One Ed25519-signed directed acyclic graph linking findings across all 78 NIGHTFALL tools. Replaces 78 disjoint evidence files with one cryptographically integral graph. Queryable. Mergeable. Verifiable.
Every engagement produces evidence from many NIGHTFALL tools — BOUNDARY scans the model, SHROUD finds origin servers, POLTERGEIST exploits the web stack, SPECTER ATLAS attacks the operator API, SPECTER MEMETIC hijacks agent memory. Each tool emits its own signed report. Cross-tool attack paths exist only in the operator's head and the final-report PDF. CAMPAIGN GRAPH is the source of truth: one DAG, one signature, one merge protocol. Every finding lives on the same graph keyed by shared entities. Every causal edge is recorded. Every byte is hash-chained. KPMG, IETF, and law-enforcement disclosure pipelines consume one artefact instead of N.
BFS reachability, weighted Dijkstra shortest-path, severity / time / entity / tool filters, longest-severity critical path. Output as JSON, DOT (Graphviz), or HTML. Sub-200ms on 10K nodes / 50K edges with WAL-mode SQLite and pre-built adjacency index.
04 / EXPORT
Signed Bundle Emission
OPEN GATE
Compiles the full DAG into one Ed25519-signed JSON file. Summary statistics, top entities, ingest log, critical path, and an embedded base64 Graphviz SVG of the campaign. Real cryptographic signature with PEM-encoded public key and SHA-256 fingerprint.
05 / VERIFY
Integrity Validation
OPEN GATE
Re-hashes every node, walks the hash chain from genesis, re-validates the Ed25519 signature on the bundle. Detects byte-level tamper of any node, edge, or signature field. Verifies live SQLite stores and offline JSON bundles. Same cryptographic guarantees in both paths.
06 / MERGE
Multi-Bundle Combination
INJECT / DESTROY GATE
Combines two or more signed bundles into a fresh signed campaign. Signature-gated — refuses to merge any bundle that fails verification. Conflict resolution by newer timestamp; --force (DESTROY tier) for manual override. Append-only signature history preserves provenance.
Tools That Plug In
Adapter Coverage Across the 78-Tool Fleet
Six tool-specific adapters cover the existing evidence formats. Every other tool plugs in through the generic NIGHTFALL adapter that consumes the canonical schema. Adding a new tool means one canonical report shape — no new adapter code required for tools that emit findings[] with finding_id, target, severity, timestamp, confidence.
BOUNDARY
SHROUD
POLTERGEIST
SPECTER DARK
JUSTICE
KAMIKAZE
+ Generic T1-T78
Operator Workflow
Six Commands, One Campaign
# 1. Generate operator Ed25519 keypair
$ campaign-graph keygen --out ./keys
keypair written → fingerprint: 50868368...ea514041

# 2. Initialise a campaign DB
$ campaign-graph --db campaign.db --clearance FORGE init
campaign_id: CG-bd9529b9-f021-43b7-82af-c830082659b3

# 3. Ingest reports from real NIGHTFALL tools
$ campaign-graph --db campaign.db --clearance FORGE ingest \
    reports/BND-1778098159.json \
    shroud_SHD-RPT-15E4EC76.json \
    poltergeist-3e7570df.json \
    specter-dark-hidden_recon.json --allow-unsigned
ingested 6 reports across 6 tools → 11 nodes, 346 entities

# 4. Auto-link by shared entity
$ campaign-graph --db campaign.db --clearance FORGE link auto
auto_added=2 edges

# 5. Sign and export the campaign bundle
$ campaign-graph --db campaign.db export campaign-final.json
exported → nodes=11 edges=7 entities=346

# 6. Verify the bundle anywhere
$ campaign-graph verify --file campaign-final.json
{ "ok": true, "signature_ok": true, "chain_ok": true }
UNLEASHED Clearance Model
Operator Authorisation Per Stage
TIER 1
OBSERVE
READ-ONLY
query, verify, status. Export still signs but cannot ingest new evidence at this tier. Default clearance for read-side downstream consumers.
TIER 2
FORGE
WRITE
init, ingest, link (auto / manual / batch / aggressive). Required to add new evidence to a campaign. CORTEX-aggressive LLM-inferred edges enabled at this tier.
TIER 3
INJECT
MERGE
Non-destructive merge between signed bundles. Conflict resolution by newer timestamp. Append-only signature history preserved.
TIER 4
DESTROY
FORCE OVERRIDE
merge --force. Overwrites conflicting nodes and edges with the RHS bundle regardless of timestamp. Recorded in meta.merge_force=1 — no silent-override path.
Performance
Sub-200ms Query Budget at 10K Nodes
Operation | Budget | Measured
Build 10K nodes / 50K edges | < 60 s | ~5 s
reachable_from (depth 8) | < 200 ms | < 30 ms
shortest_path (50-hop) | < 200 ms | < 40 ms
filter (tool + severity) | < 1500 ms | < 30 ms
Cryptographic Integrity
Real Crypto. Zero Stubs.
Every node carries payload_hash (SHA-256 of canonical tool evidence), node_hash (SHA-256 of identity content), prev_hash (chain link to the previous node), and chain_hash (SHA-256 of prev_hash + node_hash). Genesis hash is 0x00 × 64. Exported bundles are signed with the operator's Ed25519 key (cryptography library, deterministic signing). Public key and SHA-256 fingerprint embed in the bundle. Merge refuses to consume any bundle whose signature does not verify. Tamper at any node breaks the chain at that node and every subsequent node. No blockchain. No remote storage. No simulated crypto.
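The chain described above, as an added Python sketch that is not NIGHTFALL's own code: it rebuilds the four hash fields per node, reports the first node where the chain breaks, and shows that a chain recomputed end to end still verifies internally, which is why the head hash has to be compared with the value covered by the bundle signature. Assumptions: canonical JSON is sorted-key compact UTF-8, the genesis value is 64 hex zeros, prev_hash + node_hash is hex-string concatenation, and node_hash covers payload_hash; all function names and the sample findings are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: "0x00 x 64" means 64 hex zeros

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canon(obj) -> bytes:
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def seal(identity: dict, payload: dict, prev: str) -> dict:
    """Build one node carrying the four hash fields named on the page."""
    payload_hash = h(canon(payload))
    # Assumption: identity content includes payload_hash, so the chain commits to the evidence.
    node_hash = h(canon({**identity, "payload_hash": payload_hash}))
    return {"identity": identity, "payload": payload, "payload_hash": payload_hash,
            "node_hash": node_hash, "prev_hash": prev,
            "chain_hash": h((prev + node_hash).encode())}

def build_chain(findings: list) -> list:
    nodes, prev = [], GENESIS
    for f in findings:
        nodes.append(seal(f["identity"], f["payload"], prev))
        prev = nodes[-1]["chain_hash"]
    return nodes

def verify_chain(nodes: list, trusted_head: str):
    """Return (ok, index_of_first_bad_node, reason); trusted_head is the signed head hash."""
    prev = GENESIS
    for i, n in enumerate(nodes):
        expect = seal(n["identity"], n["payload"], prev)
        for field in ("payload_hash", "node_hash", "prev_hash", "chain_hash"):
            if n[field] != expect[field]:
                return False, i, field
        prev = n["chain_hash"]
    if prev != trusted_head:  # internally consistent, but not the chain that was signed
        return False, None, "head"
    return True, None, "ok"

# Constructed sample findings (not real tool output).
SAMPLE = [
    {"identity": {"finding_id": f"F-{i}", "target": "app.example.test",
                  "severity": sev, "timestamp": f"2024-01-01T00:0{i}:00Z"},
     "payload": {"note": f"constructed evidence {i}"}}
    for i, sev in enumerate(["low", "high", "critical"])
]
```

An edit to a stored node is caught at that node's index, while a full rebuild after the edit passes every per-node check and fails only the head comparison.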