@hasna/machines 0.0.28 → 0.0.29

package/dist/cli/index.js

@@ -9830,1272 +9830,1362 @@ function listPorts(machineId) {
   };
 }
 
-// src/commands/screen.ts
-var DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
-function shellQuote6(value) {
-  return `'${value.replace(/'/g, "'\\''")}'`;
+// src/commands/runtime.ts
+import { spawnSync as spawnSync4 } from "child_process";
+import { setTimeout as sleep } from "timers/promises";
+
+// node_modules/@hasna/events/dist/index.js
+import { chmod as chmod2, mkdir as mkdir2, readFile as readFile2, rename as rename2, writeFile as writeFile2 } from "fs/promises";
+import { existsSync as existsSync8 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join7 } from "path";
+import { createHmac as createHmac2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
+import { spawn as spawn2 } from "child_process";
+import { randomUUID as randomUUID22 } from "crypto";
+function getPathValue2(input, path) {
+  return path.split(".").reduce((value, part) => {
+    if (value && typeof value === "object" && part in value) {
+      return value[part];
+    }
+    return;
+  }, input);
 }
-function shellCommand2(command) {
-  return command.map(shellQuote6).join(" ");
+function wildcardToRegExp2(pattern) {
+  const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`);
 }
-function metadataString2(metadata, keys) {
-  if (!metadata)
-    return null;
-  for (const key of keys) {
-    const value = metadata[key];
-    if (typeof value === "string" && value.trim())
-      return value.trim();
-  }
-  return null;
+function matchString2(value, matcher) {
+  if (matcher === undefined)
+    return true;
+  if (value === undefined)
+    return false;
+  const matchers = Array.isArray(matcher) ? matcher : [matcher];
+  return matchers.some((item) => wildcardToRegExp2(item).test(value));
 }
-function splitTarget(target) {
-  const at = target.indexOf("@");
-  if (at === -1)
-    return [null, target];
-  return [target.slice(0, at), target.slice(at + 1)];
+function matchRecord2(input, matcher) {
+  if (!matcher)
+    return true;
+  return Object.entries(matcher).every(([path, expected]) => {
+    const actual = getPathValue2(input, path);
+    if (typeof expected === "string" || Array.isArray(expected)) {
+      return matchString2(actual === undefined ? undefined : String(actual), expected);
+    }
+    return actual === expected;
+  });
 }
-function defaultScreenPasswordSecretKey(machineId) {
-  return `${DEFAULT_SCREEN_SECRET_NAMESPACE}/screen-${machineId}-vnc-password`;
+function eventMatchesFilter2(event, filter) {
+  return matchString2(event.source, filter.source) && matchString2(event.type, filter.type) && matchString2(event.subject, filter.subject) && matchString2(event.severity, filter.severity) && matchRecord2(event.data, filter.data) && matchRecord2(event.metadata, filter.metadata);
 }
-function resolveScreenTarget(machineId, options = {}) {
-  const resolved = resolveMachineRoute(machineId, options);
-  if (!resolved.ok || !resolved.target) {
-    throw new Error(`Machine route not found: ${machineId}`);
+function channelMatchesEvent2(channel, event) {
+  if (!channel.enabled)
+    return false;
+  if (!channel.filters || channel.filters.length === 0)
+    return true;
+  return channel.filters.some((filter) => eventMatchesFilter2(event, filter));
+}
+var HASNA_EVENTS_DIR_ENV2 = "HASNA_EVENTS_DIR";
+var HASNA_EVENTS_HOME_ENV2 = "HASNA_EVENTS_HOME";
+function getEventsDataDir2(override) {
+  return override || process.env[HASNA_EVENTS_DIR_ENV2] || process.env[HASNA_EVENTS_HOME_ENV2] || join7(homedir6(), ".hasna", "events");
+}
+
+class JsonEventsStore2 {
+  dataDir;
+  channelsPath;
+  eventsPath;
+  deliveriesPath;
+  constructor(dataDir = getEventsDataDir2()) {
+    this.dataDir = dataDir;
+    this.channelsPath = join7(dataDir, "channels.json");
+    this.eventsPath = join7(dataDir, "events.json");
+    this.deliveriesPath = join7(dataDir, "deliveries.json");
   }
-  if (resolved.route === "unknown") {
-    throw new Error(`Machine route is not reachable for screen sharing: ${machineId}`);
+  async init() {
+    await mkdir2(this.dataDir, { recursive: true, mode: 448 });
+    await chmod2(this.dataDir, 448).catch(() => {
+      return;
+    });
+    await this.ensureArrayFile(this.channelsPath);
+    await this.ensureArrayFile(this.eventsPath);
+    await this.ensureArrayFile(this.deliveriesPath);
   }
-  let [user, host] = splitTarget(resolved.target);
-  if (!user) {
-    const topology = options.topology ?? discoverMachineTopology(options);
-    const entry = topology.machines.find((m) => m.machine_id === (resolved.machine_id ?? machineId));
-    user = entry?.user ?? null;
+  async addChannel(channel) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const index = channels.findIndex((item) => item.id === channel.id);
+    if (index >= 0) {
+      channels[index] = { ...channel, createdAt: channels[index].createdAt, updatedAt: new Date().toISOString() };
+    } else {
+      channels.push(channel);
+    }
+    await this.writeJson(this.channelsPath, channels);
+    return index >= 0 ? channels[index] : channel;
   }
-  const url = user ? `vnc://${user}@${host}` : `vnc://${host}`;
-  return {
-    machineId: resolved.machine_id ?? machineId,
-    user,
-    host,
-    url,
-    route: resolved.route,
-    confidence: resolved.confidence,
-    warnings: resolved.warnings
-  };
-}
-function resolveScreenCredentials(machineId, options = {}) {
-  const topology = options.topology ?? discoverMachineTopology(options);
-  const screen = resolveScreenTarget(machineId, { ...options, topology });
-  const entry = topology.machines.find((machine) => machine.machine_id === screen.machineId);
-  const metadata = entry?.metadata;
-  const metadataUser = metadataString2(metadata, ["screenUser", "screen_user", "user", "username"]);
-  const metadataPasswordSecret = metadataString2(metadata, [
-    "screenPasswordSecret",
-    "screen_password_secret",
-    "screenVncPasswordSecret",
-    "screen_vnc_password_secret",
-    "vncPasswordSecret",
-    "vnc_password_secret"
-  ]);
-  const user = options.user ?? screen.user ?? metadataUser;
-  const passwordSecretKey = options.passwordSecretKey ?? metadataPasswordSecret ?? defaultScreenPasswordSecretKey(screen.machineId);
-  return {
-    machineId: screen.machineId,
-    user: user ?? null,
-    userSource: options.user ? "option" : screen.user ? "route" : metadataUser ? "metadata" : "missing",
-    passwordSecretKey,
-    passwordSecretSource: options.passwordSecretKey ? "option" : metadataPasswordSecret ? "metadata" : "default"
-  };
-}
-function buildScreenEnableRemoteCommandFromStdin(user) {
-  const kickstart = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart";
-  const script = [
-    "set -euo pipefail",
-    'user="$1"',
-    "IFS= read -r vnc_pw",
-    'if [ -z "$vnc_pw" ]; then echo "missing VNC password on stdin" >&2; exit 1; fi',
-    `kickstart=${shellQuote6(kickstart)}`,
-    'dseditgroup -o edit -a "$user" -t user com.apple.access_screensharing 2>/dev/null || true',
-    "defaults write /Library/Preferences/com.apple.RemoteManagement AllowSRPForNetworkNodes -bool true",
-    '"$kickstart" -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$vnc_pw"',
-    '"$kickstart" -activate -configure -access -on -users "$user" -privs -all -restart -agent -menu'
-  ].join(`
-`);
-  return `sudo -n -p '' /bin/bash -c ${shellQuote6(script)} -- ${shellQuote6(user)}`;
-}
-function buildScreenEnableCommand(machineId, options = {}) {
-  const credentials = resolveScreenCredentials(machineId, options);
-  if (!credentials.user) {
-    throw new Error(`No screen-sharing user known for ${machineId}; pass --user <name> or set metadata.user in the manifest.`);
+  async listChannels() {
+    await this.init();
+    return this.readJson(this.channelsPath, []);
   }
-  const secretsCommand = options.secretsCommand || "secrets";
-  const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
-  return {
-    machineId: credentials.machineId,
-    user: credentials.user,
-    passwordSecretKey: credentials.passwordSecretKey,
-    remoteCommand,
-    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
-  };
-}
-
-// src/commands/sync.ts
-import { existsSync as existsSync8, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
-import { homedir as homedir6 } from "os";
-init_paths();
-init_db();
-function quote4(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
-}
-function packageCheckCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
-  if (manager === "bun") {
-    return `bun pm ls -g --all | grep -F ${quote4(packageName)}`;
+  async getChannel(id) {
+    const channels = await this.listChannels();
+    return channels.find((channel) => channel.id === id);
   }
-  if (manager === "brew") {
-    return `brew list --versions ${quote4(packageName)}`;
+  async removeChannel(id) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const next = channels.filter((channel) => channel.id !== id);
+    await this.writeJson(this.channelsPath, next);
+    return next.length !== channels.length;
   }
-  if (manager === "apt") {
-    return `dpkg -s ${quote4(packageName)} >/dev/null 2>&1`;
+  async appendEvent(event) {
+    await this.init();
+    const events = await this.readJson(this.eventsPath, []);
+    events.push(event);
+    await this.writeJson(this.eventsPath, events);
+    return event;
   }
-  return `command -v ${quote4(packageName)} >/dev/null 2>&1`;
-}
-function packageInstallCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
-  if (manager === "bun") {
-    return `bun install -g ${quote4(packageName)}`;
+  async listEvents() {
+    await this.init();
+    return this.readJson(this.eventsPath, []);
   }
-  if (manager === "brew") {
-    return `brew install ${quote4(packageName)}`;
+  async findEventByIdentity(identity) {
+    const events = await this.listEvents();
+    return events.find((event) => identity.id !== undefined && event.id === identity.id || identity.dedupeKey !== undefined && event.dedupeKey === identity.dedupeKey);
   }
-  if (manager === "apt") {
-    return `sudo apt-get install -y ${quote4(packageName)}`;
+  async appendDelivery(result) {
+    await this.init();
+    const deliveries = await this.readJson(this.deliveriesPath, []);
+    deliveries.push(result);
+    await this.writeJson(this.deliveriesPath, deliveries);
+    return result;
   }
-  return packageName;
-}
-function detectPackageActions(machine) {
-  return (machine.packages || []).map((pkg, index) => {
-    const manager = pkg.manager || (machine.platform === "macos" ? "brew" : "apt");
-    const check = Bun.spawnSync(["bash", "-lc", packageCheckCommand(machine, pkg.name, manager)], {
-      stdout: "ignore",
-      stderr: "ignore",
-      env: process.env
-    });
-    const installed = check.exitCode === 0;
+  async listDeliveries() {
+    await this.init();
+    return this.readJson(this.deliveriesPath, []);
+  }
+  async exportData() {
     return {
-      id: `package-${index + 1}`,
-      title: `${installed ? "Package present" : "Install package"} ${pkg.name}`,
-      command: packageInstallCommand(machine, pkg.name, manager),
-      status: installed ? "ok" : "missing",
-      kind: "package"
+      channels: await this.listChannels(),
+      events: await this.listEvents(),
+      deliveries: await this.listDeliveries()
     };
-  });
-}
-function detectFileActions(machine) {
-  return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync8(file.source);
-    const targetExists = existsSync8(file.target);
-    let status = "missing";
-    if (sourceExists && targetExists) {
-      if (file.mode === "symlink") {
-        status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
-      } else {
-        const source = readFileSync5(file.source, "utf8");
-        const target = readFileSync5(file.target, "utf8");
-        status = source === target ? "ok" : "drifted";
-      }
-    }
-    const command = file.mode === "symlink" ? `ln -sfn ${quote4(file.source)} ${quote4(file.target)}` : `cp ${quote4(file.source)} ${quote4(file.target)}`;
-    return {
-      id: `file-${index + 1}`,
-      title: `${status === "ok" ? "File in sync" : "Reconcile file"} ${file.target}`,
-      command,
-      status,
-      kind: "file"
-    };
-  });
-}
-function buildSyncPlan(machineId) {
-  const manifest = readManifest();
-  const currentMachineId = getLocalMachineId();
-  const selected = machineId ? manifest.machines.find((machine) => machine.id === machineId) : manifest.machines.find((machine) => machine.id === currentMachineId);
-  const target = selected || {
-    id: currentMachineId,
-    platform: "linux",
-    workspacePath: `${homedir6()}/workspace`
-  };
-  const actions = [
-    ...detectPackageActions(target),
-    ...detectFileActions(target)
-  ];
-  return {
-    machineId: target.id,
-    mode: "plan",
-    actions,
-    executed: 0
-  };
-}
-function applyFileAction(command) {
-  const [verb, source, target] = command.split(" ");
-  if (verb === "cp" && source && target) {
-    ensureParentDir(target);
-    copyFileSync(source.slice(1, -1), target.slice(1, -1));
-    return;
   }
-  if (verb === "ln" && source && target) {
-    const sourcePath = command.match(/ln -sfn '(.+)' '(.+)'/)?.[1];
-    const targetPath = command.match(/ln -sfn '(.+)' '(.+)'/)?.[2];
-    if (!sourcePath || !targetPath) {
-      throw new Error(`Unable to parse symlink command: ${command}`);
+  async ensureArrayFile(path) {
+    if (!existsSync8(path)) {
+      await writeFile2(path, `[]
+`, { encoding: "utf-8", mode: 384 });
     }
-    ensureParentDir(targetPath);
-    try {
-      Bun.file(targetPath).delete();
-    } catch {}
-    symlinkSync(sourcePath, targetPath);
-  }
-}
-function runSync(machineId, options = {}) {
-  const plan = buildSyncPlan(machineId);
-  if (!options.apply) {
-    return plan;
-  }
-  if (!options.yes) {
-    throw new Error("Sync execution requires --yes.");
+    await chmod2(path, 384).catch(() => {
+      return;
+    });
   }
-  let executed = 0;
-  for (const action of plan.actions) {
-    if (action.status === "ok")
-      continue;
-    if (action.kind === "file") {
-      applyFileAction(action.command);
-    } else {
-      const result = Bun.spawnSync(["bash", "-lc", action.command], {
-        stdout: "pipe",
-        stderr: "pipe",
-        env: process.env
-      });
-      if (result.exitCode !== 0) {
-        recordSyncRun(plan.machineId, "failed", {
-          executed,
-          failedAction: action,
-          stderr: result.stderr.toString()
-        });
-        throw new Error(`Sync action failed (${action.id}): ${result.stderr.toString().trim()}`);
-      }
+  async readJson(path, fallback) {
+    try {
+      const raw = await readFile2(path, "utf-8");
+      if (!raw.trim())
+        return fallback;
+      return JSON.parse(raw);
+    } catch (error) {
+      if (error.code === "ENOENT")
+        return fallback;
+      throw error;
     }
-    executed += 1;
   }
-  const summary = {
-    machineId: plan.machineId,
-    mode: "apply",
-    actions: plan.actions,
-    executed
-  };
-  recordSyncRun(plan.machineId, "completed", summary);
-  return summary;
+  async writeJson(path, value) {
+    const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+    await writeFile2(tempPath, `${JSON.stringify(value, null, 2)}
+`, { encoding: "utf-8", mode: 384 });
+    await rename2(tempPath, path);
+    await chmod2(path, 384).catch(() => {
+      return;
+    });
+  }
 }
-
-// src/commands/status.ts
-init_db();
-init_paths();
-function getStatus() {
-  const manifest = readManifest();
-  const heartbeats = listHeartbeats();
-  const heartbeatByMachine = new Map(heartbeats.map((heartbeat) => [heartbeat.machine_id, heartbeat]));
-  const machineIds = new Set([
-    ...manifest.machines.map((machine) => machine.id),
-    ...heartbeats.map((heartbeat) => heartbeat.machine_id)
-  ]);
-  return {
-    machineId: getLocalMachineId(),
-    manifestPath: getManifestPath(),
-    dbPath: getDbPath(),
-    notificationsPath: getNotificationsPath(),
-    manifestMachineCount: manifest.machines.length,
-    heartbeatCount: heartbeats.length,
-    machines: [...machineIds].sort().map((machineId) => {
-      const declared = manifest.machines.find((machine) => machine.id === machineId);
-      const heartbeat = heartbeatByMachine.get(machineId);
-      return {
-        machineId,
-        platform: declared?.platform,
-        manifestDeclared: Boolean(declared),
-        heartbeatStatus: heartbeat?.status || "unknown",
-        lastHeartbeatAt: heartbeat?.updated_at
-      };
-    }),
-    recentSetupRuns: countRuns("setup_runs"),
-    recentSyncRuns: countRuns("sync_runs")
-  };
+var DEFAULT_SIGNATURE_TOLERANCE_MS2 = 5 * 60 * 1000;
+function buildSignatureBase2(timestamp, body) {
+  return `${timestamp}.${body}`;
 }
-
-// src/commands/workspace.ts
-init_paths();
-function isRecord2(value) {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+function signPayload2(secret, timestamp, body) {
+  const digest = createHmac2("sha256", secret).update(buildSignatureBase2(timestamp, body)).digest("hex");
+  return `sha256=${digest}`;
 }
-function cloneMetadata(metadata) {
-  return isRecord2(metadata) ? { ...metadata } : {};
+function now2() {
+  return new Date().toISOString();
 }
-function mappedPath(metadata, field, key) {
-  const container = metadata[field];
-  if (!isRecord2(container))
-    return null;
-  const value = container[key];
-  if (typeof value === "string" && value.trim())
-    return value.trim();
-  if (isRecord2(value)) {
-    const nested = value["path"] ?? value["root"] ?? value["workspacePath"] ?? value["workspace_path"];
-    if (typeof nested === "string" && nested.trim())
-      return nested.trim();
-  }
-  return null;
+function truncate2(value, max = 4096) {
+  return value.length > max ? `${value.slice(0, max)}...` : value;
 }
-function writeMappedPath(metadata, field, key, path) {
-  const existing = metadata[field];
-  const container = isRecord2(existing) ? { ...existing } : {};
-  container[key] = path;
-  metadata[field] = container;
+function buildWebhookRequest2(event, channel) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const body = JSON.stringify(event);
+  const timestamp = event.time;
+  const headers = {
+    "Content-Type": "application/json",
+    "User-Agent": "@hasna/events",
+    "X-Hasna-Event-Id": event.id,
+    "X-Hasna-Event-Type": event.type,
+    "X-Hasna-Timestamp": timestamp,
+    ...channel.webhook.headers
+  };
+  if (channel.webhook.secret) {
+    headers["X-Hasna-Signature"] = signPayload2(channel.webhook.secret, timestamp, body);
+  }
+  return { body, headers };
 }
-function buildPatch(input) {
-  const previous = mappedPath(input.metadata, input.field, input.key);
-  if (!input.path) {
+async function dispatchWebhook3(event, channel, options = {}) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const startedAt = now2();
+  const { body, headers } = buildWebhookRequest2(event, channel);
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), channel.webhook.timeoutMs ?? 15000);
+  try {
+    const response = await (options.fetchImpl ?? fetch)(channel.webhook.url, {
+      method: "POST",
+      headers,
+      body,
+      signal: controller.signal
+    });
+    const responseBody = truncate2(await response.text());
     return {
-      field: input.field,
-      key: input.key,
-      path: null,
-      previous_path: previous,
-      status: "unresolved"
+      attempt: 1,
+      status: response.ok ? "success" : "failed",
+      startedAt,
+      completedAt: now2(),
+      responseStatus: response.status,
+      responseBody,
+      error: response.ok ? undefined : `Webhook returned HTTP ${response.status}`
+    };
+  } catch (error) {
+    return {
+      attempt: 1,
+      status: "failed",
+      startedAt,
+      completedAt: now2(),
+      error: error instanceof Error ? error.message : String(error)
     };
+  } finally {
+    clearTimeout(timeout);
   }
-  const status = previous === input.path ? "unchanged" : input.apply ? "written" : "would_write";
-  return {
-    field: input.field,
-    key: input.key,
-    path: input.path,
-    previous_path: previous,
-    status
-  };
 }
-function upsertMachineMetadata(manifest, machineId, metadata) {
-  return {
-    ...manifest,
-    machines: manifest.machines.map((machine) => machine.id === machineId ? { ...machine, metadata } : machine)
+async function dispatchCommand3(event, channel) {
+  if (!channel.command)
+    throw new Error(`Channel ${channel.id} has no command config`);
+  const startedAt = now2();
+  const eventJson = JSON.stringify(event);
+  const env2 = {
+    ...process.env,
+    ...channel.command.env,
+    HASNA_CHANNEL_ID: channel.id,
+    HASNA_EVENT_ID: event.id,
+    HASNA_EVENT_TYPE: event.type,
+    HASNA_EVENT_SOURCE: event.source,
+    HASNA_EVENT_SUBJECT: event.subject ?? "",
+    HASNA_EVENT_SEVERITY: event.severity,
+    HASNA_EVENT_TIME: event.time,
+    HASNA_EVENT_DEDUPE_KEY: event.dedupeKey ?? "",
+    HASNA_EVENT_SCHEMA_VERSION: event.schemaVersion,
+    HASNA_EVENT_JSON: eventJson
   };
-}
-function repairWorkspaceManifestMappings(options) {
-  const projectId = options.projectId;
-  const repoName = options.repoName ?? projectId;
-  const openFilesRepoName = options.openFilesRepoName ?? "open-files";
-  const apply = options.apply === true;
-  const resolution = resolveMachineWorkspace({
-    machineId: options.machineId,
-    projectId,
-    repoName,
-    openFilesRepoName,
-    projectRoot: options.projectRoot,
-    openFilesRoot: options.openFilesRoot,
-    workspaceRoot: options.workspaceRoot,
-    includeTailscale: options.includeTailscale,
-    now: options.now
+  return new Promise((resolve2) => {
+    const child = spawn2(channel.command.command, channel.command.args ?? [], {
+      cwd: channel.command.cwd,
+      env: env2,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => child.kill("SIGTERM"), channel.command.timeoutMs ?? 15000);
+    child.stdin.end(eventJson);
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      resolve2({
+        attempt: 1,
+        status: "failed",
+        startedAt,
+        completedAt: now2(),
+        stdout: truncate2(stdout),
+        stderr: truncate2(stderr),
+        error: error.message
+      });
+    });
+    child.on("close", (code, signal) => {
+      clearTimeout(timeout);
+      const success = code === 0;
+      resolve2({
+        attempt: 1,
+        status: success ? "success" : "failed",
+        startedAt,
+        completedAt: now2(),
+        stdout: truncate2(stdout),
+        stderr: truncate2(stderr),
+        error: success ? undefined : `Command exited with ${signal ? `signal ${signal}` : `code ${code}`}`
+      });
+    });
   });
-  const warnings = [...resolution.warnings];
-  const manifest = readManifest();
-  const manifestMachineId = resolution.machine_id ?? options.machineId;
-  const machine = manifest.machines.find((entry) => entry.id === manifestMachineId) ?? null;
-  const trusted = resolution.machine.trust_status === "trusted" || options.allowUntrusted === true;
-  if (!machine) {
-    warnings.push(`manifest_machine_missing:${manifestMachineId}`);
-    return {
-      ok: false,
-      applied: false,
-      manifest_path: getManifestPath(),
-      machine_id: resolution.machine_id,
-      project_id: projectId,
-      repo_name: repoName,
-      open_files_repo_name: openFilesRepoName,
-      trusted,
-      resolution,
-      patches: [],
-      warnings
-    };
-  }
-  const metadata = cloneMetadata(machine.metadata);
-  const patches = [
-    buildPatch({
-      metadata,
-      field: "workspace_paths",
-      key: projectId,
-      path: options.projectRoot ?? resolution.paths.project_root.path,
-      apply
-    }),
-    buildPatch({
-      metadata,
-      field: "open_files_roots",
-      key: projectId,
-      path: options.openFilesRoot ?? resolution.paths.open_files_root.path,
-      apply
-    })
-  ];
-  const hasUnresolved = patches.some((patch) => patch.status === "unresolved");
-  const hasWrites = patches.some((patch) => patch.status === "would_write" || patch.status === "written");
-  if (apply && hasWrites && !trusted) {
-    warnings.push(`manifest_repair_requires_trusted_machine:${manifestMachineId}`);
-    return {
-      ok: false,
-      applied: false,
-      manifest_path: getManifestPath(),
-      machine_id: manifestMachineId,
-      project_id: projectId,
-      repo_name: repoName,
-      open_files_repo_name: openFilesRepoName,
-      trusted,
-      resolution,
-      patches: patches.map((patch) => patch.status === "written" ? { ...patch, status: "would_write" } : patch),
-      warnings
-    };
-  }
-  let applied = false;
-  if (apply && !hasUnresolved && hasWrites) {
-    for (const patch of patches) {
-      if (patch.path && patch.status === "written")
-        writeMappedPath(metadata, patch.field, patch.key, patch.path);
-    }
-    writeManifest(upsertMachineMetadata(manifest, manifestMachineId, metadata));
-    applied = true;
-  }
+}
+async function dispatchChannel3(event, channel, options = {}) {
+  if (channel.transport === "webhook")
+    return dispatchWebhook3(event, channel, options);
+  if (channel.transport === "command")
+    return dispatchCommand3(event, channel);
   return {
-    ok: resolution.ok && !hasUnresolved && (!apply || applied || !hasWrites),
-    applied,
-    manifest_path: getManifestPath(),
-    machine_id: manifestMachineId,
-    project_id: projectId,
-    repo_name: repoName,
-    open_files_repo_name: openFilesRepoName,
-    trusted,
-    resolution,
-    patches,
-    warnings
+    attempt: 1,
+    status: "skipped",
+    startedAt: now2(),
+    completedAt: now2(),
+    error: `Unsupported transport: ${channel.transport}`
   };
 }
-
-// src/compatibility.ts
-init_db();
-var DEFAULT_COMMANDS = [
-  { command: "bun", required: true },
-  { command: "machines", required: true }
-];
-function defaultPackages() {
-  return [{ name: "@hasna/machines", command: "machines", expectedVersion: getPackageVersion(), required: true }];
-}
-function shellQuote7(value) {
-  return `'${value.replace(/'/g, "'\\''")}'`;
-}
-function commandId(value) {
-  return value.replace(/[^a-zA-Z0-9_.@/-]+/g, "-").replace(/^-+|-+$/g, "");
-}
-function packageCommand(name) {
-  if (name === "@hasna/knowledge")
-    return "knowledge";
-  if (name === "@hasna/machines")
-    return "machines";
-  return name.split("/").pop() ?? name;
-}
-function firstLine(value) {
-  return value.trim().split(/\r?\n/).find(Boolean) ?? "";
-}
-function extractVersion(value) {
-  const match = value.match(/\b\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?\b/);
-  return match?.[0] ?? null;
-}
-function statusFor(required, ok) {
-  if (ok)
-    return "ok";
-  return required === false ? "warn" : "fail";
+function createDeliveryResult2(event, channel, attempts) {
+  const status = attempts.some((attempt) => attempt.status === "success") ? "success" : attempts.every((attempt) => attempt.status === "skipped") ? "skipped" : "failed";
+  return {
+    id: randomUUID3(),
+    eventId: event.id,
+    channelId: channel.id,
+    transport: channel.transport,
+    status,
+    attempts,
+    createdAt: attempts[0]?.startedAt ?? now2(),
+    completedAt: attempts.at(-1)?.completedAt ?? now2()
+  };
 }
-function makeCheck(input) {
+function createEvent2(input) {
   return {
-    id: input.id,
-    kind: input.kind,
-    status: input.status,
-    target: input.target,
-    expected: input.expected ?? null,
-    actual: input.actual ?? null,
-    detail: input.detail,
-    source: input.source
+    id: input.id ?? randomUUID22(),
+    source: input.source,
+    type: input.type,
+    time: normalizeTime2(input.time),
+    subject: input.subject,
+    severity: input.severity ?? "info",
+    data: input.data ?? {},
+    message: input.message,
+    dedupeKey: input.dedupeKey,
+    schemaVersion: input.schemaVersion ?? "1.0",
+    metadata: input.metadata ?? {}
   };
 }
-function parseKeyValue(stdout) {
-  const result = {};
-  for (const line of stdout.split(/\r?\n/)) {
-    const idx = line.indexOf("=");
-    if (idx <= 0)
-      continue;
-    result[line.slice(0, idx)] = line.slice(idx + 1);
+
+class EventsClient2 {
+  store;
+  redactors;
+  transportOptions;
+  constructor(options = {}) {
+    this.store = options.store ?? new JsonEventsStore2(options.dataDir);
+    this.redactors = options.redactors ?? [];
+    this.transportOptions = { fetchImpl: options.fetchImpl };
   }
-  return result;
-}
-function defaultRunner2(machineId, command) {
-  return runMachineCommand(machineId, command);
-}
-function inspectCommand(machineId, spec, runner) {
-  const command = shellQuote7(spec.command);
-  const versionArgs = spec.versionArgs ?? "--version";
-  const script = [
-    `cmd=${command}`,
-    'path="$(command -v "$cmd" 2>/dev/null || true)"',
-    'printf "path=%s\\n" "$path"',
-    'if [ -n "$path" ]; then version="$("$cmd" ' + versionArgs + ' 2>/dev/null || true)"; printf "version=%s\\n" "$version"; fi'
-  ].join("; ");
-  const result = runner(machineId, script);
-  const parsed = parseKeyValue(result.stdout);
-  return {
-    path: parsed.path || null,
-    version: parsed.version ? firstLine(parsed.version) : null,
-    exitCode: result.exitCode,
-    source: result.source,
-    stderr: result.stderr
-  };
-}
-function fieldCommand(field) {
-  const regex = field === "name" ? String.raw`s/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p` : String.raw`s/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p`;
-  return [
-    `if command -v bun >/dev/null 2>&1; then bun -e "const p=JSON.parse(await Bun.file(process.argv[1]).text()); console.log(p.${field} ?? '')" "$pkg" 2>/dev/null`,
-    `elif command -v node >/dev/null 2>&1; then node -e "const fs=require('fs'); const p=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); console.log(p.${field} || '')" "$pkg" 2>/dev/null`,
-    `else sed -n '${regex}' "$pkg" | head -n 1`,
-    "fi"
-  ].join("; ");
-}
-function inspectWorkspace(machineId, spec, runner) {
-  const script = [
-    `path=${shellQuote7(spec.path)}`,
-    'printf "exists=%s\\n" "$(test -d "$path" && printf yes || printf no)"',
-    'pkg="$path/package.json"',
-    'printf "package_json=%s\\n" "$(test -f "$pkg" && printf yes || printf no)"',
-    `if [ -f "$pkg" ]; then printf "package_name=%s\\n" "$(${fieldCommand("name")})"; printf "version=%s\\n" "$(${fieldCommand("version")})"; fi`
-  ].join("; ");
-  const result = runner(machineId, script);
-  const parsed = parseKeyValue(result.stdout);
-  return {
-    exists: parsed.exists === "yes",
-    packageJson: parsed.package_json === "yes",
-    packageName: parsed.package_name || null,
-    version: parsed.version || null,
-    source: result.source,
-    stderr: result.stderr
-  };
-}
-function commandCheck(machineId, spec, runner) {
-  const inspection = inspectCommand(machineId, spec, runner);
-  const found = Boolean(inspection.path);
-  const checks = [
-    makeCheck({
-      id: `command:${commandId(spec.command)}:path`,
-      kind: "command",
-      status: statusFor(spec.required, found),
-      target: spec.command,
-      expected: "available",
-      actual: inspection.path ?? "missing",
-      detail: found ? `found at ${inspection.path}` : inspection.stderr || "command missing",
-      source: inspection.source
-    })
-  ];
-  if (spec.expectedVersion) {
-    const actualVersion = extractVersion(inspection.version ?? "");
-    checks.push(makeCheck({
-      id: `command:${commandId(spec.command)}:version`,
-      kind: "command",
-      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
-      target: spec.command,
-      expected: spec.expectedVersion,
-      actual: actualVersion ?? inspection.version ?? "missing",
-      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
-      source: inspection.source
-    }));
+  async addChannel(input) {
+    const timestamp = new Date().toISOString();
+    return this.store.addChannel({
+      ...input,
+      createdAt: input.createdAt ?? timestamp,
+      updatedAt: input.updatedAt ?? timestamp
+    });
+  }
+  async listChannels() {
+    return this.store.listChannels();
+  }
+  async removeChannel(id) {
+    return this.store.removeChannel(id);
+  }
+  async emit(input, options = {}) {
+    const event = options.redactSensitiveData === false ? createEvent2(input) : redactSensitiveKeys2(createEvent2(input));
+    if (options.dedupe !== false) {
+      const existing = await this.store.findEventByIdentity({ id: input.id, dedupeKey: event.dedupeKey });
+      if (existing) {
+        return { event: existing, deliveries: [], deduped: true };
+      }
+    }
+    await this.store.appendEvent(event);
+    const deliveries = options.deliver === false ? [] : await this.deliver(event);
+    return { event, deliveries, deduped: false };
+  }
+  async listEvents() {
+    return this.store.listEvents();
+  }
+  async listDeliveries() {
+    return this.store.listDeliveries();
+  }
+  async deliver(event) {
+    const channels = await this.store.listChannels();
+    const selected = channels.filter((channel) => channelMatchesEvent2(channel, event));
+    const deliveries = [];
+    for (const channel of selected) {
+      const eventForChannel = await this.applyRedaction(event, channel);
+      const result = await this.deliverWithRetry(eventForChannel, channel);
+      await this.store.appendDelivery(result);
+      deliveries.push(result);
+    }
+    return deliveries;
+  }
+  async testChannel(id, input = {}) {
+    const channel = await this.store.getChannel(id);
+    if (!channel)
+      throw new Error(`Channel not found: ${id}`);
+    const event = createEvent2({
+      source: input.source ?? "hasna.events",
+      type: input.type ?? "events.test",
+      subject: input.subject ?? id,
+      severity: input.severity ?? "info",
+      data: input.data ?? { test: true },
+      message: input.message ?? "Hasna events test delivery",
+      dedupeKey: input.dedupeKey,
+      schemaVersion: input.schemaVersion,
+      metadata: input.metadata,
+      time: input.time,
+      id: input.id
+    });
+    const eventForChannel = await this.applyRedaction(event, channel);
+    const result = await this.deliverWithRetry(eventForChannel, channel);
+    await this.store.appendDelivery(result);
+    return result;
+  }
+  async replay(options = {}) {
+    const events = (await this.store.listEvents()).filter((event) => {
+      if (options.eventId && event.id !== options.eventId)
+        return false;
+      if (options.source && event.source !== options.source)
+        return false;
+      if (options.type && event.type !== options.type)
+        return false;
+      return true;
+    });
+    if (options.dryRun)
+      return { events, deliveries: [] };
+    const deliveries = [];
+    for (const event of events) {
+      deliveries.push(...await this.deliver(event));
+    }
+    return { events, deliveries };
+  }
+  async applyRedaction(event, channel) {
+    let next = redactPaths2(event, channel.redact?.paths ?? [], channel.redact?.replacement ?? "[REDACTED]");
+    for (const redactor of this.redactors) {
+      next = await redactor(next, channel);
+    }
+    return next;
+  }
+  async deliverWithRetry(event, channel) {
+    const policy = normalizeRetryPolicy2(channel.retry);
+    const attempts = [];
+    for (let index = 0;index < policy.maxAttempts; index += 1) {
+      const attempt = await dispatchChannel3(event, channel, this.transportOptions);
+      attempt.attempt = index + 1;
+      if (attempt.status === "failed" && index + 1 < policy.maxAttempts) {
+        attempt.nextBackoffMs = Math.round(policy.backoffMs * policy.multiplier ** index);
+      }
+      attempts.push(attempt);
+      if (attempt.status !== "failed")
+        break;
+      if (attempt.nextBackoffMs)
+        await Bun.sleep(attempt.nextBackoffMs);
+    }
+    return createDeliveryResult2(event, channel, attempts);
   }
-  return checks;
 }
-function packageCheck(machineId, spec, runner) {
-  const command = spec.command ?? packageCommand(spec.name);
-  const inspection = inspectCommand(machineId, { command, expectedVersion: spec.expectedVersion, required: spec.required }, runner);
-  const found = Boolean(inspection.path);
-  const checks = [
-    makeCheck({
-      id: `package:${commandId(spec.name)}:command`,
-      kind: "package",
-      status: statusFor(spec.required, found),
-      target: spec.name,
-      expected: command,
-      actual: inspection.path ?? "missing",
-      detail: found ? `${command} found at ${inspection.path}` : `${command} command missing`,
-      source: inspection.source
-    })
-  ];
-  if (spec.expectedVersion) {
-    const actualVersion = extractVersion(inspection.version ?? "");
-    checks.push(makeCheck({
-      id: `package:${commandId(spec.name)}:version`,
-      kind: "package",
-      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
-      target: spec.name,
-      expected: spec.expectedVersion,
-      actual: actualVersion ?? inspection.version ?? "missing",
-      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
-      source: inspection.source
-    }));
+function redactPaths2(event, paths, replacement = "[REDACTED]") {
+  if (paths.length === 0)
+    return event;
+  const copy = structuredClone(event);
+  for (const path of paths) {
+    setPath2(copy, path, replacement);
   }
-  return checks;
+  return copy;
 }
-function workspaceCheck(machineId, spec, runner) {
-  const inspection = inspectWorkspace(machineId, spec, runner);
-  const target = spec.label ?? spec.path;
-  const checks = [
-    makeCheck({
-      id: `workspace:${commandId(target)}:path`,
-      kind: "workspace",
-      status: statusFor(spec.required, inspection.exists),
-      target,
-      expected: spec.path,
-      actual: inspection.exists ? "exists" : "missing",
-      detail: inspection.exists ? `workspace exists at ${spec.path}` : inspection.stderr || `workspace missing at ${spec.path}`,
-      source: inspection.source
-    })
-  ];
-  if (spec.expectedPackageName) {
-    checks.push(makeCheck({
-      id: `workspace:${commandId(target)}:package-name`,
-      kind: "workspace",
-      status: inspection.packageName === spec.expectedPackageName ? "ok" : statusFor(spec.required, false),
-      target,
-      expected: spec.expectedPackageName,
-      actual: inspection.packageName ?? (inspection.packageJson ? "missing-name" : "missing-package-json"),
-      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
-      source: inspection.source
-    }));
+function sanitizeChannelForOutput2(channel) {
+  const copy = structuredClone(channel);
+  if (copy.webhook?.secret)
+    copy.webhook.secret = "[REDACTED]";
+  if (copy.command?.env) {
+    copy.command.env = Object.fromEntries(Object.entries(copy.command.env).map(([key, value]) => [key, shouldRedactKey2(key) ? "[REDACTED]" : value]));
   }
-  if (spec.expectedVersion) {
-    checks.push(makeCheck({
-      id: `workspace:${commandId(target)}:version`,
-      kind: "workspace",
-      status: inspection.version === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
-      target,
-      expected: spec.expectedVersion,
-      actual: inspection.version ?? (inspection.packageJson ? "missing-version" : "missing-package-json"),
-      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
-      source: inspection.source
-    }));
+  return copy;
+}
+function sanitizeChannelsForOutput2(channels) {
+  return channels.map(sanitizeChannelForOutput2);
+}
+function redactSensitiveKeys2(event, replacement = "[REDACTED]") {
+  return redactValue2(event, replacement);
+}
+function shouldRedactKey2(key) {
+  return /secret|token|password|api[_-]?key|authorization/i.test(key);
+}
+function redactValue2(value, replacement) {
+  if (Array.isArray(value))
+    return value.map((item) => redactValue2(item, replacement));
+  if (!value || typeof value !== "object")
+    return value;
+  return Object.fromEntries(Object.entries(value).map(([key, item]) => [
+    key,
+    shouldRedactKey2(key) ? replacement : redactValue2(item, replacement)
+  ]));
+}
+function setPath2(input, path, replacement) {
+  const parts = path.split(".");
+  let cursor = input;
+  for (const part of parts.slice(0, -1)) {
+    const next = cursor[part];
+    if (!next || typeof next !== "object")
+      return;
+    cursor = next;
   }
-  return checks;
+  const last = parts.at(-1);
+  if (last && last in cursor)
+    cursor[last] = replacement;
 }
-function checkMachineCompatibility(options = {}) {
-  const machineId = options.machineId ?? getLocalMachineId();
-  const runner = options.runner ?? defaultRunner2;
-  const commands = options.commands ?? DEFAULT_COMMANDS;
-  const packages = options.packages ?? defaultPackages();
-  const workspaces = options.workspaces ?? [];
-  const checks = [];
-  for (const spec of commands)
-    checks.push(...commandCheck(machineId, spec, runner));
-  for (const spec of packages)
-    checks.push(...packageCheck(machineId, spec, runner));
-  for (const spec of workspaces)
-    checks.push(...workspaceCheck(machineId, spec, runner));
-  const summary = {
-    ok: checks.filter((check) => check.status === "ok").length,
-    warn: checks.filter((check) => check.status === "warn").length,
-    fail: checks.filter((check) => check.status === "fail").length
-  };
+function normalizeTime2(value) {
+  if (!value)
+    return new Date().toISOString();
+  return value instanceof Date ? value.toISOString() : value;
+}
+function normalizeRetryPolicy2(policy) {
   return {
-    schema_version: MACHINES_CONSUMER_CONTRACT_VERSION,
-    package: {
-      name: MACHINES_PACKAGE_NAME,
-      version: getPackageVersion()
-    },
-    capabilities: getMachinesConsumerCapabilities(),
-    ok: summary.fail === 0,
-    machine_id: machineId,
-    source: checks[0]?.source ?? "local",
-    generated_at: (options.now ?? new Date).toISOString(),
-    checks,
-    summary
+    maxAttempts: Math.max(1, policy?.maxAttempts ?? 1),
+    backoffMs: Math.max(0, policy?.backoffMs ?? 250),
+    multiplier: Math.max(1, policy?.multiplier ?? 2)
   };
 }
 
-// src/commands/doctor.ts
-init_db();
-function makeCheck2(id, status, summary, detail) {
-  return { id, status, summary, detail };
-}
-function parseKeyValueOutput(stdout) {
-  return Object.fromEntries(stdout.trim().split(`
-`).map((line) => line.split("=")).filter((parts) => parts.length === 2).map(([key, value]) => [key, value]));
-}
-function buildDoctorCommand() {
-  return [
-    'data_dir="${HASNA_MACHINES_DIR:-$HOME/.hasna/machines}"',
-    'manifest_path="${HASNA_MACHINES_MANIFEST_PATH:-$data_dir/machines.json}"',
-    'db_path="${HASNA_MACHINES_DB_PATH:-$data_dir/machines.db}"',
-    'notifications_path="${HASNA_MACHINES_NOTIFICATIONS_PATH:-$data_dir/notifications.json}"',
-    `printf 'manifest_path=%s\\n' "$manifest_path"`,
-    `printf 'db_path=%s\\n' "$db_path"`,
-    `printf 'notifications_path=%s\\n' "$notifications_path"`,
-    `printf 'manifest_exists=%s\\n' "$(test -e "$manifest_path" && printf yes || printf no)"`,
-    `printf 'db_exists=%s\\n' "$(test -e "$db_path" && printf yes || printf no)"`,
-    `printf 'notifications_exists=%s\\n' "$(test -e "$notifications_path" && printf yes || printf no)"`,
-    `printf 'bun=%s\\n' "$(bun --version 2>/dev/null || printf missing)"`,
-    `printf 'ssh=%s\\n' "$(command -v ssh >/dev/null 2>&1 && printf ok || printf missing)"`,
-    `printf 'machines=%s\\n' "$(command -v machines 2>/dev/null || printf missing)"`,
-    `printf 'machines_agent=%s\\n' "$(command -v machines-agent 2>/dev/null || printf missing)"`,
-    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`
-  ].join("; ");
+// src/commands/runtime.ts
+function probeTmuxPane(target, tmuxCommand = process.env["HASNA_MACHINES_TMUX_BIN"] || "tmux") {
+  const checkedAt = new Date().toISOString();
+  const result = spawnSync4(tmuxCommand, ["display-message", "-p", "-t", target, "#{pane_id}"], {
+    encoding: "utf8",
+    timeout: 5000
+  });
+  const stdout = result.stdout?.trim();
+  const stderr = result.stderr?.trim();
+  const exists = result.status === 0 && Boolean(stdout);
+  return {
+    target,
+    exists,
+    paneId: exists ? stdout : undefined,
+    checkedAt,
+    exitCode: result.status,
+    error: result.error?.message,
+    stderr: stderr || undefined
+  };
 }
-function runDoctor(machineId = getLocalMachineId()) {
-  const manifest = readManifest();
-  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
-  const details = parseKeyValueOutput(commandChecks.stdout);
-  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
-  const checks = [
-    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(machineInManifest) : `No manifest entry for ${machineId}`),
-    makeCheck2("manifest-path", details["manifest_exists"] === "yes" ? "ok" : "warn", "Manifest path check", `${details["manifest_path"] || "unknown"} ${details["manifest_exists"] === "yes" ? "exists" : "missing"}`),
-    makeCheck2("db-path", details["db_exists"] === "yes" ? "ok" : "warn", "DB path check", `${details["db_path"] || "unknown"} ${details["db_exists"] === "yes" ? "exists" : "missing"}`),
-    makeCheck2("notifications-path", details["notifications_exists"] === "yes" ? "ok" : "warn", "Notifications path check", `${details["notifications_path"] || "unknown"} ${details["notifications_exists"] === "yes" ? "exists" : "missing"}`),
-    makeCheck2("bun", details["bun"] && details["bun"] !== "missing" ? "ok" : "fail", "Bun availability", details["bun"] || "missing"),
-    makeCheck2("machines-cli", details["machines"] && details["machines"] !== "missing" ? "ok" : "warn", "machines CLI availability", details["machines"] || "missing"),
-    makeCheck2("machines-agent-cli", details["machines_agent"] && details["machines_agent"] !== "missing" ? "ok" : "warn", "machines-agent availability", details["machines_agent"] || "missing"),
-    makeCheck2("machines-mcp-cli", details["machines_mcp"] && details["machines_mcp"] !== "missing" ? "ok" : "warn", "machines-mcp availability", details["machines_mcp"] || "missing"),
-    makeCheck2("ssh", details["ssh"] === "ok" ? "ok" : "warn", "SSH availability", details["ssh"] || "missing")
-  ];
+async function watchTmuxPane(options) {
+  const target = options.target.trim();
+  if (!target)
+    throw new Error("tmux pane target is required");
+  const intervalMs = Math.max(0, options.intervalMs ?? 5000);
+  const maxChecks = options.maxChecks ?? Number.POSITIVE_INFINITY;
+  const client = options.client ?? new EventsClient2;
+  const probe = options.probe ?? ((paneTarget) => probeTmuxPane(paneTarget, options.tmuxCommand));
+  const wait = options.sleep ?? sleep;
+  let lastPresent;
+  let lastProbe;
+  for (let checks = 1;checks <= maxChecks; checks += 1) {
+    const current = await probe(target);
+    lastProbe = current;
+    options.onProbe?.(current);
+    if (current.exists) {
+      lastPresent = current;
+    } else if (lastPresent) {
+      const emitted = await emitTmuxEvent(client, "machines.tmux.pane_died", current, lastPresent, options.deliver !== false);
+      return { target, checks, status: "died", lastProbe: current, emitted };
+    } else if (options.emitInitialMissing) {
+      const emitted = await emitTmuxEvent(client, "machines.tmux.pane_missing", current, undefined, options.deliver !== false);
+      return { target, checks, status: "missing", lastProbe: current, emitted };
+    }
+    if (checks < maxChecks)
+      await wait(intervalMs);
+  }
+  if (!lastProbe) {
+    lastProbe = {
+      target,
+      exists: false,
+      checkedAt: new Date().toISOString(),
+      error: "No probe executed"
+    };
+  }
   return {
-    machineId,
-    source: commandChecks.source,
-    manifestPath: details["manifest_path"],
-    dbPath: details["db_path"],
-    notificationsPath: details["notifications_path"],
-    checks
+    target,
+    checks: Number.isFinite(maxChecks) ? maxChecks : 0,
+    status: lastProbe.exists ? "present" : "stopped",
+    lastProbe
   };
 }
-
-// src/commands/self-test.ts
-init_db();
-
-// node_modules/@hasna/events/dist/index.js
-import { chmod as chmod2, mkdir as mkdir2, readFile as readFile2, rename as rename2, writeFile as writeFile2 } from "fs/promises";
-import { existsSync as existsSync9 } from "fs";
-import { homedir as homedir7 } from "os";
-import { join as join7 } from "path";
-import { createHmac as createHmac2, timingSafeEqual as timingSafeEqual2 } from "crypto";
-import { randomUUID as randomUUID3 } from "crypto";
-import { spawn as spawn2 } from "child_process";
-import { randomUUID as randomUUID22 } from "crypto";
-function getPathValue2(input, path) {
-  return path.split(".").reduce((value, part) => {
-    if (value && typeof value === "object" && part in value) {
-      return value[part];
+async function emitTmuxEvent(client, type, probe, lastPresent, deliver) {
+  const input = {
+    source: "machines",
+    type,
+    subject: `tmux:${probe.target}`,
+    severity: type === "machines.tmux.pane_died" ? "warning" : "notice",
+    message: type === "machines.tmux.pane_died" ? `tmux pane disappeared: ${probe.target}` : `tmux pane is missing: ${probe.target}`,
+    data: {
+      target: probe.target,
+      paneId: lastPresent?.paneId,
+      lastSeenAt: lastPresent?.checkedAt,
+      checkedAt: probe.checkedAt,
+      exitCode: probe.exitCode,
+      error: probe.error,
+      stderr: probe.stderr
+    },
+    metadata: {
+      monitor: "tmux-pane",
+      runtime: "machines"
     }
-    return;
-  }, input);
+  };
+  return client.emit(input, { deliver });
 }
-function wildcardToRegExp2(pattern) {
-  const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&").replace(/\*/g, ".*");
-  return new RegExp(`^${escaped}$`);
+
+// src/commands/screen.ts
+var DEFAULT_SCREEN_SECRET_NAMESPACE = "hasna/xyz/opensource/machines/prod";
+function shellQuote6(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
 }
-function matchString2(value, matcher) {
-  if (matcher === undefined)
-    return true;
-  if (value === undefined)
-    return false;
-  const matchers = Array.isArray(matcher) ? matcher : [matcher];
-  return matchers.some((item) => wildcardToRegExp2(item).test(value));
+function shellCommand2(command) {
+  return command.map(shellQuote6).join(" ");
 }
-function matchRecord2(input, matcher) {
-  if (!matcher)
-    return true;
-  return Object.entries(matcher).every(([path, expected]) => {
-    const actual = getPathValue2(input, path);
-    if (typeof expected === "string" || Array.isArray(expected)) {
-      return matchString2(actual === undefined ? undefined : String(actual), expected);
-    }
-    return actual === expected;
-  });
+function metadataString2(metadata, keys) {
+  if (!metadata)
+    return null;
+  for (const key of keys) {
+    const value = metadata[key];
+    if (typeof value === "string" && value.trim())
+      return value.trim();
+  }
+  return null;
 }
-function eventMatchesFilter2(event, filter) {
-  return matchString2(event.source, filter.source) && matchString2(event.type, filter.type) && matchString2(event.subject, filter.subject) && matchString2(event.severity, filter.severity) && matchRecord2(event.data, filter.data) && matchRecord2(event.metadata, filter.metadata);
+function splitTarget(target) {
+  const at = target.indexOf("@");
+  if (at === -1)
+    return [null, target];
+  return [target.slice(0, at), target.slice(at + 1)];
 }
-function channelMatchesEvent2(channel, event) {
-  if (!channel.enabled)
-    return false;
-  if (!channel.filters || channel.filters.length === 0)
-    return true;
-  return channel.filters.some((filter) => eventMatchesFilter2(event, filter));
+function defaultScreenPasswordSecretKey(machineId) {
+  return `${DEFAULT_SCREEN_SECRET_NAMESPACE}/screen-${machineId}-vnc-password`;
+}
+function resolveScreenTarget(machineId, options = {}) {
+  const resolved = resolveMachineRoute(machineId, options);
+  if (!resolved.ok || !resolved.target) {
+    throw new Error(`Machine route not found: ${machineId}`);
+  }
+  if (resolved.route === "unknown") {
+    throw new Error(`Machine route is not reachable for screen sharing: ${machineId}`);
+  }
+  let [user, host] = splitTarget(resolved.target);
+  if (!user) {
+    const topology = options.topology ?? discoverMachineTopology(options);
+    const entry = topology.machines.find((m) => m.machine_id === (resolved.machine_id ?? machineId));
+    user = entry?.user ?? null;
+  }
+  const url = user ? `vnc://${user}@${host}` : `vnc://${host}`;
+  return {
+    machineId: resolved.machine_id ?? machineId,
+    user,
+    host,
+    url,
+    route: resolved.route,
+    confidence: resolved.confidence,
+    warnings: resolved.warnings
+  };
+}
+function resolveScreenCredentials(machineId, options = {}) {
+  const topology = options.topology ?? discoverMachineTopology(options);
+  const screen = resolveScreenTarget(machineId, { ...options, topology });
+  const entry = topology.machines.find((machine) => machine.machine_id === screen.machineId);
+  const metadata = entry?.metadata;
+  const metadataUser = metadataString2(metadata, ["screenUser", "screen_user", "user", "username"]);
+  const metadataPasswordSecret = metadataString2(metadata, [
+    "screenPasswordSecret",
+    "screen_password_secret",
+    "screenVncPasswordSecret",
+    "screen_vnc_password_secret",
+    "vncPasswordSecret",
+    "vnc_password_secret"
+  ]);
+  const user = options.user ?? screen.user ?? metadataUser;
+  const passwordSecretKey = options.passwordSecretKey ?? metadataPasswordSecret ?? defaultScreenPasswordSecretKey(screen.machineId);
+  return {
+    machineId: screen.machineId,
+    user: user ?? null,
+    userSource: options.user ? "option" : screen.user ? "route" : metadataUser ? "metadata" : "missing",
+    passwordSecretKey,
+    passwordSecretSource: options.passwordSecretKey ? "option" : metadataPasswordSecret ? "metadata" : "default"
+  };
+}
+function buildScreenEnableRemoteCommandFromStdin(user) {
+  const kickstart = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart";
+  const script = [
+    "set -euo pipefail",
+    'user="$1"',
+    "IFS= read -r vnc_pw",
+    'if [ -z "$vnc_pw" ]; then echo "missing VNC password on stdin" >&2; exit 1; fi',
+    `kickstart=${shellQuote6(kickstart)}`,
+    'dseditgroup -o edit -a "$user" -t user com.apple.access_screensharing 2>/dev/null || true',
+    "defaults write /Library/Preferences/com.apple.RemoteManagement AllowSRPForNetworkNodes -bool true",
+    '"$kickstart" -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$vnc_pw"',
+    '"$kickstart" -activate -configure -access -on -users "$user" -privs -all -restart -agent -menu'
+  ].join(`
+`);
+  return `sudo -n -p '' /bin/bash -c ${shellQuote6(script)} -- ${shellQuote6(user)}`;
 }
-var HASNA_EVENTS_DIR_ENV2 = "HASNA_EVENTS_DIR";
-var HASNA_EVENTS_HOME_ENV2 = "HASNA_EVENTS_HOME";
-function getEventsDataDir2(override) {
-  return override || process.env[HASNA_EVENTS_DIR_ENV2] || process.env[HASNA_EVENTS_HOME_ENV2] || join7(homedir7(), ".hasna", "events");
+function buildScreenEnableCommand(machineId, options = {}) {
+  const credentials = resolveScreenCredentials(machineId, options);
+  if (!credentials.user) {
+    throw new Error(`No screen-sharing user known for ${machineId}; pass --user <name> or set metadata.user in the manifest.`);
+  }
+  const secretsCommand = options.secretsCommand || "secrets";
+  const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  return {
+    machineId: credentials.machineId,
+    user: credentials.user,
+    passwordSecretKey: credentials.passwordSecretKey,
+    remoteCommand,
+    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+  };
 }
 
-class JsonEventsStore2 {
-  dataDir;
-  channelsPath;
-  eventsPath;
-  deliveriesPath;
-  constructor(dataDir = getEventsDataDir2()) {
-    this.dataDir = dataDir;
-    this.channelsPath = join7(dataDir, "channels.json");
-    this.eventsPath = join7(dataDir, "events.json");
-    this.deliveriesPath = join7(dataDir, "deliveries.json");
-  }
-  async init() {
-    await mkdir2(this.dataDir, { recursive: true, mode: 448 });
-    await chmod2(this.dataDir, 448).catch(() => {
-      return;
-    });
-    await this.ensureArrayFile(this.channelsPath);
-    await this.ensureArrayFile(this.eventsPath);
-    await this.ensureArrayFile(this.deliveriesPath);
-  }
-  async addChannel(channel) {
-    await this.init();
-    const channels = await this.readJson(this.channelsPath, []);
-    const index = channels.findIndex((item) => item.id === channel.id);
-    if (index >= 0) {
-      channels[index] = { ...channel, createdAt: channels[index].createdAt, updatedAt: new Date().toISOString() };
-    } else {
-      channels.push(channel);
-    }
-    await this.writeJson(this.channelsPath, channels);
-    return index >= 0 ? channels[index] : channel;
-  }
-  async listChannels() {
-    await this.init();
-    return this.readJson(this.channelsPath, []);
-  }
-  async getChannel(id) {
-    const channels = await this.listChannels();
-    return channels.find((channel) => channel.id === id);
-  }
-  async removeChannel(id) {
-    await this.init();
-    const channels = await this.readJson(this.channelsPath, []);
-    const next = channels.filter((channel) => channel.id !== id);
-    await this.writeJson(this.channelsPath, next);
-    return next.length !== channels.length;
+// src/commands/sync.ts
+import { existsSync as existsSync9, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
+import { homedir as homedir7 } from "os";
+init_paths();
+init_db();
+function quote4(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+function packageCheckCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
+  if (manager === "bun") {
+    return `bun pm ls -g --all | grep -F ${quote4(packageName)}`;
   }
-  async appendEvent(event) {
-    await this.init();
-    const events = await this.readJson(this.eventsPath, []);
-    events.push(event);
-    await this.writeJson(this.eventsPath, events);
-    return event;
+  if (manager === "brew") {
+    return `brew list --versions ${quote4(packageName)}`;
   }
-  async listEvents() {
-    await this.init();
-    return this.readJson(this.eventsPath, []);
+  if (manager === "apt") {
+    return `dpkg -s ${quote4(packageName)} >/dev/null 2>&1`;
   }
-  async findEventByIdentity(identity) {
-    const events = await this.listEvents();
-    return events.find((event) => identity.id !== undefined && event.id === identity.id || identity.dedupeKey !== undefined && event.dedupeKey === identity.dedupeKey);
+  return `command -v ${quote4(packageName)} >/dev/null 2>&1`;
+}
+function packageInstallCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
+  if (manager === "bun") {
+    return `bun install -g ${quote4(packageName)}`;
   }
-  async appendDelivery(result) {
-    await this.init();
-    const deliveries = await this.readJson(this.deliveriesPath, []);
-    deliveries.push(result);
-    await this.writeJson(this.deliveriesPath, deliveries);
-    return result;
+  if (manager === "brew") {
+    return `brew install ${quote4(packageName)}`;
   }
-  async listDeliveries() {
-    await this.init();
-    return this.readJson(this.deliveriesPath, []);
+  if (manager === "apt") {
+    return `sudo apt-get install -y ${quote4(packageName)}`;
   }
-  async exportData() {
+  return packageName;
+}
+function detectPackageActions(machine) {
+  return (machine.packages || []).map((pkg, index) => {
+    const manager = pkg.manager || (machine.platform === "macos" ? "brew" : "apt");
+    const check = Bun.spawnSync(["bash", "-lc", packageCheckCommand(machine, pkg.name, manager)], {
+      stdout: "ignore",
+      stderr: "ignore",
+      env: process.env
+    });
+    const installed = check.exitCode === 0;
     return {
-      channels: await this.listChannels(),
-      events: await this.listEvents(),
-      deliveries: await this.listDeliveries()
+      id: `package-${index + 1}`,
+      title: `${installed ? "Package present" : "Install package"} ${pkg.name}`,
+      command: packageInstallCommand(machine, pkg.name, manager),
+      status: installed ? "ok" : "missing",
+      kind: "package"
     };
-  }
-  async ensureArrayFile(path) {
-    if (!existsSync9(path)) {
-      await writeFile2(path, `[]
-`, { encoding: "utf-8", mode: 384 });
+  });
+}
+function detectFileActions(machine) {
+  return (machine.files || []).map((file, index) => {
+    const sourceExists = existsSync9(file.source);
+    const targetExists = existsSync9(file.target);
+    let status = "missing";
+    if (sourceExists && targetExists) {
+      if (file.mode === "symlink") {
+        status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
+      } else {
+        const source = readFileSync5(file.source, "utf8");
+        const target = readFileSync5(file.target, "utf8");
+        status = source === target ? "ok" : "drifted";
+      }
     }
-    await chmod2(path, 384).catch(() => {
-      return;
-    });
+    const command = file.mode === "symlink" ? `ln -sfn ${quote4(file.source)} ${quote4(file.target)}` : `cp ${quote4(file.source)} ${quote4(file.target)}`;
+    return {
+      id: `file-${index + 1}`,
+      title: `${status === "ok" ? "File in sync" : "Reconcile file"} ${file.target}`,
+      command,
+      status,
+      kind: "file"
+    };
+  });
+}
+function buildSyncPlan(machineId) {
+  const manifest = readManifest();
+  const currentMachineId = getLocalMachineId();
+  const selected = machineId ? manifest.machines.find((machine) => machine.id === machineId) : manifest.machines.find((machine) => machine.id === currentMachineId);
+  const target = selected || {
+    id: currentMachineId,
+    platform: "linux",
+    workspacePath: `${homedir7()}/workspace`
+  };
+  const actions = [
+    ...detectPackageActions(target),
+    ...detectFileActions(target)
+  ];
+  return {
+    machineId: target.id,
+    mode: "plan",
+    actions,
+    executed: 0
+  };
+}
+function applyFileAction(command) {
+  const [verb, source, target] = command.split(" ");
+  if (verb === "cp" && source && target) {
+    ensureParentDir(target);
+    copyFileSync(source.slice(1, -1), target.slice(1, -1));
+    return;
   }
-  async readJson(path, fallback) {
-    try {
-      const raw = await readFile2(path, "utf-8");
-      if (!raw.trim())
-        return fallback;
-      return JSON.parse(raw);
-    } catch (error) {
-      if (error.code === "ENOENT")
-        return fallback;
-      throw error;
+  if (verb === "ln" && source && target) {
+    const sourcePath = command.match(/ln -sfn '(.+)' '(.+)'/)?.[1];
+    const targetPath = command.match(/ln -sfn '(.+)' '(.+)'/)?.[2];
+    if (!sourcePath || !targetPath) {
+      throw new Error(`Unable to parse symlink command: ${command}`);
     }
+    ensureParentDir(targetPath);
+    try {
+      Bun.file(targetPath).delete();
+    } catch {}
+    symlinkSync(sourcePath, targetPath);
   }
-  async writeJson(path, value) {
-    const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
-    await writeFile2(tempPath, `${JSON.stringify(value, null, 2)}
-`, { encoding: "utf-8", mode: 384 });
-    await rename2(tempPath, path);
-    await chmod2(path, 384).catch(() => {
-      return;
-    });
-  }
-}
-var DEFAULT_SIGNATURE_TOLERANCE_MS2 = 5 * 60 * 1000;
-function buildSignatureBase2(timestamp, body) {
-  return `${timestamp}.${body}`;
 }
-function signPayload2(secret, timestamp, body) {
-  const digest = createHmac2("sha256", secret).update(buildSignatureBase2(timestamp, body)).digest("hex");
-  return `sha256=${digest}`;
+function runSync(machineId, options = {}) {
+  const plan = buildSyncPlan(machineId);
+  if (!options.apply) {
+    return plan;
+  }
+  if (!options.yes) {
+    throw new Error("Sync execution requires --yes.");
+  }
+  let executed = 0;
+  for (const action of plan.actions) {
+    if (action.status === "ok")
+      continue;
+    if (action.kind === "file") {
+      applyFileAction(action.command);
+    } else {
+      const result = Bun.spawnSync(["bash", "-lc", action.command], {
+        stdout: "pipe",
+        stderr: "pipe",
+        env: process.env
+      });
+      if (result.exitCode !== 0) {
+        recordSyncRun(plan.machineId, "failed", {
+          executed,
+          failedAction: action,
+          stderr: result.stderr.toString()
+        });
+        throw new Error(`Sync action failed (${action.id}): ${result.stderr.toString().trim()}`);
+      }
+    }
+    executed += 1;
+  }
+  const summary = {
+    machineId: plan.machineId,
+    mode: "apply",
+    actions: plan.actions,
+    executed
+  };
+  recordSyncRun(plan.machineId, "completed", summary);
+  return summary;
 }
-function now2() {
-  return new Date().toISOString();
+
+// src/commands/status.ts
+init_db();
+init_paths();
+function getStatus() {
+  const manifest = readManifest();
+  const heartbeats = listHeartbeats();
+  const heartbeatByMachine = new Map(heartbeats.map((heartbeat) => [heartbeat.machine_id, heartbeat]));
+  const machineIds = new Set([
+    ...manifest.machines.map((machine) => machine.id),
+    ...heartbeats.map((heartbeat) => heartbeat.machine_id)
+  ]);
+  return {
+    machineId: getLocalMachineId(),
+    manifestPath: getManifestPath(),
+    dbPath: getDbPath(),
+    notificationsPath: getNotificationsPath(),
+    manifestMachineCount: manifest.machines.length,
+    heartbeatCount: heartbeats.length,
+    machines: [...machineIds].sort().map((machineId) => {
+      const declared = manifest.machines.find((machine) => machine.id === machineId);
+      const heartbeat = heartbeatByMachine.get(machineId);
+      return {
+        machineId,
+        platform: declared?.platform,
+        manifestDeclared: Boolean(declared),
+        heartbeatStatus: heartbeat?.status || "unknown",
+        lastHeartbeatAt: heartbeat?.updated_at
+      };
+    }),
+    recentSetupRuns: countRuns("setup_runs"),
+    recentSyncRuns: countRuns("sync_runs")
+  };
 }
-function truncate2(value, max = 4096) {
-  return value.length > max ? `${value.slice(0, max)}...` : value;
+
+// src/commands/workspace.ts
+init_paths();
+function isRecord2(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function buildWebhookRequest2(event, channel) {
-  if (!channel.webhook)
-    throw new Error(`Channel ${channel.id} has no webhook config`);
-  const body = JSON.stringify(event);
-  const timestamp = event.time;
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": "@hasna/events",
-    "X-Hasna-Event-Id": event.id,
-    "X-Hasna-Event-Type": event.type,
-    "X-Hasna-Timestamp": timestamp,
-    ...channel.webhook.headers
-  };
-  if (channel.webhook.secret) {
-    headers["X-Hasna-Signature"] = signPayload2(channel.webhook.secret, timestamp, body);
+function cloneMetadata(metadata) {
+  return isRecord2(metadata) ? { ...metadata } : {};
+}
+function mappedPath(metadata, field, key) {
+  const container = metadata[field];
+  if (!isRecord2(container))
+    return null;
+  const value = container[key];
+  if (typeof value === "string" && value.trim())
+    return value.trim();
+  if (isRecord2(value)) {
+    const nested = value["path"] ?? value["root"] ?? value["workspacePath"] ?? value["workspace_path"];
+    if (typeof nested === "string" && nested.trim())
+      return nested.trim();
   }
-  return { body, headers };
+  return null;
 }
-async function dispatchWebhook3(event, channel, options = {}) {
-  if (!channel.webhook)
-    throw new Error(`Channel ${channel.id} has no webhook config`);
-  const startedAt = now2();
-  const { body, headers } = buildWebhookRequest2(event, channel);
-  const controller = new AbortController;
-  const timeout = setTimeout(() => controller.abort(), channel.webhook.timeoutMs ?? 15000);
-  try {
-    const response = await (options.fetchImpl ?? fetch)(channel.webhook.url, {
-      method: "POST",
-      headers,
-      body,
-      signal: controller.signal
-    });
-    const responseBody = truncate2(await response.text());
-    return {
-      attempt: 1,
-      status: response.ok ? "success" : "failed",
-      startedAt,
-      completedAt: now2(),
-      responseStatus: response.status,
-      responseBody,
-      error: response.ok ? undefined : `Webhook returned HTTP ${response.status}`
-    };
-  } catch (error) {
+function writeMappedPath(metadata, field, key, path) {
+  const existing = metadata[field];
+  const container = isRecord2(existing) ? { ...existing } : {};
+  container[key] = path;
+  metadata[field] = container;
+}
+function buildPatch(input) {
+  const previous = mappedPath(input.metadata, input.field, input.key);
+  if (!input.path) {
     return {
-      attempt: 1,
-      status: "failed",
-      startedAt,
-      completedAt: now2(),
-      error: error instanceof Error ? error.message : String(error)
+      field: input.field,
+      key: input.key,
+      path: null,
+      previous_path: previous,
+      status: "unresolved"
     };
-  } finally {
-    clearTimeout(timeout);
   }
+  const status = previous === input.path ? "unchanged" : input.apply ? "written" : "would_write";
+  return {
+    field: input.field,
+    key: input.key,
+    path: input.path,
+    previous_path: previous,
+    status
+  };
 }
-async function dispatchCommand3(event, channel) {
-  if (!channel.command)
-    throw new Error(`Channel ${channel.id} has no command config`);
-  const startedAt = now2();
-  const eventJson = JSON.stringify(event);
-  const env2 = {
-    ...process.env,
-    ...channel.command.env,
-    HASNA_CHANNEL_ID: channel.id,
-    HASNA_EVENT_ID: event.id,
-    HASNA_EVENT_TYPE: event.type,
-    HASNA_EVENT_SOURCE: event.source,
-    HASNA_EVENT_SUBJECT: event.subject ?? "",
-    HASNA_EVENT_SEVERITY: event.severity,
-    HASNA_EVENT_TIME: event.time,
-    HASNA_EVENT_DEDUPE_KEY: event.dedupeKey ?? "",
-    HASNA_EVENT_SCHEMA_VERSION: event.schemaVersion,
-    HASNA_EVENT_JSON: eventJson
+function upsertMachineMetadata(manifest, machineId, metadata) {
+  return {
+    ...manifest,
+    machines: manifest.machines.map((machine) => machine.id === machineId ? { ...machine, metadata } : machine)
   };
-  return new Promise((resolve2) => {
-    const child = spawn2(channel.command.command, channel.command.args ?? [], {
-      cwd: channel.command.cwd,
-      env: env2,
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    let stdout = "";
-    let stderr = "";
-    const timeout = setTimeout(() => child.kill("SIGTERM"), channel.command.timeoutMs ?? 15000);
-    child.stdin.end(eventJson);
-    child.stdout.on("data", (chunk) => {
-      stdout += chunk.toString();
-    });
-    child.stderr.on("data", (chunk) => {
-      stderr += chunk.toString();
-    });
-    child.on("error", (error) => {
-      clearTimeout(timeout);
-      resolve2({
-        attempt: 1,
-        status: "failed",
-        startedAt,
-        completedAt: now2(),
-        stdout: truncate2(stdout),
-        stderr: truncate2(stderr),
-        error: error.message
-      });
-    });
-    child.on("close", (code, signal) => {
-      clearTimeout(timeout);
-      const success = code === 0;
-      resolve2({
-        attempt: 1,
-        status: success ? "success" : "failed",
-        startedAt,
-        completedAt: now2(),
-        stdout: truncate2(stdout),
-        stderr: truncate2(stderr),
-        error: success ? undefined : `Command exited with ${signal ? `signal ${signal}` : `code ${code}`}`
-      });
-    });
-  });
 }
-async function dispatchChannel3(event, channel, options = {}) {
-  if (channel.transport === "webhook")
-    return dispatchWebhook3(event, channel, options);
-  if (channel.transport === "command")
-    return dispatchCommand3(event, channel);
+function repairWorkspaceManifestMappings(options) {
+  const projectId = options.projectId;
+  const repoName = options.repoName ?? projectId;
+  const openFilesRepoName = options.openFilesRepoName ?? "open-files";
+  const apply = options.apply === true;
+  const resolution = resolveMachineWorkspace({
+    machineId: options.machineId,
+    projectId,
+    repoName,
+    openFilesRepoName,
+    projectRoot: options.projectRoot,
+    openFilesRoot: options.openFilesRoot,
+    workspaceRoot: options.workspaceRoot,
+    includeTailscale: options.includeTailscale,
+    now: options.now
+  });
+  const warnings = [...resolution.warnings];
+  const manifest = readManifest();
+  const manifestMachineId = resolution.machine_id ?? options.machineId;
+  const machine = manifest.machines.find((entry) => entry.id === manifestMachineId) ?? null;
+  const trusted = resolution.machine.trust_status === "trusted" || options.allowUntrusted === true;
+  if (!machine) {
+    warnings.push(`manifest_machine_missing:${manifestMachineId}`);
+    return {
+      ok: false,
+      applied: false,
+      manifest_path: getManifestPath(),
+      machine_id: resolution.machine_id,
+      project_id: projectId,
+      repo_name: repoName,
+      open_files_repo_name: openFilesRepoName,
+      trusted,
+      resolution,
+      patches: [],
+      warnings
+    };
+  }
+  const metadata = cloneMetadata(machine.metadata);
+  const patches = [
+    buildPatch({
+      metadata,
+      field: "workspace_paths",
+      key: projectId,
+      path: options.projectRoot ?? resolution.paths.project_root.path,
+      apply
+    }),
+    buildPatch({
+      metadata,
+      field: "open_files_roots",
+      key: projectId,
+      path: options.openFilesRoot ?? resolution.paths.open_files_root.path,
+      apply
+    })
+  ];
+  const hasUnresolved = patches.some((patch) => patch.status === "unresolved");
+  const hasWrites = patches.some((patch) => patch.status === "would_write" || patch.status === "written");
+  if (apply && hasWrites && !trusted) {
+    warnings.push(`manifest_repair_requires_trusted_machine:${manifestMachineId}`);
+    return {
+      ok: false,
+      applied: false,
+      manifest_path: getManifestPath(),
+      machine_id: manifestMachineId,
+      project_id: projectId,
+      repo_name: repoName,
+      open_files_repo_name: openFilesRepoName,
+      trusted,
+      resolution,
+      patches: patches.map((patch) => patch.status === "written" ? { ...patch, status: "would_write" } : patch),
+      warnings
+    };
+  }
+  let applied = false;
+  if (apply && !hasUnresolved && hasWrites) {
+    for (const patch of patches) {
+      if (patch.path && patch.status === "written")
+        writeMappedPath(metadata, patch.field, patch.key, patch.path);
+    }
+    writeManifest(upsertMachineMetadata(manifest, manifestMachineId, metadata));
+    applied = true;
+  }
   return {
-    attempt: 1,
-    status: "skipped",
-    startedAt: now2(),
-    completedAt: now2(),
-    error: `Unsupported transport: ${channel.transport}`
+    ok: resolution.ok && !hasUnresolved && (!apply || applied || !hasWrites),
+    applied,
+    manifest_path: getManifestPath(),
+    machine_id: manifestMachineId,
+    project_id: projectId,
+    repo_name: repoName,
+    open_files_repo_name: openFilesRepoName,
+    trusted,
+    resolution,
+    patches,
+    warnings
   };
 }
-function createDeliveryResult2(event, channel, attempts) {
-  const status = attempts.some((attempt) => attempt.status === "success") ? "success" : attempts.every((attempt) => attempt.status === "skipped") ? "skipped" : "failed";
+
+// src/compatibility.ts
+init_db();
+var DEFAULT_COMMANDS = [
+  { command: "bun", required: true },
+  { command: "machines", required: true }
+];
+function defaultPackages() {
+  return [{ name: "@hasna/machines", command: "machines", expectedVersion: getPackageVersion(), required: true }];
+}
+function shellQuote7(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function commandId(value) {
+  return value.replace(/[^a-zA-Z0-9_.@/-]+/g, "-").replace(/^-+|-+$/g, "");
+}
+function packageCommand(name) {
+  if (name === "@hasna/knowledge")
+    return "knowledge";
+  if (name === "@hasna/machines")
+    return "machines";
+  return name.split("/").pop() ?? name;
+}
+function firstLine(value) {
+  return value.trim().split(/\r?\n/).find(Boolean) ?? "";
+}
+function extractVersion(value) {
+  const match = value.match(/\b\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?\b/);
+  return match?.[0] ?? null;
+}
+function statusFor(required, ok) {
+  if (ok)
+    return "ok";
+  return required === false ? "warn" : "fail";
+}
+function makeCheck(input) {
   return {
-    id: randomUUID3(),
-    eventId: event.id,
-    channelId: channel.id,
-    transport: channel.transport,
-    status,
-    attempts,
-    createdAt: attempts[0]?.startedAt ?? now2(),
-    completedAt: attempts.at(-1)?.completedAt ?? now2()
+    id: input.id,
+    kind: input.kind,
+    status: input.status,
+    target: input.target,
+    expected: input.expected ?? null,
+    actual: input.actual ?? null,
+    detail: input.detail,
+    source: input.source
   };
 }
-function createEvent2(input) {
+function parseKeyValue(stdout) {
+  const result = {};
+  for (const line of stdout.split(/\r?\n/)) {
+    const idx = line.indexOf("=");
+    if (idx <= 0)
+      continue;
+    result[line.slice(0, idx)] = line.slice(idx + 1);
+  }
+  return result;
+}
+function defaultRunner2(machineId, command) {
+  return runMachineCommand(machineId, command);
+}
+function inspectCommand(machineId, spec, runner) {
+  const command = shellQuote7(spec.command);
+  const versionArgs = spec.versionArgs ?? "--version";
+  const script = [
+    `cmd=${command}`,
+    'path="$(command -v "$cmd" 2>/dev/null || true)"',
+    'printf "path=%s\\n" "$path"',
+    'if [ -n "$path" ]; then version="$("$cmd" ' + versionArgs + ' 2>/dev/null || true)"; printf "version=%s\\n" "$version"; fi'
+  ].join("; ");
+  const result = runner(machineId, script);
+  const parsed = parseKeyValue(result.stdout);
   return {
-    id: input.id ?? randomUUID22(),
-    source: input.source,
-    type: input.type,
-    time: normalizeTime2(input.time),
-    subject: input.subject,
-    severity: input.severity ?? "info",
-    data: input.data ?? {},
-    message: input.message,
-    dedupeKey: input.dedupeKey,
-    schemaVersion: input.schemaVersion ?? "1.0",
-    metadata: input.metadata ?? {}
+    path: parsed.path || null,
+    version: parsed.version ? firstLine(parsed.version) : null,
+    exitCode: result.exitCode,
+    source: result.source,
+    stderr: result.stderr
   };
 }
-
-class EventsClient2 {
-  store;
-  redactors;
-  transportOptions;
-  constructor(options = {}) {
-    this.store = options.store ?? new JsonEventsStore2(options.dataDir);
-    this.redactors = options.redactors ?? [];
-    this.transportOptions = { fetchImpl: options.fetchImpl };
-  }
-  async addChannel(input) {
-    const timestamp = new Date().toISOString();
-    return this.store.addChannel({
-      ...input,
-      createdAt: input.createdAt ?? timestamp,
-      updatedAt: input.updatedAt ?? timestamp
-    });
-  }
-  async listChannels() {
-    return this.store.listChannels();
-  }
-  async removeChannel(id) {
-    return this.store.removeChannel(id);
-  }
-  async emit(input, options = {}) {
-    const event = options.redactSensitiveData === false ? createEvent2(input) : redactSensitiveKeys2(createEvent2(input));
-    if (options.dedupe !== false) {
-      const existing = await this.store.findEventByIdentity({ id: input.id, dedupeKey: event.dedupeKey });
-      if (existing) {
-        return { event: existing, deliveries: [], deduped: true };
-      }
-    }
-    await this.store.appendEvent(event);
-    const deliveries = options.deliver === false ? [] : await this.deliver(event);
-    return { event, deliveries, deduped: false };
-  }
-  async listEvents() {
-    return this.store.listEvents();
-  }
-  async listDeliveries() {
-    return this.store.listDeliveries();
-  }
-  async deliver(event) {
-    const channels = await this.store.listChannels();
-    const selected = channels.filter((channel) => channelMatchesEvent2(channel, event));
-    const deliveries = [];
-    for (const channel of selected) {
-      const eventForChannel = await this.applyRedaction(event, channel);
-      const result = await this.deliverWithRetry(eventForChannel, channel);
-      await this.store.appendDelivery(result);
-      deliveries.push(result);
-    }
-    return deliveries;
-  }
-  async testChannel(id, input = {}) {
-    const channel = await this.store.getChannel(id);
-    if (!channel)
-      throw new Error(`Channel not found: ${id}`);
-    const event = createEvent2({
-      source: input.source ?? "hasna.events",
-      type: input.type ?? "events.test",
-      subject: input.subject ?? id,
-      severity: input.severity ?? "info",
-      data: input.data ?? { test: true },
-      message: input.message ?? "Hasna events test delivery",
-      dedupeKey: input.dedupeKey,
-      schemaVersion: input.schemaVersion,
-      metadata: input.metadata,
-      time: input.time,
-      id: input.id
-    });
-    const eventForChannel = await this.applyRedaction(event, channel);
-    const result = await this.deliverWithRetry(eventForChannel, channel);
-    await this.store.appendDelivery(result);
-    return result;
-  }
-  async replay(options = {}) {
-    const events = (await this.store.listEvents()).filter((event) => {
-      if (options.eventId && event.id !== options.eventId)
-        return false;
-      if (options.source && event.source !== options.source)
-        return false;
-      if (options.type && event.type !== options.type)
-        return false;
-      return true;
-    });
-    if (options.dryRun)
-      return { events, deliveries: [] };
-    const deliveries = [];
-    for (const event of events) {
-      deliveries.push(...await this.deliver(event));
-    }
-    return { events, deliveries };
-  }
-  async applyRedaction(event, channel) {
-    let next = redactPaths2(event, channel.redact?.paths ?? [], channel.redact?.replacement ?? "[REDACTED]");
-    for (const redactor of this.redactors) {
-      next = await redactor(next, channel);
-    }
-    return next;
-  }
-  async deliverWithRetry(event, channel) {
-    const policy = normalizeRetryPolicy2(channel.retry);
-    const attempts = [];
-    for (let index = 0;index < policy.maxAttempts; index += 1) {
-      const attempt = await dispatchChannel3(event, channel, this.transportOptions);
-      attempt.attempt = index + 1;
-      if (attempt.status === "failed" && index + 1 < policy.maxAttempts) {
-        attempt.nextBackoffMs = Math.round(policy.backoffMs * policy.multiplier ** index);
-      }
-      attempts.push(attempt);
-      if (attempt.status !== "failed")
-        break;
-      if (attempt.nextBackoffMs)
-        await Bun.sleep(attempt.nextBackoffMs);
-    }
-    return createDeliveryResult2(event, channel, attempts);
-  }
+function fieldCommand(field) {
+  const regex = field === "name" ? String.raw`s/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p` : String.raw`s/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p`;
+  return [
+    `if command -v bun >/dev/null 2>&1; then bun -e "const p=JSON.parse(await Bun.file(process.argv[1]).text()); console.log(p.${field} ?? '')" "$pkg" 2>/dev/null`,
+    `elif command -v node >/dev/null 2>&1; then node -e "const fs=require('fs'); const p=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); console.log(p.${field} || '')" "$pkg" 2>/dev/null`,
+    `else sed -n '${regex}' "$pkg" | head -n 1`,
+    "fi"
+  ].join("; ");
 }
-function redactPaths2(event, paths, replacement = "[REDACTED]") {
-  if (paths.length === 0)
-    return event;
-  const copy = structuredClone(event);
-  for (const path of paths) {
-    setPath2(copy, path, replacement);
-  }
-  return copy;
+function inspectWorkspace(machineId, spec, runner) {
+  const script = [
+    `path=${shellQuote7(spec.path)}`,
+    'printf "exists=%s\\n" "$(test -d "$path" && printf yes || printf no)"',
+    'pkg="$path/package.json"',
+    'printf "package_json=%s\\n" "$(test -f "$pkg" && printf yes || printf no)"',
+    `if [ -f "$pkg" ]; then printf "package_name=%s\\n" "$(${fieldCommand("name")})"; printf "version=%s\\n" "$(${fieldCommand("version")})"; fi`
+  ].join("; ");
+  const result = runner(machineId, script);
+  const parsed = parseKeyValue(result.stdout);
+  return {
+    exists: parsed.exists === "yes",
+    packageJson: parsed.package_json === "yes",
+    packageName: parsed.package_name || null,
+    version: parsed.version || null,
+    source: result.source,
+    stderr: result.stderr
+  };
 }
-function sanitizeChannelForOutput2(channel) {
-  const copy = structuredClone(channel);
-  if (copy.webhook?.secret)
-    copy.webhook.secret = "[REDACTED]";
-  if (copy.command?.env) {
-    copy.command.env = Object.fromEntries(Object.entries(copy.command.env).map(([key, value]) => [key, shouldRedactKey2(key) ? "[REDACTED]" : value]));
+function commandCheck(machineId, spec, runner) {
+  const inspection = inspectCommand(machineId, spec, runner);
+  const found = Boolean(inspection.path);
+  const checks = [
+    makeCheck({
+      id: `command:${commandId(spec.command)}:path`,
+      kind: "command",
+      status: statusFor(spec.required, found),
+      target: spec.command,
+      expected: "available",
+      actual: inspection.path ?? "missing",
+      detail: found ? `found at ${inspection.path}` : inspection.stderr || "command missing",
+      source: inspection.source
+    })
+  ];
+  if (spec.expectedVersion) {
+    const actualVersion = extractVersion(inspection.version ?? "");
+    checks.push(makeCheck({
+      id: `command:${commandId(spec.command)}:version`,
+      kind: "command",
+      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
+      target: spec.command,
+      expected: spec.expectedVersion,
+      actual: actualVersion ?? inspection.version ?? "missing",
+      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
+      source: inspection.source
+    }));
   }
-  return copy;
+  return checks;
 }
-function sanitizeChannelsForOutput2(channels) {
-  return channels.map(sanitizeChannelForOutput2);
+function packageCheck(machineId, spec, runner) {
+  const command = spec.command ?? packageCommand(spec.name);
+  const inspection = inspectCommand(machineId, { command, expectedVersion: spec.expectedVersion, required: spec.required }, runner);
+  const found = Boolean(inspection.path);
+  const checks = [
+    makeCheck({
+      id: `package:${commandId(spec.name)}:command`,
+      kind: "package",
+      status: statusFor(spec.required, found),
+      target: spec.name,
+      expected: command,
+      actual: inspection.path ?? "missing",
+      detail: found ? `${command} found at ${inspection.path}` : `${command} command missing`,
+      source: inspection.source
+    })
+  ];
+  if (spec.expectedVersion) {
+    const actualVersion = extractVersion(inspection.version ?? "");
+    checks.push(makeCheck({
+      id: `package:${commandId(spec.name)}:version`,
+      kind: "package",
+      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
+      target: spec.name,
+      expected: spec.expectedVersion,
+      actual: actualVersion ?? inspection.version ?? "missing",
+      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
+      source: inspection.source
+    }));
+  }
+  return checks;
 }
-function redactSensitiveKeys2(event, replacement = "[REDACTED]") {
-  return redactValue2(event, replacement);
+function workspaceCheck(machineId, spec, runner) {
+  const inspection = inspectWorkspace(machineId, spec, runner);
+  const target = spec.label ?? spec.path;
+  const checks = [
+    makeCheck({
+      id: `workspace:${commandId(target)}:path`,
+      kind: "workspace",
+      status: statusFor(spec.required, inspection.exists),
+      target,
+      expected: spec.path,
+      actual: inspection.exists ? "exists" : "missing",
+      detail: inspection.exists ? `workspace exists at ${spec.path}` : inspection.stderr || `workspace missing at ${spec.path}`,
+      source: inspection.source
+    })
+  ];
+  if (spec.expectedPackageName) {
+    checks.push(makeCheck({
+      id: `workspace:${commandId(target)}:package-name`,
+      kind: "workspace",
+      status: inspection.packageName === spec.expectedPackageName ? "ok" : statusFor(spec.required, false),
+      target,
+      expected: spec.expectedPackageName,
+      actual: inspection.packageName ?? (inspection.packageJson ? "missing-name" : "missing-package-json"),
+      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
+      source: inspection.source
+    }));
+  }
+  if (spec.expectedVersion) {
+    checks.push(makeCheck({
+      id: `workspace:${commandId(target)}:version`,
+      kind: "workspace",
+      status: inspection.version === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
+      target,
+      expected: spec.expectedVersion,
+      actual: inspection.version ?? (inspection.packageJson ? "missing-version" : "missing-package-json"),
+      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
+      source: inspection.source
+    }));
+  }
+  return checks;
 }
-function shouldRedactKey2(key) {
-  return /secret|token|password|api[_-]?key|authorization/i.test(key);
+function checkMachineCompatibility(options = {}) {
+  const machineId = options.machineId ?? getLocalMachineId();
+  const runner = options.runner ?? defaultRunner2;
+  const commands = options.commands ?? DEFAULT_COMMANDS;
+  const packages = options.packages ?? defaultPackages();
+  const workspaces = options.workspaces ?? [];
+  const checks = [];
+  for (const spec of commands)
+    checks.push(...commandCheck(machineId, spec, runner));
+  for (const spec of packages)
+    checks.push(...packageCheck(machineId, spec, runner));
+  for (const spec of workspaces)
+    checks.push(...workspaceCheck(machineId, spec, runner));
+  const summary = {
+    ok: checks.filter((check) => check.status === "ok").length,
+    warn: checks.filter((check) => check.status === "warn").length,
+    fail: checks.filter((check) => check.status === "fail").length
+  };
+  return {
+    schema_version: MACHINES_CONSUMER_CONTRACT_VERSION,
+    package: {
+      name: MACHINES_PACKAGE_NAME,
+      version: getPackageVersion()
+    },
+    capabilities: getMachinesConsumerCapabilities(),
+    ok: summary.fail === 0,
+    machine_id: machineId,
+    source: checks[0]?.source ?? "local",
+    generated_at: (options.now ?? new Date).toISOString(),
+    checks,
+    summary
+  };
 }
-function redactValue2(value, replacement) {
-  if (Array.isArray(value))
-    return value.map((item) => redactValue2(item, replacement));
-  if (!value || typeof value !== "object")
-    return value;
-  return Object.fromEntries(Object.entries(value).map(([key, item]) => [
-    key,
-    shouldRedactKey2(key) ? replacement : redactValue2(item, replacement)
-  ]));
+
+// src/commands/doctor.ts
+init_db();
+function makeCheck2(id, status, summary, detail) {
+  return { id, status, summary, detail };
 }
-function setPath2(input, path, replacement) {
-  const parts = path.split(".");
-  let cursor = input;
-  for (const part of parts.slice(0, -1)) {
-    const next = cursor[part];
-    if (!next || typeof next !== "object")
-      return;
-    cursor = next;
-  }
-  const last = parts.at(-1);
-  if (last && last in cursor)
-    cursor[last] = replacement;
+function parseKeyValueOutput(stdout) {
+  return Object.fromEntries(stdout.trim().split(`
+`).map((line) => line.split("=")).filter((parts) => parts.length === 2).map(([key, value]) => [key, value]));
 }
-function normalizeTime2(value) {
-  if (!value)
-    return new Date().toISOString();
-  return value instanceof Date ? value.toISOString() : value;
+function buildDoctorCommand() {
+  return [
+    'data_dir="${HASNA_MACHINES_DIR:-$HOME/.hasna/machines}"',
+    'manifest_path="${HASNA_MACHINES_MANIFEST_PATH:-$data_dir/machines.json}"',
+    'db_path="${HASNA_MACHINES_DB_PATH:-$data_dir/machines.db}"',
+    'notifications_path="${HASNA_MACHINES_NOTIFICATIONS_PATH:-$data_dir/notifications.json}"',
+    `printf 'manifest_path=%s\\n' "$manifest_path"`,
+    `printf 'db_path=%s\\n' "$db_path"`,
+    `printf 'notifications_path=%s\\n' "$notifications_path"`,
+    `printf 'manifest_exists=%s\\n' "$(test -e "$manifest_path" && printf yes || printf no)"`,
+    `printf 'db_exists=%s\\n' "$(test -e "$db_path" && printf yes || printf no)"`,
+    `printf 'notifications_exists=%s\\n' "$(test -e "$notifications_path" && printf yes || printf no)"`,
+    `printf 'bun=%s\\n' "$(bun --version 2>/dev/null || printf missing)"`,
+    `printf 'ssh=%s\\n' "$(command -v ssh >/dev/null 2>&1 && printf ok || printf missing)"`,
+    `printf 'machines=%s\\n' "$(command -v machines 2>/dev/null || printf missing)"`,
+    `printf 'machines_agent=%s\\n' "$(command -v machines-agent 2>/dev/null || printf missing)"`,
+    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`
+  ].join("; ");
 }
-function normalizeRetryPolicy2(policy) {
+function runDoctor(machineId = getLocalMachineId()) {
+  const manifest = readManifest();
+  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
+  const details = parseKeyValueOutput(commandChecks.stdout);
+  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
+  const checks = [
+    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(machineInManifest) : `No manifest entry for ${machineId}`),
+    makeCheck2("manifest-path", details["manifest_exists"] === "yes" ? "ok" : "warn", "Manifest path check", `${details["manifest_path"] || "unknown"} ${details["manifest_exists"] === "yes" ? "exists" : "missing"}`),
+    makeCheck2("db-path", details["db_exists"] === "yes" ? "ok" : "warn", "DB path check", `${details["db_path"] || "unknown"} ${details["db_exists"] === "yes" ? "exists" : "missing"}`),
+    makeCheck2("notifications-path", details["notifications_exists"] === "yes" ? "ok" : "warn", "Notifications path check", `${details["notifications_path"] || "unknown"} ${details["notifications_exists"] === "yes" ? "exists" : "missing"}`),
+    makeCheck2("bun", details["bun"] && details["bun"] !== "missing" ? "ok" : "fail", "Bun availability", details["bun"] || "missing"),
+    makeCheck2("machines-cli", details["machines"] && details["machines"] !== "missing" ? "ok" : "warn", "machines CLI availability", details["machines"] || "missing"),
+    makeCheck2("machines-agent-cli", details["machines_agent"] && details["machines_agent"] !== "missing" ? "ok" : "warn", "machines-agent availability", details["machines_agent"] || "missing"),
+    makeCheck2("machines-mcp-cli", details["machines_mcp"] && details["machines_mcp"] !== "missing" ? "ok" : "warn", "machines-mcp availability", details["machines_mcp"] || "missing"),
+    makeCheck2("ssh", details["ssh"] === "ok" ? "ok" : "warn", "SSH availability", details["ssh"] || "missing")
+  ];
   return {
-    maxAttempts: Math.max(1, policy?.maxAttempts ?? 1),
-    backoffMs: Math.max(0, policy?.backoffMs ?? 250),
-    multiplier: Math.max(1, policy?.multiplier ?? 2)
+    machineId,
+    source: commandChecks.source,
+    manifestPath: details["manifest_path"],
+    dbPath: details["db_path"],
+    notificationsPath: details["notifications_path"],
+    checks
   };
 }
 
+// src/commands/self-test.ts
+init_db();
+
 // src/commands/serve.ts
 function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
@@ -12668,6 +12758,7 @@ var manifestCommand = program2.command("manifest").description("Manage the fleet
 var appsCommand = program2.command("apps").description("Manage installed applications per machine");
 var notificationsCommand = program2.command("notifications").description("Manage fleet alert delivery channels");
 registerEventsCommands(program2, { source: "machines" });
+var runtimeCommand = program2.command("runtime").description("Watch runtime conditions and emit Hasna events");
 var clipboardCommand = program2.command("clipboard").description("Real-time clipboard sync across fleet machines");
 var installClaudeCommand = program2.command("install-claude").description("Install or inspect Claude, Codex, and Gemini CLIs");
 manifestCommand.command("init").description("Create an empty fleet manifest").action(() => {
@@ -12906,6 +12997,26 @@ notificationsCommand.command("remove").description("Remove a notification channe
   const result = removeNotificationChannel(id);
   printJsonOrText(result, renderNotificationConfigResult(result), options.json);
 });
+runtimeCommand.command("tmux-watch").description("Watch a tmux pane and emit machines.tmux.pane_died if it disappears").argument("<target>", "tmux pane target, for example %1 or session:window.pane").option("--interval-ms <ms>", "Polling interval in milliseconds", "5000").option("--max-checks <n>", "Stop after N checks instead of watching forever").option("--once", "Probe once and emit machines.tmux.pane_missing when absent", false).option("--no-deliver", "Record the event without webhook delivery").option("-j, --json", "Print JSON output", false).action(async (target, options) => {
+  const maxChecks = options.once ? 1 : options.maxChecks ? parseIntegerOption(options.maxChecks, "max-checks", { min: 1 }) : undefined;
+  const result = await watchTmuxPane({
+    target,
+    intervalMs: parseIntegerOption(options.intervalMs ?? "5000", "interval-ms", { min: 0 }),
+    maxChecks,
+    emitInitialMissing: Boolean(options.once),
+    deliver: options.deliver !== false,
+    onProbe: options.json ? undefined : (probe) => {
+      const status = probe.exists ? source_default.green("present") : source_default.yellow("missing");
+      console.error(`tmux ${probe.target}: ${status}${probe.paneId ? ` ${probe.paneId}` : ""}`);
+    }
+  });
+  printJsonOrText(result, renderKeyValueTable([
+    ["target", result.target],
+    ["status", result.status],
+    ["checks", String(result.checks)],
+    ["event", result.emitted?.event.type ?? "none"]
+  ]), options.json);
+});
 clipboardCommand.command("init").description("Initialize clipboard sync (generate shared secret)").option("-j, --json", "Print JSON output", false).action((options) => {
   const key = getOrCreateClipboardKey();
   const config = getDefaultClipboardConfig();