@sanctuary-framework/mcp-server 1.2.0 → 1.2.2

package/dist/index.d.cts

@@ -1248,6 +1248,18 @@ declare class PolicyStore {
     private persist;
 }
 
+/**
+ * Signature scheme identifier embedded in every AuditEntry and crypto-agility-bearing surface.
+ *
+ * v1.0: only "ed25519-v1" is valid.
+ * v1.x post-quantum migration: "ed25519+ml-dsa-v1" hybrid will be introduced.
+ * v1.0 verifiers MUST reject unknown schemes; the field exists so v1.x can add
+ * hybrid signing without breaking v1.0 readers. Do not optimize this field away.
+ *
+ * Spec: §5.3 (Crypto-agility per thesis §3 L1 PQ note).
+ */
+type SignatureScheme$1 = "ed25519-v1";
+
 /**
  * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types
  *
@@ -1258,6 +1270,7 @@ declare class PolicyStore {
  *
  * SHR version: 1.0
  */
+
 type LayerStatus = "active" | "degraded" | "inactive";
 type DegradationSeverity = "info" | "warning" | "critical";
 type DegradationCode = "NO_TEE" | "PROCESS_ISOLATION_ONLY" | "COMMITMENT_ONLY" | "NO_ZK_PROOFS" | "SELF_REPORTED_ATTESTATION" | "NO_SELECTIVE_DISCLOSURE" | "BASIC_SYBIL_ONLY" | "NO_REPUTATION_HISTORY" | "LOW_TIER_DOMINANCE" | "STALE_REPUTATION" | "DISPUTE_ON_RECORD" | "NO_VERASCORE_LINK";
@@ -1337,6 +1350,7 @@ interface SHRBody {
 interface SignedSHR {
     body: SHRBody;
     signed_by: string;
+    signature_scheme: SignatureScheme$1;
     signature: string;
 }
 interface SHRVerificationResult {
@@ -2925,13 +2939,13 @@ interface PrivacyRehydratedPayload extends PrivacyAuditPayloadHeader {
 type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | PrivacyDeniedPayload | PrivacyErrorPayload | PrivacyRehydratedPayload;
 
 /**
- * Sanctuary v1.1 — Operator Hub Event Contracts
+ * Sanctuary v1.1 Operator Hub Event Contracts
  *
  * Shared shapes for the unified inbox, the activity feed, and the per-agent
  * status panels. The operator hub API workstream (Prompt 5) emits these; the
  * dashboard UI workstream (Prompt 8) consumes them. v1.2 mobile companion
  * planning will evaluate these shapes when it scopes a phone surface, but
- * v1.1 does not commit to mobile compatibility — these contracts are
+ * v1.1 does not commit to mobile compatibility. These contracts are
  * tuned for the local dashboard surface only.
  *
  * Local-only invariant:
@@ -2952,7 +2966,7 @@ type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | Priv
  * accepted; the dashboard rejects rendering on any value outside this union.
  *
  * The renderer treats every value as data to interpolate into a fixed
- * template registered under `template_id` — never as raw content. This
+ * template registered under `template_id`, never as raw content. This
  * defends against secrets, query text, file paths, and client names leaking
  * into inbox cards via stringly-typed display fields.
  */
@@ -3015,7 +3029,7 @@ interface HubInboxItemHeader {
     display_template_id: string;
     /**
      * Typed args interpolated into the template. Every value MUST be a
-     * `HubDisplayTemplateArg` instance — no free-form strings. Renderers
+     * `HubDisplayTemplateArg` instance, no free-form strings. Renderers
      * reject any arg outside this union, which structurally blocks secret
      * leakage via inbox copy.
      */
@@ -3100,7 +3114,7 @@ interface HubBudgetWarningItem extends HubInboxItemHeader {
     used_fraction: number;
 }
 /**
- * Recovery prompt — operator should run a recovery flow (passphrase reset,
+ * Recovery prompt. Operator should run a recovery flow (passphrase reset,
  * keychain rebind, exit drill, etc.).
  */
 interface HubRecoveryPromptItem extends HubInboxItemHeader {
@@ -3146,12 +3160,32 @@ interface HubActivityFeedEntry {
     category: "policy_decision" | "approval" | "denial" | "egress" | "privacy" | "handoff" | "lifecycle" | "config" | "other";
     /**
      * Display template id. Resolved by the dashboard against the activity-feed
-     * template catalog. Backends MUST NOT emit raw summary text — the template
+     * template catalog. Backends MUST NOT emit raw summary text. The template
      * id plus typed args is the only legitimate channel.
      */
     display_template_id: string;
     /** Typed args. Same constraints as `HubInboxItemHeader.display_template_args`. */
     display_template_args: HubDisplayTemplateArg[];
+    /**
+     * Per-action attestation fragment for dashboard timeline rendering.
+     *
+     * Optional; absence means the row renders without a badge.
+     *
+     * `state` drives the `att-action` CSS class on the rendered badge.
+     * `fragment` is a deterministic short hex string derived from the
+     * audit-chain entry id; it gives operators a stable per-row visual hook
+     * the same shape the Sprint Piece 2 attestation gallery shows.
+     *
+     * Important: the fragment is NOT a real per-event Ed25519 signature.
+     * The audit chain itself is tamper-evident at the main-process boundary
+     * (scope-lock §8); the fragment is the visible projection of the entry's
+     * audit-chain identity. Real per-event signatures land post-v1.5+ in the
+     * Crypto Agility Sprint.
+     */
+    attestation?: {
+        state: "verified" | "degraded" | "unverified" | "neutral";
+        fragment: string;
+    };
 }
 /**
  * Per-agent status snapshot returned by the hub API. Mirrors the agent
@@ -3761,6 +3795,27 @@ declare class MemoryStorage implements StorageBackend {
  * - Secure deletion overwrites file content with random bytes before unlinking
  * - Directory creation uses restrictive permissions (0o700)
  * - File creation uses restrictive permissions (0o600)
+ *
+ * Path encoding (bijective, full-sweep #41):
+ *   Distinct (namespace, key) inputs MUST produce distinct on-disk paths;
+ *   otherwise an agent that can choose namespace/key strings within a tenant
+ *   could overwrite or read another namespace by colliding on the sanitized
+ *   form (multi-tenant isolation invariant). The encoder retains the safe
+ *   set [A-Za-z0-9_.-] (so internal namespaces such as `_audit`, `_bridge`,
+ *   etc. preserve their on-disk paths verbatim) and `!`-escapes every other
+ *   character as `!XX` where XX is the upper-hex byte. The escape character
+ *   `!` itself is NOT in the safe set, so a literal `!` in input encodes as
+ *   `!21` and decoding remains unambiguous.
+ *
+ * Legacy fallback (forward compatibility):
+ *   Pre-fix code used `replace(/[^a-zA-Z0-9_-]/g, "_")` for namespaces and
+ *   `replace(/[^a-zA-Z0-9_.-]/g, "_")` for keys; non-bijective. read(),
+ *   exists(), and delete() try the new path first; on ENOENT they fall back
+ *   to the legacy path so existing fortresses with operator-supplied
+ *   namespaces containing non-safe characters keep working. write() always
+ *   uses the new bijective path. list() and totalSize() walk on-disk
+ *   directory names directly and cannot disambiguate legacy collision-class
+ *   pairs; they are forward-only by design.
  */
 
 declare class FilesystemStorage implements StorageBackend {
@@ -3768,9 +3823,12 @@ declare class FilesystemStorage implements StorageBackend {
     constructor(basePath: string);
     private entryPath;
     private namespacePath;
+    private legacyEntryPath;
     write(namespace: string, key: string, data: Uint8Array): Promise<void>;
     read(namespace: string, key: string): Promise<Uint8Array | null>;
+    private readAtPath;
     delete(namespace: string, key: string, secureOverwrite?: boolean): Promise<boolean>;
+    private deleteAtPath;
     list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]>;
     exists(namespace: string, key: string): Promise<boolean>;
     totalSize(): Promise<number>;
@@ -3924,6 +3982,31 @@ interface ImportExitBundleOptions {
     sourceRecoveryKey?: string;
     sourceMasterKey?: Uint8Array;
     destinationSignerIdentityId?: string;
+    /**
+     * v1.0.2 (i) / full-sweep #54. When the destination fortress already has a
+     * staged `public_identity` for the bundle's identity_id, activation is refused
+     * unless the operator passes this flag. The CLI surfaces the flag as
+     * `--force-rebind` and re-prompts Tier 1 confirmation. When `forceRebind` is
+     * true and the rebind triggers, an `exit_bundle_force_rebind` L1 audit entry
+     * records the explicit replacement.
+     */
+    forceRebind?: boolean;
+    /**
+     * v1.0.2 / full-sweep #55. Reputation attestations whose signer DID is not
+     * present in the bundle's published identity material are marked
+     * `unverifiable` by the verifier. By default the verdict is now strict and
+     * an unverifiable attestation fails the bundle. Setting this flag opts the
+     * operator in to an explicit relaxed verdict (Tier 1 confirmation in CLI).
+     */
+    acceptUnverifiableAttestations?: boolean;
+}
+/**
+ * Structured error raised by `importExitBundle` for codes the CLI / hub want
+ * to branch on without parsing free-text messages. v1.0.2 (i) / full-sweep #54.
+ */
+declare class ExitBundleImportError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
 }
 interface ExitBundleConflictReport {
     public_identity_exists: boolean;
@@ -3960,14 +4043,6 @@ declare function exportExitBundle(opts: ExportExitBundleOptions): Promise<Export
 declare function importExitBundle(opts: ImportExitBundleOptions): Promise<ImportExitBundleResult>;
 declare function exitBundleManifestShape(): Record<string, unknown>;
 
-/**
- * Sanctuary v1.1 exit-bundle verifier.
- *
- * Verifies the signed SANCTUARY_EXIT_BUNDLE_V1 manifest, every artifact hash,
- * and the exported identity / reputation signatures that are independently
- * verifiable from public material in the bundle.
- */
-
 interface ExitBundleDetailedVerifierResult extends ExitBundleVerifierResult {
     manifest_path: string;
     manifest_hash: string | null;
@@ -3998,7 +4073,19 @@ interface LoadedExitArtifact<T = unknown> {
 }
 declare function readManifest(bundleDir: string): Promise<ExitBundleManifest>;
 declare function loadExitArtifact<T = unknown>(bundleDir: string, manifest: ExitBundleManifest, kind: ExitBundleArtifactKind): Promise<LoadedExitArtifact<T> | null>;
-declare function verifyExitBundle(bundleDir: string): Promise<ExitBundleDetailedVerifierResult>;
+/**
+ * Caller-supplied verifier knobs. v1.0.2 / full-sweep #55.
+ *
+ * `acceptUnverifiableAttestations` flips the bundle verdict from strict-by-default
+ * (any unverifiable attestation fails the bundle) to a relaxed verdict that
+ * tolerates attestations whose signer DID is not in the bundle's published
+ * identity material. Operators opt in explicitly through the CLI
+ * `--accept-unverifiable-attestations` flag (Tier 1 confirmation).
+ */
+interface VerifyExitBundleOptions {
+    acceptUnverifiableAttestations?: boolean;
+}
+declare function verifyExitBundle(bundleDir: string, options?: VerifyExitBundleOptions): Promise<ExitBundleDetailedVerifierResult>;
 
 /**
  * `sanctuary exit` CLI.
@@ -4133,8 +4220,8 @@ type HubInboxAction = (typeof HUB_INBOX_ACTIONS)[number];
 declare const HUB_AGENT_CONTROL_ACTIONS: readonly ["pause", "resume", "restart", "unwrap", "lockdown"];
 type HubAgentControlAction = (typeof HUB_AGENT_CONTROL_ACTIONS)[number];
 
-/** Channel-template identifiers per v1.2 design-canonical starter set. */
-declare const CHANNEL_TEMPLATE_IDS: readonly ["request-approve-act", "read-then-report", "scheduled-digest", "plan-draft-only", "fortress-relay", "concierge-loop"];
+/** Channel-template identifiers per the five-template canonical starter set. */
+declare const CHANNEL_TEMPLATE_IDS: readonly ["request-approve-act", "read-then-report", "scheduled-digest", "plan-draft-only", "fortress-relay"];
 type ChannelTemplateId = (typeof CHANNEL_TEMPLATE_IDS)[number];
 
 /**
@@ -6682,4 +6769,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
 
-export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type ExitAuditReceiptsArtifact, type ExitBundleDetailedVerifierResult, type ExitCommandArgs, type ExitCommitmentsArtifact, type ExitEncryptedStateBundle, type ExitPlaceholderVaultMetadataArtifact, type ExitPolicySetArtifact, type ExitPublicIdentityArtifact, type ExportExitBundleOptions, type ExportExitBundleResult, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, type ImportExitBundleOptions, type ImportExitBundleResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, type LoadedExitArtifact, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type ExitAuditReceiptsArtifact, type ExitBundleDetailedVerifierResult, ExitBundleImportError, type ExitCommandArgs, type ExitCommitmentsArtifact, type ExitEncryptedStateBundle, type ExitPlaceholderVaultMetadataArtifact, type ExitPolicySetArtifact, type ExitPublicIdentityArtifact, type ExportExitBundleOptions, type ExportExitBundleResult, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, type ImportExitBundleOptions, type ImportExitBundleResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, type LoadedExitArtifact, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, type VerifyExitBundleOptions, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };

package/dist/index.d.ts

@@ -1248,6 +1248,18 @@ declare class PolicyStore {
     private persist;
 }
 
+/**
+ * Signature scheme identifier embedded in every AuditEntry and crypto-agility-bearing surface.
+ *
+ * v1.0: only "ed25519-v1" is valid.
+ * v1.x post-quantum migration: "ed25519+ml-dsa-v1" hybrid will be introduced.
+ * v1.0 verifiers MUST reject unknown schemes; the field exists so v1.x can add
+ * hybrid signing without breaking v1.0 readers. Do not optimize this field away.
+ *
+ * Spec: §5.3 (Crypto-agility per thesis §3 L1 PQ note).
+ */
+type SignatureScheme$1 = "ed25519-v1";
+
 /**
  * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types
  *
@@ -1258,6 +1270,7 @@ declare class PolicyStore {
  *
  * SHR version: 1.0
  */
+
 type LayerStatus = "active" | "degraded" | "inactive";
 type DegradationSeverity = "info" | "warning" | "critical";
 type DegradationCode = "NO_TEE" | "PROCESS_ISOLATION_ONLY" | "COMMITMENT_ONLY" | "NO_ZK_PROOFS" | "SELF_REPORTED_ATTESTATION" | "NO_SELECTIVE_DISCLOSURE" | "BASIC_SYBIL_ONLY" | "NO_REPUTATION_HISTORY" | "LOW_TIER_DOMINANCE" | "STALE_REPUTATION" | "DISPUTE_ON_RECORD" | "NO_VERASCORE_LINK";
@@ -1337,6 +1350,7 @@ interface SHRBody {
 interface SignedSHR {
     body: SHRBody;
     signed_by: string;
+    signature_scheme: SignatureScheme$1;
     signature: string;
 }
 interface SHRVerificationResult {
@@ -2925,13 +2939,13 @@ interface PrivacyRehydratedPayload extends PrivacyAuditPayloadHeader {
 type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | PrivacyDeniedPayload | PrivacyErrorPayload | PrivacyRehydratedPayload;
 
 /**
- * Sanctuary v1.1 — Operator Hub Event Contracts
+ * Sanctuary v1.1 Operator Hub Event Contracts
  *
  * Shared shapes for the unified inbox, the activity feed, and the per-agent
  * status panels. The operator hub API workstream (Prompt 5) emits these; the
  * dashboard UI workstream (Prompt 8) consumes them. v1.2 mobile companion
  * planning will evaluate these shapes when it scopes a phone surface, but
- * v1.1 does not commit to mobile compatibility — these contracts are
+ * v1.1 does not commit to mobile compatibility. These contracts are
  * tuned for the local dashboard surface only.
  *
  * Local-only invariant:
@@ -2952,7 +2966,7 @@ type PrivacyAuditPayload = PrivacyFilteredPayload | PrivacyAllowedPayload | Priv
  * accepted; the dashboard rejects rendering on any value outside this union.
  *
  * The renderer treats every value as data to interpolate into a fixed
- * template registered under `template_id` — never as raw content. This
+ * template registered under `template_id`, never as raw content. This
  * defends against secrets, query text, file paths, and client names leaking
  * into inbox cards via stringly-typed display fields.
  */
@@ -3015,7 +3029,7 @@ interface HubInboxItemHeader {
     display_template_id: string;
     /**
      * Typed args interpolated into the template. Every value MUST be a
-     * `HubDisplayTemplateArg` instance — no free-form strings. Renderers
+     * `HubDisplayTemplateArg` instance, no free-form strings. Renderers
      * reject any arg outside this union, which structurally blocks secret
      * leakage via inbox copy.
      */
@@ -3100,7 +3114,7 @@ interface HubBudgetWarningItem extends HubInboxItemHeader {
     used_fraction: number;
 }
 /**
- * Recovery prompt — operator should run a recovery flow (passphrase reset,
+ * Recovery prompt. Operator should run a recovery flow (passphrase reset,
  * keychain rebind, exit drill, etc.).
  */
 interface HubRecoveryPromptItem extends HubInboxItemHeader {
@@ -3146,12 +3160,32 @@ interface HubActivityFeedEntry {
     category: "policy_decision" | "approval" | "denial" | "egress" | "privacy" | "handoff" | "lifecycle" | "config" | "other";
     /**
      * Display template id. Resolved by the dashboard against the activity-feed
-     * template catalog. Backends MUST NOT emit raw summary text — the template
+     * template catalog. Backends MUST NOT emit raw summary text. The template
      * id plus typed args is the only legitimate channel.
      */
     display_template_id: string;
     /** Typed args. Same constraints as `HubInboxItemHeader.display_template_args`. */
     display_template_args: HubDisplayTemplateArg[];
+    /**
+     * Per-action attestation fragment for dashboard timeline rendering.
+     *
+     * Optional; absence means the row renders without a badge.
+     *
+     * `state` drives the `att-action` CSS class on the rendered badge.
+     * `fragment` is a deterministic short hex string derived from the
+     * audit-chain entry id; it gives operators a stable per-row visual hook
+     * the same shape the Sprint Piece 2 attestation gallery shows.
+     *
+     * Important: the fragment is NOT a real per-event Ed25519 signature.
+     * The audit chain itself is tamper-evident at the main-process boundary
+     * (scope-lock §8); the fragment is the visible projection of the entry's
+     * audit-chain identity. Real per-event signatures land post-v1.5+ in the
+     * Crypto Agility Sprint.
+     */
+    attestation?: {
+        state: "verified" | "degraded" | "unverified" | "neutral";
+        fragment: string;
+    };
 }
 /**
  * Per-agent status snapshot returned by the hub API. Mirrors the agent
@@ -3761,6 +3795,27 @@ declare class MemoryStorage implements StorageBackend {
  * - Secure deletion overwrites file content with random bytes before unlinking
  * - Directory creation uses restrictive permissions (0o700)
  * - File creation uses restrictive permissions (0o600)
+ *
+ * Path encoding (bijective, full-sweep #41):
+ *   Distinct (namespace, key) inputs MUST produce distinct on-disk paths;
+ *   otherwise an agent that can choose namespace/key strings within a tenant
+ *   could overwrite or read another namespace by colliding on the sanitized
+ *   form (multi-tenant isolation invariant). The encoder retains the safe
+ *   set [A-Za-z0-9_.-] (so internal namespaces such as `_audit`, `_bridge`,
+ *   etc. preserve their on-disk paths verbatim) and `!`-escapes every other
+ *   character as `!XX` where XX is the upper-hex byte. The escape character
+ *   `!` itself is NOT in the safe set, so a literal `!` in input encodes as
+ *   `!21` and decoding remains unambiguous.
+ *
+ * Legacy fallback (forward compatibility):
+ *   Pre-fix code used `replace(/[^a-zA-Z0-9_-]/g, "_")` for namespaces and
+ *   `replace(/[^a-zA-Z0-9_.-]/g, "_")` for keys; non-bijective. read(),
+ *   exists(), and delete() try the new path first; on ENOENT they fall back
+ *   to the legacy path so existing fortresses with operator-supplied
+ *   namespaces containing non-safe characters keep working. write() always
+ *   uses the new bijective path. list() and totalSize() walk on-disk
+ *   directory names directly and cannot disambiguate legacy collision-class
+ *   pairs; they are forward-only by design.
  */
 
 declare class FilesystemStorage implements StorageBackend {
@@ -3768,9 +3823,12 @@ declare class FilesystemStorage implements StorageBackend {
     constructor(basePath: string);
     private entryPath;
     private namespacePath;
+    private legacyEntryPath;
     write(namespace: string, key: string, data: Uint8Array): Promise<void>;
     read(namespace: string, key: string): Promise<Uint8Array | null>;
+    private readAtPath;
     delete(namespace: string, key: string, secureOverwrite?: boolean): Promise<boolean>;
+    private deleteAtPath;
     list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]>;
     exists(namespace: string, key: string): Promise<boolean>;
     totalSize(): Promise<number>;
@@ -3924,6 +3982,31 @@ interface ImportExitBundleOptions {
     sourceRecoveryKey?: string;
     sourceMasterKey?: Uint8Array;
     destinationSignerIdentityId?: string;
+    /**
+     * v1.0.2 (i) / full-sweep #54. When the destination fortress already has a
+     * staged `public_identity` for the bundle's identity_id, activation is refused
+     * unless the operator passes this flag. The CLI surfaces the flag as
+     * `--force-rebind` and re-prompts Tier 1 confirmation. When `forceRebind` is
+     * true and the rebind triggers, an `exit_bundle_force_rebind` L1 audit entry
+     * records the explicit replacement.
+     */
+    forceRebind?: boolean;
+    /**
+     * v1.0.2 / full-sweep #55. Reputation attestations whose signer DID is not
+     * present in the bundle's published identity material are marked
+     * `unverifiable` by the verifier. By default the verdict is now strict and
+     * an unverifiable attestation fails the bundle. Setting this flag opts the
+     * operator in to an explicit relaxed verdict (Tier 1 confirmation in CLI).
+     */
+    acceptUnverifiableAttestations?: boolean;
+}
+/**
+ * Structured error raised by `importExitBundle` for codes the CLI / hub want
+ * to branch on without parsing free-text messages. v1.0.2 (i) / full-sweep #54.
+ */
+declare class ExitBundleImportError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
 }
 interface ExitBundleConflictReport {
     public_identity_exists: boolean;
@@ -3960,14 +4043,6 @@ declare function exportExitBundle(opts: ExportExitBundleOptions): Promise<Export
 declare function importExitBundle(opts: ImportExitBundleOptions): Promise<ImportExitBundleResult>;
 declare function exitBundleManifestShape(): Record<string, unknown>;
 
-/**
- * Sanctuary v1.1 exit-bundle verifier.
- *
- * Verifies the signed SANCTUARY_EXIT_BUNDLE_V1 manifest, every artifact hash,
- * and the exported identity / reputation signatures that are independently
- * verifiable from public material in the bundle.
- */
-
 interface ExitBundleDetailedVerifierResult extends ExitBundleVerifierResult {
     manifest_path: string;
     manifest_hash: string | null;
@@ -3998,7 +4073,19 @@ interface LoadedExitArtifact<T = unknown> {
 }
 declare function readManifest(bundleDir: string): Promise<ExitBundleManifest>;
 declare function loadExitArtifact<T = unknown>(bundleDir: string, manifest: ExitBundleManifest, kind: ExitBundleArtifactKind): Promise<LoadedExitArtifact<T> | null>;
-declare function verifyExitBundle(bundleDir: string): Promise<ExitBundleDetailedVerifierResult>;
+/**
+ * Caller-supplied verifier knobs. v1.0.2 / full-sweep #55.
+ *
+ * `acceptUnverifiableAttestations` flips the bundle verdict from strict-by-default
+ * (any unverifiable attestation fails the bundle) to a relaxed verdict that
+ * tolerates attestations whose signer DID is not in the bundle's published
+ * identity material. Operators opt in explicitly through the CLI
+ * `--accept-unverifiable-attestations` flag (Tier 1 confirmation).
+ */
+interface VerifyExitBundleOptions {
+    acceptUnverifiableAttestations?: boolean;
+}
+declare function verifyExitBundle(bundleDir: string, options?: VerifyExitBundleOptions): Promise<ExitBundleDetailedVerifierResult>;
 
 /**
  * `sanctuary exit` CLI.
@@ -4133,8 +4220,8 @@ type HubInboxAction = (typeof HUB_INBOX_ACTIONS)[number];
 declare const HUB_AGENT_CONTROL_ACTIONS: readonly ["pause", "resume", "restart", "unwrap", "lockdown"];
 type HubAgentControlAction = (typeof HUB_AGENT_CONTROL_ACTIONS)[number];
 
-/** Channel-template identifiers per v1.2 design-canonical starter set. */
-declare const CHANNEL_TEMPLATE_IDS: readonly ["request-approve-act", "read-then-report", "scheduled-digest", "plan-draft-only", "fortress-relay", "concierge-loop"];
+/** Channel-template identifiers per the five-template canonical starter set. */
+declare const CHANNEL_TEMPLATE_IDS: readonly ["request-approve-act", "read-then-report", "scheduled-digest", "plan-draft-only", "fortress-relay"];
 type ChannelTemplateId = (typeof CHANNEL_TEMPLATE_IDS)[number];
 
 /**
@@ -6682,4 +6769,4 @@ declare function createSanctuaryServer(options?: {
     storage?: StorageBackend;
 }): Promise<SanctuaryServer>;
 
-export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type ExitAuditReceiptsArtifact, type ExitBundleDetailedVerifierResult, type ExitCommandArgs, type ExitCommitmentsArtifact, type ExitEncryptedStateBundle, type ExitPlaceholderVaultMetadataArtifact, type ExitPolicySetArtifact, type ExitPublicIdentityArtifact, type ExportExitBundleOptions, type ExportExitBundleResult, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, type ImportExitBundleOptions, type ImportExitBundleResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, type LoadedExitArtifact, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };
+export { ATTESTATION_VERSION, type ActivityEntry, type AggregatorSources, ApprovalGate, type ApprovalHandlers, type AttestationBody, type AttestationVerificationResult, AuditLog, AutoApproveChannel, BaselineTracker, type BridgeAttestationRequest, type BridgeAttestationResult, type BridgeCommitment, type BridgeVerificationResult, TEMPLATES as CONTEXT_GATE_TEMPLATES, CallbackApprovalChannel, ClientManager, CommitmentStore, type ConcordiaOutcome, type ConnectionState, type ContextAction, type ContextFilterResult, ContextGateEnforcer, type ContextGatePolicy, ContextGatePolicyStore, type ContextGateRule, type ContextGateTemplate, DashboardApprovalChannel, type DashboardConfig, type DashboardHandle, type DashboardServerOptions, type DetectionResult, type EnforcerConfig, type ExitAuditReceiptsArtifact, type ExitBundleDetailedVerifierResult, ExitBundleImportError, type ExitCommandArgs, type ExitCommitmentsArtifact, type ExitEncryptedStateBundle, type ExitPlaceholderVaultMetadataArtifact, type ExitPolicySetArtifact, type ExitPublicIdentityArtifact, type ExportExitBundleOptions, type ExportExitBundleResult, type FederationCapabilities, type FederationPeer, FederationRegistry, type FieldClassification, type FieldFilterResult, FilesystemStorage, type GateResult, HERO_COPY, type HandshakeChallenge, type HandshakeCompletion, type HandshakeResponse, type HandshakeResult, type ImportExitBundleOptions, type ImportExitBundleResult, InMemoryModelProvenanceStore, InjectionDetector, type InjectionDetectorConfig, type InjectionSignal, type L1Status, type L2Status, type L3Status, type L4Status, type LoadedExitArtifact, MODEL_PRESETS, MemoryStorage, type ModelProvenance, type ModelProvenanceStore, type PedersenCommitment, type PeerTrustEvaluation, type PendingApproval, type PolicyRecommendation, PolicyStore, type PrincipalPolicy, type ProtectionSnapshot, type ProviderCategory, ProxyRouter, type ProxyRouterOptions, type ReputationLookup, ReputationStore, type SHRBody, type SHRGeneratorOptions, type SHRVerificationResult, type SanctuaryConfig, type SanctuaryServer, type SignedAttestation, type SignedSHR, type SovereigntyProfile, SovereigntyProfileStore, type SovereigntyProfileUpdate, type SovereigntyTier, type StartDashboardOptions, StateStore, StderrApprovalChannel, type StreamEvent, TIER_WEIGHTS, type TierMetadata, type TieredAttestation, type UpstreamConnection, type UpstreamServer, type UpstreamTool, type VerifyExitBundleOptions, WebhookApprovalChannel, type WebhookCallbackPayload, type WebhookConfig, type WebhookPayload, type ZKProofOfKnowledge, type ZKRangeProof, canonicalize, classifyField, completeHandshake, computeWeightedScore, createBridgeCommitment, createDefaultProfile, createPedersenCommitment, createProofOfKnowledge, createRangeProof, createSanctuaryServer, evaluateField, exitBundleManifestShape, exportExitBundle, filterContext, generateAttestation, generateSHR, generateSystemPrompt, getProtectionSnapshot, getTemplate, importExitBundle, initiateHandshake, listTemplateIds, loadConfig, loadExitArtifact, loadPrincipalPolicy, readManifest, recommendPolicy, renderDashboardHTML, resolveTier, respondToHandshake, runExitCommand, signPayload, startDashboard, startDashboardServer, tierDistribution, verifyAttestation, verifyBridgeCommitment, verifyCompletion, verifyExitBundle, verifyPedersenCommitment, verifyProofOfKnowledge, verifyRangeProof, verifySHR, verifySignature };