@hasna/machines 0.0.25 → 0.0.27

package/README.md

@@ -130,6 +130,7 @@ machines screen machine005 --print         # print the vnc:// URL instead of ope
 machines screen machine005 --json          # full resolution detail (route, confidence, user)
 machines screen --all                      # open every reachable machine
 machines screen --all --print              # list resolved vnc:// URLs for the whole fleet
+machines screen-credentials --all --check-secret
 ```
 
 Enable Remote Management / Screen Sharing on a fresh macOS machine over SSH
@@ -137,12 +138,20 @@ Enable Remote Management / Screen Sharing on a fresh macOS machine over SSH
 Screen Sharing.app and Apple Remote Desktop):
 
 ```bash
-machines screen-enable --machine machine005 --user jo --vnc-password steaua17
+secrets set hasna/xyz/opensource/machines/prod/screen-machine005-vnc-password "$VNC_PASSWORD" --type password
+machines screen-enable --machine machine005 --user jo \
+  --vnc-password-secret hasna/xyz/opensource/machines/prod/screen-machine005-vnc-password
 machines screen-enable --machine machine005 --user jo --print   # show the SSH command, don't run it
 ```
 
-`--vnc-password` is truncated to 8 characters by the legacy VNC protocol. The
-user comes from the manifest (`metadata.user`) when present, or `--user`.
+The legacy VNC protocol honors only the first 8 password characters. The
+password is read through the `secrets` CLI and piped over SSH stdin; it is not
+embedded in generated command text. If `--vnc-password-secret` is omitted,
+machines defaults to
+`hasna/xyz/opensource/machines/prod/screen-<machine>-vnc-password`. The user
+comes from the manifest (`metadata.user`) when present, or `--user`.
+`screen-credentials` verifies the resolved user and secret key for a machine or
+the full fleet without printing secret values.
 
 Consumers that need repo paths can resolve trust-aware workspace mappings
 without importing the full machines app:

package/dist/cli/index.js

@@ -9153,15 +9153,32 @@ function listPorts(machineId) {
 }
 
 // src/commands/screen.ts
+var DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
 function shellQuote6(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function shellCommand2(command) {
+  return command.map(shellQuote6).join(" ");
+}
+function metadataString2(metadata, keys) {
+  if (!metadata)
+    return null;
+  for (const key of keys) {
+    const value = metadata[key];
+    if (typeof value === "string" && value.trim())
+      return value.trim();
+  }
+  return null;
+}
 function splitTarget(target) {
   const at = target.indexOf("@");
   if (at === -1)
     return [null, target];
   return [target.slice(0, at), target.slice(at + 1)];
 }
+function defaultScreenPasswordSecretKey(machineId) {
+  return `${DEFAULT_SCREEN_SECRET_NAMESPACE}/screen-${machineId}-vnc-password`;
+}
 function resolveScreenTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -9187,15 +9204,60 @@ function resolveScreenTarget(machineId, options = {}) {
     warnings: resolved.warnings
   };
 }
-function buildScreenEnableRemoteCommand(user, vncPassword) {
+function resolveScreenCredentials(machineId, options = {}) {
+  const topology = options.topology ?? discoverMachineTopology(options);
+  const screen = resolveScreenTarget(machineId, { ...options, topology });
+  const entry = topology.machines.find((machine) => machine.machine_id === screen.machineId);
+  const metadata = entry?.metadata;
+  const metadataUser = metadataString2(metadata, ["screenUser", "screen_user", "user", "username"]);
+  const metadataPasswordSecret = metadataString2(metadata, [
+    "screenPasswordSecret",
+    "screen_password_secret",
+    "screenVncPasswordSecret",
+    "screen_vnc_password_secret",
+    "vncPasswordSecret",
+    "vnc_password_secret"
+  ]);
+  const user = options.user ?? screen.user ?? metadataUser;
+  const passwordSecretKey = options.passwordSecretKey ?? metadataPasswordSecret ?? defaultScreenPasswordSecretKey(screen.machineId);
+  return {
+    machineId: screen.machineId,
+    user: user ?? null,
+    userSource: options.user ? "option" : screen.user ? "route" : metadataUser ? "metadata" : "missing",
+    passwordSecretKey,
+    passwordSecretSource: options.passwordSecretKey ? "option" : metadataPasswordSecret ? "metadata" : "default"
+  };
+}
+function buildScreenEnableRemoteCommandFromStdin(user) {
   const kickstart = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart";
-  const lines = [
-    `dseditgroup -o edit -a ${shellQuote6(user)} -t user com.apple.access_screensharing 2>/dev/null || true`,
+  const script = [
+    "set -euo pipefail",
+    'user="$1"',
+    "IFS= read -r vnc_pw",
+    'if [ -z "$vnc_pw" ]; then echo "missing VNC password on stdin" >&2; exit 1; fi',
+    `kickstart=${shellQuote6(kickstart)}`,
+    'dseditgroup -o edit -a "$user" -t user com.apple.access_screensharing 2>/dev/null || true',
     "defaults write /Library/Preferences/com.apple.RemoteManagement AllowSRPForNetworkNodes -bool true",
-    `${kickstart} -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw ${shellQuote6(vncPassword)}`,
-    `${kickstart} -activate -configure -access -on -users ${shellQuote6(user)} -privs -all -restart -agent -menu`
-  ];
-  return lines.join(" && ");
+    '"$kickstart" -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$vnc_pw"',
+    '"$kickstart" -activate -configure -access -on -users "$user" -privs -all -restart -agent -menu'
+  ].join(`
+`);
+  return `sudo -n -p '' /bin/bash -c ${shellQuote6(script)} -- ${shellQuote6(user)}`;
+}
+function buildScreenEnableCommand(machineId, options = {}) {
+  const credentials = resolveScreenCredentials(machineId, options);
+  if (!credentials.user) {
+    throw new Error(`No screen-sharing user known for ${machineId}; pass --user <name> or set metadata.user in the manifest.`);
+  }
+  const secretsCommand = options.secretsCommand || "secrets";
+  const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  return {
+    machineId: credentials.machineId,
+    user: credentials.user,
+    passwordSecretKey: credentials.passwordSecretKey,
+    remoteCommand,
+    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+  };
 }
 
 // src/commands/sync.ts
@@ -11221,6 +11283,19 @@ function renderSelfTestResult(result) {
   ].join(`
 `);
 }
+function checkSecretPresence(secretsCommand, key) {
+  const result = Bun.spawnSync([secretsCommand, "get", key], {
+    stdout: "pipe",
+    stderr: "pipe",
+    env: process.env
+  });
+  const stdout = result.stdout.toString().trim();
+  return {
+    checked: true,
+    present: result.exitCode === 0 && stdout.length > 0,
+    error: result.exitCode === 0 ? undefined : result.stderr.toString().trim() || `secrets get exited ${result.exitCode}`
+  };
+}
 function parseCommandSpec(value) {
   const [command, expectedVersion] = value.split(":");
   return {
@@ -11362,7 +11437,8 @@ manifestCommand.command("remove").description("Remove a machine from the manifes
   console.log(JSON.stringify(manifestRemove(id), null, 2));
 });
 manifestCommand.command("add").description("Add or replace a machine in the fleet manifest").option("--id <id>", "Machine identifier").option("--platform <platform>", "linux | macos | windows").option("--workspace-path <path>", "Primary workspace path").option("--hostname <hostname>", "Machine hostname").option("--ssh-address <sshAddress>", "Machine SSH address").option("--tailscale-name <tailscaleName>", "Machine Tailscale DNS name").option("--connection <connection>", "local | ssh | tailscale").option("--bun-path <path>", "Bun executable directory").option("--tag <tag...>", "Machine tags").option("--package <name...>", "Desired packages").option("--app <spec...>", "Desired apps as name[:manager[:packageName]]").option("--file <spec...>", "File sync spec source:target[:copy|symlink]").option("--metadata <json>", "Machine metadata as JSON").option("--from-stdin", "Read the full MachineManifest JSON from stdin").action((options) => {
-  if (options["from-stdin"]) {
+  const fromStdin = Boolean(options["fromStdin"] || options["from-stdin"]);
+  if (fromStdin) {
     if (process.stdin.isTTY) {
       console.error("error: --from-stdin requires piped input");
       process.exit(1);
@@ -11726,23 +11802,58 @@ program2.command("screen").description("Open Screen Sharing (VNC) to a machine u
   execFileSync("open", [resolved.url], { stdio: "ignore" });
   console.log(`Opening Screen Sharing \u2192 ${resolved.url} (route: ${resolved.route})`);
 });
-program2.command("screen-enable").description("Enable Remote Management / Screen Sharing on a macOS machine over SSH").requiredOption("--machine <id>", "Machine identifier").option("--user <user>", "macOS user to grant screen-sharing (overrides manifest)").option("--vnc-password <pw>", "Legacy VNC password (<=8 chars honored)", "").option("--print", "Print the remote command instead of running it", false).action((options) => {
-  const screen = resolveScreenTarget(options.machine);
-  const user = options.user ?? screen.user;
-  if (!user) {
-    console.error(`No SSH user known for ${options.machine}; pass --user <name> or set metadata.user in the manifest.`);
+program2.command("screen-credentials").description("Inspect screen-sharing user and password secret references without printing secrets").option("--machine <id>", "Machine identifier").option("--all", "Inspect every discovered machine", false).option("--check-secret", "Check whether the password secret exists in the local secrets vault", false).option("--secrets-command <command>", "Secrets CLI command to inspect", "secrets").option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {
+  const topology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
+  const machineIds = options.all ? topology.machines.map((machine) => machine.machine_id) : [options.machine].filter((machine) => Boolean(machine));
+  if (machineIds.length === 0) {
+    console.error("Provide --machine <id> or --all");
     process.exitCode = 1;
     return;
   }
-  const vncPw = (options.vncPassword || "").slice(0, 8);
-  const remoteCmd = buildScreenEnableRemoteCommand(user, vncPw);
-  const sshCmd = buildSshCommand(options.machine, `sudo -p '' bash -c ${JSON.stringify(remoteCmd)}`);
+  const results = machineIds.map((machineId) => {
+    try {
+      const credentials = resolveScreenCredentials(machineId, { topology });
+      const secret = options.checkSecret ? checkSecretPresence(options.secretsCommand, credentials.passwordSecretKey) : { checked: false, present: null };
+      return { ok: true, ...credentials, passwordSecret: secret };
+    } catch (error) {
+      return { ok: false, machineId, error: error instanceof Error ? error.message : String(error) };
+    }
+  });
+  const hasFailures = results.some((result) => !result.ok || result.ok && result.passwordSecret.checked && !result.passwordSecret.present);
+  if (options.json) {
+    console.log(JSON.stringify(results, null, 2));
+    if (hasFailures)
+      process.exitCode = 1;
+    return;
+  }
+  for (const result of results) {
+    if (!result.ok) {
+      console.log(`\u2717 ${result.machineId.padEnd(14)} ${result.error}`);
+      continue;
+    }
+    const secret = result.passwordSecret.checked ? result.passwordSecret.present ? source_default.green("present") : source_default.red("missing") : source_default.yellow("unchecked");
+    console.log(`${result.machineId.padEnd(14)} user=${result.user ?? "(missing)"} passwordSecret=${result.passwordSecretKey} (${secret})`);
+  }
+  if (hasFailures)
+    process.exitCode = 1;
+});
+program2.command("screen-enable").description("Enable Remote Management / Screen Sharing on a macOS machine over SSH").requiredOption("--machine <id>", "Machine identifier").option("--user <user>", "macOS user to grant screen-sharing (overrides manifest)").option("--vnc-password-secret <key>", "Secret key containing the legacy VNC password").option("--secrets-command <command>", "Secrets CLI command to read the password", "secrets").option("--vnc-password <pw>", "Deprecated: use --vnc-password-secret instead", "").option("--print", "Print the remote command instead of running it", false).action((options) => {
+  if (options.vncPassword) {
+    console.error("Direct --vnc-password values are not accepted. Store the password with `secrets set` and pass --vnc-password-secret.");
+    process.exitCode = 1;
+    return;
+  }
+  const plan = buildScreenEnableCommand(options.machine, {
+    user: options.user,
+    passwordSecretKey: options.vncPasswordSecret,
+    secretsCommand: options.secretsCommand
+  });
   if (options.print) {
-    console.log(sshCmd);
+    console.log(plan.command);
     return;
   }
-  console.log(`Run this to enable Screen Sharing on ${options.machine} (will prompt for sudo on the target):`);
-  console.log(`  ${sshCmd}`);
+  console.log(`Run this to enable Screen Sharing on ${options.machine} (password comes from ${plan.passwordSecretKey}):`);
+  console.log(`  ${plan.command}`);
 });
 program2.command("ports").description("List listening ports on a machine").option("--machine <id>", "Machine identifier").option("-j, --json", "Print JSON output", false).action((options) => {
   const result = listPorts(options.machine);

package/dist/commands/screen.d.ts

@@ -1,4 +1,5 @@
 import { type MachineRouteOptions, type MachineRouteKind, type MachineRouteConfidence } from "../topology.js";
+export declare const DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
 export interface ResolvedScreenTarget {
     machineId: string;
     user: string | null;
@@ -8,12 +9,35 @@ export interface ResolvedScreenTarget {
     confidence: MachineRouteConfidence;
     warnings: string[];
 }
+export interface ScreenCredentialResolution {
+    machineId: string;
+    user: string | null;
+    userSource: "option" | "route" | "metadata" | "missing";
+    passwordSecretKey: string;
+    passwordSecretSource: "option" | "metadata" | "default";
+}
+export interface ScreenEnableCommandPlan {
+    machineId: string;
+    user: string;
+    passwordSecretKey: string;
+    remoteCommand: string;
+    command: string;
+}
+export interface ScreenCredentialOptions extends MachineRouteOptions {
+    user?: string;
+    passwordSecretKey?: string;
+}
+export interface ScreenEnableCommandOptions extends ScreenCredentialOptions {
+    secretsCommand?: string;
+}
+export declare function defaultScreenPasswordSecretKey(machineId: string): string;
 /**
  * Resolve the best screen-sharing (VNC) target for a machine.
  * Prefers the live LAN route over Tailscale (lower latency for screen sharing),
  * and always produces a `vnc://user@host` URL when a user is known.
  */
 export declare function resolveScreenTarget(machineId: string, options?: MachineRouteOptions): ResolvedScreenTarget;
+export declare function resolveScreenCredentials(machineId: string, options?: ScreenCredentialOptions): ScreenCredentialResolution;
 /**
  * Build the macOS command that opens Screen Sharing to a machine.
  * `open vnc://user@host` launches Screen Sharing.app pointed at the resolved route.
@@ -32,4 +56,11 @@ export declare function buildScreenCommand(machineId: string, options?: MachineR
  * password or runs under an already-root context).
  */
 export declare function buildScreenEnableRemoteCommand(user: string, vncPassword: string): string;
+/**
+ * Build the remote root command used by secure screen-enable plans.
+ * The VNC password is read from stdin so it is not embedded in shell history,
+ * generated command text, or the SSH remote command arguments.
+ */
+export declare function buildScreenEnableRemoteCommandFromStdin(user: string): string;
+export declare function buildScreenEnableCommand(machineId: string, options?: ScreenEnableCommandOptions): ScreenEnableCommandPlan;
 //# sourceMappingURL=screen.d.ts.map

package/dist/commands/screen.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"screen.d.ts","sourceRoot":"","sources":["../../src/commands/screen.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgD,KAAK,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAE5J,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,gBAAgB,CAAC;IACxB,UAAU,EAAE,sBAAsB,CAAC;IACnC,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAgBD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,oBAAoB,CA+B9G;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,MAAM,CAG/F;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAcxF"}
+{"version":3,"file":"screen.d.ts","sourceRoot":"","sources":["../../src/commands/screen.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC5B,MAAM,gBAAgB,CAAC;AAExB,eAAO,MAAM,+BAA+B,uCAAuC,CAAC;AAEpF,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,gBAAgB,CAAC;IACxB,UAAU,EAAE,sBAAsB,CAAC;IACnC,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,UAAU,EAAE,QAAQ,GAAG,OAAO,GAAG,UAAU,GAAG,SAAS,CAAC;IACxD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;CACzD;AAED,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,uBAAwB,SAAQ,mBAAmB;IAClE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,0BAA2B,SAAQ,uBAAuB;IACzE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AA6BD,wBAAgB,8BAA8B,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAExE;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,oBAAoB,CA+B9G;AAED,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,uBAA4B,GAAG,0BAA0B,CAwB7H;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,MAAM,CAG/F;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAcxF;AAED;;;;GAIG;AACH,wBAAgB,uCAAuC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAe5E;AAED,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,0BAA+B,GAAG,uBAAuB,CAc7H"}

package/dist/index.js

@@ -13859,15 +13859,32 @@ function runSetup(machineId, options = {}) {
   return summary;
 }
 // src/commands/screen.ts
+var DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
 function shellQuote7(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function shellCommand2(command) {
+  return command.map(shellQuote7).join(" ");
+}
+function metadataString2(metadata, keys) {
+  if (!metadata)
+    return null;
+  for (const key of keys) {
+    const value = metadata[key];
+    if (typeof value === "string" && value.trim())
+      return value.trim();
+  }
+  return null;
+}
 function splitTarget(target) {
   const at = target.indexOf("@");
   if (at === -1)
     return [null, target];
   return [target.slice(0, at), target.slice(at + 1)];
 }
+function defaultScreenPasswordSecretKey(machineId) {
+  return `${DEFAULT_SCREEN_SECRET_NAMESPACE}/screen-${machineId}-vnc-password`;
+}
 function resolveScreenTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -13893,6 +13910,30 @@ function resolveScreenTarget(machineId, options = {}) {
     warnings: resolved.warnings
   };
 }
+function resolveScreenCredentials(machineId, options = {}) {
+  const topology = options.topology ?? discoverMachineTopology(options);
+  const screen = resolveScreenTarget(machineId, { ...options, topology });
+  const entry = topology.machines.find((machine) => machine.machine_id === screen.machineId);
+  const metadata = entry?.metadata;
+  const metadataUser = metadataString2(metadata, ["screenUser", "screen_user", "user", "username"]);
+  const metadataPasswordSecret = metadataString2(metadata, [
+    "screenPasswordSecret",
+    "screen_password_secret",
+    "screenVncPasswordSecret",
+    "screen_vnc_password_secret",
+    "vncPasswordSecret",
+    "vnc_password_secret"
+  ]);
+  const user = options.user ?? screen.user ?? metadataUser;
+  const passwordSecretKey = options.passwordSecretKey ?? metadataPasswordSecret ?? defaultScreenPasswordSecretKey(screen.machineId);
+  return {
+    machineId: screen.machineId,
+    user: user ?? null,
+    userSource: options.user ? "option" : screen.user ? "route" : metadataUser ? "metadata" : "missing",
+    passwordSecretKey,
+    passwordSecretSource: options.passwordSecretKey ? "option" : metadataPasswordSecret ? "metadata" : "default"
+  };
+}
 function buildScreenCommand(machineId, options = {}) {
   const resolved = resolveScreenTarget(machineId, options);
   return `open ${resolved.url}`;
@@ -13907,6 +13948,37 @@ function buildScreenEnableRemoteCommand(user, vncPassword) {
   ];
   return lines.join(" && ");
 }
+function buildScreenEnableRemoteCommandFromStdin(user) {
+  const kickstart = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart";
+  const script = [
+    "set -euo pipefail",
+    'user="$1"',
+    "IFS= read -r vnc_pw",
+    'if [ -z "$vnc_pw" ]; then echo "missing VNC password on stdin" >&2; exit 1; fi',
+    `kickstart=${shellQuote7(kickstart)}`,
+    'dseditgroup -o edit -a "$user" -t user com.apple.access_screensharing 2>/dev/null || true',
+    "defaults write /Library/Preferences/com.apple.RemoteManagement AllowSRPForNetworkNodes -bool true",
+    '"$kickstart" -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$vnc_pw"',
+    '"$kickstart" -activate -configure -access -on -users "$user" -privs -all -restart -agent -menu'
+  ].join(`
+`);
+  return `sudo -n -p '' /bin/bash -c ${shellQuote7(script)} -- ${shellQuote7(user)}`;
+}
+function buildScreenEnableCommand(machineId, options = {}) {
+  const credentials = resolveScreenCredentials(machineId, options);
+  if (!credentials.user) {
+    throw new Error(`No screen-sharing user known for ${machineId}; pass --user <name> or set metadata.user in the manifest.`);
+  }
+  const secretsCommand = options.secretsCommand || "secrets";
+  const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  return {
+    machineId: credentials.machineId,
+    user: credentials.user,
+    passwordSecretKey: credentials.passwordSecretKey,
+    remoteCommand,
+    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+  };
+}
 // src/commands/sync.ts
 import { existsSync as existsSync7, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
 import { homedir as homedir5 } from "os";
@@ -23362,6 +23434,7 @@ export {
   resolveTables,
   resolveSshTarget,
   resolveScreenTarget,
+  resolveScreenCredentials,
   resolveMachineWorkspace,
   resolveMachineRoute,
   resolveBackupTarget,
@@ -23425,6 +23498,7 @@ export {
   diffClaudeCli,
   diffApps,
   detectCurrentMachineManifest,
+  defaultScreenPasswordSecretKey,
   createMcpServer,
   createMachineResolverSnapshot,
   countRuns,
@@ -23435,7 +23509,9 @@ export {
   buildSshCommand,
   buildSetupPlan,
   buildServer,
+  buildScreenEnableRemoteCommandFromStdin,
   buildScreenEnableRemoteCommand,
+  buildScreenEnableCommand,
   buildScreenCommand,
   buildClaudeInstallPlan,
   buildCertPlan,
@@ -23465,6 +23541,7 @@ export {
   MACHINES_BACKUP_PREFIX_ENV,
   MACHINES_BACKUP_BUCKET_FALLBACK_ENV,
   MACHINES_BACKUP_BUCKET_ENV,
+  DEFAULT_SCREEN_SECRET_NAMESPACE,
   DEFAULT_MACHINE_RESOLVER_TTL_MS,
   DEFAULT_BACKUP_PREFIX,
   CROSSREFS_KEY

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/machines",
-  "version": "0.0.25",
+  "version": "0.0.27",
   "description": "Machine fleet management CLI + MCP for developers",
   "type": "module",
   "license": "Apache-2.0",