@sanctuary-framework/mcp-server 0.2.0 → 0.3.1

package/dist/cli.js

@@ -2,16 +2,19 @@
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { mkdir, readFile, writeFile, stat, unlink, readdir, chmod } from 'fs/promises';
+import { mkdir, readFile, writeFile, stat, unlink, readdir, chmod, access } from 'fs/promises';
 import { join } from 'path';
 import { homedir } from 'os';
-import { randomBytes as randomBytes$1 } from 'crypto';
+import { randomBytes as randomBytes$1, createHmac } from 'crypto';
 import { gcm } from '@noble/ciphers/aes.js';
-import { ed25519 } from '@noble/curves/ed25519';
+import { RistrettoPoint, ed25519 } from '@noble/curves/ed25519';
 import { argon2id } from 'hash-wasm';
 import { hkdf } from '@noble/hashes/hkdf';
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { createServer as createServer$2 } from 'http';
+import { createServer as createServer$1 } from 'https';
+import { readFileSync } from 'fs';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -203,7 +206,7 @@ var init_hashing = __esm({
 });
 function defaultConfig() {
   return {
-    version: "0.2.0",
+    version: "0.3.0",
     storage_path: join(homedir(), ".sanctuary"),
     state: {
       encryption: "aes-256-gcm",
@@ -232,7 +235,19 @@ function defaultConfig() {
       service_endpoints: []
     },
     transport: "stdio",
-    http_port: 3500
+    http_port: 3500,
+    dashboard: {
+      enabled: false,
+      port: 3501,
+      host: "127.0.0.1"
+    },
+    webhook: {
+      enabled: false,
+      url: "",
+      secret: "",
+      callback_port: 3502,
+      callback_host: "127.0.0.1"
+    }
   };
 }
 async function loadConfig(configPath) {
@@ -246,12 +261,50 @@ async function loadConfig(configPath) {
   if (process.env.SANCTUARY_HTTP_PORT) {
     config.http_port = parseInt(process.env.SANCTUARY_HTTP_PORT, 10);
   }
+  if (process.env.SANCTUARY_DASHBOARD_ENABLED === "true") {
+    config.dashboard.enabled = true;
+  }
+  if (process.env.SANCTUARY_DASHBOARD_PORT) {
+    config.dashboard.port = parseInt(process.env.SANCTUARY_DASHBOARD_PORT, 10);
+  }
+  if (process.env.SANCTUARY_DASHBOARD_HOST) {
+    config.dashboard.host = process.env.SANCTUARY_DASHBOARD_HOST;
+  }
+  if (process.env.SANCTUARY_DASHBOARD_AUTH_TOKEN) {
+    config.dashboard.auth_token = process.env.SANCTUARY_DASHBOARD_AUTH_TOKEN;
+  }
+  if (process.env.SANCTUARY_DASHBOARD_TLS_CERT && process.env.SANCTUARY_DASHBOARD_TLS_KEY) {
+    config.dashboard.tls = {
+      cert_path: process.env.SANCTUARY_DASHBOARD_TLS_CERT,
+      key_path: process.env.SANCTUARY_DASHBOARD_TLS_KEY
+    };
+  }
+  if (process.env.SANCTUARY_WEBHOOK_ENABLED === "true") {
+    config.webhook.enabled = true;
+  }
+  if (process.env.SANCTUARY_WEBHOOK_URL) {
+    config.webhook.url = process.env.SANCTUARY_WEBHOOK_URL;
+  }
+  if (process.env.SANCTUARY_WEBHOOK_SECRET) {
+    config.webhook.secret = process.env.SANCTUARY_WEBHOOK_SECRET;
+  }
+  if (process.env.SANCTUARY_WEBHOOK_CALLBACK_PORT) {
+    config.webhook.callback_port = parseInt(process.env.SANCTUARY_WEBHOOK_CALLBACK_PORT, 10);
+  }
+  if (process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST) {
+    config.webhook.callback_host = process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST;
+  }
   const path = configPath ?? join(config.storage_path, "sanctuary.json");
   try {
     const raw = await readFile(path, "utf-8");
     const fileConfig = JSON.parse(raw);
-    return deepMerge(config, fileConfig);
-  } catch {
+    const merged = deepMerge(config, fileConfig);
+    validateConfig(merged);
+    return merged;
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("unimplemented features")) {
+      throw err;
+    }
     return config;
   }
 }
@@ -259,6 +312,33 @@ async function saveConfig(config, configPath) {
   const path = join(config.storage_path, "sanctuary.json");
   await writeFile(path, JSON.stringify(config, null, 2), { mode: 384 });
 }
+function validateConfig(config) {
+  const errors = [];
+  const implementedKeyProtection = /* @__PURE__ */ new Set(["passphrase", "none"]);
+  if (!implementedKeyProtection.has(config.state.key_protection)) {
+    errors.push(
+      `Unimplemented config value: state.key_protection = "${config.state.key_protection}". Only ${[...implementedKeyProtection].map((v) => `"${v}"`).join(", ")} are currently implemented. Using an unimplemented key protection mode would silently degrade security.`
+    );
+  }
+  const implementedEnvironment = /* @__PURE__ */ new Set(["local-process", "docker"]);
+  if (!implementedEnvironment.has(config.execution.environment)) {
+    errors.push(
+      `Unimplemented config value: execution.environment = "${config.execution.environment}". Only ${[...implementedEnvironment].map((v) => `"${v}"`).join(", ")} are currently implemented. Using an unimplemented environment would silently degrade security.`
+    );
+  }
+  const implementedProofSystem = /* @__PURE__ */ new Set(["commitment-only"]);
+  if (!implementedProofSystem.has(config.disclosure.proof_system)) {
+    errors.push(
+      `Unimplemented config value: disclosure.proof_system = "${config.disclosure.proof_system}". Only ${[...implementedProofSystem].map((v) => `"${v}"`).join(", ")} is currently implemented. Using an unimplemented proof system would silently degrade security.`
+    );
+  }
+  if (errors.length > 0) {
+    throw new Error(
+      `Sanctuary configuration references unimplemented features:
+${errors.join("\n")}`
+    );
+  }
+}
 function deepMerge(base, override) {
   const result = { ...base };
   for (const [key, value] of Object.entries(override)) {
@@ -602,7 +682,11 @@ var RESERVED_NAMESPACE_PREFIXES = [
   "_commitments",
   "_reputation",
   "_escrow",
-  "_guarantees"
+  "_guarantees",
+  "_bridge",
+  "_federation",
+  "_handshake",
+  "_shr"
 ];
 var StateStore = class {
   storage;
@@ -869,12 +953,14 @@ var StateStore = class {
   /**
    * Import a previously exported state bundle.
    */
-  async import(bundleBase64, conflictResolution = "skip") {
+  async import(bundleBase64, conflictResolution = "skip", publicKeyResolver) {
     const bundleBytes = fromBase64url(bundleBase64);
     const bundleJson = bytesToString(bundleBytes);
     const bundle = JSON.parse(bundleJson);
     let importedKeys = 0;
     let skippedKeys = 0;
+    let skippedInvalidSig = 0;
+    let skippedUnknownKid = 0;
     let conflicts = 0;
     const namespaces = [];
     for (const [ns, entries] of Object.entries(
@@ -888,6 +974,26 @@ var StateStore = class {
       }
       namespaces.push(ns);
       for (const { key, entry } of entries) {
+        const signerPublicKey = publicKeyResolver(entry.kid);
+        if (!signerPublicKey) {
+          skippedUnknownKid++;
+          skippedKeys++;
+          continue;
+        }
+        try {
+          const ciphertextBytes = fromBase64url(entry.payload.ct);
+          const signatureBytes = fromBase64url(entry.sig);
+          const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);
+          if (!sigValid) {
+            skippedInvalidSig++;
+            skippedKeys++;
+            continue;
+          }
+        } catch {
+          skippedInvalidSig++;
+          skippedKeys++;
+          continue;
+        }
         const exists = await this.storage.exists(ns, key);
         if (exists) {
           conflicts++;
@@ -923,6 +1029,8 @@ var StateStore = class {
     return {
       imported_keys: importedKeys,
       skipped_keys: skippedKeys,
+      skipped_invalid_sig: skippedInvalidSig,
+      skipped_unknown_kid: skippedUnknownKid,
       conflicts,
       namespaces,
       imported_at: (/* @__PURE__ */ new Date()).toISOString()
@@ -1011,7 +1119,7 @@ function createServer(tools, options) {
   const server = new Server(
     {
       name: "sanctuary-mcp-server",
-      version: "0.2.0"
+      version: "0.3.0"
     },
     {
       capabilities: {
@@ -1111,7 +1219,11 @@ var RESERVED_NAMESPACE_PREFIXES2 = [
   "_commitments",
   "_reputation",
   "_escrow",
-  "_guarantees"
+  "_guarantees",
+  "_bridge",
+  "_federation",
+  "_handshake",
+  "_shr"
 ];
 function getReservedNamespaceViolation(namespace) {
   for (const prefix of RESERVED_NAMESPACE_PREFIXES2) {
@@ -1448,6 +1560,13 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
         required: ["namespace", "key"]
       },
       handler: async (args) => {
+        const reservedViolation = getReservedNamespaceViolation(args.namespace);
+        if (reservedViolation) {
+          return toolResult({
+            error: "namespace_reserved",
+            message: `Namespace "${args.namespace}" is reserved for internal use (prefix: ${reservedViolation}). Cannot read from reserved namespaces.`
+          });
+        }
         const result = await stateStore.read(
           args.namespace,
           args.key,
@@ -1484,6 +1603,13 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
         required: ["namespace"]
       },
       handler: async (args) => {
+        const reservedViolation = getReservedNamespaceViolation(args.namespace);
+        if (reservedViolation) {
+          return toolResult({
+            error: "namespace_reserved",
+            message: `Namespace "${args.namespace}" is reserved for internal use (prefix: ${reservedViolation}). Cannot list reserved namespaces.`
+          });
+        }
         const result = await stateStore.list(
           args.namespace,
           args.prefix,
@@ -1562,9 +1688,15 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
         required: ["bundle"]
       },
       handler: async (args) => {
+        const publicKeyResolver = (kid) => {
+          const identity = identityMgr.get(kid);
+          if (!identity) return null;
+          return fromBase64url(identity.public_key);
+        };
         const result = await stateStore.import(
           args.bundle,
-          args.conflict_resolution ?? "skip"
+          args.conflict_resolution ?? "skip",
+          publicKeyResolver
         );
         auditLog?.append("l1", "state_import", "principal", {
           imported_keys: result.imported_keys
@@ -1885,6 +2017,267 @@ var PolicyStore = class {
     );
   }
 };
+init_encoding();
+var G = RistrettoPoint.BASE;
+var H_INPUT = concatBytes(
+  sha256(stringToBytes("sanctuary-pedersen-generator-H-v1-a")),
+  sha256(stringToBytes("sanctuary-pedersen-generator-H-v1-b"))
+);
+var H = RistrettoPoint.hashToCurve(H_INPUT);
+function bigintToBytes(n) {
+  const hex = n.toString(16).padStart(64, "0");
+  const bytes = new Uint8Array(32);
+  for (let i = 0; i < 32; i++) {
+    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+function bytesToBigint(bytes) {
+  let hex = "";
+  for (const b of bytes) {
+    hex += b.toString(16).padStart(2, "0");
+  }
+  return BigInt("0x" + hex);
+}
+var ORDER = BigInt("7237005577332262213973186563042994240857116359379907606001950938285454250989");
+function mod(n) {
+  return (n % ORDER + ORDER) % ORDER;
+}
+function safeMultiply(point, scalar) {
+  const s = mod(scalar);
+  if (s === 0n) return RistrettoPoint.ZERO;
+  return point.multiply(s);
+}
+function randomScalar() {
+  const bytes = randomBytes(64);
+  return mod(bytesToBigint(bytes));
+}
+function fiatShamirChallenge(domain, ...points) {
+  const domainBytes = stringToBytes(domain);
+  const combined = concatBytes(domainBytes, ...points);
+  const hash2 = sha256(combined);
+  return mod(bytesToBigint(hash2));
+}
+function createPedersenCommitment(value) {
+  const v = mod(BigInt(value));
+  const b = randomScalar();
+  const C = safeMultiply(G, v).add(safeMultiply(H, b));
+  return {
+    commitment: toBase64url(C.toRawBytes()),
+    blinding_factor: toBase64url(bigintToBytes(b)),
+    committed_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function verifyPedersenCommitment(commitment, value, blindingFactor) {
+  try {
+    const C = RistrettoPoint.fromHex(fromBase64url(commitment));
+    const v = mod(BigInt(value));
+    const b = bytesToBigint(fromBase64url(blindingFactor));
+    const expected = safeMultiply(G, v).add(safeMultiply(H, b));
+    return C.equals(expected);
+  } catch {
+    return false;
+  }
+}
+function createProofOfKnowledge(value, blindingFactor, commitment) {
+  const v = mod(BigInt(value));
+  const b = bytesToBigint(fromBase64url(blindingFactor));
+  const r_v = randomScalar();
+  const r_b = randomScalar();
+  const R = safeMultiply(G, r_v).add(safeMultiply(H, r_b));
+  const C_bytes = fromBase64url(commitment);
+  const R_bytes = R.toRawBytes();
+  const e = fiatShamirChallenge("sanctuary-zk-pok-v1", C_bytes, R_bytes);
+  const s_v = mod(r_v + e * v);
+  const s_b = mod(r_b + e * b);
+  return {
+    type: "schnorr-pedersen-ristretto255",
+    commitment,
+    announcement: toBase64url(R_bytes),
+    response_v: toBase64url(bigintToBytes(s_v)),
+    response_b: toBase64url(bigintToBytes(s_b)),
+    generated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function verifyProofOfKnowledge(proof) {
+  try {
+    const C = RistrettoPoint.fromHex(fromBase64url(proof.commitment));
+    const R = RistrettoPoint.fromHex(fromBase64url(proof.announcement));
+    const s_v = bytesToBigint(fromBase64url(proof.response_v));
+    const s_b = bytesToBigint(fromBase64url(proof.response_b));
+    const e = fiatShamirChallenge(
+      "sanctuary-zk-pok-v1",
+      fromBase64url(proof.commitment),
+      fromBase64url(proof.announcement)
+    );
+    const lhs = safeMultiply(G, s_v).add(safeMultiply(H, s_b));
+    const rhs = R.add(safeMultiply(C, e));
+    return lhs.equals(rhs);
+  } catch {
+    return false;
+  }
+}
+function createRangeProof(value, blindingFactor, commitment, min, max) {
+  if (value < min || value > max) {
+    return { error: `Value ${value} is not in range [${min}, ${max}]` };
+  }
+  const range = max - min;
+  const numBits = Math.ceil(Math.log2(range + 1));
+  const shifted = value - min;
+  const b = bytesToBigint(fromBase64url(blindingFactor));
+  const bits = [];
+  for (let i = 0; i < numBits; i++) {
+    bits.push(shifted >> i & 1);
+  }
+  const bitBlindings = [];
+  const bitCommitments = [];
+  const bitProofs = [];
+  for (let i = 0; i < numBits; i++) {
+    const bit_b = randomScalar();
+    bitBlindings.push(bit_b);
+    const C_i = safeMultiply(G, mod(BigInt(bits[i]))).add(safeMultiply(H, bit_b));
+    bitCommitments.push(toBase64url(C_i.toRawBytes()));
+    const bitProof = createBitProof(bits[i], bit_b, C_i);
+    bitProofs.push(bitProof);
+  }
+  const sumBlinding = bitBlindings.reduce(
+    (acc, bi, i) => mod(acc + mod(BigInt(1) << BigInt(i)) * bi),
+    0n
+  );
+  const blindingDiff = mod(b - sumBlinding);
+  const r_sum = randomScalar();
+  const R_sum = safeMultiply(H, r_sum);
+  const e_sum = fiatShamirChallenge(
+    "sanctuary-zk-range-sum-v1",
+    fromBase64url(commitment),
+    R_sum.toRawBytes()
+  );
+  const s_sum = mod(r_sum + e_sum * blindingDiff);
+  return {
+    type: "range-pedersen-ristretto255",
+    commitment,
+    min,
+    max,
+    bit_commitments: bitCommitments,
+    bit_proofs: bitProofs,
+    sum_proof: {
+      announcement: toBase64url(R_sum.toRawBytes()),
+      response: toBase64url(bigintToBytes(s_sum))
+    },
+    generated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function verifyRangeProof(proof) {
+  try {
+    const C = RistrettoPoint.fromHex(fromBase64url(proof.commitment));
+    const range = proof.max - proof.min;
+    const numBits = Math.ceil(Math.log2(range + 1));
+    if (proof.bit_commitments.length !== numBits) return false;
+    if (proof.bit_proofs.length !== numBits) return false;
+    for (let i = 0; i < numBits; i++) {
+      const C_i = RistrettoPoint.fromHex(fromBase64url(proof.bit_commitments[i]));
+      if (!verifyBitProof(proof.bit_proofs[i], C_i)) {
+        return false;
+      }
+    }
+    let reconstructed = RistrettoPoint.ZERO;
+    for (let i = 0; i < numBits; i++) {
+      const C_i = RistrettoPoint.fromHex(fromBase64url(proof.bit_commitments[i]));
+      const weight = mod(BigInt(1) << BigInt(i));
+      reconstructed = reconstructed.add(safeMultiply(C_i, weight));
+    }
+    const diff = C.subtract(safeMultiply(G, mod(BigInt(proof.min)))).subtract(reconstructed);
+    const R_sum = RistrettoPoint.fromHex(fromBase64url(proof.sum_proof.announcement));
+    const s_sum = bytesToBigint(fromBase64url(proof.sum_proof.response));
+    const e_sum = fiatShamirChallenge(
+      "sanctuary-zk-range-sum-v1",
+      fromBase64url(proof.commitment),
+      fromBase64url(proof.sum_proof.announcement)
+    );
+    const lhs = safeMultiply(H, s_sum);
+    const rhs = R_sum.add(safeMultiply(diff, e_sum));
+    return lhs.equals(rhs);
+  } catch {
+    return false;
+  }
+}
+function createBitProof(bit, blinding, commitment) {
+  const C_bytes = commitment.toRawBytes();
+  if (bit === 0) {
+    const C_minus_G = commitment.subtract(G);
+    const e_1 = randomScalar();
+    const s_1 = randomScalar();
+    const R_1 = safeMultiply(H, s_1).subtract(safeMultiply(C_minus_G, e_1));
+    const r_0 = randomScalar();
+    const R_0 = safeMultiply(H, r_0);
+    const e = fiatShamirChallenge(
+      "sanctuary-zk-bit-v1",
+      C_bytes,
+      R_0.toRawBytes(),
+      R_1.toRawBytes()
+    );
+    const e_0 = mod(e - e_1);
+    const s_0 = mod(r_0 + e_0 * blinding);
+    return {
+      announcement_0: toBase64url(R_0.toRawBytes()),
+      announcement_1: toBase64url(R_1.toRawBytes()),
+      challenge_0: toBase64url(bigintToBytes(e_0)),
+      challenge_1: toBase64url(bigintToBytes(e_1)),
+      response_0: toBase64url(bigintToBytes(s_0)),
+      response_1: toBase64url(bigintToBytes(s_1))
+    };
+  } else {
+    const e_0 = randomScalar();
+    const s_0 = randomScalar();
+    const R_0 = safeMultiply(H, s_0).subtract(safeMultiply(commitment, e_0));
+    const r_1 = randomScalar();
+    const R_1 = safeMultiply(H, r_1);
+    const e = fiatShamirChallenge(
+      "sanctuary-zk-bit-v1",
+      C_bytes,
+      R_0.toRawBytes(),
+      R_1.toRawBytes()
+    );
+    const e_1 = mod(e - e_0);
+    const s_1 = mod(r_1 + e_1 * blinding);
+    return {
+      announcement_0: toBase64url(R_0.toRawBytes()),
+      announcement_1: toBase64url(R_1.toRawBytes()),
+      challenge_0: toBase64url(bigintToBytes(e_0)),
+      challenge_1: toBase64url(bigintToBytes(e_1)),
+      response_0: toBase64url(bigintToBytes(s_0)),
+      response_1: toBase64url(bigintToBytes(s_1))
+    };
+  }
+}
+function verifyBitProof(proof, commitment) {
+  try {
+    const C_bytes = commitment.toRawBytes();
+    const R_0 = RistrettoPoint.fromHex(fromBase64url(proof.announcement_0));
+    const R_1 = RistrettoPoint.fromHex(fromBase64url(proof.announcement_1));
+    const e_0 = bytesToBigint(fromBase64url(proof.challenge_0));
+    const e_1 = bytesToBigint(fromBase64url(proof.challenge_1));
+    const s_0 = bytesToBigint(fromBase64url(proof.response_0));
+    const s_1 = bytesToBigint(fromBase64url(proof.response_1));
+    const e = fiatShamirChallenge(
+      "sanctuary-zk-bit-v1",
+      C_bytes,
+      R_0.toRawBytes(),
+      R_1.toRawBytes()
+    );
+    if (mod(e_0 + e_1) !== e) return false;
+    const lhs_0 = safeMultiply(H, s_0);
+    const rhs_0 = R_0.add(safeMultiply(commitment, e_0));
+    if (!lhs_0.equals(rhs_0)) return false;
+    const C_minus_G = commitment.subtract(G);
+    const lhs_1 = safeMultiply(H, s_1);
+    const rhs_1 = R_1.add(safeMultiply(C_minus_G, e_1));
+    if (!lhs_1.equals(rhs_1)) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
 
 // src/l3-disclosure/tools.ts
 function createL3Tools(storage, masterKey, auditLog) {
@@ -2114,6 +2507,187 @@ function createL3Tools(storage, masterKey, auditLog) {
           overall_recommendation: withholding > 0 ? `Withholding ${withholding} of ${requestedFields.length} requested fields per policy "${policy.policy_name}"` : `All ${requestedFields.length} fields may be disclosed per policy "${policy.policy_name}"`
         });
       }
+    },
+    // ─── ZK Proof Tools ───────────────────────────────────────────────────
+    {
+      name: "sanctuary/zk_commit",
+      description: "Create a Pedersen commitment to a numeric value on Ristretto255. Unlike SHA-256 commitments, Pedersen commitments support zero-knowledge proofs: you can prove properties about the committed value without revealing it.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          value: {
+            type: "number",
+            description: "The integer value to commit to"
+          }
+        },
+        required: ["value"]
+      },
+      handler: async (args) => {
+        const value = args.value;
+        if (!Number.isInteger(value)) {
+          return toolResult({ error: "Value must be an integer." });
+        }
+        const commitment = createPedersenCommitment(value);
+        auditLog.append("l3", "zk_commit", "system", {
+          commitment_hash: commitment.commitment.slice(0, 16) + "..."
+        });
+        return toolResult({
+          commitment: commitment.commitment,
+          blinding_factor: commitment.blinding_factor,
+          committed_at: commitment.committed_at,
+          proof_system: "pedersen-ristretto255",
+          note: "Store the blinding_factor securely. Use zk_prove to create proofs about this commitment."
+        });
+      }
+    },
+    {
+      name: "sanctuary/zk_prove",
+      description: "Create a zero-knowledge proof of knowledge for a Pedersen commitment. Proves you know the value and blinding factor without revealing either. Uses a Schnorr sigma protocol with Fiat-Shamir transform.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          value: {
+            type: "number",
+            description: "The committed value (integer)"
+          },
+          blinding_factor: {
+            type: "string",
+            description: "The blinding factor from zk_commit (base64url)"
+          },
+          commitment: {
+            type: "string",
+            description: "The Pedersen commitment (base64url)"
+          }
+        },
+        required: ["value", "blinding_factor", "commitment"]
+      },
+      handler: async (args) => {
+        const value = args.value;
+        const blindingFactor = args.blinding_factor;
+        const commitment = args.commitment;
+        if (!verifyPedersenCommitment(commitment, value, blindingFactor)) {
+          return toolResult({
+            error: "The provided value and blinding factor do not match the commitment."
+          });
+        }
+        const proof = createProofOfKnowledge(value, blindingFactor, commitment);
+        auditLog.append("l3", "zk_prove", "system", {
+          proof_type: proof.type,
+          commitment: commitment.slice(0, 16) + "..."
+        });
+        return toolResult({
+          proof,
+          note: "This proof demonstrates knowledge of the commitment opening without revealing the value."
+        });
+      }
+    },
+    {
+      name: "sanctuary/zk_verify",
+      description: "Verify a zero-knowledge proof of knowledge for a Pedersen commitment. Checks that the prover knows the commitment's opening without learning anything.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          proof: {
+            type: "object",
+            description: "The ZK proof object from zk_prove"
+          }
+        },
+        required: ["proof"]
+      },
+      handler: async (args) => {
+        const proof = args.proof;
+        const valid = verifyProofOfKnowledge(proof);
+        auditLog.append("l3", "zk_verify", "system", {
+          proof_type: proof.type,
+          valid
+        });
+        return toolResult({
+          valid,
+          proof_type: proof.type,
+          commitment: proof.commitment,
+          verified_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    {
+      name: "sanctuary/zk_range_prove",
+      description: "Create a zero-knowledge range proof: prove that a committed value is within [min, max] without revealing the exact value. Uses bit-decomposition with OR-proofs on Ristretto255.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          value: {
+            type: "number",
+            description: "The committed value (integer)"
+          },
+          blinding_factor: {
+            type: "string",
+            description: "The blinding factor from zk_commit (base64url)"
+          },
+          commitment: {
+            type: "string",
+            description: "The Pedersen commitment (base64url)"
+          },
+          min: {
+            type: "number",
+            description: "Minimum of the range (inclusive)"
+          },
+          max: {
+            type: "number",
+            description: "Maximum of the range (inclusive)"
+          }
+        },
+        required: ["value", "blinding_factor", "commitment", "min", "max"]
+      },
+      handler: async (args) => {
+        const value = args.value;
+        const blindingFactor = args.blinding_factor;
+        const commitment = args.commitment;
+        const min = args.min;
+        const max = args.max;
+        const proof = createRangeProof(value, blindingFactor, commitment, min, max);
+        if ("error" in proof) {
+          return toolResult({ error: proof.error });
+        }
+        auditLog.append("l3", "zk_range_prove", "system", {
+          proof_type: proof.type,
+          range: `[${min}, ${max}]`,
+          bits: proof.bit_commitments.length
+        });
+        return toolResult({
+          proof,
+          note: `This proof demonstrates the committed value is in [${min}, ${max}] without revealing it.`
+        });
+      }
+    },
+    {
+      name: "sanctuary/zk_range_verify",
+      description: "Verify a zero-knowledge range proof \u2014 confirms a committed value is within the claimed range without learning the value.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          proof: {
+            type: "object",
+            description: "The range proof object from zk_range_prove"
+          }
+        },
+        required: ["proof"]
+      },
+      handler: async (args) => {
+        const proof = args.proof;
+        const valid = verifyRangeProof(proof);
+        auditLog.append("l3", "zk_range_verify", "system", {
+          proof_type: proof.type,
+          valid,
+          range: `[${proof.min}, ${proof.max}]`
+        });
+        return toolResult({
+          valid,
+          proof_type: proof.type,
+          range: { min: proof.min, max: proof.max },
+          commitment: proof.commitment,
+          verified_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
     }
   ];
   return { tools, commitmentStore, policyStore };
@@ -2162,7 +2736,7 @@ var ReputationStore = class {
   /**
    * Record an interaction outcome as a signed attestation.
    */
-  async record(interactionId, counterpartyDid, outcome, context, identity, identityEncryptionKey, counterpartyAttestation) {
+  async record(interactionId, counterpartyDid, outcome, context, identity, identityEncryptionKey, counterpartyAttestation, sovereigntyTier) {
     const attestationId = `att-${Date.now()}-${toBase64url(randomBytes(8))}`;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const attestationData = {
@@ -2173,7 +2747,8 @@ var ReputationStore = class {
       outcome_result: outcome.result,
       metrics: outcome.metrics ?? {},
       context,
-      timestamp: now
+      timestamp: now,
+      sovereignty_tier: sovereigntyTier
     };
     const dataBytes = stringToBytes(JSON.stringify(attestationData));
     const signature = sign(
@@ -2422,6 +2997,24 @@ var ReputationStore = class {
     );
     return guarantee;
   }
+  // ─── Tier-Aware Access ───────────────────────────────────────────────
+  /**
+   * Load attestations for tier-weighted scoring.
+   * Applies basic context/counterparty filtering, returns full StoredAttestations
+   * so callers can access sovereignty_tier from attestation data.
+   */
+  async loadAllForTierScoring(options) {
+    let all = await this.loadAll();
+    if (options?.context) {
+      all = all.filter((a) => a.attestation.data.context === options.context);
+    }
+    if (options?.counterparty_did) {
+      all = all.filter(
+        (a) => a.attestation.data.counterparty_did === options.counterparty_did
+      );
+    }
+    return all;
+  }
   // ─── Internal ─────────────────────────────────────────────────────────
   async loadAll() {
     const results = [];
@@ -2445,9 +3038,70 @@ var ReputationStore = class {
 
 // src/l4-reputation/tools.ts
 init_encoding();
-function createL4Tools(storage, masterKey, identityManager, auditLog) {
+
+// src/l4-reputation/tiers.ts
+var TIER_WEIGHTS = {
+  "verified-sovereign": 1,
+  "verified-degraded": 0.8,
+  "self-attested": 0.5,
+  "unverified": 0.2
+};
+function resolveTier(counterpartyId, handshakeResults, hasSanctuaryIdentity) {
+  const handshake = handshakeResults.get(counterpartyId);
+  if (handshake && handshake.verified) {
+    const expiresAt = new Date(handshake.expires_at);
+    if (expiresAt > /* @__PURE__ */ new Date()) {
+      return {
+        sovereignty_tier: handshake.trust_tier,
+        handshake_completed_at: handshake.completed_at,
+        verified_by: handshake.counterparty_id
+      };
+    }
+  }
+  if (hasSanctuaryIdentity) {
+    return { sovereignty_tier: "self-attested" };
+  }
+  return { sovereignty_tier: "unverified" };
+}
+function trustTierToSovereigntyTier(trustTier) {
+  switch (trustTier) {
+    case "verified-sovereign":
+      return "verified-sovereign";
+    case "verified-degraded":
+      return "verified-degraded";
+    default:
+      return "unverified";
+  }
+}
+function computeWeightedScore(attestations) {
+  if (attestations.length === 0) return null;
+  let weightedSum = 0;
+  let totalWeight = 0;
+  for (const a of attestations) {
+    const weight = TIER_WEIGHTS[a.tier];
+    weightedSum += a.value * weight;
+    totalWeight += weight;
+  }
+  return totalWeight > 0 ? weightedSum / totalWeight : null;
+}
+function tierDistribution(tiers) {
+  const dist = {
+    "verified-sovereign": 0,
+    "verified-degraded": 0,
+    "self-attested": 0,
+    "unverified": 0
+  };
+  for (const tier of tiers) {
+    dist[tier]++;
+  }
+  return dist;
+}
+
+// src/l4-reputation/tools.ts
+function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeResults) {
   const reputationStore = new ReputationStore(storage, masterKey);
   const identityEncryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const hsResults = handshakeResults ?? /* @__PURE__ */ new Map();
   const tools = [
     // ─── Reputation Recording ─────────────────────────────────────────
     {
@@ -2509,26 +3163,34 @@ function createL4Tools(storage, masterKey, identityManager, auditLog) {
         }
         const outcome = args.outcome;
         const context = args.context ?? "general";
+        const counterpartyDid = args.counterparty_did;
+        const hasSanctuaryIdentity = identityManager.list().some(
+          (id) => identityManager.get(id.identity_id)?.did === counterpartyDid
+        );
+        const tierMeta = resolveTier(counterpartyDid, hsResults, hasSanctuaryIdentity);
         const stored = await reputationStore.record(
           args.interaction_id,
-          args.counterparty_did,
+          counterpartyDid,
           outcome,
           context,
           identity,
           identityEncryptionKey,
-          args.counterparty_attestation
+          args.counterparty_attestation,
+          tierMeta.sovereignty_tier
         );
         auditLog.append("l4", "reputation_record", identity.identity_id, {
           interaction_id: args.interaction_id,
           outcome_type: outcome.type,
           outcome_result: outcome.result,
-          context
+          context,
+          sovereignty_tier: tierMeta.sovereignty_tier
         });
         return toolResult({
           attestation_id: stored.attestation.attestation_id,
           interaction_id: stored.attestation.data.interaction_id,
           self_attestation: stored.attestation.signature,
           counterparty_confirmed: stored.counterparty_confirmed,
+          sovereignty_tier: tierMeta.sovereignty_tier,
           context,
           recorded_at: stored.recorded_at
         });
@@ -2576,7 +3238,9 @@ function createL4Tools(storage, masterKey, identityManager, auditLog) {
           contexts: summary.contexts
         });
         return toolResult({
-          summary
+          summary,
+          // SEC-ADD-03: Tag response as containing counterparty-generated attestation data
+          _content_trust: "external"
         });
       }
     },
@@ -2691,20 +3355,76 @@ function createL4Tools(storage, masterKey, identityManager, auditLog) {
         });
       }
     },
-    // ─── Trust Bootstrap: Escrow ──────────────────────────────────────
+    // ─── Sovereignty-Weighted Query ──────────────────────────────────
     {
-      name: "sanctuary/bootstrap_create_escrow",
-      description: "Create an escrow record for trust bootstrapping. Allows new participants with no reputation to transact safely.",
+      name: "sanctuary/reputation_query_weighted",
+      description: "Query reputation with sovereignty-weighted scoring. Attestations from verified-sovereign agents carry full weight (1.0); unverified attestations carry reduced weight (0.2). Returns both the weighted score and tier distribution.",
       inputSchema: {
         type: "object",
         properties: {
-          transaction_terms: {
+          metric: {
             type: "string",
-            description: "Description of the transaction"
+            description: "Which metric to compute the weighted score for"
           },
-          collateral_amount: {
-            type: "number",
-            description: "Optional stake/collateral amount"
+          context: {
+            type: "string",
+            description: "Filter by context/domain"
+          },
+          counterparty_did: {
+            type: "string",
+            description: "Filter by counterparty"
+          }
+        },
+        required: ["metric"]
+      },
+      handler: async (args) => {
+        const summary = await reputationStore.query({
+          context: args.context,
+          counterparty_did: args.counterparty_did
+        });
+        const allAttestations = await reputationStore.loadAllForTierScoring({
+          context: args.context,
+          counterparty_did: args.counterparty_did
+        });
+        const metric = args.metric;
+        const tieredAttestations = allAttestations.filter((a) => a.attestation.data.metrics[metric] !== void 0).map((a) => ({
+          value: a.attestation.data.metrics[metric],
+          tier: a.attestation.data.sovereignty_tier ?? "unverified"
+        }));
+        const weightedScore = computeWeightedScore(tieredAttestations);
+        const tiers = allAttestations.map(
+          (a) => a.attestation.data.sovereignty_tier ?? "unverified"
+        );
+        const dist = tierDistribution(tiers);
+        auditLog.append("l4", "reputation_query_weighted", "system", {
+          metric,
+          attestation_count: tieredAttestations.length,
+          weighted_score: weightedScore
+        });
+        return toolResult({
+          metric,
+          weighted_score: weightedScore,
+          attestation_count: tieredAttestations.length,
+          tier_distribution: dist,
+          tier_weights: TIER_WEIGHTS,
+          unweighted_summary: summary
+        });
+      }
+    },
+    // ─── Trust Bootstrap: Escrow ──────────────────────────────────────
+    {
+      name: "sanctuary/bootstrap_create_escrow",
+      description: "Create an escrow record for trust bootstrapping. Allows new participants with no reputation to transact safely.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          transaction_terms: {
+            type: "string",
+            description: "Description of the transaction"
+          },
+          collateral_amount: {
+            type: "number",
+            description: "Optional stake/collateral amount"
           },
           counterparty_did: {
             type: "string",
@@ -2841,14 +3561,16 @@ var DEFAULT_TIER2 = {
 };
 var DEFAULT_CHANNEL = {
   type: "stderr",
-  timeout_seconds: 300,
-  auto_deny: true
+  timeout_seconds: 300
+  // SEC-002: auto_deny is not configurable. Timeout always denies.
+  // Field omitted intentionally — all channels hardcode deny on timeout.
 };
 var DEFAULT_POLICY = {
   version: 1,
   tier1_always_approve: [
     "state_export",
     "state_import",
+    "state_delete",
     "identity_rotate",
     "reputation_import",
     "bootstrap_provide_guarantee"
@@ -2858,7 +3580,6 @@ var DEFAULT_POLICY = {
     "state_read",
     "state_write",
     "state_list",
-    "state_delete",
     "identity_create",
     "identity_list",
     "identity_sign",
@@ -2876,7 +3597,22 @@ var DEFAULT_POLICY = {
     "monitor_audit_log",
     "manifest",
     "principal_policy_view",
-    "principal_baseline_view"
+    "principal_baseline_view",
+    "shr_generate",
+    "shr_verify",
+    "handshake_initiate",
+    "handshake_respond",
+    "handshake_complete",
+    "handshake_status",
+    "reputation_query_weighted",
+    "federation_peers",
+    "federation_trust_evaluate",
+    "federation_status",
+    "zk_commit",
+    "zk_prove",
+    "zk_verify",
+    "zk_range_prove",
+    "zk_range_verify"
   ],
   approval_channel: DEFAULT_CHANNEL
 };
@@ -2951,10 +3687,14 @@ function validatePolicy(raw) {
       ...raw.tier2_anomaly ?? {}
     },
     tier3_always_allow: raw.tier3_always_allow ?? DEFAULT_POLICY.tier3_always_allow,
-    approval_channel: {
-      ...DEFAULT_CHANNEL,
-      ...raw.approval_channel ?? {}
-    }
+    approval_channel: (() => {
+      const merged = {
+        ...DEFAULT_CHANNEL,
+        ...raw.approval_channel ?? {}
+      };
+      delete merged.auto_deny;
+      return merged;
+    })()
   };
 }
 function generateDefaultPolicyYaml() {
@@ -2971,6 +3711,7 @@ version: 1
 tier1_always_approve:
   - state_export
   - state_import
+  - state_delete
   - identity_rotate
   - reputation_import
   - bootstrap_provide_guarantee
@@ -2992,7 +3733,6 @@ tier3_always_allow:
   - state_read
   - state_write
   - state_list
-  - state_delete
   - identity_create
   - identity_list
   - identity_sign
@@ -3011,13 +3751,28 @@ tier3_always_allow:
   - manifest
   - principal_policy_view
   - principal_baseline_view
+  - shr_generate
+  - shr_verify
+  - handshake_initiate
+  - handshake_respond
+  - handshake_complete
+  - handshake_status
+  - reputation_query_weighted
+  - federation_peers
+  - federation_trust_evaluate
+  - federation_status
+  - zk_commit
+  - zk_prove
+  - zk_verify
+  - zk_range_prove
+  - zk_range_verify
 
 # \u2500\u2500\u2500 Approval Channel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 # How Sanctuary reaches you when approval is needed.
+# NOTE: Timeout always results in denial. This is not configurable (SEC-002).
 approval_channel:
   type: stderr
   timeout_seconds: 300
-  auto_deny: true
 `;
 }
 async function loadPrincipalPolicy(storagePath) {
@@ -3194,27 +3949,16 @@ var BaselineTracker = class {
 
 // src/principal-policy/approval-channel.ts
 var StderrApprovalChannel = class {
-  config;
-  constructor(config) {
-    this.config = config;
+  constructor(_config) {
   }
   async requestApproval(request) {
     const prompt = this.formatPrompt(request);
     process.stderr.write(prompt + "\n");
-    await new Promise((resolve) => setTimeout(resolve, 100));
-    if (this.config.auto_deny) {
-      return {
-        decision: "deny",
-        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
-        decided_by: "timeout"
-      };
-    } else {
-      return {
-        decision: "approve",
-        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
-        decided_by: "auto"
-      };
-    }
+    return {
+      decision: "deny",
+      decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+      decided_by: "stderr:non-interactive"
+    };
   }
   formatPrompt(request) {
     const tierLabel = request.tier === 1 ? "Tier 1 \u2014 always requires approval" : "Tier 2 \u2014 behavioral anomaly detected";
@@ -3222,7 +3966,7 @@ var StderrApprovalChannel = class {
     return [
       "",
       "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557",
-      "\u2551  SANCTUARY: Approval Required                                    \u2551",
+      "\u2551  SANCTUARY: Operation Denied (non-interactive channel)           \u2551",
       "\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563",
       `\u2551  Operation:  ${request.operation.padEnd(50)}\u2551`,
       `\u2551  ${tierLabel.padEnd(62)}\u2551`,
@@ -3233,113 +3977,1391 @@ var StderrApprovalChannel = class {
         (line) => `\u2551    ${line.padEnd(60)}\u2551`
       ),
       "\u2551                                                                  \u2551",
-      this.config.auto_deny ? "\u2551  Auto-denying (configure approval_channel.auto_deny to change)  \u2551" : "\u2551  Auto-approving (informational mode)                            \u2551",
+      "\u2551  Denied: stderr channel cannot accept input (SEC-016)            \u2551",
+      "\u2551  Use dashboard or webhook channel for interactive approval.      \u2551",
       "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D",
       ""
     ].join("\n");
   }
 };
 
-// src/principal-policy/gate.ts
-var ApprovalGate = class {
-  policy;
-  baseline;
-  channel;
-  auditLog;
-  constructor(policy, baseline, channel, auditLog) {
-    this.policy = policy;
-    this.baseline = baseline;
-    this.channel = channel;
-    this.auditLog = auditLog;
+// src/principal-policy/dashboard-html.ts
+function generateDashboardHTML(options) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Sanctuary \u2014 Principal Dashboard</title>
+<style>
+  :root {
+    --bg: #0f1117;
+    --bg-surface: #1a1d27;
+    --bg-elevated: #242736;
+    --border: #2e3244;
+    --text: #e4e6f0;
+    --text-muted: #8b8fa3;
+    --accent: #6c8aff;
+    --accent-hover: #839dff;
+    --approve: #3ecf8e;
+    --approve-hover: #5dd9a3;
+    --deny: #f87171;
+    --deny-hover: #fca5a5;
+    --warning: #fbbf24;
+    --tier1: #f87171;
+    --tier2: #fbbf24;
+    --tier3: #3ecf8e;
+    --font: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    --mono: "SF Mono", "Fira Code", "Cascadia Code", monospace;
+    --radius: 8px;
+  }
+
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body {
+    font-family: var(--font);
+    background: var(--bg);
+    color: var(--text);
+    line-height: 1.5;
+    min-height: 100vh;
+  }
+
+  /* Layout */
+  .container { max-width: 960px; margin: 0 auto; padding: 24px 16px; }
+
+  header {
+    display: flex; align-items: center; justify-content: space-between;
+    padding-bottom: 20px; border-bottom: 1px solid var(--border);
+    margin-bottom: 24px;
+  }
+  header h1 { font-size: 20px; font-weight: 600; letter-spacing: -0.3px; }
+  header h1 span { color: var(--accent); }
+  .status-badge {
+    display: inline-flex; align-items: center; gap: 6px;
+    font-size: 12px; color: var(--text-muted);
+    padding: 4px 10px; border-radius: 12px;
+    background: var(--bg-surface); border: 1px solid var(--border);
+  }
+  .status-dot {
+    width: 8px; height: 8px; border-radius: 50%;
+    background: var(--approve); animation: pulse 2s infinite;
+  }
+  .status-dot.disconnected { background: var(--deny); animation: none; }
+  @keyframes pulse { 0%, 100% { opacity: 1; } 50% { opacity: 0.5; } }
+
+  /* Tabs */
+  .tabs {
+    display: flex; gap: 2px; margin-bottom: 20px;
+    background: var(--bg-surface); border-radius: var(--radius);
+    padding: 3px; border: 1px solid var(--border);
+  }
+  .tab {
+    flex: 1; padding: 8px 12px; text-align: center;
+    font-size: 13px; font-weight: 500; cursor: pointer;
+    border-radius: 6px; border: none; color: var(--text-muted);
+    background: transparent; transition: all 0.15s;
+  }
+  .tab:hover { color: var(--text); }
+  .tab.active { background: var(--bg-elevated); color: var(--text); }
+  .tab .count {
+    display: inline-flex; align-items: center; justify-content: center;
+    min-width: 18px; height: 18px; padding: 0 5px;
+    font-size: 11px; font-weight: 600; border-radius: 9px;
+    margin-left: 6px;
+  }
+  .tab .count.alert { background: var(--deny); color: white; }
+  .tab .count.muted { background: var(--border); color: var(--text-muted); }
+
+  /* Tab Content */
+  .tab-content { display: none; }
+  .tab-content.active { display: block; }
+
+  /* Pending Requests */
+  .pending-empty {
+    text-align: center; padding: 60px 20px; color: var(--text-muted);
+  }
+  .pending-empty .icon { font-size: 32px; margin-bottom: 12px; }
+  .pending-empty p { font-size: 14px; }
+
+  .request-card {
+    background: var(--bg-surface); border: 1px solid var(--border);
+    border-radius: var(--radius); padding: 16px; margin-bottom: 12px;
+    animation: slideIn 0.2s ease-out;
+  }
+  @keyframes slideIn { from { opacity: 0; transform: translateY(-8px); } to { opacity: 1; transform: translateY(0); } }
+  .request-card.tier1 { border-left: 3px solid var(--tier1); }
+  .request-card.tier2 { border-left: 3px solid var(--tier2); }
+  .request-header {
+    display: flex; align-items: center; justify-content: space-between;
+    margin-bottom: 10px;
+  }
+  .request-op {
+    font-family: var(--mono); font-size: 14px; font-weight: 600;
+  }
+  .tier-badge {
+    font-size: 11px; font-weight: 600; padding: 2px 8px;
+    border-radius: 4px; text-transform: uppercase;
+  }
+  .tier-badge.tier1 { background: rgba(248,113,113,0.15); color: var(--tier1); }
+  .tier-badge.tier2 { background: rgba(251,191,36,0.15); color: var(--tier2); }
+  .request-reason {
+    font-size: 13px; color: var(--text-muted); margin-bottom: 12px;
+  }
+  .request-context {
+    font-family: var(--mono); font-size: 12px; color: var(--text-muted);
+    background: var(--bg); border-radius: 4px; padding: 8px 10px;
+    margin-bottom: 14px; white-space: pre-wrap; word-break: break-all;
+    max-height: 120px; overflow-y: auto;
+  }
+  .request-actions {
+    display: flex; align-items: center; gap: 10px;
+  }
+  .btn {
+    padding: 7px 16px; border-radius: 6px; font-size: 13px;
+    font-weight: 600; border: none; cursor: pointer;
+    transition: all 0.15s;
+  }
+  .btn-approve { background: var(--approve); color: #0f1117; }
+  .btn-approve:hover { background: var(--approve-hover); }
+  .btn-deny { background: var(--deny); color: white; }
+  .btn-deny:hover { background: var(--deny-hover); }
+  .countdown {
+    margin-left: auto; font-size: 12px; color: var(--text-muted);
+    font-family: var(--mono);
+  }
+  .countdown.urgent { color: var(--deny); font-weight: 600; }
+
+  /* Audit Log */
+  .audit-table { width: 100%; border-collapse: collapse; }
+  .audit-table th {
+    text-align: left; font-size: 11px; font-weight: 600;
+    text-transform: uppercase; letter-spacing: 0.5px;
+    color: var(--text-muted); padding: 8px 10px;
+    border-bottom: 1px solid var(--border);
+  }
+  .audit-table td {
+    font-size: 13px; padding: 8px 10px;
+    border-bottom: 1px solid var(--border);
+  }
+  .audit-table tr { transition: background 0.1s; }
+  .audit-table tr:hover { background: var(--bg-elevated); }
+  .audit-table tr.new { animation: highlight 1s ease-out; }
+  @keyframes highlight { from { background: rgba(108,138,255,0.15); } to { background: transparent; } }
+  .audit-time { font-family: var(--mono); font-size: 12px; color: var(--text-muted); }
+  .audit-op { font-family: var(--mono); font-size: 12px; }
+  .audit-layer {
+    font-size: 11px; font-weight: 600; padding: 1px 6px;
+    border-radius: 3px; text-transform: uppercase;
+  }
+  .audit-layer.l1 { background: rgba(108,138,255,0.15); color: var(--accent); }
+  .audit-layer.l2 { background: rgba(251,191,36,0.15); color: var(--tier2); }
+  .audit-layer.l3 { background: rgba(62,207,142,0.15); color: var(--tier3); }
+  .audit-layer.l4 { background: rgba(168,85,247,0.15); color: #a855f7; }
+
+  /* Baseline & Policy */
+  .info-section {
+    background: var(--bg-surface); border: 1px solid var(--border);
+    border-radius: var(--radius); padding: 16px; margin-bottom: 16px;
+  }
+  .info-section h3 {
+    font-size: 13px; font-weight: 600; text-transform: uppercase;
+    letter-spacing: 0.5px; color: var(--text-muted); margin-bottom: 12px;
+  }
+  .info-row {
+    display: flex; justify-content: space-between; align-items: center;
+    padding: 6px 0; font-size: 13px;
+  }
+  .info-label { color: var(--text-muted); }
+  .info-value { font-family: var(--mono); font-size: 12px; }
+  .tag-list { display: flex; flex-wrap: wrap; gap: 4px; }
+  .tag {
+    font-family: var(--mono); font-size: 11px; padding: 2px 8px;
+    background: var(--bg-elevated); border-radius: 4px;
+    color: var(--text-muted); border: 1px solid var(--border);
+  }
+  .policy-op {
+    font-family: var(--mono); font-size: 12px; padding: 3px 0;
+  }
+
+  /* Footer */
+  footer {
+    margin-top: 32px; padding-top: 16px;
+    border-top: 1px solid var(--border);
+    font-size: 12px; color: var(--text-muted);
+    text-align: center;
+  }
+</style>
+</head>
+<body>
+<div class="container">
+  <header>
+    <h1><span>Sanctuary</span> Principal Dashboard</h1>
+    <div class="status-badge">
+      <div class="status-dot" id="statusDot"></div>
+      <span id="statusText">Connected</span>
+    </div>
+  </header>
+
+  <div class="tabs">
+    <button class="tab active" data-tab="pending">
+      Pending<span class="count muted" id="pendingCount">0</span>
+    </button>
+    <button class="tab" data-tab="audit">
+      Audit Log<span class="count muted" id="auditCount">0</span>
+    </button>
+    <button class="tab" data-tab="baseline">Baseline</button>
+    <button class="tab" data-tab="policy">Policy</button>
+  </div>
+
+  <!-- Pending Approvals -->
+  <div class="tab-content active" id="tab-pending">
+    <div class="pending-empty" id="pendingEmpty">
+      <div class="icon">&#x2714;</div>
+      <p>No pending approval requests.</p>
+      <p style="font-size:12px; margin-top:4px;">Requests will appear here in real time.</p>
+    </div>
+    <div id="pendingList"></div>
+  </div>
+
+  <!-- Audit Log -->
+  <div class="tab-content" id="tab-audit">
+    <table class="audit-table">
+      <thead>
+        <tr><th>Time</th><th>Layer</th><th>Operation</th><th>Identity</th></tr>
+      </thead>
+      <tbody id="auditBody"></tbody>
+    </table>
+  </div>
+
+  <!-- Baseline -->
+  <div class="tab-content" id="tab-baseline">
+    <div class="info-section">
+      <h3>Session Info</h3>
+      <div class="info-row"><span class="info-label">First session</span><span class="info-value" id="bFirstSession">\u2014</span></div>
+      <div class="info-row"><span class="info-label">Started</span><span class="info-value" id="bStarted">\u2014</span></div>
+    </div>
+    <div class="info-section">
+      <h3>Known Namespaces</h3>
+      <div class="tag-list" id="bNamespaces"><span class="tag">\u2014</span></div>
+    </div>
+    <div class="info-section">
+      <h3>Known Counterparties</h3>
+      <div class="tag-list" id="bCounterparties"><span class="tag">\u2014</span></div>
+    </div>
+    <div class="info-section">
+      <h3>Tool Call Counts</h3>
+      <div id="bToolCalls"><span class="info-value">\u2014</span></div>
+    </div>
+  </div>
+
+  <!-- Policy -->
+  <div class="tab-content" id="tab-policy">
+    <div class="info-section">
+      <h3>Tier 1 \u2014 Always Requires Approval</h3>
+      <div id="pTier1"></div>
+    </div>
+    <div class="info-section">
+      <h3>Tier 2 \u2014 Anomaly Detection</h3>
+      <div id="pTier2"></div>
+    </div>
+    <div class="info-section">
+      <h3>Tier 3 \u2014 Always Allowed</h3>
+      <div class="info-row">
+        <span class="info-label">Operations</span>
+        <span class="info-value" id="pTier3Count">\u2014</span>
+      </div>
+    </div>
+    <div class="info-section">
+      <h3>Approval Channel</h3>
+      <div id="pChannel"></div>
+    </div>
+  </div>
+
+  <footer>Sanctuary Framework v${options.serverVersion} \u2014 Principal Dashboard</footer>
+</div>
+
+<script>
+(function() {
+  const TIMEOUT = ${options.timeoutSeconds};
+  // SEC-012: Auth token is passed via Authorization header only \u2014 never in URLs.
+  // The token is provided by the server at generation time (embedded for initial auth).
+  const AUTH_TOKEN = ${options.authToken ? JSON.stringify(options.authToken) : "null"};
+  let SESSION_ID = null; // Short-lived session for SSE and URL-based requests
+  const pending = new Map();
+  let auditCount = 0;
+
+  // Auth helpers \u2014 SEC-012: token goes in header, session goes in URL
+  function authHeaders() {
+    const h = { 'Content-Type': 'application/json' };
+    if (AUTH_TOKEN) h['Authorization'] = 'Bearer ' + AUTH_TOKEN;
+    return h;
+  }
+  function sessionQuery(url) {
+    if (!SESSION_ID) return url;
+    const sep = url.includes('?') ? '&' : '?';
+    return url + sep + 'session=' + SESSION_ID;
+  }
+
+  // SEC-012: Exchange the long-lived token for a short-lived session
+  async function exchangeSession() {
+    if (!AUTH_TOKEN) return;
+    try {
+      const resp = await fetch('/auth/session', { method: 'POST', headers: authHeaders() });
+      if (resp.ok) {
+        const data = await resp.json();
+        SESSION_ID = data.session_id;
+        // Refresh session before expiry (at 80% of TTL)
+        const refreshMs = (data.expires_in_seconds || 300) * 800;
+        setTimeout(async () => { await exchangeSession(); reconnectSSE(); }, refreshMs);
+      }
+    } catch(e) { /* will retry on next connect */ }
+  }
+
+  // Tab switching
+  document.querySelectorAll('.tab').forEach(tab => {
+    tab.addEventListener('click', () => {
+      document.querySelectorAll('.tab').forEach(t => t.classList.remove('active'));
+      document.querySelectorAll('.tab-content').forEach(c => c.classList.remove('active'));
+      tab.classList.add('active');
+      document.getElementById('tab-' + tab.dataset.tab).classList.add('active');
+    });
+  });
+
+  // SSE Connection \u2014 SEC-012: uses short-lived session token in URL, not auth token
+  let evtSource;
+  function reconnectSSE() {
+    if (evtSource) { evtSource.close(); }
+    connect();
+  }
+  function connect() {
+    evtSource = new EventSource(sessionQuery('/events'));
+    evtSource.onopen = () => {
+      document.getElementById('statusDot').classList.remove('disconnected');
+      document.getElementById('statusText').textContent = 'Connected';
+    };
+    evtSource.onerror = () => {
+      document.getElementById('statusDot').classList.add('disconnected');
+      document.getElementById('statusText').textContent = 'Reconnecting...';
+    };
+    evtSource.addEventListener('pending-request', (e) => {
+      const data = JSON.parse(e.data);
+      addPendingRequest(data);
+    });
+    evtSource.addEventListener('request-resolved', (e) => {
+      const data = JSON.parse(e.data);
+      removePendingRequest(data.request_id);
+    });
+    evtSource.addEventListener('audit-entry', (e) => {
+      const data = JSON.parse(e.data);
+      addAuditEntry(data);
+    });
+    evtSource.addEventListener('baseline-update', (e) => {
+      const data = JSON.parse(e.data);
+      updateBaseline(data);
+    });
+    evtSource.addEventListener('policy-update', (e) => {
+      const data = JSON.parse(e.data);
+      updatePolicy(data);
+    });
+    evtSource.addEventListener('init', (e) => {
+      const data = JSON.parse(e.data);
+      if (data.baseline) updateBaseline(data.baseline);
+      if (data.policy) updatePolicy(data.policy);
+      if (data.pending) data.pending.forEach(addPendingRequest);
+      if (data.audit) data.audit.forEach(addAuditEntry);
+    });
+  }
+
+  // Pending requests
+  function addPendingRequest(req) {
+    pending.set(req.request_id, { ...req, remaining: TIMEOUT });
+    renderPending();
+    updatePendingCount();
+    flashTab('pending');
+  }
+
+  function removePendingRequest(id) {
+    pending.delete(id);
+    renderPending();
+    updatePendingCount();
+  }
+
+  function renderPending() {
+    const list = document.getElementById('pendingList');
+    const empty = document.getElementById('pendingEmpty');
+    if (pending.size === 0) {
+      list.innerHTML = '';
+      empty.style.display = 'block';
+      return;
+    }
+    empty.style.display = 'none';
+    list.innerHTML = '';
+    for (const [id, req] of pending) {
+      const card = document.createElement('div');
+      card.className = 'request-card tier' + req.tier;
+      card.id = 'req-' + id;
+      const ctx = typeof req.context === 'string' ? req.context : JSON.stringify(req.context, null, 2);
+      card.innerHTML =
+        '<div class="request-header">' +
+          '<span class="request-op">' + esc(req.operation) + '</span>' +
+          '<span class="tier-badge tier' + req.tier + '">Tier ' + req.tier + '</span>' +
+        '</div>' +
+        '<div class="request-reason">' + esc(req.reason) + '</div>' +
+        '<div class="request-context">' + esc(ctx) + '</div>' +
+        '<div class="request-actions">' +
+          '<button class="btn btn-approve" onclick="handleApprove(\\'' + id + '\\')">Approve</button>' +
+          '<button class="btn btn-deny" onclick="handleDeny(\\'' + id + '\\')">Deny</button>' +
+          '<span class="countdown" id="cd-' + id + '">' + req.remaining + 's</span>' +
+        '</div>';
+      list.appendChild(card);
+    }
+  }
+
+  function updatePendingCount() {
+    const el = document.getElementById('pendingCount');
+    el.textContent = pending.size;
+    el.className = pending.size > 0 ? 'count alert' : 'count muted';
+  }
+
+  function flashTab(name) {
+    const tab = document.querySelector('[data-tab="' + name + '"]');
+    if (!tab.classList.contains('active')) {
+      tab.style.background = 'rgba(248,113,113,0.15)';
+      setTimeout(() => { tab.style.background = ''; }, 1500);
+    }
+  }
+
+  // Countdown timer
+  setInterval(() => {
+    for (const [id, req] of pending) {
+      req.remaining = Math.max(0, req.remaining - 1);
+      const el = document.getElementById('cd-' + id);
+      if (el) {
+        el.textContent = req.remaining + 's';
+        el.className = req.remaining <= 30 ? 'countdown urgent' : 'countdown';
+      }
+    }
+  }, 1000);
+
+  // Approve / Deny handlers (global scope)
+  window.handleApprove = function(id) {
+    fetch('/api/approve/' + id, { method: 'POST', headers: authHeaders() }).then(() => {
+      removePendingRequest(id);
+    });
+  };
+  window.handleDeny = function(id) {
+    fetch('/api/deny/' + id, { method: 'POST', headers: authHeaders() }).then(() => {
+      removePendingRequest(id);
+    });
+  };
+
+  // Audit log
+  function addAuditEntry(entry) {
+    auditCount++;
+    document.getElementById('auditCount').textContent = auditCount;
+    const tbody = document.getElementById('auditBody');
+    const tr = document.createElement('tr');
+    tr.className = 'new';
+    const time = entry.timestamp ? new Date(entry.timestamp).toLocaleTimeString() : '\u2014';
+    const layer = entry.layer || '\u2014';
+    tr.innerHTML =
+      '<td class="audit-time">' + esc(time) + '</td>' +
+      '<td><span class="audit-layer ' + layer + '">' + esc(layer) + '</span></td>' +
+      '<td class="audit-op">' + esc(entry.operation || '\u2014') + '</td>' +
+      '<td style="font-size:12px;color:var(--text-muted)">' + esc(entry.identity_id || '\u2014') + '</td>';
+    tbody.insertBefore(tr, tbody.firstChild);
+    // Keep last 100 entries
+    while (tbody.children.length > 100) tbody.removeChild(tbody.lastChild);
+  }
+
+  // Baseline
+  function updateBaseline(b) {
+    if (!b) return;
+    document.getElementById('bFirstSession').textContent = b.is_first_session ? 'Yes' : 'No';
+    document.getElementById('bStarted').textContent = b.started_at ? new Date(b.started_at).toLocaleString() : '\u2014';
+    const ns = document.getElementById('bNamespaces');
+    ns.innerHTML = (b.known_namespaces || []).length > 0
+      ? (b.known_namespaces || []).map(n => '<span class="tag">' + esc(n) + '</span>').join('')
+      : '<span class="tag">none</span>';
+    const cp = document.getElementById('bCounterparties');
+    cp.innerHTML = (b.known_counterparties || []).length > 0
+      ? (b.known_counterparties || []).map(c => '<span class="tag">' + esc(c.slice(0,16)) + '...</span>').join('')
+      : '<span class="tag">none</span>';
+    const tc = document.getElementById('bToolCalls');
+    const counts = b.tool_call_counts || {};
+    const entries = Object.entries(counts).sort((a,b) => b[1] - a[1]);
+    tc.innerHTML = entries.length > 0
+      ? entries.map(([k,v]) => '<div class="info-row"><span class="info-label">' + esc(k) + '</span><span class="info-value">' + v + '</span></div>').join('')
+      : '<span class="info-value">no calls yet</span>';
+  }
+
+  // Policy
+  function updatePolicy(p) {
+    if (!p) return;
+    const t1 = document.getElementById('pTier1');
+    t1.innerHTML = (p.tier1_always_approve || []).map(op =>
+      '<div class="policy-op">' + esc(op) + '</div>'
+    ).join('');
+    const t2 = document.getElementById('pTier2');
+    const cfg = p.tier2_anomaly || {};
+    t2.innerHTML = Object.entries(cfg).map(([k,v]) =>
+      '<div class="info-row"><span class="info-label">' + esc(k) + '</span><span class="info-value">' + esc(String(v)) + '</span></div>'
+    ).join('');
+    document.getElementById('pTier3Count').textContent = (p.tier3_always_allow || []).length + ' operations';
+    const ch = document.getElementById('pChannel');
+    const chan = p.approval_channel || {};
+    ch.innerHTML = Object.entries(chan).filter(([k]) => k !== 'webhook_secret').map(([k,v]) =>
+      '<div class="info-row"><span class="info-label">' + esc(k) + '</span><span class="info-value">' + esc(String(v)) + '</span></div>'
+    ).join('');
+  }
+
+  function esc(s) {
+    if (!s) return '';
+    const d = document.createElement('div');
+    d.textContent = String(s);
+    return d.innerHTML;
+  }
+
+  // Init \u2014 SEC-012: exchange token for session before connecting SSE
+  (async function init() {
+    await exchangeSession();
+    // Clean token from URL if present (legacy bookmarks)
+    if (window.location.search.includes('token=')) {
+      const clean = window.location.pathname;
+      window.history.replaceState({}, '', clean);
+    }
+    connect();
+    fetch('/api/status', { headers: authHeaders() }).then(r => r.json()).then(data => {
+      if (data.baseline) updateBaseline(data.baseline);
+      if (data.policy) updatePolicy(data.policy);
+    }).catch(() => {});
+  })();
+})();
+</script>
+</body>
+</html>`;
+}
+
+// src/principal-policy/dashboard.ts
+var SESSION_TTL_MS = 5 * 60 * 1e3;
+var MAX_SESSIONS = 1e3;
+var DashboardApprovalChannel = class {
+  config;
+  pending = /* @__PURE__ */ new Map();
+  sseClients = /* @__PURE__ */ new Set();
+  httpServer = null;
+  policy = null;
+  baseline = null;
+  auditLog = null;
+  dashboardHTML;
+  authToken;
+  useTLS;
+  /** SEC-012: Short-lived session store. Sessions replace URL query tokens. */
+  sessions = /* @__PURE__ */ new Map();
+  sessionCleanupTimer = null;
+  constructor(config) {
+    this.config = config;
+    this.authToken = config.auth_token;
+    this.useTLS = !!(config.tls?.cert_path && config.tls?.key_path);
+    this.dashboardHTML = generateDashboardHTML({
+      timeoutSeconds: config.timeout_seconds,
+      serverVersion: "0.3.0",
+      authToken: this.authToken
+    });
+    this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
   }
   /**
-   * Evaluate a tool call against the Principal Policy.
-   *
-   * @param toolName - Full MCP tool name (e.g., "sanctuary/state_export")
-   * @param args - Tool call arguments (for context extraction)
-   * @returns GateResult indicating whether the call is allowed
+   * Inject dependencies after construction.
+   * Called from index.ts after all components are initialized.
    */
-  async evaluate(toolName, args) {
-    const operation = extractOperationName(toolName);
-    this.baseline.recordToolCall(operation);
-    if (this.policy.tier1_always_approve.includes(operation)) {
-      return this.requestApproval(operation, 1, `"${operation}" is a Tier 1 operation (always requires approval)`, {
-        operation,
-        args_summary: this.summarizeArgs(args)
+  setDependencies(deps) {
+    this.policy = deps.policy;
+    this.baseline = deps.baseline;
+    this.auditLog = deps.auditLog;
+  }
+  /**
+   * Start the HTTP(S) server for the dashboard.
+   */
+  async start() {
+    return new Promise((resolve, reject) => {
+      const handler = (req, res) => this.handleRequest(req, res);
+      if (this.useTLS && this.config.tls) {
+        const tlsOpts = {
+          cert: readFileSync(this.config.tls.cert_path),
+          key: readFileSync(this.config.tls.key_path)
+        };
+        this.httpServer = createServer$1(tlsOpts, handler);
+      } else {
+        this.httpServer = createServer$2(handler);
+      }
+      const protocol = this.useTLS ? "https" : "http";
+      const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
+      this.httpServer.listen(this.config.port, this.config.host, () => {
+        if (this.authToken) {
+          const hint = this.authToken.slice(0, 4) + "..." + this.authToken.slice(-4);
+          process.stderr.write(
+            `
+  Sanctuary Principal Dashboard: ${baseUrl}
+`
+          );
+          process.stderr.write(
+            `  Auth required (token: ${hint}). Use Authorization: Bearer <TOKEN> header.
+
+`
+          );
+        } else {
+          process.stderr.write(
+            `
+  Sanctuary Principal Dashboard: ${baseUrl}
+
+`
+          );
+        }
+        resolve();
+      });
+      this.httpServer.on("error", reject);
+    });
+  }
+  /**
+   * Stop the HTTP server and clean up.
+   */
+  async stop() {
+    for (const [, pending] of this.pending) {
+      clearTimeout(pending.timer);
+      pending.resolve({
+        decision: "deny",
+        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+        decided_by: "auto"
       });
     }
-    const anomaly = this.detectAnomaly(operation, args);
-    if (anomaly) {
-      return this.requestApproval(operation, 2, anomaly.reason, anomaly.context);
+    this.pending.clear();
+    for (const client of this.sseClients) {
+      client.end();
+    }
+    this.sseClients.clear();
+    this.sessions.clear();
+    if (this.sessionCleanupTimer) {
+      clearInterval(this.sessionCleanupTimer);
+      this.sessionCleanupTimer = null;
+    }
+    if (this.httpServer) {
+      return new Promise((resolve) => {
+        this.httpServer.close(() => resolve());
+      });
     }
-    this.auditLog.append("l2", `gate_allow:${operation}`, "system", {
-      tier: 3,
-      operation
-    });
-    return {
-      allowed: true,
-      tier: 3,
-      reason: "Operation allowed (Tier 3)",
-      approval_required: false
-    };
   }
   /**
-   * Detect Tier 2 behavioral anomalies.
+   * Request approval from the human via the dashboard.
+   * Blocks until the human approves/denies or timeout occurs.
    */
-  detectAnomaly(operation, args) {
-    const config = this.policy.tier2_anomaly;
-    if (this.baseline.isFirstSession && config.first_session_policy === "approve") {
-      if (!this.policy.tier3_always_allow.includes(operation)) {
-        return {
-          reason: `First session: "${operation}" has no established baseline`,
-          context: { operation, is_first_session: true }
+  async requestApproval(request) {
+    const id = randomBytes$1(8).toString("hex");
+    process.stderr.write(
+      `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) \u2014 open dashboard to respond
+`
+    );
+    return new Promise((resolve) => {
+      const timer = setTimeout(() => {
+        this.pending.delete(id);
+        const response = {
+          // SEC-002: Timeout ALWAYS denies. No configuration can change this.
+          decision: "deny",
+          decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+          decided_by: "timeout"
         };
+        this.broadcastSSE("request-resolved", {
+          request_id: id,
+          decision: response.decision,
+          decided_by: "timeout"
+        });
+        resolve(response);
+      }, this.config.timeout_seconds * 1e3);
+      const pending = {
+        id,
+        request,
+        resolve,
+        timer,
+        created_at: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      this.pending.set(id, pending);
+      this.broadcastSSE("pending-request", {
+        request_id: id,
+        operation: request.operation,
+        tier: request.tier,
+        reason: request.reason,
+        context: request.context,
+        timestamp: request.timestamp
+      });
+    });
+  }
+  // ── Authentication ──────────────────────────────────────────────────
+  /**
+   * Verify bearer token authentication.
+   *
+   * SEC-012: The long-lived auth token is ONLY accepted via the Authorization
+   * header — never in URL query strings. For SSE and page loads that cannot
+   * set headers, a short-lived session token (obtained via POST /auth/session)
+   * is accepted via ?session= query parameter.
+   *
+   * Returns true if auth passes, false if blocked (response already sent).
+   */
+  checkAuth(req, url, res) {
+    if (!this.authToken) return true;
+    const authHeader = req.headers.authorization;
+    if (authHeader) {
+      const parts = authHeader.split(" ");
+      if (parts.length === 2 && parts[0] === "Bearer" && parts[1] === this.authToken) {
+        return true;
       }
     }
-    if (config.new_namespace_access === "approve") {
-      const namespace = args.namespace;
-      if (namespace) {
-        const isNew = this.baseline.recordNamespaceAccess(namespace);
-        if (isNew) {
-          return {
-            reason: `First access to namespace "${namespace}" (not in session baseline)`,
-            context: {
-              operation,
-              namespace,
-              known_namespaces: this.baseline.getProfile().known_namespaces
-            }
-          };
-        }
-      }
-    } else if (config.new_namespace_access === "log") {
-      const namespace = args.namespace;
-      if (namespace) {
-        this.baseline.recordNamespaceAccess(namespace);
-      }
+    const sessionId = url.searchParams.get("session");
+    if (sessionId && this.validateSession(sessionId)) {
+      return true;
     }
-    if (config.new_counterparty === "approve") {
-      const counterpartyDid = args.counterparty_did ?? args.agent_identity_id;
-      if (counterpartyDid) {
-        const isNew = this.baseline.recordCounterparty(counterpartyDid);
-        if (isNew) {
-          return {
-            reason: `First interaction with counterparty "${counterpartyDid}"`,
-            context: {
-              operation,
-              counterparty_did: counterpartyDid,
-              known_counterparties: this.baseline.getProfile().known_counterparties
-            }
-          };
-        }
-      }
-    } else if (config.new_counterparty === "log") {
-      const counterpartyDid = args.counterparty_did;
-      if (counterpartyDid) {
-        this.baseline.recordCounterparty(counterpartyDid);
+    res.writeHead(401, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Unauthorized \u2014 use Authorization: Bearer header or a valid session" }));
+    return false;
+  }
+  // ── Session Management (SEC-012) ──────────────────────────────────
+  /**
+   * Create a short-lived session by exchanging the long-lived auth token
+   * (provided in the Authorization header) for a session ID.
+   */
+  createSession() {
+    if (this.sessions.size >= MAX_SESSIONS) {
+      this.cleanupSessions();
+      if (this.sessions.size >= MAX_SESSIONS) {
+        const oldest = [...this.sessions.entries()].sort(
+          (a, b) => a[1].created_at - b[1].created_at
+        )[0];
+        if (oldest) this.sessions.delete(oldest[0]);
       }
     }
-    if (operation === "identity_sign") {
-      const signCount = this.baseline.recordSign();
+    const id = randomBytes$1(32).toString("hex");
+    const now = Date.now();
+    this.sessions.set(id, {
+      id,
+      created_at: now,
+      expires_at: now + SESSION_TTL_MS
+    });
+    return id;
+  }
+  /**
+   * Validate a session ID — must exist and not be expired.
+   */
+  validateSession(sessionId) {
+    const session = this.sessions.get(sessionId);
+    if (!session) return false;
+    if (Date.now() > session.expires_at) {
+      this.sessions.delete(sessionId);
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Remove all expired sessions.
+   */
+  cleanupSessions() {
+    const now = Date.now();
+    for (const [id, session] of this.sessions) {
+      if (now > session.expires_at) {
+        this.sessions.delete(id);
+      }
+    }
+  }
+  // ── HTTP Request Handler ────────────────────────────────────────────
+  handleRequest(req, res) {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    const method = req.method ?? "GET";
+    const origin = req.headers.origin;
+    const protocol = this.useTLS ? "https" : "http";
+    const selfOrigin = `${protocol}://${this.config.host}:${this.config.port}`;
+    if (origin === selfOrigin) {
+      res.setHeader("Access-Control-Allow-Origin", origin);
+    }
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    if (method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    if (!this.checkAuth(req, url, res)) return;
+    try {
+      if (method === "POST" && url.pathname === "/auth/session") {
+        this.handleSessionExchange(req, res);
+        return;
+      }
+      if (method === "GET" && url.pathname === "/") {
+        this.serveDashboard(res);
+      } else if (method === "GET" && url.pathname === "/events") {
+        this.handleSSE(req, res);
+      } else if (method === "GET" && url.pathname === "/api/status") {
+        this.handleStatus(res);
+      } else if (method === "GET" && url.pathname === "/api/pending") {
+        this.handlePendingList(res);
+      } else if (method === "GET" && url.pathname === "/api/audit-log") {
+        this.handleAuditLog(url, res);
+      } else if (method === "POST" && url.pathname.startsWith("/api/approve/")) {
+        const id = url.pathname.slice("/api/approve/".length);
+        this.handleDecision(id, "approve", res);
+      } else if (method === "POST" && url.pathname.startsWith("/api/deny/")) {
+        const id = url.pathname.slice("/api/deny/".length);
+        this.handleDecision(id, "deny", res);
+      } else {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Not found" }));
+      }
+    } catch (err) {
+      res.writeHead(500, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Internal server error" }));
+    }
+  }
+  // ── Route Handlers ──────────────────────────────────────────────────
+  /**
+   * SEC-012: Exchange a long-lived auth token (in Authorization header)
+   * for a short-lived session ID. The session ID can be used in URL
+   * query parameters without exposing the long-lived credential.
+   *
+   * This endpoint performs its OWN auth check (header-only) because it
+   * must reject query-parameter tokens and is called before the
+   * normal checkAuth flow.
+   */
+  handleSessionExchange(req, res) {
+    if (!this.authToken) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ session_id: "no-auth" }));
+      return;
+    }
+    const authHeader = req.headers.authorization;
+    if (!authHeader) {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Authorization header required" }));
+      return;
+    }
+    const parts = authHeader.split(" ");
+    if (parts.length !== 2 || parts[0] !== "Bearer" || parts[1] !== this.authToken) {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Invalid bearer token" }));
+      return;
+    }
+    const sessionId = this.createSession();
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({
+      session_id: sessionId,
+      expires_in_seconds: SESSION_TTL_MS / 1e3
+    }));
+  }
+  serveDashboard(res) {
+    res.writeHead(200, {
+      "Content-Type": "text/html; charset=utf-8",
+      "Cache-Control": "no-cache"
+    });
+    res.end(this.dashboardHTML);
+  }
+  handleSSE(req, res) {
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      "Connection": "keep-alive"
+    });
+    const initData = {};
+    if (this.baseline) {
+      initData.baseline = this.baseline.getProfile();
+    }
+    if (this.policy) {
+      initData.policy = {
+        tier1_always_approve: this.policy.tier1_always_approve,
+        tier2_anomaly: this.policy.tier2_anomaly,
+        tier3_always_allow: this.policy.tier3_always_allow,
+        approval_channel: {
+          type: this.policy.approval_channel.type,
+          timeout_seconds: this.policy.approval_channel.timeout_seconds,
+          auto_deny: true
+          // SEC-002: hardcoded, not configurable
+        }
+      };
+    }
+    const pendingList = Array.from(this.pending.values()).map((p) => ({
+      request_id: p.id,
+      operation: p.request.operation,
+      tier: p.request.tier,
+      reason: p.request.reason,
+      context: p.request.context,
+      timestamp: p.request.timestamp
+    }));
+    if (pendingList.length > 0) {
+      initData.pending = pendingList;
+    }
+    res.write(`event: init
+data: ${JSON.stringify(initData)}
+
+`);
+    this.sseClients.add(res);
+    req.on("close", () => {
+      this.sseClients.delete(res);
+    });
+  }
+  handleStatus(res) {
+    const status = {
+      pending_count: this.pending.size,
+      connected_clients: this.sseClients.size
+    };
+    if (this.baseline) {
+      status.baseline = this.baseline.getProfile();
+    }
+    if (this.policy) {
+      status.policy = {
+        version: this.policy.version,
+        tier1_always_approve: this.policy.tier1_always_approve,
+        tier2_anomaly: this.policy.tier2_anomaly,
+        tier3_always_allow: this.policy.tier3_always_allow,
+        approval_channel: {
+          type: this.policy.approval_channel.type,
+          timeout_seconds: this.policy.approval_channel.timeout_seconds,
+          auto_deny: true
+          // SEC-002: hardcoded, not configurable
+        }
+      };
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(status));
+  }
+  handlePendingList(res) {
+    const list = Array.from(this.pending.values()).map((p) => ({
+      id: p.id,
+      operation: p.request.operation,
+      tier: p.request.tier,
+      reason: p.request.reason,
+      context: p.request.context,
+      timestamp: p.request.timestamp,
+      created_at: p.created_at
+    }));
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(list));
+  }
+  handleAuditLog(url, res) {
+    const limit = parseInt(url.searchParams.get("limit") ?? "50", 10);
+    if (this.auditLog) {
+      this.auditLog.query({ limit }).then((entries) => {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(entries));
+      }).catch(() => {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify([]));
+      });
+    } else {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify([]));
+    }
+  }
+  handleDecision(id, decision, res) {
+    const pending = this.pending.get(id);
+    if (!pending) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Request not found or already resolved" }));
+      return;
+    }
+    clearTimeout(pending.timer);
+    this.pending.delete(id);
+    const response = {
+      decision,
+      decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+      decided_by: "human"
+    };
+    this.broadcastSSE("request-resolved", {
+      request_id: id,
+      decision,
+      decided_by: "human"
+    });
+    pending.resolve(response);
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ success: true, decision }));
+  }
+  // ── SSE Broadcasting ────────────────────────────────────────────────
+  broadcastSSE(event, data) {
+    const message = `event: ${event}
+data: ${JSON.stringify(data)}
+
+`;
+    for (const client of this.sseClients) {
+      try {
+        client.write(message);
+      } catch {
+        this.sseClients.delete(client);
+      }
+    }
+  }
+  /**
+   * Broadcast an audit entry to connected dashboards.
+   * Called externally when audit events happen.
+   */
+  broadcastAuditEntry(entry) {
+    this.broadcastSSE("audit-entry", entry);
+  }
+  /**
+   * Broadcast a baseline update to connected dashboards.
+   * Called externally after baseline changes.
+   */
+  broadcastBaselineUpdate() {
+    if (this.baseline) {
+      this.broadcastSSE("baseline-update", this.baseline.getProfile());
+    }
+  }
+  /** Get the number of pending requests */
+  get pendingCount() {
+    return this.pending.size;
+  }
+  /** Get the number of connected SSE clients */
+  get clientCount() {
+    return this.sseClients.size;
+  }
+};
+function signPayload(body, secret) {
+  return createHmac("sha256", secret).update(body).digest("hex");
+}
+function verifySignature(body, signature, secret) {
+  const expected = signPayload(body, secret);
+  if (expected.length !== signature.length) return false;
+  let mismatch = 0;
+  for (let i = 0; i < expected.length; i++) {
+    mismatch |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
+  }
+  return mismatch === 0;
+}
+var WebhookApprovalChannel = class {
+  config;
+  pending = /* @__PURE__ */ new Map();
+  callbackServer = null;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Start the callback listener server.
+   */
+  async start() {
+    return new Promise((resolve, reject) => {
+      this.callbackServer = createServer$2(
+        (req, res) => this.handleCallback(req, res)
+      );
+      this.callbackServer.listen(
+        this.config.callback_port,
+        this.config.callback_host,
+        () => {
+          process.stderr.write(
+            `
+  Sanctuary Webhook Callback: http://${this.config.callback_host}:${this.config.callback_port}
+  Webhook target: ${this.config.webhook_url}
+
+`
+          );
+          resolve();
+        }
+      );
+      this.callbackServer.on("error", reject);
+    });
+  }
+  /**
+   * Stop the callback server and clean up pending requests.
+   */
+  async stop() {
+    for (const [, pending] of this.pending) {
+      clearTimeout(pending.timer);
+      pending.resolve({
+        decision: "deny",
+        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+        decided_by: "auto"
+      });
+    }
+    this.pending.clear();
+    if (this.callbackServer) {
+      return new Promise((resolve) => {
+        this.callbackServer.close(() => resolve());
+      });
+    }
+  }
+  /**
+   * Request approval by POSTing to the webhook and waiting for a callback.
+   */
+  async requestApproval(request) {
+    const id = randomBytes$1(8).toString("hex");
+    process.stderr.write(
+      `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) \u2014 awaiting callback
+`
+    );
+    return new Promise((resolve) => {
+      const timer = setTimeout(() => {
+        this.pending.delete(id);
+        const response = {
+          // SEC-002: Timeout ALWAYS denies. No configuration can change this.
+          decision: "deny",
+          decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+          decided_by: "timeout"
+        };
+        resolve(response);
+      }, this.config.timeout_seconds * 1e3);
+      const pending = {
+        id,
+        request,
+        resolve,
+        timer,
+        created_at: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      this.pending.set(id, pending);
+      const callbackUrl = `http://${this.config.callback_host}:${this.config.callback_port}/webhook/respond/${id}`;
+      const payload = {
+        request_id: id,
+        operation: request.operation,
+        tier: request.tier,
+        reason: request.reason,
+        context: request.context,
+        timestamp: request.timestamp,
+        callback_url: callbackUrl,
+        timeout_seconds: this.config.timeout_seconds
+      };
+      this.sendWebhook(payload).catch((err) => {
+        process.stderr.write(
+          `[Sanctuary] Webhook delivery failed: ${err instanceof Error ? err.message : String(err)}
+`
+        );
+      });
+    });
+  }
+  // ── Outbound Webhook ──────────────────────────────────────────────────
+  async sendWebhook(payload) {
+    const body = JSON.stringify(payload);
+    const signature = signPayload(body, this.config.webhook_secret);
+    const response = await fetch(this.config.webhook_url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Sanctuary-Signature": signature,
+        "X-Sanctuary-Request-Id": payload.request_id
+      },
+      body
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Webhook returned ${response.status}: ${await response.text().catch(() => "")}`
+      );
+    }
+  }
+  // ── Inbound Callback Handler ──────────────────────────────────────────
+  handleCallback(req, res) {
+    const url = new URL(
+      req.url ?? "/",
+      `http://${req.headers.host ?? "localhost"}`
+    );
+    const method = req.method ?? "GET";
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
+    res.setHeader(
+      "Access-Control-Allow-Headers",
+      "Content-Type, X-Sanctuary-Signature"
+    );
+    if (method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    if (method === "GET" && url.pathname === "/health") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          status: "ok",
+          pending_count: this.pending.size
+        })
+      );
+      return;
+    }
+    const match = url.pathname.match(/^\/webhook\/respond\/([a-f0-9]+)$/);
+    if (method !== "POST" || !match) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Not found" }));
+      return;
+    }
+    const requestId = match[1];
+    let bodyChunks = [];
+    req.on("data", (chunk) => bodyChunks.push(chunk));
+    req.on("end", () => {
+      const body = Buffer.concat(bodyChunks).toString("utf-8");
+      const signature = req.headers["x-sanctuary-signature"];
+      if (typeof signature !== "string" || !verifySignature(body, signature, this.config.webhook_secret)) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({ error: "Invalid signature" })
+        );
+        return;
+      }
+      let callbackPayload;
+      try {
+        callbackPayload = JSON.parse(body);
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Invalid JSON" }));
+        return;
+      }
+      if (callbackPayload.decision !== "approve" && callbackPayload.decision !== "deny") {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            error: 'Decision must be "approve" or "deny"'
+          })
+        );
+        return;
+      }
+      if (callbackPayload.request_id !== requestId) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({ error: "Request ID mismatch" })
+        );
+        return;
+      }
+      const pending = this.pending.get(requestId);
+      if (!pending) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            error: "Request not found or already resolved"
+          })
+        );
+        return;
+      }
+      clearTimeout(pending.timer);
+      this.pending.delete(requestId);
+      const response = {
+        decision: callbackPayload.decision,
+        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+        decided_by: "human"
+      };
+      pending.resolve(response);
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          success: true,
+          decision: callbackPayload.decision
+        })
+      );
+    });
+  }
+  /** Get the number of pending requests */
+  get pendingCount() {
+    return this.pending.size;
+  }
+};
+
+// src/principal-policy/gate.ts
+var ApprovalGate = class {
+  policy;
+  baseline;
+  channel;
+  auditLog;
+  constructor(policy, baseline, channel, auditLog) {
+    this.policy = policy;
+    this.baseline = baseline;
+    this.channel = channel;
+    this.auditLog = auditLog;
+  }
+  /**
+   * Evaluate a tool call against the Principal Policy.
+   *
+   * @param toolName - Full MCP tool name (e.g., "sanctuary/state_export")
+   * @param args - Tool call arguments (for context extraction)
+   * @returns GateResult indicating whether the call is allowed
+   */
+  async evaluate(toolName, args) {
+    const operation = extractOperationName(toolName);
+    this.baseline.recordToolCall(operation);
+    if (this.policy.tier1_always_approve.includes(operation)) {
+      return this.requestApproval(operation, 1, `"${operation}" is a Tier 1 operation (always requires approval)`, {
+        operation,
+        args_summary: this.summarizeArgs(args)
+      });
+    }
+    const anomaly = this.detectAnomaly(operation, args);
+    if (anomaly) {
+      return this.requestApproval(operation, 2, anomaly.reason, anomaly.context);
+    }
+    if (this.policy.tier3_always_allow.includes(operation)) {
+      this.auditLog.append("l2", `gate_allow:${operation}`, "system", {
+        tier: 3,
+        operation
+      });
+      return {
+        allowed: true,
+        tier: 3,
+        reason: "Operation allowed (Tier 3)",
+        approval_required: false
+      };
+    }
+    this.auditLog.append("l2", `gate_unclassified:${operation}`, "system", {
+      tier: 1,
+      operation,
+      warning: "Operation is not classified in any policy tier \u2014 defaulting to Tier 1 (require approval)"
+    });
+    return this.requestApproval(
+      operation,
+      1,
+      `"${operation}" is not classified in any policy tier \u2014 requires approval (SEC-011 safe default)`,
+      { operation, unclassified: true }
+    );
+  }
+  /**
+   * Detect Tier 2 behavioral anomalies.
+   */
+  detectAnomaly(operation, args) {
+    const config = this.policy.tier2_anomaly;
+    if (this.baseline.isFirstSession && config.first_session_policy === "approve") {
+      if (!this.policy.tier3_always_allow.includes(operation)) {
+        return {
+          reason: `First session: "${operation}" has no established baseline`,
+          context: { operation, is_first_session: true }
+        };
+      }
+    }
+    if (config.new_namespace_access === "approve") {
+      const namespace = args.namespace;
+      if (namespace) {
+        const isNew = this.baseline.recordNamespaceAccess(namespace);
+        if (isNew) {
+          return {
+            reason: `First access to namespace "${namespace}" (not in session baseline)`,
+            context: {
+              operation,
+              namespace,
+              known_namespaces: this.baseline.getProfile().known_namespaces
+            }
+          };
+        }
+      }
+    } else if (config.new_namespace_access === "log") {
+      const namespace = args.namespace;
+      if (namespace) {
+        this.baseline.recordNamespaceAccess(namespace);
+      }
+    }
+    if (config.new_counterparty === "approve") {
+      const counterpartyDid = args.counterparty_did ?? args.agent_identity_id;
+      if (counterpartyDid) {
+        const isNew = this.baseline.recordCounterparty(counterpartyDid);
+        if (isNew) {
+          return {
+            reason: `First interaction with counterparty "${counterpartyDid}"`,
+            context: {
+              operation,
+              counterparty_did: counterpartyDid,
+              known_counterparties: this.baseline.getProfile().known_counterparties
+            }
+          };
+        }
+      }
+    } else if (config.new_counterparty === "log") {
+      const counterpartyDid = args.counterparty_did;
+      if (counterpartyDid) {
+        this.baseline.recordCounterparty(counterpartyDid);
+      }
+    }
+    if (operation === "identity_sign") {
+      const signCount = this.baseline.recordSign();
       if (signCount > config.max_signs_per_minute) {
         return {
           reason: `Signing frequency (${signCount}/min) exceeds limit (${config.max_signs_per_minute}/min)`,
@@ -3454,7 +5476,8 @@ function createPrincipalPolicyTools(policy, baseline, auditLog) {
           approval_channel: {
             type: policy.approval_channel.type,
             timeout_seconds: policy.approval_channel.timeout_seconds,
-            auto_deny: policy.approval_channel.auto_deny
+            auto_deny: true
+            // SEC-002: hardcoded, not configurable
           }
         };
         if (includeDefaults) {
@@ -3912,6 +5935,7 @@ function deriveTrustTier(level) {
 // src/handshake/tools.ts
 function createHandshakeTools(config, identityManager, masterKey, auditLog) {
   const sessions = /* @__PURE__ */ new Map();
+  const handshakeResults = /* @__PURE__ */ new Map();
   const shrOpts = {
     config,
     identityManager,
@@ -3984,7 +6008,9 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
         return toolResult({
           session_id: result.session.session_id,
           response: result.response,
-          instructions: "Send the 'response' object back to the initiator. When you receive their completion, pass it to sanctuary/handshake_status with this session_id."
+          instructions: "Send the 'response' object back to the initiator. When you receive their completion, pass it to sanctuary/handshake_status with this session_id.",
+          // SEC-ADD-03: Tag response — contains SHR data that will be sent to counterparty
+          _content_trust: "external"
         });
       }
     },
@@ -4032,11 +6058,14 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
         session.their_shr = response.shr;
         session.their_nonce = response.responder_nonce;
         session.result = result.result;
+        handshakeResults.set(result.result.counterparty_id, result.result);
         auditLog.append("l4", "handshake_complete", session.our_shr.body.instance_id);
         return toolResult({
           completion: result.completion,
           result: result.result,
-          instructions: "Send the 'completion' object to the responder so they can verify the handshake. The 'result' object contains the verified counterparty status and trust tier."
+          instructions: "Send the 'completion' object to the responder so they can verify the handshake. The 'result' object contains the verified counterparty status and trust tier.",
+          // SEC-ADD-03: Tag response as containing counterparty-controlled SHR data
+          _content_trust: "external"
         });
       }
     },
@@ -4068,6 +6097,9 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
           const result = verifyCompletion(completion, session);
           session.state = result.verified ? "completed" : "failed";
           session.result = result;
+          if (result.verified) {
+            handshakeResults.set(result.counterparty_id, result);
+          }
           auditLog.append(
             "l4",
             "handshake_verify_completion",
@@ -4087,18 +6119,1450 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
       }
     }
   ];
-  return { tools };
+  return { tools, handshakeResults };
 }
 
-// src/index.ts
-init_encoding();
-async function createSanctuaryServer(options) {
-  const config = await loadConfig(options?.configPath);
-  await mkdir(config.storage_path, { recursive: true, mode: 448 });
-  const storage = options?.storage ?? new FilesystemStorage(
-    `${config.storage_path}/state`
-  );
-  let masterKey;
+// src/federation/registry.ts
+var DEFAULT_CAPABILITIES = {
+  reputation_exchange: true,
+  mutual_attestation: true,
+  encrypted_channel: false,
+  attestation_formats: ["sanctuary-interaction-v1"]
+};
+var FederationRegistry = class {
+  peers = /* @__PURE__ */ new Map();
+  /**
+   * Register or update a peer from a completed handshake.
+   * This is the ONLY way peers enter the registry.
+   */
+  registerFromHandshake(result, peerDid, capabilities) {
+    const existing = this.peers.get(result.counterparty_id);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const peer = {
+      peer_id: result.counterparty_id,
+      peer_did: peerDid,
+      first_seen: existing?.first_seen ?? now,
+      last_handshake: result.completed_at,
+      trust_tier: trustTierToSovereigntyTier(result.trust_tier),
+      handshake_result: result,
+      capabilities: {
+        ...DEFAULT_CAPABILITIES,
+        ...existing?.capabilities ?? {},
+        ...capabilities ?? {}
+      },
+      active: result.verified && new Date(result.expires_at) > /* @__PURE__ */ new Date()
+    };
+    if (!peer.active) {
+      peer.trust_tier = "self-attested";
+    }
+    this.peers.set(result.counterparty_id, peer);
+    return peer;
+  }
+  /**
+   * Get a peer by instance ID.
+   * Automatically updates active status based on handshake expiry.
+   */
+  getPeer(peerId) {
+    const peer = this.peers.get(peerId);
+    if (!peer) return null;
+    if (peer.active && new Date(peer.handshake_result.expires_at) <= /* @__PURE__ */ new Date()) {
+      peer.active = false;
+      peer.trust_tier = "self-attested";
+    }
+    return peer;
+  }
+  /**
+   * List all known peers, optionally filtered by status.
+   */
+  listPeers(filter) {
+    const peers = Array.from(this.peers.values());
+    for (const peer of peers) {
+      if (peer.active && new Date(peer.handshake_result.expires_at) <= /* @__PURE__ */ new Date()) {
+        peer.active = false;
+        peer.trust_tier = "self-attested";
+      }
+    }
+    if (filter?.active_only) {
+      return peers.filter((p) => p.active);
+    }
+    return peers;
+  }
+  /**
+   * Evaluate trust for a federation peer.
+   *
+   * Trust assessment considers:
+   * - Handshake status (current vs expired)
+   * - Sovereignty tier (verified-sovereign vs degraded vs unverified)
+   * - Reputation data (if available)
+   * - Mutual attestation history
+   */
+  evaluateTrust(peerId, mutualAttestationCount = 0, reputationScore) {
+    const peer = this.getPeer(peerId);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    if (!peer) {
+      return {
+        peer_id: peerId,
+        sovereignty_tier: "unverified",
+        handshake_current: false,
+        mutual_attestation_count: 0,
+        trust_level: "none",
+        factors: ["Peer not found in federation registry"],
+        evaluated_at: now
+      };
+    }
+    const factors = [];
+    let score = 0;
+    if (peer.active) {
+      factors.push("Active handshake (trust current)");
+      score += 3;
+    } else {
+      factors.push("Handshake expired (trust degraded)");
+      score += 1;
+    }
+    switch (peer.trust_tier) {
+      case "verified-sovereign":
+        factors.push("Verified sovereign \u2014 full sovereignty posture");
+        score += 4;
+        break;
+      case "verified-degraded":
+        factors.push("Verified degraded \u2014 sovereignty with known limitations");
+        score += 3;
+        break;
+      case "self-attested":
+        factors.push("Self-attested \u2014 claims not independently verified");
+        score += 1;
+        break;
+      case "unverified":
+        factors.push("Unverified \u2014 no sovereignty proof");
+        score += 0;
+        break;
+    }
+    if (mutualAttestationCount > 10) {
+      factors.push(`Strong attestation history (${mutualAttestationCount} mutual attestations)`);
+      score += 3;
+    } else if (mutualAttestationCount > 0) {
+      factors.push(`Some attestation history (${mutualAttestationCount} mutual attestations)`);
+      score += 1;
+    } else {
+      factors.push("No mutual attestation history");
+    }
+    if (reputationScore !== void 0) {
+      if (reputationScore >= 80) {
+        factors.push(`High reputation score (${reputationScore})`);
+        score += 2;
+      } else if (reputationScore >= 50) {
+        factors.push(`Moderate reputation score (${reputationScore})`);
+        score += 1;
+      } else {
+        factors.push(`Low reputation score (${reputationScore})`);
+      }
+    }
+    let trust_level;
+    if (score >= 9) trust_level = "high";
+    else if (score >= 5) trust_level = "medium";
+    else if (score >= 2) trust_level = "low";
+    else trust_level = "none";
+    return {
+      peer_id: peerId,
+      sovereignty_tier: peer.trust_tier,
+      handshake_current: peer.active,
+      reputation_score: reputationScore,
+      mutual_attestation_count: mutualAttestationCount,
+      trust_level,
+      factors,
+      evaluated_at: now
+    };
+  }
+  /**
+   * Remove a peer from the registry.
+   */
+  removePeer(peerId) {
+    return this.peers.delete(peerId);
+  }
+  /**
+   * Get the handshake results map (for tier resolution integration).
+   */
+  getHandshakeResults() {
+    const results = /* @__PURE__ */ new Map();
+    for (const [id, peer] of this.peers) {
+      if (peer.active) {
+        results.set(id, peer.handshake_result);
+      }
+    }
+    return results;
+  }
+};
+
+// src/federation/tools.ts
+function createFederationTools(auditLog, handshakeResults) {
+  const registry = new FederationRegistry();
+  const tools = [
+    // ─── Peer Management ──────────────────────────────────────────────
+    {
+      name: "sanctuary/federation_peers",
+      description: "List known federation peers, register a peer from a completed handshake, or remove a peer. Every peer MUST enter through a verified handshake \u2014 no self-registration allowed.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          action: {
+            type: "string",
+            enum: ["list", "register", "remove"],
+            description: "Operation to perform on the peer registry"
+          },
+          peer_id: {
+            type: "string",
+            description: "Peer instance ID (required for register/remove)"
+          },
+          peer_did: {
+            type: "string",
+            description: "Peer DID (required for register)"
+          },
+          active_only: {
+            type: "boolean",
+            description: "When listing, only show peers with active handshakes"
+          }
+        },
+        required: ["action"]
+      },
+      handler: async (args) => {
+        const action = args.action;
+        switch (action) {
+          case "list": {
+            const peers = registry.listPeers({
+              active_only: args.active_only
+            });
+            auditLog.append("l4", "federation_peers_list", "system", {
+              peer_count: peers.length
+            });
+            return toolResult({
+              peers: peers.map((p) => ({
+                peer_id: p.peer_id,
+                peer_did: p.peer_did,
+                trust_tier: p.trust_tier,
+                active: p.active,
+                first_seen: p.first_seen,
+                last_handshake: p.last_handshake,
+                capabilities: p.capabilities
+              })),
+              total: peers.length
+            });
+          }
+          case "register": {
+            const peerId = args.peer_id;
+            const peerDid = args.peer_did;
+            if (!peerId || !peerDid) {
+              return toolResult({
+                error: "Both peer_id and peer_did are required for registration."
+              });
+            }
+            const hsResult = handshakeResults.get(peerId);
+            if (!hsResult) {
+              return toolResult({
+                error: `No completed handshake found for peer "${peerId}". Complete a sovereignty handshake first using handshake_initiate.`
+              });
+            }
+            if (!hsResult.verified) {
+              return toolResult({
+                error: `Handshake with "${peerId}" was not verified. Only verified handshakes can establish federation.`
+              });
+            }
+            const peer = registry.registerFromHandshake(hsResult, peerDid);
+            auditLog.append("l4", "federation_peer_register", "system", {
+              peer_id: peerId,
+              peer_did: peerDid,
+              trust_tier: peer.trust_tier
+            });
+            return toolResult({
+              registered: true,
+              peer_id: peer.peer_id,
+              trust_tier: peer.trust_tier,
+              active: peer.active,
+              capabilities: peer.capabilities
+            });
+          }
+          case "remove": {
+            const peerId = args.peer_id;
+            if (!peerId) {
+              return toolResult({ error: "peer_id is required for removal." });
+            }
+            const removed = registry.removePeer(peerId);
+            auditLog.append("l4", "federation_peer_remove", "system", {
+              peer_id: peerId,
+              removed
+            });
+            return toolResult({
+              removed,
+              peer_id: peerId
+            });
+          }
+          default:
+            return toolResult({ error: `Unknown action: ${action}` });
+        }
+      }
+    },
+    // ─── Trust Evaluation ─────────────────────────────────────────────
+    {
+      name: "sanctuary/federation_trust_evaluate",
+      description: "Evaluate the trust level of a federation peer. Considers handshake status, sovereignty tier, reputation score, and mutual attestation history. Returns a composite trust assessment.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          peer_id: {
+            type: "string",
+            description: "Peer instance ID to evaluate"
+          },
+          mutual_attestation_count: {
+            type: "number",
+            description: "Number of mutual attestations with this peer (0 if unknown)"
+          },
+          reputation_score: {
+            type: "number",
+            description: "Peer's weighted reputation score (from reputation_query_weighted)"
+          }
+        },
+        required: ["peer_id"]
+      },
+      handler: async (args) => {
+        const peerId = args.peer_id;
+        const mutualCount = args.mutual_attestation_count ?? 0;
+        const repScore = args.reputation_score;
+        const evaluation = registry.evaluateTrust(peerId, mutualCount, repScore);
+        auditLog.append("l4", "federation_trust_evaluate", "system", {
+          peer_id: peerId,
+          trust_level: evaluation.trust_level,
+          sovereignty_tier: evaluation.sovereignty_tier
+        });
+        return toolResult(evaluation);
+      }
+    },
+    // ─── Federation Status ────────────────────────────────────────────
+    {
+      name: "sanctuary/federation_status",
+      description: "Overview of federation state: total peers, active connections, trust distribution, and readiness for cross-instance operations.",
+      inputSchema: {
+        type: "object",
+        properties: {}
+      },
+      handler: async () => {
+        const allPeers = registry.listPeers();
+        const activePeers = registry.listPeers({ active_only: true });
+        const tierCounts = {
+          "verified-sovereign": 0,
+          "verified-degraded": 0,
+          "self-attested": 0,
+          "unverified": 0
+        };
+        for (const peer of allPeers) {
+          tierCounts[peer.trust_tier] = (tierCounts[peer.trust_tier] ?? 0) + 1;
+        }
+        const capCounts = {
+          reputation_exchange: activePeers.filter((p) => p.capabilities.reputation_exchange).length,
+          mutual_attestation: activePeers.filter((p) => p.capabilities.mutual_attestation).length,
+          encrypted_channel: activePeers.filter((p) => p.capabilities.encrypted_channel).length
+        };
+        auditLog.append("l4", "federation_status", "system", {
+          total_peers: allPeers.length,
+          active_peers: activePeers.length
+        });
+        return toolResult({
+          total_peers: allPeers.length,
+          active_peers: activePeers.length,
+          expired_peers: allPeers.length - activePeers.length,
+          trust_distribution: tierCounts,
+          capability_coverage: capCounts,
+          federation_ready: activePeers.length > 0,
+          checked_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    }
+  ];
+  return { tools, registry };
+}
+
+// src/bridge/tools.ts
+init_encoding();
+init_encoding();
+
+// src/bridge/bridge.ts
+init_encoding();
+init_hashing();
+function canonicalize(outcome) {
+  return stringToBytes(stableStringify(outcome));
+}
+function stableStringify(value) {
+  if (value === null) return "null";
+  if (value === void 0) return "null";
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(
+        `Cannot canonicalize non-finite number: ${value}. NaN, Infinity, and -Infinity are not representable in JSON.`
+      );
+    }
+    if (Object.is(value, -0)) {
+      throw new Error(
+        "Cannot canonicalize negative zero (-0). Use 0 instead for deterministic cross-language serialization."
+      );
+    }
+    return JSON.stringify(value);
+  }
+  if (typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map((v) => stableStringify(v)).join(",") + "]";
+  }
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  const pairs = keys.map((k) => JSON.stringify(k) + ":" + stableStringify(obj[k]));
+  return "{" + pairs.join(",") + "}";
+}
+function createBridgeCommitment(outcome, identity, identityEncryptionKey, includePedersen = false) {
+  const commitmentId = `bridge-${Date.now()}-${toBase64url(randomBytes(8))}`;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const canonicalBytes = canonicalize(outcome);
+  const canonicalString = new TextDecoder().decode(canonicalBytes);
+  const sha2564 = createCommitment(canonicalString);
+  let pedersenData;
+  if (includePedersen && Number.isInteger(outcome.rounds) && outcome.rounds >= 0) {
+    const pedersen = createPedersenCommitment(outcome.rounds);
+    pedersenData = {
+      commitment: pedersen.commitment,
+      blinding_factor: pedersen.blinding_factor
+    };
+  }
+  const commitmentPayload = {
+    bridge_commitment_id: commitmentId,
+    session_id: outcome.session_id,
+    sha256_commitment: sha2564.commitment,
+    terms_hash: outcome.terms_hash,
+    committer_did: identity.did,
+    committed_at: now,
+    bridge_version: "sanctuary-concordia-bridge-v1"
+  };
+  const payloadBytes = stringToBytes(stableStringify(commitmentPayload));
+  const signature = sign(payloadBytes, identity.encrypted_private_key, identityEncryptionKey);
+  return {
+    bridge_commitment_id: commitmentId,
+    session_id: outcome.session_id,
+    sha256_commitment: sha2564.commitment,
+    blinding_factor: sha2564.blinding_factor,
+    committer_did: identity.did,
+    signature: toBase64url(signature),
+    pedersen_commitment: pedersenData,
+    committed_at: now,
+    bridge_version: "sanctuary-concordia-bridge-v1"
+  };
+}
+function verifyBridgeCommitment(commitment, outcome, committerPublicKey) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const canonicalString = new TextDecoder().decode(canonicalize(outcome));
+  const sha256Match = verifyCommitment(
+    commitment.sha256_commitment,
+    canonicalString,
+    commitment.blinding_factor
+  );
+  const commitmentPayload = {
+    bridge_commitment_id: commitment.bridge_commitment_id,
+    session_id: commitment.session_id,
+    sha256_commitment: commitment.sha256_commitment,
+    terms_hash: outcome.terms_hash,
+    committer_did: commitment.committer_did,
+    committed_at: commitment.committed_at,
+    bridge_version: commitment.bridge_version
+  };
+  const payloadBytes = stringToBytes(stableStringify(commitmentPayload));
+  const sigBytes = fromBase64url(commitment.signature);
+  const signatureValid = verify(payloadBytes, sigBytes, committerPublicKey);
+  const sessionIdMatch = commitment.session_id === outcome.session_id;
+  const termsBytes = stringToBytes(stableStringify(outcome.terms));
+  const computedTermsHash = toBase64url(hash(termsBytes));
+  const termsHashMatch = computedTermsHash === outcome.terms_hash;
+  let pedersenMatch;
+  if (commitment.pedersen_commitment) {
+    pedersenMatch = verifyPedersenCommitment(
+      commitment.pedersen_commitment.commitment,
+      outcome.rounds,
+      commitment.pedersen_commitment.blinding_factor
+    );
+  }
+  const valid = sha256Match && signatureValid && sessionIdMatch && termsHashMatch && (pedersenMatch === void 0 || pedersenMatch);
+  return {
+    valid,
+    checks: {
+      sha256_match: sha256Match,
+      signature_valid: signatureValid,
+      session_id_match: sessionIdMatch,
+      terms_hash_match: termsHashMatch,
+      pedersen_match: pedersenMatch
+    },
+    bridge_commitment_id: commitment.bridge_commitment_id,
+    verified_at: now
+  };
+}
+
+// src/bridge/tools.ts
+var BridgeStore = class {
+  storage;
+  encryptionKey;
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "bridge-commitments");
+  }
+  async save(commitment, outcome) {
+    const record = { commitment, outcome };
+    const serialized = stringToBytes(JSON.stringify(record));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_bridge",
+      commitment.bridge_commitment_id,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  async get(commitmentId) {
+    const raw = await this.storage.read("_bridge", commitmentId);
+    if (!raw) return null;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      return JSON.parse(bytesToString(decrypted));
+    } catch {
+      return null;
+    }
+  }
+};
+function createBridgeTools(storage, masterKey, identityManager, auditLog, handshakeResults) {
+  const bridgeStore = new BridgeStore(storage, masterKey);
+  const reputationStore = new ReputationStore(storage, masterKey);
+  const identityEncryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const hsResults = handshakeResults ?? /* @__PURE__ */ new Map();
+  function resolveIdentity(identityId) {
+    const id = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+    if (!id) {
+      throw new Error(
+        identityId ? `Identity "${identityId}" not found` : "No identity available. Create one with identity_create first."
+      );
+    }
+    return id;
+  }
+  const tools = [
+    // ─── bridge_commit ─────────────────────────────────────────────────
+    {
+      name: "sanctuary/bridge_commit",
+      description: "Create a cryptographic commitment binding a Concordia negotiation outcome to Sanctuary's L3 proof layer. The commitment includes a SHA-256 hash of the canonical outcome (hiding + binding), an Ed25519 signature by the committer's identity, and an optional Pedersen commitment on the round count for zero-knowledge range proofs. This is the Sanctuary side of the Concordia bridge \u2014 call this when a Concordia `accept` fires.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          session_id: {
+            type: "string",
+            description: "Concordia session identifier"
+          },
+          protocol_version: {
+            type: "string",
+            description: 'Concordia protocol version (e.g., "concordia-v1")'
+          },
+          proposer_did: {
+            type: "string",
+            description: "DID of the party who proposed the accepted terms"
+          },
+          acceptor_did: {
+            type: "string",
+            description: "DID of the party who accepted"
+          },
+          terms: {
+            type: "object",
+            description: "The accepted terms (opaque to Sanctuary, meaningful to Concordia)"
+          },
+          terms_hash: {
+            type: "string",
+            description: "SHA-256 hash of the canonical terms serialization (computed by Concordia)"
+          },
+          rounds: {
+            type: "number",
+            description: "Number of negotiation rounds (propose/counter cycles)"
+          },
+          accepted_at: {
+            type: "string",
+            description: "ISO 8601 timestamp when accept was issued"
+          },
+          session_receipt: {
+            type: "string",
+            description: "Optional: signed Concordia session receipt"
+          },
+          identity_id: {
+            type: "string",
+            description: "Sanctuary identity to sign the commitment (uses default if omitted)"
+          },
+          include_pedersen: {
+            type: "boolean",
+            description: "Include a Pedersen commitment on round count for ZK range proofs"
+          }
+        },
+        required: [
+          "session_id",
+          "protocol_version",
+          "proposer_did",
+          "acceptor_did",
+          "terms",
+          "terms_hash",
+          "rounds",
+          "accepted_at"
+        ]
+      },
+      handler: async (args) => {
+        const outcome = {
+          session_id: args.session_id,
+          protocol_version: args.protocol_version,
+          proposer_did: args.proposer_did,
+          acceptor_did: args.acceptor_did,
+          terms: args.terms,
+          terms_hash: args.terms_hash,
+          rounds: args.rounds,
+          accepted_at: args.accepted_at,
+          session_receipt: args.session_receipt
+        };
+        const identity = resolveIdentity(args.identity_id);
+        const includePedersen = args.include_pedersen ?? false;
+        const bridgeCommitment = createBridgeCommitment(
+          outcome,
+          identity,
+          identityEncryptionKey,
+          includePedersen
+        );
+        await bridgeStore.save(bridgeCommitment, outcome);
+        auditLog.append("l3", "bridge_commit", identity.identity_id, {
+          bridge_commitment_id: bridgeCommitment.bridge_commitment_id,
+          session_id: outcome.session_id,
+          counterparty: outcome.proposer_did === identity.did ? outcome.acceptor_did : outcome.proposer_did
+        });
+        return toolResult({
+          bridge_commitment_id: bridgeCommitment.bridge_commitment_id,
+          session_id: bridgeCommitment.session_id,
+          sha256_commitment: bridgeCommitment.sha256_commitment,
+          committer_did: bridgeCommitment.committer_did,
+          signature: bridgeCommitment.signature,
+          pedersen_commitment: bridgeCommitment.pedersen_commitment ? { commitment: bridgeCommitment.pedersen_commitment.commitment } : void 0,
+          committed_at: bridgeCommitment.committed_at,
+          bridge_version: bridgeCommitment.bridge_version,
+          note: "Bridge commitment created. The blinding factor is stored encrypted. Use bridge_verify to verify the commitment against the revealed outcome. Use bridge_attest to link this negotiation to your reputation."
+        });
+      }
+    },
+    // ─── bridge_verify ───────────────────────────────────────────────────
+    {
+      name: "sanctuary/bridge_verify",
+      description: "Verify a bridge commitment against a revealed Concordia negotiation outcome. Checks SHA-256 commitment validity, Ed25519 signature, session ID match, terms hash integrity, and Pedersen commitment (if present). Use this to confirm that a counterparty's claimed negotiation outcome matches what was cryptographically committed.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          bridge_commitment_id: {
+            type: "string",
+            description: "The bridge commitment ID to verify"
+          },
+          committer_public_key: {
+            type: "string",
+            description: "The committer's Ed25519 public key (base64url). Required if verifying a counterparty's commitment. Omit to auto-resolve from local identities."
+          }
+        },
+        required: ["bridge_commitment_id"]
+      },
+      handler: async (args) => {
+        const commitmentId = args.bridge_commitment_id;
+        const externalPublicKey = args.committer_public_key;
+        const record = await bridgeStore.get(commitmentId);
+        if (!record) {
+          return toolResult({
+            error: `Bridge commitment "${commitmentId}" not found`
+          });
+        }
+        const { commitment: storedCommitment, outcome } = record;
+        let publicKey;
+        if (externalPublicKey) {
+          publicKey = fromBase64url(externalPublicKey);
+        } else {
+          const localIdentities = identityManager.list();
+          const match = localIdentities.find((i) => i.did === storedCommitment.committer_did);
+          if (!match) {
+            return toolResult({
+              error: `Cannot resolve public key for committer "${storedCommitment.committer_did}". Provide committer_public_key for external verification.`
+            });
+          }
+          publicKey = fromBase64url(match.public_key);
+        }
+        const result = verifyBridgeCommitment(storedCommitment, outcome, publicKey);
+        auditLog.append("l3", "bridge_verify", "system", {
+          bridge_commitment_id: commitmentId,
+          session_id: storedCommitment.session_id,
+          valid: result.valid
+        });
+        return toolResult({
+          ...result,
+          session_id: storedCommitment.session_id,
+          committer_did: storedCommitment.committer_did,
+          // SEC-ADD-03: Tag response as containing counterparty-controlled data
+          _content_trust: "external"
+        });
+      }
+    },
+    // ─── bridge_attest ───────────────────────────────────────────────────
+    {
+      name: "sanctuary/bridge_attest",
+      description: "Record a Concordia negotiation as a Sanctuary L4 reputation attestation, linked to a bridge commitment. This completes the bridge: the commitment (L3) proves the terms were agreed, and the attestation (L4) feeds the sovereignty-weighted reputation score. The attestation is automatically tagged with the counterparty's sovereignty tier from any completed handshake.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          bridge_commitment_id: {
+            type: "string",
+            description: "The bridge commitment ID to link"
+          },
+          outcome_result: {
+            type: "string",
+            enum: ["completed", "partial", "failed", "disputed"],
+            description: "Negotiation outcome for reputation scoring"
+          },
+          metrics: {
+            type: "object",
+            description: "Optional metrics (e.g., rounds, response_time_ms, terms_complexity)"
+          },
+          identity_id: {
+            type: "string",
+            description: "Identity to sign the attestation (uses default if omitted)"
+          }
+        },
+        required: ["bridge_commitment_id", "outcome_result"]
+      },
+      handler: async (args) => {
+        const commitmentId = args.bridge_commitment_id;
+        const outcomeResult = args.outcome_result;
+        const metrics = args.metrics ?? {};
+        const identityId = args.identity_id;
+        const record = await bridgeStore.get(commitmentId);
+        if (!record) {
+          return toolResult({
+            error: `Bridge commitment "${commitmentId}" not found`
+          });
+        }
+        const { outcome } = record;
+        const identity = resolveIdentity(identityId);
+        const counterpartyDid = outcome.proposer_did === identity.did ? outcome.acceptor_did : outcome.proposer_did;
+        const hasSanctuaryIdentity = identityManager.list().some(
+          (id) => identityManager.get(id.identity_id)?.did === counterpartyDid
+        );
+        const tierMeta = resolveTier(counterpartyDid, hsResults, hasSanctuaryIdentity);
+        const tier = tierMeta.sovereignty_tier;
+        const fullMetrics = {
+          ...metrics,
+          negotiation_rounds: outcome.rounds
+        };
+        const attestation = await reputationStore.record(
+          outcome.session_id,
+          // interaction_id = concordia session
+          counterpartyDid,
+          {
+            type: "negotiation",
+            result: outcomeResult,
+            metrics: fullMetrics
+          },
+          "concordia-bridge",
+          // context
+          identity,
+          identityEncryptionKey,
+          void 0,
+          // counterparty_attestation
+          tier
+        );
+        auditLog.append("l4", "bridge_attest", identity.identity_id, {
+          bridge_commitment_id: commitmentId,
+          session_id: outcome.session_id,
+          attestation_id: attestation.attestation.attestation_id,
+          counterparty_did: counterpartyDid,
+          sovereignty_tier: tier
+        });
+        const weight = TIER_WEIGHTS[tier];
+        return toolResult({
+          attestation_id: attestation.attestation.attestation_id,
+          bridge_commitment_id: commitmentId,
+          session_id: outcome.session_id,
+          counterparty_did: counterpartyDid,
+          outcome_result: outcomeResult,
+          sovereignty_tier: tier,
+          attested_at: attestation.recorded_at,
+          note: `Negotiation recorded as reputation attestation. Counterparty sovereignty tier: ${tier} (weight: ${weight}).`
+        });
+      }
+    }
+  ];
+  return { tools };
+}
+function lenientJsonParse(raw) {
+  let cleaned = raw.replace(/\/\/[^\n]*/g, "");
+  cleaned = cleaned.replace(/\/\*[\s\S]*?\*\//g, "");
+  cleaned = cleaned.replace(/,\s*([\]}])/g, "$1");
+  return JSON.parse(cleaned);
+}
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function safeReadFile(path) {
+  try {
+    return await readFile(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+async function detectEnvironment(config, deepScan) {
+  const fingerprint = {
+    sanctuary_installed: true,
+    // We're running inside Sanctuary
+    sanctuary_version: config.version,
+    openclaw_detected: false,
+    openclaw_version: null,
+    openclaw_config: null,
+    node_version: process.version,
+    platform: `${process.platform}-${process.arch}`
+  };
+  if (!deepScan) {
+    return fingerprint;
+  }
+  const home = homedir();
+  const openclawConfigPath = join(home, ".openclaw", "openclaw.json");
+  const openclawEnvPath = join(home, ".openclaw", ".env");
+  const openclawMemoryPath = join(home, ".openclaw", "workspace", "MEMORY.md");
+  const openclawMemoryDir = join(home, ".openclaw", "workspace", "memory");
+  const configExists = await fileExists(openclawConfigPath);
+  const envExists = await fileExists(openclawEnvPath);
+  const memoryExists = await fileExists(openclawMemoryPath);
+  const memoryDirExists = await fileExists(openclawMemoryDir);
+  if (configExists || memoryExists || memoryDirExists) {
+    fingerprint.openclaw_detected = true;
+    fingerprint.openclaw_config = await auditOpenClawConfig(
+      openclawConfigPath,
+      openclawEnvPath,
+      openclawMemoryPath,
+      configExists,
+      envExists,
+      memoryExists
+    );
+  }
+  return fingerprint;
+}
+async function auditOpenClawConfig(configPath, envPath, _memoryPath, configExists, envExists, memoryExists) {
+  const audit = {
+    config_path: configExists ? configPath : null,
+    require_approval_enabled: false,
+    sandbox_policy_active: false,
+    sandbox_allow_list: [],
+    sandbox_deny_list: [],
+    memory_encrypted: false,
+    // Stock OpenClaw never encrypts memory
+    env_file_exposed: false,
+    gateway_token_set: false,
+    dm_pairing_enabled: false,
+    mcp_bridge_active: false
+  };
+  if (configExists) {
+    const raw = await safeReadFile(configPath);
+    if (raw) {
+      try {
+        const parsed = lenientJsonParse(raw);
+        const hooks = parsed.hooks;
+        if (hooks) {
+          const beforeToolCall = hooks.before_tool_call;
+          if (beforeToolCall) {
+            const hookStr = JSON.stringify(beforeToolCall);
+            audit.require_approval_enabled = hookStr.includes("requireApproval");
+          }
+        }
+        const tools = parsed.tools;
+        if (tools) {
+          const sandbox = tools.sandbox;
+          if (sandbox) {
+            const sandboxTools = sandbox.tools;
+            if (sandboxTools) {
+              audit.sandbox_policy_active = true;
+              if (Array.isArray(sandboxTools.allow)) {
+                audit.sandbox_allow_list = sandboxTools.allow.filter(
+                  (item) => typeof item === "string"
+                );
+              }
+              if (Array.isArray(sandboxTools.alsoAllow)) {
+                audit.sandbox_allow_list = [
+                  ...audit.sandbox_allow_list,
+                  ...sandboxTools.alsoAllow.filter(
+                    (item) => typeof item === "string"
+                  )
+                ];
+              }
+              if (Array.isArray(sandboxTools.deny)) {
+                audit.sandbox_deny_list = sandboxTools.deny.filter(
+                  (item) => typeof item === "string"
+                );
+              }
+            }
+          }
+        }
+        const mcpServers = parsed.mcpServers;
+        if (mcpServers && Object.keys(mcpServers).length > 0) {
+          audit.mcp_bridge_active = true;
+        }
+      } catch {
+      }
+    }
+  }
+  if (envExists) {
+    const envContent = await safeReadFile(envPath);
+    if (envContent) {
+      const secretPatterns = [
+        /[A-Z_]*API_KEY\s*=/,
+        /[A-Z_]*TOKEN\s*=/,
+        /[A-Z_]*SECRET\s*=/,
+        /[A-Z_]*PASSWORD\s*=/,
+        /[A-Z_]*PRIVATE_KEY\s*=/
+      ];
+      audit.env_file_exposed = secretPatterns.some((p) => p.test(envContent));
+      audit.gateway_token_set = /OPENCLAW_GATEWAY_TOKEN\s*=/.test(envContent);
+    }
+  }
+  if (memoryExists) {
+    audit.memory_encrypted = false;
+  }
+  return audit;
+}
+
+// src/audit/analyzer.ts
+var L1_ENCRYPTION_AT_REST = 10;
+var L1_IDENTITY_CRYPTOGRAPHIC = 10;
+var L1_INTEGRITY_VERIFICATION = 8;
+var L1_STATE_PORTABLE = 7;
+var L2_THREE_TIER_GATE = 10;
+var L2_BINARY_GATE = 3;
+var L2_ANOMALY_DETECTION = 7;
+var L2_ENCRYPTED_AUDIT = 5;
+var L2_TOOL_SANDBOXING = 3;
+var L3_COMMITMENT_SCHEME = 8;
+var L3_ZK_PROOFS = 7;
+var L3_DISCLOSURE_POLICIES = 5;
+var L4_PORTABLE_REPUTATION = 6;
+var L4_SIGNED_ATTESTATIONS = 6;
+var L4_SYBIL_DETECTION = 4;
+var L4_SOVEREIGNTY_GATED = 4;
+var SEVERITY_ORDER = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3
+};
+function analyzeSovereignty(env, config) {
+  const l1 = assessL1(env, config);
+  const l2 = assessL2(env);
+  const l3 = assessL3(env);
+  const l4 = assessL4(env);
+  const l1Score = scoreL1(l1);
+  const l2Score = scoreL2(l2);
+  const l3Score = scoreL3(l3);
+  const l4Score = scoreL4(l4);
+  const overallScore = l1Score + l2Score + l3Score + l4Score;
+  const sovereigntyLevel = overallScore >= 80 ? "full" : overallScore >= 50 ? "partial" : overallScore >= 20 ? "minimal" : "none";
+  const gaps = generateGaps(env, l1, l2, l3, l4);
+  gaps.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+  const recommendations = generateRecommendations(env, l1, l2, l3, l4);
+  return {
+    version: "1.0",
+    audited_at: (/* @__PURE__ */ new Date()).toISOString(),
+    environment: env,
+    layers: {
+      l1_cognitive: l1,
+      l2_operational: l2,
+      l3_selective_disclosure: l3,
+      l4_reputation: l4
+    },
+    overall_score: overallScore,
+    sovereignty_level: sovereigntyLevel,
+    gaps,
+    recommendations
+  };
+}
+function assessL1(env, config) {
+  const findings = [];
+  const sanctuaryActive = env.sanctuary_installed;
+  const encryptionAtRest = sanctuaryActive;
+  const keyCustody = sanctuaryActive ? "self" : "none";
+  const integrityVerification = sanctuaryActive;
+  const identityCryptographic = sanctuaryActive;
+  const statePortable = sanctuaryActive;
+  if (sanctuaryActive) {
+    findings.push("AES-256-GCM encryption active for all state");
+    findings.push(`Key derivation: ${config.state.key_derivation}`);
+    findings.push(`Identity provider: ${config.state.identity_provider}`);
+    findings.push("Merkle integrity verification enabled");
+    findings.push("State export/import available");
+  }
+  if (env.openclaw_detected && env.openclaw_config) {
+    if (!env.openclaw_config.memory_encrypted) {
+      findings.push("OpenClaw agent memory (MEMORY.md, daily notes) stored in plaintext");
+    }
+    if (env.openclaw_config.env_file_exposed) {
+      findings.push("OpenClaw .env file contains plaintext API keys/tokens");
+    }
+  }
+  const status = encryptionAtRest && identityCryptographic ? "active" : encryptionAtRest || identityCryptographic ? "partial" : "inactive";
+  return {
+    status,
+    encryption_at_rest: encryptionAtRest,
+    key_custody: keyCustody,
+    integrity_verification: integrityVerification,
+    identity_cryptographic: identityCryptographic,
+    state_portable: statePortable,
+    findings
+  };
+}
+function assessL2(env, _config) {
+  const findings = [];
+  const sanctuaryActive = env.sanctuary_installed;
+  let approvalGate = "none";
+  let behavioralAnomalyDetection = false;
+  let auditTrailEncrypted = false;
+  let auditTrailExists = false;
+  let toolSandboxing = "none";
+  if (sanctuaryActive) {
+    approvalGate = "three-tier";
+    behavioralAnomalyDetection = true;
+    auditTrailEncrypted = true;
+    auditTrailExists = true;
+    findings.push("Three-tier Principal Policy gate active");
+    findings.push("Behavioral anomaly detection (BaselineTracker) enabled");
+    findings.push("Encrypted audit trail active");
+  }
+  if (env.openclaw_detected && env.openclaw_config) {
+    if (env.openclaw_config.require_approval_enabled) {
+      if (!sanctuaryActive) {
+        approvalGate = "binary";
+      }
+      findings.push("OpenClaw requireApproval hook enabled (binary approve/deny)");
+    }
+    if (env.openclaw_config.sandbox_policy_active) {
+      if (!sanctuaryActive) {
+        toolSandboxing = "basic";
+      }
+      findings.push(
+        `OpenClaw sandbox policy active (${env.openclaw_config.sandbox_allow_list.length} allowed, ${env.openclaw_config.sandbox_deny_list.length} denied)`
+      );
+    }
+  }
+  const status = approvalGate === "three-tier" && auditTrailEncrypted ? "active" : approvalGate !== "none" || auditTrailExists ? "partial" : "inactive";
+  return {
+    status,
+    approval_gate: approvalGate,
+    behavioral_anomaly_detection: behavioralAnomalyDetection,
+    audit_trail_encrypted: auditTrailEncrypted,
+    audit_trail_exists: auditTrailExists,
+    tool_sandboxing: sanctuaryActive ? "policy-enforced" : toolSandboxing,
+    findings
+  };
+}
+function assessL3(env, _config) {
+  const findings = [];
+  const sanctuaryActive = env.sanctuary_installed;
+  let commitmentScheme = "none";
+  let zkProofs = false;
+  let selectiveDisclosurePolicy = false;
+  if (sanctuaryActive) {
+    commitmentScheme = "pedersen+sha256";
+    zkProofs = true;
+    selectiveDisclosurePolicy = true;
+    findings.push("SHA-256 + Pedersen commitment schemes active");
+    findings.push("Schnorr ZK proofs and range proofs available");
+    findings.push("Selective disclosure policies configurable");
+  }
+  const status = commitmentScheme === "pedersen+sha256" && zkProofs ? "active" : commitmentScheme !== "none" ? "partial" : "inactive";
+  return {
+    status,
+    commitment_scheme: commitmentScheme,
+    zero_knowledge_proofs: zkProofs,
+    selective_disclosure_policy: selectiveDisclosurePolicy,
+    findings
+  };
+}
+function assessL4(env, _config) {
+  const findings = [];
+  const sanctuaryActive = env.sanctuary_installed;
+  const reputationPortable = sanctuaryActive;
+  const reputationSigned = sanctuaryActive;
+  const sybilDetection = sanctuaryActive;
+  const sovereigntyGated = sanctuaryActive;
+  if (sanctuaryActive) {
+    findings.push("Signed EAS-compatible attestations active");
+    findings.push("Reputation export/import available");
+    findings.push("Sybil detection heuristics enabled");
+    findings.push("Sovereignty-gated reputation tiers active");
+  } else {
+    findings.push("No portable reputation system detected");
+  }
+  const status = reputationPortable && reputationSigned && sovereigntyGated ? "active" : reputationPortable || reputationSigned ? "partial" : "inactive";
+  return {
+    status,
+    reputation_portable: reputationPortable,
+    reputation_signed: reputationSigned,
+    reputation_sybil_detection: sybilDetection,
+    sovereignty_gated_tiers: sovereigntyGated,
+    findings
+  };
+}
+function scoreL1(l1) {
+  let score = 0;
+  if (l1.encryption_at_rest) score += L1_ENCRYPTION_AT_REST;
+  if (l1.identity_cryptographic) score += L1_IDENTITY_CRYPTOGRAPHIC;
+  if (l1.integrity_verification) score += L1_INTEGRITY_VERIFICATION;
+  if (l1.state_portable) score += L1_STATE_PORTABLE;
+  return score;
+}
+function scoreL2(l2) {
+  let score = 0;
+  if (l2.approval_gate === "three-tier") score += L2_THREE_TIER_GATE;
+  else if (l2.approval_gate === "binary") score += L2_BINARY_GATE;
+  if (l2.behavioral_anomaly_detection) score += L2_ANOMALY_DETECTION;
+  if (l2.audit_trail_encrypted) score += L2_ENCRYPTED_AUDIT;
+  if (l2.tool_sandboxing === "policy-enforced") score += L2_TOOL_SANDBOXING;
+  else if (l2.tool_sandboxing === "basic") score += 1;
+  return score;
+}
+function scoreL3(l3) {
+  let score = 0;
+  if (l3.commitment_scheme === "pedersen+sha256") score += L3_COMMITMENT_SCHEME;
+  else if (l3.commitment_scheme === "sha256-only") score += 4;
+  if (l3.zero_knowledge_proofs) score += L3_ZK_PROOFS;
+  if (l3.selective_disclosure_policy) score += L3_DISCLOSURE_POLICIES;
+  return score;
+}
+function scoreL4(l4) {
+  let score = 0;
+  if (l4.reputation_portable) score += L4_PORTABLE_REPUTATION;
+  if (l4.reputation_signed) score += L4_SIGNED_ATTESTATIONS;
+  if (l4.reputation_sybil_detection) score += L4_SYBIL_DETECTION;
+  if (l4.sovereignty_gated_tiers) score += L4_SOVEREIGNTY_GATED;
+  return score;
+}
+function generateGaps(env, l1, l2, l3, l4) {
+  const gaps = [];
+  const oc = env.openclaw_config;
+  if (oc && !oc.memory_encrypted) {
+    gaps.push({
+      id: "GAP-L1-001",
+      layer: "L1",
+      severity: "critical",
+      title: "Agent memory stored in plaintext",
+      description: "Your agent's memory (MEMORY.md, daily notes, SQLite index) is stored in plaintext at ~/.openclaw/workspace/. Any process with file access can read your agent's full context \u2014 preferences, decisions, conversation history.",
+      openclaw_relevance: "Stock OpenClaw stores all agent memory in plaintext files. There is no built-in encryption for agent state.",
+      sanctuary_solution: "Sanctuary encrypts all state at rest with AES-256-GCM using a key derived from Argon2id, making state opaque to any process that doesn't hold the master key. Use sanctuary/state_write to migrate sensitive state to the encrypted store."
+    });
+  }
+  if (oc && oc.env_file_exposed) {
+    gaps.push({
+      id: "GAP-L1-002",
+      layer: "L1",
+      severity: "critical",
+      title: "Plaintext API keys in .env file",
+      description: "Your .env file contains plaintext API keys and tokens. These secrets are readable by any process with filesystem access.",
+      openclaw_relevance: "OpenClaw stores API keys (LLM providers, gateway tokens) in a plaintext .env file.",
+      sanctuary_solution: "Sanctuary's encrypted state store can hold secrets under the same AES-256-GCM envelope as all other state, tied to your self-custodied identity. Use sanctuary/state_write with namespace 'secrets'."
+    });
+  }
+  if (!l1.identity_cryptographic) {
+    gaps.push({
+      id: "GAP-L1-003",
+      layer: "L1",
+      severity: "critical",
+      title: "No cryptographic agent identity",
+      description: "Your agent has no cryptographic identity. It cannot prove it is who it claims to be to any counterparty, sign messages, or participate in sovereignty handshakes.",
+      openclaw_relevance: env.openclaw_detected ? "OpenClaw has no cryptographic agent identity. Agent identity is implicit (tied to the process/session), not cryptographically verifiable." : null,
+      sanctuary_solution: "Sanctuary provides Ed25519 self-custodied identity with key rotation and delegation. Use sanctuary/identity_create to establish your cryptographic identity."
+    });
+  }
+  if (l2.approval_gate === "binary" && !l2.behavioral_anomaly_detection) {
+    gaps.push({
+      id: "GAP-L2-001",
+      layer: "L2",
+      severity: "high",
+      title: "Binary approval gate (no anomaly detection)",
+      description: "Your approval gate provides binary approve/deny gating without behavioral anomaly detection. Routine operations require the same manual approval as sensitive ones.",
+      openclaw_relevance: env.openclaw_detected ? "OpenClaw's requireApproval hook provides binary approve/deny gating. Sanctuary's three-tier Principal Policy adds behavioral anomaly detection (auto-escalation when agent behavior deviates from baseline), encrypted audit trails, and graduated approval tiers \u2014 so routine operations auto-proceed while sensitive operations require explicit consent." : null,
+      sanctuary_solution: "Sanctuary's three-tier Principal Policy gate auto-allows routine operations (Tier 3), escalates anomalous behavior (Tier 2), and always requires human approval for irreversible operations (Tier 1). Use sanctuary/principal_policy_view to inspect."
+    });
+  } else if (l2.approval_gate === "none") {
+    gaps.push({
+      id: "GAP-L2-001",
+      layer: "L2",
+      severity: "critical",
+      title: "No approval gate",
+      description: "No approval gate is configured. All tool calls execute without oversight.",
+      openclaw_relevance: null,
+      sanctuary_solution: "Sanctuary's Principal Policy evaluates every tool call before execution. Enable it to get three-tier approval gating with behavioral anomaly detection."
+    });
+  }
+  if (l2.tool_sandboxing === "basic") {
+    gaps.push({
+      id: "GAP-L2-002",
+      layer: "L2",
+      severity: "medium",
+      title: "Basic tool sandboxing (no cryptographic attestation)",
+      description: "Your tool sandbox enforces allow/deny lists but provides no cryptographic attestation of execution context.",
+      openclaw_relevance: env.openclaw_detected ? "OpenClaw's sandbox tool policy (tools.sandbox.tools) enforces allow/deny lists. Sanctuary adds cryptographic attestation of execution context \u2014 a verifiable proof that an operation ran within policy, not just that a policy was configured." : null,
+      sanctuary_solution: "Sanctuary provides cryptographic execution attestation via sanctuary/exec_attest and policy-enforced sandboxing with encrypted audit trails."
+    });
+  }
+  if (!l2.audit_trail_exists) {
+    gaps.push({
+      id: "GAP-L2-003",
+      layer: "L2",
+      severity: "high",
+      title: "No audit trail",
+      description: "No audit trail exists for tool call history. There is no record of what operations were executed, when, or by whom.",
+      openclaw_relevance: null,
+      sanctuary_solution: "Sanctuary maintains an encrypted audit log of all operations, queryable via sanctuary/monitor_audit_log."
+    });
+  }
+  if (l3.commitment_scheme === "none") {
+    gaps.push({
+      id: "GAP-L3-001",
+      layer: "L3",
+      severity: "high",
+      title: "No selective disclosure capability",
+      description: "Your agent has no way to prove facts about its state without revealing the state itself. Every disclosure is all-or-nothing.",
+      openclaw_relevance: env.openclaw_detected ? "OpenClaw has no selective disclosure mechanism. When your agent shares information, it shares everything or nothing \u2014 there is no way to prove a claim without revealing the underlying data." : null,
+      sanctuary_solution: "Sanctuary's L3 provides SHA-256 + Pedersen commitments and Schnorr zero-knowledge proofs. Your agent can prove it has a valid credential, sufficient reputation, or a completed transaction without exposing the underlying data. Use sanctuary/zk_commit and sanctuary/zk_prove."
+    });
+  }
+  if (!l4.reputation_portable) {
+    gaps.push({
+      id: "GAP-L4-001",
+      layer: "L4",
+      severity: "high",
+      title: "No portable reputation",
+      description: "Your agent's reputation is platform-locked. If you move to a different harness or platform, your track record doesn't follow.",
+      openclaw_relevance: env.openclaw_detected ? "OpenClaw has no reputation system. Your agent's track record exists only in conversation history, which is not structured, signed, or portable." : null,
+      sanctuary_solution: "Sanctuary's L4 provides signed EAS-compatible attestations that are self-custodied, portable, and cryptographically verifiable. Your reputation is yours, not your platform's. Use sanctuary/reputation_record to start building portable reputation."
+    });
+  }
+  return gaps;
+}
+function generateRecommendations(env, l1, l2, l3, l4) {
+  const recs = [];
+  if (!l1.identity_cryptographic) {
+    recs.push({
+      priority: 1,
+      action: "Create a cryptographic identity \u2014 your agent's foundation for all sovereignty operations",
+      tool: "sanctuary/identity_create",
+      effort: "immediate",
+      impact: "critical"
+    });
+  }
+  if (!l1.encryption_at_rest || env.openclaw_config && !env.openclaw_config.memory_encrypted) {
+    recs.push({
+      priority: 2,
+      action: "Migrate plaintext agent state to Sanctuary's encrypted store",
+      tool: "sanctuary/state_write",
+      effort: "minutes",
+      impact: "critical"
+    });
+  }
+  recs.push({
+    priority: 3,
+    action: "Generate a Sovereignty Health Report to present to counterparties",
+    tool: "sanctuary/shr_generate",
+    effort: "immediate",
+    impact: "high"
+  });
+  if (l2.approval_gate !== "three-tier") {
+    recs.push({
+      priority: 4,
+      action: "Enable the three-tier Principal Policy gate for graduated approval",
+      tool: "sanctuary/principal_policy_view",
+      effort: "minutes",
+      impact: "high"
+    });
+  }
+  if (!l4.reputation_signed) {
+    recs.push({
+      priority: 5,
+      action: "Start recording reputation attestations from completed interactions",
+      tool: "sanctuary/reputation_record",
+      effort: "minutes",
+      impact: "medium"
+    });
+  }
+  if (!l3.selective_disclosure_policy) {
+    recs.push({
+      priority: 6,
+      action: "Configure selective disclosure policies for data sharing",
+      tool: "sanctuary/disclosure_set_policy",
+      effort: "hours",
+      impact: "medium"
+    });
+  }
+  return recs;
+}
+function formatAuditReport(result) {
+  const { environment: env, layers, overall_score, sovereignty_level, gaps, recommendations } = result;
+  const scoreBar = formatScoreBar(overall_score);
+  const levelLabel = sovereignty_level.toUpperCase();
+  let report = "";
+  report += "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n";
+  report += "  SOVEREIGNTY AUDIT REPORT\n";
+  report += `  Generated: ${result.audited_at}
+`;
+  report += "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n";
+  report += "\n";
+  report += `  Overall Score: ${overall_score} / 100  ${scoreBar}  ${levelLabel}
+`;
+  report += "\n";
+  report += "  Environment:\n";
+  report += `  \u2022 Sanctuary v${env.sanctuary_version ?? "?"} ${padDots("Sanctuary v" + (env.sanctuary_version ?? "?"))} ${env.sanctuary_installed ? "\u2713 installed" : "\u2717 not found"}
+`;
+  if (env.openclaw_detected) {
+    report += `  \u2022 OpenClaw ${padDots("OpenClaw")} \u2713 detected
+`;
+    if (env.openclaw_config) {
+      report += `  \u2022 OpenClaw requireApproval ${padDots("OpenClaw requireApproval")} ${env.openclaw_config.require_approval_enabled ? "\u2713 enabled" : "\u2717 disabled"}
+`;
+      report += `  \u2022 OpenClaw sandbox policy ${padDots("OpenClaw sandbox policy")} ${env.openclaw_config.sandbox_policy_active ? "\u2713 active" : "\u2717 inactive"}
+`;
+    }
+  }
+  report += "\n";
+  const l1Score = scoreL1(layers.l1_cognitive);
+  const l2Score = scoreL2(layers.l2_operational);
+  const l3Score = scoreL3(layers.l3_selective_disclosure);
+  const l4Score = scoreL4(layers.l4_reputation);
+  report += "  Layer Assessment:\n";
+  report += "  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n";
+  report += "  \u2502 Layer                       \u2502 Status   \u2502 Score \u2502\n";
+  report += "  \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n";
+  report += `  \u2502 L1 Cognitive Sovereignty    \u2502 ${padStatus(layers.l1_cognitive.status)} \u2502 ${padScore(l1Score, 35)} \u2502
+`;
+  report += `  \u2502 L2 Operational Isolation    \u2502 ${padStatus(layers.l2_operational.status)} \u2502 ${padScore(l2Score, 25)} \u2502
+`;
+  report += `  \u2502 L3 Selective Disclosure     \u2502 ${padStatus(layers.l3_selective_disclosure.status)} \u2502 ${padScore(l3Score, 20)} \u2502
+`;
+  report += `  \u2502 L4 Verifiable Reputation    \u2502 ${padStatus(layers.l4_reputation.status)} \u2502 ${padScore(l4Score, 20)} \u2502
+`;
+  report += "  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n";
+  report += "\n";
+  if (gaps.length > 0) {
+    report += `  \u26A0 ${gaps.length} SOVEREIGNTY GAP${gaps.length !== 1 ? "S" : ""} FOUND
+`;
+    report += "\n";
+    for (const gap of gaps) {
+      const severityLabel = `[${gap.severity.toUpperCase()}]`;
+      report += `  ${severityLabel} ${gap.id}: ${gap.title}
+`;
+      const descLines = wordWrap(gap.description, 66);
+      for (const line of descLines) {
+        report += `  ${line}
+`;
+      }
+      report += `  \u2192 Fix: ${gap.sanctuary_solution.split(".")[0]}.
+`;
+      if (gap.openclaw_relevance) {
+        report += `  \u2192 OpenClaw context: ${gap.openclaw_relevance.split(".")[0]}.
+`;
+      }
+      report += "\n";
+    }
+  } else {
+    report += "  \u2713 NO SOVEREIGNTY GAPS FOUND\n";
+    report += "\n";
+  }
+  if (recommendations.length > 0) {
+    report += "  RECOMMENDED NEXT STEPS (in order):\n";
+    for (const rec of recommendations) {
+      const effortLabel = rec.effort === "immediate" ? "immediate" : rec.effort === "minutes" ? "5 min" : "30 min";
+      report += `  ${rec.priority}. [${effortLabel}] ${rec.action}`;
+      if (rec.tool) {
+        report += `: ${rec.tool}`;
+      }
+      report += "\n";
+    }
+    report += "\n";
+  }
+  report += "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n";
+  return report;
+}
+function formatScoreBar(score) {
+  const filled = Math.round(score / 10);
+  return "[" + "\u25A0".repeat(filled) + "\u2591".repeat(10 - filled) + "]";
+}
+function padDots(label) {
+  const totalWidth = 30;
+  const dotsNeeded = Math.max(2, totalWidth - label.length - 4);
+  return ".".repeat(dotsNeeded);
+}
+function padStatus(status) {
+  const label = status.toUpperCase();
+  return label + " ".repeat(Math.max(0, 8 - label.length));
+}
+function padScore(score, max) {
+  const text = `${score}/${max}`;
+  return " ".repeat(Math.max(0, 5 - text.length)) + text;
+}
+function wordWrap(text, maxWidth) {
+  const words = text.split(" ");
+  const lines = [];
+  let current = "";
+  for (const word of words) {
+    if (current.length + word.length + 1 > maxWidth && current.length > 0) {
+      lines.push(current);
+      current = word;
+    } else {
+      current = current.length > 0 ? current + " " + word : word;
+    }
+  }
+  if (current.length > 0) lines.push(current);
+  return lines;
+}
+
+// src/audit/tools.ts
+function createAuditTools(config) {
+  const tools = [
+    {
+      name: "sanctuary/sovereignty_audit",
+      description: "Audit your agent's sovereignty posture. Inspects the local environment for encryption, identity, approval gates, selective disclosure, and reputation \u2014 including OpenClaw-specific configurations. Returns a scored gap analysis with prioritized recommendations.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          deep_scan: {
+            type: "boolean",
+            description: "If true (default), also scans for OpenClaw config, .env files, and memory files. Set to false for a Sanctuary-only assessment."
+          }
+        }
+      },
+      handler: async (args) => {
+        const deepScan = args.deep_scan !== false;
+        const env = await detectEnvironment(config, deepScan);
+        const result = analyzeSovereignty(env, config);
+        const report = formatAuditReport(result);
+        return {
+          content: [
+            { type: "text", text: report },
+            { type: "text", text: JSON.stringify(result, null, 2) }
+          ]
+        };
+      }
+    }
+  ];
+  return { tools };
+}
+
+// src/index.ts
+init_encoding();
+async function createSanctuaryServer(options) {
+  const config = await loadConfig(options?.configPath);
+  await mkdir(config.storage_path, { recursive: true, mode: 448 });
+  const storage = options?.storage ?? new FilesystemStorage(
+    `${config.storage_path}/state`
+  );
+  let masterKey;
   let keyProtection;
   let recoveryKey;
   const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;
@@ -4125,15 +7589,51 @@ async function createSanctuaryServer(options) {
     }
   } else {
     keyProtection = "recovery-key";
-    const existing = await storage.read("_meta", "recovery-key-hash");
-    if (existing) {
-      masterKey = generateRandomKey();
-      recoveryKey = toBase64url(masterKey);
+    const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
+    const { stringToBytes: stringToBytes2, bytesToString: bytesToString2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const { fromBase64url: fromBase64url2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const { constantTimeEqual: constantTimeEqual2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const existingHash = await storage.read("_meta", "recovery-key-hash");
+    if (existingHash) {
+      const envRecoveryKey = process.env.SANCTUARY_RECOVERY_KEY;
+      if (!envRecoveryKey) {
+        throw new Error(
+          "Sanctuary: Existing encrypted data found but no credentials provided.\nThis installation was previously set up with a recovery key.\n\nTo start the server, provide one of:\n  - SANCTUARY_PASSPHRASE (if you later configured a passphrase)\n  - SANCTUARY_RECOVERY_KEY (the recovery key shown at first run)\n\nWithout the correct credentials, encrypted state cannot be accessed.\nRefusing to start to prevent silent data loss."
+        );
+      }
+      let recoveryKeyBytes;
+      try {
+        recoveryKeyBytes = fromBase64url2(envRecoveryKey);
+      } catch {
+        throw new Error(
+          "Sanctuary: SANCTUARY_RECOVERY_KEY is not valid base64url. The recovery key should be the exact string shown at first run."
+        );
+      }
+      if (recoveryKeyBytes.length !== 32) {
+        throw new Error(
+          "Sanctuary: SANCTUARY_RECOVERY_KEY has incorrect length. The recovery key should be the exact string shown at first run."
+        );
+      }
+      const providedHash = hashToString2(recoveryKeyBytes);
+      const storedHash = bytesToString2(existingHash);
+      const providedHashBytes = stringToBytes2(providedHash);
+      const storedHashBytes = stringToBytes2(storedHash);
+      if (!constantTimeEqual2(providedHashBytes, storedHashBytes)) {
+        throw new Error(
+          "Sanctuary: Recovery key does not match the stored key hash.\nThe recovery key provided via SANCTUARY_RECOVERY_KEY is incorrect.\nUse the exact recovery key that was displayed at first run."
+        );
+      }
+      masterKey = recoveryKeyBytes;
     } else {
+      const existingNamespaces = await storage.list("_meta");
+      const hasKeyParams = existingNamespaces.some((e) => e.key === "key-params");
+      if (hasKeyParams) {
+        throw new Error(
+          "Sanctuary: Found existing key derivation parameters but no recovery key hash.\nThis indicates a corrupted or incomplete installation.\nIf you previously used a passphrase, set SANCTUARY_PASSPHRASE to start."
+        );
+      }
       masterKey = generateRandomKey();
       recoveryKey = toBase64url(masterKey);
-      const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
-      const { stringToBytes: stringToBytes2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
       const keyHash = hashToString2(masterKey);
       await storage.write(
         "_meta",
@@ -4369,30 +7869,75 @@ async function createSanctuaryServer(options) {
     }
   };
   const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);
-  const { tools: l4Tools } = createL4Tools(
-    storage,
-    masterKey,
-    identityManager,
-    auditLog
-  );
-  const policy = await loadPrincipalPolicy(config.storage_path);
-  const baseline = new BaselineTracker(storage, masterKey);
-  await baseline.load();
-  const approvalChannel = new StderrApprovalChannel(policy.approval_channel);
-  const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog);
-  const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);
   const { tools: shrTools } = createSHRTools(
     config,
     identityManager,
     masterKey,
     auditLog
   );
-  const { tools: handshakeTools } = createHandshakeTools(
+  const { tools: handshakeTools, handshakeResults } = createHandshakeTools(
     config,
     identityManager,
     masterKey,
     auditLog
   );
+  const { tools: l4Tools } = createL4Tools(
+    storage,
+    masterKey,
+    identityManager,
+    auditLog,
+    handshakeResults
+  );
+  const { tools: federationTools } = createFederationTools(
+    auditLog,
+    handshakeResults
+  );
+  const { tools: bridgeTools } = createBridgeTools(
+    storage,
+    masterKey,
+    identityManager,
+    auditLog,
+    handshakeResults
+  );
+  const { tools: auditTools } = createAuditTools(config);
+  const policy = await loadPrincipalPolicy(config.storage_path);
+  const baseline = new BaselineTracker(storage, masterKey);
+  await baseline.load();
+  let approvalChannel;
+  let dashboard;
+  if (config.dashboard.enabled) {
+    let authToken = config.dashboard.auth_token;
+    if (authToken === "auto") {
+      const { randomBytes: rb } = await import('crypto');
+      authToken = rb(32).toString("hex");
+    }
+    dashboard = new DashboardApprovalChannel({
+      port: config.dashboard.port,
+      host: config.dashboard.host,
+      timeout_seconds: policy.approval_channel.timeout_seconds,
+      // SEC-002: auto_deny removed — timeout always denies
+      auth_token: authToken,
+      tls: config.dashboard.tls
+    });
+    dashboard.setDependencies({ policy, baseline, auditLog });
+    await dashboard.start();
+    approvalChannel = dashboard;
+  } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {
+    const webhook = new WebhookApprovalChannel({
+      webhook_url: config.webhook.url,
+      webhook_secret: config.webhook.secret,
+      callback_port: config.webhook.callback_port,
+      callback_host: config.webhook.callback_host,
+      timeout_seconds: policy.approval_channel.timeout_seconds
+      // SEC-002: auto_deny removed — timeout always denies
+    });
+    await webhook.start();
+    approvalChannel = webhook;
+  } else {
+    approvalChannel = new StderrApprovalChannel(policy.approval_channel);
+  }
+  const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog);
+  const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);
   const allTools = [
     ...l1Tools,
     ...l2Tools,
@@ -4401,6 +7946,9 @@ async function createSanctuaryServer(options) {
     ...policyTools,
     ...shrTools,
     ...handshakeTools,
+    ...federationTools,
+    ...bridgeTools,
+    ...auditTools,
     manifestTool
   ];
   const server = createServer(allTools, { gate });
@@ -4428,7 +7976,21 @@ async function createSanctuaryServer(options) {
 
 // src/cli.ts
 async function main() {
-  const passphrase = process.env.SANCTUARY_PASSPHRASE;
+  const args = process.argv.slice(2);
+  let passphrase = process.env.SANCTUARY_PASSPHRASE;
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--dashboard") {
+      process.env.SANCTUARY_DASHBOARD_ENABLED = "true";
+    } else if (args[i] === "--passphrase" && args[i + 1]) {
+      passphrase = args[++i];
+    } else if (args[i] === "--help" || args[i] === "-h") {
+      printHelp();
+      process.exit(0);
+    } else if (args[i] === "--version" || args[i] === "-v") {
+      console.log("@sanctuary-framework/mcp-server 0.3.0");
+      process.exit(0);
+    }
+  }
   const { server, config } = await createSanctuaryServer({ passphrase });
   if (config.transport === "stdio") {
     const transport = new StdioServerTransport();
@@ -4441,6 +8003,34 @@ async function main() {
     process.exit(1);
   }
 }
+function printHelp() {
+  console.log(`
+@sanctuary-framework/mcp-server v0.3.0
+
+Sovereignty infrastructure for agents in the agentic economy.
+
+Usage:
+  sanctuary-mcp-server [options]
+
+Options:
+  --dashboard          Enable the Principal Dashboard (web UI)
+  --passphrase <pass>  Derive encryption key from passphrase
+  --help, -h           Show this help
+  --version, -v        Show version
+
+Environment variables:
+  SANCTUARY_STORAGE_PATH            State directory (default: ~/.sanctuary)
+  SANCTUARY_PASSPHRASE              Key derivation passphrase
+  SANCTUARY_DASHBOARD_ENABLED       "true" to enable dashboard
+  SANCTUARY_DASHBOARD_PORT          Dashboard port (default: 3501)
+  SANCTUARY_DASHBOARD_AUTH_TOKEN    Bearer token or "auto"
+  SANCTUARY_WEBHOOK_ENABLED         "true" to enable webhook approvals
+  SANCTUARY_WEBHOOK_URL             Webhook target URL
+  SANCTUARY_WEBHOOK_SECRET          HMAC-SHA256 shared secret
+
+For more info: https://github.com/eriknewton/sanctuary-framework
+`);
+}
 main().catch((err) => {
   console.error("Sanctuary MCP Server failed to start:", err);
   process.exit(1);