@sanctuary-framework/mcp-server 1.2.2 → 1.2.3

package/dist/index.d.cts

@@ -5181,6 +5181,9 @@ declare class OperatorChatService {
      * than nested structures. Format:
      *
      *   ```
+     *   ## Sanctuary reference
+     *   <static domain reference block>
+     *
      *   ## Recent activity
      *   <recentActivity output>
      *

package/dist/index.d.ts

@@ -5181,6 +5181,9 @@ declare class OperatorChatService {
      * than nested structures. Format:
      *
      *   ```
+     *   ## Sanctuary reference
+     *   <static domain reference block>
+     *
      *   ## Recent activity
      *   <recentActivity output>
      *

package/dist/index.js

@@ -3,7 +3,7 @@ import { gcm } from '@noble/ciphers/aes.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { RistrettoPoint, ed25519 } from '@noble/curves/ed25519';
-import { readFile, mkdir, writeFile, stat, unlink, readdir, chmod, lstat, realpath, rm, access, constants } from 'fs/promises';
+import { readFile, mkdir, writeFile, stat, unlink, readdir, chmod, lstat, access, realpath, rm, constants } from 'fs/promises';
 import { join, resolve, dirname, sep, basename } from 'path';
 import os, { platform, homedir } from 'os';
 import { createRequire } from 'module';
@@ -4436,13 +4436,23 @@ function parseScalar(value) {
   return value.replace(/^["']|["']$/g, "");
 }
 function validatePolicy(raw) {
+  if (!("tier1_always_approve" in raw)) {
+    throw new Error(
+      "Policy file must include 'tier1_always_approve' as an explicit list (use [] for empty). Remove specific entries instead of removing the whole key."
+    );
+  }
+  if (!("approval_channel" in raw)) {
+    throw new Error(
+      "Policy file must include 'approval_channel' as an explicit object (use {} for defaults). Remove specific entries instead of removing the whole key."
+    );
+  }
   const userTier3 = raw.tier3_always_allow ?? [];
   const mergedTier3 = [
     .../* @__PURE__ */ new Set([...userTier3, ...DEFAULT_POLICY.tier3_always_allow])
   ];
   return {
     version: raw.version ?? 1,
-    tier1_always_approve: raw.tier1_always_approve ?? DEFAULT_POLICY.tier1_always_approve,
+    tier1_always_approve: raw.tier1_always_approve,
     tier2_anomaly: {
       ...DEFAULT_TIER2,
       ...raw.tier2_anomaly ?? {}
@@ -4463,6 +4473,11 @@ function generateDefaultPolicyYaml() {
 # This file controls what your agent can do without asking.
 # Edit this file directly. Your agent cannot modify it.
 # Changes take effect on server restart.
+#
+# Required keys (must be present; use [] or {} for empty):
+#   tier1_always_approve, approval_channel
+# Optional keys (omit to use defaults; new defaults merge automatically):
+#   tier2_anomaly, tier3_always_allow
 
 version: 1
 
@@ -11113,10 +11128,11 @@ function initTemplate(params) {
 var DEFAULT_STORAGE_DIR = ".sanctuary";
 var KEYCHAIN_SERVICE_DEFAULT = "sanctuary-passphrase";
 function keychainServiceFor(storagePath, home = homedir()) {
-  const defaultPath = join(home, DEFAULT_STORAGE_DIR);
-  if (storagePath === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
-  const digest = sha256(Buffer.from(storagePath, "utf-8"));
-  const suffix = Buffer.from(digest).toString("hex").slice(0, 12);
+  const defaultPath = resolve(join(home, DEFAULT_STORAGE_DIR));
+  const canonicalStorage = resolve(storagePath);
+  if (canonicalStorage === defaultPath) return KEYCHAIN_SERVICE_DEFAULT;
+  const digest = sha256(Buffer.from(canonicalStorage, "utf-8"));
+  const suffix = Buffer.from(digest).toString("hex").slice(0, 16);
   return `${KEYCHAIN_SERVICE_DEFAULT}-${suffix}`;
 }
 var RUNTIME_FILE_NAME = "runtime.json";
@@ -11257,7 +11273,7 @@ async function discoverTenants(options = {}) {
   for (const child of children) {
     const childPath = join(root, child);
     if (child.startsWith(".")) continue;
-    if (child === "state" || child === "backup" || child === "config") continue;
+    if (child === "state" || child === "backup" || child === "config" || child === "default") continue;
     const s = await stat(childPath).catch(() => null);
     if (!s || !s.isDirectory()) continue;
     const desc = await describeTenant(child, childPath, home);
@@ -11269,6 +11285,17 @@ async function discoverTenants(options = {}) {
     const desc = await describeTenant(basename(extra), extra, home);
     if (desc) tenants.push(desc);
   }
+  const seen = /* @__PURE__ */ new Map();
+  for (const t of tenants) {
+    seen.set(t.name, (seen.get(t.name) ?? 0) + 1);
+  }
+  for (const [name, count] of seen) {
+    if (count > 1) {
+      console.error(
+        `[sanctuary] warning: ${count} tenants share the name "${name}". Use --tenant with a unique name or storage path to disambiguate.`
+      );
+    }
+  }
   tenants.sort((a, b) => {
     if (a.name === "default") return -1;
     if (b.name === "default") return 1;
@@ -15637,6 +15664,8 @@ var IntelligenceRouterError = class extends Error {
     this.code = code;
     this.name = "IntelligenceRouterError";
   }
+  statusCode;
+  code;
 };
 function writeJSON3(res, status, payload) {
   res.writeHead(status, {
@@ -16220,7 +16249,7 @@ var DashboardApprovalChannel = class {
       server = createServer$2(handler);
     }
     this.httpServer = server;
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       const protocol = this.useTLS ? "https" : "http";
       const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;
       server.listen(this.config.port, this.config.host, () => {
@@ -16245,7 +16274,7 @@ var DashboardApprovalChannel = class {
         if (shouldAutoOpen) {
           this.openInBrowser(sessionUrl);
         }
-        resolve4();
+        resolve6();
       });
       server.on("error", (err) => {
         if (err.code === "EADDRINUSE") {
@@ -16291,8 +16320,8 @@ var DashboardApprovalChannel = class {
     }
     this.rateLimits.clear();
     if (this.httpServer) {
-      return new Promise((resolve4) => {
-        this.httpServer.close(() => resolve4());
+      return new Promise((resolve6) => {
+        this.httpServer.close(() => resolve6());
       });
     }
   }
@@ -16306,7 +16335,7 @@ var DashboardApprovalChannel = class {
       `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) \u2014 open dashboard to respond
 `
     );
-    return new Promise((resolve4) => {
+    return new Promise((resolve6) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -16320,12 +16349,12 @@ var DashboardApprovalChannel = class {
           decision: response.decision,
           decided_by: "timeout"
         });
-        resolve4(response);
+        resolve6(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve: resolve4,
+        resolve: resolve6,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -17186,7 +17215,7 @@ var WebhookApprovalChannel = class {
    * Start the callback listener server.
    */
   async start() {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       this.callbackServer = createServer$2(
         (req, res) => this.handleCallback(req, res)
       );
@@ -17201,7 +17230,7 @@ var WebhookApprovalChannel = class {
 
 `
           );
-          resolve4();
+          resolve6();
         }
       );
       this.callbackServer.on("error", reject);
@@ -17221,8 +17250,8 @@ var WebhookApprovalChannel = class {
     }
     this.pending.clear();
     if (this.callbackServer) {
-      return new Promise((resolve4) => {
-        this.callbackServer.close(() => resolve4());
+      return new Promise((resolve6) => {
+        this.callbackServer.close(() => resolve6());
       });
     }
   }
@@ -17235,7 +17264,7 @@ var WebhookApprovalChannel = class {
       `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) \u2014 awaiting callback
 `
     );
-    return new Promise((resolve4) => {
+    return new Promise((resolve6) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         const response = {
@@ -17244,12 +17273,12 @@ var WebhookApprovalChannel = class {
           decided_at: (/* @__PURE__ */ new Date()).toISOString(),
           decided_by: "timeout"
         };
-        resolve4(response);
+        resolve6(response);
       }, this.config.timeout_seconds * 1e3);
       const pending = {
         id,
         request,
-        resolve: resolve4,
+        resolve: resolve6,
         timer,
         created_at: (/* @__PURE__ */ new Date()).toISOString()
       };
@@ -18535,6 +18564,11 @@ var InjectionDetector = class {
   }
 };
 
+// src/principal-policy/deny-vocabulary.ts
+var AGENT_VISIBLE_DENY_REASONS = {
+  REQUIRES_APPROVAL: "operation requires operator approval",
+  NOT_PERMITTED: "operation not permitted"};
+
 // src/principal-policy/gate.ts
 var ApprovalGate = class {
   policy;
@@ -18587,10 +18621,16 @@ var ApprovalGate = class {
         });
       }
       if (injectionResult.recommendation === "block") {
+        this.auditLog.append("l2", `gate_injection_block:${operation}`, "system", {
+          tier: 1,
+          operation,
+          injection_confidence: injectionResult.confidence,
+          signal_count: injectionResult.signals.length
+        });
         return {
           allowed: false,
           tier: 1,
-          reason: `Blocked: prompt injection detected in "${operation}" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%)`,
+          reason: AGENT_VISIBLE_DENY_REASONS.NOT_PERMITTED,
           approval_required: false
         };
       }
@@ -18667,7 +18707,7 @@ var ApprovalGate = class {
     this.auditLog.append("l2", `gate_unclassified:${operation}`, "system", {
       tier: 1,
       operation,
-      warning: "Operation is not classified in any policy tier \u2014 defaulting to Tier 1 (require approval)"
+      warning: "Operation is not classified in any policy tier, defaulting to Tier 1 (require approval)"
     });
     return this.requestApproval(
       operation,
@@ -18796,7 +18836,7 @@ var ApprovalGate = class {
     return {
       allowed: response.decision === "approve",
       tier,
-      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : `Tier ${tier} operation requires approval`,
+      reason: response.decision === "approve" ? `Approved by ${response.decided_by}` : AGENT_VISIBLE_DENY_REASONS.REQUIRES_APPROVAL,
       approval_required: true,
       approval_response: response
     };
@@ -19366,7 +19406,11 @@ init_identity();
 init_encoding();
 init_random();
 function generateNonce() {
-  return toBase64url(randomBytes(32));
+  const nonce = randomBytes(32);
+  if (!nonce || nonce.length !== 32) {
+    throw new Error("Nonce generation failed: randomBytes returned unexpected length");
+  }
+  return toBase64url(nonce);
 }
 function initiateHandshake(ourSHR) {
   const nonce = generateNonce();
@@ -19477,6 +19521,18 @@ function completeHandshake(response, session, identityManager, masterKey, identi
   return { completion, result };
 }
 function verifyCompletion(completion, session) {
+  if (completion.protocol_version !== "1.0") {
+    return {
+      counterparty_id: "unknown",
+      counterparty_shr: session.our_shr,
+      verified: false,
+      sovereignty_level: "unverified",
+      trust_tier: "unverified",
+      completed_at: completion.completed_at,
+      expires_at: (/* @__PURE__ */ new Date()).toISOString(),
+      errors: [`Unsupported protocol version: ${completion.protocol_version}`]
+    };
+  }
   const errors = [];
   if (!session.their_shr) {
     return {
@@ -21578,6 +21634,9 @@ Inspect the file and either correct the JSON or delete it manually before re-run
     this.cause = cause;
     this.name = "ResetHistoryMalformedError";
   }
+  markerPath;
+  lineNumber;
+  cause;
 };
 function parseResetHistory(content, markerPath) {
   const markerHash = hashToString(stringToBytes(content));
@@ -23819,7 +23878,7 @@ async function runOpenAIPrivacyFilter(text, config) {
   return parsed;
 }
 function runCommand(command, input, timeoutMs) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const child = spawn(command, [], {
       stdio: ["pipe", "pipe", "pipe"],
       shell: false
@@ -23850,7 +23909,7 @@ function runCommand(command, input, timeoutMs) {
         ));
         return;
       }
-      resolve4(stdout);
+      resolve6(stdout);
     });
     child.stdin.end(input);
   });
@@ -25671,13 +25730,13 @@ var ProxyRouter = class {
    * Call an upstream tool with a timeout.
    */
   async callWithTimeout(serverName, toolName, args, timeoutMs) {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       const timer = setTimeout(() => {
         reject(new Error(`Upstream tool call timed out after ${timeoutMs}ms`));
       }, timeoutMs);
       this.clientManager.callTool(serverName, toolName, args).then((result) => {
         clearTimeout(timer);
-        resolve4(result);
+        resolve6(result);
       }).catch((err) => {
         clearTimeout(timer);
         reject(err);
@@ -30724,6 +30783,33 @@ var CONCIERGE_THREAD_KEY = "_fortress";
 
 // src/chat/operator-chat-service.ts
 var DEFAULT_CONCIERGE_MAX_TOKENS = 512;
+var SANCTUARY_DOMAIN_REFERENCE = `Castle Architecture (four enforcement layers):
+1. Castle Wall: OS-boundary egress filter enforced at the kernel level. Blocks unauthorized outbound calls even from prompt-injected agents.
+2. Sentinels: internal observation via process introspection. Surfaces anomalies to the operator; does not enforce.
+3. Charter (Cooperative MCP): the sovereignty surface for compliant agents. Policy gates, approval tiers, audit logging, and encrypted state all live here.
+4. Heralds: Concordia receipts and Verascore reputation. Cross-fortress accountability after an action completes.
+
+Five channel templates (canonical names):
+- request-approve-act: agent proposes an action, operator approves or denies before execution.
+- read-then-report: agent reads outputs from a data source and reports summaries to the operator.
+- scheduled-digest: agent runs on a schedule and delivers a periodic digest.
+- plan-draft-only: agent drafts plans; operator reviews before any execution step.
+- fortress-relay: agent relays messages between fortresses under operator-scoped policy.
+
+Four canonical policy slots:
+- memory: governs what the agent may persist and retrieve from encrypted state.
+- credentials: governs access to secrets, API keys, and tokens held in the broker.
+- plans: governs the agent's ability to create, modify, or execute plans.
+- outputs: governs what the agent may emit to external surfaces (files, APIs, messages).
+
+Key concepts:
+- Fortress: the operator-owned sovereignty harness. All state is encrypted at rest under the cocoon.
+- Cocoon: master-key-wrapped storage derived from the operator's passphrase via Argon2id.
+- Identity: Ed25519 keypair with a DID, owned by the operator. Private keys never leave the cocoon.
+- Audit log: append-only encrypted blobs, sequential, recording every gate decision and tool call.
+- Wrapped agent: any agent runtime that connects to Sanctuary as an MCP client. Tier A (native), Tier B (adapter-wrapped), Tier C (escape hatch).
+
+Note: this is a static reference block (v1.2.x). Dynamic context injection (live template list, policy schema) ships in v1.3.`;
 var OperatorChatService = class {
   store;
   auditLog;
@@ -30868,6 +30954,9 @@ var OperatorChatService = class {
    * than nested structures. Format:
    *
    *   ```
+   *   ## Sanctuary reference
+   *   <static domain reference block>
+   *
    *   ## Recent activity
    *   <recentActivity output>
    *
@@ -30879,15 +30968,28 @@ var OperatorChatService = class {
    *   ```
    */
   async assembleConciergeContext() {
+    const ref = `## Sanctuary reference
+${SANCTUARY_DOMAIN_REFERENCE}`;
     if (!this.contextProviders) {
-      return "## Recent activity\n(no providers wired)\n\n## Wrapped agents\n(no providers wired)\n\n## Open inbox\n(no providers wired)";
+      return `${ref}
+
+## Recent activity
+(no providers wired)
+
+## Wrapped agents
+(no providers wired)
+
+## Open inbox
+(no providers wired)`;
     }
     const [activity, agents, inbox] = await Promise.all([
       this.contextProviders.recentActivity(),
       this.contextProviders.agentInventory(),
       this.contextProviders.openInbox()
     ]);
-    return `## Recent activity
+    return `${ref}
+
+## Recent activity
 ${activity}
 
 ## Wrapped agents
@@ -33992,6 +34094,9 @@ async function importExitBundle(opts) {
     reputationArtifact?.json ?? null,
     manifest
   );
+  if (!conflicts.public_identity_exists && identityArtifact?.json && opts.identityManager.getPrimaryIdentityId() !== null && opts.identityManager.getPrimaryIdentityId() !== identityArtifact.json.bundle.identity_id) {
+    conflicts.public_identity_exists = true;
+  }
   if (!opts.activate) {
     return {
       verified: true,
@@ -34018,7 +34123,7 @@ async function importExitBundle(opts) {
   if (conflicts.public_identity_exists && !opts.forceRebind) {
     throw new ExitBundleImportError(
       "IDENTITY_OVERWRITE_REFUSED",
-      "Importing this bundle would overwrite an existing fortress public identity. Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
+      "Importing this exit bundle would overwrite an existing fortress public identity (either the same identity already imported, or a different identity is currently active). Pass forceRebind: true (CLI: --force-rebind) to confirm explicit replacement."
     );
   }
   if (conflicts.public_identity_exists && opts.forceRebind && identityArtifact) {
@@ -34376,6 +34481,26 @@ async function runExitCommand(args) {
         write(err, "Usage: sanctuary exit import <dir> [--activate]\n");
         return 2;
       }
+      const bundleRoot = resolve(dir);
+      try {
+        await access(bundleRoot);
+      } catch {
+        write(err, `Error: bundle directory not found: ${bundleRoot}
+`);
+        return 1;
+      }
+      const manifestPath = join(bundleRoot, "manifest.json");
+      try {
+        const raw = await readFile(manifestPath, "utf8");
+        JSON.parse(raw);
+      } catch {
+        write(
+          err,
+          `Error: bundle manifest missing or malformed at ${manifestPath}
+`
+        );
+        return 1;
+      }
       const activate = hasFlag(argv, "--activate");
       const forceRebind = hasFlag(argv, "--force-rebind");
       const acceptUnverifiableAttestations = hasFlag(
@@ -34516,11 +34641,11 @@ async function startDashboardServer(options) {
       }
     }
   });
-  await new Promise((resolve4, reject) => {
+  await new Promise((resolve6, reject) => {
     server.once("error", reject);
     server.listen(port, host, () => {
       server.off("error", reject);
-      resolve4();
+      resolve6();
     });
   });
   const actualPort = (() => {
@@ -34533,8 +34658,8 @@ async function startDashboardServer(options) {
     url,
     port: actualPort,
     host,
-    stop: () => new Promise((resolve4, reject) => {
-      server.close((err) => err ? reject(err) : resolve4());
+    stop: () => new Promise((resolve6, reject) => {
+      server.close((err) => err ? reject(err) : resolve6());
     }),
     publish,
     publishActivity: (entry) => publish({ type: "activity", data: entry }),
@@ -35192,7 +35317,7 @@ Refusing to start the cocoon while the reset-history marker is unreadable.`
       clientManager.configure(enabledServers).catch((err) => {
         console.error(`[Sanctuary] Failed to configure upstream servers: ${err instanceof Error ? err.message : "unknown error"}`);
       });
-      await new Promise((resolve4) => setTimeout(resolve4, 2e3));
+      await new Promise((resolve6) => setTimeout(resolve6, 2e3));
       const proxiedTools = proxyRouter.getProxiedTools();
       if (proxiedTools.length > 0) {
         allTools.push(...proxiedTools);