ShieldCortex is a security layer and brain-like memory system for AI agents. It combines persistent memory (STM/LTM/episodic) with a 6-layer defence pipeline that scans every memory write for threats.
```
Agent → ShieldCortex → Memory Store (SQLite)
             ↓
  Tier 1 (sync, 1-5ms):
    Trust → Firewall → Sensitivity → Fragmentation → Credential → Audit
             ↓ (if QUARANTINE + verify enabled)
  Tier 2 (async, 500-2000ms):
    Cloud LLM Verification → verdict → optional QUARANTINE→BLOCK upgrade
```
Short-term memory (STM):
- Scope: Current coding session
- Decay: Fast (hours)
- Limit: 100 memories max

Long-term memory (LTM):
- Scope: Cross-session, persistent
- Content: Architecture decisions, code patterns, user preferences
- Decay: Slow (weeks/months), reinforced by access
- Limit: 1,000 memories max

Episodic memory:
- Scope: Specific events/outcomes
- Content: "When I tried X, Y happened", successful solutions
- Decay: Based on utility
| Factor | Weight | Description |
|---|---|---|
| Explicit request | 1.0 | User says "remember this" |
| Architecture decision | 0.9 | System design choices |
| Error resolution | 0.8 | Debugging breakthroughs |
| Code pattern | 0.7 | Reusable implementation patterns |
| User preference | 0.7 | Coding style, tool preferences |
| Repeated mention | 0.6 | Topics that come up multiple times |
| File location | 0.5 | Where important code lives |
| Temporary context | 0.2 | Current debugging state |
Base salience: 0.25. Deletion threshold: 0.2.
- Decay: `score = base_score * (0.995 ^ hours_since_access)`
- Reinforcement: Each access boosts score by 1.2x
- Consolidation: High-access STM → LTM (runs every 4 hours)
Every addMemory() call runs through a tiered defence pipeline:
Scores the source of the memory write:
| Source | Trust Score |
|---|---|
| user | 1.0 |
| cli | 0.9 |
| hook | 0.8 |
| api | 0.7 |
| agent | 0.5 |
| web | 0.3 |
| unknown | 0.1 |
Low trust (< 0.5) escalates detections to BLOCK in balanced mode.
Four detection modules run in parallel:
- Instruction Detector: prompt injection, fake system prompts, hidden instructions, social engineering, delimiter attacks, frontmatter injection
- Privilege Detector: credential references, system commands, destructive filesystem ops, network exfiltration, external URLs
- Encoding Detector: base64, hex (including plain continuous hex), URL encoding, zero-width chars, RTL override, Unicode homoglyphs
- Anomaly Scorer: entropy analysis, length anomalies, repetition patterns
Modes:
- `strict`: any detection → BLOCK
- `balanced`: context-aware. Instruction injection → QUARANTINE (low trust → BLOCK), encoding decoded and re-scanned, zero-width/RTL always quarantined
- `permissive`: allow all, populate indicators only
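How the trust table and the three firewall modes combine into a verdict, as an added sketch that is not ShieldCortex's own code. The function names, the single injection phrase, the hex-run threshold and the result shape are assumptions made for illustration.

```typescript
// Added illustration; names, regexes and result shape are hypothetical, not ShieldCortex code.
type Mode = "strict" | "balanced" | "permissive";
type Verdict = "ALLOW" | "QUARANTINE" | "BLOCK";

// Trust scores from the source table above.
const TRUST: Record<string, number> = {
  user: 1.0, cli: 0.9, hook: 0.8, api: 0.7, agent: 0.5, web: 0.3, unknown: 0.1,
};

// Constructed stand-in for the Instruction Detector: one phrase only.
const INJECTION = /ignore (all )?(previous|prior) instructions/i;
// Zero-width characters and bidirectional overrides/isolates.
const INVISIBLE = /[\u200B-\u200D\u2060\uFEFF\u202A-\u202E\u2066-\u2069]/;
// Plain continuous hex: at least 8 bytes, even number of digits (assumed threshold).
const HEX_RUN = /\b(?:[0-9a-f]{2}){8,}\b/gi;

function decodeHex(run: string): string {
  let out = "";
  for (let i = 0; i < run.length; i += 2) {
    out += String.fromCharCode(parseInt(run.slice(i, i + 2), 16));
  }
  return out;
}

function scan(content: string): string[] {
  const indicators: string[] = [];
  if (INJECTION.test(content)) indicators.push("instruction");
  if (INVISIBLE.test(content)) indicators.push("invisible-char");
  // Decode each hex run and re-scan the plaintext, as balanced mode describes.
  for (const run of content.match(HEX_RUN) ?? []) {
    if (INJECTION.test(decodeHex(run))) indicators.push("encoded-instruction");
  }
  return indicators;
}

function decide(content: string, source: string, mode: Mode) {
  const indicators = scan(content);
  const trust = TRUST[source] ?? 0.1; // unlisted sources score as "unknown"
  let verdict: Verdict = "ALLOW";
  if (indicators.length > 0 && mode === "strict") verdict = "BLOCK";
  if (indicators.length > 0 && mode === "balanced") {
    // Assumption: low-trust escalation applies to every balanced-mode detection.
    verdict = trust < 0.5 ? "BLOCK" : "QUARANTINE";
  }
  // permissive: verdict stays ALLOW, indicators are still reported.
  return { verdict, trust, indicators };
}
```

The boundary is worth noting: `agent` scores exactly 0.5, so under the `< 0.5` rule an agent-sourced detection is quarantined rather than blocked, while `web` (0.3) is blocked.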
Classifies content as PUBLIC / INTERNAL / CONFIDENTIAL / RESTRICTED. Detects passwords, API keys, PII, credentials. RESTRICTED content is blocked. CONFIDENTIAL is redacted on recall.
Cross-references new memories with recent ones to catch multi-step assembly attacks:
- Entity extraction from content
- Temporal analysis of related memories
- Assembly pattern detection (fragments that combine into exploits)
Full forensic trail of every memory operation: source, trust score, firewall result, sensitivity level, anomaly score, threat indicators, blocked patterns, duration.
Scans content for 25+ credential patterns across 11 providers (AWS, GitHub, Stripe, etc.). Entropy analysis catches generic secrets. Blocked credentials upgrade the firewall result to BLOCK.
Optional async layer for content that Tier 1 flags as QUARANTINE. Submits content to /v1/verify for cloud-based LLM analysis (Claude 3.5 Haiku).
- Fail-OPEN: if the LLM is unavailable or times out, the Tier 1 verdict stands unchanged
- Advisory mode (default): fire-and-forget HTTP request, returns `{ status: 'pending' }` immediately
- Enforce mode: awaits the LLM verdict; upgrades QUARANTINE → BLOCK if verdict is THREAT with confidence >= 0.7
- Credentials are redacted before sending to the LLM
- Configurable timeout (default 5000ms, range 1000-30000ms)
- Gated by: cloud enabled + API key set + verify enabled + firewall result matches triggers
Config (~/.shieldcortex/config.json):

```json
{
  "verifyEnabled": true,
  "verifyMode": "advisory",
  "verifyTriggers": ["QUARANTINE"],
  "verifyTimeoutMs": 5000
}
```

API: runDefencePipelineWithVerify() wraps the sync pipeline and adds optional verification. Returns DefencePipelineResultWithVerify, which extends the standard result with a verification field.
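The Tier 2 rules above (gating, timeout range, fail-open, and the enforce-mode upgrade) written out as an added sketch, not the project's implementation. Every function and type name is hypothetical, and the `SAFE` verdict value is an assumption, since the page only names `THREAT`.

```typescript
// Added illustration of the Tier 2 rules; all names are hypothetical.
type Tier1 = "ALLOW" | "QUARANTINE" | "BLOCK";
type LlmVerdict = { verdict: "THREAT" | "SAFE"; confidence: number }; // "SAFE" is assumed
interface VerifyConfig {
  verifyEnabled: boolean;
  verifyMode: "advisory" | "enforce";
  verifyTriggers: Tier1[];
  verifyTimeoutMs: number;
}

// Gate: cloud enabled + API key set + verify enabled + result matches a trigger.
function shouldVerify(tier1: Tier1, cfg: VerifyConfig, cloudEnabled: boolean, apiKey?: string): boolean {
  return cloudEnabled && !!apiKey && cfg.verifyEnabled && cfg.verifyTriggers.indexOf(tier1) !== -1;
}

// Clamp the configured timeout into the documented 1000-30000 ms range.
function clampTimeout(ms: number): number {
  return Math.min(30000, Math.max(1000, ms));
}

// Fail-open wrapper: a rejection or a timeout yields null, never an exception.
async function callVerifier(call: () => Promise<LlmVerdict>, timeoutMs: number): Promise<LlmVerdict | null> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const expiry = new Promise<null>((resolve) => {
    timer = setTimeout(() => resolve(null), clampTimeout(timeoutMs));
  });
  try {
    return await Promise.race([call(), expiry]);
  } catch {
    return null;
  } finally {
    clearTimeout(timer);
  }
}

// Advisory mode never changes the result. In enforce mode the only possible
// change is QUARANTINE -> BLOCK; a null outcome leaves the Tier 1 verdict as is.
function applyVerdict(tier1: Tier1, mode: "advisory" | "enforce", outcome: LlmVerdict | null): Tier1 {
  if (mode !== "enforce" || outcome === null) return tier1;
  const threat = outcome.verdict === "THREAT" && outcome.confidence >= 0.7;
  return tier1 === "QUARANTINE" && threat ? "BLOCK" : tier1;
}
```

Because the layer fails open, a verifier outage or a slow response leaves content at QUARANTINE rather than BLOCK, so alerting on repeated null outcomes is a reasonable companion control.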
Entities and relationships automatically extracted from memories:
- Pattern-based entity extraction (files, tools, languages, concepts, people, services)
- Entity resolution with fuzzy matching
- Subject-predicate-object triples
- Graph traversal and path finding
SQLite with FTS5 full-text search. Location: ~/.shieldcortex/memories.db
```sql
CREATE TABLE memories (
  id INTEGER PRIMARY KEY,
  type TEXT NOT NULL,            -- 'short_term', 'long_term', 'episodic'
  category TEXT,                 -- 'architecture', 'pattern', 'preference', etc.
  title TEXT NOT NULL,
  content TEXT NOT NULL,
  project TEXT,
  tags TEXT,                     -- JSON array
  salience REAL DEFAULT 0.5,
  access_count INTEGER DEFAULT 0,
  last_accessed TIMESTAMP,
  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  decayed_score REAL,
  metadata TEXT,                 -- JSON
  trust_score REAL,
  sensitivity_level TEXT,
  source TEXT                    -- JSON { type, identifier }
);

CREATE VIRTUAL TABLE memories_fts USING fts5(
  title, content, tags,
  content='memories',
  content_rowid='id'
);
```

```
shieldcortex/
├── src/
│   ├── index.ts                      # MCP server entry point
│   ├── server.ts                     # MCP server setup, tool definitions
│   ├── database/
│   │   └── init.ts                   # SQLite setup, schema, transactions
│   ├── memory/
│   │   ├── types.ts                  # Memory type definitions
│   │   ├── store.ts                  # Core CRUD operations, links
│   │   ├── salience.ts               # Salience scoring
│   │   ├── decay.ts                  # Temporal decay logic
│   │   ├── consolidate.ts            # STM → LTM consolidation
│   │   ├── similarity.ts             # Semantic similarity
│   │   ├── activation.ts             # Spreading activation
│   │   └── contradiction.ts          # Contradiction detection
│   ├── cloud/
│   │   ├── config.ts                 # Cloud + verify config (~/.shieldcortex/config.json)
│   │   ├── cli.ts                    # CLI flag handlers (cloud + verify)
│   │   ├── sync.ts                   # Fire-and-forget audit sync
│   │   └── verify.ts                 # LLM verification HTTP client (Tier 2)
│   ├── defence/
│   │   ├── pipeline.ts               # Orchestrates all layers (sync + async verify)
│   │   ├── types.ts                  # Defence type definitions
│   │   ├── firewall/
│   │   │   ├── index.ts              # Firewall orchestrator
│   │   │   ├── instruction-detector.ts
│   │   │   ├── privilege-detector.ts
│   │   │   ├── encoding-detector.ts
│   │   │   └── anomaly-scorer.ts
│   │   ├── trust/
│   │   │   ├── source-scorer.ts      # Trust hierarchy
│   │   │   └── recall-filter.ts      # Filter by trust on recall
│   │   ├── sensitivity/
│   │   │   ├── classifier.ts         # PUBLIC/INTERNAL/CONFIDENTIAL/RESTRICTED
│   │   │   ├── patterns.ts           # Detection patterns
│   │   │   └── redaction.ts          # Auto-redact secrets
│   │   ├── fragmentation/
│   │   │   ├── entity-extractor.ts
│   │   │   ├── temporal-analyzer.ts
│   │   │   └── assembly-detector.ts
│   │   ├── credential-leak/
│   │   │   └── index.ts              # 25+ credential patterns, entropy analysis
│   │   ├── audit/
│   │   │   ├── logger.ts             # Write audit entries
│   │   │   └── queries.ts            # Query audit trail
│   │   └── scanner/
│   │       └── scan-existing.ts      # Retroactive memory scanner
│   ├── integrations/
│   │   ├── langchain.ts              # ShieldCortexMemory + ShieldCortexGuard
│   │   └── index.ts
│   ├── graph/
│   │   ├── extract.ts                # Entity/triple extraction
│   │   ├── resolve.ts                # Entity resolution
│   │   └── backfill.ts               # Backfill existing memories
│   ├── api/
│   │   └── visualization-server.ts   # REST API + WebSocket + defence endpoints
│   ├── tools/
│   │   ├── remember.ts
│   │   ├── recall.ts
│   │   ├── forget.ts
│   │   ├── context.ts
│   │   └── graph.ts
│   ├── context/
│   │   └── project-context.ts        # Project auto-detection
│   ├── service/
│   │   ├── install.ts                # Cross-platform service installer
│   │   └── templates.ts              # launchd/systemd/Windows templates
│   ├── setup/
│   │   ├── migrate.ts                # Claude Cortex → ShieldCortex migration
│   │   ├── settings-hooks.ts         # Auto-configure hooks
│   │   └── doctor.ts                 # Installation health check
│   ├── worker/
│   │   └── brain-worker.ts           # Background processing
│   └── embeddings/
│       └── generator.ts              # Text embeddings
├── scripts/
│   ├── session-start-hook.mjs        # Auto-recall context
│   ├── pre-compact-hook.mjs          # Auto-extract before compaction
│   ├── session-end-hook.mjs          # Auto-extract on exit
│   └── stop-hook.mjs                 # Check last response (opt-in)
├── hooks/
│   └── openclaw/cortex-memory/       # OpenClaw hook
├── dashboard/                        # Next.js 3D brain visualization
├── package.json
├── tsconfig.json
└── README.md
```
- Max 100 STM, 1,000 LTM memories
- 10KB content limit per memory
- 100MB database hard limit
- Auto-consolidation every 4 hours
- Auto-vacuum after deletions
- Decay scores persisted every 5 minutes