", "docs"]
+    },
+    "location": {
+        "description": "Location",
+        "default_attrs": ["type", "address", "timezone", "related_hosts"]
+    },
+    "task": {
+        "description": "Pending task",
+        "default_attrs": ["status", "priority", "due", "assignee", "context"]
+    },
+    "decision": {
+        "description": "Decision made",
+        "default_attrs": ["date", "context", "outcome", "rationale", "impact"]
+    },
+    "resource": {
+        "description": "External resource",
+        "default_attrs": ["type", "url", "access", "purpose"]
+    },
+    "note": {
+        "description": "Note or information",
+        "default_attrs": ["source", "date", "importance", "context"]
+    },
+    "knowledge": {
+        "description": "Learned knowledge",
+        "default_attrs": ["topic", "source", "confidence", "applicable_to"]
+    },
+    "concept": {
+        "description": "Concept or idea",
+        "default_attrs": ["definition", "related_to", "importance", "context"]
+    },
+}
+
+# Relation types with inverse mapping
+# These are SUGGESTIONS - any relation can be used
+# Format: relation_name -> {inverse: inverse_relation, description: meaning}
+RELATION_TYPES = {
+    # === SOCIAL ===
+    "knows": {"inverse": "knows", "description": "Knows"},
+    "works_with": {"inverse": "works_with", "description": "Works with"},
+    "reports_to": {"inverse": "manages", "description": "Reports to"},
+    "manages": {"inverse": "reports_to", "description": "Manages"},
+    "collaborates_with": {"inverse": "collaborates_with", "description": "Collaborates with"},
+
+    # === PROJECTS ===
+    "works_on": {"inverse": "has_member", "description": "Works on"},
+    "has_member": {"inverse": "works_on", "description": "Has member"},
+    "leads": {"inverse": "led_by", "description": "Leads"},
+    "led_by": {"inverse": "leads", "description": "Led by"},
+    "owns": {"inverse": "owned_by", "description": "Owns"},
+    "owned_by": {"inverse": "owns", "description": "Owned by"},
+    "maintains": {"inverse": "maintained_by", "description": "Maintains"},
+    "maintained_by": {"inverse": "maintains", "description": "Maintained by"},
+
+    # === CODE ===
+    "imports": {"inverse": "imported_by", "description": "Imports"},
+    "imported_by": {"inverse": "imports", "description": "Imported by"},
+    "calls": {"inverse": "called_by", "description": "Calls"},
+    "called_by": {"inverse": "calls", "description": "Called by"},
+    "extends": {"inverse": "extended_by", "description": "Extends"},
+    "extended_by": {"inverse": "extends", "description": "Extended by"},
+    "implements": {"inverse": "implemented_by", "description": "Implements"},
+    "implemented_by": {"inverse": "implements", "description": "Implemented by"},
+    "overrides": {"inverse": "overridden_by", "description": "Overrides"},
+    "overridden_by": {"inverse": "overrides", "description": "Overridden by"},
+    "contains": {"inverse": "contained_in", "description": "Contains"},
+    "contained_in": {"inverse": "contains", "description": "Contained in"},
+    "defines": {"inverse": "defined_in", "description": "Defines"},
+    "defined_in": {"inverse": "defines", "description": "Defined in"},
+    "references": {"inverse": "referenced_by", "description": "References"},
+    "referenced_by": {"inverse": "references", "description": "Referenced by"},
+    "exposes": {"inverse": "exposed_by", "description": "Exposes"},
+    "exposed_by": {"inverse": "exposes", "description": "Exposed by"},
+
+    # === DEPENDENCIES ===
+    "depends_on": {"inverse": "depended_by", "description": "Depends on"},
+    "depended_by": {"inverse": "depends_on", "description": "Depended by"},
+    "requires": {"inverse": "required_by", "description": "Requires"},
+    "required_by": {"inverse": "requires", "description": "Required by"},
+    "uses": {"inverse": "used_by", "description": "Uses"},
+    "used_by": {"inverse": "uses", "description": "Used by"},
+    "includes": {"inverse": "included_in", "description": "Includes"},
+    "included_in": {"inverse": "includes", "description": "Included in"},
+
+    # === DEVELOPMENT ===
+    "fixes": {"inverse": "fixed_by", "description": "Fixes"},
+    "fixed_by": {"inverse": "fixes", "description": "Fixed by"},
+    "introduces": {"inverse": "introduced_by", "description": "Introduces"},
+    "introduced_by": {"inverse": "introduces", "description": "Introduced by"},
+    "causes": {"inverse": "caused_by", "description": "Causes"},
+    "caused_by": {"inverse": "causes", "description": "Caused by"},
+    "affects": {"inverse": "affected_by", "description": "Affects"},
+    "affected_by": {"inverse": "affects", "description": "Affected by"},
+    "tests": {"inverse": "tested_by", "description": "Tests"},
+    "tested_by": {"inverse": "tests", "description": "Tested by"},
+    "covers": {"inverse": "covered_by", "description": "Covers"},
+    "covered_by": {"inverse": "covers", "description": "Covered by"},
+    "merges": {"inverse": "merged_in", "description": "Merges"},
+    "merged_in": {"inverse": "merges", "description": "Merged in"},
+
+    # === SECURITY - INFRASTRUCTURE ===
+    "hosts": {"inverse": "hosted_on", "description": "Hosts"},
+    "hosted_on": {"inverse": "hosts", "description": "Hosted on"},
+    "runs_on": {"inverse": "runs", "description": "Runs on"},
+    "runs": {"inverse": "runs_on", "description": "Runs"},
+    "has_port": {"inverse": "port_of", "description": "Has port"},
+    "port_of": {"inverse": "has_port", "description": "Port of"},
+    "has_service": {"inverse": "service_of", "description": "Has service"},
+    "service_of": {"inverse": "has_service", "description": "Service of"},
+    "resolves_to": {"inverse": "resolves_from", "description": "Resolves to"},
+    "resolves_from": {"inverse": "resolves_to", "description": "Resolves from"},
+    "belongs_to": {"inverse": "owns", "description": "Belongs to"},
+    "part_of_network": {"inverse": "has_host", "description": "Part of network"},
+    "has_host": {"inverse": "part_of_network", "description": "Has host"},
+
+    # === SECURITY - ATTACKS ===
+    "has_vuln": {"inverse": "vuln_in", "description": "Has vulnerability"},
+    "vuln_in": {"inverse": "has_vuln", "description": "Vulnerability in"},
+    "exploits": {"inverse": "exploited_by", "description": "Exploits"},
+    "exploited_by": {"inverse": "exploits", "description": "Exploited by"},
+    "targets": {"inverse": "targeted_by", "description": "Targets"},
+    "targeted_by": {"inverse": "targets", "description": "Targeted by"},
+    "attacks": {"inverse": "attacked_by", "description": "Attacks"},
+    "attacked_by": {"inverse": "attacks", "description": "Attacked by"},
+    "scans": {"inverse": "scanned_by", "description": "Scans"},
+    "scanned_by": {"inverse": "scans", "description": "Scanned by"},
+    "finds": {"inverse": "found_by", "description": "Finds"},
+    "found_by": {"inverse": "finds", "description": "Found by"},
+    "detects": {"inverse": "detected_by", "description": "Detects"},
+    "detected_by": {"inverse": "detects", "description": "Detected by"},
+    "bypasses": {"inverse": "bypassed_by", "description": "Bypasses"},
+    "bypassed_by": {"inverse": "bypasses", "description": "Bypassed by"},
+    "mitigates": {"inverse": "mitigated_by", "description": "Mitigates"},
+    "mitigated_by": {"inverse": "mitigates", "description": "Mitigated by"},
+    "patches": {"inverse": "patched_by", "description": "Patches"},
+    "patched_by": {"inverse": "patches", "description": "Patched by"},
+
+    # === SECURITY - CREDENTIALS ===
+    "leaks": {"inverse": "leaked_in", "description": "Leaks"},
+    "leaked_in": {"inverse": "leaks", "description": "Leaked in"},
+    "uses_credential": {"inverse": "credential_for", "description": "Uses credential"},
+    "credential_for": {"inverse": "uses_credential", "description": "Credential for"},
+    "valid_for": {"inverse": "has_valid", "description": "Valid for"},
+    "has_valid": {"inverse": "valid_for", "description": "Has valid"},
+    "compromises": {"inverse": "compromised_by", "description": "Compromises"},
+    "compromised_by": {"inverse": "compromises", "description": "Compromised by"},
+
+    # === SECURITY - TOOLS ===
+    "runs_tool": {"inverse": "tool_runs_on", "description": "Runs tool"},
+    "tool_runs_on": {"inverse": "runs_tool", "description": "Tool runs on"},
+    "generates": {"inverse": "generated_by", "description": "Generates"},
+    "generated_by": {"inverse": "generates", "description": "Generated by"},
+    "produces": {"inverse": "produced_by", "description": "Produces"},
+    "produced_by": {"inverse": "produces", "description": "Produced by"},
+    "consumes": {"inverse": "consumed_by", "description": "Consumes"},
+    "consumed_by": {"inverse": "consumes", "description": "Consumed by"},
+
+    # === STRUCTURAL ===
+    "related_to": {"inverse": "related_to", "description": "Related to"},
+    "part_of": {"inverse": "has_part", "description": "Part of"},
+    "has_part": {"inverse": "part_of", "description": "Has part"},
+    "parent_of": {"inverse": "child_of", "description": "Parent of"},
+    "child_of": {"inverse": "parent_of", "description": "Child of"},
+    "similar_to": {"inverse": "similar_to", "description": "Similar to"},
+    "same_as": {"inverse": "same_as", "description": "Same as"},
+    "alternative_to": {"inverse": "alternative_to", "description": "Alternative to"},
+
+    # === CREATION ===
+    "created": {"inverse": "created_by", "description": "Created"},
+    "created_by": {"inverse": "created", "description": "Created by"},
+    "modified": {"inverse": "modified_by", "description": "Modified"},
+    "modified_by": {"inverse": "modified", "description": "Modified by"},
+    "discovered": {"inverse": "discovered_by", "description": "Discovered"},
+    "discovered_by": {"inverse": "discovered", "description": "Discovered by"},
+    "reported": {"inverse": "reported_by", "description": "Reported"},
+    "reported_by": {"inverse": "reported", "description": "Reported by"},
+
+    # === LOCATION ===
+    "located_at": {"inverse": "location_of", "description": "Located at"},
+    "location_of": {"inverse": "located_at", "description": "Location of"},
+    "based_in": {"inverse": "base_of", "description": "Based in"},
+    "base_of": {"inverse": "based_in", "description": "Base of"},
+    "stored_in": {"inverse": "stores", "description": "Stored in"},
+    "stores": {"inverse": "stored_in", "description": "Stores"},
+    "accessible_from": {"inverse": "provides_access_to", "description": "Accessible from"},
+    "provides_access_to": {"inverse": "accessible_from", "description": "Provides access to"},
+
+    # === TIME/EVENTS ===
+    "scheduled": {"inverse": "has_event", "description": "Scheduled"},
+    "has_event": {"inverse": "scheduled", "description": "Has event"},
+    "attended": {"inverse": "attendee", "description": "Attended"},
+    "attendee": {"inverse": "attended", "description": "Attendee of"},
+    "occurred_in": {"inverse": "has_occurrence", "description": "Occurred in"},
+    "has_occurrence": {"inverse": "occurred_in", "description": "Has occurrence"},
+    "before": {"inverse": "after", "description": "Before"},
+    "after": {"inverse": "before", "description": "After"},
+    "during": {"inverse": "includes_event", "description": "During"},
+    "includes_event": {"inverse": "during", "description": "Includes event"},
+
+    # === DECISIONS ===
+    "decided_in": {"inverse": "has_decision", "description": "Decided in"},
+    "has_decision": {"inverse": "decided_in", "description": "Has decision"},
+    "participated_in": {"inverse": "participant", "description": "Participated in"},
+    "participant": {"inverse": "participated_in", "description": "Participant of"},
+    "approved_by": {"inverse": "approves", "description": "Approved by"},
+    "approves": {"inverse": "approved_by", "description": "Approves"},
+    "rejected_by": {"inverse": "rejects", "description": "Rejected by"},
+    "rejects": {"inverse": "rejected_by", "description": "Rejects"},
+
+    # === REFERENCES ===
+    "mentions": {"inverse": "mentioned_in", "description": "Mentions"},
+    "mentioned_in": {"inverse": "mentions", "description": "Mentioned in"},
+    "documents": {"inverse": "documented_in", "description": "Documents"},
+    "documented_in": {"inverse": "documents", "description": "Documented in"},
+    "proves": {"inverse": "proven_by", "description": "Proves"},
+    "proven_by": {"inverse": "proves", "description": "Proven by"},
+    "evidences": {"inverse": "evidenced_by", "description": "Evidences"},
+    "evidenced_by": {"inverse": "evidences", "description": "Evidenced by"},
+
+    # === COMMUNICATION ===
+    "contacted": {"inverse": "contacted_by", "description": "Contacted"},
+    "contacted_by": {"inverse": "contacted", "description": "Contacted by"},
+    "emailed": {"inverse": "emailed_by", "description": "Emailed"},
+    "emailed_by": {"inverse": "emailed", "description": "Emailed by"},
+    "messaged": {"inverse": "messaged_by", "description": "Messaged"},
+    "messaged_by": {"inverse": "messaged", "description": "Messaged by"},
+    "notified": {"inverse": "notified_by", "description": "Notified"},
+    "notified_by": {"inverse": "notified", "description": "Notified by"},
+    "asked": {"inverse": "asked_by", "description": "Asked"},
+    "asked_by": {"inverse": "asked", "description": "Asked by"},
+    "answered": {"inverse": "answered_by", "description": "Answered"},
+    "answered_by": {"inverse": "answered", "description": "Answered by"},
+
+    # === KNOWLEDGE ===
+    "learns": {"inverse": "learned_by", "description": "Learns"},
+    "learned_by": {"inverse": "learns", "description": "Learned by"},
+    "teaches": {"inverse": "taught_by", "description": "Teaches"},
+    "taught_by": {"inverse": "teaches", "description": "Taught by"},
+    "applies_to": {"inverse": "applied_in", "description": "Applies to"},
+    "applied_in": {"inverse": "applies_to", "description": "Applied in"},
+}
+
+
+class CortexDB:
+    """Knowledge graph database."""
+
+    def __init__(self):
+        self.entities: Dict[str, dict] = {}  # entity_name -> {type, attrs, created, modified}
+        self.relations: List[dict] = []  # [{from, relation, to, created, weight}]
+        self.events: List[dict] = []  # [{entity, event, timestamp, context}]
+        self._relation_index: Dict[str, List[int]] = defaultdict(list)  # entity -> [relation_indices]
+        self.load()
+
+    def load(self):
+        """Load data from files."""
+        DATA_DIR.mkdir(parents=True, exist_ok=True)
+
+        if ENTITIES_FILE.exists():
+            try:
+                self.entities = json.loads(ENTITIES_FILE.read_text(encoding="utf-8"))
+            except:
+                self.entities = {}
+
+        if RELATIONS_FILE.exists():
+            try:
+                self.relations = json.loads(RELATIONS_FILE.read_text(encoding="utf-8"))
+                # Rebuild index
+                for i, r in enumerate(self.relations):
+                    self._relation_index[self._norm(r["from"])].append(i)
+                    self._relation_index[self._norm(r["to"])].append(i)
+            except:
+                self.relations = []
+
+        if EVENTS_FILE.exists():
+            try:
+                self.events = json.loads(EVENTS_FILE.read_text(encoding="utf-8"))
+            except:
+                self.events = []
+
+    def save(self):
+        """Save data to files."""
+        DATA_DIR.mkdir(parents=True, exist_ok=True)
+        ENTITIES_FILE.write_text(json.dumps(self.entities, indent=2, ensure_ascii=False), encoding="utf-8")
+        RELATIONS_FILE.write_text(json.dumps(self.relations, indent=2, ensure_ascii=False), encoding="utf-8")
+        EVENTS_FILE.write_text(json.dumps(self.events, indent=2, ensure_ascii=False), encoding="utf-8")
+
+    def _norm(self, name: str) -> str:
+        """Normalize entity name."""
+        return name.lower().strip()
+
+    def add_entity(self, name: str, entity_type: str, attrs: dict = None) -> bool:
+        """Add or update an entity."""
+        key = self._norm(name)
+        now = datetime.now().isoformat()
+
+        if key in self.entities:
+            # Update existing
+            self.entities[key]["type"] = entity_type
+            if attrs:
+                self.entities[key]["attrs"].update(attrs)
+            self.entities[key]["modified"] = now
+            return False  # Updated
+
+        # Create new
+        self.entities[key] = {
+            "name": name,
+            "type": entity_type,
+            "attrs": attrs or {},
+            "created": now,
+            "modified": now
+        }
+        return True  # Created
+
+    def get_entity(self, name: str) -> Optional[dict]:
+        """Get an entity."""
+        return self.entities.get(self._norm(name))
+
+    def delete_entity(self, name: str) -> bool:
+        """Delete an entity and its relations."""
+        key = self._norm(name)
+        if key not in self.entities:
+            return False
+
+        del self.entities[key]
+
+        # Remove relations
+        indices_to_remove = self._relation_index.get(key, [])
+        for i in sorted(indices_to_remove, reverse=True):
+            if i < len(self.relations):
+                del self.relations[i]
+
+        # Rebuild index
+        self._relation_index = defaultdict(list)
+        for i, r in enumerate(self.relations):
+            self._relation_index[self._norm(r["from"])].append(i)
+            self._relation_index[self._norm(r["to"])].append(i)
+
+        self.save()
+        return True
+
+    def add_relation(self, from_entity: str, relation: str, to_entity: str, weight: float = 1.0) -> bool:
+        """Add a relation between entities."""
+        from_key = self._norm(from_entity)
+        to_key = self._norm(to_entity)
+        relation = relation.lower()
+
+        if from_key not in self.entities:
+            return False
+        if to_key not in self.entities:
+            return False
+
+        # Check if relation already exists
+        for r in self.relations:
+            if (self._norm(r["from"]) == from_key and
+                r["relation"] == relation and
+                self._norm(r["to"]) == to_key):
+                return False  # Already exists
+
+        # Add relation
+        rel_entry = {
+            "from": from_entity,
+            "relation": relation,
+            "to": to_entity,
+            "weight": weight,
+            "created": datetime.now().isoformat()
+        }
+        idx = len(self.relations)
+        self.relations.append(rel_entry)
+        self._relation_index[from_key].append(idx)
+        self._relation_index[to_key].append(idx)
+
+        # Add inverse relation if defined
+        if relation in RELATION_TYPES:
+            inverse = RELATION_TYPES[relation].get("inverse")
+            if inverse and inverse != relation:
+                inv_entry = {
+                    "from": to_entity,
+                    "relation": inverse,
+                    "to": from_entity,
+                    "weight": weight,
+                    "created": datetime.now().isoformat(),
+                    "inverse_of": True
+                }
+                idx2 = len(self.relations)
+                self.relations.append(inv_entry)
+                self._relation_index[to_key].append(idx2)
+                self._relation_index[from_key].append(idx2)
+
+        self.save()
+        return True
+
+    def get_relations(self, entity: str, direction: str = "both") -> List[dict]:
+        """Get relations for an entity."""
+        key = self._norm(entity)
+        result = []
+
+        for i in self._relation_index.get(key, []):
+            if i >= len(self.relations):
+                continue
+            r = self.relations[i]
+            is_from = self._norm(r["from"]) == key
+
+            if direction == "out" and not is_from:
+                continue
+            if direction == "in" and is_from:
+                continue
+
+            result.append(r)
+
+        return result
+
+    def get_related_entities(self, entity: str, depth: int = 1) -> Set[str]:
+        """Get related entities up to certain depth."""
+        key = self._norm(entity)
+        visited = {key}
+        frontier = {key}
+
+        for _ in range(depth):
+            next_frontier = set()
+            for e in frontier:
+                for r in self.get_relations(e):
+                    other = self._norm(r["to"]) if self._norm(r["from"]) == e else self._norm(r["from"])
+                    if other not in visited:
+                        visited.add(other)
+                        next_frontier.add(other)
+            frontier = next_frontier
+            if not frontier:
+                break
+
+        return visited - {key}
+
+    def find_path(self, from_entity: str, to_entity: str) -> Optional[List[Tuple[str, str, str]]]:
+        """Find shortest path between two entities (BFS)."""
+        from_key = self._norm(from_entity)
+        to_key = self._norm(to_entity)
+
+        if from_key not in self.entities or to_key not in self.entities:
+            return None
+
+        if from_key == to_key:
+            return []
+
+        # BFS
+        queue = [(from_key, [])]
+        visited = {from_key}
+
+        while queue:
+            current, path = queue.pop(0)
+
+            for r in self.get_relations(current, "out"):
+                other = self._norm(r["to"])
+                new_path = path + [(r["from"], r["relation"], r["to"])]
+
+                if other == to_key:
+                    return new_path
+
+                if other not in visited:
+                    visited.add(other)
+                    queue.append((other, new_path))
+
+        return None
+
+    def find_similar(self, entity: str) -> List[Tuple[str, float]]:
+        """Find similar entities based on type and shared relations."""
+        key = self._norm(entity)
+        if key not in self.entities:
+            return []
+
+        entity_type = self.entities[key]["type"]
+        entity_relations = set()
+
+        for r in self.get_relations(key):
+            other = self._norm(r["to"]) if self._norm(r["from"]) == key else self._norm(r["from"])
+            entity_relations.add(other)
+
+        scores = []
+        for other_key, other_data in self.entities.items():
+            if other_key == key:
+                continue
+
+            score = 0.0
+
+            # Same type
+            if other_data["type"] == entity_type:
+                score += 0.5
+
+            # Shared relations
+            other_relations = set()
+            for r in self.get_relations(other_key):
+                third = self._norm(r["to"]) if self._norm(r["from"]) == other_key else self._norm(r["from"])
+                other_relations.add(third)
+
+            shared = entity_relations & other_relations
+            if entity_relations or other_relations:
+                jaccard = len(shared) / len(entity_relations | other_relations)
+                score += jaccard * 0.5
+
+            if score > 0:
+                scores.append((other_data["name"], score))
+
+        return sorted(scores, key=lambda x: -x[1])
+
+    def search_by_attrs(self, entity_type: str = None, attrs: dict = None) -> List[dict]:
+        """Search entities by type and/or attributes."""
+        results = []
+
+        for key, data in self.entities.items():
+            if entity_type and data["type"] != entity_type:
+                continue
+
+            if attrs:
+                match = True
+                for k, v in attrs.items():
+                    if data["attrs"].get(k) != v:
+                        match = False
+                        break
+                if not match:
+                    continue
+
+            results.append(data)
+
+        return results
+
+    def add_event(self, entity: str, event: str, context: str = ""):
+        """Add an episodic event."""
+        key = self._norm(entity)
+        if key not in self.entities:
+            return False
+
+        self.events.append({
+            "entity": entity,
+            "event": event,
+            "context": context,
+            "timestamp": datetime.now().isoformat()
+        })
+        self.save()
+        return True
+
+    def get_timeline(self, entity: str = None) -> List[dict]:
+        """Get events ordered by time."""
+        if entity:
+            key = self._norm(entity)
+            events = [e for e in self.events if self._norm(e["entity"]) == key]
+        else:
+            events = self.events
+
+        return sorted(events, key=lambda x: x["timestamp"], reverse=True)
+
+    def get_stats(self) -> dict:
+        """Get system statistics."""
+        type_counts = defaultdict(int)
+        for data in self.entities.values():
+            type_counts[data["type"]] += 1
+
+        rel_counts = defaultdict(int)
+        for r in self.relations:
+            rel_counts[r["relation"]] += 1
+
+        return {
+            "total_entities": len(self.entities),
+            "total_relations": len(self.relations),
+            "total_events": len(self.events),
+            "entity_types": dict(type_counts),
+            "relation_types": dict(rel_counts)
+        }
+
+
+# Global instance
+_db: Optional[CortexDB] = None
+
+
+def _get_db() -> CortexDB:
+    global _db
+    if _db is None:
+        _db = CortexDB()
+    return _db
+
+
+def run(args: str = "") -> str:
+    """Plugin entry point."""
+    if not args.strip():
+        return _cmd_list("")
+
+    parts = args.strip().split(maxsplit=2)
+    cmd = parts[0].lower()
+    rest = parts[1] if len(parts) > 1 else ""
+    rest2 = parts[2] if len(parts) > 2 else ""
+
+    commands = {
+        "remember": _cmd_remember,
+        "memorize": _cmd_remember,
+        "learn": _cmd_remember,
+        "relate": _cmd_relate,
+        "link": _cmd_relate,
+        "connect": _cmd_relate,
+        "recall": _cmd_recall,
+        "get": _cmd_recall,
+        "show": _cmd_recall,
+        "find": _cmd_find,
+        "search": _cmd_find,
+        "query": _cmd_query,
+        "explore": _cmd_query,
+        "forget": _cmd_forget,
+        "delete": _cmd_forget,
+        "remove": _cmd_forget,
+        "list": _cmd_list,
+        "ls": _cmd_list,
+        "types": _cmd_types,
+        "relations": _cmd_relations,
+        "graph": _cmd_graph,
+        "visualize": _cmd_graph,
+        "timeline": _cmd_timeline,
+        "history": _cmd_timeline,
+        "similar": _cmd_similar,
+        "related": _cmd_similar,
+        "path": _cmd_path,
+        "route": _cmd_path,
+        "stats": _cmd_stats,
+        "info": _cmd_stats,
+        "demo": _cmd_demo,
+        "init": _cmd_demo,
+        "example": _cmd_demo,
+        "reset": _cmd_reset,
+        "clear": _cmd_reset,
+        "wipe": _cmd_reset,
+    }
+
+    handler = commands.get(cmd)
+    if not handler:
+        return f"Unknown command: {cmd}\n\nCommands: remember, relate, recall, find, query, forget, list, types, relations, graph, timeline, similar, path, stats, demo, reset"
+
+    return handler(rest + (" " + rest2 if rest2 else ""))
+
+
+def _parse_attrs(attr_str: str) -> dict:
+    """Parse attributes in key=value format."""
+    attrs = {}
+    # Match key=value or key="value with spaces"
+    pattern = r'(\w+)=(?:"([^"]*)"|(\S+))'
+    for match in re.finditer(pattern, attr_str):
+        key = match.group(1)
+        value = match.group(2) if match.group(2) is not None else match.group(3)
+        attrs[key] = value
+    return attrs
+
+
+def _cmd_remember(args: str) -> str:
+    """Save an entity with attributes."""
+    if not args.strip():
+        return """Usage: cortex remember <name> <type> [key=value ...]
+
+Types: person, project, target, host, vulnerability, codebase, module, function, api, bug, technology, event...
+
+Examples:
+  cortex remember John person role=developer team=backend
+  cortex remember 'Auth API' project status=active language=python
+  cortex remember target.example.com domain ip=1.2.3.4
+"""
+
+    parts = args.strip().split(maxsplit=2)
+    if len(parts) < 2:
+        return "Usage: cortex remember <name> <type> [key=value ...]"
+
+    name = parts[0].strip('"\'')
+    entity_type = parts[1].lower()
+    attr_str = parts[2] if len(parts) > 2 else ""
+
+    # Note: Type is NOT validated - any type can be used
+    # Show warning only if type is not in suggested types
+    type_warning = ""
+    if entity_type not in ENTITY_TYPES:
+        type_warning = f"\n  (Note: '{entity_type}' is a custom type - that's fine!)"
+
+    attrs = _parse_attrs(attr_str)
+
+    db = _get_db()
+    created = db.add_entity(name, entity_type, attrs)
+    db.save()
+
+    action = "Created" if created else "Updated"
+    type_info = ENTITY_TYPES.get(entity_type, {"description": "custom entity"})
+
+    lines = [
+        f"✓ {action} entity: {name}",
+        f"  Type: {entity_type} ({type_info['description']})"
+    ]
+
+    if attrs:
+        lines.append("  Attributes:")
+        for k, v in attrs.items():
+            lines.append(f"    {k} = {v}")
+
+    if type_warning:
+        lines.append(type_warning)
+
+    return "\n".join(lines)
+
+
+def _cmd_relate(args: str) -> str:
+    """Create a relation between entities."""
+    if not args.strip():
+        # Show available relations
+        lines = ["Usage: cortex relate <entity1> <relation> <entity2>", "", "Common relations:"]
+        shown = set()
+        for rel, info in list(RELATION_TYPES.items())[:20]:
+            if rel in shown or info.get("inverse") in shown:
+                continue
+            shown.add(rel)
+            inv = f" ↔ {info['inverse']}" if info.get("inverse") and info["inverse"] != rel else ""
+            lines.append(f"  {rel}: {info['description']}{inv}")
+        lines.append("\n  (Use any relation - these are just suggestions)")
+        return "\n".join(lines)
+
+    parts = args.strip().split(maxsplit=2)
+    if len(parts) < 3:
+        return "Usage: cortex relate <entity1> <relation> <entity2>"
+
+    from_entity = parts[0].strip('"\'')
+    relation = parts[1].lower()
+    to_entity = parts[2].strip('"\'')
+
+    db = _get_db()
+
+    # Check entities exist
+    if not db.get_entity(from_entity):
+        return f"Entity not found: {from_entity}"
+    if not db.get_entity(to_entity):
+        return f"Entity not found: {to_entity}"
+
+    # Note: Relation is NOT validated - any relation can be used
+    # Show warning only if relation is not in suggested types
+    rel_warning = ""
+    if relation not in RELATION_TYPES:
+        rel_warning = f"\n  (Note: '{relation}' is a custom relation - that's fine!)"
+
+    if db.add_relation(from_entity, relation, to_entity):
+        inv_info = ""
+        if relation in RELATION_TYPES:
+            inv = RELATION_TYPES[relation].get("inverse")
+            if inv and inv != relation:
+                inv_info = f"\n  (Auto-created inverse: {to_entity} {inv} {from_entity})"
+
+        return f"✓ Relation created:\n  {from_entity} → {relation} → {to_entity}{inv_info}{rel_warning}"
+    else:
+        return f"Relation already exists: {from_entity} → {relation} → {to_entity}"
+
+
+def _cmd_recall(args: str) -> str:
+    """Get information about an entity."""
+    if not args.strip():
+        return "Usage: cortex recall <entity>"
+
+    name = args.strip().strip('"\'')
+    db = _get_db()
+    entity = db.get_entity(name)
+
+    if not entity:
+        # Try fuzzy match
+        matches = [e for e in db.entities if name.lower() in e]
+        if matches:
+            return f"Entity not found.\nSimilar: {', '.join(db.entities[m]['name'] for m in matches[:5])}"
+        return f"Entity not found: {name}"
+
+    type_info = ENTITY_TYPES.get(entity["type"], {"description": "custom entity"})
+
+    lines = [
+        f"═══ {entity['name']} ═══",
+        f"Type: {entity['type']} ({type_info.get('description', 'unknown')})"
+    ]
+
+    if entity["attrs"]:
+        lines.append("\nAttributes:")
+        for k, v in entity["attrs"].items():
+            lines.append(f"  {k}: {v}")
+
+    # Outgoing relations
+    out_rels = db.get_relations(name, "out")
+    if out_rels:
+        lines.append("\nOutgoing relations:")
+        for r in out_rels[:10]:
+            rel_info = RELATION_TYPES.get(r["relation"], {})
+            desc = rel_info.get("description", r["relation"])
+            lines.append(f"  → {desc} → {r['to']}")
+
+    # Incoming relations
+    in_rels = db.get_relations(name, "in")
+    if in_rels:
+        lines.append("\nIncoming relations:")
+        for r in in_rels[:10]:
+            rel_info = RELATION_TYPES.get(r["relation"], {})
+            desc = rel_info.get("description", r["relation"])
+            lines.append(f"  ← {desc} ← {r['from']}")
+
+    # Recent events
+    events = [e for e in db.events if db._norm(e["entity"]) == db._norm(name)]
+    if events:
+        lines.append(f"\nEvents ({len(events)}):")
+        for e in events[-5:]:
+            ts = e["timestamp"][:10]
+            lines.append(f"  [{ts}] {e['event']}")
+
+    lines.append(f"\nCreated: {entity['created'][:10]}")
+    lines.append(f"Modified: {entity['modified'][:10]}")
+
+    return "\n".join(lines)
+
+
+def _cmd_find(args: str) -> str:
+    """Search entities by type and/or attributes."""
+    if not args.strip():
+        db = _get_db()
+        stats = db.get_stats()
+        lines = ["Usage: cortex find <type> [key=value ...]", "", "Entities by type:"]
+        for t, count in sorted(stats["entity_types"].items()):
+            type_info = ENTITY_TYPES.get(t, {})
+            desc = type_info.get("description", "custom")
+            lines.append(f"  {t}: {count} ({desc})")
+        return "\n".join(lines)
+
+    parts = args.strip().split(maxsplit=1)
+    entity_type = parts[0].lower()
+    attrs = _parse_attrs(parts[1]) if len(parts) > 1 else {}
+
+    db = _get_db()
+
+    # If type is not valid, search in all types
+    if entity_type not in ENTITY_TYPES:
+        # Treat as attribute search
+        attrs = _parse_attrs(args)
+        entity_type = None
+
+    results = db.search_by_attrs(entity_type, attrs)
+
+    if not results:
+        return "No entities found."
+
+    lines = [f"Found {len(results)} entities:"]
+    for e in results[:20]:
+        attrs_str = ", ".join(f"{k}={v}" for k, v in list(e["attrs"].items())[:3])
+        if attrs_str:
+            attrs_str = f" ({attrs_str})"
+        lines.append(f"  • [{e['type']}] {e['name']}{attrs_str}")
+
+    return "\n".join(lines)
+
+
+def _cmd_query(args: str) -> str:
+    """Graph query with depth."""
+    if not args.strip():
+        return "Usage: cortex query <entity> [depth]"
+
+    parts = args.strip().split()
+    name = parts[0].strip('"\'')
+    depth = int(parts[1]) if len(parts) > 1 else 2
+
+    db = _get_db()
+    entity = db.get_entity(name)
+
+    if not entity:
+        return f"Entity not found: {name}"
+
+    related = db.get_related_entities(name, depth)
+
+    if not related:
+        return f"No entities related to '{name}'"
+
+    lines = [f"Entities related to '{name}' (depth {depth}):"]
+    lines.append("=" * 50)
+
+    # Group by distance
+    visited = {db._norm(name)}
+    current_level = {db._norm(name)}
+
+    for d in range(1, depth + 1):
+        next_level = set()
+        for e in current_level:
+            for r in db.get_relations(e, "out"):
+                other = db._norm(r["to"])
+                if other not in visited:
+                    visited.add(other)
+                    next_level.add(other)
+                    e_name = db.entities.get(e, {}).get("name", e)
+                    other_name = db.entities.get(other, {}).get("name", other)
+                    rel_desc = RELATION_TYPES.get(r["relation"], {}).get("description", r["relation"])
+                    lines.append(f"  {'  ' * (d-1)}{e_name} → {rel_desc} → {other_name}")
+
+        current_level = next_level
+        if not current_level:
+            break
+
+    lines.append(f"\nTotal: {len(related)} related entities")
+
+    return "\n".join(lines)
+
+
+def _cmd_forget(args: str) -> str:
+    """Delete an entity."""
+    if not args.strip():
+        return "Usage: cortex forget <entity>"
+
+    name = args.strip().strip('"\'')
+    db = _get_db()
+
+    entity = db.get_entity(name)
+    if not entity:
+        return f"Entity not found: {name}"
+
+    # Count relations
+    rels = db.get_relations(name)
+
+    db.delete_entity(name)
+
+    return f"✓ Deleted entity: {name}\n  {len(rels)} relations removed"
+
+
+def _cmd_list(args: str) -> str:
+    """List all entities."""
+    db = _get_db()
+    stats = db.get_stats()
+
+    if not db.entities:
+        return "No entities saved.\n\nUse: cortex remember <name> <type> [attrs]"
+
+    lines = [f"Entities ({len(db.entities)}):"]
+    lines.append("=" * 50)
+
+    # Group by type
+    by_type = defaultdict(list)
+    for key, data in db.entities.items():
+        by_type[data["type"]].append(data)
+
+    for etype in sorted(by_type.keys()):
+        type_info = ENTITY_TYPES.get(etype, {})
+        lines.append(f"\n[{etype}] {type_info.get('description', 'custom')}:")
+
+        for e in sorted(by_type[etype], key=lambda x: x["name"]):
+            rels = db.get_relations(e["name"])
+            attrs_str = ""
+            if e["attrs"]:
+                attrs_str = " — " + ", ".join(f"{k}={v}" for k, v in list(e["attrs"].items())[:2])
+            lines.append(f"  • {e['name']}{attrs_str} ({len(rels)} rels)")
+
+    lines.append(f"\n" + "=" * 50)
+    lines.append(f"Total relations: {len(db.relations)}")
+    lines.append(f"Total events: {len(db.events)}")
+
+    return "\n".join(lines)
+
+
+def _cmd_types(args: str) -> str:
+    """Show entity types."""
+    lines = ["Entity types (suggestions - you can use any type):", "=" * 50]
+
+    for etype, info in sorted(ENTITY_TYPES.items()):
+        attrs = ", ".join(info["default_attrs"][:5])
+        lines.append(f"\n{etype}:")
+        lines.append(f"  {info['description']}")
+        if attrs:
+            lines.append(f"  Common attrs: {attrs}")
+
+    return "\n".join(lines)
+
+
+def _cmd_relations(args: str) -> str:
+    """Show relation types."""
+    lines = ["Relation types (suggestions - you can use any relation):", "=" * 50]
+
+    # Group by category
+    categories = {
+        "Social": ["knows", "works_with", "reports_to", "manages", "collaborates_with"],
+        "Projects": ["works_on", "has_member", "leads", "led_by", "owns", "owned_by", "maintains"],
+        "Code": ["imports", "calls", "extends", "implements", "contains", "defines", "references"],
+        "Dependencies": ["depends_on", "requires", "uses", "includes"],
+        "Development": ["fixes", "introduces", "causes", "affects", "tests", "covers", "merges"],
+        "Security - Infrastructure": ["hosts", "runs_on", "has_port", "has_service", "resolves_to"],
+        "Security - Attacks": ["has_vuln", "exploits", "targets", "attacks", "scans", "finds", "detects", "bypasses", "mitigates"],
+        "Security - Credentials": ["leaks", "uses_credential", "valid_for", "compromises"],
+        "Security - Tools": ["runs_tool", "generates", "produces", "consumes"],
+        "Structural": ["related_to", "part_of", "parent_of", "child_of", "similar_to", "same_as"],
+        "Creation": ["created", "created_by", "modified", "modified_by", "discovered", "reported"],
+        "Location": ["located_at", "based_in", "stored_in", "accessible_from"],
+        "Events": ["scheduled", "attended", "occurred_in", "before", "after", "during"],
+        "Decisions": ["decided_in", "participated_in", "approved_by", "rejected_by"],
+        "References": ["mentions", "documents", "proves", "evidences"],
+        "Communication": ["contacted", "emailed", "messaged", "notified", "asked", "answered"],
+        "Knowledge": ["learns", "teaches", "applies_to"],
+    }
+
+    for cat, rels in categories.items():
+        cat_lines = []
+        for rel in rels:
+            if rel in RELATION_TYPES:
+                info = RELATION_TYPES[rel]
+                inv = f" ↔ {info['inverse']}" if info.get("inverse") and info["inverse"] != rel else ""
+                cat_lines.append(f"  {rel}: {info['description']}{inv}")
+        if cat_lines:
+            lines.append(f"\n{cat}:")
+            lines.extend(cat_lines)
+
+    return "\n".join(lines)
+
+
+def _cmd_graph(args: str) -> str:
+    """Visualize the graph."""
+    db = _get_db()
+
+    if not db.entities:
+        return "No entities to visualize."
+
+    if args.strip():
+        # Graph centered on entity
+        name = args.strip().strip('"\'')
+        entity = db.get_entity(name)
+        if not entity:
+            return f"Entity not found: {name}"
+
+        related = db.get_related_entities(name, 2)
+        entities_to_show = {db._norm(name)} | related
+    else:
+        entities_to_show = set(db.entities.keys())
+
+    lines = ["Knowledge graph:", "=" * 50]
+
+    # Build adjacency for display
+    for key in sorted(entities_to_show):
+        if key not in db.entities:
+            continue
+
+        data = db.entities[key]
+        type_emoji = {
+            "person": "👤",
+            "project": "📁",
+            "concept": "💡",
+            "event": "📅",
+            "preference": "⭐",
+            "organization": "🏢",
+            "technology": "⚙️",
+            "location": "📍",
+            "task": "✅",
+            "decision": "🎯",
+            "target": "🎯",
+            "host": "🖥️",
+            "domain": "🌐",
+            "vulnerability": "🔴",
+            "exploit": "💥",
+            "credential": "🔑",
+            "tool": "🔧",
+            "codebase": "📦",
+            "module": "📦",
+            "api": "🔌",
+        }.get(data["type"], "📌")
+
+        lines.append(f"\n{type_emoji} {data['name']} [{data['type']}]")
+
+        # Show outgoing relations
+        for r in db.get_relations(key, "out"):
+            other_key = db._norm(r["to"])
+            if other_key in entities_to_show:
+                rel_desc = RELATION_TYPES.get(r["relation"], {}).get("description", r["relation"])
+                other_name = db.entities.get(other_key, {}).get("name", other_key)
+                lines.append(f"   → {rel_desc} → {other_name}")
+
+    lines.append("\n" + "=" * 50)
+    lines.append(f"Nodes: {len(entities_to_show)}")
+
+    return "\n".join(lines)
+
+
+def _cmd_timeline(args: str) -> str:
+    """Show events in temporal order."""
+    db = _get_db()
+
+    entity = args.strip().strip('"\'') if args.strip() else None
+
+    events = db.get_timeline(entity)
+
+    if not events:
+        if entity:
+            return f"No events for: {entity}"
+        return "No events recorded."
+
+    lines = [f"Timeline{' for ' + entity if entity else ''}:", "=" * 50]
+
+    for e in events[:30]:
+        ts = e["timestamp"][:16]
+        entity_name = db.entities.get(db._norm(e["entity"]), {}).get("name", e["entity"])
+        lines.append(f"  [{ts}] {entity_name}: {e['event']}")
+        if e.get("context"):
+            lines.append(f"         {e['context'][:50]}")
+
+    if len(events) > 30:
+        lines.append(f"\n  ... and {len(events) - 30} more events")
+
+    return "\n".join(lines)
+
+
+def _cmd_similar(args: str) -> str:
+    """Find similar entities."""
+    if not args.strip():
+        return "Usage: cortex similar <entity>"
+
+    name = args.strip().strip('"\'')
+    db = _get_db()
+
+    entity = db.get_entity(name)
+    if not entity:
+        return f"Entity not found: {name}"
+
+    similar = db.find_similar(name)
+
+    if not similar:
+        return f"No entities similar to '{name}'"
+
+    lines = [f"Entities similar to '{name}':", "=" * 50]
+
+    for other_name, score in similar[:10]:
+        other = db.get_entity(other_name)
+        if other:
+            lines.append(f"  • {other_name} [{other['type']}] - {score:.0%} similar")
+            # Show why
+            shared_rels = set()
+            for r in db.get_relations(name):
+                other_rel = db._norm(r["to"]) if db._norm(r["from"]) == db._norm(name) else db._norm(r["from"])
+                shared_rels.add(other_rel)
+            for r in db.get_relations(other_name):
+                third = db._norm(r["to"]) if db._norm(r["from"]) == db._norm(other_name) else db._norm(r["from"])
+                if third in shared_rels:
+                    lines.append(f"      Common connection: {db.entities.get(third, {}).get('name', third)}")
+
+    return "\n".join(lines)
+
+
+def _cmd_path(args: str) -> str:
+    """Find path between entities."""
+    if not args.strip():
+        return "Usage: cortex path <entity1> <entity2>"
+
+    parts = args.strip().split()
+    if len(parts) < 2:
+        return "Usage: cortex path <entity1> <entity2>"
+
+    from_name = parts[0].strip('"\'')
+    to_name = parts[1].strip('"\'')
+
+    db = _get_db()
+
+    path = db.find_path(from_name, to_name)
+
+    if path is None:
+        return f"No path between '{from_name}' and '{to_name}'"
+
+    if not path:
+        return f"Same entity: {from_name}"
+
+    lines = [f"Path from '{from_name}' to '{to_name}':", "=" * 50]
+
+    for from_e, rel, to_e in path:
+        rel_desc = RELATION_TYPES.get(rel, {}).get("description", rel)
+        lines.append(f"  {from_e} → {rel_desc} → {to_e}")
+
+    lines.append(f"\nDistance: {len(path)} steps")
+
+    return "\n".join(lines)
+
+
+def _cmd_stats(args: str) -> str:
+    """Show statistics."""
+    db = _get_db()
+    stats = db.get_stats()
+
+    lines = [
+        "════════════════════════════════════",
+        "       CORTEX - STATISTICS",
+        "════════════════════════════════════",
+        "",
+        f"Total entities: {stats['total_entities']}",
+        f"Total relations: {stats['total_relations']}",
+        f"Total events: {stats['total_events']}",
+        "",
+        "Entities by type:",
+    ]
+
+    for t, count in sorted(stats["entity_types"].items(), key=lambda x: -x[1]):
+        type_info = ENTITY_TYPES.get(t, {})
+        desc = type_info.get("description", "custom")
+        bar = "█" * min(count, 20)
+        lines.append(f"  {t:<12} {bar} {count}")
+
+    lines.append("\nMost used relations:")
+
+    for r, count in sorted(stats["relation_types"].items(), key=lambda x: -x[1])[:10]:
+        rel_info = RELATION_TYPES.get(r, {})
+        desc = rel_info.get("description", r)
+        lines.append(f"  {r:<15} {count:>3} ({desc})")
+
+    return "\n".join(lines)
+
+
+def _cmd_demo(args: str) -> str:
+    """Generate demo data for testing."""
+    db = _get_db()
+
+    # Check if already has data
+    if db.entities:
+        return f"Database already has {len(db.entities)} entities.\nUse '/cortex forget <name>' to remove or '/cortex list' to see them.\n\nTo reset and add demo data: /cortex demo --force"
+
+    demo_type = args.strip().lower() if args.strip() else "all"
+
+    lines = ["Generating demo data...", "=" * 50]
+
+    # === PROGRAMMING DEMO DATA ===
+    if demo_type in ["all", "programming", "code"]:
+        lines.append("\n📁 Programming Demo:")
+
+        # People
+        db.add_entity("Alice", "person", {"role": "lead developer", "team": "backend", "email": "alice@example.com"})
+        db.add_entity("Bob", "person", {"role": "developer", "team": "backend", "email": "bob@example.com"})
+        db.add_entity("Carol", "person", {"role": "devops", "team": "infrastructure", "email": "carol@example.com"})
+
+        # Projects
+        db.add_entity("HanusCode", "project", {"status": "active", "language": "python", "priority": "high"})
+        db.add_entity("WebUI", "project", {"status": "active", "language": "javascript", "priority": "medium"})
+
+        # Codebase
+        db.add_entity("hanus-core", "codebase", {"language": "python", "framework": "none", "size": "15k LOC"})
+        db.add_entity("hanus-plugins", "module", {"path": "hanus/plugins/", "purpose": "plugin system"})
+        db.add_entity("cortex", "module", {"path": "hanus/plugins/cortex.py", "purpose": "semantic memory"})
+
+        # Technologies
+        db.add_entity("Python", "technology", {"type": "language", "version": "3.11"})
+        db.add_entity("FastAPI", "technology", {"type": "framework", "category": "web"})
+        db.add_entity("SQLite", "technology", {"type": "database", "category": "storage"})
+
+        # Relations
+        db.add_relation("Alice", "leads", "HanusCode")
+        db.add_relation("Alice", "works_on", "hanus-core")
+        db.add_relation("Bob", "works_on", "hanus-plugins")
+        db.add_relation("Bob", "works_on", "WebUI")
+        db.add_relation("Carol", "maintains", "HanusCode")
+        db.add_relation("HanusCode", "uses", "Python")
+        db.add_relation("HanusCode", "uses", "FastAPI")
+        db.add_relation("HanusCode", "uses", "SQLite")
+        db.add_relation("hanus-core", "contains", "hanus-plugins")
+        db.add_relation("hanus-plugins", "contains", "cortex")
+        db.add_relation("Alice", "knows", "Bob")
+        db.add_relation("Bob", "knows", "Carol")
+
+        lines.append("  ✓ Added programming entities (people, projects, code)")
+
+    # === SECURITY DEMO DATA ===
+    if demo_type in ["all", "security", "pentest"]:
+        lines.append("\n🔒 Security Demo:")
+
+        # Targets
+        db.add_entity("target.local", "target", {"type": "network", "scope": "internal", "status": "in_scope"})
+        db.add_entity("web.target.local", "domain", {"ip": "192.168.1.100", "ports": "80,443,8080"})
+        db.add_entity("api.target.local", "domain", {"ip": "192.168.1.101", "ports": "443,8443"})
+
+        # Hosts
+        db.add_entity("192.168.1.100", "host", {"hostname": "web.target.local", "os": "Ubuntu 22.04"})
+        db.add_entity("192.168.1.101", "host", {"hostname": "api.target.local", "os": "Debian 11"})
+        db.add_entity("192.168.1.1", "host", {"hostname": "gateway.local", "os": "Linux"})
+
+        # Services
+        db.add_entity("nginx-80", "service", {"name": "nginx", "port": "80", "version": "1.18.0"})
+        db.add_entity("ssh-22", "service", {"name": "openssh", "port": "22", "version": "8.9"})
+
+        # Vulnerabilities
+        db.add_entity("CVE-2023-1234", "cve", {"severity": "high", "cvss": "8.5", "product": "nginx"})
+        db.add_entity("CVE-2024-5678", "cve", {"severity": "critical", "cvss": "9.8", "product": "openssh"})
+
+        # Findings
+        db.add_entity("SQLi-login", "finding", {"severity": "critical", "type": "sqli", "url": "/login"})
+        db.add_entity("XSS-search", "finding", {"severity": "medium", "type": "xss", "url": "/search"})
+
+        # Tools
+        db.add_entity("nmap", "tool", {"category": "recon", "purpose": "port scanning"})
+        db.add_entity("sqlmap", "tool", {"category": "exploitation", "purpose": "SQL injection"})
+        db.add_entity("burpsuite", "tool", {"category": "web", "purpose": "web testing"})
+
+        # Credentials
+        db.add_entity("admin-creds", "credential", {"type": "password", "source": "phishing", "valid": "true"})
+
+        # Exploits
+        db.add_entity("exploit-db-12345", "exploit", {"name": "nginx_rce", "cve": "CVE-2023-1234", "reliability": "high"})
+
+        # Relations
+        db.add_relation("target.local", "has_host", "192.168.1.100")
+        db.add_relation("target.local", "has_host", "192.168.1.101")
+        db.add_relation("web.target.local", "resolves_to", "192.168.1.100")
+        db.add_relation("api.target.local", "resolves_to", "192.168.1.101")
+        db.add_relation("192.168.1.100", "has_service", "nginx-80")
+        db.add_relation("192.168.1.100", "has_service", "ssh-22")
+        db.add_relation("nginx-80", "has_vuln", "CVE-2023-1234")
+        db.add_relation("ssh-22", "has_vuln", "CVE-2024-5678")
+        db.add_relation("web.target.local", "has_vuln", "SQLi-login")
+        db.add_relation("web.target.local", "has_vuln", "XSS-search")
+        db.add_relation("exploit-db-12345", "exploits", "CVE-2023-1234")
+        db.add_relation("sqlmap", "finds", "SQLi-login")
+        db.add_relation("admin-creds", "valid_for", "web.target.local")
+        db.add_relation("192.168.1.1", "part_of_network", "target.local")
+
+        lines.append("  ✓ Added security entities (targets, hosts, vulns, tools)")
+
+    db.save()
+
+    stats = db.get_stats()
+    lines.append(f"\n✓ Demo complete!")
+    lines.append(f"  Total entities: {stats['total_entities']}")
+    lines.append(f"  Total relations: {stats['total_relations']}")
+    lines.append(f"\nTry: /cortex graph")
+    lines.append(f"     /cortex query HanusCode 2")
+    lines.append(f"     /cortex path Alice Python")
+
+    return "\n".join(lines)
+
+
+def _cmd_reset(args: str) -> str:
+    """Reset/clear all cortex data."""
+    db = _get_db()
+
+    if args.strip().lower() == "--force":
+        # Skip confirmation
+        pass
+    elif db.entities:
+        return f"⚠️  This will delete ALL data:\n  - {len(db.entities)} entities\n  - {len(db.relations)} relations\n  - {len(db.events)} events\n\nUse: /cortex reset --force"
+
+    # Clear all data
+    db.entities.clear()
+    db.relations.clear()
+    db.events.clear()
+    db._relation_index.clear()
+    db.save()
+
+    # Clear global nodes in webui
+    return "✓ All cortex data has been cleared.\n\nUse '/cortex demo' to generate sample data."
+
+
+# API for integration with other plugins
+def get_entity(name: str) -> Optional[dict]:
+    """API: Get an entity."""
+    return _get_db().get_entity(name)
+
+
+def add_entity(name: str, entity_type: str, attrs: dict = None) -> bool:
+    """API: Add an entity."""
+    db = _get_db()
+    result = db.add_entity(name, entity_type, attrs)
+    db.save()
+    return result
+
+
+def add_relation(from_entity: str, relation: str, to_entity: str) -> bool:
+    """API: Add a relation."""
+    return _get_db().add_relation(from_entity, relation, to_entity)
+
+
+def get_related(entity: str, depth: int = 1) -> Set[str]:
+    """API: Get related entities."""
+    return _get_db().get_related_entities(entity, depth)
+
+
+def find_path(from_entity: str, to_entity: str) -> Optional[List[Tuple[str, str, str]]]:
+    """API: Find path between entities."""
+    return _get_db().find_path(from_entity, to_entity)