@sanctuary-framework/mcp-server 1.2.2 → 1.2.3

package/dist/cli.cjs

@@ -4428,13 +4428,23 @@ function parseScalar(value) {
   return value.replace(/^["']|["']$/g, "");
 }
 function validatePolicy(raw) {
+  if (!("tier1_always_approve" in raw)) {
+    throw new Error(
+      "Policy file must include 'tier1_always_approve' as an explicit list (use [] for empty). Remove specific entries instead of removing the whole key."
+    );
+  }
+  if (!("approval_channel" in raw)) {
+    throw new Error(
+      "Policy file must include 'approval_channel' as an explicit object (use {} for defaults). Remove specific entries instead of removing the whole key."
+    );
+  }
   const userTier3 = raw.tier3_always_allow ?? [];
   const mergedTier3 = [
     .../* @__PURE__ */ new Set([...userTier3, ...DEFAULT_POLICY.tier3_always_allow])
   ];
   return {
     version: raw.version ?? 1,
-    tier1_always_approve: raw.tier1_always_approve ?? DEFAULT_POLICY.tier1_always_approve,
+    tier1_always_approve: raw.tier1_always_approve,
     tier2_anomaly: {
       ...DEFAULT_TIER2,
       ...raw.tier2_anomaly ?? {}
@@ -4455,6 +4465,11 @@ function generateDefaultPolicyYaml() {
 # This file controls what your agent can do without asking.
 # Edit this file directly. Your agent cannot modify it.
 # Changes take effect on server restart.
+#
+# Required keys (must be present; use [] or {} for empty):
+#   tier1_always_approve, approval_channel
+# Optional keys (omit to use defaults; new defaults merge automatically):
+#   tier2_anomaly, tier3_always_allow
 
 version: 1
 
@@ -11574,6 +11589,7 @@ __export(passphrase_exports, {
   getOrCreatePassphrase: () => getOrCreatePassphrase,
   isOsKeyringLocation: () => isOsKeyringLocation,
   keychainServiceFor: () => keychainServiceFor,
+  legacyKeychainServiceFor: () => legacyKeychainServiceFor,
   persistUserProvidedPassphrase: () => persistUserProvidedPassphrase,
   readStoredPassphrase: () => readStoredPassphrase
 });
@@ -11587,16 +11603,29 @@ async function getOrCreatePassphrase(opts = {}) {
   const plat = opts.platformOverride ?? os.platform();
   const exec2 = opts.exec ?? defaultExec;
   const derive = opts.deriveMachineKey ?? deriveMachineKey;
+  const legacyService = legacyKeychainServiceFor(storagePath, home);
   if (plat === "darwin") {
     const fromKc = await readFromKeychain(exec2, service);
     if (fromKc) {
       return { value: fromKc, source: "keychain", location: OS_KEYRING_LOCATION_MACOS };
     }
+    if (legacyService !== service) {
+      const fromLegacy = await readFromKeychain(exec2, legacyService);
+      if (fromLegacy) {
+        return { value: fromLegacy, source: "keychain", location: OS_KEYRING_LOCATION_MACOS };
+      }
+    }
   } else if (plat === "linux") {
     const fromSs = await readFromSecretService(exec2, service);
     if (fromSs) {
       return { value: fromSs, source: "keychain", location: OS_KEYRING_LOCATION_LINUX };
     }
+    if (legacyService !== service) {
+      const fromLegacy = await readFromSecretService(exec2, legacyService);
+      if (fromLegacy) {
+        return { value: fromLegacy, source: "keychain", location: OS_KEYRING_LOCATION_LINUX };
+      }
+    }
   }
   const fallback = fallbackFilePath(home, storagePath);
   const fromFile = await readFromFallbackFile(fallback, home, derive);
@@ -11629,6 +11658,7 @@ async function readStoredPassphrase(opts = {}) {
   const home = opts.home ?? os.homedir();
   const storagePath = opts.storagePath ?? resolveStoragePath(process.env, home);
   const service = keychainServiceFor(storagePath, home);
+  const legacyService = legacyKeychainServiceFor(storagePath, home);
   const plat = opts.platformOverride ?? os.platform();
   const exec2 = opts.exec ?? defaultExec;
   const derive = opts.deriveMachineKey ?? deriveMachineKey;
@@ -11637,11 +11667,23 @@ async function readStoredPassphrase(opts = {}) {
     if (fromKc) {
       return { value: fromKc, source: "keychain", location: OS_KEYRING_LOCATION_MACOS };
     }
+    if (legacyService !== service) {
+      const fromLegacy = await readFromKeychain(exec2, legacyService);
+      if (fromLegacy) {
+        return { value: fromLegacy, source: "keychain", location: OS_KEYRING_LOCATION_MACOS };
+      }
+    }
   } else if (plat === "linux") {
     const fromSs = await readFromSecretService(exec2, service);
     if (fromSs) {
       return { value: fromSs, source: "keychain", location: OS_KEYRING_LOCATION_LINUX };
     }
+    if (legacyService !== service) {
+      const fromLegacy = await readFromSecretService(exec2, legacyService);
+      if (fromLegacy) {
+        return { value: fromLegacy, source: "keychain", location: OS_KEYRING_LOCATION_LINUX };
+      }
+    }
   }
   const fallback = fallbackFilePath(home, storagePath);
   const fromFile = await readFromFallbackFile(fallback, home, derive);
@@ -11722,9 +11764,18 @@ async function writeToKeychain(value, exec2, service = KEYCHAIN_SERVICE_DEFAULT)
   }
 }
 function keychainServiceFor(storagePath, home = os.homedir()) {
-  const defaultPath = path.join(home, DEFAULT_STORAGE_DIR);
-  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
-  const digest = sha256.sha256(Buffer.from(storagePath, "utf-8"));
+  const defaultPath = path.resolve(path.join(home, DEFAULT_STORAGE_DIR));
+  const canonicalStorage = path.resolve(storagePath);
+  if (canonicalStorage === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256.sha256(Buffer.from(canonicalStorage, "utf-8"));
+  const suffix = Buffer.from(digest).toString("hex").slice(0, 16);
+  return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
+}
+function legacyKeychainServiceFor(storagePath, home = os.homedir()) {
+  const defaultPath = path.resolve(path.join(home, DEFAULT_STORAGE_DIR));
+  const canonicalStorage = path.resolve(storagePath);
+  if (canonicalStorage === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256.sha256(Buffer.from(canonicalStorage, "utf-8"));
   const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
   return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
 }
@@ -11811,7 +11862,7 @@ function deriveMachineKey(home) {
   return hkdf.hkdf(sha256.sha256, material, void 0, "sanctuary-passphrase-v1", 32);
 }
 async function defaultExec(cmd, args, input) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve8, reject) => {
     const child = child_process.spawn(cmd, args, { stdio: ["pipe", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
@@ -11822,7 +11873,7 @@ async function defaultExec(cmd, args, input) {
       stderr += d.toString();
     });
     child.on("error", reject);
-    child.on("close", (code) => resolve6({ stdout, stderr, code }));
+    child.on("close", (code) => resolve8({ stdout, stderr, code }));
     if (input !== void 0) {
       child.stdin.write(input);
     }
@@ -12016,7 +12067,7 @@ async function discoverTenants(options = {}) {
   for (const child of children) {
     const childPath = path.join(root, child);
     if (child.startsWith(".")) continue;
-    if (child === "state" || child === "backup" || child === "config") continue;
+    if (child === "state" || child === "backup" || child === "config" || child === "default") continue;
     const s = await promises.stat(childPath).catch(() => null);
     if (!s || !s.isDirectory()) continue;
     const desc = await describeTenant(child, childPath, home);
@@ -12028,6 +12079,17 @@ async function discoverTenants(options = {}) {
     const desc = await describeTenant(path.basename(extra), extra, home);
     if (desc) tenants.push(desc);
   }
+  const seen = /* @__PURE__ */ new Map();
+  for (const t of tenants) {
+    seen.set(t.name, (seen.get(t.name) ?? 0) + 1);
+  }
+  for (const [name, count] of seen) {
+    if (count > 1) {
+      console.error(
+        `[sanctuary] warning: ${count} tenants share the name "${name}". Use --tenant with a unique name or storage path to disambiguate.`
+      );
+    }
+  }
   tenants.sort((a, b) => {
     if (a.name === "default") return -1;
     if (b.name === "default") return 1;
@@ -16826,6 +16888,8 @@ var init_intelligence_api_router = __esm({
         this.code = code;
         this.name = "IntelligenceRouterError";
       }
+      statusCode;
+      code;
     };
   }
 });
@@ -17102,7 +17166,7 @@ var init_dashboard = __esm({
           server = http.createServer(handler);
         }
         this.httpServer = server;
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve8, reject) => {
           const protocol = this.useTLS ? "https" : "http";
           const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
           server.listen(this.config.port, this.config.host, () => {
@@ -17127,7 +17191,7 @@ var init_dashboard = __esm({
             if (shouldAutoOpen) {
               this.openInBrowser(sessionUrl);
             }
-            resolve6();
+            resolve8();
           });
           server.on("error", (err) => {
             if (err.code === "EADDRINUSE") {
@@ -17173,8 +17237,8 @@ var init_dashboard = __esm({
         }
         this.rateLimits.clear();
         if (this.httpServer) {
-          return new Promise((resolve6) => {
-            this.httpServer.close(() => resolve6());
+          return new Promise((resolve8) => {
+            this.httpServer.close(() => resolve8());
           });
         }
       }
@@ -17188,7 +17252,7 @@ var init_dashboard = __esm({
           `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) \u2014 open dashboard to respond
 `
         );
-        return new Promise((resolve6) => {
+        return new Promise((resolve8) => {
           const timer = setTimeout(() => {
             this.pending.delete(id);
             const response = {
@@ -17202,12 +17266,12 @@ var init_dashboard = __esm({
               decision: response.decision,
               decided_by: "timeout"
             });
-            resolve6(response);
+            resolve8(response);
           }, this.config.timeout_seconds * 1e3);
           const pending = {
             id,
             request,
-            resolve: resolve6,
+            resolve: resolve8,
             timer,
             created_at: (/* @__PURE__ */ new Date()).toISOString()
           };
@@ -18073,7 +18137,7 @@ var init_webhook = __esm({
        * Start the callback listener server.
        */
       async start() {
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve8, reject) => {
           this.callbackServer = http.createServer(
             (req, res) => this.handleCallback(req, res)
           );
@@ -18088,7 +18152,7 @@ var init_webhook = __esm({
 
 `
               );
-              resolve6();
+              resolve8();
             }
           );
           this.callbackServer.on("error", reject);
@@ -18108,8 +18172,8 @@ var init_webhook = __esm({
         }
         this.pending.clear();
         if (this.callbackServer) {
-          return new Promise((resolve6) => {
-            this.callbackServer.close(() => resolve6());
+          return new Promise((resolve8) => {
+            this.callbackServer.close(() => resolve8());
           });
         }
       }
@@ -18122,7 +18186,7 @@ var init_webhook = __esm({
           `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) \u2014 awaiting callback
 `
         );
-        return new Promise((resolve6) => {
+        return new Promise((resolve8) => {
           const timer = setTimeout(() => {
             this.pending.delete(id);
             const response = {
@@ -18131,12 +18195,12 @@ var init_webhook = __esm({
               decided_at: (/* @__PURE__ */ new Date()).toISOString(),
               decided_by: "timeout"
             };
-            resolve6(response);
+            resolve8(response);
           }, this.config.timeout_seconds * 1e3);
           const pending = {
             id,
             request,
-            resolve: resolve6,
+            resolve: resolve8,
             timer,
             created_at: (/* @__PURE__ */ new Date()).toISOString()
           };
@@ -19429,12 +19493,25 @@ var init_injection_detector = __esm({
   }
 });
 
+// src/principal-policy/deny-vocabulary.ts
+var AGENT_VISIBLE_DENY_REASONS;
+var init_deny_vocabulary = __esm({
+  "src/principal-policy/deny-vocabulary.ts"() {
+    AGENT_VISIBLE_DENY_REASONS = {
+      REQUIRES_APPROVAL: "operation requires operator approval",
+      NOT_PERMITTED: "operation not permitted",
+      REQUIRES_OPERATOR: "operation requires operator action"
+    };
+  }
+});
+
 // src/principal-policy/gate.ts
 var ApprovalGate;
 var init_gate = __esm({
   "src/principal-policy/gate.ts"() {
     init_loader();
     init_injection_detector();
+    init_deny_vocabulary();
     ApprovalGate = class {
       policy;
       baseline;
@@ -19486,10 +19563,16 @@ var init_gate = __esm({
             });
           }
           if (injectionResult.recommendation === "block") {
+            this.auditLog.append("l2", `gate_injection_block:${operation}`, "system", {
+              tier: 1,
+              operation,
+              injection_confidence: injectionResult.confidence,
+              signal_count: injectionResult.signals.length
+            });
             return {
               allowed: false,
               tier: 1,
-              reason: `Blocked: prompt injection detected in "${operation}" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%)`,
+              reason: AGENT_VISIBLE_DENY_REASONS.NOT_PERMITTED,
               approval_required: false
             };
           }
@@ -19566,7 +19649,7 @@ var init_gate = __esm({
         this.auditLog.append("l2", `gate_unclassified:${operation}`, "system", {
           tier: 1,
           operation,
-          warning: "Operation is not classified in any policy tier \u2014 defaulting to Tier 1 (require approval)"
+          warning: "Operation is not classified in any policy tier, defaulting to Tier 1 (require approval)"
         });
         return this.requestApproval(
           operation,
@@ -19695,7 +19778,7 @@ var init_gate = __esm({
         return {
           allowed: response.decision === "approve",
           tier,
-          reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : `Tier ${tier} operation requires approval`,
+          reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : AGENT_VISIBLE_DENY_REASONS.REQUIRES_APPROVAL,
           approval_required: true,
           approval_response: response
         };
@@ -20284,7 +20367,11 @@ var init_tools5 = __esm({
 
 // src/handshake/protocol.ts
 function generateNonce() {
-  return toBase64url(randomBytes(32));
+  const nonce = randomBytes(32);
+  if (!nonce || nonce.length !== 32) {
+    throw new Error("Nonce generation failed: randomBytes returned unexpected length");
+  }
+  return toBase64url(nonce);
 }
 function initiateHandshake(ourSHR) {
   const nonce = generateNonce();
@@ -20395,6 +20482,18 @@ function completeHandshake(response, session, identityManager, masterKey, identi
   return { completion, result };
 }
 function verifyCompletion(completion, session) {
+  if (completion.protocol_version !== "1.0") {
+    return {
+      counterparty_id: "unknown",
+      counterparty_shr: session.our_shr,
+      verified: false,
+      sovereignty_level: "unverified",
+      trust_tier: "unverified",
+      completed_at: completion.completed_at,
+      expires_at: (/* @__PURE__ */ new Date()).toISOString(),
+      errors: [`Unsupported protocol version: ${completion.protocol_version}`]
+    };
+  }
   const errors = [];
   if (!session.their_shr) {
     return {
@@ -22681,6 +22780,9 @@ Inspect the file and either correct the JSON or delete it manually before re-run
         this.cause = cause;
         this.name = "ResetHistoryMalformedError";
       }
+      markerPath;
+      lineNumber;
+      cause;
     };
   }
 });
@@ -24839,7 +24941,7 @@ async function runOpenAIPrivacyFilter(text, config) {
   return parsed;
 }
 function runCommand(command, input, timeoutMs) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve8, reject) => {
     const child = child_process.spawn(command, [], {
       stdio: ["pipe", "pipe", "pipe"],
       shell: false
@@ -24870,7 +24972,7 @@ function runCommand(command, input, timeoutMs) {
         ));
         return;
       }
-      resolve6(stdout);
+      resolve8(stdout);
     });
     child.stdin.end(input);
   });
@@ -26746,13 +26848,13 @@ var init_proxy_router = __esm({
        * Call an upstream tool with a timeout.
        */
       async callWithTimeout(serverName, toolName, args, timeoutMs) {
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve8, reject) => {
           const timer = setTimeout(() => {
             reject(new Error(`Upstream tool call timed out after ${timeoutMs}ms`));
           }, timeoutMs);
           this.clientManager.callTool(serverName, toolName, args).then((result) => {
             clearTimeout(timer);
-            resolve6(result);
+            resolve8(result);
           }).catch((err) => {
             clearTimeout(timer);
             reject(err);
@@ -32088,7 +32190,7 @@ function makeEventId(prefix) {
 function hashOf(input) {
   return hashToString(sha256.sha256(stringToBytes(input)));
 }
-var DEFAULT_CONCIERGE_MAX_TOKENS, OperatorChatService;
+var DEFAULT_CONCIERGE_MAX_TOKENS, SANCTUARY_DOMAIN_REFERENCE, OperatorChatService;
 var init_operator_chat_service = __esm({
   "src/chat/operator-chat-service.ts"() {
     init_hashing();
@@ -32096,6 +32198,33 @@ var init_operator_chat_service = __esm({
     init_operator_chat_audit_events();
     init_operator_chat_types();
     DEFAULT_CONCIERGE_MAX_TOKENS = 512;
+    SANCTUARY_DOMAIN_REFERENCE = `Castle Architecture (four enforcement layers):
+1. Castle Wall: OS-boundary egress filter enforced at the kernel level. Blocks unauthorized outbound calls even from prompt-injected agents.
+2. Sentinels: internal observation via process introspection. Surfaces anomalies to the operator; does not enforce.
+3. Charter (Cooperative MCP): the sovereignty surface for compliant agents. Policy gates, approval tiers, audit logging, and encrypted state all live here.
+4. Heralds: Concordia receipts and Verascore reputation. Cross-fortress accountability after an action completes.
+
+Five channel templates (canonical names):
+- request-approve-act: agent proposes an action, operator approves or denies before execution.
+- read-then-report: agent reads outputs from a data source and reports summaries to the operator.
+- scheduled-digest: agent runs on a schedule and delivers a periodic digest.
+- plan-draft-only: agent drafts plans; operator reviews before any execution step.
+- fortress-relay: agent relays messages between fortresses under operator-scoped policy.
+
+Four canonical policy slots:
+- memory: governs what the agent may persist and retrieve from encrypted state.
+- credentials: governs access to secrets, API keys, and tokens held in the broker.
+- plans: governs the agent's ability to create, modify, or execute plans.
+- outputs: governs what the agent may emit to external surfaces (files, APIs, messages).
+
+Key concepts:
+- Fortress: the operator-owned sovereignty harness. All state is encrypted at rest under the cocoon.
+- Cocoon: master-key-wrapped storage derived from the operator's passphrase via Argon2id.
+- Identity: Ed25519 keypair with a DID, owned by the operator. Private keys never leave the cocoon.
+- Audit log: append-only encrypted blobs, sequential, recording every gate decision and tool call.
+- Wrapped agent: any agent runtime that connects to Sanctuary as an MCP client. Tier A (native), Tier B (adapter-wrapped), Tier C (escape hatch).
+
+Note: this is a static reference block (v1.2.x). Dynamic context injection (live template list, policy schema) ships in v1.3.`;
     OperatorChatService = class {
       store;
       auditLog;
@@ -32240,6 +32369,9 @@ var init_operator_chat_service = __esm({
        * than nested structures. Format:
        *
        *   ```
+       *   ## Sanctuary reference
+       *   <static domain reference block>
+       *
        *   ## Recent activity
        *   <recentActivity output>
        *
@@ -32251,15 +32383,28 @@ var init_operator_chat_service = __esm({
        *   ```
        */
       async assembleConciergeContext() {
+        const ref = `## Sanctuary reference
+${SANCTUARY_DOMAIN_REFERENCE}`;
         if (!this.contextProviders) {
-          return "## Recent activity\n(no providers wired)\n\n## Wrapped agents\n(no providers wired)\n\n## Open inbox\n(no providers wired)";
+          return `${ref}
+
+## Recent activity
+(no providers wired)
+
+## Wrapped agents
+(no providers wired)
+
+## Open inbox
+(no providers wired)`;
         }
         const [activity, agents, inbox] = await Promise.all([
           this.contextProviders.recentActivity(),
           this.contextProviders.agentInventory(),
           this.contextProviders.openInbox()
         ]);
-        return `## Recent activity
+        return `${ref}
+
+## Recent activity
 ${activity}
 
 ## Wrapped agents
@@ -35291,6 +35436,9 @@ async function importExitBundle(opts) {
     reputationArtifact?.json ?? null,
     manifest
   );
+  if (!conflicts.public_identity_exists && identityArtifact?.json && opts.identityManager.getPrimaryIdentityId() !== null && opts.identityManager.getPrimaryIdentityId() !== identityArtifact.json.bundle.identity_id) {
+    conflicts.public_identity_exists = true;
+  }
   if (!opts.activate) {
     return {
       verified: true,
@@ -35317,7 +35465,7 @@ async function importExitBundle(opts) {
   if (conflicts.public_identity_exists && !opts.forceRebind) {
     throw new ExitBundleImportError(
       "IDENTITY_OVERWRITE_REFUSED",
-      "Importing this bundle would overwrite an existing fortress public identity. Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
+      "Importing this exit bundle would overwrite an existing fortress public identity (either the same identity already imported, or a different identity is currently active). Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
     );
   }
   if (conflicts.public_identity_exists && opts.forceRebind && identityArtifact) {
@@ -35707,6 +35855,26 @@ async function runExitCommand(args) {
         write(err, "Usage: sanctuary exit import <dir> [--activate]\n");
         return 2;
       }
+      const bundleRoot = path.resolve(dir);
+      try {
+        await promises.access(bundleRoot);
+      } catch {
+        write(err, `Error: bundle directory not found: ${bundleRoot}
+`);
+        return 1;
+      }
+      const manifestPath = path.join(bundleRoot, "manifest.json");
+      try {
+        const raw = await promises.readFile(manifestPath, "utf8");
+        JSON.parse(raw);
+      } catch {
+        write(
+          err,
+          `Error: bundle manifest missing or malformed at ${manifestPath}
+`
+        );
+        return 1;
+      }
       const activate = hasFlag(argv, "--activate");
       const forceRebind = hasFlag(argv, "--force-rebind");
       const acceptUnverifiableAttestations = hasFlag(
@@ -35880,11 +36048,11 @@ async function startDashboardServer(options) {
       }
     }
   });
-  await new Promise((resolve6, reject) => {
+  await new Promise((resolve8, reject) => {
     server.once("error", reject);
     server.listen(port, host, () => {
       server.off("error", reject);
-      resolve6();
+      resolve8();
     });
   });
   const actualPort = (() => {
@@ -35897,8 +36065,8 @@ async function startDashboardServer(options) {
     url,
     port: actualPort,
     host,
-    stop: () => new Promise((resolve6, reject) => {
-      server.close((err) => err ? reject(err) : resolve6());
+    stop: () => new Promise((resolve8, reject) => {
+      server.close((err) => err ? reject(err) : resolve8());
     }),
     publish,
     publishActivity: (entry) => publish({ type: "activity", data: entry }),
@@ -36571,7 +36739,7 @@ Refusing to start the cocoon while the reset-history marker is unreadable.`
       clientManager.configure(enabledServers).catch((err) => {
         console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
       });
-      await new Promise((resolve6) => setTimeout(resolve6, 2e3));
+      await new Promise((resolve8) => setTimeout(resolve8, 2e3));
       const proxiedTools = proxyRouter.getProxiedTools();
       if (proxiedTools.length > 0) {
         allTools.push(...proxiedTools);
@@ -37410,8 +37578,8 @@ async function runWrap(options, deps = {}) {
     passphraseValue = process.env.SANCTUARY_PASSPHRASE;
   } else {
     try {
-      const resolve6 = deps.resolvePassphrase ?? (() => getOrCreatePassphrase({ storagePath }));
-      const resolved = await resolve6();
+      const resolve8 = deps.resolvePassphrase ?? (() => getOrCreatePassphrase({ storagePath }));
+      const resolved = await resolve8();
       passphraseLocation = resolved.location;
       passphraseSource = resolved.source;
       passphraseValue = resolved.value;
@@ -37766,12 +37934,12 @@ async function defaultOpenBrowser(url) {
     cmd = "xdg-open";
     args = [url];
   }
-  await new Promise((resolve6) => {
+  await new Promise((resolve8) => {
     const child = child_process.spawn(cmd, args, { stdio: "ignore", detached: true });
-    child.on("error", () => resolve6());
+    child.on("error", () => resolve8());
     child.on("spawn", () => {
       child.unref();
-      resolve6();
+      resolve8();
     });
   });
 }
@@ -38740,32 +38908,32 @@ endstream`;
         const offsets = new Array(totalObjects + 1).fill(0);
         const chunks = [];
         let bytePos = 0;
-        const write2 = (s) => {
+        const write3 = (s) => {
           const buf = Buffer.from(s, "latin1");
           chunks.push(buf);
           bytePos += buf.length;
         };
-        write2("%PDF-1.4\n%\xE2\xE3\xCF\xD3\n");
+        write3("%PDF-1.4\n%\xE2\xE3\xCF\xD3\n");
         for (let i = 1; i <= totalObjects; i++) {
           offsets[i] = bytePos;
-          write2(`${i} 0 obj
+          write3(`${i} 0 obj
 ${objectBodies[i]}
 endobj
 `);
         }
         const xrefPos = bytePos;
-        write2(`xref
+        write3(`xref
 0 ${totalObjects + 1}
 `);
-        write2("0000000000 65535 f \n");
+        write3("0000000000 65535 f \n");
         for (let i = 1; i <= totalObjects; i++) {
-          write2(`${offsets[i].toString().padStart(10, "0")} 00000 n 
+          write3(`${offsets[i].toString().padStart(10, "0")} 00000 n 
 `);
         }
-        write2(`trailer
+        write3(`trailer
 << /Size ${totalObjects + 1} /Root 1 0 R >>
 `);
-        write2(`startxref
+        write3(`startxref
 ${xrefPos}
 %%EOF
 `);
@@ -39100,7 +39268,7 @@ var init_backend_interface = __esm({
   }
 });
 async function runSecurity(args, input) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve8, reject) => {
     const child = child_process.spawn(SECURITY_BIN, args, { stdio: ["pipe", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
@@ -39122,7 +39290,7 @@ async function runSecurity(args, input) {
       reject(err);
     });
     child.on("close", (code) => {
-      resolve6({ stdout, stderr, code: code ?? -1 });
+      resolve8({ stdout, stderr, code: code ?? -1 });
     });
     if (input !== void 0) {
       child.stdin.write(input);
@@ -40198,7 +40366,7 @@ async function readValue(stdin, prompt2) {
   return await readFirstLine(stdin);
 }
 async function readFirstLine(stdin) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve8, reject) => {
     const rl = readline.createInterface({ input: stdin });
     let resolved = false;
     const finish = (value) => {
@@ -40209,7 +40377,7 @@ async function readFirstLine(stdin) {
         rl.close();
       } catch {
       }
-      resolve6(value);
+      resolve8(value);
     };
     const deadline = setTimeout(() => {
       finish("");
@@ -40228,7 +40396,7 @@ async function promptSilently(stdin, prompt2) {
   process.stderr.write(`${prompt2}: `);
   stdin.setRawMode?.(true);
   stdin.resume();
-  return await new Promise((resolve6) => {
+  return await new Promise((resolve8) => {
     let buf = "";
     const onData = (chunk) => {
       const s = chunk.toString("utf8");
@@ -40238,7 +40406,7 @@ async function promptSilently(stdin, prompt2) {
           stdin.pause();
           stdin.off("data", onData);
           process.stderr.write("\n");
-          resolve6(buf);
+          resolve8(buf);
           return;
         }
         if (ch === "") {
@@ -40505,13 +40673,179 @@ var init_cli4 = __esm({
     init_discovery();
   }
 });
+
+// src/cli/identity.ts
+var identity_exports2 = {};
+__export(identity_exports2, {
+  runIdentityCommand: () => runIdentityCommand
+});
+function write2(stream, text) {
+  stream.write(text);
+}
+function flagValue2(argv, name) {
+  const index = argv.indexOf(name);
+  if (index === -1) return void 0;
+  return argv[index + 1];
+}
+function hasFlag2(argv, name) {
+  return argv.includes(name);
+}
+function printUsage3(out) {
+  write2(
+    out,
+    `Usage: sanctuary identity <command> [options]
+
+Commands:
+  show           Print the active identity (DID, identity_id, public key).
+
+Options:
+  --fortress <path>   Override the storage path.
+  --passphrase <val>  Passphrase for master-key derivation.
+  --json              Output as JSON.
+  --help, -h          Show this help.
+
+Environment variables:
+  SANCTUARY_PASSPHRASE    Key derivation passphrase.
+  SANCTUARY_STORAGE_PATH  State directory (default: ~/.sanctuary).
+  SANCTUARY_FORTRESS_PATH Operator-friendly alias for STORAGE_PATH.
+  SANCTUARY_RECOVERY_KEY  Recovery key (alternative to passphrase).
+
+Identity data is encrypted at rest. A passphrase or recovery key is
+required to decrypt and display identity information.
+`
+  );
+}
+async function runIdentityCommand(args) {
+  const argv = args.argv;
+  const out = args.out ?? process.stdout;
+  const err = args.err ?? process.stderr;
+  const env = args.env ?? process.env;
+  if (argv.length === 0 || hasFlag2(argv, "--help") || hasFlag2(argv, "-h")) {
+    printUsage3(out);
+    return 0;
+  }
+  const command = argv[0];
+  if (command === "show") {
+    return await cmdShow(argv.slice(1), out, err, env);
+  }
+  write2(err, `Unknown identity command: ${command}
+`);
+  write2(err, `Run "sanctuary identity --help" for usage.
+`);
+  return 2;
+}
+async function cmdShow(argv, out, err, env) {
+  const json = hasFlag2(argv, "--json");
+  const fortressFlag = flagValue2(argv, "--fortress");
+  if (fortressFlag) {
+    process.env.SANCTUARY_STORAGE_PATH = fortressFlag;
+  }
+  const passphrase = flagValue2(argv, "--passphrase") ?? env.SANCTUARY_PASSPHRASE;
+  const recoveryKey = env.SANCTUARY_RECOVERY_KEY;
+  if (!passphrase && !recoveryKey) {
+    write2(
+      err,
+      "Error: sanctuary identity show requires SANCTUARY_PASSPHRASE, --passphrase, or SANCTUARY_RECOVERY_KEY.\n"
+    );
+    return 1;
+  }
+  try {
+    const config = await loadConfig();
+    await promises.mkdir(config.storage_path, { recursive: true, mode: 448 });
+    const stateStoragePath = path.join(config.storage_path, "state");
+    const storage = new FilesystemStorage(stateStoragePath);
+    let masterKey;
+    if (passphrase) {
+      let existingParams;
+      const raw = await storage.read("_meta", "key-params");
+      if (raw)
+        existingParams = JSON.parse(bytesToString(raw));
+      const derived = await deriveMasterKey(passphrase, existingParams);
+      masterKey = derived.key;
+    } else {
+      masterKey = fromBase64url(recoveryKey);
+      if (masterKey.length !== 32) {
+        write2(err, "Error: SANCTUARY_RECOVERY_KEY must decode to 32 bytes.\n");
+        return 1;
+      }
+    }
+    const identityManager = new IdentityManager(storage, masterKey);
+    const loadResult = await identityManager.load();
+    if (loadResult.loaded === 0) {
+      write2(
+        err,
+        loadResult.total > 0 ? "Error: identity files found but none could be decrypted. Wrong passphrase?\n" : "No identities found in this fortress.\n"
+      );
+      return 1;
+    }
+    const primary = identityManager.getDefault();
+    if (!primary) {
+      write2(err, "No primary identity set.\n");
+      return 1;
+    }
+    if (json) {
+      write2(
+        out,
+        JSON.stringify(
+          {
+            identity_id: primary.identity_id,
+            did: primary.did,
+            public_key: primary.public_key,
+            label: primary.label,
+            key_type: primary.key_type,
+            created_at: primary.created_at,
+            storage_path: config.storage_path,
+            total_identities: loadResult.loaded
+          },
+          null,
+          2
+        ) + "\n"
+      );
+    } else {
+      write2(out, `identity_id:      ${primary.identity_id}
+`);
+      write2(out, `did:              ${primary.did}
+`);
+      write2(out, `public_key:       ${primary.public_key}
+`);
+      write2(out, `label:            ${primary.label}
+`);
+      write2(out, `key_type:         ${primary.key_type}
+`);
+      write2(out, `created_at:       ${primary.created_at}
+`);
+      write2(out, `storage_path:     ${config.storage_path}
+`);
+      write2(out, `total_identities: ${loadResult.loaded}
+`);
+    }
+    return 0;
+  } catch (error) {
+    write2(
+      err,
+      error instanceof Error ? `Error: ${error.message}
+` : `Error: ${String(error)}
+`
+    );
+    return 1;
+  }
+}
+var init_identity2 = __esm({
+  "src/cli/identity.ts"() {
+    init_filesystem();
+    init_tools();
+    init_key_derivation();
+    init_encoding();
+    init_config();
+  }
+});
 async function probeTenantDashboard(tenant, options = {}) {
   const rt = tenant.runtime;
   if (!rt) {
     return { running: false, status: null, reason: "no runtime.json" };
   }
   const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS4;
-  return await new Promise((resolve6) => {
+  return await new Promise((resolve8) => {
     const req = http.get(
       {
         host: rt.dashboard_host,
@@ -40523,9 +40857,9 @@ async function probeTenantDashboard(tenant, options = {}) {
         res.resume();
         const status = res.statusCode ?? 0;
         if (status > 0 && status < 500) {
-          resolve6({ running: true, status, reason: null });
+          resolve8({ running: true, status, reason: null });
         } else {
-          resolve6({
+          resolve8({
             running: false,
             status,
             reason: `dashboard returned ${status}`
@@ -40535,10 +40869,10 @@ async function probeTenantDashboard(tenant, options = {}) {
     );
     req.on("timeout", () => {
       req.destroy();
-      resolve6({ running: false, status: null, reason: "timeout" });
+      resolve8({ running: false, status: null, reason: "timeout" });
     });
     req.on("error", (err) => {
-      resolve6({
+      resolve8({
         running: false,
         status: null,
         reason: err.code ?? err.message
@@ -40570,10 +40904,17 @@ function resolveCtx(args) {
   };
 }
 async function runAgentsCommand(args) {
+  const fortressIdx = args.argv.indexOf("--fortress");
+  if (fortressIdx !== -1 && args.argv[fortressIdx + 1]) {
+    args = { ...args, root: args.argv[fortressIdx + 1] };
+    const filtered = [...args.argv];
+    filtered.splice(fortressIdx, 2);
+    args = { ...args, argv: filtered };
+  }
   const ctx = resolveCtx(args);
   const [sub, ...rest] = args.argv;
   if (!sub || sub === "--help" || sub === "-h" || sub === "help") {
-    printUsage3(ctx.out);
+    printUsage4(ctx.out);
     return 0;
   }
   try {
@@ -40581,13 +40922,13 @@ async function runAgentsCommand(args) {
       case "list":
         return await cmdList3(rest, ctx);
       case "show":
-        return await cmdShow(rest, ctx);
+        return await cmdShow2(rest, ctx);
       case "status":
         return await cmdStatus(rest, ctx);
       default:
         ctx.err.write(`Unknown subcommand: ${sub}
 `);
-        printUsage3(ctx.err);
+        printUsage4(ctx.err);
         return 2;
     }
   } catch (e) {
@@ -40597,13 +40938,17 @@ async function runAgentsCommand(args) {
     return 1;
   }
 }
-function printUsage3(s) {
+function printUsage4(s) {
   s.write(`Usage: sanctuary agents <command> [flags]
 
   list [--json]                 List every tenant visible on this host.
   show <tenant> [--json]        Show details for one tenant.
   status [--json]               One-line-per-tenant running/stopped summary.
 
+Options:
+  --fortress <path>             Scope discovery to a specific storage path
+                                instead of scanning ~/.sanctuary.
+
 Tenants are discovered by scanning ~/.sanctuary and any storage paths in
 SANCTUARY_AGENTS_EXTRA_PATHS or ~/.sanctuary/agents-extra.json. Tenant
 creation is done via \`sanctuary wrap\` with SANCTUARY_STORAGE_PATH set.
@@ -40687,7 +41032,7 @@ async function cmdList3(argv, ctx) {
   }
   return 0;
 }
-async function cmdShow(argv, ctx) {
+async function cmdShow2(argv, ctx) {
   const positional = argv.find((a) => !a.startsWith("--"));
   if (!positional) {
     ctx.err.write("Missing tenant. Usage: sanctuary agents show <tenant>\n");
@@ -40838,10 +41183,10 @@ async function runResetPassphraseCommand(args) {
   const plat = args.platformOverride ?? process.platform;
   const parsed = parseArgs2(args.argv);
   if (parsed.help) {
-    printUsage4(out);
+    printUsage5(out);
     return 0;
   }
-  const storagePath = parsed.storage ?? args.storagePath ?? resolveStoragePath(process.env, home);
+  const storagePath = parsed.storage ?? parsed.fortress ?? args.storagePath ?? resolveStoragePath(process.env, home);
   out.write(banner(storagePath));
   const runtimeFile = path.join(storagePath, "runtime.json");
   if (await fileExists4(runtimeFile)) {
@@ -40898,13 +41243,15 @@ function parseArgs2(argv) {
       out.mode = v;
     } else if (a === "--storage" && argv[i + 1]) {
       out.storage = argv[++i];
+    } else if (a === "--fortress" && argv[i + 1]) {
+      out.fortress = argv[++i];
     } else if (a && a.startsWith("--")) {
       throw new Error(`Unknown flag: ${a}`);
     }
   }
   return out;
 }
-function printUsage4(out) {
+function printUsage5(out) {
   out.write(`
 Usage: sanctuary reset-passphrase [options]
 
@@ -40927,9 +41274,9 @@ Recover a fortress whose passphrase has been lost or corrupted. Three modes:
 
 Options:
   --mode <shares|guardian|nuke>   Pick a path non-interactively.
-  --storage <path>                Override the resolved storage path.
-                                  Defaults to SANCTUARY_STORAGE_PATH or
-                                  ~/.sanctuary.
+  --fortress <path>               Override the fortress storage path.
+                                  Consistent with "sanctuary wrap --fortress".
+  --storage <path>                Alias for --fortress.
   --help, -h                      Show this help.
 
 Without --mode, the command surveys which paths are operationally available
@@ -41200,7 +41547,7 @@ async function prompt(lines, err, question) {
   return await lines.next();
 }
 async function defaultExec2(cmd, args) {
-  return await new Promise((resolve6, reject) => {
+  return await new Promise((resolve8, reject) => {
     const child = child_process.spawn(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
@@ -41211,7 +41558,7 @@ async function defaultExec2(cmd, args) {
       stderr += d.toString();
     });
     child.on("error", reject);
-    child.on("close", (code) => resolve6({ stdout, stderr, code }));
+    child.on("close", (code) => resolve8({ stdout, stderr, code }));
   });
 }
 var LineReader;
@@ -41247,8 +41594,8 @@ var init_reset_passphrase = __esm({
           return Promise.resolve(this.queue.shift());
         }
         if (this.closed) return Promise.resolve("");
-        return new Promise((resolve6) => {
-          this.waiters.push(resolve6);
+        return new Promise((resolve8) => {
+          this.waiters.push(resolve8);
         });
       }
       close() {
@@ -41647,11 +41994,11 @@ async function startMultiDashboardServer(options = {}) {
       }
     }
   });
-  await new Promise((resolve6, reject) => {
+  await new Promise((resolve8, reject) => {
     server.once("error", reject);
     server.listen(port, host, () => {
       server.off("error", reject);
-      resolve6();
+      resolve8();
     });
   });
   const addr = server.address();
@@ -41660,8 +42007,8 @@ async function startMultiDashboardServer(options = {}) {
     url: `http://${host}:${actualPort}`,
     port: actualPort,
     host,
-    stop: () => new Promise((resolve6, reject) => {
-      server.close((err) => err ? reject(err) : resolve6());
+    stop: () => new Promise((resolve8, reject) => {
+      server.close((err) => err ? reject(err) : resolve8());
     })
   };
 }
@@ -42061,7 +42408,7 @@ function formatUpdateMessage(current, latest) {
   return `[Sanctuary] Update available: ${current} \u2192 ${latest}. Run: npx @sanctuary-framework/mcp-server@latest`;
 }
 function fetchLatestVersion(currentVersion) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve8) => {
     const req = https.get(
       REGISTRY_URL,
       {
@@ -42071,7 +42418,7 @@ function fetchLatestVersion(currentVersion) {
       (res) => {
         if (res.statusCode !== 200) {
           res.resume();
-          resolve6(null);
+          resolve8(null);
           return;
         }
         let data = "";
@@ -42080,7 +42427,7 @@ function fetchLatestVersion(currentVersion) {
           data += chunk;
           if (data.length > 32768) {
             res.destroy();
-            resolve6(null);
+            resolve8(null);
           }
         });
         res.on("end", () => {
@@ -42088,20 +42435,20 @@ function fetchLatestVersion(currentVersion) {
             const json = JSON.parse(data);
             const latest = json.version;
             if (typeof latest === "string" && isNewerVersion(currentVersion, latest)) {
-              resolve6(latest);
+              resolve8(latest);
             } else {
-              resolve6(null);
+              resolve8(null);
             }
           } catch {
-            resolve6(null);
+            resolve8(null);
           }
         });
       }
     );
-    req.on("error", () => resolve6(null));
+    req.on("error", () => resolve8(null));
     req.on("timeout", () => {
       req.destroy();
-      resolve6(null);
+      resolve8(null);
     });
   });
 }
@@ -42179,6 +42526,11 @@ async function main() {
     const code = await runTemplateCommand2({ argv: args.slice(1) });
     process.exit(code);
   }
+  if (args[0] === "identity") {
+    const { runIdentityCommand: runIdentityCommand2 } = await Promise.resolve().then(() => (init_identity2(), identity_exports2));
+    const code = await runIdentityCommand2({ argv: args.slice(1) });
+    process.exit(code);
+  }
   if (args[0] === "agents") {
     const { runAgentsCommand: runAgentsCommand2 } = await Promise.resolve().then(() => (init_agents(), agents_exports));
     const code = await runAgentsCommand2({ argv: args.slice(1) });
@@ -42400,6 +42752,9 @@ Subcommands:
                        Use "sanctuary dashboard --help" for options.
                        Pass --multi to render the multi-tenant overview.
 
+  identity             Inspect the active identity (DID, public key).
+                       Use "sanctuary identity --help" for options.
+
   template             Manage policy templates (list, init).
                        Use "sanctuary template --help" for options.