Page Title: Oracle Engine & Shield Defense (TEM Stack)
Summary: The Oracle Engine provides structured reason → decide → act chains, while Shield and TEM form the defensive veil. Together they detect threats, log them to the proof system, and (optionally) orchestrate responses across shield-vm, lab nodes, and the wider mesh.

Key Findings:
- Oracle chains decisions through explicit reasoning steps, not opaque actions.
- Every significant decision can emit receipts into the proof spine.
- Shield monitors multiple vectors (network, process, file, device, etc.).
- Response levels span from passive logging to active isolation or countermeasures.
- Agent tasks allow scheduled or triggered operations (e.g., periodic scans).

Components:
- Oracle Reasoning Engine.
- Oracle Decision System.
- Tactical Chain Executor.
- Shield Monitor (sensors).
- Shield Responder (actions).
- TEM daemon (threat transmutation logic).
- Agent Task Scheduler.

Oracle Tools:
| Tool                   | Purpose                              |
|------------------------|--------------------------------------|
| oracle_status          | Node status and capabilities         |
| oracle_reason          | Analyze situation, propose actions   |
| oracle_decide          | Make autonomous decision             |
| oracle_tactical_chain  | Full reason → decide → act chain     |

Oracle Tactical Chain Flow:
1. **Context**: Collect current state (logs, metrics, alerts, lawchain state).
2. **Reason**: `oracle_reason` produces candidate actions with justifications.
3. **Decide**: `oracle_decide` selects an action based on risk tolerance and constraints.
4. **Act**: Execute playbooks, or keep in dry-run mode for simulation.
5. **Prove**: Generate a receipt and anchor via proof system (optional but recommended).

Shield Monitor Vectors:
| Vector    | Detection Capability           |
|-----------|--------------------------------|
| network   | Port scans, unusual flows      |
| wifi      | Rogue APs, deauth attempts     |
| bluetooth | Device enumeration/anomalies   |
| usb       | Storage/HID abuse              |
| process   | Suspicious binaries, behavior  |
| file      | Unauthorized modifications     |

Shield Response Levels:
| Level   | Action                                 |
|---------|----------------------------------------|
| log     | Record event only                      |
| alert   | Notify operator (Slack/email/etc.)     |
| block   | Prevent connection/action              |
| isolate | Quarantine node/container/service      |
| counter | Active response (e.g., honeypots)      |

Agent Tasks:
```json
{
  "name": "scheduled_scan",
  "trigger": {
    "type": "schedule",
    "config": {"cron": "0 */6 * * *"}
  },
  "actions": [
    {"tool": "shield_monitor", "args": {"vectors": ["network", "wifi"]}},
    {"tool": "oracle_tactical_chain", "args": {"dry_run": true}}
  ],
  "on_complete": "mesh_broadcast"
}
```

Security Notes:
- Dry-run mode is default for dangerous operations; production actions require explicit opt-in.
- Risk tolerance levels gate what Shield/TEM may do without human approval.
- All automated decisions can be bound to receipts for post-incident audit.

MCP / Mesh Tools:
- oracle_status, oracle_reason, oracle_decide, oracle_tactical_chain
- shield_status, shield_monitor, shield_respond
- Agent task management: agent_task, agent_list, agent_cancel

Dependencies:
- OffSec MCP server running on shield-vm/lab nodes.
- Proof system enabled for Oracle and Shield receipts.
- Integrations with metrics (Prometheus) and observability (Grafana).