npm - @sanctuary-framework/mcp-server - Versions diffs - 1.2.2 → 1.2.3 - Mend

@sanctuary-framework/mcp-server 1.2.2 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.cjs CHANGED Viewed

@@ -4443,13 +4443,23 @@ function parseScalar(value) {
   return value.replace(/^["']|["']$/g, "");
 }
 function validatePolicy(raw) {
+  if (!("tier1_always_approve" in raw)) {
+    throw new Error(
+      "Policy file must include 'tier1_always_approve' as an explicit list (use [] for empty). Remove specific entries instead of removing the whole key."
+    );
+  }
+  if (!("approval_channel" in raw)) {
+    throw new Error(
+      "Policy file must include 'approval_channel' as an explicit object (use {} for defaults). Remove specific entries instead of removing the whole key."
+    );
+  }
   const userTier3 = raw.tier3_always_allow ?? [];
   const mergedTier3 = [
     .../* @__PURE__ */ new Set([...userTier3, ...DEFAULT_POLICY.tier3_always_allow])
   ];
   return {
     version: raw.version ?? 1,
-    tier1_always_approve: raw.tier1_always_approve ?? DEFAULT_POLICY.tier1_always_approve,
+    tier1_always_approve: raw.tier1_always_approve,
     tier2_anomaly: {
       ...DEFAULT_TIER2,
       ...raw.tier2_anomaly ?? {}
@@ -4470,6 +4480,11 @@ function generateDefaultPolicyYaml() {
 # This file controls what your agent can do without asking.
 # Edit this file directly. Your agent cannot modify it.
 # Changes take effect on server restart.
+#
+# Required keys (must be present; use [] or {} for empty):
+#   tier1_always_approve, approval_channel
+# Optional keys (omit to use defaults; new defaults merge automatically):
+#   tier2_anomaly, tier3_always_allow
 version: 1
@@ -11120,10 +11135,11 @@ function initTemplate(params) {
 var DEFAULT_STORAGE_DIR = ".sanctuary";
 var KEYCHAIN_SERVICE_DEFAULT = "sanctuary-passphrase";
 function keychainServiceFor(storagePath, home = os.homedir()) {
-  const defaultPath = path.join(home, DEFAULT_STORAGE_DIR);
-  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
-  const digest = sha256.sha256(Buffer.from(storagePath, "utf-8"));
-  const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
+  const defaultPath = path.resolve(path.join(home, DEFAULT_STORAGE_DIR));
+  const canonicalStorage = path.resolve(storagePath);
+  if (canonicalStorage === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256.sha256(Buffer.from(canonicalStorage, "utf-8"));
+  const suffix = Buffer.from(digest).toString("hex").slice(0, 16);
   return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
 }
 var RUNTIME_FILE_NAME = "runtime.json";
@@ -11264,7 +11280,7 @@ async function discoverTenants(options = {}) {
   for (const child of children) {
     const childPath = path.join(root, child);
     if (child.startsWith(".")) continue;
-    if (child === "state" || child === "backup" || child === "config") continue;
+    if (child === "state" || child === "backup" || child === "config" || child === "default") continue;
     const s = await promises.stat(childPath).catch(() => null);
     if (!s || !s.isDirectory()) continue;
     const desc = await describeTenant(child, childPath, home);
@@ -11276,6 +11292,17 @@ async function discoverTenants(options = {}) {
     const desc = await describeTenant(path.basename(extra), extra, home);
     if (desc) tenants.push(desc);
   }
+  const seen = /* @__PURE__ */ new Map();
+  for (const t of tenants) {
+    seen.set(t.name, (seen.get(t.name) ?? 0) + 1);
+  }
+  for (const [name, count] of seen) {
+    if (count > 1) {
+      console.error(
+        `[sanctuary] warning: ${count} tenants share the name "${name}". Use --tenant with a unique name or storage path to disambiguate.`
+      );
+    }
+  }
   tenants.sort((a, b) => {
     if (a.name === "default") return -1;
     if (b.name === "default") return 1;
@@ -15644,6 +15671,8 @@ var IntelligenceRouterError = class extends Error {
     this.code = code;
     this.name = "IntelligenceRouterError";
   }
+  statusCode;
+  code;
 };
 function writeJSON3(res, status, payload) {
   res.writeHead(status, {
@@ -16227,7 +16256,7 @@ var DashboardApprovalChannel = class {
       server = http.createServer(handler);
     }
     this.httpServer = server;
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       const protocol = this.useTLS ? "https" : "http";
       const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
       server.listen(this.config.port, this.config.host, () => {
@@ -16252,7 +16281,7 @@ var DashboardApprovalChannel = class {
         if (shouldAutoOpen) {
           this.openInBrowser(sessionUrl);
         }
-        resolve4();
+        resolve6();
       });
       server.on("error", (err) => {
         if (err.code === "EADDRINUSE") {
@@ -16298,8 +16327,8 @@ var DashboardApprovalChannel = class {
     }
     this.rateLimits.clear();
     if (this.httpServer) {
-      return new Promise((resolve4) => {
-        this.httpServer.close(() => resolve4());
+      return new Promise((resolve6) => {
+        this.httpServer.close(() => resolve6());
       });
     }
   }
@@ -16313,7 +16342,7 @@ var DashboardApprovalChannel = class {
       `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) \u2014 open dashboard to respond
 `
     );
-    return new Promise((resolve4) => {
+    return new Promise((resolve6) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -16327,12 +16356,12 @@ var DashboardApprovalChannel = class {
           decision: response.decision,
           decided_by: "timeout"
         });
-        resolve4(response);
+        resolve6(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve: resolve4,
+        resolve: resolve6,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -17193,7 +17222,7 @@ var WebhookApprovalChannel = class {
    * Start the callback listener server.
    */
   async start() {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       this.callbackServer = http.createServer(
         (req, res) => this.handleCallback(req, res)
       );
@@ -17208,7 +17237,7 @@ var WebhookApprovalChannel = class {
 `
           );
-          resolve4();
+          resolve6();
         }
       );
       this.callbackServer.on("error", reject);
@@ -17228,8 +17257,8 @@ var WebhookApprovalChannel = class {
     }
     this.pending.clear();
     if (this.callbackServer) {
-      return new Promise((resolve4) => {
-        this.callbackServer.close(() => resolve4());
+      return new Promise((resolve6) => {
+        this.callbackServer.close(() => resolve6());
       });
     }
   }
@@ -17242,7 +17271,7 @@ var WebhookApprovalChannel = class {
       `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) \u2014 awaiting callback
 `
     );
-    return new Promise((resolve4) => {
+    return new Promise((resolve6) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -17251,12 +17280,12 @@ var WebhookApprovalChannel = class {
           decided_at: (/* @__PURE__ */ new Date()).toISOString(),
           decided_by: "timeout"
         };
-        resolve4(response);
+        resolve6(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve: resolve4,
+        resolve: resolve6,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -18542,6 +18571,11 @@ var InjectionDetector = class {
   }
 };
+// src/principal-policy/deny-vocabulary.ts
+var AGENT_VISIBLE_DENY_REASONS = {
+  REQUIRES_APPROVAL: "operation requires operator approval",
+  NOT_PERMITTED: "operation not permitted"};
 // src/principal-policy/gate.ts
 var ApprovalGate = class {
   policy;
@@ -18594,10 +18628,16 @@ var ApprovalGate = class {
         });
       }
       if (injectionResult.recommendation === "block") {
+        this.auditLog.append("l2", `gate_injection_block:${operation}`, "system", {
+          tier: 1,
+          operation,
+          injection_confidence: injectionResult.confidence,
+          signal_count: injectionResult.signals.length
+        });
         return {
           allowed: false,
           tier: 1,
-          reason: `Blocked: prompt injection detected in "${operation}" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%)`,
+          reason: AGENT_VISIBLE_DENY_REASONS.NOT_PERMITTED,
           approval_required: false
         };
       }
@@ -18674,7 +18714,7 @@ var ApprovalGate = class {
     this.auditLog.append("l2", `gate_unclassified:${operation}`, "system", {
       tier: 1,
       operation,
-      warning: "Operation is not classified in any policy tier \u2014 defaulting to Tier 1 (require approval)"
+      warning: "Operation is not classified in any policy tier, defaulting to Tier 1 (require approval)"
     });
     return this.requestApproval(
       operation,
@@ -18803,7 +18843,7 @@ var ApprovalGate = class {
     return {
       allowed: response.decision === "approve",
       tier,
-      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : `Tier ${tier} operation requires approval`,
+      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : AGENT_VISIBLE_DENY_REASONS.REQUIRES_APPROVAL,
       approval_required: true,
       approval_response: response
     };
@@ -19373,7 +19413,11 @@ init_identity();
 init_encoding();
 init_random();
 function generateNonce() {
-  return toBase64url(randomBytes(32));
+  const nonce = randomBytes(32);
+  if (!nonce || nonce.length !== 32) {
+    throw new Error("Nonce generation failed: randomBytes returned unexpected length");
+  }
+  return toBase64url(nonce);
 }
 function initiateHandshake(ourSHR) {
   const nonce = generateNonce();
@@ -19484,6 +19528,18 @@ function completeHandshake(response, session, identityManager, masterKey, identi
   return { completion, result };
 }
 function verifyCompletion(completion, session) {
+  if (completion.protocol_version !== "1.0") {
+    return {
+      counterparty_id: "unknown",
+      counterparty_shr: session.our_shr,
+      verified: false,
+      sovereignty_level: "unverified",
+      trust_tier: "unverified",
+      completed_at: completion.completed_at,
+      expires_at: (/* @__PURE__ */ new Date()).toISOString(),
+      errors: [`Unsupported protocol version: ${completion.protocol_version}`]
+    };
+  }
   const errors = [];
   if (!session.their_shr) {
     return {
@@ -21585,6 +21641,9 @@ Inspect the file and either correct the JSON or delete it manually before re-run
     this.cause = cause;
     this.name = "ResetHistoryMalformedError";
   }
+  markerPath;
+  lineNumber;
+  cause;
 };
 function parseResetHistory(content, markerPath) {
   const markerHash = hashToString(stringToBytes(content));
@@ -23826,7 +23885,7 @@ async function runOpenAIPrivacyFilter(text, config) {
   return parsed;
 }
 function runCommand(command, input, timeoutMs) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const child = child_process.spawn(command, [], {
       stdio: ["pipe", "pipe", "pipe"],
       shell: false
@@ -23857,7 +23916,7 @@ function runCommand(command, input, timeoutMs) {
         ));
         return;
       }
-      resolve4(stdout);
+      resolve6(stdout);
     });
     child.stdin.end(input);
   });
@@ -25678,13 +25737,13 @@ var ProxyRouter = class {
    * Call an upstream tool with a timeout.
    */
   async callWithTimeout(serverName, toolName, args, timeoutMs) {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       const timer = setTimeout(() => {
         reject(new Error(`Upstream tool call timed out after ${timeoutMs}ms`));
       }, timeoutMs);
       this.clientManager.callTool(serverName, toolName, args).then((result) => {
         clearTimeout(timer);
-        resolve4(result);
+        resolve6(result);
       }).catch((err) => {
         clearTimeout(timer);
         reject(err);
@@ -30731,6 +30790,33 @@ var CONCIERGE_THREAD_KEY = "_fortress";
 // src/chat/operator-chat-service.ts
 var DEFAULT_CONCIERGE_MAX_TOKENS = 512;
+var SANCTUARY_DOMAIN_REFERENCE = `Castle Architecture (four enforcement layers):
+1. Castle Wall: OS-boundary egress filter enforced at the kernel level. Blocks unauthorized outbound calls even from prompt-injected agents.
+2. Sentinels: internal observation via process introspection. Surfaces anomalies to the operator; does not enforce.
+3. Charter (Cooperative MCP): the sovereignty surface for compliant agents. Policy gates, approval tiers, audit logging, and encrypted state all live here.
+4. Heralds: Concordia receipts and Verascore reputation. Cross-fortress accountability after an action completes.
+Five channel templates (canonical names):
+- request-approve-act: agent proposes an action, operator approves or denies before execution.
+- read-then-report: agent reads outputs from a data source and reports summaries to the operator.
+- scheduled-digest: agent runs on a schedule and delivers a periodic digest.
+- plan-draft-only: agent drafts plans; operator reviews before any execution step.
+- fortress-relay: agent relays messages between fortresses under operator-scoped policy.
+Four canonical policy slots:
+- memory: governs what the agent may persist and retrieve from encrypted state.
+- credentials: governs access to secrets, API keys, and tokens held in the broker.
+- plans: governs the agent's ability to create, modify, or execute plans.
+- outputs: governs what the agent may emit to external surfaces (files, APIs, messages).
+Key concepts:
+- Fortress: the operator-owned sovereignty harness. All state is encrypted at rest under the cocoon.
+- Cocoon: master-key-wrapped storage derived from the operator's passphrase via Argon2id.
+- Identity: Ed25519 keypair with a DID, owned by the operator. Private keys never leave the cocoon.
+- Audit log: append-only encrypted blobs, sequential, recording every gate decision and tool call.
+- Wrapped agent: any agent runtime that connects to Sanctuary as an MCP client. Tier A (native), Tier B (adapter-wrapped), Tier C (escape hatch).
+Note: this is a static reference block (v1.2.x). Dynamic context injection (live template list, policy schema) ships in v1.3.`;
 var OperatorChatService = class {
   store;
   auditLog;
@@ -30875,6 +30961,9 @@ var OperatorChatService = class {
    * than nested structures. Format:
    *
    *   ```
+   *   ## Sanctuary reference
+   *   <static domain reference block>
+   *
    *   ## Recent activity
    *   <recentActivity output>
    *
@@ -30886,15 +30975,28 @@ var OperatorChatService = class {
    *   ```
    */
   async assembleConciergeContext() {
+    const ref = `## Sanctuary reference
+${SANCTUARY_DOMAIN_REFERENCE}`;
     if (!this.contextProviders) {
-      return "## Recent activity\n(no providers wired)\n\n## Wrapped agents\n(no providers wired)\n\n## Open inbox\n(no providers wired)";
+      return `${ref}
+## Recent activity
+(no providers wired)
+## Wrapped agents
+(no providers wired)
+## Open inbox
+(no providers wired)`;
     }
     const [activity, agents, inbox] = await Promise.all([
       this.contextProviders.recentActivity(),
       this.contextProviders.agentInventory(),
       this.contextProviders.openInbox()
     ]);
-    return `## Recent activity
+    return `${ref}
+## Recent activity
 ${activity}
 ## Wrapped agents
@@ -33999,6 +34101,9 @@ async function importExitBundle(opts) {
     reputationArtifact?.json ?? null,
     manifest
   );
+  if (!conflicts.public_identity_exists && identityArtifact?.json && opts.identityManager.getPrimaryIdentityId() !== null && opts.identityManager.getPrimaryIdentityId() !== identityArtifact.json.bundle.identity_id) {
+    conflicts.public_identity_exists = true;
+  }
   if (!opts.activate) {
     return {
       verified: true,
@@ -34025,7 +34130,7 @@ async function importExitBundle(opts) {
   if (conflicts.public_identity_exists && !opts.forceRebind) {
     throw new ExitBundleImportError(
       "IDENTITY_OVERWRITE_REFUSED",
-      "Importing this bundle would overwrite an existing fortress public identity. Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
+      "Importing this exit bundle would overwrite an existing fortress public identity (either the same identity already imported, or a different identity is currently active). Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
     );
   }
   if (conflicts.public_identity_exists && opts.forceRebind && identityArtifact) {
@@ -34383,6 +34488,26 @@ async function runExitCommand(args) {
         write(err, "Usage: sanctuary exit import <dir> [--activate]\n");
         return 2;
       }
+      const bundleRoot = path.resolve(dir);
+      try {
+        await promises.access(bundleRoot);
+      } catch {
+        write(err, `Error: bundle directory not found: ${bundleRoot}
+`);
+        return 1;
+      }
+      const manifestPath = path.join(bundleRoot, "manifest.json");
+      try {
+        const raw = await promises.readFile(manifestPath, "utf8");
+        JSON.parse(raw);
+      } catch {
+        write(
+          err,
+          `Error: bundle manifest missing or malformed at ${manifestPath}
+`
+        );
+        return 1;
+      }
       const activate = hasFlag(argv, "--activate");
       const forceRebind = hasFlag(argv, "--force-rebind");
       const acceptUnverifiableAttestations = hasFlag(
@@ -34523,11 +34648,11 @@ async function startDashboardServer(options) {
       }
     }
   });
-  await new Promise((resolve4, reject) => {
+  await new Promise((resolve6, reject) => {
     server.once("error", reject);
     server.listen(port, host, () => {
       server.off("error", reject);
-      resolve4();
+      resolve6();
     });
   });
   const actualPort = (() => {
@@ -34540,8 +34665,8 @@ async function startDashboardServer(options) {
     url,
     port: actualPort,
     host,
-    stop: () => new Promise((resolve4, reject) => {
-      server.close((err) => err ? reject(err) : resolve4());
+    stop: () => new Promise((resolve6, reject) => {
+      server.close((err) => err ? reject(err) : resolve6());
     }),
     publish,
     publishActivity: (entry) => publish({ type: "activity", data: entry }),
@@ -35199,7 +35324,7 @@ Refusing to start the cocoon while the reset-history marker is unreadable.`
       clientManager.configure(enabledServers).catch((err) => {
         console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
       });
-      await new Promise((resolve4) => setTimeout(resolve4, 2e3));
+      await new Promise((resolve6) => setTimeout(resolve6, 2e3));
       const proxiedTools = proxyRouter.getProxiedTools();
       if (proxiedTools.length > 0) {
         allTools.push(...proxiedTools);