@sanctuary-framework/mcp-server 1.0.0-rc.1 → 1.0.0-rc.2

package/dist/cli.cjs

@@ -23080,9 +23080,7 @@ var init_registry2 = __esm({
       "coding-assistant",
       "ops-runner",
       "planner",
-      "handoff-coordinator",
-      "x-miner",
-      "github-miner"
+      "handoff-coordinator"
     ];
     TemplateValidationError = class extends Error {
       constructor(templateName, message) {
@@ -23909,1686 +23907,1836 @@ var init_init = __esm({
     init_registry2();
   }
 });
-function constantTimeEquals(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) {
-    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
-  }
-  return diff === 0;
+function resolveStoragePath(env = process.env, home = os.homedir()) {
+  const override = env.SANCTUARY_STORAGE_PATH;
+  if (override && override.length > 0) return override;
+  return path.join(home, DEFAULT_STORAGE_DIR);
 }
-function extractToken(req, url) {
-  const header = req.headers.authorization;
-  if (header && header.startsWith("Bearer ")) {
-    return header.slice(7).trim();
+function resolveDashboardPort(explicitPort, env = process.env) {
+  if (typeof explicitPort === "number" && !Number.isNaN(explicitPort)) {
+    return explicitPort;
   }
-  const q = url.searchParams.get("token");
-  return q ?? null;
-}
-function isAuthorized(deps, req, url) {
-  if (!deps.authToken) return true;
-  const token = extractToken(req, url);
-  if (!token) return false;
-  return constantTimeEquals(token, deps.authToken);
-}
-function writeJSON(res, status, payload) {
-  res.writeHead(status, {
-    "Content-Type": "application/json",
-    "Cache-Control": "no-store"
-  });
-  res.end(JSON.stringify(payload));
-}
-async function readJSONBody(req) {
-  const chunks = [];
-  let size = 0;
-  const MAX = 256 * 1024;
-  for await (const chunk of req) {
-    size += chunk.length;
-    if (size > MAX) throw new Error("request body too large");
-    chunks.push(chunk);
+  const envPort = env.SANCTUARY_DASHBOARD_PORT;
+  if (envPort) {
+    const parsed = parseInt(envPort, 10);
+    if (!Number.isNaN(parsed)) return parsed;
   }
-  const body = Buffer.concat(chunks).toString("utf-8");
-  if (!body) return {};
-  return JSON.parse(body);
-}
-function generateEphemeralKey() {
-  return new Uint8Array(crypto.randomBytes(32));
-}
-function writeText(res, status, body, contentType = "text/plain") {
-  res.writeHead(status, {
-    "Content-Type": contentType,
-    "Cache-Control": "no-store"
-  });
-  res.end(body);
+  return DEFAULT_DASHBOARD_PORT;
 }
-async function handleRequest(deps, req, res) {
-  const host = req.headers.host || "localhost";
-  const url = new URL(req.url ?? "/", `http://${host}`);
-  const method = (req.method ?? "GET").toUpperCase();
-  const path = url.pathname;
-  if (!isAuthorized(deps, req, url)) {
-    writeJSON(res, 401, { error: "unauthorized" });
-    return true;
+var DEFAULT_STORAGE_DIR, DEFAULT_DASHBOARD_PORT;
+var init_paths = __esm({
+  "src/paths.ts"() {
+    DEFAULT_STORAGE_DIR = ".sanctuary";
+    DEFAULT_DASHBOARD_PORT = 3501;
   }
-  if (method === "GET" && path === "/api/health") {
-    writeJSON(res, 200, { ok: true, mode: deps.sources.mode });
-    return true;
+});
+
+// src/cocoon/passphrase.ts
+var passphrase_exports = {};
+__export(passphrase_exports, {
+  PassphraseUnreadableError: () => PassphraseUnreadableError,
+  fallbackFilePath: () => fallbackFilePath,
+  generatePassphrase: () => generatePassphrase,
+  getOrCreatePassphrase: () => getOrCreatePassphrase,
+  keychainServiceFor: () => keychainServiceFor,
+  persistUserProvidedPassphrase: () => persistUserProvidedPassphrase,
+  readStoredPassphrase: () => readStoredPassphrase
+});
+async function getOrCreatePassphrase(opts = {}) {
+  const home = opts.home ?? os.homedir();
+  const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
+  const service = keychainServiceFor(storagePath, home);
+  const plat = opts.platformOverride ?? os.platform();
+  const exec2 = opts.exec ?? defaultExec;
+  const derive = opts.deriveMachineKey ?? deriveMachineKey;
+  if (plat === "darwin") {
+    const fromKc = await readFromKeychain(exec2, service);
+    if (fromKc) {
+      return { value: fromKc, source: "keychain", location: "macOS Keychain" };
+    }
   }
-  if (method === "GET" && (path === "/" || path === "/index.html")) {
-    const snapshot = await getProtectionSnapshot(deps.sources);
-    const html = renderDashboardHTML({ snapshot, authToken: deps.authToken });
-    writeText(res, 200, html, "text/html; charset=utf-8");
-    return true;
+  const fallback = fallbackFilePath(home, storagePath);
+  const fromFile = await readFromFallbackFile(fallback, home, derive);
+  if (fromFile.status === "ok") {
+    return {
+      value: fromFile.value,
+      source: "fallback-file",
+      location: fallback
+    };
   }
-  if (method === "GET" && path === "/api/snapshot") {
-    const snapshot = await getProtectionSnapshot(deps.sources);
-    writeJSON(res, 200, snapshot);
-    return true;
+  if (fromFile.status === "unreadable") {
+    throw new PassphraseUnreadableError(fallback, fromFile.reason);
   }
-  const approvalMatch = /^\/api\/approvals\/([^/]+)\/(allow|deny)$/.exec(path);
-  if (method === "POST" && approvalMatch) {
-    const id = decodeURIComponent(approvalMatch[1]);
-    const action = approvalMatch[2];
-    if (!deps.approvals) {
-      writeJSON(res, 503, { error: "approvals_unavailable" });
-      return true;
-    }
-    const handler = action === "allow" ? deps.approvals.allow : deps.approvals.deny;
-    try {
-      const ok2 = await handler(id);
-      writeJSON(res, ok2 ? 200 : 404, { id, action, ok: ok2 });
-    } catch (err) {
-      writeJSON(res, 500, { error: "approval_failed", message: err.message });
+  const value = generatePassphrase();
+  if (plat === "darwin") {
+    const ok2 = await writeToKeychain(value, exec2, service);
+    if (ok2) {
+      return { value, source: "generated", location: "macOS Keychain" };
     }
-    return true;
-  }
-  if (method === "GET" && path === "/api/stream") {
-    await handleStream(deps, res);
-    return true;
   }
-  if (method === "GET" && path === "/api/templates") {
-    try {
-      const templates = listTemplates();
-      writeJSON(res, 200, { templates });
-    } catch (err) {
-      writeJSON(res, 500, {
-        error: "template_load_failed",
-        message: err.message
-      });
+  await writeToFallbackFile(fallback, value, home, derive);
+  return { value, source: "generated", location: fallback };
+}
+async function readStoredPassphrase(opts = {}) {
+  const home = opts.home ?? os.homedir();
+  const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
+  const service = keychainServiceFor(storagePath, home);
+  const plat = opts.platformOverride ?? os.platform();
+  const exec2 = opts.exec ?? defaultExec;
+  const derive = opts.deriveMachineKey ?? deriveMachineKey;
+  if (plat === "darwin") {
+    const fromKc = await readFromKeychain(exec2, service);
+    if (fromKc) {
+      return { value: fromKc, source: "keychain", location: "macOS Keychain" };
     }
-    return true;
   }
-  const templateMatch = /^\/api\/templates\/([^/]+)$/.exec(path);
-  if (method === "GET" && templateMatch) {
-    const name = decodeURIComponent(templateMatch[1]);
-    try {
-      const entry = getTemplateEntry(name);
-      if (!entry) {
-        writeJSON(res, 404, { error: "template_not_found", name });
-        return true;
-      }
-      writeJSON(res, 200, entry);
-    } catch (err) {
-      writeJSON(res, 500, {
-        error: "template_load_failed",
-        message: err.message
-      });
-    }
-    return true;
+  const fallback = fallbackFilePath(home, storagePath);
+  const fromFile = await readFromFallbackFile(fallback, home, derive);
+  if (fromFile.status === "ok") {
+    return {
+      value: fromFile.value,
+      source: "fallback-file",
+      location: fallback
+    };
   }
-  const initMatch = /^\/api\/templates\/([^/]+)\/init$/.exec(path);
-  if (method === "POST" && initMatch) {
-    const name = decodeURIComponent(initMatch[1]);
-    try {
-      const bundle = getTemplate2(name);
-      if (!bundle) {
-        writeJSON(res, 404, { error: "template_not_found", name });
-        return true;
-      }
-      const body = await readJSONBody(req);
-      if (!body.agent_name || typeof body.agent_name !== "string") {
-        writeJSON(res, 400, {
-          error: "validation_error",
-          message: "agent_name is required and must be a string"
-        });
-        return true;
-      }
-      if (!/^[a-zA-Z0-9_-]+$/.test(body.agent_name)) {
-        writeJSON(res, 400, {
-          error: "validation_error",
-          message: "agent_name must contain only alphanumeric characters, hyphens, and underscores"
-        });
-        return true;
-      }
-      const nodeId = deps.nodeId ?? "dashboard-node";
-      const nodePrivateKey = deps.nodePrivateKey ?? generateEphemeralKey();
-      const principalId = deps.principalId ?? "dashboard-principal";
-      const fortressId = deps.fortressId ?? "default";
-      const result = initTemplate({
-        template_name: name,
-        agent_id: body.agent_name,
-        fortress_id: fortressId,
-        counterparty: "*",
-        policy_version: 1,
-        emitter_node: nodeId,
-        emitter_principal: principalId,
-        monotonic_seq: 1,
-        node_private_key: nodePrivateKey
-      });
-      writeJSON(res, 200, {
-        agent_id: body.agent_name,
-        signed_event_id: result.signed_event.event_id,
-        policy_version: result.compiled.policy_version,
-        template_name: name,
-        attestation_panel_url: `/console#agent_roster`
-      });
-    } catch (err) {
-      writeJSON(res, 500, {
-        error: "template_init_failed",
-        message: err.message
-      });
-    }
-    return true;
+  if (fromFile.status === "unreadable") {
+    throw new PassphraseUnreadableError(fallback, fromFile.reason);
   }
-  return false;
+  return null;
 }
-async function handleStream(deps, res) {
-  res.writeHead(200, {
-    "Content-Type": "text/event-stream",
-    "Cache-Control": "no-cache, no-transform",
-    Connection: "keep-alive",
-    "X-Accel-Buffering": "no"
-  });
-  const snapshot = await getProtectionSnapshot(deps.sources);
-  res.write(`event: snapshot
-data: ${JSON.stringify(snapshot)}
-
-`);
-  const unsubscribe = deps.onEvent ? deps.onEvent((event) => {
-    try {
-      res.write(`event: ${event.type}
-data: ${JSON.stringify(event.data)}
-
-`);
-    } catch {
-    }
-  }) : () => {
-  };
-  const keepAlive = setInterval(() => {
-    try {
-      res.write(": keepalive\n\n");
-    } catch {
+async function persistUserProvidedPassphrase(value, opts = {}) {
+  const home = opts.home ?? os.homedir();
+  const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
+  const service = keychainServiceFor(storagePath, home);
+  const plat = opts.platformOverride ?? os.platform();
+  const exec2 = opts.exec ?? defaultExec;
+  const derive = opts.deriveMachineKey ?? deriveMachineKey;
+  if (plat === "darwin") {
+    const ok2 = await writeToKeychain(value, exec2, service);
+    if (ok2) {
+      return { location: "macOS Keychain", source: "keychain" };
     }
-  }, 25e3);
-  const cleanup = () => {
-    clearInterval(keepAlive);
-    unsubscribe();
-  };
-  res.on("close", cleanup);
-  res.on("error", cleanup);
+  }
+  const fallback = fallbackFilePath(home, storagePath);
+  try {
+    await writeToFallbackFile(fallback, value, home, derive);
+  } catch (err) {
+    throw new Error(
+      `Could not persist the provided passphrase to either Keychain or ${fallback}: ${err.message}. Refusing to proceed \u2014 writing the passphrase into the rewritten agent config would leak it as plaintext at rest and in process argv.`
+    );
+  }
+  return { location: fallback, source: "fallback-file" };
 }
-var init_api = __esm({
-  "src/dashboard/api.ts"() {
-    init_aggregator();
-    init_html();
-    init_registry2();
-    init_init();
+function generatePassphrase() {
+  return crypto.randomBytes(32).toString("base64");
+}
+async function readFromKeychain(exec2, service = KEYCHAIN_SERVICE_DEFAULT) {
+  try {
+    const result = await exec2(
+      "security",
+      ["find-generic-password", "-a", KEYCHAIN_ACCOUNT, "-s", service, "-w"]
+    );
+    if (result.code !== 0) return null;
+    const value = result.stdout.trim();
+    return value.length > 0 ? value : null;
+  } catch {
+    return null;
   }
-});
-async function startDashboardServer(options) {
-  const port = options.port ?? DEFAULT_PORT;
-  const host = options.host ?? DEFAULT_HOST;
-  const listeners = /* @__PURE__ */ new Set();
-  const onEvent = (listener) => {
-    listeners.add(listener);
-    return () => listeners.delete(listener);
-  };
-  const publish = (event) => {
-    for (const listener of listeners) {
-      try {
-        listener(event);
-      } catch {
-      }
-    }
-  };
-  const deps = {
-    sources: options.sources,
-    authToken: options.authToken,
-    approvals: options.approvals,
-    onEvent
-  };
-  const server = http.createServer(async (req, res) => {
-    try {
-      const served = await handleRequest(deps, req, res);
-      if (!served) {
-        res.writeHead(404, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "not_found", path: req.url }));
-      }
-    } catch (err) {
-      try {
-        res.writeHead(500, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "internal", message: err.message }));
-      } catch {
-      }
+}
+async function writeToKeychain(value, exec2, service = KEYCHAIN_SERVICE_DEFAULT) {
+  try {
+    const result = await exec2(
+      "security",
+      [
+        "add-generic-password",
+        "-U",
+        "-a",
+        KEYCHAIN_ACCOUNT,
+        "-s",
+        service,
+        "-w",
+        value
+      ]
+    );
+    return result.code === 0;
+  } catch {
+    return false;
+  }
+}
+function keychainServiceFor(storagePath, home = os.homedir()) {
+  const defaultPath = path.join(home, DEFAULT_STORAGE_DIR);
+  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256.sha256(Buffer.from(storagePath, "utf-8"));
+  const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
+  return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
+}
+function fallbackFilePath(home, storagePath) {
+  if (storagePath !== void 0) return path.join(storagePath, "passphrase.enc");
+  return path.join(home, DEFAULT_STORAGE_DIR, "passphrase.enc");
+}
+async function readFromFallbackFile(path, home, derive = deriveMachineKey) {
+  try {
+    await promises.access(path);
+  } catch {
+    return { status: "not-found" };
+  }
+  try {
+    const raw = await promises.readFile(path);
+    if (raw.length < 13) {
+      return { status: "unreadable", reason: "file too short to contain a valid nonce + ciphertext" };
     }
-  });
-  await new Promise((resolve2, reject) => {
-    server.once("error", reject);
-    server.listen(port, host, () => {
-      server.off("error", reject);
-      resolve2();
+    const nonce = raw.subarray(0, 12);
+    const ciphertext = raw.subarray(12);
+    const key = derive(home);
+    const cipher = aes_js.gcm(key, nonce);
+    const plain = cipher.decrypt(ciphertext);
+    return { status: "ok", value: Buffer.from(plain).toString("utf-8") };
+  } catch (err) {
+    return {
+      status: "unreadable",
+      reason: err.message ?? "unknown decryption error"
+    };
+  }
+}
+async function writeToFallbackFile(path$1, value, home, derive = deriveMachineKey) {
+  const dir = path.dirname(path$1);
+  await promises.mkdir(dir, { recursive: true, mode: 448 });
+  const nonce = crypto.randomBytes(12);
+  const key = derive(home);
+  const cipher = aes_js.gcm(key, nonce);
+  const ciphertext = cipher.encrypt(Buffer.from(value, "utf-8"));
+  const payload = Buffer.concat([nonce, Buffer.from(ciphertext)]);
+  await promises.writeFile(path$1, payload, { mode: 384 });
+}
+function deriveMachineKey(home) {
+  const info = os.userInfo();
+  const material = Buffer.from(
+    `${os.hostname()}:${info.uid}:${info.username}:${home}`,
+    "utf-8"
+  );
+  return hkdf.hkdf(sha256.sha256, material, void 0, "sanctuary-passphrase-v1", 32);
+}
+async function defaultExec(cmd, args, input) {
+  return new Promise((resolve2, reject) => {
+    const child = child_process.spawn(cmd, args, { stdio: ["pipe", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (d) => {
+      stdout += d.toString();
+    });
+    child.stderr.on("data", (d) => {
+      stderr += d.toString();
     });
+    child.on("error", reject);
+    child.on("close", (code) => resolve2({ stdout, stderr, code }));
+    if (input !== void 0) {
+      child.stdin.write(input);
+    }
+    child.stdin.end();
   });
-  const actualPort = (() => {
-    const addr = server.address();
-    if (addr && typeof addr === "object") return addr.port;
-    return port;
-  })();
-  const url = `http://${host}:${actualPort}`;
-  return {
-    url,
-    port: actualPort,
-    host,
-    stop: () => new Promise((resolve2, reject) => {
-      server.close((err) => err ? reject(err) : resolve2());
-    }),
-    publish,
-    publishActivity: (entry) => publish({ type: "activity", data: entry }),
-    publishApproval: (approval) => publish({ type: "approval", data: approval })
-  };
 }
-var DEFAULT_PORT, DEFAULT_HOST;
-var init_server = __esm({
-  "src/dashboard/server.ts"() {
-    init_api();
-    DEFAULT_PORT = 3501;
-    DEFAULT_HOST = "127.0.0.1";
+var KEYCHAIN_ACCOUNT, KEYCHAIN_SERVICE_DEFAULT, PassphraseUnreadableError;
+var init_passphrase = __esm({
+  "src/cocoon/passphrase.ts"() {
+    init_paths();
+    KEYCHAIN_ACCOUNT = "sanctuary";
+    KEYCHAIN_SERVICE_DEFAULT = "sanctuary-passphrase";
+    PassphraseUnreadableError = class extends Error {
+      path;
+      reason;
+      constructor(path, reason) {
+        super(
+          `Sanctuary passphrase file at ${path} exists but could not be decrypted (${reason}).
+
+Your existing encrypted state cannot be recovered with a new passphrase. Options:
+  1. Restore ${path} from a backup.
+  2. Re-import the original passphrase via SANCTUARY_PASSPHRASE=<value> sanctuary wrap ...
+  3. Run \`sanctuary reset-passphrase\` (coming soon) to wipe state and start fresh.
+
+Refusing to regenerate the passphrase \u2014 that would permanently destroy the data encrypted under the previous key.`
+        );
+        this.name = "PassphraseUnreadableError";
+        this.path = path;
+        this.reason = reason;
+      }
+    };
   }
 });
-
-// src/dashboard/index.ts
-async function startDashboard(options) {
-  const activity = options.initialActivity ? [...options.initialActivity] : [];
-  const pending = options.initialPendingApprovals ? [...options.initialPendingApprovals] : [];
-  const sources = {
-    mode: options.mode,
-    server_version: options.serverVersion,
-    ...options.auditLog ? { auditLog: options.auditLog } : {},
-    ...options.identityManager ? { identityManager: options.identityManager } : {},
-    ...options.clientManager ? { clientManager: options.clientManager } : {},
-    ...options.baseline ? { baseline: options.baseline } : {},
-    ...options.policy ? { policy: options.policy } : {},
-    ...options.reputation ? { reputation: options.reputation } : {},
-    ...options.teeAvailable != null ? { teeAvailable: options.teeAvailable } : {},
-    ...options.l4Evidence ? { l4Evidence: options.l4Evidence } : {},
-    activity,
-    pendingApprovals: pending
-  };
-  const serverOpts = {
-    mode: options.mode,
-    sources,
-    ...options.port != null ? { port: options.port } : {},
-    ...options.host ? { host: options.host } : {},
-    ...options.authToken ? { authToken: options.authToken } : {},
-    ...options.approvals ? { approvals: options.approvals } : {}
-  };
-  const handle = await startDashboardServer(serverOpts);
-  const wrapped = {
-    ...handle,
-    publishActivity: (entry) => {
-      activity.unshift(entry);
-      if (activity.length > 50) activity.length = 50;
-      handle.publishActivity(entry);
-    },
-    publishApproval: (approval) => {
-      pending.push(approval);
-      handle.publishApproval(approval);
+function runtimePath(storagePath) {
+  return path.join(storagePath, RUNTIME_FILE_NAME);
+}
+async function writeTenantRuntime(storagePath, state) {
+  try {
+    await promises.writeFile(
+      runtimePath(storagePath),
+      JSON.stringify(state, null, 2),
+      { mode: 384 }
+    );
+  } catch {
+  }
+}
+async function clearTenantRuntime(storagePath) {
+  try {
+    await promises.unlink(runtimePath(storagePath));
+  } catch {
+  }
+}
+async function readTenantRuntime(storagePath) {
+  try {
+    const raw = await promises.readFile(runtimePath(storagePath), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.dashboard_port !== "number" || typeof parsed.pid !== "number" || typeof parsed.started_at !== "string" || typeof parsed.version !== "string" || typeof parsed.dashboard_host !== "string" || typeof parsed.mode !== "string") {
+      return null;
     }
-  };
-  return wrapped;
+    const state = {
+      version: parsed.version,
+      pid: parsed.pid,
+      started_at: parsed.started_at,
+      dashboard_host: parsed.dashboard_host,
+      dashboard_port: parsed.dashboard_port,
+      mode: parsed.mode
+    };
+    if (typeof parsed.webhook_callback_port === "number") {
+      state.webhook_callback_port = parsed.webhook_callback_port;
+    }
+    if (typeof parsed.webhook_callback_host === "string") {
+      state.webhook_callback_host = parsed.webhook_callback_host;
+    }
+    return state;
+  } catch {
+    return null;
+  }
 }
-var init_dashboard2 = __esm({
-  "src/dashboard/index.ts"() {
-    init_server();
-    init_aggregator();
-    init_html();
-    init_api();
-    init_server();
+var RUNTIME_FILE_NAME;
+var init_runtime = __esm({
+  "src/cli/agents/runtime.ts"() {
+    RUNTIME_FILE_NAME = "runtime.json";
   }
 });
-async function createSanctuaryServer(options) {
-  const config = await loadConfig(options?.configPath);
-  await promises.mkdir(config.storage_path, { recursive: true, mode: 448 });
-  await tightenStoragePermissions(config.storage_path);
-  const storage = options?.storage ?? new FilesystemStorage(
-    `${config.storage_path}/state`
-  );
-  let masterKey;
-  let keyProtection;
-  let recoveryKey;
-  const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;
-  if (passphrase) {
-    keyProtection = "passphrase";
-    let existingParams;
+async function isTenantDir(path$1) {
+  const [hasState, hasProfile, hasFallback] = await Promise.all([
+    dirExists(path.join(path$1, "state")),
+    fileExists2(path.join(path$1, "cocoon-profile.json")),
+    fileExists2(path.join(path$1, "passphrase.enc"))
+  ]);
+  const initialized = hasState;
+  let passphraseStatus;
+  if (hasFallback) passphraseStatus = "fallback-file";
+  else if (hasProfile || hasState) passphraseStatus = "keychain";
+  else passphraseStatus = "not-initialized";
+  return { initialized, hasProfile, passphraseStatus };
+}
+async function dirExists(path) {
+  try {
+    const s = await promises.stat(path);
+    return s.isDirectory();
+  } catch {
+    return false;
+  }
+}
+async function fileExists2(path) {
+  try {
+    const s = await promises.stat(path);
+    return s.isFile();
+  } catch {
+    return false;
+  }
+}
+async function newestAuditMtime(storagePath) {
+  const auditDir = path.join(storagePath, "state", "_audit");
+  let entries = [];
+  try {
+    entries = await promises.readdir(auditDir);
+  } catch {
+    return null;
+  }
+  let newest = 0;
+  for (const name of entries) {
     try {
-      const raw = await storage.read("_meta", "key-params");
-      if (raw) {
-        const { bytesToString: bytesToString2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
-        existingParams = JSON.parse(bytesToString2(raw));
-      }
+      const s = await promises.stat(path.join(auditDir, name));
+      if (s.isFile() && s.mtimeMs > newest) newest = s.mtimeMs;
     } catch {
     }
-    const result = await deriveMasterKey(passphrase, existingParams);
-    masterKey = result.key;
-    if (!existingParams) {
-      const { stringToBytes: stringToBytes2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
-      await storage.write(
-        "_meta",
-        "key-params",
-        stringToBytes2(JSON.stringify(result.params))
-      );
+  }
+  if (newest === 0) return null;
+  return new Date(newest).toISOString();
+}
+async function readExtraPaths(root, env) {
+  const out = [];
+  const fromEnv = env.SANCTUARY_AGENTS_EXTRA_PATHS;
+  if (fromEnv && fromEnv.length > 0) {
+    for (const part of fromEnv.split(":")) {
+      const trimmed = part.trim();
+      if (trimmed.length > 0) out.push(path.resolve(trimmed));
     }
-  } else {
-    keyProtection = "recovery-key";
-    const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
-    const { stringToBytes: stringToBytes2, bytesToString: bytesToString2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
-    const { fromBase64url: fromBase64url2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
-    const { constantTimeEqual: constantTimeEqual2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
-    const existingHash = await storage.read("_meta", "recovery-key-hash");
-    if (existingHash) {
-      const envRecoveryKey = process.env.SANCTUARY_RECOVERY_KEY;
-      if (!envRecoveryKey) {
-        throw new Error(
-          "Sanctuary: Existing encrypted data found but no credentials provided.\nThis installation was previously set up with a recovery key.\n\nTo start the server, provide one of:\n  - SANCTUARY_PASSPHRASE (if you later configured a passphrase)\n  - SANCTUARY_RECOVERY_KEY (the recovery key shown at first run)\n\nWithout the correct credentials, encrypted state cannot be accessed.\nRefusing to start to prevent silent data loss."
-        );
-      }
-      let recoveryKeyBytes;
-      try {
-        recoveryKeyBytes = fromBase64url2(envRecoveryKey);
-      } catch {
-        throw new Error(
-          "Sanctuary: SANCTUARY_RECOVERY_KEY is not valid base64url. The recovery key should be the exact string shown at first run."
-        );
-      }
-      if (recoveryKeyBytes.length !== 32) {
-        throw new Error(
-          "Sanctuary: SANCTUARY_RECOVERY_KEY has incorrect length. The recovery key should be the exact string shown at first run."
-        );
-      }
-      const providedHash = hashToString2(recoveryKeyBytes);
-      const storedHash = bytesToString2(existingHash);
-      const providedHashBytes = stringToBytes2(providedHash);
-      const storedHashBytes = stringToBytes2(storedHash);
-      if (!constantTimeEqual2(providedHashBytes, storedHashBytes)) {
-        throw new Error(
-          "Sanctuary: Recovery key does not match the stored key hash.\nThe recovery key provided via SANCTUARY_RECOVERY_KEY is incorrect.\nUse the exact recovery key that was displayed at first run."
-        );
-      }
-      masterKey = recoveryKeyBytes;
-    } else {
-      const existingNamespaces = await storage.list("_meta");
-      const hasKeyParams = existingNamespaces.some((e) => e.key === "key-params");
-      if (hasKeyParams) {
-        throw new Error(
-          "Sanctuary: Found existing key derivation parameters but no recovery key hash.\nThis indicates a corrupted or incomplete installation.\nIf you previously used a passphrase, set SANCTUARY_PASSPHRASE to start."
-        );
+  }
+  try {
+    const raw = await promises.readFile(path.join(root, EXTRAS_FILE_NAME), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed)) {
+      for (const p of parsed) {
+        if (typeof p === "string" && p.trim().length > 0) out.push(path.resolve(p));
       }
-      masterKey = generateRandomKey();
-      recoveryKey = toBase64url(masterKey);
-      const keyHash = hashToString2(masterKey);
-      await storage.write(
-        "_meta",
-        "recovery-key-hash",
-        stringToBytes2(keyHash)
-      );
     }
+  } catch {
   }
-  const auditLog = new AuditLog(storage, masterKey);
-  const stateStore = new StateStore(storage, masterKey);
-  const { tools: l1Tools, identityManager } = createL1Tools(
-    stateStore,
-    storage,
-    masterKey,
-    keyProtection,
-    auditLog
-  );
-  const loadResult = await identityManager.load();
-  if (loadResult.total > 0 && loadResult.loaded === 0) {
-    console.error(
-      `
-\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
-\u2551  \u26A0  WARNING: Encrypted identities found but NONE loaded     \u2551
-\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
-\u2551  ${loadResult.total} encrypted identity file(s) found on disk              \u2551
-\u2551  0 could be decrypted with the current master key            \u2551
-\u2551                                                              \u2551
-\u2551  This usually means SANCTUARY_PASSPHRASE is missing or       \u2551
-\u2551  incorrect. The server will start but with NO identity data. \u2551
-\u2551                                                              \u2551
-\u2551  To fix: set SANCTUARY_PASSPHRASE to the passphrase used     \u2551
-\u2551  when this Sanctuary instance was first configured.          \u2551
-\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
-`
-    );
-  } else if (loadResult.failed > 0) {
-    console.error(
-      `Warning: ${loadResult.failed} of ${loadResult.total} identity files could not be decrypted (possibly corrupted).`
-    );
-  }
-  const l2Tools = [
-    {
-      name: "exec_attest",
-      description: "Generate an attestation of the current execution environment, including sovereignty assessment and degradation report.",
-      inputSchema: {
-        type: "object",
-        properties: {
-          include_hardware: { type: "boolean", default: true },
-          include_software: { type: "boolean", default: true },
-          include_network: { type: "boolean", default: true }
-        }
-      },
-      handler: async () => {
-        const degradations = [];
-        degradations.push(
-          "L2 isolation is process-level only; no TEE available"
-        );
-        return toolResult({
-          attestation: {
-            environment_type: config.execution.environment,
-            hardware: {
-              cpu_vendor: process.arch,
-              tee_available: false,
-              tee_type: void 0
-            },
-            software: {
-              os: `${process.platform}-${process.arch}`,
-              runtime: `node-${process.version}`,
-              sanctuary_version: config.version,
-              mcp_sdk_version: "1.26.0"
-            },
-            network: {
-              internet_accessible: true,
-              // Conservative assumption
-              listening_ports: [],
-              egress_restricted: false
-            },
-            isolation_level: "process",
-            sovereignty_assessment: {
-              l1_state_encrypted: true,
-              l2_execution_isolated: false,
-              l2_isolation_type: "process-level",
-              l3_proofs_available: true,
-              l4_reputation_active: true,
-              overall_level: "mvs",
-              degradations
-            }
-          },
-          attested_at: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      }
-    },
-    {
-      name: "monitor_health",
-      description: "Sanctuary Health Report (SHR) \u2014 standardized sovereignty status.",
-      inputSchema: { type: "object", properties: {} },
-      handler: async () => {
-        const storageSizeBytes = await storage.totalSize();
-        const degradations = [];
-        degradations.push({
-          layer: "l2",
-          description: "Process-level isolation only (no TEE)",
-          severity: "warning",
-          mitigation: "TEE support planned for a future release"
-        });
-        return toolResult({
-          status: degradations.some((d) => d.severity === "critical") ? "compromised" : degradations.some((d) => d.severity === "warning") ? "degraded" : "healthy",
-          storage_bytes: storageSizeBytes,
-          layers: {
-            l1: {
-              status: "active",
-              encryption_algorithm: "aes-256-gcm",
-              key_count: identityManager.list().length,
-              state_integrity: "verified",
-              last_integrity_check: (/* @__PURE__ */ new Date()).toISOString()
-            },
-            l2: {
-              status: "degraded",
-              isolation_type: "process-level",
-              attestation_available: true,
-              last_attestation: (/* @__PURE__ */ new Date()).toISOString()
-            },
-            l3: {
-              status: "active",
-              proof_system: config.disclosure.proof_system,
-              circuits_loaded: 0,
-              proofs_generated_total: 0
-            },
-            l4: {
-              status: "active",
-              mode: config.reputation.mode,
-              interaction_count: 0,
-              // TODO: track from reputation store
-              reputation_exportable: true
-            }
-          },
-          degradations,
-          checked_at: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      }
-    },
-    {
-      name: "monitor_audit_log",
-      description: "Query the sovereignty audit log.",
-      inputSchema: {
-        type: "object",
-        properties: {
-          since: { type: "string", description: "ISO 8601 timestamp" },
-          layer: {
-            type: "string",
-            enum: ["l1", "l2", "l3", "l4"]
-          },
-          operation_type: { type: "string" },
-          limit: { type: "number", default: 50 }
-        }
-      },
-      handler: async (args) => {
-        const result = await auditLog.query({
-          since: args.since,
-          layer: args.layer,
-          operation_type: args.operation_type,
-          limit: args.limit ?? 50
-        });
-        return toolResult(result);
-      }
-    }
-  ];
-  const manifestTool = {
-    name: "manifest",
-    description: "Generate the Sanctuary Interface Manifest (SIM) \u2014 a machine-readable declaration of this server's capabilities.",
-    inputSchema: { type: "object", properties: {} },
-    handler: async () => {
-      return toolResult({
-        sanctuary_version: "0.2",
-        implementation: {
-          name: "@sanctuary-framework/mcp-server",
-          version: config.version,
-          language: "typescript",
-          license: "Apache-2.0"
-        },
-        layers: {
-          l1: {
-            implemented: true,
-            interfaces: ["StateStore", "IdentityRoot"],
-            encryption: ["aes-256-gcm"],
-            identity: ["ed25519"],
-            properties: {
-              "S1.1_participant_held_keys": "full",
-              "S1.2_encryption_at_rest": "full",
-              "S1.3_integrity_verification": "full",
-              "S1.4_selective_state_sharing": "full",
-              "S1.5_state_portability": "full",
-              "S1.6_deletion_rights": "full",
-              "S1.7_identity_anchoring": "partial"
-            }
-          },
-          l2: {
-            implemented: true,
-            interfaces: ["ExecutionEnvironment", "RuntimeMonitor"],
-            isolation_types: [config.execution.environment],
-            properties: {
-              "S2.1_execution_confidentiality": "documented",
-              "S2.2_verifiable_execution": "self-reported",
-              "S2.5_attestation": "self-reported"
-            }
-          },
-          l3: {
-            implemented: true,
-            interfaces: ["ProofEngine", "DisclosurePolicy"],
-            proof_systems: [config.disclosure.proof_system],
-            properties: {
-              "S3.1_minimum_disclosure": "policy-based",
-              "S3.3_proof_without_revelation": "commitment"
-            }
-          },
-          l4: {
-            implemented: true,
-            interfaces: ["ReputationStore", "TrustBootstrap"],
-            modes: [config.reputation.mode],
-            properties: {
-              "S4.1_earned_reputation": "full",
-              "S4.2_participant_owned": "full",
-              "S4.5_sybil_resistance": "basic",
-              "S4.7_trust_bootstrapping": "full"
-            }
-          }
-        },
-        composition: {
-          sim_version: "1.0",
-          spf_supported: false,
-          shr_supported: true,
-          delegation_depth: 1
-        },
-        limitations: [
-          "L1 identity uses ed25519 only; KERI support planned for v0.2.0",
-          "L2 isolation is process-level only; TEE support planned for a future release",
-          "L3 uses commitment schemes only; ZK proofs planned for v0.2.0",
-          "L4 Sybil resistance is escrow-based only",
-          "Spec license: CC-BY-4.0 | Code license: Apache-2.0"
-        ]
-      });
-    }
-  };
-  const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);
-  const { tools: handshakeTools, handshakeResults } = createHandshakeTools(
-    config,
-    identityManager,
-    masterKey,
-    auditLog,
-    {
-      autoPublishHandshakes: config.verascore.auto_publish_handshakes,
-      verascoreUrl: config.verascore.url
-    }
-  );
-  const { tools: l4Tools, reputationStore } = createL4Tools(
-    storage,
-    masterKey,
-    identityManager,
-    auditLog,
-    handshakeResults,
-    config.verascore.url
-  );
-  const { tools: shrTools } = createSHRTools(
-    config,
-    identityManager,
-    masterKey,
-    auditLog,
-    reputationStore
-  );
-  const { tools: federationTools } = createFederationTools(
-    auditLog,
-    handshakeResults
-  );
-  const { tools: bridgeTools } = createBridgeTools(
-    storage,
-    masterKey,
-    identityManager,
-    auditLog,
-    handshakeResults
-  );
-  const { tools: auditTools } = createAuditTools(config);
-  const { tools: siemTools } = createSIEMTools(auditLog);
-  const { tools: contextGateTools, enforcer: contextGateEnforcer } = createContextGateTools(storage, masterKey, auditLog);
-  const hardeningTools = createL2HardeningTools(config.storage_path, auditLog);
-  const profileStore = new SovereigntyProfileStore(storage, masterKey);
-  await profileStore.load();
-  const { tools: profileTools } = createSovereigntyProfileTools(profileStore, auditLog);
-  const policy = await loadPrincipalPolicy(config.storage_path);
-  const baseline = new BaselineTracker(storage, masterKey);
-  await baseline.load();
-  let approvalChannel;
-  let dashboard;
-  if (config.dashboard.enabled) {
-    let authToken = config.dashboard.auth_token;
-    if (authToken === "auto") {
-      const { randomBytes: rb } = await import('crypto');
-      authToken = rb(32).toString("hex");
-    }
-    dashboard = new DashboardApprovalChannel({
-      port: config.dashboard.port,
-      host: config.dashboard.host,
-      timeout_seconds: policy.approval_channel.timeout_seconds,
-      // SEC-002: auto_deny removed — timeout always denies
-      auth_token: authToken,
-      tls: config.dashboard.tls,
-      auto_open: config.dashboard.auto_open
-    });
-    dashboard.setDependencies({
-      policy,
-      baseline,
-      auditLog,
-      identityManager,
-      handshakeResults,
-      shrOpts: { config, identityManager, masterKey },
-      sanctuaryConfig: config,
-      profileStore
-    });
-    await dashboard.start();
-    approvalChannel = dashboard;
-  } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {
-    const webhook = new WebhookApprovalChannel({
-      webhook_url: config.webhook.url,
-      webhook_secret: config.webhook.secret,
-      callback_port: config.webhook.callback_port,
-      callback_host: config.webhook.callback_host,
-      timeout_seconds: policy.approval_channel.timeout_seconds
-      // SEC-002: auto_deny removed — timeout always denies
-    });
-    await webhook.start();
-    approvalChannel = webhook;
-  } else {
-    approvalChannel = new StderrApprovalChannel(policy.approval_channel);
-  }
-  const injectionDetector = new InjectionDetector({
-    enabled: true,
-    sensitivity: "medium",
-    on_detection: "escalate"
-  });
-  const onInjectionAlert = dashboard ? (alert) => {
-    dashboard.broadcastSSE("injection-alert", {
-      tool: alert.toolName,
-      confidence: alert.result.confidence,
-      signals: alert.result.signals.map((s) => ({
-        type: s.type,
-        location: s.location,
-        severity: s.severity
-      })),
-      recommendation: alert.result.recommendation,
-      timestamp: alert.timestamp
-    });
-  } : void 0;
-  const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog, injectionDetector, onInjectionAlert);
-  const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);
-  const { tools: sanctuaryMetaTools } = createSanctuaryTools({
-    config,
-    identityManager,
-    masterKey,
-    auditLog,
-    policy,
-    keyProtection,
-    reputationStore
-  });
-  const { tools: memoryAttestTools } = createMemoryAttestTools(
-    identityManager,
-    masterKey,
-    auditLog
-  );
-  const { tools: complianceTools } = createComplianceTools({
-    config,
-    identityManager,
-    masterKey,
-    auditLog,
-    policy
-  });
-  const dashboardTools = [];
-  if (dashboard) {
-    dashboardTools.push({
-      name: "dashboard_open",
-      description: "Generate a one-click URL to open the Principal Dashboard in a browser. Returns a pre-authenticated link \u2014 no manual token entry needed.",
-      inputSchema: {
-        type: "object",
-        properties: {}
-      },
-      handler: async () => {
-        const url = dashboard.createSessionUrl();
-        return {
-          content: [
-            {
-              type: "text",
-              text: JSON.stringify({
-                dashboard_url: url,
-                base_url: dashboard.getBaseUrl(),
-                note: "Click the dashboard_url to open the Principal Dashboard. The session is pre-authenticated."
-              }, null, 2)
-            }
-          ]
-        };
-      }
-    });
+  return Array.from(new Set(out));
+}
+async function describeTenant(name, storagePath, home) {
+  const exists = await dirExists(storagePath);
+  if (!exists) return null;
+  const { initialized, hasProfile, passphraseStatus } = await isTenantDir(storagePath);
+  if (!initialized && !hasProfile && passphraseStatus === "not-initialized") {
+    return null;
   }
-  let allTools = [
-    ...l1Tools,
-    ...l2Tools,
-    ...l3Tools,
-    ...l4Tools,
-    ...policyTools,
-    ...shrTools,
-    ...handshakeTools,
-    ...federationTools,
-    ...bridgeTools,
-    ...auditTools,
-    ...siemTools,
-    ...contextGateTools,
-    ...hardeningTools,
-    ...profileTools,
-    ...dashboardTools,
-    ...sanctuaryMetaTools,
-    ...memoryAttestTools,
-    ...complianceTools,
-    manifestTool
-  ];
-  let clientManager;
-  let proxyRouter;
-  const governor = new CallGovernor();
-  const { tools: governorTools } = createGovernorTools(governor, auditLog);
-  allTools.push(...governorTools);
-  const profile = profileStore.get();
-  if (profile.upstream_servers && profile.upstream_servers.length > 0) {
-    const enabledServers = profile.upstream_servers.filter((s) => s.enabled);
-    if (enabledServers.length > 0) {
-      clientManager = new ClientManager({
-        onStateChange: (serverName, state, toolCount, error) => {
-          if (dashboard) {
-            dashboard.broadcastSSE("proxy-server-status", {
-              server: serverName,
-              state,
-              tool_count: toolCount,
-              error,
-              timestamp: (/* @__PURE__ */ new Date()).toISOString()
-            });
-          }
-          auditLog.append("l2", `proxy_server_${state}`, "system", {
-            server: serverName,
-            tool_count: toolCount,
-            error
-          });
-        }
-      });
-      proxyRouter = new ProxyRouter(
-        clientManager,
-        injectionDetector,
-        auditLog,
-        {
-          contextGateFilter: async (_toolName, args) => {
-            const activeProfile = profileStore.get();
-            if (activeProfile.features.context_gating.enabled) {
-              return args;
-            }
-            return args;
-          },
-          governor,
-          onProxyCall: (data) => {
-            if (dashboard) {
-              dashboard.broadcastProxyCall(data);
-            }
-          }
-        }
-      );
-      clientManager.configure(enabledServers).catch((err) => {
-        console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
-      });
-      await new Promise((resolve2) => setTimeout(resolve2, 2e3));
-      const proxiedTools = proxyRouter.getProxiedTools();
-      if (proxiedTools.length > 0) {
-        allTools.push(...proxiedTools);
-      }
-      if (dashboard) {
-        dashboard.setDependencies({
-          policy,
-          baseline,
-          auditLog,
-          clientManager
-        });
-        dashboard.enableFortressView(enabledServers.length);
-      }
-    }
+  const last_activity = await newestAuditMtime(storagePath);
+  const runtime = await readTenantRuntime(storagePath);
+  return {
+    name,
+    storage_path: storagePath,
+    exists: true,
+    initialized,
+    has_cocoon_profile: hasProfile,
+    keychain_service: keychainServiceFor(storagePath, home),
+    passphrase_status: passphraseStatus,
+    last_activity,
+    runtime
+  };
+}
+async function discoverTenants(options = {}) {
+  const home = options.home ?? os.homedir();
+  const env = options.env ?? process.env;
+  const root = options.root ?? path.join(home, DEFAULT_STORAGE_DIR);
+  const tenants = [];
+  const rootTenant = await describeTenant("default", root, home);
+  if (rootTenant) tenants.push(rootTenant);
+  let children = [];
+  try {
+    children = await promises.readdir(root);
+  } catch {
   }
-  allTools = allTools.map((tool) => ({
-    ...tool,
-    handler: contextGateEnforcer.wrapHandler(tool.name, tool.handler)
-  }));
-  if (proxyRouter) {
-    gate.setProxyTierResolver((toolName) => {
-      const parsed = ProxyRouter.parseProxyToolName(toolName);
-      if (!parsed) return null;
-      return proxyRouter.getTierForTool(parsed.serverName, parsed.toolName);
-    });
+  for (const child of children) {
+    const childPath = path.join(root, child);
+    if (child.startsWith(".")) continue;
+    if (child === "state" || child === "backup" || child === "config") continue;
+    const s = await promises.stat(childPath).catch(() => null);
+    if (!s || !s.isDirectory()) continue;
+    const desc = await describeTenant(child, childPath, home);
+    if (desc) tenants.push(desc);
   }
-  const server = createServer(allTools, { gate });
-  await saveConfig(config);
-  const cleanup = () => {
-    baseline.save().catch(() => {
-    });
-    if (clientManager) {
-      clientManager.shutdown().catch(() => {
-      });
-    }
-  };
-  process.on("SIGINT", cleanup);
-  process.on("SIGTERM", cleanup);
-  if (recoveryKey) {
-    console.error(
-      `\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
-\u2551  SANCTUARY: First Run \u2014 Recovery Key Generated          \u2551
-\u2551                                                          \u2551
-\u2551  Recovery Key: ${recoveryKey.slice(0, 20)}...             \u2551
-\u2551                                                          \u2551
-\u2551  SAVE THIS KEY. It will not be shown again.              \u2551
-\u2551  Without it, your encrypted state is unrecoverable.      \u2551
-\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D`
-    );
+  const extras = await readExtraPaths(root, env);
+  for (const extra of extras) {
+    if (tenants.some((t) => t.storage_path === extra)) continue;
+    const desc = await describeTenant(path.basename(extra), extra, home);
+    if (desc) tenants.push(desc);
   }
-  return {
-    server,
-    config,
-    identityManager,
-    masterKey,
-    auditLog,
-    policy
-  };
+  tenants.sort((a, b) => {
+    if (a.name === "default") return -1;
+    if (b.name === "default") return 1;
+    return a.name.localeCompare(b.name);
+  });
+  return tenants;
 }
-var init_src = __esm({
-  "src/index.ts"() {
-    init_permissions();
-    init_config();
-    init_filesystem();
-    init_state_store();
-    init_tools();
-    init_audit_log();
-    init_tools2();
-    init_tools3();
-    init_loader();
-    init_baseline();
-    init_approval_channel();
-    init_dashboard();
-    init_webhook();
-    init_gate();
-    init_tools4();
-    init_router();
-    init_router();
-    init_tools5();
-    init_tools6();
-    init_tools7();
-    init_tools8();
-    init_tools9();
-    init_siem_tools();
-    init_context_gate_tools();
-    init_hardening_tools();
-    init_sovereignty_profile();
-    init_sovereignty_profile_tools();
-    init_injection_detector();
-    init_client_manager();
-    init_proxy_router();
-    init_call_governor();
-    init_governor_tools();
-    init_sanctuary_tools();
-    init_memory_attest();
-    init_generator2();
-    init_key_derivation();
-    init_random();
-    init_encoding();
-    init_config();
-    init_state_store();
-    init_audit_log();
-    init_commitments();
-    init_zk_proofs();
-    init_policies();
-    init_reputation_store();
-    init_tiers();
-    init_registry();
-    init_context_gate();
-    init_context_gate_templates();
-    init_context_gate_recommend();
-    init_model_provenance();
-    init_context_gate();
-    init_injection_detector();
-    init_context_gate_enforcer();
-    init_sovereignty_profile();
-    init_client_manager();
-    init_proxy_router();
-    init_system_prompt_generator();
-    init_memory();
-    init_filesystem();
-    init_gate();
-    init_baseline();
-    init_loader();
-    init_approval_channel();
-    init_dashboard();
-    init_webhook();
-    init_generator();
-    init_verifier();
-    init_protocol();
-    init_attestation();
-    init_bridge();
-    init_dashboard2();
+async function findTenant(name, options = {}) {
+  const tenants = await discoverTenants(options);
+  return tenants.find((t) => t.name === name) ?? null;
+}
+var EXTRAS_FILE_NAME;
+var init_discovery = __esm({
+  "src/cli/agents/discovery.ts"() {
+    init_paths();
+    init_passphrase();
+    init_runtime();
+    EXTRAS_FILE_NAME = "agents-extra.json";
   }
 });
-function resolveStoragePath(env = process.env, home = os.homedir()) {
-  const override = env.SANCTUARY_STORAGE_PATH;
-  if (override && override.length > 0) return override;
-  return path.join(home, DEFAULT_STORAGE_DIR);
-}
-function resolveDashboardPort(explicitPort, env = process.env) {
-  if (typeof explicitPort === "number" && !Number.isNaN(explicitPort)) {
-    return explicitPort;
+function constantTimeEquals(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
   }
-  const envPort = env.SANCTUARY_DASHBOARD_PORT;
-  if (envPort) {
-    const parsed = parseInt(envPort, 10);
-    if (!Number.isNaN(parsed)) return parsed;
+  return diff === 0;
+}
+function extractToken(req, url) {
+  const header = req.headers.authorization;
+  if (header && header.startsWith("Bearer ")) {
+    return header.slice(7).trim();
   }
-  return DEFAULT_DASHBOARD_PORT;
+  const q = url.searchParams.get("token");
+  return q ?? null;
 }
-var DEFAULT_STORAGE_DIR, DEFAULT_DASHBOARD_PORT;
-var init_paths = __esm({
-  "src/paths.ts"() {
-    DEFAULT_STORAGE_DIR = ".sanctuary";
-    DEFAULT_DASHBOARD_PORT = 3501;
+function isAuthorized(deps, req, url) {
+  if (!deps.authToken) return true;
+  const token = extractToken(req, url);
+  if (!token) return false;
+  return constantTimeEquals(token, deps.authToken);
+}
+function writeJSON(res, status, payload) {
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "Cache-Control": "no-store"
+  });
+  res.end(JSON.stringify(payload));
+}
+async function readJSONBody(req) {
+  const chunks = [];
+  let size = 0;
+  const MAX = 256 * 1024;
+  for await (const chunk of req) {
+    size += chunk.length;
+    if (size > MAX) throw new Error("request body too large");
+    chunks.push(chunk);
   }
-});
-function getPlatformPaths() {
-  const home = os.homedir();
-  return {
-    "openclaw": [
-      path.join(home, ".openclaw", "openclaw.json"),
-      path.join(home, ".openclaw", "config.json"),
-      path.join(home, "Library", "Application Support", "OpenClaw", "openclaw.json"),
-      path.join(home, "Library", "Application Support", "OpenClaw", "config.json")
-    ],
-    // Hermes Agent (NousResearch, v0.9.0) canonicals live under ~/.hermes.
-    // Hermes ships `cli-config.yaml` as the primary surface per upstream docs.
-    // Sanctuary wrap v1.0 detects the JSON variant only: operators who keep
-    // YAML can still wrap via `sanctuary wrap --wrap <path>` after exporting
-    // to JSON. YAML-native detection is flagged as a v1.x follow-up.
-    "hermes": [
-      path.join(home, ".hermes", "cli-config.json"),
-      path.join(home, ".hermes", "config.json"),
-      path.join(home, ".config", "hermes", "cli-config.json")
-    ],
-    // Claude Code's modern canonical surface is ~/.claude.json (`claude mcp
-    // add` writes here). The legacy ~/.claude/settings.json shape predates
-    // it and is still respected if present. Probe order = preference order:
-    // wrap operates on the first one that exists, and bootstraps a fresh
-    // ~/.claude.json when neither is present (per the cli.ts bootstrap).
-    "claude-code": [
-      path.join(home, ".claude.json"),
-      path.join(home, ".claude", "settings.json"),
-      path.join(home, ".config", "claude-code", "settings.json")
-    ],
-    "cursor": [
-      path.join(home, ".cursor", "mcp.json")
-    ],
-    // Cline is a VS Code extension (saoudrizwan.claude-dev). Its MCP settings
-    // live under the VS Code globalStorage tree, which is OS-specific. We
-    // enumerate the three supported OS layouts; at detection time only the
-    // one matching the running OS will exist.
-    "cline": [
-      // macOS
-      path.join(
-        home,
-        "Library",
-        "Application Support",
-        "Code",
-        "User",
-        "globalStorage",
-        "saoudrizwan.claude-dev",
-        "settings",
-        "cline_mcp_settings.json"
-      ),
-      // Linux
-      path.join(
-        home,
-        ".config",
-        "Code",
-        "User",
-        "globalStorage",
-        "saoudrizwan.claude-dev",
-        "settings",
-        "cline_mcp_settings.json"
-      ),
-      // Windows (honour APPDATA when set, otherwise reconstruct under home)
-      process.env.APPDATA ? path.join(
-        process.env.APPDATA,
-        "Code",
-        "User",
-        "globalStorage",
-        "saoudrizwan.claude-dev",
-        "settings",
-        "cline_mcp_settings.json"
-      ) : path.join(
-        home,
-        "AppData",
-        "Roaming",
-        "Code",
-        "User",
-        "globalStorage",
-        "saoudrizwan.claude-dev",
-        "settings",
-        "cline_mcp_settings.json"
-      )
-    ],
-    "generic": []
-  };
+  const body = Buffer.concat(chunks).toString("utf-8");
+  if (!body) return {};
+  return JSON.parse(body);
 }
-function backupDir() {
-  return path.join(resolveStoragePath(), "backup");
+function generateEphemeralKey() {
+  return new Uint8Array(crypto.randomBytes(32));
 }
-async function backupConfig(configPath) {
-  const dir = backupDir();
-  await promises.mkdir(dir, { recursive: true, mode: 448 });
-  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  const backupPath = path.join(dir, `config-backup-${timestamp}.json`);
-  await promises.copyFile(configPath, backupPath);
-  return backupPath;
+function writeText(res, status, body, contentType = "text/plain") {
+  res.writeHead(status, {
+    "Content-Type": contentType,
+    "Cache-Control": "no-store"
+  });
+  res.end(body);
+}
+async function handleRequest(deps, req, res) {
+  const host = req.headers.host || "localhost";
+  const url = new URL(req.url ?? "/", `http://${host}`);
+  const method = (req.method ?? "GET").toUpperCase();
+  const path = url.pathname;
+  if (!isAuthorized(deps, req, url)) {
+    writeJSON(res, 401, { error: "unauthorized" });
+    return true;
+  }
+  if (method === "GET" && path === "/api/health") {
+    writeJSON(res, 200, { ok: true, mode: deps.sources.mode });
+    return true;
+  }
+  if (method === "GET" && (path === "/" || path === "/index.html")) {
+    const snapshot = await getProtectionSnapshot(deps.sources);
+    const html = renderDashboardHTML({ snapshot, authToken: deps.authToken });
+    writeText(res, 200, html, "text/html; charset=utf-8");
+    return true;
+  }
+  if (method === "GET" && path === "/api/snapshot") {
+    const snapshot = await getProtectionSnapshot(deps.sources);
+    writeJSON(res, 200, snapshot);
+    return true;
+  }
+  const approvalMatch = /^\/api\/approvals\/([^/]+)\/(allow|deny)$/.exec(path);
+  if (method === "POST" && approvalMatch) {
+    const id = decodeURIComponent(approvalMatch[1]);
+    const action = approvalMatch[2];
+    if (!deps.approvals) {
+      writeJSON(res, 503, { error: "approvals_unavailable" });
+      return true;
+    }
+    const handler = action === "allow" ? deps.approvals.allow : deps.approvals.deny;
+    try {
+      const ok2 = await handler(id);
+      writeJSON(res, ok2 ? 200 : 404, { id, action, ok: ok2 });
+    } catch (err) {
+      writeJSON(res, 500, { error: "approval_failed", message: err.message });
+    }
+    return true;
+  }
+  if (method === "GET" && path === "/api/stream") {
+    await handleStream(deps, res);
+    return true;
+  }
+  if (method === "GET" && path === "/api/templates") {
+    try {
+      const templates = listTemplates();
+      writeJSON(res, 200, { templates });
+    } catch (err) {
+      writeJSON(res, 500, {
+        error: "template_load_failed",
+        message: err.message
+      });
+    }
+    return true;
+  }
+  const templateMatch = /^\/api\/templates\/([^/]+)$/.exec(path);
+  if (method === "GET" && templateMatch) {
+    const name = decodeURIComponent(templateMatch[1]);
+    try {
+      const entry = getTemplateEntry(name);
+      if (!entry) {
+        writeJSON(res, 404, { error: "template_not_found", name });
+        return true;
+      }
+      writeJSON(res, 200, entry);
+    } catch (err) {
+      writeJSON(res, 500, {
+        error: "template_load_failed",
+        message: err.message
+      });
+    }
+    return true;
+  }
+  const initMatch = /^\/api\/templates\/([^/]+)\/init$/.exec(path);
+  if (method === "POST" && initMatch) {
+    const name = decodeURIComponent(initMatch[1]);
+    try {
+      const bundle = getTemplate2(name);
+      if (!bundle) {
+        writeJSON(res, 404, { error: "template_not_found", name });
+        return true;
+      }
+      const body = await readJSONBody(req);
+      if (!body.agent_name || typeof body.agent_name !== "string") {
+        writeJSON(res, 400, {
+          error: "validation_error",
+          message: "agent_name is required and must be a string"
+        });
+        return true;
+      }
+      if (!/^[a-zA-Z0-9_-]+$/.test(body.agent_name)) {
+        writeJSON(res, 400, {
+          error: "validation_error",
+          message: "agent_name must contain only alphanumeric characters, hyphens, and underscores"
+        });
+        return true;
+      }
+      const isAgentWrapped = deps.isAgentWrapped ?? (async (agentId) => {
+        const tenant = await findTenant(agentId);
+        if (!tenant) return false;
+        return tenant.initialized || tenant.has_cocoon_profile;
+      });
+      if (!await isAgentWrapped(body.agent_name)) {
+        writeJSON(res, 400, {
+          error: "orphan_agent_id",
+          message: `No wrapped harness found for agent_id "${body.agent_name}". Run \`sanctuary wrap\` to wrap the harness first, then retry template init.`
+        });
+        return true;
+      }
+      const nodeId = deps.nodeId ?? "dashboard-node";
+      const nodePrivateKey = deps.nodePrivateKey ?? generateEphemeralKey();
+      const principalId = deps.principalId ?? "dashboard-principal";
+      const fortressId = deps.fortressId ?? "default";
+      const result = initTemplate({
+        template_name: name,
+        agent_id: body.agent_name,
+        fortress_id: fortressId,
+        counterparty: "*",
+        policy_version: 1,
+        emitter_node: nodeId,
+        emitter_principal: principalId,
+        monotonic_seq: 1,
+        node_private_key: nodePrivateKey
+      });
+      writeJSON(res, 200, {
+        agent_id: body.agent_name,
+        signed_event_id: result.signed_event.event_id,
+        policy_version: result.compiled.policy_version,
+        template_name: name,
+        attestation_panel_url: `/console#agent_roster`
+      });
+    } catch (err) {
+      writeJSON(res, 500, {
+        error: "template_init_failed",
+        message: err.message
+      });
+    }
+    return true;
+  }
+  return false;
 }
-async function restoreConfig(backupPath, targetPath) {
-  await promises.copyFile(backupPath, targetPath);
+async function handleStream(deps, res) {
+  res.writeHead(200, {
+    "Content-Type": "text/event-stream",
+    "Cache-Control": "no-cache, no-transform",
+    Connection: "keep-alive",
+    "X-Accel-Buffering": "no"
+  });
+  const snapshot = await getProtectionSnapshot(deps.sources);
+  res.write(`event: snapshot
+data: ${JSON.stringify(snapshot)}
+
+`);
+  const unsubscribe = deps.onEvent ? deps.onEvent((event) => {
+    try {
+      res.write(`event: ${event.type}
+data: ${JSON.stringify(event.data)}
+
+`);
+    } catch {
+    }
+  }) : () => {
+  };
+  const keepAlive = setInterval(() => {
+    try {
+      res.write(": keepalive\n\n");
+    } catch {
+    }
+  }, 25e3);
+  const cleanup = () => {
+    clearInterval(keepAlive);
+    unsubscribe();
+  };
+  res.on("close", cleanup);
+  res.on("error", cleanup);
 }
-async function findLatestBackup() {
-  const metaPath = path.join(backupDir(), "cocoon-meta.json");
-  try {
-    const raw = await promises.readFile(metaPath, "utf-8");
-    const meta = JSON.parse(raw);
-    return {
-      backupPath: meta.backupPath,
-      originalPath: meta.originalPath
-    };
-  } catch {
-    return null;
+var init_api = __esm({
+  "src/dashboard/api.ts"() {
+    init_aggregator();
+    init_html();
+    init_registry2();
+    init_init();
+    init_discovery();
   }
+});
+async function startDashboardServer(options) {
+  const port = options.port ?? DEFAULT_PORT;
+  const host = options.host ?? DEFAULT_HOST;
+  const listeners = /* @__PURE__ */ new Set();
+  const onEvent = (listener) => {
+    listeners.add(listener);
+    return () => listeners.delete(listener);
+  };
+  const publish = (event) => {
+    for (const listener of listeners) {
+      try {
+        listener(event);
+      } catch {
+      }
+    }
+  };
+  const deps = {
+    sources: options.sources,
+    authToken: options.authToken,
+    approvals: options.approvals,
+    onEvent
+  };
+  const server = http.createServer(async (req, res) => {
+    try {
+      const served = await handleRequest(deps, req, res);
+      if (!served) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "not_found", path: req.url }));
+      }
+    } catch (err) {
+      try {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "internal", message: err.message }));
+      } catch {
+      }
+    }
+  });
+  await new Promise((resolve2, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.off("error", reject);
+      resolve2();
+    });
+  });
+  const actualPort = (() => {
+    const addr = server.address();
+    if (addr && typeof addr === "object") return addr.port;
+    return port;
+  })();
+  const url = `http://${host}:${actualPort}`;
+  return {
+    url,
+    port: actualPort,
+    host,
+    stop: () => new Promise((resolve2, reject) => {
+      server.close((err) => err ? reject(err) : resolve2());
+    }),
+    publish,
+    publishActivity: (entry) => publish({ type: "activity", data: entry }),
+    publishApproval: (approval) => publish({ type: "approval", data: approval })
+  };
 }
-async function saveCocoonMeta(meta) {
-  const dir = backupDir();
-  await promises.mkdir(dir, { recursive: true, mode: 448 });
-  const metaPath = path.join(dir, "cocoon-meta.json");
-  await promises.writeFile(metaPath, JSON.stringify(meta, null, 2), { mode: 384 });
+var DEFAULT_PORT, DEFAULT_HOST;
+var init_server = __esm({
+  "src/dashboard/server.ts"() {
+    init_api();
+    DEFAULT_PORT = 3501;
+    DEFAULT_HOST = "127.0.0.1";
+  }
+});
+
+// src/dashboard/index.ts
+async function startDashboard(options) {
+  const activity = options.initialActivity ? [...options.initialActivity] : [];
+  const pending = options.initialPendingApprovals ? [...options.initialPendingApprovals] : [];
+  const sources = {
+    mode: options.mode,
+    server_version: options.serverVersion,
+    ...options.auditLog ? { auditLog: options.auditLog } : {},
+    ...options.identityManager ? { identityManager: options.identityManager } : {},
+    ...options.clientManager ? { clientManager: options.clientManager } : {},
+    ...options.baseline ? { baseline: options.baseline } : {},
+    ...options.policy ? { policy: options.policy } : {},
+    ...options.reputation ? { reputation: options.reputation } : {},
+    ...options.teeAvailable != null ? { teeAvailable: options.teeAvailable } : {},
+    ...options.l4Evidence ? { l4Evidence: options.l4Evidence } : {},
+    activity,
+    pendingApprovals: pending
+  };
+  const serverOpts = {
+    mode: options.mode,
+    sources,
+    ...options.port != null ? { port: options.port } : {},
+    ...options.host ? { host: options.host } : {},
+    ...options.authToken ? { authToken: options.authToken } : {},
+    ...options.approvals ? { approvals: options.approvals } : {}
+  };
+  const handle = await startDashboardServer(serverOpts);
+  const wrapped = {
+    ...handle,
+    publishActivity: (entry) => {
+      activity.unshift(entry);
+      if (activity.length > 50) activity.length = 50;
+      handle.publishActivity(entry);
+    },
+    publishApproval: (approval) => {
+      pending.push(approval);
+      handle.publishApproval(approval);
+    }
+  };
+  return wrapped;
 }
-async function detectAgentConfigWithDiagnostics(platform4, configPath) {
-  const pathsChecked = [];
-  const errors = [];
-  if (configPath) {
-    pathsChecked.push(configPath);
-    const { config, error } = await readConfigFileWithError(configPath, platform4 ?? "generic");
-    if (error) errors.push({ path: configPath, error });
-    return { config, pathsChecked, errors };
+var init_dashboard2 = __esm({
+  "src/dashboard/index.ts"() {
+    init_server();
+    init_aggregator();
+    init_html();
+    init_api();
+    init_server();
   }
-  if (platform4) {
-    const paths = getPlatformPaths()[platform4];
-    for (const path of paths) {
-      pathsChecked.push(path);
-      const { config, error } = await readConfigFileWithError(path, platform4);
-      if (error) errors.push({ path, error });
-      if (config) return { config, pathsChecked, errors };
+});
+async function createSanctuaryServer(options) {
+  const config = await loadConfig(options?.configPath);
+  await promises.mkdir(config.storage_path, { recursive: true, mode: 448 });
+  await tightenStoragePermissions(config.storage_path);
+  const storage = options?.storage ?? new FilesystemStorage(
+    `${config.storage_path}/state`
+  );
+  let masterKey;
+  let keyProtection;
+  let recoveryKey;
+  const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;
+  if (passphrase) {
+    keyProtection = "passphrase";
+    let existingParams;
+    try {
+      const raw = await storage.read("_meta", "key-params");
+      if (raw) {
+        const { bytesToString: bytesToString2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+        existingParams = JSON.parse(bytesToString2(raw));
+      }
+    } catch {
+    }
+    const result = await deriveMasterKey(passphrase, existingParams);
+    masterKey = result.key;
+    if (!existingParams) {
+      const { stringToBytes: stringToBytes2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+      await storage.write(
+        "_meta",
+        "key-params",
+        stringToBytes2(JSON.stringify(result.params))
+      );
     }
-    return { config: null, pathsChecked, errors };
-  }
-  for (const [plat, paths] of Object.entries(getPlatformPaths())) {
-    for (const path of paths) {
-      pathsChecked.push(path);
-      const { config, error } = await readConfigFileWithError(path, plat);
-      if (error) errors.push({ path, error });
-      if (config) return { config, pathsChecked, errors };
+  } else {
+    keyProtection = "recovery-key";
+    const { hashToString: hashToString2 } = await Promise.resolve().then(() => (init_hashing(), hashing_exports));
+    const { stringToBytes: stringToBytes2, bytesToString: bytesToString2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const { fromBase64url: fromBase64url2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const { constantTimeEqual: constantTimeEqual2 } = await Promise.resolve().then(() => (init_encoding(), encoding_exports));
+    const existingHash = await storage.read("_meta", "recovery-key-hash");
+    if (existingHash) {
+      const envRecoveryKey = process.env.SANCTUARY_RECOVERY_KEY;
+      if (!envRecoveryKey) {
+        throw new Error(
+          "Sanctuary: Existing encrypted data found but no credentials provided.\nThis installation was previously set up with a recovery key.\n\nTo start the server, provide one of:\n  - SANCTUARY_PASSPHRASE (if you later configured a passphrase)\n  - SANCTUARY_RECOVERY_KEY (the recovery key shown at first run)\n\nWithout the correct credentials, encrypted state cannot be accessed.\nRefusing to start to prevent silent data loss."
+        );
+      }
+      let recoveryKeyBytes;
+      try {
+        recoveryKeyBytes = fromBase64url2(envRecoveryKey);
+      } catch {
+        throw new Error(
+          "Sanctuary: SANCTUARY_RECOVERY_KEY is not valid base64url. The recovery key should be the exact string shown at first run."
+        );
+      }
+      if (recoveryKeyBytes.length !== 32) {
+        throw new Error(
+          "Sanctuary: SANCTUARY_RECOVERY_KEY has incorrect length. The recovery key should be the exact string shown at first run."
+        );
+      }
+      const providedHash = hashToString2(recoveryKeyBytes);
+      const storedHash = bytesToString2(existingHash);
+      const providedHashBytes = stringToBytes2(providedHash);
+      const storedHashBytes = stringToBytes2(storedHash);
+      if (!constantTimeEqual2(providedHashBytes, storedHashBytes)) {
+        throw new Error(
+          "Sanctuary: Recovery key does not match the stored key hash.\nThe recovery key provided via SANCTUARY_RECOVERY_KEY is incorrect.\nUse the exact recovery key that was displayed at first run."
+        );
+      }
+      masterKey = recoveryKeyBytes;
+    } else {
+      const existingNamespaces = await storage.list("_meta");
+      const hasKeyParams = existingNamespaces.some((e) => e.key === "key-params");
+      if (hasKeyParams) {
+        throw new Error(
+          "Sanctuary: Found existing key derivation parameters but no recovery key hash.\nThis indicates a corrupted or incomplete installation.\nIf you previously used a passphrase, set SANCTUARY_PASSPHRASE to start."
+        );
+      }
+      masterKey = generateRandomKey();
+      recoveryKey = toBase64url(masterKey);
+      const keyHash = hashToString2(masterKey);
+      await storage.write(
+        "_meta",
+        "recovery-key-hash",
+        stringToBytes2(keyHash)
+      );
     }
   }
-  return { config: null, pathsChecked, errors };
-}
-async function readConfigFileWithError(path, platform4) {
-  try {
-    await promises.access(path);
-  } catch {
-    return { config: null };
-  }
-  let raw;
-  try {
-    raw = await promises.readFile(path, "utf-8");
-  } catch (err) {
-    return { config: null, error: `Cannot read file: ${err.message}` };
-  }
-  let config;
-  try {
-    config = JSON.parse(raw);
-  } catch (err) {
-    return { config: null, error: `Invalid JSON: ${err.message}` };
+  const auditLog = new AuditLog(storage, masterKey);
+  const stateStore = new StateStore(storage, masterKey);
+  const { tools: l1Tools, identityManager } = createL1Tools(
+    stateStore,
+    storage,
+    masterKey,
+    keyProtection,
+    auditLog
+  );
+  const loadResult = await identityManager.load();
+  if (loadResult.total > 0 && loadResult.loaded === 0) {
+    console.error(
+      `
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551  \u26A0  WARNING: Encrypted identities found but NONE loaded     \u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  ${loadResult.total} encrypted identity file(s) found on disk              \u2551
+\u2551  0 could be decrypted with the current master key            \u2551
+\u2551                                                              \u2551
+\u2551  This usually means SANCTUARY_PASSPHRASE is missing or       \u2551
+\u2551  incorrect. The server will start but with NO identity data. \u2551
+\u2551                                                              \u2551
+\u2551  To fix: set SANCTUARY_PASSPHRASE to the passphrase used     \u2551
+\u2551  when this Sanctuary instance was first configured.          \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`
+    );
+  } else if (loadResult.failed > 0) {
+    console.error(
+      `Warning: ${loadResult.failed} of ${loadResult.total} identity files could not be decrypted (possibly corrupted).`
+    );
   }
-  const servers = extractServers(config, platform4);
-  return { config: { platform: platform4, configPath: path, servers, rawConfig: config } };
-}
-function extractServers(config, platform4) {
-  if (!config || typeof config !== "object") return [];
-  const servers = [];
-  const obj = config;
-  if (platform4 === "openclaw" || platform4 === "generic") {
-    const mcp = obj.mcp;
-    const nestedServers = mcp?.servers;
-    if (nestedServers && typeof nestedServers === "object") {
-      for (const [name, serverConfig] of Object.entries(nestedServers)) {
-        const entry = parseServerEntry(name, serverConfig);
-        if (entry) servers.push(entry);
+  const l2Tools = [
+    {
+      name: "exec_attest",
+      description: "Generate an attestation of the current execution environment, including sovereignty assessment and degradation report.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          include_hardware: { type: "boolean", default: true },
+          include_software: { type: "boolean", default: true },
+          include_network: { type: "boolean", default: true }
+        }
+      },
+      handler: async () => {
+        const degradations = [];
+        degradations.push(
+          "L2 isolation is process-level only; no TEE available"
+        );
+        return toolResult({
+          attestation: {
+            environment_type: config.execution.environment,
+            hardware: {
+              cpu_vendor: process.arch,
+              tee_available: false,
+              tee_type: void 0
+            },
+            software: {
+              os: `${process.platform}-${process.arch}`,
+              runtime: `node-${process.version}`,
+              sanctuary_version: config.version,
+              mcp_sdk_version: "1.26.0"
+            },
+            network: {
+              internet_accessible: true,
+              // Conservative assumption
+              listening_ports: [],
+              egress_restricted: false
+            },
+            isolation_level: "process",
+            sovereignty_assessment: {
+              l1_state_encrypted: true,
+              l2_execution_isolated: false,
+              l2_isolation_type: "process-level",
+              l3_proofs_available: true,
+              l4_reputation_active: true,
+              overall_level: "mvs",
+              degradations
+            }
+          },
+          attested_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
       }
-    }
-    if (servers.length === 0) {
-      const mcpServers = obj.mcpServers;
-      if (mcpServers && typeof mcpServers === "object") {
-        for (const [name, serverConfig] of Object.entries(mcpServers)) {
-          const entry = parseServerEntry(name, serverConfig);
-          if (entry) servers.push(entry);
+    },
+    {
+      name: "monitor_health",
+      description: "Sanctuary Health Report (SHR) \u2014 standardized sovereignty status.",
+      inputSchema: { type: "object", properties: {} },
+      handler: async () => {
+        const storageSizeBytes = await storage.totalSize();
+        const degradations = [];
+        degradations.push({
+          layer: "l2",
+          description: "Process-level isolation only (no TEE)",
+          severity: "warning",
+          mitigation: "TEE support planned for a future release"
+        });
+        return toolResult({
+          status: degradations.some((d) => d.severity === "critical") ? "compromised" : degradations.some((d) => d.severity === "warning") ? "degraded" : "healthy",
+          storage_bytes: storageSizeBytes,
+          layers: {
+            l1: {
+              status: "active",
+              encryption_algorithm: "aes-256-gcm",
+              key_count: identityManager.list().length,
+              state_integrity: "verified",
+              last_integrity_check: (/* @__PURE__ */ new Date()).toISOString()
+            },
+            l2: {
+              status: "degraded",
+              isolation_type: "process-level",
+              attestation_available: true,
+              last_attestation: (/* @__PURE__ */ new Date()).toISOString()
+            },
+            l3: {
+              status: "active",
+              proof_system: config.disclosure.proof_system,
+              circuits_loaded: 0,
+              proofs_generated_total: 0
+            },
+            l4: {
+              status: "active",
+              mode: config.reputation.mode,
+              interaction_count: 0,
+              // TODO: track from reputation store
+              reputation_exportable: true
+            }
+          },
+          degradations,
+          checked_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
+    },
+    {
+      name: "monitor_audit_log",
+      description: "Query the sovereignty audit log.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          since: { type: "string", description: "ISO 8601 timestamp" },
+          layer: {
+            type: "string",
+            enum: ["l1", "l2", "l3", "l4"]
+          },
+          operation_type: { type: "string" },
+          limit: { type: "number", default: 50 }
         }
+      },
+      handler: async (args) => {
+        const result = await auditLog.query({
+          since: args.since,
+          layer: args.layer,
+          operation_type: args.operation_type,
+          limit: args.limit ?? 50
+        });
+        return toolResult(result);
       }
     }
-  }
-  if (platform4 === "claude-code") {
-    const mcpServers = obj.mcpServers;
-    if (mcpServers && typeof mcpServers === "object") {
-      for (const [name, serverConfig] of Object.entries(mcpServers)) {
-        if (isCanonicalSanctuaryName(name)) continue;
-        const entry = parseServerEntry(name, serverConfig);
-        if (entry) servers.push(entry);
-      }
+  ];
+  const manifestTool = {
+    name: "manifest",
+    description: "Generate the Sanctuary Interface Manifest (SIM) \u2014 a machine-readable declaration of this server's capabilities.",
+    inputSchema: { type: "object", properties: {} },
+    handler: async () => {
+      return toolResult({
+        sanctuary_version: "0.2",
+        implementation: {
+          name: "@sanctuary-framework/mcp-server",
+          version: config.version,
+          language: "typescript",
+          license: "Apache-2.0"
+        },
+        layers: {
+          l1: {
+            implemented: true,
+            interfaces: ["StateStore", "IdentityRoot"],
+            encryption: ["aes-256-gcm"],
+            identity: ["ed25519"],
+            properties: {
+              "S1.1_participant_held_keys": "full",
+              "S1.2_encryption_at_rest": "full",
+              "S1.3_integrity_verification": "full",
+              "S1.4_selective_state_sharing": "full",
+              "S1.5_state_portability": "full",
+              "S1.6_deletion_rights": "full",
+              "S1.7_identity_anchoring": "partial"
+            }
+          },
+          l2: {
+            implemented: true,
+            interfaces: ["ExecutionEnvironment", "RuntimeMonitor"],
+            isolation_types: [config.execution.environment],
+            properties: {
+              "S2.1_execution_confidentiality": "documented",
+              "S2.2_verifiable_execution": "self-reported",
+              "S2.5_attestation": "self-reported"
+            }
+          },
+          l3: {
+            implemented: true,
+            interfaces: ["ProofEngine", "DisclosurePolicy"],
+            proof_systems: [config.disclosure.proof_system],
+            properties: {
+              "S3.1_minimum_disclosure": "policy-based",
+              "S3.3_proof_without_revelation": "commitment"
+            }
+          },
+          l4: {
+            implemented: true,
+            interfaces: ["ReputationStore", "TrustBootstrap"],
+            modes: [config.reputation.mode],
+            properties: {
+              "S4.1_earned_reputation": "full",
+              "S4.2_participant_owned": "full",
+              "S4.5_sybil_resistance": "basic",
+              "S4.7_trust_bootstrapping": "full"
+            }
+          }
+        },
+        composition: {
+          sim_version: "1.0",
+          spf_supported: false,
+          shr_supported: true,
+          delegation_depth: 1
+        },
+        limitations: [
+          "L1 identity uses ed25519 only; KERI support planned for v0.2.0",
+          "L2 isolation is process-level only; TEE support planned for a future release",
+          "L3 uses commitment schemes only; ZK proofs planned for v0.2.0",
+          "L4 Sybil resistance is escrow-based only",
+          "Spec license: CC-BY-4.0 | Code license: Apache-2.0"
+        ]
+      });
     }
-  }
-  if (platform4 === "cursor") {
-    const mcpServers = obj.mcpServers;
-    if (mcpServers && typeof mcpServers === "object") {
-      for (const [name, serverConfig] of Object.entries(mcpServers)) {
-        if (isCanonicalSanctuaryName(name)) continue;
-        const entry = parseServerEntry(name, serverConfig);
-        if (entry) servers.push(entry);
-      }
+  };
+  const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);
+  const { tools: handshakeTools, handshakeResults } = createHandshakeTools(
+    config,
+    identityManager,
+    masterKey,
+    auditLog,
+    {
+      autoPublishHandshakes: config.verascore.auto_publish_handshakes,
+      verascoreUrl: config.verascore.url
     }
-  }
-  if (platform4 === "hermes") {
-    const mcpServers = obj.mcp_servers;
-    if (mcpServers && typeof mcpServers === "object") {
-      for (const [name, serverConfig] of Object.entries(mcpServers)) {
-        if (isCanonicalSanctuaryName(name)) continue;
-        const entry = parseServerEntry(name, serverConfig);
-        if (entry) servers.push(entry);
-      }
+  );
+  const { tools: l4Tools, reputationStore } = createL4Tools(
+    storage,
+    masterKey,
+    identityManager,
+    auditLog,
+    handshakeResults,
+    config.verascore.url
+  );
+  const { tools: shrTools } = createSHRTools(
+    config,
+    identityManager,
+    masterKey,
+    auditLog,
+    reputationStore
+  );
+  const { tools: federationTools } = createFederationTools(
+    auditLog,
+    handshakeResults
+  );
+  const { tools: bridgeTools } = createBridgeTools(
+    storage,
+    masterKey,
+    identityManager,
+    auditLog,
+    handshakeResults
+  );
+  const { tools: auditTools } = createAuditTools(config);
+  const { tools: siemTools } = createSIEMTools(auditLog);
+  const { tools: contextGateTools, enforcer: contextGateEnforcer } = createContextGateTools(storage, masterKey, auditLog);
+  const hardeningTools = createL2HardeningTools(config.storage_path, auditLog);
+  const profileStore = new SovereigntyProfileStore(storage, masterKey);
+  await profileStore.load();
+  const { tools: profileTools } = createSovereigntyProfileTools(profileStore, auditLog);
+  const policy = await loadPrincipalPolicy(config.storage_path);
+  const baseline = new BaselineTracker(storage, masterKey);
+  await baseline.load();
+  let approvalChannel;
+  let dashboard;
+  if (config.dashboard.enabled) {
+    let authToken = config.dashboard.auth_token;
+    if (authToken === "auto") {
+      const { randomBytes: rb } = await import('crypto');
+      authToken = rb(32).toString("hex");
     }
+    dashboard = new DashboardApprovalChannel({
+      port: config.dashboard.port,
+      host: config.dashboard.host,
+      timeout_seconds: policy.approval_channel.timeout_seconds,
+      // SEC-002: auto_deny removed — timeout always denies
+      auth_token: authToken,
+      tls: config.dashboard.tls,
+      auto_open: config.dashboard.auto_open
+    });
+    dashboard.setDependencies({
+      policy,
+      baseline,
+      auditLog,
+      identityManager,
+      handshakeResults,
+      shrOpts: { config, identityManager, masterKey },
+      sanctuaryConfig: config,
+      profileStore
+    });
+    await dashboard.start();
+    approvalChannel = dashboard;
+  } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {
+    const webhook = new WebhookApprovalChannel({
+      webhook_url: config.webhook.url,
+      webhook_secret: config.webhook.secret,
+      callback_port: config.webhook.callback_port,
+      callback_host: config.webhook.callback_host,
+      timeout_seconds: policy.approval_channel.timeout_seconds
+      // SEC-002: auto_deny removed — timeout always denies
+    });
+    await webhook.start();
+    approvalChannel = webhook;
+  } else {
+    approvalChannel = new StderrApprovalChannel(policy.approval_channel);
   }
-  if (platform4 === "cline") {
-    const mcpServers = obj.mcpServers;
-    if (mcpServers && typeof mcpServers === "object") {
-      for (const [name, serverConfig] of Object.entries(mcpServers)) {
-        if (isCanonicalSanctuaryName(name)) continue;
-        const entry = parseServerEntry(name, serverConfig);
-        if (entry) servers.push(entry);
+  const injectionDetector = new InjectionDetector({
+    enabled: true,
+    sensitivity: "medium",
+    on_detection: "escalate"
+  });
+  const onInjectionAlert = dashboard ? (alert) => {
+    dashboard.broadcastSSE("injection-alert", {
+      tool: alert.toolName,
+      confidence: alert.result.confidence,
+      signals: alert.result.signals.map((s) => ({
+        type: s.type,
+        location: s.location,
+        severity: s.severity
+      })),
+      recommendation: alert.result.recommendation,
+      timestamp: alert.timestamp
+    });
+  } : void 0;
+  const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog, injectionDetector, onInjectionAlert);
+  const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);
+  const { tools: sanctuaryMetaTools } = createSanctuaryTools({
+    config,
+    identityManager,
+    masterKey,
+    auditLog,
+    policy,
+    keyProtection,
+    reputationStore
+  });
+  const { tools: memoryAttestTools } = createMemoryAttestTools(
+    identityManager,
+    masterKey,
+    auditLog
+  );
+  const { tools: complianceTools } = createComplianceTools({
+    config,
+    identityManager,
+    masterKey,
+    auditLog,
+    policy
+  });
+  const dashboardTools = [];
+  if (dashboard) {
+    dashboardTools.push({
+      name: "dashboard_open",
+      description: "Generate a one-click URL to open the Principal Dashboard in a browser. Returns a pre-authenticated link \u2014 no manual token entry needed.",
+      inputSchema: {
+        type: "object",
+        properties: {}
+      },
+      handler: async () => {
+        const url = dashboard.createSessionUrl();
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                dashboard_url: url,
+                base_url: dashboard.getBaseUrl(),
+                note: "Click the dashboard_url to open the Principal Dashboard. The session is pre-authenticated."
+              }, null, 2)
+            }
+          ]
+        };
       }
-    }
-  }
-  return servers;
-}
-function isCanonicalSanctuaryName(name) {
-  return name.toLowerCase() === "sanctuary";
-}
-function parseServerEntry(name, config) {
-  if (!config || typeof config !== "object") return null;
-  const c = config;
-  const safeName = name.replace(/[^a-zA-Z0-9_-]/g, "-").substring(0, 128);
-  if (!safeName) return null;
-  if (c.url && typeof c.url === "string") {
-    return {
-      name: safeName,
-      transport: "sse",
-      url: c.url,
-      env: extractEnv(c.env)
-    };
-  }
-  if (c.command && typeof c.command === "string") {
-    return {
-      name: safeName,
-      transport: "stdio",
-      command: c.command,
-      args: Array.isArray(c.args) ? c.args.filter((a) => typeof a === "string") : void 0,
-      env: extractEnv(c.env)
-    };
-  }
-  return null;
-}
-function extractEnv(env) {
-  if (!env || typeof env !== "object") return void 0;
-  const result = {};
-  for (const [k, v] of Object.entries(env)) {
-    if (typeof v === "string") result[k] = v;
-  }
-  return Object.keys(result).length > 0 ? result : void 0;
-}
-async function rewriteConfigForCocoon(agentConfig, sanctuaryCommand, sanctuaryArgs, sanctuaryEnv) {
-  const raw = agentConfig.rawConfig;
-  let existingServers = {};
-  if (agentConfig.platform === "openclaw") {
-    const existingMcp = raw.mcp ?? {};
-    existingServers = existingMcp.servers ?? {};
-  } else if (agentConfig.platform === "hermes") {
-    existingServers = raw.mcp_servers ?? {};
-  } else {
-    existingServers = raw.mcpServers ?? {};
-  }
-  let resolvedEnv = sanctuaryEnv;
-  if (!resolvedEnv) {
-    const existingSanctuary = existingServers.sanctuary;
-    if (existingSanctuary?.env && typeof existingSanctuary.env === "object") {
-      const extracted = extractEnv(existingSanctuary.env);
-      if (extracted) resolvedEnv = extracted;
-    }
+    });
   }
-  const CRITICAL_VARS = [
-    "SANCTUARY_PASSPHRASE",
-    "SANCTUARY_DASHBOARD_AUTH_TOKEN",
-    "SANCTUARY_DASHBOARD_ENABLED"
+  let allTools = [
+    ...l1Tools,
+    ...l2Tools,
+    ...l3Tools,
+    ...l4Tools,
+    ...policyTools,
+    ...shrTools,
+    ...handshakeTools,
+    ...federationTools,
+    ...bridgeTools,
+    ...auditTools,
+    ...siemTools,
+    ...contextGateTools,
+    ...hardeningTools,
+    ...profileTools,
+    ...dashboardTools,
+    ...sanctuaryMetaTools,
+    ...memoryAttestTools,
+    ...complianceTools,
+    manifestTool
   ];
-  for (const key of CRITICAL_VARS) {
-    if (process.env[key] && (!resolvedEnv || !resolvedEnv[key])) {
-      if (!resolvedEnv) resolvedEnv = {};
-      resolvedEnv[key] = process.env[key];
-    }
-  }
-  const sanctuaryEntry = {
-    command: sanctuaryCommand,
-    args: sanctuaryArgs
-  };
-  if (resolvedEnv && Object.keys(resolvedEnv).length > 0) {
-    sanctuaryEntry.env = resolvedEnv;
-  }
-  let rewritten;
-  if (agentConfig.platform === "openclaw") {
-    const existingMcp = raw.mcp ?? {};
-    rewritten = {
-      ...raw,
-      mcp: {
-        ...existingMcp,
-        servers: {
-          ...existingServers,
-          sanctuary: sanctuaryEntry
+  let clientManager;
+  let proxyRouter;
+  const governor = new CallGovernor();
+  const { tools: governorTools } = createGovernorTools(governor, auditLog);
+  allTools.push(...governorTools);
+  const profile = profileStore.get();
+  if (profile.upstream_servers && profile.upstream_servers.length > 0) {
+    const enabledServers = profile.upstream_servers.filter((s) => s.enabled);
+    if (enabledServers.length > 0) {
+      clientManager = new ClientManager({
+        onStateChange: (serverName, state, toolCount, error) => {
+          if (dashboard) {
+            dashboard.broadcastSSE("proxy-server-status", {
+              server: serverName,
+              state,
+              tool_count: toolCount,
+              error,
+              timestamp: (/* @__PURE__ */ new Date()).toISOString()
+            });
+          }
+          auditLog.append("l2", `proxy_server_${state}`, "system", {
+            server: serverName,
+            tool_count: toolCount,
+            error
+          });
         }
+      });
+      proxyRouter = new ProxyRouter(
+        clientManager,
+        injectionDetector,
+        auditLog,
+        {
+          contextGateFilter: async (_toolName, args) => {
+            const activeProfile = profileStore.get();
+            if (activeProfile.features.context_gating.enabled) {
+              return args;
+            }
+            return args;
+          },
+          governor,
+          onProxyCall: (data) => {
+            if (dashboard) {
+              dashboard.broadcastProxyCall(data);
+            }
+          }
+        }
+      );
+      clientManager.configure(enabledServers).catch((err) => {
+        console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
+      });
+      await new Promise((resolve2) => setTimeout(resolve2, 2e3));
+      const proxiedTools = proxyRouter.getProxiedTools();
+      if (proxiedTools.length > 0) {
+        allTools.push(...proxiedTools);
+      }
+      if (dashboard) {
+        dashboard.setDependencies({
+          policy,
+          baseline,
+          auditLog,
+          clientManager
+        });
+        dashboard.enableFortressView(enabledServers.length);
       }
-    };
-    delete rewritten.mcpServers;
-  } else if (agentConfig.platform === "hermes") {
-    rewritten = {
-      ...raw,
-      mcp_servers: {
-        ...existingServers,
-        sanctuary: sanctuaryEntry
-      }
-    };
-  } else {
-    rewritten = {
-      ...raw,
-      mcpServers: {
-        ...existingServers,
-        sanctuary: sanctuaryEntry
-      }
-    };
-  }
-  await promises.writeFile(agentConfig.configPath, JSON.stringify(rewritten, null, 2), { mode: 384 });
-  return agentConfig.configPath;
-}
-var init_config_reader = __esm({
-  "src/cocoon/config-reader.ts"() {
-    init_paths();
-  }
-});
-
-// src/cocoon/passphrase.ts
-var passphrase_exports = {};
-__export(passphrase_exports, {
-  PassphraseUnreadableError: () => PassphraseUnreadableError,
-  fallbackFilePath: () => fallbackFilePath,
-  generatePassphrase: () => generatePassphrase,
-  getOrCreatePassphrase: () => getOrCreatePassphrase,
-  keychainServiceFor: () => keychainServiceFor,
-  persistUserProvidedPassphrase: () => persistUserProvidedPassphrase,
-  readStoredPassphrase: () => readStoredPassphrase
-});
-async function getOrCreatePassphrase(opts = {}) {
-  const home = opts.home ?? os.homedir();
-  const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
-  const service = keychainServiceFor(storagePath, home);
-  const plat = opts.platformOverride ?? os.platform();
-  const exec2 = opts.exec ?? defaultExec;
-  const derive = opts.deriveMachineKey ?? deriveMachineKey;
-  if (plat === "darwin") {
-    const fromKc = await readFromKeychain(exec2, service);
-    if (fromKc) {
-      return { value: fromKc, source: "keychain", location: "macOS Keychain" };
-    }
-  }
-  const fallback = fallbackFilePath(home, storagePath);
-  const fromFile = await readFromFallbackFile(fallback, home, derive);
-  if (fromFile.status === "ok") {
-    return {
-      value: fromFile.value,
-      source: "fallback-file",
-      location: fallback
-    };
-  }
-  if (fromFile.status === "unreadable") {
-    throw new PassphraseUnreadableError(fallback, fromFile.reason);
-  }
-  const value = generatePassphrase();
-  if (plat === "darwin") {
-    const ok2 = await writeToKeychain(value, exec2, service);
-    if (ok2) {
-      return { value, source: "generated", location: "macOS Keychain" };
-    }
-  }
-  await writeToFallbackFile(fallback, value, home, derive);
-  return { value, source: "generated", location: fallback };
-}
-async function readStoredPassphrase(opts = {}) {
-  const home = opts.home ?? os.homedir();
-  const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
-  const service = keychainServiceFor(storagePath, home);
-  const plat = opts.platformOverride ?? os.platform();
-  const exec2 = opts.exec ?? defaultExec;
-  const derive = opts.deriveMachineKey ?? deriveMachineKey;
-  if (plat === "darwin") {
-    const fromKc = await readFromKeychain(exec2, service);
-    if (fromKc) {
-      return { value: fromKc, source: "keychain", location: "macOS Keychain" };
     }
   }
-  const fallback = fallbackFilePath(home, storagePath);
-  const fromFile = await readFromFallbackFile(fallback, home, derive);
-  if (fromFile.status === "ok") {
-    return {
-      value: fromFile.value,
-      source: "fallback-file",
-      location: fallback
-    };
-  }
-  if (fromFile.status === "unreadable") {
-    throw new PassphraseUnreadableError(fallback, fromFile.reason);
+  allTools = allTools.map((tool) => ({
+    ...tool,
+    handler: contextGateEnforcer.wrapHandler(tool.name, tool.handler)
+  }));
+  if (proxyRouter) {
+    gate.setProxyTierResolver((toolName) => {
+      const parsed = ProxyRouter.parseProxyToolName(toolName);
+      if (!parsed) return null;
+      return proxyRouter.getTierForTool(parsed.serverName, parsed.toolName);
+    });
   }
-  return null;
-}
-async function persistUserProvidedPassphrase(value, opts = {}) {
-  const home = opts.home ?? os.homedir();
-  const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
-  const service = keychainServiceFor(storagePath, home);
-  const plat = opts.platformOverride ?? os.platform();
-  const exec2 = opts.exec ?? defaultExec;
-  const derive = opts.deriveMachineKey ?? deriveMachineKey;
-  if (plat === "darwin") {
-    const ok2 = await writeToKeychain(value, exec2, service);
-    if (ok2) {
-      return { location: "macOS Keychain", source: "keychain" };
+  const server = createServer(allTools, { gate });
+  await saveConfig(config);
+  const cleanup = () => {
+    baseline.save().catch(() => {
+    });
+    if (clientManager) {
+      clientManager.shutdown().catch(() => {
+      });
     }
-  }
-  const fallback = fallbackFilePath(home, storagePath);
-  try {
-    await writeToFallbackFile(fallback, value, home, derive);
-  } catch (err) {
-    throw new Error(
-      `Could not persist the provided passphrase to either Keychain or ${fallback}: ${err.message}. Refusing to proceed \u2014 writing the passphrase into the rewritten agent config would leak it as plaintext at rest and in process argv.`
+  };
+  process.on("SIGINT", cleanup);
+  process.on("SIGTERM", cleanup);
+  if (recoveryKey) {
+    console.error(
+      `\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551  SANCTUARY: First Run \u2014 Recovery Key Generated          \u2551
+\u2551                                                          \u2551
+\u2551  Recovery Key: ${recoveryKey.slice(0, 20)}...             \u2551
+\u2551                                                          \u2551
+\u2551  SAVE THIS KEY. It will not be shown again.              \u2551
+\u2551  Without it, your encrypted state is unrecoverable.      \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D`
     );
   }
-  return { location: fallback, source: "fallback-file" };
-}
-function generatePassphrase() {
-  return crypto.randomBytes(32).toString("base64");
+  return {
+    server,
+    config,
+    identityManager,
+    masterKey,
+    auditLog,
+    policy
+  };
 }
-async function readFromKeychain(exec2, service = KEYCHAIN_SERVICE_DEFAULT) {
-  try {
-    const result = await exec2(
-      "security",
-      ["find-generic-password", "-a", KEYCHAIN_ACCOUNT, "-s", service, "-w"]
-    );
-    if (result.code !== 0) return null;
-    const value = result.stdout.trim();
-    return value.length > 0 ? value : null;
-  } catch {
-    return null;
+var init_src = __esm({
+  "src/index.ts"() {
+    init_permissions();
+    init_config();
+    init_filesystem();
+    init_state_store();
+    init_tools();
+    init_audit_log();
+    init_tools2();
+    init_tools3();
+    init_loader();
+    init_baseline();
+    init_approval_channel();
+    init_dashboard();
+    init_webhook();
+    init_gate();
+    init_tools4();
+    init_router();
+    init_router();
+    init_tools5();
+    init_tools6();
+    init_tools7();
+    init_tools8();
+    init_tools9();
+    init_siem_tools();
+    init_context_gate_tools();
+    init_hardening_tools();
+    init_sovereignty_profile();
+    init_sovereignty_profile_tools();
+    init_injection_detector();
+    init_client_manager();
+    init_proxy_router();
+    init_call_governor();
+    init_governor_tools();
+    init_sanctuary_tools();
+    init_memory_attest();
+    init_generator2();
+    init_key_derivation();
+    init_random();
+    init_encoding();
+    init_config();
+    init_state_store();
+    init_audit_log();
+    init_commitments();
+    init_zk_proofs();
+    init_policies();
+    init_reputation_store();
+    init_tiers();
+    init_registry();
+    init_context_gate();
+    init_context_gate_templates();
+    init_context_gate_recommend();
+    init_model_provenance();
+    init_context_gate();
+    init_injection_detector();
+    init_context_gate_enforcer();
+    init_sovereignty_profile();
+    init_client_manager();
+    init_proxy_router();
+    init_system_prompt_generator();
+    init_memory();
+    init_filesystem();
+    init_gate();
+    init_baseline();
+    init_loader();
+    init_approval_channel();
+    init_dashboard();
+    init_webhook();
+    init_generator();
+    init_verifier();
+    init_protocol();
+    init_attestation();
+    init_bridge();
+    init_dashboard2();
   }
+});
+function getPlatformPaths() {
+  const home = os.homedir();
+  return {
+    "openclaw": [
+      path.join(home, ".openclaw", "openclaw.json"),
+      path.join(home, ".openclaw", "config.json"),
+      path.join(home, "Library", "Application Support", "OpenClaw", "openclaw.json"),
+      path.join(home, "Library", "Application Support", "OpenClaw", "config.json")
+    ],
+    // Hermes Agent (NousResearch, v0.9.0) canonicals live under ~/.hermes.
+    // Hermes ships `cli-config.yaml` as the primary surface per upstream docs.
+    // Sanctuary wrap v1.0 detects the JSON variant only: operators who keep
+    // YAML can still wrap via `sanctuary wrap --wrap <path>` after exporting
+    // to JSON. YAML-native detection is flagged as a v1.x follow-up.
+    "hermes": [
+      path.join(home, ".hermes", "cli-config.json"),
+      path.join(home, ".hermes", "config.json"),
+      path.join(home, ".config", "hermes", "cli-config.json")
+    ],
+    // Claude Code's modern canonical surface is ~/.claude.json (`claude mcp
+    // add` writes here). The legacy ~/.claude/settings.json shape predates
+    // it and is still respected if present. Probe order = preference order:
+    // wrap operates on the first one that exists, and bootstraps a fresh
+    // ~/.claude.json when neither is present (per the cli.ts bootstrap).
+    "claude-code": [
+      path.join(home, ".claude.json"),
+      path.join(home, ".claude", "settings.json"),
+      path.join(home, ".config", "claude-code", "settings.json")
+    ],
+    "cursor": [
+      path.join(home, ".cursor", "mcp.json")
+    ],
+    // Cline is a VS Code extension (saoudrizwan.claude-dev). Its MCP settings
+    // live under the VS Code globalStorage tree, which is OS-specific. We
+    // enumerate the three supported OS layouts; at detection time only the
+    // one matching the running OS will exist.
+    "cline": [
+      // macOS
+      path.join(
+        home,
+        "Library",
+        "Application Support",
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      ),
+      // Linux
+      path.join(
+        home,
+        ".config",
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      ),
+      // Windows (honour APPDATA when set, otherwise reconstruct under home)
+      process.env.APPDATA ? path.join(
+        process.env.APPDATA,
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      ) : path.join(
+        home,
+        "AppData",
+        "Roaming",
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      )
+    ],
+    "generic": []
+  };
+}
+function backupDir() {
+  return path.join(resolveStoragePath(), "backup");
+}
+async function backupConfig(configPath) {
+  const dir = backupDir();
+  await promises.mkdir(dir, { recursive: true, mode: 448 });
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  const backupPath = path.join(dir, `config-backup-${timestamp}.json`);
+  await promises.copyFile(configPath, backupPath);
+  return backupPath;
 }
-async function writeToKeychain(value, exec2, service = KEYCHAIN_SERVICE_DEFAULT) {
+async function restoreConfig(backupPath, targetPath) {
+  await promises.copyFile(backupPath, targetPath);
+}
+async function findLatestBackup() {
+  const metaPath = path.join(backupDir(), "cocoon-meta.json");
   try {
-    const result = await exec2(
-      "security",
-      [
-        "add-generic-password",
-        "-U",
-        "-a",
-        KEYCHAIN_ACCOUNT,
-        "-s",
-        service,
-        "-w",
-        value
-      ]
-    );
-    return result.code === 0;
+    const raw = await promises.readFile(metaPath, "utf-8");
+    const meta = JSON.parse(raw);
+    return {
+      backupPath: meta.backupPath,
+      originalPath: meta.originalPath
+    };
   } catch {
-    return false;
+    return null;
   }
 }
-function keychainServiceFor(storagePath, home = os.homedir()) {
-  const defaultPath = path.join(home, DEFAULT_STORAGE_DIR);
-  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
-  const digest = sha256.sha256(Buffer.from(storagePath, "utf-8"));
-  const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
-  return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
+async function saveCocoonMeta(meta) {
+  const dir = backupDir();
+  await promises.mkdir(dir, { recursive: true, mode: 448 });
+  const metaPath = path.join(dir, "cocoon-meta.json");
+  await promises.writeFile(metaPath, JSON.stringify(meta, null, 2), { mode: 384 });
 }
-function fallbackFilePath(home, storagePath) {
-  if (storagePath !== void 0) return path.join(storagePath, "passphrase.enc");
-  return path.join(home, DEFAULT_STORAGE_DIR, "passphrase.enc");
+async function detectAgentConfigWithDiagnostics(platform4, configPath) {
+  const pathsChecked = [];
+  const errors = [];
+  if (configPath) {
+    pathsChecked.push(configPath);
+    const { config, error } = await readConfigFileWithError(configPath, platform4 ?? "generic");
+    if (error) errors.push({ path: configPath, error });
+    return { config, pathsChecked, errors };
+  }
+  if (platform4) {
+    const paths = getPlatformPaths()[platform4];
+    for (const path of paths) {
+      pathsChecked.push(path);
+      const { config, error } = await readConfigFileWithError(path, platform4);
+      if (error) errors.push({ path, error });
+      if (config) return { config, pathsChecked, errors };
+    }
+    return { config: null, pathsChecked, errors };
+  }
+  for (const [plat, paths] of Object.entries(getPlatformPaths())) {
+    for (const path of paths) {
+      pathsChecked.push(path);
+      const { config, error } = await readConfigFileWithError(path, plat);
+      if (error) errors.push({ path, error });
+      if (config) return { config, pathsChecked, errors };
+    }
+  }
+  return { config: null, pathsChecked, errors };
 }
-async function readFromFallbackFile(path, home, derive = deriveMachineKey) {
+async function readConfigFileWithError(path, platform4) {
   try {
     await promises.access(path);
   } catch {
-    return { status: "not-found" };
+    return { config: null };
   }
+  let raw;
   try {
-    const raw = await promises.readFile(path);
-    if (raw.length < 13) {
-      return { status: "unreadable", reason: "file too short to contain a valid nonce + ciphertext" };
-    }
-    const nonce = raw.subarray(0, 12);
-    const ciphertext = raw.subarray(12);
-    const key = derive(home);
-    const cipher = aes_js.gcm(key, nonce);
-    const plain = cipher.decrypt(ciphertext);
-    return { status: "ok", value: Buffer.from(plain).toString("utf-8") };
+    raw = await promises.readFile(path, "utf-8");
   } catch (err) {
-    return {
-      status: "unreadable",
-      reason: err.message ?? "unknown decryption error"
-    };
+    return { config: null, error: `Cannot read file: ${err.message}` };
   }
+  let config;
+  try {
+    config = JSON.parse(raw);
+  } catch (err) {
+    return { config: null, error: `Invalid JSON: ${err.message}` };
+  }
+  const servers = extractServers(config, platform4);
+  return { config: { platform: platform4, configPath: path, servers, rawConfig: config } };
 }
-async function writeToFallbackFile(path$1, value, home, derive = deriveMachineKey) {
-  const dir = path.dirname(path$1);
-  await promises.mkdir(dir, { recursive: true, mode: 448 });
-  const nonce = crypto.randomBytes(12);
-  const key = derive(home);
-  const cipher = aes_js.gcm(key, nonce);
-  const ciphertext = cipher.encrypt(Buffer.from(value, "utf-8"));
-  const payload = Buffer.concat([nonce, Buffer.from(ciphertext)]);
-  await promises.writeFile(path$1, payload, { mode: 384 });
-}
-function deriveMachineKey(home) {
-  const info = os.userInfo();
-  const material = Buffer.from(
-    `${os.hostname()}:${info.uid}:${info.username}:${home}`,
-    "utf-8"
-  );
-  return hkdf.hkdf(sha256.sha256, material, void 0, "sanctuary-passphrase-v1", 32);
-}
-async function defaultExec(cmd, args, input) {
-  return new Promise((resolve2, reject) => {
-    const child = child_process.spawn(cmd, args, { stdio: ["pipe", "pipe", "pipe"] });
-    let stdout = "";
-    let stderr = "";
-    child.stdout.on("data", (d) => {
-      stdout += d.toString();
-    });
-    child.stderr.on("data", (d) => {
-      stderr += d.toString();
-    });
-    child.on("error", reject);
-    child.on("close", (code) => resolve2({ stdout, stderr, code }));
-    if (input !== void 0) {
-      child.stdin.write(input);
+function extractServers(config, platform4) {
+  if (!config || typeof config !== "object") return [];
+  const servers = [];
+  const obj = config;
+  if (platform4 === "openclaw" || platform4 === "generic") {
+    const mcp = obj.mcp;
+    const nestedServers = mcp?.servers;
+    if (nestedServers && typeof nestedServers === "object") {
+      for (const [name, serverConfig] of Object.entries(nestedServers)) {
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
     }
-    child.stdin.end();
-  });
-}
-var KEYCHAIN_ACCOUNT, KEYCHAIN_SERVICE_DEFAULT, PassphraseUnreadableError;
-var init_passphrase = __esm({
-  "src/cocoon/passphrase.ts"() {
-    init_paths();
-    KEYCHAIN_ACCOUNT = "sanctuary";
-    KEYCHAIN_SERVICE_DEFAULT = "sanctuary-passphrase";
-    PassphraseUnreadableError = class extends Error {
-      path;
-      reason;
-      constructor(path, reason) {
-        super(
-          `Sanctuary passphrase file at ${path} exists but could not be decrypted (${reason}).
-
-Your existing encrypted state cannot be recovered with a new passphrase. Options:
-  1. Restore ${path} from a backup.
-  2. Re-import the original passphrase via SANCTUARY_PASSPHRASE=<value> sanctuary wrap ...
-  3. Run \`sanctuary reset-passphrase\` (coming soon) to wipe state and start fresh.
-
-Refusing to regenerate the passphrase \u2014 that would permanently destroy the data encrypted under the previous key.`
-        );
-        this.name = "PassphraseUnreadableError";
-        this.path = path;
-        this.reason = reason;
+    if (servers.length === 0) {
+      const mcpServers = obj.mcpServers;
+      if (mcpServers && typeof mcpServers === "object") {
+        for (const [name, serverConfig] of Object.entries(mcpServers)) {
+          const entry = parseServerEntry(name, serverConfig);
+          if (entry) servers.push(entry);
+        }
       }
-    };
+    }
   }
-});
-function runtimePath(storagePath) {
-  return path.join(storagePath, RUNTIME_FILE_NAME);
+  if (platform4 === "claude-code") {
+    const mcpServers = obj.mcpServers;
+    if (mcpServers && typeof mcpServers === "object") {
+      for (const [name, serverConfig] of Object.entries(mcpServers)) {
+        if (isCanonicalSanctuaryName(name)) continue;
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+  }
+  if (platform4 === "cursor") {
+    const mcpServers = obj.mcpServers;
+    if (mcpServers && typeof mcpServers === "object") {
+      for (const [name, serverConfig] of Object.entries(mcpServers)) {
+        if (isCanonicalSanctuaryName(name)) continue;
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+  }
+  if (platform4 === "hermes") {
+    const mcpServers = obj.mcp_servers;
+    if (mcpServers && typeof mcpServers === "object") {
+      for (const [name, serverConfig] of Object.entries(mcpServers)) {
+        if (isCanonicalSanctuaryName(name)) continue;
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+  }
+  if (platform4 === "cline") {
+    const mcpServers = obj.mcpServers;
+    if (mcpServers && typeof mcpServers === "object") {
+      for (const [name, serverConfig] of Object.entries(mcpServers)) {
+        if (isCanonicalSanctuaryName(name)) continue;
+        const entry = parseServerEntry(name, serverConfig);
+        if (entry) servers.push(entry);
+      }
+    }
+  }
+  return servers;
 }
-async function writeTenantRuntime(storagePath, state) {
-  try {
-    await promises.writeFile(
-      runtimePath(storagePath),
-      JSON.stringify(state, null, 2),
-      { mode: 384 }
-    );
-  } catch {
+function isCanonicalSanctuaryName(name) {
+  return name.toLowerCase() === "sanctuary";
+}
+function parseServerEntry(name, config) {
+  if (!config || typeof config !== "object") return null;
+  const c = config;
+  const safeName = name.replace(/[^a-zA-Z0-9_-]/g, "-").substring(0, 128);
+  if (!safeName) return null;
+  if (c.url && typeof c.url === "string") {
+    return {
+      name: safeName,
+      transport: "sse",
+      url: c.url,
+      env: extractEnv(c.env)
+    };
+  }
+  if (c.command && typeof c.command === "string") {
+    return {
+      name: safeName,
+      transport: "stdio",
+      command: c.command,
+      args: Array.isArray(c.args) ? c.args.filter((a) => typeof a === "string") : void 0,
+      env: extractEnv(c.env)
+    };
   }
+  return null;
 }
-async function clearTenantRuntime(storagePath) {
-  try {
-    await promises.unlink(runtimePath(storagePath));
-  } catch {
+function extractEnv(env) {
+  if (!env || typeof env !== "object") return void 0;
+  const result = {};
+  for (const [k, v] of Object.entries(env)) {
+    if (typeof v === "string") result[k] = v;
   }
+  return Object.keys(result).length > 0 ? result : void 0;
 }
-async function readTenantRuntime(storagePath) {
-  try {
-    const raw = await promises.readFile(runtimePath(storagePath), "utf-8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.dashboard_port !== "number" || typeof parsed.pid !== "number" || typeof parsed.started_at !== "string" || typeof parsed.version !== "string" || typeof parsed.dashboard_host !== "string" || typeof parsed.mode !== "string") {
-      return null;
-    }
-    const state = {
-      version: parsed.version,
-      pid: parsed.pid,
-      started_at: parsed.started_at,
-      dashboard_host: parsed.dashboard_host,
-      dashboard_port: parsed.dashboard_port,
-      mode: parsed.mode
-    };
-    if (typeof parsed.webhook_callback_port === "number") {
-      state.webhook_callback_port = parsed.webhook_callback_port;
+async function rewriteConfigForCocoon(agentConfig, sanctuaryCommand, sanctuaryArgs, sanctuaryEnv) {
+  const raw = agentConfig.rawConfig;
+  let existingServers = {};
+  if (agentConfig.platform === "openclaw") {
+    const existingMcp = raw.mcp ?? {};
+    existingServers = existingMcp.servers ?? {};
+  } else if (agentConfig.platform === "hermes") {
+    existingServers = raw.mcp_servers ?? {};
+  } else {
+    existingServers = raw.mcpServers ?? {};
+  }
+  let resolvedEnv = sanctuaryEnv;
+  if (!resolvedEnv) {
+    const existingSanctuary = existingServers.sanctuary;
+    if (existingSanctuary?.env && typeof existingSanctuary.env === "object") {
+      const extracted = extractEnv(existingSanctuary.env);
+      if (extracted) resolvedEnv = extracted;
     }
-    if (typeof parsed.webhook_callback_host === "string") {
-      state.webhook_callback_host = parsed.webhook_callback_host;
+  }
+  const CRITICAL_VARS = [
+    "SANCTUARY_PASSPHRASE",
+    "SANCTUARY_DASHBOARD_AUTH_TOKEN",
+    "SANCTUARY_DASHBOARD_ENABLED"
+  ];
+  for (const key of CRITICAL_VARS) {
+    if (process.env[key] && (!resolvedEnv || !resolvedEnv[key])) {
+      if (!resolvedEnv) resolvedEnv = {};
+      resolvedEnv[key] = process.env[key];
     }
-    return state;
-  } catch {
-    return null;
   }
+  const sanctuaryEntry = {
+    command: sanctuaryCommand,
+    args: sanctuaryArgs
+  };
+  if (resolvedEnv && Object.keys(resolvedEnv).length > 0) {
+    sanctuaryEntry.env = resolvedEnv;
+  }
+  let rewritten;
+  if (agentConfig.platform === "openclaw") {
+    const existingMcp = raw.mcp ?? {};
+    rewritten = {
+      ...raw,
+      mcp: {
+        ...existingMcp,
+        servers: {
+          ...existingServers,
+          sanctuary: sanctuaryEntry
+        }
+      }
+    };
+    delete rewritten.mcpServers;
+  } else if (agentConfig.platform === "hermes") {
+    rewritten = {
+      ...raw,
+      mcp_servers: {
+        ...existingServers,
+        sanctuary: sanctuaryEntry
+      }
+    };
+  } else {
+    rewritten = {
+      ...raw,
+      mcpServers: {
+        ...existingServers,
+        sanctuary: sanctuaryEntry
+      }
+    };
+  }
+  await promises.writeFile(agentConfig.configPath, JSON.stringify(rewritten, null, 2), { mode: 384 });
+  return agentConfig.configPath;
 }
-var RUNTIME_FILE_NAME;
-var init_runtime = __esm({
-  "src/cli/agents/runtime.ts"() {
-    RUNTIME_FILE_NAME = "runtime.json";
+var init_config_reader = __esm({
+  "src/cocoon/config-reader.ts"() {
+    init_paths();
   }
 });
 
@@ -28124,7 +28272,7 @@ async function runTemplateCommand(args) {
     case "list":
       return cmdList2(out);
     case "init":
-      return cmdInit(rest, out, err);
+      return cmdInit(rest, out, err, args.isAgentWrapped ?? defaultIsAgentWrapped);
     default:
       err.write(`Unknown template subcommand: ${sub}
 `);
@@ -28132,6 +28280,11 @@ async function runTemplateCommand(args) {
       return 1;
   }
 }
+async function defaultIsAgentWrapped(agentId) {
+  const tenant = await findTenant(agentId);
+  if (!tenant) return false;
+  return tenant.initialized || tenant.has_cocoon_profile;
+}
 function cmdList2(out, _err) {
   const templates = listTemplates();
   out.write("\nSanctuary Template Library\n");
@@ -28155,7 +28308,7 @@ function cmdList2(out, _err) {
 function padRight(str, len) {
   return str.length >= len ? str + " " : str + " ".repeat(len - str.length);
 }
-function cmdInit(argv, out, err) {
+async function cmdInit(argv, out, err, isAgentWrapped) {
   let templateName;
   let agentId;
   let fortressId = "fortress-default";
@@ -28191,6 +28344,20 @@ function cmdInit(argv, out, err) {
     err.write("Error: --agent-id is required.\n");
     return 1;
   }
+  const wrapped = await isAgentWrapped(agentId);
+  if (!wrapped) {
+    err.write(
+      `Error: no wrapped harness found for agent-id "${agentId}".
+
+A channel-shape template binds to an already-wrapped harness.
+Wrap the harness first, then re-run template init:
+
+  sanctuary wrap --claude-code   # or --openclaw, --hermes, --cursor, --cline
+  sanctuary template init ${templateName} --agent-id ${agentId}
+`
+    );
+    return 1;
+  }
   const bundle = getTemplate2(templateName);
   if (!bundle) {
     err.write(`Error: template "${templateName}" not found.
@@ -28328,143 +28495,7 @@ var init_cli3 = __esm({
     init_registry2();
     init_init();
     init_canonical_policy();
-  }
-});
-async function isTenantDir(path$1) {
-  const [hasState, hasProfile, hasFallback] = await Promise.all([
-    dirExists(path.join(path$1, "state")),
-    fileExists2(path.join(path$1, "cocoon-profile.json")),
-    fileExists2(path.join(path$1, "passphrase.enc"))
-  ]);
-  const initialized = hasState;
-  let passphraseStatus;
-  if (hasFallback) passphraseStatus = "fallback-file";
-  else if (hasProfile || hasState) passphraseStatus = "keychain";
-  else passphraseStatus = "not-initialized";
-  return { initialized, hasProfile, passphraseStatus };
-}
-async function dirExists(path) {
-  try {
-    const s = await promises.stat(path);
-    return s.isDirectory();
-  } catch {
-    return false;
-  }
-}
-async function fileExists2(path) {
-  try {
-    const s = await promises.stat(path);
-    return s.isFile();
-  } catch {
-    return false;
-  }
-}
-async function newestAuditMtime(storagePath) {
-  const auditDir = path.join(storagePath, "state", "_audit");
-  let entries = [];
-  try {
-    entries = await promises.readdir(auditDir);
-  } catch {
-    return null;
-  }
-  let newest = 0;
-  for (const name of entries) {
-    try {
-      const s = await promises.stat(path.join(auditDir, name));
-      if (s.isFile() && s.mtimeMs > newest) newest = s.mtimeMs;
-    } catch {
-    }
-  }
-  if (newest === 0) return null;
-  return new Date(newest).toISOString();
-}
-async function readExtraPaths(root, env) {
-  const out = [];
-  const fromEnv = env.SANCTUARY_AGENTS_EXTRA_PATHS;
-  if (fromEnv && fromEnv.length > 0) {
-    for (const part of fromEnv.split(":")) {
-      const trimmed = part.trim();
-      if (trimmed.length > 0) out.push(path.resolve(trimmed));
-    }
-  }
-  try {
-    const raw = await promises.readFile(path.join(root, EXTRAS_FILE_NAME), "utf-8");
-    const parsed = JSON.parse(raw);
-    if (Array.isArray(parsed)) {
-      for (const p of parsed) {
-        if (typeof p === "string" && p.trim().length > 0) out.push(path.resolve(p));
-      }
-    }
-  } catch {
-  }
-  return Array.from(new Set(out));
-}
-async function describeTenant(name, storagePath, home) {
-  const exists = await dirExists(storagePath);
-  if (!exists) return null;
-  const { initialized, hasProfile, passphraseStatus } = await isTenantDir(storagePath);
-  if (!initialized && !hasProfile && passphraseStatus === "not-initialized") {
-    return null;
-  }
-  const last_activity = await newestAuditMtime(storagePath);
-  const runtime = await readTenantRuntime(storagePath);
-  return {
-    name,
-    storage_path: storagePath,
-    exists: true,
-    initialized,
-    has_cocoon_profile: hasProfile,
-    keychain_service: keychainServiceFor(storagePath, home),
-    passphrase_status: passphraseStatus,
-    last_activity,
-    runtime
-  };
-}
-async function discoverTenants(options = {}) {
-  const home = options.home ?? os.homedir();
-  const env = options.env ?? process.env;
-  const root = options.root ?? path.join(home, DEFAULT_STORAGE_DIR);
-  const tenants = [];
-  const rootTenant = await describeTenant("default", root, home);
-  if (rootTenant) tenants.push(rootTenant);
-  let children = [];
-  try {
-    children = await promises.readdir(root);
-  } catch {
-  }
-  for (const child of children) {
-    const childPath = path.join(root, child);
-    if (child.startsWith(".")) continue;
-    if (child === "state" || child === "backup" || child === "config") continue;
-    const s = await promises.stat(childPath).catch(() => null);
-    if (!s || !s.isDirectory()) continue;
-    const desc = await describeTenant(child, childPath, home);
-    if (desc) tenants.push(desc);
-  }
-  const extras = await readExtraPaths(root, env);
-  for (const extra of extras) {
-    if (tenants.some((t) => t.storage_path === extra)) continue;
-    const desc = await describeTenant(path.basename(extra), extra, home);
-    if (desc) tenants.push(desc);
-  }
-  tenants.sort((a, b) => {
-    if (a.name === "default") return -1;
-    if (b.name === "default") return 1;
-    return a.name.localeCompare(b.name);
-  });
-  return tenants;
-}
-async function findTenant(name, options = {}) {
-  const tenants = await discoverTenants(options);
-  return tenants.find((t) => t.name === name) ?? null;
-}
-var EXTRAS_FILE_NAME;
-var init_discovery = __esm({
-  "src/cli/agents/discovery.ts"() {
-    init_paths();
-    init_passphrase();
-    init_runtime();
-    EXTRAS_FILE_NAME = "agents-extra.json";
+    init_discovery();
   }
 });
 async function probeTenantDashboard(tenant, options = {}) {