release: v2.7.0 with memory defenses (#152)

Release ZettelForge 2.7.0 with write-time MemSAD memory defenses, governance configuration, documentation, telemetry compatibility, and regression coverage.

Author: rolandpg

CHANGELOG.md

@@ -6,8 +6,31 @@ Versioning follows [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [2.7.0] - 2026-05-26
+
+Security and OSINT release. Adds the RFC-016 OSINT layer and the first
+SEC-011 / MemSAD-inspired write-time memory-poisoning defense. No data
+migration is required. The new memory defense ships in audit mode by default.
+
 ### Added
 
+- **OSINT layer scaffold and Phase 1 collectors** (RFC-016). Adds
+  `zettelforge.osint` with infrastructure, breach, people, social, and
+  technology collector packages; OSINT ontology and relation extensions;
+  entity canonicalization helpers; collector registry; and tests covering
+  DNS, WHOIS, certificates, BGP, ports, breach, people, social, and tech
+  collector contracts. Optional runtime dependencies are available with
+  `pip install zettelforge[osint]`.
+- **Write-time memory anomaly defense** (SEC-011 / MemSAD). New
+  `MemoryAnomalyGate` scores candidate notes before persistence using
+  MemSAD-style max/mean embedding similarity against recent domain
+  calibration notes plus character n-gram Jensen-Shannon divergence to
+  reduce synonym/paraphrase evasion. Config lives under
+  `governance.memory_defense`; default mode is `audit`, with `block` and
+  `quarantine` available once a deployment has a clean calibration corpus.
+- **Quarantine path for rejected memory writes.** In `quarantine` mode,
+  flagged notes are written to JSONL forensic quarantine and are not exposed
+  to recall, entity lookup, LanceDB, or graph traversal.
 - **CrewAI integration** (issue #40). New optional extra
   `pip install zettelforge[crewai]` exposes `ZettelForgeRecallTool`,
   `ZettelForgeRememberTool`, and `ZettelForgeSynthesizeTool` as CrewAI
@@ -19,6 +42,23 @@ Versioning follows [Semantic Versioning](https://semver.org/).
   Tests gated on `pytest.importorskip("crewai")`; 11 pass against
   crewai 1.14.x.
 
+### Changed
+
+- **Telemetry attribution compatibility.** `caller` is now supported in
+  telemetry events while the previous `actor` field and method arguments
+  remain backward-compatible for existing dashboards and tests.
+- **Real LLM integration and performance tests are explicit opt-in.**
+  Set `ZETTELFORGE_RUN_LLM_INTEGRATION=1` or
+  `ZETTELFORGE_RUN_PERFORMANCE_TESTS=1` to run environment-sensitive suites.
+  The default regression suite is now deterministic on machines without
+  local LLM credentials or dedicated benchmark hardware.
+
+### Tests
+
+- Added focused memory-defense tests for insufficient calibration, audit-mode
+  anomaly detection, and quarantine writes.
+- Default regression gate: `742 passed, 13 skipped`.
+
 ## [2.6.2] - 2026-04-27
 
 UI/UX release. Fixes the `/config` page so the Apply button actually works

config.default.yaml

@@ -376,6 +376,10 @@ synthesis:
 #   ZETTELFORGE_PII_ACTION=redact
 #   ZETTELFORGE_LIMITS_MAX_CONTENT_LENGTH=104857600
 #   ZETTELFORGE_LIMITS_RECALL_TIMEOUT=60
+#   ZETTELFORGE_MEMORY_DEFENSE_ENABLED=true
+#   ZETTELFORGE_MEMORY_DEFENSE_MODE=audit       # audit | block | quarantine
+#   ZETTELFORGE_MEMORY_DEFENSE_MIN_CALIBRATION=50
+#   ZETTELFORGE_MEMORY_DEFENSE_KAPPA=2.0
 #
 governance:
   enabled: true
@@ -390,6 +394,17 @@ governance:
   limits:
     max_content_length: 52428800  # 50 MB, 0 = unlimited
     recall_timeout_seconds: 30.0  # seconds, 0 = unlimited
+  memory_defense:
+    enabled: true
+    mode: audit  # audit | block | quarantine
+    min_calibration_notes: 50
+    max_reference_notes: 50
+    kappa: 2.0
+    lexical_weight: 0.25
+    ngram_size: 3
+    monitored_domains: []  # empty = all domains
+    quarantine_path: ""  # default: <storage.data_dir>/quarantine/memory_anomalies.jsonl
+    quarantine_raw_content: true
 
 
 # ── LanceDB Maintenance (RFC-009 Phase 1.5) ─────────────────────────────────
@@ -487,4 +502,3 @@ web:
   enabled: true
   host: 0.0.0.0
   port: 8088
-

docs/reference/configuration.md

@@ -8,8 +8,8 @@ tags:
   - environment-variables
   - settings
   - deployment
-last_updated: "2026-04-25"
-version: "2.6.0"
+last_updated: "2026-05-26"
+version: "2.7.0"
 ---
 
 # Configuration Reference
@@ -264,6 +264,8 @@ class GovernanceConfig:
     enabled: bool = True
     min_content_length: int = 1
     pii: PIIConfig = field(default_factory=PIIConfig)
+    limits: LimitsConfig = field(default_factory=LimitsConfig)
+    memory_defense: MemoryDefenseConfig = field(default_factory=MemoryDefenseConfig)
 ```
 
 | Key | Type | Default | Env Override | Description |
@@ -309,6 +311,36 @@ class LimitsConfig:
 | `governance.limits.max_content_length` | `int` | `52428800` | `ZETTELFORGE_LIMITS_MAX_CONTENT_LENGTH` | Maximum content length in bytes for `remember()`. 0 = unlimited. 50 MB default. |
 | `governance.limits.recall_timeout_seconds` | `float` | `30.0` | `ZETTELFORGE_LIMITS_RECALL_TIMEOUT` | Maximum seconds for a recall() query. 0 = unlimited. |
 
+#### governance.memory_defense (SEC-011 / MemSAD)
+
+```python
+@dataclass
+class MemoryDefenseConfig:
+    enabled: bool = True
+    mode: str = "audit"
+    min_calibration_notes: int = 50
+    max_reference_notes: int = 50
+    kappa: float = 2.0
+    lexical_weight: float = 0.25
+    ngram_size: int = 3
+    monitored_domains: list[str] = field(default_factory=list)
+    quarantine_path: str = ""
+    quarantine_raw_content: bool = True
+```
+
+| Key | Type | Default | Env Override | Description |
+|:----|:-----|:--------|:-------------|:------------|
+| `governance.memory_defense.enabled` | `bool` | `True` | `ZETTELFORGE_MEMORY_DEFENSE_ENABLED` | Enable write-time memory-poisoning anomaly evaluation before notes are persisted or indexed. |
+| `governance.memory_defense.mode` | `str` | `audit` | `ZETTELFORGE_MEMORY_DEFENSE_MODE` | Policy for flagged writes: `audit` logs only, `block` rejects the write, `quarantine` writes a forensic JSONL record and rejects the write. |
+| `governance.memory_defense.min_calibration_notes` | `int` | `50` | `ZETTELFORGE_MEMORY_DEFENSE_MIN_CALIBRATION` | Minimum same-domain reference notes required before thresholding. Below this count, writes are allowed with `calibration_insufficient` audit metadata. |
+| `governance.memory_defense.max_reference_notes` | `int` | `50` | -- | Maximum recent same-domain reference notes used for calibration and scoring. |
+| `governance.memory_defense.kappa` | `float` | `2.0` | `ZETTELFORGE_MEMORY_DEFENSE_KAPPA` | Threshold multiplier: `mean + kappa * stddev` over calibration scores. |
+| `governance.memory_defense.lexical_weight` | `float` | `0.25` | -- | Weight applied to character n-gram Jensen-Shannon divergence, complementing embedding similarity against synonym/paraphrase evasion. |
+| `governance.memory_defense.ngram_size` | `int` | `3` | -- | Character n-gram size for lexical divergence. |
+| `governance.memory_defense.monitored_domains` | `list[str]` | `[]` | -- | Domains to evaluate. Empty list means every domain. |
+| `governance.memory_defense.quarantine_path` | `str` | `""` | -- | JSONL quarantine path. Empty uses `<storage.data_dir>/quarantine/memory_anomalies.jsonl`. |
+| `governance.memory_defense.quarantine_raw_content` | `bool` | `True` | -- | Include raw rejected content in quarantine records. Disable if quarantine storage is not approved for raw content. |
+
 ---
 
 ### web (RFC-015)