@sanctuary-framework/mcp-server 0.5.10 → 0.5.12

package/dist/index.d.cts

@@ -639,6 +639,16 @@ interface SHRLayerL2 {
     status: LayerStatus;
     isolation_type: string;
     attestation_available: boolean;
+    /** Model provenance: what inference model(s) power this agent */
+    model_provenance?: {
+        model_id: string;
+        model_name: string;
+        provider: string;
+        open_weights: boolean;
+        open_source: boolean;
+        local_inference: boolean;
+        weights_hash?: string;
+    };
 }
 interface SHRLayerL3 {
     status: LayerStatus;
@@ -1367,6 +1377,110 @@ declare function classifyField(fieldName: string): FieldClassification;
  */
 declare function recommendPolicy(context: Record<string, unknown>, provider?: string): PolicyRecommendation;
 
+/**
+ * Sanctuary MCP Server — L2 Model Provenance
+ *
+ * Declares and attests to the model(s) powering this agent.
+ *
+ * Vitalik Buterin's "Secure LLM" post (April 2026) identified a critical gap:
+ * open-weights-but-not-open-source models can have trained-in backdoors. Model
+ * provenance declaration lets agents and their operators verify the integrity
+ * of the inference backbone.
+ *
+ * Tracks: model name, version, weights hash, license, open-source status,
+ * training data hash (if available). Included in SHR L2 section.
+ *
+ * This sits in L2 (Operational Isolation) because it's part of the runtime
+ * attestation surface — the agent declares what model(s) it's actually running.
+ */
+/**
+ * Metadata about a single model powering this agent.
+ */
+interface ModelProvenance {
+    /** Machine-readable model ID (e.g., "qwen3.5-35b", "claude-opus-4", "llama-3.3-70b-instruct") */
+    model_id: string;
+    /** Human-readable model name (e.g., "Qwen 3.5", "Claude Opus 4", "Llama 3.3 70B Instruct") */
+    model_name: string;
+    /** Semantic version (e.g., "3.5", "4.0", "3.3") */
+    model_version: string;
+    /** Provider/vendor (e.g., "Alibaba Cloud", "Anthropic", "Meta", "local") */
+    provider: string;
+    /** SHA-256 of model weights file, if available and verifiable */
+    weights_hash?: string;
+    /** SHA-256 of training data manifest or metadata, if available */
+    training_data_hash?: string;
+    /** License identifier (e.g., "Apache-2.0", "CC-BY-4.0", "proprietary", "unknown") */
+    license: string;
+    /** True if model weights are publicly available (even if training is proprietary) */
+    open_weights: boolean;
+    /** True if full training code, data, and methodology are publicly available */
+    open_source: boolean;
+    /** True if inference runs on the local agent's hardware (not delegated to cloud API) */
+    local_inference: boolean;
+    /** ISO 8601 timestamp when this provenance was declared */
+    declared_at: string;
+}
+/**
+ * In-memory and persistent store for model provenance declarations.
+ * Declarations are encrypted under L1 sovereignty.
+ */
+interface ModelProvenanceStore {
+    /**
+     * Declare a model's provenance and add it to the store.
+     */
+    declare(provenance: ModelProvenance): void;
+    /**
+     * Retrieve a model's provenance by ID.
+     */
+    get(model_id: string): ModelProvenance | undefined;
+    /**
+     * List all declared models.
+     */
+    list(): ModelProvenance[];
+    /**
+     * Get the primary/main model (the one the agent uses by default for inference).
+     */
+    primary(): ModelProvenance | undefined;
+    /**
+     * Set which model is the primary.
+     */
+    setPrimary(model_id: string): void;
+}
+/**
+ * In-memory implementation of ModelProvenanceStore.
+ * Suitable for most use cases. For encrypted persistence, integrate with L1 state store.
+ */
+declare class InMemoryModelProvenanceStore implements ModelProvenanceStore {
+    private models;
+    private primaryModelId;
+    declare(provenance: ModelProvenance): void;
+    get(model_id: string): ModelProvenance | undefined;
+    list(): ModelProvenance[];
+    primary(): ModelProvenance | undefined;
+    setPrimary(model_id: string): void;
+}
+/**
+ * Common model provenance presets for quick initialization.
+ */
+declare const MODEL_PRESETS: {
+    /**
+     * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
+     */
+    claudeOpus4: () => ModelProvenance;
+    /**
+     * Qwen 3.5 via local inference (open weights, proprietary training)
+     */
+    qwen35Local: () => ModelProvenance;
+    /**
+     * Llama 3.3 70B via local inference (open weights and code)
+     */
+    llama33Local: () => ModelProvenance;
+    /**
+     * Mistral 7B (open weights, open code, local inference)
+     */
+    mistral7bLocal: () => ModelProvenance;
+};
+
 /**
  * Sanctuary MCP Server — Prompt Injection Detection Layer
  *
@@ -1969,8 +2083,15 @@ declare class IdentityManager {
     private primaryIdentityId;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     private get encryptionKey();
-    /** Load identities from storage on startup */
-    load(): Promise<void>;
+    /** Load identities from storage on startup.
+     *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
+     *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
+     */
+    load(): Promise<{
+        total: number;
+        loaded: number;
+        failed: number;
+    }>;
     /** Save an identity to storage */
     save(identity: StoredIdentity): Promise<void>;
     get(id: string): StoredIdentity | undefined;
@@ -2673,4 +2794,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
 
-export { ATTESTATION_VERSION, ApprovalGate, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, CommitmentStore, type ConcordiaOutcome, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, MemoryStorage, type PedersenCommitment, type PeerTrustEvaluation, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProviderCategory, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyTier, StateStore, StderrApprovalChannel, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, ApprovalGate, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, CommitmentStore, type ConcordiaOutcome, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProviderCategory, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyTier, StateStore, StderrApprovalChannel, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };

package/dist/index.d.ts

@@ -639,6 +639,16 @@ interface SHRLayerL2 {
     status: LayerStatus;
     isolation_type: string;
     attestation_available: boolean;
+    /** Model provenance: what inference model(s) power this agent */
+    model_provenance?: {
+        model_id: string;
+        model_name: string;
+        provider: string;
+        open_weights: boolean;
+        open_source: boolean;
+        local_inference: boolean;
+        weights_hash?: string;
+    };
 }
 interface SHRLayerL3 {
     status: LayerStatus;
@@ -1367,6 +1377,110 @@ declare function classifyField(fieldName: string): FieldClassification;
  */
 declare function recommendPolicy(context: Record<string, unknown>, provider?: string): PolicyRecommendation;
 
+/**
+ * Sanctuary MCP Server — L2 Model Provenance
+ *
+ * Declares and attests to the model(s) powering this agent.
+ *
+ * Vitalik Buterin's "Secure LLM" post (April 2026) identified a critical gap:
+ * open-weights-but-not-open-source models can have trained-in backdoors. Model
+ * provenance declaration lets agents and their operators verify the integrity
+ * of the inference backbone.
+ *
+ * Tracks: model name, version, weights hash, license, open-source status,
+ * training data hash (if available). Included in SHR L2 section.
+ *
+ * This sits in L2 (Operational Isolation) because it's part of the runtime
+ * attestation surface — the agent declares what model(s) it's actually running.
+ */
+/**
+ * Metadata about a single model powering this agent.
+ */
+interface ModelProvenance {
+    /** Machine-readable model ID (e.g., "qwen3.5-35b", "claude-opus-4", "llama-3.3-70b-instruct") */
+    model_id: string;
+    /** Human-readable model name (e.g., "Qwen 3.5", "Claude Opus 4", "Llama 3.3 70B Instruct") */
+    model_name: string;
+    /** Semantic version (e.g., "3.5", "4.0", "3.3") */
+    model_version: string;
+    /** Provider/vendor (e.g., "Alibaba Cloud", "Anthropic", "Meta", "local") */
+    provider: string;
+    /** SHA-256 of model weights file, if available and verifiable */
+    weights_hash?: string;
+    /** SHA-256 of training data manifest or metadata, if available */
+    training_data_hash?: string;
+    /** License identifier (e.g., "Apache-2.0", "CC-BY-4.0", "proprietary", "unknown") */
+    license: string;
+    /** True if model weights are publicly available (even if training is proprietary) */
+    open_weights: boolean;
+    /** True if full training code, data, and methodology are publicly available */
+    open_source: boolean;
+    /** True if inference runs on the local agent's hardware (not delegated to cloud API) */
+    local_inference: boolean;
+    /** ISO 8601 timestamp when this provenance was declared */
+    declared_at: string;
+}
+/**
+ * In-memory and persistent store for model provenance declarations.
+ * Declarations are encrypted under L1 sovereignty.
+ */
+interface ModelProvenanceStore {
+    /**
+     * Declare a model's provenance and add it to the store.
+     */
+    declare(provenance: ModelProvenance): void;
+    /**
+     * Retrieve a model's provenance by ID.
+     */
+    get(model_id: string): ModelProvenance | undefined;
+    /**
+     * List all declared models.
+     */
+    list(): ModelProvenance[];
+    /**
+     * Get the primary/main model (the one the agent uses by default for inference).
+     */
+    primary(): ModelProvenance | undefined;
+    /**
+     * Set which model is the primary.
+     */
+    setPrimary(model_id: string): void;
+}
+/**
+ * In-memory implementation of ModelProvenanceStore.
+ * Suitable for most use cases. For encrypted persistence, integrate with L1 state store.
+ */
+declare class InMemoryModelProvenanceStore implements ModelProvenanceStore {
+    private models;
+    private primaryModelId;
+    declare(provenance: ModelProvenance): void;
+    get(model_id: string): ModelProvenance | undefined;
+    list(): ModelProvenance[];
+    primary(): ModelProvenance | undefined;
+    setPrimary(model_id: string): void;
+}
+/**
+ * Common model provenance presets for quick initialization.
+ */
+declare const MODEL_PRESETS: {
+    /**
+     * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
+     */
+    claudeOpus4: () => ModelProvenance;
+    /**
+     * Qwen 3.5 via local inference (open weights, proprietary training)
+     */
+    qwen35Local: () => ModelProvenance;
+    /**
+     * Llama 3.3 70B via local inference (open weights and code)
+     */
+    llama33Local: () => ModelProvenance;
+    /**
+     * Mistral 7B (open weights, open code, local inference)
+     */
+    mistral7bLocal: () => ModelProvenance;
+};
+
 /**
  * Sanctuary MCP Server — Prompt Injection Detection Layer
  *
@@ -1969,8 +2083,15 @@ declare class IdentityManager {
     private primaryIdentityId;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     private get encryptionKey();
-    /** Load identities from storage on startup */
-    load(): Promise<void>;
+    /** Load identities from storage on startup.
+     *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
+     *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
+     */
+    load(): Promise<{
+        total: number;
+        loaded: number;
+        failed: number;
+    }>;
     /** Save an identity to storage */
     save(identity: StoredIdentity): Promise<void>;
     get(id: string): StoredIdentity | undefined;
@@ -2673,4 +2794,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
 
-export { ATTESTATION_VERSION, ApprovalGate, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, CommitmentStore, type ConcordiaOutcome, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, MemoryStorage, type PedersenCommitment, type PeerTrustEvaluation, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProviderCategory, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyTier, StateStore, StderrApprovalChannel, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, ApprovalGate, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, CommitmentStore, type ConcordiaOutcome, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProviderCategory, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyTier, StateStore, StderrApprovalChannel, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };

package/dist/index.js

@@ -1275,9 +1275,13 @@ var IdentityManager = class {
   get encryptionKey() {
     return derivePurposeKey(this.masterKey, "identity-encryption");
   }
-  /** Load identities from storage on startup */
+  /** Load identities from storage on startup.
+   *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
+   *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
+   */
   async load() {
     const entries = await this.storage.list("_identities");
+    let failed = 0;
     for (const entry of entries) {
       const raw = await this.storage.read("_identities", entry.key);
       if (!raw) continue;
@@ -1290,8 +1294,10 @@ var IdentityManager = class {
           this.primaryIdentityId = identity.identity_id;
         }
       } catch {
+        failed++;
       }
     }
+    return { total: entries.length, loaded: this.identities.size, failed };
   }
   /** Save an identity to storage */
   async save(identity) {
@@ -11081,11 +11087,57 @@ var TOOL_API_SCOPED = {
   ],
   default_action: "redact"
 };
+var REMOTE_INFERENCE_SANITIZE = {
+  id: "remote-inference-sanitize",
+  name: "Remote Inference Sanitization",
+  description: "Maximum privacy for remote/cloud LLM calls. Strips all identity, financial, location, and personal data before passing queries to external models. Inspired by Vitalik Buterin's 2-of-2 sovereignty model.",
+  use_when: "Your local agent needs to call a remote LLM for tasks beyond local model capability (complex coding, deep research) and you want to minimize data leakage to the remote provider. The remote model gets only the task, query, format requirements, and stripped code context.",
+  rules: [
+    {
+      provider: "inference",
+      allow: [
+        "task",
+        "task_description",
+        "current_query",
+        "query",
+        "prompt",
+        "question",
+        "instruction",
+        "output_format",
+        "format",
+        "language",
+        "code_context",
+        // Stripped code snippets for coding tasks
+        "error_message"
+        // For debugging help
+      ],
+      redact: [
+        ...ALWAYS_REDACT_SECRETS,
+        ...PII_PATTERNS,
+        ...INTERNAL_STATE_PATTERNS,
+        ...HISTORY_PATTERNS,
+        "tool_results",
+        "previous_results",
+        // Additional redactions for remote inference
+        "model_data",
+        "agent_state",
+        "runtime_config",
+        "capabilities",
+        "tool_list"
+      ],
+      // Deny patterns — these must NEVER reach the remote model, not even redacted
+      hash: [],
+      summarize: []
+    }
+  ],
+  default_action: "deny"
+};
 var TEMPLATES = {
   "inference-minimal": INFERENCE_MINIMAL,
   "inference-standard": INFERENCE_STANDARD,
   "logging-strict": LOGGING_STRICT,
-  "tool-api-scoped": TOOL_API_SCOPED
+  "tool-api-scoped": TOOL_API_SCOPED,
+  "remote-inference-sanitize": REMOTE_INFERENCE_SANITIZE
 };
 function listTemplateIds() {
   return Object.keys(TEMPLATES);
@@ -12573,6 +12625,101 @@ function createL2HardeningTools(storagePath, auditLog) {
 // src/index.ts
 init_encoding();
 
+// src/l2-operational/model-provenance.ts
+var InMemoryModelProvenanceStore = class {
+  models = /* @__PURE__ */ new Map();
+  primaryModelId = null;
+  declare(provenance) {
+    if (!provenance.model_id) {
+      throw new Error("ModelProvenance requires a model_id");
+    }
+    if (!provenance.model_name) {
+      throw new Error("ModelProvenance requires a model_name");
+    }
+    if (!provenance.provider) {
+      throw new Error("ModelProvenance requires a provider");
+    }
+    this.models.set(provenance.model_id, provenance);
+    if (this.primaryModelId === null) {
+      this.primaryModelId = provenance.model_id;
+    }
+  }
+  get(model_id) {
+    return this.models.get(model_id);
+  }
+  list() {
+    return Array.from(this.models.values());
+  }
+  primary() {
+    if (!this.primaryModelId) return void 0;
+    return this.models.get(this.primaryModelId);
+  }
+  setPrimary(model_id) {
+    if (!this.models.has(model_id)) {
+      throw new Error(`Model ${model_id} not found in store`);
+    }
+    this.primaryModelId = model_id;
+  }
+};
+var MODEL_PRESETS = {
+  /**
+   * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
+   */
+  claudeOpus4: () => ({
+    model_id: "claude-opus-4",
+    model_name: "Claude Opus 4",
+    model_version: "4.0",
+    provider: "Anthropic",
+    license: "proprietary",
+    open_weights: false,
+    open_source: false,
+    local_inference: false,
+    declared_at: (/* @__PURE__ */ new Date()).toISOString()
+  }),
+  /**
+   * Qwen 3.5 via local inference (open weights, proprietary training)
+   */
+  qwen35Local: () => ({
+    model_id: "qwen-3.5-35b",
+    model_name: "Qwen 3.5 35B",
+    model_version: "3.5",
+    provider: "Alibaba Cloud",
+    license: "Apache-2.0",
+    open_weights: true,
+    open_source: false,
+    local_inference: true,
+    declared_at: (/* @__PURE__ */ new Date()).toISOString()
+  }),
+  /**
+   * Llama 3.3 70B via local inference (open weights and code)
+   */
+  llama33Local: () => ({
+    model_id: "llama-3.3-70b-instruct",
+    model_name: "Llama 3.3 70B Instruct",
+    model_version: "3.3",
+    provider: "Meta",
+    license: "Apache-2.0",
+    open_weights: true,
+    open_source: true,
+    local_inference: true,
+    declared_at: (/* @__PURE__ */ new Date()).toISOString()
+  }),
+  /**
+   * Mistral 7B (open weights, open code, local inference)
+   */
+  mistral7bLocal: () => ({
+    model_id: "mistral-7b-instruct",
+    model_name: "Mistral 7B Instruct",
+    model_version: "7",
+    provider: "Mistral AI",
+    license: "Apache-2.0",
+    open_weights: true,
+    open_source: true,
+    local_inference: true,
+    declared_at: (/* @__PURE__ */ new Date()).toISOString()
+  })
+};
+
 // src/storage/memory.ts
 var MemoryStorage = class {
   store = /* @__PURE__ */ new Map();
@@ -12722,7 +12869,29 @@ async function createSanctuaryServer(options) {
     keyProtection,
     auditLog
   );
-  await identityManager.load();
+  const loadResult = await identityManager.load();
+  if (loadResult.total > 0 && loadResult.loaded === 0) {
+    console.error(
+      `
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551  \u26A0  WARNING: Encrypted identities found but NONE loaded     \u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  ${loadResult.total} encrypted identity file(s) found on disk              \u2551
+\u2551  0 could be decrypted with the current master key            \u2551
+\u2551                                                              \u2551
+\u2551  This usually means SANCTUARY_PASSPHRASE is missing or       \u2551
+\u2551  incorrect. The server will start but with NO identity data. \u2551
+\u2551                                                              \u2551
+\u2551  To fix: set SANCTUARY_PASSPHRASE to the passphrase used     \u2551
+\u2551  when this Sanctuary instance was first configured.          \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`
+    );
+  } else if (loadResult.failed > 0) {
+    console.error(
+      `Warning: ${loadResult.failed} of ${loadResult.total} identity files could not be decrypted (possibly corrupted).`
+    );
+  }
   const l2Tools = [
     {
       name: "sanctuary/exec_attest",
@@ -13094,6 +13263,6 @@ async function createSanctuaryServer(options) {
   return { server, config };
 }
 
-export { ATTESTATION_VERSION, ApprovalGate, AuditLog, AutoApproveChannel, BaselineTracker, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, CommitmentStore, ContextGateEnforcer, ContextGatePolicyStore, DashboardApprovalChannel, FederationRegistry, FilesystemStorage, InjectionDetector, MemoryStorage, PolicyStore, ReputationStore, StateStore, StderrApprovalChannel, TIER_WEIGHTS, WebhookApprovalChannel, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, ApprovalGate, AuditLog, AutoApproveChannel, BaselineTracker, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, CommitmentStore, ContextGateEnforcer, ContextGatePolicyStore, DashboardApprovalChannel, FederationRegistry, FilesystemStorage, InMemoryModelProvenanceStore, InjectionDetector, MODEL_PRESETS, MemoryStorage, PolicyStore, ReputationStore, StateStore, StderrApprovalChannel, TIER_WEIGHTS, WebhookApprovalChannel, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map