@sanctuary-framework/mcp-server 0.5.6 → 0.5.8

package/dist/index.js

@@ -4064,6 +4064,108 @@ var AutoApproveChannel = class {
   }
 };
 
+// src/shr/types.ts
+function deepSortKeys(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(deepSortKeys);
+  const sorted = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = deepSortKeys(obj[key]);
+  }
+  return sorted;
+}
+function canonicalizeForSigning(body) {
+  return JSON.stringify(deepSortKeys(body));
+}
+
+// src/shr/generator.ts
+init_encoding();
+var DEFAULT_VALIDITY_MS = 60 * 60 * 1e3;
+function generateSHR(identityId, opts) {
+  const { config, identityManager, masterKey, validityMs } = opts;
+  const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
+  if (!identity) {
+    return "No identity available for signing. Create an identity first.";
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));
+  const degradations = [];
+  if (config.execution.environment === "local-process") {
+    degradations.push({
+      layer: "l2",
+      code: "PROCESS_ISOLATION_ONLY",
+      severity: "warning",
+      description: "Process-level isolation only (no TEE)",
+      mitigation: "TEE support planned for a future release"
+    });
+    degradations.push({
+      layer: "l2",
+      code: "SELF_REPORTED_ATTESTATION",
+      severity: "warning",
+      description: "Attestation is self-reported (no hardware root of trust)",
+      mitigation: "TEE attestation planned for a future release"
+    });
+  }
+  const body = {
+    shr_version: "1.0",
+    implementation: {
+      sanctuary_version: config.version,
+      node_version: process.versions.node,
+      generated_by: "sanctuary-mcp-server"
+    },
+    instance_id: identity.identity_id,
+    generated_at: now.toISOString(),
+    expires_at: expiresAt.toISOString(),
+    layers: {
+      l1: {
+        status: "active",
+        encryption: config.state.encryption,
+        key_custody: "self",
+        integrity: config.state.integrity,
+        identity_type: config.state.identity_provider,
+        state_portable: true
+      },
+      l2: {
+        status: config.execution.environment === "local-process" ? "degraded" : "active",
+        isolation_type: config.execution.environment,
+        attestation_available: config.execution.attestation
+      },
+      l3: {
+        status: "active",
+        proof_system: config.disclosure.proof_system,
+        selective_disclosure: true
+      },
+      l4: {
+        status: "active",
+        reputation_mode: config.reputation.mode,
+        attestation_format: config.reputation.attestation_format,
+        reputation_portable: true
+      }
+    },
+    capabilities: {
+      handshake: true,
+      shr_exchange: true,
+      reputation_verify: true,
+      encrypted_channel: false
+      // Not yet implemented
+    },
+    degradations
+  };
+  const canonical = canonicalizeForSigning(body);
+  const payload = stringToBytes(canonical);
+  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
+  const signatureBytes = sign(
+    payload,
+    identity.encrypted_private_key,
+    encryptionKey
+  );
+  return {
+    body,
+    signed_by: identity.public_key,
+    signature: toBase64url(signatureBytes)
+  };
+}
+
 // src/principal-policy/dashboard-html.ts
 function generateLoginHTML(options) {
   return `<!DOCTYPE html>
@@ -4071,7 +4173,7 @@ function generateLoginHTML(options) {
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Sanctuary Dashboard</title>
+  <title>Sanctuary \u2014 Principal Dashboard</title>
   <style>
     :root {
       --bg: #0d1117;
@@ -4242,7 +4344,7 @@ function generateLoginHTML(options) {
 
       <form id="login-form">
         <div class="form-group">
-          <label for="auth-token">Bearer Token</label>
+          <label for="auth-token">Auth Token</label>
           <input
             type="text"
             id="auth-token"
@@ -4327,7 +4429,7 @@ function generateDashboardHTML(options) {
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Sanctuary Dashboard</title>
+  <title>Sanctuary \u2014 Principal Dashboard</title>
   <style>
     :root {
       --bg: #0d1117;
@@ -5987,6 +6089,10 @@ var DashboardApprovalChannel = class {
   policy = null;
   baseline = null;
   auditLog = null;
+  identityManager = null;
+  handshakeResults = null;
+  shrOpts = null;
+  _sanctuaryConfig = null;
   dashboardHTML;
   loginHTML;
   authToken;
@@ -6020,6 +6126,10 @@ var DashboardApprovalChannel = class {
     this.policy = deps.policy;
     this.baseline = deps.baseline;
     this.auditLog = deps.auditLog;
+    if (deps.identityManager) this.identityManager = deps.identityManager;
+    if (deps.handshakeResults) this.handshakeResults = deps.handshakeResults;
+    if (deps.shrOpts) this.shrOpts = deps.shrOpts;
+    if (deps.sanctuaryConfig) this._sanctuaryConfig = deps.sanctuaryConfig;
   }
   /**
    * Start the HTTP(S) server for the dashboard.
@@ -6352,6 +6462,14 @@ var DashboardApprovalChannel = class {
         this.handlePendingList(res);
       } else if (method === "GET" && url.pathname === "/api/audit-log") {
         this.handleAuditLog(url, res);
+      } else if (method === "GET" && url.pathname === "/api/sovereignty") {
+        this.handleSovereignty(res);
+      } else if (method === "GET" && url.pathname === "/api/identity") {
+        this.handleIdentity(res);
+      } else if (method === "GET" && url.pathname === "/api/handshakes") {
+        this.handleHandshakes(res);
+      } else if (method === "GET" && url.pathname === "/api/shr") {
+        this.handleSHR(res);
       } else if (method === "POST" && url.pathname.startsWith("/api/approve/")) {
         if (!this.checkRateLimit(req, res, "decisions")) return;
         const id = url.pathname.slice("/api/approve/".length);
@@ -6541,6 +6659,107 @@ data: ${JSON.stringify(initData)}
     res.writeHead(200, { "Content-Type": "application/json" });
     res.end(JSON.stringify({ success: true, decision }));
   }
+  // ── Sovereignty Data Routes ─────────────────────────────────────────
+  handleSovereignty(res) {
+    if (!this.shrOpts) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "SHR generator not available" }));
+      return;
+    }
+    const shr = generateSHR(void 0, this.shrOpts);
+    if (typeof shr === "string") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: shr }));
+      return;
+    }
+    const layers = shr.body.layers;
+    let score = 0;
+    for (const layer of [layers.l1, layers.l2, layers.l3, layers.l4]) {
+      if (layer.status === "active") score += 25;
+      else if (layer.status === "degraded") score += 15;
+    }
+    const overallLevel = score === 100 ? "full" : score >= 65 ? "degraded" : score >= 25 ? "minimal" : "unverified";
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({
+      score,
+      overall_level: overallLevel,
+      layers: {
+        l1: { status: layers.l1.status, detail: layers.l1.encryption, key_custody: layers.l1.key_custody },
+        l2: { status: layers.l2.status, detail: layers.l2.isolation_type, attestation: layers.l2.attestation_available },
+        l3: { status: layers.l3.status, detail: layers.l3.proof_system, selective_disclosure: layers.l3.selective_disclosure },
+        l4: { status: layers.l4.status, detail: layers.l4.attestation_format, reputation_portable: layers.l4.reputation_portable }
+      },
+      degradations: shr.body.degradations,
+      capabilities: shr.body.capabilities,
+      config_loaded: this._sanctuaryConfig != null
+    }));
+  }
+  handleIdentity(res) {
+    if (!this.identityManager) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ identities: [], count: 0 }));
+      return;
+    }
+    const identities = this.identityManager.list().map((id) => ({
+      identity_id: id.identity_id,
+      label: id.label,
+      public_key: id.public_key,
+      did: id.did,
+      created_at: id.created_at,
+      key_type: id.key_type,
+      key_protection: id.key_protection,
+      rotation_count: id.rotation_history?.length ?? 0
+    }));
+    const primary = this.identityManager.getDefault();
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({
+      identities,
+      count: identities.length,
+      primary_id: primary?.identity_id ?? null
+    }));
+  }
+  handleHandshakes(res) {
+    if (!this.handshakeResults) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ handshakes: [], count: 0 }));
+      return;
+    }
+    const handshakes = Array.from(this.handshakeResults.values()).map((h) => ({
+      counterparty_id: h.counterparty_id,
+      verified: h.verified,
+      sovereignty_level: h.sovereignty_level,
+      trust_tier: h.trust_tier,
+      completed_at: h.completed_at,
+      expires_at: h.expires_at,
+      errors: h.errors
+    }));
+    handshakes.sort((a, b) => new Date(b.completed_at).getTime() - new Date(a.completed_at).getTime());
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({
+      handshakes,
+      count: handshakes.length,
+      tier_distribution: {
+        verified_sovereign: handshakes.filter((h) => h.trust_tier === "verified-sovereign").length,
+        verified_degraded: handshakes.filter((h) => h.trust_tier === "verified-degraded").length,
+        unverified: handshakes.filter((h) => h.trust_tier === "unverified").length
+      }
+    }));
+  }
+  handleSHR(res) {
+    if (!this.shrOpts) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "SHR generator not available" }));
+      return;
+    }
+    const shr = generateSHR(void 0, this.shrOpts);
+    if (typeof shr === "string") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: shr }));
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(shr));
+  }
   // ── SSE Broadcasting ────────────────────────────────────────────────
   broadcastSSE(event, data) {
     const message = `event: ${event}
@@ -7707,108 +7926,6 @@ function createPrincipalPolicyTools(policy, baseline, auditLog) {
   ];
 }
 
-// src/shr/types.ts
-function deepSortKeys(obj) {
-  if (obj === null || typeof obj !== "object") return obj;
-  if (Array.isArray(obj)) return obj.map(deepSortKeys);
-  const sorted = {};
-  for (const key of Object.keys(obj).sort()) {
-    sorted[key] = deepSortKeys(obj[key]);
-  }
-  return sorted;
-}
-function canonicalizeForSigning(body) {
-  return JSON.stringify(deepSortKeys(body));
-}
-
-// src/shr/generator.ts
-init_encoding();
-var DEFAULT_VALIDITY_MS = 60 * 60 * 1e3;
-function generateSHR(identityId, opts) {
-  const { config, identityManager, masterKey, validityMs } = opts;
-  const identity = identityId ? identityManager.get(identityId) : identityManager.getDefault();
-  if (!identity) {
-    return "No identity available for signing. Create an identity first.";
-  }
-  const now = /* @__PURE__ */ new Date();
-  const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));
-  const degradations = [];
-  if (config.execution.environment === "local-process") {
-    degradations.push({
-      layer: "l2",
-      code: "PROCESS_ISOLATION_ONLY",
-      severity: "warning",
-      description: "Process-level isolation only (no TEE)",
-      mitigation: "TEE support planned for a future release"
-    });
-    degradations.push({
-      layer: "l2",
-      code: "SELF_REPORTED_ATTESTATION",
-      severity: "warning",
-      description: "Attestation is self-reported (no hardware root of trust)",
-      mitigation: "TEE attestation planned for a future release"
-    });
-  }
-  const body = {
-    shr_version: "1.0",
-    implementation: {
-      sanctuary_version: config.version,
-      node_version: process.versions.node,
-      generated_by: "sanctuary-mcp-server"
-    },
-    instance_id: identity.identity_id,
-    generated_at: now.toISOString(),
-    expires_at: expiresAt.toISOString(),
-    layers: {
-      l1: {
-        status: "active",
-        encryption: config.state.encryption,
-        key_custody: "self",
-        integrity: config.state.integrity,
-        identity_type: config.state.identity_provider,
-        state_portable: true
-      },
-      l2: {
-        status: config.execution.environment === "local-process" ? "degraded" : "active",
-        isolation_type: config.execution.environment,
-        attestation_available: config.execution.attestation
-      },
-      l3: {
-        status: "active",
-        proof_system: config.disclosure.proof_system,
-        selective_disclosure: true
-      },
-      l4: {
-        status: "active",
-        reputation_mode: config.reputation.mode,
-        attestation_format: config.reputation.attestation_format,
-        reputation_portable: true
-      }
-    },
-    capabilities: {
-      handshake: true,
-      shr_exchange: true,
-      reputation_verify: true,
-      encrypted_channel: false
-      // Not yet implemented
-    },
-    degradations
-  };
-  const canonical = canonicalizeForSigning(body);
-  const payload = stringToBytes(canonical);
-  const encryptionKey = derivePurposeKey(masterKey, "identity-encryption");
-  const signatureBytes = sign(
-    payload,
-    identity.encrypted_private_key,
-    encryptionKey
-  );
-  return {
-    body,
-    signed_by: identity.public_key,
-    signature: toBase64url(signatureBytes)
-  };
-}
-
 // src/shr/verifier.ts
 init_encoding();
 function verifySHR(shr, now) {
@@ -12679,7 +12796,15 @@ async function createSanctuaryServer(options) {
       tls: config.dashboard.tls,
       auto_open: config.dashboard.auto_open
     });
-    dashboard.setDependencies({ policy, baseline, auditLog });
+    dashboard.setDependencies({
+      policy,
+      baseline,
+      auditLog,
+      identityManager,
+      handshakeResults,
+      shrOpts: { config, identityManager, masterKey },
+      sanctuaryConfig: config
+    });
     await dashboard.start();
     approvalChannel = dashboard;
   } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {