@sanctuary-framework/mcp-server 0.5.6 → 0.5.8

package/dist/cli.js

@@ -7,6 +7,7 @@ import { randomBytes as randomBytes$1, createHmac } from 'crypto';
 import { gcm } from '@noble/ciphers/aes.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
+import { RistrettoPoint, ed25519 } from '@noble/curves/ed25519';
 import { argon2id } from 'hash-wasm';
 import { hkdf } from '@noble/hashes/hkdf';
 import { createServer as createServer$1 } from 'http';
@@ -14,7 +15,6 @@ import { get, createServer as createServer$2 } from 'https';
 import { statSync, readFileSync } from 'fs';
 import { execSync, exec } from 'child_process';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { RistrettoPoint, ed25519 } from '@noble/curves/ed25519';
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 
@@ -557,6 +557,111 @@ var init_hashing = __esm({
     init_encoding();
   }
 });
+function generateKeypair() {
+  const privateKey = randomBytes(32);
+  const publicKey = ed25519.getPublicKey(privateKey);
+  return { publicKey, privateKey };
+}
+function publicKeyToDid(publicKey) {
+  const multicodec = new Uint8Array([237, 1, ...publicKey]);
+  return `did:key:z${toBase64url(multicodec)}`;
+}
+function generateIdentityId(publicKey) {
+  const keyHash = hash(publicKey);
+  return Array.from(keyHash.slice(0, 16)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function createIdentity(label, encryptionKey, keyProtection) {
+  const { publicKey, privateKey } = generateKeypair();
+  const identityId = generateIdentityId(publicKey);
+  const did = publicKeyToDid(publicKey);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const encryptedPrivateKey = encrypt(privateKey, encryptionKey);
+  privateKey.fill(0);
+  const publicIdentity = {
+    identity_id: identityId,
+    label,
+    public_key: toBase64url(publicKey),
+    did,
+    created_at: now,
+    key_type: "ed25519",
+    key_protection: keyProtection
+  };
+  const storedIdentity = {
+    ...publicIdentity,
+    encrypted_private_key: encryptedPrivateKey,
+    rotation_history: []
+  };
+  return { publicIdentity, storedIdentity };
+}
+function sign(payload, encryptedPrivateKey, encryptionKey) {
+  const privateKey = decrypt(encryptedPrivateKey, encryptionKey);
+  try {
+    return ed25519.sign(payload, privateKey);
+  } finally {
+    privateKey.fill(0);
+  }
+}
+function verify(payload, signature, publicKey) {
+  try {
+    return ed25519.verify(signature, payload, publicKey);
+  } catch {
+    return false;
+  }
+}
+function rotateKeys(storedIdentity, encryptionKey, reason) {
+  const { publicKey: newPublicKey, privateKey: newPrivateKey } = generateKeypair();
+  const newIdentityDid = publicKeyToDid(newPublicKey);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const eventData = JSON.stringify({
+    old_public_key: storedIdentity.public_key,
+    new_public_key: toBase64url(newPublicKey),
+    identity_id: storedIdentity.identity_id,
+    reason,
+    rotated_at: now
+  });
+  const eventBytes = new TextEncoder().encode(eventData);
+  const signature = sign(
+    eventBytes,
+    storedIdentity.encrypted_private_key,
+    encryptionKey
+  );
+  const rotationEvent = {
+    old_public_key: storedIdentity.public_key,
+    new_public_key: toBase64url(newPublicKey),
+    identity_id: storedIdentity.identity_id,
+    reason,
+    rotated_at: now,
+    signature: toBase64url(signature)
+  };
+  const encryptedNewPrivateKey = encrypt(newPrivateKey, encryptionKey);
+  newPrivateKey.fill(0);
+  const updatedIdentity = {
+    ...storedIdentity,
+    public_key: toBase64url(newPublicKey),
+    did: newIdentityDid,
+    encrypted_private_key: encryptedNewPrivateKey,
+    rotation_history: [
+      ...storedIdentity.rotation_history,
+      {
+        old_public_key: storedIdentity.public_key,
+        new_public_key: toBase64url(newPublicKey),
+        rotation_event: toBase64url(
+          new TextEncoder().encode(JSON.stringify(rotationEvent))
+        ),
+        rotated_at: now
+      }
+    ]
+  };
+  return { updatedIdentity, rotationEvent };
+}
+var init_identity = __esm({
+  "src/core/identity.ts"() {
+    init_encoding();
+    init_encryption();
+    init_hashing();
+    init_random();
+  }
+});
 async function deriveMasterKey(passphrase, existingParams) {
   const salt = existingParams ? fromBase64url(existingParams.salt) : generateSalt();
   const params = existingParams ?? {
@@ -1161,6 +1266,120 @@ var init_baseline = __esm({
   }
 });
 
+// src/shr/types.ts
+function deepSortKeys(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(deepSortKeys);
+  const sorted = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = deepSortKeys(obj[key]);
+  }
+  return sorted;
+}
+function canonicalizeForSigning(body) {
+  return JSON.stringify(deepSortKeys(body));
+}
+var init_types = __esm({
+  "src/shr/types.ts"() {
+  }
+});
+
+// src/shr/generator.ts
+function generateSHR(identityId, opts) {
+  const { config, identityManager, masterKey, validityMs } = opts;
+  const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+  if (!identity) {
+    return "No identity available for signing. Create an identity first.";
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));
+  const degradations = [];
+  if (config.execution.environment === "local-process") {
+    degradations.push({
+      layer: "l2",
+      code: "PROCESS_ISOLATION_ONLY",
+      severity: "warning",
+      description: "Process-level isolation only (no TEE)",
+      mitigation: "TEE support planned for a future release"
+    });
+    degradations.push({
+      layer: "l2",
+      code: "SELF_REPORTED_ATTESTATION",
+      severity: "warning",
+      description: "Attestation is self-reported (no hardware root of trust)",
+      mitigation: "TEE attestation planned for a future release"
+    });
+  }
+  const body = {
+    shr_version: "1.0",
+    implementation: {
+      sanctuary_version: config.version,
+      node_version: process.versions.node,
+      generated_by: "sanctuary-mcp-server"
+    },
+    instance_id: identity.identity_id,
+    generated_at: now.toISOString(),
+    expires_at: expiresAt.toISOString(),
+    layers: {
+      l1: {
+        status: "active",
+        encryption: config.state.encryption,
+        key_custody: "self",
+        integrity: config.state.integrity,
+        identity_type: config.state.identity_provider,
+        state_portable: true
+      },
+      l2: {
+        status: config.execution.environment === "local-process" ? "degraded" : "active",
+        isolation_type: config.execution.environment,
+        attestation_available: config.execution.attestation
+      },
+      l3: {
+        status: "active",
+        proof_system: config.disclosure.proof_system,
+        selective_disclosure: true
+      },
+      l4: {
+        status: "active",
+        reputation_mode: config.reputation.mode,
+        attestation_format: config.reputation.attestation_format,
+        reputation_portable: true
+      }
+    },
+    capabilities: {
+      handshake: true,
+      shr_exchange: true,
+      reputation_verify: true,
+      encrypted_channel: false
+      // Not yet implemented
+    },
+    degradations
+  };
+  const canonical = canonicalizeForSigning(body);
+  const payload = stringToBytes(canonical);
+  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const signatureBytes = sign(
+    payload,
+    identity.encrypted_private_key,
+    encryptionKey
+  );
+  return {
+    body,
+    signed_by: identity.public_key,
+    signature: toBase64url(signatureBytes)
+  };
+}
+var DEFAULT_VALIDITY_MS;
+var init_generator = __esm({
+  "src/shr/generator.ts"() {
+    init_types();
+    init_identity();
+    init_encoding();
+    init_key_derivation();
+    DEFAULT_VALIDITY_MS = 60 * 60 * 1e3;
+  }
+});
+
 // src/principal-policy/dashboard-html.ts
 function generateLoginHTML(options) {
   return `<!DOCTYPE html>
@@ -1168,7 +1387,7 @@ function generateLoginHTML(options) {
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Sanctuary Dashboard</title>
+  <title>Sanctuary \u2014 Principal Dashboard</title>
   <style>
     :root {
       --bg: #0d1117;
@@ -1339,7 +1558,7 @@ function generateLoginHTML(options) {
 
       <form id="login-form">
         <div class="form-group">
-          <label for="auth-token">Bearer Token</label>
+          <label for="auth-token">Auth Token</label>
           <input
             type="text"
             id="auth-token"
@@ -1424,7 +1643,7 @@ function generateDashboardHTML(options) {
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Sanctuary Dashboard</title>
+  <title>Sanctuary \u2014 Principal Dashboard</title>
   <style>
     :root {
       --bg: #0d1117;
@@ -3075,6 +3294,7 @@ var SESSION_TTL_REMOTE_MS, SESSION_TTL_LOCAL_MS, MAX_SESSIONS, RATE_LIMIT_WINDOW
 var init_dashboard = __esm({
   "src/principal-policy/dashboard.ts"() {
     init_config();
+    init_generator();
     init_dashboard_html();
     SESSION_TTL_REMOTE_MS = 5 * 60 * 1e3;
     SESSION_TTL_LOCAL_MS = 24 * 60 * 60 * 1e3;
@@ -3091,6 +3311,10 @@ var init_dashboard = __esm({
       policy = null;
       baseline = null;
       auditLog = null;
+      identityManager = null;
+      handshakeResults = null;
+      shrOpts = null;
+      _sanctuaryConfig = null;
       dashboardHTML;
       loginHTML;
       authToken;
@@ -3124,6 +3348,10 @@ var init_dashboard = __esm({
         this.policy = deps.policy;
         this.baseline = deps.baseline;
         this.auditLog = deps.auditLog;
+        if (deps.identityManager) this.identityManager = deps.identityManager;
+        if (deps.handshakeResults) this.handshakeResults = deps.handshakeResults;
+        if (deps.shrOpts) this.shrOpts = deps.shrOpts;
+        if (deps.sanctuaryConfig) this._sanctuaryConfig = deps.sanctuaryConfig;
       }
       /**
        * Start the HTTP(S) server for the dashboard.
@@ -3456,6 +3684,14 @@ var init_dashboard = __esm({
             this.handlePendingList(res);
           } else if (method === "GET" && url.pathname === "/api/audit-log") {
             this.handleAuditLog(url, res);
+          } else if (method === "GET" && url.pathname === "/api/sovereignty") {
+            this.handleSovereignty(res);
+          } else if (method === "GET" && url.pathname === "/api/identity") {
+            this.handleIdentity(res);
+          } else if (method === "GET" && url.pathname === "/api/handshakes") {
+            this.handleHandshakes(res);
+          } else if (method === "GET" && url.pathname === "/api/shr") {
+            this.handleSHR(res);
           } else if (method === "POST" && url.pathname.startsWith("/api/approve/")) {
             if (!this.checkRateLimit(req, res, "decisions")) return;
             const id = url.pathname.slice("/api/approve/".length);
@@ -3645,6 +3881,107 @@ data: ${JSON.stringify(initData)}
         res.writeHead(200, { "Content-Type": "application/json" });
         res.end(JSON.stringify({ success: true, decision }));
       }
+      // ── Sovereignty Data Routes ─────────────────────────────────────────
+      handleSovereignty(res) {
+        if (!this.shrOpts) {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "SHR generator not available" }));
+          return;
+        }
+        const shr = generateSHR(void 0, this.shrOpts);
+        if (typeof shr === "string") {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: shr }));
+          return;
+        }
+        const layers = shr.body.layers;
+        let score = 0;
+        for (const layer of [layers.l1, layers.l2, layers.l3, layers.l4]) {
+          if (layer.status === "active") score += 25;
+          else if (layer.status === "degraded") score += 15;
+        }
+        const overallLevel = score === 100 ? "full" : score >= 65 ? "degraded" : score >= 25 ? "minimal" : "unverified";
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          score,
+          overall_level: overallLevel,
+          layers: {
+            l1: { status: layers.l1.status, detail: layers.l1.encryption, key_custody: layers.l1.key_custody },
+            l2: { status: layers.l2.status, detail: layers.l2.isolation_type, attestation: layers.l2.attestation_available },
+            l3: { status: layers.l3.status, detail: layers.l3.proof_system, selective_disclosure: layers.l3.selective_disclosure },
+            l4: { status: layers.l4.status, detail: layers.l4.attestation_format, reputation_portable: layers.l4.reputation_portable }
+          },
+          degradations: shr.body.degradations,
+          capabilities: shr.body.capabilities,
+          config_loaded: this._sanctuaryConfig != null
+        }));
+      }
+      handleIdentity(res) {
+        if (!this.identityManager) {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ identities: [], count: 0 }));
+          return;
+        }
+        const identities = this.identityManager.list().map((id) => ({
+          identity_id: id.identity_id,
+          label: id.label,
+          public_key: id.public_key,
+          did: id.did,
+          created_at: id.created_at,
+          key_type: id.key_type,
+          key_protection: id.key_protection,
+          rotation_count: id.rotation_history?.length ?? 0
+        }));
+        const primary = this.identityManager.getDefault();
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          identities,
+          count: identities.length,
+          primary_id: primary?.identity_id ?? null
+        }));
+      }
+      handleHandshakes(res) {
+        if (!this.handshakeResults) {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ handshakes: [], count: 0 }));
+          return;
+        }
+        const handshakes = Array.from(this.handshakeResults.values()).map((h) => ({
+          counterparty_id: h.counterparty_id,
+          verified: h.verified,
+          sovereignty_level: h.sovereignty_level,
+          trust_tier: h.trust_tier,
+          completed_at: h.completed_at,
+          expires_at: h.expires_at,
+          errors: h.errors
+        }));
+        handshakes.sort((a, b) => new Date(b.completed_at).getTime() - new Date(a.completed_at).getTime());
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          handshakes,
+          count: handshakes.length,
+          tier_distribution: {
+            verified_sovereign: handshakes.filter((h) => h.trust_tier === "verified-sovereign").length,
+            verified_degraded: handshakes.filter((h) => h.trust_tier === "verified-degraded").length,
+            unverified: handshakes.filter((h) => h.trust_tier === "unverified").length
+          }
+        }));
+      }
+      handleSHR(res) {
+        if (!this.shrOpts) {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "SHR generator not available" }));
+          return;
+        }
+        const shr = generateSHR(void 0, this.shrOpts);
+        if (typeof shr === "string") {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: shr }));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(shr));
+      }
       // ── SSE Broadcasting ────────────────────────────────────────────────
       broadcastSSE(event, data) {
         const message = `event: ${event}
@@ -3886,111 +4223,7 @@ init_filesystem();
 // src/l1-cognitive/state-store.ts
 init_encryption();
 init_hashing();
-
-// src/core/identity.ts
-init_encoding();
-init_encryption();
-init_hashing();
-init_random();
-function generateKeypair() {
-  const privateKey = randomBytes(32);
-  const publicKey = ed25519.getPublicKey(privateKey);
-  return { publicKey, privateKey };
-}
-function publicKeyToDid(publicKey) {
-  const multicodec = new Uint8Array([237, 1, ...publicKey]);
-  return `did:key:z${toBase64url(multicodec)}`;
-}
-function generateIdentityId(publicKey) {
-  const keyHash = hash(publicKey);
-  return Array.from(keyHash.slice(0, 16)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function createIdentity(label, encryptionKey, keyProtection) {
-  const { publicKey, privateKey } = generateKeypair();
-  const identityId = generateIdentityId(publicKey);
-  const did = publicKeyToDid(publicKey);
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const encryptedPrivateKey = encrypt(privateKey, encryptionKey);
-  privateKey.fill(0);
-  const publicIdentity = {
-    identity_id: identityId,
-    label,
-    public_key: toBase64url(publicKey),
-    did,
-    created_at: now,
-    key_type: "ed25519",
-    key_protection: keyProtection
-  };
-  const storedIdentity = {
-    ...publicIdentity,
-    encrypted_private_key: encryptedPrivateKey,
-    rotation_history: []
-  };
-  return { publicIdentity, storedIdentity };
-}
-function sign(payload, encryptedPrivateKey, encryptionKey) {
-  const privateKey = decrypt(encryptedPrivateKey, encryptionKey);
-  try {
-    return ed25519.sign(payload, privateKey);
-  } finally {
-    privateKey.fill(0);
-  }
-}
-function verify(payload, signature, publicKey) {
-  try {
-    return ed25519.verify(signature, payload, publicKey);
-  } catch {
-    return false;
-  }
-}
-function rotateKeys(storedIdentity, encryptionKey, reason) {
-  const { publicKey: newPublicKey, privateKey: newPrivateKey } = generateKeypair();
-  const newIdentityDid = publicKeyToDid(newPublicKey);
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const eventData = JSON.stringify({
-    old_public_key: storedIdentity.public_key,
-    new_public_key: toBase64url(newPublicKey),
-    identity_id: storedIdentity.identity_id,
-    reason,
-    rotated_at: now
-  });
-  const eventBytes = new TextEncoder().encode(eventData);
-  const signature = sign(
-    eventBytes,
-    storedIdentity.encrypted_private_key,
-    encryptionKey
-  );
-  const rotationEvent = {
-    old_public_key: storedIdentity.public_key,
-    new_public_key: toBase64url(newPublicKey),
-    identity_id: storedIdentity.identity_id,
-    reason,
-    rotated_at: now,
-    signature: toBase64url(signature)
-  };
-  const encryptedNewPrivateKey = encrypt(newPrivateKey, encryptionKey);
-  newPrivateKey.fill(0);
-  const updatedIdentity = {
-    ...storedIdentity,
-    public_key: toBase64url(newPublicKey),
-    did: newIdentityDid,
-    encrypted_private_key: encryptedNewPrivateKey,
-    rotation_history: [
-      ...storedIdentity.rotation_history,
-      {
-        old_public_key: storedIdentity.public_key,
-        new_public_key: toBase64url(newPublicKey),
-        rotation_event: toBase64url(
-          new TextEncoder().encode(JSON.stringify(rotationEvent))
-        ),
-        rotated_at: now
-      }
-    ]
-  };
-  return { updatedIdentity, rotationEvent };
-}
-
-// src/l1-cognitive/state-store.ts
+init_identity();
 init_key_derivation();
 init_encoding();
 var RESERVED_NAMESPACE_PREFIXES = [
@@ -4530,6 +4763,7 @@ function toolResult(data) {
 }
 
 // src/l1-cognitive/tools.ts
+init_identity();
 init_key_derivation();
 init_encoding();
 init_encryption();
@@ -5939,6 +6173,7 @@ init_encryption();
 init_key_derivation();
 init_encoding();
 init_random();
+init_identity();
 function computeMedian(values) {
   if (values.length === 0) return 0;
   const sorted = [...values].sort((a, b) => a - b);
@@ -7911,110 +8146,12 @@ function createPrincipalPolicyTools(policy, baseline, auditLog) {
   ];
 }
 
-// src/shr/types.ts
-function deepSortKeys(obj) {
-  if (obj === null || typeof obj !== "object") return obj;
-  if (Array.isArray(obj)) return obj.map(deepSortKeys);
-  const sorted = {};
-  for (const key of Object.keys(obj).sort()) {
-    sorted[key] = deepSortKeys(obj[key]);
-  }
-  return sorted;
-}
-function canonicalizeForSigning(body) {
-  return JSON.stringify(deepSortKeys(body));
-}
-
-// src/shr/generator.ts
-init_encoding();
-init_key_derivation();
-var DEFAULT_VALIDITY_MS = 60 * 60 * 1e3;
-function generateSHR(identityId, opts) {
-  const { config, identityManager, masterKey, validityMs } = opts;
-  const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
-  if (!identity) {
-    return "No identity available for signing. Create an identity first.";
-  }
-  const now = /* @__PURE__ */ new Date();
-  const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));
-  const degradations = [];
-  if (config.execution.environment === "local-process") {
-    degradations.push({
-      layer: "l2",
-      code: "PROCESS_ISOLATION_ONLY",
-      severity: "warning",
-      description: "Process-level isolation only (no TEE)",
-      mitigation: "TEE support planned for a future release"
-    });
-    degradations.push({
-      layer: "l2",
-      code: "SELF_REPORTED_ATTESTATION",
-      severity: "warning",
-      description: "Attestation is self-reported (no hardware root of trust)",
-      mitigation: "TEE attestation planned for a future release"
-    });
-  }
-  const body = {
-    shr_version: "1.0",
-    implementation: {
-      sanctuary_version: config.version,
-      node_version: process.versions.node,
-      generated_by: "sanctuary-mcp-server"
-    },
-    instance_id: identity.identity_id,
-    generated_at: now.toISOString(),
-    expires_at: expiresAt.toISOString(),
-    layers: {
-      l1: {
-        status: "active",
-        encryption: config.state.encryption,
-        key_custody: "self",
-        integrity: config.state.integrity,
-        identity_type: config.state.identity_provider,
-        state_portable: true
-      },
-      l2: {
-        status: config.execution.environment === "local-process" ? "degraded" : "active",
-        isolation_type: config.execution.environment,
-        attestation_available: config.execution.attestation
-      },
-      l3: {
-        status: "active",
-        proof_system: config.disclosure.proof_system,
-        selective_disclosure: true
-      },
-      l4: {
-        status: "active",
-        reputation_mode: config.reputation.mode,
-        attestation_format: config.reputation.attestation_format,
-        reputation_portable: true
-      }
-    },
-    capabilities: {
-      handshake: true,
-      shr_exchange: true,
-      reputation_verify: true,
-      encrypted_channel: false
-      // Not yet implemented
-    },
-    degradations
-  };
-  const canonical = canonicalizeForSigning(body);
-  const payload = stringToBytes(canonical);
-  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
-  const signatureBytes = sign(
-    payload,
-    identity.encrypted_private_key,
-    encryptionKey
-  );
-  return {
-    body,
-    signed_by: identity.public_key,
-    signature: toBase64url(signatureBytes)
-  };
-}
+// src/shr/tools.ts
+init_generator();
 
 // src/shr/verifier.ts
+init_types();
+init_identity();
 init_encoding();
 function verifySHR(shr, now) {
   const errors = [];
@@ -8436,7 +8573,11 @@ function createSHRTools(config, identityManager, masterKey, auditLog) {
   return { tools };
 }
 
+// src/handshake/tools.ts
+init_generator();
+
 // src/handshake/protocol.ts
+init_identity();
 init_encoding();
 init_random();
 init_key_derivation();
@@ -8606,8 +8747,11 @@ function deriveTrustTier(level) {
 }
 
 // src/handshake/attestation.ts
+init_types();
+init_identity();
 init_encoding();
 init_key_derivation();
+init_identity();
 init_encoding();
 var ATTESTATION_VERSION = "1.0";
 function deriveTrustTier2(level) {
@@ -9405,6 +9549,7 @@ init_encryption();
 init_encoding();
 
 // src/bridge/bridge.ts
+init_identity();
 init_encoding();
 init_random();
 init_hashing();
@@ -12493,6 +12638,7 @@ init_filesystem();
 init_baseline();
 init_loader();
 init_dashboard();
+init_generator();
 async function createSanctuaryServer(options) {
   const config = await loadConfig(options?.configPath);
   await mkdir(config.storage_path, { recursive: true, mode: 448 });
@@ -12846,7 +12992,15 @@ async function createSanctuaryServer(options) {
       tls: config.dashboard.tls,
       auto_open: config.dashboard.auto_open
     });
-    dashboard.setDependencies({ policy, baseline, auditLog });
+    dashboard.setDependencies({
+      policy,
+      baseline,
+      auditLog,
+      identityManager,
+      handshakeResults,
+      shrOpts: { config, identityManager, masterKey },
+      sanctuaryConfig: config
+    });
     await dashboard.start();
     approvalChannel = dashboard;
   } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {