npm - @sanctuary-framework/mcp-server - Versions diffs - 0.2.0 - Mend

@sanctuary-framework/mcp-server 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/cli.cjs ADDED Viewed

@@ -0,0 +1,4451 @@
+#!/usr/bin/env node
+'use strict';
+var sha256 = require('@noble/hashes/sha256');
+var hmac = require('@noble/hashes/hmac');
+var stdio_js = require('@modelcontextprotocol/sdk/server/stdio.js');
+var promises = require('fs/promises');
+var path = require('path');
+var os = require('os');
+var crypto = require('crypto');
+var aes_js = require('@noble/ciphers/aes.js');
+var ed25519 = require('@noble/curves/ed25519');
+var hashWasm = require('hash-wasm');
+var hkdf = require('@noble/hashes/hkdf');
+var index_js = require('@modelcontextprotocol/sdk/server/index.js');
+var types_js = require('@modelcontextprotocol/sdk/types.js');
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+// src/core/encoding.ts
+var encoding_exports = {};
+__export(encoding_exports, {
+  bytesToString: () => bytesToString,
+  concatBytes: () => concatBytes,
+  constantTimeEqual: () => constantTimeEqual,
+  fromBase64url: () => fromBase64url,
+  stringToBytes: () => stringToBytes,
+  toBase64url: () => toBase64url
+});
+function toBase64url(bytes) {
+  const base64 = Buffer.from(bytes).toString("base64");
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function fromBase64url(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) {
+    base64 += "=";
+  }
+  const buf = Buffer.from(base64, "base64");
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function stringToBytes(str) {
+  return new TextEncoder().encode(str);
+}
+function bytesToString(bytes) {
+  return new TextDecoder().decode(bytes);
+}
+function concatBytes(...arrays) {
+  const totalLength = arrays.reduce((sum, arr) => sum + arr.length, 0);
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const arr of arrays) {
+    result.set(arr, offset);
+    offset += arr.length;
+  }
+  return result;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
+var init_encoding = __esm({
+  "src/core/encoding.ts"() {
+  }
+});
+// src/core/hashing.ts
+var hashing_exports = {};
+__export(hashing_exports, {
+  buildMerkleTree: () => buildMerkleTree,
+  computeMerkleRoot: () => computeMerkleRoot,
+  generateMerkleProof: () => generateMerkleProof,
+  hash: () => hash,
+  hashToString: () => hashToString,
+  hmacSha256: () => hmacSha256,
+  verifyMerkleProof: () => verifyMerkleProof
+});
+function hash(data) {
+  return sha256.sha256(data);
+}
+function hashToString(data) {
+  return toBase64url(hash(data));
+}
+function hmacSha256(key, data) {
+  return hmac.hmac(sha256.sha256, key, data);
+}
+function buildMerkleTree(entries) {
+  if (entries.size === 0) return null;
+  const sortedKeys = Array.from(entries.keys()).sort();
+  let nodes = sortedKeys.map((key) => {
+    const contentHash = entries.get(key);
+    const leafData = concatBytes(
+      stringToBytes(key),
+      stringToBytes(contentHash)
+    );
+    return {
+      hash: hashToString(leafData),
+      key
+    };
+  });
+  while (nodes.length > 1) {
+    const nextLevel = [];
+    for (let i = 0; i < nodes.length; i += 2) {
+      const left = nodes[i];
+      if (i + 1 < nodes.length) {
+        const right = nodes[i + 1];
+        const parentData = concatBytes(
+          stringToBytes(left.hash),
+          stringToBytes(right.hash)
+        );
+        nextLevel.push({
+          hash: hashToString(parentData),
+          left,
+          right
+        });
+      } else {
+        nextLevel.push(left);
+      }
+    }
+    nodes = nextLevel;
+  }
+  return nodes[0] ?? null;
+}
+function generateMerkleProof(entries, targetKey) {
+  if (!entries.has(targetKey)) return null;
+  const sortedKeys = Array.from(entries.keys()).sort();
+  const targetIndex = sortedKeys.indexOf(targetKey);
+  if (targetIndex === -1) return null;
+  const leafHashes = sortedKeys.map((key) => {
+    const contentHash = entries.get(key);
+    const leafData = concatBytes(
+      stringToBytes(key),
+      stringToBytes(contentHash)
+    );
+    return hashToString(leafData);
+  });
+  const path = [];
+  let currentIndex = targetIndex;
+  let currentLevel = leafHashes;
+  while (currentLevel.length > 1) {
+    const nextLevel = [];
+    for (let i = 0; i < currentLevel.length; i += 2) {
+      const left = currentLevel[i];
+      if (i + 1 < currentLevel.length) {
+        const right = currentLevel[i + 1];
+        if (i === currentIndex || i + 1 === currentIndex) {
+          if (currentIndex === i) {
+            path.push({ hash: right, position: "right" });
+          } else {
+            path.push({ hash: left, position: "left" });
+          }
+        }
+        const parentData = concatBytes(
+          stringToBytes(left),
+          stringToBytes(right)
+        );
+        nextLevel.push(hashToString(parentData));
+      } else {
+        nextLevel.push(left);
+      }
+    }
+    currentIndex = Math.floor(currentIndex / 2);
+    currentLevel = nextLevel;
+  }
+  const root = buildMerkleTree(entries);
+  return {
+    leaf: leafHashes[targetIndex],
+    path,
+    root: root?.hash ?? ""
+  };
+}
+function verifyMerkleProof(proof) {
+  let currentHash = proof.leaf;
+  for (const step of proof.path) {
+    const left = step.position === "left" ? step.hash : currentHash;
+    const right = step.position === "right" ? step.hash : currentHash;
+    const parentData = concatBytes(
+      stringToBytes(left),
+      stringToBytes(right)
+    );
+    currentHash = hashToString(parentData);
+  }
+  return currentHash === proof.root;
+}
+function computeMerkleRoot(entries) {
+  const tree = buildMerkleTree(entries);
+  return tree?.hash ?? "";
+}
+var init_hashing = __esm({
+  "src/core/hashing.ts"() {
+    init_encoding();
+  }
+});
+function defaultConfig() {
+  return {
+    version: "0.2.0",
+    storage_path: path.join(os.homedir(), ".sanctuary"),
+    state: {
+      encryption: "aes-256-gcm",
+      key_protection: "none",
+      key_derivation: "argon2id",
+      integrity: "merkle-sha256",
+      identity_provider: "ed25519"
+    },
+    execution: {
+      environment: "local-process",
+      attestation: true,
+      resource_limits: {
+        max_memory_mb: 512,
+        max_storage_mb: 1024,
+        max_cpu_percent: 50
+      }
+    },
+    disclosure: {
+      proof_system: "commitment-only",
+      default_policy: "minimum-necessary"
+    },
+    reputation: {
+      mode: "self-custodied",
+      attestation_format: "eas-compatible",
+      export_format: "SANCTUARY_REP_V1",
+      service_endpoints: []
+    },
+    transport: "stdio",
+    http_port: 3500
+  };
+}
+async function loadConfig(configPath) {
+  const config = defaultConfig();
+  if (process.env.SANCTUARY_STORAGE_PATH) {
+    config.storage_path = process.env.SANCTUARY_STORAGE_PATH;
+  }
+  if (process.env.SANCTUARY_TRANSPORT) {
+    config.transport = process.env.SANCTUARY_TRANSPORT;
+  }
+  if (process.env.SANCTUARY_HTTP_PORT) {
+    config.http_port = parseInt(process.env.SANCTUARY_HTTP_PORT, 10);
+  }
+  const path$1 = configPath ?? path.join(config.storage_path, "sanctuary.json");
+  try {
+    const raw = await promises.readFile(path$1, "utf-8");
+    const fileConfig = JSON.parse(raw);
+    return deepMerge(config, fileConfig);
+  } catch {
+    return config;
+  }
+}
+async function saveConfig(config, configPath) {
+  const path$1 = path.join(config.storage_path, "sanctuary.json");
+  await promises.writeFile(path$1, JSON.stringify(config, null, 2), { mode: 384 });
+}
+function deepMerge(base, override) {
+  const result = { ...base };
+  for (const [key, value] of Object.entries(override)) {
+    if (value !== null && typeof value === "object" && !Array.isArray(value) && typeof result[key] === "object" && result[key] !== null) {
+      result[key] = deepMerge(
+        result[key],
+        value
+      );
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function randomBytes(length) {
+  if (length <= 0) {
+    throw new RangeError("Length must be positive");
+  }
+  const buf = crypto.randomBytes(length);
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function generateIV() {
+  return randomBytes(12);
+}
+function generateSalt() {
+  return randomBytes(32);
+}
+function generateRandomKey() {
+  return randomBytes(32);
+}
+// src/storage/filesystem.ts
+var FilesystemStorage = class {
+  basePath;
+  constructor(basePath) {
+    this.basePath = basePath;
+  }
+  entryPath(namespace, key) {
+    const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, "_");
+    const safeKey = key.replace(/[^a-zA-Z0-9_.-]/g, "_");
+    return path.join(this.basePath, safeNamespace, `${safeKey}.enc`);
+  }
+  namespacePath(namespace) {
+    const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, "_");
+    return path.join(this.basePath, safeNamespace);
+  }
+  async write(namespace, key, data) {
+    const dirPath = this.namespacePath(namespace);
+    const filePath = this.entryPath(namespace, key);
+    await promises.mkdir(dirPath, { recursive: true, mode: 448 });
+    await promises.writeFile(filePath, data, { mode: 384 });
+  }
+  async read(namespace, key) {
+    const filePath = this.entryPath(namespace, key);
+    try {
+      const buf = await promises.readFile(filePath);
+      return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        return null;
+      }
+      throw err;
+    }
+  }
+  async delete(namespace, key, secureOverwrite = true) {
+    const filePath = this.entryPath(namespace, key);
+    try {
+      if (secureOverwrite) {
+        const fileStat = await promises.stat(filePath);
+        const size = fileStat.size;
+        for (let pass = 0; pass < 3; pass++) {
+          const randomData = randomBytes(size);
+          await promises.writeFile(filePath, randomData, { mode: 384 });
+        }
+      }
+      await promises.unlink(filePath);
+      return true;
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        return false;
+      }
+      throw err;
+    }
+  }
+  async list(namespace, prefix) {
+    const dirPath = this.namespacePath(namespace);
+    try {
+      const files = await promises.readdir(dirPath);
+      const entries = [];
+      for (const file of files) {
+        if (!file.endsWith(".enc")) continue;
+        const key = file.slice(0, -4);
+        if (prefix && !key.startsWith(prefix)) continue;
+        const filePath = path.join(dirPath, file);
+        const fileStat = await promises.stat(filePath);
+        entries.push({
+          key,
+          namespace,
+          size_bytes: fileStat.size,
+          modified_at: fileStat.mtime.toISOString()
+        });
+      }
+      return entries.sort((a, b) => a.key.localeCompare(b.key));
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        return [];
+      }
+      throw err;
+    }
+  }
+  async exists(namespace, key) {
+    const filePath = this.entryPath(namespace, key);
+    try {
+      await promises.stat(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async totalSize() {
+    let total = 0;
+    try {
+      const namespaces = await promises.readdir(this.basePath);
+      for (const ns of namespaces) {
+        const nsPath = path.join(this.basePath, ns);
+        const nsStat = await promises.stat(nsPath);
+        if (!nsStat.isDirectory()) continue;
+        const files = await promises.readdir(nsPath);
+        for (const file of files) {
+          const filePath = path.join(nsPath, file);
+          const fileStat = await promises.stat(filePath);
+          total += fileStat.size;
+        }
+      }
+    } catch {
+    }
+    return total;
+  }
+};
+init_encoding();
+function encrypt(plaintext, key, aad) {
+  if (key.length !== 32) {
+    throw new Error("Key must be exactly 32 bytes (256 bits)");
+  }
+  const iv = generateIV();
+  const cipher = aes_js.gcm(key, iv, aad);
+  const ciphertext = cipher.encrypt(plaintext);
+  return {
+    v: 1,
+    alg: "aes-256-gcm",
+    iv: toBase64url(iv),
+    ct: toBase64url(ciphertext),
+    ts: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function decrypt(payload, key, aad) {
+  if (key.length !== 32) {
+    throw new Error("Key must be exactly 32 bytes (256 bits)");
+  }
+  if (payload.v !== 1) {
+    throw new Error(`Unsupported payload version: ${payload.v}`);
+  }
+  if (payload.alg !== "aes-256-gcm") {
+    throw new Error(`Unsupported algorithm: ${payload.alg}`);
+  }
+  const iv = fromBase64url(payload.iv);
+  const ciphertext = fromBase64url(payload.ct);
+  const cipher = aes_js.gcm(key, iv, aad);
+  return cipher.decrypt(ciphertext);
+}
+// src/l1-cognitive/state-store.ts
+init_hashing();
+// src/core/identity.ts
+init_encoding();
+init_hashing();
+function generateKeypair() {
+  const privateKey = randomBytes(32);
+  const publicKey = ed25519.ed25519.getPublicKey(privateKey);
+  return { publicKey, privateKey };
+}
+function publicKeyToDid(publicKey) {
+  const multicodec = new Uint8Array([237, 1, ...publicKey]);
+  return `did:key:z${toBase64url(multicodec)}`;
+}
+function generateIdentityId(publicKey) {
+  const keyHash = hash(publicKey);
+  return Array.from(keyHash.slice(0, 16)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function createIdentity(label, encryptionKey, keyProtection) {
+  const { publicKey, privateKey } = generateKeypair();
+  const identityId = generateIdentityId(publicKey);
+  const did = publicKeyToDid(publicKey);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const encryptedPrivateKey = encrypt(privateKey, encryptionKey);
+  privateKey.fill(0);
+  const publicIdentity = {
+    identity_id: identityId,
+    label,
+    public_key: toBase64url(publicKey),
+    did,
+    created_at: now,
+    key_type: "ed25519",
+    key_protection: keyProtection
+  };
+  const storedIdentity = {
+    ...publicIdentity,
+    encrypted_private_key: encryptedPrivateKey,
+    rotation_history: []
+  };
+  return { publicIdentity, storedIdentity };
+}
+function sign(payload, encryptedPrivateKey, encryptionKey) {
+  const privateKey = decrypt(encryptedPrivateKey, encryptionKey);
+  try {
+    return ed25519.ed25519.sign(payload, privateKey);
+  } finally {
+    privateKey.fill(0);
+  }
+}
+function verify(payload, signature, publicKey) {
+  try {
+    return ed25519.ed25519.verify(signature, payload, publicKey);
+  } catch {
+    return false;
+  }
+}
+function rotateKeys(storedIdentity, encryptionKey, reason) {
+  const { publicKey: newPublicKey, privateKey: newPrivateKey } = generateKeypair();
+  const newIdentityDid = publicKeyToDid(newPublicKey);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const eventData = JSON.stringify({
+    old_public_key: storedIdentity.public_key,
+    new_public_key: toBase64url(newPublicKey),
+    identity_id: storedIdentity.identity_id,
+    reason,
+    rotated_at: now
+  });
+  const eventBytes = new TextEncoder().encode(eventData);
+  const signature = sign(
+    eventBytes,
+    storedIdentity.encrypted_private_key,
+    encryptionKey
+  );
+  const rotationEvent = {
+    old_public_key: storedIdentity.public_key,
+    new_public_key: toBase64url(newPublicKey),
+    identity_id: storedIdentity.identity_id,
+    reason,
+    rotated_at: now,
+    signature: toBase64url(signature)
+  };
+  const encryptedNewPrivateKey = encrypt(newPrivateKey, encryptionKey);
+  newPrivateKey.fill(0);
+  const updatedIdentity = {
+    ...storedIdentity,
+    public_key: toBase64url(newPublicKey),
+    did: newIdentityDid,
+    encrypted_private_key: encryptedNewPrivateKey,
+    rotation_history: [
+      ...storedIdentity.rotation_history,
+      {
+        old_public_key: storedIdentity.public_key,
+        new_public_key: toBase64url(newPublicKey),
+        rotation_event: toBase64url(
+          new TextEncoder().encode(JSON.stringify(rotationEvent))
+        ),
+        rotated_at: now
+      }
+    ]
+  };
+  return { updatedIdentity, rotationEvent };
+}
+init_encoding();
+var ARGON2_MEMORY_COST = 65536;
+var ARGON2_TIME_COST = 3;
+var ARGON2_PARALLELISM = 4;
+var ARGON2_HASH_LENGTH = 32;
+async function deriveMasterKey(passphrase, existingParams) {
+  const salt = existingParams ? fromBase64url(existingParams.salt) : generateSalt();
+  const params = existingParams ?? {
+    alg: "argon2id",
+    salt: toBase64url(salt),
+    m: ARGON2_MEMORY_COST,
+    t: ARGON2_TIME_COST,
+    p: ARGON2_PARALLELISM,
+    l: ARGON2_HASH_LENGTH
+  };
+  const hashHex = await hashWasm.argon2id({
+    password: passphrase,
+    salt,
+    parallelism: params.p,
+    iterations: params.t,
+    memorySize: params.m,
+    hashLength: params.l,
+    outputType: "hex"
+  });
+  const key = new Uint8Array(params.l);
+  for (let i = 0; i < params.l; i++) {
+    key[i] = parseInt(hashHex.substring(i * 2, i * 2 + 2), 16);
+  }
+  return { key, params };
+}
+function deriveNamespaceKey(masterKey, namespace) {
+  if (masterKey.length !== 32) {
+    throw new Error("Master key must be 32 bytes");
+  }
+  return hkdf.hkdf(
+    sha256.sha256,
+    masterKey,
+    stringToBytes("sanctuary-namespace-v1"),
+    // salt (fixed, acts as domain separator)
+    stringToBytes(namespace),
+    // info (namespace name)
+    32
+    // output length: 256 bits
+  );
+}
+function derivePurposeKey(masterKey, purpose) {
+  if (masterKey.length !== 32) {
+    throw new Error("Master key must be 32 bytes");
+  }
+  return hkdf.hkdf(
+    sha256.sha256,
+    masterKey,
+    stringToBytes("sanctuary-purpose-v1"),
+    stringToBytes(purpose),
+    32
+  );
+}
+// src/l1-cognitive/state-store.ts
+init_encoding();
+var RESERVED_NAMESPACE_PREFIXES = [
+  "_identities",
+  "_policies",
+  "_audit",
+  "_meta",
+  "_principal",
+  "_commitments",
+  "_reputation",
+  "_escrow",
+  "_guarantees"
+];
+var StateStore = class {
+  storage;
+  masterKey;
+  // Cache of version numbers per namespace/key for anti-rollback
+  versionCache = /* @__PURE__ */ new Map();
+  // Cache of content hashes per namespace for Merkle tree computation
+  contentHashes = /* @__PURE__ */ new Map();
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.masterKey = masterKey;
+  }
+  versionKey(namespace, key) {
+    return `${namespace}/${key}`;
+  }
+  /**
+   * Get or initialize the content hash map for a namespace.
+   */
+  async getNamespaceHashes(namespace) {
+    if (this.contentHashes.has(namespace)) {
+      return this.contentHashes.get(namespace);
+    }
+    const entries = await this.storage.list(namespace);
+    const hashMap = /* @__PURE__ */ new Map();
+    for (const entry of entries) {
+      const raw = await this.storage.read(namespace, entry.key);
+      if (raw) {
+        try {
+          const stateEntry = JSON.parse(bytesToString(raw));
+          hashMap.set(entry.key, stateEntry.integrity_hash);
+          this.versionCache.set(
+            this.versionKey(namespace, entry.key),
+            stateEntry.ver
+          );
+        } catch {
+        }
+      }
+    }
+    this.contentHashes.set(namespace, hashMap);
+    return hashMap;
+  }
+  /**
+   * Write encrypted state.
+   *
+   * @param namespace - Logical grouping
+   * @param key - State key
+   * @param value - Plaintext value (will be encrypted)
+   * @param identityId - Identity performing the write
+   * @param encryptedPrivateKey - Identity's encrypted private key (for signing)
+   * @param identityEncryptionKey - Key to decrypt the identity's private key
+   * @param options - Optional metadata
+   */
+  async write(namespace, key, value, identityId, encryptedPrivateKey, identityEncryptionKey, options = {}) {
+    const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);
+    const plaintext = stringToBytes(value);
+    const integrityHash = hashToString(plaintext);
+    const payload = encrypt(plaintext, namespaceKey);
+    const vk = this.versionKey(namespace, key);
+    const currentVersion = this.versionCache.get(vk) ?? 0;
+    const newVersion = currentVersion + 1;
+    const ciphertextBytes = fromBase64url(payload.ct);
+    const signature = sign(
+      ciphertextBytes,
+      encryptedPrivateKey,
+      identityEncryptionKey
+    );
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stateEntry = {
+      v: 1,
+      payload,
+      ver: newVersion,
+      sig: toBase64url(signature),
+      kid: identityId,
+      integrity_hash: integrityHash,
+      metadata: {
+        content_type: options.content_type,
+        ttl_seconds: options.ttl_seconds,
+        tags: options.tags,
+        written_at: now
+      }
+    };
+    const serialized = stringToBytes(JSON.stringify(stateEntry));
+    await this.storage.write(namespace, key, serialized);
+    this.versionCache.set(vk, newVersion);
+    const nsHashes = await this.getNamespaceHashes(namespace);
+    nsHashes.set(key, integrityHash);
+    const merkleRoot = computeMerkleRoot(nsHashes);
+    return {
+      key,
+      namespace,
+      version: newVersion,
+      merkle_root: merkleRoot,
+      written_at: now,
+      size_bytes: serialized.length,
+      integrity_hash: integrityHash
+    };
+  }
+  /**
+   * Read and decrypt state.
+   *
+   * @param namespace - Logical grouping
+   * @param key - State key
+   * @param signerPublicKey - Expected signer's public key (for signature verification)
+   * @param verifyIntegrity - Whether to verify Merkle proof (default: true)
+   */
+  async read(namespace, key, signerPublicKey, verifyIntegrity = true) {
+    const raw = await this.storage.read(namespace, key);
+    if (!raw) return null;
+    let stateEntry;
+    try {
+      stateEntry = JSON.parse(bytesToString(raw));
+    } catch {
+      throw new Error(`Corrupted state entry: ${namespace}/${key}`);
+    }
+    if (stateEntry.v !== 1) {
+      throw new Error(`Unsupported state entry version: ${stateEntry.v}`);
+    }
+    const vk = this.versionKey(namespace, key);
+    const cachedVersion = this.versionCache.get(vk);
+    if (cachedVersion !== void 0 && stateEntry.ver < cachedVersion) {
+      throw new Error(
+        `Rollback detected for ${namespace}/${key}: found version ${stateEntry.ver}, expected >= ${cachedVersion}`
+      );
+    }
+    if (signerPublicKey) {
+      const ciphertextBytes = fromBase64url(stateEntry.payload.ct);
+      const signatureBytes = fromBase64url(stateEntry.sig);
+      const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);
+      if (!sigValid) {
+        throw new Error(
+          `Signature verification failed for ${namespace}/${key}`
+        );
+      }
+    }
+    const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);
+    const plaintext = decrypt(stateEntry.payload, namespaceKey);
+    const value = bytesToString(plaintext);
+    const computedHash = hashToString(plaintext);
+    if (computedHash !== stateEntry.integrity_hash) {
+      throw new Error(
+        `Integrity hash mismatch for ${namespace}/${key}: computed ${computedHash}, stored ${stateEntry.integrity_hash}`
+      );
+    }
+    let merkleProofPath = [];
+    let integrityVerified = true;
+    if (verifyIntegrity) {
+      const nsHashes = await this.getNamespaceHashes(namespace);
+      const proof = generateMerkleProof(nsHashes, key);
+      if (proof) {
+        integrityVerified = verifyMerkleProof(proof);
+        merkleProofPath = proof.path.map(
+          (step) => `${step.position}:${step.hash}`
+        );
+      }
+    }
+    this.versionCache.set(vk, stateEntry.ver);
+    return {
+      key,
+      namespace,
+      value,
+      version: stateEntry.ver,
+      integrity_verified: integrityVerified,
+      merkle_proof: merkleProofPath,
+      written_at: stateEntry.metadata.written_at,
+      written_by: stateEntry.kid
+    };
+  }
+  /**
+   * List keys in a namespace (metadata only — no decryption).
+   */
+  async list(namespace, prefix, tags, limit = 100, offset = 0) {
+    const storageEntries = await this.storage.list(namespace, prefix);
+    const result = [];
+    for (const entry of storageEntries) {
+      const raw = await this.storage.read(namespace, entry.key);
+      if (!raw) continue;
+      try {
+        const stateEntry = JSON.parse(bytesToString(raw));
+        if (tags && tags.length > 0) {
+          const entryTags = stateEntry.metadata.tags ?? [];
+          const hasMatchingTag = tags.some((t) => entryTags.includes(t));
+          if (!hasMatchingTag) continue;
+        }
+        result.push({
+          key: entry.key,
+          version: stateEntry.ver,
+          size_bytes: entry.size_bytes,
+          written_at: stateEntry.metadata.written_at,
+          tags: stateEntry.metadata.tags ?? []
+        });
+      } catch {
+      }
+    }
+    const nsHashes = await this.getNamespaceHashes(namespace);
+    const merkleRoot = computeMerkleRoot(nsHashes);
+    return {
+      keys: result.slice(offset, offset + limit),
+      total: result.length,
+      merkle_root: merkleRoot
+    };
+  }
+  /**
+   * Securely delete state (overwrite with random bytes before removal).
+   */
+  async delete(namespace, key) {
+    const deleted = await this.storage.delete(namespace, key, true);
+    const vk = this.versionKey(namespace, key);
+    this.versionCache.delete(vk);
+    const nsHashes = await this.getNamespaceHashes(namespace);
+    nsHashes.delete(key);
+    const merkleRoot = computeMerkleRoot(nsHashes);
+    return {
+      deleted,
+      key,
+      namespace,
+      new_merkle_root: merkleRoot,
+      deleted_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Export all state for a namespace as an encrypted bundle.
+   */
+  async export(namespace) {
+    const namespacesToExport = [];
+    if (namespace) {
+      namespacesToExport.push(namespace);
+    } else {
+      for (const ns of this.contentHashes.keys()) {
+        namespacesToExport.push(ns);
+      }
+    }
+    const exportData = {};
+    let totalKeys = 0;
+    for (const ns of namespacesToExport) {
+      const entries = await this.storage.list(ns);
+      exportData[ns] = [];
+      for (const entry of entries) {
+        const raw = await this.storage.read(ns, entry.key);
+        if (!raw) continue;
+        try {
+          const stateEntry = JSON.parse(bytesToString(raw));
+          exportData[ns].push({ key: entry.key, entry: stateEntry });
+          totalKeys++;
+        } catch {
+        }
+      }
+    }
+    const bundleJson = JSON.stringify({
+      sanctuary_export_version: 1,
+      exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+      namespaces: namespacesToExport,
+      data: exportData
+    });
+    const bundleBytes = stringToBytes(bundleJson);
+    const bundleHash = hashToString(bundleBytes);
+    return {
+      bundle: toBase64url(bundleBytes),
+      namespaces: namespacesToExport,
+      total_keys: totalKeys,
+      bundle_hash: bundleHash,
+      exported_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Import a previously exported state bundle.
+   */
+  async import(bundleBase64, conflictResolution = "skip") {
+    const bundleBytes = fromBase64url(bundleBase64);
+    const bundleJson = bytesToString(bundleBytes);
+    const bundle = JSON.parse(bundleJson);
+    let importedKeys = 0;
+    let skippedKeys = 0;
+    let conflicts = 0;
+    const namespaces = [];
+    for (const [ns, entries] of Object.entries(
+      bundle.data
+    )) {
+      if (RESERVED_NAMESPACE_PREFIXES.some(
+        (prefix) => ns === prefix || ns.startsWith(prefix + "/")
+      )) {
+        skippedKeys += entries.length;
+        continue;
+      }
+      namespaces.push(ns);
+      for (const { key, entry } of entries) {
+        const exists = await this.storage.exists(ns, key);
+        if (exists) {
+          conflicts++;
+          if (conflictResolution === "skip") {
+            skippedKeys++;
+            continue;
+          }
+          if (conflictResolution === "version") {
+            const raw = await this.storage.read(ns, key);
+            if (raw) {
+              try {
+                const existingEntry = JSON.parse(
+                  bytesToString(raw)
+                );
+                if (entry.ver <= existingEntry.ver) {
+                  skippedKeys++;
+                  continue;
+                }
+              } catch {
+              }
+            }
+          }
+        }
+        const serialized = stringToBytes(JSON.stringify(entry));
+        await this.storage.write(ns, key, serialized);
+        importedKeys++;
+        const vk = this.versionKey(ns, key);
+        this.versionCache.set(vk, entry.ver);
+        const nsHashes = await this.getNamespaceHashes(ns);
+        nsHashes.set(key, entry.integrity_hash);
+      }
+    }
+    return {
+      imported_keys: importedKeys,
+      skipped_keys: skippedKeys,
+      conflicts,
+      namespaces,
+      imported_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+};
+var MAX_STRING_BYTES = 1048576;
+var MAX_BUNDLE_BYTES = 5242880;
+var BUNDLE_FIELDS = /* @__PURE__ */ new Set(["bundle"]);
+function validateArgs(args, schema) {
+  const errors = [];
+  const properties = schema.properties ?? {};
+  const required = schema.required ?? [];
+  for (const field of required) {
+    if (args[field] === void 0 || args[field] === null) {
+      errors.push({ field, message: `Required field "${field}" is missing` });
+    }
+  }
+  const knownFields = new Set(Object.keys(properties));
+  for (const field of Object.keys(args)) {
+    if (!knownFields.has(field)) {
+      errors.push({ field, message: `Unknown field "${field}"` });
+    }
+  }
+  for (const [field, value] of Object.entries(args)) {
+    if (value === void 0 || value === null) continue;
+    const propSchema = properties[field];
+    if (!propSchema) continue;
+    const typeError = checkType(field, value, propSchema);
+    if (typeError) {
+      errors.push(typeError);
+      continue;
+    }
+    if (typeof value === "string") {
+      const maxBytes = BUNDLE_FIELDS.has(field) ? MAX_BUNDLE_BYTES : MAX_STRING_BYTES;
+      const byteLength = new TextEncoder().encode(value).length;
+      if (byteLength > maxBytes) {
+        errors.push({
+          field,
+          message: `Field "${field}" exceeds maximum size (${byteLength} bytes > ${maxBytes} bytes)`
+        });
+      }
+    }
+    if (propSchema.enum && !propSchema.enum.includes(value)) {
+      errors.push({
+        field,
+        message: `Field "${field}" must be one of: ${propSchema.enum.join(", ")}`
+      });
+    }
+  }
+  return errors;
+}
+function checkType(field, value, schema) {
+  if (!schema.type) return null;
+  switch (schema.type) {
+    case "string":
+      if (typeof value !== "string") {
+        return { field, message: `Expected string for "${field}", got ${typeof value}` };
+      }
+      break;
+    case "number":
+      if (typeof value !== "number") {
+        return { field, message: `Expected number for "${field}", got ${typeof value}` };
+      }
+      break;
+    case "boolean":
+      if (typeof value !== "boolean") {
+        return { field, message: `Expected boolean for "${field}", got ${typeof value}` };
+      }
+      break;
+    case "object":
+      if (typeof value !== "object" || Array.isArray(value)) {
+        return { field, message: `Expected object for "${field}", got ${typeof value}` };
+      }
+      break;
+    case "array":
+      if (!Array.isArray(value)) {
+        return { field, message: `Expected array for "${field}", got ${typeof value}` };
+      }
+      break;
+  }
+  return null;
+}
+function createServer(tools, options) {
+  const gate = options?.gate;
+  const server = new index_js.Server(
+    {
+      name: "sanctuary-mcp-server",
+      version: "0.2.0"
+    },
+    {
+      capabilities: {
+        tools: {}
+      }
+    }
+  );
+  server.setRequestHandler(types_js.ListToolsRequestSchema, async () => {
+    return {
+      tools: tools.map((t) => ({
+        name: t.name,
+        description: t.description,
+        inputSchema: t.inputSchema
+      }))
+    };
+  });
+  server.setRequestHandler(types_js.CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    const typedArgs = args ?? {};
+    const tool = tools.find((t) => t.name === name);
+    if (!tool) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ error: `Unknown tool: ${name}` })
+          }
+        ],
+        isError: true
+      };
+    }
+    const validationErrors = validateArgs(typedArgs, tool.inputSchema);
+    if (validationErrors.length > 0) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              error: "validation_failed",
+              message: "Tool arguments failed schema validation",
+              violations: validationErrors
+            })
+          }
+        ],
+        isError: true
+      };
+    }
+    if (gate) {
+      const result = await gate.evaluate(name, typedArgs);
+      if (!result.allowed) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: "Operation not permitted",
+                approval_required: result.approval_required
+              })
+            }
+          ],
+          isError: true
+        };
+      }
+    }
+    try {
+      return await tool.handler(typedArgs);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Unknown error";
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ error: message })
+          }
+        ],
+        isError: true
+      };
+    }
+  });
+  return server;
+}
+function toolResult(data) {
+  return {
+    content: [{ type: "text", text: JSON.stringify(data, null, 2) }]
+  };
+}
+// src/l1-cognitive/tools.ts
+init_encoding();
+init_encoding();
+var RESERVED_NAMESPACE_PREFIXES2 = [
+  "_identities",
+  "_policies",
+  "_audit",
+  "_meta",
+  "_principal",
+  "_commitments",
+  "_reputation",
+  "_escrow",
+  "_guarantees"
+];
+function getReservedNamespaceViolation(namespace) {
+  for (const prefix of RESERVED_NAMESPACE_PREFIXES2) {
+    if (namespace === prefix || namespace.startsWith(prefix + "/")) {
+      return prefix;
+    }
+  }
+  return null;
+}
+var IdentityManager = class {
+  storage;
+  masterKey;
+  identities = /* @__PURE__ */ new Map();
+  primaryIdentityId = null;
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.masterKey = masterKey;
+  }
+  get encryptionKey() {
+    return derivePurposeKey(this.masterKey, "identity-encryption");
+  }
+  /** Load identities from storage on startup */
+  async load() {
+    const entries = await this.storage.list("_identities");
+    for (const entry of entries) {
+      const raw = await this.storage.read("_identities", entry.key);
+      if (!raw) continue;
+      try {
+        const encrypted = JSON.parse(bytesToString(raw));
+        const decrypted = decrypt(encrypted, this.encryptionKey);
+        const identity = JSON.parse(bytesToString(decrypted));
+        this.identities.set(identity.identity_id, identity);
+        if (!this.primaryIdentityId) {
+          this.primaryIdentityId = identity.identity_id;
+        }
+      } catch {
+      }
+    }
+  }
+  /** Save an identity to storage */
+  async save(identity) {
+    const serialized = stringToBytes(JSON.stringify(identity));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_identities",
+      identity.identity_id,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+    this.identities.set(identity.identity_id, identity);
+    if (!this.primaryIdentityId) {
+      this.primaryIdentityId = identity.identity_id;
+    }
+  }
+  get(id) {
+    return this.identities.get(id);
+  }
+  getDefault() {
+    if (!this.primaryIdentityId) return void 0;
+    return this.identities.get(this.primaryIdentityId);
+  }
+  list() {
+    return Array.from(this.identities.values()).map((si) => ({
+      identity_id: si.identity_id,
+      label: si.label,
+      public_key: si.public_key,
+      did: si.did,
+      created_at: si.created_at,
+      key_type: si.key_type,
+      key_protection: si.key_protection
+    }));
+  }
+};
+function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog) {
+  const identityMgr = new IdentityManager(storage, masterKey);
+  const identityEncKey = derivePurposeKey(masterKey, "identity-encryption");
+  function resolveIdentity(identityId) {
+    const id = identityId ? identityMgr.get(identityId) : identityMgr.getDefault();
+    if (!id) {
+      throw new Error(
+        identityId ? `Identity not found: ${identityId}` : "No default identity. Create one with sanctuary/identity_create."
+      );
+    }
+    return id;
+  }
+  const tools = [
+    // ── Identity Tools ──────────────────────────────────────────────────
+    {
+      name: "sanctuary/identity_create",
+      description: "Create a new sovereign identity (Ed25519 keypair). The private key is encrypted and never exposed.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          label: {
+            type: "string",
+            description: 'Human-readable label (e.g., "my-agent")'
+          }
+        },
+        required: ["label"]
+      },
+      handler: async (args) => {
+        const label = args.label;
+        const { publicIdentity, storedIdentity } = createIdentity(
+          label,
+          identityEncKey,
+          keyProtection
+        );
+        await identityMgr.save(storedIdentity);
+        auditLog?.append("l1", "identity_create", publicIdentity.identity_id, {
+          label
+        });
+        return toolResult({
+          identity_id: publicIdentity.identity_id,
+          public_key: publicIdentity.public_key,
+          did: publicIdentity.did,
+          created_at: publicIdentity.created_at,
+          key_type: publicIdentity.key_type,
+          key_protection: publicIdentity.key_protection,
+          backed_up: false
+        });
+      }
+    },
+    {
+      name: "sanctuary/identity_list",
+      description: "List all managed sovereign identities.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          filter: {
+            type: "object",
+            properties: {
+              label: { type: "string" }
+            }
+          }
+        }
+      },
+      handler: async (args) => {
+        let identities = identityMgr.list();
+        const filter = args.filter;
+        if (filter?.label) {
+          identities = identities.filter(
+            (i) => i.label.includes(filter.label)
+          );
+        }
+        return toolResult({ identities });
+      }
+    },
+    {
+      name: "sanctuary/identity_sign",
+      description: "Sign data with a managed identity. The private key is decrypted in memory only during signing.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          identity_id: { type: "string" },
+          payload: {
+            type: "string",
+            description: "Base64url-encoded data to sign"
+          }
+        },
+        required: ["payload"]
+      },
+      handler: async (args) => {
+        const identity = resolveIdentity(args.identity_id);
+        const payloadStr = args.payload;
+        let payload;
+        try {
+          payload = fromBase64url(payloadStr);
+        } catch {
+          payload = stringToBytes(payloadStr);
+        }
+        const signature = sign(
+          payload,
+          identity.encrypted_private_key,
+          identityEncKey
+        );
+        auditLog?.append("l1", "identity_sign", identity.identity_id);
+        return toolResult({
+          signature: toBase64url(signature),
+          algorithm: "Ed25519",
+          signed_at: (/* @__PURE__ */ new Date()).toISOString(),
+          public_key: identity.public_key,
+          payload_encoding: "base64url"
+        });
+      }
+    },
+    {
+      name: "sanctuary/identity_verify",
+      description: "Verify an Ed25519 signature. Provide either identity_id or public_key.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          payload: {
+            type: "string",
+            description: "Original data (plain text or base64url-encoded)"
+          },
+          signature: { type: "string", description: "Base64url signature" },
+          identity_id: {
+            type: "string",
+            description: "Identity ID to look up public key (alternative to public_key)"
+          },
+          public_key: {
+            type: "string",
+            description: "Base64url public key (alternative to identity_id)"
+          }
+        },
+        required: ["payload", "signature"]
+      },
+      handler: async (args) => {
+        const payloadStr = args.payload;
+        let payload;
+        try {
+          payload = fromBase64url(payloadStr);
+        } catch {
+          payload = stringToBytes(payloadStr);
+        }
+        const signature = fromBase64url(args.signature);
+        let publicKey;
+        if (args.identity_id) {
+          const identity = resolveIdentity(args.identity_id);
+          publicKey = fromBase64url(identity.public_key);
+        } else if (args.public_key) {
+          publicKey = fromBase64url(args.public_key);
+        } else {
+          return toolResult({
+            error: "Provide either identity_id or public_key for verification."
+          });
+        }
+        const valid = verify(payload, signature, publicKey);
+        return toolResult({
+          valid,
+          verified_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    {
+      name: "sanctuary/identity_rotate",
+      description: "Rotate keys for an identity. Generates a new keypair and signs a rotation event with the old key for verifiable chain.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          identity_id: { type: "string" },
+          reason: { type: "string" }
+        },
+        required: ["identity_id"]
+      },
+      handler: async (args) => {
+        const identity = resolveIdentity(args.identity_id);
+        const reason = args.reason ?? "Key rotation";
+        const { updatedIdentity, rotationEvent } = rotateKeys(
+          identity,
+          identityEncKey,
+          reason
+        );
+        await identityMgr.save(updatedIdentity);
+        auditLog?.append("l1", "identity_rotate", identity.identity_id, {
+          reason
+        });
+        return toolResult({
+          identity_id: updatedIdentity.identity_id,
+          old_public_key: rotationEvent.old_public_key,
+          new_public_key: rotationEvent.new_public_key,
+          new_did: updatedIdentity.did,
+          rotated_at: rotationEvent.rotated_at
+        });
+      }
+    },
+    // ── State Tools ─────────────────────────────────────────────────────
+    {
+      name: "sanctuary/state_write",
+      description: "Write encrypted state to the sovereign store. Value is encrypted with a namespace-specific key. The write is signed by the active identity.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          namespace: {
+            type: "string",
+            description: 'Logical grouping (e.g., "memory", "config")'
+          },
+          key: { type: "string", description: "State key within namespace" },
+          value: {
+            type: "string",
+            description: "Plaintext value (encrypted before storage)"
+          },
+          metadata: {
+            type: "object",
+            properties: {
+              content_type: { type: "string" },
+              ttl_seconds: { type: "number" },
+              tags: { type: "array", items: { type: "string" } }
+            }
+          },
+          identity_id: { type: "string" }
+        },
+        required: ["namespace", "key", "value"]
+      },
+      handler: async (args) => {
+        const reservedViolation = getReservedNamespaceViolation(args.namespace);
+        if (reservedViolation) {
+          return toolResult({
+            error: "namespace_reserved",
+            message: `Namespace "${args.namespace}" is reserved for internal use (prefix: ${reservedViolation}). Choose a different namespace.`
+          });
+        }
+        const identity = resolveIdentity(args.identity_id);
+        const metadata = args.metadata;
+        const result = await stateStore.write(
+          args.namespace,
+          args.key,
+          args.value,
+          identity.identity_id,
+          identity.encrypted_private_key,
+          identityEncKey,
+          {
+            content_type: metadata?.content_type,
+            ttl_seconds: metadata?.ttl_seconds,
+            tags: metadata?.tags
+          }
+        );
+        auditLog?.append("l1", "state_write", identity.identity_id, {
+          namespace: args.namespace,
+          key: args.key
+        });
+        return toolResult(result);
+      }
+    },
+    {
+      name: "sanctuary/state_read",
+      description: "Read and decrypt state from the sovereign store. Verifies integrity via Merkle proof and signature.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          namespace: { type: "string" },
+          key: { type: "string" },
+          verify_integrity: { type: "boolean", default: true }
+        },
+        required: ["namespace", "key"]
+      },
+      handler: async (args) => {
+        const result = await stateStore.read(
+          args.namespace,
+          args.key,
+          void 0,
+          // Skip signature verification for now (would need writer's pubkey)
+          args.verify_integrity ?? true
+        );
+        if (!result) {
+          return toolResult({
+            error: "not_found",
+            namespace: args.namespace,
+            key: args.key
+          });
+        }
+        auditLog?.append("l1", "state_read", result.written_by, {
+          namespace: args.namespace,
+          key: args.key
+        });
+        return toolResult(result);
+      }
+    },
+    {
+      name: "sanctuary/state_list",
+      description: "List keys in a namespace (metadata only \u2014 no decryption).",
+      inputSchema: {
+        type: "object",
+        properties: {
+          namespace: { type: "string" },
+          prefix: { type: "string" },
+          tags: { type: "array", items: { type: "string" } },
+          limit: { type: "number", default: 100 },
+          offset: { type: "number", default: 0 }
+        },
+        required: ["namespace"]
+      },
+      handler: async (args) => {
+        const result = await stateStore.list(
+          args.namespace,
+          args.prefix,
+          args.tags,
+          args.limit ?? 100,
+          args.offset ?? 0
+        );
+        return toolResult(result);
+      }
+    },
+    {
+      name: "sanctuary/state_delete",
+      description: "Securely delete state. Overwrites file with random bytes before removal (right to deletion, S1.6).",
+      inputSchema: {
+        type: "object",
+        properties: {
+          namespace: { type: "string" },
+          key: { type: "string" },
+          reason: { type: "string" }
+        },
+        required: ["namespace", "key"]
+      },
+      handler: async (args) => {
+        const reservedViolation = getReservedNamespaceViolation(args.namespace);
+        if (reservedViolation) {
+          return toolResult({
+            error: "namespace_reserved",
+            message: `Namespace "${args.namespace}" is reserved for internal use (prefix: ${reservedViolation}). Cannot delete from reserved namespaces.`
+          });
+        }
+        const result = await stateStore.delete(
+          args.namespace,
+          args.key
+        );
+        auditLog?.append("l1", "state_delete", "principal", {
+          namespace: args.namespace,
+          key: args.key,
+          reason: args.reason
+        });
+        return toolResult(result);
+      }
+    },
+    {
+      name: "sanctuary/state_export",
+      description: "Export state as an encrypted, portable bundle for migration.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          namespace: { type: "string" },
+          format: { type: "string", default: "sanctuary-v1" }
+        }
+      },
+      handler: async (args) => {
+        const result = await stateStore.export(
+          args.namespace
+        );
+        auditLog?.append("l1", "state_export", "principal", {
+          namespaces: result.namespaces
+        });
+        return toolResult(result);
+      }
+    },
+    {
+      name: "sanctuary/state_import",
+      description: "Import a previously exported state bundle.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          bundle: { type: "string", description: "Base64url-encoded bundle" },
+          conflict_resolution: {
+            type: "string",
+            enum: ["skip", "overwrite", "version"],
+            default: "skip"
+          }
+        },
+        required: ["bundle"]
+      },
+      handler: async (args) => {
+        const result = await stateStore.import(
+          args.bundle,
+          args.conflict_resolution ?? "skip"
+        );
+        auditLog?.append("l1", "state_import", "principal", {
+          imported_keys: result.imported_keys
+        });
+        return toolResult(result);
+      }
+    }
+  ];
+  return { tools, identityManager: identityMgr };
+}
+// src/l2-operational/audit-log.ts
+init_encoding();
+var AuditLog = class {
+  storage;
+  encryptionKey;
+  entries = [];
+  counter = 0;
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "audit-log");
+  }
+  /**
+   * Append an audit entry.
+   */
+  append(layer, operation, identityId, details, result = "success") {
+    const entry = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      layer,
+      operation,
+      identity_id: identityId,
+      result,
+      details
+    };
+    this.entries.push(entry);
+    this.persistEntry(entry).catch(() => {
+    });
+  }
+  async persistEntry(entry) {
+    const key = `${Date.now()}-${this.counter++}`;
+    const serialized = stringToBytes(JSON.stringify(entry));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_audit",
+      key,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  /**
+   * Query the audit log with filtering.
+   */
+  async query(options) {
+    await this.loadPersistedEntries();
+    let filtered = this.entries;
+    if (options.since) {
+      const sinceDate = new Date(options.since);
+      filtered = filtered.filter(
+        (e) => new Date(e.timestamp) >= sinceDate
+      );
+    }
+    if (options.layer) {
+      filtered = filtered.filter((e) => e.layer === options.layer);
+    }
+    if (options.operation_type) {
+      filtered = filtered.filter(
+        (e) => e.operation === options.operation_type
+      );
+    }
+    const total = filtered.length;
+    const limit = options.limit ?? 50;
+    const entries = filtered.slice(-limit);
+    return { entries, total };
+  }
+  async loadPersistedEntries() {
+    try {
+      const storedEntries = await this.storage.list("_audit");
+      for (const meta of storedEntries) {
+        const raw = await this.storage.read("_audit", meta.key);
+        if (!raw) continue;
+        try {
+          const encrypted = JSON.parse(bytesToString(raw));
+          const decrypted = decrypt(encrypted, this.encryptionKey);
+          const entry = JSON.parse(bytesToString(decrypted));
+          const isDuplicate = this.entries.some(
+            (e) => e.timestamp === entry.timestamp && e.operation === entry.operation && e.identity_id === entry.identity_id
+          );
+          if (!isDuplicate) {
+            this.entries.push(entry);
+          }
+        } catch {
+        }
+      }
+      this.entries.sort(
+        (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+      );
+    } catch {
+    }
+  }
+  /**
+   * Get total number of entries.
+   */
+  get size() {
+    return this.entries.length;
+  }
+};
+// src/l3-disclosure/commitments.ts
+init_hashing();
+init_encoding();
+init_encoding();
+function createCommitment(value, blindingFactor) {
+  const blindingBytes = blindingFactor ? fromBase64url(blindingFactor) : randomBytes(32);
+  const valueBytes = stringToBytes(value);
+  const combined = concatBytes(valueBytes, blindingBytes);
+  const commitmentHash = hash(combined);
+  return {
+    commitment: toBase64url(commitmentHash),
+    blinding_factor: toBase64url(blindingBytes),
+    committed_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function verifyCommitment(commitment, value, blindingFactor) {
+  const blindingBytes = fromBase64url(blindingFactor);
+  const valueBytes = stringToBytes(value);
+  const combined = concatBytes(valueBytes, blindingBytes);
+  const expectedHash = toBase64url(hash(combined));
+  return commitment === expectedHash;
+}
+var CommitmentStore = class {
+  storage;
+  encryptionKey;
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "l3-commitments");
+  }
+  /**
+   * Store a commitment (encrypted) for later reference.
+   */
+  async store(commitment, value) {
+    const id = `cmt-${Date.now()}-${toBase64url(randomBytes(8))}`;
+    const stored = {
+      commitment: commitment.commitment,
+      blinding_factor: commitment.blinding_factor,
+      value,
+      committed_at: commitment.committed_at,
+      revealed: false
+    };
+    const serialized = stringToBytes(JSON.stringify(stored));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_commitments",
+      id,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+    return id;
+  }
+  /**
+   * Retrieve a stored commitment by ID.
+   */
+  async get(id) {
+    const raw = await this.storage.read("_commitments", id);
+    if (!raw) return null;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      return JSON.parse(bytesToString(decrypted));
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Mark a commitment as revealed.
+   */
+  async markRevealed(id) {
+    const stored = await this.get(id);
+    if (!stored) return;
+    stored.revealed = true;
+    stored.revealed_at = (/* @__PURE__ */ new Date()).toISOString();
+    const serialized = stringToBytes(JSON.stringify(stored));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_commitments",
+      id,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+};
+// src/l3-disclosure/policies.ts
+init_encoding();
+function evaluateDisclosure(policy, context, requestedFields) {
+  return requestedFields.map((field) => {
+    const exactRule = policy.rules.find((r) => r.context === context);
+    const wildcardRule = policy.rules.find((r) => r.context === "*");
+    const matchedRule = exactRule ?? wildcardRule;
+    if (!matchedRule) {
+      return {
+        field,
+        action: policy.default_action,
+        reason: `No rule matches context "${context}"`,
+        applicable_rule: "default"
+      };
+    }
+    const ruleName = `${matchedRule.context}`;
+    if (matchedRule.withhold.includes(field)) {
+      return {
+        field,
+        action: "withhold",
+        reason: `Field "${field}" is explicitly withheld in ${ruleName} context`,
+        applicable_rule: ruleName
+      };
+    }
+    if (matchedRule.proof_required.includes(field)) {
+      return {
+        field,
+        action: "proof",
+        reason: `Field "${field}" requires cryptographic proof in ${ruleName} context`,
+        applicable_rule: ruleName
+      };
+    }
+    if (matchedRule.disclose.includes(field)) {
+      return {
+        field,
+        action: "disclose",
+        reason: `Field "${field}" is permitted for disclosure in ${ruleName} context`,
+        applicable_rule: ruleName
+      };
+    }
+    return {
+      field,
+      action: policy.default_action,
+      reason: `Field "${field}" not addressed in ${ruleName} rule; applying default`,
+      applicable_rule: ruleName
+    };
+  });
+}
+var PolicyStore = class {
+  storage;
+  encryptionKey;
+  policies = /* @__PURE__ */ new Map();
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "l3-policies");
+  }
+  /**
+   * Create and store a new disclosure policy.
+   */
+  async create(policyName, rules, defaultAction, identityId) {
+    const policyId = `pol-${Date.now()}-${toBase64url(randomBytes(8))}`;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const policy = {
+      policy_id: policyId,
+      policy_name: policyName,
+      rules,
+      default_action: defaultAction,
+      identity_id: identityId,
+      created_at: now,
+      updated_at: now
+    };
+    await this.persist(policy);
+    this.policies.set(policyId, policy);
+    return policy;
+  }
+  /**
+   * Get a policy by ID.
+   */
+  async get(policyId) {
+    if (this.policies.has(policyId)) {
+      return this.policies.get(policyId);
+    }
+    const raw = await this.storage.read("_policies", policyId);
+    if (!raw) return null;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      const policy = JSON.parse(bytesToString(decrypted));
+      this.policies.set(policyId, policy);
+      return policy;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * List all policies.
+   */
+  async list() {
+    await this.loadAll();
+    return Array.from(this.policies.values());
+  }
+  /**
+   * Load all persisted policies into memory.
+   */
+  async loadAll() {
+    try {
+      const entries = await this.storage.list("_policies");
+      for (const meta of entries) {
+        if (this.policies.has(meta.key)) continue;
+        const raw = await this.storage.read("_policies", meta.key);
+        if (!raw) continue;
+        try {
+          const encrypted = JSON.parse(bytesToString(raw));
+          const decrypted = decrypt(encrypted, this.encryptionKey);
+          const policy = JSON.parse(bytesToString(decrypted));
+          this.policies.set(policy.policy_id, policy);
+        } catch {
+        }
+      }
+    } catch {
+    }
+  }
+  async persist(policy) {
+    const serialized = stringToBytes(JSON.stringify(policy));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_policies",
+      policy.policy_id,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+};
+// src/l3-disclosure/tools.ts
+function createL3Tools(storage, masterKey, auditLog) {
+  const commitmentStore = new CommitmentStore(storage, masterKey);
+  const policyStore = new PolicyStore(storage, masterKey);
+  const tools = [
+    // ─── Commitment Schemes ───────────────────────────────────────────────
+    {
+      name: "sanctuary/proof_commitment",
+      description: "Create a cryptographic commitment to a value. The commitment hides the value until you choose to reveal it. Returns the commitment hash and a blinding factor (store securely).",
+      inputSchema: {
+        type: "object",
+        properties: {
+          value: {
+            type: "string",
+            description: "The value to commit to"
+          },
+          blinding_factor: {
+            type: "string",
+            description: "Optional base64url blinding factor (auto-generated if omitted)"
+          }
+        },
+        required: ["value"]
+      },
+      handler: async (args) => {
+        const value = args.value;
+        const blindingFactor = args.blinding_factor;
+        const commitment = createCommitment(value, blindingFactor);
+        const commitmentId = await commitmentStore.store(commitment, value);
+        auditLog.append("l3", "proof_commitment", "system", {
+          commitment_id: commitmentId,
+          commitment_hash: commitment.commitment
+        });
+        return toolResult({
+          commitment_id: commitmentId,
+          commitment: commitment.commitment,
+          blinding_factor: commitment.blinding_factor,
+          committed_at: commitment.committed_at,
+          note: "Store the blinding_factor securely. You will need it to reveal the committed value."
+        });
+      }
+    },
+    {
+      name: "sanctuary/proof_reveal",
+      description: "Verify a previously committed value by revealing it with the blinding factor. Returns whether the revealed value matches the commitment.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          commitment: {
+            type: "string",
+            description: "The original commitment hash"
+          },
+          value: {
+            type: "string",
+            description: "The value being revealed"
+          },
+          blinding_factor: {
+            type: "string",
+            description: "The blinding factor from the original commitment"
+          }
+        },
+        required: ["commitment", "value", "blinding_factor"]
+      },
+      handler: async (args) => {
+        const commitment = args.commitment;
+        const value = args.value;
+        const blindingFactor = args.blinding_factor;
+        const valid = verifyCommitment(commitment, value, blindingFactor);
+        auditLog.append("l3", "proof_reveal", "system", {
+          commitment_hash: commitment,
+          valid
+        });
+        return toolResult({
+          valid,
+          commitment,
+          revealed_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    // ─── Disclosure Policies ──────────────────────────────────────────────
+    {
+      name: "sanctuary/disclosure_set_policy",
+      description: "Define a disclosure policy that controls what an agent will and will not disclose in different interaction contexts. Rules specify which fields may be disclosed, which must be withheld, and which require cryptographic proof.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          policy_name: {
+            type: "string",
+            description: "Human-readable policy name"
+          },
+          rules: {
+            type: "array",
+            description: "Disclosure rules for different contexts",
+            items: {
+              type: "object",
+              properties: {
+                context: {
+                  type: "string",
+                  description: 'Interaction context: "negotiation", "commerce", "identity", "*" (wildcard)'
+                },
+                disclose: {
+                  type: "array",
+                  items: { type: "string" },
+                  description: "Fields the agent MAY disclose"
+                },
+                withhold: {
+                  type: "array",
+                  items: { type: "string" },
+                  description: "Fields the agent MUST NOT disclose"
+                },
+                proof_required: {
+                  type: "array",
+                  items: { type: "string" },
+                  description: "Fields that require proof rather than plain disclosure"
+                }
+              },
+              required: ["context", "disclose", "withhold", "proof_required"]
+            }
+          },
+          default_action: {
+            type: "string",
+            enum: ["withhold", "ask-principal"],
+            description: "What to do when no rule matches a field"
+          },
+          identity_id: {
+            type: "string",
+            description: "Optional identity this policy is bound to"
+          }
+        },
+        required: ["policy_name", "rules", "default_action"]
+      },
+      handler: async (args) => {
+        const policyName = args.policy_name;
+        const rules = args.rules;
+        const defaultAction = args.default_action;
+        const identityId = args.identity_id;
+        const policy = await policyStore.create(
+          policyName,
+          rules,
+          defaultAction,
+          identityId
+        );
+        auditLog.append("l3", "disclosure_set_policy", identityId ?? "system", {
+          policy_id: policy.policy_id,
+          policy_name: policyName,
+          rules_count: rules.length
+        });
+        return toolResult({
+          policy_id: policy.policy_id,
+          policy_name: policy.policy_name,
+          rules_count: policy.rules.length,
+          created_at: policy.created_at
+        });
+      }
+    },
+    {
+      name: "sanctuary/disclosure_evaluate",
+      description: "Evaluate a disclosure request against an active policy. Returns per-field decisions: disclose, withhold, proof, or ask-principal.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          context: {
+            type: "string",
+            description: "The interaction context"
+          },
+          requested_fields: {
+            type: "array",
+            items: { type: "string" },
+            description: "Fields the counterparty is requesting"
+          },
+          policy_id: {
+            type: "string",
+            description: "Specific policy to evaluate (uses first available if omitted)"
+          }
+        },
+        required: ["context", "requested_fields"]
+      },
+      handler: async (args) => {
+        const context = args.context;
+        const requestedFields = args.requested_fields;
+        const policyId = args.policy_id;
+        let policy;
+        if (policyId) {
+          policy = await policyStore.get(policyId);
+        } else {
+          const allPolicies = await policyStore.list();
+          policy = allPolicies[0] ?? null;
+        }
+        if (!policy) {
+          return toolResult({
+            error: "No disclosure policy found. Create one with disclosure_set_policy first."
+          });
+        }
+        const decisions = evaluateDisclosure(policy, context, requestedFields);
+        const withholding = decisions.filter(
+          (d) => d.action === "withhold"
+        ).length;
+        const disclosing = decisions.filter(
+          (d) => d.action === "disclose"
+        ).length;
+        const proofRequired = decisions.filter(
+          (d) => d.action === "proof"
+        ).length;
+        const askPrincipal = decisions.filter(
+          (d) => d.action === "ask-principal"
+        ).length;
+        auditLog.append("l3", "disclosure_evaluate", "system", {
+          policy_id: policy.policy_id,
+          context,
+          fields_requested: requestedFields.length,
+          withholding,
+          disclosing,
+          proof_required: proofRequired
+        });
+        return toolResult({
+          policy_id: policy.policy_id,
+          policy_name: policy.policy_name,
+          context,
+          decisions,
+          summary: {
+            total_fields: requestedFields.length,
+            disclose: disclosing,
+            withhold: withholding,
+            proof: proofRequired,
+            ask_principal: askPrincipal
+          },
+          overall_recommendation: withholding > 0 ? `Withholding ${withholding} of ${requestedFields.length} requested fields per policy "${policy.policy_name}"` : `All ${requestedFields.length} fields may be disclosed per policy "${policy.policy_name}"`
+        });
+      }
+    }
+  ];
+  return { tools, commitmentStore, policyStore };
+}
+// src/l4-reputation/reputation-store.ts
+init_encoding();
+function computeMedian(values) {
+  if (values.length === 0) return 0;
+  const sorted = [...values].sort((a, b) => a - b);
+  const mid = Math.floor(sorted.length / 2);
+  return sorted.length % 2 !== 0 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
+}
+function aggregateMetrics(attestations, metricNames) {
+  const result = {};
+  const names = metricNames ?? Array.from(
+    new Set(
+      attestations.flatMap(
+        (a) => Object.keys(a.attestation.data.metrics)
+      )
+    )
+  );
+  for (const name of names) {
+    const values = attestations.map((a) => a.attestation.data.metrics[name]).filter((v) => v !== void 0);
+    if (values.length === 0) {
+      result[name] = { mean: 0, median: 0, min: 0, max: 0, count: 0 };
+      continue;
+    }
+    result[name] = {
+      mean: values.reduce((s, v) => s + v, 0) / values.length,
+      median: computeMedian(values),
+      min: Math.min(...values),
+      max: Math.max(...values),
+      count: values.length
+    };
+  }
+  return result;
+}
+var ReputationStore = class {
+  storage;
+  encryptionKey;
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "l4-reputation");
+  }
+  /**
+   * Record an interaction outcome as a signed attestation.
+   */
+  async record(interactionId, counterpartyDid, outcome, context, identity, identityEncryptionKey, counterpartyAttestation) {
+    const attestationId = `att-${Date.now()}-${toBase64url(randomBytes(8))}`;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const attestationData = {
+      interaction_id: interactionId,
+      participant_did: identity.did,
+      counterparty_did: counterpartyDid,
+      outcome_type: outcome.type,
+      outcome_result: outcome.result,
+      metrics: outcome.metrics ?? {},
+      context,
+      timestamp: now
+    };
+    const dataBytes = stringToBytes(JSON.stringify(attestationData));
+    const signature = sign(
+      dataBytes,
+      identity.encrypted_private_key,
+      identityEncryptionKey
+    );
+    const attestation = {
+      attestation_id: attestationId,
+      schema: "sanctuary-interaction-v1",
+      data: attestationData,
+      signature: toBase64url(signature),
+      signer: identity.did
+    };
+    const stored = {
+      attestation,
+      counterparty_attestation: counterpartyAttestation,
+      counterparty_confirmed: !!counterpartyAttestation,
+      recorded_at: now
+    };
+    const serialized = stringToBytes(JSON.stringify(stored));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_reputation",
+      attestationId,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+    return stored;
+  }
+  /**
+   * Query reputation data with filtering.
+   * Returns aggregates only — not raw interaction data.
+   */
+  async query(options) {
+    const all = await this.loadAll();
+    let filtered = all;
+    if (options.context) {
+      filtered = filtered.filter(
+        (a) => a.attestation.data.context === options.context
+      );
+    }
+    if (options.time_range) {
+      const start2 = new Date(options.time_range.start).getTime();
+      const end2 = new Date(options.time_range.end).getTime();
+      filtered = filtered.filter((a) => {
+        const t = new Date(a.attestation.data.timestamp).getTime();
+        return t >= start2 && t <= end2;
+      });
+    }
+    if (options.counterparty_did) {
+      filtered = filtered.filter(
+        (a) => a.attestation.data.counterparty_did === options.counterparty_did
+      );
+    }
+    const contexts = Array.from(
+      new Set(filtered.map((a) => a.attestation.data.context))
+    );
+    const timestamps = filtered.map(
+      (a) => new Date(a.attestation.data.timestamp).getTime()
+    );
+    const start = timestamps.length > 0 ? new Date(Math.min(...timestamps)).toISOString() : (/* @__PURE__ */ new Date()).toISOString();
+    const end = timestamps.length > 0 ? new Date(Math.max(...timestamps)).toISOString() : (/* @__PURE__ */ new Date()).toISOString();
+    return {
+      total_interactions: filtered.length,
+      completed: filtered.filter(
+        (a) => a.attestation.data.outcome_result === "completed"
+      ).length,
+      partial: filtered.filter(
+        (a) => a.attestation.data.outcome_result === "partial"
+      ).length,
+      failed: filtered.filter(
+        (a) => a.attestation.data.outcome_result === "failed"
+      ).length,
+      disputed: filtered.filter(
+        (a) => a.attestation.data.outcome_result === "disputed"
+      ).length,
+      contexts,
+      time_range: { start, end },
+      aggregate_metrics: aggregateMetrics(filtered, options.metrics)
+    };
+  }
+  /**
+   * Export attestations as a portable reputation bundle.
+   */
+  async exportBundle(identity, identityEncryptionKey, context) {
+    let all = await this.loadAll();
+    if (context) {
+      all = all.filter((a) => a.attestation.data.context === context);
+    }
+    const attestations = all.map((a) => a.attestation);
+    const bundleData = {
+      version: "SANCTUARY_REP_V1",
+      attestations,
+      exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+      exporter_did: identity.did
+    };
+    const bundleBytes = stringToBytes(JSON.stringify(bundleData));
+    const bundleSignature = sign(
+      bundleBytes,
+      identity.encrypted_private_key,
+      identityEncryptionKey
+    );
+    return {
+      ...bundleData,
+      bundle_signature: toBase64url(bundleSignature)
+    };
+  }
+  /**
+   * Import attestations from a reputation bundle.
+   * Verifies signatures if requested (default: true).
+   *
+   * @param publicKeys - Map of DID → public key bytes for signature verification
+   */
+  async importBundle(bundle, verifySignatures, publicKeys) {
+    let imported = 0;
+    let invalid = 0;
+    const contexts = /* @__PURE__ */ new Set();
+    for (const attestation of bundle.attestations) {
+      if (verifySignatures) {
+        const signerKey = publicKeys.get(attestation.signer);
+        if (!signerKey) {
+          invalid++;
+          continue;
+        }
+        const dataBytes = stringToBytes(
+          JSON.stringify(attestation.data)
+        );
+        const sigBytes = fromBase64url(attestation.signature);
+        if (!verify(dataBytes, sigBytes, signerKey)) {
+          invalid++;
+          continue;
+        }
+      }
+      const stored = {
+        attestation,
+        counterparty_confirmed: false,
+        recorded_at: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      const serialized = stringToBytes(JSON.stringify(stored));
+      const encrypted = encrypt(serialized, this.encryptionKey);
+      await this.storage.write(
+        "_reputation",
+        attestation.attestation_id,
+        stringToBytes(JSON.stringify(encrypted))
+      );
+      imported++;
+      contexts.add(attestation.data.context);
+    }
+    return {
+      imported,
+      invalid,
+      contexts: Array.from(contexts)
+    };
+  }
+  // ─── Escrow ───────────────────────────────────────────────────────────
+  /**
+   * Create an escrow for trust bootstrapping.
+   */
+  async createEscrow(transactionTerms, counterpartyDid, timeoutSeconds, creatorDid, collateralAmount) {
+    const escrowId = `esc-${Date.now()}-${toBase64url(randomBytes(8))}`;
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + timeoutSeconds * 1e3);
+    const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
+    const termsHash = hashToString2(stringToBytes(transactionTerms));
+    const escrow = {
+      escrow_id: escrowId,
+      transaction_terms: transactionTerms,
+      terms_hash: termsHash,
+      collateral_amount: collateralAmount,
+      counterparty_did: counterpartyDid,
+      creator_did: creatorDid,
+      created_at: now.toISOString(),
+      expires_at: expiresAt.toISOString(),
+      status: "pending"
+    };
+    const serialized = stringToBytes(JSON.stringify(escrow));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_escrows",
+      escrowId,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+    return escrow;
+  }
+  /**
+   * Get an escrow by ID.
+   */
+  async getEscrow(escrowId) {
+    const raw = await this.storage.read("_escrows", escrowId);
+    if (!raw) return null;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      return JSON.parse(bytesToString(decrypted));
+    } catch {
+      return null;
+    }
+  }
+  // ─── Guarantees ─────────────────────────────────────────────────────
+  /**
+   * Create a principal's guarantee for a new agent.
+   */
+  async createGuarantee(principalIdentity, agentDid, scope, durationSeconds, identityEncryptionKey, maxLiability) {
+    const guaranteeId = `guar-${Date.now()}-${toBase64url(randomBytes(8))}`;
+    const now = /* @__PURE__ */ new Date();
+    const validUntil = new Date(now.getTime() + durationSeconds * 1e3);
+    const certificateData = {
+      guarantee_id: guaranteeId,
+      principal_did: principalIdentity.did,
+      agent_did: agentDid,
+      scope,
+      max_liability: maxLiability,
+      valid_until: validUntil.toISOString(),
+      issued_at: now.toISOString()
+    };
+    const certBytes = stringToBytes(JSON.stringify(certificateData));
+    const signature = sign(
+      certBytes,
+      principalIdentity.encrypted_private_key,
+      identityEncryptionKey
+    );
+    const certificate = toBase64url(
+      stringToBytes(
+        JSON.stringify({
+          ...certificateData,
+          signature: toBase64url(signature)
+        })
+      )
+    );
+    const guarantee = {
+      guarantee_id: guaranteeId,
+      principal_did: principalIdentity.did,
+      agent_did: agentDid,
+      scope,
+      max_liability: maxLiability,
+      valid_until: validUntil.toISOString(),
+      certificate,
+      created_at: now.toISOString()
+    };
+    const serialized = stringToBytes(JSON.stringify(guarantee));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      "_guarantees",
+      guaranteeId,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+    return guarantee;
+  }
+  // ─── Internal ─────────────────────────────────────────────────────────
+  async loadAll() {
+    const results = [];
+    try {
+      const entries = await this.storage.list("_reputation");
+      for (const meta of entries) {
+        const raw = await this.storage.read("_reputation", meta.key);
+        if (!raw) continue;
+        try {
+          const encrypted = JSON.parse(bytesToString(raw));
+          const decrypted = decrypt(encrypted, this.encryptionKey);
+          results.push(JSON.parse(bytesToString(decrypted)));
+        } catch {
+        }
+      }
+    } catch {
+    }
+    return results;
+  }
+};
+// src/l4-reputation/tools.ts
+init_encoding();
+function createL4Tools(storage, masterKey, identityManager, auditLog) {
+  const reputationStore = new ReputationStore(storage, masterKey);
+  const identityEncryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const tools = [
+    // ─── Reputation Recording ─────────────────────────────────────────
+    {
+      name: "sanctuary/reputation_record",
+      description: "Record an interaction outcome as a signed attestation. Creates an EAS-compatible attestation signed by the specified identity.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          interaction_id: {
+            type: "string",
+            description: "Unique interaction identifier"
+          },
+          counterparty_did: {
+            type: "string",
+            description: "Counterparty's DID"
+          },
+          outcome: {
+            type: "object",
+            description: "Interaction outcome",
+            properties: {
+              type: {
+                type: "string",
+                enum: ["transaction", "negotiation", "service", "dispute", "custom"]
+              },
+              result: {
+                type: "string",
+                enum: ["completed", "partial", "failed", "disputed"]
+              },
+              metrics: {
+                type: "object",
+                description: "Domain-specific metrics (e.g., fulfillment_rate, response_time_ms)"
+              }
+            },
+            required: ["type", "result"]
+          },
+          context: {
+            type: "string",
+            description: "Category/domain for context-specific reputation",
+            default: "general"
+          },
+          counterparty_attestation: {
+            type: "string",
+            description: "Counterparty's signed attestation of the same interaction"
+          },
+          identity_id: {
+            type: "string",
+            description: "Identity to sign with (uses default if omitted)"
+          }
+        },
+        required: ["interaction_id", "counterparty_did", "outcome"]
+      },
+      handler: async (args) => {
+        const identityId = args.identity_id;
+        const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+        if (!identity) {
+          return toolResult({
+            error: "No identity found. Create one with identity_create first."
+          });
+        }
+        const outcome = args.outcome;
+        const context = args.context ?? "general";
+        const stored = await reputationStore.record(
+          args.interaction_id,
+          args.counterparty_did,
+          outcome,
+          context,
+          identity,
+          identityEncryptionKey,
+          args.counterparty_attestation
+        );
+        auditLog.append("l4", "reputation_record", identity.identity_id, {
+          interaction_id: args.interaction_id,
+          outcome_type: outcome.type,
+          outcome_result: outcome.result,
+          context
+        });
+        return toolResult({
+          attestation_id: stored.attestation.attestation_id,
+          interaction_id: stored.attestation.data.interaction_id,
+          self_attestation: stored.attestation.signature,
+          counterparty_confirmed: stored.counterparty_confirmed,
+          context,
+          recorded_at: stored.recorded_at
+        });
+      }
+    },
+    // ─── Reputation Query ─────────────────────────────────────────────
+    {
+      name: "sanctuary/reputation_query",
+      description: "Query aggregated reputation data with filtering. Returns summary statistics, never raw interaction details.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          context: {
+            type: "string",
+            description: "Filter by context/domain"
+          },
+          time_range: {
+            type: "object",
+            description: "Filter by time range",
+            properties: {
+              start: { type: "string", description: "ISO 8601 start" },
+              end: { type: "string", description: "ISO 8601 end" }
+            }
+          },
+          metrics: {
+            type: "array",
+            items: { type: "string" },
+            description: "Which metrics to aggregate"
+          },
+          counterparty_did: {
+            type: "string",
+            description: "Filter by counterparty"
+          }
+        }
+      },
+      handler: async (args) => {
+        const summary = await reputationStore.query({
+          context: args.context,
+          time_range: args.time_range,
+          metrics: args.metrics,
+          counterparty_did: args.counterparty_did
+        });
+        auditLog.append("l4", "reputation_query", "system", {
+          total_interactions: summary.total_interactions,
+          contexts: summary.contexts
+        });
+        return toolResult({
+          summary
+        });
+      }
+    },
+    // ─── Reputation Export ─────────────────────────────────────────────
+    {
+      name: "sanctuary/reputation_export",
+      description: "Export a portable reputation bundle (SANCTUARY_REP_V1). Includes all signed attestations for independent verification.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          format: {
+            type: "string",
+            enum: ["SANCTUARY_REP_V1"],
+            default: "SANCTUARY_REP_V1"
+          },
+          context: {
+            type: "string",
+            description: "Export specific context only"
+          },
+          identity_id: {
+            type: "string",
+            description: "Identity to sign the bundle with"
+          }
+        }
+      },
+      handler: async (args) => {
+        const identityId = args.identity_id;
+        const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+        if (!identity) {
+          return toolResult({
+            error: "No identity found. Create one with identity_create first."
+          });
+        }
+        const context = args.context;
+        const bundle = await reputationStore.exportBundle(
+          identity,
+          identityEncryptionKey,
+          context
+        );
+        const bundleJson = JSON.stringify(bundle);
+        const bundleBase64 = toBase64url(
+          new TextEncoder().encode(bundleJson)
+        );
+        auditLog.append("l4", "reputation_export", identity.identity_id, {
+          attestation_count: bundle.attestations.length,
+          contexts: Array.from(
+            new Set(bundle.attestations.map((a) => a.data.context))
+          )
+        });
+        const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
+        const { stringToBytes: stringToBytes2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+        return toolResult({
+          bundle: bundleBase64,
+          attestation_count: bundle.attestations.length,
+          contexts: Array.from(
+            new Set(bundle.attestations.map((a) => a.data.context))
+          ),
+          bundle_hash: hashToString2(stringToBytes2(bundleJson)),
+          exported_at: bundle.exported_at
+        });
+      }
+    },
+    // ─── Reputation Import ────────────────────────────────────────────
+    {
+      name: "sanctuary/reputation_import",
+      description: "Import a reputation bundle from another Sanctuary instance. Verifies all attestation signatures by default.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          bundle: {
+            type: "string",
+            description: "Base64url-encoded reputation bundle"
+          }
+        },
+        required: ["bundle"]
+      },
+      handler: async (args) => {
+        const bundleBase64 = args.bundle;
+        const verifySignatures = true;
+        let bundle;
+        try {
+          const bundleBytes = fromBase64url(bundleBase64);
+          const bundleJson = new TextDecoder().decode(bundleBytes);
+          bundle = JSON.parse(bundleJson);
+        } catch {
+          return toolResult({
+            error: "Invalid bundle format. Expected base64url-encoded JSON."
+          });
+        }
+        const publicKeys = /* @__PURE__ */ new Map();
+        for (const pub of identityManager.list()) {
+          const identity = identityManager.get(pub.identity_id);
+          if (identity) {
+            publicKeys.set(identity.did, fromBase64url(identity.public_key));
+          }
+        }
+        const result = await reputationStore.importBundle(
+          bundle,
+          verifySignatures,
+          publicKeys
+        );
+        auditLog.append("l4", "reputation_import", "system", {
+          imported: result.imported,
+          invalid: result.invalid,
+          contexts: result.contexts
+        });
+        return toolResult({
+          imported_attestations: result.imported,
+          invalid_attestations: result.invalid,
+          contexts: result.contexts,
+          imported_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    // ─── Trust Bootstrap: Escrow ──────────────────────────────────────
+    {
+      name: "sanctuary/bootstrap_create_escrow",
+      description: "Create an escrow record for trust bootstrapping. Allows new participants with no reputation to transact safely.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          transaction_terms: {
+            type: "string",
+            description: "Description of the transaction"
+          },
+          collateral_amount: {
+            type: "number",
+            description: "Optional stake/collateral amount"
+          },
+          counterparty_did: {
+            type: "string",
+            description: "Counterparty's DID"
+          },
+          timeout_seconds: {
+            type: "number",
+            description: "Escrow timeout in seconds"
+          },
+          identity_id: {
+            type: "string",
+            description: "Identity creating the escrow"
+          }
+        },
+        required: ["transaction_terms", "counterparty_did", "timeout_seconds"]
+      },
+      handler: async (args) => {
+        const identityId = args.identity_id;
+        const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+        if (!identity) {
+          return toolResult({
+            error: "No identity found. Create one with identity_create first."
+          });
+        }
+        const escrow = await reputationStore.createEscrow(
+          args.transaction_terms,
+          args.counterparty_did,
+          args.timeout_seconds,
+          identity.did,
+          args.collateral_amount
+        );
+        auditLog.append("l4", "bootstrap_create_escrow", identity.identity_id, {
+          escrow_id: escrow.escrow_id,
+          counterparty_did: args.counterparty_did,
+          timeout_seconds: args.timeout_seconds
+        });
+        return toolResult({
+          escrow_id: escrow.escrow_id,
+          terms_hash: escrow.terms_hash,
+          created_at: escrow.created_at,
+          expires_at: escrow.expires_at,
+          status: escrow.status
+        });
+      }
+    },
+    // ─── Trust Bootstrap: Guarantee ───────────────────────────────────
+    {
+      name: "sanctuary/bootstrap_provide_guarantee",
+      description: "A principal provides a signed reputation guarantee for a new agent. The guarantee certificate can be presented to counterparties.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          principal_identity_id: {
+            type: "string",
+            description: "Identity of the guarantor (principal)"
+          },
+          agent_identity_id: {
+            type: "string",
+            description: "Identity of the agent being guaranteed"
+          },
+          scope: {
+            type: "string",
+            description: "What the guarantee covers"
+          },
+          duration_seconds: {
+            type: "number",
+            description: "How long the guarantee is valid"
+          },
+          max_liability: {
+            type: "number",
+            description: "Maximum liability amount"
+          }
+        },
+        required: [
+          "principal_identity_id",
+          "agent_identity_id",
+          "scope",
+          "duration_seconds"
+        ]
+      },
+      handler: async (args) => {
+        const principalIdentity = identityManager.get(
+          args.principal_identity_id
+        );
+        const agentIdentity = identityManager.get(
+          args.agent_identity_id
+        );
+        if (!principalIdentity) {
+          return toolResult({
+            error: `Principal identity "${args.principal_identity_id}" not found.`
+          });
+        }
+        if (!agentIdentity) {
+          return toolResult({
+            error: `Agent identity "${args.agent_identity_id}" not found.`
+          });
+        }
+        const guarantee = await reputationStore.createGuarantee(
+          principalIdentity,
+          agentIdentity.did,
+          args.scope,
+          args.duration_seconds,
+          identityEncryptionKey,
+          args.max_liability
+        );
+        auditLog.append(
+          "l4",
+          "bootstrap_provide_guarantee",
+          principalIdentity.identity_id,
+          {
+            guarantee_id: guarantee.guarantee_id,
+            agent_did: agentIdentity.did,
+            scope: args.scope
+          }
+        );
+        return toolResult({
+          guarantee_id: guarantee.guarantee_id,
+          guarantee_certificate: guarantee.certificate,
+          scope: guarantee.scope,
+          valid_until: guarantee.valid_until
+        });
+      }
+    }
+  ];
+  return { tools, reputationStore };
+}
+var DEFAULT_TIER2 = {
+  new_namespace_access: "approve",
+  new_counterparty: "approve",
+  frequency_spike_multiplier: 5,
+  max_signs_per_minute: 10,
+  bulk_read_threshold: 20,
+  first_session_policy: "approve"
+};
+var DEFAULT_CHANNEL = {
+  type: "stderr",
+  timeout_seconds: 300,
+  auto_deny: true
+};
+var DEFAULT_POLICY = {
+  version: 1,
+  tier1_always_approve: [
+    "state_export",
+    "state_import",
+    "identity_rotate",
+    "reputation_import",
+    "bootstrap_provide_guarantee"
+  ],
+  tier2_anomaly: DEFAULT_TIER2,
+  tier3_always_allow: [
+    "state_read",
+    "state_write",
+    "state_list",
+    "state_delete",
+    "identity_create",
+    "identity_list",
+    "identity_sign",
+    "identity_verify",
+    "proof_commitment",
+    "proof_reveal",
+    "disclosure_set_policy",
+    "disclosure_evaluate",
+    "reputation_record",
+    "reputation_query",
+    "reputation_export",
+    "bootstrap_create_escrow",
+    "exec_attest",
+    "monitor_health",
+    "monitor_audit_log",
+    "manifest",
+    "principal_policy_view",
+    "principal_baseline_view"
+  ],
+  approval_channel: DEFAULT_CHANNEL
+};
+function extractOperationName(toolName) {
+  return toolName.startsWith("sanctuary/") ? toolName.slice("sanctuary/".length) : toolName;
+}
+function parsePolicy(content) {
+  const trimmed = content.trim();
+  if (trimmed.startsWith("{")) {
+    const parsed = JSON.parse(trimmed);
+    return validatePolicy(parsed);
+  }
+  const policy = {};
+  let currentKey = null;
+  let currentList = null;
+  let currentObject = null;
+  for (const rawLine of trimmed.split("\n")) {
+    const line = rawLine.split("#")[0];
+    if (line.trim() === "") continue;
+    const indent = line.length - line.trimStart().length;
+    const stripped = line.trim();
+    if (indent === 0 && stripped.includes(":")) {
+      if (currentKey && currentList) {
+        policy[currentKey] = currentList;
+      } else if (currentKey && currentObject) {
+        policy[currentKey] = currentObject;
+      }
+      const colonIdx = stripped.indexOf(":");
+      const key = stripped.slice(0, colonIdx).trim();
+      const value = stripped.slice(colonIdx + 1).trim();
+      if (value === "" || value === "|") {
+        currentKey = key;
+        currentList = null;
+        currentObject = null;
+      } else {
+        policy[key] = parseScalar(value);
+        currentKey = null;
+        currentList = null;
+        currentObject = null;
+      }
+    } else if (indent > 0 && stripped.startsWith("- ")) {
+      if (!currentList) currentList = [];
+      currentList.push(stripped.slice(2).trim().split(/\s+/)[0]);
+    } else if (indent > 0 && stripped.includes(":")) {
+      if (!currentObject) currentObject = {};
+      const colonIdx = stripped.indexOf(":");
+      const key = stripped.slice(0, colonIdx).trim();
+      const value = stripped.slice(colonIdx + 1).trim();
+      currentObject[key] = parseScalar(value.split(/\s+/)[0]);
+    }
+  }
+  if (currentKey && currentList) {
+    policy[currentKey] = currentList;
+  } else if (currentKey && currentObject) {
+    policy[currentKey] = currentObject;
+  }
+  return validatePolicy(policy);
+}
+function parseScalar(value) {
+  if (value === "true") return true;
+  if (value === "false") return false;
+  const num = Number(value);
+  if (!isNaN(num) && value !== "") return num;
+  return value.replace(/^["']|["']$/g, "");
+}
+function validatePolicy(raw) {
+  return {
+    version: raw.version ?? 1,
+    tier1_always_approve: raw.tier1_always_approve ?? DEFAULT_POLICY.tier1_always_approve,
+    tier2_anomaly: {
+      ...DEFAULT_TIER2,
+      ...raw.tier2_anomaly ?? {}
+    },
+    tier3_always_allow: raw.tier3_always_allow ?? DEFAULT_POLICY.tier3_always_allow,
+    approval_channel: {
+      ...DEFAULT_CHANNEL,
+      ...raw.approval_channel ?? {}
+    }
+  };
+}
+function generateDefaultPolicyYaml() {
+  return `# Sanctuary Principal Policy v1
+# This file controls what your agent can do without asking.
+# Edit this file directly. Your agent cannot modify it.
+# Changes take effect on server restart.
+version: 1
+# \u2500\u2500\u2500 Tier 1: Always Requires Approval \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# These operations ALWAYS require your explicit approval.
+# They are inherently high-risk regardless of context.
+tier1_always_approve:
+  - state_export
+  - state_import
+  - identity_rotate
+  - reputation_import
+  - bootstrap_provide_guarantee
+# \u2500\u2500\u2500 Tier 2: Behavioral Anomaly Detection \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# Triggers approval when agent behavior deviates from its baseline.
+# Options for each setting: approve | log | allow
+tier2_anomaly:
+  new_namespace_access: approve
+  new_counterparty: approve
+  frequency_spike_multiplier: 5
+  max_signs_per_minute: 10
+  bulk_read_threshold: 20
+  first_session_policy: approve
+# \u2500\u2500\u2500 Tier 3: Always Allowed (Audit Only) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# These operations never require approval but are always logged.
+tier3_always_allow:
+  - state_read
+  - state_write
+  - state_list
+  - state_delete
+  - identity_create
+  - identity_list
+  - identity_sign
+  - identity_verify
+  - proof_commitment
+  - proof_reveal
+  - disclosure_set_policy
+  - disclosure_evaluate
+  - reputation_record
+  - reputation_query
+  - reputation_export
+  - bootstrap_create_escrow
+  - exec_attest
+  - monitor_health
+  - monitor_audit_log
+  - manifest
+  - principal_policy_view
+  - principal_baseline_view
+# \u2500\u2500\u2500 Approval Channel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# How Sanctuary reaches you when approval is needed.
+approval_channel:
+  type: stderr
+  timeout_seconds: 300
+  auto_deny: true
+`;
+}
+async function loadPrincipalPolicy(storagePath) {
+  const policyPath = path.join(storagePath, "principal-policy.yaml");
+  try {
+    const content = await promises.readFile(policyPath, "utf-8");
+    const policy = parsePolicy(content);
+    return Object.freeze(policy);
+  } catch {
+    const defaultYaml = generateDefaultPolicyYaml();
+    try {
+      await promises.writeFile(policyPath, defaultYaml, "utf-8");
+      await promises.chmod(policyPath, 384);
+    } catch {
+    }
+    return Object.freeze({ ...DEFAULT_POLICY });
+  }
+}
+// src/principal-policy/baseline.ts
+init_encoding();
+var BASELINE_NAMESPACE = "_principal";
+var BASELINE_KEY = "session-baseline";
+var BaselineTracker = class {
+  storage;
+  encryptionKey;
+  profile;
+  /** Sliding window: timestamps of tool calls per tool name (last 60s) */
+  callWindows = /* @__PURE__ */ new Map();
+  /** Sliding window: read counts per namespace (last 60s) */
+  readWindows = /* @__PURE__ */ new Map();
+  /** Sliding window: sign call timestamps (last 60s) */
+  signWindow = [];
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "principal-baseline");
+    this.profile = {
+      known_namespaces: [],
+      known_counterparties: [],
+      tool_call_counts: {},
+      is_first_session: true,
+      started_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Load the previous session's baseline from storage.
+   * If none exists, this is a first session.
+   */
+  async load() {
+    try {
+      const raw = await this.storage.read(BASELINE_NAMESPACE, BASELINE_KEY);
+      if (!raw) return;
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      const saved = JSON.parse(bytesToString(decrypted));
+      this.profile.known_namespaces = saved.known_namespaces ?? [];
+      this.profile.known_counterparties = saved.known_counterparties ?? [];
+      this.profile.is_first_session = false;
+    } catch {
+      this.profile.is_first_session = true;
+    }
+  }
+  /**
+   * Save the current baseline to storage (encrypted).
+   * Called at session end or periodically.
+   */
+  async save() {
+    this.profile.saved_at = (/* @__PURE__ */ new Date()).toISOString();
+    const serialized = stringToBytes(JSON.stringify(this.profile));
+    const encrypted = encrypt(serialized, this.encryptionKey);
+    await this.storage.write(
+      BASELINE_NAMESPACE,
+      BASELINE_KEY,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  /**
+   * Record a tool call for baseline tracking.
+   * Returns anomaly information if applicable.
+   */
+  recordToolCall(toolName) {
+    const now = Date.now();
+    this.profile.tool_call_counts[toolName] = (this.profile.tool_call_counts[toolName] ?? 0) + 1;
+    if (!this.callWindows.has(toolName)) {
+      this.callWindows.set(toolName, []);
+    }
+    const window = this.callWindows.get(toolName);
+    window.push(now);
+    const cutoff = now - 6e4;
+    while (window.length > 0 && window[0] < cutoff) {
+      window.shift();
+    }
+  }
+  /**
+   * Record a namespace access.
+   * @returns true if this is a new namespace (not in baseline)
+   */
+  recordNamespaceAccess(namespace) {
+    if (namespace.startsWith("_")) return false;
+    const isNew = !this.profile.known_namespaces.includes(namespace);
+    if (isNew) {
+      this.profile.known_namespaces.push(namespace);
+    }
+    return isNew;
+  }
+  /**
+   * Record a namespace read for bulk-read detection.
+   * @returns the number of reads in the current 60-second window
+   */
+  recordNamespaceRead(namespace) {
+    const now = Date.now();
+    if (!this.readWindows.has(namespace)) {
+      this.readWindows.set(namespace, []);
+    }
+    const window = this.readWindows.get(namespace);
+    window.push(now);
+    const cutoff = now - 6e4;
+    while (window.length > 0 && window[0] < cutoff) {
+      window.shift();
+    }
+    return window.length;
+  }
+  /**
+   * Record a counterparty DID interaction.
+   * @returns true if this is a new counterparty (not in baseline)
+   */
+  recordCounterparty(did) {
+    const isNew = !this.profile.known_counterparties.includes(did);
+    if (isNew) {
+      this.profile.known_counterparties.push(did);
+    }
+    return isNew;
+  }
+  /**
+   * Record a signing operation.
+   * @returns the number of signs in the current 60-second window
+   */
+  recordSign() {
+    const now = Date.now();
+    this.signWindow.push(now);
+    const cutoff = now - 6e4;
+    while (this.signWindow.length > 0 && this.signWindow[0] < cutoff) {
+      this.signWindow.shift();
+    }
+    return this.signWindow.length;
+  }
+  /**
+   * Get the current call rate for a tool (calls per minute).
+   */
+  getCallRate(toolName) {
+    return this.callWindows.get(toolName)?.length ?? 0;
+  }
+  /**
+   * Get the average call rate across all tools in the baseline.
+   */
+  getAverageCallRate() {
+    let total = 0;
+    let count = 0;
+    for (const window of this.callWindows.values()) {
+      total += window.length;
+      count++;
+    }
+    return count > 0 ? total / count : 0;
+  }
+  /** Whether this is the first session */
+  get isFirstSession() {
+    return this.profile.is_first_session;
+  }
+  /** Get a read-only view of the current profile */
+  getProfile() {
+    return { ...this.profile };
+  }
+};
+// src/principal-policy/approval-channel.ts
+var StderrApprovalChannel = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async requestApproval(request) {
+    const prompt = this.formatPrompt(request);
+    process.stderr.write(prompt + "\n");
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    if (this.config.auto_deny) {
+      return {
+        decision: "deny",
+        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+        decided_by: "timeout"
+      };
+    } else {
+      return {
+        decision: "approve",
+        decided_at: (/* @__PURE__ */ new Date()).toISOString(),
+        decided_by: "auto"
+      };
+    }
+  }
+  formatPrompt(request) {
+    const tierLabel = request.tier === 1 ? "Tier 1 \u2014 always requires approval" : "Tier 2 \u2014 behavioral anomaly detected";
+    const contextLines = Object.entries(request.context).map(([k, v]) => `  ${k}: ${typeof v === "string" ? v : JSON.stringify(v)}`).join("\n");
+    return [
+      "",
+      "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557",
+      "\u2551  SANCTUARY: Approval Required                                    \u2551",
+      "\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563",
+      `\u2551  Operation:  ${request.operation.padEnd(50)}\u2551`,
+      `\u2551  ${tierLabel.padEnd(62)}\u2551`,
+      `\u2551  Reason:     ${request.reason.slice(0, 50).padEnd(50)}\u2551`,
+      "\u2551                                                                  \u2551",
+      `\u2551  Details:                                                        \u2551`,
+      ...contextLines.split("\n").map(
+        (line) => `\u2551    ${line.padEnd(60)}\u2551`
+      ),
+      "\u2551                                                                  \u2551",
+      this.config.auto_deny ? "\u2551  Auto-denying (configure approval_channel.auto_deny to change)  \u2551" : "\u2551  Auto-approving (informational mode)                            \u2551",
+      "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D",
+      ""
+    ].join("\n");
+  }
+};
+// src/principal-policy/gate.ts
+var ApprovalGate = class {
+  policy;
+  baseline;
+  channel;
+  auditLog;
+  constructor(policy, baseline, channel, auditLog) {
+    this.policy = policy;
+    this.baseline = baseline;
+    this.channel = channel;
+    this.auditLog = auditLog;
+  }
+  /**
+   * Evaluate a tool call against the Principal Policy.
+   *
+   * @param toolName - Full MCP tool name (e.g., "sanctuary/state_export")
+   * @param args - Tool call arguments (for context extraction)
+   * @returns GateResult indicating whether the call is allowed
+   */
+  async evaluate(toolName, args) {
+    const operation = extractOperationName(toolName);
+    this.baseline.recordToolCall(operation);
+    if (this.policy.tier1_always_approve.includes(operation)) {
+      return this.requestApproval(operation, 1, `"${operation}" is a Tier 1 operation (always requires approval)`, {
+        operation,
+        args_summary: this.summarizeArgs(args)
+      });
+    }
+    const anomaly = this.detectAnomaly(operation, args);
+    if (anomaly) {
+      return this.requestApproval(operation, 2, anomaly.reason, anomaly.context);
+    }
+    this.auditLog.append("l2", `gate_allow:${operation}`, "system", {
+      tier: 3,
+      operation
+    });
+    return {
+      allowed: true,
+      tier: 3,
+      reason: "Operation allowed (Tier 3)",
+      approval_required: false
+    };
+  }
+  /**
+   * Detect Tier 2 behavioral anomalies.
+   */
+  detectAnomaly(operation, args) {
+    const config = this.policy.tier2_anomaly;
+    if (this.baseline.isFirstSession && config.first_session_policy === "approve") {
+      if (!this.policy.tier3_always_allow.includes(operation)) {
+        return {
+          reason: `First session: "${operation}" has no established baseline`,
+          context: { operation, is_first_session: true }
+        };
+      }
+    }
+    if (config.new_namespace_access === "approve") {
+      const namespace = args.namespace;
+      if (namespace) {
+        const isNew = this.baseline.recordNamespaceAccess(namespace);
+        if (isNew) {
+          return {
+            reason: `First access to namespace "${namespace}" (not in session baseline)`,
+            context: {
+              operation,
+              namespace,
+              known_namespaces: this.baseline.getProfile().known_namespaces
+            }
+          };
+        }
+      }
+    } else if (config.new_namespace_access === "log") {
+      const namespace = args.namespace;
+      if (namespace) {
+        this.baseline.recordNamespaceAccess(namespace);
+      }
+    }
+    if (config.new_counterparty === "approve") {
+      const counterpartyDid = args.counterparty_did ?? args.agent_identity_id;
+      if (counterpartyDid) {
+        const isNew = this.baseline.recordCounterparty(counterpartyDid);
+        if (isNew) {
+          return {
+            reason: `First interaction with counterparty "${counterpartyDid}"`,
+            context: {
+              operation,
+              counterparty_did: counterpartyDid,
+              known_counterparties: this.baseline.getProfile().known_counterparties
+            }
+          };
+        }
+      }
+    } else if (config.new_counterparty === "log") {
+      const counterpartyDid = args.counterparty_did;
+      if (counterpartyDid) {
+        this.baseline.recordCounterparty(counterpartyDid);
+      }
+    }
+    if (operation === "identity_sign") {
+      const signCount = this.baseline.recordSign();
+      if (signCount > config.max_signs_per_minute) {
+        return {
+          reason: `Signing frequency (${signCount}/min) exceeds limit (${config.max_signs_per_minute}/min)`,
+          context: {
+            operation,
+            signs_per_minute: signCount,
+            limit: config.max_signs_per_minute
+          }
+        };
+      }
+    }
+    if (operation === "state_read") {
+      const namespace = args.namespace;
+      if (namespace) {
+        const readCount = this.baseline.recordNamespaceRead(namespace);
+        if (readCount > config.bulk_read_threshold) {
+          return {
+            reason: `Bulk read detected: ${readCount} reads from "${namespace}" in 60 seconds (threshold: ${config.bulk_read_threshold})`,
+            context: {
+              operation,
+              namespace,
+              reads_in_window: readCount,
+              threshold: config.bulk_read_threshold
+            }
+          };
+        }
+      }
+    }
+    const callRate = this.baseline.getCallRate(operation);
+    const avgRate = this.baseline.getAverageCallRate();
+    if (avgRate > 0 && callRate > avgRate * config.frequency_spike_multiplier) {
+      return {
+        reason: `Frequency spike: "${operation}" at ${callRate}/min (${config.frequency_spike_multiplier}\xD7 above average ${avgRate.toFixed(1)}/min)`,
+        context: {
+          operation,
+          current_rate: callRate,
+          average_rate: avgRate,
+          multiplier: config.frequency_spike_multiplier
+        }
+      };
+    }
+    return null;
+  }
+  /**
+   * Request approval from the human principal.
+   */
+  async requestApproval(operation, tier, reason, context) {
+    const request = {
+      operation,
+      tier,
+      reason,
+      context,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const response = await this.channel.requestApproval(request);
+    this.auditLog.append("l2", `gate_${response.decision}:${operation}`, "system", {
+      tier,
+      reason,
+      decided_by: response.decided_by
+    });
+    return {
+      allowed: response.decision === "approve",
+      tier,
+      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : reason,
+      approval_required: true,
+      approval_response: response
+    };
+  }
+  /**
+   * Summarize tool arguments for the approval prompt.
+   * Strips potentially large values to keep the prompt readable.
+   */
+  summarizeArgs(args) {
+    const summary = {};
+    for (const [key, value] of Object.entries(args)) {
+      if (typeof value === "string" && value.length > 100) {
+        summary[key] = value.slice(0, 100) + "...";
+      } else {
+        summary[key] = value;
+      }
+    }
+    return summary;
+  }
+  /** Get the baseline tracker for saving at session end */
+  getBaseline() {
+    return this.baseline;
+  }
+};
+// src/principal-policy/tools.ts
+function createPrincipalPolicyTools(policy, baseline, auditLog) {
+  return [
+    {
+      name: "sanctuary/principal_policy_view",
+      description: "View the current Principal Policy \u2014 the human-controlled rules governing what operations require approval. Read-only.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          include_defaults: {
+            type: "boolean",
+            description: "Include tier3_always_allow list (can be long)",
+            default: false
+          }
+        }
+      },
+      handler: async (args) => {
+        const includeDefaults = args.include_defaults ?? false;
+        const view = {
+          version: policy.version,
+          tier1_always_approve: policy.tier1_always_approve,
+          tier2_anomaly: policy.tier2_anomaly,
+          approval_channel: {
+            type: policy.approval_channel.type,
+            timeout_seconds: policy.approval_channel.timeout_seconds,
+            auto_deny: policy.approval_channel.auto_deny
+          }
+        };
+        if (includeDefaults) {
+          view.tier3_always_allow = policy.tier3_always_allow;
+        } else {
+          view.tier3_always_allow_count = policy.tier3_always_allow.length;
+          view.note = "Pass include_defaults: true to see the full tier3_always_allow list";
+        }
+        auditLog.append("l2", "principal_policy_view", "system", {
+          include_defaults: includeDefaults
+        });
+        return toolResult(view);
+      }
+    },
+    {
+      name: "sanctuary/principal_baseline_view",
+      description: "View the current behavioral baseline \u2014 the session profile used for anomaly detection. Shows known namespaces, counterparties, and tool call counts. Read-only.",
+      inputSchema: {
+        type: "object",
+        properties: {}
+      },
+      handler: async () => {
+        const profile = baseline.getProfile();
+        auditLog.append("l2", "principal_baseline_view", "system");
+        return toolResult({
+          is_first_session: profile.is_first_session,
+          session_started_at: profile.started_at,
+          known_namespaces: profile.known_namespaces,
+          known_counterparties: profile.known_counterparties,
+          tool_call_counts: profile.tool_call_counts,
+          last_saved: profile.saved_at ?? "not yet saved"
+        });
+      }
+    }
+  ];
+}
+// src/shr/types.ts
+function deepSortKeys(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(deepSortKeys);
+  const sorted = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = deepSortKeys(obj[key]);
+  }
+  return sorted;
+}
+function canonicalizeForSigning(body) {
+  return JSON.stringify(deepSortKeys(body));
+}
+// src/shr/generator.ts
+init_encoding();
+var DEFAULT_VALIDITY_MS = 60 * 60 * 1e3;
+function generateSHR(identityId, opts) {
+  const { config, identityManager, masterKey, validityMs } = opts;
+  const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+  if (!identity) {
+    return "No identity available for signing. Create an identity first.";
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));
+  const degradations = [];
+  if (config.execution.environment === "local-process") {
+    degradations.push({
+      layer: "l2",
+      code: "PROCESS_ISOLATION_ONLY",
+      severity: "warning",
+      description: "Process-level isolation only (no TEE)",
+      mitigation: "TEE support planned for v0.3.0"
+    });
+    degradations.push({
+      layer: "l2",
+      code: "SELF_REPORTED_ATTESTATION",
+      severity: "warning",
+      description: "Attestation is self-reported (no hardware root of trust)",
+      mitigation: "TEE attestation planned for v0.3.0"
+    });
+  }
+  if (config.disclosure.proof_system === "commitment-only") {
+    degradations.push({
+      layer: "l3",
+      code: "COMMITMENT_ONLY",
+      severity: "info",
+      description: "Commitment schemes only (no ZK proofs)",
+      mitigation: "ZK proof support planned for future release"
+    });
+  }
+  const body = {
+    shr_version: "1.0",
+    instance_id: identity.identity_id,
+    generated_at: now.toISOString(),
+    expires_at: expiresAt.toISOString(),
+    layers: {
+      l1: {
+        status: "active",
+        encryption: config.state.encryption,
+        key_custody: "self",
+        integrity: config.state.integrity,
+        identity_type: config.state.identity_provider,
+        state_portable: true
+      },
+      l2: {
+        status: config.execution.environment === "local-process" ? "degraded" : "active",
+        isolation_type: config.execution.environment,
+        attestation_available: config.execution.attestation
+      },
+      l3: {
+        status: config.disclosure.proof_system === "commitment-only" ? "degraded" : "active",
+        proof_system: config.disclosure.proof_system,
+        selective_disclosure: config.disclosure.proof_system !== "commitment-only"
+      },
+      l4: {
+        status: "active",
+        reputation_mode: config.reputation.mode,
+        attestation_format: config.reputation.attestation_format,
+        reputation_portable: true
+      }
+    },
+    capabilities: {
+      handshake: true,
+      shr_exchange: true,
+      reputation_verify: true,
+      encrypted_channel: false
+      // Not yet implemented
+    },
+    degradations
+  };
+  const canonical = canonicalizeForSigning(body);
+  const payload = stringToBytes(canonical);
+  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const signatureBytes = sign(
+    payload,
+    identity.encrypted_private_key,
+    encryptionKey
+  );
+  return {
+    body,
+    signed_by: identity.public_key,
+    signature: toBase64url(signatureBytes)
+  };
+}
+// src/shr/verifier.ts
+init_encoding();
+function verifySHR(shr, now) {
+  const errors = [];
+  const warnings = [];
+  const currentTime = /* @__PURE__ */ new Date();
+  if (!shr.body || !shr.signed_by || !shr.signature) {
+    errors.push("Missing required SHR fields (body, signed_by, or signature)");
+    return {
+      valid: false,
+      errors,
+      warnings,
+      sovereignty_level: "minimal",
+      counterparty_id: shr.body?.instance_id ?? "unknown",
+      expires_at: shr.body?.expires_at ?? "unknown"
+    };
+  }
+  if (shr.body.shr_version !== "1.0") {
+    errors.push(`Unsupported SHR version: ${shr.body.shr_version}`);
+  }
+  const expiresAt = new Date(shr.body.expires_at);
+  if (isNaN(expiresAt.getTime())) {
+    errors.push("Invalid expires_at timestamp");
+  } else if (currentTime > expiresAt) {
+    errors.push(`SHR expired at ${shr.body.expires_at}`);
+  }
+  const generatedAt = new Date(shr.body.generated_at);
+  if (isNaN(generatedAt.getTime())) {
+    errors.push("Invalid generated_at timestamp");
+  } else if (generatedAt > currentTime) {
+    warnings.push("SHR generated_at is in the future \u2014 clock skew detected");
+  }
+  try {
+    const publicKey = fromBase64url(shr.signed_by);
+    const signatureBytes = fromBase64url(shr.signature);
+    const canonical = canonicalizeForSigning(shr.body);
+    const payload = stringToBytes(canonical);
+    const signatureValid = verify(payload, signatureBytes, publicKey);
+    if (!signatureValid) {
+      errors.push("Invalid signature \u2014 SHR may have been tampered with");
+    }
+  } catch (e) {
+    errors.push(`Signature verification failed: ${e.message}`);
+  }
+  const { layers } = shr.body;
+  if (!layers.l1 || !layers.l2 || !layers.l3 || !layers.l4) {
+    errors.push("Missing one or more layer definitions");
+  }
+  const sovereigntyLevel = assessSovereigntyLevel(shr.body);
+  for (const d of shr.body.degradations ?? []) {
+    if (d.severity === "critical") {
+      warnings.push(`Critical degradation in ${d.layer}: ${d.description}`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+    warnings,
+    sovereignty_level: sovereigntyLevel,
+    counterparty_id: shr.body.instance_id,
+    expires_at: shr.body.expires_at
+  };
+}
+function assessSovereigntyLevel(body) {
+  const { l1, l2, l3, l4 } = body.layers;
+  if (l1.status === "active" && l2.status === "active" && l3.status === "active" && l4.status === "active") {
+    return "full";
+  }
+  if (l1.status !== "active") {
+    return "minimal";
+  }
+  if (l4.status === "active" || l4.status === "degraded") {
+    return "degraded";
+  }
+  return "minimal";
+}
+// src/shr/tools.ts
+function createSHRTools(config, identityManager, masterKey, auditLog) {
+  const generatorOpts = {
+    config,
+    identityManager,
+    masterKey
+  };
+  const tools = [
+    {
+      name: "sanctuary/shr_generate",
+      description: "Generate a signed Sovereignty Health Report (SHR) \u2014 a machine-readable, cryptographically signed advertisement of this instance's sovereignty posture. Present this to counterparties to prove your sovereignty capabilities.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          identity_id: {
+            type: "string",
+            description: "Identity to sign the SHR with. Defaults to primary identity."
+          },
+          validity_minutes: {
+            type: "number",
+            description: "How long the SHR is valid (minutes). Default: 60."
+          }
+        }
+      },
+      handler: async (args) => {
+        const validityMs = args.validity_minutes ? args.validity_minutes * 60 * 1e3 : void 0;
+        const result = generateSHR(args.identity_id, {
+          ...generatorOpts,
+          validityMs
+        });
+        if (typeof result === "string") {
+          return toolResult({ error: result });
+        }
+        auditLog.append("l2", "shr_generate", result.body.instance_id);
+        return toolResult(result);
+      }
+    },
+    {
+      name: "sanctuary/shr_verify",
+      description: "Verify a counterparty's Sovereignty Health Report (SHR). Checks signature validity, temporal validity, and assesses sovereignty level.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          shr: {
+            type: "object",
+            description: "The signed SHR to verify (full SignedSHR object)."
+          }
+        },
+        required: ["shr"]
+      },
+      handler: async (args) => {
+        const shr = args.shr;
+        const result = verifySHR(shr);
+        auditLog.append(
+          "l2",
+          "shr_verify",
+          result.counterparty_id,
+          void 0,
+          result.valid ? "success" : "failure"
+        );
+        return toolResult(result);
+      }
+    }
+  ];
+  return { tools };
+}
+// src/handshake/protocol.ts
+init_encoding();
+function generateNonce() {
+  return toBase64url(randomBytes(32));
+}
+function initiateHandshake(ourSHR) {
+  const nonce = generateNonce();
+  const sessionId = toBase64url(randomBytes(16));
+  const challenge = {
+    protocol_version: "1.0",
+    shr: ourSHR,
+    nonce,
+    initiated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const session = {
+    session_id: sessionId,
+    role: "initiator",
+    state: "initiated",
+    our_nonce: nonce,
+    our_shr: ourSHR,
+    initiated_at: challenge.initiated_at
+  };
+  return { challenge, session };
+}
+function respondToHandshake(challenge, ourSHR, identityManager, masterKey, identityId) {
+  if (challenge.protocol_version !== "1.0") {
+    return { error: `Unsupported protocol version: ${challenge.protocol_version}` };
+  }
+  const shrResult = verifySHR(challenge.shr);
+  if (!shrResult.valid) {
+    return { error: `Initiator SHR verification failed: ${shrResult.errors.join(", ")}` };
+  }
+  const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+  if (!identity) {
+    return { error: "No identity available for signing" };
+  }
+  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const nonceBytes = stringToBytes(challenge.nonce);
+  const nonceSignature = sign(
+    nonceBytes,
+    identity.encrypted_private_key,
+    encryptionKey
+  );
+  const responderNonce = generateNonce();
+  const response = {
+    protocol_version: "1.0",
+    shr: ourSHR,
+    responder_nonce: responderNonce,
+    initiator_nonce_signature: toBase64url(nonceSignature),
+    responded_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const session = {
+    session_id: toBase64url(randomBytes(16)),
+    role: "responder",
+    state: "responded",
+    our_nonce: responderNonce,
+    their_nonce: challenge.nonce,
+    our_shr: ourSHR,
+    their_shr: challenge.shr,
+    initiated_at: challenge.initiated_at
+  };
+  return { response, session };
+}
+function completeHandshake(response, session, identityManager, masterKey, identityId) {
+  if (response.protocol_version !== "1.0") {
+    return { error: `Unsupported protocol version: ${response.protocol_version}` };
+  }
+  const shrResult = verifySHR(response.shr);
+  if (!shrResult.valid) {
+    return { error: `Responder SHR verification failed: ${shrResult.errors.join(", ")}` };
+  }
+  const responderPublicKey = fromBase64url(response.shr.signed_by);
+  const ourNonceBytes = stringToBytes(session.our_nonce);
+  const nonceSignatureBytes = fromBase64url(response.initiator_nonce_signature);
+  const nonceSignatureValid = verify(
+    ourNonceBytes,
+    nonceSignatureBytes,
+    responderPublicKey
+  );
+  if (!nonceSignatureValid) {
+    return { error: "Responder's nonce signature is invalid \u2014 possible replay or MITM" };
+  }
+  const identity = identityManager.getDefault();
+  if (!identity) {
+    return { error: "No identity available for signing" };
+  }
+  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const responderNonceBytes = stringToBytes(response.responder_nonce);
+  const responderNonceSignature = sign(
+    responderNonceBytes,
+    identity.encrypted_private_key,
+    encryptionKey
+  );
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const completion = {
+    protocol_version: "1.0",
+    responder_nonce_signature: toBase64url(responderNonceSignature),
+    completed_at: now
+  };
+  const sovereigntyLevel = shrResult.sovereignty_level;
+  const trustTier = deriveTrustTier(sovereigntyLevel);
+  const result = {
+    counterparty_id: shrResult.counterparty_id,
+    counterparty_shr: response.shr,
+    verified: true,
+    sovereignty_level: sovereigntyLevel,
+    trust_tier: trustTier,
+    completed_at: now,
+    expires_at: shrResult.expires_at,
+    errors: []
+  };
+  return { completion, result };
+}
+function verifyCompletion(completion, session) {
+  const errors = [];
+  if (!session.their_shr) {
+    return {
+      counterparty_id: "unknown",
+      counterparty_shr: session.our_shr,
+      // placeholder
+      verified: false,
+      sovereignty_level: "unverified",
+      trust_tier: "unverified",
+      completed_at: completion.completed_at,
+      expires_at: (/* @__PURE__ */ new Date()).toISOString(),
+      errors: ["No initiator SHR in session state"]
+    };
+  }
+  const initiatorPublicKey = fromBase64url(session.their_shr.signed_by);
+  const ourNonceBytes = stringToBytes(session.our_nonce);
+  const nonceSignatureBytes = fromBase64url(completion.responder_nonce_signature);
+  const nonceSignatureValid = verify(
+    ourNonceBytes,
+    nonceSignatureBytes,
+    initiatorPublicKey
+  );
+  if (!nonceSignatureValid) {
+    errors.push("Initiator's nonce signature is invalid \u2014 possible replay or MITM");
+  }
+  const shrResult = verifySHR(session.their_shr);
+  if (!shrResult.valid) {
+    errors.push(...shrResult.errors);
+  }
+  const verified = errors.length === 0;
+  const sovereigntyLevel = verified ? shrResult.sovereignty_level : "unverified";
+  return {
+    counterparty_id: session.their_shr.body.instance_id,
+    counterparty_shr: session.their_shr,
+    verified,
+    sovereignty_level: sovereigntyLevel,
+    trust_tier: deriveTrustTier(sovereigntyLevel),
+    completed_at: completion.completed_at,
+    expires_at: session.their_shr.body.expires_at,
+    errors
+  };
+}
+function deriveTrustTier(level) {
+  switch (level) {
+    case "full":
+      return "verified-sovereign";
+    case "degraded":
+      return "verified-degraded";
+    default:
+      return "unverified";
+  }
+}
+// src/handshake/tools.ts
+function createHandshakeTools(config, identityManager, masterKey, auditLog) {
+  const sessions = /* @__PURE__ */ new Map();
+  const shrOpts = {
+    config,
+    identityManager,
+    masterKey
+  };
+  const tools = [
+    {
+      name: "sanctuary/handshake_initiate",
+      description: "Initiate a sovereignty handshake with a counterparty. Generates a challenge containing this instance's signed SHR and a cryptographic nonce. Send the returned challenge to the counterparty.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          identity_id: {
+            type: "string",
+            description: "Identity to use for the handshake. Defaults to primary identity."
+          }
+        }
+      },
+      handler: async (args) => {
+        const shr = generateSHR(args.identity_id, shrOpts);
+        if (typeof shr === "string") {
+          return toolResult({ error: shr });
+        }
+        const { challenge, session } = initiateHandshake(shr);
+        sessions.set(session.session_id, session);
+        auditLog.append("l4", "handshake_initiate", shr.body.instance_id);
+        return toolResult({
+          session_id: session.session_id,
+          challenge,
+          instructions: "Send the 'challenge' object to the counterparty's sanctuary/handshake_respond tool. When you receive their response, pass it to sanctuary/handshake_complete with this session_id."
+        });
+      }
+    },
+    {
+      name: "sanctuary/handshake_respond",
+      description: "Respond to an incoming sovereignty handshake challenge. Verifies the initiator's SHR, signs their nonce, and returns our SHR with a counter-nonce.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          challenge: {
+            type: "object",
+            description: "The HandshakeChallenge received from the initiator."
+          },
+          identity_id: {
+            type: "string",
+            description: "Identity to use for the response. Defaults to primary identity."
+          }
+        },
+        required: ["challenge"]
+      },
+      handler: async (args) => {
+        const challenge = args.challenge;
+        const shr = generateSHR(args.identity_id, shrOpts);
+        if (typeof shr === "string") {
+          return toolResult({ error: shr });
+        }
+        const result = respondToHandshake(
+          challenge,
+          shr,
+          identityManager,
+          masterKey,
+          args.identity_id
+        );
+        if ("error" in result) {
+          auditLog.append("l4", "handshake_respond", shr.body.instance_id, void 0, "failure");
+          return toolResult({ error: result.error });
+        }
+        sessions.set(result.session.session_id, result.session);
+        auditLog.append("l4", "handshake_respond", shr.body.instance_id);
+        return toolResult({
+          session_id: result.session.session_id,
+          response: result.response,
+          instructions: "Send the 'response' object back to the initiator. When you receive their completion, pass it to sanctuary/handshake_status with this session_id."
+        });
+      }
+    },
+    {
+      name: "sanctuary/handshake_complete",
+      description: "Complete a sovereignty handshake (initiator side). Verifies the responder's SHR and nonce signature, signs their nonce, and produces the final result.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          session_id: {
+            type: "string",
+            description: "Session ID from handshake_initiate."
+          },
+          response: {
+            type: "object",
+            description: "The HandshakeResponse received from the responder."
+          }
+        },
+        required: ["session_id", "response"]
+      },
+      handler: async (args) => {
+        const sessionId = args.session_id;
+        const response = args.response;
+        const session = sessions.get(sessionId);
+        if (!session) {
+          return toolResult({ error: `No handshake session found: ${sessionId}` });
+        }
+        if (session.state !== "initiated") {
+          return toolResult({
+            error: `Session is in state '${session.state}', expected 'initiated'`
+          });
+        }
+        const result = completeHandshake(
+          response,
+          session,
+          identityManager,
+          masterKey
+        );
+        if ("error" in result) {
+          session.state = "failed";
+          auditLog.append("l4", "handshake_complete", session.our_shr.body.instance_id, void 0, "failure");
+          return toolResult({ error: result.error });
+        }
+        session.state = "completed";
+        session.their_shr = response.shr;
+        session.their_nonce = response.responder_nonce;
+        session.result = result.result;
+        auditLog.append("l4", "handshake_complete", session.our_shr.body.instance_id);
+        return toolResult({
+          completion: result.completion,
+          result: result.result,
+          instructions: "Send the 'completion' object to the responder so they can verify the handshake. The 'result' object contains the verified counterparty status and trust tier."
+        });
+      }
+    },
+    {
+      name: "sanctuary/handshake_status",
+      description: "Check the status of a handshake session, or verify a completion message (responder side).",
+      inputSchema: {
+        type: "object",
+        properties: {
+          session_id: {
+            type: "string",
+            description: "Session ID to check."
+          },
+          completion: {
+            type: "object",
+            description: "Optional: HandshakeCompletion from the initiator (responder-side verification)."
+          }
+        },
+        required: ["session_id"]
+      },
+      handler: async (args) => {
+        const sessionId = args.session_id;
+        const completion = args.completion;
+        const session = sessions.get(sessionId);
+        if (!session) {
+          return toolResult({ error: `No handshake session found: ${sessionId}` });
+        }
+        if (completion && session.role === "responder" && session.state === "responded") {
+          const result = verifyCompletion(completion, session);
+          session.state = result.verified ? "completed" : "failed";
+          session.result = result;
+          auditLog.append(
+            "l4",
+            "handshake_verify_completion",
+            session.our_shr.body.instance_id,
+            void 0,
+            result.verified ? "success" : "failure"
+          );
+          return toolResult({ result });
+        }
+        return toolResult({
+          session_id: session.session_id,
+          role: session.role,
+          state: session.state,
+          initiated_at: session.initiated_at,
+          result: session.result ?? null
+        });
+      }
+    }
+  ];
+  return { tools };
+}
+// src/index.ts
+init_encoding();
+async function createSanctuaryServer(options) {
+  const config = await loadConfig(options?.configPath);
+  await promises.mkdir(config.storage_path, { recursive: true, mode: 448 });
+  const storage = options?.storage ?? new FilesystemStorage(
+    `${config.storage_path}/state`
+  );
+  let masterKey;
+  let keyProtection;
+  let recoveryKey;
+  const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;
+  if (passphrase) {
+    keyProtection = "passphrase";
+    let existingParams;
+    try {
+      const raw = await storage.read("_meta", "key-params");
+      if (raw) {
+        const { bytesToString: bytesToString2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+        existingParams = JSON.parse(bytesToString2(raw));
+      }
+    } catch {
+    }
+    const result = await deriveMasterKey(passphrase, existingParams);
+    masterKey = result.key;
+    if (!existingParams) {
+      const { stringToBytes: stringToBytes2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+      await storage.write(
+        "_meta",
+        "key-params",
+        stringToBytes2(JSON.stringify(result.params))
+      );
+    }
+  } else {
+    keyProtection = "recovery-key";
+    const existing = await storage.read("_meta", "recovery-key-hash");
+    if (existing) {
+      masterKey = generateRandomKey();
+      recoveryKey = toBase64url(masterKey);
+    } else {
+      masterKey = generateRandomKey();
+      recoveryKey = toBase64url(masterKey);
+      const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
+      const { stringToBytes: stringToBytes2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+      const keyHash = hashToString2(masterKey);
+      await storage.write(
+        "_meta",
+        "recovery-key-hash",
+        stringToBytes2(keyHash)
+      );
+    }
+  }
+  const auditLog = new AuditLog(storage, masterKey);
+  const stateStore = new StateStore(storage, masterKey);
+  const { tools: l1Tools, identityManager } = createL1Tools(
+    stateStore,
+    storage,
+    masterKey,
+    keyProtection,
+    auditLog
+  );
+  await identityManager.load();
+  const l2Tools = [
+    {
+      name: "sanctuary/exec_attest",
+      description: "Generate an attestation of the current execution environment, including sovereignty assessment and degradation report.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          include_hardware: { type: "boolean", default: true },
+          include_software: { type: "boolean", default: true },
+          include_network: { type: "boolean", default: true }
+        }
+      },
+      handler: async () => {
+        const degradations = [];
+        degradations.push(
+          "L2 isolation is process-level only; no TEE available"
+        );
+        if (config.disclosure.proof_system === "commitment-only") {
+          degradations.push(
+            "L3 proofs are commitment-based only; ZK proofs not yet available"
+          );
+        }
+        return toolResult({
+          attestation: {
+            environment_type: config.execution.environment,
+            hardware: {
+              cpu_vendor: process.arch,
+              tee_available: false,
+              tee_type: void 0
+            },
+            software: {
+              os: `${process.platform}-${process.arch}`,
+              runtime: `node-${process.version}`,
+              sanctuary_version: config.version,
+              mcp_sdk_version: "1.26.0"
+            },
+            network: {
+              internet_accessible: true,
+              // Conservative assumption
+              listening_ports: [],
+              egress_restricted: false
+            },
+            isolation_level: "process",
+            sovereignty_assessment: {
+              l1_state_encrypted: true,
+              l2_execution_isolated: false,
+              l2_isolation_type: "process-level",
+              l3_proofs_available: config.disclosure.proof_system !== "commitment-only",
+              l4_reputation_active: true,
+              overall_level: "mvs",
+              degradations
+            }
+          },
+          attested_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    {
+      name: "sanctuary/monitor_health",
+      description: "Sanctuary Health Report (SHR) \u2014 standardized sovereignty status.",
+      inputSchema: { type: "object", properties: {} },
+      handler: async () => {
+        const storageSizeBytes = await storage.totalSize();
+        const degradations = [];
+        degradations.push({
+          layer: "l2",
+          description: "Process-level isolation only (no TEE)",
+          severity: "warning",
+          mitigation: "TEE support planned for v0.3.0"
+        });
+        if (config.disclosure.proof_system === "commitment-only") {
+          degradations.push({
+            layer: "l3",
+            description: "Commitment schemes only (no ZK proofs)",
+            severity: "info",
+            mitigation: "ZK proof support planned for v0.2.0"
+          });
+        }
+        return toolResult({
+          status: degradations.some((d) => d.severity === "critical") ? "compromised" : degradations.some((d) => d.severity === "warning") ? "degraded" : "healthy",
+          storage_bytes: storageSizeBytes,
+          layers: {
+            l1: {
+              status: "active",
+              encryption_algorithm: "aes-256-gcm",
+              key_count: identityManager.list().length,
+              state_integrity: "verified",
+              last_integrity_check: (/* @__PURE__ */ new Date()).toISOString()
+            },
+            l2: {
+              status: "degraded",
+              isolation_type: "process-level",
+              attestation_available: true,
+              last_attestation: (/* @__PURE__ */ new Date()).toISOString()
+            },
+            l3: {
+              status: config.disclosure.proof_system === "commitment-only" ? "degraded" : "active",
+              proof_system: config.disclosure.proof_system,
+              circuits_loaded: 0,
+              proofs_generated_total: 0
+            },
+            l4: {
+              status: "active",
+              mode: config.reputation.mode,
+              interaction_count: 0,
+              // TODO: track from reputation store
+              reputation_exportable: true
+            }
+          },
+          degradations,
+          checked_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    {
+      name: "sanctuary/monitor_audit_log",
+      description: "Query the sovereignty audit log.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          since: { type: "string", description: "ISO 8601 timestamp" },
+          layer: {
+            type: "string",
+            enum: ["l1", "l2", "l3", "l4"]
+          },
+          operation_type: { type: "string" },
+          limit: { type: "number", default: 50 }
+        }
+      },
+      handler: async (args) => {
+        const result = await auditLog.query({
+          since: args.since,
+          layer: args.layer,
+          operation_type: args.operation_type,
+          limit: args.limit ?? 50
+        });
+        return toolResult(result);
+      }
+    }
+  ];
+  const manifestTool = {
+    name: "sanctuary/manifest",
+    description: "Generate the Sanctuary Interface Manifest (SIM) \u2014 a machine-readable declaration of this server's capabilities.",
+    inputSchema: { type: "object", properties: {} },
+    handler: async () => {
+      return toolResult({
+        sanctuary_version: "0.2",
+        implementation: {
+          name: "@sanctuary-framework/mcp-server",
+          version: config.version,
+          language: "typescript",
+          license: "Apache-2.0"
+        },
+        layers: {
+          l1: {
+            implemented: true,
+            interfaces: ["StateStore", "IdentityRoot"],
+            encryption: ["aes-256-gcm"],
+            identity: ["ed25519"],
+            properties: {
+              "S1.1_participant_held_keys": "full",
+              "S1.2_encryption_at_rest": "full",
+              "S1.3_integrity_verification": "full",
+              "S1.4_selective_state_sharing": "full",
+              "S1.5_state_portability": "full",
+              "S1.6_deletion_rights": "full",
+              "S1.7_identity_anchoring": "partial"
+            }
+          },
+          l2: {
+            implemented: true,
+            interfaces: ["ExecutionEnvironment", "RuntimeMonitor"],
+            isolation_types: [config.execution.environment],
+            properties: {
+              "S2.1_execution_confidentiality": "documented",
+              "S2.2_verifiable_execution": "self-reported",
+              "S2.5_attestation": "self-reported"
+            }
+          },
+          l3: {
+            implemented: true,
+            interfaces: ["ProofEngine", "DisclosurePolicy"],
+            proof_systems: [config.disclosure.proof_system],
+            properties: {
+              "S3.1_minimum_disclosure": "policy-based",
+              "S3.3_proof_without_revelation": "commitment"
+            }
+          },
+          l4: {
+            implemented: true,
+            interfaces: ["ReputationStore", "TrustBootstrap"],
+            modes: [config.reputation.mode],
+            properties: {
+              "S4.1_earned_reputation": "full",
+              "S4.2_participant_owned": "full",
+              "S4.5_sybil_resistance": "basic",
+              "S4.7_trust_bootstrapping": "full"
+            }
+          }
+        },
+        composition: {
+          sim_version: "1.0",
+          spf_supported: false,
+          shr_supported: true,
+          delegation_depth: 1
+        },
+        limitations: [
+          "L1 identity uses ed25519 only; KERI support planned for v0.2.0",
+          "L2 isolation is process-level only; TEE support planned for v0.3.0",
+          "L3 uses commitment schemes only; ZK proofs planned for v0.2.0",
+          "L4 Sybil resistance is escrow-based only",
+          "Spec license: CC-BY-4.0 | Code license: Apache-2.0"
+        ]
+      });
+    }
+  };
+  const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);
+  const { tools: l4Tools } = createL4Tools(
+    storage,
+    masterKey,
+    identityManager,
+    auditLog
+  );
+  const policy = await loadPrincipalPolicy(config.storage_path);
+  const baseline = new BaselineTracker(storage, masterKey);
+  await baseline.load();
+  const approvalChannel = new StderrApprovalChannel(policy.approval_channel);
+  const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog);
+  const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);
+  const { tools: shrTools } = createSHRTools(
+    config,
+    identityManager,
+    masterKey,
+    auditLog
+  );
+  const { tools: handshakeTools } = createHandshakeTools(
+    config,
+    identityManager,
+    masterKey,
+    auditLog
+  );
+  const allTools = [
+    ...l1Tools,
+    ...l2Tools,
+    ...l3Tools,
+    ...l4Tools,
+    ...policyTools,
+    ...shrTools,
+    ...handshakeTools,
+    manifestTool
+  ];
+  const server = createServer(allTools, { gate });
+  await saveConfig(config);
+  const saveBaseline = () => {
+    baseline.save().catch(() => {
+    });
+  };
+  process.on("SIGINT", saveBaseline);
+  process.on("SIGTERM", saveBaseline);
+  if (recoveryKey) {
+    console.error(
+      `\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551  SANCTUARY: First Run \u2014 Recovery Key Generated          \u2551
+\u2551                                                          \u2551
+\u2551  Recovery Key: ${recoveryKey.slice(0, 20)}...             \u2551
+\u2551                                                          \u2551
+\u2551  SAVE THIS KEY. It will not be shown again.              \u2551
+\u2551  Without it, your encrypted state is unrecoverable.      \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D`
+    );
+  }
+  return { server, config };
+}
+// src/cli.ts
+async function main() {
+  const passphrase = process.env.SANCTUARY_PASSPHRASE;
+  const { server, config } = await createSanctuaryServer({ passphrase });
+  if (config.transport === "stdio") {
+    const transport = new stdio_js.StdioServerTransport();
+    await server.connect(transport);
+    console.error(`Sanctuary MCP Server v${config.version} running (stdio)`);
+    console.error(`Storage: ${config.storage_path}`);
+    console.error("Tools: all registered");
+  } else {
+    console.error("HTTP transport not yet implemented. Use stdio.");
+    process.exit(1);
+  }
+}
+main().catch((err) => {
+  console.error("Sanctuary MCP Server failed to start:", err);
+  process.exit(1);
+});
+//# sourceMappingURL=cli.cjs.map
+//# sourceMappingURL=cli.cjs.map