npm - @sanctuary-framework/mcp-server - Versions diffs - 1.0.0-rc.1 → 1.1.0 - Mend

@sanctuary-framework/mcp-server 1.0.0-rc.1 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.js CHANGED Viewed

@@ -3,8 +3,8 @@ import { gcm } from '@noble/ciphers/aes.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { RistrettoPoint, ed25519 } from '@noble/curves/ed25519';
-import { readFile, mkdir, writeFile, stat, unlink, readdir, chmod, access } from 'fs/promises';
-import { join, dirname } from 'path';
+import { readFile, mkdir, writeFile, stat, unlink, readdir, chmod, lstat, realpath, rm, access } from 'fs/promises';
+import { join, resolve, dirname, sep, basename } from 'path';
 import { platform, homedir } from 'os';
 import { createRequire } from 'module';
 import { argon2id } from 'hash-wasm';
@@ -13,7 +13,7 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import { createServer as createServer$2 } from 'http';
 import { createServer as createServer$1 } from 'https';
-import { exec, execSync } from 'child_process';
+import { exec, execSync, spawn } from 'child_process';
 import { statSync, existsSync, readFileSync } from 'fs';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
@@ -475,6 +475,15 @@ function defaultConfig() {
       auto_publish_to_verascore: true,
       // DELTA-04: default OFF for privacy. Enable explicitly per deployment.
       auto_publish_handshakes: false
+    },
+    privacy_filter: {
+      mode: "local",
+      // Fail-closed by default per Sanctuary Invariant #5: never silently
+      // degrade to a less-secure behavior on error. Operators who need a
+      // legacy fallback path opt in explicitly via config or env var.
+      fail_mode: "closed",
+      command: "opf",
+      timeout_ms: 5e3
     }
   };
 }
@@ -486,10 +495,14 @@ async function loadConfig(configPath) {
     const raw = await readFile(path, "utf-8");
     const fileConfig = JSON.parse(raw);
     config = deepMerge(config, fileConfig);
+    assertSanctuaryConfigShape(config);
   } catch (err) {
     if (err instanceof Error && err.message.includes("unimplemented features")) {
       throw err;
     }
+    if (err instanceof Error && err.message.startsWith("Sanctuary config field")) {
+      throw err;
+    }
   }
   if (process.env.SANCTUARY_STORAGE_PATH) {
     config.storage_path = process.env.SANCTUARY_STORAGE_PATH;
@@ -560,6 +573,21 @@ async function loadConfig(configPath) {
   if (process.env.SANCTUARY_AUTO_PUBLISH_HANDSHAKES === "false") {
     config.verascore.auto_publish_handshakes = false;
   }
+  if (process.env.SANCTUARY_PRIVACY_FILTER) {
+    config.privacy_filter.mode = process.env.SANCTUARY_PRIVACY_FILTER;
+  }
+  if (process.env.SANCTUARY_PRIVACY_FILTER_FAIL_MODE) {
+    config.privacy_filter.fail_mode = process.env.SANCTUARY_PRIVACY_FILTER_FAIL_MODE;
+  }
+  if (process.env.SANCTUARY_PRIVACY_FILTER_COMMAND) {
+    config.privacy_filter.command = process.env.SANCTUARY_PRIVACY_FILTER_COMMAND;
+  }
+  if (process.env.SANCTUARY_PRIVACY_FILTER_TIMEOUT_MS) {
+    config.privacy_filter.timeout_ms = parseInt(
+      process.env.SANCTUARY_PRIVACY_FILTER_TIMEOUT_MS,
+      10
+    );
+  }
   config.version = PKG_VERSION;
   validateConfig(config);
   return config;
@@ -600,6 +628,23 @@ function validateConfig(config) {
       `Unimplemented config value: reputation.mode = "${config.reputation.mode}". Only ${[...implementedReputationMode].map((v) => `"${v}"`).join(", ")} is currently implemented. Using an unimplemented reputation mode would silently skip reputation verification.`
     );
   }
+  const implementedPrivacyModes = /* @__PURE__ */ new Set(["local", "opf", "off"]);
+  if (!implementedPrivacyModes.has(config.privacy_filter.mode)) {
+    errors.push(
+      `Invalid config value: privacy_filter.mode = "${config.privacy_filter.mode}". Use ${[...implementedPrivacyModes].map((v) => `"${v}"`).join(", ")}.`
+    );
+  }
+  const implementedPrivacyFailModes = /* @__PURE__ */ new Set(["closed", "fallback"]);
+  if (!implementedPrivacyFailModes.has(config.privacy_filter.fail_mode)) {
+    errors.push(
+      `Invalid config value: privacy_filter.fail_mode = "${config.privacy_filter.fail_mode}". Use ${[...implementedPrivacyFailModes].map((v) => `"${v}"`).join(", ")}.`
+    );
+  }
+  if (!Number.isFinite(config.privacy_filter.timeout_ms) || config.privacy_filter.timeout_ms < 100) {
+    errors.push(
+      `Invalid config value: privacy_filter.timeout_ms = "${config.privacy_filter.timeout_ms}". Use an integer timeout of at least 100 ms.`
+    );
+  }
   if (errors.length > 0) {
     throw new Error(
       `Sanctuary configuration references unimplemented features:
@@ -621,6 +666,39 @@ function deepMerge(base, override) {
   }
   return result;
 }
+function assertSanctuaryConfigShape(c) {
+  const requiredObjectKeys = [
+    "state",
+    "execution",
+    "disclosure",
+    "reputation",
+    "dashboard",
+    "webhook",
+    "verascore",
+    "privacy_filter"
+  ];
+  for (const k of requiredObjectKeys) {
+    if (typeof c[k] !== "object" || c[k] === null || Array.isArray(c[k])) {
+      throw new Error(
+        `Sanctuary config field "${k}" must be an object; got ${c[k] === null ? "null" : Array.isArray(c[k]) ? "array" : typeof c[k]}`
+      );
+    }
+  }
+  if (typeof c.version !== "string") {
+    throw new Error(`Sanctuary config field "version" must be a string`);
+  }
+  if (typeof c.storage_path !== "string") {
+    throw new Error(`Sanctuary config field "storage_path" must be a string`);
+  }
+  if (c.transport !== "stdio" && c.transport !== "http") {
+    throw new Error(
+      `Sanctuary config field "transport" must be "stdio" | "http"; got ${JSON.stringify(c.transport)}`
+    );
+  }
+  if (typeof c.http_port !== "number" || !Number.isFinite(c.http_port)) {
+    throw new Error(`Sanctuary config field "http_port" must be a finite number`);
+  }
+}
 // src/storage/filesystem.ts
 init_random();
@@ -817,6 +895,11 @@ var RESERVED_NAMESPACE_PREFIXES = [
   "_context_gate_policies",
   "_fortress_mode"
 ];
+function isReservedNamespace(namespace) {
+  return RESERVED_NAMESPACE_PREFIXES.some(
+    (prefix) => namespace === prefix || namespace.startsWith(prefix + "/")
+  );
+}
 var StateStore = class _StateStore {
   storage;
   masterKey;
@@ -4145,6 +4228,25 @@ var DEFAULT_POLICY = {
     // Creates new Ed25519 identity + publishes — always requires approval
     "sanctuary_export_identity_bundle",
     // Exports portable identity — always requires approval
+    "exit_bundle_export",
+    // Complete portability bundle export. Always requires approval.
+    "exit_bundle_import",
+    // External durable-record import. Always requires approval.
+    "exit_bundle_import_activate",
+    // Activates imported material. Always requires approval.
+    "exit_bundle_rekey",
+    // Re-encrypts imported state under destination keys.
+    // v1.1 hub-control surfaces. Every operation_category in
+    // server/src/contracts/v1.1/hub-events.ts that is not already canonical
+    // here MUST be enrolled under Tier 1 in the same PR that lands the hub
+    // endpoint that surfaces it. Drift between the contract enum and this
+    // list is a release blocker per the contract comment.
+    "policy_change",
+    // Operator-driven policy bind on a wrapped agent.
+    "lockdown",
+    // Operator-driven hard-stop of a wrapped agent.
+    "unwrap",
+    // Operator-driven removal of the Sanctuary wrap from an agent.
     // WP-MVP-2 Operator Console: federation-node-join requires explicit
     // operator confirmation per Key 8. No auto-approve path. The console's
     // JoinApprover drives this gate via `MeshConsoleClient.makeJoinApprover`.
@@ -4334,6 +4436,13 @@ tier1_always_approve:
   - governor_reset
   - sanctuary_bootstrap
   - sanctuary_export_identity_bundle
+  - exit_bundle_export
+  - exit_bundle_import
+  - exit_bundle_import_activate
+  - exit_bundle_rekey
+  - policy_change
+  - lockdown
+  - unwrap
 # \u2500\u2500\u2500 Tier 2: Behavioral Anomaly Detection \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 # Triggers approval when agent behavior deviates from its baseline.
@@ -8931,7 +9040,7 @@ var DashboardApprovalChannel = class {
       server = createServer$2(handler);
     }
     this.httpServer = server;
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve4, reject) => {
       const protocol = this.useTLS ? "https" : "http";
       const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
       server.listen(this.config.port, this.config.host, () => {
@@ -8956,7 +9065,7 @@ var DashboardApprovalChannel = class {
         if (shouldAutoOpen) {
           this.openInBrowser(sessionUrl);
         }
-        resolve();
+        resolve4();
       });
       server.on("error", (err) => {
         if (err.code === "EADDRINUSE") {
@@ -9002,8 +9111,8 @@ var DashboardApprovalChannel = class {
     }
     this.rateLimits.clear();
     if (this.httpServer) {
-      return new Promise((resolve) => {
-        this.httpServer.close(() => resolve());
+      return new Promise((resolve4) => {
+        this.httpServer.close(() => resolve4());
       });
     }
   }
@@ -9017,7 +9126,7 @@ var DashboardApprovalChannel = class {
       `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) \u2014 open dashboard to respond
 `
     );
-    return new Promise((resolve) => {
+    return new Promise((resolve4) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -9031,12 +9140,12 @@ var DashboardApprovalChannel = class {
           decision: response.decision,
           decided_by: "timeout"
         });
-        resolve(response);
+        resolve4(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve,
+        resolve: resolve4,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -9882,7 +9991,7 @@ var WebhookApprovalChannel = class {
    * Start the callback listener server.
    */
   async start() {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve4, reject) => {
       this.callbackServer = createServer$2(
         (req, res) => this.handleCallback(req, res)
       );
@@ -9897,7 +10006,7 @@ var WebhookApprovalChannel = class {
 `
           );
-          resolve();
+          resolve4();
         }
       );
       this.callbackServer.on("error", reject);
@@ -9917,8 +10026,8 @@ var WebhookApprovalChannel = class {
     }
     this.pending.clear();
     if (this.callbackServer) {
-      return new Promise((resolve) => {
-        this.callbackServer.close(() => resolve());
+      return new Promise((resolve4) => {
+        this.callbackServer.close(() => resolve4());
       });
     }
   }
@@ -9931,7 +10040,7 @@ var WebhookApprovalChannel = class {
       `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) \u2014 awaiting callback
 `
     );
-    return new Promise((resolve) => {
+    return new Promise((resolve4) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -9940,12 +10049,12 @@ var WebhookApprovalChannel = class {
           decided_at: (/* @__PURE__ */ new Date()).toISOString(),
           decided_by: "timeout"
         };
-        resolve(response);
+        resolve4(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve,
+        resolve: resolve4,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -11492,7 +11601,7 @@ var ApprovalGate = class {
     return {
       allowed: response.decision === "approve",
       tier,
-      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : reason,
+      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : `Tier ${tier} operation requires approval`,
       approval_required: true,
       approval_response: response
     };
@@ -13139,7 +13248,7 @@ function createBridgeCommitment(outcome, identity, identityEncryptionKey, includ
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const canonicalBytes = canonicalize(outcome);
   const canonicalString = new TextDecoder().decode(canonicalBytes);
-  const sha2567 = createCommitment(canonicalString);
+  const sha2568 = createCommitment(canonicalString);
   let pedersenData;
   if (includePedersen && Number.isInteger(outcome.rounds) && outcome.rounds >= 0) {
     const pedersen = createPedersenCommitment(outcome.rounds);
@@ -13151,7 +13260,7 @@ function createBridgeCommitment(outcome, identity, identityEncryptionKey, includ
   const commitmentPayload = {
     bridge_commitment_id: commitmentId,
     session_id: outcome.session_id,
-    sha256_commitment: sha2567.commitment,
+    sha256_commitment: sha2568.commitment,
     terms_hash: outcome.terms_hash,
     committer_did: identity.did,
     committed_at: now,
@@ -13162,8 +13271,8 @@ function createBridgeCommitment(outcome, identity, identityEncryptionKey, includ
   return {
     bridge_commitment_id: commitmentId,
     session_id: outcome.session_id,
-    sha256_commitment: sha2567.commitment,
-    blinding_factor: sha2567.blinding_factor,
+    sha256_commitment: sha2568.commitment,
+    blinding_factor: sha2568.blinding_factor,
     committer_did: identity.did,
     signature: toBase64url(signature),
     pedersen_commitment: pedersenData,
@@ -14254,6 +14363,140 @@ function createAuditTools(config) {
   return { tools };
 }
+// src/audit/reset-history.ts
+init_hashing();
+init_encoding();
+var RESET_HISTORY_FILENAME = ".reset-history.log";
+var RECOVERED_FROM_RESET_OPERATION = "fortress_recovered_from_reset";
+var ResetHistoryMalformedError = class extends Error {
+  constructor(markerPath, lineNumber, cause) {
+    const reason = cause instanceof Error ? cause.message : String(cause);
+    super(
+      `Reset-history marker at ${markerPath} is malformed at line ${lineNumber}: ${reason}.
+Inspect the file and either correct the JSON or delete it manually before re-running.`
+    );
+    this.markerPath = markerPath;
+    this.lineNumber = lineNumber;
+    this.cause = cause;
+    this.name = "ResetHistoryMalformedError";
+  }
+};
+function parseResetHistory(content, markerPath) {
+  const markerHash = hashToString(stringToBytes(content));
+  const markers = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const raw = lines[i] ?? "";
+    if (raw.trim().length === 0) continue;
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (err) {
+      throw new ResetHistoryMalformedError(markerPath, i + 1, err);
+    }
+    markers.push(coerceMarker(parsed, markerPath, i + 1));
+  }
+  return { markers, markerHash };
+}
+function coerceMarker(raw, markerPath, lineNumber) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    throw new ResetHistoryMalformedError(
+      markerPath,
+      lineNumber,
+      new Error("expected a JSON object")
+    );
+  }
+  const obj = raw;
+  const required = [
+    "started_at",
+    "completed_at",
+    "recovery_mode",
+    "fortress_name",
+    "storage_path",
+    "keychain_cleared"
+  ];
+  for (const field of required) {
+    if (!(field in obj)) {
+      throw new ResetHistoryMalformedError(
+        markerPath,
+        lineNumber,
+        new Error(`missing required field "${field}"`)
+      );
+    }
+  }
+  if (typeof obj.started_at !== "string")
+    throw typed(markerPath, lineNumber, "started_at", "string");
+  if (typeof obj.completed_at !== "string")
+    throw typed(markerPath, lineNumber, "completed_at", "string");
+  if (typeof obj.fortress_name !== "string")
+    throw typed(markerPath, lineNumber, "fortress_name", "string");
+  if (typeof obj.storage_path !== "string")
+    throw typed(markerPath, lineNumber, "storage_path", "string");
+  if (typeof obj.keychain_cleared !== "boolean")
+    throw typed(markerPath, lineNumber, "keychain_cleared", "boolean");
+  if (obj.recovery_mode !== "shares" && obj.recovery_mode !== "guardian" && obj.recovery_mode !== "nuke") {
+    throw new ResetHistoryMalformedError(
+      markerPath,
+      lineNumber,
+      new Error(
+        `recovery_mode must be one of shares|guardian|nuke (got ${JSON.stringify(obj.recovery_mode)})`
+      )
+    );
+  }
+  return {
+    started_at: obj.started_at,
+    completed_at: obj.completed_at,
+    recovery_mode: obj.recovery_mode,
+    fortress_name: obj.fortress_name,
+    storage_path: obj.storage_path,
+    keychain_cleared: obj.keychain_cleared
+  };
+}
+function typed(markerPath, lineNumber, field, expected) {
+  return new ResetHistoryMalformedError(
+    markerPath,
+    lineNumber,
+    new Error(`field "${field}" must be a ${expected}`)
+  );
+}
+async function consumeResetHistoryMarker(options) {
+  const markerPath = join(options.storagePath, RESET_HISTORY_FILENAME);
+  if (!await fileExists2(markerPath)) {
+    return { emitted: 0, markerPath };
+  }
+  const content = await readFile(markerPath, "utf-8");
+  const { markers, markerHash } = parseResetHistory(content, markerPath);
+  if (markers.length === 0) {
+    await rm(markerPath, { force: true });
+    return { emitted: 0, markerHash, markerPath };
+  }
+  for (let i = 0; i < markers.length; i++) {
+    const marker = markers[i];
+    options.auditLog.append("l2", RECOVERED_FROM_RESET_OPERATION, "system", {
+      reset_at_started: marker.started_at,
+      reset_at_completed: marker.completed_at,
+      recovery_mode: marker.recovery_mode,
+      fortress_name: marker.fortress_name,
+      reset_storage_path: marker.storage_path,
+      keychain_cleared: marker.keychain_cleared,
+      reset_marker_hash: markerHash,
+      reset_marker_index: i,
+      reset_marker_total: markers.length
+    });
+  }
+  await options.auditLog.flush();
+  await rm(markerPath, { force: true });
+  return { emitted: markers.length, markerHash, markerPath };
+}
+async function fileExists2(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
 // src/audit/siem-formatter.ts
 function parseGateDecision(details) {
   if (!details || typeof details.gate_decision !== "string") {
@@ -15321,6 +15564,607 @@ function matchesFieldPattern(normalizedField, pattern) {
 // src/l2-operational/context-gate-enforcer.ts
 init_encoding();
 init_hashing();
+// src/l2-operational/privacy-filter.ts
+init_encryption();
+init_encoding();
+init_hashing();
+var SPAN_PATTERNS = [
+  {
+    class: "email",
+    pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
+    replacement: "[EMAIL_REDACTED]",
+    placeholderPrefix: "EMAIL",
+    detectorClass: "person"
+  },
+  {
+    class: "ssn",
+    pattern: /\b\d{3}-\d{2}-\d{4}\b/g,
+    replacement: "[SSN_REDACTED]",
+    placeholderPrefix: "SSN",
+    detectorClass: "person"
+  },
+  {
+    class: "credit_card",
+    pattern: /\b(?:\d[ -]*?){13,19}\b/g,
+    replacement: "[CARD_REDACTED]",
+    placeholderPrefix: "CARD",
+    detectorClass: "account"
+  },
+  {
+    class: "phone",
+    pattern: /\b(?:\+?1[-.\s]?)?(?:\(?\d{3}\)?[-.\s]?)\d{3}[-.\s]?\d{4}\b/g,
+    replacement: "[PHONE_REDACTED]",
+    placeholderPrefix: "PHONE",
+    detectorClass: "person"
+  },
+  {
+    class: "secret_assignment",
+    pattern: /\b(api[_-]?key|access[_-]?token|refresh[_-]?token|password|secret)\s*[:=]\s*["']?[^"',\s}]+/gi,
+    replacement: "$1=[SECRET_REDACTED]",
+    placeholderPrefix: "SECRET",
+    detectorClass: "secret"
+  },
+  {
+    class: "secret",
+    pattern: /\b(?:Bearer\s+[A-Za-z0-9._~+/-]{16,}|sk-[A-Za-z0-9_-]{12,}|sk_(?:live|test)_[A-Za-z0-9]{12,}|ghp_[A-Za-z0-9_]{20,}|xox[baprs]-[A-Za-z0-9-]{10,}|AKIA[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b/g,
+    replacement: "[SECRET_REDACTED]",
+    placeholderPrefix: "SECRET",
+    detectorClass: "secret"
+  },
+  {
+    class: "credential",
+    pattern: /\b(?:credential|credentials|client[_-]?secret|private[_-]?key)\s*[:=]\s*["']?[^"',\s}]+/gi,
+    replacement: "[CREDENTIAL_REDACTED]",
+    placeholderPrefix: "CREDENTIAL",
+    detectorClass: "credential"
+  },
+  {
+    class: "account_number",
+    pattern: /\b(?:(?:acct|account|customer|tenant|org)[_-][A-Za-z0-9]{4,}|(?:acct|account)[0-9]{4,})\b/gi,
+    replacement: "[ACCOUNT_REDACTED]",
+    placeholderPrefix: "ACCOUNT",
+    detectorClass: "account"
+  },
+  {
+    class: "file_path",
+    pattern: /(?:~\/|\/(?:Users|home|var|tmp|etc|opt)\/|[A-Za-z]:\\|\.{1,2}\/)(?:[A-Za-z0-9._-]+[\\/])+[A-Za-z0-9._-]+/g,
+    replacement: "[FILE_PATH_REDACTED]",
+    placeholderPrefix: "FILE_PATH",
+    detectorClass: "file_path"
+  }
+];
+var MAX_DEPTH = 20;
+var VAULT_NAMESPACE = "_privacy_placeholder_vault";
+var PRIVACY_VAULT_CACHE_MAX = 5e3;
+var LruCache = class {
+  max;
+  map = /* @__PURE__ */ new Map();
+  constructor(max) {
+    this.max = max;
+  }
+  get(key) {
+    const value = this.map.get(key);
+    if (value === void 0) return void 0;
+    this.map.delete(key);
+    this.map.set(key, value);
+    return value;
+  }
+  set(key, value) {
+    if (this.map.has(key)) {
+      this.map.delete(key);
+    } else if (this.map.size >= this.max) {
+      const oldestKey = this.map.keys().next().value;
+      if (oldestKey !== void 0) {
+        this.map.delete(oldestKey);
+      }
+    }
+    this.map.set(key, value);
+  }
+  has(key) {
+    return this.map.has(key);
+  }
+  get size() {
+    return this.map.size;
+  }
+};
+var PrivacyPlaceholderVault = class {
+  storage;
+  encryptionKey;
+  lookupKey;
+  cache = new LruCache(PRIVACY_VAULT_CACHE_MAX);
+  pathCache = new LruCache(PRIVACY_VAULT_CACHE_MAX);
+  constructor(storage, masterKey) {
+    this.storage = storage;
+    this.encryptionKey = derivePurposeKey(masterKey, "l2-privacy-placeholders");
+    this.lookupKey = derivePurposeKey(masterKey, "l2-privacy-placeholder-lookup");
+  }
+  async placeholderFor(spanClass, rawValue, scope = "default") {
+    const key = this.recordKey(spanClass, rawValue, scope);
+    const cached = this.cache.get(key);
+    if (cached) return cached.placeholder;
+    const existing = await this.readRecord(key);
+    if (existing) {
+      this.cache.set(key, existing);
+      return existing.placeholder;
+    }
+    const index = await this.readIndex(scope);
+    const next = (index.counters[spanClass] ?? 0) + 1;
+    index.counters[spanClass] = next;
+    const placeholder = `${placeholderPrefixFor(spanClass)}_${next}`;
+    const record = {
+      version: 1,
+      kind: "placeholder",
+      scope,
+      class: spanClass,
+      placeholder,
+      raw_value: rawValue,
+      raw_hash: this.hmacString(`raw:${rawValue}`),
+      created_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    await this.writeRecord(key, record);
+    await this.writeIndex(scope, index);
+    this.cache.set(key, record);
+    return placeholder;
+  }
+  async resolvePlaceholder(placeholder, scope = "default") {
+    const entries = await this.storage.list(VAULT_NAMESPACE, `${scope}__record__`);
+    for (const meta of entries) {
+      const record = await this.readRecord(meta.key);
+      if (record?.placeholder === placeholder) {
+        return record.raw_value;
+      }
+    }
+    return null;
+  }
+  async aliasForFieldPath(path, scope = "default") {
+    const key = this.pathRecordKey(path, scope);
+    const cached = this.pathCache.get(key);
+    if (cached) return cached.alias;
+    const existing = await this.readPathRecord(key);
+    if (existing) {
+      this.pathCache.set(key, existing);
+      return existing.alias;
+    }
+    const index = await this.readPathIndex(scope);
+    const alias = `$${index.next}`;
+    const nextIndex = { version: 1, next: index.next + 1 };
+    const record = {
+      version: 1,
+      kind: "field_path",
+      scope,
+      alias,
+      raw_path: path,
+      raw_hash: this.hmacString(`path:${path}`),
+      created_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    await this.writePathRecord(key, record);
+    await this.writePathIndex(scope, nextIndex);
+    this.pathCache.set(key, record);
+    return alias;
+  }
+  async resolveFieldPathAlias(alias, scope = "default") {
+    const entries = await this.storage.list(VAULT_NAMESPACE, `${scope}__path__`);
+    for (const meta of entries) {
+      const record = await this.readPathRecord(meta.key);
+      if (record?.alias === alias) {
+        return record.raw_path;
+      }
+    }
+    return null;
+  }
+  recordKey(spanClass, rawValue, scope) {
+    const rawHash = this.hmacString(`${scope}:${spanClass}:${rawValue}`);
+    return `${scope}__record__${spanClass}__${rawHash}`;
+  }
+  indexKey(scope) {
+    return `${scope}__index`;
+  }
+  pathRecordKey(path, scope) {
+    return `${scope}__path__${this.hmacString(`${scope}:field_path:${path}`)}`;
+  }
+  pathIndexKey(scope) {
+    return `${scope}__path_index`;
+  }
+  async readIndex(scope) {
+    const raw = await this.storage.read(VAULT_NAMESPACE, this.indexKey(scope));
+    if (!raw) return { version: 1, counters: {} };
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      return JSON.parse(bytesToString(decrypted));
+    } catch (err) {
+      throw new PrivacyVaultError("privacy_vault_index_unreadable", err);
+    }
+  }
+  async writeIndex(scope, index) {
+    const encrypted = encrypt(stringToBytes(JSON.stringify(index)), this.encryptionKey);
+    await this.storage.write(
+      VAULT_NAMESPACE,
+      this.indexKey(scope),
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  async readRecord(key) {
+    const raw = await this.storage.read(VAULT_NAMESPACE, key);
+    if (!raw) return null;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      const parsed = JSON.parse(bytesToString(decrypted));
+      return parsed.kind === "placeholder" || parsed.kind === void 0 ? parsed : null;
+    } catch (err) {
+      throw new PrivacyVaultError("privacy_vault_record_unreadable", err);
+    }
+  }
+  async writeRecord(key, record) {
+    const encrypted = encrypt(stringToBytes(JSON.stringify(record)), this.encryptionKey);
+    await this.storage.write(
+      VAULT_NAMESPACE,
+      key,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  async readPathIndex(scope) {
+    const raw = await this.storage.read(VAULT_NAMESPACE, this.pathIndexKey(scope));
+    if (!raw) return { version: 1, next: 0 };
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      return JSON.parse(bytesToString(decrypted));
+    } catch (err) {
+      throw new PrivacyVaultError("privacy_vault_path_index_unreadable", err);
+    }
+  }
+  async writePathIndex(scope, index) {
+    const encrypted = encrypt(stringToBytes(JSON.stringify(index)), this.encryptionKey);
+    await this.storage.write(
+      VAULT_NAMESPACE,
+      this.pathIndexKey(scope),
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  async readPathRecord(key) {
+    const raw = await this.storage.read(VAULT_NAMESPACE, key);
+    if (!raw) return null;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, this.encryptionKey);
+      const parsed = JSON.parse(bytesToString(decrypted));
+      return parsed.kind === "field_path" ? parsed : null;
+    } catch (err) {
+      throw new PrivacyVaultError("privacy_vault_path_record_unreadable", err);
+    }
+  }
+  async writePathRecord(key, record) {
+    const encrypted = encrypt(stringToBytes(JSON.stringify(record)), this.encryptionKey);
+    await this.storage.write(
+      VAULT_NAMESPACE,
+      key,
+      stringToBytes(JSON.stringify(encrypted))
+    );
+  }
+  hmacString(value) {
+    return bytesToHex(hmacSha256(this.lookupKey, stringToBytes(value)));
+  }
+};
+var PrivacyVaultError = class extends Error {
+  code;
+  cause;
+  constructor(code, cause) {
+    super(code);
+    this.name = "PrivacyVaultError";
+    this.code = code;
+    this.cause = cause;
+  }
+};
+function applyLocalPrivacyFilter(value, path = "$") {
+  const findings = [];
+  const filtered = filterValue(value, path, findings, 0);
+  return { value: filtered, findings };
+}
+async function applyPrivacyPlaceholders(value, vault, scope = "default", path = "$") {
+  const findings = [];
+  const filtered = await placeholderValue(value, path, findings, vault, scope, 0);
+  return { value: filtered, findings };
+}
+async function applyOpenAIPrivacyFilterResult(result, vault, scope = "default", path = "$") {
+  const text = result.text;
+  const findings = [];
+  const spans = result.detected_spans.map((span) => ({
+    ...span,
+    class: mapOpenAIPrivacyLabel(span.label)
+  })).filter(
+    (span) => span.class !== null && Number.isInteger(span.start) && Number.isInteger(span.end) && span.start >= 0 && span.end > span.start && span.end <= text.length
+  ).sort((a, b) => a.start - b.start);
+  let cursor = 0;
+  const pieces = [];
+  for (const span of spans) {
+    if (span.start < cursor) continue;
+    const raw = text.slice(span.start, span.end);
+    const placeholder = await vault.placeholderFor(span.class, raw, scope);
+    pieces.push(text.slice(cursor, span.start));
+    pieces.push(placeholder);
+    cursor = span.end;
+    findings.push({
+      path,
+      class: span.class,
+      action: "placeholder",
+      placeholder
+    });
+  }
+  pieces.push(text.slice(cursor));
+  return {
+    value: pieces.join(""),
+    findings
+  };
+}
+function detectSensitiveSpans(input, options = {}) {
+  const spans = [];
+  addConfiguredTermSpans(
+    spans,
+    input,
+    options.clientNames ?? [],
+    "client",
+    "client",
+    "CLIENT"
+  );
+  addConfiguredTermSpans(
+    spans,
+    input,
+    options.projectNames ?? [],
+    "project",
+    "project",
+    "PROJECT"
+  );
+  addConfiguredTermSpans(
+    spans,
+    input,
+    options.domainTerms ?? [],
+    "domain_term",
+    "domain_term",
+    "TERM"
+  );
+  addConfiguredTermSpans(
+    spans,
+    input,
+    options.personNames ?? [],
+    "person",
+    "person",
+    "PERSON"
+  );
+  const pathHint = options.pathHint?.toLowerCase() ?? "";
+  if (input.length <= 120 && /(?:^|[^a-z0-9])(?:name|owner|recipient|contact|person)(?:$|[^a-z0-9])/.test(pathHint) && /^[A-Z][A-Za-z'-]+(?:\s+[A-Z][A-Za-z'-]+){1,3}$/.test(input.trim())) {
+    const start = input.indexOf(input.trim());
+    spans.push({
+      class: "person",
+      detectorClass: "person",
+      start,
+      end: start + input.trim().length,
+      text: input.trim(),
+      placeholderPrefix: "PERSON"
+    });
+  }
+  for (const pattern of SPAN_PATTERNS) {
+    pattern.pattern.lastIndex = 0;
+    for (const match of input.matchAll(pattern.pattern)) {
+      if (match.index === void 0 || match[0].length === 0) continue;
+      spans.push({
+        class: pattern.class,
+        detectorClass: pattern.detectorClass ?? detectorClassForSpan(pattern.class),
+        start: match.index,
+        end: match.index + match[0].length,
+        text: match[0],
+        placeholderPrefix: pattern.placeholderPrefix
+      });
+    }
+  }
+  return removeOverlappingSpans(spans);
+}
+function detectorClassForSpan(spanClass) {
+  switch (spanClass) {
+    case "client":
+      return "client";
+    case "project":
+      return "project";
+    case "secret":
+    case "secret_assignment":
+      return "secret";
+    case "credential":
+      return "credential";
+    case "account_number":
+    case "credit_card":
+      return "account";
+    case "file_path":
+      return "file_path";
+    case "domain_term":
+      return "domain_term";
+    case "custom":
+      return "custom";
+    case "email":
+    case "phone":
+    case "ssn":
+    case "address":
+    case "person":
+    case "url":
+    case "date":
+    default:
+      return "person";
+  }
+}
+function placeholderPrefixFor(spanClass) {
+  return SPAN_PATTERNS.find((p) => p.class === spanClass)?.placeholderPrefix ?? OPENAI_LABEL_PREFIXES[spanClass] ?? CONTRACT_CLASS_PREFIXES[spanClass] ?? "PRIVATE";
+}
+function filterValue(value, path, findings, depth) {
+  if (depth > MAX_DEPTH) return value;
+  if (typeof value === "string") {
+    return filterString(value, path, findings);
+  }
+  if (Array.isArray(value)) {
+    return value.map(
+      (item, index) => filterValue(item, `${path}[${index}]`, findings, depth + 1)
+    );
+  }
+  if (value && typeof value === "object") {
+    const filtered = {};
+    for (const [key, child] of Object.entries(value)) {
+      filtered[key] = filterValue(child, `${path}.${key}`, findings, depth + 1);
+    }
+    return filtered;
+  }
+  return value;
+}
+function filterString(input, path, findings) {
+  let output = input;
+  for (const span of SPAN_PATTERNS) {
+    const before = output;
+    output = output.replace(span.pattern, span.replacement);
+    if (output !== before) {
+      findings.push({ path, class: span.class, action: "redact" });
+    }
+  }
+  return output;
+}
+async function placeholderValue(value, path, findings, vault, scope, depth) {
+  if (depth > MAX_DEPTH) return value;
+  if (typeof value === "string") {
+    return placeholderString(value, path, findings, vault, scope);
+  }
+  if (Array.isArray(value)) {
+    const out = [];
+    for (let index = 0; index < value.length; index++) {
+      out.push(await placeholderValue(
+        value[index],
+        `${path}[${index}]`,
+        findings,
+        vault,
+        scope,
+        depth + 1
+      ));
+    }
+    return out;
+  }
+  if (value && typeof value === "object") {
+    const filtered = {};
+    for (const [key, child] of Object.entries(value)) {
+      filtered[key] = await placeholderValue(
+        child,
+        `${path}.${key}`,
+        findings,
+        vault,
+        scope,
+        depth + 1
+      );
+    }
+    return filtered;
+  }
+  return value;
+}
+async function placeholderString(input, path, findings, vault, scope) {
+  const spans = detectSensitiveSpans(input, { pathHint: path });
+  if (spans.length === 0) return input;
+  let cursor = 0;
+  const pieces = [];
+  for (const span of spans) {
+    const placeholder = await vault.placeholderFor(span.class, span.text, scope);
+    pieces.push(input.slice(cursor, span.start));
+    pieces.push(placeholder);
+    cursor = span.end;
+    findings.push({
+      path,
+      class: span.class,
+      action: "placeholder",
+      placeholder
+    });
+  }
+  pieces.push(input.slice(cursor));
+  return pieces.join("");
+}
+var OPENAI_LABEL_PREFIXES = {
+  account_number: "ACCOUNT",
+  address: "ADDRESS",
+  client: "CLIENT",
+  credential: "CREDENTIAL",
+  domain_term: "TERM",
+  person: "PERSON",
+  project: "PROJECT",
+  file_path: "FILE_PATH",
+  secret: "SECRET",
+  url: "URL",
+  date: "DATE"
+};
+var CONTRACT_CLASS_PREFIXES = {
+  account_number: "ACCOUNT",
+  client: "CLIENT",
+  credential: "CREDENTIAL",
+  domain_term: "TERM",
+  file_path: "FILE_PATH",
+  project: "PROJECT",
+  secret: "SECRET"
+};
+function addConfiguredTermSpans(spans, input, terms, spanClass, detectorClass, placeholderPrefix) {
+  const sortedTerms = [...new Set(terms.map((term) => term.trim()).filter(Boolean))].sort((a, b) => b.length - a.length);
+  for (const term of sortedTerms) {
+    const pattern = new RegExp(escapeRegExp(term), "gi");
+    for (const match of input.matchAll(pattern)) {
+      if (match.index === void 0 || match[0].length === 0) continue;
+      spans.push({
+        class: spanClass,
+        detectorClass,
+        start: match.index,
+        end: match.index + match[0].length,
+        text: match[0],
+        placeholderPrefix
+      });
+    }
+  }
+}
+function removeOverlappingSpans(spans) {
+  const sorted = spans.sort((a, b) => {
+    if (a.start !== b.start) return a.start - b.start;
+    return b.end - b.start - (a.end - a.start);
+  });
+  const accepted = [];
+  let cursor = -1;
+  for (const span of sorted) {
+    if (span.start < cursor) continue;
+    accepted.push(span);
+    cursor = span.end;
+  }
+  return accepted;
+}
+function escapeRegExp(input) {
+  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function bytesToHex(bytes) {
+  return Buffer.from(bytes).toString("hex");
+}
+function mapOpenAIPrivacyLabel(label) {
+  switch (label) {
+    case "account_number":
+      return "account_number";
+    case "private_address":
+      return "address";
+    case "private_email":
+      return "email";
+    case "private_person":
+      return "person";
+    case "private_phone":
+      return "phone";
+    case "private_url":
+      return "url";
+    case "private_date":
+      return "date";
+    case "secret":
+      return "secret_assignment";
+    case "redacted":
+      return "secret_assignment";
+    default:
+      return null;
+  }
+}
+// src/l2-operational/context-gate-enforcer.ts
 var BUILTIN_SENSITIVE_PATTERNS = [
   "*_key",
   "*_token",
@@ -15346,6 +16190,7 @@ var BUILTIN_SENSITIVE_PATTERNS = [
 var ContextGateEnforcer = class {
   policyStore;
   auditLog;
+  privacyVault;
   config;
   stats = {
     calls_inspected: 0,
@@ -15355,9 +16200,10 @@ var ContextGateEnforcer = class {
     fields_blocked: 0,
     calls_blocked: 0
   };
-  constructor(policyStore, auditLog, config) {
+  constructor(policyStore, auditLog, config, privacyVault) {
     this.policyStore = policyStore;
     this.auditLog = auditLog;
+    this.privacyVault = privacyVault;
     this.config = config;
   }
   /**
@@ -15434,6 +16280,7 @@ var ContextGateEnforcer = class {
       }
     }
     const filteredArgs = this.buildFilteredArgs(args, result.decisions);
+    const privacyFiltered = this.privacyVault ? await applyPrivacyPlaceholders(filteredArgs, this.privacyVault, policy.policy_id) : applyLocalPrivacyFilter(filteredArgs);
     if (this.config.log_only) {
       this.auditLog.append(
         "l2",
@@ -15447,6 +16294,8 @@ var ContextGateEnforcer = class {
           fields_redacted: result.fields_redacted,
           fields_hashed: result.fields_hashed,
           fields_blocked: deniedFields.length,
+          privacy_findings: privacyFiltered.findings.length,
+          privacy_classes: [...new Set(privacyFiltered.findings.map((f) => f.class))],
           original_context_hash: result.original_context_hash
         }
       );
@@ -15467,13 +16316,15 @@ var ContextGateEnforcer = class {
         fields_redacted: result.fields_redacted,
         fields_hashed: result.fields_hashed,
         fields_blocked: deniedFields.length,
+        privacy_findings: privacyFiltered.findings.length,
+        privacy_classes: [...new Set(privacyFiltered.findings.map((f) => f.class))],
         original_context_hash: result.original_context_hash
       }
     );
     this.stats.fields_redacted += result.fields_redacted;
     this.stats.fields_hashed += result.fields_hashed;
     this.stats.fields_blocked += deniedFields.length;
-    return originalHandler(filteredArgs);
+    return originalHandler(privacyFiltered.value);
   }
   /**
    * Filter tool arguments using built-in sensitive patterns.
@@ -15490,6 +16341,39 @@ var ContextGateEnforcer = class {
       }
     }
     if (fieldsToRedact.length === 0) {
+      const privacyFiltered2 = this.privacyVault ? await applyPrivacyPlaceholders(args, this.privacyVault, `builtin:${toolName}`) : applyLocalPrivacyFilter(args);
+      if (privacyFiltered2.findings.length > 0) {
+        const filteredHash2 = hashToString(
+          stringToBytes(JSON.stringify(privacyFiltered2.value))
+        );
+        if (this.config.log_only) {
+          this.auditLog.append(
+            "l2",
+            "context_gate_enforcer_builtin_privacy_log_only",
+            "system",
+            {
+              tool_name: toolName,
+              privacy_findings: privacyFiltered2.findings.length,
+              privacy_classes: [...new Set(privacyFiltered2.findings.map((f) => f.class))],
+              original_context_hash: originalHash
+            }
+          );
+          return originalHandler(args);
+        }
+        this.auditLog.append(
+          "l2",
+          "context_gate_enforcer_builtin_privacy_filter",
+          "system",
+          {
+            tool_name: toolName,
+            privacy_findings: privacyFiltered2.findings.length,
+            privacy_classes: [...new Set(privacyFiltered2.findings.map((f) => f.class))],
+            original_context_hash: originalHash,
+            filtered_context_hash: filteredHash2
+          }
+        );
+        return originalHandler(privacyFiltered2.value);
+      }
       this.auditLog.append(
         "l2",
         "context_gate_enforcer_builtin_pass",
@@ -15509,8 +16393,9 @@ var ContextGateEnforcer = class {
         filteredArgs[key] = value;
       }
     }
+    const privacyFiltered = this.privacyVault ? await applyPrivacyPlaceholders(filteredArgs, this.privacyVault, `builtin:${toolName}`) : applyLocalPrivacyFilter(filteredArgs);
     const filteredHash = hashToString(
-      stringToBytes(JSON.stringify(filteredArgs))
+      stringToBytes(JSON.stringify(privacyFiltered.value))
     );
     if (this.config.log_only) {
       this.auditLog.append(
@@ -15521,6 +16406,8 @@ var ContextGateEnforcer = class {
           tool_name: toolName,
           fields_redacted: fieldsToRedact.length,
           redacted_fields: fieldsToRedact,
+          privacy_findings: privacyFiltered.findings.length,
+          privacy_classes: [...new Set(privacyFiltered.findings.map((f) => f.class))],
           original_context_hash: originalHash
         }
       );
@@ -15535,12 +16422,14 @@ var ContextGateEnforcer = class {
         tool_name: toolName,
         fields_redacted: fieldsToRedact.length,
         redacted_fields: fieldsToRedact,
+        privacy_findings: privacyFiltered.findings.length,
+        privacy_classes: [...new Set(privacyFiltered.findings.map((f) => f.class))],
         original_context_hash: originalHash,
         filtered_context_hash: filteredHash
       }
     );
     this.stats.fields_redacted += fieldsToRedact.length;
-    return originalHandler(filteredArgs);
+    return originalHandler(privacyFiltered.value);
   }
   /**
    * Check if a tool should be filtered based on bypass prefixes.
@@ -15646,21 +16535,166 @@ var ContextGateEnforcer = class {
     };
   }
 };
-// src/l2-operational/context-gate-tools.ts
-function createContextGateTools(storage, masterKey, auditLog) {
-  const policyStore = new ContextGatePolicyStore(storage, masterKey);
-  const enforcerConfig = {
-    enabled: false,
-    // Off by default; agents must explicitly enable it
-    bypass_prefixes: ["*"],
-    // Skip all Sanctuary-internal tools; only proxy/ tools get filtered
-    log_only: false,
-    // Filter immediately
+var PrivacyFilterRuntimeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PrivacyFilterRuntimeError";
+  }
+};
+async function applyConfiguredPrivacyFilter(value, vault, scope, config) {
+  if (config.mode === "off") {
+    return { value, findings: [], mode: "off" };
+  }
+  if (config.mode === "local") {
+    const result = await applyPrivacyPlaceholders(value, vault, scope);
+    return { ...result, mode: "local" };
+  }
+  try {
+    const result = await applyOpenAIPrivacyFilter(value, vault, scope, config);
+    return { ...result, mode: "opf" };
+  } catch (err) {
+    if (config.fail_mode === "fallback") {
+      const result = await applyPrivacyPlaceholders(value, vault, scope);
+      return { ...result, mode: "local", fallback_from: "opf" };
+    }
+    throw err;
+  }
+}
+async function applyOpenAIPrivacyFilter(value, vault, scope, config) {
+  if (typeof value === "string") {
+    const opf = await runOpenAIPrivacyFilter(value, config);
+    const filtered = await applyOpenAIPrivacyFilterResult(opf, vault, scope);
+    return filtered;
+  }
+  if (Array.isArray(value)) {
+    const findings = [];
+    const out = [];
+    for (let index = 0; index < value.length; index++) {
+      const filtered = await applyOpenAIPrivacyFilter(
+        value[index],
+        vault,
+        scope,
+        config
+      );
+      out.push(filtered.value);
+      findings.push(...filtered.findings.map((f) => ({
+        ...f,
+        path: `$[${index}]${f.path === "$" ? "" : f.path.slice(1)}`
+      })));
+    }
+    return { value: out, findings };
+  }
+  if (value && typeof value === "object") {
+    const findings = [];
+    const out = {};
+    for (const [key, child] of Object.entries(value)) {
+      const filtered = await applyOpenAIPrivacyFilter(child, vault, scope, config);
+      out[key] = filtered.value;
+      findings.push(...filtered.findings.map((f) => ({
+        ...f,
+        path: `$.${key}${f.path === "$" ? "" : f.path.slice(1)}`
+      })));
+    }
+    return { value: out, findings };
+  }
+  return { value, findings: [] };
+}
+var OPF_STDOUT_MAX_BYTES = 1e7;
+async function runOpenAIPrivacyFilter(text, config) {
+  const stdout = await runCommand(config.command, text, config.timeout_ms);
+  if (Buffer.byteLength(stdout, "utf8") > OPF_STDOUT_MAX_BYTES) {
+    throw new PrivacyFilterRuntimeError(
+      `OpenAI privacy-filter stdout exceeded ${OPF_STDOUT_MAX_BYTES}-byte cap`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(stdout);
+  } catch {
+    throw new PrivacyFilterRuntimeError("OpenAI privacy-filter returned invalid JSON");
+  }
+  if (!isOpenAIPrivacyFilterResult(parsed)) {
+    throw new PrivacyFilterRuntimeError(
+      "OpenAI privacy-filter JSON did not match the expected span schema"
+    );
+  }
+  return parsed;
+}
+function runCommand(command, input, timeoutMs) {
+  return new Promise((resolve4, reject) => {
+    const child = spawn(command, [], {
+      stdio: ["pipe", "pipe", "pipe"],
+      shell: false
+    });
+    let stdout = "";
+    let stderr = "";
+    const timer = setTimeout(() => {
+      child.kill("SIGTERM");
+      reject(new PrivacyFilterRuntimeError("OpenAI privacy-filter timed out"));
+    }, timeoutMs);
+    child.stdout.setEncoding("utf8");
+    child.stderr.setEncoding("utf8");
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk;
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk;
+    });
+    child.on("error", (err) => {
+      clearTimeout(timer);
+      reject(new PrivacyFilterRuntimeError(`OpenAI privacy-filter failed to start: ${err.message}`));
+    });
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      if (code !== 0) {
+        reject(new PrivacyFilterRuntimeError(
+          `OpenAI privacy-filter exited with code ${code}: ${stderr.trim()}`
+        ));
+        return;
+      }
+      resolve4(stdout);
+    });
+    child.stdin.end(input);
+  });
+}
+function isOpenAIPrivacyFilterResult(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  if (typeof v.text !== "string") return false;
+  if (!Array.isArray(v.detected_spans)) return false;
+  return v.detected_spans.every((span) => {
+    if (!span || typeof span !== "object") return false;
+    const s = span;
+    return typeof s.label === "string" && typeof s.start === "number" && typeof s.end === "number" && typeof s.text === "string";
+  });
+}
+// src/l2-operational/context-gate-tools.ts
+function createContextGateTools(storage, masterKey, auditLog, options = {}) {
+  const policyStore = new ContextGatePolicyStore(storage, masterKey);
+  const privacyVault = new PrivacyPlaceholderVault(storage, masterKey);
+  const privacyFilterConfig = options.privacyFilter ?? {
+    mode: "local",
+    fail_mode: "closed",
+    command: "opf",
+    timeout_ms: 5e3
+  };
+  const enforcerConfig = {
+    enabled: false,
+    // Off by default; agents must explicitly enable it
+    bypass_prefixes: ["*"],
+    // Skip all Sanctuary-internal tools; only proxy/ tools get filtered
+    log_only: false,
+    // Filter immediately
     on_deny: "block"
     // Block requests with denied fields
   };
-  const enforcer = new ContextGateEnforcer(policyStore, auditLog, enforcerConfig);
+  const enforcer = new ContextGateEnforcer(
+    policyStore,
+    auditLog,
+    enforcerConfig,
+    privacyVault
+  );
   const tools = [
     // ── Set Policy ──────────────────────────────────────────────────
     {
@@ -15954,6 +16988,34 @@ function createContextGateTools(storage, masterKey, auditLog) {
               break;
           }
         }
+        let privacyFiltered;
+        try {
+          privacyFiltered = await applyConfiguredPrivacyFilter(
+            safeContext,
+            privacyVault,
+            policyId,
+            privacyFilterConfig
+          );
+        } catch (err) {
+          if (err instanceof PrivacyFilterRuntimeError) {
+            auditLog.append("l2", "context_gate_privacy_filter_failure", policy.identity_id ?? "system", {
+              policy_id: policyId,
+              provider,
+              mode: privacyFilterConfig.mode,
+              fail_mode: privacyFilterConfig.fail_mode,
+              original_context_hash: result.original_context_hash,
+              error: err.message
+            }, "failure");
+            return toolResult({
+              blocked: true,
+              error: "privacy_filter_failed",
+              message: err.message,
+              mode: privacyFilterConfig.mode,
+              recommendation: privacyFilterConfig.fail_mode === "closed" ? "Install/configure the local privacy filter or switch SANCTUARY_PRIVACY_FILTER_FAIL_MODE to fallback." : "Check the local privacy filter configuration."
+            });
+          }
+          throw err;
+        }
         auditLog.append("l2", "context_gate_filter", policy.identity_id ?? "system", {
           policy_id: policyId,
           provider,
@@ -15962,20 +17024,32 @@ function createContextGateTools(storage, masterKey, auditLog) {
           fields_redacted: result.fields_redacted,
           fields_hashed: result.fields_hashed,
           fields_summarized: result.fields_summarized,
+          privacy_findings: privacyFiltered.findings.length,
+          privacy_classes: [...new Set(privacyFiltered.findings.map((f) => f.class))],
+          privacy_filter_mode: privacyFiltered.mode,
+          privacy_filter_configured_mode: privacyFilterConfig.mode,
+          privacy_filter_fallback_from: privacyFiltered.fallback_from,
           original_context_hash: result.original_context_hash,
           filtered_context_hash: result.filtered_context_hash
         });
         return toolResult({
           blocked: false,
-          safe_context: safeContext,
+          safe_context: privacyFiltered.value,
           summary: {
             total_fields: Object.keys(context).length,
             allowed: result.fields_allowed,
             redacted: result.fields_redacted,
             hashed: result.fields_hashed,
-            summarized: result.fields_summarized
+            summarized: result.fields_summarized,
+            privacy_filtered_spans: privacyFiltered.findings.length
           },
           decisions: result.decisions,
+          privacy_filter: {
+            mode: privacyFiltered.mode,
+            configured_mode: privacyFilterConfig.mode,
+            fallback_from: privacyFiltered.fallback_from,
+            findings: privacyFiltered.findings
+          },
           audit: {
             original_context_hash: result.original_context_hash,
             filtered_context_hash: result.filtered_context_hash,
@@ -17256,6 +18330,55 @@ var ProxyRouter = class {
             return toolResult(govResult.cached_result ?? {});
           }
         }
+        let privacyPolicy = null;
+        let privacyDestination = "tool-api";
+        let outboundFiltered = false;
+        if (this.options.privacyEnforcement) {
+          const serverConfig = this.clientManager.getServerConfig(serverName);
+          privacyDestination = serverConfig?.destination_category ?? "tool-api";
+          const identityId = serverConfig?.privacy_identity_id;
+          try {
+            privacyPolicy = await this.options.privacyEnforcement.policyResolver(
+              serverName,
+              identityId
+            );
+          } catch {
+            privacyPolicy = null;
+          }
+          const decision = await this.options.privacyEnforcement.engine.filterOutbound({
+            payload: filteredArgs,
+            policy: privacyPolicy,
+            identity_id: identityId,
+            agent_id: `proxy:${serverName}`,
+            destination_category: privacyDestination,
+            audit_log: this.auditLog
+          });
+          if (decision.status === "denied") {
+            this.auditLog.append("l2", `proxy_privacy_denied:${proxyName}`, "system", {
+              server: serverName,
+              tool: toolName,
+              tier,
+              denial_reason_class: decision.audit_payload.denial_reason_class,
+              latency_ms: Date.now() - start
+            }, "failure");
+            this.notifyProxyCall(
+              proxyName,
+              serverName,
+              "blocked",
+              "privacy_denied",
+              tier
+            );
+            return toolResult({
+              error: "Operation not permitted",
+              proxy: true,
+              privacy_denied: true
+            });
+          }
+          if (decision.status === "filtered") {
+            outboundFiltered = true;
+            filteredArgs = decision.payload;
+          }
+        }
         const result = await this.callWithTimeout(
           serverName,
           toolName,
@@ -17274,6 +18397,26 @@ var ProxyRouter = class {
           latency_ms: latencyMs
         });
         this.notifyProxyCall(proxyName, serverName, "allowed", void 0, tier);
+        if (outboundFiltered && this.options.privacyEnforcement && privacyPolicy) {
+          const serverConfig = this.clientManager.getServerConfig(serverName);
+          const identityId = serverConfig?.privacy_identity_id;
+          const rehydrated = await this.options.privacyEnforcement.engine.rehydrateResponse({
+            response: result,
+            policy: privacyPolicy,
+            identity_id: identityId,
+            agent_id: `proxy:${serverName}`,
+            destination_category: privacyDestination,
+            audit_log: this.auditLog
+          });
+          if (rehydrated.status === "rehydrated") {
+            return this.normalizeResponse(
+              rehydrated.response
+            );
+          }
+          return this.normalizeResponse(
+            rehydrated.response
+          );
+        }
         return this.normalizeResponse(result);
       } catch (err) {
         const latencyMs = Date.now() - start;
@@ -17330,13 +18473,13 @@ var ProxyRouter = class {
    * Call an upstream tool with a timeout.
    */
   async callWithTimeout(serverName, toolName, args, timeoutMs) {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve4, reject) => {
       const timer = setTimeout(() => {
         reject(new Error(`Upstream tool call timed out after ${timeoutMs}ms`));
       }, timeoutMs);
       this.clientManager.callTool(serverName, toolName, args).then((result) => {
         clearTimeout(timer);
-        resolve(result);
+        resolve4(result);
       }).catch((err) => {
         clearTimeout(timer);
         reject(err);
@@ -17378,7 +18521,7 @@ var ProxyRouter = class {
 function strToBytes(s) {
   return new TextEncoder().encode(s);
 }
-function bytesToHex(bytes) {
+function bytesToHex2(bytes) {
   let hex = "";
   for (let i = 0; i < bytes.length; i++) {
     hex += bytes[i].toString(16).padStart(2, "0");
@@ -17386,7 +18529,7 @@ function bytesToHex(bytes) {
   return hex;
 }
 function sha256Hex(input) {
-  return bytesToHex(sha256(strToBytes(input)));
+  return bytesToHex2(sha256(strToBytes(input)));
 }
 var DEFAULT_CONFIG = {
   volume_limit: 200,
@@ -18100,18 +19243,18 @@ function createSanctuaryTools(opts) {
         const tagBytes = enc.encode(domainTag);
         const purposeBytes = enc.encode(purpose);
         const nonceBytes = enc.encode(nonce);
-        const sep = new Uint8Array([0]);
+        const sep2 = new Uint8Array([0]);
         const message = new Uint8Array(
           tagBytes.length + 1 + purposeBytes.length + 1 + nonceBytes.length
         );
         let offset = 0;
         message.set(tagBytes, offset);
         offset += tagBytes.length;
-        message.set(sep, offset);
+        message.set(sep2, offset);
         offset += 1;
         message.set(purposeBytes, offset);
         offset += purposeBytes.length;
-        message.set(sep, offset);
+        message.set(sep2, offset);
         offset += 1;
         message.set(nonceBytes, offset);
         let sigB64;
@@ -20411,7 +21554,7 @@ function classifyAgentDescription(description) {
 }
 // src/compliance/eu_ai_act/generator.ts
-function bytesToHex2(bytes) {
+function bytesToHex3(bytes) {
   let hex = "";
   for (let i = 0; i < bytes.length; i++) {
     hex += bytes[i].toString(16).padStart(2, "0");
@@ -20575,18 +21718,18 @@ function makeSigner(signer, masterKey) {
       const sig = sign(digest, signer.encrypted_private_key, encryptionKey);
       return toBase64url(sig);
     },
-    sha256Hex: (content) => bytesToHex2(hash(stringToBytes(content)))
+    sha256Hex: (content) => bytesToHex3(hash(stringToBytes(content)))
   };
 }
 function finaliseDocument(template, context, filename, ds) {
   const content = render(template, context);
-  const sha256Hex2 = ds.sha256Hex(content);
+  const sha256Hex4 = ds.sha256Hex(content);
   const signature = ds.signContent(content);
   return {
     filename,
     content,
     content_type: "text/markdown",
-    sha256: sha256Hex2,
+    sha256: sha256Hex4,
     signature
   };
 }
@@ -21384,101 +22527,1565 @@ var MemoryStorage = class {
   }
 };
-// src/dashboard/aggregator.ts
-var L4_DEGRADATION_IMPACT = {
-  critical: 40,
-  warning: 25,
-  info: 10
+// src/contracts/v1.1/constants.ts
+var SIGNATURE_SCHEME_V1 = "ed25519-v1";
+var EXIT_BUNDLE_MANIFEST_VERSION = "SANCTUARY_EXIT_BUNDLE_V1";
+var EXIT_BUNDLE_ARTIFACT_KINDS = [
+  "public_identity",
+  "encrypted_state",
+  "policy_set",
+  "audit_receipts",
+  "reputation_bundle",
+  "commitments",
+  "placeholder_vault_metadata"
+];
+// src/mesh/errors.ts
+var MeshError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "MeshError";
+  }
 };
-function computeL4LayerScore(degradations, status) {
-  if (status === "compromised") return 0;
-  let score = 100;
-  for (const deg of degradations) {
-    score -= L4_DEGRADATION_IMPACT[deg.severity] ?? 10;
+var MeshEnvelopeError = class extends MeshError {
+  constructor(message) {
+    super(message);
+    this.name = "MeshEnvelopeError";
   }
-  score = Math.max(0, score);
-  if (degradations.length === 0 && score > 50) {
-    score = Math.min(100, score + 5);
+};
+var MeshReservedExtensionKeyError = class extends MeshEnvelopeError {
+  constructor(key) {
+    super(
+      `v0.1 emitters MUST NOT populate reserved extension_envelope key: ${key}`
+    );
+    this.name = "MeshReservedExtensionKeyError";
   }
-  return Math.round(score);
+};
+var MeshReservedEventTypeError = class extends MeshEnvelopeError {
+  constructor(eventType) {
+    super(
+      `v0.1 emitters MUST NOT emit reserved-namespace event_type: ${eventType}`
+    );
+    this.name = "MeshReservedEventTypeError";
+  }
+};
+// src/mesh/canonical-json.ts
+var MeshCanonicalJsonError = class extends MeshError {
+  constructor(message) {
+    super(message);
+    this.name = "MeshCanonicalJsonError";
+  }
+};
+function canonicalize2(value) {
+  if (value === void 0) {
+    throw new MeshCanonicalJsonError(
+      "canonicalize(): top-level undefined is not serializable"
+    );
+  }
+  return encode(value);
 }
-var MAX_ACTIVITY = 50;
-var MAX_AUDIT = 50;
-function fingerprintDID(did) {
-  const raw = did.replace(/^did:[a-z0-9]+:/i, "");
-  if (raw.length <= 12) return raw;
-  return `${raw.slice(0, 6)}\u2026${raw.slice(-6)}`;
+function encode(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new MeshCanonicalJsonError(
+        `canonicalize(): non-finite number (${String(value)}) is not serializable`
+      );
+    }
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return JSON.stringify(value);
+  if (Array.isArray(value)) return encodeArray(value);
+  if (typeof value === "object") return encodeObject(value);
+  throw new MeshCanonicalJsonError(
+    `canonicalize(): unsupported type ${typeof value}`
+  );
 }
-function countInjectionsToday(audit) {
-  const startOfDay = /* @__PURE__ */ new Date();
-  startOfDay.setHours(0, 0, 0, 0);
-  const cutoff = startOfDay.getTime();
-  return audit.filter((e) => {
-    const ts = new Date(e.timestamp).getTime();
-    if (isNaN(ts) || ts < cutoff) return false;
-    const op = (e.operation ?? "").toLowerCase();
-    return op.includes("injection") || op.includes("blocked");
-  }).length;
+function encodeArray(arr) {
+  const parts = [];
+  for (const item of arr) {
+    parts.push(item === void 0 ? "null" : encode(item));
+  }
+  return "[" + parts.join(",") + "]";
 }
-var PROOF_CREATION_OPS = /* @__PURE__ */ new Set([
-  "zk_prove",
-  "zk_range_prove",
-  "proof_commitment"
+function encodeObject(obj) {
+  const keys = Object.keys(obj).filter((k) => obj[k] !== void 0).sort();
+  const parts = [];
+  for (const k of keys) {
+    parts.push(JSON.stringify(k) + ":" + encode(obj[k]));
+  }
+  return "{" + parts.join(",") + "}";
+}
+function canonicalizeToBytes(value) {
+  return new TextEncoder().encode(canonicalize2(value));
+}
+// src/exit/bundle.ts
+init_hashing();
+init_encoding();
+init_encryption();
+init_identity();
+// src/contracts/v1.1/exit-bundle-manifest.ts
+var EXIT_BUNDLE_PATH_PATTERN = /^[a-z0-9._-]+(?:\/[a-z0-9._-]+)*$/;
+var EXIT_BUNDLE_PATH_MAX_BYTES = 256;
+// src/exit/verifier.ts
+init_encoding();
+init_hashing();
+var PRIVATE_MATERIAL_KEYS = /* @__PURE__ */ new Set([
+  "private_key",
+  "privatekey",
+  "encrypted_private_key",
+  "encryptedprivatekey",
+  "passphrase",
+  "recovery_key",
+  "recoverykey",
+  "seed",
+  "mnemonic"
 ]);
-function countProofsToday(audit) {
-  const startOfDay = /* @__PURE__ */ new Date();
-  startOfDay.setHours(0, 0, 0, 0);
-  const cutoff = startOfDay.getTime();
-  return audit.filter((e) => {
-    if (e.layer !== "l3") return false;
-    if (!PROOF_CREATION_OPS.has(e.operation)) return false;
-    const ts = new Date(e.timestamp).getTime();
-    return !isNaN(ts) && ts >= cutoff;
-  }).length;
+function sha256Hex2(bytes) {
+  return Array.from(hash(bytes)).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
-function buildAgent(sources) {
-  if (!sources.identityManager) {
-    return {
-      display_name: "Unclaimed agent",
-      did: null,
-      did_fingerprint: null,
-      identity_count: 0,
-      primary_identity_id: null
-    };
-  }
-  const primary = sources.identityManager.getDefault();
-  const identities = sources.identityManager.list();
-  if (!primary) {
-    return {
-      display_name: "Unclaimed agent",
-      did: null,
-      did_fingerprint: null,
-      identity_count: identities.length,
-      primary_identity_id: null
-    };
-  }
+function resultBase(bundleDir, manifest, warnings = [], unsupported = []) {
+  const body = manifest?.body;
   return {
-    display_name: primary.label || "Sovereign agent",
-    did: primary.did,
-    did_fingerprint: fingerprintDID(primary.did),
-    identity_count: identities.length,
-    primary_identity_id: primary.identity_id
+    version: "1.1",
+    passed: false,
+    verified_at: (/* @__PURE__ */ new Date()).toISOString(),
+    manifest_path: join(bundleDir, "manifest.json"),
+    manifest_hash: null,
+    manifest_summary: {
+      manifest_version: body?.manifest_version ?? EXIT_BUNDLE_MANIFEST_VERSION,
+      fortress_id: body?.identity_binding?.fortress_id ?? "",
+      identity_id: body?.identity_binding?.identity_id ?? "",
+      exported_at: body?.exported_at ?? "",
+      artifact_count: body?.artifacts?.length ?? 0
+    },
+    artifact_results: body?.artifacts?.map((artifact) => ({
+      path: artifact.path,
+      kind: artifact.kind,
+      hash_passed: false,
+      size_passed: false
+    })) ?? [],
+    warnings,
+    unsupported_artifacts: unsupported
   };
 }
-function buildL1(sources, audit) {
-  const hasIdentity = !!sources.identityManager?.getDefault();
-  const state = hasIdentity ? "full" : "degraded";
+function fail(bundleDir, manifest, failureClass, warnings = [], unsupported = []) {
   return {
-    label: "L1 Cognitive",
-    state,
-    headline: hasIdentity ? "State encrypted at rest" : "No sovereign identity \u2014 run sanctuary_bootstrap",
-    encryption: "AES-256-GCM + HKDF per namespace",
-    injection_blocked_today: countInjectionsToday(audit),
-    memory_attest_ready: hasIdentity
+    ...resultBase(bundleDir, manifest, warnings, unsupported),
+    failure_class: failureClass
   };
 }
-function buildL2(sources) {
-  const teeAvailable = sources.teeAvailable ?? false;
+function isKnownKind(kind) {
+  return EXIT_BUNDLE_ARTIFACT_KINDS.includes(kind);
+}
+function validateArtifactPath(path) {
+  if (Buffer.byteLength(path, "utf8") > EXIT_BUNDLE_PATH_MAX_BYTES) {
+    return "unsafe";
+  }
+  if (!EXIT_BUNDLE_PATH_PATTERN.test(path)) return "unsafe";
+  if (path.startsWith("/") || path.includes("\\") || path.includes("\0")) {
+    return "unsafe";
+  }
+  const normalized = decodeURIComponentSafe(path).normalize("NFKC");
+  if (normalized.split("/").some((segment) => segment === "." || segment === "..")) {
+    return "unsafe";
+  }
+  return "ok";
+}
+function decodeURIComponentSafe(value) {
+  let current = value;
+  for (let i = 0; i < 2; i++) {
+    try {
+      const decoded = decodeURIComponent(current);
+      if (decoded === current) return decoded;
+      current = decoded;
+    } catch {
+      return current;
+    }
+  }
+  return current;
+}
+async function assertDescendant(root, candidate) {
+  const rootReal = await realpath(root);
+  const candidateDir = await realpath(dirname(candidate));
+  const rootWithSep = rootReal.endsWith(sep) ? rootReal : rootReal + sep;
+  return candidateDir === rootReal || candidateDir.startsWith(rootWithSep);
+}
+function findPrivateMaterial(value, path = "$") {
+  if (value === null || typeof value !== "object") return [];
+  if (Array.isArray(value)) {
+    return value.flatMap(
+      (item, index) => findPrivateMaterial(item, `${path}[${index}]`)
+    );
+  }
+  const findings = [];
+  for (const [key, child] of Object.entries(value)) {
+    const normalized = key.toLowerCase().replace(/[-\s]/g, "_");
+    if (PRIVATE_MATERIAL_KEYS.has(normalized)) {
+      findings.push(`${path}.${key}`);
+      continue;
+    }
+    findings.push(...findPrivateMaterial(child, `${path}.${key}`));
+  }
+  return findings;
+}
+async function readManifest(bundleDir) {
+  const bytes = await readFile(join(bundleDir, "manifest.json"));
+  return JSON.parse(Buffer.from(bytes).toString("utf8"));
+}
+async function loadExitArtifact(bundleDir, manifest, kind) {
+  const entry = manifest.body.artifacts.find((artifact) => artifact.kind === kind);
+  if (!entry) return null;
+  const artifactPath = join(bundleDir, entry.path);
+  const bytes = await readFile(artifactPath);
+  return {
+    entry,
+    path: artifactPath,
+    bytes: new Uint8Array(bytes.buffer, bytes.byteOffset, bytes.byteLength),
+    json: JSON.parse(Buffer.from(bytes).toString("utf8"))
+  };
+}
+function verifyIdentityArtifact(identityArtifact) {
+  const wrapper = identityArtifact;
+  const bundle = wrapper.bundle;
+  if (!bundle || typeof wrapper.signature !== "string") {
+    return { signature_valid: false };
+  }
+  const publicKey = bundle.publicKey;
+  if (typeof publicKey !== "string") {
+    return { signature_valid: false };
+  }
+  const signatureValid = ed25519.verify(
+    fromBase64url(wrapper.signature),
+    canonicalizeToBytes(bundle),
+    fromBase64url(publicKey)
+  );
+  return {
+    signature_valid: signatureValid,
+    identity_id: typeof bundle.identity_id === "string" ? bundle.identity_id : void 0,
+    did: typeof bundle.did === "string" ? bundle.did : void 0,
+    public_key: publicKey
+  };
+}
+function verifyReputationArtifact(reputationArtifact, publicKeysByDid) {
+  const bundle = reputationArtifact;
+  const attestations = Array.isArray(bundle.attestations) ? bundle.attestations : [];
+  let bundleSignatureValid = "unverifiable";
+  if (bundle.version === "SANCTUARY_REP_V1" && typeof bundle.exporter_did === "string" && typeof bundle.bundle_signature === "string") {
+    const exporterKey = publicKeysByDid.get(bundle.exporter_did);
+    if (exporterKey) {
+      const signedBody = {
+        version: "SANCTUARY_REP_V1",
+        attestations,
+        exported_at: bundle.exported_at,
+        exporter_did: bundle.exporter_did
+      };
+      bundleSignatureValid = ed25519.verify(
+        fromBase64url(bundle.bundle_signature),
+        stringToBytes(JSON.stringify(signedBody)),
+        exporterKey
+      );
+    }
+  }
+  let verified = 0;
+  let invalid = 0;
+  let unverifiable = 0;
+  for (const attestation of attestations) {
+    const signerKey = publicKeysByDid.get(attestation.signer);
+    if (!signerKey) {
+      unverifiable++;
+      continue;
+    }
+    const ok = ed25519.verify(
+      fromBase64url(attestation.signature),
+      stringToBytes(JSON.stringify(attestation.data)),
+      signerKey
+    );
+    if (ok) verified++;
+    else invalid++;
+  }
+  return {
+    bundle_signature_valid: bundleSignatureValid,
+    attestation_count: attestations.length,
+    verified_attestations: verified,
+    invalid_attestations: invalid,
+    unverifiable_attestations: unverifiable
+  };
+}
+async function verifyExitBundle(bundleDir) {
+  const root = resolve(bundleDir);
+  let manifest;
+  let manifestBytes;
+  try {
+    const raw = await readFile(join(root, "manifest.json"));
+    manifestBytes = new Uint8Array(raw.buffer, raw.byteOffset, raw.byteLength);
+    manifest = JSON.parse(Buffer.from(raw).toString("utf8"));
+  } catch {
+    return fail(root, null, "other", ["manifest.json is missing or unreadable"]);
+  }
+  const warnings = [];
+  const unsupportedArtifacts = [];
+  const body = manifest.body;
+  if (!body || body.manifest_version !== EXIT_BUNDLE_MANIFEST_VERSION) {
+    return fail(root, manifest, "manifest_unknown_version", warnings, unsupportedArtifacts);
+  }
+  if (body.signature_scheme !== SIGNATURE_SCHEME_V1) {
+    return fail(
+      root,
+      manifest,
+      "manifest_signature_scheme_invalid",
+      warnings,
+      unsupportedArtifacts
+    );
+  }
+  const seenPaths = /* @__PURE__ */ new Set();
+  for (const artifact of body.artifacts) {
+    if (!isKnownKind(artifact.kind)) {
+      return fail(root, manifest, "other", [`unknown artifact kind: ${artifact.kind}`]);
+    }
+    if (seenPaths.has(artifact.path)) {
+      return fail(root, manifest, "artifact_path_duplicate", warnings, unsupportedArtifacts);
+    }
+    seenPaths.add(artifact.path);
+    if (validateArtifactPath(artifact.path) !== "ok") {
+      return fail(root, manifest, "artifact_path_unsafe", warnings, unsupportedArtifacts);
+    }
+  }
+  const signatureOk = ed25519.verify(
+    fromBase64url(manifest.signature),
+    canonicalizeToBytes(body),
+    fromBase64url(body.identity_binding.fortress_master_pubkey)
+  );
+  if (!signatureOk) {
+    return fail(root, manifest, "manifest_signature_invalid", warnings, unsupportedArtifacts);
+  }
+  const expectedAggregate = sha256Hex2(
+    stringToBytes(canonicalize2(body.artifacts))
+  );
+  if (expectedAggregate !== body.artifacts_aggregate_hash) {
+    return fail(root, manifest, "aggregate_hash_mismatch", warnings, unsupportedArtifacts);
+  }
+  const artifactResults = [];
+  let artifactFailure = null;
+  for (const artifact of body.artifacts) {
+    const artifactPath = join(root, artifact.path);
+    let bytes;
+    let fileSize = -1;
+    try {
+      const linkStat = await lstat(artifactPath);
+      if (linkStat.isSymbolicLink()) {
+        artifactFailure = "archive_contains_symlink";
+        artifactResults.push({
+          path: artifact.path,
+          kind: artifact.kind,
+          hash_passed: false,
+          size_passed: false
+        });
+        continue;
+      }
+      const descends = await assertDescendant(root, artifactPath);
+      if (!descends) {
+        artifactFailure = "artifact_path_escapes_root";
+        artifactResults.push({
+          path: artifact.path,
+          kind: artifact.kind,
+          hash_passed: false,
+          size_passed: false
+        });
+        continue;
+      }
+      const fileStat = await stat(artifactPath);
+      fileSize = fileStat.size;
+      const raw = await readFile(artifactPath);
+      bytes = new Uint8Array(raw.buffer, raw.byteOffset, raw.byteLength);
+    } catch {
+      artifactFailure = "artifact_missing";
+      artifactResults.push({
+        path: artifact.path,
+        kind: artifact.kind,
+        hash_passed: false,
+        size_passed: false
+      });
+      continue;
+    }
+    const hashPassed = sha256Hex2(bytes) === artifact.hash;
+    const sizePassed = fileSize === artifact.size_bytes;
+    if (!hashPassed && !artifactFailure) artifactFailure = "artifact_hash_mismatch";
+    if (!sizePassed && !artifactFailure) artifactFailure = "artifact_size_mismatch";
+    artifactResults.push({
+      path: artifact.path,
+      kind: artifact.kind,
+      hash_passed: hashPassed,
+      size_passed: sizePassed
+    });
+    try {
+      const parsed = JSON.parse(Buffer.from(bytes).toString("utf8"));
+      const privateFindings = findPrivateMaterial(parsed);
+      if (privateFindings.length > 0) {
+        artifactFailure = "private_material_present";
+        warnings.push(
+          `${artifact.path} contains private-material field(s): ${privateFindings.join(", ")}`
+        );
+      }
+    } catch {
+      warnings.push(`${artifact.path} is not parseable JSON`);
+    }
+  }
+  if (artifactFailure) {
+    return {
+      ...fail(root, manifest, artifactFailure, warnings, unsupportedArtifacts),
+      manifest_hash: sha256Hex2(manifestBytes),
+      artifact_results: artifactResults
+    };
+  }
+  const publicKeysByDid = /* @__PURE__ */ new Map();
+  const identityArtifact = await loadExitArtifact(root, manifest, "public_identity");
+  let identity;
+  if (identityArtifact) {
+    const identityVerification = verifyIdentityArtifact(identityArtifact.json);
+    identity = {
+      signature_valid: identityVerification.signature_valid,
+      identity_id: identityVerification.identity_id,
+      did: identityVerification.did
+    };
+    if (identityVerification.did && identityVerification.public_key) {
+      publicKeysByDid.set(
+        identityVerification.did,
+        fromBase64url(identityVerification.public_key)
+      );
+    }
+    if (!identityVerification.signature_valid) {
+      warnings.push("public identity artifact signature is invalid");
+    }
+  }
+  const auditArtifact = await loadExitArtifact(root, manifest, "audit_receipts");
+  const audit = auditArtifact ? {
+    receipt_count: Array.isArray(auditArtifact.json.entries) ? auditArtifact.json.entries.length : 0,
+    individual_signatures_verified: false
+  } : void 0;
+  if (auditArtifact) {
+    unsupportedArtifacts.push(
+      "audit_receipts: individual audit entries are not signed in the legacy L2 audit log; verifier pins them by signed manifest hash"
+    );
+  }
+  const reputationArtifact = await loadExitArtifact(root, manifest, "reputation_bundle");
+  const reputation = reputationArtifact ? verifyReputationArtifact(reputationArtifact.json, publicKeysByDid) : void 0;
+  if (reputation) {
+    if (reputation.bundle_signature_valid === "unverifiable") {
+      warnings.push("reputation bundle signature is unverifiable from included public identities");
+    } else if (!reputation.bundle_signature_valid) {
+      warnings.push("reputation bundle signature is invalid");
+    }
+    if (reputation.unverifiable_attestations > 0) {
+      warnings.push(
+        `${reputation.unverifiable_attestations} reputation attestation(s) have unknown signer public keys`
+      );
+    }
+    if (reputation.invalid_attestations > 0) {
+      warnings.push(
+        `${reputation.invalid_attestations} reputation attestation(s) failed signature verification`
+      );
+    }
+  }
+  const reputationFailed = reputation?.bundle_signature_valid === false || (reputation?.invalid_attestations ?? 0) > 0;
+  const identityFailed = identity ? !identity.signature_valid : false;
+  return {
+    version: "1.1",
+    passed: !reputationFailed && !identityFailed,
+    verified_at: (/* @__PURE__ */ new Date()).toISOString(),
+    manifest_path: join(root, "manifest.json"),
+    manifest_hash: sha256Hex2(manifestBytes),
+    manifest_summary: {
+      manifest_version: body.manifest_version,
+      fortress_id: body.identity_binding.fortress_id,
+      identity_id: body.identity_binding.identity_id,
+      exported_at: body.exported_at,
+      artifact_count: body.artifacts.length
+    },
+    artifact_results: artifactResults,
+    warnings,
+    unsupported_artifacts: unsupportedArtifacts,
+    identity,
+    audit,
+    reputation,
+    failure_class: reputationFailed || identityFailed ? "other" : void 0
+  };
+}
+// src/exit/bundle.ts
+var ARTIFACT_DIR = "artifacts";
+var EXIT_IMPORT_NAMESPACE = "_exit_imports";
+var EXIT_PUBLIC_IDENTITIES_NAMESPACE = "_exit_public_identities";
+var EXIT_AUDIT_RECEIPTS_NAMESPACE = "_exit_audit_receipts";
+var EXIT_POLICY_SETS_NAMESPACE = "_exit_policy_sets";
+var EXIT_COMMITMENTS_NAMESPACE = "_exit_commitments";
+var EXIT_PLACEHOLDER_METADATA_NAMESPACE = "_exit_placeholder_metadata";
+var PRIVACY_PLACEHOLDER_NAMESPACE = "_privacy_placeholder_vault";
+function sha256Hex3(bytes) {
+  return Array.from(hash(bytes)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function jsonBytes(value) {
+  return stringToBytes(JSON.stringify(value, null, 2) + "\n");
+}
+async function writeJsonArtifact(bundleDir, path, value, kind) {
+  const bytes = jsonBytes(value);
+  const fullPath = join(bundleDir, path);
+  await mkdir(join(bundleDir, ARTIFACT_DIR), { recursive: true, mode: 448 });
+  await writeFile(fullPath, bytes, { mode: 384 });
+  return {
+    kind,
+    path,
+    hash_alg: "sha256",
+    hash: sha256Hex3(bytes),
+    size_bytes: bytes.length
+  };
+}
+async function readSourceKeyParams(storage) {
+  const raw = await storage.read("_meta", "key-params");
+  if (!raw) return void 0;
+  return JSON.parse(bytesToString(raw));
+}
+async function discoverFilesystemStateNamespaces(stateStoragePath) {
+  if (!stateStoragePath) return [];
+  try {
+    const names = await readdir(stateStoragePath);
+    const namespaces = [];
+    for (const name of names) {
+      const full = join(stateStoragePath, name);
+      const entryStat = await stat(full);
+      if (!entryStat.isDirectory()) continue;
+      if (name.startsWith("_")) continue;
+      namespaces.push(name);
+    }
+    return namespaces.sort();
+  } catch {
+    return [];
+  }
+}
+async function exportEncryptedState(opts) {
+  const namespaceSet = new Set(
+    opts.stateNamespaces ?? await discoverFilesystemStateNamespaces(opts.stateStoragePath)
+  );
+  const entries = [];
+  for (const namespace of [...namespaceSet].sort()) {
+    if (isReservedNamespace(namespace)) continue;
+    const metas = await opts.storage.list(namespace);
+    for (const meta of metas) {
+      const raw = await opts.storage.read(namespace, meta.key);
+      if (!raw) continue;
+      try {
+        entries.push({
+          namespace,
+          key: meta.key,
+          entry: JSON.parse(bytesToString(raw))
+        });
+      } catch {
+      }
+    }
+  }
+  return {
+    format: "SANCTUARY_EXIT_ENCRYPTED_STATE_V1",
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    key_source: opts.keySource ?? "unknown",
+    source_key_derivation: await readSourceKeyParams(opts.storage),
+    namespaces: [...new Set(entries.map((entry) => entry.namespace))].sort(),
+    total_keys: entries.length,
+    contains_reserved_namespaces: false,
+    entries
+  };
+}
+function exportPublicIdentity(identity, masterKey) {
+  const body = {
+    format: "SANCTUARY_IDENTITY_BUNDLE_V1",
+    publicKey: identity.public_key,
+    did: identity.did,
+    identity_id: identity.identity_id,
+    label: identity.label,
+    key_type: identity.key_type,
+    key_protection: identity.key_protection,
+    rotation_history: identity.rotation_history ?? [],
+    exported_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const signature = sign(
+    canonicalizeToBytes(body),
+    identity.encrypted_private_key,
+    derivePurposeKey(masterKey, "identity-encryption")
+  );
+  return {
+    bundle: body,
+    signature: toBase64url(signature),
+    signed_by: identity.did
+  };
+}
+function redactedPolicy(policy) {
+  return {
+    ...policy,
+    approval_channel: {
+      type: policy.approval_channel.type,
+      timeout_seconds: policy.approval_channel.timeout_seconds,
+      webhook_url: policy.approval_channel.webhook_url
+    }
+  };
+}
+function exportPolicySet(policy, config) {
+  const cfg = config ?? defaultConfig();
+  return {
+    format: "SANCTUARY_EXIT_POLICY_SET_V1",
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    principal_policy: redactedPolicy(policy),
+    config_summary: {
+      version: cfg.version,
+      state: cfg.state,
+      execution: cfg.execution,
+      disclosure: cfg.disclosure,
+      reputation: cfg.reputation,
+      privacy_filter: cfg.privacy_filter
+    }
+  };
+}
+async function exportAuditReceipts(auditLog) {
+  await auditLog.flush();
+  const result = await auditLog.query({ limit: 1e5 });
+  return {
+    format: "SANCTUARY_AUDIT_RECEIPTS_V1",
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    total: result.total,
+    individual_entry_signatures: false,
+    entries: result.entries
+  };
+}
+async function exportCommitments(storage, masterKey) {
+  const encryptionKey = derivePurposeKey(masterKey, "l3-commitments");
+  const publicCommitments = [];
+  let unreadable = 0;
+  for (const meta of await storage.list("_commitments")) {
+    const raw = await storage.read("_commitments", meta.key);
+    if (!raw) continue;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, encryptionKey);
+      const parsed = JSON.parse(bytesToString(decrypted));
+      publicCommitments.push({
+        commitment_id: meta.key,
+        commitment: parsed.commitment,
+        committed_at: parsed.committed_at,
+        revealed: parsed.revealed,
+        revealed_at: parsed.revealed_at
+      });
+    } catch {
+      unreadable++;
+    }
+  }
+  return {
+    format: "SANCTUARY_EXIT_COMMITMENTS_V1",
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    public_commitments: publicCommitments,
+    unreadable_count: unreadable,
+    redacted_fields: ["value", "blinding_factor"]
+  };
+}
+async function exportPlaceholderVaultMetadata(storage, masterKey) {
+  const encryptionKey = derivePurposeKey(masterKey, "l2-privacy-placeholders");
+  const entries = [];
+  let unreadable = 0;
+  for (const meta of await storage.list(PRIVACY_PLACEHOLDER_NAMESPACE)) {
+    const raw = await storage.read(PRIVACY_PLACEHOLDER_NAMESPACE, meta.key);
+    if (!raw) continue;
+    try {
+      const encrypted = JSON.parse(bytesToString(raw));
+      const decrypted = decrypt(encrypted, encryptionKey);
+      const parsed = JSON.parse(bytesToString(decrypted));
+      const safe = {
+        key: meta.key,
+        version: parsed.version,
+        kind: parsed.kind ?? (meta.key.endsWith("__index") ? "index" : "metadata"),
+        scope: parsed.scope,
+        class: parsed.class,
+        placeholder: parsed.placeholder,
+        alias: parsed.alias,
+        raw_hash: parsed.raw_hash,
+        counters: parsed.counters,
+        next: parsed.next,
+        created_at: parsed.created_at
+      };
+      entries.push(
+        Object.fromEntries(
+          Object.entries(safe).filter(([, value]) => value !== void 0)
+        )
+      );
+    } catch {
+      unreadable++;
+    }
+  }
+  return {
+    format: "SANCTUARY_PLACEHOLDER_VAULT_METADATA_V1",
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    entries,
+    unreadable_count: unreadable,
+    redacted_fields: ["raw_value", "raw_path"]
+  };
+}
+async function exportExitBundle(opts) {
+  const bundleDir = resolve(opts.bundleDir);
+  await mkdir(bundleDir, { recursive: true, mode: 448 });
+  await mkdir(join(bundleDir, ARTIFACT_DIR), { recursive: true, mode: 448 });
+  const identity = opts.identityManager.getDefault();
+  if (!identity) {
+    throw new Error("Cannot export exit bundle: no default identity exists.");
+  }
+  const exportApprovalAuditId = opts.exportApprovalAuditId ?? `exit-export-${Date.now()}`;
+  opts.auditLog.append("l1", "exit_bundle_export", identity.identity_id, {
+    approval_id: exportApprovalAuditId,
+    manifest_version: EXIT_BUNDLE_MANIFEST_VERSION
+  });
+  const reputationStore = opts.reputationStore ?? new ReputationStore(opts.storage, opts.masterKey);
+  const identityEncryptionKey = derivePurposeKey(opts.masterKey, "identity-encryption");
+  const artifacts = [];
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/public_identity.json`,
+      exportPublicIdentity(identity, opts.masterKey),
+      "public_identity"
+    )
+  );
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/encrypted_state.json`,
+      await exportEncryptedState(opts),
+      "encrypted_state"
+    )
+  );
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/policy_set.json`,
+      exportPolicySet(opts.policy, opts.config),
+      "policy_set"
+    )
+  );
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/audit_receipts.json`,
+      await exportAuditReceipts(opts.auditLog),
+      "audit_receipts"
+    )
+  );
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/reputation_bundle.json`,
+      await reputationStore.exportBundle(identity, identityEncryptionKey),
+      "reputation_bundle"
+    )
+  );
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/commitments.json`,
+      await exportCommitments(opts.storage, opts.masterKey),
+      "commitments"
+    )
+  );
+  artifacts.push(
+    await writeJsonArtifact(
+      bundleDir,
+      `${ARTIFACT_DIR}/placeholder_vault_metadata.json`,
+      await exportPlaceholderVaultMetadata(opts.storage, opts.masterKey),
+      "placeholder_vault_metadata"
+    )
+  );
+  const body = {
+    manifest_version: EXIT_BUNDLE_MANIFEST_VERSION,
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    identity_binding: {
+      identity_id: identity.identity_id,
+      fortress_id: identity.did,
+      fortress_master_pubkey: identity.public_key,
+      did: identity.did
+    },
+    source_sanctuary_version: opts.config?.version ?? SANCTUARY_VERSION,
+    artifacts,
+    artifacts_aggregate_hash: sha256Hex3(
+      stringToBytes(canonicalize2(artifacts))
+    ),
+    artifacts_aggregate_hash_alg: "sha256",
+    export_approval_audit_id: exportApprovalAuditId,
+    signature_scheme: SIGNATURE_SCHEME_V1
+  };
+  const signature = sign(
+    canonicalizeToBytes(body),
+    identity.encrypted_private_key,
+    identityEncryptionKey
+  );
+  const manifest = {
+    body,
+    signature: toBase64url(signature)
+  };
+  const manifestBytes = jsonBytes(manifest);
+  await writeFile(join(bundleDir, "manifest.json"), manifestBytes, { mode: 384 });
+  await opts.auditLog.flush();
+  return {
+    bundle_dir: bundleDir,
+    manifest,
+    manifest_hash: sha256Hex3(manifestBytes),
+    artifact_count: artifacts.length,
+    unsupported_artifacts: [
+      "audit_receipts: legacy L2 audit entries are manifest-pinned but not individually signed"
+    ]
+  };
+}
+function publicKeysFromIdentityArtifact(identityArtifact) {
+  const pubkey = fromBase64url(identityArtifact.bundle.publicKey);
+  return {
+    byIdentityId: /* @__PURE__ */ new Map([[identityArtifact.bundle.identity_id, pubkey]]),
+    byDid: /* @__PURE__ */ new Map([[identityArtifact.bundle.did, pubkey]])
+  };
+}
+async function conflictReport(storage, identityArtifact, encryptedState, reputationBundle, manifest) {
+  const stateConflicts = [];
+  for (const item of encryptedState?.entries ?? []) {
+    if (await storage.exists(item.namespace, item.key)) {
+      stateConflicts.push({ namespace: item.namespace, key: item.key });
+    }
+  }
+  const reputationConflicts = [];
+  for (const attestation of reputationBundle?.attestations ?? []) {
+    if (await storage.exists("_reputation", attestation.attestation_id)) {
+      reputationConflicts.push(attestation.attestation_id);
+    }
+  }
+  const importId = importIdForManifest(manifest);
+  return {
+    public_identity_exists: identityArtifact ? await storage.exists(
+      EXIT_PUBLIC_IDENTITIES_NAMESPACE,
+      identityArtifact.bundle.identity_id
+    ) : false,
+    state_conflicts: stateConflicts,
+    reputation_conflicts: reputationConflicts,
+    policy_set_exists: await storage.exists(EXIT_POLICY_SETS_NAMESPACE, importId),
+    audit_receipts_exist: await storage.exists(EXIT_AUDIT_RECEIPTS_NAMESPACE, importId)
+  };
+}
+function importIdForManifest(manifest) {
+  return `${manifest.body.identity_binding.identity_id}-${manifest.body.exported_at.replace(/[^0-9a-zA-Z_.-]/g, "_")}`;
+}
+async function resolveSourceMasterKey(encryptedState, opts) {
+  if (!encryptedState || encryptedState.entries.length === 0) return null;
+  if (opts.sourceMasterKey) return opts.sourceMasterKey;
+  if (opts.sourcePassphrase && encryptedState.source_key_derivation) {
+    return (await deriveMasterKey(
+      opts.sourcePassphrase,
+      encryptedState.source_key_derivation
+    )).key;
+  }
+  if (opts.sourceRecoveryKey) {
+    const key = fromBase64url(opts.sourceRecoveryKey);
+    if (key.length !== 32) {
+      throw new Error("Source recovery key must decode to 32 bytes.");
+    }
+    return key;
+  }
+  return null;
+}
+async function rekeyState(encryptedState, opts, sourceMasterKey, publicKeysByIdentityId) {
+  const destinationSigner = opts.destinationSignerIdentityId ? opts.identityManager.get(opts.destinationSignerIdentityId) : opts.identityManager.getDefault();
+  if (!destinationSigner) {
+    return {
+      status: "skipped_no_destination_signer",
+      imported_keys: 0,
+      skipped_keys: encryptedState.entries.length,
+      skipped_invalid_sig: 0,
+      skipped_unknown_kid: 0,
+      conflicts: 0
+    };
+  }
+  const stateStore = new StateStore(opts.storage, opts.masterKey);
+  const identityEncryptionKey = derivePurposeKey(opts.masterKey, "identity-encryption");
+  let imported = 0;
+  let skipped = 0;
+  let skippedInvalidSig = 0;
+  let skippedUnknownKid = 0;
+  let conflicts = 0;
+  for (const item of encryptedState.entries) {
+    if (isReservedNamespace(item.namespace)) {
+      skipped++;
+      continue;
+    }
+    const signerPubkey = publicKeysByIdentityId.get(item.entry.kid);
+    if (!signerPubkey) {
+      skippedUnknownKid++;
+      skipped++;
+      continue;
+    }
+    const sourceSigValid = verify(
+      fromBase64url(item.entry.payload.ct),
+      fromBase64url(item.entry.sig),
+      signerPubkey
+    );
+    if (!sourceSigValid) {
+      skippedInvalidSig++;
+      skipped++;
+      continue;
+    }
+    const exists = await opts.storage.exists(item.namespace, item.key);
+    if (exists) {
+      conflicts++;
+      const resolution = opts.conflictResolution ?? "skip";
+      if (resolution === "skip") {
+        skipped++;
+        continue;
+      }
+      if (resolution === "version") {
+        const raw = await opts.storage.read(item.namespace, item.key);
+        if (raw) {
+          try {
+            const existing = JSON.parse(bytesToString(raw));
+            if (item.entry.ver <= existing.ver) {
+              skipped++;
+              continue;
+            }
+          } catch {
+          }
+        }
+      }
+    }
+    try {
+      const plaintext = decrypt(
+        item.entry.payload,
+        deriveNamespaceKey(sourceMasterKey, item.namespace)
+      );
+      if (hashToString(plaintext) !== item.entry.integrity_hash) {
+        skippedInvalidSig++;
+        skipped++;
+        continue;
+      }
+      await stateStore.write(
+        item.namespace,
+        item.key,
+        bytesToString(plaintext),
+        destinationSigner.identity_id,
+        destinationSigner.encrypted_private_key,
+        identityEncryptionKey,
+        {
+          content_type: item.entry.metadata.content_type,
+          ttl_seconds: item.entry.metadata.ttl_seconds,
+          tags: [
+            ...item.entry.metadata.tags ?? [],
+            "exit-import",
+            `source:${item.entry.kid}`
+          ]
+        }
+      );
+      imported++;
+    } catch {
+      skippedInvalidSig++;
+      skipped++;
+    }
+  }
+  return {
+    status: "rekeyed",
+    imported_keys: imported,
+    skipped_keys: skipped,
+    skipped_invalid_sig: skippedInvalidSig,
+    skipped_unknown_kid: skippedUnknownKid,
+    conflicts
+  };
+}
+async function stageArtifact(storage, namespace, key, value) {
+  await storage.write(namespace, key, jsonBytes(value));
+}
+async function importExitBundle(opts) {
+  const verification = await verifyExitBundle(opts.bundleDir);
+  if (!verification.passed) {
+    return {
+      verified: false,
+      activated: false,
+      conflicts: {
+        public_identity_exists: false,
+        state_conflicts: [],
+        reputation_conflicts: [],
+        policy_set_exists: false,
+        audit_receipts_exist: false
+      },
+      state: {
+        status: "not_requested",
+        imported_keys: 0,
+        skipped_keys: 0,
+        skipped_invalid_sig: 0,
+        skipped_unknown_kid: 0,
+        conflicts: 0
+      },
+      reputation: {
+        imported_attestations: 0,
+        invalid_attestations: 0,
+        unverifiable_attestations: verification.reputation?.unverifiable_attestations ?? 0
+      },
+      staged_artifacts: [],
+      warnings: verification.warnings,
+      unsupported_artifacts: verification.unsupported_artifacts
+    };
+  }
+  const manifest = await readManifest(opts.bundleDir);
+  const identityArtifact = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "public_identity"
+  );
+  const encryptedState = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "encrypted_state"
+  );
+  const policySet = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "policy_set"
+  );
+  const auditReceipts = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "audit_receipts"
+  );
+  const reputationArtifact = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "reputation_bundle"
+  );
+  const commitments = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "commitments"
+  );
+  const placeholderMetadata = await loadExitArtifact(
+    opts.bundleDir,
+    manifest,
+    "placeholder_vault_metadata"
+  );
+  const conflicts = await conflictReport(
+    opts.storage,
+    identityArtifact?.json ?? null,
+    encryptedState?.json ?? null,
+    reputationArtifact?.json ?? null,
+    manifest
+  );
+  if (!opts.activate) {
+    return {
+      verified: true,
+      activated: false,
+      conflicts,
+      state: {
+        status: "not_requested",
+        imported_keys: 0,
+        skipped_keys: 0,
+        skipped_invalid_sig: 0,
+        skipped_unknown_kid: 0,
+        conflicts: conflicts.state_conflicts.length
+      },
+      reputation: {
+        imported_attestations: 0,
+        invalid_attestations: 0,
+        unverifiable_attestations: verification.reputation?.unverifiable_attestations ?? 0
+      },
+      staged_artifacts: [],
+      warnings: verification.warnings,
+      unsupported_artifacts: verification.unsupported_artifacts
+    };
+  }
+  const importId = importIdForManifest(manifest);
+  const stagedArtifacts = [];
+  if (identityArtifact) {
+    await stageArtifact(
+      opts.storage,
+      EXIT_PUBLIC_IDENTITIES_NAMESPACE,
+      identityArtifact.json.bundle.identity_id,
+      identityArtifact.json
+    );
+    stagedArtifacts.push("public_identity");
+  }
+  if (policySet) {
+    await stageArtifact(opts.storage, EXIT_POLICY_SETS_NAMESPACE, importId, policySet.json);
+    stagedArtifacts.push("policy_set");
+  }
+  if (auditReceipts) {
+    await stageArtifact(
+      opts.storage,
+      EXIT_AUDIT_RECEIPTS_NAMESPACE,
+      importId,
+      auditReceipts.json
+    );
+    stagedArtifacts.push("audit_receipts");
+  }
+  if (commitments) {
+    await stageArtifact(opts.storage, EXIT_COMMITMENTS_NAMESPACE, importId, commitments.json);
+    stagedArtifacts.push("commitments");
+  }
+  if (placeholderMetadata) {
+    await stageArtifact(
+      opts.storage,
+      EXIT_PLACEHOLDER_METADATA_NAMESPACE,
+      importId,
+      placeholderMetadata.json
+    );
+    stagedArtifacts.push("placeholder_vault_metadata");
+  }
+  await stageArtifact(opts.storage, EXIT_IMPORT_NAMESPACE, importId, {
+    manifest: manifest.body,
+    verified_at: verification.verified_at,
+    activated_at: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  const publicKeys = identityArtifact ? publicKeysFromIdentityArtifact(identityArtifact.json) : { byIdentityId: /* @__PURE__ */ new Map(), byDid: /* @__PURE__ */ new Map() };
+  let reputationResult = {
+    imported_attestations: 0,
+    invalid_attestations: 0,
+    unverifiable_attestations: verification.reputation?.unverifiable_attestations ?? 0
+  };
+  if (reputationArtifact) {
+    const reputationStore = opts.reputationStore ?? new ReputationStore(opts.storage, opts.masterKey);
+    const imported = await reputationStore.importBundle(
+      reputationArtifact.json,
+      true,
+      publicKeys.byDid
+    );
+    reputationResult = {
+      imported_attestations: imported.imported,
+      invalid_attestations: imported.invalid,
+      unverifiable_attestations: verification.reputation?.unverifiable_attestations ?? 0
+    };
+    stagedArtifacts.push("reputation_bundle");
+  }
+  const sourceMasterKey = await resolveSourceMasterKey(
+    encryptedState?.json ?? null,
+    opts
+  );
+  const stateResult = encryptedState && encryptedState.json.entries.length > 0 ? sourceMasterKey ? await rekeyState(
+    encryptedState.json,
+    opts,
+    sourceMasterKey,
+    publicKeys.byIdentityId
+  ) : {
+    status: "staged_requires_source_key",
+    imported_keys: 0,
+    skipped_keys: encryptedState.json.entries.length,
+    skipped_invalid_sig: 0,
+    skipped_unknown_kid: 0,
+    conflicts: conflicts.state_conflicts.length
+  } : {
+    status: "not_requested",
+    imported_keys: 0,
+    skipped_keys: 0,
+    skipped_invalid_sig: 0,
+    skipped_unknown_kid: 0,
+    conflicts: 0
+  };
+  opts.auditLog.append("l1", "exit_bundle_import_activate", manifest.body.identity_binding.identity_id, {
+    import_id: importId,
+    manifest_version: manifest.body.manifest_version,
+    state_status: stateResult.status,
+    state_imported_keys: stateResult.imported_keys,
+    reputation_imported_attestations: reputationResult.imported_attestations
+  });
+  await opts.auditLog.flush();
+  return {
+    verified: true,
+    activated: true,
+    conflicts,
+    state: stateResult,
+    reputation: reputationResult,
+    staged_artifacts: stagedArtifacts,
+    warnings: verification.warnings,
+    unsupported_artifacts: verification.unsupported_artifacts
+  };
+}
+function exitBundleManifestShape() {
+  return {
+    manifest_version: EXIT_BUNDLE_MANIFEST_VERSION,
+    artifacts: [...EXIT_BUNDLE_ARTIFACT_KINDS],
+    hash_alg: "sha256",
+    signature_scheme: SIGNATURE_SCHEME_V1,
+    required_top_level_file: "manifest.json",
+    artifact_paths: [
+      "artifacts/public_identity.json",
+      "artifacts/encrypted_state.json",
+      "artifacts/policy_set.json",
+      "artifacts/audit_receipts.json",
+      "artifacts/reputation_bundle.json",
+      "artifacts/commitments.json",
+      "artifacts/placeholder_vault_metadata.json"
+    ]
+  };
+}
+init_encoding();
+function write(stream, text) {
+  stream.write(text);
+}
+function flagValue(argv, name) {
+  const index = argv.indexOf(name);
+  if (index === -1) return void 0;
+  return argv[index + 1];
+}
+function hasFlag(argv, name) {
+  return argv.includes(name);
+}
+function repeatedFlagValues(argv, name) {
+  const values = [];
+  for (let i = 0; i < argv.length; i++) {
+    if (argv[i] === name && argv[i + 1]) values.push(argv[++i]);
+  }
+  return values;
+}
+async function confirmTier1(prompt, assumeYes, stdin, err) {
+  if (assumeYes) return true;
+  const readline = await import('readline/promises');
+  const rl = readline.createInterface({
+    input: stdin,
+    output: err
+  });
+  const answer = await rl.question(`${prompt} [y/N] `);
+  rl.close();
+  return /^y(es)?$/i.test(answer.trim());
+}
+async function openExitContext(argv, env) {
+  const passphrase = flagValue(argv, "--passphrase") ?? env.SANCTUARY_PASSPHRASE;
+  const recoveryKey = env.SANCTUARY_RECOVERY_KEY;
+  const config = await loadConfig();
+  await mkdir(config.storage_path, { recursive: true, mode: 448 });
+  const stateStoragePath = join(config.storage_path, "state");
+  const storage = new FilesystemStorage(stateStoragePath);
+  let masterKey;
+  let keySource = "unknown";
+  if (passphrase) {
+    let existingParams;
+    const raw = await storage.read("_meta", "key-params");
+    if (raw) existingParams = JSON.parse(bytesToString(raw));
+    const derived = await deriveMasterKey(passphrase, existingParams);
+    masterKey = derived.key;
+    if (!existingParams) {
+      await storage.write(
+        "_meta",
+        "key-params",
+        stringToBytes(JSON.stringify(derived.params))
+      );
+    }
+    keySource = "passphrase";
+  } else if (recoveryKey) {
+    masterKey = fromBase64url(recoveryKey);
+    if (masterKey.length !== 32) {
+      throw new Error("SANCTUARY_RECOVERY_KEY must decode to 32 bytes.");
+    }
+    keySource = "recovery-key";
+  } else {
+    throw new Error(
+      "sanctuary exit requires SANCTUARY_PASSPHRASE, --passphrase, or SANCTUARY_RECOVERY_KEY."
+    );
+  }
+  const auditLog = new AuditLog(storage, masterKey);
+  const identityManager = new IdentityManager(storage, masterKey);
+  await identityManager.load();
+  const reputationStore = new ReputationStore(storage, masterKey);
+  return {
+    storagePath: config.storage_path,
+    stateStoragePath,
+    storage,
+    masterKey,
+    auditLog,
+    identityManager,
+    reputationStore,
+    keySource
+  };
+}
+function printUsage(out) {
+  write(out, `
+Usage: sanctuary exit <command> [options]
+Commands:
+  export --out <dir>          Create a SANCTUARY_EXIT_BUNDLE_V1 directory
+  verify <dir>                Verify manifest, audit receipts, and reputation bundle
+  import <dir> [--activate]   Verify, report conflicts, and optionally activate
+  manifest-shape              Print the v1.1 manifest shape
+Options:
+  --passphrase <value>              Current destination/source passphrase
+  --source-passphrase <value>       Source passphrase for state re-key on import
+  --source-recovery-key <value>     Source recovery key for state re-key on import
+  --destination-identity-id <id>    Destination signer for re-keyed state
+  --state-namespace <name>          Export a namespace; repeatable
+  --conflict <skip|overwrite|version>
+  --json
+  --yes, -y                         Explicit non-interactive Tier 1 approval
+  --help, -h
+`);
+}
+async function runExitCommand(args) {
+  const argv = args.argv;
+  const out = args.out ?? process.stdout;
+  const err = args.err ?? process.stderr;
+  const stdin = args.stdin ?? process.stdin;
+  const env = args.env ?? process.env;
+  if (argv.length === 0 || hasFlag(argv, "--help") || hasFlag(argv, "-h")) {
+    printUsage(out);
+    return 0;
+  }
+  const command = argv[0];
+  const json = hasFlag(argv, "--json");
+  try {
+    if (command === "manifest-shape") {
+      write(out, JSON.stringify(exitBundleManifestShape(), null, 2) + "\n");
+      return 0;
+    }
+    if (command === "verify") {
+      const dir = argv[1];
+      if (!dir) {
+        write(err, "Usage: sanctuary exit verify <dir>\n");
+        return 2;
+      }
+      const result = await verifyExitBundle(dir);
+      if (json) {
+        write(out, JSON.stringify(result, null, 2) + "\n");
+      } else {
+        write(out, `manifest: ${result.passed ? "verified" : "failed"}
+`);
+        write(out, `identity: ${result.manifest_summary.identity_id}
+`);
+        write(out, `artifacts: ${result.manifest_summary.artifact_count}
+`);
+        if (result.reputation) {
+          write(
+            out,
+            `reputation: ${result.reputation.verified_attestations}/${result.reputation.attestation_count} attestations verified
+`
+          );
+        }
+        for (const warning of result.warnings) write(out, `warning: ${warning}
+`);
+        for (const item of result.unsupported_artifacts) {
+          write(out, `unsupported: ${item}
+`);
+        }
+      }
+      return result.passed ? 0 : 1;
+    }
+    if (command === "export") {
+      const outDir = flagValue(argv, "--out");
+      if (!outDir) {
+        write(err, "Usage: sanctuary exit export --out <dir>\n");
+        return 2;
+      }
+      const approved = await confirmTier1(
+        "Tier 1 approval required: export complete Sanctuary exit bundle?",
+        hasFlag(argv, "--yes") || hasFlag(argv, "-y"),
+        stdin,
+        err
+      );
+      if (!approved) {
+        write(err, "Aborted.\n");
+        return 1;
+      }
+      const config = await loadConfig();
+      const ctx = await openExitContext(argv, env);
+      const policy = await loadPrincipalPolicy(ctx.storagePath);
+      const result = await exportExitBundle({
+        bundleDir: outDir,
+        storage: ctx.storage,
+        masterKey: ctx.masterKey,
+        identityManager: ctx.identityManager,
+        auditLog: ctx.auditLog,
+        reputationStore: ctx.reputationStore,
+        policy,
+        config,
+        stateStoragePath: ctx.stateStoragePath,
+        stateNamespaces: repeatedFlagValues(argv, "--state-namespace"),
+        keySource: ctx.keySource
+      });
+      if (json) write(out, JSON.stringify(result, null, 2) + "\n");
+      else {
+        write(out, `exported: ${result.bundle_dir}
+`);
+        write(out, `manifest_hash: ${result.manifest_hash}
+`);
+        for (const item of result.unsupported_artifacts) {
+          write(out, `unsupported: ${item}
+`);
+        }
+      }
+      return 0;
+    }
+    if (command === "import") {
+      const dir = argv[1];
+      if (!dir) {
+        write(err, "Usage: sanctuary exit import <dir> [--activate]\n");
+        return 2;
+      }
+      const activate = hasFlag(argv, "--activate");
+      if (activate) {
+        const approved = await confirmTier1(
+          "Tier 1 approval required: activate verified imported exit bundle?",
+          hasFlag(argv, "--yes") || hasFlag(argv, "-y"),
+          stdin,
+          err
+        );
+        if (!approved) {
+          write(err, "Aborted.\n");
+          return 1;
+        }
+      }
+      const ctx = await openExitContext(argv, env);
+      const conflict = flagValue(argv, "--conflict") ?? "skip";
+      if (!["skip", "overwrite", "version"].includes(conflict)) {
+        write(err, "--conflict must be skip, overwrite, or version\n");
+        return 2;
+      }
+      const result = await importExitBundle({
+        bundleDir: dir,
+        storage: ctx.storage,
+        masterKey: ctx.masterKey,
+        identityManager: ctx.identityManager,
+        auditLog: ctx.auditLog,
+        reputationStore: ctx.reputationStore,
+        activate,
+        conflictResolution: conflict,
+        sourcePassphrase: flagValue(argv, "--source-passphrase"),
+        sourceRecoveryKey: flagValue(argv, "--source-recovery-key"),
+        destinationSignerIdentityId: flagValue(argv, "--destination-identity-id")
+      });
+      if (json) write(out, JSON.stringify(result, null, 2) + "\n");
+      else {
+        write(out, `verified: ${result.verified}
+`);
+        write(out, `activated: ${result.activated}
+`);
+        write(out, `state_conflicts: ${result.conflicts.state_conflicts.length}
+`);
+        write(out, `reputation_conflicts: ${result.conflicts.reputation_conflicts.length}
+`);
+        write(out, `state_status: ${result.state.status}
+`);
+        write(out, `state_imported_keys: ${result.state.imported_keys}
+`);
+        write(out, `reputation_imported_attestations: ${result.reputation.imported_attestations}
+`);
+        for (const warning of result.warnings) write(out, `warning: ${warning}
+`);
+        for (const item of result.unsupported_artifacts) {
+          write(out, `unsupported: ${item}
+`);
+        }
+      }
+      return result.verified ? 0 : 1;
+    }
+    write(err, `Unknown exit command: ${command}
+`);
+    return 2;
+  } catch (error) {
+    write(err, error instanceof Error ? `${error.message}
+` : `${String(error)}
+`);
+    return 1;
+  }
+}
+// src/dashboard/aggregator.ts
+var L4_DEGRADATION_IMPACT = {
+  critical: 40,
+  warning: 25,
+  info: 10
+};
+function computeL4LayerScore(degradations, status) {
+  if (status === "compromised") return 0;
+  let score = 100;
+  for (const deg of degradations) {
+    score -= L4_DEGRADATION_IMPACT[deg.severity] ?? 10;
+  }
+  score = Math.max(0, score);
+  if (degradations.length === 0 && score > 50) {
+    score = Math.min(100, score + 5);
+  }
+  return Math.round(score);
+}
+var MAX_ACTIVITY = 50;
+var MAX_AUDIT = 50;
+function fingerprintDID(did) {
+  const raw = did.replace(/^did:[a-z0-9]+:/i, "");
+  if (raw.length <= 12) return raw;
+  return `${raw.slice(0, 6)}\u2026${raw.slice(-6)}`;
+}
+function countInjectionsToday(audit) {
+  const startOfDay = /* @__PURE__ */ new Date();
+  startOfDay.setHours(0, 0, 0, 0);
+  const cutoff = startOfDay.getTime();
+  return audit.filter((e) => {
+    const ts = new Date(e.timestamp).getTime();
+    if (isNaN(ts) || ts < cutoff) return false;
+    const op = (e.operation ?? "").toLowerCase();
+    return op.includes("injection") || op.includes("blocked");
+  }).length;
+}
+var PROOF_CREATION_OPS = /* @__PURE__ */ new Set([
+  "zk_prove",
+  "zk_range_prove",
+  "proof_commitment"
+]);
+function countProofsToday(audit) {
+  const startOfDay = /* @__PURE__ */ new Date();
+  startOfDay.setHours(0, 0, 0, 0);
+  const cutoff = startOfDay.getTime();
+  return audit.filter((e) => {
+    if (e.layer !== "l3") return false;
+    if (!PROOF_CREATION_OPS.has(e.operation)) return false;
+    const ts = new Date(e.timestamp).getTime();
+    return !isNaN(ts) && ts >= cutoff;
+  }).length;
+}
+function buildAgent(sources) {
+  if (!sources.identityManager) {
+    return {
+      display_name: "Unclaimed agent",
+      did: null,
+      did_fingerprint: null,
+      identity_count: 0,
+      primary_identity_id: null
+    };
+  }
+  const primary = sources.identityManager.getDefault();
+  const identities = sources.identityManager.list();
+  if (!primary) {
+    return {
+      display_name: "Unclaimed agent",
+      did: null,
+      did_fingerprint: null,
+      identity_count: identities.length,
+      primary_identity_id: null
+    };
+  }
+  return {
+    display_name: primary.label || "Sovereign agent",
+    did: primary.did,
+    did_fingerprint: fingerprintDID(primary.did),
+    identity_count: identities.length,
+    primary_identity_id: primary.identity_id
+  };
+}
+function buildL1(sources, audit) {
+  const hasIdentity = !!sources.identityManager?.getDefault();
+  const state = hasIdentity ? "full" : "degraded";
+  return {
+    label: "L1 Cognitive",
+    state,
+    headline: hasIdentity ? "State encrypted at rest" : "No sovereign identity \u2014 run sanctuary_bootstrap",
+    encryption: "AES-256-GCM + HKDF per namespace",
+    injection_blocked_today: countInjectionsToday(audit),
+    memory_attest_ready: hasIdentity
+  };
+}
+function buildL2(sources) {
+  const teeAvailable = sources.teeAvailable ?? false;
   const state = teeAvailable ? "full" : "degraded";
   return {
     label: "L2 Operational",
@@ -21613,6 +24220,36 @@ function buildUpstreamServers(sources) {
     return entry;
   });
 }
+function buildPrivacySummary(audit) {
+  const classes = {};
+  let filteredEvents = 0;
+  let filteredSpans = 0;
+  let lastFilteredAt = null;
+  for (const entry of audit) {
+    const details = entry.details ?? {};
+    const rawFindings = details.privacy_findings;
+    const findings = typeof rawFindings === "number" && Number.isFinite(rawFindings) ? Math.max(0, rawFindings) : 0;
+    if (findings <= 0) continue;
+    filteredEvents++;
+    filteredSpans += findings;
+    if (!lastFilteredAt || new Date(entry.timestamp).getTime() > new Date(lastFilteredAt).getTime()) {
+      lastFilteredAt = entry.timestamp;
+    }
+    const rawClasses = details.privacy_classes;
+    if (Array.isArray(rawClasses)) {
+      for (const rawClass of rawClasses) {
+        const key = String(rawClass);
+        classes[key] = (classes[key] ?? 0) + 1;
+      }
+    }
+  }
+  return {
+    filtered_events: filteredEvents,
+    filtered_spans: filteredSpans,
+    classes,
+    last_filtered_at: lastFilteredAt
+  };
+}
 async function getProtectionSnapshot(sources) {
   let audit = [];
   if (sources.auditLog) {
@@ -21630,6 +24267,7 @@ async function getProtectionSnapshot(sources) {
   const l4 = buildL4(sources);
   const activity = (sources.activity ?? []).slice(0, MAX_ACTIVITY);
   const pending_approvals = sources.pendingApprovals ?? [];
+  const privacy = buildPrivacySummary(audit);
   const upstream_servers = buildUpstreamServers(sources);
   return {
     overall: computeOverall(l1, l2, l3, l4),
@@ -21638,6 +24276,7 @@ async function getProtectionSnapshot(sources) {
     activity,
     pending_approvals,
     audit: audit.slice(-MAX_AUDIT).reverse(),
+    privacy,
     upstream_servers,
     mode: sources.mode,
     server_version: sources.server_version,
@@ -21751,7 +24390,7 @@ function l4EvidenceBlock(l4) {
 }
 function renderDashboardHTML(options) {
   const { snapshot } = options;
-  const { overall, agent, layers, activity, pending_approvals, audit, upstream_servers } = snapshot;
+  const { overall, agent, layers, activity, pending_approvals, audit, privacy, upstream_servers } = snapshot;
   const activityRows = activity.length === 0 ? `<tr class="empty"><td colspan="5">Waiting for tool calls\u2026</td></tr>` : activity.map((entry) => {
     const time = new Date(entry.timestamp).toLocaleTimeString();
     return `<tr class="result-${escHtml(entry.result)}">
@@ -21784,6 +24423,8 @@ function renderDashboardHTML(options) {
           <span class="mono">${escHtml(s.name)}</span>
           <span class="server-meta">${escHtml(s.state)} \xB7 ${escHtml(s.tool_count)} tool${s.tool_count === 1 ? "" : "s"}</span>
         </li>`).join("");
+  const privacyClasses = Object.entries(privacy.classes).sort((a, b) => b[1] - a[1]).map(([name, count]) => `<span class="privacy-chip">${escHtml(name)} ${escHtml(count)}</span>`).join("");
+  const privacyLast = privacy.last_filtered_at ? new Date(privacy.last_filtered_at).toLocaleString() : "No filtering events yet";
   const initialSnapshot = JSON.stringify(snapshot).replace(/</g, "\\u003c").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
   return `<!DOCTYPE html>
 <html lang="en">
@@ -22061,6 +24702,13 @@ button { font: inherit; cursor: pointer; }
 .panel { background: var(--surface); border: 1px solid var(--border); border-radius: var(--radius); overflow: hidden; }
 .panel-head { display: flex; justify-content: space-between; align-items: center; padding: 12px 18px; border-bottom: 1px solid var(--border); }
 .panel-head h3 { font-size: 12px; text-transform: uppercase; letter-spacing: 0.1em; color: var(--ink-dim); }
+.privacy-grid { display: grid; grid-template-columns: repeat(3, minmax(0, 1fr)); gap: 12px; }
+.privacy-metric { background: var(--surface); border: 1px solid var(--border); border-radius: var(--radius-sm); padding: 14px 16px; }
+.privacy-metric dt { color: var(--ink-mute); font-size: 11px; text-transform: uppercase; letter-spacing: 0.08em; margin-bottom: 6px; }
+.privacy-metric dd { color: var(--ink); font-size: 22px; font-weight: 700; }
+.privacy-metric dd.small { font-size: 13px; font-weight: 500; color: var(--ink-dim); line-height: 1.35; overflow-wrap: anywhere; }
+.privacy-classes { display: flex; flex-wrap: wrap; gap: 6px; margin-top: 10px; }
+.privacy-chip { border: 1px solid var(--border); color: var(--ink-dim); border-radius: 999px; padding: 4px 8px; font-size: 12px; background: rgba(255,255,255,0.03); }
 .filter-row { display: flex; gap: 6px; }
 .filter-row button {
   padding: 4px 10px;
@@ -22158,6 +24806,27 @@ details.audit-details .audit-filters { display: flex; gap: 6px; padding: 0 18px
     <ul class="server-list" id="server-list">${serverRows}</ul>
   </section>
+  <section class="section">
+    <h2>Privacy boundary <span class="count" id="privacy-count">${privacy.filtered_spans}</span></h2>
+    <dl class="privacy-grid">
+      <div class="privacy-metric">
+        <dt>Filtered spans</dt>
+        <dd id="privacy-spans">${escHtml(privacy.filtered_spans)}</dd>
+      </div>
+      <div class="privacy-metric">
+        <dt>Filtered events</dt>
+        <dd id="privacy-events">${escHtml(privacy.filtered_events)}</dd>
+      </div>
+      <div class="privacy-metric">
+        <dt>Last filter</dt>
+        <dd class="small" id="privacy-last">${escHtml(privacyLast)}</dd>
+      </div>
+    </dl>
+    <div class="privacy-classes" id="privacy-classes">
+      ${privacyClasses || `<span class="privacy-chip">No classes recorded</span>`}
+    </div>
+  </section>
   <section class="section">
     <h2>Live activity <span class="count" id="activity-count">${activity.length}</span></h2>
     <div class="panel">
@@ -22285,6 +24954,23 @@ details.audit-details .audit-filters { display: flex; gap: 6px; padding: 0 18px
     )).join("");
   }
+  function renderPrivacy(summary) {
+    const count = document.getElementById("privacy-count");
+    const spans = document.getElementById("privacy-spans");
+    const events = document.getElementById("privacy-events");
+    const last = document.getElementById("privacy-last");
+    const classes = document.getElementById("privacy-classes");
+    if (!summary || !spans || !events || !last || !classes) return;
+    if (count) count.textContent = String(summary.filtered_spans || 0);
+    spans.textContent = String(summary.filtered_spans || 0);
+    events.textContent = String(summary.filtered_events || 0);
+    last.textContent = summary.last_filtered_at ? new Date(summary.last_filtered_at).toLocaleString() : "No filtering events yet";
+    const rows = Object.entries(summary.classes || {}).sort((a, b) => b[1] - a[1]);
+    classes.innerHTML = rows.length
+      ? rows.map(([name, n]) => '<span class="privacy-chip">' + esc(name) + ' ' + esc(n) + '</span>').join("")
+      : '<span class="privacy-chip">No classes recorded</span>';
+  }
   function renderAll(snap) {
     snapshot = snap;
     renderShield(snap.overall.light, snap.overall.headline);
@@ -22294,6 +24980,7 @@ details.audit-details .audit-filters { display: flex; gap: 6px; padding: 0 18px
     document.getElementById("agent-did").textContent = snap.agent.did_fingerprint || "unclaimed";
     renderActivity(snap.activity);
     renderApprovals(snap.pending_approvals);
+    renderPrivacy(snap.privacy);
     renderAudit(snap.audit, currentAuditFilter());
   }
@@ -22385,9 +25072,7 @@ var TEMPLATE_NAMES = [
   "coding-assistant",
   "ops-runner",
   "planner",
-  "handoff-coordinator",
-  "x-miner",
-  "github-miner"
+  "handoff-coordinator"
 ];
 function isTemplateName(value) {
   return typeof value === "string" && TEMPLATE_NAMES.includes(value);
@@ -22763,88 +25448,6 @@ function applyChannelTemplate(id, params) {
   return entry.factory(params);
 }
-// src/mesh/errors.ts
-var MeshError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "MeshError";
-  }
-};
-var MeshEnvelopeError = class extends MeshError {
-  constructor(message) {
-    super(message);
-    this.name = "MeshEnvelopeError";
-  }
-};
-var MeshReservedExtensionKeyError = class extends MeshEnvelopeError {
-  constructor(key) {
-    super(
-      `v0.1 emitters MUST NOT populate reserved extension_envelope key: ${key}`
-    );
-    this.name = "MeshReservedExtensionKeyError";
-  }
-};
-var MeshReservedEventTypeError = class extends MeshEnvelopeError {
-  constructor(eventType) {
-    super(
-      `v0.1 emitters MUST NOT emit reserved-namespace event_type: ${eventType}`
-    );
-    this.name = "MeshReservedEventTypeError";
-  }
-};
-// src/mesh/canonical-json.ts
-var MeshCanonicalJsonError = class extends MeshError {
-  constructor(message) {
-    super(message);
-    this.name = "MeshCanonicalJsonError";
-  }
-};
-function canonicalize2(value) {
-  if (value === void 0) {
-    throw new MeshCanonicalJsonError(
-      "canonicalize(): top-level undefined is not serializable"
-    );
-  }
-  return encode(value);
-}
-function encode(value) {
-  if (value === null) return "null";
-  if (typeof value === "boolean") return value ? "true" : "false";
-  if (typeof value === "number") {
-    if (!Number.isFinite(value)) {
-      throw new MeshCanonicalJsonError(
-        `canonicalize(): non-finite number (${String(value)}) is not serializable`
-      );
-    }
-    return JSON.stringify(value);
-  }
-  if (typeof value === "string") return JSON.stringify(value);
-  if (Array.isArray(value)) return encodeArray(value);
-  if (typeof value === "object") return encodeObject(value);
-  throw new MeshCanonicalJsonError(
-    `canonicalize(): unsupported type ${typeof value}`
-  );
-}
-function encodeArray(arr) {
-  const parts = [];
-  for (const item of arr) {
-    parts.push(item === void 0 ? "null" : encode(item));
-  }
-  return "[" + parts.join(",") + "]";
-}
-function encodeObject(obj) {
-  const keys = Object.keys(obj).filter((k) => obj[k] !== void 0).sort();
-  const parts = [];
-  for (const k of keys) {
-    parts.push(JSON.stringify(k) + ":" + encode(obj[k]));
-  }
-  return "{" + parts.join(",") + "}";
-}
-function canonicalizeToBytes(value) {
-  return new TextEncoder().encode(canonicalize2(value));
-}
 // src/policy-engine/canonical-policy.ts
 init_encoding();
@@ -23312,6 +25915,176 @@ function initTemplate(params) {
   });
   return { compiled, signed_event, bundle };
 }
+var DEFAULT_STORAGE_DIR = ".sanctuary";
+var KEYCHAIN_SERVICE_DEFAULT = "sanctuary-passphrase";
+function keychainServiceFor(storagePath, home = homedir()) {
+  const defaultPath = join(home, DEFAULT_STORAGE_DIR);
+  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256(Buffer.from(storagePath, "utf-8"));
+  const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
+  return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
+}
+var RUNTIME_FILE_NAME = "runtime.json";
+function runtimePath(storagePath) {
+  return join(storagePath, RUNTIME_FILE_NAME);
+}
+async function readTenantRuntime(storagePath) {
+  try {
+    const raw = await readFile(runtimePath(storagePath), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.dashboard_port !== "number" || typeof parsed.pid !== "number" || typeof parsed.started_at !== "string" || typeof parsed.version !== "string" || typeof parsed.dashboard_host !== "string" || typeof parsed.mode !== "string") {
+      return null;
+    }
+    const state = {
+      version: parsed.version,
+      pid: parsed.pid,
+      started_at: parsed.started_at,
+      dashboard_host: parsed.dashboard_host,
+      dashboard_port: parsed.dashboard_port,
+      mode: parsed.mode
+    };
+    if (typeof parsed.webhook_callback_port === "number") {
+      state.webhook_callback_port = parsed.webhook_callback_port;
+    }
+    if (typeof parsed.webhook_callback_host === "string") {
+      state.webhook_callback_host = parsed.webhook_callback_host;
+    }
+    return state;
+  } catch {
+    return null;
+  }
+}
+// src/cli/agents/discovery.ts
+var EXTRAS_FILE_NAME = "agents-extra.json";
+async function isTenantDir(path) {
+  const [hasState, hasProfile, hasFallback] = await Promise.all([
+    dirExists(join(path, "state")),
+    fileExists3(join(path, "cocoon-profile.json")),
+    fileExists3(join(path, "passphrase.enc"))
+  ]);
+  const initialized = hasState;
+  let passphraseStatus;
+  if (hasFallback) passphraseStatus = "fallback-file";
+  else if (hasProfile || hasState) passphraseStatus = "keychain";
+  else passphraseStatus = "not-initialized";
+  return { initialized, hasProfile, passphraseStatus };
+}
+async function dirExists(path) {
+  try {
+    const s = await stat(path);
+    return s.isDirectory();
+  } catch {
+    return false;
+  }
+}
+async function fileExists3(path) {
+  try {
+    const s = await stat(path);
+    return s.isFile();
+  } catch {
+    return false;
+  }
+}
+async function newestAuditMtime(storagePath) {
+  const auditDir = join(storagePath, "state", "_audit");
+  let entries = [];
+  try {
+    entries = await readdir(auditDir);
+  } catch {
+    return null;
+  }
+  let newest = 0;
+  for (const name of entries) {
+    try {
+      const s = await stat(join(auditDir, name));
+      if (s.isFile() && s.mtimeMs > newest) newest = s.mtimeMs;
+    } catch {
+    }
+  }
+  if (newest === 0) return null;
+  return new Date(newest).toISOString();
+}
+async function readExtraPaths(root, env) {
+  const out = [];
+  const fromEnv = env.SANCTUARY_AGENTS_EXTRA_PATHS;
+  if (fromEnv && fromEnv.length > 0) {
+    for (const part of fromEnv.split(":")) {
+      const trimmed = part.trim();
+      if (trimmed.length > 0) out.push(resolve(trimmed));
+    }
+  }
+  try {
+    const raw = await readFile(join(root, EXTRAS_FILE_NAME), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed)) {
+      for (const p of parsed) {
+        if (typeof p === "string" && p.trim().length > 0) out.push(resolve(p));
+      }
+    }
+  } catch {
+  }
+  return Array.from(new Set(out));
+}
+async function describeTenant(name, storagePath, home) {
+  const exists = await dirExists(storagePath);
+  if (!exists) return null;
+  const { initialized, hasProfile, passphraseStatus } = await isTenantDir(storagePath);
+  if (!initialized && !hasProfile && passphraseStatus === "not-initialized") {
+    return null;
+  }
+  const last_activity = await newestAuditMtime(storagePath);
+  const runtime = await readTenantRuntime(storagePath);
+  return {
+    name,
+    storage_path: storagePath,
+    exists: true,
+    initialized,
+    has_cocoon_profile: hasProfile,
+    keychain_service: keychainServiceFor(storagePath, home),
+    passphrase_status: passphraseStatus,
+    last_activity,
+    runtime
+  };
+}
+async function discoverTenants(options = {}) {
+  const home = options.home ?? homedir();
+  const env = options.env ?? process.env;
+  const root = options.root ?? join(home, DEFAULT_STORAGE_DIR);
+  const tenants = [];
+  const rootTenant = await describeTenant("default", root, home);
+  if (rootTenant) tenants.push(rootTenant);
+  let children = [];
+  try {
+    children = await readdir(root);
+  } catch {
+  }
+  for (const child of children) {
+    const childPath = join(root, child);
+    if (child.startsWith(".")) continue;
+    if (child === "state" || child === "backup" || child === "config") continue;
+    const s = await stat(childPath).catch(() => null);
+    if (!s || !s.isDirectory()) continue;
+    const desc = await describeTenant(child, childPath, home);
+    if (desc) tenants.push(desc);
+  }
+  const extras = await readExtraPaths(root, env);
+  for (const extra of extras) {
+    if (tenants.some((t) => t.storage_path === extra)) continue;
+    const desc = await describeTenant(basename(extra), extra, home);
+    if (desc) tenants.push(desc);
+  }
+  tenants.sort((a, b) => {
+    if (a.name === "default") return -1;
+    if (b.name === "default") return 1;
+    return a.name.localeCompare(b.name);
+  });
+  return tenants;
+}
+async function findTenant(name, options = {}) {
+  const tenants = await discoverTenants(options);
+  return tenants.find((t) => t.name === name) ?? null;
+}
 // src/dashboard/api.ts
 function constantTimeEquals(a, b) {
@@ -23465,6 +26238,18 @@ async function handleRequest(deps, req, res) {
         });
         return true;
       }
+      const isAgentWrapped = deps.isAgentWrapped ?? (async (agentId) => {
+        const tenant = await findTenant(agentId);
+        if (!tenant) return false;
+        return tenant.initialized || tenant.has_cocoon_profile;
+      });
+      if (!await isAgentWrapped(body.agent_name)) {
+        writeJSON(res, 400, {
+          error: "orphan_agent_id",
+          message: `No wrapped harness found for agent_id "${body.agent_name}". Run \`sanctuary wrap\` to wrap the harness first, then retry template init.`
+        });
+        return true;
+      }
       const nodeId = deps.nodeId ?? "dashboard-node";
       const nodePrivateKey = deps.nodePrivateKey ?? generateEphemeralKey();
       const principalId = deps.principalId ?? "dashboard-principal";
@@ -23573,11 +26358,11 @@ async function startDashboardServer(options) {
       }
     }
   });
-  await new Promise((resolve, reject) => {
+  await new Promise((resolve4, reject) => {
     server.once("error", reject);
     server.listen(port, host, () => {
       server.off("error", reject);
-      resolve();
+      resolve4();
     });
   });
   const actualPort = (() => {
@@ -23590,12 +26375,14 @@ async function startDashboardServer(options) {
     url,
     port: actualPort,
     host,
-    stop: () => new Promise((resolve, reject) => {
-      server.close((err) => err ? reject(err) : resolve());
+    stop: () => new Promise((resolve4, reject) => {
+      server.close((err) => err ? reject(err) : resolve4());
     }),
     publish,
     publishActivity: (entry) => publish({ type: "activity", data: entry }),
-    publishApproval: (approval) => publish({ type: "approval", data: approval })
+    publishApproval: (approval) => publish({ type: "approval", data: approval }),
+    publishInbox: (item) => publish({ type: "inbox", data: item }),
+    publishAgentStatus: (snapshot) => publish({ type: "agent_status", data: snapshot })
   };
 }
@@ -23730,6 +26517,20 @@ async function createSanctuaryServer(options) {
     }
   }
   const auditLog = new AuditLog(storage, masterKey);
+  try {
+    await consumeResetHistoryMarker({
+      storagePath: config.storage_path,
+      auditLog
+    });
+  } catch (err) {
+    if (err instanceof ResetHistoryMalformedError) {
+      throw new Error(
+        `Sanctuary: ${err.message}
+Refusing to start the cocoon while the reset-history marker is unreadable.`
+      );
+    }
+    throw err;
+  }
   const stateStore = new StateStore(storage, masterKey);
   const { tools: l1Tools, identityManager } = createL1Tools(
     stateStore,
@@ -24003,7 +26804,9 @@ async function createSanctuaryServer(options) {
   );
   const { tools: auditTools } = createAuditTools(config);
   const { tools: siemTools } = createSIEMTools(auditLog);
-  const { tools: contextGateTools, enforcer: contextGateEnforcer } = createContextGateTools(storage, masterKey, auditLog);
+  const { tools: contextGateTools, enforcer: contextGateEnforcer } = createContextGateTools(storage, masterKey, auditLog, {
+    privacyFilter: config.privacy_filter
+  });
   const hardeningTools = createL2HardeningTools(config.storage_path, auditLog);
   const profileStore = new SovereigntyProfileStore(storage, masterKey);
   await profileStore.load();
@@ -24192,7 +26995,7 @@ async function createSanctuaryServer(options) {
       clientManager.configure(enabledServers).catch((err) => {
         console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
       });
-      await new Promise((resolve) => setTimeout(resolve, 2e3));
+      await new Promise((resolve4) => setTimeout(resolve4, 2e3));
       const proxiedTools = proxyRouter.getProxiedTools();
       if (proxiedTools.length > 0) {
         allTools.push(...proxiedTools);
@@ -24234,7 +27037,7 @@ async function createSanctuaryServer(options) {
   if (recoveryKey) {
     console.error(
       `\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
-\u2551  SANCTUARY: First Run \u2014 Recovery Key Generated          \u2551
+\u2551  SANCTUARY: First Run, Recovery Key Generated           \u2551
 \u2551                                                          \u2551
 \u2551  Recovery Key: ${recoveryKey.slice(0, 20)}...             \u2551
 \u2551                                                          \u2551
@@ -24253,6 +27056,6 @@ async function createSanctuaryServer(options) {
   };
 }
-export { ATTESTATION_VERSION, ApprovalGate, AuditLog, AutoApproveChannel, BaselineTracker, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, ContextGateEnforcer, ContextGatePolicyStore, DashboardApprovalChannel, FederationRegistry, FilesystemStorage, HERO_COPY, InMemoryModelProvenanceStore, InjectionDetector, MODEL_PRESETS, MemoryStorage, PolicyStore, ProxyRouter, ReputationStore, SovereigntyProfileStore, StateStore, StderrApprovalChannel, TIER_WEIGHTS, WebhookApprovalChannel, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, ApprovalGate, AuditLog, AutoApproveChannel, BaselineTracker, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, ContextGateEnforcer, ContextGatePolicyStore, DashboardApprovalChannel, FederationRegistry, FilesystemStorage, HERO_COPY, InMemoryModelProvenanceStore, InjectionDetector, MODEL_PRESETS, MemoryStorage, PolicyStore, ProxyRouter, ReputationStore, SovereigntyProfileStore, StateStore, StderrApprovalChannel, TIER_WEIGHTS, WebhookApprovalChannel, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map