@hasna/machines 0.0.26 → 0.0.28

package/dist/index.js

@@ -13427,6 +13427,526 @@ function listPorts(machineId) {
     listeners: parsePortOutput(result.stdout, format)
   };
 }
+// node_modules/@hasna/events/dist/index.js
+import { chmod, mkdir, readFile, rename, writeFile } from "fs/promises";
+import { existsSync as existsSync7 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join6 } from "path";
+import { createHmac, timingSafeEqual } from "crypto";
+import { randomUUID } from "crypto";
+import { spawn } from "child_process";
+import { randomUUID as randomUUID2 } from "crypto";
+function getPathValue(input, path) {
+  return path.split(".").reduce((value, part) => {
+    if (value && typeof value === "object" && part in value) {
+      return value[part];
+    }
+    return;
+  }, input);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`);
+}
+function matchString(value, matcher) {
+  if (matcher === undefined)
+    return true;
+  if (value === undefined)
+    return false;
+  const matchers = Array.isArray(matcher) ? matcher : [matcher];
+  return matchers.some((item) => wildcardToRegExp(item).test(value));
+}
+function matchRecord(input, matcher) {
+  if (!matcher)
+    return true;
+  return Object.entries(matcher).every(([path, expected]) => {
+    const actual = getPathValue(input, path);
+    if (typeof expected === "string" || Array.isArray(expected)) {
+      return matchString(actual === undefined ? undefined : String(actual), expected);
+    }
+    return actual === expected;
+  });
+}
+function eventMatchesFilter(event, filter) {
+  return matchString(event.source, filter.source) && matchString(event.type, filter.type) && matchString(event.subject, filter.subject) && matchString(event.severity, filter.severity) && matchRecord(event.data, filter.data) && matchRecord(event.metadata, filter.metadata);
+}
+function channelMatchesEvent(channel, event) {
+  if (!channel.enabled)
+    return false;
+  if (!channel.filters || channel.filters.length === 0)
+    return true;
+  return channel.filters.some((filter) => eventMatchesFilter(event, filter));
+}
+var HASNA_EVENTS_DIR_ENV = "HASNA_EVENTS_DIR";
+var HASNA_EVENTS_HOME_ENV = "HASNA_EVENTS_HOME";
+function getEventsDataDir(override) {
+  return override || process.env[HASNA_EVENTS_DIR_ENV] || process.env[HASNA_EVENTS_HOME_ENV] || join6(homedir4(), ".hasna", "events");
+}
+
+class JsonEventsStore {
+  dataDir;
+  channelsPath;
+  eventsPath;
+  deliveriesPath;
+  constructor(dataDir = getEventsDataDir()) {
+    this.dataDir = dataDir;
+    this.channelsPath = join6(dataDir, "channels.json");
+    this.eventsPath = join6(dataDir, "events.json");
+    this.deliveriesPath = join6(dataDir, "deliveries.json");
+  }
+  async init() {
+    await mkdir(this.dataDir, { recursive: true, mode: 448 });
+    await chmod(this.dataDir, 448).catch(() => {
+      return;
+    });
+    await this.ensureArrayFile(this.channelsPath);
+    await this.ensureArrayFile(this.eventsPath);
+    await this.ensureArrayFile(this.deliveriesPath);
+  }
+  async addChannel(channel) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const index = channels.findIndex((item) => item.id === channel.id);
+    if (index >= 0) {
+      channels[index] = { ...channel, createdAt: channels[index].createdAt, updatedAt: new Date().toISOString() };
+    } else {
+      channels.push(channel);
+    }
+    await this.writeJson(this.channelsPath, channels);
+    return index >= 0 ? channels[index] : channel;
+  }
+  async listChannels() {
+    await this.init();
+    return this.readJson(this.channelsPath, []);
+  }
+  async getChannel(id) {
+    const channels = await this.listChannels();
+    return channels.find((channel) => channel.id === id);
+  }
+  async removeChannel(id) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const next = channels.filter((channel) => channel.id !== id);
+    await this.writeJson(this.channelsPath, next);
+    return next.length !== channels.length;
+  }
+  async appendEvent(event) {
+    await this.init();
+    const events = await this.readJson(this.eventsPath, []);
+    events.push(event);
+    await this.writeJson(this.eventsPath, events);
+    return event;
+  }
+  async listEvents() {
+    await this.init();
+    return this.readJson(this.eventsPath, []);
+  }
+  async findEventByIdentity(identity) {
+    const events = await this.listEvents();
+    return events.find((event) => identity.id !== undefined && event.id === identity.id || identity.dedupeKey !== undefined && event.dedupeKey === identity.dedupeKey);
+  }
+  async appendDelivery(result) {
+    await this.init();
+    const deliveries = await this.readJson(this.deliveriesPath, []);
+    deliveries.push(result);
+    await this.writeJson(this.deliveriesPath, deliveries);
+    return result;
+  }
+  async listDeliveries() {
+    await this.init();
+    return this.readJson(this.deliveriesPath, []);
+  }
+  async exportData() {
+    return {
+      channels: await this.listChannels(),
+      events: await this.listEvents(),
+      deliveries: await this.listDeliveries()
+    };
+  }
+  async ensureArrayFile(path) {
+    if (!existsSync7(path)) {
+      await writeFile(path, `[]
+`, { encoding: "utf-8", mode: 384 });
+    }
+    await chmod(path, 384).catch(() => {
+      return;
+    });
+  }
+  async readJson(path, fallback) {
+    try {
+      const raw = await readFile(path, "utf-8");
+      if (!raw.trim())
+        return fallback;
+      return JSON.parse(raw);
+    } catch (error) {
+      if (error.code === "ENOENT")
+        return fallback;
+      throw error;
+    }
+  }
+  async writeJson(path, value) {
+    const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+    await writeFile(tempPath, `${JSON.stringify(value, null, 2)}
+`, { encoding: "utf-8", mode: 384 });
+    await rename(tempPath, path);
+    await chmod(path, 384).catch(() => {
+      return;
+    });
+  }
+}
+var DEFAULT_SIGNATURE_TOLERANCE_MS = 5 * 60 * 1000;
+function buildSignatureBase(timestamp, body) {
+  return `${timestamp}.${body}`;
+}
+function signPayload(secret, timestamp, body) {
+  const digest = createHmac("sha256", secret).update(buildSignatureBase(timestamp, body)).digest("hex");
+  return `sha256=${digest}`;
+}
+function now() {
+  return new Date().toISOString();
+}
+function truncate(value, max = 4096) {
+  return value.length > max ? `${value.slice(0, max)}...` : value;
+}
+function buildWebhookRequest(event, channel) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const body = JSON.stringify(event);
+  const timestamp = event.time;
+  const headers = {
+    "Content-Type": "application/json",
+    "User-Agent": "@hasna/events",
+    "X-Hasna-Event-Id": event.id,
+    "X-Hasna-Event-Type": event.type,
+    "X-Hasna-Timestamp": timestamp,
+    ...channel.webhook.headers
+  };
+  if (channel.webhook.secret) {
+    headers["X-Hasna-Signature"] = signPayload(channel.webhook.secret, timestamp, body);
+  }
+  return { body, headers };
+}
+async function dispatchWebhook2(event, channel, options = {}) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const startedAt = now();
+  const { body, headers } = buildWebhookRequest(event, channel);
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), channel.webhook.timeoutMs ?? 15000);
+  try {
+    const response = await (options.fetchImpl ?? fetch)(channel.webhook.url, {
+      method: "POST",
+      headers,
+      body,
+      signal: controller.signal
+    });
+    const responseBody = truncate(await response.text());
+    return {
+      attempt: 1,
+      status: response.ok ? "success" : "failed",
+      startedAt,
+      completedAt: now(),
+      responseStatus: response.status,
+      responseBody,
+      error: response.ok ? undefined : `Webhook returned HTTP ${response.status}`
+    };
+  } catch (error) {
+    return {
+      attempt: 1,
+      status: "failed",
+      startedAt,
+      completedAt: now(),
+      error: error instanceof Error ? error.message : String(error)
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function dispatchCommand2(event, channel) {
+  if (!channel.command)
+    throw new Error(`Channel ${channel.id} has no command config`);
+  const startedAt = now();
+  const eventJson = JSON.stringify(event);
+  const env = {
+    ...process.env,
+    ...channel.command.env,
+    HASNA_CHANNEL_ID: channel.id,
+    HASNA_EVENT_ID: event.id,
+    HASNA_EVENT_TYPE: event.type,
+    HASNA_EVENT_SOURCE: event.source,
+    HASNA_EVENT_SUBJECT: event.subject ?? "",
+    HASNA_EVENT_SEVERITY: event.severity,
+    HASNA_EVENT_TIME: event.time,
+    HASNA_EVENT_DEDUPE_KEY: event.dedupeKey ?? "",
+    HASNA_EVENT_SCHEMA_VERSION: event.schemaVersion,
+    HASNA_EVENT_JSON: eventJson
+  };
+  return new Promise((resolve2) => {
+    const child = spawn(channel.command.command, channel.command.args ?? [], {
+      cwd: channel.command.cwd,
+      env,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => child.kill("SIGTERM"), channel.command.timeoutMs ?? 15000);
+    child.stdin.end(eventJson);
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      resolve2({
+        attempt: 1,
+        status: "failed",
+        startedAt,
+        completedAt: now(),
+        stdout: truncate(stdout),
+        stderr: truncate(stderr),
+        error: error.message
+      });
+    });
+    child.on("close", (code, signal) => {
+      clearTimeout(timeout);
+      const success = code === 0;
+      resolve2({
+        attempt: 1,
+        status: success ? "success" : "failed",
+        startedAt,
+        completedAt: now(),
+        stdout: truncate(stdout),
+        stderr: truncate(stderr),
+        error: success ? undefined : `Command exited with ${signal ? `signal ${signal}` : `code ${code}`}`
+      });
+    });
+  });
+}
+async function dispatchChannel2(event, channel, options = {}) {
+  if (channel.transport === "webhook")
+    return dispatchWebhook2(event, channel, options);
+  if (channel.transport === "command")
+    return dispatchCommand2(event, channel);
+  return {
+    attempt: 1,
+    status: "skipped",
+    startedAt: now(),
+    completedAt: now(),
+    error: `Unsupported transport: ${channel.transport}`
+  };
+}
+function createDeliveryResult(event, channel, attempts) {
+  const status = attempts.some((attempt) => attempt.status === "success") ? "success" : attempts.every((attempt) => attempt.status === "skipped") ? "skipped" : "failed";
+  return {
+    id: randomUUID(),
+    eventId: event.id,
+    channelId: channel.id,
+    transport: channel.transport,
+    status,
+    attempts,
+    createdAt: attempts[0]?.startedAt ?? now(),
+    completedAt: attempts.at(-1)?.completedAt ?? now()
+  };
+}
+function createEvent(input) {
+  return {
+    id: input.id ?? randomUUID2(),
+    source: input.source,
+    type: input.type,
+    time: normalizeTime(input.time),
+    subject: input.subject,
+    severity: input.severity ?? "info",
+    data: input.data ?? {},
+    message: input.message,
+    dedupeKey: input.dedupeKey,
+    schemaVersion: input.schemaVersion ?? "1.0",
+    metadata: input.metadata ?? {}
+  };
+}
+
+class EventsClient {
+  store;
+  redactors;
+  transportOptions;
+  constructor(options = {}) {
+    this.store = options.store ?? new JsonEventsStore(options.dataDir);
+    this.redactors = options.redactors ?? [];
+    this.transportOptions = { fetchImpl: options.fetchImpl };
+  }
+  async addChannel(input) {
+    const timestamp = new Date().toISOString();
+    return this.store.addChannel({
+      ...input,
+      createdAt: input.createdAt ?? timestamp,
+      updatedAt: input.updatedAt ?? timestamp
+    });
+  }
+  async listChannels() {
+    return this.store.listChannels();
+  }
+  async removeChannel(id) {
+    return this.store.removeChannel(id);
+  }
+  async emit(input, options = {}) {
+    const event = options.redactSensitiveData === false ? createEvent(input) : redactSensitiveKeys(createEvent(input));
+    if (options.dedupe !== false) {
+      const existing = await this.store.findEventByIdentity({ id: input.id, dedupeKey: event.dedupeKey });
+      if (existing) {
+        return { event: existing, deliveries: [], deduped: true };
+      }
+    }
+    await this.store.appendEvent(event);
+    const deliveries = options.deliver === false ? [] : await this.deliver(event);
+    return { event, deliveries, deduped: false };
+  }
+  async listEvents() {
+    return this.store.listEvents();
+  }
+  async listDeliveries() {
+    return this.store.listDeliveries();
+  }
+  async deliver(event) {
+    const channels = await this.store.listChannels();
+    const selected = channels.filter((channel) => channelMatchesEvent(channel, event));
+    const deliveries = [];
+    for (const channel of selected) {
+      const eventForChannel = await this.applyRedaction(event, channel);
+      const result = await this.deliverWithRetry(eventForChannel, channel);
+      await this.store.appendDelivery(result);
+      deliveries.push(result);
+    }
+    return deliveries;
+  }
+  async testChannel(id, input = {}) {
+    const channel = await this.store.getChannel(id);
+    if (!channel)
+      throw new Error(`Channel not found: ${id}`);
+    const event = createEvent({
+      source: input.source ?? "hasna.events",
+      type: input.type ?? "events.test",
+      subject: input.subject ?? id,
+      severity: input.severity ?? "info",
+      data: input.data ?? { test: true },
+      message: input.message ?? "Hasna events test delivery",
+      dedupeKey: input.dedupeKey,
+      schemaVersion: input.schemaVersion,
+      metadata: input.metadata,
+      time: input.time,
+      id: input.id
+    });
+    const eventForChannel = await this.applyRedaction(event, channel);
+    const result = await this.deliverWithRetry(eventForChannel, channel);
+    await this.store.appendDelivery(result);
+    return result;
+  }
+  async replay(options = {}) {
+    const events = (await this.store.listEvents()).filter((event) => {
+      if (options.eventId && event.id !== options.eventId)
+        return false;
+      if (options.source && event.source !== options.source)
+        return false;
+      if (options.type && event.type !== options.type)
+        return false;
+      return true;
+    });
+    if (options.dryRun)
+      return { events, deliveries: [] };
+    const deliveries = [];
+    for (const event of events) {
+      deliveries.push(...await this.deliver(event));
+    }
+    return { events, deliveries };
+  }
+  async applyRedaction(event, channel) {
+    let next = redactPaths(event, channel.redact?.paths ?? [], channel.redact?.replacement ?? "[REDACTED]");
+    for (const redactor of this.redactors) {
+      next = await redactor(next, channel);
+    }
+    return next;
+  }
+  async deliverWithRetry(event, channel) {
+    const policy = normalizeRetryPolicy(channel.retry);
+    const attempts = [];
+    for (let index = 0;index < policy.maxAttempts; index += 1) {
+      const attempt = await dispatchChannel2(event, channel, this.transportOptions);
+      attempt.attempt = index + 1;
+      if (attempt.status === "failed" && index + 1 < policy.maxAttempts) {
+        attempt.nextBackoffMs = Math.round(policy.backoffMs * policy.multiplier ** index);
+      }
+      attempts.push(attempt);
+      if (attempt.status !== "failed")
+        break;
+      if (attempt.nextBackoffMs)
+        await Bun.sleep(attempt.nextBackoffMs);
+    }
+    return createDeliveryResult(event, channel, attempts);
+  }
+}
+function redactPaths(event, paths, replacement = "[REDACTED]") {
+  if (paths.length === 0)
+    return event;
+  const copy = structuredClone(event);
+  for (const path of paths) {
+    setPath(copy, path, replacement);
+  }
+  return copy;
+}
+function sanitizeChannelForOutput(channel) {
+  const copy = structuredClone(channel);
+  if (copy.webhook?.secret)
+    copy.webhook.secret = "[REDACTED]";
+  if (copy.command?.env) {
+    copy.command.env = Object.fromEntries(Object.entries(copy.command.env).map(([key, value]) => [key, shouldRedactKey(key) ? "[REDACTED]" : value]));
+  }
+  return copy;
+}
+function sanitizeChannelsForOutput(channels) {
+  return channels.map(sanitizeChannelForOutput);
+}
+function redactSensitiveKeys(event, replacement = "[REDACTED]") {
+  return redactValue(event, replacement);
+}
+function shouldRedactKey(key) {
+  return /secret|token|password|api[_-]?key|authorization/i.test(key);
+}
+function redactValue(value, replacement) {
+  if (Array.isArray(value))
+    return value.map((item) => redactValue(item, replacement));
+  if (!value || typeof value !== "object")
+    return value;
+  return Object.fromEntries(Object.entries(value).map(([key, item]) => [
+    key,
+    shouldRedactKey(key) ? replacement : redactValue(item, replacement)
+  ]));
+}
+function setPath(input, path, replacement) {
+  const parts = path.split(".");
+  let cursor = input;
+  for (const part of parts.slice(0, -1)) {
+    const next = cursor[part];
+    if (!next || typeof next !== "object")
+      return;
+    cursor = next;
+  }
+  const last = parts.at(-1);
+  if (last && last in cursor)
+    cursor[last] = replacement;
+}
+function normalizeTime(value) {
+  if (!value)
+    return new Date().toISOString();
+  return value instanceof Date ? value.toISOString() : value;
+}
+function normalizeRetryPolicy(policy) {
+  return {
+    maxAttempts: Math.max(1, policy?.maxAttempts ?? 1),
+    backoffMs: Math.max(0, policy?.backoffMs ?? 250),
+    multiplier: Math.max(1, policy?.multiplier ?? 2)
+  };
+}
+
 // src/commands/status.ts
 function getStatus() {
   const manifest = readManifest();
@@ -13476,13 +13996,16 @@ function getServeInfo(options = {}) {
       "/api/status",
       "/api/manifest",
       "/api/notifications",
+      "/api/webhooks",
+      "/api/events",
       "/api/doctor",
       "/api/self-test",
       "/api/apps/status",
       "/api/apps/diff",
       "/api/install-claude/status",
       "/api/install-claude/diff",
-      "/api/notifications/test"
+      "/api/notifications/test",
+      "/api/webhooks/test"
     ]
   };
 }
@@ -13649,6 +14172,7 @@ function jsonError(message, status = 400) {
 }
 function startDashboardServer(options = {}) {
   const info = getServeInfo(options);
+  const events = new EventsClient;
   return Bun.serve({
     hostname: info.host,
     port: info.port,
@@ -13668,6 +14192,42 @@ function startDashboardServer(options = {}) {
       if (url.pathname === "/api/notifications") {
         return Response.json(listNotificationChannels());
       }
+      if (url.pathname === "/api/webhooks") {
+        if (request.method !== "GET") {
+          return jsonError("Use GET for webhook channel listing.", 405);
+        }
+        return Response.json(sanitizeChannelsForOutput(await events.listChannels()));
+      }
+      if (url.pathname === "/api/events") {
+        if (request.method === "GET") {
+          return Response.json(await events.listEvents());
+        }
+        if (request.method !== "POST") {
+          return jsonError("Use GET or POST for events.", 405);
+        }
+        const body = await parseJsonBody(request);
+        const type = typeof body["type"] === "string" ? body["type"] : undefined;
+        if (!type) {
+          return jsonError("type is required.");
+        }
+        const source = typeof body["source"] === "string" ? body["source"] : "machines";
+        const subject = typeof body["subject"] === "string" ? body["subject"] : undefined;
+        const severity = typeof body["severity"] === "string" ? body["severity"] : undefined;
+        const message = typeof body["message"] === "string" ? body["message"] : undefined;
+        const dedupeKey = typeof body["dedupeKey"] === "string" ? body["dedupeKey"] : undefined;
+        const data = body["data"] && typeof body["data"] === "object" && !Array.isArray(body["data"]) ? body["data"] : {};
+        const metadata = body["metadata"] && typeof body["metadata"] === "object" && !Array.isArray(body["metadata"]) ? body["metadata"] : {};
+        return Response.json(await events.emit({
+          source,
+          type,
+          subject,
+          severity,
+          message,
+          dedupeKey,
+          data,
+          metadata
+        }));
+      }
       if (url.pathname === "/api/doctor") {
         return Response.json(runDoctor(machineId));
       }
@@ -13705,6 +14265,28 @@ function startDashboardServer(options = {}) {
           return jsonError(error instanceof Error ? error.message : String(error));
         }
       }
+      if (url.pathname === "/api/webhooks/test") {
+        if (request.method !== "POST") {
+          return jsonError("Use POST for webhook tests.", 405);
+        }
+        const body = await parseJsonBody(request);
+        const channelId = typeof body["channelId"] === "string" ? body["channelId"] : undefined;
+        if (!channelId) {
+          return jsonError("channelId is required.");
+        }
+        const type = typeof body["type"] === "string" ? body["type"] : "events.test";
+        const message = typeof body["message"] === "string" ? body["message"] : undefined;
+        try {
+          return Response.json(await events.testChannel(channelId, {
+            source: "machines",
+            type,
+            subject: channelId,
+            message
+          }));
+        } catch (error) {
+          return jsonError(error instanceof Error ? error.message : String(error));
+        }
+      }
       return new Response(renderDashboardHtml(), {
         headers: {
           "content-type": "text/html; charset=utf-8"
@@ -13744,7 +14326,7 @@ function runSelfTest() {
   };
 }
 // src/commands/setup.ts
-import { homedir as homedir4 } from "os";
+import { homedir as homedir5 } from "os";
 function quote3(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
@@ -13814,7 +14396,7 @@ function buildSetupPlan(machineId) {
   const target = selected || {
     id: currentMachineId,
     platform: "linux",
-    workspacePath: `${homedir4()}/workspace`
+    workspacePath: `${homedir5()}/workspace`
   };
   const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
   return {
@@ -13859,15 +14441,32 @@ function runSetup(machineId, options = {}) {
   return summary;
 }
 // src/commands/screen.ts
+var DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
 function shellQuote7(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function shellCommand2(command) {
+  return command.map(shellQuote7).join(" ");
+}
+function metadataString2(metadata, keys) {
+  if (!metadata)
+    return null;
+  for (const key of keys) {
+    const value = metadata[key];
+    if (typeof value === "string" && value.trim())
+      return value.trim();
+  }
+  return null;
+}
 function splitTarget(target) {
   const at = target.indexOf("@");
   if (at === -1)
     return [null, target];
   return [target.slice(0, at), target.slice(at + 1)];
 }
+function defaultScreenPasswordSecretKey(machineId) {
+  return `${DEFAULT_SCREEN_SECRET_NAMESPACE}/screen-${machineId}-vnc-password`;
+}
 function resolveScreenTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -13893,6 +14492,30 @@ function resolveScreenTarget(machineId, options = {}) {
     warnings: resolved.warnings
   };
 }
+function resolveScreenCredentials(machineId, options = {}) {
+  const topology = options.topology ?? discoverMachineTopology(options);
+  const screen = resolveScreenTarget(machineId, { ...options, topology });
+  const entry = topology.machines.find((machine) => machine.machine_id === screen.machineId);
+  const metadata = entry?.metadata;
+  const metadataUser = metadataString2(metadata, ["screenUser", "screen_user", "user", "username"]);
+  const metadataPasswordSecret = metadataString2(metadata, [
+    "screenPasswordSecret",
+    "screen_password_secret",
+    "screenVncPasswordSecret",
+    "screen_vnc_password_secret",
+    "vncPasswordSecret",
+    "vnc_password_secret"
+  ]);
+  const user = options.user ?? screen.user ?? metadataUser;
+  const passwordSecretKey = options.passwordSecretKey ?? metadataPasswordSecret ?? defaultScreenPasswordSecretKey(screen.machineId);
+  return {
+    machineId: screen.machineId,
+    user: user ?? null,
+    userSource: options.user ? "option" : screen.user ? "route" : metadataUser ? "metadata" : "missing",
+    passwordSecretKey,
+    passwordSecretSource: options.passwordSecretKey ? "option" : metadataPasswordSecret ? "metadata" : "default"
+  };
+}
 function buildScreenCommand(machineId, options = {}) {
   const resolved = resolveScreenTarget(machineId, options);
   return `open ${resolved.url}`;
@@ -13907,9 +14530,40 @@ function buildScreenEnableRemoteCommand(user, vncPassword) {
   ];
   return lines.join(" && ");
 }
+function buildScreenEnableRemoteCommandFromStdin(user) {
+  const kickstart = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart";
+  const script = [
+    "set -euo pipefail",
+    'user="$1"',
+    "IFS= read -r vnc_pw",
+    'if [ -z "$vnc_pw" ]; then echo "missing VNC password on stdin" >&2; exit 1; fi',
+    `kickstart=${shellQuote7(kickstart)}`,
+    'dseditgroup -o edit -a "$user" -t user com.apple.access_screensharing 2>/dev/null || true',
+    "defaults write /Library/Preferences/com.apple.RemoteManagement AllowSRPForNetworkNodes -bool true",
+    '"$kickstart" -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$vnc_pw"',
+    '"$kickstart" -activate -configure -access -on -users "$user" -privs -all -restart -agent -menu'
+  ].join(`
+`);
+  return `sudo -n -p '' /bin/bash -c ${shellQuote7(script)} -- ${shellQuote7(user)}`;
+}
+function buildScreenEnableCommand(machineId, options = {}) {
+  const credentials = resolveScreenCredentials(machineId, options);
+  if (!credentials.user) {
+    throw new Error(`No screen-sharing user known for ${machineId}; pass --user <name> or set metadata.user in the manifest.`);
+  }
+  const secretsCommand = options.secretsCommand || "secrets";
+  const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  return {
+    machineId: credentials.machineId,
+    user: credentials.user,
+    passwordSecretKey: credentials.passwordSecretKey,
+    remoteCommand,
+    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+  };
+}
 // src/commands/sync.ts
-import { existsSync as existsSync7, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
-import { homedir as homedir5 } from "os";
+import { existsSync as existsSync8, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
+import { homedir as homedir6 } from "os";
 function quote4(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
@@ -13957,8 +14611,8 @@ function detectPackageActions(machine) {
 }
 function detectFileActions(machine) {
   return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync7(file.source);
-    const targetExists = existsSync7(file.target);
+    const sourceExists = existsSync8(file.source);
+    const targetExists = existsSync8(file.target);
     let status = "missing";
     if (sourceExists && targetExists) {
       if (file.mode === "symlink") {
@@ -13986,7 +14640,7 @@ function buildSyncPlan(machineId) {
   const target = selected || {
     id: currentMachineId,
     platform: "linux",
-    workspacePath: `${homedir5()}/workspace`
+    workspacePath: `${homedir6()}/workspace`
   };
   const actions = [
     ...detectPackageActions(target),
@@ -23160,6 +23814,13 @@ var MACHINE_MCP_TOOL_NAMES = [
   "machines_notifications_test",
   "machines_notifications_dispatch",
   "machines_notifications_remove",
+  "machines_webhooks_add",
+  "machines_webhooks_list",
+  "machines_webhooks_test",
+  "machines_webhooks_remove",
+  "machines_events_emit",
+  "machines_events_list",
+  "machines_events_replay",
   "machines_serve_info",
   "machines_serve_dashboard",
   "storage_status",
@@ -23172,6 +23833,7 @@ function buildServer(version2 = getPackageVersion()) {
 }
 function createMcpServer(version2) {
   const server = new McpServer({ name: "machines", version: version2 });
+  const events = new EventsClient;
   server.tool("machines_status", "Return local machine fleet status paths and machine identity.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(getStatus(), null, 2) }]
   }));
@@ -23314,8 +23976,8 @@ function createMcpServer(version2) {
     target: exports_external.string().describe("Email, webhook URL, or shell command"),
     events: exports_external.array(exports_external.string()).describe("Events routed to this channel"),
     enabled: exports_external.boolean().optional().describe("Whether the channel is enabled")
-  }, async ({ channel_id, type, target, events, enabled }) => ({
-    content: [{ type: "text", text: JSON.stringify(addNotificationChannel({ id: channel_id, type, target, events, enabled: enabled ?? true }), null, 2) }]
+  }, async ({ channel_id, type, target, events: events2, enabled }) => ({
+    content: [{ type: "text", text: JSON.stringify(addNotificationChannel({ id: channel_id, type, target, events: events2, enabled: enabled ?? true }), null, 2) }]
   }));
   server.tool("machines_notifications_list", "List notification channels.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(listNotificationChannels(), null, 2) }]
@@ -23325,6 +23987,60 @@ function createMcpServer(version2) {
   }));
   server.tool("machines_notifications_dispatch", "Dispatch an event to matching notification channels.", { event: exports_external.string().describe("Event name"), message: exports_external.string().describe("Message body"), channel_id: exports_external.string().optional().describe("Limit delivery to one channel") }, async ({ event, message, channel_id }) => ({ content: [{ type: "text", text: JSON.stringify(await dispatchNotificationEvent(event, message, { channelId: channel_id }), null, 2) }] }));
   server.tool("machines_notifications_remove", "Remove a notification channel.", { channel_id: exports_external.string().describe("Channel identifier") }, async ({ channel_id }) => ({ content: [{ type: "text", text: JSON.stringify(removeNotificationChannel(channel_id), null, 2) }] }));
+  server.tool("machines_webhooks_add", "Add or replace a shared Hasna event webhook channel.", {
+    channel_id: exports_external.string().describe("Channel identifier"),
+    url: exports_external.string().url().describe("Webhook URL"),
+    event_type: exports_external.string().optional().describe("Optional event type filter, e.g. machines.*"),
+    source: exports_external.string().optional().describe("Optional source filter"),
+    secret: exports_external.string().optional().describe("Optional HMAC secret"),
+    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled")
+  }, async ({ channel_id, url, event_type, source, secret, enabled }) => {
+    const now2 = new Date().toISOString();
+    const channel = await events.addChannel({
+      id: channel_id,
+      enabled: enabled ?? true,
+      transport: "webhook",
+      filters: event_type || source ? [{ type: event_type, source }] : undefined,
+      webhook: { url, secret },
+      createdAt: now2,
+      updatedAt: now2
+    });
+    return { content: [{ type: "text", text: JSON.stringify(sanitizeChannelForOutput(channel), null, 2) }] };
+  });
+  server.tool("machines_webhooks_list", "List shared Hasna event webhook channels.", {}, async () => ({
+    content: [{ type: "text", text: JSON.stringify(sanitizeChannelsForOutput(await events.listChannels()), null, 2) }]
+  }));
+  server.tool("machines_webhooks_test", "Send a test event to one shared Hasna event channel.", { channel_id: exports_external.string().describe("Channel identifier"), event_type: exports_external.string().optional().describe("Event type"), message: exports_external.string().optional().describe("Message body") }, async ({ channel_id, event_type, message }) => ({
+    content: [{ type: "text", text: JSON.stringify(await events.testChannel(channel_id, { source: "machines", type: event_type ?? "events.test", message }), null, 2) }]
+  }));
+  server.tool("machines_webhooks_remove", "Remove a shared Hasna event channel.", { channel_id: exports_external.string().describe("Channel identifier") }, async ({ channel_id }) => ({ content: [{ type: "text", text: JSON.stringify({ removed: await events.removeChannel(channel_id) }, null, 2) }] }));
+  server.tool("machines_events_emit", "Emit a shared Hasna event from machines.", {
+    event_type: exports_external.string().describe("Event type"),
+    subject: exports_external.string().optional().describe("Event subject"),
+    severity: exports_external.enum(["debug", "info", "notice", "warning", "error", "critical"]).optional().describe("Event severity"),
+    message: exports_external.string().optional().describe("Message body"),
+    data: exports_external.record(exports_external.unknown()).optional().describe("Event data"),
+    metadata: exports_external.record(exports_external.unknown()).optional().describe("Event metadata"),
+    dedupe_key: exports_external.string().optional().describe("Dedupe key"),
+    deliver: exports_external.boolean().optional().describe("Deliver to matching channels")
+  }, async ({ event_type, subject, severity, message, data, metadata, dedupe_key, deliver }) => ({
+    content: [{ type: "text", text: JSON.stringify(await events.emit({
+      source: "machines",
+      type: event_type,
+      subject,
+      severity,
+      message,
+      data: data ?? {},
+      metadata: metadata ?? {},
+      dedupeKey: dedupe_key
+    }, { deliver: deliver !== false }), null, 2) }]
+  }));
+  server.tool("machines_events_list", "List shared Hasna events.", {}, async () => ({
+    content: [{ type: "text", text: JSON.stringify(await events.listEvents(), null, 2) }]
+  }));
+  server.tool("machines_events_replay", "Replay shared Hasna events.", { event_id: exports_external.string().optional().describe("Event id"), source: exports_external.string().optional().describe("Source filter"), event_type: exports_external.string().optional().describe("Event type filter"), dry_run: exports_external.boolean().optional().describe("Preview without delivery") }, async ({ event_id, source, event_type, dry_run }) => ({
+    content: [{ type: "text", text: JSON.stringify(await events.replay({ eventId: event_id, source, type: event_type, dryRun: dry_run }), null, 2) }]
+  }));
   server.tool("machines_serve_info", "Preview the dashboard server bind address and routes.", { host: exports_external.string().optional().describe("Host interface"), port: exports_external.number().optional().describe("Port number") }, async ({ host, port }) => ({ content: [{ type: "text", text: JSON.stringify(getServeInfo({ host, port }), null, 2) }] }));
   server.tool("machines_serve_dashboard", "Render the current dashboard HTML.", {}, async () => ({
     content: [{ type: "text", text: renderDashboardHtml() }]
@@ -23362,6 +24078,7 @@ export {
   resolveTables,
   resolveSshTarget,
   resolveScreenTarget,
+  resolveScreenCredentials,
   resolveMachineWorkspace,
   resolveMachineRoute,
   resolveBackupTarget,
@@ -23425,6 +24142,7 @@ export {
   diffClaudeCli,
   diffApps,
   detectCurrentMachineManifest,
+  defaultScreenPasswordSecretKey,
   createMcpServer,
   createMachineResolverSnapshot,
   countRuns,
@@ -23435,7 +24153,9 @@ export {
   buildSshCommand,
   buildSetupPlan,
   buildServer,
+  buildScreenEnableRemoteCommandFromStdin,
   buildScreenEnableRemoteCommand,
+  buildScreenEnableCommand,
   buildScreenCommand,
   buildClaudeInstallPlan,
   buildCertPlan,
@@ -23465,6 +24185,7 @@ export {
   MACHINES_BACKUP_PREFIX_ENV,
   MACHINES_BACKUP_BUCKET_FALLBACK_ENV,
   MACHINES_BACKUP_BUCKET_ENV,
+  DEFAULT_SCREEN_SECRET_NAMESPACE,
   DEFAULT_MACHINE_RESOLVER_TTL_MS,
   DEFAULT_BACKUP_PREFIX,
   CROSSREFS_KEY