@sanctuary-framework/mcp-server 1.0.0-rc.1 → 1.0.0-rc.2

package/dist/index.js

@@ -4,7 +4,7 @@ import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { RistrettoPoint, ed25519 } from '@noble/curves/ed25519';
 import { readFile, mkdir, writeFile, stat, unlink, readdir, chmod, access } from 'fs/promises';
-import { join, dirname } from 'path';
+import { join, basename, dirname, resolve } from 'path';
 import { platform, homedir } from 'os';
 import { createRequire } from 'module';
 import { argon2id } from 'hash-wasm';
@@ -8931,7 +8931,7 @@ var DashboardApprovalChannel = class {
       server = createServer$2(handler);
     }
     this.httpServer = server;
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const protocol = this.useTLS ? "https" : "http";
       const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
       server.listen(this.config.port, this.config.host, () => {
@@ -8956,7 +8956,7 @@ var DashboardApprovalChannel = class {
         if (shouldAutoOpen) {
           this.openInBrowser(sessionUrl);
         }
-        resolve();
+        resolve2();
       });
       server.on("error", (err) => {
         if (err.code === "EADDRINUSE") {
@@ -9002,8 +9002,8 @@ var DashboardApprovalChannel = class {
     }
     this.rateLimits.clear();
     if (this.httpServer) {
-      return new Promise((resolve) => {
-        this.httpServer.close(() => resolve());
+      return new Promise((resolve2) => {
+        this.httpServer.close(() => resolve2());
       });
     }
   }
@@ -9017,7 +9017,7 @@ var DashboardApprovalChannel = class {
       `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) \u2014 open dashboard to respond
 `
     );
-    return new Promise((resolve) => {
+    return new Promise((resolve2) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -9031,12 +9031,12 @@ var DashboardApprovalChannel = class {
           decision: response.decision,
           decided_by: "timeout"
         });
-        resolve(response);
+        resolve2(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve,
+        resolve: resolve2,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -9882,7 +9882,7 @@ var WebhookApprovalChannel = class {
    * Start the callback listener server.
    */
   async start() {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       this.callbackServer = createServer$2(
         (req, res) => this.handleCallback(req, res)
       );
@@ -9897,7 +9897,7 @@ var WebhookApprovalChannel = class {
 
 `
           );
-          resolve();
+          resolve2();
         }
       );
       this.callbackServer.on("error", reject);
@@ -9917,8 +9917,8 @@ var WebhookApprovalChannel = class {
     }
     this.pending.clear();
     if (this.callbackServer) {
-      return new Promise((resolve) => {
-        this.callbackServer.close(() => resolve());
+      return new Promise((resolve2) => {
+        this.callbackServer.close(() => resolve2());
       });
     }
   }
@@ -9931,7 +9931,7 @@ var WebhookApprovalChannel = class {
       `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) \u2014 awaiting callback
 `
     );
-    return new Promise((resolve) => {
+    return new Promise((resolve2) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -9940,12 +9940,12 @@ var WebhookApprovalChannel = class {
           decided_at: (/* @__PURE__ */ new Date()).toISOString(),
           decided_by: "timeout"
         };
-        resolve(response);
+        resolve2(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve,
+        resolve: resolve2,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -13139,7 +13139,7 @@ function createBridgeCommitment(outcome, identity, identityEncryptionKey, includ
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const canonicalBytes = canonicalize(outcome);
   const canonicalString = new TextDecoder().decode(canonicalBytes);
-  const sha2567 = createCommitment(canonicalString);
+  const sha2568 = createCommitment(canonicalString);
   let pedersenData;
   if (includePedersen && Number.isInteger(outcome.rounds) && outcome.rounds >= 0) {
     const pedersen = createPedersenCommitment(outcome.rounds);
@@ -13151,7 +13151,7 @@ function createBridgeCommitment(outcome, identity, identityEncryptionKey, includ
   const commitmentPayload = {
     bridge_commitment_id: commitmentId,
     session_id: outcome.session_id,
-    sha256_commitment: sha2567.commitment,
+    sha256_commitment: sha2568.commitment,
     terms_hash: outcome.terms_hash,
     committer_did: identity.did,
     committed_at: now,
@@ -13162,8 +13162,8 @@ function createBridgeCommitment(outcome, identity, identityEncryptionKey, includ
   return {
     bridge_commitment_id: commitmentId,
     session_id: outcome.session_id,
-    sha256_commitment: sha2567.commitment,
-    blinding_factor: sha2567.blinding_factor,
+    sha256_commitment: sha2568.commitment,
+    blinding_factor: sha2568.blinding_factor,
     committer_did: identity.did,
     signature: toBase64url(signature),
     pedersen_commitment: pedersenData,
@@ -17330,13 +17330,13 @@ var ProxyRouter = class {
    * Call an upstream tool with a timeout.
    */
   async callWithTimeout(serverName, toolName, args, timeoutMs) {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const timer = setTimeout(() => {
         reject(new Error(`Upstream tool call timed out after ${timeoutMs}ms`));
       }, timeoutMs);
       this.clientManager.callTool(serverName, toolName, args).then((result) => {
         clearTimeout(timer);
-        resolve(result);
+        resolve2(result);
       }).catch((err) => {
         clearTimeout(timer);
         reject(err);
@@ -22385,9 +22385,7 @@ var TEMPLATE_NAMES = [
   "coding-assistant",
   "ops-runner",
   "planner",
-  "handoff-coordinator",
-  "x-miner",
-  "github-miner"
+  "handoff-coordinator"
 ];
 function isTemplateName(value) {
   return typeof value === "string" && TEMPLATE_NAMES.includes(value);
@@ -23312,6 +23310,176 @@ function initTemplate(params) {
   });
   return { compiled, signed_event, bundle };
 }
+var DEFAULT_STORAGE_DIR = ".sanctuary";
+var KEYCHAIN_SERVICE_DEFAULT = "sanctuary-passphrase";
+function keychainServiceFor(storagePath, home = homedir()) {
+  const defaultPath = join(home, DEFAULT_STORAGE_DIR);
+  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256(Buffer.from(storagePath, "utf-8"));
+  const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
+  return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
+}
+var RUNTIME_FILE_NAME = "runtime.json";
+function runtimePath(storagePath) {
+  return join(storagePath, RUNTIME_FILE_NAME);
+}
+async function readTenantRuntime(storagePath) {
+  try {
+    const raw = await readFile(runtimePath(storagePath), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.dashboard_port !== "number" || typeof parsed.pid !== "number" || typeof parsed.started_at !== "string" || typeof parsed.version !== "string" || typeof parsed.dashboard_host !== "string" || typeof parsed.mode !== "string") {
+      return null;
+    }
+    const state = {
+      version: parsed.version,
+      pid: parsed.pid,
+      started_at: parsed.started_at,
+      dashboard_host: parsed.dashboard_host,
+      dashboard_port: parsed.dashboard_port,
+      mode: parsed.mode
+    };
+    if (typeof parsed.webhook_callback_port === "number") {
+      state.webhook_callback_port = parsed.webhook_callback_port;
+    }
+    if (typeof parsed.webhook_callback_host === "string") {
+      state.webhook_callback_host = parsed.webhook_callback_host;
+    }
+    return state;
+  } catch {
+    return null;
+  }
+}
+
+// src/cli/agents/discovery.ts
+var EXTRAS_FILE_NAME = "agents-extra.json";
+async function isTenantDir(path) {
+  const [hasState, hasProfile, hasFallback] = await Promise.all([
+    dirExists(join(path, "state")),
+    fileExists2(join(path, "cocoon-profile.json")),
+    fileExists2(join(path, "passphrase.enc"))
+  ]);
+  const initialized = hasState;
+  let passphraseStatus;
+  if (hasFallback) passphraseStatus = "fallback-file";
+  else if (hasProfile || hasState) passphraseStatus = "keychain";
+  else passphraseStatus = "not-initialized";
+  return { initialized, hasProfile, passphraseStatus };
+}
+async function dirExists(path) {
+  try {
+    const s = await stat(path);
+    return s.isDirectory();
+  } catch {
+    return false;
+  }
+}
+async function fileExists2(path) {
+  try {
+    const s = await stat(path);
+    return s.isFile();
+  } catch {
+    return false;
+  }
+}
+async function newestAuditMtime(storagePath) {
+  const auditDir = join(storagePath, "state", "_audit");
+  let entries = [];
+  try {
+    entries = await readdir(auditDir);
+  } catch {
+    return null;
+  }
+  let newest = 0;
+  for (const name of entries) {
+    try {
+      const s = await stat(join(auditDir, name));
+      if (s.isFile() && s.mtimeMs > newest) newest = s.mtimeMs;
+    } catch {
+    }
+  }
+  if (newest === 0) return null;
+  return new Date(newest).toISOString();
+}
+async function readExtraPaths(root, env) {
+  const out = [];
+  const fromEnv = env.SANCTUARY_AGENTS_EXTRA_PATHS;
+  if (fromEnv && fromEnv.length > 0) {
+    for (const part of fromEnv.split(":")) {
+      const trimmed = part.trim();
+      if (trimmed.length > 0) out.push(resolve(trimmed));
+    }
+  }
+  try {
+    const raw = await readFile(join(root, EXTRAS_FILE_NAME), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed)) {
+      for (const p of parsed) {
+        if (typeof p === "string" && p.trim().length > 0) out.push(resolve(p));
+      }
+    }
+  } catch {
+  }
+  return Array.from(new Set(out));
+}
+async function describeTenant(name, storagePath, home) {
+  const exists = await dirExists(storagePath);
+  if (!exists) return null;
+  const { initialized, hasProfile, passphraseStatus } = await isTenantDir(storagePath);
+  if (!initialized && !hasProfile && passphraseStatus === "not-initialized") {
+    return null;
+  }
+  const last_activity = await newestAuditMtime(storagePath);
+  const runtime = await readTenantRuntime(storagePath);
+  return {
+    name,
+    storage_path: storagePath,
+    exists: true,
+    initialized,
+    has_cocoon_profile: hasProfile,
+    keychain_service: keychainServiceFor(storagePath, home),
+    passphrase_status: passphraseStatus,
+    last_activity,
+    runtime
+  };
+}
+async function discoverTenants(options = {}) {
+  const home = options.home ?? homedir();
+  const env = options.env ?? process.env;
+  const root = options.root ?? join(home, DEFAULT_STORAGE_DIR);
+  const tenants = [];
+  const rootTenant = await describeTenant("default", root, home);
+  if (rootTenant) tenants.push(rootTenant);
+  let children = [];
+  try {
+    children = await readdir(root);
+  } catch {
+  }
+  for (const child of children) {
+    const childPath = join(root, child);
+    if (child.startsWith(".")) continue;
+    if (child === "state" || child === "backup" || child === "config") continue;
+    const s = await stat(childPath).catch(() => null);
+    if (!s || !s.isDirectory()) continue;
+    const desc = await describeTenant(child, childPath, home);
+    if (desc) tenants.push(desc);
+  }
+  const extras = await readExtraPaths(root, env);
+  for (const extra of extras) {
+    if (tenants.some((t) => t.storage_path === extra)) continue;
+    const desc = await describeTenant(basename(extra), extra, home);
+    if (desc) tenants.push(desc);
+  }
+  tenants.sort((a, b) => {
+    if (a.name === "default") return -1;
+    if (b.name === "default") return 1;
+    return a.name.localeCompare(b.name);
+  });
+  return tenants;
+}
+async function findTenant(name, options = {}) {
+  const tenants = await discoverTenants(options);
+  return tenants.find((t) => t.name === name) ?? null;
+}
 
 // src/dashboard/api.ts
 function constantTimeEquals(a, b) {
@@ -23465,6 +23633,18 @@ async function handleRequest(deps, req, res) {
         });
         return true;
       }
+      const isAgentWrapped = deps.isAgentWrapped ?? (async (agentId) => {
+        const tenant = await findTenant(agentId);
+        if (!tenant) return false;
+        return tenant.initialized || tenant.has_cocoon_profile;
+      });
+      if (!await isAgentWrapped(body.agent_name)) {
+        writeJSON(res, 400, {
+          error: "orphan_agent_id",
+          message: `No wrapped harness found for agent_id "${body.agent_name}". Run \`sanctuary wrap\` to wrap the harness first, then retry template init.`
+        });
+        return true;
+      }
       const nodeId = deps.nodeId ?? "dashboard-node";
       const nodePrivateKey = deps.nodePrivateKey ?? generateEphemeralKey();
       const principalId = deps.principalId ?? "dashboard-principal";
@@ -23573,11 +23753,11 @@ async function startDashboardServer(options) {
       }
     }
   });
-  await new Promise((resolve, reject) => {
+  await new Promise((resolve2, reject) => {
     server.once("error", reject);
     server.listen(port, host, () => {
       server.off("error", reject);
-      resolve();
+      resolve2();
     });
   });
   const actualPort = (() => {
@@ -23590,8 +23770,8 @@ async function startDashboardServer(options) {
     url,
     port: actualPort,
     host,
-    stop: () => new Promise((resolve, reject) => {
-      server.close((err) => err ? reject(err) : resolve());
+    stop: () => new Promise((resolve2, reject) => {
+      server.close((err) => err ? reject(err) : resolve2());
     }),
     publish,
     publishActivity: (entry) => publish({ type: "activity", data: entry }),
@@ -24192,7 +24372,7 @@ async function createSanctuaryServer(options) {
       clientManager.configure(enabledServers).catch((err) => {
         console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
       });
-      await new Promise((resolve) => setTimeout(resolve, 2e3));
+      await new Promise((resolve2) => setTimeout(resolve2, 2e3));
       const proxiedTools = proxyRouter.getProxiedTools();
       if (proxiedTools.length > 0) {
         allTools.push(...proxiedTools);