npm - @sanctuary-framework/mcp-server - Versions diffs - 1.1.0 → 1.1.2 - Mend

@sanctuary-framework/mcp-server 1.1.0 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -2204,6 +2204,21 @@ type PrivacyAction = (typeof PRIVACY_ACTIONS)[number];
  */
 declare const PRIVACY_HASH_ALGS: readonly ["hmac-sha256-fortress-keyed-v1"];
 type PrivacyHashAlg = (typeof PRIVACY_HASH_ALGS)[number];
+/**
+ * Hub inbox item kinds. Hub API and dashboard consume the same enum so the
+ * unified inbox renders without inventing new categories per surface.
+ */
+declare const HUB_INBOX_KINDS: readonly ["approval_pending", "blocked_egress", "privacy_event", "budget_warning", "recovery_prompt", "agent_error"];
+type HubInboxKind = (typeof HUB_INBOX_KINDS)[number];
+/**
+ * Agent lifecycle states surfaced to the operator hub.
+ *
+ * Underlying harness capability dictates which transitions are reachable; the
+ * hub API surfaces unsupported transitions as "not_supported" rather than
+ * faking them.
+ */
+declare const HUB_AGENT_STATUSES: readonly ["active", "paused", "restarting", "locked_down", "unwrapping", "error", "unknown"];
+type HubAgentStatus = (typeof HUB_AGENT_STATUSES)[number];
 /**
  * Exit-bundle manifest version. v1 is the only valid value at v1.1 ship.
  * v1.x bumps require coordinator-approved manifest amendment.
@@ -2909,6 +2924,410 @@ interface PrivacyRehydratedPayload extends PrivacyAuditPayloadHeader {
  */
 type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | PrivacyDeniedPayload | PrivacyErrorPayload | PrivacyRehydratedPayload;
+/**
+ * Sanctuary v1.1 — Operator Hub Event Contracts
+ *
+ * Shared shapes for the unified inbox, the activity feed, and the per-agent
+ * status panels. The operator hub API workstream (Prompt 5) emits these; the
+ * dashboard UI workstream (Prompt 8) consumes them. v1.2 mobile companion
+ * planning will evaluate these shapes when it scopes a phone surface, but
+ * v1.1 does not commit to mobile compatibility — these contracts are
+ * tuned for the local dashboard surface only.
+ *
+ * Local-only invariant:
+ * Every event in this file describes activity inside a single fortress on a
+ * single operator's machine. Cross-fortress, fleet, and public-federation
+ * events are out of scope.
+ *
+ * Safe-metadata invariant:
+ * No raw sensitive content in any field. Inbox cards may carry display titles
+ * and subtitles, but those titles MUST be derived from policy templates and
+ * MUST NOT contain raw query text, tool args, filenames, client names,
+ * passphrases, or secrets.
+ */
+/**
+ * Allowed value space for `display_template_args`. Only safe primitives plus
+ * a small enumerated value set are permitted. Free-form strings ARE NOT
+ * accepted; the dashboard rejects rendering on any value outside this union.
+ *
+ * The renderer treats every value as data to interpolate into a fixed
+ * template registered under `template_id` — never as raw content. This
+ * defends against secrets, query text, file paths, and client names leaking
+ * into inbox cards via stringly-typed display fields.
+ */
+type HubDisplayTemplateArg = {
+    kind: "agent_id";
+    value: string;
+} | {
+    kind: "identity_id";
+    value: string;
+} | {
+    kind: "policy_id";
+    value: string;
+} | {
+    kind: "destination_category";
+    value: PrivacyDestinationCategory;
+} | {
+    kind: "tier";
+    value: "tier1" | "tier2" | "tier3";
+} | {
+    kind: "count";
+    value: number;
+} | {
+    kind: "iso8601";
+    value: string;
+} | {
+    kind: "duration_ms";
+    value: number;
+};
+/**
+ * Common header on every v1.1 hub inbox item.
+ *
+ * Display rendering uses a `template_id` plus typed args, NOT free-form
+ * strings. The dashboard owns the template registry; backends only emit the
+ * id and the args. This makes secret-leakage into inbox copy structurally
+ * impossible: a backend cannot smuggle raw query content into a card by
+ * accident, because there is no free-text channel.
+ */
+interface HubInboxItemHeader {
+    /** v1.1 event-shape version. */
+    version: "1.1";
+    /** Stable inbox-item id. SHOULD reference an audit-chain id where applicable. */
+    item_id: string;
+    /** Inbox kind discriminator. */
+    kind: HubInboxKind;
+    /** ISO8601 timestamp the item was created. */
+    created_at: string;
+    /** Wrapped agent id this item refers to, if applicable. */
+    agent_id?: string;
+    /** Operator identity id. */
+    identity_id: string;
+    /**
+     * Display template id. Resolved by the dashboard against a registered
+     * template catalog; the catalog owns the actual render strings. Backends
+     * MUST NOT emit raw display copy. Template id space is namespaced per
+     * inbox kind, e.g., "approval_pending.tier1.export".
+     */
+    display_template_id: string;
+    /**
+     * Typed args interpolated into the template. Every value MUST be a
+     * `HubDisplayTemplateArg` instance — no free-form strings. Renderers
+     * reject any arg outside this union, which structurally blocks secret
+     * leakage via inbox copy.
+     */
+    display_template_args: HubDisplayTemplateArg[];
+    /** Whether the operator has resolved this inbox item. */
+    resolved: boolean;
+    /** ISO8601 timestamp of resolution, if resolved. */
+    resolved_at?: string;
+}
+/**
+ * A pending Tier 1 or Tier 2 approval surfaced to the operator inbox.
+ */
+interface HubApprovalPendingItem extends HubInboxItemHeader {
+    kind: "approval_pending";
+    /** Policy tier the underlying operation falls under. */
+    tier: "tier1" | "tier2";
+    /**
+     * Coarse operation category. Stable enum so the UI can group consistently;
+     * does not reveal underlying tool args. Names align with the canonical
+     * Tier 1 / Tier 2 sets in `server/src/principal-policy/loader.ts`. Names
+     * NOT in the canonical loader (e.g., `exit_bundle_export`, `policy_change`,
+     * `lockdown`, `unwrap`) are v1.1-new and MUST be added to the loader's
+     * Tier 1 set in the same PR that lands their behavior. Drift is a release
+     * blocker.
+     */
+    operation_category: "state_export" | "state_import" | "state_delete" | "identity_rotate" | "reputation_export" | "reputation_import" | "sanctuary_export_identity_bundle" | "exit_bundle_export" | "exit_bundle_import" | "exit_bundle_rekey" | "policy_change" | "lockdown" | "unwrap" | "other";
+    /** ISO8601 deadline after which the request will be auto-denied if applicable. */
+    deadline?: string;
+    /**
+     * Result fields surfaced after the Tier 1 handler runs. Empty until
+     * resolution. Populated for fortress-scope `exit_bundle_export` so the
+     * dashboard exit-drill page can advance the wizard from the inbox
+     * resolution alone, without round-tripping through the activity feed.
+     * Per-agent items leave it undefined. Producers MUST keep field values
+     * to safe metadata only (paths and hex hashes); raw secrets MUST NOT
+     * appear here.
+     */
+    resolution_payload?: {
+        bundle_dir?: string;
+        manifest_hash?: string;
+        artifact_count?: number;
+    };
+}
+/**
+ * Outbound traffic was blocked by the egress policy or the privacy filter.
+ */
+interface HubBlockedEgressItem extends HubInboxItemHeader {
+    kind: "blocked_egress";
+    /**
+     * Destination category. Same enum as the privacy filter so unified inbox,
+     * privacy panel, and egress dashboards group consistently. Drift is a
+     * release blocker.
+     */
+    destination_category: PrivacyDestinationCategory;
+    /**
+     * Why the egress was blocked. Coarse enum, not free text. Specific policy
+     * rule names are NOT revealed.
+     */
+    block_reason_class: "egress_policy_deny" | "budget_exceeded" | "privacy_fail_closed" | "privacy_deny_rule" | "lockdown_active" | "other";
+}
+/**
+ * A privacy event surfaced to the inbox. References the underlying privacy
+ * event id; the inbox card is a thin pointer, not a duplicate of the event.
+ */
+interface HubPrivacyEventItem extends HubInboxItemHeader {
+    kind: "privacy_event";
+    /** Foreign key into the privacy-event chain. */
+    privacy_event_id: string;
+    /** Privacy event kind. */
+    privacy_event_kind: "filtered" | "allowed" | "denied" | "error" | "rehydrated";
+}
+/**
+ * A budget threshold was crossed.
+ */
+interface HubBudgetWarningItem extends HubInboxItemHeader {
+    kind: "budget_warning";
+    /** Budget bucket identifier (daily / monthly / per-agent / custom). */
+    bucket: "daily" | "monthly" | "per_agent" | "custom";
+    /** Soft-warn or hard-cap. Hard-cap usually requires operator unblock. */
+    severity: "soft_warn" | "hard_cap";
+    /** Percentage of budget used at event time. 0..1. */
+    used_fraction: number;
+}
+/**
+ * Recovery prompt — operator should run a recovery flow (passphrase reset,
+ * keychain rebind, exit drill, etc.).
+ */
+interface HubRecoveryPromptItem extends HubInboxItemHeader {
+    kind: "recovery_prompt";
+    /** Coarse recovery class. */
+    recovery_class: "passphrase_reset" | "keychain_rebind" | "config_backup_restore" | "exit_drill" | "other";
+}
+/**
+ * Agent reported an internal error.
+ */
+interface HubAgentErrorItem extends HubInboxItemHeader {
+    kind: "agent_error";
+    /** Stable error code class. Implementation-specific catalog. */
+    error_class: string;
+    /** Whether the agent is still serving traffic after the error. */
+    agent_still_active: boolean;
+}
+/**
+ * Discriminated union of every v1.1 hub inbox item.
+ */
+type HubInboxItem = HubApprovalPendingItem | HubBlockedEgressItem | HubPrivacyEventItem | HubBudgetWarningItem | HubRecoveryPromptItem | HubAgentErrorItem;
+/**
+ * Activity feed entry. The feed is a flat stream backed by the audit chain;
+ * inbox items often reference a feed entry, but feed entries are not always
+ * inbox items.
+ *
+ * Activity feed entries are read-from-storage projections of audit-chain
+ * entries. They are NOT signed envelopes themselves; integrity derives from
+ * the underlying audit entry. Consumers that need to verify the feed entry
+ * MUST resolve it to the source audit entry by `entry_id` and verify there.
+ */
+interface HubActivityFeedEntry {
+    version: "1.1";
+    /** Audit-chain entry id. */
+    entry_id: string;
+    /** ISO8601 timestamp. */
+    emitted_at: string;
+    /** Wrapped agent id, if applicable. */
+    agent_id?: string;
+    /** Identity id. */
+    identity_id: string;
+    /** Stable category enum. */
+    category: "policy_decision" | "approval" | "denial" | "egress" | "privacy" | "handoff" | "lifecycle" | "config" | "other";
+    /**
+     * Display template id. Resolved by the dashboard against the activity-feed
+     * template catalog. Backends MUST NOT emit raw summary text — the template
+     * id plus typed args is the only legitimate channel.
+     */
+    display_template_id: string;
+    /** Typed args. Same constraints as `HubInboxItemHeader.display_template_args`. */
+    display_template_args: HubDisplayTemplateArg[];
+}
+/**
+ * Per-agent status snapshot returned by the hub API. Mirrors the agent
+ * registry record but is computed-on-read; it does not flow through the
+ * audit chain by itself.
+ */
+interface HubAgentStatusSnapshot {
+    version: "1.1";
+    agent_id: string;
+    status: HubAgentStatus;
+    /**
+     * Reason class for the current status. Same enum as
+     * `LocalAgentRecord.status_reason_class`. Stable, not free text. Present
+     * only when status is `locked_down`, `error`, or `restarting`.
+     */
+    status_reason_class?: "operator_lockdown" | "policy_breach" | "budget_hard_cap" | "harness_error" | "harness_unreachable" | "passphrase_required" | "config_drift" | "other";
+    /** ISO8601 last-seen timestamp. */
+    last_activity_at: string;
+    /** Inbox-item ids currently unresolved against this agent. */
+    open_inbox_item_ids: string[];
+}
+/**
+ * Sanctuary v1.1 — Local Agent Registry Records
+ *
+ * Shared shape for the per-agent record returned by the operator hub registry
+ * API. Implementations of the hub API workstream (Prompt 5) write these;
+ * dashboard UI (Prompt 8), internal coordination (Prompt 6), and the exit
+ * bundle workstream (Prompt 7) read these.
+ *
+ * Local-only invariant:
+ * Records describe agents wrapped by a single fortress on a single operator's
+ * machine. Cross-fortress agent discovery is deferred to v1.3.
+ *
+ * No-secret invariant:
+ * Records MUST NOT carry private keys, passphrases, recovery seeds, or raw
+ * provider credentials. Provider identifiers and policy ids are safe;
+ * provider tokens are not.
+ */
+/**
+ * Coarse harness label. Mirrors the README-supported wrap targets at v1.1
+ * ship. Adding a harness requires a new entry here plus harness-compatibility
+ * coverage from Prompt 9.
+ *
+ * `mastra` has a first-class Tier B adapter at
+ * `server/src/agent-contract/adapters/mastra.ts` and is therefore a
+ * first-class kind here. `langgraph` does NOT have a dedicated adapter at
+ * v1.1 ship; LangGraph wraps land via the generic `sanctuary wrap --wrap
+ * <path>` path and surface as `generic_mcp`. When a dedicated LangGraph
+ * adapter ships, add `langgraph` here in the same PR.
+ */
+type LocalHarnessKind = "openclaw" | "hermes" | "claude_code" | "cursor" | "cline" | "mastra" | "generic_mcp" | "other";
+/**
+ * Provider category for the underlying model. Distinct from the privacy
+ * destination category enum because providers and destinations are not 1:1
+ * (one provider can serve multiple destination categories).
+ */
+interface LocalAgentModelProvider {
+    /** Coarse provider label, e.g., "anthropic", "openai", "xai", "local", "other". */
+    vendor: string;
+    /** Concrete model identifier reported by the provider, e.g., "claude-opus-4". */
+    model_id: string;
+    /**
+     * Whether the model runs locally (on-device or LAN) versus a remote provider.
+     * Local models still flow through the privacy filter where applicable.
+     */
+    runs_locally: boolean;
+}
+/**
+ * Budget summary surfaced to the hub. Concrete budget enforcement lives in
+ * the policy engine; this is a read-only snapshot.
+ */
+interface LocalAgentBudgetSummary {
+    /** Daily bucket. */
+    daily?: {
+        /** Allotment unit, e.g., "tokens", "usd". */
+        unit: string;
+        /** Total allotment for the bucket. */
+        cap: number;
+        /** Amount used so far in the bucket window. */
+        used: number;
+        /** Soft-warn threshold fraction (0..1). */
+        soft_warn?: number;
+    };
+    /** Monthly bucket. */
+    monthly?: {
+        unit: string;
+        cap: number;
+        used: number;
+        soft_warn?: number;
+    };
+    /** ISO8601 timestamp of last budget refresh. */
+    last_refreshed_at: string;
+}
+/**
+ * The canonical local agent registry record for v1.1.
+ *
+ * Implementations SHOULD treat this as read-from-storage; mutating fields is
+ * the responsibility of the hub API plus the underlying agent lifecycle owner
+ * (wrap / unwrap / template assignment / lockdown).
+ */
+interface LocalAgentRecord {
+    version: "1.1";
+    /** Stable agent identifier, scoped to this fortress. */
+    agent_id: string;
+    /** Operator identity that owns the agent. */
+    identity_id: string;
+    /** Harness the agent runs under. */
+    harness: LocalHarnessKind;
+    /** Free-text harness version string from the harness, when available. */
+    harness_version?: string;
+    /** Model and provider details. */
+    model_provider: LocalAgentModelProvider;
+    /** Bound policy id (compiled policy artifact). */
+    policy_id: string;
+    /**
+     * Bound channel-template id, when one applies. Template id space is owned
+     * by the policy engine.
+     */
+    channel_template_id?: string;
+    /** Current lifecycle status as surfaced to the hub. */
+    status: HubAgentStatus;
+    /**
+     * Reason class for the current status. Stable enum, not free text.
+     * Present only when status is `locked_down`, `error`, or `restarting`.
+     * The dashboard renders human-readable copy from a template catalog
+     * keyed by this value; backends MUST NOT emit raw reason text.
+     */
+    status_reason_class?: "operator_lockdown" | "policy_breach" | "budget_hard_cap" | "harness_error" | "harness_unreachable" | "passphrase_required" | "config_drift" | "other";
+    /** Budget summary snapshot. */
+    budget_summary: LocalAgentBudgetSummary;
+    /** ISO8601 timestamp of last agent activity. */
+    last_activity_at: string;
+    /** ISO8601 timestamp of wrap. */
+    wrapped_at: string;
+    /**
+     * Capabilities flag set surfaced by the harness. Stable string set;
+     * dashboard renders supported controls based on this set.
+     */
+    capabilities: {
+        can_pause: boolean;
+        can_resume: boolean;
+        can_restart: boolean;
+        can_unwrap: boolean;
+        can_lockdown: boolean;
+        can_chat: boolean;
+        can_change_template: boolean;
+    };
+}
+/**
+ * Note on signing:
+ * `LocalAgentRecord` is a read-from-storage projection of agent registry
+ * state. It is NOT a signed envelope. Signed audit entries that reference
+ * this record (wrap, unwrap, policy change, lockdown, etc.) carry the
+ * signature scheme on the enclosing audit-chain entry, not on the record
+ * itself. Consumers that need to verify a registry change MUST resolve
+ * through the audit chain.
+ */
+/**
+ * Hub-side filter shape used by the registry list API. Workstreams may extend
+ * with additional filters; the canonical fields below are stable.
+ */
+interface LocalAgentRegistryFilter {
+    /** Restrict to one identity id. */
+    identity_id?: string;
+    /** Restrict to one or more harness kinds. */
+    harnesses?: LocalHarnessKind[];
+    /** Restrict to one or more lifecycle statuses. */
+    statuses?: HubAgentStatus[];
+    /**
+     * Maximum records to return. Implementations SHOULD enforce a server-side
+     * upper bound regardless of caller value.
+     */
+    limit?: number;
+    /** Pagination cursor; opaque to the caller. */
+    cursor?: string;
+}
 /**
  * Sanctuary v1.1 — Exit Bundle Manifest Contract
  *
@@ -3680,6 +4099,412 @@ interface SHRGeneratorOptions {
  */
 declare function generateSHR(identityId: string | undefined, opts: SHRGeneratorOptions): SignedSHR | string;
+/**
+ * Sanctuary v1.1 Operator Hub API Constants
+ *
+ * Routes, prefixes, and small enums shared across the hub modules.
+ * The hub API surface is consumed by the v1.1 dashboard UI (Prompt 8).
+ *
+ * Local-only invariant:
+ * Every route here describes activity inside a single fortress on a single
+ * operator's machine. Cross-fortress, fleet, and public-federation routes
+ * are out of scope.
+ */
+/**
+ * Inbox-resolve actions. The router rejects any other action token.
+ */
+declare const HUB_INBOX_ACTIONS: readonly ["approve", "deny", "dismiss"];
+type HubInboxAction = (typeof HUB_INBOX_ACTIONS)[number];
+/**
+ * Agent-control actions surfaced by `POST /api/hub/agents/:id/:action`.
+ *
+ * `pause` / `resume` / `restart` are control-plane operations that the
+ * underlying harness may execute immediately; they are not Tier 1.
+ *
+ * `unwrap` and `lockdown` are Tier 1 operations per the Principal Policy
+ * loader. Hub endpoints for these MUST enqueue an `approval_pending` inbox
+ * item rather than execute directly. Tier 1 approval gates remain in force
+ * from the dashboard. The dashboard never auto-approves Tier 1 work.
+ */
+declare const HUB_AGENT_CONTROL_ACTIONS: readonly ["pause", "resume", "restart", "unwrap", "lockdown"];
+type HubAgentControlAction = (typeof HUB_AGENT_CONTROL_ACTIONS)[number];
+/** Channel-template identifiers per Walkthrough Key 10 LOCKED starter set. */
+declare const CHANNEL_TEMPLATE_IDS: readonly ["read-outputs-only", "bidirectional-sync", "credential-share-scoped", "plan-inspect-read-only", "escrow-handoff"];
+type ChannelTemplateId = (typeof CHANNEL_TEMPLATE_IDS)[number];
+/**
+ * Sanctuary v1.1. Operator Hub API Types
+ *
+ * Service-deps shapes + small payload types not already defined in the
+ * v1.1 contracts. The contract surface (HubInboxItem, LocalAgentRecord,
+ * HubActivityFeedEntry, HubAgentStatusSnapshot) is the source of truth for
+ * everything that crosses the API boundary; types in this file are
+ * implementation glue.
+ */
+/**
+ * Result returned from a synchronous (non-Tier-1) agent control action.
+ */
+interface HubAgentControlResult {
+    agent_id: string;
+    prior_status: HubAgentStatus;
+    new_status: HubAgentStatus;
+    applied_at: string;
+}
+/**
+ * Result returned from a Tier-1 agent control action that has been
+ * deferred to operator approval. The hub returns the inbox item id so the
+ * caller can poll or subscribe; nothing executes until the operator
+ * resolves the inbox item.
+ */
+interface HubTier1ApprovalEnqueuedResult {
+    agent_id: string;
+    inbox_item_id: string;
+    status: "approval_pending";
+    /**
+     * Same enum as
+     * `HubApprovalPendingItem.operation_category`. Surfaced separately so
+     * non-inbox callers (CLI scripts, test harnesses) can act on the
+     * category without a second fetch.
+     */
+    operation_category: HubApprovalPendingItem["operation_category"];
+}
+/**
+ * Result returned from a fortress-scope Tier-1 action that has been
+ * deferred to operator approval. Distinguished from the per-agent shape by
+ * the absence of `agent_id` and the presence of `fortress_scope: true`.
+ * The Tier 1 handler iterates fortress-wide on approval; nothing executes
+ * until the operator resolves the inbox item.
+ */
+interface HubTier1FortressApprovalEnqueuedResult {
+    inbox_item_id: string;
+    status: "approval_pending";
+    operation_category: HubApprovalPendingItem["operation_category"];
+    /** Always true. Distinguishes from the per-agent shape. */
+    fortress_scope: true;
+}
+/**
+ * Result returned from `fortressExportBundle` after a fortress-scope
+ * exit-bundle export approval lands. Surfaced both in the inbox item's
+ * `resolution_payload` and (separately) in an activity feed entry.
+ */
+interface HubFortressExportResult {
+    bundle_dir: string;
+    manifest_hash: string;
+    artifact_count: number;
+}
+/**
+ * Generic capability check delegated to the underlying harness controller.
+ * The hub never performs the harness-side action itself; it asks the
+ * controller to apply a transition and reports the new status back.
+ *
+ * Each callback returns the agent's new status after the action lands.
+ * The controller MUST throw if it cannot apply the action; the hub maps
+ * those throws to HubCapabilityError or HubConflictError.
+ */
+interface HubAgentController {
+    pause(agentId: string): Promise<HubAgentStatus>;
+    resume(agentId: string): Promise<HubAgentStatus>;
+    restart(agentId: string): Promise<HubAgentStatus>;
+    /**
+     * Apply an operator-approved unwrap. Called only after a Tier 1
+     * approval lands through the inbox flow. Implementations SHOULD treat
+     * unwrap as durable (cocoon teardown + registry deregister).
+     */
+    unwrap(agentId: string): Promise<HubAgentStatus>;
+    /**
+     * Apply an operator-approved lockdown. Called only after a Tier 1
+     * approval lands. Implementations SHOULD treat lockdown as a hard-stop
+     * (deny all egress, freeze gates) until explicitly cleared.
+     */
+    lockdown(agentId: string): Promise<HubAgentStatus>;
+    /**
+     * Apply an operator-approved policy bind. Called only after a Tier 1
+     * approval lands.
+     */
+    bindPolicy(agentId: string, policyId: string): Promise<void>;
+    /**
+     * Apply a non-Tier-1 channel-template binding. Channel templates are
+     * compositions over the canonical four slots; binding does not require
+     * Tier 1 approval at v1.1.
+     */
+    bindChannelTemplate(agentId: string, templateId: ChannelTemplateId): Promise<void>;
+}
+/**
+ * Source-side input shapes the inbox aggregator pulls from. Each callback
+ * returns recent occurrences pre-shaped as the underlying contract type;
+ * the aggregator wraps them into HubInboxItem header form.
+ *
+ * Source callbacks are deliberately narrow; the hub does not know how to
+ * compute privacy events or budget thresholds. Other workstreams own those
+ * computations and feed them in through these callbacks.
+ */
+interface HubInboxSources {
+    /**
+     * Currently unresolved Tier 1 / Tier 2 approval requests. Items already
+     * in the hub-side inbox store are deduplicated by `item_id` against these.
+     */
+    listPendingApprovals: () => HubApprovalPendingItem[];
+    /**
+     * Recent egress denials. The hub surfaces each as a blocked-egress inbox
+     * card. The caller is responsible for trimming to the recent window.
+     */
+    listRecentBlockedEgress: () => HubBlockedEgressItem[];
+    /**
+     * Recent privacy events the operator should attend to. The hub does NOT
+     * surface every privacy event; it surfaces the ones that the privacy
+     * core has already promoted to operator attention (denied, error, plus
+     * filtered events flagged by the bound policy).
+     */
+    listRecentPrivacyEvents: () => HubPrivacyEventItem[];
+    /**
+     * Active budget warnings (soft-warn or hard-cap). Closed warnings are
+     * not returned.
+     */
+    listActiveBudgetWarnings: () => HubBudgetWarningItem[];
+    /**
+     * Active recovery prompts (passphrase reset due, exit drill recommended,
+     * keychain rebind required, etc.).
+     */
+    listActiveRecoveryPrompts: () => HubRecoveryPromptItem[];
+    /**
+     * Recent agent-error events.
+     */
+    listRecentAgentErrors: () => HubAgentErrorItem[];
+}
+interface HubActivitySources {
+    /**
+     * Underlying audit log the activity feed projects from.
+     */
+    auditLog: AuditLog;
+    /**
+     * Identity id the dashboard is currently scoped to. Activity entries are
+     * filtered to this identity; v1.1 is single-operator; the parameter is
+     * here so v1.2 can scope per-identity without breaking the API.
+     */
+    identityId: string;
+}
+/**
+ * Lightweight summary of a bound policy. Suitable for UI cards. Raw policy
+ * bytes never appear here.
+ */
+interface HubPolicySummary {
+    policy_id: string;
+    display_label: string;
+    /** ISO8601 timestamp the policy was bound. */
+    bound_at: string;
+    /** Number of agents currently bound to this policy. */
+    agent_count: number;
+    /** Channel template id the policy was compiled from, if applicable. */
+    channel_template_id?: ChannelTemplateId;
+}
+/**
+ * Lightweight summary of a budget bucket. Suitable for UI cards.
+ */
+interface HubBudgetSummary {
+    bucket_id: string;
+    /** Display label drawn from the policy compile step. */
+    display_label: string;
+    unit: string;
+    cap: number;
+    used: number;
+    /** Soft-warn threshold fraction (0..1). */
+    soft_warn?: number;
+    /** ISO8601 timestamp of last refresh. */
+    last_refreshed_at: string;
+}
+interface HubPolicyAndBudgetSources {
+    listPolicySummaries: () => HubPolicySummary[];
+    listBudgetSummaries: () => HubBudgetSummary[];
+}
+/**
+ * Read interface for the local agent registry. The hub does not invent
+ * agent records; it pulls them from this source. Backend implementations
+ * may persist records to disk or recompute them per call.
+ */
+interface HubAgentRegistrySource {
+    list(filter?: LocalAgentRegistryFilter): LocalAgentRecord[];
+    get(agentId: string): LocalAgentRecord | null;
+    /**
+     * Update a single field on a record. The hub uses this to flip status
+     * after a synchronous control action lands. Returns the updated record;
+     * throws if the agent does not exist.
+     */
+    updateStatus(agentId: string, status: HubAgentStatus, statusReasonClass?: LocalAgentRecord["status_reason_class"]): LocalAgentRecord;
+    /**
+     * Bind a different policy on a record. Used after an approved Tier 1
+     * policy_change action lands.
+     */
+    updatePolicyBinding(agentId: string, policyId: string): LocalAgentRecord;
+    /**
+     * Bind a different channel template on a record. Non-Tier-1.
+     */
+    updateChannelTemplateBinding(agentId: string, templateId: ChannelTemplateId): LocalAgentRecord;
+}
+interface HubServiceDeps {
+    /** Operator identity id this hub is scoped to. */
+    identityId: string;
+    /** Stable fortress id. */
+    fortressId: string;
+    /** Local agent registry source. */
+    agentRegistry: HubAgentRegistrySource;
+    /** Inbox aggregation sources. */
+    inboxSources: HubInboxSources;
+    /** Activity feed sources. */
+    activitySources: HubActivitySources;
+    /** Policy + budget summary sources. */
+    policyBudgetSources: HubPolicyAndBudgetSources;
+    /** Underlying agent controller for control endpoints. */
+    agentController: HubAgentController;
+    /**
+     * Optional fortress-scope exit-bundle export callback. Invoked only
+     * after a fortress-scope Tier 1 approval lands. The callback owns its
+     * own dependency wiring (storage, masterKey, identityManager, auditLog,
+     * policy, reputationStore, state namespaces); the hub layer remains
+     * crypto-agnostic. When omitted, the fortress export endpoint returns
+     * `HubCapabilityError`.
+     *
+     * The hub passes the inbox item's id as `approvalAuditId` so the
+     * callback can thread it into `exportExitBundle({ exportApprovalAuditId })`,
+     * tying the manifest's `export_approval_audit_id` to the operator's
+     * actual approval flow rather than an internally-generated value
+     * (closes v1.0.2 backlog item (j)). The argument is optional for
+     * backwards compatibility with existing callbacks.
+     */
+    fortressExportBundle?: (approvalAuditId?: string) => Promise<HubFortressExportResult>;
+    /**
+     * Clock override for deterministic timestamp emission in tests.
+     * Defaults to `() => new Date()` when omitted.
+     */
+    now?: () => Date;
+}
+/**
+ * Sanctuary v1.1. Operator Hub Service
+ *
+ * Public API the router calls. Owns no domain logic: it composes the
+ * agent registry source, the inbox aggregator + store, the activity feed
+ * projection, and the agent controller.
+ *
+ * Tier 1 enforcement contract:
+ * Hub control endpoints for `unwrap`, `lockdown`, and `policy_change` MUST
+ * NOT execute synchronously. The hub enqueues an `approval_pending` inbox
+ * item carrying the operation_category and binds the controller call to
+ * the inbox-store resolution handler. Only operator approval through the
+ * inbox path causes the controller call to fire. The dashboard never
+ * auto-approves Tier 1 work.
+ */
+declare class HubService {
+    private deps;
+    private inboxStore;
+    constructor(deps: HubServiceDeps);
+    private now;
+    private nowIso;
+    listInbox(): HubInboxItem[];
+    resolveInboxItem(itemId: string, action: HubInboxAction): Promise<HubInboxItem>;
+    listAgents(filter?: LocalAgentRegistryFilter): LocalAgentRecord[];
+    getAgent(agentId: string): LocalAgentRecord;
+    getAgentStatusSnapshot(agentId: string): HubAgentStatusSnapshot;
+    controlAgent(agentId: string, action: HubAgentControlAction): Promise<HubAgentControlResult | HubTier1ApprovalEnqueuedResult>;
+    /**
+     * Capability gate. Returns silently when the action is supported by the
+     * harness; throws HubCapabilityError when not.
+     */
+    private assertCapability;
+    /**
+     * Build a Tier 1 inbox item for an unwrap/lockdown/policy_change action
+     * and bind the controller call to its resolution.
+     */
+    private enqueueTier1ControlAction;
+    /**
+     * Bind a different policy on an agent. Tier 1: enqueues an approval
+     * pending inbox item rather than executing synchronously.
+     */
+    bindAgentPolicy(agentId: string, policyId: string): HubTier1ApprovalEnqueuedResult;
+    /**
+     * Bind a different channel template. Not Tier 1; channel templates are
+     * compositions over the four canonical slots and bind synchronously.
+     */
+    bindAgentChannelTemplate(agentId: string, rawTemplateId: unknown): Promise<LocalAgentRecord>;
+    /**
+     * Enqueue a fortress-scope Tier 1 lockdown. One inbox item is created;
+     * on operator approval the handler iterates `agentController.lockdown`
+     * over every wrapped agent for the bound identity, captures partial
+     * failures as per-agent `agent_error` inbox items, and emits a single
+     * `lifecycle` activity entry. Stacked fortress lockdowns are rejected
+     * with `HubConflictError` until the prior pending item resolves.
+     */
+    enqueueFortressLockdown(): HubTier1FortressApprovalEnqueuedResult;
+    /**
+     * Enqueue a fortress-scope Tier 1 exit-bundle export. One inbox item is
+     * created; on operator approval the handler invokes
+     * `fortressExportBundle()` once at fortress scope, attaches
+     * `bundle_dir` + `manifest_hash` + `artifact_count` to the inbox item's
+     * `resolution_payload`, and emits a `lifecycle` activity entry.
+     * Stacked exports are rejected with `HubConflictError`.
+     */
+    enqueueFortressExportBundle(): HubTier1FortressApprovalEnqueuedResult;
+    /**
+     * Reject stacked fortress-scope Tier 1 items. The check scans the inbox
+     * store for an unresolved `approval_pending` item with the same
+     * `operation_category` and no `agent_id` (the fortress-scope marker).
+     */
+    private assertNoPendingFortressTier1;
+    listActivity(filter: {
+        since?: string;
+        limit?: number;
+        agent_id?: string;
+        category?: HubActivityFeedEntry["category"];
+    }): Promise<HubActivityFeedEntry[]>;
+    listPolicySummaries(): HubPolicySummary[];
+    listBudgetSummaries(): HubBudgetSummary[];
+    /**
+     * Validate that a caller-supplied filter does not request cross-fortress
+     * scope; v1.1 hub is single-fortress; the filter rejects fortress-bridging
+     * fields outright; v1.3 federation will introduce an alternate surface.
+     */
+    static assertLocalOnlyFilter(filter: Record<string, unknown> | null): void;
+    /**
+     * Test/inspection helper. Not part of the public service surface.
+     */
+    inboxStoreSize(): number;
+}
+/**
+ * v1.1 Server Wiring (v1.1.1 hotfix)
+ *
+ * v1.1.0 shipped the v1.1 module suite (dashboard / hub API / exit bundle
+ * endpoints / coordination) but no entry-point server imported any of it.
+ * This module builds the canonical HubService construction the dashboard
+ * entry points share so the routes light up at boot without forcing each
+ * caller to know the deps shape.
+ *
+ * The wiring is deliberately minimal at v1.1.1:
+ *
+ *   - Local agent registry starts empty. v1.2 will populate it from
+ *     `discoverTenants()` and the wrapped harness manifest. v1.1.1 ships
+ *     the API surface so existing operator scripts can hit it; the data
+ *     plane is the next conversation.
+ *   - Inbox sources return empty arrays. The privacy chokepoint already
+ *     emits audit events through PR #69 / PR #71; the inbox aggregator is
+ *     the v1.2 work to project those into operator cards.
+ *   - Activity feed reads from the real audit log. This is the one source
+ *     that's already complete in v1.1.0 and just needs to be plugged in.
+ *   - Agent controller errors on every action. v1.1.1 cannot honestly
+ *     pause / unwrap / lockdown anything because no agent registry yet
+ *     exists; the wiring returns `HubCapabilityError` rather than lying
+ *     about what shipped.
+ */
+interface V11Bindings {
+    hubService: HubService;
+    identityId: string;
+    fortressId: string;
+}
 /**
  * Sanctuary MCP Server — Principal Dashboard
  *
@@ -3763,6 +4588,12 @@ declare class DashboardApprovalChannel implements ApprovalChannel {
      * policy change.
      */
     private _autoAuthLocalhost;
+    /**
+     * v1.1 routes (dashboard HTML at /v1.1, hub API at /api/hub/*) are
+     * mounted additively when set. Legacy routes at / continue to serve
+     * regardless. Default route flip is deferred to v1.2.
+     */
+    private v11Bindings;
     constructor(config: DashboardConfig);
     /**
      * Inject dependencies after construction.
@@ -3784,6 +4615,26 @@ declare class DashboardApprovalChannel implements ApprovalChannel {
      * Exposed via /api/status so the frontend can show an appropriate banner.
      */
     setStandaloneMode(standalone: boolean): void;
+    /**
+     * v1.1.1 hotfix: bind the v1.1 dashboard + hub API to this dashboard
+     * instance. After binding, requests to `/v1.1` serve the v1.1 HTML and
+     * requests under `/api/hub/*` route through the hub API. Legacy routes
+     * at `/` and `/api/*` keep their pre-v1.1 behavior (additive mount).
+     *
+     * Pass `null` to detach the bindings (used by tests and during shutdown).
+     */
+    setV11Bindings(bindings: V11Bindings | null): void;
+    /**
+     * v1.1 dispatch entry point. Called from `handleRequest` before the
+     * legacy route table. Returns true when the request was served by v1.1
+     * routes; false to fall through to legacy routing.
+     *
+     * Auth gating: the v1.1 dashboard HTML is served unconditionally (the
+     * client script handles its own auth dance). Hub API routes run through
+     * the same auth contract as legacy `/api/*` routes via the AuthConfig
+     * passed to `handleHubRoute`.
+     */
+    private dispatchV11;
     /**
      * v0.10.2: enable (or disable) the loopback auto-auth fast path. See
      * {@link _autoAuthLocalhost} for the rationale and threat model. Callers
@@ -3859,6 +4710,7 @@ declare class DashboardApprovalChannel implements ApprovalChannel {
      */
     private pruneRateLimits;
     private handleRequest;
+    private handleLegacyRequest;
     /**
      * SEC-012: Exchange a long-lived auth token (in Authorization header)
      * for a short-lived session ID. The session ID can be used in URL
@@ -4643,6 +5495,23 @@ interface DashboardHandle {
      * `agent_id`.
      */
     publishAgentStatus: (snapshot: unknown) => void;
+    /**
+     * v1.1.2 hotfix (Finding V): bind v1.1 hub bindings to this dashboard
+     * instance so /v1.1, /api/hub/*, and /api/identities serve the v1.1
+     * surface. Pass null to detach. PR #82 wired these routes only on the
+     * principal-policy DashboardApprovalChannel; the wrap-auto operator
+     * dashboard (this server) needed the same wiring for the wrap-emitted
+     * URL to expose the v1.1 surfaces the v1.1.1 release notes claim.
+     */
+    setV11Bindings: (bindings: V11Bindings | null) => void;
+    /**
+     * v1.1.2: enable loopback auto-auth for /api/hub/* + /api/identities.
+     * When true, requests from 127.0.0.1 / ::1 bypass the bearer-token
+     * check (mirrors the principal-policy dashboard's _autoAuthLocalhost
+     * flag). Set true when the dashboard binds to a loopback host and the
+     * caller has independently authenticated the operator.
+     */
+    setV11LoopbackAutoAuth: (enabled: boolean) => void;
 }
 declare function startDashboardServer(options: DashboardServerOptions): Promise<DashboardHandle>;