@sanctuary-framework/mcp-server 0.7.0 → 0.10.0

package/dist/index.d.cts

@@ -6,7 +6,6 @@ import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
 interface SanctuaryConfig {
     version: string;
     storage_path: string;
-    principal_id?: string;
     state: {
         encryption: "aes-256-gcm";
         key_protection: "passphrase" | "hardware-key" | "none";
@@ -127,157 +126,6 @@ interface StorageBackend {
     totalSize(): Promise<number>;
 }
 
-/**
- * Sanctuary MCP Server — AES-256-GCM Encryption
- *
- * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).
- * This provides both confidentiality and integrity — a modified ciphertext will
- * fail authentication, detecting tampering.
- *
- * Security invariants:
- * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)
- * - The 16-byte authentication tag is always verified on decryption
- * - Keys are 256 bits (32 bytes)
- */
-/** Encrypted payload structure stored on disk */
-interface EncryptedPayload {
-    /** Format version */
-    v: number;
-    /** Algorithm identifier */
-    alg: "aes-256-gcm";
-    /** Initialization vector (base64url) */
-    iv: string;
-    /** Ciphertext (base64url) */
-    ct: string;
-    /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */
-    /** Timestamp */
-    ts: string;
-}
-
-/**
- * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore
- *
- * The encrypted state store is the foundation of Sanctuary.
- * Every read and write goes through here. All data is encrypted
- * with namespace-specific keys. All writes are signed by an identity.
- * All reads verify integrity via Merkle proofs.
- *
- * Security invariants:
- * - Plaintext never touches the filesystem
- * - Every write gets a unique IV
- * - Every write is signed (non-repudiation)
- * - Monotonic version numbers prevent rollback
- * - Merkle tree verifies namespace integrity
- * - Secure deletion overwrites before unlinking
- */
-
-/** Result of a state write operation */
-interface WriteResult {
-    key: string;
-    namespace: string;
-    version: number;
-    merkle_root: string;
-    written_at: string;
-    size_bytes: number;
-    integrity_hash: string;
-}
-/** Result of a state read operation */
-interface ReadResult {
-    key: string;
-    namespace: string;
-    value: string;
-    version: number;
-    integrity_verified: boolean;
-    merkle_proof: string[];
-    written_at: string;
-    written_by: string;
-}
-/** Options for state write */
-interface WriteOptions {
-    content_type?: string;
-    ttl_seconds?: number;
-    tags?: string[];
-}
-declare class StateStore {
-    private storage;
-    private masterKey;
-    private versionCache;
-    private contentHashes;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    private versionKey;
-    /**
-     * Get or initialize the content hash map for a namespace.
-     */
-    private getNamespaceHashes;
-    /**
-     * Write encrypted state.
-     *
-     * @param namespace - Logical grouping
-     * @param key - State key
-     * @param value - Plaintext value (will be encrypted)
-     * @param identityId - Identity performing the write
-     * @param encryptedPrivateKey - Identity's encrypted private key (for signing)
-     * @param identityEncryptionKey - Key to decrypt the identity's private key
-     * @param options - Optional metadata
-     */
-    write(namespace: string, key: string, value: string, identityId: string, encryptedPrivateKey: EncryptedPayload, identityEncryptionKey: Uint8Array, options?: WriteOptions): Promise<WriteResult>;
-    /**
-     * Read and decrypt state.
-     *
-     * @param namespace - Logical grouping
-     * @param key - State key
-     * @param signerPublicKey - Expected signer's public key (for signature verification)
-     * @param verifyIntegrity - Whether to verify Merkle proof (default: true)
-     */
-    read(namespace: string, key: string, signerPublicKey?: Uint8Array, verifyIntegrity?: boolean): Promise<ReadResult | null>;
-    /**
-     * List keys in a namespace (metadata only — no decryption).
-     */
-    list(namespace: string, prefix?: string, tags?: string[], limit?: number, offset?: number): Promise<{
-        keys: Array<{
-            key: string;
-            version: number;
-            size_bytes: number;
-            written_at: string;
-            tags: string[];
-        }>;
-        total: number;
-        merkle_root: string;
-    }>;
-    /**
-     * Securely delete state (overwrite with random bytes before removal).
-     */
-    delete(namespace: string, key: string): Promise<{
-        deleted: boolean;
-        key: string;
-        namespace: string;
-        new_merkle_root: string;
-        deleted_at: string;
-    }>;
-    /**
-     * Export all state for a namespace as an encrypted bundle.
-     */
-    export(namespace?: string): Promise<{
-        bundle: string;
-        namespaces: string[];
-        total_keys: number;
-        bundle_hash: string;
-        exported_at: string;
-    }>;
-    /**
-     * Import a previously exported state bundle.
-     */
-    import(bundleBase64: string, conflictResolution: "skip" | "overwrite" | "version" | undefined, publicKeyResolver: (kid: string) => Uint8Array | null): Promise<{
-        imported_keys: number;
-        skipped_keys: number;
-        skipped_invalid_sig: number;
-        skipped_unknown_kid: number;
-        conflicts: number;
-        namespaces: string[];
-        imported_at: string;
-    }>;
-}
-
 /**
  * Sanctuary MCP Server — L2 Operational Isolation: Audit Log
  *
@@ -297,17 +145,31 @@ interface AuditEntry {
     result: "success" | "failure";
     details?: Record<string, unknown>;
 }
+interface AuditLogConfig {
+    /** Maximum total size of stored audit entries in bytes. Default: 100 MB. */
+    maxTotalSizeBytes?: number;
+    /** Maximum number of stored audit entry files to retain. Default: 100_000. */
+    maxEntries?: number;
+}
 declare class AuditLog {
     private storage;
     private encryptionKey;
     private entries;
     private counter;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
+    private readonly maxTotalSizeBytes;
+    private readonly maxEntries;
+    private rotationInFlight;
+    constructor(storage: StorageBackend, masterKey: Uint8Array, config?: AuditLogConfig);
     /**
      * Append an audit entry.
      */
     append(layer: AuditEntry["layer"], operation: string, identityId: string, details?: Record<string, unknown>, result?: "success" | "failure"): void;
     private persistEntry;
+    /**
+     * Prune oldest audit entries when storage exceeds configured limits.
+     * Entries are sorted by key (timestamp-based) so oldest are pruned first.
+     */
+    private maybeRotate;
     /**
      * Query the audit log with filtering.
      */
@@ -328,942 +190,1010 @@ declare class AuditLog {
 }
 
 /**
- * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes
- *
- * Cryptographic commitments allow an agent to commit to a value
- * without revealing it, then later prove what was committed.
- *
- * This is the MVS approach to selective disclosure — simpler than
- * full ZK proofs but still cryptographically sound. The commitment
- * is SHA-256(value || blinding_factor), which is:
- * - Hiding: the commitment reveals nothing about the value
- * - Binding: the committer cannot change the value after committing
+ * Sanctuary MCP Server — Principal Policy Types
  *
- * Security invariants:
- * - Blinding factors are cryptographically random (32 bytes)
- * - Commitments are stored encrypted under L1 sovereignty
- * - Revealed values are verified via constant-time comparison
+ * Type definitions for the Principal Policy system.
+ * The Principal Policy is the human-controlled, agent-immutable
+ * configuration that gates operations through approval tiers.
  */
-
-/** A cryptographic commitment */
-interface Commitment {
-    /** The commitment hash: SHA-256(value || blinding_factor) as base64url */
-    commitment: string;
-    /** The blinding factor (must be stored securely for later reveal) */
-    blinding_factor: string;
-    /** When the commitment was created */
-    committed_at: string;
-}
-/** Stored commitment metadata (encrypted at rest) */
-interface StoredCommitment {
-    commitment: string;
-    blinding_factor: string;
-    value: string;
-    committed_at: string;
-    revealed: boolean;
-    revealed_at?: string;
+/** Tier 2 anomaly action: what to do when an anomaly is detected */
+type AnomalyAction = "approve" | "log" | "allow";
+/** Tier 2 anomaly detection configuration */
+interface Tier2Config {
+    /** Action when agent accesses a namespace it hasn't used before */
+    new_namespace_access: AnomalyAction;
+    /** Action when agent interacts with an unknown counterparty DID */
+    new_counterparty: AnomalyAction;
+    /** Tool call frequency multiplier that triggers anomaly */
+    frequency_spike_multiplier: number;
+    /** Maximum signing operations per minute before triggering */
+    max_signs_per_minute: number;
+    /** Reading more than N keys in a namespace within 60 seconds */
+    bulk_read_threshold: number;
+    /** Policy for first session when no baseline exists */
+    first_session_policy: AnomalyAction;
 }
-/**
- * Commitment store — manages commitments encrypted under L1 sovereignty.
- */
-declare class CommitmentStore {
-    private storage;
-    private encryptionKey;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    /**
-     * Store a commitment (encrypted) for later reference.
-     */
-    store(commitment: Commitment, value: string): Promise<string>;
-    /**
-     * Retrieve a stored commitment by ID.
-     */
-    get(id: string): Promise<StoredCommitment | null>;
+/** Approval channel configuration */
+interface ApprovalChannelConfig {
+    type: "stderr" | "webhook" | "callback";
+    timeout_seconds: number;
     /**
-     * Mark a commitment as revealed.
+     * SEC-002: auto_deny is hardcoded to true and not configurable.
+     * Timeout on any approval channel ALWAYS results in denial.
+     * This field is retained for backward compatibility with existing
+     * policy files but is ignored — timeout always denies.
      */
-    markRevealed(id: string): Promise<void>;
+    auto_deny?: boolean;
+    webhook_url?: string;
+    webhook_secret?: string;
 }
-
-/**
- * Sanctuary MCP Server — L3 Selective Disclosure: Zero-Knowledge Proofs
- *
- * Upgrades the commitment-only L3 to support real zero-knowledge proofs.
- * Uses Ristretto255 (prime-order curve group, no cofactor issues) for:
- *
- *   1. Pedersen commitments: C = v*G + b*H (computationally hiding, perfectly binding)
- *   2. ZK proof of knowledge: Schnorr sigma protocol via Fiat-Shamir
- *   3. ZK range proofs: Prove value ∈ [min, max] without revealing it
- *
- * Ristretto255 is available via @noble/curves/ed25519, which we already depend on.
- * This is genuine zero-knowledge — proofs reveal nothing beyond the stated property.
- *
- * Architecture note:
- * The existing commitment scheme (SHA-256 based) remains available for backward
- * compatibility. The ZK proofs operate on a separate Pedersen commitment system
- * that provides algebraic structure for proper ZK properties.
- *
- * Security invariants:
- * - Generator H is derived via hash-to-curve (nothing-up-my-sleeve)
- * - Blinding factors are cryptographically random (32 bytes)
- * - Fiat-Shamir challenges use domain-separated hashing
- * - Range proofs use a bit-decomposition approach (sound but logarithmic size)
- */
-/** A Pedersen commitment: C = v*G + b*H */
-interface PedersenCommitment {
-    /** The commitment point (encoded as base64url) */
-    commitment: string;
-    /** The blinding factor b (base64url, 32 bytes) — keep secret */
-    blinding_factor: string;
-    /** When the commitment was created */
-    committed_at: string;
+/** Complete Principal Policy */
+interface PrincipalPolicy {
+    version: number;
+    /** Operations that always require human approval */
+    tier1_always_approve: string[];
+    /** Behavioral anomaly detection configuration */
+    tier2_anomaly: Tier2Config;
+    /** Operations that never require approval (audit only) */
+    tier3_always_allow: string[];
+    /** How approval requests reach the human */
+    approval_channel: ApprovalChannelConfig;
 }
-/** A non-interactive ZK proof of knowledge of a commitment's opening */
-interface ZKProofOfKnowledge {
-    /** Proof type identifier */
-    type: "schnorr-pedersen-ristretto255";
-    /** The commitment this proof is for */
-    commitment: string;
-    /** Announcement point R (base64url) */
-    announcement: string;
-    /** Response scalar s_v (base64url) */
-    response_v: string;
-    /** Response scalar s_b (base64url) */
-    response_b: string;
-    /** Proof generated at */
-    generated_at: string;
+/** Approval request sent to the human */
+interface ApprovalRequest {
+    operation: string;
+    tier: 1 | 2;
+    reason: string;
+    context: Record<string, unknown>;
+    timestamp: string;
 }
-/** A ZK range proof: proves value ∈ [min, max] */
-interface ZKRangeProof {
-    /** Proof type identifier */
-    type: "range-pedersen-ristretto255";
-    /** The commitment this proof is for */
-    commitment: string;
-    /** Minimum value (inclusive) */
-    min: number;
-    /** Maximum value (inclusive) */
-    max: number;
-    /** Bit commitments for the shifted value (v - min) */
-    bit_commitments: string[];
-    /** Proofs that each bit commitment is 0 or 1 */
-    bit_proofs: Array<{
-        announcement_0: string;
-        announcement_1: string;
-        challenge_0: string;
-        challenge_1: string;
-        response_0: string;
-        response_1: string;
-    }>;
-    /** Sum proof: bit commitments sum to the value commitment */
-    sum_proof: {
-        announcement: string;
-        response: string;
-    };
-    /** Proof generated at */
-    generated_at: string;
+/** Approval response from the human */
+interface ApprovalResponse {
+    decision: "approve" | "deny";
+    decided_at: string;
+    decided_by: "human" | "timeout" | "auto" | "stderr:non-interactive";
+}
+/** Result of the approval gate evaluation */
+interface GateResult {
+    allowed: boolean;
+    tier: 1 | 2 | 3;
+    reason: string;
+    approval_required: boolean;
+    approval_response?: ApprovalResponse;
+}
+/** Behavioral baseline for anomaly detection */
+interface SessionProfile {
+    /** Namespaces accessed (read or write) */
+    known_namespaces: string[];
+    /** Counterparty DIDs seen in reputation operations */
+    known_counterparties: string[];
+    /** Tool call counts per tool name (lifetime in session) */
+    tool_call_counts: Record<string, number>;
+    /** Whether this is the first session (no prior baseline) */
+    is_first_session: boolean;
+    /** Session start time */
+    started_at: string;
+    /** When the baseline was last saved */
+    saved_at?: string;
 }
+
 /**
- * Create a Pedersen commitment to a numeric value.
- *
- * C = v*G + b*H
- *
- * Properties:
- * - Computationally hiding (under discrete log assumption)
- * - Perfectly binding (information-theoretic)
- * - Homomorphic: C(v1) + C(v2) = C(v1+v2) with adjusted blinding
+ * Sanctuary MCP Server — Approval Channel
  *
- * @param value - The value to commit to (integer)
- * @returns The commitment and blinding factor
- */
-declare function createPedersenCommitment(value: number): PedersenCommitment;
-/**
- * Verify a Pedersen commitment against a revealed value and blinding factor.
+ * Out-of-band communication with the human principal for operation approval.
+ * The default channel uses stderr (outside MCP's stdin/stdout protocol),
+ * ensuring the agent cannot intercept or forge approval responses.
  *
- * Recomputes C' = v*G + b*H and checks C' == C.
+ * Security invariant:
+ * - Approval prompts go through a channel the agent cannot access.
+ * - Timeouts result in denial by default (fail closed).
  */
-declare function verifyPedersenCommitment(commitment: string, value: number, blindingFactor: string): boolean;
+
+/** Abstract approval channel interface */
+interface ApprovalChannel {
+    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+}
 /**
- * Create a non-interactive ZK proof that you know the opening (v, b)
- * of a Pedersen commitment C = v*G + b*H.
- *
- * Schnorr sigma protocol with Fiat-Shamir transform:
- *   1. Pick random r_v, r_b
- *   2. Compute R = r_v*G + r_b*H (announcement)
- *   3. Compute e = H_FS(C || R) (challenge via Fiat-Shamir)
- *   4. Compute s_v = r_v + e*v, s_b = r_b + e*b (responses)
- *   5. Proof = (R, s_v, s_b)
+ * Stderr approval channel — non-interactive informational channel.
  *
- * Zero-knowledge: the transcript (R, e, s_v, s_b) can be simulated
- * without knowing (v, b), so it reveals nothing.
+ * In the MCP stdio model:
+ * - stdin/stdout carry the MCP protocol (JSON-RPC)
+ * - stderr is available for out-of-band human communication
  *
- * @param value - The committed value
- * @param blindingFactor - The blinding factor (base64url)
- * @param commitment - The commitment (base64url)
- */
-declare function createProofOfKnowledge(value: number, blindingFactor: string, commitment: string): ZKProofOfKnowledge;
-/**
- * Verify a ZK proof of knowledge of a commitment's opening.
+ * Because stdin is consumed by the MCP JSON-RPC transport, this channel
+ * CANNOT read interactive human input. It is strictly informational:
+ * the prompt is displayed so the human sees what is happening, and the
+ * operation is denied immediately.
  *
- * Check: s_v*G + s_b*H == R + e*C
+ * SEC-002 + SEC-016 invariants:
+ * - This channel ALWAYS denies. No configuration can change this.
+ * - There is no timeout or async delay — denial is synchronous.
+ * - The `auto_deny` config field is ignored (SEC-002).
+ * - For interactive approval, use the dashboard or webhook channel.
  */
-declare function verifyProofOfKnowledge(proof: ZKProofOfKnowledge): boolean;
+declare class StderrApprovalChannel implements ApprovalChannel {
+    constructor(_config: ApprovalChannelConfig);
+    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+    private formatPrompt;
+}
 /**
- * Create a ZK range proof: prove value ∈ [min, max] without revealing value.
- *
- * Approach: bit-decomposition of (value - min) into n bits where 2^n > max - min.
- * Each bit gets a Pedersen commitment and a proof it's 0 or 1.
- * A sum proof shows the bit commitments reconstruct the original commitment
- * (shifted by min).
- *
- * @param value - The committed value
- * @param blindingFactor - The blinding factor (base64url)
- * @param commitment - The commitment (base64url)
- * @param min - Minimum value (inclusive)
- * @param max - Maximum value (inclusive)
+ * Programmatic approval channel — for testing and API integration.
  */
-declare function createRangeProof(value: number, blindingFactor: string, commitment: string, min: number, max: number): ZKRangeProof | {
-    error: string;
-};
+declare class CallbackApprovalChannel implements ApprovalChannel {
+    private callback;
+    constructor(callback: (request: ApprovalRequest) => Promise<ApprovalResponse>);
+    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+}
 /**
- * Verify a ZK range proof.
+ * Auto-approve channel — for testing. Approves everything.
  */
-declare function verifyRangeProof(proof: ZKRangeProof): boolean;
+declare class AutoApproveChannel implements ApprovalChannel {
+    requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse>;
+}
 
 /**
- * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies
- *
- * Disclosure policies define what an agent will and will not disclose
- * in different interaction contexts. Policies are evaluated against
- * incoming disclosure requests to produce per-field decisions.
+ * Sanctuary MCP Server — Behavioral Baseline Tracker
  *
- * This is the agent's "privacy preferences" layer — it codifies the
- * human principal's intent about what information can flow where.
+ * Tracks the agent's behavioral profile during a session and persists
+ * it for cross-session anomaly detection. The baseline defines "normal"
+ * so that deviations can trigger Tier 2 approval.
  *
  * Security invariants:
- * - Policies are stored encrypted under L1 sovereignty
- * - Default action is always "withhold" unless explicitly overridden
- * - Policy evaluation is deterministic (same request → same decision)
+ * - Baseline is stored encrypted under L1 sovereignty
+ * - Baseline changes are audit-logged
+ * - Baseline is integrity-verified via L1 Merkle tree
+ * - No MCP tool can directly modify the baseline
  */
 
-/** A single disclosure rule within a policy */
-interface DisclosureRule {
-    /** Interaction context this rule applies to */
-    context: string;
-    /** Fields/claims the agent MAY disclose */
-    disclose: string[];
-    /** Fields/claims the agent MUST NOT disclose */
-    withhold: string[];
-    /** Fields that require proof rather than plain disclosure */
-    proof_required: string[];
-}
-/** A complete disclosure policy */
-interface DisclosurePolicy {
-    policy_id: string;
-    policy_name: string;
-    rules: DisclosureRule[];
-    default_action: "withhold" | "ask-principal";
-    identity_id?: string;
-    created_at: string;
-    updated_at: string;
-}
-/**
- * Policy store — manages disclosure policies encrypted under L1 sovereignty.
- */
-declare class PolicyStore {
+declare class BaselineTracker {
     private storage;
     private encryptionKey;
-    private policies;
+    private profile;
+    /** Sliding window: timestamps of tool calls per tool name (last 60s) */
+    private callWindows;
+    /** Sliding window: read counts per namespace (last 60s) */
+    private readWindows;
+    /** Sliding window: sign call timestamps (last 60s) */
+    private signWindow;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Create and store a new disclosure policy.
+     * Load the previous session's baseline from storage.
+     * If none exists, this is a first session.
      */
-    create(policyName: string, rules: DisclosureRule[], defaultAction: "withhold" | "ask-principal", identityId?: string): Promise<DisclosurePolicy>;
+    load(): Promise<void>;
     /**
-     * Get a policy by ID.
+     * Save the current baseline to storage (encrypted).
+     * Called at session end or periodically.
      */
-    get(policyId: string): Promise<DisclosurePolicy | null>;
+    save(): Promise<void>;
     /**
-     * List all policies.
+     * Record a tool call for baseline tracking.
+     * Returns anomaly information if applicable.
      */
-    list(): Promise<DisclosurePolicy[]>;
+    recordToolCall(toolName: string): void;
     /**
-     * Load all persisted policies into memory.
+     * Record a namespace access.
+     * @returns true if this is a new namespace (not in baseline)
      */
-    private loadAll;
-    private persist;
+    recordNamespaceAccess(namespace: string): boolean;
+    /**
+     * Record a namespace read for bulk-read detection.
+     * @returns the number of reads in the current 60-second window
+     */
+    recordNamespaceRead(namespace: string): number;
+    /**
+     * Record a counterparty DID interaction.
+     * @returns true if this is a new counterparty (not in baseline)
+     */
+    recordCounterparty(did: string): boolean;
+    /**
+     * Record a signing operation.
+     * @returns the number of signs in the current 60-second window
+     */
+    recordSign(): number;
+    /**
+     * Get the current call rate for a tool (calls per minute).
+     */
+    getCallRate(toolName: string): number;
+    /**
+     * Get the average call rate across all tools in the baseline.
+     */
+    getAverageCallRate(): number;
+    /** Whether this is the first session */
+    get isFirstSession(): boolean;
+    /** Get a read-only view of the current profile */
+    getProfile(): SessionProfile;
 }
 
 /**
- * Sanctuary MCP Server — Ed25519 Identity Management
- *
- * Sovereign identity based on Ed25519 keypairs.
- * Private keys are always encrypted at rest — never stored in plaintext.
+ * Sanctuary MCP Server — Prompt Injection Detection Layer
  *
- * Security invariants:
- * - Private keys never appear in any MCP tool response
- * - Private keys are encrypted with identity-specific keys derived from the master key
- * - Key rotation produces a signed rotation event (verifiable chain)
- */
-
-/** Public identity information (safe to share) */
-interface PublicIdentity {
-    identity_id: string;
-    label: string;
-    public_key: string;
-    did: string;
-    created_at: string;
-    key_type: "ed25519";
-    key_protection: "passphrase" | "hardware-key" | "recovery-key";
-}
-/** Stored identity (private key is encrypted) */
-interface StoredIdentity extends PublicIdentity {
-    encrypted_private_key: EncryptedPayload;
-    /** Previous public keys (for rotation chain verification) */
-    rotation_history: Array<{
-        old_public_key: string;
-        new_public_key: string;
-        rotation_event: string;
-        rotated_at: string;
-    }>;
-}
-
-/**
- * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types
+ * Fast, zero-dependency detection of common prompt injection patterns.
+ * Scans tool arguments for role override, security bypass, encoding evasion,
+ * data exfiltration, and prompt stuffing signals.
  *
- * Machine-readable, signed, versioned sovereignty capability advertisement.
- * An agent presents its SHR to counterparties to prove its sovereignty posture.
- * The SHR is signed by one of the instance's Ed25519 identities and can be
- * independently verified by any party without trusting the presenter.
+ * SEC-034/SEC-035: Enhanced with Unicode sanitization pre-pass, decoded content
+ * re-scanning, token budget analysis, and outbound content scanning.
  *
- * SHR version: 1.0
+ * Security invariants:
+ * - Always returns a result, never throws
+ * - Typical scan completes in < 5ms
+ * - False positives minimized via field-aware scanning
+ * - Recursive scanning of nested objects/arrays
+ * - Outbound scanning catches secret leaks and injection artifact survival
  */
-type LayerStatus = "active" | "degraded" | "inactive";
-type DegradationSeverity = "info" | "warning" | "critical";
-type DegradationCode = "NO_TEE" | "PROCESS_ISOLATION_ONLY" | "COMMITMENT_ONLY" | "NO_ZK_PROOFS" | "SELF_REPORTED_ATTESTATION" | "NO_SELECTIVE_DISCLOSURE" | "BASIC_SYBIL_ONLY";
-interface SHRLayerL1 {
-    status: LayerStatus;
-    encryption: string;
-    key_custody: "self" | "delegated" | "platform";
-    integrity: string;
-    identity_type: string;
-    state_portable: boolean;
-}
-interface SHRLayerL2 {
-    status: LayerStatus;
-    isolation_type: string;
-    attestation_available: boolean;
-    /** Model provenance: what inference model(s) power this agent */
-    model_provenance?: {
-        model_id: string;
-        model_name: string;
-        provider: string;
-        open_weights: boolean;
-        open_source: boolean;
-        local_inference: boolean;
-        weights_hash?: string;
-    };
-}
-interface SHRLayerL3 {
-    status: LayerStatus;
-    proof_system: string;
-    selective_disclosure: boolean;
-}
-interface SHRLayerL4 {
-    status: LayerStatus;
-    reputation_mode: string;
-    attestation_format: string;
-    reputation_portable: boolean;
+interface InjectionDetectorConfig {
+    enabled: boolean;
+    sensitivity: "low" | "medium" | "high";
+    on_detection: "escalate" | "block" | "log";
+    custom_patterns?: string[];
 }
-interface SHRDegradation {
-    layer: "l1" | "l2" | "l3" | "l4";
-    code: DegradationCode;
-    severity: DegradationSeverity;
-    description: string;
-    mitigation?: string;
+interface InjectionSignal {
+    type: string;
+    pattern: string;
+    location: string;
+    severity: "low" | "medium" | "high";
 }
-interface SHRCapabilities {
-    handshake: boolean;
-    shr_exchange: boolean;
-    reputation_verify: boolean;
-    encrypted_channel: boolean;
+interface DetectionResult {
+    flagged: boolean;
+    confidence: number;
+    signals: InjectionSignal[];
+    recommendation: "allow" | "escalate" | "block";
 }
-/**
- * The SHR body — the content that gets signed.
- * Canonical form: JSON with sorted keys, no whitespace.
- */
-interface SHRBody {
-    shr_version: "1.0";
-    implementation: {
-        sanctuary_version: string;
-        node_version: string;
-        generated_by: string;
-    };
-    instance_id: string;
-    generated_at: string;
-    expires_at: string;
-    layers: {
-        l1: SHRLayerL1;
-        l2: SHRLayerL2;
-        l3: SHRLayerL3;
-        l4: SHRLayerL4;
+declare class InjectionDetector {
+    private config;
+    private stats;
+    constructor(config?: Partial<InjectionDetectorConfig>);
+    /**
+     * Scan tool arguments for injection signals.
+     * @param toolName Full tool name (e.g., "state_read")
+     * @param args Tool arguments
+     * @returns DetectionResult with all detected signals
+     */
+    scan(toolName: string, args: Record<string, unknown>): DetectionResult;
+    /**
+     * SEC-035: Scan outbound content for secret leaks, data exfiltration,
+     * internal path exposure, and injection artifact survival.
+     *
+     * @param content The outbound content string to scan
+     * @returns DetectionResult with outbound-specific signal types
+     */
+    scanOutbound(content: string): DetectionResult;
+    /**
+     * Recursively scan a value and all nested values.
+     */
+    private scanValue;
+    /**
+     * Scan a single string for injection signals.
+     */
+    private scanString;
+    /**
+     * Count invisible Unicode characters in a string.
+     * Includes zero-width chars, soft hyphens, directional marks,
+     * variation selectors, and other invisible categories.
+     */
+    private countInvisibleChars;
+    /**
+     * Strip invisible characters from a string for clean pattern matching.
+     * Returns a new string with all invisible chars removed.
+     */
+    private stripInvisibleChars;
+    /**
+     * SEC-034: Token budget attack detection.
+     * Some Unicode sequences expand dramatically during tokenization (e.g., CJK
+     * ideographs, combining characters, emoji sequences). If the estimated token
+     * cost per character is anomalously high, this may be a wallet-drain payload.
+     *
+     * Heuristic: count chars that typically tokenize into multiple tokens.
+     * If the ratio of estimated tokens to char count exceeds 3x, flag it.
+     */
+    private detectTokenBudgetAttack;
+    /**
+     * Detect encoded content (base64, hex, HTML entities, URL encoding),
+     * decode it, and re-scan the decoded content through injection patterns.
+     * If the decoded content contains injection patterns, flag as encoding_evasion.
+     */
+    private detectEncodedPayloads;
+    /**
+     * Check if a string contains any injection patterns (role override or security bypass).
+     */
+    private containsInjectionPatterns;
+    /**
+     * Safely decode a base64 string. Returns null if it's not valid base64
+     * or doesn't decode to a meaningful string.
+     */
+    private safeBase64Decode;
+    /**
+     * Safely decode a hex string. Returns null on failure.
+     */
+    private safeHexDecode;
+    /**
+     * Decode HTML numeric entities (&#xHH; and &#DDD;) in a string.
+     */
+    private decodeHtmlEntities;
+    /**
+     * Safely decode a URL-encoded string. Returns null on failure.
+     */
+    private safeUrlDecode;
+    /**
+     * Heuristic: does this look like readable text (vs. binary garbage)?
+     * Checks that most characters are printable ASCII or common Unicode.
+     */
+    private looksLikeText;
+    /**
+     * Detect API keys and secrets in outbound content.
+     */
+    private detectSecretPatterns;
+    /**
+     * Detect data exfiltration via markdown images with data-carrying query params.
+     */
+    private detectOutboundExfiltration;
+    /**
+     * Detect internal filesystem path leaks in outbound content.
+     */
+    private detectInternalPathLeaks;
+    /**
+     * Detect private IP addresses and localhost references in outbound content.
+     */
+    private detectPrivateNetworkLeaks;
+    /**
+     * Detect role markers / prompt template artifacts in outbound content.
+     * These should never appear in agent output — their presence indicates
+     * injection artifact survival.
+     */
+    private detectOutputRoleMarkers;
+    /**
+     * Detect base64 strings, base64url, and zero-width character evasion.
+     */
+    private detectEncodingEvasion;
+    /**
+     * Detect URLs and emails in fields that shouldn't have them.
+     */
+    private detectDataExfiltration;
+    /**
+     * Detect prompt stuffing: very large strings or high repetition.
+     */
+    private detectPromptStuffing;
+    /**
+     * Determine if this field is inherently safe from role override.
+     */
+    private isSafeField;
+    /**
+     * Determine if this is a tool name field (where tool refs are expected).
+     */
+    private isToolNameField;
+    /**
+     * Determine if this field is safe for URLs.
+     */
+    private isUrlSafeField;
+    /**
+     * Determine if this field is safe for emails.
+     */
+    private isEmailSafeField;
+    /**
+     * Determine if this field is safe for structured data (JSON/XML).
+     */
+    private isStructuredField;
+    /**
+     * SEC-032/SEC-034: Map common cross-script confusable characters to their
+     * Latin equivalents. NFKC normalization handles fullwidth and compatibility
+     * forms, but does NOT map Cyrillic/Greek/Armenian/Georgian lookalikes to
+     * Latin (they're distinct codepoints by design).
+     *
+     * Extended to 50+ confusable pairs covering Cyrillic, Greek, Armenian,
+     * Georgian, Cherokee, and mathematical/symbol lookalikes.
+     */
+    private normalizeConfusables;
+    /**
+     * Compute confidence score based on signals.
+     * More high-severity signals = higher confidence.
+     */
+    private computeConfidence;
+    /**
+     * Compute recommendation based on signals and sensitivity.
+     */
+    private computeRecommendation;
+    /**
+     * Get statistics about scans performed.
+     */
+    getStats(): {
+        total_scans: number;
+        total_flags: number;
+        total_blocks: number;
+        signals_by_type: Record<string, number>;
     };
-    capabilities: SHRCapabilities;
-    degradations: SHRDegradation[];
-}
-/**
- * The complete signed SHR — body + signature envelope.
- */
-interface SignedSHR {
-    body: SHRBody;
-    signed_by: string;
-    signature: string;
-}
-interface SHRVerificationResult {
-    valid: boolean;
-    errors: string[];
-    warnings: string[];
-    sovereignty_level: "full" | "degraded" | "minimal";
-    counterparty_id: string;
-    expires_at: string;
-}
-
-/**
- * Sanctuary MCP Server — Sovereignty Handshake Types
- *
- * The sovereignty handshake is a mutual verification protocol between
- * two Sanctuary instances. Each party presents its SHR and proves
- * liveness via nonce challenge-response.
- *
- * Protocol:
- *   A → B: HandshakeChallenge (A's SHR + nonce)
- *   B → A: HandshakeResponse (B's SHR + B's nonce + signature over A's nonce)
- *   A → B: HandshakeCompletion (signature over B's nonce)
- *   Result: Both hold a HandshakeResult with verified counterparty status
- */
-
-/** Trust tier derived from sovereignty handshake */
-type TrustTier = "verified-sovereign" | "verified-degraded" | "unverified";
-/** Sovereignty level from SHR assessment */
-type SovereigntyLevel = "full" | "degraded" | "minimal" | "unverified";
-/**
- * Step 1: Initiator sends challenge
- */
-interface HandshakeChallenge {
-    protocol_version: "1.0";
-    shr: SignedSHR;
-    nonce: string;
-    initiated_at: string;
-}
-/**
- * Step 2: Responder sends response
- */
-interface HandshakeResponse {
-    protocol_version: "1.0";
-    shr: SignedSHR;
-    responder_nonce: string;
-    initiator_nonce_signature: string;
-    responded_at: string;
-}
-/**
- * Step 3: Initiator sends completion
- */
-interface HandshakeCompletion {
-    protocol_version: "1.0";
-    responder_nonce_signature: string;
-    completed_at: string;
-}
-/**
- * Final result: both parties hold this after a successful handshake
- */
-interface HandshakeResult {
-    counterparty_id: string;
-    counterparty_shr: SignedSHR;
-    verified: boolean;
-    sovereignty_level: SovereigntyLevel;
-    trust_tier: TrustTier;
-    completed_at: string;
-    expires_at: string;
-    errors: string[];
-}
-/**
- * In-progress handshake state (stored on initiator side)
- */
-interface HandshakeSession {
-    session_id: string;
-    role: "initiator" | "responder";
-    state: "initiated" | "responded" | "completed" | "failed";
-    our_nonce: string;
-    their_nonce?: string;
-    our_shr: SignedSHR;
-    their_shr?: SignedSHR;
-    initiated_at: string;
-    result?: HandshakeResult;
+    /**
+     * Reset statistics.
+     */
+    resetStats(): void;
 }
 
 /**
- * Sanctuary MCP Server — Sovereignty-Gated Reputation Tiers
+ * Sanctuary MCP Server — Approval Gate
  *
- * Attestations carry a sovereignty_tier field reflecting the signer's
- * sovereignty posture at the time of recording. When querying or evaluating
- * reputation, attestations from verified-sovereign agents carry more weight
- * than those from unverified agents.
+ * The three-tier approval gate sits between the MCP router and tool handlers.
+ * Every tool call passes through the gate before execution.
  *
- * Tier hierarchy (descending credibility):
- *   1. "verified-sovereign"  — signer completed a handshake with full sovereignty
- *   2. "verified-degraded"   — signer completed a handshake with degraded sovereignty
- *   3. "self-attested"       — signer has a Sanctuary identity but no handshake verification
- *   4. "unverified"          — no Sanctuary identity or sovereignty proof
+ * Evaluation order:
+ * 1. Tier 1: Is this operation in the always-approve list? → Request approval.
+ * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.
+ * 3. Tier 3 / default: Allow with audit logging.
  *
- * Weight multipliers are applied during reputation scoring. They are NOT
- * gatekeeping — unverified attestations still count, just less.
+ * Security invariants:
+ * - The gate cannot be bypassed — it wraps every tool handler.
+ * - Denial responses do not reveal policy details to the agent.
+ * - All gate decisions (approve, deny, allow) are audit-logged.
  */
 
-type SovereigntyTier = "verified-sovereign" | "verified-degraded" | "self-attested" | "unverified";
-/** Weight multipliers for each tier */
-declare const TIER_WEIGHTS: Record<SovereigntyTier, number>;
-/** Tier metadata embedded in attestations */
-interface TierMetadata {
-    sovereignty_tier: SovereigntyTier;
-    /** If verified, the handshake that established it */
-    handshake_completed_at?: string;
-    /** Counterparty ID from handshake (if applicable) */
-    verified_by?: string;
+/** Callback invoked when an injection is detected, for dashboard broadcasting */
+type InjectionAlertCallback = (alert: {
+    toolName: string;
+    result: DetectionResult;
+    timestamp: string;
+}) => void;
+/** Resolver for proxy tool tiers — provided by the ProxyRouter */
+type ProxyTierResolver = (toolName: string) => (1 | 2 | 3) | null;
+declare class ApprovalGate {
+    private policy;
+    private baseline;
+    private channel;
+    private auditLog;
+    private injectionDetector;
+    private onInjectionAlert?;
+    private proxyTierResolver?;
+    constructor(policy: PrincipalPolicy, baseline: BaselineTracker, channel: ApprovalChannel, auditLog: AuditLog, injectionDetector?: InjectionDetector, onInjectionAlert?: InjectionAlertCallback);
+    /**
+     * Set the proxy tier resolver. Called after the proxy router is initialized.
+     */
+    setProxyTierResolver(resolver: ProxyTierResolver): void;
+    /**
+     * Evaluate a tool call against the Principal Policy.
+     *
+     * @param toolName - Full MCP tool name (e.g., "state_export")
+     * @param args - Tool call arguments (for context extraction)
+     * @returns GateResult indicating whether the call is allowed
+     */
+    evaluate(toolName: string, args: Record<string, unknown>): Promise<GateResult>;
+    /**
+     * Detect Tier 2 behavioral anomalies.
+     */
+    private detectAnomaly;
+    /**
+     * Request approval from the human principal.
+     */
+    private requestApproval;
+    /**
+     * Summarize tool arguments for the approval prompt.
+     * Strips potentially large values to keep the prompt readable.
+     */
+    private summarizeArgs;
+    /** Get the baseline tracker for saving at session end */
+    getBaseline(): BaselineTracker;
+    /** Get the injection detector for stats/configuration access */
+    getInjectionDetector(): InjectionDetector;
 }
+
 /**
- * Resolve the sovereignty tier for a counterparty based on handshake history.
+ * Sanctuary MCP Server — Tool Router
  *
- * @param counterpartyId - The counterparty's instance ID
- * @param handshakeResults - Map of counterparty ID → most recent handshake result
- * @param hasSanctuaryIdentity - Whether the counterparty has a known Sanctuary identity
- * @returns TierMetadata for embedding in attestations
+ * Routes sanctuary/* tool calls to their layer-specific handlers.
+ * Every tool call passes through schema validation and the ApprovalGate
+ * (if configured) before execution. Neither can be bypassed.
+ *
+ * This module is the abstraction boundary for MCP SDK version migration —
+ * if the SDK API changes, only this module needs updating.
  */
-declare function resolveTier(counterpartyId: string, handshakeResults: Map<string, HandshakeResult>, hasSanctuaryIdentity: boolean): TierMetadata;
-/** An attestation with its tier for weighted scoring */
-interface TieredAttestation {
-    /** The raw metric value */
-    value: number;
-    /** The sovereignty tier of the attestation signer */
-    tier: SovereigntyTier;
+
+/** Tool handler function signature */
+type ToolHandler = (args: Record<string, unknown>) => Promise<{
+    content: Array<{
+        type: "text";
+        text: string;
+    }>;
+}>;
+/** Tool definition for registration */
+interface ToolDefinition {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    handler: ToolHandler;
 }
+
 /**
- * Compute a weighted reputation score from tiered attestations.
+ * Sanctuary MCP Server — AES-256-GCM Encryption
  *
- * Each attestation's contribution is multiplied by its tier weight.
- * The result is normalized by total weight (not count), so adding
- * low-tier attestations doesn't dilute high-tier ones.
+ * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).
+ * This provides both confidentiality and integrity — a modified ciphertext will
+ * fail authentication, detecting tampering.
  *
- * @param attestations - Array of value + tier pairs
- * @returns Weighted score, or null if no attestations
- */
-declare function computeWeightedScore(attestations: TieredAttestation[]): number | null;
-/**
- * Compute a tier distribution summary for a set of attestations.
+ * Security invariants:
+ * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)
+ * - The 16-byte authentication tag is always verified on decryption
+ * - Keys are 256 bits (32 bytes)
  */
-declare function tierDistribution(tiers: SovereigntyTier[]): Record<SovereigntyTier, number>;
+/** Encrypted payload structure stored on disk */
+interface EncryptedPayload {
+    /** Format version */
+    v: number;
+    /** Algorithm identifier */
+    alg: "aes-256-gcm";
+    /** Initialization vector (base64url) */
+    iv: string;
+    /** Ciphertext (base64url) */
+    ct: string;
+    /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */
+    /** Timestamp */
+    ts: string;
+}
 
 /**
- * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store
- *
- * Records interaction outcomes as signed attestations, queries aggregated
- * reputation data, and supports export/import for cross-platform portability.
+ * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore
  *
- * Attestation format is EAS-compatible (Ethereum Attestation Service) to
- * enable future on-chain anchoring without requiring blockchain for MVS.
+ * The encrypted state store is the foundation of Sanctuary.
+ * Every read and write goes through here. All data is encrypted
+ * with namespace-specific keys. All writes are signed by an identity.
+ * All reads verify integrity via Merkle proofs.
  *
  * Security invariants:
- * - All attestations are signed by the recording identity
- * - Attestations are stored encrypted under L1 sovereignty
- * - Reputation queries return aggregates, never raw interaction data
- * - Export bundles include all signatures for independent verification
- * - Import verifies every signature before accepting attestations
+ * - Plaintext never touches the filesystem
+ * - Every write gets a unique IV
+ * - Every write is signed (non-repudiation)
+ * - Monotonic version numbers prevent rollback
+ * - Merkle tree verifies namespace integrity
+ * - Secure deletion overwrites before unlinking
  */
 
-/** Interaction outcome for recording */
-interface InteractionOutcome {
-    type: "transaction" | "negotiation" | "service" | "dispute" | "custom";
-    result: "completed" | "partial" | "failed" | "disputed";
-    metrics?: Record<string, number>;
-}
-/** A signed attestation of an interaction */
-interface Attestation {
-    attestation_id: string;
-    schema: "sanctuary-interaction-v1";
-    data: {
-        interaction_id: string;
-        participant_did: string;
-        counterparty_did: string;
-        outcome_type: string;
-        outcome_result: string;
-        metrics: Record<string, number>;
-        context: string;
-        timestamp: string;
-        /** Sovereignty tier of the signer at time of recording */
-        sovereignty_tier?: SovereigntyTier;
-    };
-    signature: string;
-    signer: string;
-}
-/** Stored attestation (encrypted at rest) */
-interface StoredAttestation {
-    attestation: Attestation;
-    counterparty_attestation?: string;
-    counterparty_confirmed: boolean;
-    recorded_at: string;
-}
-/** Aggregated metric statistics */
-interface MetricAggregate {
-    mean: number;
-    median: number;
-    min: number;
-    max: number;
-    count: number;
-}
-/** Reputation query result */
-interface ReputationSummary {
-    total_interactions: number;
-    completed: number;
-    partial: number;
-    failed: number;
-    disputed: number;
-    contexts: string[];
-    time_range: {
-        start: string;
-        end: string;
-    };
-    aggregate_metrics: Record<string, MetricAggregate>;
-}
-/** Portable reputation bundle */
-interface ReputationBundle {
-    version: "SANCTUARY_REP_V1";
-    attestations: Attestation[];
-    exported_at: string;
-    exporter_did: string;
-    bundle_signature: string;
+/** Result of a state write operation */
+interface WriteResult {
+    key: string;
+    namespace: string;
+    version: number;
+    merkle_root: string;
+    written_at: string;
+    size_bytes: number;
+    integrity_hash: string;
 }
-/** Escrow for trust bootstrapping */
-interface Escrow {
-    escrow_id: string;
-    transaction_terms: string;
-    terms_hash: string;
-    collateral_amount?: number;
-    counterparty_did: string;
-    creator_did: string;
-    created_at: string;
-    expires_at: string;
-    status: "pending" | "active" | "released" | "disputed" | "expired";
+/** Result of a state read operation */
+interface ReadResult {
+    key: string;
+    namespace: string;
+    value: string;
+    version: number;
+    integrity_verified: boolean;
+    merkle_proof: string[];
+    written_at: string;
+    written_by: string;
 }
-/** Principal guarantee for a new agent */
-interface Guarantee {
-    guarantee_id: string;
-    principal_did: string;
-    agent_did: string;
-    scope: string;
-    max_liability?: number;
-    valid_until: string;
-    certificate: string;
-    created_at: string;
+/** Options for state write */
+interface WriteOptions {
+    content_type?: string;
+    ttl_seconds?: number;
+    tags?: string[];
 }
-declare class ReputationStore {
+declare class StateStore {
     private storage;
-    private encryptionKey;
+    private masterKey;
+    private versionCache;
+    private contentHashes;
+    private namespaceKeyCache;
+    private static readonly KEY_CACHE_TTL_MS;
+    private static readonly KEY_CACHE_MAX_ENTRIES;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Record an interaction outcome as a signed attestation.
+     * Get or derive a namespace encryption key, with caching.
+     * Cache entries expire after 15 minutes and are evicted LRU when
+     * the cache exceeds 128 entries.
      */
-    record(interactionId: string, counterpartyDid: string, outcome: InteractionOutcome, context: string, identity: StoredIdentity, identityEncryptionKey: Uint8Array, counterpartyAttestation?: string, sovereigntyTier?: SovereigntyTier): Promise<StoredAttestation>;
+    private getNamespaceKey;
+    /** Invalidate all cached namespace keys (call on master key rotation). */
+    invalidateKeyCache(): void;
+    private versionKey;
     /**
-     * Query reputation data with filtering.
-     * Returns aggregates only — not raw interaction data.
+     * Get or initialize the content hash map for a namespace.
      */
-    query(options: {
-        context?: string;
-        time_range?: {
-            start: string;
-            end: string;
-        };
-        metrics?: string[];
-        counterparty_did?: string;
-    }): Promise<ReputationSummary>;
+    private getNamespaceHashes;
     /**
-     * Export attestations as a portable reputation bundle.
+     * Write encrypted state.
+     *
+     * @param namespace - Logical grouping
+     * @param key - State key
+     * @param value - Plaintext value (will be encrypted)
+     * @param identityId - Identity performing the write
+     * @param encryptedPrivateKey - Identity's encrypted private key (for signing)
+     * @param identityEncryptionKey - Key to decrypt the identity's private key
+     * @param options - Optional metadata
      */
-    exportBundle(identity: StoredIdentity, identityEncryptionKey: Uint8Array, context?: string): Promise<ReputationBundle>;
+    write(namespace: string, key: string, value: string, identityId: string, encryptedPrivateKey: EncryptedPayload, identityEncryptionKey: Uint8Array, options?: WriteOptions): Promise<WriteResult>;
     /**
-     * Import attestations from a reputation bundle.
-     * Verifies signatures if requested (default: true).
+     * Read and decrypt state.
      *
-     * @param publicKeys - Map of DID → public key bytes for signature verification
+     * @param namespace - Logical grouping
+     * @param key - State key
+     * @param signerPublicKey - Expected signer's public key (for signature verification)
+     * @param verifyIntegrity - Whether to verify Merkle proof (default: true)
      */
-    importBundle(bundle: ReputationBundle, verifySignatures: boolean, publicKeys: Map<string, Uint8Array>): Promise<{
-        imported: number;
-        invalid: number;
-        contexts: string[];
-    }>;
+    read(namespace: string, key: string, signerPublicKey?: Uint8Array, verifyIntegrity?: boolean): Promise<ReadResult | null>;
     /**
-     * Create an escrow for trust bootstrapping.
+     * List keys in a namespace (metadata only — no decryption).
      */
-    createEscrow(transactionTerms: string, counterpartyDid: string, timeoutSeconds: number, creatorDid: string, collateralAmount?: number): Promise<Escrow>;
+    list(namespace: string, prefix?: string, tags?: string[], limit?: number, offset?: number): Promise<{
+        keys: Array<{
+            key: string;
+            version: number;
+            size_bytes: number;
+            written_at: string;
+            tags: string[];
+        }>;
+        total: number;
+        merkle_root: string;
+    }>;
     /**
-     * Get an escrow by ID.
+     * Securely delete state (overwrite with random bytes before removal).
      */
-    getEscrow(escrowId: string): Promise<Escrow | null>;
+    delete(namespace: string, key: string): Promise<{
+        deleted: boolean;
+        key: string;
+        namespace: string;
+        new_merkle_root: string;
+        deleted_at: string;
+    }>;
     /**
-     * Create a principal's guarantee for a new agent.
+     * Export all state for a namespace as an encrypted bundle.
      */
-    createGuarantee(principalIdentity: StoredIdentity, agentDid: string, scope: string, durationSeconds: number, identityEncryptionKey: Uint8Array, maxLiability?: number): Promise<Guarantee>;
+    export(namespace?: string): Promise<{
+        bundle: string;
+        namespaces: string[];
+        total_keys: number;
+        bundle_hash: string;
+        exported_at: string;
+    }>;
     /**
-     * Load attestations for tier-weighted scoring.
-     * Applies basic context/counterparty filtering, returns full StoredAttestations
-     * so callers can access sovereignty_tier from attestation data.
+     * Import a previously exported state bundle.
      */
-    loadAllForTierScoring(options?: {
-        context?: string;
-        counterparty_did?: string;
-    }): Promise<StoredAttestation[]>;
-    private loadAll;
+    import(bundleBase64: string, conflictResolution: "skip" | "overwrite" | "version" | undefined, publicKeyResolver: (kid: string) => Uint8Array | null): Promise<{
+        imported_keys: number;
+        skipped_keys: number;
+        skipped_invalid_sig: number;
+        skipped_unknown_kid: number;
+        conflicts: number;
+        namespaces: string[];
+        imported_at: string;
+    }>;
 }
 
 /**
- * Sanctuary MCP Server — Federation Types
- *
- * MCP-to-MCP federation enables two Sanctuary instances to:
- *   1. Discover each other's capabilities (SIM exchange)
- *   2. Establish mutual trust (sovereignty handshake)
- *   3. Exchange signed reputation attestations
- *   4. Evaluate trust for cross-instance interactions
+ * Sanctuary MCP Server — Ed25519 Identity Management
  *
- * Federation operates as a protocol layer atop the handshake:
- *   Handshake establishes trust → Federation uses that trust for ongoing operations.
+ * Sovereign identity based on Ed25519 keypairs.
+ * Private keys are always encrypted at rest — never stored in plaintext.
  *
- * Key constraint: Federation MUST respect each party's sovereignty.
- * Neither party can compel the other to share data they haven't disclosed
- * via their disclosure policy.
+ * Security invariants:
+ * - Private keys never appear in any MCP tool response
+ * - Private keys are encrypted with identity-specific keys derived from the master key
+ * - Key rotation produces a signed rotation event (verifiable chain)
  */
 
-/** A known federation peer */
-interface FederationPeer {
-    /** The peer's instance ID (from their SHR) */
-    peer_id: string;
-    /** The peer's DID (identity) */
-    peer_did: string;
-    /** When this peer was first seen */
-    first_seen: string;
-    /** When last handshake completed */
-    last_handshake: string;
-    /** Current trust tier from most recent handshake */
-    trust_tier: SovereigntyTier;
-    /** Handshake result (for tier resolution) */
-    handshake_result: HandshakeResult;
-    /** Peer's advertised capabilities (from their SIM) */
-    capabilities: FederationCapabilities;
-    /** Whether we have a valid (non-expired) handshake */
-    active: boolean;
+/** Public identity information (safe to share) */
+interface PublicIdentity {
+    identity_id: string;
+    label: string;
+    public_key: string;
+    did: string;
+    created_at: string;
+    key_type: "ed25519";
+    key_protection: "passphrase" | "hardware-key" | "recovery-key";
 }
-/** Capabilities a peer advertises for federation */
-interface FederationCapabilities {
-    /** Whether the peer supports reputation exchange */
-    reputation_exchange: boolean;
-    /** Whether the peer supports mutual attestation */
-    mutual_attestation: boolean;
-    /** Whether the peer supports encrypted channels */
-    encrypted_channel: boolean;
-    /** Supported attestation formats */
-    attestation_formats: string[];
+/** Stored identity (private key is encrypted) */
+interface StoredIdentity extends PublicIdentity {
+    encrypted_private_key: EncryptedPayload;
+    /** Previous public keys (for rotation chain verification) */
+    rotation_history: Array<{
+        old_public_key: string;
+        new_public_key: string;
+        rotation_event: string;
+        rotated_at: string;
+    }>;
 }
-/** Trust evaluation result for a federation peer */
-interface PeerTrustEvaluation {
-    peer_id: string;
-    /** Current sovereignty tier (from handshake) */
-    sovereignty_tier: SovereigntyTier;
-    /** Whether handshake is current (not expired) */
-    handshake_current: boolean;
-    /** Reputation summary (if available) */
-    reputation_score?: number;
-    /** How many mutual attestations we share */
-    mutual_attestation_count: number;
-    /** Overall trust assessment */
-    trust_level: "high" | "medium" | "low" | "none";
-    /** Reasoning for the assessment */
-    factors: string[];
-    /** Evaluated at */
-    evaluated_at: string;
+
+/**
+ * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions
+ *
+ * MCP tool wrappers for StateStore and IdentityRoot operations.
+ * These tools are the public API that agents interact with.
+ */
+
+/** Manages all identities — provides storage and retrieval */
+declare class IdentityManager {
+    private storage;
+    private masterKey;
+    private identities;
+    private primaryIdentityId;
+    private metadataKey;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
+    private get encryptionKey();
+    /** Load identities from storage on startup.
+     *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
+     *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
+     */
+    load(): Promise<{
+        total: number;
+        loaded: number;
+        failed: number;
+    }>;
+    /** Save an identity to storage */
+    save(identity: StoredIdentity): Promise<void>;
+    /** Set which identity is the default/primary identity */
+    setPrimary(identityId: string): Promise<boolean>;
+    /** Persist the primary identity ID to storage */
+    private savePrimaryIdentityId;
+    get(id: string): StoredIdentity | undefined;
+    getDefault(): StoredIdentity | undefined;
+    getPrimaryIdentityId(): string | null;
+    list(): PublicIdentity[];
+    /** List identities with rotation count (for dashboard display). */
+    listWithRotationCount(): Array<PublicIdentity & {
+        rotation_count: number;
+    }>;
 }
 
 /**
- * Sanctuary MCP Server — Federation Peer Registry
+ * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes
  *
- * Manages known federation peers. Peers are discovered through handshakes
- * and tracked for ongoing federation operations.
+ * Cryptographic commitments allow an agent to commit to a value
+ * without revealing it, then later prove what was committed.
  *
- * The registry is the source of truth for:
- * - Who we've federated with
- * - Current trust status of each peer
- * - Peer capabilities (what operations they support)
+ * This is the MVS approach to selective disclosure — simpler than
+ * full ZK proofs but still cryptographically sound. The commitment
+ * is SHA-256(value || blinding_factor), which is:
+ * - Hiding: the commitment reveals nothing about the value
+ * - Binding: the committer cannot change the value after committing
  *
  * Security invariants:
- * - Peers are ONLY added through completed handshakes (not self-registration)
- * - Trust tiers degrade automatically when handshakes expire
- * - Peer data is stored encrypted under L1 sovereignty
+ * - Blinding factors are cryptographically random (32 bytes)
+ * - Commitments are stored encrypted under L1 sovereignty
+ * - Revealed values are verified via constant-time comparison
+ */
+
+/** A cryptographic commitment */
+interface Commitment {
+    /** The commitment hash: SHA-256(value || blinding_factor) as base64url */
+    commitment: string;
+    /** The blinding factor (must be stored securely for later reveal) */
+    blinding_factor: string;
+    /** When the commitment was created */
+    committed_at: string;
+}
+/** Stored commitment metadata (encrypted at rest) */
+interface StoredCommitment {
+    commitment: string;
+    blinding_factor: string;
+    value: string;
+    committed_at: string;
+    revealed: boolean;
+    revealed_at?: string;
+}
+/**
+ * Commitment store — manages commitments encrypted under L1 sovereignty.
  */
-
-declare class FederationRegistry {
-    private peers;
-    /**
-     * Register or update a peer from a completed handshake.
-     * This is the ONLY way peers enter the registry.
-     */
-    registerFromHandshake(result: HandshakeResult, peerDid: string, capabilities?: Partial<FederationCapabilities>): FederationPeer;
-    /**
-     * Get a peer by instance ID.
-     * Automatically updates active status based on handshake expiry.
-     */
-    getPeer(peerId: string): FederationPeer | null;
-    /**
-     * List all known peers, optionally filtered by status.
-     */
-    listPeers(filter?: {
-        active_only?: boolean;
-    }): FederationPeer[];
+declare class CommitmentStore {
+    private storage;
+    private encryptionKey;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Evaluate trust for a federation peer.
-     *
-     * Trust assessment considers:
-     * - Handshake status (current vs expired)
-     * - Sovereignty tier (verified-sovereign vs degraded vs unverified)
-     * - Reputation data (if available)
-     * - Mutual attestation history
+     * Store a commitment (encrypted) for later reference.
      */
-    evaluateTrust(peerId: string, mutualAttestationCount?: number, reputationScore?: number): PeerTrustEvaluation;
+    store(commitment: Commitment, value: string): Promise<string>;
     /**
-     * Remove a peer from the registry.
+     * Retrieve a stored commitment by ID.
      */
-    removePeer(peerId: string): boolean;
+    get(id: string): Promise<StoredCommitment | null>;
     /**
-     * Get the handshake results map (for tier resolution integration).
+     * Mark a commitment as revealed.
      */
-    getHandshakeResults(): Map<string, HandshakeResult>;
+    markRevealed(id: string): Promise<void>;
 }
 
 /**
- * Sanctuary MCP Server — L2 Operational Isolation: Context Gating
+ * Sanctuary MCP Server — L3 Selective Disclosure: Zero-Knowledge Proofs
  *
- * Context gating controls what information leaves the sovereignty boundary
- * when an agent makes outbound calls — especially inference calls to remote
- * LLM providers. This is the "minimum-necessary context" enforcement layer.
+ * Upgrades the commitment-only L3 to support real zero-knowledge proofs.
+ * Uses Ristretto255 (prime-order curve group, no cofactor issues) for:
  *
- * The problem: When an agent sends a request to a remote LLM provider (Claude,
- * GPT, etc.), most harnesses send the agent's full context — conversation
- * history, memory, tool results, preferences, internal reasoning. The agent
- * has no control over what the provider sees.
+ *   1. Pedersen commitments: C = v*G + b*H (computationally hiding, perfectly binding)
+ *   2. ZK proof of knowledge: Schnorr sigma protocol via Fiat-Shamir
+ *   3. ZK range proofs: Prove value ∈ [min, max] without revealing it
  *
- * Context gating lets the agent define:
- * - Provider categories (inference, tool-api, logging, analytics, etc.)
- * - What fields/categories of context may flow to each provider type
- * - What must always be redacted (secrets, internal reasoning, PII, etc.)
- * - What requires transformation (hashing, summarizing, anonymizing)
+ * Ristretto255 is available via @noble/curves/ed25519, which we already depend on.
+ * This is genuine zero-knowledge — proofs reveal nothing beyond the stated property.
  *
- * This sits in L2 (Operational Isolation) because it controls information
- * flow at the execution boundary. L3 (Selective Disclosure) handles agent-
- * to-agent trust negotiation with cryptographic proofs; context gating
- * handles agent-to-infrastructure information flow.
+ * Architecture note:
+ * The existing commitment scheme (SHA-256 based) remains available for backward
+ * compatibility. The ZK proofs operate on a separate Pedersen commitment system
+ * that provides algebraic structure for proper ZK properties.
  *
  * Security invariants:
- * - Redact rules take absolute priority (like withhold in L3)
- * - Policies are stored encrypted under L1 sovereignty
- * - Every filter operation is audit-logged with a content hash
- *   (what was sent, what was redacted — without storing the content itself)
- * - Default policy: redact everything not explicitly allowed
+ * - Generator H is derived via hash-to-curve (nothing-up-my-sleeve)
+ * - Blinding factors are cryptographically random (32 bytes)
+ * - Fiat-Shamir challenges use domain-separated hashing
+ * - Range proofs use a bit-decomposition approach (sound but logarithmic size)
  */
-
-/** Provider categories that context may flow to */
-type ProviderCategory = "inference" | "tool-api" | "logging" | "analytics" | "peer-agent" | "custom";
-/** Actions that can be taken on a context field */
-type ContextAction = "allow" | "redact" | "hash" | "summarize" | "deny";
-/** A rule within a context-gating policy */
-interface ContextGateRule {
-    /** Provider category this rule applies to */
-    provider: ProviderCategory | "*";
-    /** Fields/patterns that may pass through */
-    allow: string[];
-    /** Fields/patterns that must be redacted (highest priority) */
-    redact: string[];
-    /** Fields/patterns that should be hashed */
-    hash: string[];
-    /** Fields/patterns that should be summarized (advisory) */
-    summarize: string[];
-}
-/** A complete context-gating policy */
-interface ContextGatePolicy {
-    policy_id: string;
-    policy_name: string;
-    rules: ContextGateRule[];
-    /** Default action when no rule matches a field */
-    default_action: "redact" | "deny";
-    /** Identity this policy is bound to (optional) */
-    identity_id?: string;
-    created_at: string;
-    updated_at: string;
+/** A Pedersen commitment: C = v*G + b*H */
+interface PedersenCommitment {
+    /** The commitment point (encoded as base64url) */
+    commitment: string;
+    /** The blinding factor b (base64url, 32 bytes) — keep secret */
+    blinding_factor: string;
+    /** When the commitment was created */
+    committed_at: string;
 }
-/** Result of filtering a single field */
-interface FieldFilterResult {
-    field: string;
-    action: ContextAction;
-    reason: string;
-    /** If action is "hash", contains the hash */
-    hash_value?: string;
+/** A non-interactive ZK proof of knowledge of a commitment's opening */
+interface ZKProofOfKnowledge {
+    /** Proof type identifier */
+    type: "schnorr-pedersen-ristretto255";
+    /** The commitment this proof is for */
+    commitment: string;
+    /** Announcement point R (base64url) */
+    announcement: string;
+    /** Response scalar s_v (base64url) */
+    response_v: string;
+    /** Response scalar s_b (base64url) */
+    response_b: string;
+    /** Proof generated at */
+    generated_at: string;
 }
-/** Result of a full context filter operation */
-interface ContextFilterResult {
-    policy_id: string;
-    provider: ProviderCategory | string;
-    fields_allowed: number;
-    fields_redacted: number;
-    fields_hashed: number;
-    fields_summarized: number;
-    fields_denied: number;
-    decisions: FieldFilterResult[];
-    /** SHA-256 hash of the original context (for audit trail) */
-    original_context_hash: string;
-    /** SHA-256 hash of the filtered output (for audit trail) */
-    filtered_context_hash: string;
-    filtered_at: string;
+/** A ZK range proof: proves value ∈ [min, max] */
+interface ZKRangeProof {
+    /** Proof type identifier */
+    type: "range-pedersen-ristretto255";
+    /** The commitment this proof is for */
+    commitment: string;
+    /** Minimum value (inclusive) */
+    min: number;
+    /** Maximum value (inclusive) */
+    max: number;
+    /** Bit commitments for the shifted value (v - min) */
+    bit_commitments: string[];
+    /** Proofs that each bit commitment is 0 or 1 */
+    bit_proofs: Array<{
+        announcement_0: string;
+        announcement_1: string;
+        challenge_0: string;
+        challenge_1: string;
+        response_0: string;
+        response_1: string;
+    }>;
+    /** Sum proof: bit commitments sum to the value commitment */
+    sum_proof: {
+        announcement: string;
+        response: string;
+    };
+    /** Proof generated at */
+    generated_at: string;
 }
 /**
- * Evaluate a context field against a policy for a given provider.
+ * Create a Pedersen commitment to a numeric value.
  *
- * Priority order (same as L3 disclosure):
- * 1. Redact (blocks — highest priority)
- * 2. Deny (blocks entire request)
- * 3. Hash (transforms)
- * 4. Summarize (advisory transform)
- * 5. Allow (passes through)
- * 6. Default action
+ * C = v*G + b*H
+ *
+ * Properties:
+ * - Computationally hiding (under discrete log assumption)
+ * - Perfectly binding (information-theoretic)
+ * - Homomorphic: C(v1) + C(v2) = C(v1+v2) with adjusted blinding
+ *
+ * @param value - The value to commit to (integer)
+ * @returns The commitment and blinding factor
  */
-declare function evaluateField(policy: ContextGatePolicy, provider: ProviderCategory | string, field: string): FieldFilterResult;
+declare function createPedersenCommitment(value: number): PedersenCommitment;
+/**
+ * Verify a Pedersen commitment against a revealed value and blinding factor.
+ *
+ * Recomputes C' = v*G + b*H and checks C' == C.
+ */
+declare function verifyPedersenCommitment(commitment: string, value: number, blindingFactor: string): boolean;
+/**
+ * Create a non-interactive ZK proof that you know the opening (v, b)
+ * of a Pedersen commitment C = v*G + b*H.
+ *
+ * Schnorr sigma protocol with Fiat-Shamir transform:
+ *   1. Pick random r_v, r_b
+ *   2. Compute R = r_v*G + r_b*H (announcement)
+ *   3. Compute e = H_FS(C || R) (challenge via Fiat-Shamir)
+ *   4. Compute s_v = r_v + e*v, s_b = r_b + e*b (responses)
+ *   5. Proof = (R, s_v, s_b)
+ *
+ * Zero-knowledge: the transcript (R, e, s_v, s_b) can be simulated
+ * without knowing (v, b), so it reveals nothing.
+ *
+ * @param value - The committed value
+ * @param blindingFactor - The blinding factor (base64url)
+ * @param commitment - The commitment (base64url)
+ */
+declare function createProofOfKnowledge(value: number, blindingFactor: string, commitment: string): ZKProofOfKnowledge;
+/**
+ * Verify a ZK proof of knowledge of a commitment's opening.
+ *
+ * Check: s_v*G + s_b*H == R + e*C
+ */
+declare function verifyProofOfKnowledge(proof: ZKProofOfKnowledge): boolean;
+/**
+ * Create a ZK range proof: prove value ∈ [min, max] without revealing value.
+ *
+ * Approach: bit-decomposition of (value - min) into n bits where 2^n > max - min.
+ * Each bit gets a Pedersen commitment and a proof it's 0 or 1.
+ * A sum proof shows the bit commitments reconstruct the original commitment
+ * (shifted by min).
+ *
+ * @param value - The committed value
+ * @param blindingFactor - The blinding factor (base64url)
+ * @param commitment - The commitment (base64url)
+ * @param min - Minimum value (inclusive)
+ * @param max - Maximum value (inclusive)
+ */
+declare function createRangeProof(value: number, blindingFactor: string, commitment: string, min: number, max: number): ZKRangeProof | {
+    error: string;
+};
+/**
+ * Verify a ZK range proof.
+ */
+declare function verifyRangeProof(proof: ZKRangeProof): boolean;
+
 /**
- * Filter a full context object against a policy for a given provider.
- * Returns per-field decisions and content hashes for the audit trail.
+ * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies
+ *
+ * Disclosure policies define what an agent will and will not disclose
+ * in different interaction contexts. Policies are evaluated against
+ * incoming disclosure requests to produce per-field decisions.
+ *
+ * This is the agent's "privacy preferences" layer — it codifies the
+ * human principal's intent about what information can flow where.
+ *
+ * Security invariants:
+ * - Policies are stored encrypted under L1 sovereignty
+ * - Default action is always "withhold" unless explicitly overridden
+ * - Policy evaluation is deterministic (same request → same decision)
  */
-declare function filterContext(policy: ContextGatePolicy, provider: ProviderCategory | string, context: Record<string, unknown>): ContextFilterResult;
+
+/** A single disclosure rule within a policy */
+interface DisclosureRule {
+    /** Interaction context this rule applies to */
+    context: string;
+    /** Fields/claims the agent MAY disclose */
+    disclose: string[];
+    /** Fields/claims the agent MUST NOT disclose */
+    withhold: string[];
+    /** Fields that require proof rather than plain disclosure */
+    proof_required: string[];
+}
+/** A complete disclosure policy */
+interface DisclosurePolicy {
+    policy_id: string;
+    policy_name: string;
+    rules: DisclosureRule[];
+    default_action: "withhold" | "ask-principal";
+    identity_id?: string;
+    created_at: string;
+    updated_at: string;
+}
 /**
- * Context gate policy store — encrypted under L1 sovereignty.
+ * Policy store — manages disclosure policies encrypted under L1 sovereignty.
  */
-declare class ContextGatePolicyStore {
+declare class PolicyStore {
     private storage;
     private encryptionKey;
     private policies;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Create and store a new context-gating policy.
+     * Create and store a new disclosure policy.
      */
-    create(policyName: string, rules: ContextGateRule[], defaultAction: "redact" | "deny", identityId?: string): Promise<ContextGatePolicy>;
+    create(policyName: string, rules: DisclosureRule[], defaultAction: "withhold" | "ask-principal", identityId?: string): Promise<DisclosurePolicy>;
     /**
      * Get a policy by ID.
      */
-    get(policyId: string): Promise<ContextGatePolicy | null>;
+    get(policyId: string): Promise<DisclosurePolicy | null>;
     /**
-     * List all context-gating policies.
+     * List all policies.
      */
-    list(): Promise<ContextGatePolicy[]>;
+    list(): Promise<DisclosurePolicy[]>;
     /**
      * Load all persisted policies into memory.
      */
@@ -1272,736 +1202,907 @@ declare class ContextGatePolicyStore {
 }
 
 /**
- * Sanctuary MCP Server — L2 Context Gating: Starter Policy Templates
- *
- * Pre-built policies for common use cases. These are starting points —
- * users should customize them for their specific context structure.
- *
- * Templates:
- *
- *   inference-minimal
- *     Only the current task and query reach the LLM. Everything else
- *     is redacted. Secrets, PII, memory, reasoning, and history are
- *     all blocked. IDs are hashed. Maximum privacy, minimum context.
- *
- *   inference-standard
- *     Task, query, and tool results pass through. Conversation history
- *     is flagged for summarization (compress before sending). Secrets,
- *     PII, and internal reasoning are redacted. IDs are hashed.
- *     Balanced: the LLM has enough context to be useful without seeing
- *     everything the agent knows.
+ * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types
  *
- *   logging-strict
- *     Redacts everything for logging/analytics providers. Only
- *     operation names and timestamps pass through. Use this for
- *     telemetry services where you want usage metrics without
- *     content exposure.
+ * Machine-readable, signed, versioned sovereignty capability advertisement.
+ * An agent presents its SHR to counterparties to prove its sovereignty posture.
+ * The SHR is signed by one of the instance's Ed25519 identities and can be
+ * independently verified by any party without trusting the presenter.
  *
- *   tool-api-scoped
- *     Allows tool-specific parameters and the current task, redacts
- *     memory, history, secrets, and PII. Hashes IDs. For outbound
- *     calls to external APIs (search, database, etc.) where you need
- *     to send query parameters but not your agent's full state.
+ * SHR version: 1.0
  */
-
-/** A template definition ready to be applied via the policy store */
-interface ContextGateTemplate {
-    /** Machine-readable template ID */
-    id: string;
-    /** Human-readable name */
-    name: string;
-    /** One-line description */
+type LayerStatus = "active" | "degraded" | "inactive";
+type DegradationSeverity = "info" | "warning" | "critical";
+type DegradationCode = "NO_TEE" | "PROCESS_ISOLATION_ONLY" | "COMMITMENT_ONLY" | "NO_ZK_PROOFS" | "SELF_REPORTED_ATTESTATION" | "NO_SELECTIVE_DISCLOSURE" | "BASIC_SYBIL_ONLY" | "NO_REPUTATION_HISTORY" | "LOW_TIER_DOMINANCE" | "STALE_REPUTATION" | "DISPUTE_ON_RECORD" | "NO_VERASCORE_LINK";
+interface SHRLayerL1 {
+    status: LayerStatus;
+    encryption: string;
+    key_custody: "self" | "delegated" | "platform";
+    integrity: string;
+    identity_type: string;
+    state_portable: boolean;
+}
+interface SHRLayerL2 {
+    status: LayerStatus;
+    isolation_type: string;
+    attestation_available: boolean;
+    /** Model provenance: what inference model(s) power this agent */
+    model_provenance?: {
+        model_id: string;
+        model_name: string;
+        provider: string;
+        open_weights: boolean;
+        open_source: boolean;
+        local_inference: boolean;
+        weights_hash?: string;
+    };
+}
+interface SHRLayerL3 {
+    status: LayerStatus;
+    proof_system: string;
+    selective_disclosure: boolean;
+}
+interface SHRLayerL4 {
+    status: LayerStatus;
+    reputation_mode: string;
+    attestation_format: string;
+    reputation_portable: boolean;
+}
+interface SHRDegradation {
+    layer: "l1" | "l2" | "l3" | "l4";
+    code: DegradationCode;
+    severity: DegradationSeverity;
     description: string;
-    /** When to use this template */
-    use_when: string;
-    /** The rules that make up this template */
-    rules: ContextGateRule[];
-    /** Default action for unmatched fields */
-    default_action: "redact" | "deny";
+    mitigation?: string;
+}
+interface SHRCapabilities {
+    handshake: boolean;
+    shr_exchange: boolean;
+    reputation_verify: boolean;
+    encrypted_channel: boolean;
 }
-/** All available templates, keyed by ID */
-declare const TEMPLATES: Record<string, ContextGateTemplate>;
-/** List all available template IDs */
-declare function listTemplateIds(): string[];
-/** Get a template by ID (returns undefined if not found) */
-declare function getTemplate(id: string): ContextGateTemplate | undefined;
-
 /**
- * Sanctuary MCP Server — L2 Context Gating: Policy Recommendation Engine
- *
- * Analyzes a sample context object and recommends a context-gating policy
- * based on field name heuristics. The agent (or human) can then review,
- * adjust, and apply the recommendation.
- *
- * This is deliberately conservative: when in doubt, it recommends redact.
- * A false redaction is a usability issue; a false allow is a privacy leak.
- *
- * Classification heuristics:
- * - Known secret patterns → redact (highest confidence)
- * - Known PII patterns → redact (high confidence)
- * - Known internal state patterns → redact (high confidence)
- * - Known ID patterns → hash (medium confidence)
- * - Known history patterns → summarize (medium confidence)
- * - Known task/query patterns → allow (medium confidence)
- * - Everything else → redact (conservative default)
- *
- * WARNING: Fields like 'tool_results' and 'tool_output' are classified as
- * "allow" (medium confidence) but may contain sensitive data from external
- * API responses, including auth tokens, user data, or PII. Always review
- * recommendations before applying — the heuristic classifies by field NAME,
- * not field CONTENT.
+ * The SHR body — the content that gets signed.
+ * Canonical form: JSON with sorted keys, no whitespace.
  */
-/** Classification result for a single field */
-interface FieldClassification {
-    field: string;
-    recommended_action: "allow" | "redact" | "hash" | "summarize";
-    reason: string;
-    confidence: "high" | "medium" | "low";
-    /** Pattern that matched, if any */
-    matched_pattern: string | null;
-}
-/** Full recommendation result */
-interface PolicyRecommendation {
-    provider: string;
-    classifications: FieldClassification[];
-    recommended_rules: {
-        allow: string[];
-        redact: string[];
-        hash: string[];
-        summarize: string[];
+interface SHRBody {
+    shr_version: "1.0";
+    implementation: {
+        sanctuary_version: string;
+        node_version: string;
+        generated_by: string;
     };
-    default_action: "redact";
-    summary: {
-        total_fields: number;
-        allow: number;
-        redact: number;
-        hash: number;
-        summarize: number;
+    instance_id: string;
+    generated_at: string;
+    expires_at: string;
+    layers: {
+        l1: SHRLayerL1;
+        l2: SHRLayerL2;
+        l3: SHRLayerL3;
+        l4: SHRLayerL4;
     };
+    capabilities: SHRCapabilities;
+    degradations: SHRDegradation[];
+}
+/**
+ * The complete signed SHR — body + signature envelope.
+ */
+interface SignedSHR {
+    body: SHRBody;
+    signed_by: string;
+    signature: string;
+}
+interface SHRVerificationResult {
+    valid: boolean;
+    errors: string[];
     warnings: string[];
+    sovereignty_level: "full" | "degraded" | "minimal";
+    counterparty_id: string;
+    expires_at: string;
+}
+
+/**
+ * Sanctuary MCP Server — Sovereignty Handshake Types
+ *
+ * The sovereignty handshake is a mutual verification protocol between
+ * two Sanctuary instances. Each party presents its SHR and proves
+ * liveness via nonce challenge-response.
+ *
+ * Protocol:
+ *   A → B: HandshakeChallenge (A's SHR + nonce)
+ *   B → A: HandshakeResponse (B's SHR + B's nonce + signature over A's nonce)
+ *   A → B: HandshakeCompletion (signature over B's nonce)
+ *   Result: Both hold a HandshakeResult with verified counterparty status
+ */
+
+/** Trust tier derived from sovereignty handshake */
+type TrustTier = "verified-sovereign" | "verified-degraded" | "unverified";
+/** Sovereignty level from SHR assessment */
+type SovereigntyLevel = "full" | "degraded" | "minimal" | "unverified";
+/**
+ * Step 1: Initiator sends challenge
+ */
+interface HandshakeChallenge {
+    protocol_version: "1.0";
+    shr: SignedSHR;
+    nonce: string;
+    initiated_at: string;
 }
 /**
- * Classify a single field name and return a recommendation.
+ * Step 2: Responder sends response
  */
-declare function classifyField(fieldName: string): FieldClassification;
+interface HandshakeResponse {
+    protocol_version: "1.0";
+    shr: SignedSHR;
+    responder_nonce: string;
+    initiator_nonce_signature: string;
+    responded_at: string;
+}
 /**
- * Analyze a full context object and recommend a policy.
+ * Step 3: Initiator sends completion
  */
-declare function recommendPolicy(context: Record<string, unknown>, provider?: string): PolicyRecommendation;
+interface HandshakeCompletion {
+    protocol_version: "1.0";
+    responder_nonce_signature: string;
+    completed_at: string;
+}
+/**
+ * Final result: both parties hold this after a successful handshake
+ */
+interface HandshakeResult {
+    counterparty_id: string;
+    counterparty_shr: SignedSHR;
+    verified: boolean;
+    sovereignty_level: SovereigntyLevel;
+    trust_tier: TrustTier;
+    completed_at: string;
+    expires_at: string;
+    errors: string[];
+}
+/**
+ * In-progress handshake state (stored on initiator side)
+ */
+interface HandshakeSession {
+    session_id: string;
+    role: "initiator" | "responder";
+    state: "initiated" | "responded" | "completed" | "failed";
+    our_nonce: string;
+    their_nonce?: string;
+    our_shr: SignedSHR;
+    their_shr?: SignedSHR;
+    initiated_at: string;
+    result?: HandshakeResult;
+}
 
 /**
- * Sanctuary MCP Server — L2 Model Provenance
- *
- * Declares and attests to the model(s) powering this agent.
+ * Sanctuary MCP Server — Sovereignty-Gated Reputation Tiers
  *
- * Vitalik Buterin's "Secure LLM" post (April 2026) identified a critical gap:
- * open-weights-but-not-open-source models can have trained-in backdoors. Model
- * provenance declaration lets agents and their operators verify the integrity
- * of the inference backbone.
+ * Attestations carry a sovereignty_tier field reflecting the signer's
+ * sovereignty posture at the time of recording. When querying or evaluating
+ * reputation, attestations from verified-sovereign agents carry more weight
+ * than those from unverified agents.
  *
- * Tracks: model name, version, weights hash, license, open-source status,
- * training data hash (if available). Included in SHR L2 section.
+ * Tier hierarchy (descending credibility):
+ *   1. "verified-sovereign"  — signer completed a handshake with full sovereignty
+ *   2. "verified-degraded"   — signer completed a handshake with degraded sovereignty
+ *   3. "self-attested"       — signer has a Sanctuary identity but no handshake verification
+ *   4. "unverified"          — no Sanctuary identity or sovereignty proof
  *
- * This sits in L2 (Operational Isolation) because it's part of the runtime
- * attestation surface — the agent declares what model(s) it's actually running.
+ * Weight multipliers are applied during reputation scoring. They are NOT
+ * gatekeeping — unverified attestations still count, just less.
  */
+
+type SovereigntyTier = "verified-sovereign" | "verified-degraded" | "self-attested" | "unverified";
+/** Weight multipliers for each tier */
+declare const TIER_WEIGHTS: Record<SovereigntyTier, number>;
+/** Tier metadata embedded in attestations */
+interface TierMetadata {
+    sovereignty_tier: SovereigntyTier;
+    /** If verified, the handshake that established it */
+    handshake_completed_at?: string;
+    /** Counterparty ID from handshake (if applicable) */
+    verified_by?: string;
+}
 /**
- * Metadata about a single model powering this agent.
+ * Resolve the sovereignty tier for a counterparty based on handshake history.
+ *
+ * @param counterpartyId - The counterparty's instance ID
+ * @param handshakeResults - Map of counterparty ID → most recent handshake result
+ * @param hasSanctuaryIdentity - Whether the counterparty has a known Sanctuary identity
+ * @returns TierMetadata for embedding in attestations
  */
-interface ModelProvenance {
-    /** Machine-readable model ID (e.g., "qwen3.5-35b", "claude-opus-4", "llama-3.3-70b-instruct") */
-    model_id: string;
-    /** Human-readable model name (e.g., "Qwen 3.5", "Claude Opus 4", "Llama 3.3 70B Instruct") */
-    model_name: string;
-    /** Semantic version (e.g., "3.5", "4.0", "3.3") */
-    model_version: string;
-    /** Provider/vendor (e.g., "Alibaba Cloud", "Anthropic", "Meta", "local") */
-    provider: string;
-    /** SHA-256 of model weights file, if available and verifiable */
-    weights_hash?: string;
-    /** SHA-256 of training data manifest or metadata, if available */
-    training_data_hash?: string;
-    /** License identifier (e.g., "Apache-2.0", "CC-BY-4.0", "proprietary", "unknown") */
-    license: string;
-    /** True if model weights are publicly available (even if training is proprietary) */
-    open_weights: boolean;
-    /** True if full training code, data, and methodology are publicly available */
-    open_source: boolean;
-    /** True if inference runs on the local agent's hardware (not delegated to cloud API) */
-    local_inference: boolean;
-    /** ISO 8601 timestamp when this provenance was declared */
-    declared_at: string;
+declare function resolveTier(counterpartyId: string, handshakeResults: Map<string, HandshakeResult>, hasSanctuaryIdentity: boolean): TierMetadata;
+/** An attestation with its tier for weighted scoring */
+interface TieredAttestation {
+    /** The raw metric value */
+    value: number;
+    /** The sovereignty tier of the attestation signer */
+    tier: SovereigntyTier;
 }
 /**
- * In-memory and persistent store for model provenance declarations.
- * Declarations are encrypted under L1 sovereignty.
+ * Compute a weighted reputation score from tiered attestations.
+ *
+ * Each attestation's contribution is multiplied by its tier weight.
+ * The result is normalized by total weight (not count), so adding
+ * low-tier attestations doesn't dilute high-tier ones.
+ *
+ * @param attestations - Array of value + tier pairs
+ * @returns Weighted score, or null if no attestations
  */
-interface ModelProvenanceStore {
-    /**
-     * Declare a model's provenance and add it to the store.
-     */
-    declare(provenance: ModelProvenance): void;
-    /**
-     * Retrieve a model's provenance by ID.
-     */
-    get(model_id: string): ModelProvenance | undefined;
-    /**
-     * List all declared models.
-     */
-    list(): ModelProvenance[];
-    /**
-     * Get the primary/main model (the one the agent uses by default for inference).
-     */
-    primary(): ModelProvenance | undefined;
-    /**
-     * Set which model is the primary.
-     */
-    setPrimary(model_id: string): void;
-}
+declare function computeWeightedScore(attestations: TieredAttestation[]): number | null;
 /**
- * In-memory implementation of ModelProvenanceStore.
- * Suitable for most use cases. For encrypted persistence, integrate with L1 state store.
+ * Compute a tier distribution summary for a set of attestations.
  */
-declare class InMemoryModelProvenanceStore implements ModelProvenanceStore {
-    private models;
-    private primaryModelId;
-    declare(provenance: ModelProvenance): void;
-    get(model_id: string): ModelProvenance | undefined;
-    list(): ModelProvenance[];
-    primary(): ModelProvenance | undefined;
-    setPrimary(model_id: string): void;
-}
+declare function tierDistribution(tiers: SovereigntyTier[]): Record<SovereigntyTier, number>;
+
 /**
- * Common model provenance presets for quick initialization.
+ * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store
+ *
+ * Records interaction outcomes as signed attestations, queries aggregated
+ * reputation data, and supports export/import for cross-platform portability.
+ *
+ * Attestation format is EAS-compatible (Ethereum Attestation Service) to
+ * enable future on-chain anchoring without requiring blockchain for MVS.
+ *
+ * Security invariants:
+ * - All attestations are signed by the recording identity
+ * - Attestations are stored encrypted under L1 sovereignty
+ * - Reputation queries return aggregates, never raw interaction data
+ * - Export bundles include all signatures for independent verification
+ * - Import verifies every signature before accepting attestations
  */
-declare const MODEL_PRESETS: {
-    /**
-     * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
-     */
-    claudeOpus4: () => ModelProvenance;
-    /**
-     * Qwen 3.5 via local inference (open weights, proprietary training)
-     */
-    qwen35Local: () => ModelProvenance;
-    /**
-     * Llama 3.3 70B via local inference (open weights and code)
-     */
-    llama33Local: () => ModelProvenance;
-    /**
-     * Mistral 7B (open weights, open code, local inference)
-     */
-    mistral7bLocal: () => ModelProvenance;
-};
 
+/** Interaction outcome for recording */
+interface InteractionOutcome {
+    type: "transaction" | "negotiation" | "service" | "dispute" | "custom";
+    result: "completed" | "partial" | "failed" | "disputed";
+    metrics?: Record<string, number>;
+}
+/** A signed attestation of an interaction */
+interface Attestation {
+    attestation_id: string;
+    schema: "sanctuary-interaction-v1";
+    data: {
+        interaction_id: string;
+        participant_did: string;
+        counterparty_did: string;
+        outcome_type: string;
+        outcome_result: string;
+        metrics: Record<string, number>;
+        context: string;
+        timestamp: string;
+        /** Sovereignty tier of the signer at time of recording */
+        sovereignty_tier?: SovereigntyTier;
+    };
+    signature: string;
+    signer: string;
+}
+/** Stored attestation (encrypted at rest) */
+interface StoredAttestation {
+    attestation: Attestation;
+    counterparty_attestation?: string;
+    counterparty_confirmed: boolean;
+    recorded_at: string;
+}
+/** Aggregated metric statistics */
+interface MetricAggregate {
+    mean: number;
+    median: number;
+    min: number;
+    max: number;
+    count: number;
+}
+/** Reputation query result */
+interface ReputationSummary {
+    total_interactions: number;
+    completed: number;
+    partial: number;
+    failed: number;
+    disputed: number;
+    contexts: string[];
+    time_range: {
+        start: string;
+        end: string;
+    };
+    aggregate_metrics: Record<string, MetricAggregate>;
+}
 /**
- * Sanctuary MCP Server — Prompt Injection Detection Layer
- *
- * Fast, zero-dependency detection of common prompt injection patterns.
- * Scans tool arguments for role override, security bypass, encoding evasion,
- * data exfiltration, and prompt stuffing signals.
- *
- * SEC-034/SEC-035: Enhanced with Unicode sanitization pre-pass, decoded content
- * re-scanning, token budget analysis, and outbound content scanning.
- *
- * Security invariants:
- * - Always returns a result, never throws
- * - Typical scan completes in < 5ms
- * - False positives minimized via field-aware scanning
- * - Recursive scanning of nested objects/arrays
- * - Outbound scanning catches secret leaks and injection artifact survival
+ * L4 attestation evidence summary for the SHR degradation emitter and the
+ * dashboard evidence widget. Derived from the stored attestations; does not
+ * include Verascore-link state (tracked separately via audit log).
  */
-interface InjectionDetectorConfig {
-    enabled: boolean;
-    sensitivity: "low" | "medium" | "high";
-    on_detection: "escalate" | "block" | "log";
-    custom_patterns?: string[];
+interface L4AttestationSummary {
+    /** Total number of attestations covered by the summary */
+    attestation_count: number;
+    /** Count of attestations at each sovereignty tier */
+    tier_distribution: Record<SovereigntyTier, number>;
+    /** ISO timestamp of the most recent attestation, or null if none */
+    most_recent_attestation_at: string | null;
+    /** Count of attestations with outcome_result === "disputed" */
+    dispute_count: number;
+    /** Count of attestations per context label */
+    context_breakdown: Record<string, number>;
 }
-interface InjectionSignal {
-    type: string;
-    pattern: string;
-    location: string;
-    severity: "low" | "medium" | "high";
+/** Portable reputation bundle */
+interface ReputationBundle {
+    version: "SANCTUARY_REP_V1";
+    attestations: Attestation[];
+    exported_at: string;
+    exporter_did: string;
+    bundle_signature: string;
 }
-interface DetectionResult {
-    flagged: boolean;
-    confidence: number;
-    signals: InjectionSignal[];
-    recommendation: "allow" | "escalate" | "block";
+/** Escrow for trust bootstrapping */
+interface Escrow {
+    escrow_id: string;
+    transaction_terms: string;
+    terms_hash: string;
+    collateral_amount?: number;
+    counterparty_did: string;
+    creator_did: string;
+    created_at: string;
+    expires_at: string;
+    status: "pending" | "active" | "released" | "disputed" | "expired";
 }
-declare class InjectionDetector {
-    private config;
-    private stats;
-    constructor(config?: Partial<InjectionDetectorConfig>);
-    /**
-     * Scan tool arguments for injection signals.
-     * @param toolName Full tool name (e.g., "state_read")
-     * @param args Tool arguments
-     * @returns DetectionResult with all detected signals
-     */
-    scan(toolName: string, args: Record<string, unknown>): DetectionResult;
-    /**
-     * SEC-035: Scan outbound content for secret leaks, data exfiltration,
-     * internal path exposure, and injection artifact survival.
-     *
-     * @param content The outbound content string to scan
-     * @returns DetectionResult with outbound-specific signal types
-     */
-    scanOutbound(content: string): DetectionResult;
-    /**
-     * Recursively scan a value and all nested values.
-     */
-    private scanValue;
+/** Principal guarantee for a new agent */
+interface Guarantee {
+    guarantee_id: string;
+    principal_did: string;
+    agent_did: string;
+    scope: string;
+    max_liability?: number;
+    valid_until: string;
+    certificate: string;
+    created_at: string;
+}
+declare class ReputationStore {
+    private storage;
+    private encryptionKey;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Scan a single string for injection signals.
+     * Record an interaction outcome as a signed attestation.
      */
-    private scanString;
+    record(interactionId: string, counterpartyDid: string, outcome: InteractionOutcome, context: string, identity: StoredIdentity, identityEncryptionKey: Uint8Array, counterpartyAttestation?: string, sovereigntyTier?: SovereigntyTier): Promise<StoredAttestation>;
     /**
-     * Count invisible Unicode characters in a string.
-     * Includes zero-width chars, soft hyphens, directional marks,
-     * variation selectors, and other invisible categories.
+     * Query reputation data with filtering.
+     * Returns aggregates only — not raw interaction data.
      */
-    private countInvisibleChars;
+    query(options: {
+        context?: string;
+        time_range?: {
+            start: string;
+            end: string;
+        };
+        metrics?: string[];
+        counterparty_did?: string;
+    }): Promise<ReputationSummary>;
     /**
-     * Strip invisible characters from a string for clean pattern matching.
-     * Returns a new string with all invisible chars removed.
+     * Export attestations as a portable reputation bundle.
      */
-    private stripInvisibleChars;
+    exportBundle(identity: StoredIdentity, identityEncryptionKey: Uint8Array, context?: string): Promise<ReputationBundle>;
     /**
-     * SEC-034: Token budget attack detection.
-     * Some Unicode sequences expand dramatically during tokenization (e.g., CJK
-     * ideographs, combining characters, emoji sequences). If the estimated token
-     * cost per character is anomalously high, this may be a wallet-drain payload.
+     * Import attestations from a reputation bundle.
+     * Verifies signatures if requested (default: true).
      *
-     * Heuristic: count chars that typically tokenize into multiple tokens.
-     * If the ratio of estimated tokens to char count exceeds 3x, flag it.
-     */
-    private detectTokenBudgetAttack;
-    /**
-     * Detect encoded content (base64, hex, HTML entities, URL encoding),
-     * decode it, and re-scan the decoded content through injection patterns.
-     * If the decoded content contains injection patterns, flag as encoding_evasion.
-     */
-    private detectEncodedPayloads;
-    /**
-     * Check if a string contains any injection patterns (role override or security bypass).
-     */
-    private containsInjectionPatterns;
-    /**
-     * Safely decode a base64 string. Returns null if it's not valid base64
-     * or doesn't decode to a meaningful string.
-     */
-    private safeBase64Decode;
-    /**
-     * Safely decode a hex string. Returns null on failure.
-     */
-    private safeHexDecode;
-    /**
-     * Decode HTML numeric entities (&#xHH; and &#DDD;) in a string.
-     */
-    private decodeHtmlEntities;
-    /**
-     * Safely decode a URL-encoded string. Returns null on failure.
-     */
-    private safeUrlDecode;
-    /**
-     * Heuristic: does this look like readable text (vs. binary garbage)?
-     * Checks that most characters are printable ASCII or common Unicode.
-     */
-    private looksLikeText;
-    /**
-     * Detect API keys and secrets in outbound content.
-     */
-    private detectSecretPatterns;
-    /**
-     * Detect data exfiltration via markdown images with data-carrying query params.
-     */
-    private detectOutboundExfiltration;
-    /**
-     * Detect internal filesystem path leaks in outbound content.
-     */
-    private detectInternalPathLeaks;
-    /**
-     * Detect private IP addresses and localhost references in outbound content.
+     * @param publicKeys - Map of DID → public key bytes for signature verification
      */
-    private detectPrivateNetworkLeaks;
+    importBundle(bundle: ReputationBundle, verifySignatures: boolean, publicKeys: Map<string, Uint8Array>): Promise<{
+        imported: number;
+        invalid: number;
+        contexts: string[];
+    }>;
     /**
-     * Detect role markers / prompt template artifacts in outbound content.
-     * These should never appear in agent output — their presence indicates
-     * injection artifact survival.
+     * Create an escrow for trust bootstrapping.
      */
-    private detectOutputRoleMarkers;
+    createEscrow(transactionTerms: string, counterpartyDid: string, timeoutSeconds: number, creatorDid: string, collateralAmount?: number): Promise<Escrow>;
     /**
-     * Detect base64 strings, base64url, and zero-width character evasion.
+     * Get an escrow by ID.
      */
-    private detectEncodingEvasion;
+    getEscrow(escrowId: string): Promise<Escrow | null>;
     /**
-     * Detect URLs and emails in fields that shouldn't have them.
+     * Create a principal's guarantee for a new agent.
      */
-    private detectDataExfiltration;
+    createGuarantee(principalIdentity: StoredIdentity, agentDid: string, scope: string, durationSeconds: number, identityEncryptionKey: Uint8Array, maxLiability?: number): Promise<Guarantee>;
     /**
-     * Detect prompt stuffing: very large strings or high repetition.
+     * Summarize attestations for the L4 degradation emitter and dashboard widget.
+     *
+     * Returns aggregate evidence about the identity's reputation state —
+     * counts, tier distribution, recency, dispute counts, context coverage —
+     * without exposing raw attestations. The caller combines this with an
+     * audit-log check for Verascore link state to produce the final
+     * `L4Evidence` struct consumed by the SHR generator.
+     *
+     * @param participantDid - If provided, only count attestations where the
+     *   `participant_did` matches. If omitted, covers all attestations in the
+     *   store.
      */
-    private detectPromptStuffing;
+    summarizeForSHR(participantDid?: string): Promise<L4AttestationSummary>;
     /**
-     * Determine if this field is inherently safe from role override.
+     * Load attestations for tier-weighted scoring.
+     * Applies basic context/counterparty filtering, returns full StoredAttestations
+     * so callers can access sovereignty_tier from attestation data.
      */
-    private isSafeField;
+    loadAllForTierScoring(options?: {
+        context?: string;
+        counterparty_did?: string;
+    }): Promise<StoredAttestation[]>;
+    private loadAll;
     /**
-     * Determine if this is a tool name field (where tool refs are expected).
+     * Cursor-based async iterator that loads attestations in pages.
+     * Prevents OOM at 100K+ records by reading and decrypting in batches.
      */
-    private isToolNameField;
+    loadAllPaginated(pageSize?: number): AsyncGenerator<StoredAttestation[]>;
+}
+
+/**
+ * Sanctuary MCP Server — Federation Types
+ *
+ * MCP-to-MCP federation enables two Sanctuary instances to:
+ *   1. Discover each other's capabilities (SIM exchange)
+ *   2. Establish mutual trust (sovereignty handshake)
+ *   3. Exchange signed reputation attestations
+ *   4. Evaluate trust for cross-instance interactions
+ *
+ * Federation operates as a protocol layer atop the handshake:
+ *   Handshake establishes trust → Federation uses that trust for ongoing operations.
+ *
+ * Key constraint: Federation MUST respect each party's sovereignty.
+ * Neither party can compel the other to share data they haven't disclosed
+ * via their disclosure policy.
+ */
+
+/** A known federation peer */
+interface FederationPeer {
+    /** The peer's instance ID (from their SHR) */
+    peer_id: string;
+    /** The peer's DID (identity) */
+    peer_did: string;
+    /** When this peer was first seen */
+    first_seen: string;
+    /** When last handshake completed */
+    last_handshake: string;
+    /** Current trust tier from most recent handshake */
+    trust_tier: SovereigntyTier;
+    /** Handshake result (for tier resolution) */
+    handshake_result: HandshakeResult;
+    /** Peer's advertised capabilities (from their SIM) */
+    capabilities: FederationCapabilities;
+    /** Whether we have a valid (non-expired) handshake */
+    active: boolean;
+}
+/** Capabilities a peer advertises for federation */
+interface FederationCapabilities {
+    /** Whether the peer supports reputation exchange */
+    reputation_exchange: boolean;
+    /** Whether the peer supports mutual attestation */
+    mutual_attestation: boolean;
+    /** Whether the peer supports encrypted channels */
+    encrypted_channel: boolean;
+    /** Supported attestation formats */
+    attestation_formats: string[];
+}
+/** Trust evaluation result for a federation peer */
+interface PeerTrustEvaluation {
+    peer_id: string;
+    /** Current sovereignty tier (from handshake) */
+    sovereignty_tier: SovereigntyTier;
+    /** Whether handshake is current (not expired) */
+    handshake_current: boolean;
+    /** Reputation summary (if available) */
+    reputation_score?: number;
+    /** How many mutual attestations we share */
+    mutual_attestation_count: number;
+    /** Overall trust assessment */
+    trust_level: "high" | "medium" | "low" | "none";
+    /** Reasoning for the assessment */
+    factors: string[];
+    /** Evaluated at */
+    evaluated_at: string;
+}
+
+/**
+ * Sanctuary MCP Server — Federation Peer Registry
+ *
+ * Manages known federation peers. Peers are discovered through handshakes
+ * and tracked for ongoing federation operations.
+ *
+ * The registry is the source of truth for:
+ * - Who we've federated with
+ * - Current trust status of each peer
+ * - Peer capabilities (what operations they support)
+ *
+ * Security invariants:
+ * - Peers are ONLY added through completed handshakes (not self-registration)
+ * - Trust tiers degrade automatically when handshakes expire
+ * - Peer data is stored encrypted under L1 sovereignty
+ */
+
+declare class FederationRegistry {
+    private peers;
     /**
-     * Determine if this field is safe for URLs.
+     * Register or update a peer from a completed handshake.
+     * This is the ONLY way peers enter the registry.
      */
-    private isUrlSafeField;
+    registerFromHandshake(result: HandshakeResult, peerDid: string, capabilities?: Partial<FederationCapabilities>): FederationPeer;
     /**
-     * Determine if this field is safe for emails.
+     * Get a peer by instance ID.
+     * Automatically updates active status based on handshake expiry.
      */
-    private isEmailSafeField;
+    getPeer(peerId: string): FederationPeer | null;
     /**
-     * Determine if this field is safe for structured data (JSON/XML).
+     * List all known peers, optionally filtered by status.
      */
-    private isStructuredField;
+    listPeers(filter?: {
+        active_only?: boolean;
+    }): FederationPeer[];
     /**
-     * SEC-032/SEC-034: Map common cross-script confusable characters to their
-     * Latin equivalents. NFKC normalization handles fullwidth and compatibility
-     * forms, but does NOT map Cyrillic/Greek/Armenian/Georgian lookalikes to
-     * Latin (they're distinct codepoints by design).
+     * Evaluate trust for a federation peer.
      *
-     * Extended to 50+ confusable pairs covering Cyrillic, Greek, Armenian,
-     * Georgian, Cherokee, and mathematical/symbol lookalikes.
-     */
-    private normalizeConfusables;
-    /**
-     * Compute confidence score based on signals.
-     * More high-severity signals = higher confidence.
-     */
-    private computeConfidence;
-    /**
-     * Compute recommendation based on signals and sensitivity.
+     * Trust assessment considers:
+     * - Handshake status (current vs expired)
+     * - Sovereignty tier (verified-sovereign vs degraded vs unverified)
+     * - Reputation data (if available)
+     * - Mutual attestation history
      */
-    private computeRecommendation;
+    evaluateTrust(peerId: string, mutualAttestationCount?: number, reputationScore?: number): PeerTrustEvaluation;
     /**
-     * Get statistics about scans performed.
+     * Remove a peer from the registry.
      */
-    getStats(): {
-        total_scans: number;
-        total_flags: number;
-        total_blocks: number;
-        signals_by_type: Record<string, number>;
-    };
+    removePeer(peerId: string): boolean;
     /**
-     * Reset statistics.
+     * Get the handshake results map (for tier resolution integration).
      */
-    resetStats(): void;
+    getHandshakeResults(): Map<string, HandshakeResult>;
 }
 
 /**
- * Sanctuary MCP Server — Principal Policy Types
+ * Sanctuary MCP Server — L2 Operational Isolation: Context Gating
  *
- * Type definitions for the Principal Policy system.
- * The Principal Policy is the human-controlled, agent-immutable
- * configuration that gates operations through approval tiers.
+ * Context gating controls what information leaves the sovereignty boundary
+ * when an agent makes outbound calls — especially inference calls to remote
+ * LLM providers. This is the "minimum-necessary context" enforcement layer.
+ *
+ * The problem: When an agent sends a request to a remote LLM provider (Claude,
+ * GPT, etc.), most harnesses send the agent's full context — conversation
+ * history, memory, tool results, preferences, internal reasoning. The agent
+ * has no control over what the provider sees.
+ *
+ * Context gating lets the agent define:
+ * - Provider categories (inference, tool-api, logging, analytics, etc.)
+ * - What fields/categories of context may flow to each provider type
+ * - What must always be redacted (secrets, internal reasoning, PII, etc.)
+ * - What requires transformation (hashing, summarizing, anonymizing)
+ *
+ * This sits in L2 (Operational Isolation) because it controls information
+ * flow at the execution boundary. L3 (Selective Disclosure) handles agent-
+ * to-agent trust negotiation with cryptographic proofs; context gating
+ * handles agent-to-infrastructure information flow.
+ *
+ * Security invariants:
+ * - Redact rules take absolute priority (like withhold in L3)
+ * - Policies are stored encrypted under L1 sovereignty
+ * - Every filter operation is audit-logged with a content hash
+ *   (what was sent, what was redacted — without storing the content itself)
+ * - Default policy: redact everything not explicitly allowed
  */
-/** Tier 2 anomaly action: what to do when an anomaly is detected */
-type AnomalyAction = "approve" | "log" | "allow";
-/** Tier 2 anomaly detection configuration */
-interface Tier2Config {
-    /** Action when agent accesses a namespace it hasn't used before */
-    new_namespace_access: AnomalyAction;
-    /** Action when agent interacts with an unknown counterparty DID */
-    new_counterparty: AnomalyAction;
-    /** Tool call frequency multiplier that triggers anomaly */
-    frequency_spike_multiplier: number;
-    /** Maximum signing operations per minute before triggering */
-    max_signs_per_minute: number;
-    /** Reading more than N keys in a namespace within 60 seconds */
-    bulk_read_threshold: number;
-    /** Policy for first session when no baseline exists */
-    first_session_policy: AnomalyAction;
-}
-/** Approval channel configuration */
-interface ApprovalChannelConfig {
-    type: "stderr" | "webhook" | "callback";
-    timeout_seconds: number;
-    /**
-     * SEC-002: auto_deny is hardcoded to true and not configurable.
-     * Timeout on any approval channel ALWAYS results in denial.
-     * This field is retained for backward compatibility with existing
-     * policy files but is ignored — timeout always denies.
-     */
-    auto_deny?: boolean;
-    webhook_url?: string;
-    webhook_secret?: string;
+
+/** Provider categories that context may flow to */
+type ProviderCategory = "inference" | "tool-api" | "logging" | "analytics" | "peer-agent" | "custom";
+/** Actions that can be taken on a context field */
+type ContextAction = "allow" | "redact" | "hash" | "summarize" | "deny";
+/** A rule within a context-gating policy */
+interface ContextGateRule {
+    /** Provider category this rule applies to */
+    provider: ProviderCategory | "*";
+    /** Fields/patterns that may pass through */
+    allow: string[];
+    /** Fields/patterns that must be redacted (highest priority) */
+    redact: string[];
+    /** Fields/patterns that should be hashed */
+    hash: string[];
+    /** Fields/patterns that should be summarized (advisory) */
+    summarize: string[];
 }
-/** Complete Principal Policy */
-interface PrincipalPolicy {
-    version: number;
-    /** Operations that always require human approval */
-    tier1_always_approve: string[];
-    /** Behavioral anomaly detection configuration */
-    tier2_anomaly: Tier2Config;
-    /** Operations that never require approval (audit only) */
-    tier3_always_allow: string[];
-    /** How approval requests reach the human */
-    approval_channel: ApprovalChannelConfig;
+/** A complete context-gating policy */
+interface ContextGatePolicy {
+    policy_id: string;
+    policy_name: string;
+    rules: ContextGateRule[];
+    /** Default action when no rule matches a field */
+    default_action: "redact" | "deny";
+    /** Identity this policy is bound to (optional) */
+    identity_id?: string;
+    created_at: string;
+    updated_at: string;
 }
-/** Approval request sent to the human */
-interface ApprovalRequest {
-    operation: string;
-    tier: 1 | 2;
+/** Result of filtering a single field */
+interface FieldFilterResult {
+    field: string;
+    action: ContextAction;
     reason: string;
-    context: Record<string, unknown>;
-    timestamp: string;
-}
-/** Approval response from the human */
-interface ApprovalResponse {
-    decision: "approve" | "deny";
-    decided_at: string;
-    decided_by: "human" | "timeout" | "auto" | "stderr:non-interactive";
+    /** If action is "hash", contains the hash */
+    hash_value?: string;
 }
-/** Result of the approval gate evaluation */
-interface GateResult {
-    allowed: boolean;
-    tier: 1 | 2 | 3;
-    reason: string;
-    approval_required: boolean;
-    approval_response?: ApprovalResponse;
+/** Result of a full context filter operation */
+interface ContextFilterResult {
+    policy_id: string;
+    provider: ProviderCategory | string;
+    fields_allowed: number;
+    fields_redacted: number;
+    fields_hashed: number;
+    fields_summarized: number;
+    fields_denied: number;
+    decisions: FieldFilterResult[];
+    /** SHA-256 hash of the original context (for audit trail) */
+    original_context_hash: string;
+    /** SHA-256 hash of the filtered output (for audit trail) */
+    filtered_context_hash: string;
+    filtered_at: string;
 }
-/** Behavioral baseline for anomaly detection */
-interface SessionProfile {
-    /** Namespaces accessed (read or write) */
-    known_namespaces: string[];
-    /** Counterparty DIDs seen in reputation operations */
-    known_counterparties: string[];
-    /** Tool call counts per tool name (lifetime in session) */
-    tool_call_counts: Record<string, number>;
-    /** Whether this is the first session (no prior baseline) */
-    is_first_session: boolean;
-    /** Session start time */
-    started_at: string;
-    /** When the baseline was last saved */
-    saved_at?: string;
+/**
+ * Evaluate a context field against a policy for a given provider.
+ *
+ * Priority order (same as L3 disclosure):
+ * 1. Redact (blocks — highest priority)
+ * 2. Deny (blocks entire request)
+ * 3. Hash (transforms)
+ * 4. Summarize (advisory transform)
+ * 5. Allow (passes through)
+ * 6. Default action
+ */
+declare function evaluateField(policy: ContextGatePolicy, provider: ProviderCategory | string, field: string): FieldFilterResult;
+/**
+ * Filter a full context object against a policy for a given provider.
+ * Returns per-field decisions and content hashes for the audit trail.
+ */
+declare function filterContext(policy: ContextGatePolicy, provider: ProviderCategory | string, context: Record<string, unknown>): ContextFilterResult;
+/**
+ * Context gate policy store — encrypted under L1 sovereignty.
+ */
+declare class ContextGatePolicyStore {
+    private storage;
+    private encryptionKey;
+    private policies;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
+    /**
+     * Create and store a new context-gating policy.
+     */
+    create(policyName: string, rules: ContextGateRule[], defaultAction: "redact" | "deny", identityId?: string): Promise<ContextGatePolicy>;
+    /**
+     * Get a policy by ID.
+     */
+    get(policyId: string): Promise<ContextGatePolicy | null>;
+    /**
+     * List all context-gating policies.
+     */
+    list(): Promise<ContextGatePolicy[]>;
+    /**
+     * Load all persisted policies into memory.
+     */
+    private loadAll;
+    private persist;
 }
 
 /**
- * Sanctuary MCP Server — Approval Channel
+ * Sanctuary MCP Server — L2 Context Gating: Starter Policy Templates
  *
- * Out-of-band communication with the human principal for operation approval.
- * The default channel uses stderr (outside MCP's stdin/stdout protocol),
- * ensuring the agent cannot intercept or forge approval responses.
+ * Pre-built policies for common use cases. These are starting points —
+ * users should customize them for their specific context structure.
  *
- * Security invariant:
- * - Approval prompts go through a channel the agent cannot access.
- * - Timeouts result in denial by default (fail closed).
+ * Templates:
+ *
+ *   inference-minimal
+ *     Only the current task and query reach the LLM. Everything else
+ *     is redacted. Secrets, PII, memory, reasoning, and history are
+ *     all blocked. IDs are hashed. Maximum privacy, minimum context.
+ *
+ *   inference-standard
+ *     Task, query, and tool results pass through. Conversation history
+ *     is flagged for summarization (compress before sending). Secrets,
+ *     PII, and internal reasoning are redacted. IDs are hashed.
+ *     Balanced: the LLM has enough context to be useful without seeing
+ *     everything the agent knows.
+ *
+ *   logging-strict
+ *     Redacts everything for logging/analytics providers. Only
+ *     operation names and timestamps pass through. Use this for
+ *     telemetry services where you want usage metrics without
+ *     content exposure.
+ *
+ *   tool-api-scoped
+ *     Allows tool-specific parameters and the current task, redacts
+ *     memory, history, secrets, and PII. Hashes IDs. For outbound
+ *     calls to external APIs (search, database, etc.) where you need
+ *     to send query parameters but not your agent's full state.
  */
 
-/** Abstract approval channel interface */
-interface ApprovalChannel {
-    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+/** A template definition ready to be applied via the policy store */
+interface ContextGateTemplate {
+    /** Machine-readable template ID */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** One-line description */
+    description: string;
+    /** When to use this template */
+    use_when: string;
+    /** The rules that make up this template */
+    rules: ContextGateRule[];
+    /** Default action for unmatched fields */
+    default_action: "redact" | "deny";
 }
+/** All available templates, keyed by ID */
+declare const TEMPLATES: Record<string, ContextGateTemplate>;
+/** List all available template IDs */
+declare function listTemplateIds(): string[];
+/** Get a template by ID (returns undefined if not found) */
+declare function getTemplate(id: string): ContextGateTemplate | undefined;
+
 /**
- * Stderr approval channel — non-interactive informational channel.
+ * Sanctuary MCP Server — L2 Context Gating: Policy Recommendation Engine
  *
- * In the MCP stdio model:
- * - stdin/stdout carry the MCP protocol (JSON-RPC)
- * - stderr is available for out-of-band human communication
+ * Analyzes a sample context object and recommends a context-gating policy
+ * based on field name heuristics. The agent (or human) can then review,
+ * adjust, and apply the recommendation.
  *
- * Because stdin is consumed by the MCP JSON-RPC transport, this channel
- * CANNOT read interactive human input. It is strictly informational:
- * the prompt is displayed so the human sees what is happening, and the
- * operation is denied immediately.
+ * This is deliberately conservative: when in doubt, it recommends redact.
+ * A false redaction is a usability issue; a false allow is a privacy leak.
  *
- * SEC-002 + SEC-016 invariants:
- * - This channel ALWAYS denies. No configuration can change this.
- * - There is no timeout or async delay — denial is synchronous.
- * - The `auto_deny` config field is ignored (SEC-002).
- * - For interactive approval, use the dashboard or webhook channel.
+ * Classification heuristics:
+ * - Known secret patterns → redact (highest confidence)
+ * - Known PII patterns → redact (high confidence)
+ * - Known internal state patterns → redact (high confidence)
+ * - Known ID patterns → hash (medium confidence)
+ * - Known history patterns → summarize (medium confidence)
+ * - Known task/query patterns → allow (medium confidence)
+ * - Everything else → redact (conservative default)
+ *
+ * WARNING: Fields like 'tool_results' and 'tool_output' are classified as
+ * "allow" (medium confidence) but may contain sensitive data from external
+ * API responses, including auth tokens, user data, or PII. Always review
+ * recommendations before applying — the heuristic classifies by field NAME,
+ * not field CONTENT.
  */
-declare class StderrApprovalChannel implements ApprovalChannel {
-    constructor(_config: ApprovalChannelConfig);
-    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
-    private formatPrompt;
+/** Classification result for a single field */
+interface FieldClassification {
+    field: string;
+    recommended_action: "allow" | "redact" | "hash" | "summarize";
+    reason: string;
+    confidence: "high" | "medium" | "low";
+    /** Pattern that matched, if any */
+    matched_pattern: string | null;
+}
+/** Full recommendation result */
+interface PolicyRecommendation {
+    provider: string;
+    classifications: FieldClassification[];
+    recommended_rules: {
+        allow: string[];
+        redact: string[];
+        hash: string[];
+        summarize: string[];
+    };
+    default_action: "redact";
+    summary: {
+        total_fields: number;
+        allow: number;
+        redact: number;
+        hash: number;
+        summarize: number;
+    };
+    warnings: string[];
 }
 /**
- * Programmatic approval channel — for testing and API integration.
+ * Classify a single field name and return a recommendation.
  */
-declare class CallbackApprovalChannel implements ApprovalChannel {
-    private callback;
-    constructor(callback: (request: ApprovalRequest) => Promise<ApprovalResponse>);
-    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
-}
+declare function classifyField(fieldName: string): FieldClassification;
 /**
- * Auto-approve channel — for testing. Approves everything.
+ * Analyze a full context object and recommend a policy.
  */
-declare class AutoApproveChannel implements ApprovalChannel {
-    requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse>;
-}
+declare function recommendPolicy(context: Record<string, unknown>, provider?: string): PolicyRecommendation;
 
 /**
- * Sanctuary MCP Server — Behavioral Baseline Tracker
+ * Sanctuary MCP Server — L2 Model Provenance
  *
- * Tracks the agent's behavioral profile during a session and persists
- * it for cross-session anomaly detection. The baseline defines "normal"
- * so that deviations can trigger Tier 2 approval.
+ * Declares and attests to the model(s) powering this agent.
  *
- * Security invariants:
- * - Baseline is stored encrypted under L1 sovereignty
- * - Baseline changes are audit-logged
- * - Baseline is integrity-verified via L1 Merkle tree
- * - No MCP tool can directly modify the baseline
+ * Vitalik Buterin's "Secure LLM" post (April 2026) identified a critical gap:
+ * open-weights-but-not-open-source models can have trained-in backdoors. Model
+ * provenance declaration lets agents and their operators verify the integrity
+ * of the inference backbone.
+ *
+ * Tracks: model name, version, weights hash, license, open-source status,
+ * training data hash (if available). Included in SHR L2 section.
+ *
+ * This sits in L2 (Operational Isolation) because it's part of the runtime
+ * attestation surface — the agent declares what model(s) it's actually running.
  */
-
-declare class BaselineTracker {
-    private storage;
-    private encryptionKey;
-    private profile;
-    /** Sliding window: timestamps of tool calls per tool name (last 60s) */
-    private callWindows;
-    /** Sliding window: read counts per namespace (last 60s) */
-    private readWindows;
-    /** Sliding window: sign call timestamps (last 60s) */
-    private signWindow;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    /**
-     * Load the previous session's baseline from storage.
-     * If none exists, this is a first session.
-     */
-    load(): Promise<void>;
-    /**
-     * Save the current baseline to storage (encrypted).
-     * Called at session end or periodically.
-     */
-    save(): Promise<void>;
-    /**
-     * Record a tool call for baseline tracking.
-     * Returns anomaly information if applicable.
-     */
-    recordToolCall(toolName: string): void;
-    /**
-     * Record a namespace access.
-     * @returns true if this is a new namespace (not in baseline)
-     */
-    recordNamespaceAccess(namespace: string): boolean;
+/**
+ * Metadata about a single model powering this agent.
+ */
+interface ModelProvenance {
+    /** Machine-readable model ID (e.g., "qwen3.5-35b", "claude-opus-4", "llama-3.3-70b-instruct") */
+    model_id: string;
+    /** Human-readable model name (e.g., "Qwen 3.5", "Claude Opus 4", "Llama 3.3 70B Instruct") */
+    model_name: string;
+    /** Semantic version (e.g., "3.5", "4.0", "3.3") */
+    model_version: string;
+    /** Provider/vendor (e.g., "Alibaba Cloud", "Anthropic", "Meta", "local") */
+    provider: string;
+    /** SHA-256 of model weights file, if available and verifiable */
+    weights_hash?: string;
+    /** SHA-256 of training data manifest or metadata, if available */
+    training_data_hash?: string;
+    /** License identifier (e.g., "Apache-2.0", "CC-BY-4.0", "proprietary", "unknown") */
+    license: string;
+    /** True if model weights are publicly available (even if training is proprietary) */
+    open_weights: boolean;
+    /** True if full training code, data, and methodology are publicly available */
+    open_source: boolean;
+    /** True if inference runs on the local agent's hardware (not delegated to cloud API) */
+    local_inference: boolean;
+    /** ISO 8601 timestamp when this provenance was declared */
+    declared_at: string;
+}
+/**
+ * In-memory and persistent store for model provenance declarations.
+ * Declarations are encrypted under L1 sovereignty.
+ */
+interface ModelProvenanceStore {
     /**
-     * Record a namespace read for bulk-read detection.
-     * @returns the number of reads in the current 60-second window
+     * Declare a model's provenance and add it to the store.
      */
-    recordNamespaceRead(namespace: string): number;
+    declare(provenance: ModelProvenance): void;
     /**
-     * Record a counterparty DID interaction.
-     * @returns true if this is a new counterparty (not in baseline)
+     * Retrieve a model's provenance by ID.
      */
-    recordCounterparty(did: string): boolean;
+    get(model_id: string): ModelProvenance | undefined;
     /**
-     * Record a signing operation.
-     * @returns the number of signs in the current 60-second window
+     * List all declared models.
      */
-    recordSign(): number;
+    list(): ModelProvenance[];
     /**
-     * Get the current call rate for a tool (calls per minute).
+     * Get the primary/main model (the one the agent uses by default for inference).
      */
-    getCallRate(toolName: string): number;
+    primary(): ModelProvenance | undefined;
     /**
-     * Get the average call rate across all tools in the baseline.
+     * Set which model is the primary.
      */
-    getAverageCallRate(): number;
-    /** Whether this is the first session */
-    get isFirstSession(): boolean;
-    /** Get a read-only view of the current profile */
-    getProfile(): SessionProfile;
+    setPrimary(model_id: string): void;
 }
-
 /**
- * Sanctuary MCP Server — Approval Gate
- *
- * The three-tier approval gate sits between the MCP router and tool handlers.
- * Every tool call passes through the gate before execution.
- *
- * Evaluation order:
- * 1. Tier 1: Is this operation in the always-approve list? → Request approval.
- * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.
- * 3. Tier 3 / default: Allow with audit logging.
- *
- * Security invariants:
- * - The gate cannot be bypassed — it wraps every tool handler.
- * - Denial responses do not reveal policy details to the agent.
- * - All gate decisions (approve, deny, allow) are audit-logged.
+ * In-memory implementation of ModelProvenanceStore.
+ * Suitable for most use cases. For encrypted persistence, integrate with L1 state store.
  */
-
-/** Callback invoked when an injection is detected, for dashboard broadcasting */
-type InjectionAlertCallback = (alert: {
-    toolName: string;
-    result: DetectionResult;
-    timestamp: string;
-}) => void;
-/** Resolver for proxy tool tiers — provided by the ProxyRouter */
-type ProxyTierResolver = (toolName: string) => (1 | 2 | 3) | null;
-declare class ApprovalGate {
-    private policy;
-    private baseline;
-    private channel;
-    private auditLog;
-    private injectionDetector;
-    private onInjectionAlert?;
-    private proxyTierResolver?;
-    constructor(policy: PrincipalPolicy, baseline: BaselineTracker, channel: ApprovalChannel, auditLog: AuditLog, injectionDetector?: InjectionDetector, onInjectionAlert?: InjectionAlertCallback);
-    /**
-     * Set the proxy tier resolver. Called after the proxy router is initialized.
-     */
-    setProxyTierResolver(resolver: ProxyTierResolver): void;
+declare class InMemoryModelProvenanceStore implements ModelProvenanceStore {
+    private models;
+    private primaryModelId;
+    declare(provenance: ModelProvenance): void;
+    get(model_id: string): ModelProvenance | undefined;
+    list(): ModelProvenance[];
+    primary(): ModelProvenance | undefined;
+    setPrimary(model_id: string): void;
+}
+/**
+ * Common model provenance presets for quick initialization.
+ */
+declare const MODEL_PRESETS: {
     /**
-     * Evaluate a tool call against the Principal Policy.
-     *
-     * @param toolName - Full MCP tool name (e.g., "state_export")
-     * @param args - Tool call arguments (for context extraction)
-     * @returns GateResult indicating whether the call is allowed
+     * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
      */
-    evaluate(toolName: string, args: Record<string, unknown>): Promise<GateResult>;
+    claudeOpus4: () => ModelProvenance;
     /**
-     * Detect Tier 2 behavioral anomalies.
+     * Qwen 3.5 via local inference (open weights, proprietary training)
      */
-    private detectAnomaly;
+    qwen35Local: () => ModelProvenance;
     /**
-     * Request approval from the human principal.
+     * Llama 3.3 70B via local inference (open weights and code)
      */
-    private requestApproval;
+    llama33Local: () => ModelProvenance;
     /**
-     * Summarize tool arguments for the approval prompt.
-     * Strips potentially large values to keep the prompt readable.
+     * Mistral 7B (open weights, open code, local inference)
      */
-    private summarizeArgs;
-    /** Get the baseline tracker for saving at session end */
-    getBaseline(): BaselineTracker;
-    /** Get the injection detector for stats/configuration access */
-    getInjectionDetector(): InjectionDetector;
-}
-
-/**
- * Sanctuary MCP Server — Tool Router
- *
- * Routes sanctuary/* tool calls to their layer-specific handlers.
- * Every tool call passes through schema validation and the ApprovalGate
- * (if configured) before execution. Neither can be bypassed.
- *
- * This module is the abstraction boundary for MCP SDK version migration —
- * if the SDK API changes, only this module needs updating.
- */
-
-/** Tool handler function signature */
-type ToolHandler = (args: Record<string, unknown>) => Promise<{
-    content: Array<{
-        type: "text";
-        text: string;
-    }>;
-}>;
-/** Tool definition for registration */
-interface ToolDefinition {
-    name: string;
-    description: string;
-    inputSchema: Record<string, unknown>;
-    handler: ToolHandler;
-}
+    mistral7bLocal: () => ModelProvenance;
+};
 
 /**
  * Sanctuary MCP Server — L2 Context Gating: Automatic Enforcer
@@ -2620,37 +2721,6 @@ declare class FilesystemStorage implements StorageBackend {
  */
 declare function loadPrincipalPolicy(storagePath: string): Promise<PrincipalPolicy>;
 
-/**
- * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions
- *
- * MCP tool wrappers for StateStore and IdentityRoot operations.
- * These tools are the public API that agents interact with.
- */
-
-/** Manages all identities — provides storage and retrieval */
-declare class IdentityManager {
-    private storage;
-    private masterKey;
-    private identities;
-    private primaryIdentityId;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    private get encryptionKey();
-    /** Load identities from storage on startup.
-     *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
-     *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
-     */
-    load(): Promise<{
-        total: number;
-        loaded: number;
-        failed: number;
-    }>;
-    /** Save an identity to storage */
-    save(identity: StoredIdentity): Promise<void>;
-    get(id: string): StoredIdentity | undefined;
-    getDefault(): StoredIdentity | undefined;
-    list(): PublicIdentity[];
-}
-
 /**
  * Sanctuary MCP Server — SHR Generator
  *
@@ -2658,12 +2728,56 @@ declare class IdentityManager {
  * signs it with a specified identity, and returns the complete signed SHR.
  */
 
+/**
+ * Observed L4 reputation state used by the emitter. Callers gather these
+ * facts from the reputation store + audit log; the emitter derives
+ * degradations from them. Keeping evidence as plain data keeps the
+ * generator synchronous and easy to test.
+ */
+interface L4Evidence {
+    /** Total attestations attributed to the signing identity */
+    attestation_count: number;
+    /** Count of attestations at each sovereignty tier */
+    tier_distribution: Record<SovereigntyTier, number>;
+    /** ISO timestamp of most recent attestation, or null when none exist */
+    most_recent_attestation_at: string | null;
+    /** Count of attestations with outcome_result === "disputed" */
+    dispute_count: number;
+    /** Attestation count per context label (optional; used by dashboard) */
+    context_breakdown?: Record<string, number>;
+    /**
+     * True iff the `reputation_publish` tool has been successfully invoked
+     * for this identity (i.e., there is at least one success audit entry).
+     */
+    verascore_linked: boolean;
+    /**
+     * Optional overrides for the emitter thresholds. Defaults apply when
+     * omitted or when a field is missing.
+     */
+    thresholds?: {
+        freshness_window_days?: number;
+        low_tier_dominance_threshold?: number;
+    };
+}
 interface SHRGeneratorOptions {
     config: SanctuaryConfig;
     identityManager: IdentityManager;
     masterKey: Uint8Array;
     /** Override validity window (milliseconds). Default: 1 hour. */
     validityMs?: number;
+    /**
+     * Optional L4 reputation evidence. When provided, the generator emits
+     * L4 degradations (NO_REPUTATION_HISTORY, LOW_TIER_DOMINANCE,
+     * STALE_REPUTATION, DISPUTE_ON_RECORD, NO_VERASCORE_LINK) accordingly
+     * and downgrades `layers.l4.status` to `degraded` when any fire.
+     * When omitted, L4 is left at "active" (backward-compatible).
+     */
+    l4Evidence?: L4Evidence;
+    /**
+     * Clock override for deterministic testing of staleness behavior.
+     * Defaults to the current wall clock.
+     */
+    now?: Date;
 }
 /**
  * Generate and sign a Sovereignty Health Report.
@@ -3358,6 +3472,279 @@ declare function createBridgeCommitment(outcome: ConcordiaOutcome, identity: Sto
  */
 declare function verifyBridgeCommitment(commitment: BridgeCommitment, outcome: ConcordiaOutcome, committerPublicKey: Uint8Array): BridgeVerificationResult;
 
+/**
+ * Sanctuary Dashboard — Protection Snapshot Aggregator
+ *
+ * Pulls unified protection state from the existing subsystems
+ * (IdentityManager, AuditLog, ClientManager, BaselineTracker, policy)
+ * and returns a single typed snapshot consumed by the API + HTML.
+ *
+ * The aggregator is the single source of truth for dashboard state.
+ * It is pure (no I/O beyond what the injected sources already do) and
+ * safe to call repeatedly — callers control freshness.
+ */
+
+type LayerState = "full" | "degraded" | "compromised";
+type OverallStatus = "healthy" | "degraded" | "compromised";
+interface AgentInfo {
+    display_name: string;
+    did: string | null;
+    did_fingerprint: string | null;
+    identity_count: number;
+    primary_identity_id: string | null;
+}
+interface L1Status {
+    label: string;
+    state: LayerState;
+    headline: string;
+    encryption: string;
+    injection_blocked_today: number;
+    memory_attest_ready: boolean;
+}
+interface L2Status {
+    label: string;
+    state: LayerState;
+    headline: string;
+    isolation_type: string;
+    tee_available: boolean;
+    tee_status: string;
+    sandbox_status: string;
+}
+interface L3Status {
+    label: string;
+    state: LayerState;
+    headline: string;
+    did_active: boolean;
+    vc_count: number;
+    proofs_today: number;
+}
+/** A single L4 degradation surfaced to the dashboard widget. */
+interface L4ActiveDegradation {
+    code: string;
+    severity: "info" | "warning" | "critical";
+    description: string;
+    mitigation?: string;
+}
+interface L4Status {
+    label: string;
+    state: LayerState;
+    headline: string;
+    score: number | null;
+    profile_url: string | null;
+    claim_cta: string | null;
+    /**
+     * Evidence surfaced under the L4 tile so users can tell what underlies
+     * the reputation state. Null when no reputation store is wired in
+     * (standalone mode, some tests).
+     */
+    evidence?: {
+        attestation_count: number;
+        tier_distribution: Record<SovereigntyTier, number>;
+        most_recent_attestation_at: string | null;
+        dispute_count: number;
+        context_breakdown: Record<string, number>;
+        verascore_linked: boolean;
+    };
+    /**
+     * SHR-aligned L4 layer score (0-100) when evidence is available.
+     * Computed with the same scoring model the gateway adapter uses so
+     * counterparties and the dashboard agree on the number.
+     */
+    layer_score?: number;
+    /** Active L4 degradations rendered under the widget. */
+    active_degradations?: L4ActiveDegradation[];
+}
+interface ActivityEntry {
+    timestamp: string;
+    tool: string;
+    server: string;
+    tier: 1 | 2 | 3;
+    result: "allowed" | "denied" | "approved" | "pending";
+}
+interface PendingApproval {
+    id: string;
+    operation: string;
+    tier: 1 | 2;
+    reason: string;
+    created_at: string;
+}
+interface UpstreamServerStatus {
+    name: string;
+    state: string;
+    tool_count: number;
+    error?: string;
+}
+interface ProtectionSnapshot {
+    overall: {
+        status: OverallStatus;
+        light: "green" | "yellow" | "red";
+        headline: string;
+    };
+    agent: AgentInfo;
+    layers: {
+        l1: L1Status;
+        l2: L2Status;
+        l3: L3Status;
+        l4: L4Status;
+    };
+    activity: ActivityEntry[];
+    pending_approvals: PendingApproval[];
+    audit: AuditEntry[];
+    upstream_servers: UpstreamServerStatus[];
+    mode: "co-located" | "standalone";
+    server_version: string;
+    generated_at: string;
+}
+interface ReputationLookup {
+    score: number | null;
+    profile_url: string | null;
+}
+interface AggregatorSources {
+    mode: "co-located" | "standalone";
+    server_version: string;
+    identityManager?: IdentityManager;
+    auditLog?: AuditLog;
+    clientManager?: ClientManager;
+    baseline?: BaselineTracker;
+    policy?: PrincipalPolicy;
+    activity?: ActivityEntry[];
+    pendingApprovals?: PendingApproval[];
+    reputation?: ReputationLookup;
+    teeAvailable?: boolean;
+    /**
+     * Pre-computed L4 reputation evidence for the primary identity. When
+     * present the dashboard renders the evidence widget under the L4 tile
+     * and computes an SHR-aligned L4 layer score. Providers build this
+     * via `gatherL4Evidence` from `shr/tools.ts`.
+     */
+    l4Evidence?: L4Evidence;
+    /** Clock override for deterministic staleness rendering in tests. */
+    l4Now?: Date;
+}
+/**
+ * Pull a unified protection snapshot from the injected sources.
+ *
+ * Any missing source degrades gracefully — standalone mode may have
+ * no ClientManager or live activity feed, for example, and the
+ * aggregator returns a coherent snapshot with empty arrays rather
+ * than throwing.
+ */
+declare function getProtectionSnapshot(sources: AggregatorSources): Promise<ProtectionSnapshot>;
+
+/**
+ * Sanctuary Dashboard — HTTP API + SSE
+ *
+ * Request router for the unified dashboard. Pure functions that
+ * take a request + sources and produce a response so the transport
+ * layer (node:http) and tests can exercise the same code paths.
+ */
+
+interface ApprovalHandlers {
+    allow: (id: string) => Promise<boolean>;
+    deny: (id: string) => Promise<boolean>;
+}
+interface StreamEvent {
+    type: "snapshot" | "activity" | "approval";
+    data: unknown;
+}
+
+/**
+ * Sanctuary Dashboard — HTTP Server
+ *
+ * Thin wrapper around node:http that wires the request handler
+ * from api.ts. No Express. Listens on 127.0.0.1 by default.
+ *
+ * Exposes a minimal event emitter (publish / subscribe) so callers
+ * can push live activity + approval events to SSE clients without
+ * the server layer needing to know about aggregator internals.
+ */
+
+interface DashboardServerOptions {
+    port?: number;
+    host?: string;
+    authToken?: string;
+    mode: "co-located" | "standalone";
+    sources: AggregatorSources;
+    approvals?: ApprovalHandlers;
+}
+interface DashboardHandle {
+    url: string;
+    port: number;
+    host: string;
+    stop: () => Promise<void>;
+    /** Push an event to all connected SSE clients. */
+    publish: (event: StreamEvent) => void;
+    /**
+     * Push a fresh activity entry. Exposes a simple shortcut so callers
+     * (e.g. the Sanctuary proxy / upstream clients) can report tool calls
+     * without constructing a StreamEvent themselves.
+     */
+    publishActivity: (entry: ActivityEntry) => void;
+    /** Push a new pending approval (already added by the approval channel). */
+    publishApproval: (approval: PendingApproval) => void;
+}
+declare function startDashboardServer(options: DashboardServerOptions): Promise<DashboardHandle>;
+
+/**
+ * Sanctuary Dashboard — Single-Page HTML
+ *
+ * Hero shield + four layer cards + live activity feed + approval queue +
+ * audit trail. Vanilla HTML/CSS/JS in one string, matching the convention
+ * established by server/src/cocoon/fortress-view.ts.
+ *
+ * The initial snapshot is embedded server-side so the page renders
+ * correctly without JavaScript. Live updates layer on via SSE + REST.
+ */
+
+/** Hero copy. Change here if we ever A/B test. */
+declare const HERO_COPY = "Your agent is protected.";
+interface DashboardHTMLOptions {
+    snapshot: ProtectionSnapshot;
+    authToken?: string;
+}
+declare function renderDashboardHTML(options: DashboardHTMLOptions): string;
+
+/**
+ * Sanctuary Sovereignty Dashboard — public surface.
+ *
+ * Consumers import `startDashboard` to bring up the hero-shield UI
+ * on port 3501 (default). The rest of the exports are types + utilities
+ * for tests and callers that want to wire in live events.
+ */
+
+interface StartDashboardOptions {
+    port?: number;
+    host?: string;
+    authToken?: string;
+    mode: "co-located" | "standalone";
+    serverVersion: string;
+    auditLog?: AuditLog;
+    identityManager?: IdentityManager;
+    clientManager?: ClientManager;
+    baseline?: BaselineTracker;
+    policy?: PrincipalPolicy;
+    reputation?: ReputationLookup;
+    teeAvailable?: boolean;
+    approvals?: ApprovalHandlers;
+    /** Seed activity entries (most recent first). Runtime entries arrive via publishActivity. */
+    initialActivity?: ActivityEntry[];
+    /** Seed pending approvals. Runtime approvals arrive via publishApproval. */
+    initialPendingApprovals?: PendingApproval[];
+    /**
+     * Pre-computed L4 reputation evidence. When provided the dashboard
+     * renders the L4 evidence widget (attestation count, tier distribution,
+     * disputes, freshness, active degradations). Typically supplied by the
+     * server after L4 tools are constructed.
+     */
+    l4Evidence?: L4Evidence;
+}
+/**
+ * High-level entry point used by callers (CLI, standalone service).
+ * Returns a DashboardHandle that exposes `stop()` and `publish*`
+ * helpers for driving live updates.
+ */
+declare function startDashboard(options: StartDashboardOptions): Promise<DashboardHandle>;
+
 /**
  * Sanctuary MCP Server — Main Entry Point
  *
@@ -3368,6 +3755,16 @@ declare function verifyBridgeCommitment(commitment: BridgeCommitment, outcome: C
 interface SanctuaryServer {
     server: Server;
     config: SanctuaryConfig;
+    /**
+     * Runtime dependencies exposed for embedding callers that need
+     * direct access to the Sanctuary substrate (e.g., the EU AI Act
+     * compliance CLI subcommand). Most callers only use `server` and
+     * `config`; these are optional-usage extras.
+     */
+    identityManager: IdentityManager;
+    masterKey: Uint8Array;
+    auditLog: AuditLog;
+    policy: PrincipalPolicy;
 }
 /**
  * Initialize the Sanctuary MCP Server.
@@ -3381,4 +3778,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
 
-export { ATTESTATION_VERSION, ApprovalGate, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, StateStore, StderrApprovalChannel, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, resolveTier, respondToHandshake, signPayload, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };