@hasna/machines 0.0.35 → 0.0.37

package/README.md

@@ -59,10 +59,21 @@ machines self-test
 `machines setup` is a dry-run plan by default. The generated playbook favors
 idempotent operations (`mkdir -p`, command-existence guards, package-manager
 installs) and only executes when both `--apply` and `--yes` are provided.
+The default plan also adds update-check/download settings without enabling
+automatic OS installation: Linux uses apt periodic download-only settings, and
+macOS uses `softwareupdate`/`defaults` with `AutomaticallyInstallMacOSUpdates`
+left disabled.
 `doctor --json` includes public-safe source/ref diagnostics plus optional
 adapter hook results for secrets, configs, monitors, repos, MCPs, and shield
 checks. When no adapter is configured, those checks report a skipped fallback
 instead of importing private dependencies.
+It also reports noninteractive sudo readiness, SSH certificate support, and
+GitHub App secret-reference readiness without printing credentials or private
+keys.
+
+Apple device management belongs in the private deployment layer. The public
+setup plan can report enrollment status with `profiles status -type enrollment`,
+but it does not enroll devices, install profiles, or publish team identifiers.
 
 ## Topology SDK
 
@@ -168,6 +179,11 @@ machines defaults to
 `machines/screen-sharing/screen-<machine>-vnc-password`, or the namespace set in
 `HASNA_MACHINES_SCREEN_SECRET_NAMESPACE`. The user comes from the manifest
 (`metadata.user`) when present, or `--user`.
+
+For GitHub automation, prefer GitHub App installation tokens over personal user
+tokens. Public manifests and docs should store only opaque secret references
+for the app id/private key material; private adapters or `open-secrets` should
+resolve those references at runtime.
 `screen-credentials` verifies the resolved user and secret key for a machine or
 the full fleet without printing secret values.
 

package/dist/cli/index.js

@@ -8386,6 +8386,13 @@ function buildBaseSteps(machine) {
       manager: "apt",
       privileged: true
     });
+    steps.push({
+      id: "linux-update-downloads",
+      title: "Enable Linux package list refresh and download-only upgrades",
+      command: `printf '%s\\n' 'APT::Periodic::Update-Package-Lists "1";' 'APT::Periodic::Download-Upgradeable-Packages "1";' 'APT::Periodic::Unattended-Upgrade "0";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null`,
+      manager: "apt",
+      privileged: true
+    });
   } else if (machine.platform === "macos") {
     steps.push({
       id: "brew-base",
@@ -8399,7 +8406,26 @@ function buildBaseSteps(machine) {
       command: "brew install git coreutils",
       manager: "brew"
     });
+    steps.push({
+      id: "macos-update-downloads",
+      title: "Enable macOS update checks and downloads without automatic install",
+      command: "sudo softwareupdate --schedule on && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -int 0",
+      manager: "custom",
+      privileged: true
+    });
+    steps.push({
+      id: "macos-management-readiness",
+      title: "Report Apple management readiness without enrolling devices",
+      command: "profiles status -type enrollment 2>/dev/null || true",
+      manager: "custom"
+    });
   }
+  steps.push({
+    id: "github-app-auth-readiness",
+    title: "Check GitHub CLI/App auth readiness without printing credentials",
+    command: "command -v gh >/dev/null 2>&1 && gh auth status >/dev/null 2>&1 || true",
+    manager: "custom"
+  });
   return steps;
 }
 function buildPackageSteps(machine) {
@@ -10192,7 +10218,12 @@ function buildDoctorCommand() {
     `printf 'ssh=%s\\n' "$(command -v ssh >/dev/null 2>&1 && printf ok || printf missing)"`,
     `printf 'machines=%s\\n' "$(command -v machines 2>/dev/null || printf missing)"`,
     `printf 'machines_agent=%s\\n' "$(command -v machines-agent 2>/dev/null || printf missing)"`,
-    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`
+    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`,
+    `printf 'sudo_noninteractive=%s\\n' "$(sudo -n true >/dev/null 2>&1 && printf ok || printf unavailable)"`,
+    `printf 'ssh_cert_support=%s\\n' "$(ssh -Q key-cert 2>/dev/null | grep -q 'ssh-ed25519-cert-v01@openssh.com' && printf ok || printf unavailable)"`,
+    `printf 'gh_cli=%s\\n' "$(command -v gh 2>/dev/null || printf missing)"`,
+    `printf 'gh_auth=%s\\n' "$(gh auth status >/dev/null 2>&1 && printf ok || printf unavailable)"`,
+    "printf 'github_app_ref=%s\\n' \"$(test -n \\\"${HASNA_GITHUB_APP_ID:-}\\\" -a -n \\\"${HASNA_GITHUB_APP_PRIVATE_KEY_REF:-}\\\" && printf configured || printf missing)\""
   ].join("; ");
 }
 function fallbackAdapterCheck(domain) {
@@ -10235,14 +10266,20 @@ function runOptionalAdapterChecks(context, adapters) {
   }
   return checks;
 }
-function runDoctor(machineId = getLocalMachineId(), options = {}) {
+function runDoctor(machineId, options = {}) {
+  const implicitLocalMachine = !machineId;
+  const requestedMachineId = machineId ?? getLocalMachineId();
+  const reportedMachineId = implicitLocalMachine ? "local" : requestedMachineId;
   const now = options.now ?? new Date;
   const { manifest, info: manifestSource } = readManifestWithSource({ adapter: options.manifestAdapter ?? null });
-  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
+  const commandChecks = runMachineCommand(requestedMachineId, buildDoctorCommand());
   const details = parseKeyValueOutput(commandChecks.stdout);
-  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
+  const machineInManifest = manifest.machines.find((machine) => machine.id === requestedMachineId);
+  const diagnosticMachine = machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null;
+  if (implicitLocalMachine && diagnosticMachine)
+    diagnosticMachine.id = reportedMachineId;
   const optionalAdapterChecks = options.includeOptionalAdapters === false ? [] : runOptionalAdapterChecks({
-    machineId,
+    machineId: requestedMachineId,
     manifest,
     manifestSource,
     commandDetails: details,
@@ -10258,10 +10295,10 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
       },
       remediation: manifestSource.warnings.length > 0 ? ["Provide a private manifest adapter or unset the private manifest ref to use the local manifest only."] : undefined
     }),
-    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(redactManifestForDiagnostics(machineInManifest)) : `No manifest entry for ${machineId}`, {
+    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", diagnosticMachine ? JSON.stringify(diagnosticMachine) : `No manifest entry for ${reportedMachineId}`, {
       data: {
         declared: Boolean(machineInManifest),
-        machine: machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null
+        machine: diagnosticMachine
       }
     }),
     makeCheck2("data-dir", details["data_dir_exists"] === "yes" ? "ok" : "warn", "Data directory check", `${redactPath(details["data_dir"] || "unknown")} ${details["data_dir_exists"] === "yes" ? "exists" : "missing"}`, {
@@ -10293,10 +10330,26 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
     makeCheck2("machines-agent-cli", details["machines_agent"] && details["machines_agent"] !== "missing" ? "ok" : "warn", "machines-agent availability", details["machines_agent"] || "missing"),
     makeCheck2("machines-mcp-cli", details["machines_mcp"] && details["machines_mcp"] !== "missing" ? "ok" : "warn", "machines-mcp availability", details["machines_mcp"] || "missing"),
     makeCheck2("ssh", details["ssh"] === "ok" ? "ok" : "warn", "SSH availability", details["ssh"] || "missing"),
+    makeCheck2("sudo-noninteractive", details["sudo_noninteractive"] === "ok" ? "ok" : "warn", "Noninteractive sudo availability", details["sudo_noninteractive"] === "ok" ? "sudo -n is available" : "sudo -n unavailable; setup may require user-provided approval or password handling.", {
+      data: { available: details["sudo_noninteractive"] === "ok" },
+      remediation: details["sudo_noninteractive"] === "ok" ? undefined : ["Configure explicit sudo policy or run setup commands manually; do not store sudo passwords in public manifests."]
+    }),
+    makeCheck2("ssh-cert-support", details["ssh_cert_support"] === "ok" ? "ok" : "warn", "SSH certificate support", details["ssh_cert_support"] === "ok" ? "OpenSSH reports ed25519 certificate support" : "OpenSSH certificate support not detected.", {
+      data: { supported: details["ssh_cert_support"] === "ok" },
+      remediation: details["ssh_cert_support"] === "ok" ? undefined : ["Install or update OpenSSH before adopting SSH certificate auth for this machine."]
+    }),
+    makeCheck2("github-app-auth", details["github_app_ref"] === "configured" ? "ok" : "warn", "GitHub App auth references", details["github_app_ref"] === "configured" ? "GitHub App id and private-key reference are configured" : "GitHub App id/private-key reference missing; use secret references, not user tokens or raw private keys.", {
+      data: {
+        gh_cli: details["gh_cli"] && details["gh_cli"] !== "missing",
+        gh_auth: details["gh_auth"] === "ok",
+        app_ref_configured: details["github_app_ref"] === "configured"
+      },
+      remediation: details["github_app_ref"] === "configured" ? undefined : ["Set HASNA_GITHUB_APP_ID plus HASNA_GITHUB_APP_PRIVATE_KEY_REF or provide an equivalent open-secrets adapter."]
+    }),
     ...optionalAdapterChecks
   ];
   return {
-    machineId,
+    machineId: reportedMachineId,
     source: commandChecks.source,
     schemaVersion: 1,
     generatedAt: now.toISOString(),

package/dist/commands/doctor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AACA,OAAO,EAA0B,KAAK,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAGrF,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE9F,eAAO,MAAM,+BAA+B,uEAAwE,CAAC;AAErH,MAAM,MAAM,2BAA2B,GAAG,OAAO,+BAA+B,CAAC,MAAM,CAAC,CAAC;AAEzF,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,aAAa,CAAC;IACxB,cAAc,EAAE,gBAAgB,CAAC;IACjC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,GAAG,EAAE,IAAI,CAAC;CACX;AAED,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,EAAE,oBAAoB,KAAK,WAAW,GAAG,WAAW,EAAE,GAAG,IAAI,GAAG,SAAS,CAAC;AAElH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,2BAA2B,EAAE,iBAAiB,CAAC,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,eAAe,CAAC,EAAE,qBAAqB,GAAG,IAAI,CAAC;IAC/C,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;IAC3B,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAkHD,wBAAgB,SAAS,CAAC,SAAS,SAAsB,EAAE,OAAO,GAAE,aAAkB,GAAG,YAAY,CA0IpG"}
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AACA,OAAO,EAA0B,KAAK,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAGrF,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE9F,eAAO,MAAM,+BAA+B,uEAAwE,CAAC;AAErH,MAAM,MAAM,2BAA2B,GAAG,OAAO,+BAA+B,CAAC,MAAM,CAAC,CAAC;AAEzF,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,aAAa,CAAC;IACxB,cAAc,EAAE,gBAAgB,CAAC;IACjC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,GAAG,EAAE,IAAI,CAAC;CACX;AAED,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,EAAE,oBAAoB,KAAK,WAAW,GAAG,WAAW,EAAE,GAAG,IAAI,GAAG,SAAS,CAAC;AAElH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,2BAA2B,EAAE,iBAAiB,CAAC,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,eAAe,CAAC,EAAE,qBAAqB,GAAG,IAAI,CAAC;IAC/C,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;IAC3B,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAuHD,wBAAgB,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,OAAO,GAAE,aAAkB,GAAG,YAAY,CA6LvF"}

package/dist/commands/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/commands/setup.ts"],"names":[],"mappings":"AAGA,OAAO,EAAoD,KAAK,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,KAAK,EAAmB,WAAW,EAAa,MAAM,aAAa,CAAC;AAsE3E,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,WAAW,CAyB9D;AAED,wBAAgB,QAAQ,CACtB,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,OAAO,CAAA;CAAO,EAChD,MAAM,GAAE,oBAAwC,GAC/C,WAAW,CAmCb"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/commands/setup.ts"],"names":[],"mappings":"AAGA,OAAO,EAAoD,KAAK,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,KAAK,EAAmB,WAAW,EAAa,MAAM,aAAa,CAAC;AAiG3E,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,WAAW,CAyB9D;AAED,wBAAgB,QAAQ,CACtB,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,OAAO,CAAA;CAAO,EAChD,MAAM,GAAE,oBAAwC,GAC/C,WAAW,CAmCb"}

package/dist/index.js

@@ -13079,7 +13079,12 @@ function buildDoctorCommand() {
     `printf 'ssh=%s\\n' "$(command -v ssh >/dev/null 2>&1 && printf ok || printf missing)"`,
     `printf 'machines=%s\\n' "$(command -v machines 2>/dev/null || printf missing)"`,
     `printf 'machines_agent=%s\\n' "$(command -v machines-agent 2>/dev/null || printf missing)"`,
-    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`
+    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`,
+    `printf 'sudo_noninteractive=%s\\n' "$(sudo -n true >/dev/null 2>&1 && printf ok || printf unavailable)"`,
+    `printf 'ssh_cert_support=%s\\n' "$(ssh -Q key-cert 2>/dev/null | grep -q 'ssh-ed25519-cert-v01@openssh.com' && printf ok || printf unavailable)"`,
+    `printf 'gh_cli=%s\\n' "$(command -v gh 2>/dev/null || printf missing)"`,
+    `printf 'gh_auth=%s\\n' "$(gh auth status >/dev/null 2>&1 && printf ok || printf unavailable)"`,
+    "printf 'github_app_ref=%s\\n' \"$(test -n \\\"${HASNA_GITHUB_APP_ID:-}\\\" -a -n \\\"${HASNA_GITHUB_APP_PRIVATE_KEY_REF:-}\\\" && printf configured || printf missing)\""
   ].join("; ");
 }
 function fallbackAdapterCheck(domain) {
@@ -13122,14 +13127,20 @@ function runOptionalAdapterChecks(context, adapters) {
   }
   return checks;
 }
-function runDoctor(machineId = getLocalMachineId(), options = {}) {
+function runDoctor(machineId, options = {}) {
+  const implicitLocalMachine = !machineId;
+  const requestedMachineId = machineId ?? getLocalMachineId();
+  const reportedMachineId = implicitLocalMachine ? "local" : requestedMachineId;
   const now = options.now ?? new Date;
   const { manifest, info: manifestSource } = readManifestWithSource({ adapter: options.manifestAdapter ?? null });
-  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
+  const commandChecks = runMachineCommand(requestedMachineId, buildDoctorCommand());
   const details = parseKeyValueOutput(commandChecks.stdout);
-  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
+  const machineInManifest = manifest.machines.find((machine) => machine.id === requestedMachineId);
+  const diagnosticMachine = machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null;
+  if (implicitLocalMachine && diagnosticMachine)
+    diagnosticMachine.id = reportedMachineId;
   const optionalAdapterChecks = options.includeOptionalAdapters === false ? [] : runOptionalAdapterChecks({
-    machineId,
+    machineId: requestedMachineId,
     manifest,
     manifestSource,
     commandDetails: details,
@@ -13145,10 +13156,10 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
       },
       remediation: manifestSource.warnings.length > 0 ? ["Provide a private manifest adapter or unset the private manifest ref to use the local manifest only."] : undefined
     }),
-    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(redactManifestForDiagnostics(machineInManifest)) : `No manifest entry for ${machineId}`, {
+    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", diagnosticMachine ? JSON.stringify(diagnosticMachine) : `No manifest entry for ${reportedMachineId}`, {
       data: {
         declared: Boolean(machineInManifest),
-        machine: machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null
+        machine: diagnosticMachine
       }
     }),
     makeCheck2("data-dir", details["data_dir_exists"] === "yes" ? "ok" : "warn", "Data directory check", `${redactPath(details["data_dir"] || "unknown")} ${details["data_dir_exists"] === "yes" ? "exists" : "missing"}`, {
@@ -13180,10 +13191,26 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
     makeCheck2("machines-agent-cli", details["machines_agent"] && details["machines_agent"] !== "missing" ? "ok" : "warn", "machines-agent availability", details["machines_agent"] || "missing"),
     makeCheck2("machines-mcp-cli", details["machines_mcp"] && details["machines_mcp"] !== "missing" ? "ok" : "warn", "machines-mcp availability", details["machines_mcp"] || "missing"),
     makeCheck2("ssh", details["ssh"] === "ok" ? "ok" : "warn", "SSH availability", details["ssh"] || "missing"),
+    makeCheck2("sudo-noninteractive", details["sudo_noninteractive"] === "ok" ? "ok" : "warn", "Noninteractive sudo availability", details["sudo_noninteractive"] === "ok" ? "sudo -n is available" : "sudo -n unavailable; setup may require user-provided approval or password handling.", {
+      data: { available: details["sudo_noninteractive"] === "ok" },
+      remediation: details["sudo_noninteractive"] === "ok" ? undefined : ["Configure explicit sudo policy or run setup commands manually; do not store sudo passwords in public manifests."]
+    }),
+    makeCheck2("ssh-cert-support", details["ssh_cert_support"] === "ok" ? "ok" : "warn", "SSH certificate support", details["ssh_cert_support"] === "ok" ? "OpenSSH reports ed25519 certificate support" : "OpenSSH certificate support not detected.", {
+      data: { supported: details["ssh_cert_support"] === "ok" },
+      remediation: details["ssh_cert_support"] === "ok" ? undefined : ["Install or update OpenSSH before adopting SSH certificate auth for this machine."]
+    }),
+    makeCheck2("github-app-auth", details["github_app_ref"] === "configured" ? "ok" : "warn", "GitHub App auth references", details["github_app_ref"] === "configured" ? "GitHub App id and private-key reference are configured" : "GitHub App id/private-key reference missing; use secret references, not user tokens or raw private keys.", {
+      data: {
+        gh_cli: details["gh_cli"] && details["gh_cli"] !== "missing",
+        gh_auth: details["gh_auth"] === "ok",
+        app_ref_configured: details["github_app_ref"] === "configured"
+      },
+      remediation: details["github_app_ref"] === "configured" ? undefined : ["Set HASNA_GITHUB_APP_ID plus HASNA_GITHUB_APP_PRIVATE_KEY_REF or provide an equivalent open-secrets adapter."]
+    }),
     ...optionalAdapterChecks
   ];
   return {
-    machineId,
+    machineId: reportedMachineId,
     source: commandChecks.source,
     schemaVersion: 1,
     generatedAt: now.toISOString(),
@@ -14233,6 +14260,13 @@ function buildBaseSteps(machine) {
       manager: "apt",
       privileged: true
     });
+    steps.push({
+      id: "linux-update-downloads",
+      title: "Enable Linux package list refresh and download-only upgrades",
+      command: `printf '%s\\n' 'APT::Periodic::Update-Package-Lists "1";' 'APT::Periodic::Download-Upgradeable-Packages "1";' 'APT::Periodic::Unattended-Upgrade "0";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null`,
+      manager: "apt",
+      privileged: true
+    });
   } else if (machine.platform === "macos") {
     steps.push({
       id: "brew-base",
@@ -14246,7 +14280,26 @@ function buildBaseSteps(machine) {
       command: "brew install git coreutils",
       manager: "brew"
     });
+    steps.push({
+      id: "macos-update-downloads",
+      title: "Enable macOS update checks and downloads without automatic install",
+      command: "sudo softwareupdate --schedule on && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -int 0",
+      manager: "custom",
+      privileged: true
+    });
+    steps.push({
+      id: "macos-management-readiness",
+      title: "Report Apple management readiness without enrolling devices",
+      command: "profiles status -type enrollment 2>/dev/null || true",
+      manager: "custom"
+    });
   }
+  steps.push({
+    id: "github-app-auth-readiness",
+    title: "Check GitHub CLI/App auth readiness without printing credentials",
+    command: "command -v gh >/dev/null 2>&1 && gh auth status >/dev/null 2>&1 || true",
+    manager: "custom"
+  });
   return steps;
 }
 function buildPackageSteps(machine) {

package/dist/mcp/index.js

@@ -5825,7 +5825,12 @@ function buildDoctorCommand() {
     `printf 'ssh=%s\\n' "$(command -v ssh >/dev/null 2>&1 && printf ok || printf missing)"`,
     `printf 'machines=%s\\n' "$(command -v machines 2>/dev/null || printf missing)"`,
     `printf 'machines_agent=%s\\n' "$(command -v machines-agent 2>/dev/null || printf missing)"`,
-    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`
+    `printf 'machines_mcp=%s\\n' "$(command -v machines-mcp 2>/dev/null || printf missing)"`,
+    `printf 'sudo_noninteractive=%s\\n' "$(sudo -n true >/dev/null 2>&1 && printf ok || printf unavailable)"`,
+    `printf 'ssh_cert_support=%s\\n' "$(ssh -Q key-cert 2>/dev/null | grep -q 'ssh-ed25519-cert-v01@openssh.com' && printf ok || printf unavailable)"`,
+    `printf 'gh_cli=%s\\n' "$(command -v gh 2>/dev/null || printf missing)"`,
+    `printf 'gh_auth=%s\\n' "$(gh auth status >/dev/null 2>&1 && printf ok || printf unavailable)"`,
+    "printf 'github_app_ref=%s\\n' \"$(test -n \\\"${HASNA_GITHUB_APP_ID:-}\\\" -a -n \\\"${HASNA_GITHUB_APP_PRIVATE_KEY_REF:-}\\\" && printf configured || printf missing)\""
   ].join("; ");
 }
 function fallbackAdapterCheck(domain) {
@@ -5868,14 +5873,20 @@ function runOptionalAdapterChecks(context, adapters) {
   }
   return checks;
 }
-function runDoctor(machineId = getLocalMachineId(), options = {}) {
+function runDoctor(machineId, options = {}) {
+  const implicitLocalMachine = !machineId;
+  const requestedMachineId = machineId ?? getLocalMachineId();
+  const reportedMachineId = implicitLocalMachine ? "local" : requestedMachineId;
   const now = options.now ?? new Date;
   const { manifest, info: manifestSource } = readManifestWithSource({ adapter: options.manifestAdapter ?? null });
-  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
+  const commandChecks = runMachineCommand(requestedMachineId, buildDoctorCommand());
   const details = parseKeyValueOutput(commandChecks.stdout);
-  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
+  const machineInManifest = manifest.machines.find((machine) => machine.id === requestedMachineId);
+  const diagnosticMachine = machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null;
+  if (implicitLocalMachine && diagnosticMachine)
+    diagnosticMachine.id = reportedMachineId;
   const optionalAdapterChecks = options.includeOptionalAdapters === false ? [] : runOptionalAdapterChecks({
-    machineId,
+    machineId: requestedMachineId,
     manifest,
     manifestSource,
     commandDetails: details,
@@ -5891,10 +5902,10 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
       },
       remediation: manifestSource.warnings.length > 0 ? ["Provide a private manifest adapter or unset the private manifest ref to use the local manifest only."] : undefined
     }),
-    makeCheck("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(redactManifestForDiagnostics(machineInManifest)) : `No manifest entry for ${machineId}`, {
+    makeCheck("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", diagnosticMachine ? JSON.stringify(diagnosticMachine) : `No manifest entry for ${reportedMachineId}`, {
       data: {
         declared: Boolean(machineInManifest),
-        machine: machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null
+        machine: diagnosticMachine
       }
     }),
     makeCheck("data-dir", details["data_dir_exists"] === "yes" ? "ok" : "warn", "Data directory check", `${redactPath(details["data_dir"] || "unknown")} ${details["data_dir_exists"] === "yes" ? "exists" : "missing"}`, {
@@ -5926,10 +5937,26 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
     makeCheck("machines-agent-cli", details["machines_agent"] && details["machines_agent"] !== "missing" ? "ok" : "warn", "machines-agent availability", details["machines_agent"] || "missing"),
     makeCheck("machines-mcp-cli", details["machines_mcp"] && details["machines_mcp"] !== "missing" ? "ok" : "warn", "machines-mcp availability", details["machines_mcp"] || "missing"),
     makeCheck("ssh", details["ssh"] === "ok" ? "ok" : "warn", "SSH availability", details["ssh"] || "missing"),
+    makeCheck("sudo-noninteractive", details["sudo_noninteractive"] === "ok" ? "ok" : "warn", "Noninteractive sudo availability", details["sudo_noninteractive"] === "ok" ? "sudo -n is available" : "sudo -n unavailable; setup may require user-provided approval or password handling.", {
+      data: { available: details["sudo_noninteractive"] === "ok" },
+      remediation: details["sudo_noninteractive"] === "ok" ? undefined : ["Configure explicit sudo policy or run setup commands manually; do not store sudo passwords in public manifests."]
+    }),
+    makeCheck("ssh-cert-support", details["ssh_cert_support"] === "ok" ? "ok" : "warn", "SSH certificate support", details["ssh_cert_support"] === "ok" ? "OpenSSH reports ed25519 certificate support" : "OpenSSH certificate support not detected.", {
+      data: { supported: details["ssh_cert_support"] === "ok" },
+      remediation: details["ssh_cert_support"] === "ok" ? undefined : ["Install or update OpenSSH before adopting SSH certificate auth for this machine."]
+    }),
+    makeCheck("github-app-auth", details["github_app_ref"] === "configured" ? "ok" : "warn", "GitHub App auth references", details["github_app_ref"] === "configured" ? "GitHub App id and private-key reference are configured" : "GitHub App id/private-key reference missing; use secret references, not user tokens or raw private keys.", {
+      data: {
+        gh_cli: details["gh_cli"] && details["gh_cli"] !== "missing",
+        gh_auth: details["gh_auth"] === "ok",
+        app_ref_configured: details["github_app_ref"] === "configured"
+      },
+      remediation: details["github_app_ref"] === "configured" ? undefined : ["Set HASNA_GITHUB_APP_ID plus HASNA_GITHUB_APP_PRIVATE_KEY_REF or provide an equivalent open-secrets adapter."]
+    }),
     ...optionalAdapterChecks
   ];
   return {
-    machineId,
+    machineId: reportedMachineId,
     source: commandChecks.source,
     schemaVersion: 1,
     generatedAt: now.toISOString(),
@@ -6720,6 +6747,13 @@ function buildBaseSteps(machine) {
       manager: "apt",
       privileged: true
     });
+    steps.push({
+      id: "linux-update-downloads",
+      title: "Enable Linux package list refresh and download-only upgrades",
+      command: `printf '%s\\n' 'APT::Periodic::Update-Package-Lists "1";' 'APT::Periodic::Download-Upgradeable-Packages "1";' 'APT::Periodic::Unattended-Upgrade "0";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null`,
+      manager: "apt",
+      privileged: true
+    });
   } else if (machine.platform === "macos") {
     steps.push({
       id: "brew-base",
@@ -6733,7 +6767,26 @@ function buildBaseSteps(machine) {
       command: "brew install git coreutils",
       manager: "brew"
     });
+    steps.push({
+      id: "macos-update-downloads",
+      title: "Enable macOS update checks and downloads without automatic install",
+      command: "sudo softwareupdate --schedule on && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -int 0",
+      manager: "custom",
+      privileged: true
+    });
+    steps.push({
+      id: "macos-management-readiness",
+      title: "Report Apple management readiness without enrolling devices",
+      command: "profiles status -type enrollment 2>/dev/null || true",
+      manager: "custom"
+    });
   }
+  steps.push({
+    id: "github-app-auth-readiness",
+    title: "Check GitHub CLI/App auth readiness without printing credentials",
+    command: "command -v gh >/dev/null 2>&1 && gh auth status >/dev/null 2>&1 || true",
+    manager: "custom"
+  });
   return steps;
 }
 function buildPackageSteps(machine) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/machines",
-  "version": "0.0.35",
+  "version": "0.0.37",
   "description": "Machine fleet management CLI + MCP for developers",
   "type": "module",
   "license": "Apache-2.0",