@sanctuary-framework/mcp-server 1.1.2 → 1.1.4

package/dist/cli.cjs

@@ -13357,7 +13357,7 @@ function renderDashboardV11Html(options = {}) {
     streamUrl,
     identityId,
     fortressId
-  });
+  }).replace(/</g, "\\u003c");
   const clientBlock = embedClient ? `<script type="module">${getClientScript()}</script>` : `<!-- client script omitted by render option -->`;
   return `<!doctype html>
 <html lang="en">
@@ -13388,7 +13388,7 @@ function renderDashboardV11Html(options = {}) {
     <aside class="fortress" id="fortress"><p class="muted">Loading fortress column.</p></aside>
   </div>
   <div id="toast-host" aria-live="polite"></div>
-  <script id="dashboard-config" type="application/json">${escHtml3(config)}</script>
+  <script id="dashboard-config" type="application/json">${config}</script>
   ${clientBlock}
 </body>
 </html>`;
@@ -27536,14 +27536,14 @@ var init_generator2 = __esm({
     ]);
   }
 });
-function printRecoveryKeyBanner(recoveryKey, filePath, output = process.stderr) {
+function printSecretBanner(secret, filePath, copy, output = process.stderr) {
   const lines = [
-    "SANCTUARY: First Run, Recovery Key Generated",
+    copy.bannerHeader,
     "",
-    `Recovery Key: ${recoveryKey}`,
+    `${copy.bannerSecretLabel}: ${secret}`,
     "",
-    "SAVE THIS KEY. It will not be shown again.",
-    "Without it, your encrypted state is unrecoverable.",
+    copy.bannerSaveLine,
+    copy.bannerLossLine,
     "",
     "Plaintext copy written to:",
     `  ${filePath}`,
@@ -27562,8 +27562,8 @@ ${bottom}
 
 `);
 }
-async function writeRecoveryKeyFile(opts) {
-  const filePath = path.join(opts.storagePath, RECOVERY_KEY_FILENAME);
+async function writeSecretFile(opts) {
+  const filePath = path.join(opts.storagePath, opts.copy.fileName);
   try {
     await promises.access(filePath, promises.constants.F_OK);
     return { filePath, written: false };
@@ -27573,54 +27573,47 @@ async function writeRecoveryKeyFile(opts) {
   const now = (opts.now ?? (() => /* @__PURE__ */ new Date()))().toISOString();
   const fortressLine = opts.fortressId ? `Fortress: ${opts.fortressId}
 ` : "";
-  const content = `SANCTUARY RECOVERY KEY \u2014 DO NOT COMMIT, DO NOT EMAIL, MOVE OFF-HOST IMMEDIATELY.
+  const content = `${opts.copy.fileWarningHeader}
 Generated: ${now}
 ` + fortressLine + `
-Recovery key:
-${opts.recoveryKey}
-
-This file was created on first init. Sanctuary will NOT regenerate this file on
-subsequent runs and will NOT display the key again. After moving this file off
-the host (encrypted backup, password manager, paper safe), delete it from the
-fortress directory. Do NOT keep it in the fortress; the recovery key bypasses
-the cocoon passphrase by design.
-`;
+${opts.copy.fileSecretLabel}
+${opts.secret}
+
+` + opts.copy.fileBody;
   await promises.writeFile(filePath, content, { mode: 384 });
   return { filePath, written: true };
 }
-async function confirmRecoveryKeySaved(io) {
+async function confirmSecretSaved(copy, declinedError, nonInteractiveError, io) {
   const input = io?.input ?? process.stdin;
   const output = io?.output ?? process.stderr;
   const realStdin = !io && process.stdin.isTTY !== true;
   if (realStdin) {
-    throw new RecoveryKeyConfirmationNonInteractiveError();
+    throw new nonInteractiveError();
   }
   const rl = promises$1.createInterface({ input, output });
   try {
     const answer = await rl.question(
-      "Have you saved the recovery key? [y/N] "
+      `Have you saved the ${copy.promptLabel}? [y/N] `
     );
     const normalized = answer.trim().toLowerCase();
     if (normalized !== "y" && normalized !== "yes") {
-      throw new RecoveryKeyConfirmationDeclinedError();
+      throw new declinedError();
     }
   } finally {
     rl.close();
   }
 }
-async function discloseRecoveryKey(opts) {
+async function discloseSecret(opts, copy, declinedError, nonInteractiveError) {
   const mode = opts.mode ?? "interactive";
-  const fileResult = await writeRecoveryKeyFile({
+  const writeOpts = {
     storagePath: opts.storagePath,
-    recoveryKey: opts.recoveryKey,
-    ...opts.fortressId !== void 0 ? { fortressId: opts.fortressId } : {},
-    ...opts.now !== void 0 ? { now: opts.now } : {}
-  });
-  printRecoveryKeyBanner(
-    opts.recoveryKey,
-    fileResult.filePath,
-    opts.io?.output
-  );
+    secret: opts.secret,
+    copy
+  };
+  if (opts.fortressId !== void 0) writeOpts.fortressId = opts.fortressId;
+  if (opts.now !== void 0) writeOpts.now = opts.now;
+  const fileResult = await writeSecretFile(writeOpts);
+  printSecretBanner(opts.secret, fileResult.filePath, copy, opts.io?.output);
   if (mode === "no-confirm" || mode === "stdio-server") {
     return {
       filePath: fileResult.filePath,
@@ -27628,17 +27621,72 @@ async function discloseRecoveryKey(opts) {
       confirmed: false
     };
   }
-  await confirmRecoveryKeySaved(opts.io);
+  await confirmSecretSaved(copy, declinedError, nonInteractiveError, opts.io);
   return {
     filePath: fileResult.filePath,
     fileWritten: fileResult.written,
     confirmed: true
   };
 }
-var RECOVERY_KEY_FILENAME, RecoveryKeyConfirmationDeclinedError, RecoveryKeyConfirmationNonInteractiveError;
+async function discloseRecoveryKey(opts) {
+  const internalOpts = {
+    secret: opts.recoveryKey,
+    storagePath: opts.storagePath
+  };
+  if (opts.fortressId !== void 0) internalOpts.fortressId = opts.fortressId;
+  if (opts.mode !== void 0) internalOpts.mode = opts.mode;
+  if (opts.now !== void 0) internalOpts.now = opts.now;
+  if (opts.io !== void 0) internalOpts.io = opts.io;
+  return discloseSecret(
+    internalOpts,
+    RECOVERY_KEY_COPY,
+    RecoveryKeyConfirmationDeclinedError,
+    RecoveryKeyConfirmationNonInteractiveError
+  );
+}
+async function disclosePassphrase(opts) {
+  const internalOpts = {
+    secret: opts.passphrase,
+    storagePath: opts.storagePath
+  };
+  if (opts.fortressId !== void 0) internalOpts.fortressId = opts.fortressId;
+  if (opts.mode !== void 0) internalOpts.mode = opts.mode;
+  if (opts.now !== void 0) internalOpts.now = opts.now;
+  if (opts.io !== void 0) internalOpts.io = opts.io;
+  return discloseSecret(
+    internalOpts,
+    PASSPHRASE_BACKUP_COPY,
+    PassphraseConfirmationDeclinedError,
+    PassphraseConfirmationNonInteractiveError
+  );
+}
+var RECOVERY_KEY_FILENAME, PASSPHRASE_BACKUP_FILENAME, RECOVERY_KEY_COPY, PASSPHRASE_BACKUP_COPY, RecoveryKeyConfirmationDeclinedError, RecoveryKeyConfirmationNonInteractiveError, PassphraseConfirmationDeclinedError, PassphraseConfirmationNonInteractiveError;
 var init_recovery_key_disclosure = __esm({
   "src/cocoon/recovery-key-disclosure.ts"() {
     RECOVERY_KEY_FILENAME = "recovery-key.txt";
+    PASSPHRASE_BACKUP_FILENAME = "passphrase-backup.txt";
+    RECOVERY_KEY_COPY = {
+      fileName: RECOVERY_KEY_FILENAME,
+      bannerHeader: "SANCTUARY: First Run, Recovery Key Generated",
+      bannerSecretLabel: "Recovery Key",
+      bannerSaveLine: "SAVE THIS KEY. It will not be shown again.",
+      bannerLossLine: "Without it, your encrypted state is unrecoverable.",
+      fileWarningHeader: "SANCTUARY RECOVERY KEY, DO NOT COMMIT, DO NOT EMAIL, MOVE OFF-HOST IMMEDIATELY.",
+      fileSecretLabel: "Recovery key:",
+      fileBody: "This file was created on first init. Sanctuary will NOT regenerate this file on\nsubsequent runs and will NOT display the key again. After moving this file off\nthe host (encrypted backup, password manager, paper safe), delete it from the\nfortress directory. Do NOT keep it in the fortress; the recovery key bypasses\nthe cocoon passphrase by design.\n",
+      promptLabel: "recovery key"
+    };
+    PASSPHRASE_BACKUP_COPY = {
+      fileName: PASSPHRASE_BACKUP_FILENAME,
+      bannerHeader: "SANCTUARY: First Run, Passphrase Generated",
+      bannerSecretLabel: "Passphrase",
+      bannerSaveLine: "SAVE THIS PASSPHRASE. It will not be shown again.",
+      bannerLossLine: "Without it, your encrypted state is unrecoverable.",
+      fileWarningHeader: "SANCTUARY PASSPHRASE, DO NOT COMMIT, DO NOT EMAIL, MOVE OFF-HOST IMMEDIATELY.",
+      fileSecretLabel: "Passphrase:",
+      fileBody: "This file was created on first wrap when Sanctuary generated the passphrase.\nSanctuary will NOT regenerate this file on subsequent runs and will NOT display\nthe passphrase again. After moving this file off the host (encrypted backup,\npassword manager, paper safe), delete it from the fortress directory. Do NOT\nkeep it in the fortress; the keychain copy is recoverable only while the host\nand its OS keyring are intact.\n",
+      promptLabel: "passphrase"
+    };
     RecoveryKeyConfirmationDeclinedError = class extends Error {
       constructor() {
         super(
@@ -27655,6 +27703,22 @@ var init_recovery_key_disclosure = __esm({
         this.name = "RecoveryKeyConfirmationNonInteractiveError";
       }
     };
+    PassphraseConfirmationDeclinedError = class extends Error {
+      constructor() {
+        super(
+          "Passphrase confirmation declined. Save the passphrase (printed above and written to passphrase-backup.txt) before re-running wrap."
+        );
+        this.name = "PassphraseConfirmationDeclinedError";
+      }
+    };
+    PassphraseConfirmationNonInteractiveError = class extends Error {
+      constructor() {
+        super(
+          "Passphrase confirmation requires an interactive terminal. Re-run with --no-open for scripted use, or run from a TTY."
+        );
+        this.name = "PassphraseConfirmationNonInteractiveError";
+      }
+    };
   }
 });
 
@@ -31443,6 +31507,27 @@ async function runWrap(options, deps = {}) {
     );
   }
   await promises.mkdir(storagePath, { recursive: true, mode: 448 });
+  if (passphraseSource === "generated" && passphraseValue !== void 0) {
+    try {
+      await disclosePassphrase({
+        passphrase: passphraseValue,
+        storagePath,
+        fortressId: fortressIdFromStoragePath(storagePath),
+        // --no-open (CI / scripted) or non-TTY stdin both skip the prompt
+        // the same way init's --no-confirm does. Operator who scripted the
+        // call still gets the banner + the file; they will not see a hang.
+        mode: options.noOpen || process.stdin.isTTY !== true ? "no-confirm" : "interactive"
+      });
+    } catch (err) {
+      if (err instanceof PassphraseConfirmationDeclinedError || err instanceof PassphraseConfirmationNonInteractiveError) {
+        console.error(`
+  Sanctuary wrap: ${err.message}
+`);
+        process.exit(2);
+      }
+      throw err;
+    }
+  }
   const profile = createWrapProfile(upstreamServers);
   const profilePath = path.join(storagePath, "cocoon-profile.json");
   await promises.writeFile(profilePath, JSON.stringify(profile, null, 2), {
@@ -31903,6 +31988,7 @@ var init_cli2 = __esm({
     init_config();
     init_paths();
     init_runtime();
+    init_recovery_key_disclosure();
     COCOON_GOVERNOR_DEFAULTS = {
       volume_limit: 200,
       rate_limit_per_tool: 20,