npm - @sanctuary-framework/mcp-server - Versions diffs - 0.10.2 → 0.10.4 - Mend

@sanctuary-framework/mcp-server 0.10.2 → 0.10.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.cjs CHANGED Viewed

@@ -27423,10 +27423,64 @@ var init_multi_server = __esm({
 // src/dashboard-standalone.ts
 var dashboard_standalone_exports = {};
 __export(dashboard_standalone_exports, {
+  discoverableSubTenants: () => discoverableSubTenants,
+  renderTenantDiscoveryHint: () => renderTenantDiscoveryHint,
   startStandaloneDashboard: () => startStandaloneDashboard
 });
+async function discoverableSubTenants(currentStoragePath) {
+  let all;
+  try {
+    all = await discoverTenants();
+  } catch {
+    return [];
+  }
+  return all.filter((t) => t.storage_path !== currentStoragePath && t.initialized);
+}
+function renderTenantDiscoveryHint(tenants) {
+  if (tenants.length === 0) {
+    return `No wrapped tenants discovered on this host.
+Run \`sanctuary wrap\` to create one, or set SANCTUARY_STORAGE_PATH
+if your tenant lives outside ~/.sanctuary/.`;
+  }
+  const lines = tenants.map((t) => {
+    const runtime = t.runtime ? ` (running on :${t.runtime.dashboard_port})` : "";
+    return `  \u2022 ${t.name}${runtime}
+      storage: ${t.storage_path}
+      keychain: ${t.keychain_service}`;
+  });
+  if (tenants.length === 1) {
+    return `Detected 1 wrapped tenant on this host:
+` + lines.join("\n") + `
+Boot the dashboard against it with:
+  sanctuary dashboard --tenant ${tenants[0].name}
+`;
+  }
+  return `Detected ${tenants.length} wrapped tenants on this host:
+` + lines.join("\n") + `
+Pick one explicitly:
+  sanctuary dashboard --tenant <name>
+Or browse all of them in the multi-tenant overview (no decryption):
+  sanctuary dashboard --multi
+`;
+}
 async function startStandaloneDashboard(options = {}) {
   process.env.SANCTUARY_DASHBOARD_ENABLED = "true";
+  if (options.tenant !== void 0) {
+    const match = await findTenant(options.tenant);
+    if (!match) {
+      const available = await discoverTenants();
+      const names = available.map((t) => t.name).join(", ") || "(none \u2014 run `sanctuary wrap`)";
+      throw new Error(
+        `Sanctuary Dashboard: --tenant "${options.tenant}" did not match any wrapped tenant.
+Available tenants: ${names}
+List details with \`sanctuary agents\`.`
+      );
+    }
+    process.env.SANCTUARY_STORAGE_PATH = match.storage_path;
+  }
   const config = await loadConfig(options.configPath);
   await promises.mkdir(config.storage_path, { recursive: true, mode: 448 });
   const storage = new FilesystemStorage(`${config.storage_path}/state`);
@@ -27476,12 +27530,16 @@ async function startStandaloneDashboard(options = {}) {
   } else {
     const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
     const { stringToBytes: stringToBytes2, bytesToString: bytesToString2, fromBase64url: fromBase64url2, constantTimeEqual: constantTimeEqual2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const otherTenants = await discoverableSubTenants(config.storage_path);
     const existingHash = await storage.read("_meta", "recovery-key-hash");
     if (existingHash) {
       const envRecoveryKey = process.env.SANCTUARY_RECOVERY_KEY;
       if (!envRecoveryKey) {
         throw new Error(
-          "Sanctuary Dashboard: Existing encrypted data found but no credentials provided.\nProvide SANCTUARY_PASSPHRASE or SANCTUARY_RECOVERY_KEY to start the dashboard.\nThe dashboard needs the same credentials as the MCP server to read encrypted data."
+          `Sanctuary Dashboard: Existing encrypted data found at ${config.storage_path} but no credentials provided.
+Provide SANCTUARY_PASSPHRASE or SANCTUARY_RECOVERY_KEY to start the dashboard against this storage path.
+` + (otherTenants.length > 0 ? renderTenantDiscoveryHint(otherTenants) + "\n" : "") + `See server/docs/keychain-schema.md for the keychain layout.`
         );
       }
       let recoveryKeyBytes;
@@ -27512,7 +27570,19 @@ async function startStandaloneDashboard(options = {}) {
       const hasKeyParams = existingNamespaces.some((e) => e.key === "key-params");
       if (hasKeyParams) {
         throw new Error(
-          "Sanctuary Dashboard: Existing encrypted data found (passphrase-protected).\nProvide SANCTUARY_PASSPHRASE to start the dashboard.\nThe dashboard needs the same credentials as the MCP server to read encrypted data."
+          `Sanctuary Dashboard: Existing encrypted data found at ${config.storage_path} (passphrase-protected).
+No passphrase was supplied via --passphrase, SANCTUARY_PASSPHRASE,
+or the per-tenant Keychain item ${keychainServiceFor(config.storage_path, os.homedir())}.
+` + (otherTenants.length > 0 ? renderTenantDiscoveryHint(otherTenants) + "\n" : "") + `See server/docs/keychain-schema.md for the keychain layout and recovery options.`
+        );
+      }
+      if (otherTenants.length > 0) {
+        throw new Error(
+          `Sanctuary Dashboard: ${config.storage_path} has no Sanctuary state, but other wrapped tenants exist on this host.
+Refusing to generate a new recovery key over the default root \u2014 that would obscure the existing tenants.
+` + renderTenantDiscoveryHint(otherTenants)
         );
       }
       console.error(
@@ -27602,27 +27672,26 @@ async function startStandaloneDashboard(options = {}) {
   if (loadResult.total > 0 && loadResult.loaded === 0) {
     const service = keychainServiceFor(config.storage_path, os.homedir());
     const sourceLabel = passphraseSource === "option" ? "--passphrase option" : passphraseSource === "env" ? "SANCTUARY_PASSPHRASE env var" : passphraseSource === "keychain" ? `macOS Keychain (service ${service})` : passphraseSource === "fallback-file" ? "encrypted fallback file" : "recovery key";
+    const otherTenants = await discoverableSubTenants(config.storage_path);
+    const hint = otherTenants.length > 0 ? `
+     ${renderTenantDiscoveryHint(otherTenants).split("\n").join("\n     ")}
+` : "";
     console.error(
       `
   \u26A0  WARNING: Encrypted identities found but NONE loaded
      ${loadResult.total} encrypted identity file(s) in ${config.storage_path}/state/_identities/
      0 could be decrypted with the master key derived from the ${sourceLabel}.
-     The dashboard will show empty panels. Since v0.10.0 each wrapped
-     tenant has its OWN passphrase, stored under a per-tenant Keychain
-     service name. A single SANCTUARY_PASSPHRASE unlocks at most one
-     tenant \u2014 it is not a global master credential.
-     To diagnose:
-       \u2022 List tenants on this host:       sanctuary agents
-       \u2022 Multi-tenant overview (no decrypt): sanctuary dashboard --multi
-       \u2022 Point at a specific tenant:      SANCTUARY_STORAGE_PATH=<path> sanctuary dashboard
-       \u2022 Inspect this tenant's Keychain:  security find-generic-password -s '${service}' -w
-     If this tenant's passphrase lives only in a different Keychain item
-     or on another machine, restore it before this dashboard can read
-     any state. Sanctuary will never auto-regenerate \u2014 that would
-     permanently destroy the data encrypted under the prior key.
+     The dashboard will show empty panels. Each wrapped tenant has its
+     own passphrase under its own per-tenant Keychain service
+     (this tenant's service: ${service}) \u2014 there is no global master
+     credential. Setting SANCTUARY_PASSPHRASE here will not help unless
+     that value is the passphrase that originally encrypted the
+     identity files at this storage path.
+` + hint + `
+     Diagnostic recipes: server/docs/keychain-schema.md
+     Sanctuary will never auto-regenerate \u2014 that would permanently
+     destroy the data encrypted under the prior key.
 `
     );
   } else if (loadResult.failed > 0) {
@@ -27653,6 +27722,7 @@ var init_dashboard_standalone = __esm({
     init_sovereignty_profile();
     init_runtime();
     init_passphrase();
+    init_discovery();
   }
 });
@@ -27821,6 +27891,7 @@ async function runStandaloneDashboard(args) {
   let port;
   let host;
   let multi = false;
+  let tenant;
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--passphrase" && args[i + 1]) {
       console.error(
@@ -27833,6 +27904,8 @@ async function runStandaloneDashboard(args) {
       host = args[++i];
     } else if (args[i] === "--multi") {
       multi = true;
+    } else if (args[i] === "--tenant" && args[i + 1]) {
+      tenant = args[++i];
     } else if (args[i] === "--help" || args[i] === "-h") {
       printDashboardHelp();
       process.exit(0);
@@ -27862,7 +27935,8 @@ async function runStandaloneDashboard(args) {
   await startStandaloneDashboard2({
     passphrase,
     port,
-    host
+    host,
+    ...tenant !== void 0 ? { tenant } : {}
   });
   console.error(`
 Sanctuary Dashboard running (standalone mode). Press Ctrl+C to stop.
@@ -27996,6 +28070,10 @@ Usage:
 Options:
   --port <port>        Dashboard port (default: from config or 3501; 3500 for --multi)
   --host <host>        Bind address (default: 127.0.0.1)
+  --tenant <name>      Boot against a specific wrapped tenant by the name printed
+                       by \`sanctuary agents\`. Resolves the per-tenant storage
+                       path and Keychain entry automatically. Use this on multi-
+                       tenant hosts instead of guessing SANCTUARY_PASSPHRASE.
   --multi              Start the multi-agent overview instead of a single-tenant
                        dashboard. Does not decrypt any tenant state \u2014 scans every
                        tenant on the host and deep-links into per-tenant dashboards.