@sanctuary-framework/mcp-server 0.5.16 → 0.7.0

package/dist/cli.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { mkdir, readFile, writeFile, chmod, access, stat, unlink, readdir } from 'fs/promises';
+import { mkdir, readFile, writeFile, chmod, access, stat, unlink, readdir, copyFile } from 'fs/promises';
 import { join } from 'path';
 import { homedir, platform } from 'os';
 import { createRequire } from 'module';
@@ -73,6 +73,12 @@ function defaultConfig() {
       secret: "",
       callback_port: 3502,
       callback_host: "127.0.0.1"
+    },
+    verascore: {
+      url: "https://verascore.ai",
+      auto_publish_to_verascore: true,
+      // DELTA-04: default OFF for privacy. Enable explicitly per deployment.
+      auto_publish_handshakes: false
     }
   };
 }
@@ -143,6 +149,21 @@ async function loadConfig(configPath) {
   if (process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST) {
     config.webhook.callback_host = process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST;
   }
+  if (process.env.SANCTUARY_VERASCORE_URL) {
+    config.verascore.url = process.env.SANCTUARY_VERASCORE_URL;
+  }
+  if (process.env.SANCTUARY_AUTO_PUBLISH_TO_VERASCORE === "true") {
+    config.verascore.auto_publish_to_verascore = true;
+  }
+  if (process.env.SANCTUARY_AUTO_PUBLISH_TO_VERASCORE === "false") {
+    config.verascore.auto_publish_to_verascore = false;
+  }
+  if (process.env.SANCTUARY_AUTO_PUBLISH_HANDSHAKES === "true") {
+    config.verascore.auto_publish_handshakes = true;
+  }
+  if (process.env.SANCTUARY_AUTO_PUBLISH_HANDSHAKES === "false") {
+    config.verascore.auto_publish_handshakes = false;
+  }
   config.version = PKG_VERSION;
   validateConfig(config);
   return config;
@@ -941,7 +962,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
   const tools = [
     // ── Identity Tools ──────────────────────────────────────────────────
     {
-      name: "sanctuary/identity_create",
+      name: "identity_create",
       description: "Create a new sovereign identity (Ed25519 keypair). The private key is encrypted and never exposed.",
       inputSchema: {
         type: "object",
@@ -976,7 +997,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/identity_list",
+      name: "identity_list",
       description: "List all managed sovereign identities.",
       inputSchema: {
         type: "object",
@@ -1001,7 +1022,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/identity_sign",
+      name: "identity_sign",
       description: "Sign data with a managed identity. The private key is decrypted in memory only during signing.",
       inputSchema: {
         type: "object",
@@ -1039,7 +1060,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/identity_verify",
+      name: "identity_verify",
       description: "Verify an Ed25519 signature. Provide either identity_id or public_key.",
       inputSchema: {
         type: "object",
@@ -1088,7 +1109,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/identity_rotate",
+      name: "identity_rotate",
       description: "Rotate keys for an identity. Generates a new keypair and signs a rotation event with the old key for verifiable chain.",
       inputSchema: {
         type: "object",
@@ -1121,7 +1142,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
     },
     // ── State Tools ─────────────────────────────────────────────────────
     {
-      name: "sanctuary/state_write",
+      name: "state_write",
       description: "Write encrypted state to the sovereign store. Value is encrypted with a namespace-specific key. The write is signed by the active identity.",
       inputSchema: {
         type: "object",
@@ -1178,7 +1199,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/state_read",
+      name: "state_read",
       description: "Read and decrypt state from the sovereign store. Verifies integrity via Merkle proof and signature.",
       inputSchema: {
         type: "object",
@@ -1219,7 +1240,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/state_list",
+      name: "state_list",
       description: "List keys in a namespace (metadata only \u2014 no decryption).",
       inputSchema: {
         type: "object",
@@ -1251,7 +1272,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/state_delete",
+      name: "state_delete",
       description: "Securely delete state. Overwrites file with random bytes before removal (right to deletion, S1.6).",
       inputSchema: {
         type: "object",
@@ -1283,7 +1304,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/state_export",
+      name: "state_export",
       description: "Export state as an encrypted, portable bundle for migration.",
       inputSchema: {
         type: "object",
@@ -1303,7 +1324,7 @@ function createL1Tools(stateStore, storage, masterKey, keyProtection, auditLog)
       }
     },
     {
-      name: "sanctuary/state_import",
+      name: "state_import",
       description: "Import a previously exported state bundle.",
       inputSchema: {
         type: "object",
@@ -1643,9 +1664,10 @@ tier1_always_approve:
   - reputation_import
   - reputation_export
   - bootstrap_provide_guarantee
-  - reputation_publish
   - sovereignty_profile_update
   - governor_reset
+  - sanctuary_bootstrap
+  - sanctuary_export_identity_bundle
 
 # \u2500\u2500\u2500 Tier 2: Behavioral Anomaly Detection \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 # Triggers approval when agent behavior deviates from its baseline.
@@ -1711,6 +1733,8 @@ tier3_always_allow:
   - dashboard_open
   - sovereignty_profile_get
   - governor_status
+  - reputation_publish
+  - sanctuary_policy_status
 
 # \u2500\u2500\u2500 Approval Channel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 # How Sanctuary reaches you when approval is needed.
@@ -1764,12 +1788,14 @@ var init_loader = __esm({
         "reputation_export",
         "bootstrap_provide_guarantee",
         "decommission_certificate",
-        "reputation_publish",
-        // SEC-039: Explicit Tier 1 — sends data to external API
         "sovereignty_profile_update",
         // Changes enforcement behavior — always requires approval
-        "governor_reset"
+        "governor_reset",
         // Clears all runtime governance state — always requires approval
+        "sanctuary_bootstrap",
+        // Creates new Ed25519 identity + publishes — always requires approval
+        "sanctuary_export_identity_bundle"
+        // Exports portable identity — always requires approval
       ],
       tier2_anomaly: DEFAULT_TIER2,
       tier3_always_allow: [
@@ -1827,7 +1853,11 @@ var init_loader = __esm({
         "sovereignty_profile_get",
         "sovereignty_profile_generate_prompt",
         // Agent needs its own config to generate system prompt
-        "governor_status"
+        "governor_status",
+        "reputation_publish",
+        // Auto-allow: publishing sovereignty data to Verascore is routine
+        "sanctuary_policy_status"
+        // Read-only policy summary
       ],
       approval_channel: DEFAULT_CHANNEL
     };
@@ -5038,244 +5068,1047 @@ var init_dashboard_html = __esm({
   }
 });
 
-// src/system-prompt-generator.ts
-function generateSystemPrompt(profile) {
-  const activeFeatures = [];
-  const inactiveFeatures = [];
-  const activeKeys = [];
-  const featureKeys = [
-    "audit_logging",
-    "injection_detection",
-    "context_gating",
-    "approval_gate",
-    "zk_proofs"
-  ];
-  for (const key of featureKeys) {
-    const featureConfig = profile.features[key];
-    const info = FEATURE_INFO[key];
-    if (featureConfig.enabled) {
-      activeKeys.push(key);
-      let desc = `- ${info.name}: ${info.activeDescription}`;
-      if (key === "injection_detection" && "sensitivity" in featureConfig && featureConfig.sensitivity) {
-        desc += ` Sensitivity: ${featureConfig.sensitivity}.`;
-      }
-      if (key === "context_gating" && "policy_id" in featureConfig && featureConfig.policy_id) {
-        desc += ` Active policy: ${featureConfig.policy_id}.`;
-      }
-      activeFeatures.push(desc);
-    } else {
-      inactiveFeatures.push(info.disabledDescription);
+// src/cocoon/fortress-view.ts
+function generateFortressViewHTML(options) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sanctuary \u2014 Fortress View</title>
+  <style>
+    :root {
+      --bg: #0d1117;
+      --surface: #161b22;
+      --surface-raised: #1c2128;
+      --border: #30363d;
+      --text-primary: #e6edf3;
+      --text-secondary: #8b949e;
+      --text-muted: #484f58;
+      --green: #3fb950;
+      --green-dim: #238636;
+      --amber: #d29922;
+      --amber-dim: #9e6a03;
+      --red: #f85149;
+      --red-dim: #da3633;
+      --blue: #58a6ff;
+      --blue-dim: #1f6feb;
     }
-  }
-  const lines = [];
-  if (activeKeys.length > 0) {
-    lines.push("QUICK START:");
-    const quickStartItems = buildQuickStart(activeKeys);
-    for (const item of quickStartItems) {
-      lines.push(`  ${item}`);
+
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif;
+      background-color: var(--bg);
+      color: var(--text-primary);
+      min-height: 100vh;
     }
-    lines.push("");
-  }
-  lines.push(
-    "You are protected by Sanctuary sovereignty infrastructure. The following protections are active:"
-  );
-  lines.push("");
-  if (activeFeatures.length > 0) {
-    lines.push(...activeFeatures);
-  } else {
-    lines.push(
-      "- No features are currently enabled. Contact your operator to configure protections."
-    );
-  }
-  if (inactiveFeatures.length > 0) {
-    lines.push("");
-    lines.push(
-      `Optional tools available but not currently enabled: ${inactiveFeatures.join(", ")}.`
-    );
-  }
-  return lines.join("\n");
-}
-function buildQuickStart(activeKeys) {
-  const items = [];
-  if (activeKeys.includes("context_gating")) {
-    items.push(
-      "1. ALWAYS call sanctuary/context_gate_filter before sending context to external APIs."
-    );
-  }
-  if (activeKeys.includes("zk_proofs")) {
-    items.push(
-      `${items.length + 1}. Use sanctuary/zk_commit to prove claims without revealing underlying data.`
-    );
-  }
-  if (activeKeys.includes("approval_gate")) {
-    items.push(
-      `${items.length + 1}. High-risk operations will be held for human approval \u2014 expect async responses.`
-    );
-  }
-  if (items.length === 0) {
-    if (activeKeys.includes("audit_logging")) {
-      items.push("1. All tool calls are automatically logged to an encrypted audit trail.");
+
+    /* \u2500\u2500 Header \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .fortress-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      padding: 16px 24px;
+      border-bottom: 1px solid var(--border);
+      background: var(--surface);
     }
-    if (activeKeys.includes("injection_detection")) {
-      items.push(
-        `${items.length + 1}. Tool arguments are scanned for injection \u2014 blocked calls should not be retried.`
-      );
+
+    .fortress-brand {
+      display: flex;
+      align-items: center;
+      gap: 12px;
     }
-  }
-  return items;
-}
-var FEATURE_INFO;
-var init_system_prompt_generator = __esm({
-  "src/system-prompt-generator.ts"() {
-    FEATURE_INFO = {
-      audit_logging: {
-        name: "Audit Logging",
-        activeDescription: "All your tool calls are logged to an encrypted audit trail. No action needed \u2014 this is automatic. You can query the log with sanctuary/monitor_audit_log if you need to review past activity.",
-        toolNames: ["sanctuary/monitor_audit_log"],
-        disabledDescription: "audit logging (sanctuary/monitor_audit_log)",
-        usageExample: "Automatic \u2014 every tool call you make is recorded. No explicit action required."
-      },
-      injection_detection: {
-        name: "Injection Detection",
-        activeDescription: "Your tool call arguments are scanned for prompt injection attempts. This is automatic \u2014 no action needed. If injection is detected in your input, the call will be blocked and you will receive an error. Do not retry blocked calls with the same input.",
-        disabledDescription: "injection detection",
-        usageExample: "Automatic \u2014 if a tool call is blocked with an injection alert, do not retry with the same arguments."
-      },
-      context_gating: {
-        name: "Context Gating",
-        activeDescription: "Before sending context to any external API (LLM inference, tool APIs, logging services), call sanctuary/context_gate_filter to strip sensitive fields. Use sanctuary/context_gate_set_policy to define filtering rules, or sanctuary/context_gate_apply_template for presets.",
-        toolNames: [
-          "sanctuary/context_gate_filter",
-          "sanctuary/context_gate_set_policy",
-          "sanctuary/context_gate_apply_template",
-          "sanctuary/context_gate_recommend",
-          "sanctuary/context_gate_list_policies"
-        ],
-        disabledDescription: "context gating (sanctuary/context_gate_filter)",
-        usageExample: "Before calling an external API, run: sanctuary/context_gate_filter with your context object and policy_id to get a filtered version."
-      },
-      approval_gate: {
-        name: "Approval Gates",
-        activeDescription: "High-risk operations require human approval before execution. Tier 1 operations (export, import, key rotation, deletion) always require approval. Tier 2 operations trigger approval when anomalous behavior is detected. When an operation is held for approval, you will receive an async response \u2014 wait for the human decision before proceeding.",
-        disabledDescription: "approval gates",
-        usageExample: "When you call a Tier 1 operation (e.g., state_export), expect an async hold. The human operator will approve or deny via the dashboard."
-      },
-      zk_proofs: {
-        name: "Zero-Knowledge Proofs",
-        activeDescription: "You can prove claims about your data without revealing the underlying values. Use sanctuary/zk_commit to create a Pedersen commitment, sanctuary/zk_prove (Schnorr proof) to prove you know a committed value, and sanctuary/zk_range_prove to prove a value falls within a range \u2014 all without disclosing the actual data. For simpler SHA-256 commitments, use sanctuary/proof_commitment.",
-        toolNames: [
-          "sanctuary/zk_commit",
-          "sanctuary/zk_prove",
-          "sanctuary/zk_range_prove",
-          "sanctuary/proof_commitment"
-        ],
-        disabledDescription: "zero-knowledge proofs (sanctuary/zk_commit, sanctuary/zk_prove)",
-        usageExample: "To prove a claim without revealing data: first sanctuary/zk_commit to commit, then sanctuary/zk_prove or sanctuary/zk_range_prove to generate a verifiable proof."
-      }
-    };
-  }
-});
-var SESSION_TTL_REMOTE_MS, SESSION_TTL_LOCAL_MS, MAX_SESSIONS, RATE_LIMIT_WINDOW_MS, RATE_LIMIT_GENERAL, RATE_LIMIT_DECISIONS, MAX_RATE_LIMIT_ENTRIES, DashboardApprovalChannel;
-var init_dashboard = __esm({
-  "src/principal-policy/dashboard.ts"() {
-    init_config();
-    init_generator();
-    init_dashboard_html();
-    init_system_prompt_generator();
-    SESSION_TTL_REMOTE_MS = 5 * 60 * 1e3;
-    SESSION_TTL_LOCAL_MS = 24 * 60 * 60 * 1e3;
-    MAX_SESSIONS = 1e3;
-    RATE_LIMIT_WINDOW_MS = 6e4;
-    RATE_LIMIT_GENERAL = 120;
-    RATE_LIMIT_DECISIONS = 20;
-    MAX_RATE_LIMIT_ENTRIES = 1e4;
-    DashboardApprovalChannel = class {
-      config;
-      pending = /* @__PURE__ */ new Map();
-      sseClients = /* @__PURE__ */ new Set();
-      httpServer = null;
-      policy = null;
-      baseline = null;
-      auditLog = null;
-      identityManager = null;
-      handshakeResults = null;
-      shrOpts = null;
-      _sanctuaryConfig = null;
-      profileStore = null;
-      clientManager = null;
-      dashboardHTML;
-      loginHTML;
-      authToken;
-      useTLS;
-      /** Session TTL: longer for localhost, shorter for remote */
-      sessionTTLMs;
-      /** SEC-012: Short-lived session store. Sessions replace URL query tokens. */
-      sessions = /* @__PURE__ */ new Map();
-      sessionCleanupTimer = null;
-      /** Rate limiting: per-IP request tracking */
-      rateLimits = /* @__PURE__ */ new Map();
-      /** Whether the dashboard is running in standalone mode (no MCP server) */
-      _standaloneMode = false;
-      constructor(config) {
-        this.config = config;
-        this.authToken = config.auth_token;
-        this.useTLS = !!(config.tls?.cert_path && config.tls?.key_path);
-        const isLocalhost = config.host === "127.0.0.1" || config.host === "localhost" || config.host === "::1";
-        this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
-        this.dashboardHTML = generateDashboardHTML({
-          timeoutSeconds: config.timeout_seconds,
-          serverVersion: SANCTUARY_VERSION
-        });
-        this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
-        this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
-      }
-      /**
-       * Inject dependencies after construction.
-       * Called from index.ts after all components are initialized.
-       */
-      setDependencies(deps) {
-        this.policy = deps.policy;
-        this.baseline = deps.baseline;
-        this.auditLog = deps.auditLog;
-        if (deps.identityManager) this.identityManager = deps.identityManager;
-        if (deps.handshakeResults) this.handshakeResults = deps.handshakeResults;
-        if (deps.shrOpts) this.shrOpts = deps.shrOpts;
-        if (deps.sanctuaryConfig) this._sanctuaryConfig = deps.sanctuaryConfig;
-        if (deps.profileStore) this.profileStore = deps.profileStore;
-        if (deps.clientManager) this.clientManager = deps.clientManager;
-      }
-      /**
-       * Mark this dashboard as running in standalone mode.
-       * Exposed via /api/status so the frontend can show an appropriate banner.
-       */
-      setStandaloneMode(standalone) {
-        this._standaloneMode = standalone;
-      }
-      /**
-       * Start the HTTP(S) server for the dashboard.
-       */
-      async start() {
-        return new Promise((resolve, reject) => {
-          const handler = (req, res) => this.handleRequest(req, res);
-          if (this.useTLS && this.config.tls) {
-            const tlsOpts = {
-              cert: readFileSync(this.config.tls.cert_path),
-              key: readFileSync(this.config.tls.key_path)
-            };
-            this.httpServer = createServer$2(tlsOpts, handler);
-          } else {
-            this.httpServer = createServer$1(handler);
-          }
-          const protocol = this.useTLS ? "https" : "http";
-          const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
-          this.httpServer.listen(this.config.port, this.config.host, () => {
-            const sessionUrl = this.authToken ? this.createSessionUrl() : baseUrl;
-            process.stderr.write(
-              `
-  Sanctuary Principal Dashboard: ${baseUrl}
-`
-            );
-            if (this.authToken) {
+
+    .fortress-brand .shield {
+      font-size: 28px;
+      color: var(--blue);
+    }
+
+    .fortress-brand h1 {
+      font-size: 18px;
+      font-weight: 600;
+      letter-spacing: -0.5px;
+    }
+
+    .fortress-brand .version {
+      font-size: 12px;
+      color: var(--text-secondary);
+    }
+
+    .header-actions {
+      display: flex;
+      gap: 8px;
+    }
+
+    .header-actions button {
+      padding: 6px 16px;
+      border-radius: 6px;
+      border: 1px solid var(--border);
+      background: var(--surface);
+      color: var(--text-primary);
+      font-size: 13px;
+      cursor: pointer;
+      transition: background 0.15s;
+    }
+
+    .header-actions button:hover {
+      background: var(--surface-raised);
+    }
+
+    .header-actions .pause-btn {
+      border-color: var(--red-dim);
+      color: var(--red);
+    }
+
+    .header-actions .pause-btn:hover {
+      background: rgba(248, 81, 73, 0.1);
+    }
+
+    .header-actions .pause-btn.paused {
+      background: var(--red-dim);
+      color: white;
+    }
+
+    /* \u2500\u2500 Tab bar \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .tab-bar {
+      display: flex;
+      border-bottom: 1px solid var(--border);
+      background: var(--surface);
+      padding: 0 24px;
+    }
+
+    .tab-bar button {
+      padding: 10px 16px;
+      border: none;
+      background: none;
+      color: var(--text-secondary);
+      font-size: 14px;
+      cursor: pointer;
+      border-bottom: 2px solid transparent;
+      transition: all 0.15s;
+    }
+
+    .tab-bar button:hover {
+      color: var(--text-primary);
+    }
+
+    .tab-bar button.active {
+      color: var(--text-primary);
+      border-bottom-color: var(--blue);
+    }
+
+    /* \u2500\u2500 Content \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .fortress-content { padding: 24px; }
+
+    /* \u2500\u2500 Status Banner \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .status-banner {
+      display: flex;
+      align-items: center;
+      gap: 16px;
+      padding: 20px 24px;
+      border-radius: 8px;
+      border: 1px solid var(--border);
+      background: var(--surface);
+      margin-bottom: 24px;
+    }
+
+    .status-indicator {
+      width: 48px;
+      height: 48px;
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-size: 24px;
+      flex-shrink: 0;
+    }
+
+    .status-indicator.green { background: rgba(63, 185, 80, 0.15); color: var(--green); }
+    .status-indicator.amber { background: rgba(210, 153, 34, 0.15); color: var(--amber); }
+    .status-indicator.red { background: rgba(248, 81, 73, 0.15); color: var(--red); }
+
+    .status-info h2 {
+      font-size: 18px;
+      font-weight: 600;
+      margin-bottom: 4px;
+    }
+
+    .status-info p {
+      font-size: 14px;
+      color: var(--text-secondary);
+    }
+
+    .status-stats {
+      display: flex;
+      gap: 24px;
+      margin-left: auto;
+    }
+
+    .stat {
+      text-align: center;
+    }
+
+    .stat .value {
+      font-size: 24px;
+      font-weight: 600;
+      font-variant-numeric: tabular-nums;
+    }
+
+    .stat .label {
+      font-size: 11px;
+      color: var(--text-secondary);
+      text-transform: uppercase;
+      letter-spacing: 0.5px;
+    }
+
+    /* \u2500\u2500 Two-column layout \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .fortress-grid {
+      display: grid;
+      grid-template-columns: 1fr 360px;
+      gap: 24px;
+    }
+
+    @media (max-width: 900px) {
+      .fortress-grid { grid-template-columns: 1fr; }
+    }
+
+    /* \u2500\u2500 Feed \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .feed-panel {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      overflow: hidden;
+    }
+
+    .panel-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      padding: 12px 16px;
+      border-bottom: 1px solid var(--border);
+    }
+
+    .panel-header h3 {
+      font-size: 14px;
+      font-weight: 600;
+    }
+
+    .feed-list {
+      max-height: 600px;
+      overflow-y: auto;
+      scroll-behavior: smooth;
+    }
+
+    .feed-item {
+      display: flex;
+      align-items: flex-start;
+      gap: 10px;
+      padding: 10px 16px;
+      border-bottom: 1px solid var(--border);
+      font-size: 13px;
+      transition: background 0.1s;
+    }
+
+    .feed-item:hover {
+      background: var(--surface-raised);
+    }
+
+    .feed-dot {
+      width: 8px;
+      height: 8px;
+      border-radius: 50%;
+      margin-top: 5px;
+      flex-shrink: 0;
+    }
+
+    .feed-dot.green { background: var(--green); }
+    .feed-dot.amber { background: var(--amber); }
+    .feed-dot.red { background: var(--red); }
+
+    .feed-detail {
+      flex: 1;
+      min-width: 0;
+    }
+
+    .feed-tool {
+      font-family: 'SF Mono', 'Fira Code', monospace;
+      font-size: 12px;
+      color: var(--blue);
+      word-break: break-all;
+    }
+
+    .feed-decision {
+      font-size: 12px;
+      color: var(--text-secondary);
+      margin-top: 2px;
+    }
+
+    .feed-time {
+      font-size: 11px;
+      color: var(--text-muted);
+      flex-shrink: 0;
+      white-space: nowrap;
+    }
+
+    .feed-empty {
+      padding: 40px 16px;
+      text-align: center;
+      color: var(--text-muted);
+      font-size: 14px;
+    }
+
+    /* \u2500\u2500 Alerts Panel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .alerts-panel {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      overflow: hidden;
+    }
+
+    .alert-item {
+      padding: 12px 16px;
+      border-bottom: 1px solid var(--border);
+    }
+
+    .alert-item .alert-title {
+      font-size: 13px;
+      font-weight: 500;
+      margin-bottom: 4px;
+    }
+
+    .alert-item .alert-desc {
+      font-size: 12px;
+      color: var(--text-secondary);
+      margin-bottom: 8px;
+    }
+
+    .alert-actions {
+      display: flex;
+      gap: 8px;
+    }
+
+    .alert-actions button {
+      padding: 4px 12px;
+      border-radius: 4px;
+      border: 1px solid var(--border);
+      font-size: 12px;
+      cursor: pointer;
+      transition: all 0.15s;
+    }
+
+    .approve-btn {
+      background: var(--green-dim);
+      color: white;
+      border-color: var(--green-dim) !important;
+    }
+
+    .approve-btn:hover { opacity: 0.9; }
+
+    .deny-btn {
+      background: none;
+      color: var(--red);
+      border-color: var(--red-dim) !important;
+    }
+
+    .deny-btn:hover {
+      background: rgba(248, 81, 73, 0.1);
+    }
+
+    .alerts-empty {
+      padding: 40px 16px;
+      text-align: center;
+      color: var(--text-muted);
+      font-size: 14px;
+    }
+
+    /* \u2500\u2500 Servers panel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .servers-panel {
+      margin-top: 16px;
+    }
+
+    .server-row {
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      padding: 8px 16px;
+      border-bottom: 1px solid var(--border);
+      font-size: 13px;
+    }
+
+    .server-status-dot {
+      width: 8px;
+      height: 8px;
+      border-radius: 50%;
+    }
+
+    .server-status-dot.connected { background: var(--green); }
+    .server-status-dot.connecting { background: var(--amber); }
+    .server-status-dot.disconnected, .server-status-dot.error { background: var(--red); }
+
+    .server-name {
+      font-family: 'SF Mono', 'Fira Code', monospace;
+      font-size: 12px;
+    }
+
+    .server-tier {
+      margin-left: auto;
+      font-size: 11px;
+      color: var(--text-secondary);
+    }
+  </style>
+</head>
+<body>
+  <!-- Header -->
+  <div class="fortress-header">
+    <div class="fortress-brand">
+      <div class="shield">&#x1F6E1;</div>
+      <div>
+        <h1>Sanctuary Cocoon</h1>
+        <div class="version">v${esc(options.serverVersion)}</div>
+      </div>
+    </div>
+    <div class="header-actions">
+      <button class="pause-btn" id="pause-btn" title="Pause agent \u2014 requires approval for all operations">Pause Agent</button>
+      <button id="advanced-btn">Advanced</button>
+    </div>
+  </div>
+
+  <!-- Tab bar -->
+  <div class="tab-bar">
+    <button class="active" data-tab="fortress">Fortress</button>
+    <button data-tab="advanced">Advanced</button>
+  </div>
+
+  <!-- Fortress View -->
+  <div class="fortress-content" id="fortress-tab">
+    <!-- Status Banner -->
+    <div class="status-banner" id="status-banner">
+      <div class="status-indicator green" id="status-indicator">&#x2713;</div>
+      <div class="status-info">
+        <h2 id="status-title">Agent Protected</h2>
+        <p id="status-subtitle">${options.upstreamServerCount} server${options.upstreamServerCount !== 1 ? "s" : ""} monitored. All systems nominal.</p>
+      </div>
+      <div class="status-stats">
+        <div class="stat">
+          <div class="value" id="stat-total">0</div>
+          <div class="label">Calls</div>
+        </div>
+        <div class="stat">
+          <div class="value" id="stat-blocked">0</div>
+          <div class="label">Blocked</div>
+        </div>
+        <div class="stat">
+          <div class="value" id="stat-pending">0</div>
+          <div class="label">Pending</div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Two-column layout -->
+    <div class="fortress-grid">
+      <!-- Live Feed -->
+      <div class="feed-panel">
+        <div class="panel-header">
+          <h3>Live Activity</h3>
+          <span style="font-size: 12px; color: var(--text-muted);" id="feed-count">0 events</span>
+        </div>
+        <div class="feed-list" id="feed-list">
+          <div class="feed-empty">Waiting for tool calls...</div>
+        </div>
+      </div>
+
+      <!-- Right column: Alerts + Servers -->
+      <div>
+        <!-- Alerts -->
+        <div class="alerts-panel">
+          <div class="panel-header">
+            <h3>Needs Attention</h3>
+            <span style="font-size: 12px; color: var(--text-muted);" id="alert-count">0</span>
+          </div>
+          <div id="alerts-list">
+            <div class="alerts-empty">No pending actions</div>
+          </div>
+        </div>
+
+        <!-- Servers -->
+        <div class="alerts-panel servers-panel">
+          <div class="panel-header">
+            <h3>Upstream Servers</h3>
+          </div>
+          <div id="servers-list">
+            <div class="alerts-empty">No servers configured</div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <script>
+    // \u2500\u2500 State \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    const API_BASE = window.location.origin;
+    const SESSION_TOKEN = sessionStorage.getItem('sanctuary_session') || '';
+    const MAX_FEED_ITEMS = 50;
+
+    let feedItems = [];
+    let totalCalls = 0;
+    let blockedCalls = 0;
+    let pendingApprovals = [];
+    let upstreamServers = [];
+    let paused = false;
+
+    // \u2500\u2500 SSE Connection \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    function connectSSE() {
+      const url = API_BASE + '/events' + (SESSION_TOKEN ? '?session=' + SESSION_TOKEN : '');
+      const eventSource = new EventSource(url);
+
+      eventSource.addEventListener('proxy-call', (e) => {
+        try {
+          const data = JSON.parse(e.data);
+          addFeedItem(data);
+        } catch {}
+      });
+
+      eventSource.addEventListener('proxy-server-status', (e) => {
+        try {
+          const data = JSON.parse(e.data);
+          updateServerStatus(data.server, data.state, data.tool_count, data.error);
+        } catch {}
+      });
+
+      eventSource.addEventListener('injection-alert', (e) => {
+        try {
+          const data = JSON.parse(e.data);
+          addFeedItem({
+            tool: data.tool_name || 'unknown',
+            server: 'detection',
+            decision: 'blocked',
+            reason: 'Injection detected: ' + (data.signals || []).join(', '),
+            timestamp: new Date().toISOString(),
+          });
+        } catch {}
+      });
+
+      eventSource.addEventListener('approval-request', (e) => {
+        try {
+          const data = JSON.parse(e.data);
+          addPendingApproval(data);
+        } catch {}
+      });
+
+      eventSource.addEventListener('approval-resolved', (e) => {
+        try {
+          const data = JSON.parse(e.data);
+          removePendingApproval(data.id);
+        } catch {}
+      });
+
+      eventSource.onerror = () => {
+        eventSource.close();
+        setTimeout(connectSSE, 3000);
+      };
+    }
+
+    // \u2500\u2500 Feed \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    function addFeedItem(data) {
+      totalCalls++;
+      if (data.decision === 'blocked' || data.decision === 'denied') {
+        blockedCalls++;
+      }
+
+      feedItems.unshift({
+        tool: data.tool || 'unknown',
+        server: data.server || '',
+        decision: data.decision || 'allowed',
+        reason: data.reason || '',
+        time: data.timestamp || new Date().toISOString(),
+      });
+
+      if (feedItems.length > MAX_FEED_ITEMS) {
+        feedItems = feedItems.slice(0, MAX_FEED_ITEMS);
+      }
+
+      renderFeed();
+      updateStats();
+      updateStatus();
+    }
+
+    function renderFeed() {
+      const container = document.getElementById('feed-list');
+      if (feedItems.length === 0) {
+        container.innerHTML = '<div class="feed-empty">Waiting for tool calls...</div>';
+        return;
+      }
+
+      container.innerHTML = feedItems.map(item => {
+        const dotColor = item.decision === 'allowed' ? 'green'
+          : item.decision === 'pending' ? 'amber' : 'red';
+        const decisionText = item.decision === 'allowed' ? 'Auto-allowed'
+          : item.decision === 'pending' ? 'Awaiting approval'
+          : item.decision === 'blocked' ? 'Blocked' : item.decision;
+        const timeStr = new Date(item.time).toLocaleTimeString();
+
+        return '<div class="feed-item">' +
+          '<div class="feed-dot ' + dotColor + '"></div>' +
+          '<div class="feed-detail">' +
+            '<div class="feed-tool">' + esc(item.tool) + '</div>' +
+            '<div class="feed-decision">' + esc(decisionText) +
+              (item.reason ? ' \u2014 ' + esc(item.reason) : '') + '</div>' +
+          '</div>' +
+          '<div class="feed-time">' + esc(timeStr) + '</div>' +
+        '</div>';
+      }).join('');
+
+      document.getElementById('feed-count').textContent = feedItems.length + ' events';
+    }
+
+    // \u2500\u2500 Alerts (Pending Approvals) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    function addPendingApproval(data) {
+      pendingApprovals.push(data);
+      renderAlerts();
+      updateStats();
+      updateStatus();
+    }
+
+    function removePendingApproval(id) {
+      pendingApprovals = pendingApprovals.filter(a => a.id !== id);
+      renderAlerts();
+      updateStats();
+      updateStatus();
+    }
+
+    function renderAlerts() {
+      const container = document.getElementById('alerts-list');
+      if (pendingApprovals.length === 0) {
+        container.innerHTML = '<div class="alerts-empty">No pending actions</div>';
+        document.getElementById('alert-count').textContent = '0';
+        return;
+      }
+
+      document.getElementById('alert-count').textContent = pendingApprovals.length.toString();
+
+      container.innerHTML = pendingApprovals.map(approval => {
+        return '<div class="alert-item">' +
+          '<div class="alert-title">Approval required: ' + esc(approval.operation || approval.tool_name || 'unknown') + '</div>' +
+          '<div class="alert-desc">' + esc(approval.reason || 'This operation requires your approval before it can proceed.') + '</div>' +
+          '<div class="alert-actions">' +
+            '<button class="approve-btn" onclick="handleApproval(\\'' + esc(approval.id) + '\\', true)">Approve</button>' +
+            '<button class="deny-btn" onclick="handleApproval(\\'' + esc(approval.id) + '\\', false)">Deny</button>' +
+          '</div>' +
+        '</div>';
+      }).join('');
+    }
+
+    async function handleApproval(id, approved) {
+      const endpoint = approved ? '/api/approve/' : '/api/deny/';
+      try {
+        await fetch(API_BASE + endpoint + id, {
+          method: 'POST',
+          headers: SESSION_TOKEN ? { 'Authorization': 'Bearer ' + SESSION_TOKEN } : {},
+        });
+        removePendingApproval(id);
+      } catch (err) {
+        console.error('Approval action failed:', err);
+      }
+    }
+
+    // \u2500\u2500 Servers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    function updateServerStatus(serverName, state, toolCount, error) {
+      const existing = upstreamServers.find(s => s.name === serverName);
+      if (existing) {
+        existing.state = state;
+        existing.tool_count = toolCount;
+        existing.error = error;
+      } else {
+        upstreamServers.push({ name: serverName, state, tool_count: toolCount, error });
+      }
+      renderServers();
+      updateStatus();
+    }
+
+    function renderServers() {
+      const container = document.getElementById('servers-list');
+      if (upstreamServers.length === 0) {
+        container.innerHTML = '<div class="alerts-empty">No servers configured</div>';
+        return;
+      }
+
+      container.innerHTML = upstreamServers.map(server => {
+        const stateClass = server.state || 'disconnected';
+        const stateLabel = server.state === 'connected' ? 'Connected'
+          : server.state === 'connecting' ? 'Connecting...'
+          : server.state === 'error' ? 'Error' : 'Disconnected';
+
+        return '<div class="server-row">' +
+          '<div class="server-status-dot ' + stateClass + '"></div>' +
+          '<span class="server-name">' + esc(server.name) + '</span>' +
+          '<span class="server-tier">' + esc(stateLabel) +
+            (server.tool_count ? ' (' + server.tool_count + ' tools)' : '') + '</span>' +
+        '</div>';
+      }).join('');
+    }
+
+    // \u2500\u2500 Status Banner \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    function updateStats() {
+      document.getElementById('stat-total').textContent = totalCalls.toString();
+      document.getElementById('stat-blocked').textContent = blockedCalls.toString();
+      document.getElementById('stat-pending').textContent = pendingApprovals.length.toString();
+    }
+
+    function updateStatus() {
+      const indicator = document.getElementById('status-indicator');
+      const title = document.getElementById('status-title');
+      const subtitle = document.getElementById('status-subtitle');
+
+      const hasErrors = upstreamServers.some(s => s.state === 'error');
+      const hasPending = pendingApprovals.length > 0;
+      const hasBlocked = blockedCalls > 0;
+
+      if (paused) {
+        indicator.className = 'status-indicator red';
+        indicator.innerHTML = '&#x23F8;';
+        title.textContent = 'Agent Paused';
+        subtitle.textContent = 'All operations require approval. Click Resume to restore normal mode.';
+      } else if (hasErrors) {
+        indicator.className = 'status-indicator red';
+        indicator.innerHTML = '&#x26A0;';
+        title.textContent = 'Connection Issues';
+        subtitle.textContent = 'One or more upstream servers have errors.';
+      } else if (hasPending) {
+        indicator.className = 'status-indicator amber';
+        indicator.innerHTML = '&#x23F3;';
+        title.textContent = 'Action Required';
+        subtitle.textContent = pendingApprovals.length + ' operation' + (pendingApprovals.length > 1 ? 's' : '') + ' awaiting your approval.';
+      } else {
+        indicator.className = 'status-indicator green';
+        indicator.innerHTML = '&#x2713;';
+        title.textContent = 'Agent Protected';
+        const serverCount = upstreamServers.filter(s => s.state === 'connected').length || ${options.upstreamServerCount};
+        subtitle.textContent = serverCount + ' server' + (serverCount !== 1 ? 's' : '') + ' monitored. All systems nominal.';
+      }
+    }
+
+    // \u2500\u2500 Pause/Resume \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    document.getElementById('pause-btn').addEventListener('click', () => {
+      paused = !paused;
+      const btn = document.getElementById('pause-btn');
+      if (paused) {
+        btn.textContent = 'Resume Agent';
+        btn.classList.add('paused');
+      } else {
+        btn.textContent = 'Pause Agent';
+        btn.classList.remove('paused');
+      }
+      updateStatus();
+      // TODO: POST to /api/cocoon/pause to set all tiers to 1
+    });
+
+    // \u2500\u2500 Tab switching \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    document.getElementById('advanced-btn').addEventListener('click', () => {
+      window.location.href = '/dashboard?session=' + SESSION_TOKEN;
+    });
+
+    document.querySelectorAll('.tab-bar button').forEach(btn => {
+      btn.addEventListener('click', () => {
+        const tab = btn.dataset.tab;
+        if (tab === 'advanced') {
+          window.location.href = '/dashboard?session=' + SESSION_TOKEN;
+        }
+      });
+    });
+
+    // \u2500\u2500 Escape helper \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    function esc(str) {
+      if (!str) return '';
+      const d = document.createElement('div');
+      d.textContent = String(str);
+      return d.innerHTML;
+    }
+
+    // \u2500\u2500 Init \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    async function init() {
+      // Load initial server state
+      try {
+        const resp = await fetch(API_BASE + '/api/proxy/servers', {
+          headers: SESSION_TOKEN ? { 'Authorization': 'Bearer ' + SESSION_TOKEN } : {},
+        });
+        if (resp.ok) {
+          const data = await resp.json();
+          upstreamServers = data.servers || [];
+          renderServers();
+        }
+      } catch {}
+
+      // Load pending approvals
+      try {
+        const resp = await fetch(API_BASE + '/api/pending', {
+          headers: SESSION_TOKEN ? { 'Authorization': 'Bearer ' + SESSION_TOKEN } : {},
+        });
+        if (resp.ok) {
+          const data = await resp.json();
+          pendingApprovals = data.pending || [];
+          renderAlerts();
+          updateStats();
+        }
+      } catch {}
+
+      updateStatus();
+      connectSSE();
+    }
+
+    init();
+  </script>
+</body>
+</html>`;
+}
+function esc(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+var init_fortress_view = __esm({
+  "src/cocoon/fortress-view.ts"() {
+  }
+});
+
+// src/system-prompt-generator.ts
+function generateSystemPrompt(profile) {
+  const activeFeatures = [];
+  const inactiveFeatures = [];
+  const activeKeys = [];
+  const featureKeys = [
+    "audit_logging",
+    "injection_detection",
+    "context_gating",
+    "approval_gate",
+    "zk_proofs"
+  ];
+  for (const key of featureKeys) {
+    const featureConfig = profile.features[key];
+    const info = FEATURE_INFO[key];
+    if (featureConfig.enabled) {
+      activeKeys.push(key);
+      let desc = `- ${info.name}: ${info.activeDescription}`;
+      if (key === "injection_detection" && "sensitivity" in featureConfig && featureConfig.sensitivity) {
+        desc += ` Sensitivity: ${featureConfig.sensitivity}.`;
+      }
+      if (key === "context_gating" && "policy_id" in featureConfig && featureConfig.policy_id) {
+        desc += ` Active policy: ${featureConfig.policy_id}.`;
+      }
+      activeFeatures.push(desc);
+    } else {
+      inactiveFeatures.push(info.disabledDescription);
+    }
+  }
+  const lines = [];
+  if (activeKeys.length > 0) {
+    lines.push("QUICK START:");
+    const quickStartItems = buildQuickStart(activeKeys);
+    for (const item of quickStartItems) {
+      lines.push(`  ${item}`);
+    }
+    lines.push("");
+  }
+  lines.push(
+    "You are protected by Sanctuary sovereignty infrastructure. The following protections are active:"
+  );
+  lines.push("");
+  if (activeFeatures.length > 0) {
+    lines.push(...activeFeatures);
+  } else {
+    lines.push(
+      "- No features are currently enabled. Contact your operator to configure protections."
+    );
+  }
+  if (inactiveFeatures.length > 0) {
+    lines.push("");
+    lines.push(
+      `Optional tools available but not currently enabled: ${inactiveFeatures.join(", ")}.`
+    );
+  }
+  return lines.join("\n");
+}
+function buildQuickStart(activeKeys) {
+  const items = [];
+  if (activeKeys.includes("context_gating")) {
+    items.push(
+      "1. ALWAYS call context_gate_filter before sending context to external APIs."
+    );
+  }
+  if (activeKeys.includes("zk_proofs")) {
+    items.push(
+      `${items.length + 1}. Use zk_commit to prove claims without revealing underlying data.`
+    );
+  }
+  if (activeKeys.includes("approval_gate")) {
+    items.push(
+      `${items.length + 1}. High-risk operations will be held for human approval \u2014 expect async responses.`
+    );
+  }
+  if (items.length === 0) {
+    if (activeKeys.includes("audit_logging")) {
+      items.push("1. All tool calls are automatically logged to an encrypted audit trail.");
+    }
+    if (activeKeys.includes("injection_detection")) {
+      items.push(
+        `${items.length + 1}. Tool arguments are scanned for injection \u2014 blocked calls should not be retried.`
+      );
+    }
+  }
+  return items;
+}
+var FEATURE_INFO;
+var init_system_prompt_generator = __esm({
+  "src/system-prompt-generator.ts"() {
+    FEATURE_INFO = {
+      audit_logging: {
+        name: "Audit Logging",
+        activeDescription: "All your tool calls are logged to an encrypted audit trail. No action needed \u2014 this is automatic. You can query the log with monitor_audit_log if you need to review past activity.",
+        toolNames: ["monitor_audit_log"],
+        disabledDescription: "audit logging (monitor_audit_log)",
+        usageExample: "Automatic \u2014 every tool call you make is recorded. No explicit action required."
+      },
+      injection_detection: {
+        name: "Injection Detection",
+        activeDescription: "Your tool call arguments are scanned for prompt injection attempts. This is automatic \u2014 no action needed. If injection is detected in your input, the call will be blocked and you will receive an error. Do not retry blocked calls with the same input.",
+        disabledDescription: "injection detection",
+        usageExample: "Automatic \u2014 if a tool call is blocked with an injection alert, do not retry with the same arguments."
+      },
+      context_gating: {
+        name: "Context Gating",
+        activeDescription: "Before sending context to any external API (LLM inference, tool APIs, logging services), call context_gate_filter to strip sensitive fields. Use context_gate_set_policy to define filtering rules, or context_gate_apply_template for presets.",
+        toolNames: [
+          "context_gate_filter",
+          "context_gate_set_policy",
+          "context_gate_apply_template",
+          "context_gate_recommend",
+          "context_gate_list_policies"
+        ],
+        disabledDescription: "context gating (context_gate_filter)",
+        usageExample: "Before calling an external API, run: context_gate_filter with your context object and policy_id to get a filtered version."
+      },
+      approval_gate: {
+        name: "Approval Gates",
+        activeDescription: "High-risk operations require human approval before execution. Tier 1 operations (export, import, key rotation, deletion) always require approval. Tier 2 operations trigger approval when anomalous behavior is detected. When an operation is held for approval, you will receive an async response \u2014 wait for the human decision before proceeding.",
+        disabledDescription: "approval gates",
+        usageExample: "When you call a Tier 1 operation (e.g., state_export), expect an async hold. The human operator will approve or deny via the dashboard."
+      },
+      zk_proofs: {
+        name: "Zero-Knowledge Proofs",
+        activeDescription: "You can prove claims about your data without revealing the underlying values. Use zk_commit to create a Pedersen commitment, zk_prove (Schnorr proof) to prove you know a committed value, and zk_range_prove to prove a value falls within a range \u2014 all without disclosing the actual data. For simpler SHA-256 commitments, use proof_commitment.",
+        toolNames: [
+          "zk_commit",
+          "zk_prove",
+          "zk_range_prove",
+          "proof_commitment"
+        ],
+        disabledDescription: "zero-knowledge proofs (zk_commit, zk_prove)",
+        usageExample: "To prove a claim without revealing data: first zk_commit to commit, then zk_prove or zk_range_prove to generate a verifiable proof."
+      }
+    };
+  }
+});
+var SESSION_TTL_REMOTE_MS, SESSION_TTL_LOCAL_MS, MAX_SESSIONS, RATE_LIMIT_WINDOW_MS, RATE_LIMIT_GENERAL, RATE_LIMIT_DECISIONS, MAX_RATE_LIMIT_ENTRIES, DashboardApprovalChannel;
+var init_dashboard = __esm({
+  "src/principal-policy/dashboard.ts"() {
+    init_config();
+    init_generator();
+    init_dashboard_html();
+    init_fortress_view();
+    init_system_prompt_generator();
+    SESSION_TTL_REMOTE_MS = 5 * 60 * 1e3;
+    SESSION_TTL_LOCAL_MS = 24 * 60 * 60 * 1e3;
+    MAX_SESSIONS = 1e3;
+    RATE_LIMIT_WINDOW_MS = 6e4;
+    RATE_LIMIT_GENERAL = 120;
+    RATE_LIMIT_DECISIONS = 20;
+    MAX_RATE_LIMIT_ENTRIES = 1e4;
+    DashboardApprovalChannel = class {
+      config;
+      pending = /* @__PURE__ */ new Map();
+      sseClients = /* @__PURE__ */ new Set();
+      httpServer = null;
+      policy = null;
+      baseline = null;
+      auditLog = null;
+      identityManager = null;
+      handshakeResults = null;
+      shrOpts = null;
+      _sanctuaryConfig = null;
+      profileStore = null;
+      clientManager = null;
+      dashboardHTML;
+      fortressHTML = null;
+      loginHTML;
+      authToken;
+      useTLS;
+      /** Session TTL: longer for localhost, shorter for remote */
+      sessionTTLMs;
+      /** SEC-012: Short-lived session store. Sessions replace URL query tokens. */
+      sessions = /* @__PURE__ */ new Map();
+      sessionCleanupTimer = null;
+      /** Rate limiting: per-IP request tracking */
+      rateLimits = /* @__PURE__ */ new Map();
+      /** Whether the dashboard is running in standalone mode (no MCP server) */
+      _standaloneMode = false;
+      constructor(config) {
+        this.config = config;
+        this.authToken = config.auth_token;
+        this.useTLS = !!(config.tls?.cert_path && config.tls?.key_path);
+        const isLocalhost = config.host === "127.0.0.1" || config.host === "localhost" || config.host === "::1";
+        this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
+        this.dashboardHTML = generateDashboardHTML({
+          timeoutSeconds: config.timeout_seconds,
+          serverVersion: SANCTUARY_VERSION
+        });
+        this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
+        this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
+      }
+      /**
+       * Inject dependencies after construction.
+       * Called from index.ts after all components are initialized.
+       */
+      setDependencies(deps) {
+        this.policy = deps.policy;
+        this.baseline = deps.baseline;
+        this.auditLog = deps.auditLog;
+        if (deps.identityManager) this.identityManager = deps.identityManager;
+        if (deps.handshakeResults) this.handshakeResults = deps.handshakeResults;
+        if (deps.shrOpts) this.shrOpts = deps.shrOpts;
+        if (deps.sanctuaryConfig) this._sanctuaryConfig = deps.sanctuaryConfig;
+        if (deps.profileStore) this.profileStore = deps.profileStore;
+        if (deps.clientManager) this.clientManager = deps.clientManager;
+      }
+      /**
+       * Mark this dashboard as running in standalone mode.
+       * Exposed via /api/status so the frontend can show an appropriate banner.
+       */
+      setStandaloneMode(standalone) {
+        this._standaloneMode = standalone;
+      }
+      /**
+       * Start the HTTP(S) server for the dashboard.
+       */
+      async start() {
+        return new Promise((resolve, reject) => {
+          const handler = (req, res) => this.handleRequest(req, res);
+          if (this.useTLS && this.config.tls) {
+            const tlsOpts = {
+              cert: readFileSync(this.config.tls.cert_path),
+              key: readFileSync(this.config.tls.key_path)
+            };
+            this.httpServer = createServer$2(tlsOpts, handler);
+          } else {
+            this.httpServer = createServer$1(handler);
+          }
+          const protocol = this.useTLS ? "https" : "http";
+          const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
+          this.httpServer.listen(this.config.port, this.config.host, () => {
+            const sessionUrl = this.authToken ? this.createSessionUrl() : baseUrl;
+            process.stderr.write(
+              `
+  Sanctuary Principal Dashboard: ${baseUrl}
+`
+            );
+            if (this.authToken) {
               const hint = this.authToken.slice(0, 4) + "..." + this.authToken.slice(-4);
               process.stderr.write(
                 `  Auth token: ${hint}
@@ -5589,8 +6422,14 @@ var init_dashboard = __esm({
         if (!this.checkAuth(req, url, res)) return;
         if (!this.checkRateLimit(req, res, "general")) return;
         try {
-          if (method === "GET" && (url.pathname === "/" || url.pathname === "/dashboard")) {
-            this.serveDashboard(res);
+          if (method === "GET" && url.pathname === "/fortress") {
+            this.serveFortressView(res);
+          } else if (method === "GET" && (url.pathname === "/" || url.pathname === "/dashboard")) {
+            if (this.fortressHTML) {
+              this.serveFortressView(res);
+            } else {
+              this.serveDashboard(res);
+            }
           } else if (method === "GET" && url.pathname === "/events") {
             this.handleSSE(req, res);
           } else if (method === "GET" && url.pathname === "/api/status") {
@@ -5683,7 +6522,36 @@ var init_dashboard = __esm({
           "Content-Type": "text/html; charset=utf-8",
           "Cache-Control": "no-cache"
         });
-        res.end(this.dashboardHTML);
+        res.end(this.dashboardHTML);
+      }
+      serveFortressView(res) {
+        if (!this.fortressHTML) {
+          this.serveDashboard(res);
+          return;
+        }
+        res.writeHead(200, {
+          "Content-Type": "text/html; charset=utf-8",
+          "Cache-Control": "no-cache"
+        });
+        res.end(this.fortressHTML);
+      }
+      /**
+       * Enable Fortress View (Cocoon mode) with the given upstream server count.
+       * Once enabled, the root path `/` serves the Fortress View instead of the
+       * standard dashboard. The standard dashboard remains available at `/dashboard`.
+       */
+      enableFortressView(upstreamServerCount) {
+        this.fortressHTML = generateFortressViewHTML({
+          serverVersion: SANCTUARY_VERSION,
+          authToken: this.authToken,
+          upstreamServerCount
+        });
+      }
+      /**
+       * Broadcast a proxy call event to connected dashboards (Fortress View feed).
+       */
+      broadcastProxyCall(data) {
+        this.broadcastSSE("proxy-call", data);
       }
       handleSSE(req, res) {
         res.writeHead(200, {
@@ -6329,6 +7197,445 @@ var init_sovereignty_profile = __esm({
     };
   }
 });
+async function backupConfig(configPath) {
+  await mkdir(BACKUP_DIR, { recursive: true, mode: 448 });
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  const backupPath = join(BACKUP_DIR, `config-backup-${timestamp}.json`);
+  await copyFile(configPath, backupPath);
+  return backupPath;
+}
+async function restoreConfig(backupPath, targetPath) {
+  await copyFile(backupPath, targetPath);
+}
+async function findLatestBackup() {
+  const metaPath = join(BACKUP_DIR, "cocoon-meta.json");
+  try {
+    const raw = await readFile(metaPath, "utf-8");
+    const meta = JSON.parse(raw);
+    return {
+      backupPath: meta.backupPath,
+      originalPath: meta.originalPath
+    };
+  } catch {
+    return null;
+  }
+}
+async function saveCocoonMeta(meta) {
+  await mkdir(BACKUP_DIR, { recursive: true, mode: 448 });
+  const metaPath = join(BACKUP_DIR, "cocoon-meta.json");
+  await writeFile(metaPath, JSON.stringify(meta, null, 2), { mode: 384 });
+}
+async function detectAgentConfig(platform2, configPath) {
+  if (configPath) {
+    return readConfigFile(configPath, platform2 ?? "generic");
+  }
+  if (platform2) {
+    const paths = PLATFORM_PATHS[platform2];
+    for (const path of paths) {
+      const config = await readConfigFile(path, platform2);
+      if (config) return config;
+    }
+    return null;
+  }
+  for (const [plat, paths] of Object.entries(PLATFORM_PATHS)) {
+    for (const path of paths) {
+      const config = await readConfigFile(path, plat);
+      if (config) return config;
+    }
+  }
+  return null;
+}
+async function readConfigFile(path, platform2) {
+  try {
+    await access(path);
+  } catch {
+    return null;
+  }
+  try {
+    const raw = await readFile(path, "utf-8");
+    const config = JSON.parse(raw);
+    const servers = extractServers(config, platform2);
+    return { platform: platform2, configPath: path, servers, rawConfig: config };
+  } catch {
+    return null;
+  }
+}
+function extractServers(config, platform2) {
+  if (!config || typeof config !== "object") return [];
+  const servers = [];
+  const obj = config;
+  if (platform2 === "openclaw" || platform2 === "generic") {
+    const mcp = obj.mcp;
+    const nestedServers = mcp?.servers;
+    if (nestedServers && typeof nestedServers === "object") {
+      for (const [name, serverConfig] of Object.entries(nestedServers)) {
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+    if (servers.length === 0) {
+      const mcpServers = obj.mcpServers;
+      if (mcpServers && typeof mcpServers === "object") {
+        for (const [name, serverConfig] of Object.entries(mcpServers)) {
+          const entry = parseServerEntry(name, serverConfig);
+          if (entry) servers.push(entry);
+        }
+      }
+    }
+  }
+  if (platform2 === "claude-code") {
+    const mcpServers = obj.mcpServers;
+    if (mcpServers && typeof mcpServers === "object") {
+      for (const [name, serverConfig] of Object.entries(mcpServers)) {
+        if (name.toLowerCase().includes("sanctuary")) continue;
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+  }
+  if (platform2 === "cursor") {
+    const mcpServers = obj.mcpServers;
+    if (mcpServers && typeof mcpServers === "object") {
+      for (const [name, serverConfig] of Object.entries(mcpServers)) {
+        if (name.toLowerCase().includes("sanctuary")) continue;
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+  }
+  return servers;
+}
+function parseServerEntry(name, config) {
+  if (!config || typeof config !== "object") return null;
+  const c = config;
+  const safeName = name.replace(/[^a-zA-Z0-9_-]/g, "-").substring(0, 128);
+  if (!safeName) return null;
+  if (c.url && typeof c.url === "string") {
+    return {
+      name: safeName,
+      transport: "sse",
+      url: c.url,
+      env: extractEnv(c.env)
+    };
+  }
+  if (c.command && typeof c.command === "string") {
+    return {
+      name: safeName,
+      transport: "stdio",
+      command: c.command,
+      args: Array.isArray(c.args) ? c.args.filter((a) => typeof a === "string") : void 0,
+      env: extractEnv(c.env)
+    };
+  }
+  return null;
+}
+function extractEnv(env) {
+  if (!env || typeof env !== "object") return void 0;
+  const result = {};
+  for (const [k, v] of Object.entries(env)) {
+    if (typeof v === "string") result[k] = v;
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+}
+async function rewriteConfigForCocoon(agentConfig, sanctuaryCommand, sanctuaryArgs, sanctuaryEnv) {
+  const raw = agentConfig.rawConfig;
+  let existingServers = {};
+  if (agentConfig.platform === "openclaw") {
+    const existingMcp = raw.mcp ?? {};
+    existingServers = existingMcp.servers ?? {};
+  } else {
+    existingServers = raw.mcpServers ?? {};
+  }
+  let resolvedEnv = sanctuaryEnv;
+  if (!resolvedEnv) {
+    const existingSanctuary = existingServers.sanctuary;
+    if (existingSanctuary?.env && typeof existingSanctuary.env === "object") {
+      const extracted = extractEnv(existingSanctuary.env);
+      if (extracted) resolvedEnv = extracted;
+    }
+  }
+  const sanctuaryEntry = {
+    command: sanctuaryCommand,
+    args: sanctuaryArgs
+  };
+  if (resolvedEnv && Object.keys(resolvedEnv).length > 0) {
+    sanctuaryEntry.env = resolvedEnv;
+  }
+  let rewritten;
+  if (agentConfig.platform === "openclaw") {
+    const existingMcp = raw.mcp ?? {};
+    rewritten = {
+      ...raw,
+      mcp: {
+        ...existingMcp,
+        servers: {
+          ...existingServers,
+          sanctuary: sanctuaryEntry
+        }
+      }
+    };
+    delete rewritten.mcpServers;
+  } else {
+    rewritten = {
+      ...raw,
+      mcpServers: {
+        ...existingServers,
+        sanctuary: sanctuaryEntry
+      }
+    };
+  }
+  await writeFile(agentConfig.configPath, JSON.stringify(rewritten, null, 2), { mode: 384 });
+  return agentConfig.configPath;
+}
+var PLATFORM_PATHS, BACKUP_DIR;
+var init_config_reader = __esm({
+  "src/cocoon/config-reader.ts"() {
+    PLATFORM_PATHS = {
+      "openclaw": [
+        join(homedir(), ".openclaw", "openclaw.json"),
+        join(homedir(), ".openclaw", "config.json"),
+        join(homedir(), "Library", "Application Support", "OpenClaw", "openclaw.json"),
+        join(homedir(), "Library", "Application Support", "OpenClaw", "config.json")
+      ],
+      "claude-code": [
+        join(homedir(), ".claude", "settings.json"),
+        join(homedir(), ".config", "claude-code", "settings.json")
+      ],
+      "cursor": [
+        join(homedir(), ".cursor", "mcp.json")
+      ],
+      "generic": []
+    };
+    BACKUP_DIR = join(homedir(), ".sanctuary", "backup");
+  }
+});
+
+// src/cocoon/cli.ts
+var cli_exports = {};
+__export(cli_exports, {
+  COCOON_GOVERNOR_DEFAULTS: () => COCOON_GOVERNOR_DEFAULTS,
+  parseCocoonArgs: () => parseCocoonArgs,
+  runCocoon: () => runCocoon
+});
+async function runCocoon(options) {
+  if (options.unwrap) {
+    await unwrap();
+    return;
+  }
+  let platform2;
+  if (options.openclaw) platform2 = "openclaw";
+  else if (options.claudeCode) platform2 = "claude-code";
+  else if (options.cursor) platform2 = "cursor";
+  const agentConfig = await detectAgentConfig(platform2, options.wrap);
+  if (!agentConfig) {
+    if (platform2) {
+      console.error(`Could not find ${platform2} configuration. Check that the agent is installed.`);
+    } else if (options.wrap) {
+      console.error(`Could not read config file: ${options.wrap}`);
+    } else {
+      console.error("Could not auto-detect any agent configuration.");
+      console.error("Use --openclaw, --claude-code, --cursor, or --wrap /path/to/config.json");
+    }
+    process.exit(1);
+  }
+  if (agentConfig.servers.length === 0) {
+    console.error(`Found ${agentConfig.platform} config at ${agentConfig.configPath}, but no MCP servers configured.`);
+    process.exit(1);
+  }
+  console.error(`
+  Sanctuary Cocoon
+`);
+  console.error(`  Platform: ${agentConfig.platform}`);
+  console.error(`  Config: ${agentConfig.configPath}`);
+  console.error(`  MCP servers found: ${agentConfig.servers.length}
+`);
+  const upstreamServers = convertToUpstreamServers(agentConfig.servers);
+  for (const server of upstreamServers) {
+    const overrideCount = Object.keys(server.tool_overrides ?? {}).length;
+    console.error(`  \u2192 ${server.name} (${server.transport.type}) \u2014 default: Tier ${server.default_tier}`);
+    if (overrideCount > 0) {
+      console.error(`    ${overrideCount} tool-specific tier overrides`);
+    }
+  }
+  if (options.dryRun) {
+    console.error(`
+  Dry run \u2014 no changes made.
+`);
+    return;
+  }
+  const storagePath = join(homedir(), ".sanctuary");
+  await mkdir(storagePath, { recursive: true, mode: 448 });
+  const profile = createCocoonProfile(upstreamServers);
+  const cocoonConfigPath = join(storagePath, "cocoon-profile.json");
+  await writeFile(cocoonConfigPath, JSON.stringify(profile, null, 2), { mode: 384 });
+  const backupPath = await backupConfig(agentConfig.configPath);
+  await saveCocoonMeta({
+    backupPath,
+    originalPath: agentConfig.configPath,
+    platform: agentConfig.platform,
+    wrappedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  console.error(`
+  Original config backed up to: ${backupPath}`);
+  await rewriteConfigForCocoon(
+    agentConfig,
+    "npx",
+    [
+      "@sanctuary-framework/mcp-server",
+      ...options.passphrase ? ["--passphrase", options.passphrase] : []
+    ]
+  );
+  console.error(`  Agent config rewritten to route through Sanctuary`);
+  const dashboardPort = options.port ?? 3501;
+  console.error(`
+  Your agent is now protected.`);
+  console.error(`  All tool calls are being logged and scanned.`);
+  console.error(`
+  To view the dashboard, run in a separate terminal:`);
+  console.error(`    npx @sanctuary-framework/mcp-server dashboard --port ${dashboardPort}`);
+  console.error(`
+  To restore: npx @sanctuary-framework/cocoon --unwrap
+`);
+}
+async function unwrap() {
+  const meta = await findLatestBackup();
+  if (!meta) {
+    console.error("No Cocoon wrapping found to restore.");
+    console.error("Run --wrap or --openclaw first.");
+    process.exit(1);
+  }
+  try {
+    await access(meta.backupPath);
+  } catch {
+    console.error(`Backup file not found: ${meta.backupPath}`);
+    process.exit(1);
+  }
+  await restoreConfig(meta.backupPath, meta.originalPath);
+  console.error(`
+  Sanctuary Cocoon \u2014 Unwrapped`);
+  console.error(`  Original config restored to: ${meta.originalPath}`);
+  console.error(`  Backup preserved at: ${meta.backupPath}
+`);
+}
+function convertToUpstreamServers(servers) {
+  return servers.map((server) => {
+    const upstream = {
+      name: server.name,
+      transport: server.transport === "sse" ? { type: "sse", url: server.url } : {
+        type: "stdio",
+        command: server.command,
+        ...server.args ? { args: server.args } : {},
+        ...server.env ? { env: server.env } : {}
+      },
+      enabled: true,
+      default_tier: 2
+    };
+    return upstream;
+  });
+}
+function createCocoonProfile(upstreamServers) {
+  return {
+    version: 1,
+    features: {
+      audit_logging: { enabled: true },
+      // Non-negotiable
+      injection_detection: { enabled: true },
+      // Non-negotiable
+      context_gating: { enabled: false },
+      // Can enable later
+      approval_gate: { enabled: true },
+      // Core enforcement — always ON
+      zk_proofs: { enabled: false }
+      // Not needed for Cocoon
+    },
+    upstream_servers: upstreamServers,
+    updated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function parseCocoonArgs(argv) {
+  const options = {};
+  for (let i = 0; i < argv.length; i++) {
+    switch (argv[i]) {
+      case "--wrap":
+        options.wrap = argv[++i];
+        break;
+      case "--openclaw":
+        options.openclaw = true;
+        break;
+      case "--claude-code":
+        options.claudeCode = true;
+        break;
+      case "--cursor":
+        options.cursor = true;
+        break;
+      case "--unwrap":
+        options.unwrap = true;
+        break;
+      case "--passphrase":
+        options.passphrase = argv[++i];
+        break;
+      case "--port":
+        options.port = parseInt(argv[++i], 10);
+        break;
+      case "--dry-run":
+        options.dryRun = true;
+        break;
+      case "--help":
+      case "-h":
+        printCocoonHelp();
+        process.exit(0);
+    }
+  }
+  return options;
+}
+function printCocoonHelp() {
+  console.log(`
+  Sanctuary Cocoon \u2014 Wrap any agent in sovereignty protection
+
+  Usage:
+    npx @sanctuary-framework/cocoon --openclaw        # Wrap OpenClaw agent
+    npx @sanctuary-framework/cocoon --claude-code      # Wrap Claude Code
+    npx @sanctuary-framework/cocoon --cursor           # Wrap Cursor
+    npx @sanctuary-framework/cocoon --wrap config.json # Wrap generic MCP config
+    npx @sanctuary-framework/cocoon --unwrap           # Restore original config
+
+  Options:
+    --openclaw        Auto-detect and wrap OpenClaw agent
+    --claude-code     Auto-detect and wrap Claude Code
+    --cursor          Auto-detect and wrap Cursor
+    --wrap <path>     Wrap a specific MCP config file
+    --unwrap          Restore original config from backup
+    --passphrase <p>  Encryption passphrase
+    --port <port>     Dashboard port (default: 3501)
+    --dry-run         Show what would happen without making changes
+    --help, -h        Show this help
+
+  What happens:
+    1. Reads your agent's MCP server configuration
+    2. Backs up the original config to ~/.sanctuary/backup/
+    3. Rewrites the config so your agent routes through Sanctuary
+    4. All tool calls are logged, scanned for injection, and rate-limited
+    5. Dangerous operations require your approval via the dashboard
+
+  Rollback:
+    --unwrap restores the original config from backup.
+    Backups are preserved and never deleted.
+`);
+}
+var COCOON_GOVERNOR_DEFAULTS;
+var init_cli = __esm({
+  "src/cocoon/cli.ts"() {
+    init_config_reader();
+    COCOON_GOVERNOR_DEFAULTS = {
+      volume_limit: 200,
+      // 200 calls per 10-minute window
+      rate_limit_per_tool: 20,
+      // 20 calls/min per individual tool
+      lifetime_limit: 1e3
+      // 1000 total calls per session
+    };
+  }
+});
 
 // src/dashboard-standalone.ts
 var dashboard_standalone_exports = {};
@@ -7380,7 +8687,7 @@ function createL3Tools(storage, masterKey, auditLog) {
   const tools = [
     // ─── Commitment Schemes ───────────────────────────────────────────────
     {
-      name: "sanctuary/proof_commitment",
+      name: "proof_commitment",
       description: "Create a cryptographic commitment to a value. The commitment hides the value until you choose to reveal it. Returns the commitment hash and a blinding factor (store securely).",
       inputSchema: {
         type: "object",
@@ -7415,7 +8722,7 @@ function createL3Tools(storage, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/proof_reveal",
+      name: "proof_reveal",
       description: "Verify a previously committed value by revealing it with the blinding factor. Returns whether the revealed value matches the commitment.",
       inputSchema: {
         type: "object",
@@ -7453,7 +8760,7 @@ function createL3Tools(storage, masterKey, auditLog) {
     },
     // ─── Disclosure Policies ──────────────────────────────────────────────
     {
-      name: "sanctuary/disclosure_set_policy",
+      name: "disclosure_set_policy",
       description: "Define a disclosure policy that controls what an agent will and will not disclose in different interaction contexts. Rules specify which fields may be disclosed, which must be withheld, and which require cryptographic proof.",
       inputSchema: {
         type: "object",
@@ -7528,7 +8835,7 @@ function createL3Tools(storage, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/disclosure_evaluate",
+      name: "disclosure_evaluate",
       description: "Evaluate a disclosure request against an active policy. Returns per-field decisions: disclose, withhold, proof, or ask-principal.",
       inputSchema: {
         type: "object",
@@ -7604,7 +8911,7 @@ function createL3Tools(storage, masterKey, auditLog) {
     },
     // ─── ZK Proof Tools ───────────────────────────────────────────────────
     {
-      name: "sanctuary/zk_commit",
+      name: "zk_commit",
       description: "Create a Pedersen commitment to a numeric value on Ristretto255. Unlike SHA-256 commitments, Pedersen commitments support zero-knowledge proofs: you can prove properties about the committed value without revealing it.",
       inputSchema: {
         type: "object",
@@ -7635,7 +8942,7 @@ function createL3Tools(storage, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/zk_prove",
+      name: "zk_prove",
       description: "Create a zero-knowledge proof of knowledge for a Pedersen commitment. Proves you know the value and blinding factor without revealing either. Uses a Schnorr sigma protocol with Fiat-Shamir transform.",
       inputSchema: {
         type: "object",
@@ -7676,7 +8983,7 @@ function createL3Tools(storage, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/zk_verify",
+      name: "zk_verify",
       description: "Verify a zero-knowledge proof of knowledge for a Pedersen commitment. Checks that the prover knows the commitment's opening without learning anything.",
       inputSchema: {
         type: "object",
@@ -7704,7 +9011,7 @@ function createL3Tools(storage, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/zk_range_prove",
+      name: "zk_range_prove",
       description: "Create a zero-knowledge range proof: prove that a committed value is within [min, max] without revealing the exact value. Uses bit-decomposition with OR-proofs on Ristretto255.",
       inputSchema: {
         type: "object",
@@ -7754,7 +9061,7 @@ function createL3Tools(storage, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/zk_range_verify",
+      name: "zk_range_verify",
       description: "Verify a zero-knowledge range proof \u2014 confirms a committed value is within the claimed range without learning the value.",
       inputSchema: {
         type: "object",
@@ -8200,14 +9507,14 @@ function tierDistribution(tiers) {
 }
 
 // src/l4-reputation/tools.ts
-function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeResults) {
+function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeResults, verascoreUrl) {
   const reputationStore = new ReputationStore(storage, masterKey);
   const identityEncryptionKey = derivePurposeKey(masterKey, "identity-encryption");
   const hsResults = handshakeResults ?? /* @__PURE__ */ new Map();
   const tools = [
     // ─── Reputation Recording ─────────────────────────────────────────
     {
-      name: "sanctuary/reputation_record",
+      name: "reputation_record",
       description: "Record an interaction outcome as a signed attestation. Creates an EAS-compatible attestation signed by the specified identity.",
       inputSchema: {
         type: "object",
@@ -8300,7 +9607,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Reputation Query ─────────────────────────────────────────────
     {
-      name: "sanctuary/reputation_query",
+      name: "reputation_query",
       description: "Query aggregated reputation data with filtering. Returns summary statistics, never raw interaction details.",
       inputSchema: {
         type: "object",
@@ -8348,7 +9655,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Reputation Export ─────────────────────────────────────────────
     {
-      name: "sanctuary/reputation_export",
+      name: "reputation_export",
       description: "Export a portable reputation bundle (SANCTUARY_REP_V1). Includes all signed attestations for independent verification.",
       inputSchema: {
         type: "object",
@@ -8407,7 +9714,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Reputation Import ────────────────────────────────────────────
     {
-      name: "sanctuary/reputation_import",
+      name: "reputation_import",
       description: "Import a reputation bundle from another Sanctuary instance. Verifies all attestation signatures by default.",
       inputSchema: {
         type: "object",
@@ -8459,7 +9766,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Sovereignty-Weighted Query ──────────────────────────────────
     {
-      name: "sanctuary/reputation_query_weighted",
+      name: "reputation_query_weighted",
       description: "Query reputation with sovereignty-weighted scoring. Attestations from verified-sovereign agents carry full weight (1.0); unverified attestations carry reduced weight (0.2). Returns both the weighted score and tier distribution.",
       inputSchema: {
         type: "object",
@@ -8515,7 +9822,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Trust Bootstrap: Escrow ──────────────────────────────────────
     {
-      name: "sanctuary/bootstrap_create_escrow",
+      name: "bootstrap_create_escrow",
       description: "Create an escrow record for trust bootstrapping. Allows new participants with no reputation to transact safely.",
       inputSchema: {
         type: "object",
@@ -8574,7 +9881,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Trust Bootstrap: Guarantee ───────────────────────────────────
     {
-      name: "sanctuary/bootstrap_provide_guarantee",
+      name: "bootstrap_provide_guarantee",
       description: "A principal provides a signed reputation guarantee for a new agent. The guarantee certificate can be presented to counterparties.",
       inputSchema: {
         type: "object",
@@ -8652,7 +9959,7 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
     },
     // ─── Verascore Reputation Publish ────────────────────────────────
     {
-      name: "sanctuary/reputation_publish",
+      name: "reputation_publish",
       description: "Publish sovereignty data to Verascore (verascore.ai) \u2014 the agent reputation platform. Sends SHR data, handshake attestations, or sovereignty updates. The data is signed with the agent's Ed25519 key for verification. Requires a Verascore agent profile (claimed or stub) to exist.",
       inputSchema: {
         type: "object",
@@ -8690,8 +9997,18 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
           });
         }
         const publishType = args.type;
-        const veracoreUrl = args.verascore_url || "https://verascore.ai";
-        const ALLOWED_VERASCORE_HOSTS = ["verascore.ai", "www.verascore.ai", "api.verascore.ai"];
+        const configuredVerascoreUrl = verascoreUrl || "https://verascore.ai";
+        const veracoreUrl = args.verascore_url || configuredVerascoreUrl;
+        const ALLOWED_VERASCORE_HOSTS = /* @__PURE__ */ new Set([
+          "verascore.ai",
+          "www.verascore.ai",
+          "api.verascore.ai"
+        ]);
+        try {
+          const configuredHost = new URL(configuredVerascoreUrl).hostname;
+          ALLOWED_VERASCORE_HOSTS.add(configuredHost);
+        } catch {
+        }
         try {
           const parsed = new URL(veracoreUrl);
           if (parsed.protocol !== "https:") {
@@ -8699,9 +10016,9 @@ function createL4Tools(storage, masterKey, identityManager, auditLog, handshakeR
               error: `verascore_url must use HTTPS. Got: ${parsed.protocol}`
             });
           }
-          if (!ALLOWED_VERASCORE_HOSTS.includes(parsed.hostname)) {
+          if (!ALLOWED_VERASCORE_HOSTS.has(parsed.hostname)) {
             return toolResult({
-              error: `verascore_url must point to a known Verascore domain (${ALLOWED_VERASCORE_HOSTS.join(", ")}). Got: ${parsed.hostname}`
+              error: `verascore_url must point to a known Verascore domain (${[...ALLOWED_VERASCORE_HOSTS].join(", ")}). Got: ${parsed.hostname}`
             });
           }
         } catch {
@@ -9264,7 +10581,7 @@ var InjectionDetector = class {
   }
   /**
    * Scan tool arguments for injection signals.
-   * @param toolName Full tool name (e.g., "sanctuary/state_read")
+   * @param toolName Full tool name (e.g., "state_read")
    * @param args Tool arguments
    * @returns DetectionResult with all detected signals
    */
@@ -10265,7 +11582,7 @@ var ApprovalGate = class {
   /**
    * Evaluate a tool call against the Principal Policy.
    *
-   * @param toolName - Full MCP tool name (e.g., "sanctuary/state_export")
+   * @param toolName - Full MCP tool name (e.g., "state_export")
    * @param args - Tool call arguments (for context extraction)
    * @returns GateResult indicating whether the call is allowed
    */
@@ -10535,7 +11852,7 @@ init_router();
 function createPrincipalPolicyTools(policy, baseline, auditLog) {
   return [
     {
-      name: "sanctuary/principal_policy_view",
+      name: "principal_policy_view",
       description: "View the current Principal Policy \u2014 the human-controlled rules governing what operations require approval. Read-only.",
       inputSchema: {
         type: "object",
@@ -10573,7 +11890,7 @@ function createPrincipalPolicyTools(policy, baseline, auditLog) {
       }
     },
     {
-      name: "sanctuary/principal_baseline_view",
+      name: "principal_baseline_view",
       description: "View the current behavioral baseline \u2014 the session profile used for anomaly detection. Shows known namespaces, counterparties, and tool call counts. Read-only.",
       inputSchema: {
         type: "object",
@@ -10922,7 +12239,7 @@ function createSHRTools(config, identityManager, masterKey, auditLog) {
   };
   const tools = [
     {
-      name: "sanctuary/shr_generate",
+      name: "shr_generate",
       description: "Generate a signed Sovereignty Health Report (SHR) \u2014 a machine-readable, cryptographically signed advertisement of this instance's sovereignty posture. Present this to counterparties to prove your sovereignty capabilities.",
       inputSchema: {
         type: "object",
@@ -10951,7 +12268,7 @@ function createSHRTools(config, identityManager, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/shr_verify",
+      name: "shr_verify",
       description: "Verify a counterparty's Sovereignty Health Report (SHR). Checks signature validity, temporal validity, and assesses sovereignty level.",
       inputSchema: {
         type: "object",
@@ -10977,7 +12294,7 @@ function createSHRTools(config, identityManager, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/shr_gateway_export",
+      name: "shr_gateway_export",
       description: "Export this instance's Sovereignty Health Report formatted for Ping Identity's Agent Gateway or other identity providers. Transforms the SHR into an authorization context with sovereignty scores, capability flags, and recommended access constraints.",
       inputSchema: {
         type: "object",
@@ -11030,6 +12347,9 @@ function createSHRTools(config, identityManager, masterKey, auditLog) {
 // src/handshake/tools.ts
 init_router();
 init_generator();
+init_identity();
+init_key_derivation();
+init_encoding();
 
 // src/handshake/protocol.ts
 init_identity();
@@ -11354,7 +12674,10 @@ function verifyAttestation(attestation, now) {
 }
 
 // src/handshake/tools.ts
-function createHandshakeTools(config, identityManager, masterKey, auditLog) {
+function createHandshakeTools(config, identityManager, masterKey, auditLog, options) {
+  const autoPublishHandshakes = options?.autoPublishHandshakes ?? false;
+  const verascoreUrl = options?.verascoreUrl ?? "https://verascore.ai";
+  const identityEncKey = derivePurposeKey(masterKey, "identity-encryption");
   const sessions = /* @__PURE__ */ new Map();
   const handshakeResults = /* @__PURE__ */ new Map();
   const shrOpts = {
@@ -11364,7 +12687,7 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
   };
   const tools = [
     {
-      name: "sanctuary/handshake_initiate",
+      name: "handshake_initiate",
       description: "Initiate a sovereignty handshake with a counterparty. Generates a challenge containing this instance's signed SHR and a cryptographic nonce. Send the returned challenge to the counterparty.",
       inputSchema: {
         type: "object",
@@ -11391,7 +12714,7 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/handshake_respond",
+      name: "handshake_respond",
       description: "Respond to an incoming sovereignty handshake challenge. Verifies the initiator's SHR, signs their nonce, and returns our SHR with a counter-nonce.",
       inputSchema: {
         type: "object",
@@ -11426,17 +12749,93 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
         }
         sessions.set(result.session.session_id, result.session);
         auditLog.append("l4", "handshake_respond", shr.body.instance_id);
+        let autoPublishResult;
+        if (autoPublishHandshakes) {
+          autoPublishResult = { attempted: true };
+          try {
+            const parsed = new URL(verascoreUrl);
+            if (parsed.protocol !== "https:") {
+              autoPublishResult.error = `verascore URL must use HTTPS (got ${parsed.protocol})`;
+            } else {
+              const attestationPayload = {
+                type: "handshake",
+                our_shr_signed_by: shr.signed_by,
+                counterparty_signed_by: "redacted",
+                session_id: result.session.session_id,
+                responded_at: (/* @__PURE__ */ new Date()).toISOString()
+              };
+              const responderIdentity = identityManager.get(shr.body.instance_id);
+              if (!responderIdentity) {
+                autoPublishResult.error = `responder identity ${shr.body.instance_id} not found; skipping auto-publish`;
+                auditLog.append(
+                  "l4",
+                  "handshake_auto_publish",
+                  shr.body.instance_id,
+                  { error: autoPublishResult.error },
+                  "failure"
+                );
+              } else {
+                const payloadBytes = new TextEncoder().encode(
+                  JSON.stringify(attestationPayload)
+                );
+                const sigBytes = sign(
+                  payloadBytes,
+                  responderIdentity.encrypted_private_key,
+                  identityEncKey
+                );
+                const signatureB64 = toBase64url(sigBytes);
+                const resp = await fetch(
+                  `${verascoreUrl.replace(/\/$/, "")}/api/publish`,
+                  {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify({
+                      agentId: shr.body.instance_id,
+                      publicKey: shr.signed_by,
+                      signature: signatureB64,
+                      type: "handshake",
+                      data: attestationPayload
+                    })
+                  }
+                );
+                autoPublishResult.ok = resp.ok;
+                autoPublishResult.status = resp.status;
+                auditLog.append(
+                  "l4",
+                  "handshake_auto_publish",
+                  shr.body.instance_id,
+                  {
+                    verascore_url: verascoreUrl,
+                    status: resp.status,
+                    ok: resp.ok
+                  },
+                  resp.ok ? "success" : "failure"
+                );
+              }
+            }
+          } catch (err) {
+            autoPublishResult.error = err instanceof Error ? err.message : String(err);
+            auditLog.append(
+              "l4",
+              "handshake_auto_publish",
+              shr.body.instance_id,
+              { verascore_url: verascoreUrl, error: autoPublishResult.error },
+              "failure"
+            );
+          }
+        }
         return toolResult({
           session_id: result.session.session_id,
           response: result.response,
           instructions: "Send the 'response' object back to the initiator. When you receive their completion, pass it to sanctuary/handshake_status with this session_id.",
+          auto_publish: autoPublishResult,
           // SEC-ADD-03: Tag response — contains SHR data that will be sent to counterparty
           _content_trust: "external"
         });
       }
     },
     {
-      name: "sanctuary/handshake_complete",
+      name: "handshake_complete",
       description: "Complete a sovereignty handshake (initiator side). Verifies the responder's SHR and nonce signature, signs their nonce, and produces the final result.",
       inputSchema: {
         type: "object",
@@ -11491,7 +12890,7 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/handshake_status",
+      name: "handshake_status",
       description: "Check the status of a handshake session, or verify a completion message (responder side).",
       inputSchema: {
         type: "object",
@@ -11541,7 +12940,7 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
     },
     // ─── Streamlined Exchange ─────────────────────────────────────────
     {
-      name: "sanctuary/handshake_exchange",
+      name: "handshake_exchange",
       description: "One-shot sovereignty exchange. Accepts a counterparty's signed SHR, verifies it, generates our SHR, and produces a signed attestation artifact \u2014 all in a single call. Returns a shareable attestation with human-readable summary. Use this instead of the 4-step handshake protocol when you want a quick, portable sovereignty verification (e.g., for social posting or async exchanges).",
       inputSchema: {
         type: "object",
@@ -11608,7 +13007,7 @@ function createHandshakeTools(config, identityManager, masterKey, auditLog) {
       }
     },
     {
-      name: "sanctuary/handshake_verify_attestation",
+      name: "handshake_verify_attestation",
       description: "Verify a signed attestation artifact from another agent. Checks the Ed25519 signature, temporal validity, and structural integrity.",
       inputSchema: {
         type: "object",
@@ -11820,7 +13219,7 @@ function createFederationTools(auditLog, handshakeResults) {
   const tools = [
     // ─── Peer Management ──────────────────────────────────────────────
     {
-      name: "sanctuary/federation_peers",
+      name: "federation_peers",
       description: "List known federation peers, register a peer from a completed handshake, or remove a peer. Every peer MUST enter through a verified handshake \u2014 no self-registration allowed.",
       inputSchema: {
         type: "object",
@@ -11923,7 +13322,7 @@ function createFederationTools(auditLog, handshakeResults) {
     },
     // ─── Trust Evaluation ─────────────────────────────────────────────
     {
-      name: "sanctuary/federation_trust_evaluate",
+      name: "federation_trust_evaluate",
       description: "Evaluate the trust level of a federation peer. Considers handshake status, sovereignty tier, reputation score, and mutual attestation history. Returns a composite trust assessment.",
       inputSchema: {
         type: "object",
@@ -11958,7 +13357,7 @@ function createFederationTools(auditLog, handshakeResults) {
     },
     // ─── Federation Status ────────────────────────────────────────────
     {
-      name: "sanctuary/federation_status",
+      name: "federation_status",
       description: "Overview of federation state: total peers, active connections, trust distribution, and readiness for cross-instance operations.",
       inputSchema: {
         type: "object",
@@ -12171,7 +13570,7 @@ function createBridgeTools(storage, masterKey, identityManager, auditLog, handsh
   const tools = [
     // ─── bridge_commit ─────────────────────────────────────────────────
     {
-      name: "sanctuary/bridge_commit",
+      name: "bridge_commit",
       description: "Create a cryptographic commitment binding a Concordia negotiation outcome to Sanctuary's L3 proof layer. The commitment includes a SHA-256 hash of the canonical outcome (hiding + binding), an Ed25519 signature by the committer's identity, and an optional Pedersen commitment on the round count for zero-knowledge range proofs. This is the Sanctuary side of the Concordia bridge \u2014 call this when a Concordia `accept` fires.",
       inputSchema: {
         type: "object",
@@ -12273,7 +13672,7 @@ function createBridgeTools(storage, masterKey, identityManager, auditLog, handsh
     },
     // ─── bridge_verify ───────────────────────────────────────────────────
     {
-      name: "sanctuary/bridge_verify",
+      name: "bridge_verify",
       description: "Verify a bridge commitment against a revealed Concordia negotiation outcome. Checks SHA-256 commitment validity, Ed25519 signature, session ID match, terms hash integrity, and Pedersen commitment (if present). Use this to confirm that a counterparty's claimed negotiation outcome matches what was cryptographically committed.",
       inputSchema: {
         type: "object",
@@ -12329,7 +13728,7 @@ function createBridgeTools(storage, masterKey, identityManager, auditLog, handsh
     },
     // ─── bridge_attest ───────────────────────────────────────────────────
     {
-      name: "sanctuary/bridge_attest",
+      name: "bridge_attest",
       description: "Record a Concordia negotiation as a Sanctuary L4 reputation attestation, linked to a bridge commitment. This completes the bridge: the commitment (L3) proves the terms were agreed, and the attestation (L4) feeds the sovereignty-weighted reputation score. The attestation is automatically tagged with the counterparty's sovereignty tier from any completed handshake.",
       inputSchema: {
         type: "object",
@@ -12893,7 +14292,7 @@ function generateGaps(env, l1, l2, l3, l4) {
       title: "No context gating for outbound inference calls",
       description: "Your agent sends its full context \u2014 conversation history, memory, preferences, internal reasoning \u2014 to remote LLM providers on every inference call. There is no mechanism to filter what leaves the sovereignty boundary. The provider sees everything the agent knows.",
       openclaw_relevance: env.openclaw_detected ? "OpenClaw sends full agent context (including MEMORY.md, tool results, and conversation history) to the configured LLM provider with every API call. There is no built-in context filtering." : null,
-      sanctuary_solution: "Sanctuary's context gating (sanctuary/context_gate_set_policy + sanctuary/context_gate_filter) lets you define per-provider policies that control exactly what context flows outbound. Redact secrets, hash identifiers, and send only minimum-necessary context for each call.",
+      sanctuary_solution: "Sanctuary's context gating (sanctuary/context_gate_set_policy + context_gate_filter) lets you define per-provider policies that control exactly what context flows outbound. Redact secrets, hash identifiers, and send only minimum-necessary context for each call.",
       incident_class: INCIDENT_CONTEXT_LEAKAGE
     });
   }
@@ -12905,7 +14304,7 @@ function generateGaps(env, l1, l2, l3, l4) {
       title: "No audit trail",
       description: "No audit trail exists for tool call history. There is no record of what operations were executed, when, or by whom.",
       openclaw_relevance: null,
-      sanctuary_solution: "Sanctuary maintains an encrypted audit log of all operations, queryable via sanctuary/monitor_audit_log.",
+      sanctuary_solution: "Sanctuary maintains an encrypted audit log of all operations, queryable via monitor_audit_log.",
       incident_class: INCIDENT_CLAUDE_CODE_LEAK
     });
   }
@@ -12940,7 +14339,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
     recs.push({
       priority: 1,
       action: "Create a cryptographic identity \u2014 your agent's foundation for all sovereignty operations",
-      tool: "sanctuary/identity_create",
+      tool: "identity_create",
       effort: "immediate",
       impact: "critical"
     });
@@ -12949,7 +14348,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
     recs.push({
       priority: 2,
       action: "Migrate plaintext agent state to Sanctuary's encrypted store",
-      tool: "sanctuary/state_write",
+      tool: "state_write",
       effort: "minutes",
       impact: "critical"
     });
@@ -12957,7 +14356,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
   recs.push({
     priority: 3,
     action: "Generate a Sovereignty Health Report to present to counterparties",
-    tool: "sanctuary/shr_generate",
+    tool: "shr_generate",
     effort: "immediate",
     impact: "high"
   });
@@ -12965,7 +14364,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
     recs.push({
       priority: 4,
       action: "Enable the three-tier Principal Policy gate for graduated approval",
-      tool: "sanctuary/principal_policy_view",
+      tool: "principal_policy_view",
       effort: "minutes",
       impact: "high"
     });
@@ -12974,7 +14373,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
     recs.push({
       priority: 5,
       action: "Configure context gating to control what flows to LLM providers",
-      tool: "sanctuary/context_gate_set_policy",
+      tool: "context_gate_set_policy",
       effort: "minutes",
       impact: "high"
     });
@@ -12983,7 +14382,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
     recs.push({
       priority: 6,
       action: "Start recording reputation attestations from completed interactions",
-      tool: "sanctuary/reputation_record",
+      tool: "reputation_record",
       effort: "minutes",
       impact: "medium"
     });
@@ -12992,7 +14391,7 @@ function generateRecommendations(env, l1, l2, l3, l4) {
     recs.push({
       priority: 7,
       action: "Configure selective disclosure policies for data sharing",
-      tool: "sanctuary/disclosure_set_policy",
+      tool: "disclosure_set_policy",
       effort: "hours",
       impact: "medium"
     });
@@ -13132,7 +14531,7 @@ function wordWrap(text, maxWidth) {
 function createAuditTools(config) {
   const tools = [
     {
-      name: "sanctuary/sovereignty_audit",
+      name: "sovereignty_audit",
       description: "Audit your agent's sovereignty posture. Inspects the local environment for encryption, identity, approval gates, selective disclosure, and reputation \u2014 including OpenClaw-specific configurations. Returns a scored gap analysis with prioritized recommendations.",
       inputSchema: {
         type: "object",
@@ -13150,8 +14549,304 @@ function createAuditTools(config) {
         const report = formatAuditReport(result);
         return {
           content: [
-            { type: "text", text: report },
-            { type: "text", text: JSON.stringify(result, null, 2) }
+            { type: "text", text: report },
+            { type: "text", text: JSON.stringify(result, null, 2) }
+          ]
+        };
+      }
+    }
+  ];
+  return { tools };
+}
+
+// src/audit/siem-formatter.ts
+function parseGateDecision(details) {
+  if (!details || typeof details.gate_decision !== "string") {
+    return "auto-allow";
+  }
+  const decision = details.gate_decision.toLowerCase();
+  if (decision === "approve" || decision === "deny") {
+    return decision;
+  }
+  return "auto-allow";
+}
+function parseTier(details) {
+  if (!details || typeof details.tier !== "number") {
+    return 3;
+  }
+  return Math.max(1, Math.min(3, details.tier));
+}
+function parseSessionId(details) {
+  if (!details || typeof details.session_id !== "string") {
+    return "unknown";
+  }
+  return details.session_id;
+}
+function parseAgentDid(details) {
+  if (!details || typeof details.agent_did !== "string") {
+    return "unknown";
+  }
+  return details.agent_did;
+}
+function gateToCEFSeverity(decision, tier) {
+  if (decision === "deny") {
+    return 8;
+  }
+  if (decision === "approve") {
+    if (tier === 1) return 5;
+    if (tier === 2) return 3;
+  }
+  return 1;
+}
+function formatAsCEF(entry, options) {
+  const version = "0";
+  const vendor = "Sanctuary";
+  const product = "MCP-Server";
+  const productVersion = "0.7.0";
+  const decision = parseGateDecision(entry.details);
+  const tier = parseTier(entry.details);
+  const sessionId = parseSessionId(entry.details);
+  const agentDid = parseAgentDid(entry.details);
+  const severity = gateToCEFSeverity(decision, tier);
+  const signatureId = entry.operation.replace(/[^a-zA-Z0-9_-]/g, "_");
+  const description = `Sanctuary ${entry.operation}`;
+  const extensions = [
+    `src=${agentDid}`,
+    `act=${entry.operation}`,
+    `outcome=${decision}`,
+    `tier=${tier}`,
+    `cs1=${sessionId}`,
+    `cs1Label=SessionId`,
+    `rt=${new Date(entry.timestamp).getTime()}`,
+    `layer=${entry.layer}`,
+    `result=${entry.result}`
+  ];
+  return `CEF:${version}|${vendor}|${product}|${productVersion}|${signatureId}|${description}|${severity}|${extensions.join(" ")}`;
+}
+function gateToOCSFStatus(decision, result) {
+  return decision === "deny" || result === "failure" ? 2 : 1;
+}
+function gateToCOCSFSeverity(decision, tier) {
+  if (decision === "deny") {
+    return 4;
+  }
+  if (decision === "approve") {
+    if (tier === 1) return 3;
+    if (tier === 2) return 2;
+  }
+  return 1;
+}
+function gateToOCSFDisposition(decision) {
+  return decision === "deny" ? 2 : 1;
+}
+function formatAsOCSF(entry) {
+  const decision = parseGateDecision(entry.details);
+  const tier = parseTier(entry.details);
+  const agentDid = parseAgentDid(entry.details);
+  const timestamp = new Date(entry.timestamp).getTime();
+  const statusId = gateToOCSFStatus(decision, entry.result);
+  const severityId = gateToCOCSFSeverity(decision, tier);
+  const dispositionId = gateToOCSFDisposition(decision);
+  return {
+    class_uid: 3001,
+    class_name: "API Activity",
+    category_uid: 3,
+    category_name: "Application Activity",
+    severity_id: severityId,
+    time: timestamp,
+    activity_id: 1,
+    activity_name: "API Call",
+    actor: {
+      user: {
+        uid: agentDid
+      }
+    },
+    api: {
+      operation: entry.operation,
+      service: {
+        name: "sanctuary-mcp"
+      }
+    },
+    status_id: statusId,
+    disposition_id: dispositionId,
+    metadata: {
+      version: "1.3.0",
+      product: {
+        name: "Sanctuary Framework",
+        vendor_name: "Erik Newton",
+        version: "0.7.0"
+      }
+    }
+  };
+}
+
+// src/audit/siem-tools.ts
+function createSIEMTools(auditLog) {
+  const tools = [
+    {
+      name: "audit_export_siem",
+      description: "Export audit log events in SIEM-standard formats (CEF or OCSF) for ingestion into Splunk, Datadog, QRadar, and other security information and event management (SIEM) platforms. Encrypted audit entries are decrypted and formatted according to your chosen standard. Tier 2 \u2014 may contain sensitive operation metadata.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          format: {
+            type: "string",
+            enum: ["cef", "ocsf"],
+            description: 'Output format: "cef" (Common Event Format, newline-delimited) or "ocsf" (Open Cybersecurity Schema Framework, JSON array)'
+          },
+          since: {
+            type: "string",
+            description: "Optional ISO 8601 timestamp. Export only events on or after this time. Defaults to 24 hours ago."
+          },
+          until: {
+            type: "string",
+            description: "Optional ISO 8601 timestamp. Export only events before this time. Defaults to now."
+          },
+          limit: {
+            type: "number",
+            description: "Maximum number of events to export (default 100, max 1000). Set to 1000 for bulk exports to SIEMs."
+          },
+          filter_tool: {
+            type: "string",
+            description: 'Optional. Export only events from this tool name (e.g., "sovereignty_audit", "state_set"). Case-insensitive substring matching.'
+          },
+          filter_decision: {
+            type: "string",
+            enum: ["approve", "deny", "auto-allow"],
+            description: 'Optional. Export only events with this gate decision: "approve" (manual approval), "deny" (blocked), or "auto-allow" (Tier 3 auto-allowed).'
+          },
+          filter_layer: {
+            type: "string",
+            enum: ["l1", "l2", "l3", "l4"],
+            description: "Optional. Export only events from this sovereignty layer (L1=Cognitive, L2=Operational, L3=Disclosure, L4=Reputation)."
+          },
+          filter_result: {
+            type: "string",
+            enum: ["success", "failure"],
+            description: 'Optional. Export only events with this result: "success" or "failure".'
+          }
+        },
+        required: ["format"]
+      },
+      handler: async (args) => {
+        const format = String(args.format || "").toLowerCase();
+        if (format !== "cef" && format !== "ocsf") {
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify({
+                  error: "Invalid format. Must be 'cef' or 'ocsf'."
+                })
+              }
+            ]
+          };
+        }
+        let since;
+        if (args.since) {
+          since = String(args.since);
+          const sinceDate = new Date(since);
+          if (isNaN(sinceDate.getTime())) {
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({
+                    error: `Invalid 'since' timestamp: ${since}. Must be ISO 8601.`
+                  })
+                }
+              ]
+            };
+          }
+        } else {
+          const now = /* @__PURE__ */ new Date();
+          const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
+          since = oneDayAgo.toISOString();
+        }
+        let until;
+        if (args.until) {
+          until = String(args.until);
+          const untilDate = new Date(until);
+          if (isNaN(untilDate.getTime())) {
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({
+                    error: `Invalid 'until' timestamp: ${until}. Must be ISO 8601.`
+                  })
+                }
+              ]
+            };
+          }
+        }
+        let limit = 100;
+        if (typeof args.limit === "number") {
+          limit = Math.max(1, Math.min(1e3, args.limit));
+        }
+        const filterTool = args.filter_tool ? String(args.filter_tool).toLowerCase() : void 0;
+        const filterDecision = args.filter_decision ? String(args.filter_decision).toLowerCase() : void 0;
+        const filterLayer = args.filter_layer ? String(args.filter_layer).toLowerCase() : void 0;
+        const filterResult = args.filter_result ? String(args.filter_result).toLowerCase() : void 0;
+        const result = await auditLog.query({
+          since,
+          layer: filterLayer,
+          operation_type: void 0,
+          // Will filter after
+          limit
+        });
+        let filtered = result.entries;
+        if (filterTool) {
+          filtered = filtered.filter(
+            (e) => e.operation.toLowerCase().includes(filterTool)
+          );
+        }
+        if (filterDecision) {
+          filtered = filtered.filter((e) => {
+            const decision = String(e.details?.gate_decision || "auto-allow").toLowerCase();
+            return decision === filterDecision;
+          });
+        }
+        if (filterResult) {
+          filtered = filtered.filter((e) => e.result === filterResult);
+        }
+        if (until) {
+          const untilDate = new Date(until);
+          filtered = filtered.filter((e) => new Date(e.timestamp) < untilDate);
+        }
+        let output;
+        if (format === "cef") {
+          const cefLines = filtered.map((entry) => formatAsCEF(entry));
+          output = cefLines.join("\n");
+        } else {
+          const ocsfObjects = filtered.map((entry) => formatAsOCSF(entry));
+          output = JSON.stringify(ocsfObjects, null, 2);
+        }
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                format,
+                count: filtered.length,
+                total_available: result.total,
+                time_range: {
+                  since,
+                  until: until || (/* @__PURE__ */ new Date()).toISOString()
+                },
+                filters: {
+                  tool: filterTool,
+                  decision: filterDecision,
+                  layer: filterLayer,
+                  result: filterResult
+                },
+                note: format === "cef" ? `${filtered.length} CEF events (newline-delimited). Each line is a complete CEF event.` : `${filtered.length} OCSF objects in JSON array format.`
+              })
+            },
+            {
+              type: "text",
+              text: output
+            }
           ]
         };
       }
@@ -14161,13 +15856,17 @@ var ContextGateEnforcer = class {
    * Check if a tool should be filtered based on bypass prefixes.
    *
    * SEC-033: Uses exact namespace component matching, not bare startsWith().
-   * A prefix of "sanctuary/" matches "sanctuary/state_read" but NOT
-   * "sanctuary_evil/steal_data" (no slash boundary confusion). The prefix
-   * must match exactly up to its length, and the prefix must end with "/"
-   * to enforce namespace boundaries (if it doesn't, we add one for safety).
+   * A prefix of "proxy/" matches "proxy/server/tool" but NOT "proxyevil/steal".
+   * The prefix must match exactly up to its length, and the prefix must end
+   * with "/" to enforce namespace boundaries (if it doesn't, we add one).
+   *
+   * Special sentinel: "*" bypasses ALL tools (used when all Sanctuary-internal
+   * tools should skip context gating — the default). Only proxy/external tools
+   * should be filtered in production.
    */
   shouldFilter(toolName) {
     for (const prefix of this.config.bypass_prefixes) {
+      if (prefix === "*") return false;
       const safePrefix = prefix.endsWith("/") ? prefix : prefix + "/";
       if (toolName === safePrefix.slice(0, -1) || toolName.startsWith(safePrefix)) {
         return false;
@@ -14264,8 +15963,8 @@ function createContextGateTools(storage, masterKey, auditLog) {
   const enforcerConfig = {
     enabled: false,
     // Off by default; agents must explicitly enable it
-    bypass_prefixes: ["sanctuary/"],
-    // Skip internal tools by default
+    bypass_prefixes: ["*"],
+    // Skip all Sanctuary-internal tools; only proxy/ tools get filtered
     log_only: false,
     // Filter immediately
     on_deny: "block"
@@ -14275,7 +15974,7 @@ function createContextGateTools(storage, masterKey, auditLog) {
   const tools = [
     // ── Set Policy ──────────────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_set_policy",
+      name: "context_gate_set_policy",
       description: "Create a context-gating policy that controls what information flows to remote providers (LLM APIs, tool APIs, logging services). Each rule specifies a provider category and which context fields to allow, redact, hash, or flag for summarization. Redact rules take absolute priority \u2014 if a field is in both 'allow' and 'redact', it is redacted. Default action applies to any field not mentioned in any rule. Use this to prevent your full agent context from being sent to remote LLM providers during inference calls.",
       inputSchema: {
         type: "object",
@@ -14384,13 +16083,13 @@ function createContextGateTools(storage, masterKey, auditLog) {
           rules: policy.rules,
           default_action: policy.default_action,
           created_at: policy.created_at,
-          message: "Context-gating policy created. Use sanctuary/context_gate_filter to apply this policy before making outbound calls."
+          message: "Context-gating policy created. Use context_gate_filter to apply this policy before making outbound calls."
         });
       }
     },
     // ── Apply Template ───────────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_apply_template",
+      name: "context_gate_apply_template",
       description: "Apply a starter context-gating template. Available templates: inference-minimal (strictest \u2014 only task and query pass through), inference-standard (balanced \u2014 adds tool results, summarizes history), logging-strict (redacts all content for telemetry services), tool-api-scoped (allows tool parameters, redacts agent state). Templates are starting points \u2014 customize after applying.",
       inputSchema: {
         type: "object",
@@ -14439,13 +16138,13 @@ function createContextGateTools(storage, masterKey, auditLog) {
           rules: policy.rules,
           default_action: policy.default_action,
           created_at: policy.created_at,
-          message: "Template applied. Use sanctuary/context_gate_filter with this policy_id to filter context before outbound calls. Customize rules with sanctuary/context_gate_set_policy if needed."
+          message: "Template applied. Use context_gate_filter with this policy_id to filter context before outbound calls. Customize rules with context_gate_set_policy if needed."
         });
       }
     },
     // ── Recommend Policy ────────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_recommend",
+      name: "context_gate_recommend",
       description: "Analyze a sample context object and recommend a context-gating policy based on field name heuristics. Classifies each field as allow, redact, hash, or summarize with confidence levels. Returns a ready-to-apply rule set. When in doubt, recommends redact (conservative). Review the recommendations before applying.",
       inputSchema: {
         type: "object",
@@ -14482,7 +16181,7 @@ function createContextGateTools(storage, masterKey, auditLog) {
         });
         return toolResult({
           ...recommendation,
-          next_steps: "Review the classifications above. If they look correct, you can apply them directly with sanctuary/context_gate_set_policy using the recommended_rules. Or start with a template via sanctuary/context_gate_apply_template and customize from there.",
+          next_steps: "Review the classifications above. If they look correct, you can apply them directly with context_gate_set_policy using the recommended_rules. Or start with a template via context_gate_apply_template and customize from there.",
           available_templates: listTemplateIds().map((id) => {
             const t = TEMPLATES[id];
             return { id, name: t.name, description: t.description };
@@ -14492,7 +16191,7 @@ function createContextGateTools(storage, masterKey, auditLog) {
     },
     // ── Filter Context ──────────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_filter",
+      name: "context_gate_filter",
       description: "Filter agent context through a gating policy before sending to a remote provider. Returns per-field decisions (allow, redact, hash, summarize) and content hashes for the audit trail. Call this BEFORE making any outbound API call to ensure you are only sending the minimum necessary context. The filtered output tells you exactly what can be sent safely.",
       inputSchema: {
         type: "object",
@@ -14598,7 +16297,7 @@ function createContextGateTools(storage, masterKey, auditLog) {
     },
     // ── List Policies ───────────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_list_policies",
+      name: "context_gate_list_policies",
       description: "List all configured context-gating policies. Returns policy IDs, names, rule summaries, and default actions.",
       inputSchema: {
         type: "object",
@@ -14621,13 +16320,13 @@ function createContextGateTools(storage, masterKey, auditLog) {
             updated_at: p.updated_at
           })),
           count: policies.length,
-          message: policies.length === 0 ? "No context-gating policies configured. Use sanctuary/context_gate_set_policy to create one." : `${policies.length} context-gating ${policies.length === 1 ? "policy" : "policies"} configured.`
+          message: policies.length === 0 ? "No context-gating policies configured. Use context_gate_set_policy to create one." : `${policies.length} context-gating ${policies.length === 1 ? "policy" : "policies"} configured.`
         });
       }
     },
     // ── Enforcer Status ─────────────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_enforcer_status",
+      name: "context_gate_enforcer_status",
       description: "Get the status of the automatic context gate enforcer, including enabled/disabled state, log_only mode, active policy, and statistics. The enforcer automatically filters tool arguments when enabled. Use this to monitor what the enforcer has been filtering.",
       inputSchema: {
         type: "object",
@@ -14648,13 +16347,13 @@ function createContextGateTools(storage, masterKey, auditLog) {
         return toolResult({
           enforcer_status: status,
           description: "The enforcer is " + (status.enabled ? "enabled" : "disabled") + ". " + (status.log_only ? "Currently in log_only mode \u2014 filtering is logged but not applied." : "Filtering is actively applied to tool arguments."),
-          guidance: status.stats.calls_inspected > 0 ? `Over ${status.stats.calls_inspected} tool calls, ${status.stats.fields_redacted} sensitive fields were redacted. Use sanctuary/context_gate_enforcer_configure to adjust settings.` : "No tool calls have been inspected yet."
+          guidance: status.stats.calls_inspected > 0 ? `Over ${status.stats.calls_inspected} tool calls, ${status.stats.fields_redacted} sensitive fields were redacted. Use context_gate_enforcer_configure to adjust settings.` : "No tool calls have been inspected yet."
         });
       }
     },
     // ── Enforcer Configuration ──────────────────────────────────────────
     {
-      name: "sanctuary/context_gate_enforcer_configure",
+      name: "context_gate_enforcer_configure",
       description: "Configure the automatic context gate enforcer. Control whether it filters tool arguments, toggle log_only mode for gradual rollout, set the active policy, and choose what to do when denied fields are encountered (block the request or redact the field). Use this to enable automatic context protection.",
       inputSchema: {
         type: "object",
@@ -14980,7 +16679,7 @@ function assessL2Hardening(storagePath) {
 function createL2HardeningTools(storagePath, auditLog) {
   return [
     {
-      name: "sanctuary/l2_hardening_status",
+      name: "l2_hardening_status",
       description: "L2 Process Hardening Status \u2014 Verify software-based operational isolation. Reports memory protection, process isolation level, filesystem permissions, and overall hardening assessment. Read-only. Tier 3 \u2014 always allowed.",
       inputSchema: {
         type: "object",
@@ -15048,7 +16747,7 @@ function createL2HardeningTools(storagePath, auditLog) {
       }
     },
     {
-      name: "sanctuary/l2_verify_isolation",
+      name: "l2_verify_isolation",
       description: "Verify L2 process isolation at runtime. Checks whether the Sanctuary server is running in an isolated environment (container, VM, sandbox) and validates filesystem and memory protections. Reports isolation level and any issues. Read-only. Tier 3 \u2014 always allowed.",
       inputSchema: {
         type: "object",
@@ -15150,7 +16849,7 @@ function createSovereigntyProfileTools(profileStore, auditLog) {
   const tools = [
     // ── Get Profile ──────────────────────────────────────────────────
     {
-      name: "sanctuary/sovereignty_profile_get",
+      name: "sovereignty_profile_get",
       description: "Get the current Sovereignty Profile \u2014 shows which Sanctuary features are active (audit logging, injection detection, context gating, approval gates, ZK proofs) and their configuration.",
       inputSchema: {
         type: "object",
@@ -15169,7 +16868,7 @@ function createSovereigntyProfileTools(profileStore, auditLog) {
     },
     // ── Update Profile ───────────────────────────────────────────────
     {
-      name: "sanctuary/sovereignty_profile_update",
+      name: "sovereignty_profile_update",
       description: "Update the Sovereignty Profile feature toggles. This changes which Sanctuary protections are active. Requires human approval (Tier 1) because it modifies enforcement behavior. Pass only the features you want to change \u2014 unspecified features remain unchanged.",
       inputSchema: {
         type: "object",
@@ -15250,7 +16949,7 @@ function createSovereigntyProfileTools(profileStore, auditLog) {
     },
     // ── Generate System Prompt ───────────────────────────────────────
     {
-      name: "sanctuary/sovereignty_profile_generate_prompt",
+      name: "sovereignty_profile_generate_prompt",
       description: "Generate a system prompt snippet based on the active Sovereignty Profile. The snippet instructs an agent on which Sanctuary features are active and how to use them. Copy and paste this into your agent's system configuration.",
       inputSchema: {
         type: "object",
@@ -15645,6 +17344,7 @@ var ProxyRouter = class {
             confidence: injectionResult.confidence,
             latency_ms: Date.now() - start
           }, "failure");
+          this.notifyProxyCall(proxyName, serverName, "blocked", "injection_detected", tier);
           return toolResult({
             error: "Operation not permitted",
             proxy: true
@@ -15675,6 +17375,7 @@ var ProxyRouter = class {
               reason: govResult.reason,
               latency_ms: Date.now() - start
             }, "failure");
+            this.notifyProxyCall(proxyName, serverName, "blocked", govResult.reason, tier);
             return toolResult({
               error: "Operation not permitted",
               proxy: true,
@@ -15709,6 +17410,7 @@ var ProxyRouter = class {
           decision: "allowed",
           latency_ms: latencyMs
         });
+        this.notifyProxyCall(proxyName, serverName, "allowed", void 0, tier);
         return this.normalizeResponse(result);
       } catch (err) {
         const latencyMs = Date.now() - start;
@@ -15728,6 +17430,7 @@ var ProxyRouter = class {
           error: errorMessage,
           latency_ms: latencyMs
         }, "failure");
+        this.notifyProxyCall(proxyName, serverName, "error", errorMessage, tier);
         return {
           content: [{
             type: "text",
@@ -15742,6 +17445,24 @@ var ProxyRouter = class {
       }
     };
   }
+  /**
+   * Notify the onProxyCall callback if configured.
+   */
+  notifyProxyCall(tool, server, decision, reason, tier) {
+    if (this.options.onProxyCall) {
+      try {
+        this.options.onProxyCall({
+          tool,
+          server,
+          decision,
+          reason,
+          tier,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      } catch {
+      }
+    }
+  }
   /**
    * Call an upstream tool with a timeout.
    */
@@ -16015,7 +17736,7 @@ function createGovernorTools(governor, auditLog) {
   const tools = [
     // ── Governor Status ─────────────────────────────────────────────
     {
-      name: "sanctuary/governor_status",
+      name: "governor_status",
       description: "View the current Call Governor status including volume counters, per-tool rate counts, duplicate cache size, and lifetime counter. Use this to monitor tool call consumption, detect potential loops, and check how close you are to governance limits. The governor protects against runaway tool calls by enforcing volume limits, rate limits, duplicate detection, and a session lifetime cap.",
       inputSchema: {
         type: "object",
@@ -16055,7 +17776,7 @@ function createGovernorTools(governor, auditLog) {
     },
     // ── Governor Reset ──────────────────────────────────────────────
     {
-      name: "sanctuary/governor_reset",
+      name: "governor_reset",
       description: "Reset all Call Governor counters: volume window, per-tool rate windows, duplicate cache, and lifetime counter. This clears the hard stop if the lifetime limit was reached. This is a Tier 1 operation \u2014 requires human approval because it removes all runtime governance state and could allow previously blocked behavior to resume.",
       inputSchema: {
         type: "object",
@@ -16109,6 +17830,438 @@ function createGovernorTools(governor, auditLog) {
   return { tools };
 }
 
+// src/sanctuary-tools.ts
+init_router();
+init_identity();
+init_key_derivation();
+init_encoding();
+init_identity();
+init_generator();
+function validateVerascoreUrl(urlStr, configuredUrl) {
+  const allowed = /* @__PURE__ */ new Set([
+    "verascore.ai",
+    "www.verascore.ai",
+    "api.verascore.ai"
+  ]);
+  try {
+    allowed.add(new URL(configuredUrl).hostname);
+  } catch {
+  }
+  try {
+    const parsed = new URL(urlStr);
+    if (parsed.protocol !== "https:") {
+      return { ok: false, error: `Verascore URL must use HTTPS. Got: ${parsed.protocol}` };
+    }
+    if (!allowed.has(parsed.hostname)) {
+      return {
+        ok: false,
+        error: `Verascore URL must point to a known Verascore host (${[...allowed].join(", ")}). Got: ${parsed.hostname}`
+      };
+    }
+    return { ok: true };
+  } catch {
+    return { ok: false, error: `Invalid Verascore URL: ${urlStr}` };
+  }
+}
+function createSanctuaryTools(opts) {
+  const { config, identityManager, masterKey, auditLog, policy, keyProtection } = opts;
+  const identityEncKey = derivePurposeKey(masterKey, "identity-encryption");
+  const tools = [
+    // ─── sanctuary_bootstrap ───────────────────────────────────────────
+    {
+      name: "sanctuary_bootstrap",
+      description: "One-shot bootstrap for a new sovereign agent identity. Generates an Ed25519 keypair, stores the encrypted identity, constructs a Sovereignty Health Report (SHR), and publishes it to Verascore. Returns { did, profileUrl, tier } for the newly-minted agent.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          label: {
+            type: "string",
+            description: "Human-readable label for the new identity (default: 'sovereign-agent')"
+          },
+          verascore_url: {
+            type: "string",
+            description: "Verascore base URL. Defaults to server config / SANCTUARY_VERASCORE_URL."
+          },
+          publish: {
+            type: "boolean",
+            description: "Whether to publish the SHR to Verascore. Defaults to true."
+          }
+        }
+      },
+      handler: async (args) => {
+        const label = args.label || "sovereign-agent";
+        const publish = args.publish === void 0 ? true : Boolean(args.publish);
+        const verascoreUrl = args.verascore_url || config.verascore.url || "https://verascore.ai";
+        const { publicIdentity, storedIdentity } = createIdentity(
+          label,
+          identityEncKey,
+          keyProtection
+        );
+        await identityManager.save(storedIdentity);
+        auditLog.append("l1", "sanctuary_bootstrap:identity_create", publicIdentity.identity_id, {
+          label,
+          did: publicIdentity.did
+        });
+        const shr = generateSHR(publicIdentity.identity_id, {
+          config,
+          identityManager,
+          masterKey
+        });
+        if (typeof shr === "string") {
+          return toolResult({
+            error: `Identity created but SHR generation failed: ${shr}`,
+            did: publicIdentity.did,
+            identity_id: publicIdentity.identity_id
+          });
+        }
+        const agentSlug = publicIdentity.did.replace(/[^a-zA-Z0-9-]/g, "-").toLowerCase();
+        const profileUrl = `${verascoreUrl.replace(/\/$/, "")}/agent/${publicIdentity.did}`;
+        if (!publish || !config.verascore.auto_publish_to_verascore) {
+          auditLog.append("l4", "sanctuary_bootstrap", publicIdentity.identity_id, {
+            did: publicIdentity.did,
+            published: false
+          });
+          return toolResult({
+            did: publicIdentity.did,
+            identity_id: publicIdentity.identity_id,
+            profileUrl,
+            tier: "self-attested",
+            published: false
+          });
+        }
+        const urlCheck = validateVerascoreUrl(verascoreUrl, config.verascore.url);
+        if (!urlCheck.ok) {
+          return toolResult({
+            error: urlCheck.error,
+            did: publicIdentity.did,
+            identity_id: publicIdentity.identity_id
+          });
+        }
+        const publishData = {
+          sovereigntyLayers: shr.body.layers,
+          capabilities: shr.body.capabilities,
+          degradations: shr.body.degradations,
+          did: publicIdentity.did,
+          label
+        };
+        const payloadBytes = new TextEncoder().encode(JSON.stringify(publishData));
+        let signatureB64;
+        try {
+          const sigBytes = sign(
+            payloadBytes,
+            storedIdentity.encrypted_private_key,
+            identityEncKey
+          );
+          signatureB64 = toBase64url(sigBytes);
+        } catch (err) {
+          return toolResult({
+            error: "Failed to sign bootstrap payload",
+            details: err instanceof Error ? err.message : String(err),
+            did: publicIdentity.did
+          });
+        }
+        const body = {
+          agentId: agentSlug,
+          signature: signatureB64,
+          publicKey: publicIdentity.public_key,
+          type: "shr",
+          data: publishData
+        };
+        try {
+          const response = await fetch(`${verascoreUrl.replace(/\/$/, "")}/api/publish`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(body)
+          });
+          const result = await response.json().catch(() => ({}));
+          auditLog.append("l4", "sanctuary_bootstrap", publicIdentity.identity_id, {
+            did: publicIdentity.did,
+            verascore_url: verascoreUrl,
+            status: response.status,
+            published: response.ok
+          });
+          return toolResult({
+            did: publicIdentity.did,
+            identity_id: publicIdentity.identity_id,
+            profileUrl,
+            tier: "self-attested",
+            published: response.ok,
+            verascore_status: response.status,
+            verascore_response: result
+          });
+        } catch (err) {
+          auditLog.append("l4", "sanctuary_bootstrap", publicIdentity.identity_id, {
+            did: publicIdentity.did,
+            error: err instanceof Error ? err.message : String(err)
+          });
+          return toolResult({
+            did: publicIdentity.did,
+            identity_id: publicIdentity.identity_id,
+            profileUrl,
+            tier: "self-attested",
+            published: false,
+            warning: `Identity created but Verascore publish failed: ${err instanceof Error ? err.message : String(err)}`
+          });
+        }
+      }
+    },
+    // ─── sanctuary_policy_status ───────────────────────────────────────
+    {
+      name: "sanctuary_policy_status",
+      description: "Return a summary of the active Principal Policy: which operations require approval (Tier 1), which are subject to anomaly detection (Tier 2), and which auto-allow with audit (Tier 3).",
+      inputSchema: {
+        type: "object",
+        properties: {}
+      },
+      handler: async () => {
+        const tier1 = [...policy.tier1_always_approve].sort();
+        const tier3 = [...policy.tier3_always_allow].sort();
+        const tier2Config = policy.tier2_anomaly;
+        auditLog.append("l2", "sanctuary_policy_status", "system", {
+          tier1_count: tier1.length,
+          tier3_count: tier3.length
+        });
+        return toolResult({
+          tier1,
+          tier2: [],
+          tier3,
+          tier2_anomaly_config: tier2Config,
+          counts: {
+            tier1: tier1.length,
+            tier2: 0,
+            tier3: tier3.length
+          },
+          note: "Tier 2 is not a named list in Sanctuary \u2014 it is behavioral anomaly detection applied to all operations. See tier2_anomaly_config."
+        });
+      }
+    },
+    // ─── sanctuary_export_identity_bundle ──────────────────────────────
+    {
+      name: "sanctuary_export_identity_bundle",
+      description: "Export a signed, portable identity bundle: { publicKey, did, shr, attestations }. The bundle is signed with the identity's Ed25519 key so a recipient can verify authenticity against the public key. Private keys are never included.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          identity_id: {
+            type: "string",
+            description: "Identity to export (defaults to primary identity)."
+          },
+          attestations: {
+            type: "array",
+            items: { type: "object" },
+            description: "Optional list of attestation objects to include in the bundle."
+          }
+        }
+      },
+      handler: async (args) => {
+        const identityId = args.identity_id;
+        const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+        if (!identity) {
+          return toolResult({
+            error: "No identity found. Create one with identity_create first."
+          });
+        }
+        const shr = generateSHR(identity.identity_id, {
+          config,
+          identityManager,
+          masterKey
+        });
+        const attestations = args.attestations ?? [];
+        const body = {
+          format: "SANCTUARY_IDENTITY_BUNDLE_V1",
+          publicKey: identity.public_key,
+          did: identity.did,
+          identity_id: identity.identity_id,
+          label: identity.label,
+          key_type: identity.key_type,
+          shr: typeof shr === "string" ? null : shr,
+          attestations,
+          exported_at: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        const bodyBytes = new TextEncoder().encode(JSON.stringify(body));
+        let signatureB64;
+        try {
+          const sigBytes = sign(
+            bodyBytes,
+            identity.encrypted_private_key,
+            identityEncKey
+          );
+          signatureB64 = toBase64url(sigBytes);
+        } catch (err) {
+          return toolResult({
+            error: "Failed to sign identity bundle.",
+            details: err instanceof Error ? err.message : String(err)
+          });
+        }
+        auditLog.append("l1", "sanctuary_export_identity_bundle", identity.identity_id, {
+          did: identity.did,
+          attestation_count: attestations.length
+        });
+        return toolResult({
+          bundle: body,
+          signature: signatureB64,
+          signed_by: identity.did
+        });
+      }
+    },
+    // ─── sanctuary_link_to_human ───────────────────────────────────────
+    {
+      name: "sanctuary_link_to_human",
+      description: "Trigger a Verascore magic-link login flow so a human principal can authenticate and subsequently claim this agent's DID. The email is sent by Verascore to the supplied address. This tool only initiates the flow \u2014 it does not directly bind the DID.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          email: {
+            type: "string",
+            description: "Email address of the human to link this agent to."
+          },
+          verascore_url: {
+            type: "string",
+            description: "Verascore base URL. Defaults to server config."
+          }
+        },
+        required: ["email"]
+      },
+      handler: async (args) => {
+        const email = args.email;
+        const verascoreUrl = args.verascore_url || config.verascore.url || "https://verascore.ai";
+        const urlCheck = validateVerascoreUrl(verascoreUrl, config.verascore.url);
+        if (!urlCheck.ok) {
+          return toolResult({ ok: false, error: urlCheck.error });
+        }
+        if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
+          return toolResult({ ok: false, error: "Invalid email format." });
+        }
+        try {
+          const response = await fetch(`${verascoreUrl.replace(/\/$/, "")}/api/auth/request`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ email })
+          });
+          await response.json().catch(() => ({}));
+          auditLog.append("l4", "sanctuary_link_to_human", "system", {
+            verascore_url: verascoreUrl,
+            status: response.status,
+            // Do not log the email to the audit trail — keep it local.
+            email_domain: email.split("@")[1] ?? null
+          });
+          return toolResult({
+            ok: response.ok,
+            message: "Check your email for a login link. After logging in, visit verascore.ai to claim this agent's DID.",
+            email_redacted: `***@${email.split("@")[1] ?? "***"}`,
+            verascore_status: response.status
+          });
+        } catch (err) {
+          return toolResult({
+            ok: false,
+            error: `Failed to reach Verascore at ${verascoreUrl}: ${err instanceof Error ? err.message : String(err)}`
+          });
+        }
+      }
+    },
+    // ─── sanctuary_sign_challenge ──────────────────────────────────────
+    {
+      name: "sanctuary_sign_challenge",
+      description: "Sign a domain-separated nonce with the agent's Ed25519 key. Used in DID-ownership proof flows. The signed message is constructed as: 'sanctuary-sign-challenge-v1\\x00' + purpose + '\\x00' + nonce. The verifier MUST reconstruct the same domain-prefixed message before calling Ed25519 verify \u2014 a raw-nonce signature is NOT valid for this tool. The `purpose` field binds the signature to a specific use case (e.g. 'verascore-claim') so a signature produced for one purpose cannot be replayed against a different verifier.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          nonce: {
+            type: "string",
+            description: "The nonce / challenge string to sign."
+          },
+          purpose: {
+            type: "string",
+            description: "Domain-separation tag identifying what the signature will be used for (e.g. 'verascore-claim'). Required. Max 128 chars, printable ASCII only."
+          },
+          identity_id: {
+            type: "string",
+            description: "Identity to sign with (defaults to primary)."
+          }
+        },
+        required: ["nonce", "purpose"]
+      },
+      handler: async (args) => {
+        const nonce = args.nonce;
+        const purpose = args.purpose;
+        if (!nonce || nonce.length === 0) {
+          return toolResult({ error: "nonce must be a non-empty string." });
+        }
+        if (nonce.length > 4096) {
+          return toolResult({ error: "nonce exceeds maximum length (4096)." });
+        }
+        if (typeof purpose !== "string" || purpose.length === 0) {
+          return toolResult({
+            error: "purpose is required (domain-separation tag, e.g. 'verascore-claim')."
+          });
+        }
+        if (purpose.length > 128) {
+          return toolResult({ error: "purpose exceeds maximum length (128)." });
+        }
+        if (!/^[\x20-\x7E]+$/.test(purpose)) {
+          return toolResult({
+            error: "purpose must be printable ASCII only (no NUL, no non-ASCII)."
+          });
+        }
+        const identityId = args.identity_id;
+        const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+        if (!identity) {
+          return toolResult({
+            error: "No identity found. Create one with identity_create first."
+          });
+        }
+        const domainTag = "sanctuary-sign-challenge-v1";
+        const enc = new TextEncoder();
+        const tagBytes = enc.encode(domainTag);
+        const purposeBytes = enc.encode(purpose);
+        const nonceBytes = enc.encode(nonce);
+        const sep = new Uint8Array([0]);
+        const message = new Uint8Array(
+          tagBytes.length + 1 + purposeBytes.length + 1 + nonceBytes.length
+        );
+        let offset = 0;
+        message.set(tagBytes, offset);
+        offset += tagBytes.length;
+        message.set(sep, offset);
+        offset += 1;
+        message.set(purposeBytes, offset);
+        offset += purposeBytes.length;
+        message.set(sep, offset);
+        offset += 1;
+        message.set(nonceBytes, offset);
+        let sigB64;
+        try {
+          const sig = sign(
+            message,
+            identity.encrypted_private_key,
+            identityEncKey
+          );
+          sigB64 = toBase64url(sig);
+        } catch (err) {
+          return toolResult({
+            error: "Failed to sign nonce.",
+            details: err instanceof Error ? err.message : String(err)
+          });
+        }
+        auditLog.append("l1", "sanctuary_sign_challenge", identity.identity_id, {
+          did: identity.did,
+          nonce_len: nonce.length,
+          purpose
+        });
+        return toolResult({
+          signature: sigB64,
+          did: identity.did,
+          public_key: identity.public_key,
+          signed_by: identity.did,
+          domain_tag: domainTag,
+          purpose
+        });
+      }
+    }
+  ];
+  return { tools };
+}
+
 // src/index.ts
 init_key_derivation();
 init_random();
@@ -16242,7 +18395,7 @@ async function createSanctuaryServer(options) {
   }
   const l2Tools = [
     {
-      name: "sanctuary/exec_attest",
+      name: "exec_attest",
       description: "Generate an attestation of the current execution environment, including sovereignty assessment and degradation report.",
       inputSchema: {
         type: "object",
@@ -16293,7 +18446,7 @@ async function createSanctuaryServer(options) {
       }
     },
     {
-      name: "sanctuary/monitor_health",
+      name: "monitor_health",
       description: "Sanctuary Health Report (SHR) \u2014 standardized sovereignty status.",
       inputSchema: { type: "object", properties: {} },
       handler: async () => {
@@ -16342,7 +18495,7 @@ async function createSanctuaryServer(options) {
       }
     },
     {
-      name: "sanctuary/monitor_audit_log",
+      name: "monitor_audit_log",
       description: "Query the sovereignty audit log.",
       inputSchema: {
         type: "object",
@@ -16368,7 +18521,7 @@ async function createSanctuaryServer(options) {
     }
   ];
   const manifestTool = {
-    name: "sanctuary/manifest",
+    name: "manifest",
     description: "Generate the Sanctuary Interface Manifest (SIM) \u2014 a machine-readable declaration of this server's capabilities.",
     inputSchema: { type: "object", properties: {} },
     handler: async () => {
@@ -16454,14 +18607,19 @@ async function createSanctuaryServer(options) {
     config,
     identityManager,
     masterKey,
-    auditLog
+    auditLog,
+    {
+      autoPublishHandshakes: config.verascore.auto_publish_handshakes,
+      verascoreUrl: config.verascore.url
+    }
   );
   const { tools: l4Tools} = createL4Tools(
     storage,
     masterKey,
     identityManager,
     auditLog,
-    handshakeResults
+    handshakeResults,
+    config.verascore.url
   );
   const { tools: federationTools } = createFederationTools(
     auditLog,
@@ -16475,6 +18633,7 @@ async function createSanctuaryServer(options) {
     handshakeResults
   );
   const { tools: auditTools } = createAuditTools(config);
+  const { tools: siemTools } = createSIEMTools(auditLog);
   const { tools: contextGateTools, enforcer: contextGateEnforcer } = createContextGateTools(storage, masterKey, auditLog);
   const hardeningTools = createL2HardeningTools(config.storage_path, auditLog);
   const profileStore = new SovereigntyProfileStore(storage, masterKey);
@@ -16546,10 +18705,18 @@ async function createSanctuaryServer(options) {
   } : void 0;
   const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog, injectionDetector, onInjectionAlert);
   const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);
+  const { tools: sanctuaryMetaTools } = createSanctuaryTools({
+    config,
+    identityManager,
+    masterKey,
+    auditLog,
+    policy,
+    keyProtection
+  });
   const dashboardTools = [];
   if (dashboard) {
     dashboardTools.push({
-      name: "sanctuary/dashboard_open",
+      name: "dashboard_open",
       description: "Generate a one-click URL to open the Principal Dashboard in a browser. Returns a pre-authenticated link \u2014 no manual token entry needed.",
       inputSchema: {
         type: "object",
@@ -16583,10 +18750,12 @@ async function createSanctuaryServer(options) {
     ...federationTools,
     ...bridgeTools,
     ...auditTools,
+    ...siemTools,
     ...contextGateTools,
     ...hardeningTools,
     ...profileTools,
     ...dashboardTools,
+    ...sanctuaryMetaTools,
     manifestTool
   ];
   let clientManager;
@@ -16628,7 +18797,12 @@ async function createSanctuaryServer(options) {
             }
             return args;
           },
-          governor
+          governor,
+          onProxyCall: (data) => {
+            if (dashboard) {
+              dashboard.broadcastProxyCall(data);
+            }
+          }
         }
       );
       clientManager.configure(enabledServers).catch((err) => {
@@ -16646,6 +18820,7 @@ async function createSanctuaryServer(options) {
           auditLog,
           clientManager
         });
+        dashboard.enableFortressView(enabledServers.length);
       }
     }
   }
@@ -16765,6 +18940,12 @@ async function main() {
     await runStandaloneDashboard(args.slice(1));
     return;
   }
+  if (args[0] === "cocoon") {
+    const { parseCocoonArgs: parseCocoonArgs2, runCocoon: runCocoon2 } = await Promise.resolve().then(() => (init_cli(), cli_exports));
+    const cocoonOpts = parseCocoonArgs2(args.slice(1));
+    await runCocoon2(cocoonOpts);
+    return;
+  }
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--dashboard") {
       process.env.SANCTUARY_DASHBOARD_ENABLED = "true";
@@ -16832,6 +19013,7 @@ Sovereignty infrastructure for agents in the agentic economy.
 Usage:
   sanctuary-mcp-server [options]          # MCP server (stdio)
   sanctuary-mcp-server dashboard [opts]   # Standalone dashboard
+  sanctuary-mcp-server cocoon [opts]      # Wrap agent in Cocoon protection
 
 Options:
   --dashboard          Enable the Principal Dashboard (web UI)
@@ -16844,6 +19026,10 @@ Subcommands:
                        Reads from the same storage as the MCP server.
                        Use "sanctuary-mcp-server dashboard --help" for options.
 
+  cocoon               Wrap an existing agent in Sanctuary's enforcement chain.
+                       One command to protect any MCP-compatible agent.
+                       Use "sanctuary-mcp-server cocoon --help" for options.
+
 Environment variables:
   SANCTUARY_STORAGE_PATH            State directory (default: ~/.sanctuary)
   SANCTUARY_PASSPHRASE              Key derivation passphrase