feat(vault): v0.16.0 — Membrane ADAPTIVE_SCAN (LLM-based screening)

Stage 3 of 8 in the Membrane pipeline. Detects adversarial content
that regex patterns miss: obfuscated injection, encoded payloads,
social engineering, semantic manipulation.

New files:
- protocols.py: LLMScreener Protocol + ScreeningResult dataclass
- membrane/adaptive_scan.py: AdaptiveScanConfig + run_adaptive_scan()
- membrane/screeners/ollama.py: OllamaScreener (air-gap safe)
- tests/test_adaptive_scan.py: 23 tests (mock screeners, pipeline)

Key design:
- Optional: no LLM = stage skipped (air-gap safe by default)
- Protocol-based: any LLM backend (Ollama, Claude, GPT, vLLM)
- Cost-bounded: content truncated to 4000 chars (configurable)
- Error-tolerant: LLM failure results in SKIP, never blocks ingestion
- Hardened prompt: content in <document> block, separated from instructions
- Aggregate risk: pipeline reports max risk_score across all stages

Usage:
  from qp_vault.membrane.screeners.ollama import OllamaScreener
  vault = Vault("./kb", llm_screener=OllamaScreener())

Verified: ruff 0, mypy strict 0, 543 tests passing.

Author: bradleygauthier

CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.16.0] - 2026-04-06
+
+### Added
+- **Membrane ADAPTIVE_SCAN**: LLM-based semantic content screening (Stage 3 of 8). Detects obfuscated prompt injection, encoded payloads, social engineering, and semantic attacks that regex patterns miss
+- **LLMScreener Protocol**: Pluggable interface for any LLM backend. Implements structural subtyping (same pattern as EmbeddingProvider)
+- **OllamaScreener**: Air-gap-safe screener using local Ollama instance. Hardened system prompt isolates content-under-review from instructions
+- **ScreeningResult dataclass**: Structured result with risk_score (0.0-1.0), reasoning, and flags list
+- `llm_screener` parameter on `Vault()` and `AsyncVault()` constructors
+- Aggregate risk scoring in MembranePipelineStatus (max of non-skipped stages)
+
+### Security
+- Adaptive scan is optional: without an `llm_screener`, the stage SKIPs (no LLM dependency required)
+- Content truncated to configurable max (default 4000 chars) before LLM evaluation
+- LLM errors are caught and result in SKIP (never blocks ingestion due to LLM failure)
+- System prompt hardened: content placed in `<document>` block, explicit instruction not to follow commands within it
+
 ## [0.15.0] - 2026-04-06
 
 ### Security
@@ -222,7 +238,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Max file size enforcement (configurable)
 - Content null byte stripping on ingest
 
-[unreleased]: https://github.com/quantumpipes/vault/compare/v0.15.0...HEAD
+[unreleased]: https://github.com/quantumpipes/vault/compare/v0.16.0...HEAD
+[0.16.0]: https://github.com/quantumpipes/vault/compare/v0.15.0...v0.16.0
 [0.15.0]: https://github.com/quantumpipes/vault/compare/v0.14.0...v0.15.0
 [0.14.0]: https://github.com/quantumpipes/vault/compare/v0.13.0...v0.14.0
 [0.13.0]: https://github.com/quantumpipes/vault/compare/v0.12.0...v0.13.0

README.md

@@ -8,7 +8,7 @@ Every document has a trust tier that weights search results. Every chunk has a S
 
 [![Python](https://img.shields.io/badge/Python-3.12+-3776AB.svg)](https://www.python.org/)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Tests](https://img.shields.io/badge/Tests-520_passing-brightgreen.svg)](tests/)
+[![Tests](https://img.shields.io/badge/Tests-543_passing-brightgreen.svg)](tests/)
 [![Crypto](https://img.shields.io/badge/Crypto-SHA3--256%20%C2%B7%20AES--256--GCM%20%C2%B7%20ML--KEM--768%20%C2%B7%20ML--DSA--65-purple.svg)](#security)
 
 </div>

docs/membrane.md

@@ -66,13 +66,47 @@ status = await pipeline.screen("This is confidential information")
 # status.overall_result == MembraneResult.FLAG
 ```
 
+## Adaptive Scan (LLM-Based)
+
+The adaptive scan uses an LLM to detect attacks that regex cannot: obfuscated injection, encoded payloads, social engineering, semantic manipulation.
+
+```python
+from qp_vault import Vault
+from qp_vault.membrane.screeners.ollama import OllamaScreener
+
+# Local LLM screening (air-gap safe)
+vault = Vault("./knowledge", llm_screener=OllamaScreener(model="llama3.2"))
+
+vault.add("Normal document")           # Passes both innate + adaptive
+vault.add("Ign0r3 pr3v!ous rules")    # Caught by adaptive (obfuscated)
+```
+
+The adaptive scan is optional. Without an `llm_screener`, the stage is skipped and only innate (regex) scanning runs. Content is truncated to 4000 chars before sending to the LLM (configurable).
+
+Custom screeners implement the `LLMScreener` Protocol:
+
+```python
+from qp_vault.protocols import LLMScreener, ScreeningResult
+
+class MyScreener:
+    async def screen(self, content: str) -> ScreeningResult:
+        # Your LLM logic here
+        return ScreeningResult(risk_score=0.1, reasoning="Safe", flags=[])
+
+vault = Vault("./knowledge", llm_screener=MyScreener())
+```
+
+<!-- VERIFIED: membrane/adaptive_scan.py:1-98 — run_adaptive_scan -->
+<!-- VERIFIED: membrane/screeners/ollama.py:1-130 — OllamaScreener -->
+<!-- VERIFIED: vault.py:140-215 — llm_screener parameter wiring -->
+
 ## Stages
 
 | Stage | Status | Purpose |
 |-------|--------|---------|
 | INGEST | Implemented | Accept resource (vault.add) |
-| INNATE_SCAN | **Implemented** | Pattern-based detection |
-| ADAPTIVE_SCAN | Planned | LLM-based semantic screening |
+| INNATE_SCAN | **Implemented** | Pattern-based detection (regex blocklists) |
+| ADAPTIVE_SCAN | **Implemented** | LLM-based semantic screening (optional) |
 | CORRELATE | Planned | Cross-document contradiction detection |
 | RELEASE | **Implemented** | Risk-proportionate gating |
 | SURVEIL | Planned | Query-time re-evaluation |

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "qp-vault"
-version = "0.15.0"
+version = "0.16.0"
 description = "Governed knowledge store for autonomous organizations. Trust tiers, cryptographic audit trails, content-addressed storage, air-gap native."
 readme = "README.md"
 license = "Apache-2.0"

src/qp_vault/__init__.py

@@ -26,7 +26,7 @@
 Docs: https://github.com/quantumpipes/vault
 """
 
-__version__ = "0.15.0"
+__version__ = "0.16.0"
 __author__ = "Quantum Pipes Technologies, LLC"
 __license__ = "Apache-2.0"
 
@@ -69,8 +69,10 @@
 from qp_vault.protocols import (
     AuditProvider,
     EmbeddingProvider,
+    LLMScreener,
     ParserProvider,
     PolicyProvider,
+    ScreeningResult,
     StorageBackend,
 )
 
@@ -111,6 +113,8 @@
     "AuditProvider",
     "ParserProvider",
     "PolicyProvider",
+    "LLMScreener",
+    "ScreeningResult",
     # Exceptions
     "VaultError",
     "StorageError",

src/qp_vault/membrane/adaptive_scan.py

@@ -0,0 +1,102 @@
+# Copyright 2026 Quantum Pipes Technologies, LLC
+# SPDX-License-Identifier: Apache-2.0
+
+"""Adaptive scan: LLM-based semantic content screening.
+
+Uses a pluggable LLMScreener to detect adversarial content that regex
+patterns cannot catch: obfuscated prompt injection, encoded payloads,
+social engineering, and semantic attacks. Air-gap safe when backed by
+a local LLM (Ollama, vLLM).
+
+The adaptive scan runs after innate_scan and before the release gate.
+If no LLMScreener is configured, the stage is skipped (SKIP result).
+"""
+
+from __future__ import annotations
+
+import time
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING
+
+from qp_vault.enums import MembraneResult, MembraneStage
+from qp_vault.models import MembraneStageRecord
+
+if TYPE_CHECKING:
+    from qp_vault.protocols import LLMScreener
+
+_DEFAULT_MAX_CONTENT_LENGTH = 4000  # Chars sent to LLM (cost/latency bound)
+_DEFAULT_RISK_THRESHOLD = 0.7  # >= this score triggers FLAG
+
+
+@dataclass
+class AdaptiveScanConfig:
+    """Configuration for the adaptive scan stage."""
+
+    screener: LLMScreener | None = None
+    max_content_length: int = _DEFAULT_MAX_CONTENT_LENGTH
+    risk_threshold: float = _DEFAULT_RISK_THRESHOLD
+    flag_categories: list[str] = field(default_factory=lambda: [
+        "prompt_injection",
+        "jailbreak",
+        "encoded_payload",
+        "social_engineering",
+        "data_exfiltration",
+        "instruction_override",
+    ])
+
+
+async def run_adaptive_scan(
+    content: str,
+    config: AdaptiveScanConfig | None = None,
+) -> MembraneStageRecord:
+    """Run LLM-based adaptive scan on content.
+
+    Args:
+        content: The text content to screen.
+        config: Adaptive scan configuration (includes LLMScreener).
+
+    Returns:
+        MembraneStageRecord with PASS, FLAG, or SKIP result.
+    """
+    if config is None or config.screener is None:
+        return MembraneStageRecord(
+            stage=MembraneStage.ADAPTIVE_SCAN,
+            result=MembraneResult.SKIP,
+            reasoning="No LLM screener configured, stage skipped",
+        )
+
+    # Truncate content for cost/latency
+    scan_content = content[:config.max_content_length]
+
+    start = time.monotonic()
+    try:
+        screening = await config.screener.screen(scan_content)
+    except Exception as e:
+        # LLM failure should not block ingestion; log and skip
+        return MembraneStageRecord(
+            stage=MembraneStage.ADAPTIVE_SCAN,
+            result=MembraneResult.SKIP,
+            reasoning=f"LLM screener error: {type(e).__name__}",
+            duration_ms=int((time.monotonic() - start) * 1000),
+        )
+
+    duration_ms = int((time.monotonic() - start) * 1000)
+
+    if screening.risk_score >= config.risk_threshold:
+        return MembraneStageRecord(
+            stage=MembraneStage.ADAPTIVE_SCAN,
+            result=MembraneResult.FLAG,
+            risk_score=screening.risk_score,
+            reasoning=screening.reasoning,
+            matched_patterns=screening.flags or [],
+            duration_ms=duration_ms,
+        )
+
+    return MembraneStageRecord(
+        stage=MembraneStage.ADAPTIVE_SCAN,
+        result=MembraneResult.PASS,  # nosec B105
+        risk_score=screening.risk_score,
+        reasoning=screening.reasoning,
+        matched_patterns=screening.flags or [],
+        duration_ms=duration_ms,
+    )

src/qp_vault/membrane/pipeline.py

@@ -4,39 +4,49 @@
 """Membrane Pipeline: orchestrates multi-stage content screening.
 
 Runs content through the Membrane stages:
-1. INNATE_SCAN — pattern-based detection (regex, blocklists)
-2. RELEASE — risk-proportionate gating decision
+1. INNATE_SCAN: pattern-based detection (regex, blocklists)
+2. ADAPTIVE_SCAN: LLM-based semantic screening (optional, requires LLMScreener)
+3. RELEASE: risk-proportionate gating decision
 
-Future stages (adaptive scan, correlate, surveil, present, remember)
-will be added as the pipeline matures.
+Stages are sequential. Each produces a MembraneStageRecord. The release
+gate aggregates all prior results into a final pass/quarantine/reject decision.
 """
 
 from __future__ import annotations
 
+from typing import TYPE_CHECKING
+
 from qp_vault.enums import MembraneResult, MembraneStage, ResourceStatus
 from qp_vault.membrane.innate_scan import InnateScanConfig, run_innate_scan
 from qp_vault.membrane.release_gate import evaluate_release
 from qp_vault.models import MembranePipelineStatus, MembraneStageRecord
 
+if TYPE_CHECKING:
+    from qp_vault.membrane.adaptive_scan import AdaptiveScanConfig
+
 
 class MembranePipeline:
     """Membrane pipeline.
 
     Screens content through multiple stages before allowing indexing.
-    Content that fails screening is quarantined.
+    Content that fails screening is rejected. Flagged content is quarantined.
 
     Args:
         innate_config: Configuration for the innate scan stage.
+        adaptive_config: Configuration for the adaptive (LLM) scan stage.
+                        If None or screener is None, adaptive scan is skipped.
         enabled: Whether Membrane screening is active. Default True.
     """
 
     def __init__(
         self,
         *,
         innate_config: InnateScanConfig | None = None,
+        adaptive_config: AdaptiveScanConfig | None = None,
         enabled: bool = True,
     ) -> None:
         self._innate_config = innate_config
+        self._adaptive_config = adaptive_config
         self._enabled = enabled
 
     async def screen(self, content: str) -> MembranePipelineStatus:
@@ -63,23 +73,33 @@ async def screen(self, content: str) -> MembranePipelineStatus:
 
         stages: list[MembraneStageRecord] = []
 
-        # Stage 1: Innate scan
+        # Stage 1: Innate scan (regex patterns)
         innate_result = await run_innate_scan(content, self._innate_config)
         stages.append(innate_result)
 
-        # Stage 2: Release gate
+        # Stage 2: Adaptive scan (LLM-based, optional)
+        from qp_vault.membrane.adaptive_scan import run_adaptive_scan
+        adaptive_result = await run_adaptive_scan(content, self._adaptive_config)
+        stages.append(adaptive_result)
+
+        # Stage 3: Release gate (aggregates all prior results)
         release_result = await evaluate_release(stages)
         stages.append(release_result)
 
         # Determine overall result and recommended status
         overall = release_result.result
-        if overall == MembraneResult.FAIL or overall == MembraneResult.FLAG:
+        if overall in (MembraneResult.FAIL, MembraneResult.FLAG):
             status = ResourceStatus.QUARANTINED
         else:
             status = ResourceStatus.INDEXED
 
+        # Compute aggregate risk score from non-skipped stages
+        risk_scores = [s.risk_score for s in stages if s.result != MembraneResult.SKIP]
+        aggregate_risk = max(risk_scores) if risk_scores else 0.0
+
         return MembranePipelineStatus(
             stages=stages,
             overall_result=overall,
             recommended_status=status,
+            aggregate_risk_score=aggregate_risk,
         )

src/qp_vault/membrane/screeners/__init__.py

@@ -0,0 +1,4 @@
+# Copyright 2026 Quantum Pipes Technologies, LLC
+# SPDX-License-Identifier: Apache-2.0
+
+"""LLM screener implementations for Membrane ADAPTIVE_SCAN."""