npm - @sanctuary-framework/mcp-server - Versions diffs - 1.0.0-rc.2 → 1.1.0 - Mend

@sanctuary-framework/mcp-server 1.0.0-rc.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -2,6 +2,7 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
 import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
+import { Writable } from 'node:stream';
 interface SanctuaryConfig {
     version: string;
@@ -68,6 +69,12 @@ interface SanctuaryConfig {
         /** Whether to auto-publish on successful handshake_respond calls. */
         auto_publish_handshakes: boolean;
     };
+    privacy_filter: {
+        mode: "local" | "opf" | "off";
+        fail_mode: "closed" | "fallback";
+        command: string;
+        timeout_ms: number;
+    };
 }
 /**
  * Load configuration from file, falling back to defaults.
@@ -761,6 +768,28 @@ interface EncryptedPayload {
  * - Secure deletion overwrites before unlinking
  */
+/** On-disk format for an encrypted state entry */
+interface StateEntry {
+    /** Format version */
+    v: number;
+    /** Encrypted payload */
+    payload: EncryptedPayload;
+    /** Version number (monotonically increasing) */
+    ver: number;
+    /** Signature over ciphertext by the writing identity (base64url) */
+    sig: string;
+    /** Identity that wrote this entry */
+    kid: string;
+    /** SHA-256 of the plaintext value (base64url, for client-side verification) */
+    integrity_hash: string;
+    /** Metadata */
+    metadata: {
+        content_type?: string;
+        ttl_seconds?: number;
+        tags?: string[];
+        written_at: string;
+    };
+}
 /** Result of a state write operation */
 interface WriteResult {
     key: string;
@@ -2122,6 +2151,109 @@ declare const MODEL_PRESETS: {
     mistral7bLocal: () => ModelProvenance;
 };
+/**
+ * Signature scheme identifier embedded on every signed v1.1 record.
+ *
+ * v1.1 only accepts "ed25519-v1". Mirrors the mesh module: this field is the
+ * forward-compat hinge for v1.4+ post-quantum migration. Verifiers MUST reject
+ * unknown schemes. Do not optimize this field away.
+ *
+ * Mirror of: server/src/mesh/constants.ts SignatureScheme.
+ */
+type SignatureScheme = "ed25519-v1";
+/**
+ * Detector classes for the privacy filter. Workstreams MUST use this enum so
+ * the dashboard privacy panel and audit consumers can group consistently.
+ *
+ * "custom" is reserved for operator-defined detectors via policy.
+ */
+declare const PRIVACY_DETECTOR_CLASSES: readonly ["person", "client", "project", "secret", "credential", "account", "file_path", "domain_term", "custom"];
+type PrivacyDetectorClass = (typeof PRIVACY_DETECTOR_CLASSES)[number];
+/**
+ * Outbound destination categories. The privacy filter and the remote-bound
+ * enforcement workstream agree on this enum so events compose end-to-end.
+ *
+ * Categories deliberately mirror the L2 `ProviderCategory` taxonomy in
+ * `server/src/l2-operational/context-gate.ts` (hyphen form) so JSON-stable
+ * strings flow through both layers without translation. If the L2 category
+ * set grows, keep this v1.1 list in lockstep through coordinator review.
+ */
+declare const PRIVACY_DESTINATION_CATEGORIES: readonly ["inference", "tool-api", "logging", "analytics", "peer-agent", "custom"];
+type PrivacyDestinationCategory = (typeof PRIVACY_DESTINATION_CATEGORIES)[number];
+/**
+ * Privacy actions taken on a single field. Uses the L2 vocabulary.
+ *
+ * "rehydrate" is v1.1-new and applies to inbound responses, not outbound calls.
+ */
+declare const PRIVACY_ACTIONS: readonly ["allow", "redact", "hash", "summarize", "deny", "rehydrate"];
+type PrivacyAction = (typeof PRIVACY_ACTIONS)[number];
+/**
+ * Hash algorithm identifier embedded in every privacy event content_hash.
+ *
+ * v1.1 ships ONLY `hmac-sha256-fortress-keyed-v1`: HMAC-SHA-256 over the
+ * raw field value, using a per-fortress secret derived from the master key
+ * via HKDF info string `sanctuary-v1.1-privacy-content-hmac`. Plain SHA-256
+ * is NOT permitted because privacy field values (PII, project names, client
+ * names, file paths) are low-entropy and dictionary-attackable. The keyed
+ * hash makes content hashes meaningful for equality checks across events
+ * within a fortress while remaining opaque to anyone without the per-
+ * fortress key.
+ *
+ * Forward-compat: a future v1.x privacy hardening pass may add ML-DSA-keyed
+ * variants. Verifiers MUST reject unknown algorithms.
+ */
+declare const PRIVACY_HASH_ALGS: readonly ["hmac-sha256-fortress-keyed-v1"];
+type PrivacyHashAlg = (typeof PRIVACY_HASH_ALGS)[number];
+/**
+ * Exit-bundle manifest version. v1 is the only valid value at v1.1 ship.
+ * v1.x bumps require coordinator-approved manifest amendment.
+ */
+declare const EXIT_BUNDLE_MANIFEST_VERSION: "SANCTUARY_EXIT_BUNDLE_V1";
+type ExitBundleManifestVersion = typeof EXIT_BUNDLE_MANIFEST_VERSION;
+/**
+ * Artifact kinds enumerated by the exit-bundle manifest. The export command
+ * MUST list every included artifact under one of these kinds. The verifier
+ * CLI rejects unknown kinds.
+ */
+declare const EXIT_BUNDLE_ARTIFACT_KINDS: readonly ["public_identity", "encrypted_state", "policy_set", "audit_receipts", "reputation_bundle", "commitments", "placeholder_vault_metadata"];
+type ExitBundleArtifactKind = (typeof EXIT_BUNDLE_ARTIFACT_KINDS)[number];
+/**
+ * Lightweight local privacy filter for outbound context.
+ *
+ * This is not a replacement for a full detector such as OpenAI privacy-filter.
+ * It gives Sanctuary a deterministic baseline that catches common high-risk
+ * spans inside otherwise-allowed fields, so policy gates are not limited to
+ * top-level field names.
+ */
+type PrivacySpanClass = "email" | "phone" | "ssn" | "credit_card" | "secret_assignment" | "secret" | "credential" | "account_number" | "address" | "person" | "client" | "project" | "file_path" | "domain_term" | "url" | "date" | "custom";
+declare class PrivacyPlaceholderVault {
+    private storage;
+    private encryptionKey;
+    private lookupKey;
+    private cache;
+    private pathCache;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
+    placeholderFor(spanClass: PrivacySpanClass, rawValue: string, scope?: string): Promise<string>;
+    resolvePlaceholder(placeholder: string, scope?: string): Promise<string | null>;
+    aliasForFieldPath(path: string, scope?: string): Promise<string>;
+    resolveFieldPathAlias(alias: string, scope?: string): Promise<string | null>;
+    private recordKey;
+    private indexKey;
+    private pathRecordKey;
+    private pathIndexKey;
+    private readIndex;
+    private writeIndex;
+    private readRecord;
+    private writeRecord;
+    private readPathIndex;
+    private writePathIndex;
+    private readPathRecord;
+    private writePathRecord;
+    private hmacString;
+}
 /**
  * Sanctuary MCP Server — L2 Context Gating: Automatic Enforcer
  *
@@ -2170,9 +2302,10 @@ interface EnforcerStatus {
 declare class ContextGateEnforcer {
     private policyStore;
     private auditLog;
+    private privacyVault?;
     private config;
     private stats;
-    constructor(policyStore: ContextGatePolicyStore, auditLog: AuditLog, config: EnforcerConfig);
+    constructor(policyStore: ContextGatePolicyStore, auditLog: AuditLog, config: EnforcerConfig, privacyVault?: PrivacyPlaceholderVault);
     /**
      * Wrap a tool handler to apply automatic context gating.
      *
@@ -2274,6 +2407,9 @@ interface UpstreamServer {
     tool_overrides?: Record<string, {
         tier: 1 | 2 | 3;
     }>;
+    destination_category?: "inference" | "tool-api" | "logging" | "analytics" | "peer-agent" | "custom";
+    privacy_policy_id?: string;
+    privacy_identity_id?: string;
 }
 interface SovereigntyProfile {
     version: 1;
@@ -2581,6 +2717,483 @@ declare class CallGovernor {
     private pruneDuplicateCache;
 }
+/**
+ * Sanctuary v1.1 — Privacy Audit Payload Contracts
+ *
+ * Shared payload shapes emitted by the privacy core (Prompt 3) and consumed by
+ * the remote-bound enforcement workstream (Prompt 4), the operator hub API
+ * (Prompt 5), and the dashboard privacy panel (Prompt 8).
+ *
+ * Local-only invariant:
+ * Payloads describe outbound traffic from a single fortress on a single
+ * operator's machine. v1.1 ships local-only, single-operator scope.
+ *
+ * Enclosure-and-signing model:
+ * Privacy events are NOT signed objects on their own. They are payloads
+ * carried inside an enclosing audit-chain entry (`l2-operational/audit-log`
+ * AuditEntry encrypted-at-rest under L1, plus `mesh/audit-batch`
+ * SignedAuditBatch where federation propagation applies). The enclosing
+ * audit entry carries the signature scheme; this file deliberately does not
+ * declare a signature field on any payload type.
+ *
+ * When an enforcement path emits a privacy event:
+ *   1. Build a `PrivacyAuditPayload` from this file.
+ *   2. Append it as the `details` (or equivalent payload field) of an
+ *      `AuditEntry` in the L2 audit log.
+ *   3. The mesh-layer batch envelope (`SIGNATURE_SCHEME_V1`) signs the
+ *      batch that carries this entry.
+ *
+ * Safe-metadata invariant:
+ * Raw sensitive content MUST NEVER appear in any field of any payload defined
+ * in this file. Only safe metadata is permitted: detector class, field path,
+ * action, content hash, policy id, destination category, identity id,
+ * placeholder labels.
+ *
+ * If a future workstream needs to surface a sensitive value to the operator,
+ * it MUST go through the encrypted placeholder vault — not through these
+ * payload shapes.
+ */
+/**
+ * Common metadata header on every v1.1 privacy audit payload.
+ *
+ * `event_id` is the audit-chain id assigned by the enclosing AuditEntry.
+ * `policy_id` is the bound privacy policy that produced the decision.
+ * `identity_id` is the operator identity the policy is bound to.
+ */
+interface PrivacyAuditPayloadHeader {
+    /** v1.1 payload-shape version. */
+    version: "1.1";
+    /** Unique event id; SHOULD match the enclosing audit-chain id. */
+    event_id: string;
+    /** ISO8601 timestamp of the decision. */
+    emitted_at: string;
+    /** Policy id that produced this decision. */
+    policy_id: string;
+    /** Identity the policy is bound to. */
+    identity_id: string;
+    /** Wrapped agent the outbound traffic originates from. */
+    agent_id: string;
+    /** Destination category for the outbound payload. */
+    destination_category: PrivacyDestinationCategory;
+}
+/**
+ * Per-field decision recorded inside a privacy audit payload. Field-level
+ * decisions bubble up into the rolled-up payload kinds below.
+ *
+ * Path-and-hash safety:
+ * `field_path` MUST be sanitized — see `PRIVACY_FIELD_PATH_PATTERN` in
+ * constants.ts. Raw object keys (which can themselves leak sensitive
+ * information) MUST NOT appear on the wire. `content_hash` MUST use a keyed
+ * hash algorithm (`hmac-sha256-fortress-keyed-v1` at v1.1) to defeat
+ * dictionary attacks against low-entropy field values.
+ */
+interface PrivacyFieldDecision {
+    /**
+     * Sanitized field path. Conforms to `PRIVACY_FIELD_PATH_PATTERN`:
+     * positional references like "$0" / "$1.$2" or typed positional like
+     * "obj:0" / "key:1.val:0". The fortress-local mapping back to the real
+     * path is held in the placeholder vault. Real object keys MUST NOT
+     * appear here.
+     */
+    field_path: string;
+    /** Detector class that fired on this field. */
+    detector_class: PrivacyDetectorClass;
+    /** Action taken on this field. */
+    action: PrivacyAction;
+    /**
+     * Keyed hash of the original field value. Hex-encoded.
+     * Algorithm pinned via `hash_alg`; v1.1 only accepts
+     * `hmac-sha256-fortress-keyed-v1`. The HMAC key is fortress-local
+     * (HKDF-derived from the master key); equality of two `content_hash`
+     * values within the same fortress means equal field values, but the
+     * hash is opaque to any verifier outside the fortress and resists
+     * dictionary attacks against low-entropy values. Plain SHA-256 is NOT
+     * permitted. The original value MUST NOT appear anywhere in the payload.
+     */
+    content_hash: string;
+    /** Hash algorithm identifier. v1.1 only accepts the keyed HMAC variant. */
+    hash_alg: PrivacyHashAlg;
+    /**
+     * Stable placeholder label this field was substituted with on the outbound
+     * payload, if applicable. Examples: "PERSON_1", "CLIENT_3", "SECRET_2".
+     */
+    placeholder_label?: string;
+}
+/**
+ * Outbound payload was filtered. At least one field was redacted, hashed, or
+ * substituted with a placeholder, and the call proceeded.
+ */
+interface PrivacyFilteredPayload extends PrivacyAuditPayloadHeader {
+    kind: "filtered";
+    field_decisions: PrivacyFieldDecision[];
+    /**
+     * Keyed hash of the canonicalized outbound payload after filtering.
+     * Same `hash_alg` constraint as `PrivacyFieldDecision.content_hash`.
+     */
+    outbound_payload_hash: string;
+    /** Hash algorithm. v1.1 only accepts `hmac-sha256-fortress-keyed-v1`. */
+    payload_hash_alg: PrivacyHashAlg;
+}
+/**
+ * Outbound payload was allowed unchanged. No detector fired, or every fired
+ * detector resolved to "allow" under the bound policy.
+ */
+interface PrivacyAllowedPayload extends PrivacyAuditPayloadHeader {
+    kind: "allowed";
+    /**
+     * Keyed hash of the canonicalized outbound payload.
+     * Same `hash_alg` constraint as `PrivacyFieldDecision.content_hash`.
+     */
+    outbound_payload_hash: string;
+    /** Hash algorithm. v1.1 only accepts `hmac-sha256-fortress-keyed-v1`. */
+    payload_hash_alg: PrivacyHashAlg;
+}
+/**
+ * Outbound payload was denied. Either a "deny" rule fired on a field, or the
+ * fail-closed default applied because the policy or vault was unavailable.
+ *
+ * The `denial_reason_class` is a machine-friendly label, NOT a free-text
+ * explanation. Operator-facing UIs may render a generic message keyed by this
+ * label; raw policy-rule details MUST NOT be revealed.
+ */
+interface PrivacyDeniedPayload extends PrivacyAuditPayloadHeader {
+    kind: "denied";
+    /**
+     * Coarse denial reason class. Permitted values:
+     * - "policy_deny_rule" — at least one field had a deny rule
+     * - "fail_closed_no_policy" — fail-closed because policy missing
+     * - "fail_closed_filter_error" — fail-closed because filter raised
+     * - "fail_closed_vault_error" — fail-closed because vault unavailable
+     * - "operator_override_denied" — explicit operator override path failed
+     */
+    denial_reason_class: "policy_deny_rule" | "fail_closed_no_policy" | "fail_closed_filter_error" | "fail_closed_vault_error" | "operator_override_denied";
+}
+/**
+ * Privacy filter raised an unrecoverable error and outbound traffic failed
+ * closed. Distinct from PrivacyDeniedPayload because the operator may want to
+ * surface error events as alerts rather than as policy decisions.
+ */
+interface PrivacyErrorPayload extends PrivacyAuditPayloadHeader {
+    kind: "error";
+    /** Stable error code. Implementation-specific catalog. No raw stack traces. */
+    error_code: string;
+}
+/**
+ * Inbound provider response was rehydrated using the placeholder vault. Only
+ * fires when the bound policy permits rehydration for the destination category.
+ */
+interface PrivacyRehydratedPayload extends PrivacyAuditPayloadHeader {
+    kind: "rehydrated";
+    /**
+     * Number of placeholders successfully rehydrated. The placeholders themselves
+     * are NOT logged.
+     */
+    rehydrated_count: number;
+    /** Number of placeholders that could not be rehydrated (e.g., vault entry expired). */
+    unresolvable_count: number;
+    /**
+     * Keyed hash of the canonicalized rehydrated response.
+     * Same `hash_alg` constraint as `PrivacyFieldDecision.content_hash`.
+     */
+    response_hash: string;
+    /** Hash algorithm. v1.1 only accepts `hmac-sha256-fortress-keyed-v1`. */
+    response_hash_alg: PrivacyHashAlg;
+}
+/**
+ * Discriminated union of every v1.1 privacy audit payload. The hub API and
+ * dashboard privacy panel switch on `kind`. Integrity of these payloads
+ * derives from the enclosing audit entry (encrypted-at-rest, plus signed at
+ * the mesh-batch layer where applicable). No payload in this file carries a
+ * self-signature.
+ */
+type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | PrivacyDeniedPayload | PrivacyErrorPayload | PrivacyRehydratedPayload;
+/**
+ * Sanctuary v1.1 — Exit Bundle Manifest Contract
+ *
+ * `SANCTUARY_EXIT_BUNDLE_V1` is the canonical manifest produced by the v1.1
+ * exit-bundle workstream (Prompt 7) and consumed by the standalone verifier
+ * CLI plus the import command.
+ *
+ * Local-only invariant:
+ * The bundle is produced by a single fortress on a single operator's machine
+ * and consumed by another single-operator destination. v1.1 ships local-only,
+ * single-operator scope. Cross-operator transfer is deferred to v1.3.
+ *
+ * Identity-binding invariant:
+ * The manifest is signed by the operator's fortress-master identity. The
+ * verifier MUST refuse to activate any artifact whose hash chain does not
+ * match the manifest, and MUST refuse to activate any manifest whose
+ * signature does not verify against the bound public identity.
+ *
+ * Public-only invariant:
+ * The bundle MUST NOT contain private keys, raw passphrases, or recovery
+ * seeds. Encrypted state may travel inside the bundle, but the master key
+ * MUST NOT. Re-keying happens on import using new operator-supplied
+ * material.
+ *
+ * Manifest-version invariant:
+ * v1.1 ships only "SANCTUARY_EXIT_BUNDLE_V1". Future versions land through
+ * coordinator-approved spec amendments. v1.1 verifiers MUST reject unknown
+ * manifest versions rather than silently accept.
+ */
+/**
+ * Hashing algorithm identifier embedded in every artifact entry. v1.1 uses
+ * SHA-256. Forward-compat: a future bundle version may add SHA-3 or BLAKE3.
+ */
+type ExitBundleHashAlg = "sha256";
+/**
+ * One artifact entry inside the manifest. Each artifact lives at a relative
+ * path inside the bundle archive. The verifier reads the file at that path
+ * and confirms its hash. See `EXIT_BUNDLE_PATH_PATTERN` and the safe-path
+ * rules block above for the full set of constraints.
+ */
+interface ExitBundleArtifactEntry {
+    /** Coarse artifact kind. */
+    kind: ExitBundleArtifactKind;
+    /**
+     * Relative path inside the bundle, POSIX-style. MUST satisfy
+     * `EXIT_BUNDLE_PATH_PATTERN` and the safe-path rules block above.
+     * The verifier rejects any entry whose path is absolute, contains "..",
+     * contains backslashes, or duplicates another entry's path. The verifier
+     * does NOT follow symlinks or hardlinks during extraction.
+     */
+    path: string;
+    /** Hash algorithm. v1.1 ships only "sha256". */
+    hash_alg: ExitBundleHashAlg;
+    /** Hex-encoded artifact hash. */
+    hash: string;
+    /** Size in bytes. Verifier MAY independently re-size and reject on mismatch. */
+    size_bytes: number;
+    /**
+     * Optional discriminator inside the kind, e.g., "audit-receipt-2026-Q2".
+     * Verifier does not interpret this; the import command may use it to order
+     * artifacts. Same path-pattern constraints DO NOT apply to subkind, but
+     * subkind MUST NOT contain control characters.
+     */
+    subkind?: string;
+}
+/**
+ * Identity binding embedded in the manifest. Carries only public material.
+ */
+interface ExitBundleIdentityBinding {
+    /** Operator identity id. */
+    identity_id: string;
+    /** Fortress id. */
+    fortress_id: string;
+    /** Base64url-encoded Ed25519 public key of the fortress-master. */
+    fortress_master_pubkey: string;
+    /** Optional DID, when one is bound to this identity. */
+    did?: string;
+}
+/**
+ * v1 manifest body — what the operator's fortress-master signs.
+ *
+ * `signature_scheme` lives INSIDE the body deliberately so the scheme is
+ * covered by the fortress-master signature. Without this, an attacker who
+ * substituted both `signature` and `signature_scheme` on the wrapper could
+ * present a valid-looking manifest with a different scheme. Pinning the
+ * scheme inside the signed bytes makes the crypto-agility hinge non-
+ * substitutable.
+ */
+interface ExitBundleManifestBody {
+    /** Manifest version constant. */
+    manifest_version: ExitBundleManifestVersion;
+    /** ISO8601 timestamp at export time. */
+    exported_at: string;
+    /** Source fortress / operator identity binding. */
+    identity_binding: ExitBundleIdentityBinding;
+    /**
+     * Sanctuary version string at export time. Verifier surfaces version skew
+     * to the operator if the destination fortress is older.
+     */
+    source_sanctuary_version: string;
+    /** Every artifact carried in the bundle. */
+    artifacts: ExitBundleArtifactEntry[];
+    /**
+     * Aggregate hash over canonicalize(artifacts[]). Lets the verifier perform
+     * a fast sanity check before walking each entry.
+     */
+    artifacts_aggregate_hash: string;
+    /** Aggregate hash algorithm. v1.1 ships only "sha256". */
+    artifacts_aggregate_hash_alg: ExitBundleHashAlg;
+    /**
+     * Tier 1 audit-event id that captured the export approval. Consumers MAY
+     * cross-reference with the source fortress audit chain.
+     */
+    export_approval_audit_id: string;
+    /**
+     * Signature scheme covering the wrapper's `signature` field. v1.1 ships
+     * only "ed25519-v1". Embedded inside the signed body so the scheme cannot
+     * be substituted independently of the signature.
+     */
+    signature_scheme: SignatureScheme;
+}
+/**
+ * Full signed manifest. Top-level shape that ships in the bundle archive.
+ *
+ * The wrapper carries only the `signature` and a pointer to the body. The
+ * scheme that produced the signature lives inside `body.signature_scheme`,
+ * so the signature itself attests to which scheme produced it.
+ */
+interface ExitBundleManifest {
+    /** Body — what the signature covers. */
+    body: ExitBundleManifestBody;
+    /**
+     * Base64url-encoded Ed25519 signature over canonicalize(body) by the
+     * fortress-master private key. The bundle archive is otherwise unsigned;
+     * artifact integrity comes from artifact hashes inside the body. The
+     * signing scheme is `body.signature_scheme`.
+     */
+    signature: string;
+}
+/**
+ * Verifier output shape. The standalone verifier CLI emits this structure on
+ * stdout (or as JSON for tool consumers) so import commands can branch
+ * cleanly. v1.1 ships one VerifierResult shape; future versions extend.
+ */
+interface ExitBundleVerifierResult {
+    version: "1.1";
+    /** True iff manifest signature, every artifact hash, and the aggregate hash all verify. */
+    passed: boolean;
+    /** ISO8601 timestamp of verification. */
+    verified_at: string;
+    /** Reference to the verified manifest body. */
+    manifest_summary: {
+        manifest_version: ExitBundleManifestVersion;
+        fortress_id: string;
+        identity_id: string;
+        exported_at: string;
+        artifact_count: number;
+    };
+    /**
+     * Per-artifact verification result. Order matches `manifest.body.artifacts`.
+     */
+    artifact_results: Array<{
+        path: string;
+        kind: ExitBundleArtifactKind;
+        hash_passed: boolean;
+        size_passed: boolean;
+    }>;
+    /**
+     * Coarse failure-class enum, when `passed` is false. Distinct from a free-text
+     * error message so import commands can branch.
+     */
+    failure_class?: "manifest_signature_invalid" | "manifest_unknown_version" | "manifest_signature_scheme_invalid" | "artifact_hash_mismatch" | "artifact_missing" | "artifact_size_mismatch" | "aggregate_hash_mismatch" | "artifact_path_unsafe" | "artifact_path_duplicate" | "artifact_path_escapes_root" | "archive_contains_symlink" | "private_material_present" | "other";
+}
+/**
+ * Sanctuary v1.1 — local query privacy core.
+ *
+ * This module is intentionally independent of dashboard UI and transport
+ * enforcement. Enforcement paths call it with a payload, destination category,
+ * identity-bound policy, and encrypted placeholder vault; the module returns a
+ * filtered payload or a fail-closed denial plus a shared privacy audit payload.
+ */
+type PrivacyPolicyAction = "placeholder" | Extract<PrivacyAction, "allow" | "redact" | "hash" | "deny">;
+interface PrivacyPolicy {
+    version: 1;
+    policy_id: string;
+    policy_name?: string;
+    identity_id: string;
+    detector_actions?: Partial<Record<PrivacyDetectorClass, PrivacyPolicyAction>>;
+    destination_detector_actions?: Partial<Record<PrivacyDestinationCategory, Partial<Record<PrivacyDetectorClass, PrivacyPolicyAction>>>>;
+    client_names?: string[];
+    project_names?: string[];
+    domain_terms?: string[];
+    person_names?: string[];
+    placeholder_scope?: "identity" | "policy";
+    rehydration?: {
+        default_action?: "allow" | "deny";
+        allowed_destinations?: PrivacyDestinationCategory[];
+        denied_destinations?: PrivacyDestinationCategory[];
+    };
+    max_depth?: number;
+    max_payload_bytes?: number;
+    max_string_bytes?: number;
+    operator_override?: {
+        allow_on_policy_error?: boolean;
+        allow_on_filter_error?: boolean;
+        allow_on_vault_error?: boolean;
+        allow_on_detector_error?: boolean;
+    };
+    created_at: string;
+    updated_at: string;
+}
+interface PrivacyCoreFinding {
+    raw_path: string;
+    detector_class: PrivacyDetectorClass;
+    span_class: PrivacySpanClass;
+    action: PrivacyAction;
+    content_hash: string;
+    placeholder_label?: string;
+}
+interface PrivacyFilterRequest {
+    payload: unknown;
+    policy: PrivacyPolicy | null;
+    identity_id?: string;
+    agent_id: string;
+    destination_category: PrivacyDestinationCategory;
+    audit_log?: AuditLog;
+    event_id?: string;
+}
+type PrivacyFilterDecision = {
+    status: "allowed";
+    payload: unknown;
+    findings: [];
+    audit_payload: PrivacyAuditPayload;
+} | {
+    status: "filtered";
+    payload: unknown;
+    findings: PrivacyCoreFinding[];
+    audit_payload: PrivacyAuditPayload;
+} | {
+    status: "denied";
+    payload: undefined;
+    findings: PrivacyCoreFinding[];
+    audit_payload: PrivacyDeniedPayload;
+};
+interface PrivacyRehydrationRequest {
+    response: unknown;
+    policy: PrivacyPolicy | null;
+    identity_id?: string;
+    agent_id: string;
+    destination_category: PrivacyDestinationCategory;
+    audit_log?: AuditLog;
+    event_id?: string;
+}
+type PrivacyRehydrationDecision = {
+    status: "rehydrated";
+    response: unknown;
+    rehydrated_count: number;
+    unresolvable_count: number;
+    audit_payload: PrivacyAuditPayload;
+} | {
+    status: "denied";
+    response: unknown;
+    rehydrated_count: 0;
+    unresolvable_count: 0;
+    audit_payload: PrivacyDeniedPayload;
+};
+declare class LocalPrivacyEngine {
+    private vault;
+    private hmacKey;
+    constructor(vault: PrivacyPlaceholderVault, masterKey: Uint8Array);
+    filterOutbound(request: PrivacyFilterRequest): Promise<PrivacyFilterDecision>;
+    rehydrateResponse(request: PrivacyRehydrationRequest): Promise<PrivacyRehydrationDecision>;
+    private filterNode;
+    private filterString;
+    private fieldDecisionsForFindings;
+    private rehydrateNode;
+    private rehydrateString;
+    private assertPayloadWithinBounds;
+    private deniedPayload;
+    private keyedHash;
+}
 /**
  * Sanctuary MCP Server — Proxy Router
  *
@@ -2603,6 +3216,27 @@ interface ProxyRouterOptions {
     contextGateFilter?: (toolName: string, args: Record<string, unknown>) => Promise<Record<string, unknown>>;
     /** Optional call governor for runtime governance */
     governor?: CallGovernor;
+    /**
+     * Optional v1.1 remote-bound privacy enforcement.
+     *
+     * When set, every proxied tool call is routed through
+     * `engine.filterOutbound` before the upstream forward. The bound
+     * `PrivacyPolicy` is resolved per-server via `policyResolver`, and the
+     * destination category comes from the server's `destination_category`
+     * field (defaulting to `tool-api` when absent).
+     *
+     * Fail-closed semantics:
+     * - `policyResolver` returns null when no policy is bound for the server;
+     *   the privacy engine treats that as `fail_closed_no_policy` and denies.
+     * - `policyResolver` rejecting (vault unreachable, decrypt failure, etc.)
+     *   is treated as `fail_closed_filter_error` and denies.
+     * - Operator overrides on the policy (`operator_override.allow_on_*`)
+     *   are honored by the engine itself.
+     */
+    privacyEnforcement?: {
+        engine: LocalPrivacyEngine;
+        policyResolver: (server: string, identityId: string | undefined) => Promise<PrivacyPolicy | null>;
+    };
     /** Optional callback after each proxy call decision (for dashboard feed) */
     onProxyCall?: (data: {
         tool: string;
@@ -2720,6 +3354,246 @@ declare class FilesystemStorage implements StorageBackend {
     totalSize(): Promise<number>;
 }
+/**
+ * Sanctuary MCP Server — Key Derivation
+ *
+ * Two-tier key derivation:
+ * 1. Master key from passphrase via Argon2id (memory-hard, GPU-resistant)
+ * 2. Namespace keys from master key via HKDF-SHA256
+ *
+ * This ensures:
+ * - Passphrase brute-force is expensive (Argon2id)
+ * - Compromise of one namespace key doesn't expose others (HKDF domain separation)
+ */
+/** Stored key derivation parameters (for re-deriving the master key) */
+interface KeyDerivationParams {
+    /** Algorithm */
+    alg: "argon2id";
+    /** Salt (base64url) */
+    salt: string;
+    /** Memory cost in KiB */
+    m: number;
+    /** Time cost (iterations) */
+    t: number;
+    /** Parallelism */
+    p: number;
+    /** Output length in bytes */
+    l: number;
+}
+/**
+ * Sanctuary v1.1 exit-bundle export/import implementation.
+ *
+ * The public bundle is a directory containing `manifest.json` and hashed JSON
+ * artifacts. Private keys and passphrases are never emitted. Encrypted user
+ * state can be re-keyed on import when the operator supplies source key
+ * material and the destination has a signing identity.
+ */
+interface ExitEncryptedStateBundle {
+    format: "SANCTUARY_EXIT_ENCRYPTED_STATE_V1";
+    exported_at: string;
+    key_source: "passphrase" | "recovery-key" | "unknown";
+    source_key_derivation?: KeyDerivationParams;
+    namespaces: string[];
+    total_keys: number;
+    contains_reserved_namespaces: false;
+    entries: Array<{
+        namespace: string;
+        key: string;
+        entry: StateEntry;
+    }>;
+}
+interface ExitPublicIdentityArtifact {
+    bundle: {
+        format: "SANCTUARY_IDENTITY_BUNDLE_V1";
+        publicKey: string;
+        did: string;
+        identity_id: string;
+        label: string;
+        key_type: "ed25519";
+        key_protection: string;
+        rotation_history: StoredIdentity["rotation_history"];
+        exported_at: string;
+    };
+    signature: string;
+    signed_by: string;
+}
+interface ExitPolicySetArtifact {
+    format: "SANCTUARY_EXIT_POLICY_SET_V1";
+    exported_at: string;
+    principal_policy: PrincipalPolicy;
+    config_summary: {
+        version: string;
+        state: SanctuaryConfig["state"];
+        execution: SanctuaryConfig["execution"];
+        disclosure: SanctuaryConfig["disclosure"];
+        reputation: SanctuaryConfig["reputation"];
+        privacy_filter: SanctuaryConfig["privacy_filter"];
+    };
+}
+interface ExitAuditReceiptsArtifact {
+    format: "SANCTUARY_AUDIT_RECEIPTS_V1";
+    exported_at: string;
+    total: number;
+    individual_entry_signatures: false;
+    entries: AuditEntry[];
+}
+interface ExitCommitmentsArtifact {
+    format: "SANCTUARY_EXIT_COMMITMENTS_V1";
+    exported_at: string;
+    public_commitments: Array<{
+        commitment_id: string;
+        commitment: string;
+        committed_at: string;
+        revealed: boolean;
+        revealed_at?: string;
+    }>;
+    unreadable_count: number;
+    redacted_fields: ["value", "blinding_factor"];
+}
+interface ExitPlaceholderVaultMetadataArtifact {
+    format: "SANCTUARY_PLACEHOLDER_VAULT_METADATA_V1";
+    exported_at: string;
+    entries: Array<Record<string, unknown>>;
+    unreadable_count: number;
+    redacted_fields: ["raw_value", "raw_path"];
+}
+interface ExportExitBundleOptions {
+    bundleDir: string;
+    storage: StorageBackend;
+    masterKey: Uint8Array;
+    identityManager: IdentityManager;
+    auditLog: AuditLog;
+    policy: PrincipalPolicy;
+    config?: SanctuaryConfig;
+    reputationStore?: ReputationStore;
+    stateStoragePath?: string;
+    stateNamespaces?: string[];
+    keySource?: "passphrase" | "recovery-key" | "unknown";
+    /**
+     * When the export is gated by a Tier 1 approval flow (e.g. the hub's
+     * fortress-scope export endpoint), the caller supplies the approval's
+     * audit id here. The value is embedded in the manifest's
+     * `export_approval_audit_id` field and as the `approval_id` of the L1
+     * "exit_bundle_export" audit entry, tying the manifest to the operator's
+     * actual approval rather than an internally-generated id (v1.0.2 (j)).
+     * When omitted, the export self-generates an id.
+     */
+    exportApprovalAuditId?: string;
+}
+interface ExportExitBundleResult {
+    bundle_dir: string;
+    manifest: ExitBundleManifest;
+    manifest_hash: string;
+    artifact_count: number;
+    unsupported_artifacts: string[];
+}
+interface ImportExitBundleOptions {
+    bundleDir: string;
+    storage: StorageBackend;
+    masterKey: Uint8Array;
+    identityManager: IdentityManager;
+    auditLog: AuditLog;
+    reputationStore?: ReputationStore;
+    activate?: boolean;
+    conflictResolution?: "skip" | "overwrite" | "version";
+    sourcePassphrase?: string;
+    sourceRecoveryKey?: string;
+    sourceMasterKey?: Uint8Array;
+    destinationSignerIdentityId?: string;
+}
+interface ExitBundleConflictReport {
+    public_identity_exists: boolean;
+    state_conflicts: Array<{
+        namespace: string;
+        key: string;
+    }>;
+    reputation_conflicts: string[];
+    policy_set_exists: boolean;
+    audit_receipts_exist: boolean;
+}
+interface ImportExitBundleResult {
+    verified: boolean;
+    activated: boolean;
+    conflicts: ExitBundleConflictReport;
+    state: {
+        status: "not_requested" | "rekeyed" | "staged_requires_source_key" | "skipped_no_destination_signer";
+        imported_keys: number;
+        skipped_keys: number;
+        skipped_invalid_sig: number;
+        skipped_unknown_kid: number;
+        conflicts: number;
+    };
+    reputation: {
+        imported_attestations: number;
+        invalid_attestations: number;
+        unverifiable_attestations: number;
+    };
+    staged_artifacts: string[];
+    warnings: string[];
+    unsupported_artifacts: string[];
+}
+declare function exportExitBundle(opts: ExportExitBundleOptions): Promise<ExportExitBundleResult>;
+declare function importExitBundle(opts: ImportExitBundleOptions): Promise<ImportExitBundleResult>;
+declare function exitBundleManifestShape(): Record<string, unknown>;
+/**
+ * Sanctuary v1.1 exit-bundle verifier.
+ *
+ * Verifies the signed SANCTUARY_EXIT_BUNDLE_V1 manifest, every artifact hash,
+ * and the exported identity / reputation signatures that are independently
+ * verifiable from public material in the bundle.
+ */
+interface ExitBundleDetailedVerifierResult extends ExitBundleVerifierResult {
+    manifest_path: string;
+    manifest_hash: string | null;
+    warnings: string[];
+    unsupported_artifacts: string[];
+    identity?: {
+        signature_valid: boolean;
+        identity_id?: string;
+        did?: string;
+    };
+    audit?: {
+        receipt_count: number;
+        individual_signatures_verified: boolean;
+    };
+    reputation?: {
+        bundle_signature_valid: boolean | "unverifiable";
+        attestation_count: number;
+        verified_attestations: number;
+        invalid_attestations: number;
+        unverifiable_attestations: number;
+    };
+}
+interface LoadedExitArtifact<T = unknown> {
+    entry: ExitBundleArtifactEntry;
+    path: string;
+    json: T;
+    bytes: Uint8Array;
+}
+declare function readManifest(bundleDir: string): Promise<ExitBundleManifest>;
+declare function loadExitArtifact<T = unknown>(bundleDir: string, manifest: ExitBundleManifest, kind: ExitBundleArtifactKind): Promise<LoadedExitArtifact<T> | null>;
+declare function verifyExitBundle(bundleDir: string): Promise<ExitBundleDetailedVerifierResult>;
+/**
+ * `sanctuary exit` CLI.
+ *
+ * Operator-facing export/import/verifier path for SANCTUARY_EXIT_BUNDLE_V1.
+ * Dashboard wizard work consumes the same module APIs later.
+ */
+interface ExitCommandArgs {
+    argv: string[];
+    out?: Writable;
+    err?: Writable;
+    stdin?: NodeJS.ReadableStream;
+    env?: NodeJS.ProcessEnv;
+}
+declare function runExitCommand(args: ExitCommandArgs): Promise<number>;
 /**
  * Sanctuary MCP Server — Principal Policy Loader
  *
@@ -3631,6 +4505,12 @@ interface UpstreamServerStatus {
     tool_count: number;
     error?: string;
 }
+interface PrivacySummary {
+    filtered_events: number;
+    filtered_spans: number;
+    classes: Record<string, number>;
+    last_filtered_at: string | null;
+}
 interface ProtectionSnapshot {
     overall: {
         status: OverallStatus;
@@ -3647,6 +4527,7 @@ interface ProtectionSnapshot {
     activity: ActivityEntry[];
     pending_approvals: PendingApproval[];
     audit: AuditEntry[];
+    privacy: PrivacySummary;
     upstream_servers: UpstreamServerStatus[];
     mode: "co-located" | "standalone";
     server_version: string;
@@ -3700,8 +4581,19 @@ interface ApprovalHandlers {
     allow: (id: string) => Promise<boolean>;
     deny: (id: string) => Promise<boolean>;
 }
+/**
+ * SSE event taxonomy.
+ *
+ * v1.0 event names: `snapshot` (initial hydration), `activity` (audit feed
+ * append), `approval` (pending approval surfaced).
+ *
+ * v1.1 added: `inbox` (HubInboxItem replace-or-prepend by item_id) and
+ * `agent_status` (HubAgentStatusSnapshot replace by agent_id). The hub
+ * service emits these via the existing `publish` interface; the producer
+ * wires every name verbatim through `event: <type>` SSE frames.
+ */
 interface StreamEvent {
-    type: "snapshot" | "activity" | "approval";
+    type: "snapshot" | "activity" | "approval" | "inbox" | "agent_status";
     data: unknown;
 }
@@ -3739,6 +4631,18 @@ interface DashboardHandle {
     publishActivity: (entry: ActivityEntry) => void;
     /** Push a new pending approval (already added by the approval channel). */
     publishApproval: (approval: PendingApproval) => void;
+    /**
+     * Push a v1.1 hub inbox item update. Producers (HubService) call this
+     * on inbox writes (Tier 1 enqueue, Tier 1 resolve, source-pulled item
+     * surfaced). Consumers replace-or-prepend by `item_id`.
+     */
+    publishInbox: (item: unknown) => void;
+    /**
+     * Push a v1.1 per-agent status update. Producers call this when the
+     * agent registry's `updateStatus` transitions. Consumers replace by
+     * `agent_id`.
+     */
+    publishAgentStatus: (snapshot: unknown) => void;
 }
 declare function startDashboardServer(options: DashboardServerOptions): Promise<DashboardHandle>;
@@ -3835,4 +4739,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
-export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type ExitAuditReceiptsArtifact, type ExitBundleDetailedVerifierResult, type ExitCommandArgs, type ExitCommitmentsArtifact, type ExitEncryptedStateBundle, type ExitPlaceholderVaultMetadataArtifact, type ExitPolicySetArtifact, type ExitPublicIdentityArtifact, type ExportExitBundleOptions, type ExportExitBundleResult, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, type ImportExitBundleOptions, type ImportExitBundleResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, type LoadedExitArtifact, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };