@hasna/machines 0.0.26 → 0.0.28

package/dist/cli/index.js

@@ -2082,34 +2082,34 @@ var require_commander = __commonJS((exports) => {
 });
 
 // src/paths.ts
-import { existsSync as existsSync2, mkdirSync } from "fs";
-import { dirname as dirname2, join as join2, resolve } from "path";
+import { existsSync as existsSync3, mkdirSync } from "fs";
+import { dirname as dirname2, join as join3, resolve } from "path";
 function homeDir() {
   return process.env["HOME"] || process.env["USERPROFILE"] || "~";
 }
 function getDataDir() {
-  return process.env["HASNA_MACHINES_DIR"] || join2(homeDir(), ".hasna", "machines");
+  return process.env["HASNA_MACHINES_DIR"] || join3(homeDir(), ".hasna", "machines");
 }
 function getDbPath() {
-  return process.env["HASNA_MACHINES_DB_PATH"] || join2(getDataDir(), "machines.db");
+  return process.env["HASNA_MACHINES_DB_PATH"] || join3(getDataDir(), "machines.db");
 }
 function getManifestPath() {
-  return process.env["HASNA_MACHINES_MANIFEST_PATH"] || join2(getDataDir(), "machines.json");
+  return process.env["HASNA_MACHINES_MANIFEST_PATH"] || join3(getDataDir(), "machines.json");
 }
 function getNotificationsPath() {
-  return process.env["HASNA_MACHINES_NOTIFICATIONS_PATH"] || join2(getDataDir(), "notifications.json");
+  return process.env["HASNA_MACHINES_NOTIFICATIONS_PATH"] || join3(getDataDir(), "notifications.json");
 }
 function getClipboardKeyPath() {
-  return process.env["HASNA_MACHINES_CLIPBOARD_KEY_PATH"] || join2(getDataDir(), "clipboard.key");
+  return process.env["HASNA_MACHINES_CLIPBOARD_KEY_PATH"] || join3(getDataDir(), "clipboard.key");
 }
 function getClipboardHistoryPath() {
-  return process.env["HASNA_MACHINES_CLIPBOARD_HISTORY_PATH"] || join2(getDataDir(), "clipboard-history.json");
+  return process.env["HASNA_MACHINES_CLIPBOARD_HISTORY_PATH"] || join3(getDataDir(), "clipboard-history.json");
 }
 function ensureParentDir(filePath) {
   if (filePath === ":memory:")
     return;
   const dir = dirname2(resolve(filePath));
-  if (!existsSync2(dir)) {
+  if (!existsSync3(dir)) {
     mkdirSync(dir, { recursive: true });
   }
 }
@@ -2203,15 +2203,15 @@ function countRuns(table) {
 }
 function recordSetupRun(machineId, status, details) {
   const db = getDb();
-  const now = new Date().toISOString();
+  const now2 = new Date().toISOString();
   db.query(`INSERT INTO setup_runs (id, machine_id, status, details_json, created_at, updated_at)
-     VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(details), now, now);
+     VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(details), now2, now2);
 }
 function recordSyncRun(machineId, status, actions) {
   const db = getDb();
-  const now = new Date().toISOString();
+  const now2 = new Date().toISOString();
   db.query(`INSERT INTO sync_runs (id, machine_id, status, actions_json, created_at, updated_at)
-     VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(actions), now, now);
+     VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(actions), now2, now2);
 }
 var adapter = null;
 var init_db = __esm(() => {
@@ -2479,7 +2479,7 @@ function upsertSqlite(db, table, columns, rows) {
 }
 function recordSyncMeta(db, direction, results) {
   ensureSyncMetaTable(db);
-  const now = new Date().toISOString();
+  const now3 = new Date().toISOString();
   const statement = db.query(`
     INSERT INTO _machines_sync_meta (table_name, last_synced_at, direction)
     VALUES (?, ?, ?)
@@ -2488,7 +2488,7 @@ function recordSyncMeta(db, direction, results) {
   for (const result of results) {
     if (result.errors.length > 0)
       continue;
-    statement.run(result.table, now, direction);
+    statement.run(result.table, now3, direction);
   }
 }
 function ensureSyncMetaTable(db) {
@@ -2601,6 +2601,684 @@ var {
   Help
 } = import__.default;
 
+// node_modules/@hasna/events/dist/commander.js
+import { chmod, mkdir, readFile, rename, writeFile } from "fs/promises";
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { createHmac, timingSafeEqual } from "crypto";
+import { randomUUID } from "crypto";
+import { spawn } from "child_process";
+import { randomUUID as randomUUID2 } from "crypto";
+function getPathValue(input, path) {
+  return path.split(".").reduce((value, part) => {
+    if (value && typeof value === "object" && part in value) {
+      return value[part];
+    }
+    return;
+  }, input);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`);
+}
+function matchString(value, matcher) {
+  if (matcher === undefined)
+    return true;
+  if (value === undefined)
+    return false;
+  const matchers = Array.isArray(matcher) ? matcher : [matcher];
+  return matchers.some((item) => wildcardToRegExp(item).test(value));
+}
+function matchRecord(input, matcher) {
+  if (!matcher)
+    return true;
+  return Object.entries(matcher).every(([path, expected]) => {
+    const actual = getPathValue(input, path);
+    if (typeof expected === "string" || Array.isArray(expected)) {
+      return matchString(actual === undefined ? undefined : String(actual), expected);
+    }
+    return actual === expected;
+  });
+}
+function eventMatchesFilter(event, filter) {
+  return matchString(event.source, filter.source) && matchString(event.type, filter.type) && matchString(event.subject, filter.subject) && matchString(event.severity, filter.severity) && matchRecord(event.data, filter.data) && matchRecord(event.metadata, filter.metadata);
+}
+function channelMatchesEvent(channel, event) {
+  if (!channel.enabled)
+    return false;
+  if (!channel.filters || channel.filters.length === 0)
+    return true;
+  return channel.filters.some((filter) => eventMatchesFilter(event, filter));
+}
+var HASNA_EVENTS_DIR_ENV = "HASNA_EVENTS_DIR";
+var HASNA_EVENTS_HOME_ENV = "HASNA_EVENTS_HOME";
+function getEventsDataDir(override) {
+  return override || process.env[HASNA_EVENTS_DIR_ENV] || process.env[HASNA_EVENTS_HOME_ENV] || join(homedir(), ".hasna", "events");
+}
+
+class JsonEventsStore {
+  dataDir;
+  channelsPath;
+  eventsPath;
+  deliveriesPath;
+  constructor(dataDir = getEventsDataDir()) {
+    this.dataDir = dataDir;
+    this.channelsPath = join(dataDir, "channels.json");
+    this.eventsPath = join(dataDir, "events.json");
+    this.deliveriesPath = join(dataDir, "deliveries.json");
+  }
+  async init() {
+    await mkdir(this.dataDir, { recursive: true, mode: 448 });
+    await chmod(this.dataDir, 448).catch(() => {
+      return;
+    });
+    await this.ensureArrayFile(this.channelsPath);
+    await this.ensureArrayFile(this.eventsPath);
+    await this.ensureArrayFile(this.deliveriesPath);
+  }
+  async addChannel(channel) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const index = channels.findIndex((item) => item.id === channel.id);
+    if (index >= 0) {
+      channels[index] = { ...channel, createdAt: channels[index].createdAt, updatedAt: new Date().toISOString() };
+    } else {
+      channels.push(channel);
+    }
+    await this.writeJson(this.channelsPath, channels);
+    return index >= 0 ? channels[index] : channel;
+  }
+  async listChannels() {
+    await this.init();
+    return this.readJson(this.channelsPath, []);
+  }
+  async getChannel(id) {
+    const channels = await this.listChannels();
+    return channels.find((channel) => channel.id === id);
+  }
+  async removeChannel(id) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const next = channels.filter((channel) => channel.id !== id);
+    await this.writeJson(this.channelsPath, next);
+    return next.length !== channels.length;
+  }
+  async appendEvent(event) {
+    await this.init();
+    const events = await this.readJson(this.eventsPath, []);
+    events.push(event);
+    await this.writeJson(this.eventsPath, events);
+    return event;
+  }
+  async listEvents() {
+    await this.init();
+    return this.readJson(this.eventsPath, []);
+  }
+  async findEventByIdentity(identity) {
+    const events = await this.listEvents();
+    return events.find((event) => identity.id !== undefined && event.id === identity.id || identity.dedupeKey !== undefined && event.dedupeKey === identity.dedupeKey);
+  }
+  async appendDelivery(result) {
+    await this.init();
+    const deliveries = await this.readJson(this.deliveriesPath, []);
+    deliveries.push(result);
+    await this.writeJson(this.deliveriesPath, deliveries);
+    return result;
+  }
+  async listDeliveries() {
+    await this.init();
+    return this.readJson(this.deliveriesPath, []);
+  }
+  async exportData() {
+    return {
+      channels: await this.listChannels(),
+      events: await this.listEvents(),
+      deliveries: await this.listDeliveries()
+    };
+  }
+  async ensureArrayFile(path) {
+    if (!existsSync(path)) {
+      await writeFile(path, `[]
+`, { encoding: "utf-8", mode: 384 });
+    }
+    await chmod(path, 384).catch(() => {
+      return;
+    });
+  }
+  async readJson(path, fallback) {
+    try {
+      const raw = await readFile(path, "utf-8");
+      if (!raw.trim())
+        return fallback;
+      return JSON.parse(raw);
+    } catch (error) {
+      if (error.code === "ENOENT")
+        return fallback;
+      throw error;
+    }
+  }
+  async writeJson(path, value) {
+    const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+    await writeFile(tempPath, `${JSON.stringify(value, null, 2)}
+`, { encoding: "utf-8", mode: 384 });
+    await rename(tempPath, path);
+    await chmod(path, 384).catch(() => {
+      return;
+    });
+  }
+}
+var DEFAULT_SIGNATURE_TOLERANCE_MS = 5 * 60 * 1000;
+function buildSignatureBase(timestamp, body) {
+  return `${timestamp}.${body}`;
+}
+function signPayload(secret, timestamp, body) {
+  const digest = createHmac("sha256", secret).update(buildSignatureBase(timestamp, body)).digest("hex");
+  return `sha256=${digest}`;
+}
+function now() {
+  return new Date().toISOString();
+}
+function truncate(value, max = 4096) {
+  return value.length > max ? `${value.slice(0, max)}...` : value;
+}
+function buildWebhookRequest(event, channel) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const body = JSON.stringify(event);
+  const timestamp = event.time;
+  const headers = {
+    "Content-Type": "application/json",
+    "User-Agent": "@hasna/events",
+    "X-Hasna-Event-Id": event.id,
+    "X-Hasna-Event-Type": event.type,
+    "X-Hasna-Timestamp": timestamp,
+    ...channel.webhook.headers
+  };
+  if (channel.webhook.secret) {
+    headers["X-Hasna-Signature"] = signPayload(channel.webhook.secret, timestamp, body);
+  }
+  return { body, headers };
+}
+async function dispatchWebhook(event, channel, options = {}) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const startedAt = now();
+  const { body, headers } = buildWebhookRequest(event, channel);
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), channel.webhook.timeoutMs ?? 15000);
+  try {
+    const response = await (options.fetchImpl ?? fetch)(channel.webhook.url, {
+      method: "POST",
+      headers,
+      body,
+      signal: controller.signal
+    });
+    const responseBody = truncate(await response.text());
+    return {
+      attempt: 1,
+      status: response.ok ? "success" : "failed",
+      startedAt,
+      completedAt: now(),
+      responseStatus: response.status,
+      responseBody,
+      error: response.ok ? undefined : `Webhook returned HTTP ${response.status}`
+    };
+  } catch (error) {
+    return {
+      attempt: 1,
+      status: "failed",
+      startedAt,
+      completedAt: now(),
+      error: error instanceof Error ? error.message : String(error)
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function dispatchCommand(event, channel) {
+  if (!channel.command)
+    throw new Error(`Channel ${channel.id} has no command config`);
+  const startedAt = now();
+  const eventJson = JSON.stringify(event);
+  const env = {
+    ...process.env,
+    ...channel.command.env,
+    HASNA_CHANNEL_ID: channel.id,
+    HASNA_EVENT_ID: event.id,
+    HASNA_EVENT_TYPE: event.type,
+    HASNA_EVENT_SOURCE: event.source,
+    HASNA_EVENT_SUBJECT: event.subject ?? "",
+    HASNA_EVENT_SEVERITY: event.severity,
+    HASNA_EVENT_TIME: event.time,
+    HASNA_EVENT_DEDUPE_KEY: event.dedupeKey ?? "",
+    HASNA_EVENT_SCHEMA_VERSION: event.schemaVersion,
+    HASNA_EVENT_JSON: eventJson
+  };
+  return new Promise((resolve) => {
+    const child = spawn(channel.command.command, channel.command.args ?? [], {
+      cwd: channel.command.cwd,
+      env,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => child.kill("SIGTERM"), channel.command.timeoutMs ?? 15000);
+    child.stdin.end(eventJson);
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      resolve({
+        attempt: 1,
+        status: "failed",
+        startedAt,
+        completedAt: now(),
+        stdout: truncate(stdout),
+        stderr: truncate(stderr),
+        error: error.message
+      });
+    });
+    child.on("close", (code, signal) => {
+      clearTimeout(timeout);
+      const success = code === 0;
+      resolve({
+        attempt: 1,
+        status: success ? "success" : "failed",
+        startedAt,
+        completedAt: now(),
+        stdout: truncate(stdout),
+        stderr: truncate(stderr),
+        error: success ? undefined : `Command exited with ${signal ? `signal ${signal}` : `code ${code}`}`
+      });
+    });
+  });
+}
+async function dispatchChannel(event, channel, options = {}) {
+  if (channel.transport === "webhook")
+    return dispatchWebhook(event, channel, options);
+  if (channel.transport === "command")
+    return dispatchCommand(event, channel);
+  return {
+    attempt: 1,
+    status: "skipped",
+    startedAt: now(),
+    completedAt: now(),
+    error: `Unsupported transport: ${channel.transport}`
+  };
+}
+function createDeliveryResult(event, channel, attempts) {
+  const status = attempts.some((attempt) => attempt.status === "success") ? "success" : attempts.every((attempt) => attempt.status === "skipped") ? "skipped" : "failed";
+  return {
+    id: randomUUID(),
+    eventId: event.id,
+    channelId: channel.id,
+    transport: channel.transport,
+    status,
+    attempts,
+    createdAt: attempts[0]?.startedAt ?? now(),
+    completedAt: attempts.at(-1)?.completedAt ?? now()
+  };
+}
+function createEvent(input) {
+  return {
+    id: input.id ?? randomUUID2(),
+    source: input.source,
+    type: input.type,
+    time: normalizeTime(input.time),
+    subject: input.subject,
+    severity: input.severity ?? "info",
+    data: input.data ?? {},
+    message: input.message,
+    dedupeKey: input.dedupeKey,
+    schemaVersion: input.schemaVersion ?? "1.0",
+    metadata: input.metadata ?? {}
+  };
+}
+
+class EventsClient {
+  store;
+  redactors;
+  transportOptions;
+  constructor(options = {}) {
+    this.store = options.store ?? new JsonEventsStore(options.dataDir);
+    this.redactors = options.redactors ?? [];
+    this.transportOptions = { fetchImpl: options.fetchImpl };
+  }
+  async addChannel(input) {
+    const timestamp = new Date().toISOString();
+    return this.store.addChannel({
+      ...input,
+      createdAt: input.createdAt ?? timestamp,
+      updatedAt: input.updatedAt ?? timestamp
+    });
+  }
+  async listChannels() {
+    return this.store.listChannels();
+  }
+  async removeChannel(id) {
+    return this.store.removeChannel(id);
+  }
+  async emit(input, options = {}) {
+    const event = options.redactSensitiveData === false ? createEvent(input) : redactSensitiveKeys(createEvent(input));
+    if (options.dedupe !== false) {
+      const existing = await this.store.findEventByIdentity({ id: input.id, dedupeKey: event.dedupeKey });
+      if (existing) {
+        return { event: existing, deliveries: [], deduped: true };
+      }
+    }
+    await this.store.appendEvent(event);
+    const deliveries = options.deliver === false ? [] : await this.deliver(event);
+    return { event, deliveries, deduped: false };
+  }
+  async listEvents() {
+    return this.store.listEvents();
+  }
+  async listDeliveries() {
+    return this.store.listDeliveries();
+  }
+  async deliver(event) {
+    const channels = await this.store.listChannels();
+    const selected = channels.filter((channel) => channelMatchesEvent(channel, event));
+    const deliveries = [];
+    for (const channel of selected) {
+      const eventForChannel = await this.applyRedaction(event, channel);
+      const result = await this.deliverWithRetry(eventForChannel, channel);
+      await this.store.appendDelivery(result);
+      deliveries.push(result);
+    }
+    return deliveries;
+  }
+  async testChannel(id, input = {}) {
+    const channel = await this.store.getChannel(id);
+    if (!channel)
+      throw new Error(`Channel not found: ${id}`);
+    const event = createEvent({
+      source: input.source ?? "hasna.events",
+      type: input.type ?? "events.test",
+      subject: input.subject ?? id,
+      severity: input.severity ?? "info",
+      data: input.data ?? { test: true },
+      message: input.message ?? "Hasna events test delivery",
+      dedupeKey: input.dedupeKey,
+      schemaVersion: input.schemaVersion,
+      metadata: input.metadata,
+      time: input.time,
+      id: input.id
+    });
+    const eventForChannel = await this.applyRedaction(event, channel);
+    const result = await this.deliverWithRetry(eventForChannel, channel);
+    await this.store.appendDelivery(result);
+    return result;
+  }
+  async replay(options = {}) {
+    const events = (await this.store.listEvents()).filter((event) => {
+      if (options.eventId && event.id !== options.eventId)
+        return false;
+      if (options.source && event.source !== options.source)
+        return false;
+      if (options.type && event.type !== options.type)
+        return false;
+      return true;
+    });
+    if (options.dryRun)
+      return { events, deliveries: [] };
+    const deliveries = [];
+    for (const event of events) {
+      deliveries.push(...await this.deliver(event));
+    }
+    return { events, deliveries };
+  }
+  async applyRedaction(event, channel) {
+    let next = redactPaths(event, channel.redact?.paths ?? [], channel.redact?.replacement ?? "[REDACTED]");
+    for (const redactor of this.redactors) {
+      next = await redactor(next, channel);
+    }
+    return next;
+  }
+  async deliverWithRetry(event, channel) {
+    const policy = normalizeRetryPolicy(channel.retry);
+    const attempts = [];
+    for (let index = 0;index < policy.maxAttempts; index += 1) {
+      const attempt = await dispatchChannel(event, channel, this.transportOptions);
+      attempt.attempt = index + 1;
+      if (attempt.status === "failed" && index + 1 < policy.maxAttempts) {
+        attempt.nextBackoffMs = Math.round(policy.backoffMs * policy.multiplier ** index);
+      }
+      attempts.push(attempt);
+      if (attempt.status !== "failed")
+        break;
+      if (attempt.nextBackoffMs)
+        await Bun.sleep(attempt.nextBackoffMs);
+    }
+    return createDeliveryResult(event, channel, attempts);
+  }
+}
+function redactPaths(event, paths, replacement = "[REDACTED]") {
+  if (paths.length === 0)
+    return event;
+  const copy = structuredClone(event);
+  for (const path of paths) {
+    setPath(copy, path, replacement);
+  }
+  return copy;
+}
+function sanitizeChannelForOutput(channel) {
+  const copy = structuredClone(channel);
+  if (copy.webhook?.secret)
+    copy.webhook.secret = "[REDACTED]";
+  if (copy.command?.env) {
+    copy.command.env = Object.fromEntries(Object.entries(copy.command.env).map(([key, value]) => [key, shouldRedactKey(key) ? "[REDACTED]" : value]));
+  }
+  return copy;
+}
+function sanitizeChannelsForOutput(channels) {
+  return channels.map(sanitizeChannelForOutput);
+}
+function redactSensitiveKeys(event, replacement = "[REDACTED]") {
+  return redactValue(event, replacement);
+}
+function shouldRedactKey(key) {
+  return /secret|token|password|api[_-]?key|authorization/i.test(key);
+}
+function redactValue(value, replacement) {
+  if (Array.isArray(value))
+    return value.map((item) => redactValue(item, replacement));
+  if (!value || typeof value !== "object")
+    return value;
+  return Object.fromEntries(Object.entries(value).map(([key, item]) => [
+    key,
+    shouldRedactKey(key) ? replacement : redactValue(item, replacement)
+  ]));
+}
+function setPath(input, path, replacement) {
+  const parts = path.split(".");
+  let cursor = input;
+  for (const part of parts.slice(0, -1)) {
+    const next = cursor[part];
+    if (!next || typeof next !== "object")
+      return;
+    cursor = next;
+  }
+  const last = parts.at(-1);
+  if (last && last in cursor)
+    cursor[last] = replacement;
+}
+function normalizeTime(value) {
+  if (!value)
+    return new Date().toISOString();
+  return value instanceof Date ? value.toISOString() : value;
+}
+function normalizeRetryPolicy(policy) {
+  return {
+    maxAttempts: Math.max(1, policy?.maxAttempts ?? 1),
+    backoffMs: Math.max(0, policy?.backoffMs ?? 250),
+    multiplier: Math.max(1, policy?.multiplier ?? 2)
+  };
+}
+function parseJsonObject(value, fallback) {
+  if (!value)
+    return fallback;
+  const parsed = JSON.parse(value);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("Expected a JSON object");
+  }
+  return parsed;
+}
+function parseHeaders(values) {
+  if (!values?.length)
+    return;
+  const headers = {};
+  for (const value of values) {
+    const separator = value.indexOf("=");
+    if (separator === -1)
+      throw new Error(`Invalid header, expected name=value: ${value}`);
+    headers[value.slice(0, separator)] = value.slice(separator + 1);
+  }
+  return headers;
+}
+function parseFilter(options) {
+  const filter2 = {};
+  if (options.source)
+    filter2.source = options.source;
+  if (options.type)
+    filter2.type = options.type;
+  if (options.subject)
+    filter2.subject = options.subject;
+  if (options.severity)
+    filter2.severity = options.severity;
+  return Object.keys(filter2).length > 0 ? [filter2] : undefined;
+}
+function createClient(options) {
+  if (options.createClient)
+    return options.createClient();
+  return new EventsClient({ store: new JsonEventsStore(options.dataDir) });
+}
+function print(value, json, text) {
+  if (json)
+    console.log(JSON.stringify(value, null, 2));
+  else
+    console.log(text);
+}
+function registerWebhookCommands(program2, options) {
+  const webhooks = program2.command(options.webhooksCommandName ?? "webhooks").description("Manage Hasna event webhook subscriptions");
+  webhooks.command("add").description("Add or replace a webhook or command subscription").argument("<target>", "Webhook URL or command binary").requiredOption("--id <id>", "Subscription/channel identifier").option("--transport <kind>", "Transport kind: webhook or command", "webhook").option("--name <name>", "Display name").option("--type <pattern>", "Event type filter, e.g. todos.task.*").option("--source <pattern>", "Event source filter").option("--subject <pattern>", "Event subject filter").option("--severity <pattern>", "Event severity filter").option("--secret <secret>", "Webhook HMAC secret").option("--header <name=value...>", "Webhook header", collectValues, []).option("--arg <arg...>", "Command argument", collectValues, []).option("--timeout-ms <ms>", "Transport timeout in milliseconds", parseNumber).option("--retry-attempts <n>", "Maximum delivery attempts", parseNumber).option("--retry-backoff-ms <ms>", "Initial retry backoff in milliseconds", parseNumber).option("--redact <path...>", "Event field path to redact before delivery", collectValues, []).option("--disabled", "Create channel disabled", false).option("-j, --json", "Print JSON output", false).action(async (target, actionOptions) => {
+    const timestamp = new Date().toISOString();
+    const channel = {
+      id: actionOptions.id,
+      name: actionOptions.name,
+      enabled: !actionOptions.disabled,
+      transport: actionOptions.transport,
+      filters: parseFilter(actionOptions),
+      retry: actionOptions.retryAttempts || actionOptions.retryBackoffMs ? { maxAttempts: actionOptions.retryAttempts, backoffMs: actionOptions.retryBackoffMs } : undefined,
+      redact: actionOptions.redact?.length ? { paths: actionOptions.redact } : undefined,
+      createdAt: timestamp,
+      updatedAt: timestamp
+    };
+    if (actionOptions.transport === "webhook") {
+      channel.webhook = { url: target, secret: actionOptions.secret, headers: parseHeaders(actionOptions.header), timeoutMs: actionOptions.timeoutMs };
+    } else if (actionOptions.transport === "command") {
+      channel.command = { command: target, args: actionOptions.arg ?? [], timeoutMs: actionOptions.timeoutMs };
+    } else {
+      throw new Error(`Transport ${actionOptions.transport} is reserved for future use and cannot be added yet`);
+    }
+    const saved = await createClient(options).addChannel(channel);
+    print(sanitizeChannelForOutput(saved), Boolean(actionOptions.json), `Added ${saved.transport} channel ${saved.id}`);
+  });
+  webhooks.command("list").description("List configured subscriptions").option("-j, --json", "Print JSON output", false).action(async (actionOptions) => {
+    const channels = await createClient(options).listChannels();
+    if (actionOptions.json) {
+      console.log(JSON.stringify(sanitizeChannelsForOutput(channels), null, 2));
+      return;
+    }
+    if (!channels.length) {
+      console.log("No channels configured.");
+      return;
+    }
+    for (const channel of channels) {
+      console.log(`${channel.id}	${channel.enabled ? "enabled" : "disabled"}	${channel.transport}	${channel.webhook?.url ?? channel.command?.command ?? channel.transport}`);
+    }
+  });
+  webhooks.command("remove").description("Remove a subscription").argument("<id>", "Subscription/channel identifier").option("-j, --json", "Print JSON output", false).action(async (id, actionOptions) => {
+    const removed = await createClient(options).removeChannel(id);
+    print({ removed }, Boolean(actionOptions.json), removed ? `Removed ${id}` : `Channel not found: ${id}`);
+  });
+  webhooks.command("test").description("Send a test event to one subscription").argument("<id>", "Subscription/channel identifier").option("--type <type>", "Event type", "events.test").option("--subject <subject>", "Event subject").option("--message <message>", "Event message", "Hasna events test delivery").option("--data <json>", "Event data JSON object").option("-j, --json", "Print JSON output", false).action(async (id, actionOptions) => {
+    const result = await createClient(options).testChannel(id, {
+      source: options.source,
+      type: actionOptions.type,
+      subject: actionOptions.subject ?? id,
+      message: actionOptions.message,
+      data: parseJsonObject(actionOptions.data, { test: true })
+    });
+    print(result, Boolean(actionOptions.json), `${result.status}: ${result.channelId}`);
+  });
+  return webhooks;
+}
+function registerEventCommands(program2, options) {
+  const events = program2.command(options.eventsCommandName ?? "events").description("Emit, list, and replay Hasna events");
+  events.command("emit").description("Emit an event from this app").argument("<type>", "Event type").option("--source <source>", "Event source override").option("--subject <subject>", "Event subject").option("--severity <severity>", "Event severity", "info").option("--message <message>", "Event message").option("--dedupe-key <key>", "Dedupe key").option("--data <json>", "Event data JSON object").option("--metadata <json>", "Event metadata JSON object").option("--no-deliver", "Record without delivering").option("--no-dedupe", "Allow duplicate id/dedupeKey events").option("-j, --json", "Print JSON output", false).action(async (type, actionOptions) => {
+    const result = await createClient(options).emit({
+      source: actionOptions.source ?? options.source,
+      type,
+      subject: actionOptions.subject,
+      severity: actionOptions.severity,
+      message: actionOptions.message,
+      dedupeKey: actionOptions.dedupeKey,
+      data: parseJsonObject(actionOptions.data, {}),
+      metadata: parseJsonObject(actionOptions.metadata, {})
+    }, { deliver: actionOptions.deliver, dedupe: actionOptions.dedupe });
+    print(result, Boolean(actionOptions.json), `${result.deduped ? "Deduped" : "Emitted"} ${result.event.id} to ${result.deliveries.length} channel(s)`);
+  });
+  events.command("list").description("List recorded events").option("--source <source>", "Filter by source").option("--type <type>", "Filter by type").option("--limit <n>", "Limit results", parseNumber).option("-j, --json", "Print JSON output", false).action(async (actionOptions) => {
+    let rows = await createClient(options).listEvents();
+    if (actionOptions.source)
+      rows = rows.filter((event) => event.source === actionOptions.source);
+    if (actionOptions.type)
+      rows = rows.filter((event) => event.type === actionOptions.type);
+    if (actionOptions.limit)
+      rows = rows.slice(-actionOptions.limit);
+    if (actionOptions.json) {
+      console.log(JSON.stringify(rows, null, 2));
+      return;
+    }
+    if (!rows.length) {
+      console.log("No events recorded.");
+      return;
+    }
+    for (const event of rows)
+      console.log(`${event.time}	${event.id}	${event.source}	${event.type}	${event.severity}`);
+  });
+  events.command("replay").description("Replay recorded events").option("--id <id>", "Replay one event id").option("--source <source>", "Filter by source").option("--type <type>", "Filter by type").option("--dry-run", "Preview without delivery", false).option("-j, --json", "Print JSON output", false).action(async (actionOptions) => {
+    const result = await createClient(options).replay({
+      eventId: actionOptions.id,
+      source: actionOptions.source,
+      type: actionOptions.type,
+      dryRun: actionOptions.dryRun
+    });
+    print(result, Boolean(actionOptions.json), `Replayed ${result.events.length} event(s), ${result.deliveries.length} delivery result(s)`);
+  });
+  return events;
+}
+function registerEventsCommands(program2, options) {
+  registerWebhookCommands(program2, options);
+  registerEventCommands(program2, options);
+}
+function parseNumber(value) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed))
+    throw new Error(`Expected a number, got ${value}`);
+  return parsed;
+}
+function collectValues(value, previous) {
+  previous.push(value);
+  return previous;
+}
+
 // src/cli/index.ts
 import { execFileSync } from "child_process";
 
@@ -3094,14 +3772,14 @@ var chalkStderr = createChalk({ level: stderrColor ? stderrColor.level : 0 });
 var source_default = chalk;
 
 // src/version.ts
-import { existsSync, readFileSync } from "fs";
-import { dirname, join } from "path";
+import { existsSync as existsSync2, readFileSync } from "fs";
+import { dirname, join as join2 } from "path";
 import { fileURLToPath } from "url";
 function getPackageVersion() {
   try {
     const here = dirname(fileURLToPath(import.meta.url));
-    const candidates = [join(here, "..", "package.json"), join(here, "..", "..", "package.json")];
-    const pkgPath = candidates.find((candidate) => existsSync(candidate));
+    const candidates = [join2(here, "..", "package.json"), join2(here, "..", "..", "package.json")];
+    const pkgPath = candidates.find((candidate) => existsSync2(candidate));
     if (!pkgPath) {
       return "0.0.0";
     }
@@ -3112,8 +3790,8 @@ function getPackageVersion() {
 }
 
 // src/manifests.ts
-import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { arch, homedir, hostname, platform, userInfo } from "os";
+import { existsSync as existsSync4, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { arch, homedir as homedir2, hostname, platform, userInfo } from "os";
 import { dirname as dirname3 } from "path";
 
 // node_modules/zod/v3/external.js
@@ -7127,7 +7805,7 @@ var fleetSchema = exports_external.object({
   machines: exports_external.array(machineSchema)
 });
 function detectWorkspacePath() {
-  const home = homedir();
+  const home = homedir2();
   if (platform() === "darwin") {
     return `${home}/Workspace`;
   }
@@ -7151,7 +7829,7 @@ function getDefaultManifest() {
   };
 }
 function readManifest(path = getManifestPath()) {
-  if (!existsSync3(path)) {
+  if (!existsSync4(path)) {
     return getDefaultManifest();
   }
   const raw = JSON.parse(readFileSync2(path, "utf8"));
@@ -7232,7 +7910,7 @@ function manifestValidate() {
 }
 
 // src/commands/setup.ts
-import { homedir as homedir2 } from "os";
+import { homedir as homedir3 } from "os";
 init_db();
 function quote(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
@@ -7303,7 +7981,7 @@ function buildSetupPlan(machineId) {
   const target = selected || {
     id: currentMachineId,
     platform: "linux",
-    workspacePath: `${homedir2()}/workspace`
+    workspacePath: `${homedir3()}/workspace`
   };
   const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
   return {
@@ -7349,8 +8027,8 @@ function runSetup(machineId, options = {}) {
 }
 
 // src/commands/backup.ts
-import { homedir as homedir3, hostname as hostname3 } from "os";
-import { join as join3 } from "path";
+import { homedir as homedir4, hostname as hostname3 } from "os";
+import { join as join4 } from "path";
 var MACHINES_BACKUP_BUCKET_ENV = "HASNA_MACHINES_S3_BUCKET";
 var MACHINES_BACKUP_BUCKET_FALLBACK_ENV = "MACHINES_S3_BUCKET";
 var MACHINES_BACKUP_PREFIX_ENV = "HASNA_MACHINES_S3_PREFIX";
@@ -7398,16 +8076,16 @@ function resolveBackupTarget(options = {}) {
   };
 }
 function defaultBackupSources() {
-  const home = homedir3();
+  const home = homedir4();
   return [
-    join3(home, ".hasna"),
-    join3(home, ".ssh"),
-    join3(home, ".secrets")
+    join4(home, ".hasna"),
+    join4(home, ".ssh"),
+    join4(home, ".secrets")
   ];
 }
 function buildBackupPlan(bucket, prefix) {
   const target = resolveBackupTarget({ bucket, prefix });
-  const archivePath = join3(homedir3(), ".hasna", "machines", "backup.tgz");
+  const archivePath = join4(homedir4(), ".hasna", "machines", "backup.tgz");
   const sources = defaultBackupSources();
   const steps = [
     {
@@ -7458,21 +8136,21 @@ function runBackup(bucket, prefix, options = {}) {
 }
 
 // src/commands/cert.ts
-import { homedir as homedir4, platform as platform2 } from "os";
-import { join as join4 } from "path";
+import { homedir as homedir5, platform as platform2 } from "os";
+import { join as join5 } from "path";
 function quote3(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
 function certDir() {
-  return join4(homedir4(), ".hasna", "machines", "certs");
+  return join5(homedir5(), ".hasna", "machines", "certs");
 }
 function buildCertPlan(domains) {
   if (domains.length === 0) {
     throw new Error("At least one domain is required.");
   }
   const primary = domains[0];
-  const certPath = join4(certDir(), `${primary}.pem`);
-  const keyPath = join4(certDir(), `${primary}-key.pem`);
+  const certPath = join5(certDir(), `${primary}.pem`);
+  const keyPath = join5(certDir(), `${primary}-key.pem`);
   const steps = [];
   if (platform2() === "darwin") {
     steps.push({
@@ -7537,14 +8215,14 @@ function runCertPlan(domains, options = {}) {
 
 // src/commands/dns.ts
 init_paths();
-import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join5 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { join as join6 } from "path";
 function getDnsPath() {
-  return join5(getDataDir(), "dns.json");
+  return join6(getDataDir(), "dns.json");
 }
 function readMappings() {
   const path = getDnsPath();
-  if (!existsSync4(path))
+  if (!existsSync5(path))
     return [];
   return JSON.parse(readFileSync3(path, "utf8"));
 }
@@ -7573,10 +8251,10 @@ function renderDomainMapping(domain) {
     hostsEntry: `${entry.targetHost} ${entry.domain}`,
     caddySnippet: `${entry.domain} {
   reverse_proxy 127.0.0.1:${entry.port}
-  tls ${join5(getDataDir(), "certs", `${entry.domain}.pem`)} ${join5(getDataDir(), "certs", `${entry.domain}-key.pem`)}
+  tls ${join6(getDataDir(), "certs", `${entry.domain}.pem`)} ${join6(getDataDir(), "certs", `${entry.domain}-key.pem`)}
 }`,
-    certPath: join5(getDataDir(), "certs", `${entry.domain}.pem`),
-    keyPath: join5(getDataDir(), "certs", `${entry.domain}-key.pem`)
+    certPath: join6(getDataDir(), "certs", `${entry.domain}.pem`),
+    keyPath: join6(getDataDir(), "certs", `${entry.domain}-key.pem`)
   };
 }
 
@@ -7628,7 +8306,7 @@ import { hostname as hostname5 } from "os";
 
 // src/topology.ts
 init_db();
-import { existsSync as existsSync5 } from "fs";
+import { existsSync as existsSync6 } from "fs";
 import { arch as arch2, hostname as hostname4, platform as platform3, userInfo as userInfo2 } from "os";
 import { spawnSync } from "child_process";
 init_paths();
@@ -7819,7 +8497,7 @@ function buildEntry(input) {
   };
 }
 function discoverMachineTopology(options = {}) {
-  const now = options.now ?? new Date;
+  const now2 = options.now ?? new Date;
   const runner = options.runner ?? defaultRunner;
   const warnings = [];
   const manifest = readManifest();
@@ -7851,11 +8529,11 @@ function discoverMachineTopology(options = {}) {
       version: getPackageVersion()
     },
     capabilities: getMachinesConsumerCapabilities(),
-    generated_at: now.toISOString(),
+    generated_at: now2.toISOString(),
     local_machine_id: localMachineId,
     local_hostname: hostname4(),
     current_platform: normalizePlatform2(),
-    manifest_path_known: existsSync5(getManifestPath()),
+    manifest_path_known: existsSync6(getManifestPath()),
     machines,
     warnings
   };
@@ -7974,11 +8652,11 @@ function cacheability(input) {
   };
 }
 function resolveMachineRoute(machineId, options = {}) {
-  const now = options.now ?? new Date;
+  const now2 = options.now ?? new Date;
   const topology = options.topology ?? discoverMachineTopology(options);
   const warnings = [...topology.warnings];
   const { machine, matchedBy } = findRouteMachine(topology, machineId);
-  const generatedAt = now.toISOString();
+  const generatedAt = now2.toISOString();
   if (!machine) {
     warnings.push(`machine_not_found:${machineId}`);
     return {
@@ -8004,8 +8682,8 @@ function resolveMachineRoute(machineId, options = {}) {
       },
       cacheability: cacheability({
         ok: false,
-        observedAt: now,
-        now,
+        observedAt: now2,
+        now: now2,
         ttlMs: options.resolverTtlMs,
         authority: "unresolved",
         confidence: "none",
@@ -8042,8 +8720,8 @@ function resolveMachineRoute(machineId, options = {}) {
     },
     cacheability: cacheability({
       ok,
-      observedAt: now,
-      now,
+      observedAt: now2,
+      now: now2,
       ttlMs: options.resolverTtlMs,
       authority: routeAuthority({ machine, selectedHint, matchedBy }),
       confidence,
@@ -8130,7 +8808,7 @@ function canCheckPathForMachine(machine, localMachineId) {
 function checkedPathExists(path, check) {
   if (!path || !check)
     return null;
-  return existsSync5(path);
+  return existsSync6(path);
 }
 function repairHint(input) {
   const command = [
@@ -8345,11 +9023,11 @@ function metadataKeysForDiagnostics(metadata) {
   return Object.keys(metadata).filter((key) => !/(secret|token|key|password|credential)/i.test(key)).sort();
 }
 function resolveMachineWorkspace(options) {
-  const now = options.now ?? new Date;
+  const now2 = options.now ?? new Date;
   const topology = options.topology ?? discoverMachineTopology(options);
   const warnings = [...topology.warnings];
   const { machine, matchedBy } = findRouteMachine(topology, options.machineId);
-  const generatedAt = now.toISOString();
+  const generatedAt = now2.toISOString();
   const repoName = options.repoName ?? options.projectId;
   const openFilesRepoName = options.openFilesRepoName ?? "open-files";
   if (!machine) {
@@ -8378,8 +9056,8 @@ function resolveMachineWorkspace(options) {
       },
       cacheability: cacheability({
         ok: false,
-        observedAt: now,
-        now,
+        observedAt: now2,
+        now: now2,
         ttlMs: options.resolverTtlMs,
         authority: "unresolved",
         confidence: "none",
@@ -8451,8 +9129,8 @@ function resolveMachineWorkspace(options) {
     },
     cacheability: cacheability({
       ok: workspaceOk,
-      observedAt: now,
-      now,
+      observedAt: now2,
+      now: now2,
       ttlMs: options.resolverTtlMs,
       authority: workspaceAuthority(workspacePaths),
       confidence: workspaceOk ? "medium" : "none",
@@ -8850,7 +9528,7 @@ function runTailscaleInstall(machineId, options = {}) {
 }
 
 // src/commands/notifications.ts
-import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
 init_paths();
 var notificationChannelSchema = exports_external.object({
   id: exports_external.string(),
@@ -8933,7 +9611,7 @@ ${message}
   }
   throw new Error("No local email transport available. Install sendmail or mail.");
 }
-async function dispatchWebhook(channel, event, message) {
+async function dispatchWebhook2(channel, event, message) {
   const response = await fetch(channel.target, {
     method: "POST",
     headers: {
@@ -8958,7 +9636,7 @@ async function dispatchWebhook(channel, event, message) {
     detail: `Webhook accepted with HTTP ${response.status}`
   };
 }
-async function dispatchCommand(channel, event, message) {
+async function dispatchCommand2(channel, event, message) {
   const result = Bun.spawnSync(["bash", "-lc", channel.target], {
     stdout: "pipe",
     stderr: "pipe",
@@ -8981,7 +9659,7 @@ async function dispatchCommand(channel, event, message) {
     detail: stdout || "Command completed successfully"
   };
 }
-async function dispatchChannel(channel, event, message) {
+async function dispatchChannel2(channel, event, message) {
   if (!channel.enabled) {
     return {
       channelId: channel.id,
@@ -8995,9 +9673,9 @@ async function dispatchChannel(channel, event, message) {
     return dispatchEmail(channel, event, message);
   }
   if (channel.type === "webhook") {
-    return dispatchWebhook(channel, event, message);
+    return dispatchWebhook2(channel, event, message);
   }
-  return dispatchCommand(channel, event, message);
+  return dispatchCommand2(channel, event, message);
 }
 function getDefaultNotificationConfig() {
   return {
@@ -9007,7 +9685,7 @@ function getDefaultNotificationConfig() {
   };
 }
 function readNotificationConfig(path = getNotificationsPath()) {
-  if (!existsSync6(path)) {
+  if (!existsSync7(path)) {
     return getDefaultNotificationConfig();
   }
   return notificationConfigSchema.parse(JSON.parse(readFileSync4(path, "utf8")));
@@ -9052,7 +9730,7 @@ async function dispatchNotificationEvent(event, message, options = {}) {
   const deliveries = [];
   for (const channel of channels) {
     try {
-      deliveries.push(await dispatchChannel(channel, event, message));
+      deliveries.push(await dispatchChannel2(channel, event, message));
     } catch (error) {
       deliveries.push({
         channelId: channel.id,
@@ -9087,7 +9765,7 @@ async function testNotificationChannel(channelId, event = "manual.test", message
   if (!options.yes) {
     throw new Error("Notification test execution requires --yes.");
   }
-  const delivery = await dispatchChannel(channel, event, message);
+  const delivery = await dispatchChannel2(channel, event, message);
   return {
     channelId,
     mode: "apply",
@@ -9153,15 +9831,32 @@ function listPorts(machineId) {
 }
 
 // src/commands/screen.ts
+var DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
 function shellQuote6(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function shellCommand2(command) {
+  return command.map(shellQuote6).join(" ");
+}
+function metadataString2(metadata, keys) {
+  if (!metadata)
+    return null;
+  for (const key of keys) {
+    const value = metadata[key];
+    if (typeof value === "string" && value.trim())
+      return value.trim();
+  }
+  return null;
+}
 function splitTarget(target) {
   const at = target.indexOf("@");
   if (at === -1)
     return [null, target];
   return [target.slice(0, at), target.slice(at + 1)];
 }
+function defaultScreenPasswordSecretKey(machineId) {
+  return `${DEFAULT_SCREEN_SECRET_NAMESPACE}/screen-${machineId}-vnc-password`;
+}
 function resolveScreenTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -9187,20 +9882,65 @@ function resolveScreenTarget(machineId, options = {}) {
     warnings: resolved.warnings
   };
 }
-function buildScreenEnableRemoteCommand(user, vncPassword) {
+function resolveScreenCredentials(machineId, options = {}) {
+  const topology = options.topology ?? discoverMachineTopology(options);
+  const screen = resolveScreenTarget(machineId, { ...options, topology });
+  const entry = topology.machines.find((machine) => machine.machine_id === screen.machineId);
+  const metadata = entry?.metadata;
+  const metadataUser = metadataString2(metadata, ["screenUser", "screen_user", "user", "username"]);
+  const metadataPasswordSecret = metadataString2(metadata, [
+    "screenPasswordSecret",
+    "screen_password_secret",
+    "screenVncPasswordSecret",
+    "screen_vnc_password_secret",
+    "vncPasswordSecret",
+    "vnc_password_secret"
+  ]);
+  const user = options.user ?? screen.user ?? metadataUser;
+  const passwordSecretKey = options.passwordSecretKey ?? metadataPasswordSecret ?? defaultScreenPasswordSecretKey(screen.machineId);
+  return {
+    machineId: screen.machineId,
+    user: user ?? null,
+    userSource: options.user ? "option" : screen.user ? "route" : metadataUser ? "metadata" : "missing",
+    passwordSecretKey,
+    passwordSecretSource: options.passwordSecretKey ? "option" : metadataPasswordSecret ? "metadata" : "default"
+  };
+}
+function buildScreenEnableRemoteCommandFromStdin(user) {
   const kickstart = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart";
-  const lines = [
-    `dseditgroup -o edit -a ${shellQuote6(user)} -t user com.apple.access_screensharing 2>/dev/null || true`,
+  const script = [
+    "set -euo pipefail",
+    'user="$1"',
+    "IFS= read -r vnc_pw",
+    'if [ -z "$vnc_pw" ]; then echo "missing VNC password on stdin" >&2; exit 1; fi',
+    `kickstart=${shellQuote6(kickstart)}`,
+    'dseditgroup -o edit -a "$user" -t user com.apple.access_screensharing 2>/dev/null || true',
     "defaults write /Library/Preferences/com.apple.RemoteManagement AllowSRPForNetworkNodes -bool true",
-    `${kickstart} -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw ${shellQuote6(vncPassword)}`,
-    `${kickstart} -activate -configure -access -on -users ${shellQuote6(user)} -privs -all -restart -agent -menu`
-  ];
-  return lines.join(" && ");
+    '"$kickstart" -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$vnc_pw"',
+    '"$kickstart" -activate -configure -access -on -users "$user" -privs -all -restart -agent -menu'
+  ].join(`
+`);
+  return `sudo -n -p '' /bin/bash -c ${shellQuote6(script)} -- ${shellQuote6(user)}`;
+}
+function buildScreenEnableCommand(machineId, options = {}) {
+  const credentials = resolveScreenCredentials(machineId, options);
+  if (!credentials.user) {
+    throw new Error(`No screen-sharing user known for ${machineId}; pass --user <name> or set metadata.user in the manifest.`);
+  }
+  const secretsCommand = options.secretsCommand || "secrets";
+  const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  return {
+    machineId: credentials.machineId,
+    user: credentials.user,
+    passwordSecretKey: credentials.passwordSecretKey,
+    remoteCommand,
+    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+  };
 }
 
 // src/commands/sync.ts
-import { existsSync as existsSync7, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
-import { homedir as homedir5 } from "os";
+import { existsSync as existsSync8, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
+import { homedir as homedir6 } from "os";
 init_paths();
 init_db();
 function quote4(value) {
@@ -9250,8 +9990,8 @@ function detectPackageActions(machine) {
 }
 function detectFileActions(machine) {
   return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync7(file.source);
-    const targetExists = existsSync7(file.target);
+    const sourceExists = existsSync8(file.source);
+    const targetExists = existsSync8(file.target);
     let status = "missing";
     if (sourceExists && targetExists) {
       if (file.mode === "symlink") {
@@ -9279,7 +10019,7 @@ function buildSyncPlan(machineId) {
   const target = selected || {
     id: currentMachineId,
     platform: "linux",
-    workspacePath: `${homedir5()}/workspace`
+    workspacePath: `${homedir6()}/workspace`
   };
   const actions = [
     ...detectPackageActions(target),
@@ -9836,6 +10576,526 @@ function runDoctor(machineId = getLocalMachineId()) {
 // src/commands/self-test.ts
 init_db();
 
+// node_modules/@hasna/events/dist/index.js
+import { chmod as chmod2, mkdir as mkdir2, readFile as readFile2, rename as rename2, writeFile as writeFile2 } from "fs/promises";
+import { existsSync as existsSync9 } from "fs";
+import { homedir as homedir7 } from "os";
+import { join as join7 } from "path";
+import { createHmac as createHmac2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
+import { spawn as spawn2 } from "child_process";
+import { randomUUID as randomUUID22 } from "crypto";
+function getPathValue2(input, path) {
+  return path.split(".").reduce((value, part) => {
+    if (value && typeof value === "object" && part in value) {
+      return value[part];
+    }
+    return;
+  }, input);
+}
+function wildcardToRegExp2(pattern) {
+  const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`);
+}
+function matchString2(value, matcher) {
+  if (matcher === undefined)
+    return true;
+  if (value === undefined)
+    return false;
+  const matchers = Array.isArray(matcher) ? matcher : [matcher];
+  return matchers.some((item) => wildcardToRegExp2(item).test(value));
+}
+function matchRecord2(input, matcher) {
+  if (!matcher)
+    return true;
+  return Object.entries(matcher).every(([path, expected]) => {
+    const actual = getPathValue2(input, path);
+    if (typeof expected === "string" || Array.isArray(expected)) {
+      return matchString2(actual === undefined ? undefined : String(actual), expected);
+    }
+    return actual === expected;
+  });
+}
+function eventMatchesFilter2(event, filter) {
+  return matchString2(event.source, filter.source) && matchString2(event.type, filter.type) && matchString2(event.subject, filter.subject) && matchString2(event.severity, filter.severity) && matchRecord2(event.data, filter.data) && matchRecord2(event.metadata, filter.metadata);
+}
+function channelMatchesEvent2(channel, event) {
+  if (!channel.enabled)
+    return false;
+  if (!channel.filters || channel.filters.length === 0)
+    return true;
+  return channel.filters.some((filter) => eventMatchesFilter2(event, filter));
+}
+var HASNA_EVENTS_DIR_ENV2 = "HASNA_EVENTS_DIR";
+var HASNA_EVENTS_HOME_ENV2 = "HASNA_EVENTS_HOME";
+function getEventsDataDir2(override) {
+  return override || process.env[HASNA_EVENTS_DIR_ENV2] || process.env[HASNA_EVENTS_HOME_ENV2] || join7(homedir7(), ".hasna", "events");
+}
+
+class JsonEventsStore2 {
+  dataDir;
+  channelsPath;
+  eventsPath;
+  deliveriesPath;
+  constructor(dataDir = getEventsDataDir2()) {
+    this.dataDir = dataDir;
+    this.channelsPath = join7(dataDir, "channels.json");
+    this.eventsPath = join7(dataDir, "events.json");
+    this.deliveriesPath = join7(dataDir, "deliveries.json");
+  }
+  async init() {
+    await mkdir2(this.dataDir, { recursive: true, mode: 448 });
+    await chmod2(this.dataDir, 448).catch(() => {
+      return;
+    });
+    await this.ensureArrayFile(this.channelsPath);
+    await this.ensureArrayFile(this.eventsPath);
+    await this.ensureArrayFile(this.deliveriesPath);
+  }
+  async addChannel(channel) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const index = channels.findIndex((item) => item.id === channel.id);
+    if (index >= 0) {
+      channels[index] = { ...channel, createdAt: channels[index].createdAt, updatedAt: new Date().toISOString() };
+    } else {
+      channels.push(channel);
+    }
+    await this.writeJson(this.channelsPath, channels);
+    return index >= 0 ? channels[index] : channel;
+  }
+  async listChannels() {
+    await this.init();
+    return this.readJson(this.channelsPath, []);
+  }
+  async getChannel(id) {
+    const channels = await this.listChannels();
+    return channels.find((channel) => channel.id === id);
+  }
+  async removeChannel(id) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const next = channels.filter((channel) => channel.id !== id);
+    await this.writeJson(this.channelsPath, next);
+    return next.length !== channels.length;
+  }
+  async appendEvent(event) {
+    await this.init();
+    const events = await this.readJson(this.eventsPath, []);
+    events.push(event);
+    await this.writeJson(this.eventsPath, events);
+    return event;
+  }
+  async listEvents() {
+    await this.init();
+    return this.readJson(this.eventsPath, []);
+  }
+  async findEventByIdentity(identity) {
+    const events = await this.listEvents();
+    return events.find((event) => identity.id !== undefined && event.id === identity.id || identity.dedupeKey !== undefined && event.dedupeKey === identity.dedupeKey);
+  }
+  async appendDelivery(result) {
+    await this.init();
+    const deliveries = await this.readJson(this.deliveriesPath, []);
+    deliveries.push(result);
+    await this.writeJson(this.deliveriesPath, deliveries);
+    return result;
+  }
+  async listDeliveries() {
+    await this.init();
+    return this.readJson(this.deliveriesPath, []);
+  }
+  async exportData() {
+    return {
+      channels: await this.listChannels(),
+      events: await this.listEvents(),
+      deliveries: await this.listDeliveries()
+    };
+  }
+  async ensureArrayFile(path) {
+    if (!existsSync9(path)) {
+      await writeFile2(path, `[]
+`, { encoding: "utf-8", mode: 384 });
+    }
+    await chmod2(path, 384).catch(() => {
+      return;
+    });
+  }
+  async readJson(path, fallback) {
+    try {
+      const raw = await readFile2(path, "utf-8");
+      if (!raw.trim())
+        return fallback;
+      return JSON.parse(raw);
+    } catch (error) {
+      if (error.code === "ENOENT")
+        return fallback;
+      throw error;
+    }
+  }
+  async writeJson(path, value) {
+    const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+    await writeFile2(tempPath, `${JSON.stringify(value, null, 2)}
+`, { encoding: "utf-8", mode: 384 });
+    await rename2(tempPath, path);
+    await chmod2(path, 384).catch(() => {
+      return;
+    });
+  }
+}
+var DEFAULT_SIGNATURE_TOLERANCE_MS2 = 5 * 60 * 1000;
+function buildSignatureBase2(timestamp, body) {
+  return `${timestamp}.${body}`;
+}
+function signPayload2(secret, timestamp, body) {
+  const digest = createHmac2("sha256", secret).update(buildSignatureBase2(timestamp, body)).digest("hex");
+  return `sha256=${digest}`;
+}
+function now2() {
+  return new Date().toISOString();
+}
+function truncate2(value, max = 4096) {
+  return value.length > max ? `${value.slice(0, max)}...` : value;
+}
+function buildWebhookRequest2(event, channel) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const body = JSON.stringify(event);
+  const timestamp = event.time;
+  const headers = {
+    "Content-Type": "application/json",
+    "User-Agent": "@hasna/events",
+    "X-Hasna-Event-Id": event.id,
+    "X-Hasna-Event-Type": event.type,
+    "X-Hasna-Timestamp": timestamp,
+    ...channel.webhook.headers
+  };
+  if (channel.webhook.secret) {
+    headers["X-Hasna-Signature"] = signPayload2(channel.webhook.secret, timestamp, body);
+  }
+  return { body, headers };
+}
+async function dispatchWebhook3(event, channel, options = {}) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const startedAt = now2();
+  const { body, headers } = buildWebhookRequest2(event, channel);
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), channel.webhook.timeoutMs ?? 15000);
+  try {
+    const response = await (options.fetchImpl ?? fetch)(channel.webhook.url, {
+      method: "POST",
+      headers,
+      body,
+      signal: controller.signal
+    });
+    const responseBody = truncate2(await response.text());
+    return {
+      attempt: 1,
+      status: response.ok ? "success" : "failed",
+      startedAt,
+      completedAt: now2(),
+      responseStatus: response.status,
+      responseBody,
+      error: response.ok ? undefined : `Webhook returned HTTP ${response.status}`
+    };
+  } catch (error) {
+    return {
+      attempt: 1,
+      status: "failed",
+      startedAt,
+      completedAt: now2(),
+      error: error instanceof Error ? error.message : String(error)
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function dispatchCommand3(event, channel) {
+  if (!channel.command)
+    throw new Error(`Channel ${channel.id} has no command config`);
+  const startedAt = now2();
+  const eventJson = JSON.stringify(event);
+  const env2 = {
+    ...process.env,
+    ...channel.command.env,
+    HASNA_CHANNEL_ID: channel.id,
+    HASNA_EVENT_ID: event.id,
+    HASNA_EVENT_TYPE: event.type,
+    HASNA_EVENT_SOURCE: event.source,
+    HASNA_EVENT_SUBJECT: event.subject ?? "",
+    HASNA_EVENT_SEVERITY: event.severity,
+    HASNA_EVENT_TIME: event.time,
+    HASNA_EVENT_DEDUPE_KEY: event.dedupeKey ?? "",
+    HASNA_EVENT_SCHEMA_VERSION: event.schemaVersion,
+    HASNA_EVENT_JSON: eventJson
+  };
+  return new Promise((resolve2) => {
+    const child = spawn2(channel.command.command, channel.command.args ?? [], {
+      cwd: channel.command.cwd,
+      env: env2,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => child.kill("SIGTERM"), channel.command.timeoutMs ?? 15000);
+    child.stdin.end(eventJson);
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      resolve2({
+        attempt: 1,
+        status: "failed",
+        startedAt,
+        completedAt: now2(),
+        stdout: truncate2(stdout),
+        stderr: truncate2(stderr),
+        error: error.message
+      });
+    });
+    child.on("close", (code, signal) => {
+      clearTimeout(timeout);
+      const success = code === 0;
+      resolve2({
+        attempt: 1,
+        status: success ? "success" : "failed",
+        startedAt,
+        completedAt: now2(),
+        stdout: truncate2(stdout),
+        stderr: truncate2(stderr),
+        error: success ? undefined : `Command exited with ${signal ? `signal ${signal}` : `code ${code}`}`
+      });
+    });
+  });
+}
+async function dispatchChannel3(event, channel, options = {}) {
+  if (channel.transport === "webhook")
+    return dispatchWebhook3(event, channel, options);
+  if (channel.transport === "command")
+    return dispatchCommand3(event, channel);
+  return {
+    attempt: 1,
+    status: "skipped",
+    startedAt: now2(),
+    completedAt: now2(),
+    error: `Unsupported transport: ${channel.transport}`
+  };
+}
+function createDeliveryResult2(event, channel, attempts) {
+  const status = attempts.some((attempt) => attempt.status === "success") ? "success" : attempts.every((attempt) => attempt.status === "skipped") ? "skipped" : "failed";
+  return {
+    id: randomUUID3(),
+    eventId: event.id,
+    channelId: channel.id,
+    transport: channel.transport,
+    status,
+    attempts,
+    createdAt: attempts[0]?.startedAt ?? now2(),
+    completedAt: attempts.at(-1)?.completedAt ?? now2()
+  };
+}
+function createEvent2(input) {
+  return {
+    id: input.id ?? randomUUID22(),
+    source: input.source,
+    type: input.type,
+    time: normalizeTime2(input.time),
+    subject: input.subject,
+    severity: input.severity ?? "info",
+    data: input.data ?? {},
+    message: input.message,
+    dedupeKey: input.dedupeKey,
+    schemaVersion: input.schemaVersion ?? "1.0",
+    metadata: input.metadata ?? {}
+  };
+}
+
+class EventsClient2 {
+  store;
+  redactors;
+  transportOptions;
+  constructor(options = {}) {
+    this.store = options.store ?? new JsonEventsStore2(options.dataDir);
+    this.redactors = options.redactors ?? [];
+    this.transportOptions = { fetchImpl: options.fetchImpl };
+  }
+  async addChannel(input) {
+    const timestamp = new Date().toISOString();
+    return this.store.addChannel({
+      ...input,
+      createdAt: input.createdAt ?? timestamp,
+      updatedAt: input.updatedAt ?? timestamp
+    });
+  }
+  async listChannels() {
+    return this.store.listChannels();
+  }
+  async removeChannel(id) {
+    return this.store.removeChannel(id);
+  }
+  async emit(input, options = {}) {
+    const event = options.redactSensitiveData === false ? createEvent2(input) : redactSensitiveKeys2(createEvent2(input));
+    if (options.dedupe !== false) {
+      const existing = await this.store.findEventByIdentity({ id: input.id, dedupeKey: event.dedupeKey });
+      if (existing) {
+        return { event: existing, deliveries: [], deduped: true };
+      }
+    }
+    await this.store.appendEvent(event);
+    const deliveries = options.deliver === false ? [] : await this.deliver(event);
+    return { event, deliveries, deduped: false };
+  }
+  async listEvents() {
+    return this.store.listEvents();
+  }
+  async listDeliveries() {
+    return this.store.listDeliveries();
+  }
+  async deliver(event) {
+    const channels = await this.store.listChannels();
+    const selected = channels.filter((channel) => channelMatchesEvent2(channel, event));
+    const deliveries = [];
+    for (const channel of selected) {
+      const eventForChannel = await this.applyRedaction(event, channel);
+      const result = await this.deliverWithRetry(eventForChannel, channel);
+      await this.store.appendDelivery(result);
+      deliveries.push(result);
+    }
+    return deliveries;
+  }
+  async testChannel(id, input = {}) {
+    const channel = await this.store.getChannel(id);
+    if (!channel)
+      throw new Error(`Channel not found: ${id}`);
+    const event = createEvent2({
+      source: input.source ?? "hasna.events",
+      type: input.type ?? "events.test",
+      subject: input.subject ?? id,
+      severity: input.severity ?? "info",
+      data: input.data ?? { test: true },
+      message: input.message ?? "Hasna events test delivery",
+      dedupeKey: input.dedupeKey,
+      schemaVersion: input.schemaVersion,
+      metadata: input.metadata,
+      time: input.time,
+      id: input.id
+    });
+    const eventForChannel = await this.applyRedaction(event, channel);
+    const result = await this.deliverWithRetry(eventForChannel, channel);
+    await this.store.appendDelivery(result);
+    return result;
+  }
+  async replay(options = {}) {
+    const events = (await this.store.listEvents()).filter((event) => {
+      if (options.eventId && event.id !== options.eventId)
+        return false;
+      if (options.source && event.source !== options.source)
+        return false;
+      if (options.type && event.type !== options.type)
+        return false;
+      return true;
+    });
+    if (options.dryRun)
+      return { events, deliveries: [] };
+    const deliveries = [];
+    for (const event of events) {
+      deliveries.push(...await this.deliver(event));
+    }
+    return { events, deliveries };
+  }
+  async applyRedaction(event, channel) {
+    let next = redactPaths2(event, channel.redact?.paths ?? [], channel.redact?.replacement ?? "[REDACTED]");
+    for (const redactor of this.redactors) {
+      next = await redactor(next, channel);
+    }
+    return next;
+  }
+  async deliverWithRetry(event, channel) {
+    const policy = normalizeRetryPolicy2(channel.retry);
+    const attempts = [];
+    for (let index = 0;index < policy.maxAttempts; index += 1) {
+      const attempt = await dispatchChannel3(event, channel, this.transportOptions);
+      attempt.attempt = index + 1;
+      if (attempt.status === "failed" && index + 1 < policy.maxAttempts) {
+        attempt.nextBackoffMs = Math.round(policy.backoffMs * policy.multiplier ** index);
+      }
+      attempts.push(attempt);
+      if (attempt.status !== "failed")
+        break;
+      if (attempt.nextBackoffMs)
+        await Bun.sleep(attempt.nextBackoffMs);
+    }
+    return createDeliveryResult2(event, channel, attempts);
+  }
+}
+function redactPaths2(event, paths, replacement = "[REDACTED]") {
+  if (paths.length === 0)
+    return event;
+  const copy = structuredClone(event);
+  for (const path of paths) {
+    setPath2(copy, path, replacement);
+  }
+  return copy;
+}
+function sanitizeChannelForOutput2(channel) {
+  const copy = structuredClone(channel);
+  if (copy.webhook?.secret)
+    copy.webhook.secret = "[REDACTED]";
+  if (copy.command?.env) {
+    copy.command.env = Object.fromEntries(Object.entries(copy.command.env).map(([key, value]) => [key, shouldRedactKey2(key) ? "[REDACTED]" : value]));
+  }
+  return copy;
+}
+function sanitizeChannelsForOutput2(channels) {
+  return channels.map(sanitizeChannelForOutput2);
+}
+function redactSensitiveKeys2(event, replacement = "[REDACTED]") {
+  return redactValue2(event, replacement);
+}
+function shouldRedactKey2(key) {
+  return /secret|token|password|api[_-]?key|authorization/i.test(key);
+}
+function redactValue2(value, replacement) {
+  if (Array.isArray(value))
+    return value.map((item) => redactValue2(item, replacement));
+  if (!value || typeof value !== "object")
+    return value;
+  return Object.fromEntries(Object.entries(value).map(([key, item]) => [
+    key,
+    shouldRedactKey2(key) ? replacement : redactValue2(item, replacement)
+  ]));
+}
+function setPath2(input, path, replacement) {
+  const parts = path.split(".");
+  let cursor = input;
+  for (const part of parts.slice(0, -1)) {
+    const next = cursor[part];
+    if (!next || typeof next !== "object")
+      return;
+    cursor = next;
+  }
+  const last = parts.at(-1);
+  if (last && last in cursor)
+    cursor[last] = replacement;
+}
+function normalizeTime2(value) {
+  if (!value)
+    return new Date().toISOString();
+  return value instanceof Date ? value.toISOString() : value;
+}
+function normalizeRetryPolicy2(policy) {
+  return {
+    maxAttempts: Math.max(1, policy?.maxAttempts ?? 1),
+    backoffMs: Math.max(0, policy?.backoffMs ?? 250),
+    multiplier: Math.max(1, policy?.multiplier ?? 2)
+  };
+}
+
 // src/commands/serve.ts
 function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
@@ -9853,13 +11113,16 @@ function getServeInfo(options = {}) {
       "/api/status",
       "/api/manifest",
       "/api/notifications",
+      "/api/webhooks",
+      "/api/events",
       "/api/doctor",
       "/api/self-test",
       "/api/apps/status",
       "/api/apps/diff",
       "/api/install-claude/status",
       "/api/install-claude/diff",
-      "/api/notifications/test"
+      "/api/notifications/test",
+      "/api/webhooks/test"
     ]
   };
 }
@@ -10026,6 +11289,7 @@ function jsonError(message, status = 400) {
 }
 function startDashboardServer(options = {}) {
   const info = getServeInfo(options);
+  const events = new EventsClient2;
   return Bun.serve({
     hostname: info.host,
     port: info.port,
@@ -10045,6 +11309,42 @@ function startDashboardServer(options = {}) {
       if (url.pathname === "/api/notifications") {
         return Response.json(listNotificationChannels());
       }
+      if (url.pathname === "/api/webhooks") {
+        if (request.method !== "GET") {
+          return jsonError("Use GET for webhook channel listing.", 405);
+        }
+        return Response.json(sanitizeChannelsForOutput2(await events.listChannels()));
+      }
+      if (url.pathname === "/api/events") {
+        if (request.method === "GET") {
+          return Response.json(await events.listEvents());
+        }
+        if (request.method !== "POST") {
+          return jsonError("Use GET or POST for events.", 405);
+        }
+        const body = await parseJsonBody(request);
+        const type = typeof body["type"] === "string" ? body["type"] : undefined;
+        if (!type) {
+          return jsonError("type is required.");
+        }
+        const source = typeof body["source"] === "string" ? body["source"] : "machines";
+        const subject = typeof body["subject"] === "string" ? body["subject"] : undefined;
+        const severity = typeof body["severity"] === "string" ? body["severity"] : undefined;
+        const message = typeof body["message"] === "string" ? body["message"] : undefined;
+        const dedupeKey = typeof body["dedupeKey"] === "string" ? body["dedupeKey"] : undefined;
+        const data = body["data"] && typeof body["data"] === "object" && !Array.isArray(body["data"]) ? body["data"] : {};
+        const metadata = body["metadata"] && typeof body["metadata"] === "object" && !Array.isArray(body["metadata"]) ? body["metadata"] : {};
+        return Response.json(await events.emit({
+          source,
+          type,
+          subject,
+          severity,
+          message,
+          dedupeKey,
+          data,
+          metadata
+        }));
+      }
       if (url.pathname === "/api/doctor") {
         return Response.json(runDoctor(machineId));
       }
@@ -10082,6 +11382,28 @@ function startDashboardServer(options = {}) {
           return jsonError(error instanceof Error ? error.message : String(error));
         }
       }
+      if (url.pathname === "/api/webhooks/test") {
+        if (request.method !== "POST") {
+          return jsonError("Use POST for webhook tests.", 405);
+        }
+        const body = await parseJsonBody(request);
+        const channelId = typeof body["channelId"] === "string" ? body["channelId"] : undefined;
+        if (!channelId) {
+          return jsonError("channelId is required.");
+        }
+        const type = typeof body["type"] === "string" ? body["type"] : "events.test";
+        const message = typeof body["message"] === "string" ? body["message"] : undefined;
+        try {
+          return Response.json(await events.testChannel(channelId, {
+            source: "machines",
+            type,
+            subject: channelId,
+            message
+          }));
+        } catch (error) {
+          return jsonError(error instanceof Error ? error.message : String(error));
+        }
+      }
       return new Response(renderDashboardHtml(), {
         headers: {
           "content-type": "text/html; charset=utf-8"
@@ -10124,8 +11446,8 @@ function runSelfTest() {
 // src/commands/clipboard.ts
 init_paths();
 import { createHash } from "crypto";
-import { existsSync as existsSync8, readFileSync as readFileSync6, rmSync, writeFileSync as writeFileSync4 } from "fs";
-import { join as join6 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync6, rmSync, writeFileSync as writeFileSync4 } from "fs";
+import { join as join8 } from "path";
 var DEFAULT_CONFIG = {
   version: 1,
   enabled: true,
@@ -10143,7 +11465,7 @@ var DEFAULT_CONFIG = {
 function resolveConfigPath(configPath) {
   if (configPath)
     return configPath;
-  return join6(getDataDir(), "clipboard-config.json");
+  return join8(getDataDir(), "clipboard-config.json");
 }
 function resolveHistoryPath(historyPath) {
   if (historyPath)
@@ -10155,7 +11477,7 @@ function getDefaultConfig() {
 }
 function readConfig(configPath) {
   const path = resolveConfigPath(configPath);
-  if (!existsSync8(path)) {
+  if (!existsSync10(path)) {
     return getDefaultConfig();
   }
   const parsed = JSON.parse(readFileSync6(path, "utf8"));
@@ -10169,7 +11491,7 @@ function writeConfig(config, configPath) {
 }
 function readHistory(historyPath) {
   const path = resolveHistoryPath(historyPath);
-  if (!existsSync8(path)) {
+  if (!existsSync10(path)) {
     return [];
   }
   try {
@@ -10202,7 +11524,7 @@ function sanitizeClipboardForRead(content, maxSizeBytes, skipPatterns) {
 }
 function getOrCreateClipboardKey() {
   const keyPath = getClipboardKeyPath();
-  if (existsSync8(keyPath)) {
+  if (existsSync10(keyPath)) {
     return readFileSync6(keyPath, "utf8").trim();
   }
   const key = createHash("sha256").update(crypto.randomUUID()).digest("hex").slice(0, 32);
@@ -10242,7 +11564,7 @@ function addClipboardEntry(entry, historyPath) {
 }
 function clearClipboardHistory(historyPath) {
   const path = resolveHistoryPath(historyPath);
-  if (existsSync8(path)) {
+  if (existsSync10(path)) {
     rmSync(path);
   }
 }
@@ -10259,7 +11581,7 @@ function getClipboardStatus(historyPath) {
 // src/commands/clipboard-daemon.ts
 init_paths();
 import { readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "fs";
-import { join as join7 } from "path";
+import { join as join9 } from "path";
 import { createHash as createHash3 } from "crypto";
 
 // src/commands/clipboard-server.ts
@@ -10417,7 +11739,7 @@ function handleGetClipboard(response, config) {
 }
 
 // src/commands/clipboard-daemon.ts
-var DAEMON_PID_PATH = join7(getDataDir(), "clipboard-daemon.pid");
+var DAEMON_PID_PATH = join9(getDataDir(), "clipboard-daemon.pid");
 function readLocalClipboardSync2() {
   const platform4 = process.platform;
   if (platform4 === "darwin") {
@@ -10591,8 +11913,8 @@ async function discoverPeers() {
 
 // src/commands/heal.ts
 init_paths();
-import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync6 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync11, readFileSync as readFileSync9, writeFileSync as writeFileSync6 } from "fs";
+import { join as join10 } from "path";
 var DEFAULT_THRESHOLDS = {
   reconnect: 3,
   nmRestart: 7,
@@ -10636,14 +11958,14 @@ function defaultHealState() {
   };
 }
 function getHealConfigPath() {
-  return process.env["HASNA_MACHINES_HEAL_CONFIG_PATH"] || join8(getDataDir(), "heal-config.json");
+  return process.env["HASNA_MACHINES_HEAL_CONFIG_PATH"] || join10(getDataDir(), "heal-config.json");
 }
 function getHealStatePath() {
-  return process.env["HASNA_MACHINES_HEAL_STATE_PATH"] || join8(getDataDir(), "heal-state.json");
+  return process.env["HASNA_MACHINES_HEAL_STATE_PATH"] || join10(getDataDir(), "heal-state.json");
 }
 function readHealConfig(path) {
   const p = path || getHealConfigPath();
-  if (!existsSync9(p))
+  if (!existsSync11(p))
     return { ...DEFAULT_HEAL_CONFIG, thresholds: { ...DEFAULT_THRESHOLDS } };
   const parsed = JSON.parse(readFileSync9(p, "utf8"));
   return {
@@ -10661,7 +11983,7 @@ function writeHealConfig(config, path) {
 }
 function readHealState(path) {
   const p = path || getHealStatePath();
-  if (!existsSync9(p))
+  if (!existsSync11(p))
     return defaultHealState();
   try {
     return { ...defaultHealState(), ...JSON.parse(readFileSync9(p, "utf8")) };
@@ -10701,7 +12023,7 @@ function evaluateHealth(probe, config, state) {
   return { healthy: localOk && quorumOk, remoteScore, reasons };
 }
 function decideAction(input) {
-  const { healthy, now, gpuBusy, config, currentBootId } = input;
+  const { healthy, now: now3, gpuBusy, config, currentBootId } = input;
   const s = { ...input.state };
   const t = config.thresholds;
   if (s.bootId !== currentBootId) {
@@ -10712,13 +12034,13 @@ function decideAction(input) {
   if (healthy) {
     s.failCount = 0;
     if (s.bootHealthySince === null)
-      s.bootHealthySince = now;
-    if (now - s.bootHealthySince >= config.healthyWindowSec) {
+      s.bootHealthySince = now3;
+    if (now3 - s.bootHealthySince >= config.healthyWindowSec) {
       s.failedBootRecoveries = 0;
       s.rebootSuppressUntil = 0;
       s.pendingRebootRecovery = false;
     }
-    if (s.degradedUntil > 0 && now >= s.degradedUntil) {
+    if (s.degradedUntil > 0 && now3 >= s.degradedUntil) {
       s.degradedUntil = 0;
       return { action: "restore_preferred", state: s };
     }
@@ -10736,8 +12058,8 @@ function decideAction(input) {
   else if (s.failCount >= t.reconnect)
     tier = "reconnect";
   const tryReconnect = (reason) => {
-    if (now - s.lastReconnect >= config.reconnectMinIntervalSec) {
-      s.lastReconnect = now;
+    if (now3 - s.lastReconnect >= config.reconnectMinIntervalSec) {
+      s.lastReconnect = now3;
       return { action: "reconnect_wifi", suppressedReason: reason, state: s };
     }
     return { action: "none", suppressedReason: reason, state: s };
@@ -10746,15 +12068,15 @@ function decideAction(input) {
     case "reconnect":
       return tryReconnect();
     case "nmRestart":
-      if (now - s.lastNmRestart >= config.nmRestartMinIntervalSec) {
-        s.lastNmRestart = now;
+      if (now3 - s.lastNmRestart >= config.nmRestartMinIntervalSec) {
+        s.lastNmRestart = now3;
         return { action: "restart_nm", state: s };
       }
       return tryReconnect();
     case "fallback":
-      if (now - s.lastFallback >= config.fallbackWindowSec) {
-        s.lastFallback = now;
-        s.degradedUntil = now + config.fallbackWindowSec;
+      if (now3 - s.lastFallback >= config.fallbackWindowSec) {
+        s.lastFallback = now3;
+        s.degradedUntil = now3 + config.fallbackWindowSec;
         return { action: "fallback_ssid", state: s };
       }
       return tryReconnect();
@@ -10762,22 +12084,22 @@ function decideAction(input) {
       let reason = null;
       if (!config.allowReboot)
         reason = "disabled";
-      else if (now < s.rebootSuppressUntil)
+      else if (now3 < s.rebootSuppressUntil)
         reason = "loop";
       else if (config.gpuJobGuard && gpuBusy)
         reason = "gpu";
-      else if (now - s.lastRebootAttempt < config.rebootMinIntervalSec)
+      else if (now3 - s.lastRebootAttempt < config.rebootMinIntervalSec)
         reason = "rate";
       if (reason)
         return tryReconnect(reason);
       if (s.pendingRebootRecovery) {
         s.failedBootRecoveries += 1;
         if (s.failedBootRecoveries >= config.maxFailedBootRecoveries) {
-          s.rebootSuppressUntil = now + config.bootBackoffSec;
+          s.rebootSuppressUntil = now3 + config.bootBackoffSec;
           return tryReconnect("loop");
         }
       }
-      s.lastRebootAttempt = now;
+      s.lastRebootAttempt = now3;
       s.pendingRebootRecovery = true;
       return { action: "reboot", state: s };
     }
@@ -10877,9 +12199,9 @@ function executeAction(action, config) {
 
 // src/commands/heal-daemon.ts
 init_paths();
-import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "fs";
-import { join as join9 } from "path";
-var DAEMON_PID_PATH2 = join9(getDataDir(), "heal-daemon.pid");
+import { existsSync as existsSync12, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "fs";
+import { join as join11 } from "path";
+var DAEMON_PID_PATH2 = join11(getDataDir(), "heal-daemon.pid");
 var SERVICE_PATH = "/etc/systemd/system/machines-heal.service";
 var SYSTEM_CONF = "/etc/systemd/system.conf";
 function log(msg) {
@@ -10997,7 +12319,7 @@ function applyDeterminism(config) {
 }
 function enableHardwareWatchdog() {
   const log2 = [];
-  if (!existsSync10(SYSTEM_CONF))
+  if (!existsSync12(SYSTEM_CONF))
     return ["/etc/systemd/system.conf not found; skipping hardware watchdog"];
   let conf = readFileSync10(SYSTEM_CONF, "utf8");
   const set = (key, value) => {
@@ -11027,7 +12349,7 @@ function binPath() {
   const home = process.env["HOME"] || "/home/hasna";
   candidates.push(`${home}/.bun/bin/machines`, "/home/hasna/.bun/bin/machines", "/root/.bun/bin/machines", "/usr/local/bin/machines");
   for (const c of candidates) {
-    if (c && existsSync10(c))
+    if (c && existsSync12(c))
       return c;
   }
   return "machines";
@@ -11063,7 +12385,7 @@ WantedBy=multi-user.target
 function uninstallHealService() {
   const log2 = [];
   sh2("systemctl disable --now machines-heal.service 2>/dev/null || true");
-  if (existsSync10(SERVICE_PATH)) {
+  if (existsSync12(SERVICE_PATH)) {
     sh2(`rm -f ${SERVICE_PATH}`);
     sh2("systemctl daemon-reload");
     log2.push(`removed ${SERVICE_PATH}`);
@@ -11074,7 +12396,7 @@ function uninstallHealService() {
 }
 function healServiceStatus() {
   return {
-    installed: existsSync10(SERVICE_PATH),
+    installed: existsSync12(SERVICE_PATH),
     active: sh2("systemctl is-active machines-heal.service").out === "active",
     enabled: sh2("systemctl is-enabled machines-heal.service 2>/dev/null").out === "enabled"
   };
@@ -11221,6 +12543,19 @@ function renderSelfTestResult(result) {
   ].join(`
 `);
 }
+function checkSecretPresence(secretsCommand, key) {
+  const result = Bun.spawnSync([secretsCommand, "get", key], {
+    stdout: "pipe",
+    stderr: "pipe",
+    env: process.env
+  });
+  const stdout = result.stdout.toString().trim();
+  return {
+    checked: true,
+    present: result.exitCode === 0 && stdout.length > 0,
+    error: result.exitCode === 0 ? undefined : result.stderr.toString().trim() || `secrets get exited ${result.exitCode}`
+  };
+}
 function parseCommandSpec(value) {
   const [command, expectedVersion] = value.split(":");
   return {
@@ -11332,6 +12667,7 @@ program2.name("machines").description("Machine fleet management CLI + MCP for de
 var manifestCommand = program2.command("manifest").description("Manage the fleet manifest");
 var appsCommand = program2.command("apps").description("Manage installed applications per machine");
 var notificationsCommand = program2.command("notifications").description("Manage fleet alert delivery channels");
+registerEventsCommands(program2, { source: "machines" });
 var clipboardCommand = program2.command("clipboard").description("Real-time clipboard sync across fleet machines");
 var installClaudeCommand = program2.command("install-claude").description("Install or inspect Claude, Codex, and Gemini CLIs");
 manifestCommand.command("init").description("Create an empty fleet manifest").action(() => {
@@ -11727,23 +13063,58 @@ program2.command("screen").description("Open Screen Sharing (VNC) to a machine u
   execFileSync("open", [resolved.url], { stdio: "ignore" });
   console.log(`Opening Screen Sharing \u2192 ${resolved.url} (route: ${resolved.route})`);
 });
-program2.command("screen-enable").description("Enable Remote Management / Screen Sharing on a macOS machine over SSH").requiredOption("--machine <id>", "Machine identifier").option("--user <user>", "macOS user to grant screen-sharing (overrides manifest)").option("--vnc-password <pw>", "Legacy VNC password (<=8 chars honored)", "").option("--print", "Print the remote command instead of running it", false).action((options) => {
-  const screen = resolveScreenTarget(options.machine);
-  const user = options.user ?? screen.user;
-  if (!user) {
-    console.error(`No SSH user known for ${options.machine}; pass --user <name> or set metadata.user in the manifest.`);
+program2.command("screen-credentials").description("Inspect screen-sharing user and password secret references without printing secrets").option("--machine <id>", "Machine identifier").option("--all", "Inspect every discovered machine", false).option("--check-secret", "Check whether the password secret exists in the local secrets vault", false).option("--secrets-command <command>", "Secrets CLI command to inspect", "secrets").option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {
+  const topology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
+  const machineIds = options.all ? topology.machines.map((machine) => machine.machine_id) : [options.machine].filter((machine) => Boolean(machine));
+  if (machineIds.length === 0) {
+    console.error("Provide --machine <id> or --all");
     process.exitCode = 1;
     return;
   }
-  const vncPw = (options.vncPassword || "").slice(0, 8);
-  const remoteCmd = buildScreenEnableRemoteCommand(user, vncPw);
-  const sshCmd = buildSshCommand(options.machine, `sudo -p '' bash -c ${JSON.stringify(remoteCmd)}`);
+  const results = machineIds.map((machineId) => {
+    try {
+      const credentials = resolveScreenCredentials(machineId, { topology });
+      const secret = options.checkSecret ? checkSecretPresence(options.secretsCommand, credentials.passwordSecretKey) : { checked: false, present: null };
+      return { ok: true, ...credentials, passwordSecret: secret };
+    } catch (error) {
+      return { ok: false, machineId, error: error instanceof Error ? error.message : String(error) };
+    }
+  });
+  const hasFailures = results.some((result) => !result.ok || result.ok && result.passwordSecret.checked && !result.passwordSecret.present);
+  if (options.json) {
+    console.log(JSON.stringify(results, null, 2));
+    if (hasFailures)
+      process.exitCode = 1;
+    return;
+  }
+  for (const result of results) {
+    if (!result.ok) {
+      console.log(`\u2717 ${result.machineId.padEnd(14)} ${result.error}`);
+      continue;
+    }
+    const secret = result.passwordSecret.checked ? result.passwordSecret.present ? source_default.green("present") : source_default.red("missing") : source_default.yellow("unchecked");
+    console.log(`${result.machineId.padEnd(14)} user=${result.user ?? "(missing)"} passwordSecret=${result.passwordSecretKey} (${secret})`);
+  }
+  if (hasFailures)
+    process.exitCode = 1;
+});
+program2.command("screen-enable").description("Enable Remote Management / Screen Sharing on a macOS machine over SSH").requiredOption("--machine <id>", "Machine identifier").option("--user <user>", "macOS user to grant screen-sharing (overrides manifest)").option("--vnc-password-secret <key>", "Secret key containing the legacy VNC password").option("--secrets-command <command>", "Secrets CLI command to read the password", "secrets").option("--vnc-password <pw>", "Deprecated: use --vnc-password-secret instead", "").option("--print", "Print the remote command instead of running it", false).action((options) => {
+  if (options.vncPassword) {
+    console.error("Direct --vnc-password values are not accepted. Store the password with `secrets set` and pass --vnc-password-secret.");
+    process.exitCode = 1;
+    return;
+  }
+  const plan = buildScreenEnableCommand(options.machine, {
+    user: options.user,
+    passwordSecretKey: options.vncPasswordSecret,
+    secretsCommand: options.secretsCommand
+  });
   if (options.print) {
-    console.log(sshCmd);
+    console.log(plan.command);
     return;
   }
-  console.log(`Run this to enable Screen Sharing on ${options.machine} (will prompt for sudo on the target):`);
-  console.log(`  ${sshCmd}`);
+  console.log(`Run this to enable Screen Sharing on ${options.machine} (password comes from ${plan.passwordSecretKey}):`);
+  console.log(`  ${plan.command}`);
 });
 program2.command("ports").description("List listening ports on a machine").option("--machine <id>", "Machine identifier").option("-j, --json", "Print JSON output", false).action((options) => {
   const result = listPorts(options.machine);