@sanctuary-framework/mcp-server 1.2.0 → 1.2.2

package/dist/index.cjs

@@ -710,19 +710,40 @@ function assertSanctuaryConfigShape(c) {
 
 // src/storage/filesystem.ts
 init_random();
+var SAFE_CHARS = /[^A-Za-z0-9_.\-]/g;
+function bijectiveEncode(name) {
+  return name.replace(
+    SAFE_CHARS,
+    (ch) => "!" + ch.charCodeAt(0).toString(16).padStart(2, "0").toUpperCase()
+  );
+}
+function legacyNamespaceSanitize(name) {
+  return name.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function legacyKeySanitize(name) {
+  return name.replace(/[^a-zA-Z0-9_.-]/g, "_");
+}
 var FilesystemStorage = class {
   basePath;
   constructor(basePath) {
     this.basePath = basePath;
   }
   entryPath(namespace, key) {
-    const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, "_");
-    const safeKey = key.replace(/[^a-zA-Z0-9_.-]/g, "_");
+    const safeNamespace = bijectiveEncode(namespace);
+    const safeKey = bijectiveEncode(key);
     return path.join(this.basePath, safeNamespace, `${safeKey}.enc`);
   }
   namespacePath(namespace) {
-    const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, "_");
-    return path.join(this.basePath, safeNamespace);
+    return path.join(this.basePath, bijectiveEncode(namespace));
+  }
+  // Legacy on-disk paths produced by the pre-#41 sanitizer. Returned for
+  // ENOENT-fallback in read/exists/delete; never written to.
+  legacyEntryPath(namespace, key) {
+    return path.join(
+      this.basePath,
+      legacyNamespaceSanitize(namespace),
+      `${legacyKeySanitize(key)}.enc`
+    );
   }
   async write(namespace, key, data) {
     const dirPath = this.namespacePath(namespace);
@@ -731,7 +752,13 @@ var FilesystemStorage = class {
     await promises.writeFile(filePath, data, { mode: 384 });
   }
   async read(namespace, key) {
-    const filePath = this.entryPath(namespace, key);
+    const buf = await this.readAtPath(this.entryPath(namespace, key));
+    if (buf !== null) return buf;
+    const legacy = this.legacyEntryPath(namespace, key);
+    if (legacy === this.entryPath(namespace, key)) return null;
+    return this.readAtPath(legacy);
+  }
+  async readAtPath(filePath) {
     try {
       const buf = await promises.readFile(filePath);
       return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
@@ -743,7 +770,13 @@ var FilesystemStorage = class {
     }
   }
   async delete(namespace, key, secureOverwrite = true) {
-    const filePath = this.entryPath(namespace, key);
+    const newPath = this.entryPath(namespace, key);
+    if (await this.deleteAtPath(newPath, secureOverwrite)) return true;
+    const legacy = this.legacyEntryPath(namespace, key);
+    if (legacy === newPath) return false;
+    return this.deleteAtPath(legacy, secureOverwrite);
+  }
+  async deleteAtPath(filePath, secureOverwrite) {
     try {
       if (secureOverwrite) {
         const fileStat = await promises.stat(filePath);
@@ -789,12 +822,19 @@ var FilesystemStorage = class {
     }
   }
   async exists(namespace, key) {
-    const filePath = this.entryPath(namespace, key);
+    const newPath = this.entryPath(namespace, key);
     try {
-      await promises.stat(filePath);
+      await promises.stat(newPath);
       return true;
     } catch {
-      return false;
+      const legacy = this.legacyEntryPath(namespace, key);
+      if (legacy === newPath) return false;
+      try {
+        await promises.stat(legacy);
+        return true;
+      } catch {
+        return false;
+      }
     }
   }
   async totalSize() {
@@ -4780,6 +4820,32 @@ function canonicalizeForSigning(body) {
 // src/shr/generator.ts
 init_identity();
 init_encoding();
+
+// src/mesh/constants.ts
+var PROTOCOL_VERSION = "0.1";
+var SIGNATURE_SCHEME_V1 = "ed25519-v1";
+var RESERVED_EVENT_TYPE_PREFIXES = [
+  "EXTENSION_",
+  "cross_fortress_",
+  "multi_master_"
+];
+function isReservedEventType(s) {
+  return RESERVED_EVENT_TYPE_PREFIXES.some((p) => s.startsWith(p));
+}
+var RESERVED_EXTENSION_ENVELOPE_KEYS = [
+  "cross_fortress_read_grant",
+  "cross_fortress_read_query",
+  "cross_fortress_read_response",
+  "multi_master_policy_merge",
+  "audit_replication_full_n_way",
+  "auto_promote_canonical_audit",
+  "agent_live_migration"
+];
+function isReservedExtensionKey(k) {
+  return RESERVED_EXTENSION_ENVELOPE_KEYS.includes(k);
+}
+
+// src/shr/generator.ts
 var DEFAULT_VALIDITY_MS = 60 * 60 * 1e3;
 var DEFAULT_FRESHNESS_WINDOW_DAYS = 30;
 var DEFAULT_LOW_TIER_DOMINANCE_THRESHOLD = 0.6;
@@ -4930,6 +4996,7 @@ function generateSHR(identityId, opts) {
   return {
     body,
     signed_by: identity.public_key,
+    signature_scheme: SIGNATURE_SCHEME_V1,
     signature: toBase64url(signatureBytes)
   };
 }
@@ -7166,14 +7233,14 @@ function generateDashboardHTML(options) {
       // cookie (set by /auth/session and sent automatically by the
       // browser) or as a ?session= query parameter, both of which Stack
       // A's checkAuth honours. Loopback callers also bypass auth via the
-      // v0.10.2 _autoAuthLocalhost path, which is the path moltbook
+      // v0.10.2 _autoAuthLocalhost path, which is the path Mini1
       // hits when the dashboard is auto-opened on 127.0.0.1.
       //
       // The endpoint itself is /events \u2014 Stack A's route table mounts it
       // there, and the previous /api/events URL was a 404 in every real
       // boot from v0.10.0 through v0.10.4. The retry loop that result
       // produced is exactly the "status bar flashing blue continuously"
-      // moltbook reported on v0.10.4.
+      // Mini1 reported on v0.10.4.
       const eventSource = new EventSource(API_BASE + '/events');
 
       eventSource.addEventListener('init', (e) => {
@@ -9985,10 +10052,8 @@ var CHANNEL_TEMPLATE_IDS = [
   "read-then-report",
   "scheduled-digest",
   "plan-draft-only",
-  "fortress-relay",
-  "concierge-loop"
+  "fortress-relay"
 ];
-var COUNTERPARTY_WILDCARD = "*";
 var BUDGET_UNITS = ["tokens", "usd"];
 
 // src/templates/registry.ts
@@ -10156,8 +10221,12 @@ function lintOnboarding(_name, content) {
 function resolveTemplatesDir() {
   const thisFile = url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href)));
   const thisDir = path.dirname(thisFile);
-  if (thisDir.includes("/dist/")) {
-    return thisDir.replace("/dist/templates", "/src/templates");
+  if (thisDir.includes("/dist")) {
+    const templatesSubdir = path.join(thisDir, "templates");
+    const candidateDir = fs.existsSync(path.join(thisDir, TEMPLATE_NAMES[0])) ? thisDir : fs.existsSync(path.join(templatesSubdir, TEMPLATE_NAMES[0])) ? templatesSubdir : null;
+    if (candidateDir) return candidateDir;
+    const srcFallback = thisDir.endsWith("/templates") ? thisDir.replace("/dist/templates", "/src/templates") : path.join(thisDir.replace("/dist", "/src"), "templates");
+    return srcFallback;
   }
   return thisDir;
 }
@@ -10426,23 +10495,6 @@ var fortressRelay = (params) => {
   setRetentionDays(p, 90);
   return p;
 };
-var conciergeLoop = (params) => {
-  const p = basePolicy(params);
-  p.source_english = "Bidirectional Q&A with the operator. Reads local fortress state; never writes outward.";
-  grantOn(p, "memory", {
-    counterparty: params.counterparty,
-    action: "read",
-    scope: { local_fortress_state_only: true, ...params.scope ?? {} }
-  });
-  grantOn(p, "outputs", {
-    counterparty: params.counterparty || COUNTERPARTY_WILDCARD,
-    action: "read",
-    scope: { operator_chat_only: true, ...params.scope ?? {} }
-  });
-  p.egress = { allowlist: [] };
-  setRetentionDays(p, 14);
-  return p;
-};
 function allowedHostsFromScope(scope) {
   const raw = scope?.allowed_hosts;
   if (!Array.isArray(raw)) return [];
@@ -10483,13 +10535,6 @@ var REGISTRY = {
     label: "Fortress relay",
     description: "Routes signed events between peer fortresses. Commits bind only when both sides sign.",
     factory: fortressRelay
-  },
-  "concierge-loop": {
-    id: "concierge-loop",
-    severity: "LOW",
-    label: "Concierge loop",
-    description: "Bidirectional Q&A with the operator. Reads local fortress state; never writes outward.",
-    factory: conciergeLoop
   }
 };
 function applyChannelTemplate(id, params) {
@@ -10563,8 +10608,14 @@ function encode(value) {
 }
 function encodeArray(arr) {
   const parts = [];
-  for (const item of arr) {
-    parts.push(item === void 0 ? "null" : encode(item));
+  for (let i = 0; i < arr.length; i++) {
+    const item = arr[i];
+    if (item === void 0) {
+      throw new MeshCanonicalJsonError(
+        `canonicalize(): undefined is not a valid JSON value at array index ${i}`
+      );
+    }
+    parts.push(encode(item));
   }
   return "[" + parts.join(",") + "]";
 }
@@ -10869,29 +10920,6 @@ function encodePolicyBlob(policy) {
 init_encoding();
 init_random();
 
-// src/mesh/constants.ts
-var PROTOCOL_VERSION = "0.1";
-var RESERVED_EVENT_TYPE_PREFIXES = [
-  "EXTENSION_",
-  "cross_fortress_",
-  "multi_master_"
-];
-function isReservedEventType(s) {
-  return RESERVED_EVENT_TYPE_PREFIXES.some((p) => s.startsWith(p));
-}
-var RESERVED_EXTENSION_ENVELOPE_KEYS = [
-  "cross_fortress_read_grant",
-  "cross_fortress_read_query",
-  "cross_fortress_read_response",
-  "multi_master_policy_merge",
-  "audit_replication_full_n_way",
-  "auto_promote_canonical_audit",
-  "agent_live_migration"
-];
-function isReservedExtensionKey(k) {
-  return RESERVED_EXTENSION_ENVELOPE_KEYS.includes(k);
-}
-
 // src/mesh/trust-root.ts
 init_encoding();
 init_identity();
@@ -12112,7 +12140,7 @@ async function api(path, opts) {
   // /policies, /activity responses on subsequent GETs even when the
   // server-side state has changed (e.g. recent-failures buffer cleared
   // on substrate flip). The pre-rc.5 client used bare fetch with no
-  // cache control, which on moltbook Safari produced a stale view of
+  // cache control, which on Mini1 Safari produced a stale view of
   // server state and made the operator-visible badge color stick to
   // its prior value across substrate changes. Belt + suspenders:
   // cache: "no-store" turns off the response cache; the _t query
@@ -12274,12 +12302,6 @@ const CHANNEL_TEMPLATES = [
     severity: "MEDIUM",
     title: "Fortress relay",
     description: "Routes signed events between peer fortresses. Commits bind only when both sides sign."
-  },
-  {
-    id: "concierge-loop",
-    severity: "LOW",
-    title: "Concierge loop",
-    description: "Bidirectional Q&A with the operator. Reads local fortress state; never writes outward."
   }
 ];
 
@@ -12326,6 +12348,24 @@ function setRoute(route) {
   renderFortress();
 }
 
+// Renders the global attestation badge (Q1 layer 1, persistent across
+// surfaces). Tone is driven by state.topbarPills.attestation. Pending
+// state shows a dashed seal ring; verified shows solid; degraded shows
+// outlined core; unverified shows the broken-seal mark. Observation
+// language only; Castle Layer 1 enforcement ships in WP-V1.x-CASTLE-WALL.
+function renderTopbarAttestationBadge(stateName) {
+  const valid = stateName === "verified" || stateName === "degraded" || stateName === "unverified" || stateName === "pending";
+  const cls = valid ? stateName : "pending";
+  const ringDashed = cls === "pending" ? " dashed" : "";
+  return '<span class="att-global ' + cls + '" data-pill="attestation" title="Fortress attestation">' +
+    '<span class="seal">' +
+      '<span class="seal-ring' + ringDashed + '"></span>' +
+      '<span class="seal-core"></span>' +
+    '</span>' +
+    '<span class="label">' + escHtml(cls) + '</span>' +
+  '</span>';
+}
+
 function renderTopbar() {
   const pillEl = document.getElementById("topbar-pills");
   if (!pillEl) return;
@@ -12342,7 +12382,7 @@ function renderTopbar() {
     versionPill,
     '<span class="pill" data-pill="deployment">deployment: ' + escHtml(state.topbarPills.deployment) + '</span>',
     '<span class="pill" data-pill="mode">mode: ' + escHtml(state.topbarPills.mode) + '</span>',
-    '<span class="pill tone-' + escHtml(state.topbarPills.attestation) + '" data-pill="attestation">attestation: ' + escHtml(state.topbarPills.attestation) + '</span>'
+    renderTopbarAttestationBadge(state.topbarPills.attestation)
   ].join("");
   // Lockdown button three-state UX (binding addendum 3).
   const btn = document.getElementById("btn-lockdown");
@@ -12438,6 +12478,7 @@ function renderMain() {
     case "agent-detail": nextHtml = renderAgentDetail(); break;
     case "policy": nextHtml = renderPolicyCenter(); break;
     case "intelligence": nextHtml = renderIntelligenceCenter(); break;
+    case "attestation": nextHtml = renderAttestation(); break;
     case "privacy": nextHtml = renderPrivacyPage(); break;
     case "coordination": nextHtml = renderCoordinationPage(); break;
     case "health": nextHtml = renderHealthPage(); break;
@@ -12516,9 +12557,9 @@ function renderMain() {
 //   "Concierge unavailable; substrate not configured") sourced from the
 //   last response's served_by + display_label.
 const CONCIERGE_SUGGESTIONS = [
-  { id: "summarize-hour", label: "summarize the last hour", query: "Summarize what happened in this fortress in the last hour." },
-  { id: "agent-touched", label: "what has each agent touched today", query: "What has each wrapped agent done today? Group by agent." },
-  { id: "open-approvals", label: "any open approvals?", query: "Are there any open Tier 1 approvals or pending inbox items I should look at?" }
+  { id: "summarize-hour", category: "Summarize", label: "summarize the last hour", query: "Summarize what happened in this fortress in the last hour." },
+  { id: "agent-touched", category: "Inspect", label: "what has each agent touched today", query: "What has each wrapped agent done today? Group by agent." },
+  { id: "open-approvals", category: "Approvals", label: "any open approvals?", query: "Are there any open Tier 1 approvals or pending inbox items I should look at?" }
 ];
 
 // Direct-agent chat surface was removed in the v1.2 reshape; the
@@ -12535,59 +12576,316 @@ function renderDashboardConcierge() {
   const badge = c.badge && c.badge.displayLabel
     ? '<span class="pill mono concierge-badge" title="Substrate that served the most recent response">' + escHtml(c.badge.displayLabel) + '</span>'
     : '<span class="pill muted concierge-badge">Concierge: substrate not yet contacted</span>';
-  const messages = c.messages.length
+  const sendDisabled = c.sending ? ' disabled' : '';
+  const sendLabel = c.sending ? 'Sending...' : 'Send';
+  // Sprint Piece 2 PR 2: empty state lives INSIDE the concierge-history
+  // container so the DDD e2e selector .concierge-history matches both
+  // empty and active state. The container's flex layout hosts a single
+  // .concierge-empty child that fills the available height with a serif
+  // headline and a 3-up suggest grid; the grid replaces the v1.2 bottom
+  // chip row, which is retired with this polish.
+  const emptyState =
+    '<div class="concierge-empty">' +
+      '<div class="concierge-empty-headline">' +
+        '<h2>Where would you like to begin.</h2>' +
+        '<p>Ask anything about your fortress. Sanctuary holds your context, your agents, your policy. It will answer plainly, or hand you to the right surface.</p>' +
+      '</div>' +
+      '<div class="concierge-suggest-grid">' +
+        CONCIERGE_SUGGESTIONS.map(function (s) {
+          return '<button class="concierge-suggest" data-action="concierge-suggestion" data-suggestion-id="' + escHtml(s.id) + '"' + sendDisabled + '>' +
+            '<span class="label">' + escHtml(s.category || '') + '</span>' +
+            escHtml(s.label) +
+            '</button>';
+        }).join("") +
+      '</div>' +
+    '</div>';
+  const messagesHtml = c.messages.length
     ? c.messages.map(function (m) {
         const cls = m.role === "operator" ? "concierge-msg-operator" : "concierge-msg-concierge";
-        const author = m.role === "operator" ? "you" : "Sanctuary Fortress concierge";
+        const authorLabel = m.role === "operator" ? "you" : "sanctuary";
+        const metaParts = [];
+        if (m.created_at) metaParts.push(escHtml(shortTime(m.created_at)));
+        if (m.role === "concierge" && m.served_by) metaParts.push('substrate: ' + escHtml(m.served_by));
+        const meta = metaParts.length
+          ? '<div class="concierge-msg-meta"><span>' + metaParts.join(' · ') + '</span></div>'
+          : '';
         return '<div class="concierge-msg ' + cls + '">' +
-          '<div class="concierge-msg-author muted">' + escHtml(author) + ' · ' + escHtml(shortTime(m.created_at)) + '</div>' +
+          '<span class="concierge-msg-author">' + escHtml(authorLabel) + '</span>' +
           '<div class="concierge-msg-body">' + escHtml(m.body) + '</div>' +
+          meta +
           '</div>';
       }).join("\n")
-    : '<p class="muted concierge-empty">No messages yet. Ask the concierge anything about your fortress: it can summarize agent activity, surface open approvals, or describe the current policy.</p>';
+    : emptyState;
   const errorBanner = c.error
     ? '<div class="banner banner-warn">' + escHtml(c.error) + '</div>'
     : "";
-  const sendDisabled = c.sending ? ' disabled' : '';
-  const sendLabel = c.sending ? 'Sending...' : 'Send';
-  const chips = CONCIERGE_SUGGESTIONS.map(function (s) {
-    return '<button class="btn chip" data-action="concierge-suggestion" data-suggestion-id="' + escHtml(s.id) + '"' + sendDisabled + '>' + escHtml(s.label) + '</button>';
-  }).join("\n");
   const activeChatsPanel = renderActiveChatsPanel();
   return [
-    '<h1>Chat <span class="muted">/ This fortress</span></h1>',
-    activeChatsPanel,
-    '<div class="card concierge-card">',
-      '<div class="concierge-header">',
-        '<div class="concierge-persona"><strong>Sanctuary Fortress concierge</strong> <span class="muted">read-only over fortress state</span></div>',
-        badge,
+    '<div class="concierge-wrap">',
+      '<div class="page-head"><div>',
+        '<p class="eyebrow">Concierge</p>',
+        '<h1>Talk to your fortress.</h1>',
+        '<p class="sub">A direct line to Sanctuary, routed through the substrate you chose. Nothing leaves without your hand on it.</p>',
+      '</div></div>',
+      activeChatsPanel,
+      '<div class="card concierge-card">',
+        '<div class="concierge-header">',
+          '<div class="concierge-persona">',
+            '<div class="glyph-ring"></div>',
+            '<div class="concierge-persona-text"><strong>Sanctuary Fortress concierge</strong><small>read-only over fortress state</small></div>',
+          '</div>',
+          '<div class="concierge-meta">' + badge + '</div>',
+        '</div>',
+        errorBanner,
+        '<div class="concierge-history" id="concierge-history">' + messagesHtml + '</div>',
+        '<form class="concierge-composer" data-action="concierge-submit">',
+          '<div class="input-wrap">',
+            '<input type="text" name="concierge-input" placeholder="Type to Sanctuary. Enter to send." value="' + escHtml(c.composer) + '" data-action="concierge-input"' + sendDisabled + ' autocomplete="off">',
+            '<span class="composer-meta">Enter</span>',
+          '</div>',
+          '<button type="submit" class="btn btn-primary" data-action="concierge-send"' + sendDisabled + '>' + escHtml(sendLabel) + '</button>',
+        '</form>',
+        '<p class="muted concierge-foot">First time? <a href="#intelligence">Pick a substrate</a> to enable concierge replies.</p>',
       '</div>',
-      errorBanner,
-      '<div class="concierge-history" id="concierge-history">' + messages + '</div>',
-      '<form class="concierge-composer" data-action="concierge-submit">',
-        '<input type="text" name="concierge-input" placeholder="Ask the concierge about this fortress..." value="' + escHtml(c.composer) + '" data-action="concierge-input"' + sendDisabled + ' autocomplete="off">',
-        '<button type="submit" class="btn btn-primary" data-action="concierge-send"' + sendDisabled + '>' + escHtml(sendLabel) + '</button>',
-      '</form>',
-      '<div class="concierge-chips">' + chips + '</div>',
-      '<p class="muted concierge-foot">First time? <a href="#intelligence">Pick a substrate</a> to enable concierge replies.</p>',
     '</div>'
   ].join("");
 }
 
 // ── Render: agents list / detail ───────────────────────────────────────
+//
+// Sprint Piece 2 PR 4 polish: empty state uses .agents-empty with the
+// concentric icon-frame + a terminal-block CTA. Populated state uses the
+// .agents-layout grid with the .agents-list 4-column table (Agent /
+// State / Attestation / Last seen). The empty-state branch keeps the
+// literal '<h1>Agents</h1>' start and the "No wrapped agents yet." copy
+// because agents-empty-state-canary.test.ts pins both.
+function agentInitials(agentId) {
+  const tail = String(agentId || "").split(":").pop() || "";
+  const cleaned = tail.replace(/[^a-zA-Z0-9]/g, "");
+  return (cleaned.slice(0, 2) || "??").toUpperCase();
+}
+function agentStateClass(status) {
+  if (status === "active") return "live";
+  if (status === "locked_down" || status === "error") return "off";
+  return "idle";
+}
+// Per-agent attestation badge (Q1 layer 2). Square chip beside each
+// agent: a bounded glyph beside a bounded entity. Color and fill pattern
+// carry meaning together so the badge reads even monochrome. The "locked"
+// status maps to the unverified visual (rust + hatched mark) since a
+// locked-down agent has no current attestation; the inspect-pane copy
+// explains the distinction. Pure visual surface; no state derivation.
+function renderAgentAttestationBadge(status) {
+  let cls;
+  let label;
+  if (status === "active") { cls = "verified"; label = "verified"; }
+  else if (status === "locked_down") { cls = "unverified"; label = "locked"; }
+  else if (status === "error") { cls = "unverified"; label = "unverified"; }
+  else { cls = "degraded"; label = "degraded"; }
+  return '<span class="att-agent ' + cls + '" title="Agent attestation"><span class="mark"></span>' + escHtml(label) + '</span>';
+}
+// Per-action attestation tick (Q1 layer 3). Tiny inline shape on every
+// timeline row. Two-byte signature fragment is enough at low resolution;
+// the full signature is one click away. Neutral state shows a circle
+// instead of a tick when the signer was unreachable; the action is still
+// recorded. Visual surface only.
+function renderActionAttestationBadge(stateName, sig) {
+  const valid = stateName === "verified" || stateName === "degraded" || stateName === "unverified" || stateName === "neutral";
+  const cls = valid ? stateName : "neutral";
+  const sigText = sig ? String(sig) : "--";
+  return '<span class="att-action ' + cls + '" title="Action attestation">' +
+    '<span class="tick"></span>' +
+    '<span>' + escHtml(sigText) + '</span>' +
+  '</span>';
+}
+// Attestation gallery surface (Q1 four classes: global / per-agent /
+// per-action / per-transaction custody-provenance stub). Reference for
+// operators: shows what each badge looks like across verified, degraded,
+// unverified, and (where applicable) pending or neutral states. Pure
+// visual; no derivation, no live data. Castle Layer 3 cooperative-MCP UX
+// surface; Castle Layer 1 enforcement ships in WP-V1.x-CASTLE-WALL.
+function renderAttestation() {
+  return '<div class="att-gallery">' +
+    '<div class="page-head"><div>' +
+      '<p class="eyebrow">Attestation</p>' +
+      '<h1>Four classes of badge.</h1>' +
+      '<p class="sub">A signature you can see. From the whole fortress, down to a single action. Degrade, never destroy: a failed signature becomes neutral with a tooltip; the surface keeps working.</p>' +
+    '</div></div>' +
+    // Global
+    '<div class="att-section">' +
+      '<div class="att-section-head"><div>' +
+        '<h2>Global. The fortress itself.</h2>' +
+        '<p>Lives in the topbar. Visible on every surface. Tells you the fortress identity is currently signed and matches the binary you installed.</p>' +
+      '</div><span class="label">topbar</span></div>' +
+      attRow(renderTopbarAttestationBadge("verified"), "Verified", "Identity matches. Binary matches. Default state for a healthy fortress.") +
+      attRow(renderTopbarAttestationBadge("degraded"), "Degraded", "The signature is older than the staleness window, or one of two co-signers is unreachable. The fortress keeps running.") +
+      attRow(renderTopbarAttestationBadge("unverified"), "Unverified", "The signature did not validate. The surface still works; lockdown is still available; the badge tells you to investigate.") +
+      attRow(renderTopbarAttestationBadge("pending"), "Pending", "First-run state. Fortress is signing for the first time. Settles in seconds.") +
+    '</div>' +
+    // Per-agent
+    '<div class="att-section">' +
+      '<div class="att-section-head"><div>' +
+        '<h2>Per-agent. In the agents list and inspect pane.</h2>' +
+        '<p>A square chip beside each agent. Square because an agent is bounded; the fortress (a circle) contains it.</p>' +
+      '</div><span class="label">agents view</span></div>' +
+      '<div class="att-row">' +
+        '<div class="demo" style="display:flex; gap:8px; flex-wrap:wrap;">' +
+          renderAgentAttestationBadge("active") +
+          renderAgentAttestationBadgeForState("degraded", "degraded") +
+          renderAgentAttestationBadgeForState("unverified", "unverified") +
+        '</div>' +
+        '<div class="desc"><strong>Verified, degraded, unverified</strong>' +
+          '<small>Color and the fill pattern carry meaning together. A solid square reads "attested" at a glance; a hatched square reads "trouble" at a glance, even monochrome.</small>' +
+        '</div>' +
+      '</div>' +
+    '</div>' +
+    // Per-action
+    '<div class="att-section">' +
+      '<div class="att-section-head"><div>' +
+        '<h2>Per-action. Inline in the activity timeline.</h2>' +
+        '<p>Each entry in any timeline carries a small signature fragment. Hover to expand. A tick instead of a fill keeps the row visually quiet at low resolution.</p>' +
+      '</div><span class="label">timeline</span></div>' +
+      '<div class="att-row">' +
+        '<div class="demo" style="display:flex; gap:10px; flex-wrap:wrap; align-items:center;">' +
+          '<span style="font-size:13px; color:var(--ink-2);">14:22:08 doc-reviewer summarized intake.pdf</span>' +
+          renderActionAttestationBadge("verified", "9c7d..2a") +
+        '</div>' +
+        '<div class="desc"><strong>Verified action</strong>' +
+          '<small>The most common shape. Two-byte signature fragment is enough; the full signature is one click away.</small>' +
+        '</div>' +
+      '</div>' +
+      '<div class="att-row">' +
+        '<div class="demo" style="display:flex; gap:10px; align-items:center;">' +
+          '<span style="font-size:13px; color:var(--ink-2);">14:11:47 privacy filter redacted payload</span>' +
+          renderActionAttestationBadge("degraded", "b440..71") +
+        '</div>' +
+        '<div class="desc"><strong>Degraded action</strong>' +
+          '<small>The action signed, but the signature class was less than the policy preferred. Useful when a substrate is still warming up.</small>' +
+        '</div>' +
+      '</div>' +
+      '<div class="att-row">' +
+        '<div class="demo" style="display:flex; gap:10px; align-items:center;">' +
+          '<span style="font-size:13px; color:var(--ink-2);">14:09:02 agent attempted external link</span>' +
+          renderActionAttestationBadge("neutral", "--") +
+        '</div>' +
+        '<div class="desc"><strong>Neutral. Degrade, not destroy.</strong>' +
+          '<small>The signer was unreachable. Rather than hide the action, the badge becomes neutral and a tooltip explains. The action is still recorded.</small>' +
+        '</div>' +
+      '</div>' +
+    '</div>' +
+    // Custody stub
+    '<div class="att-section">' +
+      '<div class="att-section-head"><div>' +
+        '<h2>Custody. Stub for v1.x.</h2>' +
+        '<p>A fourth class, surfaced conservatively. Reserved for forthcoming custody-provenance signatures (x402 payment receipts, ERC-8004 identity assertions). Visible, dashed, clearly stubbed.</p>' +
+      '</div><span class="label">stub</span></div>' +
+      '<div class="att-row">' +
+        '<div class="demo">' +
+          '<span class="att-custody" title="Custody-provenance, v1.x">' +
+            '<span class="seal-stub"></span>' +
+            '<span class="stub-tag">custody. stub</span>' +
+          '</span>' +
+        '</div>' +
+        '<div class="desc"><strong>Custody. Stub.</strong>' +
+          '<small>Dashed border signals "shape reserved, content pending." Will populate when custody signatures land in a future release. Cannot be confused with a verified badge at any zoom level.</small>' +
+        '</div>' +
+      '</div>' +
+    '</div>' +
+    // Tooltip
+    '<div class="att-section">' +
+      '<div class="att-section-head"><div>' +
+        '<h2>Tooltip on failure.</h2>' +
+        '<p>A failed badge is never silent. The tooltip explains in plain language, suggests one action, and confirms the surface is still working.</p>' +
+      '</div><span class="label">degrade not destroy</span></div>' +
+      '<div class="att-row">' +
+        '<div class="demo">' +
+          '<span class="att-tooltip">The signer at sig.fortress.local did not respond in 4s. Your fortress kept working. Try: open Health to see the signer status.</span>' +
+        '</div>' +
+        '<div class="desc"><strong>Plain-language tooltip</strong>' +
+          '<small>Three lines, in order: what happened, what did not break, what to do. No jargon, no stack trace.</small>' +
+        '</div>' +
+      '</div>' +
+    '</div>' +
+  '</div>';
+}
+function attRow(demoHtml, strong, smallText) {
+  return '<div class="att-row">' +
+    '<div class="demo">' + demoHtml + '</div>' +
+    '<div class="desc"><strong>' + escHtml(strong) + '</strong>' +
+      '<small>' + escHtml(smallText) + '</small>' +
+    '</div>' +
+  '</div>';
+}
+// Gallery-only variant: render a per-agent badge for a given visual state
+// (verified / degraded / unverified) without going through the agent
+// status mapping. Used by renderAttestation to show all three states
+// side by side as design reference.
+function renderAgentAttestationBadgeForState(cls, label) {
+  return '<span class="att-agent ' + escHtml(cls) + '" title="Agent attestation"><span class="mark"></span>' + escHtml(label) + '</span>';
+}
+function relTimeFromIso(iso) {
+  if (!iso) return "";
+  const d = new Date(iso);
+  if (isNaN(d.getTime())) return iso;
+  const diffMs = Date.now() - d.getTime();
+  const diffSec = Math.max(0, Math.floor(diffMs / 1000));
+  if (diffSec < 60) return diffSec + "s ago";
+  const diffMin = Math.floor(diffSec / 60);
+  if (diffMin < 60) return diffMin + "m ago";
+  const diffHr = Math.floor(diffMin / 60);
+  if (diffHr < 24) return diffHr + "h ago";
+  const diffDay = Math.floor(diffHr / 24);
+  return diffDay + "d ago";
+}
 function renderAgentsList() {
-  if (!state.agents.length) return '<h1>Agents</h1><p class="muted">No wrapped agents yet. Run <code>sanctuary wrap</code> to wrap a harness.</p>';
+  if (!state.agents.length) return '<h1>Agents</h1>' +
+    '<div class="agents-empty">' +
+      '<div class="icon-frame"><div class="core"></div></div>' +
+      '<h2>No wrapped agents yet.</h2>' +
+      '<p>Wrap an agent to give it a portable identity, a charter, and approval gates. Run <code>sanctuary wrap</code> in any project where your agent lives.</p>' +
+      '<div class="terminal-block"><span class="cmd"><span class="prompt">$</span>sanctuary wrap</span></div>' +
+    '</div>';
+  const count = state.agents.length;
+  const subCopy = count + ' wrapped. Click one to inspect its activity, policy, and pending approvals.';
   const rows = state.agents.map(function (a) {
     const map = STATUS_MAP[a.status] || STATUS_MAP.unknown;
-    const reason = a.status_reason_class ? (REASON_LABELS[a.status_reason_class] || "") : "";
-    return '<div class="row">' +
-      '<span class="glyph ' + map.glyph + '"></span>' +
-      '<div class="grow"><strong>' + escHtml(a.agent_id) + '</strong> <span class="muted mono">' + escHtml(a.harness) + '</span></div>' +
-      '<span class="pill" title="' + escHtml(reason) + '">' + escHtml(map.label) + '</span>' +
-      '<button class="btn" data-action="open-agent" data-agent-id="' + escHtml(a.agent_id) + '">Open</button>' +
+    const dotCls = agentStateClass(a.status);
+    const initials = agentInitials(a.agent_id);
+    const role = escHtml(a.harness) + (a.model_provider && a.model_provider.model_id ? ' · ' + escHtml(a.model_provider.model_id) : '');
+    const isSelected = state.selectedAgentId === a.agent_id;
+    return '<div class="agent-row' + (isSelected ? ' selected' : '') + '" data-action="open-agent" data-agent-id="' + escHtml(a.agent_id) + '" role="button" tabindex="0" title="Open inspect panel for ' + escHtml(a.agent_id) + '">' +
+      '<div class="agent-identity">' +
+        '<div class="agent-glyph">' + escHtml(initials) + '</div>' +
+        '<div class="agent-name">' +
+          '<strong>' + escHtml(a.agent_id) + '</strong>' +
+          '<small>' + role + '</small>' +
+        '</div>' +
+      '</div>' +
+      '<span class="agent-state">' +
+        '<span class="state-dot ' + dotCls + '"></span>' +
+        escHtml(map.label) +
+      '</span>' +
+      renderAgentAttestationBadge(a.status) +
+      '<span class="agent-last">' + escHtml(relTimeFromIso(a.last_activity_at)) + '</span>' +
       '</div>';
   }).join("\n");
-  return '<h1>Agents</h1><div class="card">' + rows + '</div>';
+  return '<div class="agents-wrap">' +
+    '<div class="page-head">' +
+      '<div>' +
+        '<p class="eyebrow">Agents</p>' +
+        '<h1>Agents.</h1>' +
+        '<p class="sub">' + escHtml(subCopy) + '</p>' +
+      '</div>' +
+    '</div>' +
+    '<div class="agents-layout">' +
+      '<div class="agents-list">' +
+        '<div class="agents-list-head">' +
+          '<span>Agent</span><span>State</span><span>Attestation</span><span>Last seen</span>' +
+        '</div>' +
+        rows +
+      '</div>' +
+    '</div>' +
+  '</div>';
 }
 
 function renderAgentDetail() {
@@ -12598,7 +12896,10 @@ function renderAgentDetail() {
   const timeline = events.length
     ? events.map(function (e) {
         const t = renderTemplate(e.display_template_id, e.display_template_args);
-        return '<div class="row"><span class="muted">' + escHtml(shortTime(e.emitted_at)) + '</span><span>' + escHtml(t) + '</span></div>';
+        const badgeHtml = e.attestation
+          ? ' ' + renderActionAttestationBadge(e.attestation.state, e.attestation.fragment)
+          : '';
+        return '<div class="row"><span class="muted">' + escHtml(shortTime(e.emitted_at)) + '</span><span>' + escHtml(t) + badgeHtml + '</span></div>';
       }).join("\n")
     : '<p class="muted">No activity yet.</p>';
   // WP-V1.2 reshape click-to-inspect surface. Clicking "Open inspect
@@ -12642,53 +12943,99 @@ function renderAgentInspectPanel(agent) {
     : "";
 
   // State 2: panel loaded.
+  // Sprint Piece 2 PR 4 polish: outer wrapper combines .card with
+  // .inspect-pane (sticky right rail, internal scroll, sectioned body).
+  // The .card class is preserved so the rendered surface keeps its
+  // shared card chrome; .inspect-pane overrides .card padding so the
+  // inspect-head and inspect-body control their own spacing per design.
   if (panel) {
+    const dotCls = agentStateClass(agent.status);
+    const stateMap = STATUS_MAP[agent.status] || STATUS_MAP.unknown;
     const activity = (panel.recent_activity || []).slice(0, 20);
     const activityHtml = activity.length
-      ? activity.map(function (e) {
+      ? '<div class="timeline">' +
+        activity.map(function (e) {
           const t = renderTemplate(e.display_template_id, e.display_template_args);
-          return '<div class="row"><span class="muted mono">' + escHtml(shortTime(e.emitted_at)) + '</span><span>' + escHtml(t) + '</span></div>';
-        }).join("\n")
+          const badgeHtml = e.attestation
+            ? renderActionAttestationBadge(e.attestation.state, e.attestation.fragment)
+            : '';
+          return '<div class="timeline-item ok">' +
+            '<div class="ts">' + escHtml(shortTime(e.emitted_at)) + '</div>' +
+            '<div class="what">' + escHtml(t) + '</div>' +
+            (badgeHtml ? '<div class="att">' + badgeHtml + '</div>' : '') +
+            '</div>';
+        }).join("") +
+        '</div>'
       : '<p class="muted">No recent activity for this agent.</p>';
 
     const approvals = panel.pending_approvals || [];
     const approvalsHtml = approvals.length
       ? approvals.map(function (item) {
           const promptText = renderTemplate(item.display_template_id, item.display_template_args);
-          return '<div class="row">' +
-            '<span class="pill tone-info">' + escHtml(item.tier || "tier1") + '</span>' +
-            '<div class="grow">' + escHtml(promptText) + '</div>' +
-            '<button class="btn btn-primary" data-action="inbox-approve" data-item-id="' + escHtml(item.item_id) + '">Approve</button>' +
-            '<button class="btn" data-action="inbox-deny" data-item-id="' + escHtml(item.item_id) + '">Deny</button>' +
+          return '<div class="approval-row">' +
+            '<div class="what">' +
+              '<span class="pill tone-degraded">' + escHtml(item.tier || "tier1") + '</span>' +
+              escHtml(promptText) +
+            '</div>' +
+            '<div class="actions">' +
+              '<button class="btn" data-action="inbox-deny" data-item-id="' + escHtml(item.item_id) + '">Deny</button>' +
+              '<button class="btn btn-primary" data-action="inbox-approve" data-item-id="' + escHtml(item.item_id) + '">Approve once</button>' +
+            '</div>' +
             '</div>';
-        }).join("\n")
+        }).join("")
       : '<p class="muted">No pending approvals routed through this agent.</p>';
 
-    const policyLine = panel.policy_summary
-      ? '<dt>Policy</dt><dd class="mono">' + escHtml(panel.policy_summary.display_label || panel.policy_summary.policy_id) + '</dd>' +
+    const policySection = panel.policy_summary
+      ? '<div class="policy-line"><span class="k">Policy</span><span class="v">' + escHtml(panel.policy_summary.display_label || panel.policy_summary.policy_id) + '</span></div>' +
         (panel.policy_summary.channel_template_id
-          ? '<dt>Template</dt><dd class="mono">' + escHtml(panel.policy_summary.channel_template_id) + '</dd>'
+          ? '<div class="policy-line"><span class="k">Template</span><span class="v">' + escHtml(panel.policy_summary.channel_template_id) + '</span></div>'
           : '') +
-        '<dt>Bound</dt><dd class="mono">' + escHtml(shortTime(panel.policy_summary.bound_at)) + '</dd>'
-      : '<dt>Policy</dt><dd class="muted">No bound policy yet.</dd>';
-
-    return '<div class="card">' +
-      '<div class="concierge-header">' +
-        '<div class="concierge-persona"><strong>Inspect ' + escHtml(agent.agent_id) + '</strong> ' +
-          '<span class="muted">opened ' + escHtml(shortTime(panel.opened_at)) + '</span></div>' +
-        '<button class="btn" data-action="agent-inspect-open" data-agent-id="' + escHtml(agent.agent_id) + '">Refresh</button>' +
+        '<div class="policy-line"><span class="k">Bound</span><span class="v">' + escHtml(shortTime(panel.policy_summary.bound_at)) + '</span></div>'
+      : '<div class="policy-line"><span class="k">Policy</span><span class="v">No bound policy yet.</span></div>';
+
+    const modelLine = agent.model_provider
+      ? '<div class="policy-line"><span class="k">Model</span><span class="v">' + escHtml(agent.model_provider.vendor) + ' / ' + escHtml(agent.model_provider.model_id) + '</span></div>'
+      : '';
+
+    return '<div class="card inspect-pane">' +
+      '<div class="inspect-head">' +
+        '<div class="row1">' +
+          '<div class="agent-glyph">' + escHtml(agentInitials(agent.agent_id)) + '</div>' +
+          '<h3>' + escHtml(agent.agent_id) + '</h3>' +
+          '<span style="margin-left:auto;">' + renderAgentAttestationBadge(agent.status) + '</span>' +
+        '</div>' +
+        '<div class="meta">' +
+          '<span class="pill ' + (dotCls === "live" ? "tone-verified" : "tone-degraded") + '"><span class="state-dot ' + dotCls + '" style="margin-right:4px;"></span>' + escHtml(stateMap.label) + '</span>' +
+          '<span class="pill">opened ' + escHtml(shortTime(panel.opened_at)) + '</span>' +
+          '<button class="btn btn-quiet" data-action="agent-inspect-open" data-agent-id="' + escHtml(agent.agent_id) + '" title="Refresh inspect panel">Refresh</button>' +
+        '</div>' +
+      '</div>' +
+      '<div class="inspect-body">' +
+        errorBanner +
+        '<div class="inspect-section">' +
+          '<h4>Pending approvals' + (approvals.length ? ' <span class="count">' + approvals.length + '</span>' : '') + '</h4>' +
+          approvalsHtml +
+        '</div>' +
+        '<div class="inspect-section">' +
+          '<h4>Recent activity</h4>' +
+          activityHtml +
+        '</div>' +
+        '<div class="inspect-section">' +
+          '<h4>Policy summary</h4>' +
+          policySection +
+        '</div>' +
+        '<div class="inspect-section">' +
+          '<h4>Identity</h4>' +
+          '<div class="policy-line"><span class="k">Agent id</span><span class="v">' + escHtml(agent.agent_id) + '</span></div>' +
+          '<div class="policy-line"><span class="k">Harness</span><span class="v">' + escHtml(agent.harness) + '</span></div>' +
+          modelLine +
+          '<div class="policy-line"><span class="k">Wrapped at</span><span class="v">' + escHtml(shortTime(agent.wrapped_at)) + '</span></div>' +
+        '</div>' +
+        '<p class="muted" style="margin-top:10px;font-size:12px;">' +
+          '<a href="#activity?agent=' + escHtml(agent.agent_id) + '">View full activity</a> · ' +
+          '<a href="#policy">Edit policy</a>' +
+        '</p>' +
       '</div>' +
-      errorBanner +
-      '<h3>Pending approvals</h3>' +
-      approvalsHtml +
-      '<h3 style="margin-top:14px;">Recent activity</h3>' +
-      activityHtml +
-      '<h3 style="margin-top:14px;">Policy</h3>' +
-      '<dl class="kv">' + policyLine + '</dl>' +
-      '<p class="muted" style="margin-top:10px;font-size:12px;">' +
-        '<a href="#activity?agent=' + escHtml(agent.agent_id) + '">View full activity</a> · ' +
-        '<a href="#policy">Edit policy</a>' +
-      '</p>' +
     '</div>';
   }
 
@@ -12837,6 +13184,16 @@ function statusDotClass(status) {
   return "red";
 }
 
+// Card-grid polish (Sprint Piece 2 PR 3) maps the badge dot class onto
+// the shaped glyph token. Sage circle for ok, ochre triangle for warn,
+// rust diamond for fail. Keep aligned with .status-glyph rules in
+// html.ts and the .intel-card-status modifier classes.
+function statusGlyphClass(dotClass) {
+  if (dotClass === "green") return "ok";
+  if (dotClass === "yellow") return "warn";
+  return "fail";
+}
+
 function statusLabel(health) {
   if (health === "ok") return "Working";
   if (health === "degraded") return "Degraded";
@@ -12876,13 +13233,18 @@ function renderIntelligenceCenter() {
   }
   const status = state.intelligence.status;
   const config = state.intelligence.config || {};
-  const surfaceRows = SURFACES_ORDER.map(function (surfaceId) {
+  const surfaceCards = SURFACES_ORDER.map(function (surfaceId) {
     const surfaceStatus = (status.surfaces || []).find(function (s) { return s.surface === surfaceId; });
     if (!surfaceStatus) {
-      return '<div class="intel-row"><div class="intel-row-name">' + escHtml(SURFACE_LABELS[surfaceId] || surfaceId) +
-        '<small>' + escHtml(surfaceId) + '</small></div>' +
-        '<div class="intel-row-body muted">No status reported.</div>' +
-        '<div></div></div>';
+      return '<div class="intel-row intel-card" data-intel-surface="' + escHtml(surfaceId) + '">' +
+        '<div class="intel-card-head">' +
+          '<div class="intel-card-name">' +
+            '<strong>' + escHtml(SURFACE_LABELS[surfaceId] || surfaceId) + '</strong>' +
+            '<small>' + escHtml(surfaceId) + '</small>' +
+          '</div>' +
+        '</div>' +
+        '<div class="muted">No status reported.</div>' +
+      '</div>';
     }
     const substrate = surfaceStatus.chosen;
     const localPick = (config.local_model_picks || {})[surfaceId];
@@ -12900,41 +13262,62 @@ function renderIntelligenceCenter() {
       if (provider) currentBadge = currentBadge + " (" + (FRONTIER_PROVIDER_LABELS[provider] || provider) + ")";
     }
     const dotClass = statusDotClass((surfaceStatus.badge || {}).status || "red");
+    const glyphClass = statusGlyphClass(dotClass);
     const failures = surfaceStatus.recentFailures || [];
     const expanded = !!state.intelligence.expandedFailures[surfaceId];
-    let failuresBlock = "";
+
+    // Card foot. The failures toggle is the load-bearing affordance for
+    // the rc.6 ZZ test (button[data-action="intel-failures-toggle"] with
+    // text "recent failures (N)"). Pluralization is "failures" regardless
+    // of N for backward compatibility with the seeded test contract.
+    // Surface zero-failure state as a quiet mono note so the card still
+    // has visual rhythm in its foot row.
+    let footHtml;
     if (failures.length > 0) {
       const toggleLabel = (expanded ? "Hide" : "View") + " recent failures (" + failures.length + ")";
-      const list = expanded
-        ? '<ul class="intel-row-failures-list">' +
-            failures.slice().reverse().map(function (f) {
-              return '<li><span class="muted mono">' + escHtml(shortTime(f.ts)) + '</span> ' +
-                '<span class="pill warn">' + escHtml(f.failureClass) + '</span> ' +
-                '<span class="muted">' + escHtml(f.snippet) + '</span></li>';
-            }).join("") +
-          '</ul>'
-        : '';
-      failuresBlock =
-        '<div class="intel-row-failures">' +
-          '<button class="btn btn-link" data-action="intel-failures-toggle" data-intel-surface="' + escHtml(surfaceId) + '">' +
-            escHtml(toggleLabel) +
-          '</button>' +
-          list +
+      footHtml =
+        '<button class="intel-failures-toggle' + (expanded ? ' open' : '') + '" data-action="intel-failures-toggle" data-intel-surface="' + escHtml(surfaceId) + '">' +
+          '<span class="caret"></span>' +
+          escHtml(toggleLabel) +
+        '</button>';
+    } else {
+      footHtml = '<span class="muted mono" style="font-size: 11px;">no recent failures</span>';
+    }
+
+    let failuresBlock = "";
+    if (failures.length > 0 && expanded) {
+      const rows = failures.slice().reverse().map(function (f) {
+        return '<div class="intel-failure-row">' +
+          '<span class="ts">' + escHtml(shortTime(f.ts)) + '</span>' +
+          '<div>' +
+            '<div class="err-class">' + escHtml(f.failureClass) + '</div>' +
+            '<div>' + escHtml(f.snippet) + '</div>' +
+          '</div>' +
         '</div>';
+      }).join("");
+      failuresBlock = '<div class="intel-failures">' + rows + '</div>';
     }
-    return '<div class="intel-row" data-intel-surface="' + escHtml(surfaceId) + '">' +
-      '<div class="intel-row-name">' + escHtml(SURFACE_LABELS[surfaceId] || surfaceId) +
-        '<small>' + escHtml(surfaceId) + '</small></div>' +
-      '<div class="intel-row-body">' +
-        '<div class="intel-row-current">' +
-          '<span class="intel-status-dot ' + dotClass + '" title="' + escHtml(statusLabel(surfaceStatus.health)) + '"></span>' +
-          '<span class="pill">' + escHtml(currentBadge) + '</span>' +
-          '<span class="muted mono">' + escHtml(statusLabel(surfaceStatus.health)) + '</span>' +
+
+    return '<div class="intel-row intel-card" data-intel-surface="' + escHtml(surfaceId) + '">' +
+      '<div class="intel-card-head">' +
+        '<div class="intel-card-name">' +
+          '<strong>' + escHtml(SURFACE_LABELS[surfaceId] || surfaceId) + '</strong>' +
+          '<small>' + escHtml(surfaceId) + '</small>' +
         '</div>' +
-        '<div class="intel-row-tradeoff">' + escHtml(substrateTradeoff(substrate)) + '</div>' +
-        failuresBlock +
+        '<span class="intel-card-status ' + glyphClass + '" title="' + escHtml(statusLabel(surfaceStatus.health)) + '">' +
+          '<span class="status-glyph ' + glyphClass + '"></span>' +
+          escHtml(statusLabel(surfaceStatus.health)) +
+        '</span>' +
       '</div>' +
-      '<div><button class="btn" data-action="intel-picker-open" data-intel-surface="' + escHtml(surfaceId) + '">Change</button></div>' +
+      '<div class="intel-substrate">' +
+        '<div class="sub-line primary">' +
+          '<span>' + escHtml(currentBadge) + '</span>' +
+          '<button class="btn-quiet" data-action="intel-picker-open" data-intel-surface="' + escHtml(surfaceId) + '">Change</button>' +
+        '</div>' +
+      '</div>' +
+      '<div class="intel-row-tradeoff">' + escHtml(substrateTradeoff(substrate)) + '</div>' +
+      '<div class="intel-card-foot">' + footHtml + '</div>' +
+      failuresBlock +
     '</div>';
   }).join("\n");
 
@@ -12946,11 +13329,15 @@ function renderIntelligenceCenter() {
 
   const modal = state.intelligence.picker.open ? renderIntelligencePicker() : "";
 
-  return '<section class="intel-center">' +
-    '<p class="eyebrow">INTELLIGENCE</p>' +
-    '<h1>Intelligence Substrate</h1>' +
-    '<p class="intel-subtitle">Choose how Sanctuary thinks. Tradeoffs visible per surface. Multi-option framing is preserved: no single substrate is the right answer.</p>' +
-    '<section class="intel-panel"><h2>Surfaces</h2>' + surfaceRows + '</section>' +
+  return '<section class="intel-wrap">' +
+    '<div class="page-head">' +
+      '<div>' +
+        '<p class="eyebrow">Intelligence</p>' +
+        '<h1>Substrate routing.</h1>' +
+        '<p class="sub">Six surfaces, six choices. Each surface picks where its thinking happens. Local for privacy. Hosted for capability. Hybrid for both.</p>' +
+      '</div>' +
+    '</div>' +
+    '<div class="intel-grid">' + surfaceCards + '</div>' +
     '<section class="intel-panel"><h2>Host capability</h2>' +
       '<dl class="intel-hardware">' +
         '<dt>Total RAM</dt><dd>' + escHtml(hardware.totalRamGb || "?") + ' GB</dd>' +
@@ -13743,6 +14130,13 @@ document.addEventListener("click", function (ev) {
   const intelLocalModel = tgt.getAttribute("data-intel-local-model");
   const intelFrontierProvider = tgt.getAttribute("data-intel-frontier-provider");
   if (action === "lockdown") return void onLockdownClick();
+  if (action === "theme-toggle") {
+    const isDark = document.documentElement.getAttribute("data-theme") === "dark";
+    const next = isDark ? "light" : "dark";
+    sessionStorage.setItem(THEME_KEY, next);
+    applyTheme(next);
+    return;
+  }
   if (action === "intel-reload") { return void fetchIntelligenceState().then(rerender); }
   if (action === "intel-picker-open" && intelSurface) return void onIntelPickerOpen(intelSurface);
   if (action === "intel-picker-close") return onIntelPickerClose();
@@ -13896,12 +14290,30 @@ document.addEventListener("input", function (ev) {
 // then the dashboard view renders a static welcome card with no form
 // inputs that could be confused for a working command surface.
 
-// Theme: system preference only at v1.1.
+// Theme: explicit operator preference (sessionStorage) overrides system
+// pref. The toggle button in the topbar dispatches data-action
+// "theme-toggle" which writes the chosen theme and updates the
+// [data-theme] attribute. When no explicit choice exists, fall back to
+// system preference and track changes so dark-mode-at-sunset behavior
+// keeps working on macOS / Windows.
+const THEME_KEY = "sanctuary-v11-theme";
+function applyTheme(theme) {
+  if (theme === "dark") document.documentElement.setAttribute("data-theme", "dark");
+  else document.documentElement.removeAttribute("data-theme");
+}
+const explicitTheme = sessionStorage.getItem(THEME_KEY);
 const mq = window.matchMedia ? window.matchMedia("(prefers-color-scheme: dark)") : null;
-if (mq && mq.matches) document.documentElement.setAttribute("data-theme", "dark");
+if (explicitTheme === "dark" || explicitTheme === "light") {
+  applyTheme(explicitTheme);
+} else if (mq && mq.matches) {
+  applyTheme("dark");
+}
 if (mq) mq.addEventListener("change", function (e) {
-  if (e.matches) document.documentElement.setAttribute("data-theme", "dark");
-  else document.documentElement.removeAttribute("data-theme");
+  // Only honor system pref changes when the operator has not made an
+  // explicit choice. Once they toggle, the choice sticks for the
+  // session.
+  if (sessionStorage.getItem(THEME_KEY)) return;
+  applyTheme(e.matches ? "dark" : "light");
 });
 
 // Boot.
@@ -13937,6 +14349,26 @@ var STYLES = String.raw`:root {
   --rad: 6px;
   --rad-lg: 10px;
   --shadow: 0 1px 2px rgba(0,0,0,0.04), 0 0 0 1px rgba(0,0,0,0.02);
+  /* Type scale. Names are size-relative, not semantic, so refactors do
+     not need to invent new names. Existing rules used these literal px
+     values; tokens make future polish a one-line change. */
+  --text-xs: 11px;
+  --text-sm: 12px;
+  --text-base: 13px;
+  --text-md: 14px;
+  --text-lg: 16px;
+  --text-xl: 22px;
+  --text-display: 36px;
+  /* Spacing scale (4px multiples). Layout-specific magic numbers
+     (220px sidebar, 360px fortress rail, concierge-card heights) stay
+     as literals because the token system is for component padding /
+     margin / gap, not grid track sizing. */
+  --space-1: 4px;
+  --space-2: 8px;
+  --space-3: 12px;
+  --space-4: 16px;
+  --space-5: 24px;
+  --space-6: 32px;
 }
 [data-theme="dark"] {
   --paper: #121210;
@@ -13963,7 +14395,7 @@ var STYLES = String.raw`:root {
 html, body { margin: 0; padding: 0; }
 body {
   font-family: var(--sans);
-  font-size: 14px;
+  font-size: var(--text-md);
   background: var(--paper);
   color: var(--ink);
   line-height: 1.45;
@@ -13984,20 +14416,27 @@ body {
     "sidebar main";
 }
 .sidebar { grid-area: sidebar; background: var(--paper-2); border-right: 1px solid var(--rule); padding: 12px 8px; }
-.sidebar h1 { font-family: var(--serif); font-size: 16px; margin: 4px 8px 16px; }
+.sidebar h1 { font-family: var(--serif); font-size: var(--text-lg); margin: 4px 8px 16px; }
 .sidebar nav { display: flex; flex-direction: column; gap: 2px; }
 .sidebar nav a {
-  display: block; padding: 6px 10px; border-radius: var(--rad);
-  color: var(--ink-2); text-decoration: none; font-size: 13px;
+  display: flex; align-items: center; gap: var(--space-2);
+  padding: 6px 10px; border-radius: var(--rad);
+  color: var(--ink-2); text-decoration: none; font-size: var(--text-base);
+}
+.sidebar nav a svg {
+  flex-shrink: 0; width: 16px; height: 16px;
+  color: var(--ink-3);
 }
 .sidebar nav a:hover { background: var(--paper-3); }
+.sidebar nav a:hover svg { color: var(--ink-2); }
 .sidebar nav a.active { background: var(--surface); color: var(--ink); border: 1px solid var(--rule); }
-.topbar { grid-area: topbar; display: flex; align-items: center; gap: 12px; padding: 0 16px; border-bottom: 1px solid var(--rule); background: var(--surface); }
-.topbar .brand { font-family: var(--serif); font-size: 14px; }
+.sidebar nav a.active svg { color: var(--ink); }
+.topbar { grid-area: topbar; display: flex; align-items: center; gap: var(--space-3); padding: 0 16px; border-bottom: 1px solid var(--rule); background: var(--surface); }
+.topbar .brand { font-family: var(--serif); font-size: var(--text-md); }
 .topbar .pills { display: flex; gap: 6px; flex: 1; }
 .pill {
   display: inline-flex; align-items: center; gap: 4px;
-  padding: 2px 8px; border-radius: 12px; font-size: 11px;
+  padding: 2px 8px; border-radius: 12px; font-size: var(--text-xs);
   font-family: var(--mono); border: 1px solid var(--rule);
   background: var(--surface-2); color: var(--ink-2);
 }
@@ -14009,7 +14448,7 @@ body {
   display: inline-flex; align-items: center; gap: 4px;
   padding: 4px 10px; border-radius: var(--rad);
   background: var(--surface); border: 1px solid var(--rule);
-  font-family: var(--sans); font-size: 12px; color: var(--ink);
+  font-family: var(--sans); font-size: var(--text-sm); color: var(--ink);
   cursor: pointer;
 }
 .btn:hover:not(:disabled) { background: var(--surface-2); }
@@ -14019,21 +14458,30 @@ body {
 .btn.btn-danger { background: var(--rust-bg); color: var(--rust); border-color: var(--rust); }
 .btn.tier1-pending { background: var(--ochre-bg); color: var(--ochre); border-color: var(--ochre); }
 .btn.tier1-engaged { background: var(--rust-bg); color: var(--rust); border-color: var(--rust); }
+.btn.btn-icon {
+  padding: 4px 6px;
+  display: inline-flex; align-items: center; justify-content: center;
+  color: var(--ink-2);
+}
+.btn.btn-icon svg { width: 16px; height: 16px; }
+.btn.btn-icon .icon-sun { display: none; }
+[data-theme="dark"] .btn.btn-icon .icon-moon { display: none; }
+[data-theme="dark"] .btn.btn-icon .icon-sun { display: inline; }
 .main { grid-area: main; overflow-y: auto; padding: 16px 24px; }
-.fortress { grid-area: fortress; overflow-y: auto; border-left: 1px solid var(--rule); background: var(--paper-2); padding: 12px; display: flex; flex-direction: column; gap: 10px; }
+.fortress { grid-area: fortress; overflow-y: auto; border-left: 1px solid var(--rule); background: var(--paper-2); padding: var(--space-3); display: flex; flex-direction: column; gap: 10px; }
 .app.route-full .fortress { display: none; }
 .card {
   background: var(--surface); border: 1px solid var(--rule);
-  border-radius: var(--rad); padding: 12px;
+  border-radius: var(--rad); padding: var(--space-3);
 }
-.card h3 { margin: 0 0 8px; font-size: 13px; font-weight: 600; color: var(--ink); }
+.card h3 { margin: 0 0 8px; font-size: var(--text-base); font-weight: 600; color: var(--ink); }
 .muted { color: var(--ink-3); }
-.mono { font-family: var(--mono); font-size: 12px; }
-.row { display: flex; align-items: center; gap: 8px; padding: 6px 0; border-bottom: 1px dashed var(--rule); }
+.mono { font-family: var(--mono); font-size: var(--text-sm); }
+.row { display: flex; align-items: center; gap: var(--space-2); padding: 6px 0; border-bottom: 1px dashed var(--rule); }
 .row:last-child { border-bottom: 0; }
 .row .grow { flex: 1; min-width: 0; }
 .agent-row { flex-direction: column; align-items: stretch; gap: 6px; }
-.agent-row-head { display: flex; align-items: center; gap: 8px; min-width: 0; }
+.agent-row-head { display: flex; align-items: center; gap: var(--space-2); min-width: 0; }
 .agent-row-head .grow { flex: 1; min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 .agent-row-actions { display: flex; flex-wrap: wrap; gap: 4px; }
 /* Click-to-inspect affordance: the head sub-row of a fortress-column
@@ -14043,7 +14491,7 @@ body {
 .agent-row-head[data-action="agent-row-inspect-open"] { cursor: pointer; border-radius: var(--rad); padding: 4px 6px; margin: -4px -6px; }
 .agent-row-head[data-action="agent-row-inspect-open"]:hover { background: var(--paper-3); }
 .agent-row-head[data-action="agent-row-inspect-open"]:focus-visible { outline: 2px solid var(--ink-3); outline-offset: 1px; }
-.kv { display: grid; grid-template-columns: max-content 1fr; gap: 4px 12px; font-size: 12px; }
+.kv { display: grid; grid-template-columns: max-content 1fr; gap: 4px 12px; font-size: var(--text-sm); }
 .kv dt { color: var(--ink-3); }
 .kv dd { margin: 0; color: var(--ink); }
 .glyph { display: inline-block; width: 8px; height: 8px; border-radius: 50%; background: var(--ink-4); }
@@ -14054,74 +14502,74 @@ body {
 .toast {
   position: fixed; bottom: 16px; right: 16px;
   background: var(--ink); color: var(--paper); padding: 8px 12px;
-  border-radius: var(--rad); font-size: 12px; z-index: 1000;
+  border-radius: var(--rad); font-size: var(--text-sm); z-index: 1000;
   max-width: 360px;
 }
 .toast.error { background: var(--rust); color: var(--paper); }
-.layer-card { background: var(--surface-2); border: 1px solid var(--rule); border-radius: var(--rad); padding: 8px; }
-.layer-card h4 { margin: 0 0 4px; font-size: 12px; font-weight: 600; }
-.layer-card p { margin: 0; font-size: 11px; color: var(--ink-3); }
-.chat-thread { display: flex; flex-direction: column; gap: 8px; padding-bottom: 12px; }
+.layer-card { background: var(--surface-2); border: 1px solid var(--rule); border-radius: var(--rad); padding: var(--space-2); }
+.layer-card h4 { margin: 0 0 4px; font-size: var(--text-sm); font-weight: 600; }
+.layer-card p { margin: 0; font-size: var(--text-xs); color: var(--ink-3); }
+.chat-thread { display: flex; flex-direction: column; gap: var(--space-2); padding-bottom: 12px; }
 .chat-msg { padding: 8px 10px; border-radius: var(--rad); border: 1px solid var(--rule); background: var(--surface); max-width: 78%; }
-.chat-msg.system { background: var(--paper-3); color: var(--ink-3); font-size: 12px; max-width: 100%; }
+.chat-msg.system { background: var(--paper-3); color: var(--ink-3); font-size: var(--text-sm); max-width: 100%; }
 .chat-msg.agent { align-self: flex-start; }
 .chat-msg.operator { align-self: flex-end; background: var(--ink); color: var(--paper); }
 .chat-msg .meta { font-size: 10px; color: var(--ink-4); margin-top: 4px; }
-.composer { display: flex; gap: 8px; padding: 8px; border-top: 1px solid var(--rule); }
+.composer { display: flex; gap: var(--space-2); padding: var(--space-2); border-top: 1px solid var(--rule); }
 .composer input { flex: 1; padding: 6px 8px; border: 1px solid var(--rule); border-radius: var(--rad); font-family: var(--sans); }
 .wizard-step { padding: 10px; border: 1px solid var(--rule); border-radius: var(--rad); margin-bottom: 8px; background: var(--surface); }
 .wizard-step.active { border-color: var(--ink); }
 .wizard-step.done { background: var(--sage-bg); border-color: var(--sage); }
-.code-block { font-family: var(--mono); background: var(--paper-3); padding: 8px; border-radius: var(--rad); font-size: 12px; overflow-x: auto; }
+.code-block { font-family: var(--mono); background: var(--paper-3); padding: var(--space-2); border-radius: var(--rad); font-size: var(--text-sm); overflow-x: auto; }
 .policy-center { max-width: 980px; margin: 0 auto; }
-.policy-center .eyebrow { margin: 0 0 6px; color: var(--ink-3); font-family: var(--mono); font-size: 12px; letter-spacing: 0; }
-.policy-center h1 { font-family: var(--serif); font-size: 36px; line-height: 1.08; font-weight: 400; margin: 0 0 10px; }
+.policy-center .eyebrow { margin: 0 0 6px; color: var(--ink-3); font-family: var(--mono); font-size: var(--text-sm); letter-spacing: 0; }
+.policy-center h1 { font-family: var(--serif); font-size: var(--text-display); line-height: 1.08; font-weight: 400; margin: 0 0 10px; }
 .policy-subtitle { max-width: 860px; color: var(--ink-2); font-size: 15px; margin: 0 0 24px; }
 .policy-panel { background: var(--surface); border: 1px solid var(--rule); border-radius: var(--rad-lg); padding: 20px; margin: 18px 0; }
-.policy-panel h2 { font-family: var(--serif); font-size: 22px; font-weight: 400; margin: 0 0 14px; }
-.template-grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 12px; }
+.policy-panel h2 { font-family: var(--serif); font-size: var(--text-xl); font-weight: 400; margin: 0 0 14px; }
+.template-grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: var(--space-3); }
 .template-card { background: var(--surface-2); border: 1px solid var(--rule); border-radius: var(--rad); padding: 14px; min-height: 132px; }
-.template-card-head { display: flex; justify-content: space-between; align-items: center; gap: 8px; margin-bottom: 12px; }
-.severity { border-radius: 999px; padding: 2px 9px; font-family: var(--mono); font-size: 11px; font-weight: 700; }
+.template-card-head { display: flex; justify-content: space-between; align-items: center; gap: var(--space-2); margin-bottom: 12px; }
+.severity { border-radius: 999px; padding: 2px 9px; font-family: var(--mono); font-size: var(--text-xs); font-weight: 700; }
 .severity.low { color: var(--sage); background: var(--sage-bg); }
 .severity.medium { color: var(--ochre); background: var(--ochre-bg); }
 .template-id { background: var(--paper-3); border-radius: var(--rad); padding: 2px 7px; color: var(--ink-3); }
-.template-card h3 { font-size: 16px; margin: 0 0 6px; }
-.template-card p { color: var(--ink-3); margin: 0; font-size: 14px; }
+.template-card h3 { font-size: var(--text-lg); margin: 0 0 6px; }
+.template-card p { color: var(--ink-3); margin: 0; font-size: var(--text-md); }
 .rules-scroll { overflow-x: auto; }
 .rules-table { width: 100%; border-collapse: collapse; min-width: 760px; }
-.rules-table th { text-align: left; color: var(--ink-3); font-family: var(--mono); font-size: 12px; letter-spacing: 0; padding: 8px 10px; border-bottom: 1px solid var(--rule); }
+.rules-table th { text-align: left; color: var(--ink-3); font-family: var(--mono); font-size: var(--text-sm); letter-spacing: 0; padding: 8px 10px; border-bottom: 1px solid var(--rule); }
 .rules-table td { padding: 12px 10px; border-bottom: 1px solid var(--rule); vertical-align: top; }
 .link-btn, .template-cell { border: 0; background: transparent; color: var(--ink); padding: 0; cursor: pointer; font: inherit; text-align: left; }
 .template-cell { font-family: var(--mono); max-width: 180px; overflow-wrap: anywhere; }
 .template-picker { position: absolute; z-index: 20; margin-top: 8px; width: min(420px, calc(100vw - 80px)); background: var(--surface); border: 1px solid var(--rule-2); border-radius: var(--rad); box-shadow: var(--shadow); padding: 10px; }
 .template-picker-options { display: grid; gap: 6px; max-height: 320px; overflow-y: auto; }
-.template-option { display: grid; grid-template-columns: 18px 1fr; gap: 8px; padding: 8px; border: 1px solid var(--rule); border-radius: var(--rad); background: var(--surface-2); }
+.template-option { display: grid; grid-template-columns: 18px 1fr; gap: var(--space-2); padding: var(--space-2); border: 1px solid var(--rule); border-radius: var(--rad); background: var(--surface-2); }
 .template-option small { display: block; color: var(--ink-3); margin-top: 2px; }
-.template-picker-actions { display: flex; justify-content: flex-end; gap: 8px; margin-top: 10px; }
+.template-picker-actions { display: flex; justify-content: flex-end; gap: var(--space-2); margin-top: 10px; }
 .allow-count { color: var(--sage); font-weight: 700; }
 .block-count { color: var(--rust); }
 .toggle-on { display: inline-block; width: 28px; height: 16px; border-radius: 999px; background: var(--sage); position: relative; }
 .toggle-on::after { content: ""; position: absolute; right: 2px; top: 2px; width: 12px; height: 12px; border-radius: 50%; background: var(--surface); }
 .error-text { color: var(--rust); margin: 8px 0 0; }
 .intel-center { max-width: 980px; margin: 0 auto; }
-.intel-center .eyebrow { margin: 0 0 6px; color: var(--ink-3); font-family: var(--mono); font-size: 12px; letter-spacing: 0; }
-.intel-center h1 { font-family: var(--serif); font-size: 36px; line-height: 1.08; font-weight: 400; margin: 0 0 10px; }
+.intel-center .eyebrow { margin: 0 0 6px; color: var(--ink-3); font-family: var(--mono); font-size: var(--text-sm); letter-spacing: 0; }
+.intel-center h1 { font-family: var(--serif); font-size: var(--text-display); line-height: 1.08; font-weight: 400; margin: 0 0 10px; }
 .intel-subtitle { max-width: 860px; color: var(--ink-2); font-size: 15px; margin: 0 0 24px; }
 .intel-panel { background: var(--surface); border: 1px solid var(--rule); border-radius: var(--rad-lg); padding: 20px; margin: 18px 0; }
-.intel-panel h2 { font-family: var(--serif); font-size: 22px; font-weight: 400; margin: 0 0 14px; }
-.intel-row { display: grid; grid-template-columns: 200px 1fr auto; gap: 16px; padding: 14px 0; border-bottom: 1px solid var(--rule); align-items: start; }
+.intel-panel h2 { font-family: var(--serif); font-size: var(--text-xl); font-weight: 400; margin: 0 0 14px; }
+.intel-row { display: grid; grid-template-columns: 200px 1fr auto; gap: var(--space-4); padding: 14px 0; border-bottom: 1px solid var(--rule); align-items: start; }
 .intel-row:last-child { border-bottom: 0; }
 .intel-row-name { font-weight: 600; }
-.intel-row-name small { display: block; color: var(--ink-3); font-weight: 400; font-size: 12px; margin-top: 2px; font-family: var(--mono); }
+.intel-row-name small { display: block; color: var(--ink-3); font-weight: 400; font-size: var(--text-sm); margin-top: 2px; font-family: var(--mono); }
 .intel-row-body { display: flex; flex-direction: column; gap: 6px; min-width: 0; }
-.intel-row-current { display: flex; gap: 8px; align-items: center; flex-wrap: wrap; }
-.intel-row-tradeoff { color: var(--ink-2); font-size: 13px; line-height: 1.5; }
+.intel-row-current { display: flex; gap: var(--space-2); align-items: center; flex-wrap: wrap; }
+.intel-row-tradeoff { color: var(--ink-2); font-size: var(--text-base); line-height: 1.5; }
 .intel-status-dot { display: inline-block; width: 10px; height: 10px; border-radius: 50%; }
 .intel-status-dot.green { background: var(--sage); }
 .intel-status-dot.yellow { background: var(--ochre); }
 .intel-status-dot.red { background: var(--rust); }
-.intel-hardware { display: grid; grid-template-columns: max-content 1fr; gap: 4px 16px; font-size: 13px; }
+.intel-hardware { display: grid; grid-template-columns: max-content 1fr; gap: 4px 16px; font-size: var(--text-base); }
 .intel-hardware dt { color: var(--ink-3); font-family: var(--mono); }
 .intel-hardware dd { margin: 0; }
 .intel-modal-backdrop {
@@ -14134,33 +14582,162 @@ body {
   box-shadow: 0 8px 32px rgba(0,0,0,0.18); padding: 24px;
   width: 100%; max-width: 640px;
 }
-.intel-modal h2 { font-family: var(--serif); font-size: 22px; font-weight: 400; margin: 0 0 8px; }
-.intel-modal-subtitle { color: var(--ink-3); margin: 0 0 18px; font-size: 13px; }
+.intel-modal h2 { font-family: var(--serif); font-size: var(--text-xl); font-weight: 400; margin: 0 0 8px; }
+.intel-modal-subtitle { color: var(--ink-3); margin: 0 0 18px; font-size: var(--text-base); }
 .intel-option {
-  border: 1px solid var(--rule); border-radius: var(--rad); padding: 12px;
+  border: 1px solid var(--rule); border-radius: var(--rad); padding: var(--space-3);
   margin-bottom: 10px; background: var(--surface-2); cursor: pointer;
   display: grid; grid-template-columns: 18px 1fr; gap: 10px; align-items: start;
 }
 .intel-option.selected { border-color: var(--ink); background: var(--surface); }
-.intel-option-body strong { display: block; font-size: 14px; margin-bottom: 4px; }
-.intel-option-body small { display: block; color: var(--ink-3); font-size: 12px; line-height: 1.5; }
+.intel-option-body strong { display: block; font-size: var(--text-md); margin-bottom: 4px; }
+.intel-option-body small { display: block; color: var(--ink-3); font-size: var(--text-sm); line-height: 1.5; }
 .intel-suboptions { margin-top: 10px; padding: 10px; background: var(--paper-3); border-radius: var(--rad); }
-.intel-suboptions label { display: block; margin: 6px 0; font-size: 13px; }
+.intel-suboptions label { display: block; margin: 6px 0; font-size: var(--text-base); }
 .intel-suboptions input[type="text"], .intel-suboptions input[type="password"] {
   width: 100%; padding: 6px 8px; border: 1px solid var(--rule); border-radius: var(--rad);
-  font-family: var(--mono); font-size: 12px; box-sizing: border-box;
+  font-family: var(--mono); font-size: var(--text-sm); box-sizing: border-box;
+}
+.intel-modal-actions { display: flex; justify-content: flex-end; gap: var(--space-2); margin-top: 18px; }
+/*
+ * Intelligence panel polish (Sprint Piece 2 PR 3). Card grid layout
+ * replaces the legacy 3-col row visual. The legacy .intel-row and
+ * .intel-status-dot rules above are retained for the e2e selector
+ * contract (.intel-row[data-intel-surface="..."]) and as the responsive
+ * fallback. Cards render as a flex column with a substrate inset,
+ * status badge with shaped glyph, and a recent-failures toggle in the
+ * card foot.
+ */
+.intel-wrap { max-width: 1000px; margin: 0 auto; }
+.intel-grid {
+  display: grid;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 12px;
+}
+.intel-card {
+  background: var(--surface);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad-lg);
+  padding: 16px;
+  display: flex; flex-direction: column;
+  gap: 12px;
+}
+.intel-card-head {
+  display: flex; align-items: flex-start; justify-content: space-between;
+  gap: 10px;
+}
+.intel-card-name {
+  display: flex; flex-direction: column; gap: 2px;
+  min-width: 0;
+}
+.intel-card-name strong {
+  font-family: var(--serif); font-weight: 500;
+  font-size: 15px; letter-spacing: 0.005em;
+}
+.intel-card-name small {
+  color: var(--ink-3); font-size: 11px; font-family: var(--mono);
+}
+.intel-card-status {
+  display: inline-flex; align-items: center; gap: 6px;
+  font-family: var(--mono); font-size: 11px;
+  padding: 3px 9px; border-radius: 999px;
+  border: 1px solid var(--rule); background: var(--surface-2);
+  flex-shrink: 0;
+}
+.intel-card-status.ok { color: var(--sage); border-color: var(--sage); background: var(--sage-bg); }
+.intel-card-status.warn { color: var(--ochre); border-color: var(--ochre); background: var(--ochre-bg); }
+.intel-card-status.fail { color: var(--rust); border-color: var(--rust); background: var(--rust-bg); }
+.status-glyph {
+  width: 10px; height: 10px;
+  position: relative; flex-shrink: 0;
 }
-.intel-modal-actions { display: flex; justify-content: flex-end; gap: 8px; margin-top: 18px; }
+.status-glyph.ok::before {
+  content: ""; position: absolute; inset: 0;
+  border-radius: 50%; background: currentColor;
+}
+.status-glyph.warn::before {
+  content: ""; position: absolute; inset: 0;
+  background: currentColor;
+  clip-path: polygon(50% 0%, 100% 100%, 0% 100%);
+}
+.status-glyph.fail::before {
+  content: ""; position: absolute; inset: 1px;
+  background: currentColor;
+  clip-path: polygon(50% 0, 100% 50%, 50% 100%, 0 50%);
+}
+.intel-substrate {
+  display: flex; flex-direction: column; gap: 4px;
+  padding: 10px 12px;
+  background: var(--paper-2);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad);
+}
+.intel-substrate .sub-line {
+  display: flex; justify-content: space-between; align-items: center;
+  gap: 10px; font-size: 12px;
+}
+.intel-substrate .sub-line.primary {
+  font-family: var(--mono); font-size: 13px; color: var(--ink);
+}
+.intel-substrate .sub-line.secondary { color: var(--ink-3); font-size: 11px; }
+.intel-card-foot {
+  display: flex; align-items: center; justify-content: space-between;
+  gap: 8px; padding-top: 4px;
+}
+.intel-failures-toggle {
+  display: inline-flex; align-items: center; gap: 6px;
+  font-size: 12px; font-family: var(--mono);
+  color: var(--ink-3);
+  background: transparent; border: 0; padding: 0;
+  cursor: pointer;
+}
+.intel-failures-toggle:hover { color: var(--ink); }
+.intel-failures-toggle .caret {
+  display: inline-block; width: 0; height: 0;
+  border-left: 4px solid transparent;
+  border-right: 4px solid transparent;
+  border-top: 5px solid currentColor;
+  transition: transform 160ms ease;
+}
+.intel-failures-toggle.open .caret { transform: rotate(180deg); }
+.intel-failures {
+  border-top: 1px solid var(--rule);
+  padding-top: 12px;
+  display: flex; flex-direction: column;
+  gap: 8px;
+}
+.intel-failure-row {
+  display: grid; grid-template-columns: 88px 1fr; gap: 12px;
+  font-size: 12px; padding: 8px 10px;
+  border-radius: var(--rad);
+  background: var(--paper-2);
+  border: 1px solid var(--rule);
+}
+.intel-failure-row .ts {
+  font-family: var(--mono); font-size: 11px; color: var(--ink-3);
+}
+.intel-failure-row .err-class {
+  font-family: var(--mono); font-size: 10px;
+  letter-spacing: 0.04em; text-transform: uppercase;
+  color: var(--rust); margin-bottom: 2px;
+}
+.btn-quiet {
+  background: transparent; border: 1px solid var(--rule);
+  padding: 2px 6px; font-size: 11px;
+  border-radius: var(--rad); cursor: pointer;
+  color: var(--ink-2); font-family: var(--sans);
+}
+.btn-quiet:hover { background: var(--surface-2); color: var(--ink); }
 .banner-warn {
   background: var(--ochre-bg); color: var(--ochre); border: 1px solid var(--ochre);
-  border-radius: var(--rad); padding: 8px 12px; margin: 8px 0; font-size: 13px;
+  border-radius: var(--rad); padding: 8px 12px; margin: 8px 0; font-size: var(--text-base);
 }
 .banner-info {
   background: var(--indigo-bg); color: var(--indigo); border: 1px solid var(--indigo);
-  border-radius: var(--rad); padding: 8px 12px; margin: 8px 0; font-size: 13px;
+  border-radius: var(--rad); padding: 8px 12px; margin: 8px 0; font-size: var(--text-base);
 }
 .btn.chip {
-  border-radius: 999px; padding: 4px 12px; font-size: 12px;
+  border-radius: 999px; padding: 4px 12px; font-size: var(--text-sm);
   background: var(--surface-2); border-color: var(--rule);
 }
 .btn.chip:hover:not(:disabled) { background: var(--paper-3); }
@@ -14177,85 +14754,210 @@ body {
  * dynamically, but the input box is below the fold, so I still have
  * to scroll." rc.5 closes that with a structural layout fix.
  */
+/* Sprint Piece 2 PR 2 (2026-05-03): concierge surface polish.
+ * Translates Claude Design references at
+ * server/docs/design-refs/sprint-piece-2/surface-concierge.jsx and the
+ * Surface 1 block of surfaces.css. The bounded-card layout above is
+ * preserved verbatim because rc.5 and the DDD e2e suite depend on it;
+ * the Claude Design reference uses height: 720px for the card, but
+ * production keeps the calc-based bounded height so the card adapts
+ * to the operator viewport. The polish lands the persona glyph-ring,
+ * mono uppercase author labels, paper-2 background for concierge
+ * replies, suggest-grid empty-state cards, and the composer input-wrap
+ * with the keyboard-shortcut pill.
+ */
+.concierge-wrap { max-width: 880px; margin: 0 auto; }
+.page-head {
+  display: flex; align-items: flex-end; justify-content: space-between;
+  gap: var(--space-4);
+  margin-bottom: 18px; padding-bottom: 14px;
+  border-bottom: 1px solid var(--rule);
+}
+.page-head .eyebrow {
+  font-family: var(--mono); font-size: var(--text-xs);
+  letter-spacing: 0.08em; text-transform: uppercase;
+  color: var(--ink-3);
+  margin: 0 0 6px;
+}
+.page-head h1 {
+  font-family: var(--serif); font-weight: 400;
+  font-size: 28px; letter-spacing: -0.01em;
+  margin: 0 0 4px;
+}
+.page-head .sub {
+  color: var(--ink-3); margin: 0;
+  font-size: var(--text-base); max-width: 60ch;
+}
 .concierge-card {
   display: flex; flex-direction: column;
   height: calc(100vh - 180px);
   max-height: calc(100vh - 180px);
   min-height: 360px;
-  padding: 16px 18px;
+  padding: 18px 22px 14px;
   gap: 0;
 }
 .concierge-header {
   display: flex; align-items: center; justify-content: space-between;
-  gap: 12px; padding-bottom: 12px; border-bottom: 1px solid var(--rule);
+  gap: var(--space-3); padding-bottom: 14px;
+  border-bottom: 1px solid var(--rule);
   flex-wrap: wrap;
   flex-shrink: 0;
 }
-.concierge-persona {
-  display: flex; align-items: baseline; gap: 8px;
-  font-size: 14px;
+.concierge-persona { display: flex; align-items: center; gap: 10px; }
+.concierge-persona .glyph-ring {
+  width: 26px; height: 26px;
+  border: 1.5px solid var(--ink-2);
+  border-radius: 50%;
+  position: relative;
+  flex-shrink: 0;
+}
+.concierge-persona .glyph-ring::after {
+  content: ""; position: absolute; inset: 5px;
+  border-radius: 50%; background: var(--ink-2);
+}
+.concierge-persona-text { display: flex; flex-direction: column; }
+.concierge-persona-text strong {
+  font-family: var(--serif); font-weight: 500;
+  font-size: 15px; letter-spacing: 0.005em;
+}
+.concierge-persona-text small {
+  color: var(--ink-3); font-size: var(--text-xs);
+  font-family: var(--mono);
+}
+.concierge-meta {
+  display: flex; gap: 6px; align-items: center; flex-wrap: wrap;
 }
-.concierge-persona strong { font-size: 14px; }
 .concierge-badge { white-space: nowrap; }
 .concierge-history {
   flex: 1 1 auto;
   min-height: 0;
   overflow-y: auto;
-  padding: 14px 4px;
-  display: flex; flex-direction: column; gap: 14px;
+  padding: 18px 4px 6px;
+  display: flex; flex-direction: column; gap: 18px;
 }
 .concierge-msg {
-  display: flex; flex-direction: column; gap: 4px;
-  max-width: 80%;
+  display: flex; flex-direction: column; gap: 5px;
+  max-width: 78%;
 }
 .concierge-msg-author {
-  font-size: 11px;
+  font-size: 10px;
+  font-family: var(--mono);
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  color: var(--ink-4);
 }
 .concierge-msg-body {
-  padding: 10px 14px; border-radius: 12px;
-  border: 1px solid var(--rule); background: var(--surface);
-  white-space: pre-wrap; word-wrap: break-word;
-  font-size: 14px; line-height: 1.5;
+  padding: 11px 14px;
+  border-radius: 12px;
+  border: 1px solid var(--rule);
+  background: var(--surface);
+  font-size: var(--text-md);
+  line-height: 1.55;
+  white-space: pre-wrap;
+  word-wrap: break-word;
 }
 .concierge-msg-concierge { align-self: flex-start; }
+.concierge-msg-concierge .concierge-msg-body {
+  background: var(--paper-2);
+}
 .concierge-msg-operator { align-self: flex-end; align-items: flex-end; }
 .concierge-msg-operator .concierge-msg-body {
   background: var(--ink); color: var(--paper); border-color: var(--ink);
 }
+.concierge-msg-meta {
+  display: flex; gap: 6px;
+  font-size: 10px;
+  color: var(--ink-4);
+  font-family: var(--mono);
+}
 .concierge-empty {
-  padding: 24px 8px; text-align: left;
-  font-size: 13px; line-height: 1.6;
+  flex: 1 1 auto;
+  display: flex; flex-direction: column; gap: 22px;
+  justify-content: center;
+  padding: 24px 12px;
+}
+.concierge-empty-headline { max-width: 52ch; }
+.concierge-empty-headline h2 {
+  font-family: var(--serif); font-weight: 400;
+  font-size: var(--text-xl); margin: 0 0 6px;
+  letter-spacing: -0.005em;
+}
+.concierge-empty-headline p {
+  color: var(--ink-3); margin: 0;
+  font-size: var(--text-md); line-height: 1.55;
+}
+.concierge-suggest-grid {
+  display: grid;
+  grid-template-columns: repeat(3, minmax(0, 1fr));
+  gap: 10px;
+}
+.concierge-suggest {
+  background: var(--surface);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad);
+  padding: 12px 14px;
+  font-size: var(--text-base);
+  cursor: pointer;
+  display: flex; flex-direction: column;
+  gap: 6px;
+  text-align: left;
+  font-family: var(--sans);
+  color: var(--ink);
+}
+.concierge-suggest:hover:not(:disabled) {
+  background: var(--surface-2);
+  border-color: var(--rule-2);
+}
+.concierge-suggest:disabled {
+  cursor: not-allowed; color: var(--ink-4); opacity: 0.7;
+}
+.concierge-suggest .label {
+  font-family: var(--mono);
+  font-size: 10px;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  color: var(--ink-3);
 }
 .concierge-composer {
   display: flex; gap: 10px; align-items: center;
-  padding: 12px 0 8px;
+  padding: 12px 0 4px;
   border-top: 1px solid var(--rule);
   flex-shrink: 0;
 }
+.concierge-composer .input-wrap {
+  flex: 1;
+  display: flex; align-items: center; gap: var(--space-2);
+  padding: 8px 12px;
+  border: 1px solid var(--rule);
+  border-radius: var(--rad);
+  background: var(--surface);
+}
+.concierge-composer .input-wrap:focus-within {
+  border-color: var(--ink-3);
+}
 .concierge-composer input {
   flex: 1; min-width: 0;
-  padding: 10px 14px;
-  border: 1px solid var(--rule); border-radius: var(--rad);
-  font-family: var(--sans); font-size: 14px;
-  background: var(--surface); color: var(--ink);
+  padding: 4px 0;
+  border: 0;
+  background: transparent;
+  color: var(--ink);
+  font-family: var(--sans);
+  font-size: var(--text-md);
+  outline: none;
 }
-.concierge-composer input:focus {
-  outline: none; border-color: var(--ink-3);
+.concierge-composer input::placeholder { color: var(--ink-4); }
+.concierge-composer .composer-meta {
+  font-family: var(--mono);
+  font-size: 10px;
+  color: var(--ink-4);
+  letter-spacing: 0.04em;
 }
 .concierge-composer .btn-primary {
-  padding: 8px 18px; font-size: 13px; flex-shrink: 0;
-}
-.concierge-chips {
-  display: flex; flex-wrap: wrap; gap: 6px;
-  padding: 10px 0 0;
-}
-.concierge-chips::before {
-  content: "Try:"; color: var(--ink-3); font-size: 12px;
-  align-self: center; margin-right: 4px;
+  padding: 8px 18px; font-size: var(--text-base); flex-shrink: 0;
 }
 .concierge-foot {
   margin: 12px 0 0; padding-top: 10px; border-top: 1px dashed var(--rule);
-  font-size: 12px;
+  font-size: var(--text-sm);
 }
 .concierge-foot a { color: var(--ink-2); }
 .tier1-approval-card {
@@ -14263,20 +14965,532 @@ body {
   border-radius: var(--rad); padding: 14px 16px; margin: 12px 0;
 }
 .tier1-approval-card h3 {
-  margin: 0 0 8px; color: var(--ochre); font-size: 14px;
+  margin: 0 0 8px; color: var(--ochre); font-size: var(--text-md);
 }
-.tier1-approval-card p { margin: 0 0 12px; font-size: 13px; }
+.tier1-approval-card p { margin: 0 0 12px; font-size: var(--text-base); }
 .tier1-approval-card .actions {
-  display: flex; gap: 8px; flex-wrap: wrap;
+  display: flex; gap: var(--space-2); flex-wrap: wrap;
+}
+/* Sprint Piece 2 PR 4 (2026-05-04): Agents view + Inspect pane polish.
+ * Translates Claude Design references at
+ * server/docs/design-refs/sprint-piece-2/surface-agents.jsx and the
+ * Surface 3 block of surfaces.css. The fortress-column .agent-row,
+ * .agent-row-head, and .agent-row-actions rules above are kept verbatim
+ * because Finding DD tests pin them; the new Agents-view list scopes
+ * its grid layout under .agents-list (descendant selector) so the
+ * fortress-column rules are unaffected. The inspect pane combines the
+ * existing .card surface with .inspect-pane structure (sticky right
+ * rail, internal scroll, sectioned body) for the agent-detail view.
+ */
+.agents-wrap { max-width: 1080px; margin: 0 auto; }
+.agents-layout {
+  display: grid;
+  grid-template-columns: 1fr 420px;
+  gap: 20px;
+  align-items: start;
+}
+.agents-list {
+  background: var(--surface);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad-lg);
+  overflow: hidden;
+}
+.agents-list-head {
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) 110px 120px 88px;
+  gap: 12px;
+  padding: 10px 16px;
+  border-bottom: 1px solid var(--rule);
+  background: var(--paper-2);
+  font-family: var(--mono);
+  font-size: 10px;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  color: var(--ink-3);
+}
+.agents-list .agent-row {
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) 110px 120px 88px;
+  gap: 12px;
+  padding: 14px 16px;
+  border-bottom: 1px solid var(--rule);
+  align-items: center;
+  cursor: pointer;
+  transition: background 120ms ease;
+}
+.agents-list .agent-row:last-child { border-bottom: 0; }
+.agents-list .agent-row:hover { background: var(--paper-2); }
+.agents-list .agent-row.selected {
+  background: var(--paper-2);
+  box-shadow: inset 3px 0 0 var(--ink);
+}
+.agent-identity { display: flex; align-items: center; gap: 10px; min-width: 0; }
+.agent-glyph {
+  width: 28px; height: 28px;
+  border-radius: var(--rad);
+  background: var(--paper-3);
+  border: 1px solid var(--rule);
+  display: grid; place-items: center;
+  flex-shrink: 0;
+  font-family: var(--mono);
+  font-size: 11px;
+  color: var(--ink-2);
+  font-weight: 600;
+}
+.agent-name {
+  display: flex; flex-direction: column; min-width: 0;
+}
+.agent-name strong {
+  font-size: var(--text-base); font-weight: 500;
+  white-space: nowrap; overflow: hidden; text-overflow: ellipsis;
+}
+.agent-name small {
+  font-family: var(--mono); font-size: var(--text-xs); color: var(--ink-3);
+  white-space: nowrap; overflow: hidden; text-overflow: ellipsis;
+  display: block;
+}
+.agent-state {
+  display: inline-flex; align-items: center; gap: 6px;
+  font-size: var(--text-xs);
+  font-family: var(--mono);
+}
+.state-dot {
+  width: 7px; height: 7px; border-radius: 50%;
+  background: var(--ink-4);
+}
+.state-dot.live { background: var(--sage); animation: pulse-soft 2.4s ease-in-out infinite; }
+.state-dot.idle { background: var(--ochre); }
+.state-dot.off { background: var(--ink-4); }
+@keyframes pulse-soft {
+  0%, 100% { box-shadow: 0 0 0 0 currentColor; opacity: 1; }
+  50% { box-shadow: 0 0 0 4px transparent; opacity: 0.7; }
+}
+.agent-last {
+  font-family: var(--mono); font-size: var(--text-xs); color: var(--ink-3);
+}
+/* Inspect pane (combined with .card outer wrapper for the
+ * renderAgentInspectPanel return-shape regex anchored in
+ * dashboard-welcome.test.ts:152). The .inspect-pane modifier overrides
+ * .card padding so internal sections control their own spacing.
+ */
+.inspect-pane {
+  padding: 0;
+  display: flex; flex-direction: column;
+  position: sticky;
+  top: 20px;
+  max-height: calc(100vh - 100px);
+  overflow: hidden;
+}
+.inspect-head {
+  padding: 16px 18px;
+  border-bottom: 1px solid var(--rule);
+  display: flex; flex-direction: column; gap: 10px;
+}
+.inspect-head .row1 {
+  display: flex; align-items: center; gap: 10px;
+}
+.inspect-head h3 {
+  font-family: var(--serif); font-weight: 500;
+  font-size: 17px; margin: 0;
+}
+.inspect-head .meta {
+  display: flex; gap: 6px; flex-wrap: wrap;
+}
+.inspect-body {
+  overflow-y: auto;
+  padding: 4px 18px 18px;
+}
+.inspect-section {
+  padding: 14px 0;
+  border-bottom: 1px solid var(--rule);
+}
+.inspect-section:last-child { border-bottom: 0; }
+.inspect-section h4 {
+  font-family: var(--mono);
+  font-size: 10px;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--ink-3);
+  margin: 0 0 10px;
+  display: flex; align-items: center; justify-content: space-between;
+}
+.inspect-section h4 .count {
+  font-family: var(--mono);
+  background: var(--paper-3);
+  border-radius: 999px;
+  padding: 1px 7px;
+  color: var(--ink-2);
+  font-size: 10px;
+}
+.approval-row {
+  background: var(--ochre-bg);
+  border: 1px solid var(--ochre);
+  border-radius: var(--rad);
+  padding: 10px 12px;
+  margin-bottom: 8px;
+  display: flex; flex-direction: column; gap: 8px;
+}
+.approval-row .what { font-size: var(--text-base); color: var(--ink); }
+.approval-row .what .pill { margin-right: 6px; }
+.approval-row .why {
+  font-size: var(--text-sm); color: var(--ink-2);
+  padding-left: 10px;
+  border-left: 2px solid var(--ochre);
+}
+.approval-row .actions { display: flex; gap: 6px; justify-content: flex-end; }
+.timeline {
+  display: flex; flex-direction: column; gap: 0;
+  position: relative;
+  padding-left: 14px;
+}
+.timeline::before {
+  content: "";
+  position: absolute;
+  left: 4px; top: 6px; bottom: 6px;
+  width: 1px;
+  background: var(--rule);
+}
+.timeline-item {
+  position: relative;
+  padding: 6px 0 10px;
+  font-size: var(--text-sm);
+}
+.timeline-item::before {
+  content: "";
+  position: absolute;
+  left: -14px; top: 11px;
+  width: 8px; height: 8px;
+  border-radius: 50%;
+  background: var(--surface);
+  border: 1.5px solid var(--ink-4);
+}
+.timeline-item.ok::before { border-color: var(--sage); }
+.timeline-item.warn::before { border-color: var(--ochre); }
+.timeline-item.fail::before { border-color: var(--rust); }
+.timeline-item .ts {
+  font-family: var(--mono); font-size: 10px;
+  color: var(--ink-3);
+  letter-spacing: 0.02em;
+}
+.timeline-item .what {
+  margin-top: 2px; color: var(--ink); font-size: var(--text-base);
+}
+.timeline-item .att {
+  margin-top: 4px;
+  display: inline-flex;
+}
+.policy-line {
+  display: flex; justify-content: space-between; align-items: center;
+  padding: 5px 0; font-size: var(--text-base);
+  border-bottom: 1px dashed var(--rule);
+}
+.policy-line:last-child { border-bottom: 0; }
+.policy-line .k { color: var(--ink-3); }
+.policy-line .v { font-family: var(--mono); font-size: var(--text-sm); color: var(--ink); }
+/* Empty-state block for when no agents are wrapped. The
+ * renderAgentsList empty-state branch begins with the literal
+ * '<h1>Agents</h1>' (regex-pinned in agents-empty-state-canary.test.ts)
+ * and the "No wrapped agents yet." copy is preserved verbatim.
+ */
+.agents-empty {
+  background: var(--surface);
+  border: 1px dashed var(--rule-2);
+  border-radius: var(--rad-lg);
+  padding: 56px 40px;
+  text-align: center;
+  max-width: 720px;
+  margin: 32px auto;
+}
+.agents-empty .icon-frame {
+  width: 64px; height: 64px;
+  margin: 0 auto 18px;
+  border: 1px solid var(--rule);
+  border-radius: 50%;
+  display: grid; place-items: center;
+  position: relative;
+}
+.agents-empty .icon-frame::before,
+.agents-empty .icon-frame::after {
+  content: "";
+  position: absolute;
+  border: 1px solid var(--rule);
+  border-radius: 50%;
+}
+.agents-empty .icon-frame::before { inset: -8px; opacity: 0.6; }
+.agents-empty .icon-frame::after { inset: -16px; opacity: 0.3; }
+.agents-empty .icon-frame .core {
+  width: 22px; height: 22px;
+  background: var(--ink);
+  border-radius: 50%;
+}
+.agents-empty h2 {
+  font-family: var(--serif);
+  font-weight: 400;
+  font-size: var(--text-xl);
+  margin: 0 0 8px;
+}
+.agents-empty p {
+  color: var(--ink-3);
+  margin: 0 0 20px;
+  font-size: var(--text-md);
+  line-height: 1.55;
+  max-width: 50ch;
+  margin-left: auto; margin-right: auto;
+}
+.terminal-block {
+  text-align: left;
+  background: var(--paper-3);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad);
+  padding: 14px 16px;
+  font-family: var(--mono);
+  font-size: var(--text-base);
+  margin: 0 auto 16px;
+  max-width: 480px;
+  display: flex; align-items: center; justify-content: space-between;
+}
+.terminal-block .cmd { color: var(--ink); }
+.terminal-block .cmd .prompt { color: var(--ink-3); margin-right: 8px; user-select: none; }
+.copy-btn {
+  background: transparent; border: 0;
+  color: var(--ink-3); cursor: pointer;
+  font-family: var(--mono); font-size: var(--text-xs);
+  padding: 2px 6px;
+  border-radius: var(--rad);
+}
+.copy-btn:hover { color: var(--ink); background: var(--paper-2); }
+
+/* Surface 5. Attestation badge gallery. */
+.att-gallery {
+  display: flex; flex-direction: column; gap: 24px;
+  max-width: 1000px;
+  margin: 0 auto;
 }
+.att-section {
+  background: var(--surface);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad-lg);
+  padding: 22px 24px;
+}
+.att-section-head {
+  display: flex; justify-content: space-between; align-items: baseline;
+  gap: 12px;
+  margin-bottom: 16px;
+  padding-bottom: 12px;
+  border-bottom: 1px solid var(--rule);
+}
+.att-section-head h2 {
+  font-family: var(--serif);
+  font-weight: 400;
+  font-size: 19px;
+  margin: 0 0 4px;
+}
+.att-section-head p {
+  color: var(--ink-3);
+  margin: 0;
+  font-size: 13px;
+  line-height: 1.5;
+  max-width: 64ch;
+}
+.att-section-head .label {
+  font-family: var(--mono);
+  font-size: 10px;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--ink-3);
+}
+.att-row {
+  display: grid;
+  grid-template-columns: 240px 1fr;
+  gap: 24px;
+  padding: 14px 0;
+  border-bottom: 1px dashed var(--rule);
+  align-items: center;
+}
+.att-row:last-child { border-bottom: 0; }
+.att-row .demo {
+  display: flex; align-items: center; justify-content: flex-start;
+  padding: 12px 16px;
+  background: var(--paper-2);
+  border: 1px solid var(--rule);
+  border-radius: var(--rad);
+  min-height: 56px;
+}
+.att-row .desc strong {
+  font-size: 13px; display: block; margin-bottom: 3px;
+}
+.att-row .desc small {
+  color: var(--ink-3); font-size: 12px;
+  line-height: 1.5;
+}
+
+/* Global persistent badge. Lives in the topbar across every surface. */
+.att-global {
+  display: inline-flex; align-items: center;
+  gap: 8px;
+  padding: 4px 10px 4px 6px;
+  border: 1px solid var(--rule);
+  border-radius: 999px;
+  background: var(--surface-2);
+  font-family: var(--mono);
+  font-size: 11px;
+  color: var(--ink-2);
+}
+.att-global.verified { border-color: var(--sage); background: var(--sage-bg); color: var(--sage); }
+.att-global.degraded { border-color: var(--ochre); background: var(--ochre-bg); color: var(--ochre); }
+.att-global.unverified { border-color: var(--rust); background: var(--rust-bg); color: var(--rust); }
+.att-global .seal {
+  width: 18px; height: 18px;
+  position: relative;
+  flex-shrink: 0;
+}
+.att-global .seal-ring {
+  position: absolute; inset: 0;
+  border: 1.5px solid currentColor;
+  border-radius: 50%;
+}
+.att-global .seal-ring.dashed { border-style: dashed; }
+.att-global .seal-core {
+  position: absolute; inset: 4px;
+  background: currentColor;
+  border-radius: 50%;
+  opacity: 0.85;
+}
+.att-global.degraded .seal-core { background: transparent; border: 1px solid currentColor; }
+.att-global.unverified .seal-core {
+  background: transparent;
+  border: 1px solid currentColor;
+}
+.att-global.unverified .seal-core::after {
+  content: ""; position: absolute; inset: 0;
+  background: currentColor; opacity: 0.4;
+  clip-path: polygon(0 0, 100% 100%, 100% 90%, 10% 0);
+}
+.att-global .label {
+  font-family: var(--mono);
+  font-size: 11px;
+  letter-spacing: 0.02em;
+  text-transform: uppercase;
+}
+.att-global .hash {
+  font-family: var(--mono);
+  font-size: 10px;
+  opacity: 0.7;
+  border-left: 1px solid currentColor;
+  padding-left: 8px;
+  margin-left: 2px;
+}
+
+/* Per-agent badge. Square chip beside each agent. */
+.att-agent {
+  display: inline-flex; align-items: center;
+  gap: 6px;
+  padding: 3px 7px;
+  border-radius: var(--rad);
+  border: 1px solid var(--rule);
+  background: var(--surface);
+  font-family: var(--mono);
+  font-size: 10px;
+  color: var(--ink-2);
+}
+.att-agent .mark {
+  width: 10px; height: 10px;
+  border: 1.5px solid currentColor;
+  border-radius: 2px;
+  position: relative;
+}
+.att-agent.verified { color: var(--sage); border-color: var(--sage); background: var(--sage-bg); }
+.att-agent.verified .mark { background: currentColor; }
+.att-agent.degraded { color: var(--ochre); border-color: var(--ochre); background: var(--ochre-bg); }
+.att-agent.unverified { color: var(--rust); border-color: var(--rust); background: var(--rust-bg); }
+.att-agent.unverified .mark {
+  background: repeating-linear-gradient(
+    45deg, currentColor, currentColor 1px,
+    transparent 1px, transparent 3px
+  );
+}
+
+/* Per-action badge. Tiny inline tick on timeline rows. */
+.att-action {
+  display: inline-flex; align-items: center; gap: 4px;
+  font-family: var(--mono);
+  font-size: 10px;
+  color: var(--ink-3);
+  padding: 1px 6px;
+  border-radius: 4px;
+  background: var(--paper-3);
+  border: 1px solid transparent;
+}
+.att-action .tick {
+  width: 6px; height: 6px;
+  border-radius: 1px;
+  background: currentColor;
+}
+.att-action.verified { color: var(--sage); }
+.att-action.degraded { color: var(--ochre); }
+.att-action.unverified { color: var(--rust); }
+.att-action.neutral .tick { background: var(--ink-4); border-radius: 50%; }
+
+/* Custody-provenance badge stub (v1.x). Visibly stubbed with dashed border. */
+.att-custody {
+  display: inline-flex; align-items: center; gap: 8px;
+  padding: 4px 10px 4px 6px;
+  border-radius: var(--rad);
+  border: 1px dashed var(--rule-2);
+  background: var(--paper-3);
+  color: var(--ink-3);
+  font-family: var(--mono);
+  font-size: 10px;
+}
+.att-custody .seal-stub {
+  width: 16px; height: 16px;
+  border: 1px dashed var(--ink-4);
+  border-radius: 50%;
+  position: relative;
+  flex-shrink: 0;
+}
+.att-custody .seal-stub::after {
+  content: ""; position: absolute; inset: 4px;
+  border: 1px dashed var(--ink-4);
+  border-radius: 50%;
+}
+.att-custody .stub-tag {
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+}
+
+/* Tooltip surface for badges. */
+.att-tooltip {
+  background: var(--ink);
+  color: var(--paper);
+  font-family: var(--mono);
+  font-size: 11px;
+  padding: 8px 10px;
+  border-radius: var(--rad);
+  max-width: 280px;
+  line-height: 1.5;
+  display: inline-block;
+}
+[data-theme="dark"] .att-tooltip {
+  background: var(--paper-3);
+  color: var(--ink);
+}
+
 @media (max-width: 1100px) {
   .app, .app.route-full { grid-template-columns: 56px 1fr; grid-template-areas: "sidebar topbar" "sidebar main"; }
   .fortress { display: none; }
   .sidebar h1, .sidebar nav a span { display: none; }
+  .sidebar nav a { justify-content: center; padding: 8px 6px; }
   .template-grid { grid-template-columns: 1fr; }
   .policy-center h1 { font-size: 30px; }
   .intel-center h1 { font-size: 30px; }
   .intel-row { grid-template-columns: 1fr; }
+  .intel-grid { grid-template-columns: 1fr; }
+  .intel-failure-row { grid-template-columns: 1fr; }
+  .agents-layout { grid-template-columns: 1fr; }
+  .agents-list-head, .agents-list .agent-row { grid-template-columns: minmax(0, 1fr) 90px 90px; }
+  .agents-list-head span:nth-child(4), .agents-list .agent-row > .agent-last { display: none; }
+  .inspect-pane { position: static; max-height: none; }
 }
 `;
 var NAV_ITEMS = [
@@ -14284,11 +15498,26 @@ var NAV_ITEMS = [
   { id: "agents", label: "Agents" },
   { id: "policy", label: "Policy" },
   { id: "intelligence", label: "Intelligence" },
+  { id: "attestation", label: "Attestation" },
   { id: "privacy", label: "Privacy" },
   { id: "coordination", label: "Coordination" },
   { id: "health", label: "Health" },
   { id: "exit-drill", label: "Exit drill" }
 ];
+var NAV_ICON_PATHS = {
+  dashboard: '<rect x="2" y="2" width="5" height="5" rx="1"/><rect x="9" y="2" width="5" height="5" rx="1"/><rect x="2" y="9" width="5" height="5" rx="1"/><rect x="9" y="9" width="5" height="5" rx="1"/>',
+  agents: '<circle cx="6" cy="5.5" r="2.3"/><path d="M2 13.5c0-2.2 1.8-4 4-4s4 1.8 4 4"/><circle cx="11.5" cy="6" r="1.8"/><path d="M14 12.5c0-1.7-1.1-2.7-2.5-3"/>',
+  policy: '<path d="M4 2h5l3 3v9H4z"/><path d="M9 2v3h3"/><path d="M6 9h4M6 11.5h4"/>',
+  intelligence: '<rect x="3.5" y="3.5" width="9" height="9" rx="0.5"/><rect x="6" y="6" width="4" height="4"/><path d="M6 1.5v2M10 1.5v2M6 12.5v2M10 12.5v2M1.5 6h2M1.5 10h2M12.5 6h2M12.5 10h2"/>',
+  attestation: '<circle cx="8" cy="8" r="5.5"/><circle cx="8" cy="8" r="2.2"/><path d="M8 1.5v1.5M8 13v1.5M1.5 8h1.5M13 8h1.5"/>',
+  privacy: '<path d="M8 1.5L3 3v4.5c0 3 2.2 5.4 5 7 2.8-1.6 5-4 5-7V3z"/><path d="M6 8l1.5 1.5L10.5 6"/>',
+  coordination: '<circle cx="4" cy="3.5" r="1.4"/><circle cx="4" cy="12.5" r="1.4"/><circle cx="12" cy="8" r="1.4"/><path d="M4 4.9V11.1M4 5c0 3 3 3 6.7 3"/>',
+  health: '<path d="M2 8h2.5l1.5-4 3 8 1.5-4H14"/>',
+  "exit-drill": '<path d="M9.5 2H3v12h6.5"/><path d="M11 5l3 3-3 3"/><path d="M14 8H6.5"/>'
+};
+var SVG_OPEN = '<svg viewBox="0 0 16 16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">';
+var THEME_ICON_MOON = SVG_OPEN + '<path d="M13 9.5A5.5 5.5 0 0 1 6.5 3 5.5 5.5 0 1 0 13 9.5z"/></svg>';
+var THEME_ICON_SUN = SVG_OPEN + '<circle cx="8" cy="8" r="2.5"/><path d="M8 1.5v2M8 12.5v2M1.5 8h2M12.5 8h2M3.2 3.2l1.4 1.4M11.4 11.4l1.4 1.4M3.2 12.8l1.4-1.4M11.4 4.6l1.4-1.4"/></svg>';
 function escHtml2(value) {
   if (value == null) return "";
   return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
@@ -14301,9 +15530,11 @@ function renderDashboardV11Html(options = {}) {
   const fortressId = options.fortressId ?? "fortress";
   const sanctuaryVersion = options.sanctuaryVersion ?? SANCTUARY_VERSION;
   const embedClient = options.embedClient !== false;
-  const nav = NAV_ITEMS.map(
-    (n) => `<a href="#${n.id}" data-route="${n.id}"><span>${escHtml2(n.label)}</span></a>`
-  ).join("\n        ");
+  const nav = NAV_ITEMS.map((n) => {
+    const iconPath = NAV_ICON_PATHS[n.id] ?? "";
+    const icon = iconPath ? SVG_OPEN + iconPath + "</svg>" : "";
+    return `<a href="#${n.id}" data-route="${n.id}">${icon}<span>${escHtml2(n.label)}</span></a>`;
+  }).join("\n        ");
   const config = JSON.stringify({
     authToken,
     hubApiBase,
@@ -14335,8 +15566,12 @@ function renderDashboardV11Html(options = {}) {
         <span class="pill" data-pill="version">v${escHtml2(sanctuaryVersion)}</span>
         <span class="pill" data-pill="deployment">deployment: local</span>
         <span class="pill" data-pill="mode">mode: solo</span>
-        <span class="pill" data-pill="attestation">attestation: pending</span>
+        <span class="att-global pending" data-pill="attestation" title="Fortress attestation"><span class="seal"><span class="seal-ring dashed"></span><span class="seal-core"></span></span><span class="label">pending</span></span>
       </div>
+      <button class="btn btn-icon" id="btn-theme-toggle" data-action="theme-toggle" aria-label="Toggle theme" title="Toggle theme">
+        <span class="icon-moon">${THEME_ICON_MOON}</span>
+        <span class="icon-sun">${THEME_ICON_SUN}</span>
+      </button>
       <button class="btn btn-danger" id="btn-lockdown" data-action="lockdown">Lockdown</button>
     </header>
     <main class="main" id="main"><p class="muted">Loading dashboard.</p></main>
@@ -17669,8 +18904,8 @@ function verifySHR(shr, now) {
   const errors = [];
   const warnings = [];
   const currentTime = now ?? /* @__PURE__ */ new Date();
-  if (!shr.body || !shr.signed_by || !shr.signature) {
-    errors.push("Missing required SHR fields (body, signed_by, or signature)");
+  if (!shr.body || !shr.signed_by || !shr.signature || !shr.signature_scheme) {
+    errors.push("Missing required SHR fields (body, signed_by, signature_scheme, or signature)");
     return {
       valid: false,
       errors,
@@ -17683,6 +18918,9 @@ function verifySHR(shr, now) {
   if (shr.body.shr_version !== "1.0") {
     errors.push(`Unsupported SHR version: ${shr.body.shr_version}`);
   }
+  if (shr.signature_scheme !== SIGNATURE_SCHEME_V1) {
+    errors.push(`Unsupported SHR signature_scheme: ${String(shr.signature_scheme)}`);
+  }
   const expiresAt = new Date(shr.body.expires_at);
   if (isNaN(expiresAt.getTime())) {
     errors.push("Invalid expires_at timestamp");
@@ -28740,8 +29978,6 @@ function aggregateInbox(sources, store) {
   }
   return store.list();
 }
-
-// src/hub/activity-feed.ts
 var LIFECYCLE_VERBS = [
   "wrap",
   "unwrap",
@@ -28800,18 +30036,30 @@ function extractAgentIdHint(entry) {
   const value = details.agent_id;
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
+function deriveAttestationFragment(entryId) {
+  const hash2 = crypto.createHash("sha256").update(entryId).digest("hex");
+  return `${hash2.slice(0, 4)}..${hash2.slice(4, 6)}`;
+}
+function deriveAttestationState(entry) {
+  return entry.result === "success" ? "verified" : "degraded";
+}
 function projectEntry(entry) {
   const agentIdHint = extractAgentIdHint(entry);
   const category = categorizeOperation(entry.layer, entry.operation);
+  const entryId = `${entry.timestamp}|${entry.operation}|${entry.identity_id}`;
   return {
     version: "1.1",
-    entry_id: `${entry.timestamp}|${entry.operation}|${entry.identity_id}`,
+    entry_id: entryId,
     emitted_at: entry.timestamp,
     ...agentIdHint ? { agent_id: agentIdHint } : {},
     identity_id: entry.identity_id,
     category,
     display_template_id: templateIdFor(category, entry.operation),
-    display_template_args: buildTemplateArgs(entry, agentIdHint)
+    display_template_args: buildTemplateArgs(entry, agentIdHint),
+    attestation: {
+      state: deriveAttestationState(entry),
+      fragment: deriveAttestationFragment(entryId)
+    }
   };
 }
 async function aggregateActivity(sources, filter = {}) {
@@ -31760,7 +33008,7 @@ var MemoryStorage = class {
 };
 
 // src/contracts/v1.1/constants.ts
-var SIGNATURE_SCHEME_V1 = "ed25519-v1";
+var SIGNATURE_SCHEME_V12 = "ed25519-v1";
 var EXIT_BUNDLE_MANIFEST_VERSION = "SANCTUARY_EXIT_BUNDLE_V1";
 var EXIT_BUNDLE_ARTIFACT_KINDS = [
   "public_identity",
@@ -31785,6 +33033,12 @@ var EXIT_BUNDLE_PATH_MAX_BYTES = 256;
 // src/exit/verifier.ts
 init_encoding();
 init_hashing();
+var InvalidExitBundleError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "InvalidExitBundleError";
+  }
+};
 var PRIVATE_MATERIAL_KEYS = /* @__PURE__ */ new Set([
   "private_key",
   "privatekey",
@@ -31967,7 +33221,7 @@ function verifyReputationArtifact(reputationArtifact, publicKeysByDid) {
     unverifiable_attestations: unverifiable
   };
 }
-async function verifyExitBundle(bundleDir) {
+async function verifyExitBundle(bundleDir, options = {}) {
   const root = path.resolve(bundleDir);
   let manifest;
   let manifestBytes;
@@ -31976,7 +33230,9 @@ async function verifyExitBundle(bundleDir) {
     manifestBytes = new Uint8Array(raw.buffer, raw.byteOffset, raw.byteLength);
     manifest = JSON.parse(Buffer.from(raw).toString("utf8"));
   } catch {
-    return fail(root, null, "other", ["manifest.json is missing or unreadable"]);
+    throw new InvalidExitBundleError(
+      `Not a valid SANCTUARY_EXIT_BUNDLE_V1 directory: manifest.json missing at ${path.join(root, "manifest.json")}`
+    );
   }
   const warnings = [];
   const unsupportedArtifacts = [];
@@ -31984,7 +33240,7 @@ async function verifyExitBundle(bundleDir) {
   if (!body || body.manifest_version !== EXIT_BUNDLE_MANIFEST_VERSION) {
     return fail(root, manifest, "manifest_unknown_version", warnings, unsupportedArtifacts);
   }
-  if (body.signature_scheme !== SIGNATURE_SCHEME_V1) {
+  if (body.signature_scheme !== SIGNATURE_SCHEME_V12) {
     return fail(
       root,
       manifest,
@@ -32144,9 +33400,16 @@ async function verifyExitBundle(bundleDir) {
   }
   const reputationFailed = reputation?.bundle_signature_valid === false || (reputation?.invalid_attestations ?? 0) > 0;
   const identityFailed = identity ? !identity.signature_valid : false;
+  const unverifiableCount = reputation?.unverifiable_attestations ?? 0;
+  const unverifiableFailed = unverifiableCount > 0 && !options.acceptUnverifiableAttestations;
+  if (unverifiableFailed) {
+    warnings.push(
+      `${unverifiableCount} reputation attestation(s) have unknown signer public keys; pass --accept-unverifiable-attestations to import anyway`
+    );
+  }
   return {
     version: "1.1",
-    passed: !reputationFailed && !identityFailed,
+    passed: !reputationFailed && !identityFailed && !unverifiableFailed,
     verified_at: (/* @__PURE__ */ new Date()).toISOString(),
     manifest_path: path.join(root, "manifest.json"),
     manifest_hash: sha256Hex2(manifestBytes),
@@ -32163,7 +33426,7 @@ async function verifyExitBundle(bundleDir) {
     identity,
     audit,
     reputation,
-    failure_class: reputationFailed || identityFailed ? "other" : void 0
+    failure_class: reputationFailed || identityFailed || unverifiableFailed ? "other" : void 0
   };
 }
 
@@ -32176,6 +33439,14 @@ var EXIT_POLICY_SETS_NAMESPACE = "_exit_policy_sets";
 var EXIT_COMMITMENTS_NAMESPACE = "_exit_commitments";
 var EXIT_PLACEHOLDER_METADATA_NAMESPACE = "_exit_placeholder_metadata";
 var PRIVACY_PLACEHOLDER_NAMESPACE = "_privacy_placeholder_vault";
+var ExitBundleImportError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "ExitBundleImportError";
+    this.code = code;
+  }
+};
 function sha256Hex3(bytes) {
   return Array.from(hash(bytes)).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
@@ -32468,7 +33739,7 @@ async function exportExitBundle(opts) {
     ),
     artifacts_aggregate_hash_alg: "sha256",
     export_approval_audit_id: exportApprovalAuditId,
-    signature_scheme: SIGNATURE_SCHEME_V1
+    signature_scheme: SIGNATURE_SCHEME_V12
   };
   const signature = sign(
     canonicalizeToBytes(body),
@@ -32653,7 +33924,9 @@ async function stageArtifact(storage, namespace, key, value) {
   await storage.write(namespace, key, jsonBytes(value));
 }
 async function importExitBundle(opts) {
-  const verification = await verifyExitBundle(opts.bundleDir);
+  const verification = await verifyExitBundle(opts.bundleDir, {
+    acceptUnverifiableAttestations: opts.acceptUnverifiableAttestations
+  });
   if (!verification.passed) {
     return {
       verified: false,
@@ -32749,6 +34022,23 @@ async function importExitBundle(opts) {
       unsupported_artifacts: verification.unsupported_artifacts
     };
   }
+  if (conflicts.public_identity_exists && !opts.forceRebind) {
+    throw new ExitBundleImportError(
+      "IDENTITY_OVERWRITE_REFUSED",
+      "Importing this bundle would overwrite an existing fortress public identity. Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
+    );
+  }
+  if (conflicts.public_identity_exists && opts.forceRebind && identityArtifact) {
+    opts.auditLog.append(
+      "l1",
+      "exit_bundle_force_rebind",
+      identityArtifact.json.bundle.identity_id,
+      {
+        manifest_version: manifest.body.manifest_version,
+        fortress_id: manifest.body.identity_binding.fortress_id
+      }
+    );
+  }
   const importId = importIdForManifest(manifest);
   const stagedArtifacts = [];
   if (identityArtifact) {
@@ -32859,7 +34149,7 @@ function exitBundleManifestShape() {
     manifest_version: EXIT_BUNDLE_MANIFEST_VERSION,
     artifacts: [...EXIT_BUNDLE_ARTIFACT_KINDS],
     hash_alg: "sha256",
-    signature_scheme: SIGNATURE_SCHEME_V1,
+    signature_scheme: SIGNATURE_SCHEME_V12,
     required_top_level_file: "manifest.json",
     artifact_paths: [
       "artifacts/public_identity.json",
@@ -32968,6 +34258,11 @@ Options:
   --destination-identity-id <id>    Destination signer for re-keyed state
   --state-namespace <name>          Export a namespace; repeatable
   --conflict <skip|overwrite|version>
+  --force-rebind                    On import: explicitly replace an existing fortress
+                                    public identity (Tier 1 confirmation)
+  --accept-unverifiable-attestations
+                                    On import: accept reputation attestations whose
+                                    signer DID is not in the bundle (Tier 1 confirmation)
   --json
   --yes, -y                         Explicit non-interactive Tier 1 approval
   --help, -h
@@ -32996,7 +34291,22 @@ async function runExitCommand(args) {
         write(err, "Usage: sanctuary exit verify <dir>\n");
         return 2;
       }
-      const result = await verifyExitBundle(dir);
+      let result;
+      try {
+        result = await verifyExitBundle(dir, {
+          acceptUnverifiableAttestations: hasFlag(
+            argv,
+            "--accept-unverifiable-attestations"
+          )
+        });
+      } catch (e) {
+        if (e instanceof InvalidExitBundleError) {
+          write(err, `Error: ${e.message}
+`);
+          return 1;
+        }
+        throw e;
+      }
       if (json) {
         write(out, JSON.stringify(result, null, 2) + "\n");
       } else {
@@ -33074,9 +34384,15 @@ async function runExitCommand(args) {
         return 2;
       }
       const activate = hasFlag(argv, "--activate");
+      const forceRebind = hasFlag(argv, "--force-rebind");
+      const acceptUnverifiableAttestations = hasFlag(
+        argv,
+        "--accept-unverifiable-attestations"
+      );
       if (activate) {
+        const prompt = forceRebind ? "Tier 1 approval required: activate verified imported exit bundle AND replace the existing fortress public identity (force-rebind)?" : "Tier 1 approval required: activate verified imported exit bundle?";
         const approved = await confirmTier1(
-          "Tier 1 approval required: activate verified imported exit bundle?",
+          prompt,
           hasFlag(argv, "--yes") || hasFlag(argv, "-y"),
           stdin,
           err
@@ -33085,6 +34401,18 @@ async function runExitCommand(args) {
           write(err, "Aborted.\n");
           return 1;
         }
+        if (acceptUnverifiableAttestations) {
+          const acceptApproved = await confirmTier1(
+            "Tier 1 approval required: accept unverifiable reputation attestations on import?",
+            hasFlag(argv, "--yes") || hasFlag(argv, "-y"),
+            stdin,
+            err
+          );
+          if (!acceptApproved) {
+            write(err, "Aborted.\n");
+            return 1;
+          }
+        }
       }
       const ctx = await openExitContext(argv, env);
       const conflict = flagValue(argv, "--conflict") ?? "skip";
@@ -33092,19 +34420,31 @@ async function runExitCommand(args) {
         write(err, "--conflict must be skip, overwrite, or version\n");
         return 2;
       }
-      const result = await importExitBundle({
-        bundleDir: dir,
-        storage: ctx.storage,
-        masterKey: ctx.masterKey,
-        identityManager: ctx.identityManager,
-        auditLog: ctx.auditLog,
-        reputationStore: ctx.reputationStore,
-        activate,
-        conflictResolution: conflict,
-        sourcePassphrase: flagValue(argv, "--source-passphrase"),
-        sourceRecoveryKey: flagValue(argv, "--source-recovery-key"),
-        destinationSignerIdentityId: flagValue(argv, "--destination-identity-id")
-      });
+      let result;
+      try {
+        result = await importExitBundle({
+          bundleDir: dir,
+          storage: ctx.storage,
+          masterKey: ctx.masterKey,
+          identityManager: ctx.identityManager,
+          auditLog: ctx.auditLog,
+          reputationStore: ctx.reputationStore,
+          activate,
+          forceRebind,
+          acceptUnverifiableAttestations,
+          conflictResolution: conflict,
+          sourcePassphrase: flagValue(argv, "--source-passphrase"),
+          sourceRecoveryKey: flagValue(argv, "--source-recovery-key"),
+          destinationSignerIdentityId: flagValue(argv, "--destination-identity-id")
+        });
+      } catch (e) {
+        if (e instanceof InvalidExitBundleError) {
+          write(err, `Error: ${e.message}
+`);
+          return 1;
+        }
+        throw e;
+      }
       if (json) write(out, JSON.stringify(result, null, 2) + "\n");
       else {
         write(out, `verified: ${result.verified}
@@ -33334,7 +34674,7 @@ async function createSanctuaryServer(options) {
       const hasKeyParams = existingNamespaces.some((e) => e.key === "key-params");
       if (hasKeyParams) {
         throw new Error(
-          "Sanctuary: Found existing key derivation parameters but no recovery key hash.\nThis indicates a corrupted or incomplete installation.\nIf you previously used a passphrase, set SANCTUARY_PASSPHRASE to start."
+          "Sanctuary: passphrase required.\n\nThe fortress at this path uses passphrase-mode key derivation.\nSet SANCTUARY_PASSPHRASE in your environment, or run\n'sanctuary export-passphrase' to retrieve it from the macOS Keychain."
         );
       }
       masterKey = generateRandomKey();
@@ -33927,6 +35267,7 @@ exports.CommitmentStore = CommitmentStore;
 exports.ContextGateEnforcer = ContextGateEnforcer;
 exports.ContextGatePolicyStore = ContextGatePolicyStore;
 exports.DashboardApprovalChannel = DashboardApprovalChannel;
+exports.ExitBundleImportError = ExitBundleImportError;
 exports.FederationRegistry = FederationRegistry;
 exports.FilesystemStorage = FilesystemStorage;
 exports.HERO_COPY = HERO_COPY;