Quarantine Audit

Complete Workflow

Step 1: Identify Files for Quarantine

Files that should be quarantined:

• Duplicate files
• Obsolete/unused files
• Files marked for deletion
• High-risk files (suspicious, corrupted)

Example:

# Files identified for deletion
$filesToQuarantine = @(
    "C:\inventory_master\00_INBOX\duplicate_file.pdf",
    "C:\inventory_master\10_WORK\obsolete_doc.docx"
)

Step 2: Create Quarantine Plan

Use plan-gated-apply skill with quarantine action type:

{
  "plan_id": "2026-01-28T10:00:00__QUARANTINE-001",
  "policy": {
    "allow_delete": false,
    "require_hash_verify": true,
    "require_dry_run": true,
    "max_actions": 200
  },
  "actions": [
    {
      "id": "Q-001",
      "type": "quarantine",
      "src": "00_INBOX/duplicate_file.pdf",
      "dst": "99_QUARANTINE/2026-01-28/duplicate_file.pdf",
      "reason": "Duplicate file identified",
      "precheck": {"exists": true, "size_bytes": 1234567},
      "postcheck": {"exists": true, "size_bytes": 1234567}
    }
  ]
}

Step 3: Execute Quarantine (Plan→Approve→Apply)

Follow standard plan-gated-apply workflow:

# 1. Generate plan
python -m inventory_master plan --root "C:\inventory_master\" --quarantine

# 2. Review plan
cat _meta\plans\plan_2026-01-28__QUARANTINE-001.json

# 3. Approve (human gate)
python -m inventory_master approve --plan "_meta\plans\plan_2026-01-28__QUARANTINE-001.json"

# 4. Dry-run
python -m inventory_master apply --plan "_meta\plans\plan_2026-01-28__QUARANTINE-001.json" --dry-run

# 5. Apply
python -m inventory_master apply --plan "_meta\plans\plan_2026-01-28__QUARANTINE-001.json"

Step 4: Audit Trail

All quarantine operations are logged:

Location: _meta/audit/audit.jsonl (append-only)

Format:

{
  "timestamp": "2026-01-28T10:00:00+04:00",
  "operation": "quarantine",
  "plan_id": "2026-01-28T10:00:00__QUARANTINE-001",
  "action_id": "Q-001",
  "src": "00_INBOX/duplicate_file.pdf",
  "dst": "99_QUARANTINE/2026-01-28/duplicate_file.pdf",
  "reason": "Duplicate file identified",
  "hash_before": "sha256:abc123...",
  "hash_after": "sha256:abc123...",
  "verified": true
}

Step 5: Snapshot Evidence

Before/after snapshots saved:

Location: _meta/snapshots/

Files:

• before_2026-01-28T10:00:00__QUARANTINE-001.json
• after_2026-01-28T10:00:00__QUARANTINE-001.json

Purpose: Recovery evidence, integrity verification

30-Day Retention Policy

Quarantine Structure

99_QUARANTINE/
├── 2026-01-28/          # Date-based organization
│   ├── duplicate_file.pdf
│   └── obsolete_doc.docx
├── 2026-01-15/          # Older quarantine (can be reviewed)
└── README.md            # Policy reminder

Review Process (After 30 Days)

# 1. List files older than 30 days
Get-ChildItem "99_QUARANTINE\" -Recurse | 
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) }

# 2. Review each file
# - Verify no longer needed
# - Check audit trail
# - Confirm safe to delete

# 3. Create deletion plan (after 30 days)
# Use plan-gated-apply with allow_delete=true (special approval)

Permanent Deletion (After 30 Days)

Special approval required:

• 30-day period must have elapsed
• Human review completed
• Audit trail verified
• Explicit approval token created

{
  "plan_id": "2026-02-28T10:00:00__DELETE-001",
  "policy": {
    "allow_delete": true,  // Special approval required
    "quarantine_period_elapsed": true,
    "reviewed_by": "human",
    "require_hash_verify": true
  },
  "actions": [
    {
      "id": "D-001",
      "type": "delete",
      "src": "99_QUARANTINE/2026-01-28/duplicate_file.pdf",
      "reason": "30-day quarantine period elapsed, reviewed and approved for deletion"
    }
  ]
}

Evidence Requirements

Audit Log (Append-Only)

• File: _meta/audit/audit.jsonl
• Format: JSONL (one JSON object per line)
• Requirement: Never modify, only append
• Content: All operations with timestamps, hashes, verification

Snapshots

• Location: _meta/snapshots/
• Format: JSON manifest files
• Content: Before/after file lists, hashes, metadata
• Purpose: Recovery and integrity verification

Approval Tokens

• Location: _meta/approvals/
• Format: APPROVED__<plan_id>.token
• Purpose: Human gate evidence

Risk Assessment

Low Risk

• Duplicate files (verified)
• Obsolete documentation
• Temporary files

Medium Risk

• User-created content
• Configuration files
• Log files

High Risk

• System files
• Database files
• Encrypted files
• Files with unknown origin

High-risk files: Require additional review before quarantine

Rollback Process

If quarantine was incorrect:

# 1. Find original location from audit log
# Check: _meta/audit/audit.jsonl

# 2. Create restore plan
python -m inventory_master plan --restore --from-quarantine "99_QUARANTINE/2026-01-28/duplicate_file.pdf"

# 3. Review and approve restore plan
python -m inventory_master approve --plan "_meta\plans\plan_restore_*.json"

# 4. Apply restore
python -m inventory_master apply --plan "_meta\plans\plan_restore_*.json"

Output

Success Output

✅ Quarantine Complete

Quarantined files:
- 00_INBOX/duplicate_file.pdf → 99_QUARANTINE/2026-01-28/duplicate_file.pdf
- 10_WORK/obsolete_doc.docx → 99_QUARANTINE/2026-01-28/obsolete_doc.docx

Audit trail:
- Logged in: _meta/audit/audit.jsonl
- Snapshots: _meta/snapshots/before_*.json, after_*.json

Next steps:
- Files will be held for 30 days
- Review after 30 days for permanent deletion
- Use audit-query skill to review operations

Risk Warning Output

⚠️ High-Risk Quarantine Detected

Files with high risk:
- system_config.json (system file)
- database_backup.db (database file)

Recommendations:
1. Verify these files are safe to quarantine
2. Create backup before quarantine
3. Review audit trail carefully
4. Consider additional approval

Proceed with caution!

Integration Points

• Works with plan-gated-apply skill (quarantine action type)
• Uses audit-query skill for reviewing operations
• Uses snapshot-verify skill for integrity checks
• Enforces agents.md safety policies

Related Skills

• plan-gated-apply - Execute quarantine operations
• audit-query - Review audit trail
• snapshot-verify - Verify snapshot integrity

Troubleshooting

Quarantine Directory Full

• Issue: 99_QUARANTINE/ directory growing large
• Solution: Review and delete files older than 30 days
• Solution: Archive old quarantine to 90_ARCHIVE/

Audit Log Missing

• Issue: Audit log not created
• Solution: Verify _meta/audit/ directory exists
• Solution: Check write permissions

Hash Verification Fails

• Issue: Hash mismatch after quarantine
• Solution: Do not proceed with operation
• Solution: Investigate file corruption or modification
• Solution: Use snapshot to verify original state