@glassmkr/crucible 0.7.0 → 0.8.0

package/src/collect/smart.ts

@@ -1,72 +0,0 @@
-import { run } from "../lib/exec.js";
-import { readdirSync } from "fs";
-import type { SmartInfo } from "../lib/types.js";
-
-export async function collectSmart(): Promise<SmartInfo[]> {
-  // Find block devices
-  const devices: string[] = [];
-  try {
-    const entries = readdirSync("/sys/block");
-    for (const entry of entries) {
-      if (entry.startsWith("sd") || entry.startsWith("nvme") || entry.startsWith("hd")) {
-        devices.push(`/dev/${entry}`);
-      }
-    }
-  } catch {
-    return [];
-  }
-
-  const results: SmartInfo[] = [];
-  for (const device of devices) {
-    const output = await run("smartctl", ["--json", "--all", device]);
-    if (!output) continue;
-
-    try {
-      const info = parseSmartctlJson(JSON.parse(output), device);
-      results.push(info);
-    } catch {
-      // Failed to parse, skip this device
-    }
-  }
-
-  return results;
-}
-
-export function parseSmartctlJson(data: Record<string, unknown> & {
-  model_name?: string;
-  model_family?: string;
-  smart_status?: { passed?: boolean };
-  temperature?: { current?: number };
-  power_on_time?: { hours?: number };
-  nvme_smart_health_information_log?: { percentage_used?: number; temperature?: number };
-  ata_smart_attributes?: { table?: Array<{ id?: number; name?: string; raw?: { value?: number } }> };
-}, device: string): SmartInfo {
-  const info: SmartInfo = {
-    device,
-    model: data.model_name || data.model_family || "unknown",
-    health: data.smart_status?.passed ? "PASSED" : "FAILED",
-    temperature_c: data.temperature?.current,
-    power_on_hours: data.power_on_time?.hours,
-  };
-
-  // NVMe specific
-  if (data.nvme_smart_health_information_log) {
-    const nvme = data.nvme_smart_health_information_log;
-    info.percentage_used = nvme.percentage_used;
-    info.temperature_c = nvme.temperature;
-  }
-
-  // SATA specific
-  if (data.ata_smart_attributes?.table) {
-    for (const attr of data.ata_smart_attributes.table) {
-      if (attr.id === 5 || attr.name === "Reallocated_Sector_Ct") {
-        info.reallocated_sectors = attr.raw?.value || 0;
-      }
-      if (attr.id === 197 || attr.name === "Current_Pending_Sector") {
-        info.pending_sectors = attr.raw?.value || 0;
-      }
-    }
-  }
-
-  return info;
-}

package/src/collect/system.ts

@@ -1,32 +0,0 @@
-import { hostname } from "os";
-import { readProcFile } from "../lib/parse.js";
-import { run } from "../lib/exec.js";
-import type { SystemInfo } from "../lib/types.js";
-
-// Matches KEY=value with optional surrounding double quotes. Handles both
-// `ID=ubuntu` and `ID="rocky"` styles found in the wild.
-export function readOsReleaseField(osRelease: string, key: string): string | undefined {
-  const m = osRelease.match(new RegExp(`^${key}=("?)(.+?)\\1$`, "m"));
-  return m ? m[2].toLowerCase() : undefined;
-}
-
-export async function collectSystem(): Promise<SystemInfo> {
-  const osRelease = readProcFile("/etc/os-release") || "";
-  const osName = osRelease.match(/PRETTY_NAME="(.+?)"/)?.[1] || "Unknown";
-  const os_id = readOsReleaseField(osRelease, "ID");
-  const os_id_like = readOsReleaseField(osRelease, "ID_LIKE");
-  const kernel = (await run("uname", ["-r"]))?.trim() || "unknown";
-  const uptimeRaw = readProcFile("/proc/uptime") || "0";
-  const uptimeSeconds = Math.floor(parseFloat(uptimeRaw.split(" ")[0]));
-  const ip = (await run("hostname", ["-I"]))?.trim().split(" ")[0] || "unknown";
-
-  return {
-    hostname: hostname(),
-    ip,
-    os: osName,
-    ...(os_id ? { os_id } : {}),
-    ...(os_id_like ? { os_id_like } : {}),
-    kernel,
-    uptime_seconds: uptimeSeconds,
-  };
-}

package/src/collect/systemd.ts

@@ -1,33 +0,0 @@
-import { run } from "../lib/exec.js";
-
-export interface SystemdData {
-  failed_units: string[];
-  failed_count: number;
-}
-
-// Units commonly in failed state by design or misconfiguration
-const DEFAULT_EXCLUDES = [
-  "systemd-networkd-wait-online.service",
-];
-
-export async function collectSystemd(extraExcludes: string[] = []): Promise<SystemdData> {
-  const output = await run("systemctl", [
-    "list-units", "--type=service", "--state=failed", "--no-legend", "--plain",
-  ]);
-
-  if (!output || output.trim() === "") {
-    return { failed_units: [], failed_count: 0 };
-  }
-
-  const excludes = new Set([...DEFAULT_EXCLUDES, ...extraExcludes]);
-  const units: string[] = [];
-
-  for (const line of output.trim().split("\n")) {
-    const unit = line.trim().split(/\s+/)[0];
-    if (unit && unit.endsWith(".service") && !excludes.has(unit)) {
-      units.push(unit);
-    }
-  }
-
-  return { failed_units: units, failed_count: units.length };
-}

package/src/collect/zfs.ts

@@ -1,66 +0,0 @@
-import { run } from "../lib/exec.js";
-import type { ZfsData, ZfsPool } from "../lib/types.js";
-
-export async function collectZfs(): Promise<ZfsData | null> {
-  // Check if zpool is installed
-  const zpoolPath = await run("which", ["zpool"], 3000);
-  if (!zpoolPath || !zpoolPath.trim()) return null;
-
-  const zpoolStatus = await run("zpool", ["status"], 10000);
-  if (!zpoolStatus || !zpoolStatus.trim()) return null;
-
-  const pools = parseZpoolStatus(zpoolStatus);
-  if (pools.length === 0) return null;
-  return { pools };
-}
-
-export function parseZpoolStatus(zpoolStatus: string): ZfsPool[] {
-  const pools: ZfsPool[] = [];
-  let current: ZfsPool | null = null;
-
-  for (const line of zpoolStatus.split("\n")) {
-    const poolMatch = line.match(/^\s*pool:\s*(.+)/);
-    if (poolMatch) {
-      current = {
-        name: poolMatch[1].trim(),
-        state: "UNKNOWN",
-        errors_text: "",
-      };
-      pools.push(current);
-      continue;
-    }
-
-    if (!current) continue;
-
-    const stateMatch = line.match(/^\s*state:\s*(.+)/);
-    if (stateMatch) {
-      current.state = stateMatch[1].trim();
-      continue;
-    }
-
-    const errorsMatch = line.match(/^\s*errors:\s*(.+)/);
-    if (errorsMatch) {
-      current.errors_text = errorsMatch[1].trim();
-      continue;
-    }
-
-    // Parse scrub info
-    if (line.includes("scan:")) {
-      if (line.includes("none requested")) {
-        current.scrub_never_run = true;
-      } else {
-        const repairMatch = line.match(/scrub repaired (\S+) in .* with (\d+) errors/);
-        if (repairMatch) {
-          current.scrub_repaired = repairMatch[1];
-          current.scrub_errors = parseInt(repairMatch[2]) || 0;
-        }
-        const dateMatch = line.match(/on (.+)$/);
-        if (dateMatch) {
-          current.last_scrub_date = dateMatch[1].trim();
-        }
-      }
-    }
-  }
-
-  return pools;
-}

package/src/config.ts

@@ -1,65 +0,0 @@
-import { readFileSync } from "fs";
-import { parse } from "yaml";
-import { z } from "zod";
-
-const ConfigSchema = z.object({
-  server_name: z.string().default("unnamed-server"),
-  collection: z.object({
-    interval_seconds: z.number().min(60).max(3600).default(300),
-    ipmi: z.boolean().default(true),
-    smart: z.boolean().default(true),
-  }).default({}),
-  forge: z.object({
-    enabled: z.boolean().default(false),
-    url: z.string().default("https://forge.glassmkr.com"),
-    api_key: z.string().default(""),
-    tls_pin: z.string().default(""),
-  }).default({}),
-  thresholds: z.object({
-    ram_percent: z.number().default(90),
-    swap_alert: z.boolean().default(true),
-    disk_percent: z.number().default(85),
-    iowait_percent: z.number().default(20),
-    nvme_wear_percent: z.number().default(85),
-    disk_latency_nvme_ms: z.number().default(50),
-    disk_latency_hdd_ms: z.number().default(200),
-    cpu_temp_warning_c: z.number().default(80),
-    cpu_temp_critical_c: z.number().default(90),
-    interface_utilization_percent: z.number().default(90),
-  }).default({}),
-  channels: z.object({
-    telegram: z.object({
-      enabled: z.boolean().default(false),
-      bot_token: z.string().default(""),
-      chat_id: z.string().default(""),
-    }).default({}),
-    email: z.object({
-      enabled: z.boolean().default(false),
-      to: z.string().default(""),
-    }).default({}),
-    slack: z.object({
-      enabled: z.boolean().default(false),
-      webhook_url: z.string().default(""),
-    }).default({}),
-  }).default({}),
-  prometheus: z.object({
-    enabled: z.boolean().default(false),
-    port: z.number().default(9101),
-  }).default({}),
-});
-
-export type Config = z.infer<typeof ConfigSchema>;
-
-export function loadConfig(path: string): Config {
-  try {
-    const raw = readFileSync(path, "utf-8");
-    const parsed = parse(raw);
-    return ConfigSchema.parse(parsed);
-  } catch (err: any) {
-    if (err.code === "ENOENT") {
-      console.log(`[config] No config file at ${path}, using defaults`);
-      return ConfigSchema.parse({});
-    }
-    throw err;
-  }
-}

package/src/index.ts

@@ -1,233 +0,0 @@
-#!/usr/bin/env node
-
-import { readFileSync } from "node:fs";
-import { fileURLToPath } from "node:url";
-import { dirname, join } from "node:path";
-import { parseCliArgs } from "./cli.js";
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-const PKG_VERSION = (() => {
-  try {
-    const pkg = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf8"));
-    return pkg.version || "0.0.0";
-  } catch {
-    return "0.0.0";
-  }
-})();
-
-// Handle --version, --help, and planned-reboot subcommands before
-// importing collectors, loading config, or starting the Prometheus
-// server. Keeps the CLI responsive even on hosts missing the config
-// file or external tools.
-const { result: cliArgs, output: cliOutput } = parseCliArgs(process.argv.slice(2), PKG_VERSION);
-if (cliArgs.mode === "version" || cliArgs.mode === "help") {
-  console.log(cliOutput);
-  process.exit(0);
-}
-if (cliArgs.mode === "mark-reboot" || cliArgs.mode === "reboot") {
-  const { writeRebootMarker, parseDuration, DEFAULT_TTL_MS } = await import("./lib/reboot-marker.js");
-  const ttlMs = cliArgs.ttl ? parseDuration(cliArgs.ttl) : DEFAULT_TTL_MS;
-  if (ttlMs === null) {
-    console.error(`[mark-reboot] invalid --ttl value: ${cliArgs.ttl}. Use e.g. 10m, 2h, 600s.`);
-    process.exit(2);
-  }
-  try {
-    const { path, expires_at } = writeRebootMarker({
-      reason: cliArgs.reason, ttlMs,
-    });
-    console.log(`[${cliArgs.mode}] marker written: ${path} (expires ${expires_at}${cliArgs.reason ? `, reason: ${cliArgs.reason}` : ""})`);
-  } catch (err: any) {
-    console.error(`[${cliArgs.mode}] failed to write marker: ${err?.message || err}`);
-    console.error(`  Most likely cause: need root privileges to write under /var/lib/crucible/.`);
-    process.exit(1);
-  }
-  if (cliArgs.mode === "reboot") {
-    const { execFileSync } = await import("node:child_process");
-    console.log("[reboot] invoking systemctl reboot");
-    try {
-      execFileSync("systemctl", ["reboot"], { stdio: "inherit" });
-    } catch (err: any) {
-      console.error(`[reboot] systemctl reboot failed: ${err?.message || err}`);
-      process.exit(1);
-    }
-  }
-  process.exit(0);
-}
-
-import { loadConfig } from "./config.js";
-import { checkForUpdates } from "./lib/version-check.js";
-import { startMetricsServer, updateMetrics } from "./metrics-server.js";
-import { collectSystem } from "./collect/system.js";
-import { collectCpu } from "./collect/cpu.js";
-import { collectMemory } from "./collect/memory.js";
-import { collectDisks } from "./collect/disks.js";
-import { collectSmart } from "./collect/smart.js";
-import { collectNetwork } from "./collect/network.js";
-import { collectRaid } from "./collect/raid.js";
-import { collectIpmi } from "./collect/ipmi.js";
-import { collectOsAlerts } from "./collect/os-alerts.js";
-import { evaluateAlerts } from "./alerts/evaluator.js";
-import { updateAlertState } from "./alerts/state.js";
-import { sendTelegram } from "./notify/telegram.js";
-import { sendSlack } from "./notify/slack.js";
-import { sendEmail } from "./notify/email.js";
-import { pushToForge, initForgeAgent } from "./push/forge.js";
-import { collectSecurity, type SecurityData } from "./collect/security.js";
-import { collectZfs } from "./collect/zfs.js";
-import { collectIoErrors } from "./collect/io-errors.js";
-import { collectIoLatency } from "./collect/io-latency.js";
-import { collectConntrack } from "./collect/conntrack.js";
-import { collectSystemd } from "./collect/systemd.js";
-import { collectNtp } from "./collect/ntp.js";
-import { collectFileDescriptors } from "./collect/fd.js";
-import type { Snapshot, IpmiInfo } from "./lib/types.js";
-import { consumeRebootMarker, type PlannedReboot } from "./lib/reboot-marker.js";
-
-// Consume the planned-reboot marker once at startup. If the operator ran
-// `crucible-agent mark-reboot` / `reboot` before this boot, the marker
-// exists, we flag it on the first snapshot, and we delete the file (so
-// subsequent snapshots don't keep claiming the reboot was planned).
-const plannedRebootFlag: PlannedReboot | null = consumeRebootMarker();
-if (plannedRebootFlag) {
-  console.log(`[collector] Planned reboot acknowledged${plannedRebootFlag.reason ? `: ${plannedRebootFlag.reason}` : ""}`);
-}
-let plannedRebootConsumed = false;
-
-const config = loadConfig(cliArgs.configPath);
-
-console.log(`[collector] Starting. Server: ${config.server_name}. Interval: ${config.collection.interval_seconds}s`);
-console.log(`[collector] IPMI: ${config.collection.ipmi ? "enabled" : "disabled"}, SMART: ${config.collection.smart ? "enabled" : "disabled"}`);
-console.log(`[collector] Forge: ${config.forge.enabled ? config.forge.url : "disabled"}`);
-console.log(`[collector] Prometheus: ${config.prometheus.enabled ? `:${config.prometheus.port}/metrics` : "disabled"}`);
-
-// Start Prometheus metrics server if enabled
-if (config.prometheus.enabled) {
-  startMetricsServer(config.prometheus.port);
-}
-
-// Initialize TLS pinning for Forge if configured
-if (config.forge.tls_pin) {
-  initForgeAgent(config.forge.tls_pin);
-  console.log("[collector] TLS pinning enabled for Forge");
-}
-
-const emptyIpmi: IpmiInfo = { available: false, sensors: [], ecc_errors: { correctable: 0, uncorrectable: 0 }, sel_entries_count: 0, sel_events_recent: [], fans: [] };
-
-// Security checks run once per hour (every 12th cycle at 5-min intervals)
-let securityCycleCount = 0;
-let cachedSecurity: SecurityData | undefined;
-
-async function collect() {
-  const startTime = Date.now();
-  console.log(`[collector] Collecting...`);
-
-  const [system, cpu, memory, disks, smart, network, raid, ipmi, osAlerts] = await Promise.all([
-    collectSystem(),
-    collectCpu(),
-    collectMemory(),
-    collectDisks(),
-    config.collection.smart ? collectSmart() : Promise.resolve([]),
-    collectNetwork(),
-    collectRaid(),
-    config.collection.ipmi ? collectIpmi() : Promise.resolve(emptyIpmi),
-    collectOsAlerts(),
-  ]);
-
-  // Security checks: run once per hour, reuse cached data between runs
-  securityCycleCount++;
-  if (securityCycleCount >= 12 || !cachedSecurity) {
-    securityCycleCount = 0;
-    try { cachedSecurity = await collectSecurity(); } catch (err) { console.error("[security] Collection error:", err); }
-  }
-
-  const snapshot: Snapshot = {
-    collector_version: PKG_VERSION,
-    timestamp: new Date().toISOString(),
-    system, cpu, memory, disks, smart, network, raid, ipmi, os_alerts: osAlerts,
-    security: cachedSecurity,
-  };
-
-  // Single-shot: the very first snapshot after a marked reboot carries
-  // the flag, subsequent snapshots do not.
-  if (plannedRebootFlag && !plannedRebootConsumed) {
-    (snapshot as any).expected_reboot = true;
-    if (plannedRebootFlag.reason) (snapshot as any).expected_reboot_reason = plannedRebootFlag.reason;
-    plannedRebootConsumed = true;
-  }
-
-  // ZFS and I/O errors: collect every cycle (lightweight checks)
-  try { snapshot.zfs = await collectZfs() ?? undefined; } catch { /* skip if ZFS not available */ }
-  try { snapshot.io_errors = await collectIoErrors() ?? undefined; } catch { /* skip on error */ }
-  try { snapshot.io_latency = collectIoLatency(); } catch { /* skip on error */ }
-  try { snapshot.conntrack = collectConntrack(); } catch { /* skip on error */ }
-  try { snapshot.systemd = await collectSystemd(); } catch { /* skip on error */ }
-  try { snapshot.ntp = await collectNtp(); } catch { /* skip on error */ }
-  try { snapshot.file_descriptors = collectFileDescriptors(); } catch { /* skip on error */ }
-
-  // Update Prometheus metrics
-  updateMetrics(snapshot);
-
-  // Evaluate alerts
-  const alertResults = evaluateAlerts(snapshot, config.thresholds);
-  const { newAlerts, resolvedAlerts } = updateAlertState(alertResults);
-
-  const elapsed = Date.now() - startTime;
-  console.log(`[collector] Collected in ${elapsed}ms. Alerts: ${alertResults.length} active, ${newAlerts.length} new, ${resolvedAlerts.length} resolved`);
-
-  // Send notifications for new/resolved alerts
-  if (newAlerts.length > 0 || resolvedAlerts.length > 0) {
-    if (config.channels.telegram.enabled && config.channels.telegram.bot_token && config.channels.telegram.chat_id) {
-      await sendTelegram(config.channels.telegram.bot_token, config.channels.telegram.chat_id, newAlerts, resolvedAlerts, config.server_name);
-    }
-    if (config.channels.slack.enabled && config.channels.slack.webhook_url) {
-      await sendSlack(config.channels.slack.webhook_url, newAlerts, resolvedAlerts, config.server_name);
-    }
-    if (config.channels.email.enabled && config.channels.email.to) {
-      await sendEmail(config.channels.email, newAlerts, resolvedAlerts, config.server_name);
-    }
-  }
-
-  // Push to Forge (non-blocking)
-  if (config.forge.enabled && config.forge.api_key) {
-    pushToForge(config.forge.url, config.forge.api_key, snapshot);
-  }
-
-  // Check for updates (every 6 hours, non-blocking)
-  checkForUpdates(config.forge.enabled ? config.forge.url : undefined);
-
-  // Print summary on first run
-  if (firstRun) {
-    firstRun = false;
-    console.log("");
-    console.log("=== First collection complete ===");
-    console.log(`Server: ${system.hostname} (${system.os})`);
-    console.log(`CPU:    ${cpu.user_percent.toFixed(1)}% (load: ${cpu.load_1m})`);
-    const ramPct = memory.total_mb > 0 ? ((memory.used_mb / memory.total_mb) * 100).toFixed(1) : "0";
-    console.log(`RAM:    ${ramPct}% (${memory.used_mb} / ${memory.total_mb} MB)`);
-    if (disks.length > 0) console.log(`Disk:   ${disks[0].percent_used}% (${disks[0].mount})`);
-    console.log(`SMART:  ${smart.length > 0 ? `${smart.length} drive(s) checked` : "not available"}`);
-    console.log(`Network: ${network.map((n) => n.interface).join(", ") || "none detected"}`);
-    console.log(`IPMI:   ${ipmi.available ? "available" : "not available"}`);
-    console.log(`Active alerts: ${alertResults.length}`);
-    console.log(`Forge: ${config.forge.enabled ? "enabled" : "disabled"}`);
-    console.log("");
-  }
-}
-
-let firstRun = true;
-
-// Run immediately
-collect();
-
-// Then on interval
-setInterval(collect, config.collection.interval_seconds * 1000);
-
-process.on("SIGTERM", () => {
-  console.log("[collector] Received SIGTERM, shutting down");
-  process.exit(0);
-});
-
-process.on("SIGINT", () => {
-  console.log("[collector] Received SIGINT, shutting down");
-  process.exit(0);
-});

package/src/lib/__tests__/parse.test.ts

@@ -1,28 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { parseKeyValue, parseKb } from "../parse.js";
-
-describe("parseKeyValue", () => {
-  it("parses colon-delimited key/value lines", () => {
-    const out = parseKeyValue("Name: foo\nVersion: 1.2.3\n");
-    expect(out).toEqual({ Name: "foo", Version: "1.2.3" });
-  });
-  it("ignores lines with no colon", () => {
-    expect(parseKeyValue("no colon here\nA: 1\n")).toEqual({ A: "1" });
-  });
-  it("trims whitespace around keys and values", () => {
-    expect(parseKeyValue("   A   :    1   \n")).toEqual({ A: "1" });
-  });
-});
-
-describe("parseKb", () => {
-  it("parses a numeric kB value", () => {
-    expect(parseKb("16384 kB")).toBe(16384);
-  });
-  it("parses without unit", () => {
-    expect(parseKb("4096")).toBe(4096);
-  });
-  it("returns 0 for undefined/bad input", () => {
-    expect(parseKb(undefined)).toBe(0);
-    expect(parseKb("not a number")).toBe(0);
-  });
-});

package/src/lib/exec.ts

@@ -1,16 +0,0 @@
-import { execFile } from "child_process";
-import { promisify } from "util";
-
-const execFileAsync = promisify(execFile);
-
-export async function run(cmd: string, args: string[], timeoutMs = 10000): Promise<string | null> {
-  try {
-    const { stdout } = await execFileAsync(cmd, args, { timeout: timeoutMs });
-    return stdout;
-  } catch (err: any) {
-    if (err.code === "ENOENT") return null; // command not installed
-    if (err.killed) return null; // timeout
-    if (err.stdout) return err.stdout; // non-zero exit but has output
-    return null;
-  }
-}

package/src/lib/parse.ts

@@ -1,29 +0,0 @@
-import { readFileSync } from "fs";
-
-export function readProcFile(path: string): string | null {
-  try {
-    return readFileSync(path, "utf-8");
-  } catch {
-    return null;
-  }
-}
-
-export function parseKeyValue(raw: string): Record<string, string> {
-  const result: Record<string, string> = {};
-  for (const line of raw.split("\n")) {
-    const idx = line.indexOf(":");
-    if (idx === -1) continue;
-    result[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
-  }
-  return result;
-}
-
-export function parseKb(val: string | undefined): number {
-  if (!val) return 0;
-  const num = parseInt(val.replace(/\s*kB$/i, ""), 10);
-  return isNaN(num) ? 0 : num;
-}
-
-export function sleep(ms: number): Promise<void> {
-  return new Promise((r) => setTimeout(r, ms));
-}

package/src/lib/reboot-marker.ts

@@ -1,88 +0,0 @@
-// Planned-reboot marker handling.
-//
-// An operator signals "the next reboot is expected, don't page me"
-// by writing a short-lived JSON file to disk BEFORE rebooting. The
-// collector reads and deletes it on agent startup; the first
-// post-boot snapshot then carries `expected_reboot: true` so Forge's
-// unexpected_reboot rule stays quiet.
-//
-// Single-use (deleted on read regardless of validity) and TTL-guarded
-// (default 10 min) so a forgotten marker cannot silence a genuine
-// crash reboot weeks later.
-
-import { existsSync, readFileSync, unlinkSync, writeFileSync, mkdirSync, chmodSync } from "node:fs";
-import { dirname } from "node:path";
-
-export const DEFAULT_MARKER_PATH = "/var/lib/crucible/reboot-expected";
-export const DEFAULT_TTL_MS = 10 * 60 * 1000;
-
-export interface PlannedReboot {
-  expected: true;
-  reason?: string;
-}
-
-export interface RebootMarker {
-  expires_at: string; // ISO timestamp
-  reason?: string;
-}
-
-/**
- * Read and delete the marker at `path`. Returns the resolved reboot flag
- * if the file existed, was parseable JSON, and hasn't expired; otherwise
- * returns null. The file is unlinked in every branch where it existed,
- * so a malformed or stale marker is one-shot (can't linger).
- */
-export function consumeRebootMarker(
-  path: string = DEFAULT_MARKER_PATH,
-  now: Date = new Date(),
-): PlannedReboot | null {
-  if (!existsSync(path)) return null;
-  let raw: string;
-  try { raw = readFileSync(path, "utf-8"); } catch { try { unlinkSync(path); } catch {} return null; }
-  // Always delete after read, regardless of validity.
-  try { unlinkSync(path); } catch {}
-
-  let parsed: RebootMarker;
-  try { parsed = JSON.parse(raw); } catch { return null; }
-  if (!parsed || typeof parsed !== "object" || typeof parsed.expires_at !== "string") return null;
-  const expiresAt = new Date(parsed.expires_at);
-  if (isNaN(expiresAt.getTime())) return null;
-  if (expiresAt.getTime() <= now.getTime()) return null; // stale
-  return { expected: true, reason: parsed.reason };
-}
-
-/**
- * Write a planned-reboot marker. Used by the `mark-reboot` and `reboot`
- * CLI subcommands. `ttlMs` defaults to 10 minutes. Creates the parent
- * directory if needed. Chmod 600 so other users on the host can't read
- * or modify it.
- */
-export function writeRebootMarker(opts: {
-  reason?: string;
-  ttlMs?: number;
-  path?: string;
-  now?: Date;
-}): { path: string; expires_at: string } {
-  const path = opts.path ?? DEFAULT_MARKER_PATH;
-  const now = opts.now ?? new Date();
-  const ttlMs = opts.ttlMs ?? DEFAULT_TTL_MS;
-  const expiresAt = new Date(now.getTime() + ttlMs);
-  const body: RebootMarker = { expires_at: expiresAt.toISOString() };
-  if (opts.reason) body.reason = opts.reason;
-  try { mkdirSync(dirname(path), { recursive: true, mode: 0o700 }); } catch {}
-  writeFileSync(path, JSON.stringify(body), { mode: 0o600 });
-  try { chmodSync(path, 0o600); } catch {}
-  return { path, expires_at: body.expires_at };
-}
-
-/** Parse a duration like "10m", "2h", "600s" into milliseconds. Used by
- *  the CLI for the `--ttl` flag. */
-export function parseDuration(s: string): number | null {
-  const m = /^(\d+)\s*(ms|s|m|h)?$/.exec(s.trim());
-  if (!m) return null;
-  const n = parseInt(m[1], 10);
-  if (!Number.isFinite(n) || n < 0) return null;
-  const unit = m[2] ?? "s";
-  const mult = unit === "ms" ? 1 : unit === "s" ? 1000 : unit === "m" ? 60_000 : 3_600_000;
-  return n * mult;
-}