npm - @sanctuary-framework/mcp-server - Versions diffs - 1.0.0-rc.2 → 1.1.1 - Mend

@sanctuary-framework/mcp-server 1.0.0-rc.2 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -2,6 +2,7 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
 import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
+import { Writable } from 'node:stream';
 interface SanctuaryConfig {
     version: string;
@@ -68,6 +69,12 @@ interface SanctuaryConfig {
         /** Whether to auto-publish on successful handshake_respond calls. */
         auto_publish_handshakes: boolean;
     };
+    privacy_filter: {
+        mode: "local" | "opf" | "off";
+        fail_mode: "closed" | "fallback";
+        command: string;
+        timeout_ms: number;
+    };
 }
 /**
  * Load configuration from file, falling back to defaults.
@@ -761,6 +768,28 @@ interface EncryptedPayload {
  * - Secure deletion overwrites before unlinking
  */
+/** On-disk format for an encrypted state entry */
+interface StateEntry {
+    /** Format version */
+    v: number;
+    /** Encrypted payload */
+    payload: EncryptedPayload;
+    /** Version number (monotonically increasing) */
+    ver: number;
+    /** Signature over ciphertext by the writing identity (base64url) */
+    sig: string;
+    /** Identity that wrote this entry */
+    kid: string;
+    /** SHA-256 of the plaintext value (base64url, for client-side verification) */
+    integrity_hash: string;
+    /** Metadata */
+    metadata: {
+        content_type?: string;
+        ttl_seconds?: number;
+        tags?: string[];
+        written_at: string;
+    };
+}
 /** Result of a state write operation */
 interface WriteResult {
     key: string;
@@ -2122,6 +2151,124 @@ declare const MODEL_PRESETS: {
     mistral7bLocal: () => ModelProvenance;
 };
+/**
+ * Signature scheme identifier embedded on every signed v1.1 record.
+ *
+ * v1.1 only accepts "ed25519-v1". Mirrors the mesh module: this field is the
+ * forward-compat hinge for v1.4+ post-quantum migration. Verifiers MUST reject
+ * unknown schemes. Do not optimize this field away.
+ *
+ * Mirror of: server/src/mesh/constants.ts SignatureScheme.
+ */
+type SignatureScheme = "ed25519-v1";
+/**
+ * Detector classes for the privacy filter. Workstreams MUST use this enum so
+ * the dashboard privacy panel and audit consumers can group consistently.
+ *
+ * "custom" is reserved for operator-defined detectors via policy.
+ */
+declare const PRIVACY_DETECTOR_CLASSES: readonly ["person", "client", "project", "secret", "credential", "account", "file_path", "domain_term", "custom"];
+type PrivacyDetectorClass = (typeof PRIVACY_DETECTOR_CLASSES)[number];
+/**
+ * Outbound destination categories. The privacy filter and the remote-bound
+ * enforcement workstream agree on this enum so events compose end-to-end.
+ *
+ * Categories deliberately mirror the L2 `ProviderCategory` taxonomy in
+ * `server/src/l2-operational/context-gate.ts` (hyphen form) so JSON-stable
+ * strings flow through both layers without translation. If the L2 category
+ * set grows, keep this v1.1 list in lockstep through coordinator review.
+ */
+declare const PRIVACY_DESTINATION_CATEGORIES: readonly ["inference", "tool-api", "logging", "analytics", "peer-agent", "custom"];
+type PrivacyDestinationCategory = (typeof PRIVACY_DESTINATION_CATEGORIES)[number];
+/**
+ * Privacy actions taken on a single field. Uses the L2 vocabulary.
+ *
+ * "rehydrate" is v1.1-new and applies to inbound responses, not outbound calls.
+ */
+declare const PRIVACY_ACTIONS: readonly ["allow", "redact", "hash", "summarize", "deny", "rehydrate"];
+type PrivacyAction = (typeof PRIVACY_ACTIONS)[number];
+/**
+ * Hash algorithm identifier embedded in every privacy event content_hash.
+ *
+ * v1.1 ships ONLY `hmac-sha256-fortress-keyed-v1`: HMAC-SHA-256 over the
+ * raw field value, using a per-fortress secret derived from the master key
+ * via HKDF info string `sanctuary-v1.1-privacy-content-hmac`. Plain SHA-256
+ * is NOT permitted because privacy field values (PII, project names, client
+ * names, file paths) are low-entropy and dictionary-attackable. The keyed
+ * hash makes content hashes meaningful for equality checks across events
+ * within a fortress while remaining opaque to anyone without the per-
+ * fortress key.
+ *
+ * Forward-compat: a future v1.x privacy hardening pass may add ML-DSA-keyed
+ * variants. Verifiers MUST reject unknown algorithms.
+ */
+declare const PRIVACY_HASH_ALGS: readonly ["hmac-sha256-fortress-keyed-v1"];
+type PrivacyHashAlg = (typeof PRIVACY_HASH_ALGS)[number];
+/**
+ * Hub inbox item kinds. Hub API and dashboard consume the same enum so the
+ * unified inbox renders without inventing new categories per surface.
+ */
+declare const HUB_INBOX_KINDS: readonly ["approval_pending", "blocked_egress", "privacy_event", "budget_warning", "recovery_prompt", "agent_error"];
+type HubInboxKind = (typeof HUB_INBOX_KINDS)[number];
+/**
+ * Agent lifecycle states surfaced to the operator hub.
+ *
+ * Underlying harness capability dictates which transitions are reachable; the
+ * hub API surfaces unsupported transitions as "not_supported" rather than
+ * faking them.
+ */
+declare const HUB_AGENT_STATUSES: readonly ["active", "paused", "restarting", "locked_down", "unwrapping", "error", "unknown"];
+type HubAgentStatus = (typeof HUB_AGENT_STATUSES)[number];
+/**
+ * Exit-bundle manifest version. v1 is the only valid value at v1.1 ship.
+ * v1.x bumps require coordinator-approved manifest amendment.
+ */
+declare const EXIT_BUNDLE_MANIFEST_VERSION: "SANCTUARY_EXIT_BUNDLE_V1";
+type ExitBundleManifestVersion = typeof EXIT_BUNDLE_MANIFEST_VERSION;
+/**
+ * Artifact kinds enumerated by the exit-bundle manifest. The export command
+ * MUST list every included artifact under one of these kinds. The verifier
+ * CLI rejects unknown kinds.
+ */
+declare const EXIT_BUNDLE_ARTIFACT_KINDS: readonly ["public_identity", "encrypted_state", "policy_set", "audit_receipts", "reputation_bundle", "commitments", "placeholder_vault_metadata"];
+type ExitBundleArtifactKind = (typeof EXIT_BUNDLE_ARTIFACT_KINDS)[number];
+/**
+ * Lightweight local privacy filter for outbound context.
+ *
+ * This is not a replacement for a full detector such as OpenAI privacy-filter.
+ * It gives Sanctuary a deterministic baseline that catches common high-risk
+ * spans inside otherwise-allowed fields, so policy gates are not limited to
+ * top-level field names.
+ */
+type PrivacySpanClass = "email" | "phone" | "ssn" | "credit_card" | "secret_assignment" | "secret" | "credential" | "account_number" | "address" | "person" | "client" | "project" | "file_path" | "domain_term" | "url" | "date" | "custom";
+declare class PrivacyPlaceholderVault {
+    private storage;
+    private encryptionKey;
+    private lookupKey;
+    private cache;
+    private pathCache;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
+    placeholderFor(spanClass: PrivacySpanClass, rawValue: string, scope?: string): Promise<string>;
+    resolvePlaceholder(placeholder: string, scope?: string): Promise<string | null>;
+    aliasForFieldPath(path: string, scope?: string): Promise<string>;
+    resolveFieldPathAlias(alias: string, scope?: string): Promise<string | null>;
+    private recordKey;
+    private indexKey;
+    private pathRecordKey;
+    private pathIndexKey;
+    private readIndex;
+    private writeIndex;
+    private readRecord;
+    private writeRecord;
+    private readPathIndex;
+    private writePathIndex;
+    private readPathRecord;
+    private writePathRecord;
+    private hmacString;
+}
 /**
  * Sanctuary MCP Server — L2 Context Gating: Automatic Enforcer
  *
@@ -2170,9 +2317,10 @@ interface EnforcerStatus {
 declare class ContextGateEnforcer {
     private policyStore;
     private auditLog;
+    private privacyVault?;
     private config;
     private stats;
-    constructor(policyStore: ContextGatePolicyStore, auditLog: AuditLog, config: EnforcerConfig);
+    constructor(policyStore: ContextGatePolicyStore, auditLog: AuditLog, config: EnforcerConfig, privacyVault?: PrivacyPlaceholderVault);
     /**
      * Wrap a tool handler to apply automatic context gating.
      *
@@ -2274,6 +2422,9 @@ interface UpstreamServer {
     tool_overrides?: Record<string, {
         tier: 1 | 2 | 3;
     }>;
+    destination_category?: "inference" | "tool-api" | "logging" | "analytics" | "peer-agent" | "custom";
+    privacy_policy_id?: string;
+    privacy_identity_id?: string;
 }
 interface SovereigntyProfile {
     version: 1;
@@ -2581,6 +2732,887 @@ declare class CallGovernor {
     private pruneDuplicateCache;
 }
+/**
+ * Sanctuary v1.1 — Privacy Audit Payload Contracts
+ *
+ * Shared payload shapes emitted by the privacy core (Prompt 3) and consumed by
+ * the remote-bound enforcement workstream (Prompt 4), the operator hub API
+ * (Prompt 5), and the dashboard privacy panel (Prompt 8).
+ *
+ * Local-only invariant:
+ * Payloads describe outbound traffic from a single fortress on a single
+ * operator's machine. v1.1 ships local-only, single-operator scope.
+ *
+ * Enclosure-and-signing model:
+ * Privacy events are NOT signed objects on their own. They are payloads
+ * carried inside an enclosing audit-chain entry (`l2-operational/audit-log`
+ * AuditEntry encrypted-at-rest under L1, plus `mesh/audit-batch`
+ * SignedAuditBatch where federation propagation applies). The enclosing
+ * audit entry carries the signature scheme; this file deliberately does not
+ * declare a signature field on any payload type.
+ *
+ * When an enforcement path emits a privacy event:
+ *   1. Build a `PrivacyAuditPayload` from this file.
+ *   2. Append it as the `details` (or equivalent payload field) of an
+ *      `AuditEntry` in the L2 audit log.
+ *   3. The mesh-layer batch envelope (`SIGNATURE_SCHEME_V1`) signs the
+ *      batch that carries this entry.
+ *
+ * Safe-metadata invariant:
+ * Raw sensitive content MUST NEVER appear in any field of any payload defined
+ * in this file. Only safe metadata is permitted: detector class, field path,
+ * action, content hash, policy id, destination category, identity id,
+ * placeholder labels.
+ *
+ * If a future workstream needs to surface a sensitive value to the operator,
+ * it MUST go through the encrypted placeholder vault — not through these
+ * payload shapes.
+ */
+/**
+ * Common metadata header on every v1.1 privacy audit payload.
+ *
+ * `event_id` is the audit-chain id assigned by the enclosing AuditEntry.
+ * `policy_id` is the bound privacy policy that produced the decision.
+ * `identity_id` is the operator identity the policy is bound to.
+ */
+interface PrivacyAuditPayloadHeader {
+    /** v1.1 payload-shape version. */
+    version: "1.1";
+    /** Unique event id; SHOULD match the enclosing audit-chain id. */
+    event_id: string;
+    /** ISO8601 timestamp of the decision. */
+    emitted_at: string;
+    /** Policy id that produced this decision. */
+    policy_id: string;
+    /** Identity the policy is bound to. */
+    identity_id: string;
+    /** Wrapped agent the outbound traffic originates from. */
+    agent_id: string;
+    /** Destination category for the outbound payload. */
+    destination_category: PrivacyDestinationCategory;
+}
+/**
+ * Per-field decision recorded inside a privacy audit payload. Field-level
+ * decisions bubble up into the rolled-up payload kinds below.
+ *
+ * Path-and-hash safety:
+ * `field_path` MUST be sanitized — see `PRIVACY_FIELD_PATH_PATTERN` in
+ * constants.ts. Raw object keys (which can themselves leak sensitive
+ * information) MUST NOT appear on the wire. `content_hash` MUST use a keyed
+ * hash algorithm (`hmac-sha256-fortress-keyed-v1` at v1.1) to defeat
+ * dictionary attacks against low-entropy field values.
+ */
+interface PrivacyFieldDecision {
+    /**
+     * Sanitized field path. Conforms to `PRIVACY_FIELD_PATH_PATTERN`:
+     * positional references like "$0" / "$1.$2" or typed positional like
+     * "obj:0" / "key:1.val:0". The fortress-local mapping back to the real
+     * path is held in the placeholder vault. Real object keys MUST NOT
+     * appear here.
+     */
+    field_path: string;
+    /** Detector class that fired on this field. */
+    detector_class: PrivacyDetectorClass;
+    /** Action taken on this field. */
+    action: PrivacyAction;
+    /**
+     * Keyed hash of the original field value. Hex-encoded.
+     * Algorithm pinned via `hash_alg`; v1.1 only accepts
+     * `hmac-sha256-fortress-keyed-v1`. The HMAC key is fortress-local
+     * (HKDF-derived from the master key); equality of two `content_hash`
+     * values within the same fortress means equal field values, but the
+     * hash is opaque to any verifier outside the fortress and resists
+     * dictionary attacks against low-entropy values. Plain SHA-256 is NOT
+     * permitted. The original value MUST NOT appear anywhere in the payload.
+     */
+    content_hash: string;
+    /** Hash algorithm identifier. v1.1 only accepts the keyed HMAC variant. */
+    hash_alg: PrivacyHashAlg;
+    /**
+     * Stable placeholder label this field was substituted with on the outbound
+     * payload, if applicable. Examples: "PERSON_1", "CLIENT_3", "SECRET_2".
+     */
+    placeholder_label?: string;
+}
+/**
+ * Outbound payload was filtered. At least one field was redacted, hashed, or
+ * substituted with a placeholder, and the call proceeded.
+ */
+interface PrivacyFilteredPayload extends PrivacyAuditPayloadHeader {
+    kind: "filtered";
+    field_decisions: PrivacyFieldDecision[];
+    /**
+     * Keyed hash of the canonicalized outbound payload after filtering.
+     * Same `hash_alg` constraint as `PrivacyFieldDecision.content_hash`.
+     */
+    outbound_payload_hash: string;
+    /** Hash algorithm. v1.1 only accepts `hmac-sha256-fortress-keyed-v1`. */
+    payload_hash_alg: PrivacyHashAlg;
+}
+/**
+ * Outbound payload was allowed unchanged. No detector fired, or every fired
+ * detector resolved to "allow" under the bound policy.
+ */
+interface PrivacyAllowedPayload extends PrivacyAuditPayloadHeader {
+    kind: "allowed";
+    /**
+     * Keyed hash of the canonicalized outbound payload.
+     * Same `hash_alg` constraint as `PrivacyFieldDecision.content_hash`.
+     */
+    outbound_payload_hash: string;
+    /** Hash algorithm. v1.1 only accepts `hmac-sha256-fortress-keyed-v1`. */
+    payload_hash_alg: PrivacyHashAlg;
+}
+/**
+ * Outbound payload was denied. Either a "deny" rule fired on a field, or the
+ * fail-closed default applied because the policy or vault was unavailable.
+ *
+ * The `denial_reason_class` is a machine-friendly label, NOT a free-text
+ * explanation. Operator-facing UIs may render a generic message keyed by this
+ * label; raw policy-rule details MUST NOT be revealed.
+ */
+interface PrivacyDeniedPayload extends PrivacyAuditPayloadHeader {
+    kind: "denied";
+    /**
+     * Coarse denial reason class. Permitted values:
+     * - "policy_deny_rule" — at least one field had a deny rule
+     * - "fail_closed_no_policy" — fail-closed because policy missing
+     * - "fail_closed_filter_error" — fail-closed because filter raised
+     * - "fail_closed_vault_error" — fail-closed because vault unavailable
+     * - "operator_override_denied" — explicit operator override path failed
+     */
+    denial_reason_class: "policy_deny_rule" | "fail_closed_no_policy" | "fail_closed_filter_error" | "fail_closed_vault_error" | "operator_override_denied";
+}
+/**
+ * Privacy filter raised an unrecoverable error and outbound traffic failed
+ * closed. Distinct from PrivacyDeniedPayload because the operator may want to
+ * surface error events as alerts rather than as policy decisions.
+ */
+interface PrivacyErrorPayload extends PrivacyAuditPayloadHeader {
+    kind: "error";
+    /** Stable error code. Implementation-specific catalog. No raw stack traces. */
+    error_code: string;
+}
+/**
+ * Inbound provider response was rehydrated using the placeholder vault. Only
+ * fires when the bound policy permits rehydration for the destination category.
+ */
+interface PrivacyRehydratedPayload extends PrivacyAuditPayloadHeader {
+    kind: "rehydrated";
+    /**
+     * Number of placeholders successfully rehydrated. The placeholders themselves
+     * are NOT logged.
+     */
+    rehydrated_count: number;
+    /** Number of placeholders that could not be rehydrated (e.g., vault entry expired). */
+    unresolvable_count: number;
+    /**
+     * Keyed hash of the canonicalized rehydrated response.
+     * Same `hash_alg` constraint as `PrivacyFieldDecision.content_hash`.
+     */
+    response_hash: string;
+    /** Hash algorithm. v1.1 only accepts `hmac-sha256-fortress-keyed-v1`. */
+    response_hash_alg: PrivacyHashAlg;
+}
+/**
+ * Discriminated union of every v1.1 privacy audit payload. The hub API and
+ * dashboard privacy panel switch on `kind`. Integrity of these payloads
+ * derives from the enclosing audit entry (encrypted-at-rest, plus signed at
+ * the mesh-batch layer where applicable). No payload in this file carries a
+ * self-signature.
+ */
+type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | PrivacyDeniedPayload | PrivacyErrorPayload | PrivacyRehydratedPayload;
+/**
+ * Sanctuary v1.1 — Operator Hub Event Contracts
+ *
+ * Shared shapes for the unified inbox, the activity feed, and the per-agent
+ * status panels. The operator hub API workstream (Prompt 5) emits these; the
+ * dashboard UI workstream (Prompt 8) consumes them. v1.2 mobile companion
+ * planning will evaluate these shapes when it scopes a phone surface, but
+ * v1.1 does not commit to mobile compatibility — these contracts are
+ * tuned for the local dashboard surface only.
+ *
+ * Local-only invariant:
+ * Every event in this file describes activity inside a single fortress on a
+ * single operator's machine. Cross-fortress, fleet, and public-federation
+ * events are out of scope.
+ *
+ * Safe-metadata invariant:
+ * No raw sensitive content in any field. Inbox cards may carry display titles
+ * and subtitles, but those titles MUST be derived from policy templates and
+ * MUST NOT contain raw query text, tool args, filenames, client names,
+ * passphrases, or secrets.
+ */
+/**
+ * Allowed value space for `display_template_args`. Only safe primitives plus
+ * a small enumerated value set are permitted. Free-form strings ARE NOT
+ * accepted; the dashboard rejects rendering on any value outside this union.
+ *
+ * The renderer treats every value as data to interpolate into a fixed
+ * template registered under `template_id` — never as raw content. This
+ * defends against secrets, query text, file paths, and client names leaking
+ * into inbox cards via stringly-typed display fields.
+ */
+type HubDisplayTemplateArg = {
+    kind: "agent_id";
+    value: string;
+} | {
+    kind: "identity_id";
+    value: string;
+} | {
+    kind: "policy_id";
+    value: string;
+} | {
+    kind: "destination_category";
+    value: PrivacyDestinationCategory;
+} | {
+    kind: "tier";
+    value: "tier1" | "tier2" | "tier3";
+} | {
+    kind: "count";
+    value: number;
+} | {
+    kind: "iso8601";
+    value: string;
+} | {
+    kind: "duration_ms";
+    value: number;
+};
+/**
+ * Common header on every v1.1 hub inbox item.
+ *
+ * Display rendering uses a `template_id` plus typed args, NOT free-form
+ * strings. The dashboard owns the template registry; backends only emit the
+ * id and the args. This makes secret-leakage into inbox copy structurally
+ * impossible: a backend cannot smuggle raw query content into a card by
+ * accident, because there is no free-text channel.
+ */
+interface HubInboxItemHeader {
+    /** v1.1 event-shape version. */
+    version: "1.1";
+    /** Stable inbox-item id. SHOULD reference an audit-chain id where applicable. */
+    item_id: string;
+    /** Inbox kind discriminator. */
+    kind: HubInboxKind;
+    /** ISO8601 timestamp the item was created. */
+    created_at: string;
+    /** Wrapped agent id this item refers to, if applicable. */
+    agent_id?: string;
+    /** Operator identity id. */
+    identity_id: string;
+    /**
+     * Display template id. Resolved by the dashboard against a registered
+     * template catalog; the catalog owns the actual render strings. Backends
+     * MUST NOT emit raw display copy. Template id space is namespaced per
+     * inbox kind, e.g., "approval_pending.tier1.export".
+     */
+    display_template_id: string;
+    /**
+     * Typed args interpolated into the template. Every value MUST be a
+     * `HubDisplayTemplateArg` instance — no free-form strings. Renderers
+     * reject any arg outside this union, which structurally blocks secret
+     * leakage via inbox copy.
+     */
+    display_template_args: HubDisplayTemplateArg[];
+    /** Whether the operator has resolved this inbox item. */
+    resolved: boolean;
+    /** ISO8601 timestamp of resolution, if resolved. */
+    resolved_at?: string;
+}
+/**
+ * A pending Tier 1 or Tier 2 approval surfaced to the operator inbox.
+ */
+interface HubApprovalPendingItem extends HubInboxItemHeader {
+    kind: "approval_pending";
+    /** Policy tier the underlying operation falls under. */
+    tier: "tier1" | "tier2";
+    /**
+     * Coarse operation category. Stable enum so the UI can group consistently;
+     * does not reveal underlying tool args. Names align with the canonical
+     * Tier 1 / Tier 2 sets in `server/src/principal-policy/loader.ts`. Names
+     * NOT in the canonical loader (e.g., `exit_bundle_export`, `policy_change`,
+     * `lockdown`, `unwrap`) are v1.1-new and MUST be added to the loader's
+     * Tier 1 set in the same PR that lands their behavior. Drift is a release
+     * blocker.
+     */
+    operation_category: "state_export" | "state_import" | "state_delete" | "identity_rotate" | "reputation_export" | "reputation_import" | "sanctuary_export_identity_bundle" | "exit_bundle_export" | "exit_bundle_import" | "exit_bundle_rekey" | "policy_change" | "lockdown" | "unwrap" | "other";
+    /** ISO8601 deadline after which the request will be auto-denied if applicable. */
+    deadline?: string;
+    /**
+     * Result fields surfaced after the Tier 1 handler runs. Empty until
+     * resolution. Populated for fortress-scope `exit_bundle_export` so the
+     * dashboard exit-drill page can advance the wizard from the inbox
+     * resolution alone, without round-tripping through the activity feed.
+     * Per-agent items leave it undefined. Producers MUST keep field values
+     * to safe metadata only (paths and hex hashes); raw secrets MUST NOT
+     * appear here.
+     */
+    resolution_payload?: {
+        bundle_dir?: string;
+        manifest_hash?: string;
+        artifact_count?: number;
+    };
+}
+/**
+ * Outbound traffic was blocked by the egress policy or the privacy filter.
+ */
+interface HubBlockedEgressItem extends HubInboxItemHeader {
+    kind: "blocked_egress";
+    /**
+     * Destination category. Same enum as the privacy filter so unified inbox,
+     * privacy panel, and egress dashboards group consistently. Drift is a
+     * release blocker.
+     */
+    destination_category: PrivacyDestinationCategory;
+    /**
+     * Why the egress was blocked. Coarse enum, not free text. Specific policy
+     * rule names are NOT revealed.
+     */
+    block_reason_class: "egress_policy_deny" | "budget_exceeded" | "privacy_fail_closed" | "privacy_deny_rule" | "lockdown_active" | "other";
+}
+/**
+ * A privacy event surfaced to the inbox. References the underlying privacy
+ * event id; the inbox card is a thin pointer, not a duplicate of the event.
+ */
+interface HubPrivacyEventItem extends HubInboxItemHeader {
+    kind: "privacy_event";
+    /** Foreign key into the privacy-event chain. */
+    privacy_event_id: string;
+    /** Privacy event kind. */
+    privacy_event_kind: "filtered" | "allowed" | "denied" | "error" | "rehydrated";
+}
+/**
+ * A budget threshold was crossed.
+ */
+interface HubBudgetWarningItem extends HubInboxItemHeader {
+    kind: "budget_warning";
+    /** Budget bucket identifier (daily / monthly / per-agent / custom). */
+    bucket: "daily" | "monthly" | "per_agent" | "custom";
+    /** Soft-warn or hard-cap. Hard-cap usually requires operator unblock. */
+    severity: "soft_warn" | "hard_cap";
+    /** Percentage of budget used at event time. 0..1. */
+    used_fraction: number;
+}
+/**
+ * Recovery prompt — operator should run a recovery flow (passphrase reset,
+ * keychain rebind, exit drill, etc.).
+ */
+interface HubRecoveryPromptItem extends HubInboxItemHeader {
+    kind: "recovery_prompt";
+    /** Coarse recovery class. */
+    recovery_class: "passphrase_reset" | "keychain_rebind" | "config_backup_restore" | "exit_drill" | "other";
+}
+/**
+ * Agent reported an internal error.
+ */
+interface HubAgentErrorItem extends HubInboxItemHeader {
+    kind: "agent_error";
+    /** Stable error code class. Implementation-specific catalog. */
+    error_class: string;
+    /** Whether the agent is still serving traffic after the error. */
+    agent_still_active: boolean;
+}
+/**
+ * Discriminated union of every v1.1 hub inbox item.
+ */
+type HubInboxItem = HubApprovalPendingItem | HubBlockedEgressItem | HubPrivacyEventItem | HubBudgetWarningItem | HubRecoveryPromptItem | HubAgentErrorItem;
+/**
+ * Activity feed entry. The feed is a flat stream backed by the audit chain;
+ * inbox items often reference a feed entry, but feed entries are not always
+ * inbox items.
+ *
+ * Activity feed entries are read-from-storage projections of audit-chain
+ * entries. They are NOT signed envelopes themselves; integrity derives from
+ * the underlying audit entry. Consumers that need to verify the feed entry
+ * MUST resolve it to the source audit entry by `entry_id` and verify there.
+ */
+interface HubActivityFeedEntry {
+    version: "1.1";
+    /** Audit-chain entry id. */
+    entry_id: string;
+    /** ISO8601 timestamp. */
+    emitted_at: string;
+    /** Wrapped agent id, if applicable. */
+    agent_id?: string;
+    /** Identity id. */
+    identity_id: string;
+    /** Stable category enum. */
+    category: "policy_decision" | "approval" | "denial" | "egress" | "privacy" | "handoff" | "lifecycle" | "config" | "other";
+    /**
+     * Display template id. Resolved by the dashboard against the activity-feed
+     * template catalog. Backends MUST NOT emit raw summary text — the template
+     * id plus typed args is the only legitimate channel.
+     */
+    display_template_id: string;
+    /** Typed args. Same constraints as `HubInboxItemHeader.display_template_args`. */
+    display_template_args: HubDisplayTemplateArg[];
+}
+/**
+ * Per-agent status snapshot returned by the hub API. Mirrors the agent
+ * registry record but is computed-on-read; it does not flow through the
+ * audit chain by itself.
+ */
+interface HubAgentStatusSnapshot {
+    version: "1.1";
+    agent_id: string;
+    status: HubAgentStatus;
+    /**
+     * Reason class for the current status. Same enum as
+     * `LocalAgentRecord.status_reason_class`. Stable, not free text. Present
+     * only when status is `locked_down`, `error`, or `restarting`.
+     */
+    status_reason_class?: "operator_lockdown" | "policy_breach" | "budget_hard_cap" | "harness_error" | "harness_unreachable" | "passphrase_required" | "config_drift" | "other";
+    /** ISO8601 last-seen timestamp. */
+    last_activity_at: string;
+    /** Inbox-item ids currently unresolved against this agent. */
+    open_inbox_item_ids: string[];
+}
+/**
+ * Sanctuary v1.1 — Local Agent Registry Records
+ *
+ * Shared shape for the per-agent record returned by the operator hub registry
+ * API. Implementations of the hub API workstream (Prompt 5) write these;
+ * dashboard UI (Prompt 8), internal coordination (Prompt 6), and the exit
+ * bundle workstream (Prompt 7) read these.
+ *
+ * Local-only invariant:
+ * Records describe agents wrapped by a single fortress on a single operator's
+ * machine. Cross-fortress agent discovery is deferred to v1.3.
+ *
+ * No-secret invariant:
+ * Records MUST NOT carry private keys, passphrases, recovery seeds, or raw
+ * provider credentials. Provider identifiers and policy ids are safe;
+ * provider tokens are not.
+ */
+/**
+ * Coarse harness label. Mirrors the README-supported wrap targets at v1.1
+ * ship. Adding a harness requires a new entry here plus harness-compatibility
+ * coverage from Prompt 9.
+ *
+ * `mastra` has a first-class Tier B adapter at
+ * `server/src/agent-contract/adapters/mastra.ts` and is therefore a
+ * first-class kind here. `langgraph` does NOT have a dedicated adapter at
+ * v1.1 ship; LangGraph wraps land via the generic `sanctuary wrap --wrap
+ * <path>` path and surface as `generic_mcp`. When a dedicated LangGraph
+ * adapter ships, add `langgraph` here in the same PR.
+ */
+type LocalHarnessKind = "openclaw" | "hermes" | "claude_code" | "cursor" | "cline" | "mastra" | "generic_mcp" | "other";
+/**
+ * Provider category for the underlying model. Distinct from the privacy
+ * destination category enum because providers and destinations are not 1:1
+ * (one provider can serve multiple destination categories).
+ */
+interface LocalAgentModelProvider {
+    /** Coarse provider label, e.g., "anthropic", "openai", "xai", "local", "other". */
+    vendor: string;
+    /** Concrete model identifier reported by the provider, e.g., "claude-opus-4". */
+    model_id: string;
+    /**
+     * Whether the model runs locally (on-device or LAN) versus a remote provider.
+     * Local models still flow through the privacy filter where applicable.
+     */
+    runs_locally: boolean;
+}
+/**
+ * Budget summary surfaced to the hub. Concrete budget enforcement lives in
+ * the policy engine; this is a read-only snapshot.
+ */
+interface LocalAgentBudgetSummary {
+    /** Daily bucket. */
+    daily?: {
+        /** Allotment unit, e.g., "tokens", "usd". */
+        unit: string;
+        /** Total allotment for the bucket. */
+        cap: number;
+        /** Amount used so far in the bucket window. */
+        used: number;
+        /** Soft-warn threshold fraction (0..1). */
+        soft_warn?: number;
+    };
+    /** Monthly bucket. */
+    monthly?: {
+        unit: string;
+        cap: number;
+        used: number;
+        soft_warn?: number;
+    };
+    /** ISO8601 timestamp of last budget refresh. */
+    last_refreshed_at: string;
+}
+/**
+ * The canonical local agent registry record for v1.1.
+ *
+ * Implementations SHOULD treat this as read-from-storage; mutating fields is
+ * the responsibility of the hub API plus the underlying agent lifecycle owner
+ * (wrap / unwrap / template assignment / lockdown).
+ */
+interface LocalAgentRecord {
+    version: "1.1";
+    /** Stable agent identifier, scoped to this fortress. */
+    agent_id: string;
+    /** Operator identity that owns the agent. */
+    identity_id: string;
+    /** Harness the agent runs under. */
+    harness: LocalHarnessKind;
+    /** Free-text harness version string from the harness, when available. */
+    harness_version?: string;
+    /** Model and provider details. */
+    model_provider: LocalAgentModelProvider;
+    /** Bound policy id (compiled policy artifact). */
+    policy_id: string;
+    /**
+     * Bound channel-template id, when one applies. Template id space is owned
+     * by the policy engine.
+     */
+    channel_template_id?: string;
+    /** Current lifecycle status as surfaced to the hub. */
+    status: HubAgentStatus;
+    /**
+     * Reason class for the current status. Stable enum, not free text.
+     * Present only when status is `locked_down`, `error`, or `restarting`.
+     * The dashboard renders human-readable copy from a template catalog
+     * keyed by this value; backends MUST NOT emit raw reason text.
+     */
+    status_reason_class?: "operator_lockdown" | "policy_breach" | "budget_hard_cap" | "harness_error" | "harness_unreachable" | "passphrase_required" | "config_drift" | "other";
+    /** Budget summary snapshot. */
+    budget_summary: LocalAgentBudgetSummary;
+    /** ISO8601 timestamp of last agent activity. */
+    last_activity_at: string;
+    /** ISO8601 timestamp of wrap. */
+    wrapped_at: string;
+    /**
+     * Capabilities flag set surfaced by the harness. Stable string set;
+     * dashboard renders supported controls based on this set.
+     */
+    capabilities: {
+        can_pause: boolean;
+        can_resume: boolean;
+        can_restart: boolean;
+        can_unwrap: boolean;
+        can_lockdown: boolean;
+        can_chat: boolean;
+        can_change_template: boolean;
+    };
+}
+/**
+ * Note on signing:
+ * `LocalAgentRecord` is a read-from-storage projection of agent registry
+ * state. It is NOT a signed envelope. Signed audit entries that reference
+ * this record (wrap, unwrap, policy change, lockdown, etc.) carry the
+ * signature scheme on the enclosing audit-chain entry, not on the record
+ * itself. Consumers that need to verify a registry change MUST resolve
+ * through the audit chain.
+ */
+/**
+ * Hub-side filter shape used by the registry list API. Workstreams may extend
+ * with additional filters; the canonical fields below are stable.
+ */
+interface LocalAgentRegistryFilter {
+    /** Restrict to one identity id. */
+    identity_id?: string;
+    /** Restrict to one or more harness kinds. */
+    harnesses?: LocalHarnessKind[];
+    /** Restrict to one or more lifecycle statuses. */
+    statuses?: HubAgentStatus[];
+    /**
+     * Maximum records to return. Implementations SHOULD enforce a server-side
+     * upper bound regardless of caller value.
+     */
+    limit?: number;
+    /** Pagination cursor; opaque to the caller. */
+    cursor?: string;
+}
+/**
+ * Sanctuary v1.1 — Exit Bundle Manifest Contract
+ *
+ * `SANCTUARY_EXIT_BUNDLE_V1` is the canonical manifest produced by the v1.1
+ * exit-bundle workstream (Prompt 7) and consumed by the standalone verifier
+ * CLI plus the import command.
+ *
+ * Local-only invariant:
+ * The bundle is produced by a single fortress on a single operator's machine
+ * and consumed by another single-operator destination. v1.1 ships local-only,
+ * single-operator scope. Cross-operator transfer is deferred to v1.3.
+ *
+ * Identity-binding invariant:
+ * The manifest is signed by the operator's fortress-master identity. The
+ * verifier MUST refuse to activate any artifact whose hash chain does not
+ * match the manifest, and MUST refuse to activate any manifest whose
+ * signature does not verify against the bound public identity.
+ *
+ * Public-only invariant:
+ * The bundle MUST NOT contain private keys, raw passphrases, or recovery
+ * seeds. Encrypted state may travel inside the bundle, but the master key
+ * MUST NOT. Re-keying happens on import using new operator-supplied
+ * material.
+ *
+ * Manifest-version invariant:
+ * v1.1 ships only "SANCTUARY_EXIT_BUNDLE_V1". Future versions land through
+ * coordinator-approved spec amendments. v1.1 verifiers MUST reject unknown
+ * manifest versions rather than silently accept.
+ */
+/**
+ * Hashing algorithm identifier embedded in every artifact entry. v1.1 uses
+ * SHA-256. Forward-compat: a future bundle version may add SHA-3 or BLAKE3.
+ */
+type ExitBundleHashAlg = "sha256";
+/**
+ * One artifact entry inside the manifest. Each artifact lives at a relative
+ * path inside the bundle archive. The verifier reads the file at that path
+ * and confirms its hash. See `EXIT_BUNDLE_PATH_PATTERN` and the safe-path
+ * rules block above for the full set of constraints.
+ */
+interface ExitBundleArtifactEntry {
+    /** Coarse artifact kind. */
+    kind: ExitBundleArtifactKind;
+    /**
+     * Relative path inside the bundle, POSIX-style. MUST satisfy
+     * `EXIT_BUNDLE_PATH_PATTERN` and the safe-path rules block above.
+     * The verifier rejects any entry whose path is absolute, contains "..",
+     * contains backslashes, or duplicates another entry's path. The verifier
+     * does NOT follow symlinks or hardlinks during extraction.
+     */
+    path: string;
+    /** Hash algorithm. v1.1 ships only "sha256". */
+    hash_alg: ExitBundleHashAlg;
+    /** Hex-encoded artifact hash. */
+    hash: string;
+    /** Size in bytes. Verifier MAY independently re-size and reject on mismatch. */
+    size_bytes: number;
+    /**
+     * Optional discriminator inside the kind, e.g., "audit-receipt-2026-Q2".
+     * Verifier does not interpret this; the import command may use it to order
+     * artifacts. Same path-pattern constraints DO NOT apply to subkind, but
+     * subkind MUST NOT contain control characters.
+     */
+    subkind?: string;
+}
+/**
+ * Identity binding embedded in the manifest. Carries only public material.
+ */
+interface ExitBundleIdentityBinding {
+    /** Operator identity id. */
+    identity_id: string;
+    /** Fortress id. */
+    fortress_id: string;
+    /** Base64url-encoded Ed25519 public key of the fortress-master. */
+    fortress_master_pubkey: string;
+    /** Optional DID, when one is bound to this identity. */
+    did?: string;
+}
+/**
+ * v1 manifest body — what the operator's fortress-master signs.
+ *
+ * `signature_scheme` lives INSIDE the body deliberately so the scheme is
+ * covered by the fortress-master signature. Without this, an attacker who
+ * substituted both `signature` and `signature_scheme` on the wrapper could
+ * present a valid-looking manifest with a different scheme. Pinning the
+ * scheme inside the signed bytes makes the crypto-agility hinge non-
+ * substitutable.
+ */
+interface ExitBundleManifestBody {
+    /** Manifest version constant. */
+    manifest_version: ExitBundleManifestVersion;
+    /** ISO8601 timestamp at export time. */
+    exported_at: string;
+    /** Source fortress / operator identity binding. */
+    identity_binding: ExitBundleIdentityBinding;
+    /**
+     * Sanctuary version string at export time. Verifier surfaces version skew
+     * to the operator if the destination fortress is older.
+     */
+    source_sanctuary_version: string;
+    /** Every artifact carried in the bundle. */
+    artifacts: ExitBundleArtifactEntry[];
+    /**
+     * Aggregate hash over canonicalize(artifacts[]). Lets the verifier perform
+     * a fast sanity check before walking each entry.
+     */
+    artifacts_aggregate_hash: string;
+    /** Aggregate hash algorithm. v1.1 ships only "sha256". */
+    artifacts_aggregate_hash_alg: ExitBundleHashAlg;
+    /**
+     * Tier 1 audit-event id that captured the export approval. Consumers MAY
+     * cross-reference with the source fortress audit chain.
+     */
+    export_approval_audit_id: string;
+    /**
+     * Signature scheme covering the wrapper's `signature` field. v1.1 ships
+     * only "ed25519-v1". Embedded inside the signed body so the scheme cannot
+     * be substituted independently of the signature.
+     */
+    signature_scheme: SignatureScheme;
+}
+/**
+ * Full signed manifest. Top-level shape that ships in the bundle archive.
+ *
+ * The wrapper carries only the `signature` and a pointer to the body. The
+ * scheme that produced the signature lives inside `body.signature_scheme`,
+ * so the signature itself attests to which scheme produced it.
+ */
+interface ExitBundleManifest {
+    /** Body — what the signature covers. */
+    body: ExitBundleManifestBody;
+    /**
+     * Base64url-encoded Ed25519 signature over canonicalize(body) by the
+     * fortress-master private key. The bundle archive is otherwise unsigned;
+     * artifact integrity comes from artifact hashes inside the body. The
+     * signing scheme is `body.signature_scheme`.
+     */
+    signature: string;
+}
+/**
+ * Verifier output shape. The standalone verifier CLI emits this structure on
+ * stdout (or as JSON for tool consumers) so import commands can branch
+ * cleanly. v1.1 ships one VerifierResult shape; future versions extend.
+ */
+interface ExitBundleVerifierResult {
+    version: "1.1";
+    /** True iff manifest signature, every artifact hash, and the aggregate hash all verify. */
+    passed: boolean;
+    /** ISO8601 timestamp of verification. */
+    verified_at: string;
+    /** Reference to the verified manifest body. */
+    manifest_summary: {
+        manifest_version: ExitBundleManifestVersion;
+        fortress_id: string;
+        identity_id: string;
+        exported_at: string;
+        artifact_count: number;
+    };
+    /**
+     * Per-artifact verification result. Order matches `manifest.body.artifacts`.
+     */
+    artifact_results: Array<{
+        path: string;
+        kind: ExitBundleArtifactKind;
+        hash_passed: boolean;
+        size_passed: boolean;
+    }>;
+    /**
+     * Coarse failure-class enum, when `passed` is false. Distinct from a free-text
+     * error message so import commands can branch.
+     */
+    failure_class?: "manifest_signature_invalid" | "manifest_unknown_version" | "manifest_signature_scheme_invalid" | "artifact_hash_mismatch" | "artifact_missing" | "artifact_size_mismatch" | "aggregate_hash_mismatch" | "artifact_path_unsafe" | "artifact_path_duplicate" | "artifact_path_escapes_root" | "archive_contains_symlink" | "private_material_present" | "other";
+}
+/**
+ * Sanctuary v1.1 — local query privacy core.
+ *
+ * This module is intentionally independent of dashboard UI and transport
+ * enforcement. Enforcement paths call it with a payload, destination category,
+ * identity-bound policy, and encrypted placeholder vault; the module returns a
+ * filtered payload or a fail-closed denial plus a shared privacy audit payload.
+ */
+type PrivacyPolicyAction = "placeholder" | Extract<PrivacyAction, "allow" | "redact" | "hash" | "deny">;
+interface PrivacyPolicy {
+    version: 1;
+    policy_id: string;
+    policy_name?: string;
+    identity_id: string;
+    detector_actions?: Partial<Record<PrivacyDetectorClass, PrivacyPolicyAction>>;
+    destination_detector_actions?: Partial<Record<PrivacyDestinationCategory, Partial<Record<PrivacyDetectorClass, PrivacyPolicyAction>>>>;
+    client_names?: string[];
+    project_names?: string[];
+    domain_terms?: string[];
+    person_names?: string[];
+    placeholder_scope?: "identity" | "policy";
+    rehydration?: {
+        default_action?: "allow" | "deny";
+        allowed_destinations?: PrivacyDestinationCategory[];
+        denied_destinations?: PrivacyDestinationCategory[];
+    };
+    max_depth?: number;
+    max_payload_bytes?: number;
+    max_string_bytes?: number;
+    operator_override?: {
+        allow_on_policy_error?: boolean;
+        allow_on_filter_error?: boolean;
+        allow_on_vault_error?: boolean;
+        allow_on_detector_error?: boolean;
+    };
+    created_at: string;
+    updated_at: string;
+}
+interface PrivacyCoreFinding {
+    raw_path: string;
+    detector_class: PrivacyDetectorClass;
+    span_class: PrivacySpanClass;
+    action: PrivacyAction;
+    content_hash: string;
+    placeholder_label?: string;
+}
+interface PrivacyFilterRequest {
+    payload: unknown;
+    policy: PrivacyPolicy | null;
+    identity_id?: string;
+    agent_id: string;
+    destination_category: PrivacyDestinationCategory;
+    audit_log?: AuditLog;
+    event_id?: string;
+}
+type PrivacyFilterDecision = {
+    status: "allowed";
+    payload: unknown;
+    findings: [];
+    audit_payload: PrivacyAuditPayload;
+} | {
+    status: "filtered";
+    payload: unknown;
+    findings: PrivacyCoreFinding[];
+    audit_payload: PrivacyAuditPayload;
+} | {
+    status: "denied";
+    payload: undefined;
+    findings: PrivacyCoreFinding[];
+    audit_payload: PrivacyDeniedPayload;
+};
+interface PrivacyRehydrationRequest {
+    response: unknown;
+    policy: PrivacyPolicy | null;
+    identity_id?: string;
+    agent_id: string;
+    destination_category: PrivacyDestinationCategory;
+    audit_log?: AuditLog;
+    event_id?: string;
+}
+type PrivacyRehydrationDecision = {
+    status: "rehydrated";
+    response: unknown;
+    rehydrated_count: number;
+    unresolvable_count: number;
+    audit_payload: PrivacyAuditPayload;
+} | {
+    status: "denied";
+    response: unknown;
+    rehydrated_count: 0;
+    unresolvable_count: 0;
+    audit_payload: PrivacyDeniedPayload;
+};
+declare class LocalPrivacyEngine {
+    private vault;
+    private hmacKey;
+    constructor(vault: PrivacyPlaceholderVault, masterKey: Uint8Array);
+    filterOutbound(request: PrivacyFilterRequest): Promise<PrivacyFilterDecision>;
+    rehydrateResponse(request: PrivacyRehydrationRequest): Promise<PrivacyRehydrationDecision>;
+    private filterNode;
+    private filterString;
+    private fieldDecisionsForFindings;
+    private rehydrateNode;
+    private rehydrateString;
+    private assertPayloadWithinBounds;
+    private deniedPayload;
+    private keyedHash;
+}
 /**
  * Sanctuary MCP Server — Proxy Router
  *
@@ -2603,6 +3635,27 @@ interface ProxyRouterOptions {
     contextGateFilter?: (toolName: string, args: Record<string, unknown>) => Promise<Record<string, unknown>>;
     /** Optional call governor for runtime governance */
     governor?: CallGovernor;
+    /**
+     * Optional v1.1 remote-bound privacy enforcement.
+     *
+     * When set, every proxied tool call is routed through
+     * `engine.filterOutbound` before the upstream forward. The bound
+     * `PrivacyPolicy` is resolved per-server via `policyResolver`, and the
+     * destination category comes from the server's `destination_category`
+     * field (defaulting to `tool-api` when absent).
+     *
+     * Fail-closed semantics:
+     * - `policyResolver` returns null when no policy is bound for the server;
+     *   the privacy engine treats that as `fail_closed_no_policy` and denies.
+     * - `policyResolver` rejecting (vault unreachable, decrypt failure, etc.)
+     *   is treated as `fail_closed_filter_error` and denies.
+     * - Operator overrides on the policy (`operator_override.allow_on_*`)
+     *   are honored by the engine itself.
+     */
+    privacyEnforcement?: {
+        engine: LocalPrivacyEngine;
+        policyResolver: (server: string, identityId: string | undefined) => Promise<PrivacyPolicy | null>;
+    };
     /** Optional callback after each proxy call decision (for dashboard feed) */
     onProxyCall?: (data: {
         tool: string;
@@ -2720,6 +3773,246 @@ declare class FilesystemStorage implements StorageBackend {
     totalSize(): Promise<number>;
 }
+/**
+ * Sanctuary MCP Server — Key Derivation
+ *
+ * Two-tier key derivation:
+ * 1. Master key from passphrase via Argon2id (memory-hard, GPU-resistant)
+ * 2. Namespace keys from master key via HKDF-SHA256
+ *
+ * This ensures:
+ * - Passphrase brute-force is expensive (Argon2id)
+ * - Compromise of one namespace key doesn't expose others (HKDF domain separation)
+ */
+/** Stored key derivation parameters (for re-deriving the master key) */
+interface KeyDerivationParams {
+    /** Algorithm */
+    alg: "argon2id";
+    /** Salt (base64url) */
+    salt: string;
+    /** Memory cost in KiB */
+    m: number;
+    /** Time cost (iterations) */
+    t: number;
+    /** Parallelism */
+    p: number;
+    /** Output length in bytes */
+    l: number;
+}
+/**
+ * Sanctuary v1.1 exit-bundle export/import implementation.
+ *
+ * The public bundle is a directory containing `manifest.json` and hashed JSON
+ * artifacts. Private keys and passphrases are never emitted. Encrypted user
+ * state can be re-keyed on import when the operator supplies source key
+ * material and the destination has a signing identity.
+ */
+interface ExitEncryptedStateBundle {
+    format: "SANCTUARY_EXIT_ENCRYPTED_STATE_V1";
+    exported_at: string;
+    key_source: "passphrase" | "recovery-key" | "unknown";
+    source_key_derivation?: KeyDerivationParams;
+    namespaces: string[];
+    total_keys: number;
+    contains_reserved_namespaces: false;
+    entries: Array<{
+        namespace: string;
+        key: string;
+        entry: StateEntry;
+    }>;
+}
+interface ExitPublicIdentityArtifact {
+    bundle: {
+        format: "SANCTUARY_IDENTITY_BUNDLE_V1";
+        publicKey: string;
+        did: string;
+        identity_id: string;
+        label: string;
+        key_type: "ed25519";
+        key_protection: string;
+        rotation_history: StoredIdentity["rotation_history"];
+        exported_at: string;
+    };
+    signature: string;
+    signed_by: string;
+}
+interface ExitPolicySetArtifact {
+    format: "SANCTUARY_EXIT_POLICY_SET_V1";
+    exported_at: string;
+    principal_policy: PrincipalPolicy;
+    config_summary: {
+        version: string;
+        state: SanctuaryConfig["state"];
+        execution: SanctuaryConfig["execution"];
+        disclosure: SanctuaryConfig["disclosure"];
+        reputation: SanctuaryConfig["reputation"];
+        privacy_filter: SanctuaryConfig["privacy_filter"];
+    };
+}
+interface ExitAuditReceiptsArtifact {
+    format: "SANCTUARY_AUDIT_RECEIPTS_V1";
+    exported_at: string;
+    total: number;
+    individual_entry_signatures: false;
+    entries: AuditEntry[];
+}
+interface ExitCommitmentsArtifact {
+    format: "SANCTUARY_EXIT_COMMITMENTS_V1";
+    exported_at: string;
+    public_commitments: Array<{
+        commitment_id: string;
+        commitment: string;
+        committed_at: string;
+        revealed: boolean;
+        revealed_at?: string;
+    }>;
+    unreadable_count: number;
+    redacted_fields: ["value", "blinding_factor"];
+}
+interface ExitPlaceholderVaultMetadataArtifact {
+    format: "SANCTUARY_PLACEHOLDER_VAULT_METADATA_V1";
+    exported_at: string;
+    entries: Array<Record<string, unknown>>;
+    unreadable_count: number;
+    redacted_fields: ["raw_value", "raw_path"];
+}
+interface ExportExitBundleOptions {
+    bundleDir: string;
+    storage: StorageBackend;
+    masterKey: Uint8Array;
+    identityManager: IdentityManager;
+    auditLog: AuditLog;
+    policy: PrincipalPolicy;
+    config?: SanctuaryConfig;
+    reputationStore?: ReputationStore;
+    stateStoragePath?: string;
+    stateNamespaces?: string[];
+    keySource?: "passphrase" | "recovery-key" | "unknown";
+    /**
+     * When the export is gated by a Tier 1 approval flow (e.g. the hub's
+     * fortress-scope export endpoint), the caller supplies the approval's
+     * audit id here. The value is embedded in the manifest's
+     * `export_approval_audit_id` field and as the `approval_id` of the L1
+     * "exit_bundle_export" audit entry, tying the manifest to the operator's
+     * actual approval rather than an internally-generated id (v1.0.2 (j)).
+     * When omitted, the export self-generates an id.
+     */
+    exportApprovalAuditId?: string;
+}
+interface ExportExitBundleResult {
+    bundle_dir: string;
+    manifest: ExitBundleManifest;
+    manifest_hash: string;
+    artifact_count: number;
+    unsupported_artifacts: string[];
+}
+interface ImportExitBundleOptions {
+    bundleDir: string;
+    storage: StorageBackend;
+    masterKey: Uint8Array;
+    identityManager: IdentityManager;
+    auditLog: AuditLog;
+    reputationStore?: ReputationStore;
+    activate?: boolean;
+    conflictResolution?: "skip" | "overwrite" | "version";
+    sourcePassphrase?: string;
+    sourceRecoveryKey?: string;
+    sourceMasterKey?: Uint8Array;
+    destinationSignerIdentityId?: string;
+}
+interface ExitBundleConflictReport {
+    public_identity_exists: boolean;
+    state_conflicts: Array<{
+        namespace: string;
+        key: string;
+    }>;
+    reputation_conflicts: string[];
+    policy_set_exists: boolean;
+    audit_receipts_exist: boolean;
+}
+interface ImportExitBundleResult {
+    verified: boolean;
+    activated: boolean;
+    conflicts: ExitBundleConflictReport;
+    state: {
+        status: "not_requested" | "rekeyed" | "staged_requires_source_key" | "skipped_no_destination_signer";
+        imported_keys: number;
+        skipped_keys: number;
+        skipped_invalid_sig: number;
+        skipped_unknown_kid: number;
+        conflicts: number;
+    };
+    reputation: {
+        imported_attestations: number;
+        invalid_attestations: number;
+        unverifiable_attestations: number;
+    };
+    staged_artifacts: string[];
+    warnings: string[];
+    unsupported_artifacts: string[];
+}
+declare function exportExitBundle(opts: ExportExitBundleOptions): Promise<ExportExitBundleResult>;
+declare function importExitBundle(opts: ImportExitBundleOptions): Promise<ImportExitBundleResult>;
+declare function exitBundleManifestShape(): Record<string, unknown>;
+/**
+ * Sanctuary v1.1 exit-bundle verifier.
+ *
+ * Verifies the signed SANCTUARY_EXIT_BUNDLE_V1 manifest, every artifact hash,
+ * and the exported identity / reputation signatures that are independently
+ * verifiable from public material in the bundle.
+ */
+interface ExitBundleDetailedVerifierResult extends ExitBundleVerifierResult {
+    manifest_path: string;
+    manifest_hash: string | null;
+    warnings: string[];
+    unsupported_artifacts: string[];
+    identity?: {
+        signature_valid: boolean;
+        identity_id?: string;
+        did?: string;
+    };
+    audit?: {
+        receipt_count: number;
+        individual_signatures_verified: boolean;
+    };
+    reputation?: {
+        bundle_signature_valid: boolean | "unverifiable";
+        attestation_count: number;
+        verified_attestations: number;
+        invalid_attestations: number;
+        unverifiable_attestations: number;
+    };
+}
+interface LoadedExitArtifact<T = unknown> {
+    entry: ExitBundleArtifactEntry;
+    path: string;
+    json: T;
+    bytes: Uint8Array;
+}
+declare function readManifest(bundleDir: string): Promise<ExitBundleManifest>;
+declare function loadExitArtifact<T = unknown>(bundleDir: string, manifest: ExitBundleManifest, kind: ExitBundleArtifactKind): Promise<LoadedExitArtifact<T> | null>;
+declare function verifyExitBundle(bundleDir: string): Promise<ExitBundleDetailedVerifierResult>;
+/**
+ * `sanctuary exit` CLI.
+ *
+ * Operator-facing export/import/verifier path for SANCTUARY_EXIT_BUNDLE_V1.
+ * Dashboard wizard work consumes the same module APIs later.
+ */
+interface ExitCommandArgs {
+    argv: string[];
+    out?: Writable;
+    err?: Writable;
+    stdin?: NodeJS.ReadableStream;
+    env?: NodeJS.ProcessEnv;
+}
+declare function runExitCommand(args: ExitCommandArgs): Promise<number>;
 /**
  * Sanctuary MCP Server — Principal Policy Loader
  *
@@ -2806,6 +4099,412 @@ interface SHRGeneratorOptions {
  */
 declare function generateSHR(identityId: string | undefined, opts: SHRGeneratorOptions): SignedSHR | string;
+/**
+ * Sanctuary v1.1 Operator Hub API Constants
+ *
+ * Routes, prefixes, and small enums shared across the hub modules.
+ * The hub API surface is consumed by the v1.1 dashboard UI (Prompt 8).
+ *
+ * Local-only invariant:
+ * Every route here describes activity inside a single fortress on a single
+ * operator's machine. Cross-fortress, fleet, and public-federation routes
+ * are out of scope.
+ */
+/**
+ * Inbox-resolve actions. The router rejects any other action token.
+ */
+declare const HUB_INBOX_ACTIONS: readonly ["approve", "deny", "dismiss"];
+type HubInboxAction = (typeof HUB_INBOX_ACTIONS)[number];
+/**
+ * Agent-control actions surfaced by `POST /api/hub/agents/:id/:action`.
+ *
+ * `pause` / `resume` / `restart` are control-plane operations that the
+ * underlying harness may execute immediately; they are not Tier 1.
+ *
+ * `unwrap` and `lockdown` are Tier 1 operations per the Principal Policy
+ * loader. Hub endpoints for these MUST enqueue an `approval_pending` inbox
+ * item rather than execute directly. Tier 1 approval gates remain in force
+ * from the dashboard. The dashboard never auto-approves Tier 1 work.
+ */
+declare const HUB_AGENT_CONTROL_ACTIONS: readonly ["pause", "resume", "restart", "unwrap", "lockdown"];
+type HubAgentControlAction = (typeof HUB_AGENT_CONTROL_ACTIONS)[number];
+/** Channel-template identifiers per Walkthrough Key 10 LOCKED starter set. */
+declare const CHANNEL_TEMPLATE_IDS: readonly ["read-outputs-only", "bidirectional-sync", "credential-share-scoped", "plan-inspect-read-only", "escrow-handoff"];
+type ChannelTemplateId = (typeof CHANNEL_TEMPLATE_IDS)[number];
+/**
+ * Sanctuary v1.1. Operator Hub API Types
+ *
+ * Service-deps shapes + small payload types not already defined in the
+ * v1.1 contracts. The contract surface (HubInboxItem, LocalAgentRecord,
+ * HubActivityFeedEntry, HubAgentStatusSnapshot) is the source of truth for
+ * everything that crosses the API boundary; types in this file are
+ * implementation glue.
+ */
+/**
+ * Result returned from a synchronous (non-Tier-1) agent control action.
+ */
+interface HubAgentControlResult {
+    agent_id: string;
+    prior_status: HubAgentStatus;
+    new_status: HubAgentStatus;
+    applied_at: string;
+}
+/**
+ * Result returned from a Tier-1 agent control action that has been
+ * deferred to operator approval. The hub returns the inbox item id so the
+ * caller can poll or subscribe; nothing executes until the operator
+ * resolves the inbox item.
+ */
+interface HubTier1ApprovalEnqueuedResult {
+    agent_id: string;
+    inbox_item_id: string;
+    status: "approval_pending";
+    /**
+     * Same enum as
+     * `HubApprovalPendingItem.operation_category`. Surfaced separately so
+     * non-inbox callers (CLI scripts, test harnesses) can act on the
+     * category without a second fetch.
+     */
+    operation_category: HubApprovalPendingItem["operation_category"];
+}
+/**
+ * Result returned from a fortress-scope Tier-1 action that has been
+ * deferred to operator approval. Distinguished from the per-agent shape by
+ * the absence of `agent_id` and the presence of `fortress_scope: true`.
+ * The Tier 1 handler iterates fortress-wide on approval; nothing executes
+ * until the operator resolves the inbox item.
+ */
+interface HubTier1FortressApprovalEnqueuedResult {
+    inbox_item_id: string;
+    status: "approval_pending";
+    operation_category: HubApprovalPendingItem["operation_category"];
+    /** Always true. Distinguishes from the per-agent shape. */
+    fortress_scope: true;
+}
+/**
+ * Result returned from `fortressExportBundle` after a fortress-scope
+ * exit-bundle export approval lands. Surfaced both in the inbox item's
+ * `resolution_payload` and (separately) in an activity feed entry.
+ */
+interface HubFortressExportResult {
+    bundle_dir: string;
+    manifest_hash: string;
+    artifact_count: number;
+}
+/**
+ * Generic capability check delegated to the underlying harness controller.
+ * The hub never performs the harness-side action itself; it asks the
+ * controller to apply a transition and reports the new status back.
+ *
+ * Each callback returns the agent's new status after the action lands.
+ * The controller MUST throw if it cannot apply the action; the hub maps
+ * those throws to HubCapabilityError or HubConflictError.
+ */
+interface HubAgentController {
+    pause(agentId: string): Promise<HubAgentStatus>;
+    resume(agentId: string): Promise<HubAgentStatus>;
+    restart(agentId: string): Promise<HubAgentStatus>;
+    /**
+     * Apply an operator-approved unwrap. Called only after a Tier 1
+     * approval lands through the inbox flow. Implementations SHOULD treat
+     * unwrap as durable (cocoon teardown + registry deregister).
+     */
+    unwrap(agentId: string): Promise<HubAgentStatus>;
+    /**
+     * Apply an operator-approved lockdown. Called only after a Tier 1
+     * approval lands. Implementations SHOULD treat lockdown as a hard-stop
+     * (deny all egress, freeze gates) until explicitly cleared.
+     */
+    lockdown(agentId: string): Promise<HubAgentStatus>;
+    /**
+     * Apply an operator-approved policy bind. Called only after a Tier 1
+     * approval lands.
+     */
+    bindPolicy(agentId: string, policyId: string): Promise<void>;
+    /**
+     * Apply a non-Tier-1 channel-template binding. Channel templates are
+     * compositions over the canonical four slots; binding does not require
+     * Tier 1 approval at v1.1.
+     */
+    bindChannelTemplate(agentId: string, templateId: ChannelTemplateId): Promise<void>;
+}
+/**
+ * Source-side input shapes the inbox aggregator pulls from. Each callback
+ * returns recent occurrences pre-shaped as the underlying contract type;
+ * the aggregator wraps them into HubInboxItem header form.
+ *
+ * Source callbacks are deliberately narrow; the hub does not know how to
+ * compute privacy events or budget thresholds. Other workstreams own those
+ * computations and feed them in through these callbacks.
+ */
+interface HubInboxSources {
+    /**
+     * Currently unresolved Tier 1 / Tier 2 approval requests. Items already
+     * in the hub-side inbox store are deduplicated by `item_id` against these.
+     */
+    listPendingApprovals: () => HubApprovalPendingItem[];
+    /**
+     * Recent egress denials. The hub surfaces each as a blocked-egress inbox
+     * card. The caller is responsible for trimming to the recent window.
+     */
+    listRecentBlockedEgress: () => HubBlockedEgressItem[];
+    /**
+     * Recent privacy events the operator should attend to. The hub does NOT
+     * surface every privacy event; it surfaces the ones that the privacy
+     * core has already promoted to operator attention (denied, error, plus
+     * filtered events flagged by the bound policy).
+     */
+    listRecentPrivacyEvents: () => HubPrivacyEventItem[];
+    /**
+     * Active budget warnings (soft-warn or hard-cap). Closed warnings are
+     * not returned.
+     */
+    listActiveBudgetWarnings: () => HubBudgetWarningItem[];
+    /**
+     * Active recovery prompts (passphrase reset due, exit drill recommended,
+     * keychain rebind required, etc.).
+     */
+    listActiveRecoveryPrompts: () => HubRecoveryPromptItem[];
+    /**
+     * Recent agent-error events.
+     */
+    listRecentAgentErrors: () => HubAgentErrorItem[];
+}
+interface HubActivitySources {
+    /**
+     * Underlying audit log the activity feed projects from.
+     */
+    auditLog: AuditLog;
+    /**
+     * Identity id the dashboard is currently scoped to. Activity entries are
+     * filtered to this identity; v1.1 is single-operator; the parameter is
+     * here so v1.2 can scope per-identity without breaking the API.
+     */
+    identityId: string;
+}
+/**
+ * Lightweight summary of a bound policy. Suitable for UI cards. Raw policy
+ * bytes never appear here.
+ */
+interface HubPolicySummary {
+    policy_id: string;
+    display_label: string;
+    /** ISO8601 timestamp the policy was bound. */
+    bound_at: string;
+    /** Number of agents currently bound to this policy. */
+    agent_count: number;
+    /** Channel template id the policy was compiled from, if applicable. */
+    channel_template_id?: ChannelTemplateId;
+}
+/**
+ * Lightweight summary of a budget bucket. Suitable for UI cards.
+ */
+interface HubBudgetSummary {
+    bucket_id: string;
+    /** Display label drawn from the policy compile step. */
+    display_label: string;
+    unit: string;
+    cap: number;
+    used: number;
+    /** Soft-warn threshold fraction (0..1). */
+    soft_warn?: number;
+    /** ISO8601 timestamp of last refresh. */
+    last_refreshed_at: string;
+}
+interface HubPolicyAndBudgetSources {
+    listPolicySummaries: () => HubPolicySummary[];
+    listBudgetSummaries: () => HubBudgetSummary[];
+}
+/**
+ * Read interface for the local agent registry. The hub does not invent
+ * agent records; it pulls them from this source. Backend implementations
+ * may persist records to disk or recompute them per call.
+ */
+interface HubAgentRegistrySource {
+    list(filter?: LocalAgentRegistryFilter): LocalAgentRecord[];
+    get(agentId: string): LocalAgentRecord | null;
+    /**
+     * Update a single field on a record. The hub uses this to flip status
+     * after a synchronous control action lands. Returns the updated record;
+     * throws if the agent does not exist.
+     */
+    updateStatus(agentId: string, status: HubAgentStatus, statusReasonClass?: LocalAgentRecord["status_reason_class"]): LocalAgentRecord;
+    /**
+     * Bind a different policy on a record. Used after an approved Tier 1
+     * policy_change action lands.
+     */
+    updatePolicyBinding(agentId: string, policyId: string): LocalAgentRecord;
+    /**
+     * Bind a different channel template on a record. Non-Tier-1.
+     */
+    updateChannelTemplateBinding(agentId: string, templateId: ChannelTemplateId): LocalAgentRecord;
+}
+interface HubServiceDeps {
+    /** Operator identity id this hub is scoped to. */
+    identityId: string;
+    /** Stable fortress id. */
+    fortressId: string;
+    /** Local agent registry source. */
+    agentRegistry: HubAgentRegistrySource;
+    /** Inbox aggregation sources. */
+    inboxSources: HubInboxSources;
+    /** Activity feed sources. */
+    activitySources: HubActivitySources;
+    /** Policy + budget summary sources. */
+    policyBudgetSources: HubPolicyAndBudgetSources;
+    /** Underlying agent controller for control endpoints. */
+    agentController: HubAgentController;
+    /**
+     * Optional fortress-scope exit-bundle export callback. Invoked only
+     * after a fortress-scope Tier 1 approval lands. The callback owns its
+     * own dependency wiring (storage, masterKey, identityManager, auditLog,
+     * policy, reputationStore, state namespaces); the hub layer remains
+     * crypto-agnostic. When omitted, the fortress export endpoint returns
+     * `HubCapabilityError`.
+     *
+     * The hub passes the inbox item's id as `approvalAuditId` so the
+     * callback can thread it into `exportExitBundle({ exportApprovalAuditId })`,
+     * tying the manifest's `export_approval_audit_id` to the operator's
+     * actual approval flow rather than an internally-generated value
+     * (closes v1.0.2 backlog item (j)). The argument is optional for
+     * backwards compatibility with existing callbacks.
+     */
+    fortressExportBundle?: (approvalAuditId?: string) => Promise<HubFortressExportResult>;
+    /**
+     * Clock override for deterministic timestamp emission in tests.
+     * Defaults to `() => new Date()` when omitted.
+     */
+    now?: () => Date;
+}
+/**
+ * Sanctuary v1.1. Operator Hub Service
+ *
+ * Public API the router calls. Owns no domain logic: it composes the
+ * agent registry source, the inbox aggregator + store, the activity feed
+ * projection, and the agent controller.
+ *
+ * Tier 1 enforcement contract:
+ * Hub control endpoints for `unwrap`, `lockdown`, and `policy_change` MUST
+ * NOT execute synchronously. The hub enqueues an `approval_pending` inbox
+ * item carrying the operation_category and binds the controller call to
+ * the inbox-store resolution handler. Only operator approval through the
+ * inbox path causes the controller call to fire. The dashboard never
+ * auto-approves Tier 1 work.
+ */
+declare class HubService {
+    private deps;
+    private inboxStore;
+    constructor(deps: HubServiceDeps);
+    private now;
+    private nowIso;
+    listInbox(): HubInboxItem[];
+    resolveInboxItem(itemId: string, action: HubInboxAction): Promise<HubInboxItem>;
+    listAgents(filter?: LocalAgentRegistryFilter): LocalAgentRecord[];
+    getAgent(agentId: string): LocalAgentRecord;
+    getAgentStatusSnapshot(agentId: string): HubAgentStatusSnapshot;
+    controlAgent(agentId: string, action: HubAgentControlAction): Promise<HubAgentControlResult | HubTier1ApprovalEnqueuedResult>;
+    /**
+     * Capability gate. Returns silently when the action is supported by the
+     * harness; throws HubCapabilityError when not.
+     */
+    private assertCapability;
+    /**
+     * Build a Tier 1 inbox item for an unwrap/lockdown/policy_change action
+     * and bind the controller call to its resolution.
+     */
+    private enqueueTier1ControlAction;
+    /**
+     * Bind a different policy on an agent. Tier 1: enqueues an approval
+     * pending inbox item rather than executing synchronously.
+     */
+    bindAgentPolicy(agentId: string, policyId: string): HubTier1ApprovalEnqueuedResult;
+    /**
+     * Bind a different channel template. Not Tier 1; channel templates are
+     * compositions over the four canonical slots and bind synchronously.
+     */
+    bindAgentChannelTemplate(agentId: string, rawTemplateId: unknown): Promise<LocalAgentRecord>;
+    /**
+     * Enqueue a fortress-scope Tier 1 lockdown. One inbox item is created;
+     * on operator approval the handler iterates `agentController.lockdown`
+     * over every wrapped agent for the bound identity, captures partial
+     * failures as per-agent `agent_error` inbox items, and emits a single
+     * `lifecycle` activity entry. Stacked fortress lockdowns are rejected
+     * with `HubConflictError` until the prior pending item resolves.
+     */
+    enqueueFortressLockdown(): HubTier1FortressApprovalEnqueuedResult;
+    /**
+     * Enqueue a fortress-scope Tier 1 exit-bundle export. One inbox item is
+     * created; on operator approval the handler invokes
+     * `fortressExportBundle()` once at fortress scope, attaches
+     * `bundle_dir` + `manifest_hash` + `artifact_count` to the inbox item's
+     * `resolution_payload`, and emits a `lifecycle` activity entry.
+     * Stacked exports are rejected with `HubConflictError`.
+     */
+    enqueueFortressExportBundle(): HubTier1FortressApprovalEnqueuedResult;
+    /**
+     * Reject stacked fortress-scope Tier 1 items. The check scans the inbox
+     * store for an unresolved `approval_pending` item with the same
+     * `operation_category` and no `agent_id` (the fortress-scope marker).
+     */
+    private assertNoPendingFortressTier1;
+    listActivity(filter: {
+        since?: string;
+        limit?: number;
+        agent_id?: string;
+        category?: HubActivityFeedEntry["category"];
+    }): Promise<HubActivityFeedEntry[]>;
+    listPolicySummaries(): HubPolicySummary[];
+    listBudgetSummaries(): HubBudgetSummary[];
+    /**
+     * Validate that a caller-supplied filter does not request cross-fortress
+     * scope; v1.1 hub is single-fortress; the filter rejects fortress-bridging
+     * fields outright; v1.3 federation will introduce an alternate surface.
+     */
+    static assertLocalOnlyFilter(filter: Record<string, unknown> | null): void;
+    /**
+     * Test/inspection helper. Not part of the public service surface.
+     */
+    inboxStoreSize(): number;
+}
+/**
+ * v1.1 Server Wiring (v1.1.1 hotfix)
+ *
+ * v1.1.0 shipped the v1.1 module suite (dashboard / hub API / exit bundle
+ * endpoints / coordination) but no entry-point server imported any of it.
+ * This module builds the canonical HubService construction the dashboard
+ * entry points share so the routes light up at boot without forcing each
+ * caller to know the deps shape.
+ *
+ * The wiring is deliberately minimal at v1.1.1:
+ *
+ *   - Local agent registry starts empty. v1.2 will populate it from
+ *     `discoverTenants()` and the wrapped harness manifest. v1.1.1 ships
+ *     the API surface so existing operator scripts can hit it; the data
+ *     plane is the next conversation.
+ *   - Inbox sources return empty arrays. The privacy chokepoint already
+ *     emits audit events through PR #69 / PR #71; the inbox aggregator is
+ *     the v1.2 work to project those into operator cards.
+ *   - Activity feed reads from the real audit log. This is the one source
+ *     that's already complete in v1.1.0 and just needs to be plugged in.
+ *   - Agent controller errors on every action. v1.1.1 cannot honestly
+ *     pause / unwrap / lockdown anything because no agent registry yet
+ *     exists; the wiring returns `HubCapabilityError` rather than lying
+ *     about what shipped.
+ */
+interface V11Bindings {
+    hubService: HubService;
+    identityId: string;
+    fortressId: string;
+}
 /**
  * Sanctuary MCP Server — Principal Dashboard
  *
@@ -2889,6 +4588,12 @@ declare class DashboardApprovalChannel implements ApprovalChannel {
      * policy change.
      */
     private _autoAuthLocalhost;
+    /**
+     * v1.1 routes (dashboard HTML at /v1.1, hub API at /api/hub/*) are
+     * mounted additively when set. Legacy routes at / continue to serve
+     * regardless. Default route flip is deferred to v1.2.
+     */
+    private v11Bindings;
     constructor(config: DashboardConfig);
     /**
      * Inject dependencies after construction.
@@ -2910,6 +4615,26 @@ declare class DashboardApprovalChannel implements ApprovalChannel {
      * Exposed via /api/status so the frontend can show an appropriate banner.
      */
     setStandaloneMode(standalone: boolean): void;
+    /**
+     * v1.1.1 hotfix: bind the v1.1 dashboard + hub API to this dashboard
+     * instance. After binding, requests to `/v1.1` serve the v1.1 HTML and
+     * requests under `/api/hub/*` route through the hub API. Legacy routes
+     * at `/` and `/api/*` keep their pre-v1.1 behavior (additive mount).
+     *
+     * Pass `null` to detach the bindings (used by tests and during shutdown).
+     */
+    setV11Bindings(bindings: V11Bindings | null): void;
+    /**
+     * v1.1 dispatch entry point. Called from `handleRequest` before the
+     * legacy route table. Returns true when the request was served by v1.1
+     * routes; false to fall through to legacy routing.
+     *
+     * Auth gating: the v1.1 dashboard HTML is served unconditionally (the
+     * client script handles its own auth dance). Hub API routes run through
+     * the same auth contract as legacy `/api/*` routes via the AuthConfig
+     * passed to `handleHubRoute`.
+     */
+    private dispatchV11;
     /**
      * v0.10.2: enable (or disable) the loopback auto-auth fast path. See
      * {@link _autoAuthLocalhost} for the rationale and threat model. Callers
@@ -2985,6 +4710,7 @@ declare class DashboardApprovalChannel implements ApprovalChannel {
      */
     private pruneRateLimits;
     private handleRequest;
+    private handleLegacyRequest;
     /**
      * SEC-012: Exchange a long-lived auth token (in Authorization header)
      * for a short-lived session ID. The session ID can be used in URL
@@ -3631,6 +5357,12 @@ interface UpstreamServerStatus {
     tool_count: number;
     error?: string;
 }
+interface PrivacySummary {
+    filtered_events: number;
+    filtered_spans: number;
+    classes: Record<string, number>;
+    last_filtered_at: string | null;
+}
 interface ProtectionSnapshot {
     overall: {
         status: OverallStatus;
@@ -3647,6 +5379,7 @@ interface ProtectionSnapshot {
     activity: ActivityEntry[];
     pending_approvals: PendingApproval[];
     audit: AuditEntry[];
+    privacy: PrivacySummary;
     upstream_servers: UpstreamServerStatus[];
     mode: "co-located" | "standalone";
     server_version: string;
@@ -3700,8 +5433,19 @@ interface ApprovalHandlers {
     allow: (id: string) => Promise<boolean>;
     deny: (id: string) => Promise<boolean>;
 }
+/**
+ * SSE event taxonomy.
+ *
+ * v1.0 event names: `snapshot` (initial hydration), `activity` (audit feed
+ * append), `approval` (pending approval surfaced).
+ *
+ * v1.1 added: `inbox` (HubInboxItem replace-or-prepend by item_id) and
+ * `agent_status` (HubAgentStatusSnapshot replace by agent_id). The hub
+ * service emits these via the existing `publish` interface; the producer
+ * wires every name verbatim through `event: <type>` SSE frames.
+ */
 interface StreamEvent {
-    type: "snapshot" | "activity" | "approval";
+    type: "snapshot" | "activity" | "approval" | "inbox" | "agent_status";
     data: unknown;
 }
@@ -3739,6 +5483,18 @@ interface DashboardHandle {
     publishActivity: (entry: ActivityEntry) => void;
     /** Push a new pending approval (already added by the approval channel). */
     publishApproval: (approval: PendingApproval) => void;
+    /**
+     * Push a v1.1 hub inbox item update. Producers (HubService) call this
+     * on inbox writes (Tier 1 enqueue, Tier 1 resolve, source-pulled item
+     * surfaced). Consumers replace-or-prepend by `item_id`.
+     */
+    publishInbox: (item: unknown) => void;
+    /**
+     * Push a v1.1 per-agent status update. Producers call this when the
+     * agent registry's `updateStatus` transitions. Consumers replace by
+     * `agent_id`.
+     */
+    publishAgentStatus: (snapshot: unknown) => void;
 }
 declare function startDashboardServer(options: DashboardServerOptions): Promise<DashboardHandle>;
@@ -3835,4 +5591,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
-export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, initiateHandshake, listTemplateIds, loadConfig, loadPrincipalPolicy, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type ExitAuditReceiptsArtifact, type ExitBundleDetailedVerifierResult, type ExitCommandArgs, type ExitCommitmentsArtifact, type ExitEncryptedStateBundle, type ExitPlaceholderVaultMetadataArtifact, type ExitPolicySetArtifact, type ExitPublicIdentityArtifact, type ExportExitBundleOptions, type ExportExitBundleResult, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, type ImportExitBundleOptions, type ImportExitBundleResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, type LoadedExitArtifact, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };