feat(vault): v1.1.0 — classification enforcement, lossless export, telemetry

GAP-1: DataClassification enforcement
  - CONFIDENTIAL/RESTRICTED content rejects cloud embedders (is_local=False)
  - is_local property added to EmbeddingProvider Protocol and all implementations
  - RESTRICTED resource reads emit audit events

GAP-2: Import/export content preservation (was data loss)
  - export_vault now includes chunk content in _chunks array
  - import_vault reconstructs content from chunks (lossless roundtrip)
  - Backward compatible: imports without _chunks fall back to name
  - Added export_vault/import_vault sync wrappers (were missing)

GAP-3: Telemetry integration
  - VaultTelemetry instantiated in AsyncVault.__init__
  - add() and search() operations tracked with _tracked() helper
  - Telemetry summary exposed in status() response
  - Tracks count, errors, avg/last latency per operation

16 new tests. Verified: ruff 0, mypy strict 0, 602 tests passing.

Author: bradleygauthier

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "qp-vault"
-version = "1.0.0"
+version = "1.1.0"
 description = "Governed knowledge store for autonomous organizations. Trust tiers, cryptographic audit trails, content-addressed storage, air-gap native."
 readme = "README.md"
 license = "Apache-2.0"

src/qp_vault/__init__.py

@@ -26,7 +26,7 @@
 Docs: https://github.com/quantumpipes/vault
 """
 
-__version__ = "1.0.0"
+__version__ = "1.1.0"
 __author__ = "Quantum Pipes Technologies, LLC"
 __license__ = "Apache-2.0"
 

src/qp_vault/core/resource_manager.py

@@ -139,6 +139,19 @@ async def add(
                 )
             )
 
+        # Enforce data classification: CONFIDENTIAL/RESTRICTED must use local embedder
+        if self._embedder and data_class in (
+            DataClassification.CONFIDENTIAL,
+            DataClassification.RESTRICTED,
+        ):
+            is_local = getattr(self._embedder, "is_local", True)
+            if not is_local:
+                from qp_vault.exceptions import VaultError
+                raise VaultError(
+                    f"Cannot use cloud embedder for {data_class.value} content. "
+                    "Use a local embedder (SentenceTransformerEmbedder) or NoopEmbedder."
+                )
+
         # Generate embeddings if provider available
         if self._embedder and chunks:
             texts_to_embed = [c.content for c in chunks]

src/qp_vault/embeddings/noop.py

@@ -21,6 +21,10 @@ class NoopEmbedder:
     def dimensions(self) -> int:
         return 0
 
+    @property
+    def is_local(self) -> bool:
+        return True
+
     async def embed(self, texts: list[str]) -> list[list[float]]:
         """Return empty embeddings (text-only mode)."""
         return [[] for _ in texts]

src/qp_vault/embeddings/openai.py

@@ -42,6 +42,10 @@ def __init__(
     def dimensions(self) -> int:
         return self._dimensions
 
+    @property
+    def is_local(self) -> bool:
+        return False
+
     async def embed(self, texts: list[str]) -> list[list[float]]:
         """Generate embeddings via OpenAI API."""
         response = await self._client.embeddings.create(

src/qp_vault/embeddings/sentence.py

@@ -38,6 +38,10 @@ def __init__(self, model_name: str = "all-MiniLM-L6-v2") -> None:
     def dimensions(self) -> int:
         return int(self._dimensions or 0)
 
+    @property
+    def is_local(self) -> bool:
+        return True
+
     async def embed(self, texts: list[str]) -> list[list[float]]:
         """Generate embeddings for a batch of texts."""
         embeddings = self._model.encode(texts, convert_to_numpy=True)

src/qp_vault/protocols.py

@@ -173,6 +173,15 @@ class EmbeddingProvider(Protocol):
     @property
     def dimensions(self) -> int: ...
 
+    @property
+    def is_local(self) -> bool:
+        """Whether this embedder runs locally (no network calls).
+
+        Used to enforce DataClassification: CONFIDENTIAL/RESTRICTED content
+        must not be sent to cloud embedding services.
+        """
+        return True
+
     async def embed(self, texts: list[str]) -> list[list[float]]: ...
 
 

src/qp_vault/vault.py

@@ -221,6 +221,10 @@ def __init__(
 
         self._initialized = False
 
+        # Telemetry: operation tracking
+        from qp_vault.telemetry import VaultTelemetry
+        self._telemetry = VaultTelemetry()
+
         # TTL cache for expensive operations (health, status)
         self._cache: dict[str, tuple[float, Any]] = {}
 
@@ -294,6 +298,20 @@ def _resolve_tenant(self, tenant_id: str | None) -> str | None:
             )
         return tenant_id
 
+    async def _tracked(self, operation: str, coro: Any) -> Any:
+        """Run a coroutine with telemetry tracking."""
+        import time as _time
+        start = _time.monotonic()
+        error = False
+        try:
+            return await coro
+        except Exception:
+            error = True
+            raise
+        finally:
+            duration = (_time.monotonic() - start) * 1000
+            self._telemetry.record(operation, duration, error=error)
+
     # --- Resource Operations ---
 
     async def add(
@@ -436,7 +454,7 @@ async def add(
             if membrane_result.recommended_status.value == "quarantined":
                 _quarantine = True
 
-        resource = await self._resource_manager.add(
+        resource: Resource = await self._tracked("add", self._resource_manager.add(
             text,
             name=name,
             trust_tier=trust_tier,
@@ -449,7 +467,7 @@ async def add(
             valid_from=valid_from,
             valid_until=valid_until,
             tenant_id=tenant_id,
-        )
+        ))
 
         # If Membrane flagged content, mark as quarantined + suspicious
         if _quarantine:
@@ -468,7 +486,21 @@ async def add(
     async def get(self, resource_id: str) -> Resource:
         """Get a single resource by ID."""
         await self._ensure_initialized()
-        return await self._resource_manager.get(resource_id)
+        resource = await self._resource_manager.get(resource_id)
+
+        # Audit reads on RESTRICTED resources
+        if resource.data_classification == DataClassification.RESTRICTED:
+            from qp_vault.enums import EventType
+            from qp_vault.models import VaultEvent
+            await self._auditor.record(VaultEvent(
+                event_type=EventType.SEARCH,
+                resource_id=resource_id,
+                resource_name=resource.name,
+                resource_hash=resource.content_hash,
+                details={"classification": "restricted", "operation": "get"},
+            ))
+
+        return resource
 
     async def get_multiple(self, resource_ids: list[str]) -> list[Resource]:
         """Get multiple resources by ID in a single query.
@@ -819,7 +851,7 @@ async def search(
         )
 
         # Get raw results from storage (with timeout protection)
-        raw_results = await self._with_timeout(self._storage.search(search_query))
+        raw_results = await self._tracked("search", self._with_timeout(self._storage.search(search_query)))
 
         # Apply trust weighting with optional layer boost
         weighted = apply_trust_weighting(raw_results, self.config, layer_boost=_layer_boost)
@@ -1078,10 +1110,18 @@ async def export_vault(self, path: str | Path) -> dict[str, Any]:
         await self._ensure_initialized()
         self._check_permission("export_vault")
         resources: list[Resource] = await self._list_all_bounded()
+        export_resources = []
+        for r in resources:
+            r_dict = r.model_dump(mode="json")
+            # Include chunk content for lossless roundtrip
+            chunks = await self._storage.get_chunks_for_resource(r.id)
+            sorted_chunks = sorted(chunks, key=lambda c: c.chunk_index)
+            r_dict["_chunks"] = [{"content": c.content, "cid": c.cid} for c in sorted_chunks]
+            export_resources.append(r_dict)
         data = {
-            "version": "1.0.0",
+            "version": "1.1.0",
             "resource_count": len(resources),
-            "resources": [r.model_dump(mode="json") for r in resources],
+            "resources": export_resources,
         }
         out = Path(path)
         out.parent.mkdir(parents=True, exist_ok=True)
@@ -1103,11 +1143,17 @@ async def import_vault(self, path: str | Path) -> list[Resource]:
         data = _json.loads(Path(path).read_text())
         imported = []
         for r_data in data.get("resources", []):
-            content = r_data.get("name", "imported")
+            # Reconstruct content from chunks (lossless) or fall back to name
+            chunks_data = r_data.get("_chunks", [])
+            if chunks_data:
+                content = "\n\n".join(c["content"] for c in chunks_data)
+            else:
+                content = r_data.get("name", "imported")
             resource = await self.add(
                 content,
                 name=r_data.get("name", "imported"),
                 trust_tier=r_data.get("trust_tier", "working"),
+                classification=r_data.get("data_classification", "internal"),
                 tags=r_data.get("tags", []),
                 metadata=r_data.get("metadata", {}),
             )
@@ -1164,6 +1210,7 @@ async def status(self) -> dict[str, Any]:
             "layer_details": layer_stats,
             "vault_path": str(self.path),
             "backend": "sqlite",
+            "telemetry": self._telemetry.summary(),
         }
         self._cache_set(cache_key, result)
         return result
@@ -1364,6 +1411,15 @@ def status(self) -> dict[str, Any]:
         result: dict[str, Any] = _run_async(self._async.status())
         return result
 
+    def export_vault(self, path: str | Path) -> dict[str, Any]:
+        """Export the vault to a JSON file."""
+        result: dict[str, Any] = _run_async(self._async.export_vault(path))
+        return result
+
+    def import_vault(self, path: str | Path) -> list[Resource]:
+        """Import resources from an exported vault JSON file."""
+        return cast("list[Resource]", _run_async(self._async.import_vault(path)))
+
     def register_embedder(self, embedder: EmbeddingProvider) -> None:
         """Register a custom embedding provider."""
         self._async.register_embedder(embedder)