npm - @hasna/machines - Versions diffs - 0.0.36 → 0.0.38 - Mend

@hasna/machines 0.0.36 → 0.0.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/README.md +54 -0
package/dist/agent/index.js +10554 -166
package/dist/agent/runtime.d.ts +33 -3
package/dist/agent/runtime.d.ts.map +1 -1
package/dist/cli/index.js +886 -58
package/dist/commands/daemon.d.ts +76 -0
package/dist/commands/daemon.d.ts.map +1 -0
package/dist/commands/doctor.d.ts.map +1 -1
package/dist/commands/serve.d.ts.map +1 -1
package/dist/commands/status.d.ts.map +1 -1
package/dist/consumer.js +225 -6
package/dist/db.d.ts +29 -1
package/dist/db.d.ts.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1330 -228
package/dist/manifests.d.ts +6 -6
package/dist/mcp/index.js +1755 -1083
package/dist/mcp/server.d.ts +1 -1
package/dist/mcp/server.d.ts.map +1 -1
package/dist/pg-migrations.d.ts.map +1 -1
package/dist/redaction.d.ts +9 -0
package/dist/redaction.d.ts.map +1 -1
package/dist/remote-storage.d.ts +3 -0
package/dist/remote-storage.d.ts.map +1 -1
package/dist/storage.js +116 -7
package/dist/topology.d.ts +21 -0
package/dist/topology.d.ts.map +1 -1
package/dist/types.d.ts +5 -0
package/dist/types.d.ts.map +1 -1
package/package.json +1 -1

package/dist/cli/index.js CHANGED Viewed

@@ -2135,9 +2135,23 @@ function createTables(db) {
       pid INTEGER NOT NULL,
       status TEXT NOT NULL,
       updated_at TEXT NOT NULL,
+      daemon_version TEXT,
+      agent_mode TEXT,
+      platform TEXT,
+      os_version TEXT,
+      os_build TEXT,
+      arch TEXT,
+      uptime_seconds INTEGER,
+      tool_versions_json TEXT,
+      tailscale_json TEXT,
+      storage_sync_status TEXT,
+      storage_sync_last_error TEXT,
+      doctor_summary_json TEXT,
+      private_metadata INTEGER NOT NULL DEFAULT 0,
       PRIMARY KEY (machine_id, pid)
     )
   `);
+  migrateAgentHeartbeats(db);
   db.exec(`
     CREATE TABLE IF NOT EXISTS setup_runs (
       id TEXT PRIMARY KEY,
@@ -2159,6 +2173,15 @@ function createTables(db) {
     )
   `);
 }
+function migrateAgentHeartbeats(db) {
+  const columns = db.query("PRAGMA table_info(agent_heartbeats)").all();
+  const existing = new Set(columns.map((column) => column.name));
+  for (const column of AGENT_HEARTBEAT_COLUMNS) {
+    if (existing.has(column.name))
+      continue;
+    db.exec(`ALTER TABLE agent_heartbeats ADD COLUMN ${column.name} ${column.definition}`);
+  }
+}
 function getAdapter(path = getDbPath()) {
   if (path === ":memory:") {
     const memoryAdapter = new SqliteAdapter(path);
@@ -2187,12 +2210,12 @@ function getLocalMachineId() {
 function listHeartbeats(machineId) {
   const db = getDb();
   if (machineId) {
-    return db.query(`SELECT machine_id, pid, status, updated_at
+    return db.query(`SELECT *
          FROM agent_heartbeats
          WHERE machine_id = ?
          ORDER BY updated_at DESC`).all(machineId);
   }
-  return db.query(`SELECT machine_id, pid, status, updated_at
+  return db.query(`SELECT *
        FROM agent_heartbeats
        ORDER BY updated_at DESC`).all();
 }
@@ -2213,9 +2236,24 @@ function recordSyncRun(machineId, status, actions) {
   db.query(`INSERT INTO sync_runs (id, machine_id, status, actions_json, created_at, updated_at)
      VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(actions), now, now);
 }
-var adapter = null;
+var adapter = null, AGENT_HEARTBEAT_COLUMNS;
 var init_db = __esm(() => {
   init_paths();
+  AGENT_HEARTBEAT_COLUMNS = [
+    { name: "daemon_version", definition: "TEXT" },
+    { name: "agent_mode", definition: "TEXT" },
+    { name: "platform", definition: "TEXT" },
+    { name: "os_version", definition: "TEXT" },
+    { name: "os_build", definition: "TEXT" },
+    { name: "arch", definition: "TEXT" },
+    { name: "uptime_seconds", definition: "INTEGER" },
+    { name: "tool_versions_json", definition: "TEXT" },
+    { name: "tailscale_json", definition: "TEXT" },
+    { name: "storage_sync_status", definition: "TEXT" },
+    { name: "storage_sync_last_error", definition: "TEXT" },
+    { name: "doctor_summary_json", definition: "TEXT" },
+    { name: "private_metadata", definition: "INTEGER NOT NULL DEFAULT 0" }
+  ];
 });
 // src/pg-migrations.ts
@@ -2228,9 +2266,36 @@ var init_pg_migrations = __esm(() => {
     pid INTEGER NOT NULL,
     status TEXT NOT NULL,
     updated_at TIMESTAMPTZ NOT NULL,
+    daemon_version TEXT,
+    agent_mode TEXT,
+    platform TEXT,
+    os_version TEXT,
+    os_build TEXT,
+    arch TEXT,
+    uptime_seconds INTEGER,
+    tool_versions_json TEXT,
+    tailscale_json TEXT,
+    storage_sync_status TEXT,
+    storage_sync_last_error TEXT,
+    doctor_summary_json TEXT,
+    private_metadata INTEGER NOT NULL DEFAULT 0,
     PRIMARY KEY (machine_id, pid)
   );
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS daemon_version TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS agent_mode TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS platform TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS os_version TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS os_build TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS arch TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS uptime_seconds INTEGER;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS tool_versions_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS tailscale_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS storage_sync_status TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS storage_sync_last_error TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS doctor_summary_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS private_metadata INTEGER NOT NULL DEFAULT 0;
   CREATE TABLE IF NOT EXISTS setup_runs (
     id TEXT PRIMARY KEY,
     machine_id TEXT NOT NULL,
@@ -2263,7 +2328,20 @@ function normalizeParams(params) {
   return flat.map((value) => value === undefined ? null : value);
 }
 function sslConfigFor(connectionString) {
-  return connectionString.includes("sslmode=require") || connectionString.includes("ssl=true") ? { rejectUnauthorized: false } : undefined;
+  let url;
+  try {
+    url = new URL(connectionString);
+  } catch {
+    return;
+  }
+  const sslMode = url.searchParams.get("sslmode")?.toLowerCase();
+  const ssl = url.searchParams.get("ssl")?.toLowerCase();
+  if (sslMode === "disable" || ssl === "false")
+    return;
+  if (sslMode === "no-verify" || process.env["HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED"] === "0") {
+    return { rejectUnauthorized: false };
+  }
+  return sslMode || ssl === "true" ? { rejectUnauthorized: true } : undefined;
 }
 class PgAdapterAsync {
@@ -2603,7 +2681,7 @@ var {
 // src/cli/index.ts
 import { registerEventCommands, registerWebhookCommands } from "@hasna/events/commander";
-import { execFileSync } from "child_process";
+import { execFileSync as execFileSync2 } from "child_process";
 // node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET = 10;
@@ -7095,6 +7173,9 @@ init_paths();
 // src/redaction.ts
 var REDACTED_VALUE = "[redacted]";
+var PRIVATE_OUTPUT_ENV = "HASNA_MACHINES_ALLOW_PRIVATE_OUTPUT";
+var PRIVATE_OUTPUT_FALLBACK_ENV = "MACHINES_ALLOW_PRIVATE_OUTPUT";
+var PRIVATE_OUTPUT_DENIED_WARNING = `private_output_denied:set ${PRIVATE_OUTPUT_ENV}=1 to allow private metadata output`;
 var SENSITIVE_KEY_PATTERN = /(password|passwd|token|credential|private[_-]?key|privateKey|api[_-]?key|github.*key|pem|secret)/i;
 var SECRET_REFERENCE_KEY_PATTERN = /(secret(ref(erence)?|key)?|secretRef|secretKey)$/i;
 var SENSITIVE_VALUE_PATTERNS = [
@@ -7105,9 +7186,17 @@ var SENSITIVE_VALUE_PATTERNS = [
   /\bAKIA[0-9A-Z]{16}\b/,
   /\bsk-[A-Za-z0-9_-]{20,}\b/
 ];
+var IPV4_PATTERN = /\b(?:10|127|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168|100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7]))(?:\.\d{1,3}){2}\b/g;
+var IPV6_PATTERN = /\b(?:fc|fd|fe80)[0-9a-f:]*:[0-9a-f:]+\b/gi;
+var DATABASE_URL_PATTERN = /\b(?:postgres(?:ql)?|mysql|mariadb|redis|mongodb|s3):\/\/[^\s"'<>]+/gi;
+var PRIVATE_HOST_PATTERN = /\b(?:[A-Za-z0-9._%+-]+@)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?:\.tailnet(?:\.[A-Za-z0-9-]+)*|\.ts\.net|\.private(?:\.[A-Za-z0-9-]+)*|\.internal|\.local)\b/gi;
 function isSensitiveKey(key) {
   return SENSITIVE_KEY_PATTERN.test(key);
 }
+function isPrivateOutputEnabled(env2 = process.env) {
+  const value = env2[PRIVATE_OUTPUT_ENV] ?? env2[PRIVATE_OUTPUT_FALLBACK_ENV];
+  return ["1", "true", "yes", "on", "private"].includes(String(value ?? "").trim().toLowerCase());
+}
 function isSecretReferenceKey(key) {
   return SECRET_REFERENCE_KEY_PATTERN.test(key);
 }
@@ -7120,6 +7209,12 @@ function isRecord(value) {
 function redactPath(value) {
   return value.replace(/\/home\/[^/\s]+/g, "/home/<user>").replace(/\/Users\/[^/\s]+/g, "/Users/<user>").replace(/[A-Za-z]:\\Users\\[^\\\s]+/g, "C:\\Users\\<user>");
 }
+function redactErrorMessage(value) {
+  return redactPath(value).replace(DATABASE_URL_PATTERN, (match) => {
+    const scheme = match.match(/^([a-z][a-z0-9+.-]*:\/\/)/i)?.[1] ?? "";
+    return `${scheme}${REDACTED_VALUE}`;
+  }).replace(IPV4_PATTERN, REDACTED_VALUE).replace(IPV6_PATTERN, REDACTED_VALUE).replace(PRIVATE_HOST_PATTERN, REDACTED_VALUE);
+}
 function redactPrivateRef(value) {
   const trimmed = value.trim();
   const scheme = trimmed.match(/^([a-z][a-z0-9+.-]*:\/\/)/i);
@@ -7589,6 +7684,16 @@ function routeRank(hint) {
 function selectRouteHint(hints) {
   return [...hints].sort((left, right) => routeRank(left) - routeRank(right))[0] ?? null;
 }
+function parseHeartbeatJson(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
 function buildEntry(input) {
   const manifest = input.manifest;
   const peer = input.peer;
@@ -7611,6 +7716,22 @@ function buildEntry(input) {
     manifest_declared: Boolean(manifest),
     heartbeat_status: input.heartbeat?.status ?? "unknown",
     last_heartbeat_at: input.heartbeat?.updated_at ?? null,
+    agent: {
+      pid: input.heartbeat?.pid ?? null,
+      daemon_version: input.heartbeat?.daemon_version ?? null,
+      mode: input.heartbeat?.agent_mode ?? null,
+      private_metadata: Boolean(input.heartbeat?.private_metadata),
+      platform: input.heartbeat?.platform ?? null,
+      os_version: input.heartbeat?.os_version ?? null,
+      os_build: input.heartbeat?.os_build ?? null,
+      arch: input.heartbeat?.arch ?? null,
+      uptime_seconds: input.heartbeat?.uptime_seconds ?? null,
+      tool_versions: parseHeartbeatJson(input.heartbeat?.tool_versions_json),
+      tailscale: parseHeartbeatJson(input.heartbeat?.tailscale_json),
+      storage_sync_status: input.heartbeat?.storage_sync_status ?? null,
+      storage_sync_last_error: input.heartbeat?.storage_sync_last_error ?? null,
+      doctor_summary: parseHeartbeatJson(input.heartbeat?.doctor_summary_json)
+    },
     tailscale: {
       dns_name: manifest?.tailscaleName ?? peer?.DNSName?.replace(/\.$/, "") ?? null,
       ips: peer?.TailscaleIPs ?? [],
@@ -7670,6 +7791,72 @@ function discoverMachineTopology(options = {}) {
     warnings
   };
 }
+function redactFleetString(value) {
+  if (!value)
+    return value;
+  return redactErrorMessage(value);
+}
+function redactPublicRecord(value) {
+  if (!value)
+    return null;
+  const redacted = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (/(host|hostname|dns|ip|ips|user|username|serial|address|target|url|token|secret|password|credential)/i.test(key)) {
+      redacted[key] = REDACTED_VALUE;
+      continue;
+    }
+    if (typeof entry === "string") {
+      redacted[key] = redactFleetString(entry);
+    } else if (Array.isArray(entry)) {
+      redacted[key] = entry.map((item) => {
+        if (typeof item === "string")
+          return redactFleetString(item);
+        if (item && typeof item === "object")
+          return redactPublicRecord(item);
+        return item;
+      });
+    } else if (entry && typeof entry === "object") {
+      redacted[key] = redactPublicRecord(entry);
+    } else {
+      redacted[key] = entry;
+    }
+  }
+  return redactSensitiveValue(redacted);
+}
+function redactTopologyForOutput(topology, options = {}) {
+  if (options.privateMetadata)
+    return topology;
+  return {
+    ...topology,
+    local_hostname: REDACTED_VALUE,
+    warnings: topology.warnings.map(redactFleetString),
+    machines: topology.machines.map((machine) => ({
+      ...machine,
+      hostname: machine.hostname ? REDACTED_VALUE : null,
+      user: machine.user ? REDACTED_VALUE : null,
+      tailscale: {
+        ...machine.tailscale,
+        dns_name: machine.tailscale.dns_name ? REDACTED_VALUE : null,
+        ips: machine.tailscale.ips.map(() => REDACTED_VALUE)
+      },
+      ssh: {
+        ...machine.ssh,
+        address: machine.ssh.address ? REDACTED_VALUE : null,
+        command_target: machine.ssh.command_target ? REDACTED_VALUE : null
+      },
+      route_hints: machine.route_hints.map((hint) => ({
+        ...hint,
+        target: REDACTED_VALUE
+      })),
+      agent: {
+        ...machine.agent,
+        tailscale: redactPublicRecord(machine.agent.tailscale),
+        storage_sync_last_error: machine.agent.storage_sync_last_error ? redactFleetString(machine.agent.storage_sync_last_error) : null,
+        doctor_summary: redactPublicRecord(machine.agent.doctor_summary)
+      }
+    }))
+  };
+}
 function normalizeMachineAlias(value) {
   return value.trim().replace(/\.$/, "").toLowerCase();
 }
@@ -7863,6 +8050,20 @@ function resolveMachineRoute(machineId, options = {}) {
     warnings
   };
 }
+function redactRouteForOutput(route, options = {}) {
+  if (options.privateMetadata)
+    return route;
+  return {
+    ...route,
+    target: route.target ? REDACTED_VALUE : null,
+    command_target: route.command_target ? REDACTED_VALUE : null,
+    warnings: route.warnings.map(redactFleetString),
+    evidence: {
+      ...route.evidence,
+      selected_hint: route.evidence.selected_hint ? { ...route.evidence.selected_hint, target: REDACTED_VALUE } : null
+    }
+  };
+}
 function isRecord2(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -9752,6 +9953,16 @@ function runSync(machineId, options = {}, runner = runMachineCommand) {
 // src/commands/status.ts
 init_db();
 init_paths();
+function parseJsonObject(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
 function getStatus() {
   const manifest = readManifest();
   const heartbeats = listHeartbeats();
@@ -9775,7 +9986,12 @@ function getStatus() {
         platform: declared?.platform,
         manifestDeclared: Boolean(declared),
         heartbeatStatus: heartbeat?.status || "unknown",
-        lastHeartbeatAt: heartbeat?.updated_at
+        lastHeartbeatAt: heartbeat?.updated_at,
+        daemonVersion: heartbeat?.daemon_version ?? null,
+        agentMode: heartbeat?.agent_mode ?? null,
+        storageSyncStatus: heartbeat?.storage_sync_status ?? null,
+        doctorSummary: parseJsonObject(heartbeat?.doctor_summary_json),
+        privateMetadata: Boolean(heartbeat?.private_metadata)
       };
     }),
     recentSetupRuns: countRuns("setup_runs"),
@@ -10266,14 +10482,20 @@ function runOptionalAdapterChecks(context, adapters) {
   }
   return checks;
 }
-function runDoctor(machineId = getLocalMachineId(), options = {}) {
+function runDoctor(machineId, options = {}) {
+  const implicitLocalMachine = !machineId;
+  const requestedMachineId = machineId ?? getLocalMachineId();
+  const reportedMachineId = implicitLocalMachine ? "local" : requestedMachineId;
   const now = options.now ?? new Date;
   const { manifest, info: manifestSource } = readManifestWithSource({ adapter: options.manifestAdapter ?? null });
-  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
+  const commandChecks = runMachineCommand(requestedMachineId, buildDoctorCommand());
   const details = parseKeyValueOutput(commandChecks.stdout);
-  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
+  const machineInManifest = manifest.machines.find((machine) => machine.id === requestedMachineId);
+  const diagnosticMachine = machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null;
+  if (implicitLocalMachine && diagnosticMachine)
+    diagnosticMachine.id = reportedMachineId;
   const optionalAdapterChecks = options.includeOptionalAdapters === false ? [] : runOptionalAdapterChecks({
-    machineId,
+    machineId: requestedMachineId,
     manifest,
     manifestSource,
     commandDetails: details,
@@ -10289,10 +10511,10 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
       },
       remediation: manifestSource.warnings.length > 0 ? ["Provide a private manifest adapter or unset the private manifest ref to use the local manifest only."] : undefined
     }),
-    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(redactManifestForDiagnostics(machineInManifest)) : `No manifest entry for ${machineId}`, {
+    makeCheck2("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", diagnosticMachine ? JSON.stringify(diagnosticMachine) : `No manifest entry for ${reportedMachineId}`, {
       data: {
         declared: Boolean(machineInManifest),
-        machine: machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null
+        machine: diagnosticMachine
       }
     }),
     makeCheck2("data-dir", details["data_dir_exists"] === "yes" ? "ok" : "warn", "Data directory check", `${redactPath(details["data_dir"] || "unknown")} ${details["data_dir_exists"] === "yes" ? "exists" : "missing"}`, {
@@ -10343,7 +10565,7 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
     ...optionalAdapterChecks
   ];
   return {
-    machineId,
+    machineId: reportedMachineId,
     source: commandChecks.source,
     schemaVersion: 1,
     generatedAt: now.toISOString(),
@@ -10355,11 +10577,514 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
   };
 }
+// src/commands/daemon.ts
+import { execFileSync } from "child_process";
+import { chmodSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync4 } from "fs";
+import { dirname as dirname4 } from "path";
+import { platform as osPlatform } from "os";
+var DEFAULT_SERVICE_NAME = "machines-agent";
+var DEFAULT_EXECUTABLE = "/usr/local/bin/machines-agent";
+var DEFAULT_INTERVAL_MS = 30000;
+var ENV_NAME_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+var SERVICE_NAME_PATTERN = /^[A-Za-z0-9_.-]+$/;
+function buildDaemonServicePlan(options) {
+  const resolved = resolveDaemonServiceOptions(options);
+  const files = resolved.action === "install" ? [buildServiceFile(resolved)] : [];
+  return {
+    platform: resolved.platform,
+    mode: resolved.mode,
+    action: resolved.action,
+    serviceName: resolved.serviceName,
+    serviceId: resolved.serviceId,
+    executable: resolved.executable,
+    intervalMs: resolved.intervalMs,
+    commands: buildActionCommands(resolved),
+    files,
+    warnings: resolved.warnings,
+    manualSteps: buildManualSteps(resolved, files)
+  };
+}
+function runDaemonServicePlan(plan, options = {}) {
+  const apply = options.apply === true;
+  const allowed = apply && options.yes === true;
+  const warnings = [...plan.warnings];
+  const filesWritten = [];
+  const commands = [];
+  if (apply && !allowed) {
+    warnings.push("apply_requires_yes");
+  }
+  if (allowed) {
+    for (const file of plan.files) {
+      const path = expandShellPath(file.path);
+      let content;
+      try {
+        content = materializePlaceholders(file.content);
+      } catch (error) {
+        warnings.push(error instanceof Error ? error.message : String(error));
+        return {
+          mode: "plan",
+          applied: false,
+          plan,
+          filesWritten,
+          commands: plan.commands.map((commandSpec) => ({
+            id: commandSpec.id,
+            command: renderCommand(commandSpec),
+            skipped: true,
+            exitCode: null,
+            stdout: "",
+            stderr: ""
+          })),
+          warnings
+        };
+      }
+      mkdirSync2(dirname4(path), { recursive: true });
+      writeFileSync4(path, content, "utf8");
+      chmodSync(path, Number.parseInt(file.mode, 8));
+      filesWritten.push(path);
+    }
+  }
+  for (const commandSpec of plan.commands) {
+    const commandLine = renderCommand(commandSpec);
+    if (!allowed) {
+      commands.push({
+        id: commandSpec.id,
+        command: commandLine,
+        skipped: true,
+        exitCode: null,
+        stdout: "",
+        stderr: ""
+      });
+      continue;
+    }
+    const program2 = commandLine[0];
+    const args = commandLine.slice(1);
+    try {
+      const result = execFileSync(program2, args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
+      commands.push({
+        id: commandSpec.id,
+        command: commandLine,
+        skipped: false,
+        exitCode: 0,
+        stdout: result,
+        stderr: ""
+      });
+    } catch (error) {
+      const maybe = error;
+      if (commandSpec.allowFailure) {
+        commands.push({
+          id: commandSpec.id,
+          command: commandLine,
+          skipped: false,
+          exitCode: typeof maybe.status === "number" ? maybe.status : 1,
+          stdout: String(maybe.stdout ?? ""),
+          stderr: String(maybe.stderr ?? ""),
+          error: maybe.message ?? String(error)
+        });
+        continue;
+      }
+      commands.push({
+        id: commandSpec.id,
+        command: commandLine,
+        skipped: false,
+        exitCode: typeof maybe.status === "number" ? maybe.status : 1,
+        stdout: String(maybe.stdout ?? ""),
+        stderr: String(maybe.stderr ?? ""),
+        error: maybe.message ?? String(error)
+      });
+      break;
+    }
+  }
+  return {
+    mode: allowed ? "apply" : "plan",
+    applied: allowed,
+    plan,
+    filesWritten,
+    commands,
+    warnings
+  };
+}
+function resolveDaemonServiceOptions(options) {
+  const warnings = [];
+  const serviceName = normalizeServiceName(options.serviceName, warnings);
+  const platform4 = normalizePlatform3(options.platform, warnings);
+  const mode = options.mode ?? "user";
+  const intervalMs = normalizeIntervalMs(options.intervalMs, warnings);
+  const executable = options.executable?.trim() || DEFAULT_EXECUTABLE;
+  if (platform4 === "linux" && !executable.startsWith("/")) {
+    warnings.push("systemd units should use an absolute executable path; install plan keeps the provided path unchanged.");
+  }
+  return {
+    action: options.action,
+    platform: platform4,
+    mode,
+    serviceName,
+    serviceId: serviceName,
+    executable,
+    intervalMs,
+    env: buildEnvironment(serviceName, options, warnings),
+    warnings
+  };
+}
+function normalizeServiceName(value, warnings) {
+  const serviceName = value?.trim() || DEFAULT_SERVICE_NAME;
+  if (SERVICE_NAME_PATTERN.test(serviceName))
+    return serviceName;
+  warnings.push(`Invalid serviceName "${serviceName}"; using ${DEFAULT_SERVICE_NAME}.`);
+  return DEFAULT_SERVICE_NAME;
+}
+function normalizePlatform3(value, warnings) {
+  const raw = value ?? osPlatform();
+  if (raw === "darwin" || raw === "macos")
+    return "macos";
+  if (raw === "linux")
+    return "linux";
+  warnings.push(`Unsupported platform "${raw}"; using linux service planning.`);
+  return "linux";
+}
+function normalizeIntervalMs(value, warnings) {
+  if (value === undefined)
+    return DEFAULT_INTERVAL_MS;
+  if (Number.isInteger(value) && value > 0)
+    return value;
+  warnings.push(`Invalid intervalMs "${String(value)}"; using ${DEFAULT_INTERVAL_MS}.`);
+  return DEFAULT_INTERVAL_MS;
+}
+function buildEnvironment(serviceName, options, warnings) {
+  const env2 = {
+    HASNA_MACHINES_AGENT_MODE: "daemon",
+    HASNA_MACHINES_AGENT_SERVICE: serviceName
+  };
+  if (options.storagePush) {
+    env2["HASNA_MACHINES_AGENT_STORAGE_PUSH"] = "1";
+    env2["HASNA_MACHINES_AGENT_STORAGE_PUSH_BACKOFF_MS"] = "250";
+    env2["HASNA_MACHINES_AGENT_STORAGE_PUSH_RETRIES"] = "2";
+    env2["HASNA_MACHINES_STORAGE_MODE"] = "hybrid";
+    env2["HASNA_MACHINES_DATABASE_URL"] = placeholderForEnv("HASNA_MACHINES_DATABASE_URL");
+    warnings.push("storagePush is represented with env placeholders; no database URL is embedded in the plan.");
+  }
+  if (options.doctorSummary) {
+    env2["HASNA_MACHINES_AGENT_DOCTOR_SUMMARY"] = "1";
+  }
+  if (options.privateMetadata === true) {
+    env2["HASNA_MACHINES_PRIVATE_METADATA"] = "1";
+    warnings.push("privateMetadata=true enables private host/network facts in heartbeat rows; do not share private-mode output publicly.");
+  } else if (Array.isArray(options.privateMetadata)) {
+    addEnvPlaceholders(env2, options.privateMetadata, warnings);
+  }
+  addEnvPlaceholders(env2, options.env ?? [], warnings);
+  return Object.fromEntries(Object.entries(env2).sort(([left], [right]) => left.localeCompare(right)));
+}
+function addEnvPlaceholders(env2, names, warnings) {
+  for (const rawName of names) {
+    const name = rawName.trim();
+    if (!ENV_NAME_PATTERN.test(name)) {
+      warnings.push(`Invalid environment variable name "${rawName}"; skipped.`);
+      continue;
+    }
+    env2[name] = placeholderForEnv(name);
+  }
+}
+function placeholderForEnv(name) {
+  return `<set:${name}>`;
+}
+function buildServiceFile(options) {
+  if (options.platform === "macos") {
+    return {
+      id: "launchd-plist",
+      description: "launchd property list for machines-agent",
+      path: launchdPlistPath(options),
+      mode: "0644",
+      content: launchdPlist(options)
+    };
+  }
+  return {
+    id: "systemd-unit",
+    description: "systemd unit for machines-agent",
+    path: systemdUnitPath(options),
+    mode: "0644",
+    content: systemdUnit(options)
+  };
+}
+function buildActionCommands(options) {
+  if (options.platform === "macos")
+    return buildLaunchdCommands(options);
+  return buildSystemdCommands(options);
+}
+function buildLaunchdCommands(options) {
+  const domain = launchdDomain(options);
+  const serviceTarget = `${domain}/${options.serviceId}`;
+  const plistPath = launchdPlistPath(options);
+  const sudo = options.mode === "system";
+  if (options.action === "install") {
+    return [
+      command("launchd-bootout-existing", "Unload any existing launchd job before bootstrap.", "launchctl", ["bootout", domain, plistPath], sudo, true, true),
+      command("launchd-bootstrap", "Load the planned launchd plist.", "launchctl", ["bootstrap", domain, plistPath], sudo, true),
+      command("launchd-enable", "Enable the launchd service.", "launchctl", ["enable", serviceTarget], sudo, true),
+      command("launchd-kickstart", "Start or restart the launchd service.", "launchctl", ["kickstart", "-k", serviceTarget], sudo, true)
+    ];
+  }
+  if (options.action === "uninstall") {
+    return [
+      command("launchd-bootout", "Unload the launchd job.", "launchctl", ["bootout", domain, plistPath], sudo, true),
+      command("remove-launchd-plist", "Remove the planned launchd plist file.", "rm", ["-f", plistPath], sudo, true)
+    ];
+  }
+  if (options.action === "restart") {
+    return [command("launchd-kickstart", "Restart the launchd service.", "launchctl", ["kickstart", "-k", serviceTarget], sudo, true)];
+  }
+  if (options.action === "status") {
+    return [command("launchd-print", "Print launchd service status.", "launchctl", ["print", serviceTarget], sudo, false)];
+  }
+  return [
+    command("launchd-logs", "Stream logs for machines-agent.", "log", ["stream", "--style", "compact", "--predicate", `process == "${basename(options.executable)}" OR eventMessage CONTAINS "${options.serviceId}"`], false, false)
+  ];
+}
+function buildSystemdCommands(options) {
+  const userFlag = options.mode === "user" ? ["--user"] : [];
+  const sudo = options.mode === "system";
+  const unitName = systemdUnitName(options);
+  const daemonReload = command("systemd-daemon-reload", "Reload systemd unit metadata.", "systemctl", [...userFlag, "daemon-reload"], sudo, true);
+  if (options.action === "install") {
+    return [
+      daemonReload,
+      command("systemd-enable-now", "Enable and start the systemd service.", "systemctl", [...userFlag, "enable", "--now", unitName], sudo, true)
+    ];
+  }
+  if (options.action === "uninstall") {
+    return [
+      command("systemd-disable-now", "Stop and disable the systemd service.", "systemctl", [...userFlag, "disable", "--now", unitName], sudo, true),
+      command("remove-systemd-unit", "Remove the planned systemd unit file.", "rm", ["-f", systemdUnitPath(options)], sudo, true),
+      daemonReload
+    ];
+  }
+  if (options.action === "restart") {
+    return [command("systemd-restart", "Restart the systemd service.", "systemctl", [...userFlag, "restart", unitName], sudo, true)];
+  }
+  if (options.action === "status") {
+    return [command("systemd-status", "Show systemd service status.", "systemctl", [...userFlag, "status", unitName, "--no-pager"], sudo, false)];
+  }
+  return [
+    command("systemd-logs", "Follow journal logs for the service.", "journalctl", [...userFlag, "-u", unitName, "-f", "--no-pager"], sudo, false)
+  ];
+}
+function buildManualSteps(options, files) {
+  const steps = [];
+  if (files[0])
+    steps.push(`Write ${files[0].id} content to ${files[0].path} with mode ${files[0].mode}.`);
+  if (options.mode === "system")
+    steps.push("Run commands marked sudo with root privileges.");
+  if (options.platform === "linux" && options.mode === "user") {
+    steps.push("Run commands as the target user; enable lingering separately if the service must survive logout.");
+  }
+  if (options.action === "logs")
+    steps.push("Stop the log command manually when finished.");
+  return steps;
+}
+function command(id, description, program2, args, sudo, mutates, allowFailure = false) {
+  return { id, description, program: program2, args, sudo, mutates, ...allowFailure ? { allowFailure: true } : {} };
+}
+function renderCommand(commandSpec) {
+  const expanded = [commandSpec.program, ...commandSpec.args].map(expandShellPath);
+  if (commandSpec.sudo)
+    return ["sudo", ...expanded];
+  return expanded;
+}
+function expandShellPath(path) {
+  if (path.startsWith("$HOME/"))
+    return `${process.env["HOME"] ?? ""}/${path.slice("$HOME/".length)}`;
+  return path.replaceAll("$HOME", process.env["HOME"] ?? "").replaceAll("$UID", String(process.getuid ? process.getuid() : ""));
+}
+function materializePlaceholders(content) {
+  return content.replace(/(?:<set:([A-Z_][A-Z0-9_]*)>|&lt;set:([A-Z_][A-Z0-9_]*)&gt;)/g, (_match, rawName, escapedName) => {
+    const name = rawName ?? escapedName ?? "";
+    const value = process.env[name];
+    if (value === undefined || value === "") {
+      throw new Error(`Missing environment variable required for service apply: ${name}`);
+    }
+    if (/[\u0000-\u001f\u007f]/.test(value)) {
+      throw new Error(`Environment variable ${name} contains control characters; refusing to write service file.`);
+    }
+    return escapedName ? xmlEscape(value) : escapeSystemdEnvironmentValue(value);
+  });
+}
+function escapeSystemdEnvironmentValue(value) {
+  return value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%");
+}
+function launchdPlist(options) {
+  const env2 = Object.entries(options.env).map(([name, value]) => `    <key>${xmlEscape(name)}</key>
+    <string>${xmlEscape(value)}</string>`).join(`
+`);
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${xmlEscape(options.serviceId)}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(options.executable)}</string>
+    <string>--interval-ms</string>
+    <string>${options.intervalMs}</string>
+  </array>
+  <key>EnvironmentVariables</key>
+  <dict>
+${env2}
+  </dict>
+  <key>KeepAlive</key>
+  <true/>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${xmlEscape(launchdLogPath(options, "out"))}</string>
+  <key>StandardErrorPath</key>
+  <string>${xmlEscape(launchdLogPath(options, "err"))}</string>
+</dict>
+</plist>
+`;
+}
+function systemdUnit(options) {
+  const env2 = Object.entries(options.env).map(([name, value]) => `Environment=${quoteSystemdEnvironment(name, value)}`).join(`
+`);
+  return `[Unit]
+Description=Hasna machines agent
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=simple
+ExecStart=${quoteSystemdExecArg(options.executable)} --interval-ms ${options.intervalMs}
+Restart=always
+RestartSec=10
+${env2}
+[Install]
+WantedBy=${options.mode === "system" ? "multi-user.target" : "default.target"}
+`;
+}
+function launchdDomain(options) {
+  return options.mode === "system" ? "system" : "gui/$UID";
+}
+function launchdPlistPath(options) {
+  if (options.mode === "system")
+    return `/Library/LaunchDaemons/${options.serviceId}.plist`;
+  return `$HOME/Library/LaunchAgents/${options.serviceId}.plist`;
+}
+function launchdLogPath(options, stream) {
+  const fileName = `${options.serviceId}.${stream}.log`;
+  if (options.mode === "system")
+    return `/var/log/${fileName}`;
+  return `$HOME/Library/Logs/${fileName}`;
+}
+function systemdUnitName(options) {
+  return `${options.serviceId}.service`;
+}
+function systemdUnitPath(options) {
+  if (options.mode === "system")
+    return `/etc/systemd/system/${systemdUnitName(options)}`;
+  return `$HOME/.config/systemd/user/${systemdUnitName(options)}`;
+}
+function xmlEscape(value) {
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function quoteSystemdExecArg(value) {
+  if (/^[A-Za-z0-9_@%+=:,./-]+$/.test(value) && !value.includes("%"))
+    return value;
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%")}"`;
+}
+function quoteSystemdEnvironment(name, value) {
+  return `"${name}=${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%")}"`;
+}
+function basename(path) {
+  return path.split("/").filter(Boolean).at(-1) || path;
+}
 // src/commands/self-test.ts
 init_db();
 // src/commands/serve.ts
 import { EventsClient as EventsClient2, sanitizeChannelsForOutput } from "@hasna/events";
+// src/agent/runtime.ts
+import { arch as arch3, hostname as hostname6, platform as platform4, release, uptime, version as osVersion } from "os";
+init_db();
+init_storage_sync();
+function parseJsonObject2(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function heartbeatToStatus(heartbeat, options = {}) {
+  const privateMetadata = options.privateMetadata === true;
+  const tailscale = parseJsonObject2(heartbeat.tailscale_json);
+  const doctorSummary = parseJsonObject2(heartbeat.doctor_summary_json);
+  return {
+    machineId: heartbeat.machine_id,
+    pid: heartbeat.pid,
+    status: heartbeat.status,
+    updatedAt: heartbeat.updated_at,
+    daemonVersion: heartbeat.daemon_version,
+    agentMode: heartbeat.agent_mode,
+    platform: heartbeat.platform,
+    osVersion: heartbeat.os_version,
+    osBuild: heartbeat.os_build,
+    arch: heartbeat.arch,
+    uptimeSeconds: heartbeat.uptime_seconds,
+    toolVersions: sanitizeRecord(parseJsonObject2(heartbeat.tool_versions_json) ?? {}, privateMetadata),
+    tailscale: tailscale ? sanitizeRecord(tailscale, privateMetadata) : null,
+    storageSyncStatus: heartbeat.storage_sync_status,
+    storageSyncLastError: heartbeat.storage_sync_last_error ? sanitizeStorageError(heartbeat.storage_sync_last_error, privateMetadata) : null,
+    doctorSummary: doctorSummary ? sanitizeRecord(doctorSummary, privateMetadata) : null,
+    privateMetadata: Boolean(heartbeat.private_metadata)
+  };
+}
+function sanitizePublicString(value, privateMetadata = false) {
+  if (privateMetadata)
+    return value;
+  let redacted = value;
+  const localHostname = hostname6();
+  const localUser = process.env["USER"] || process.env["LOGNAME"] || process.env["USERNAME"];
+  if (localHostname)
+    redacted = redacted.replaceAll(localHostname, "[redacted-host]");
+  if (localUser)
+    redacted = redacted.replaceAll(localUser, "[redacted-user]");
+  return redactErrorMessage(redacted.replace(/[a-z][a-z0-9+.-]*:\/\/[^\s'")]+/gi, (match) => {
+    const scheme = match.match(/^([a-z][a-z0-9+.-]*:\/\/)/i)?.[1] ?? "";
+    return `${scheme}[redacted]`;
+  }).replace(/\b10(?:\.\d{1,3}){3}\b/g, "[redacted-ip]").replace(/\b172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b192\.168(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7])(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b(password|passwd|token|secret|api[_-]?key)=([^&\s]+)/gi, "$1=[redacted]"));
+}
+function sanitizeValue(value, privateMetadata) {
+  if (typeof value === "string")
+    return sanitizePublicString(value, privateMetadata);
+  if (Array.isArray(value))
+    return value.map((entry) => sanitizeValue(entry, privateMetadata));
+  if (value && typeof value === "object")
+    return sanitizeRecord(value, privateMetadata);
+  return value;
+}
+function sanitizeRecord(value, privateMetadata) {
+  const sanitized = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (!privateMetadata && /(hostname|hostName|user|username|serial|dnsName|ip|ips|databaseUrl|url|token|secret|password|credential)/i.test(key)) {
+      sanitized[key] = "[redacted]";
+      continue;
+    }
+    sanitized[key] = sanitizeValue(entry, privateMetadata);
+  }
+  return sanitized;
+}
+function sanitizeStorageError(message, privateMetadata) {
+  return privateMetadata ? message : redactErrorMessage(message);
+}
+function getAgentStatus(machineId, options = {}) {
+  return listHeartbeats(machineId).map((heartbeat) => heartbeatToStatus(heartbeat, options));
+}
+// src/commands/serve.ts
 function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
@@ -10374,6 +11099,9 @@ function getServeInfo(options = {}) {
       "/",
       "/health",
       "/api/status",
+      "/api/topology",
+      "/api/routes",
+      "/api/daemon/status",
       "/api/manifest",
       "/api/notifications",
       "/api/webhooks",
@@ -10391,6 +11119,7 @@ function getServeInfo(options = {}) {
 }
 function renderDashboardHtml() {
   const status = getStatus();
+  const topology = discoverMachineTopology();
   const manifest = manifestList();
   const notifications = listNotificationChannels();
   const doctor = runDoctor();
@@ -10429,17 +11158,20 @@ function renderDashboardHtml() {
         <section class="card"><div>Heartbeats</div><div class="stat">${status.heartbeatCount}</div></section>
         <section class="card"><div>Notification channels</div><div class="stat">${notifications.channels.length}</div></section>
         <section class="card"><div>Doctor warnings</div><div class="stat">${doctor.checks.filter((entry) => entry.status !== "ok").length}</div></section>
+        <section class="card"><div>Tailscale routes</div><div class="stat">${topology.machines.filter((machine) => machine.ssh.route === "tailscale").length}</div></section>
       </div>
       <section class="card" style="margin-top:16px">
         <h2>Machines</h2>
         <table>
-          <thead><tr><th>ID</th><th>Platform</th><th>Status</th><th>Last heartbeat</th></tr></thead>
+          <thead><tr><th>ID</th><th>Platform</th><th>Status</th><th>Agent</th><th>Storage</th><th>Last heartbeat</th></tr></thead>
           <tbody>
             ${status.machines.map((machine) => `<tr>
               <td><code>${escapeHtml(machine.machineId)}</code></td>
               <td>${escapeHtml(machine.platform || "unknown")}</td>
               <td><span class="badge ${escapeHtml(machine.heartbeatStatus)}">${escapeHtml(machine.heartbeatStatus)}</span></td>
+              <td>${escapeHtml(machine.agentMode || "unknown")} ${escapeHtml(machine.daemonVersion || "")}</td>
+              <td>${escapeHtml(machine.storageSyncStatus || "unknown")}</td>
               <td>${escapeHtml(machine.lastHeartbeatAt || "\u2014")}</td>
             </tr>`).join("")}
           </tbody>
@@ -10483,6 +11215,14 @@ function renderDashboardHtml() {
     <script>
       // Auto-refresh dashboard data every 15s
       const REFRESH_INTERVAL = 15000;
+      function escapeHtml(value) {
+        return String(value ?? "")
+          .replaceAll("&", "&amp;")
+          .replaceAll("<", "&lt;")
+          .replaceAll(">", "&gt;")
+          .replaceAll('"', "&quot;")
+          .replaceAll("'", "&#39;");
+      }
       async function refreshData() {
         try {
           const [statusRes, doctorRes] = await Promise.all([
@@ -10503,10 +11243,12 @@ function renderDashboardHtml() {
             tbody.innerHTML = status.machines
               .map((m) =>
                 "<tr>" +
-                "<td><code>" + m.machineId + "</code></td>" +
-                "<td>" + (m.platform || "unknown") + "</td>" +
-                '<td><span class="badge ' + m.heartbeatStatus + '">' + m.heartbeatStatus + '</span></td>' +
-                "<td>" + (m.lastHeartbeatAt || "\\u2014") + "</td>" +
+                "<td><code>" + escapeHtml(m.machineId) + "</code></td>" +
+                "<td>" + escapeHtml(m.platform || "unknown") + "</td>" +
+                '<td><span class="badge ' + escapeHtml(m.heartbeatStatus) + '">' + escapeHtml(m.heartbeatStatus) + '</span></td>' +
+                "<td>" + escapeHtml(m.agentMode || "unknown") + " " + escapeHtml(m.daemonVersion || "") + "</td>" +
+                "<td>" + escapeHtml(m.storageSyncStatus || "unknown") + "</td>" +
+                "<td>" + escapeHtml(m.lastHeartbeatAt || "\\u2014") + "</td>" +
                 "</tr>"
               )
               .join("");
@@ -10518,9 +11260,9 @@ function renderDashboardHtml() {
             doctorTbody.innerHTML = doctor.checks
               .map((c) =>
                 "<tr>" +
-                "<td>" + c.summary + "</td>" +
-                '<td><span class="badge ' + c.status + '">' + c.status + '</span></td>' +
-                '<td class="muted">' + c.detail + "</td>" +
+                "<td>" + escapeHtml(c.summary) + "</td>" +
+                '<td><span class="badge ' + escapeHtml(c.status) + '">' + escapeHtml(c.status) + '</span></td>' +
+                '<td class="muted">' + escapeHtml(c.detail) + "</td>" +
                 "</tr>"
               )
               .join("");
@@ -10550,6 +11292,14 @@ async function parseJsonBody(request) {
 function jsonError(message, status = 400) {
   return Response.json({ error: message }, { status });
 }
+function privateOutputWarnings(requested, allowed) {
+  return requested && !allowed ? [PRIVATE_OUTPUT_DENIED_WARNING] : [];
+}
+function appendWarnings(payload, warnings) {
+  if (warnings.length === 0)
+    return payload;
+  return { ...payload, warnings: [...payload.warnings ?? [], ...warnings] };
+}
 function startDashboardServer(options = {}) {
   const info = getServeInfo(options);
   const events = new EventsClient2;
@@ -10560,12 +11310,34 @@ function startDashboardServer(options = {}) {
       const url = new URL(request.url);
       const machineId = url.searchParams.get("machine") || undefined;
       const tools = url.searchParams.get("tools")?.split(",").map((value) => value.trim()).filter(Boolean);
+      const privateMetadataRequested = url.searchParams.get("privateMetadata") === "true" || url.searchParams.get("private_metadata") === "true";
+      const privateMetadata = privateMetadataRequested && isPrivateOutputEnabled();
+      const privateWarnings = privateOutputWarnings(privateMetadataRequested, privateMetadata);
       if (url.pathname === "/health") {
         return Response.json({ ok: true, ...getServeInfo(options) });
       }
       if (url.pathname === "/api/status") {
         return Response.json(getStatus());
       }
+      if (url.pathname === "/api/topology") {
+        const topology = discoverMachineTopology({ includeTailscale: url.searchParams.get("tailscale") !== "false" });
+        return Response.json(appendWarnings(redactTopologyForOutput(topology, { privateMetadata }), privateWarnings));
+      }
+      if (url.pathname === "/api/routes") {
+        const topology = discoverMachineTopology({ includeTailscale: url.searchParams.get("tailscale") !== "false" });
+        return Response.json({
+          generated_at: topology.generated_at,
+          routes: topology.machines.map((machine) => redactRouteForOutput(resolveMachineRoute(machine.machine_id, { topology }), { privateMetadata })),
+          ...privateWarnings.length > 0 ? { warnings: privateWarnings } : {}
+        });
+      }
+      if (url.pathname === "/api/daemon/status") {
+        return Response.json({
+          generated_at: new Date().toISOString(),
+          agents: getAgentStatus(machineId, { privateMetadata }),
+          ...privateWarnings.length > 0 ? { warnings: privateWarnings } : {}
+        });
+      }
       if (url.pathname === "/api/manifest") {
         return Response.json(manifestList());
       }
@@ -10709,7 +11481,7 @@ function runSelfTest() {
 // src/commands/clipboard.ts
 init_paths();
 import { createHash } from "crypto";
-import { existsSync as existsSync8, readFileSync as readFileSync6, rmSync, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync6, rmSync, writeFileSync as writeFileSync5 } from "fs";
 import { join as join6 } from "path";
 var DEFAULT_CONFIG = {
   version: 1,
@@ -10749,7 +11521,7 @@ function readConfig(configPath) {
 function writeConfig(config, configPath) {
   const path = resolveConfigPath(configPath);
   ensureParentDir(path);
-  writeFileSync4(path, `${JSON.stringify(config, null, 2)}
+  writeFileSync5(path, `${JSON.stringify(config, null, 2)}
 `, "utf8");
 }
 function readHistory(historyPath) {
@@ -10766,7 +11538,7 @@ function readHistory(historyPath) {
 function writeHistory(entries, historyPath) {
   const path = resolveHistoryPath(historyPath);
   ensureParentDir(path);
-  writeFileSync4(path, `${JSON.stringify(entries, null, 2)}
+  writeFileSync5(path, `${JSON.stringify(entries, null, 2)}
 `, "utf8");
 }
 function computeHash(content) {
@@ -10792,7 +11564,7 @@ function getOrCreateClipboardKey() {
   }
   const key = createHash("sha256").update(crypto.randomUUID()).digest("hex").slice(0, 32);
   ensureParentDir(keyPath);
-  writeFileSync4(keyPath, `${key}
+  writeFileSync5(keyPath, `${key}
 `, "utf8");
   return key;
 }
@@ -10843,7 +11615,7 @@ function getClipboardStatus(historyPath) {
 // src/commands/clipboard-daemon.ts
 init_paths();
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "fs";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync6 } from "fs";
 import { join as join7 } from "path";
 import { createHash as createHash3 } from "crypto";
@@ -10853,12 +11625,12 @@ import { createServer } from "http";
 import { createHash as createHash2 } from "crypto";
 import { readFileSync as readFileSync7 } from "fs";
 function readLocalClipboardSync() {
-  const platform4 = process.platform;
-  if (platform4 === "darwin") {
+  const platform5 = process.platform;
+  if (platform5 === "darwin") {
     const result = Bun.spawnSync(["pbpaste"], { stdout: "pipe", stderr: "pipe" });
     return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
   }
-  if (platform4 === "linux") {
+  if (platform5 === "linux") {
     if (hasCommand3("wl-paste")) {
       const result = Bun.spawnSync(["wl-paste"], { stdout: "pipe", stderr: "pipe" });
       return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
@@ -10872,12 +11644,12 @@ function readLocalClipboardSync() {
   return "";
 }
 function writeLocalClipboardSync(content) {
-  const platform4 = process.platform;
-  if (platform4 === "darwin") {
+  const platform5 = process.platform;
+  if (platform5 === "darwin") {
     const result = Bun.spawnSync(["pbcopy"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
     return result.exitCode === 0;
   }
-  if (platform4 === "linux") {
+  if (platform5 === "linux") {
     if (hasCommand3("wl-copy")) {
       const result = Bun.spawnSync(["wl-copy"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
       return result.exitCode === 0;
@@ -11004,12 +11776,12 @@ function handleGetClipboard(response, config) {
 // src/commands/clipboard-daemon.ts
 var DAEMON_PID_PATH = join7(getDataDir(), "clipboard-daemon.pid");
 function readLocalClipboardSync2() {
-  const platform4 = process.platform;
-  if (platform4 === "darwin") {
+  const platform5 = process.platform;
+  if (platform5 === "darwin") {
     const result = Bun.spawnSync(["pbpaste"], { stdout: "pipe", stderr: "pipe" });
     return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
   }
-  if (platform4 === "linux") {
+  if (platform5 === "linux") {
     if (hasCommand4("wl-paste")) {
       const result = Bun.spawnSync(["wl-paste"], { stdout: "pipe", stderr: "pipe" });
       return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
@@ -11070,7 +11842,7 @@ function loadSharedSecret2() {
   }
 }
 function writePid(pid) {
-  writeFileSync5(DAEMON_PID_PATH, `${pid}
+  writeFileSync6(DAEMON_PID_PATH, `${pid}
 `);
 }
 function readPid() {
@@ -11165,7 +11937,7 @@ async function discoverPeers() {
       }
     }
   } catch {}
-  const knownPeers = ["100.82.44.120", "100.100.226.69", "100.71.123.34", "100.85.234.92"];
+  const knownPeers = (process.env["HASNA_MACHINES_CLIPBOARD_PEERS"] || "").split(",").map((peer) => peer.trim()).filter(Boolean);
   for (const ip of knownPeers) {
     if (!peers.some((p) => p.host === ip)) {
       peers.push({ host: ip, port: config.port });
@@ -11176,7 +11948,7 @@ async function discoverPeers() {
 // src/commands/heal.ts
 init_paths();
-import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
 import { join as join8 } from "path";
 var DEFAULT_THRESHOLDS = {
   reconnect: 3,
@@ -11241,7 +12013,7 @@ function readHealConfig(path) {
 function writeHealConfig(config, path) {
   const p = path || getHealConfigPath();
   ensureParentDir(p);
-  writeFileSync6(p, `${JSON.stringify(config, null, 2)}
+  writeFileSync7(p, `${JSON.stringify(config, null, 2)}
 `, "utf8");
 }
 function readHealState(path) {
@@ -11257,7 +12029,7 @@ function readHealState(path) {
 function writeHealState(state, path) {
   const p = path || getHealStatePath();
   ensureParentDir(p);
-  writeFileSync6(p, `${JSON.stringify(state, null, 2)}
+  writeFileSync7(p, `${JSON.stringify(state, null, 2)}
 `, "utf8");
 }
 function evaluateHealth(probe, config, state) {
@@ -11462,7 +12234,7 @@ function executeAction(action, config) {
 // src/commands/heal-daemon.ts
 init_paths();
-import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
 import { join as join9 } from "path";
 var DAEMON_PID_PATH2 = join9(getDataDir(), "heal-daemon.pid");
 var SERVICE_PATH = "/etc/systemd/system/machines-heal.service";
@@ -11505,7 +12277,7 @@ function runHealOnce(config, opts = {}) {
   return result;
 }
 function writePid2(pid) {
-  writeFileSync7(DAEMON_PID_PATH2, `${pid}
+  writeFileSync8(DAEMON_PID_PATH2, `${pid}
 `);
 }
 function readPid2() {
@@ -11596,7 +12368,7 @@ ${key}=${value}
   };
   set("RuntimeWatchdogSec", "20s");
   set("RebootWatchdogSec", "2min");
-  writeFileSync7(SYSTEM_CONF, conf);
+  writeFileSync8(SYSTEM_CONF, conf);
   sh2("systemctl daemon-reexec");
   log2.push("hardware watchdog: RuntimeWatchdogSec=20s RebootWatchdogSec=2min");
   return log2;
@@ -11641,7 +12413,7 @@ Environment=PATH=${binDir}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sb
 [Install]
 WantedBy=multi-user.target
 `;
-  writeFileSync7(SERVICE_PATH, unit);
+  writeFileSync8(SERVICE_PATH, unit);
   sh2("systemctl daemon-reload");
   sh2("systemctl enable --now machines-heal.service");
   log2.push(`installed + enabled ${SERVICE_PATH} (ExecStart=${exec} heal daemon)`);
@@ -11822,18 +12594,18 @@ function checkSecretPresence(secretsCommand, key) {
   };
 }
 function parseCommandSpec(value) {
-  const [command, expectedVersion] = value.split(":");
+  const [command2, expectedVersion] = value.split(":");
   return {
-    command,
+    command: command2,
     expectedVersion: expectedVersion || undefined,
     required: true
   };
 }
 function parsePackageSpec(value) {
-  const [name, command, expectedVersion] = value.split(":");
+  const [name, command2, expectedVersion] = value.split(":");
   return {
     name,
-    command: command || undefined,
+    command: command2 || undefined,
     expectedVersion: expectedVersion || undefined,
     required: true
   };
@@ -11924,17 +12696,54 @@ function renderFleetStatus(status) {
       ["sync runs", String(status.recentSyncRuns)]
     ]),
     "",
-    ...status.machines.map((machine) => `${machine.machineId.padEnd(18)} ${machine.platform || "unknown"} ${machine.heartbeatStatus} ${machine.lastHeartbeatAt || "\u2014"}`)
+    ...status.machines.map((machine) => `${machine.machineId.padEnd(18)} ${machine.platform || "unknown"} ${machine.heartbeatStatus} ${machine.agentMode || "agent:unknown"} ${machine.storageSyncStatus || "storage:unknown"} ${machine.lastHeartbeatAt || "\u2014"}`)
+  ].join(`
+`);
+}
+function renderShellCommand(command2) {
+  const parts = command2.sudo ? ["sudo", command2.program, ...command2.args] : [command2.program, ...command2.args];
+  return parts.map((part) => /^[A-Za-z0-9_@%+=:,./$-]+$/.test(part) ? part : JSON.stringify(part)).join(" ");
+}
+function renderDaemonPlan(plan) {
+  const files = plan.files.map((file) => `${file.path} (${file.mode})`);
+  const commands = plan.commands.map((command2) => `${command2.mutates ? "apply" : "read"} ${command2.id}: ${renderShellCommand(command2)}`);
+  return [
+    renderKeyValueTable([
+      ["action", plan.action],
+      ["platform", plan.platform],
+      ["mode", plan.mode],
+      ["service", plan.serviceName],
+      ["executable", plan.executable],
+      ["interval", `${plan.intervalMs}ms`],
+      ["warnings", plan.warnings.join(", ") || "none"]
+    ]),
+    renderList("files", files),
+    renderList("commands", commands),
+    renderList("manual steps", plan.manualSteps)
   ].join(`
 `);
 }
+function parseDaemonOptions(action, options) {
+  return {
+    action,
+    platform: options.platform,
+    mode: options.mode,
+    serviceName: options.serviceName,
+    executable: options.executable,
+    intervalMs: options.intervalMs ? parseIntegerOption(options.intervalMs, "interval-ms", { min: 1 }) : undefined,
+    storagePush: options.storagePush,
+    doctorSummary: options.doctorSummary,
+    privateMetadata: options.privateMetadata,
+    env: options.env
+  };
+}
 program2.name("machines").description("Machine fleet management CLI + MCP for developers").version(getPackageVersion()).option("-q, --quiet", "Suppress non-essential output");
 var manifestCommand = program2.command("manifest").description("Manage the fleet manifest");
 var appsCommand = program2.command("apps").description("Manage installed applications per machine");
 var notificationsCommand = program2.command("notifications").description("Manage fleet alert delivery channels");
 var eventWebhooksCommand = registerWebhookCommands(program2, { source: "machines" });
 eventWebhooksCommand.description("Manage shared event webhook subscriptions");
-var webhookTestCommand = eventWebhooksCommand.commands.find((command) => command.name() === "test");
+var webhookTestCommand = eventWebhooksCommand.commands.find((command2) => command2.name() === "test");
 var webhookOptions = webhookTestCommand?.options ?? [];
 var webhookMessageOption = webhookOptions.find((option) => option.long === "--message");
 if (webhookMessageOption) {
@@ -11945,6 +12754,23 @@ eventsCommand.description("Emit, list, and replay shared events");
 var runtimeCommand = program2.command("runtime").description("Watch runtime conditions and emit shared events");
 var clipboardCommand = program2.command("clipboard").description("Real-time clipboard sync across fleet machines");
 var installClaudeCommand = program2.command("install-claude").description("Install or inspect Claude, Codex, and Gemini CLIs");
+var daemonCommand = program2.command("daemon").description("Install and inspect the machines-agent fleet daemon service");
+function addDaemonLifecycleCommand(action, description) {
+  daemonCommand.command(action).description(description).option("--platform <platform>", "Service platform to plan for (macos, linux)").option("--mode <mode>", "Service mode (user, system)", "user").option("--service-name <name>", "Service name/label", "machines-agent").option("--executable <path>", "Absolute machines-agent executable path").option("--interval-ms <ms>", "Heartbeat interval in milliseconds").option("--storage-push", "Configure daemon to push heartbeat rows to storage", false).option("--doctor-summary", "Configure daemon to include lightweight doctor summaries", false).option("--private-metadata", "Opt in to private host/network metadata in heartbeat rows", false).option("--env <name...>", "Environment variable names to include as placeholders").option("--apply", "Write service files and run planned commands", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
+    const plan = buildDaemonServicePlan(parseDaemonOptions(action, options));
+    const result = runDaemonServicePlan(plan, { apply: options.apply, yes: options.yes });
+    if (options.json || options.apply) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    console.log(renderDaemonPlan(plan));
+  });
+}
+addDaemonLifecycleCommand("install", "Plan or install the machines-agent daemon service");
+addDaemonLifecycleCommand("uninstall", "Plan or uninstall the machines-agent daemon service");
+addDaemonLifecycleCommand("restart", "Plan or restart the machines-agent daemon service");
+addDaemonLifecycleCommand("status", "Plan a daemon service status command");
+addDaemonLifecycleCommand("logs", "Plan a daemon service log command");
 manifestCommand.command("init").description("Create an empty fleet manifest").action(() => {
   console.log(manifestInit());
 });
@@ -12049,8 +12875,9 @@ program2.command("sync").description("Reconcile a machine against the fleet mani
   const result = options.apply ? runSync(options.machine, { apply: true, yes: options.yes }) : buildSyncPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("topology").description("Discover local, manifest, heartbeat, SSH, and Tailscale machine topology").option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {
-  const topology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
+program2.command("topology").description("Discover local, manifest, heartbeat, SSH, and Tailscale machine topology").option("--no-tailscale", "Skip tailscale status probing").option("--private-metadata", "Print private host/network route fields", false).option("-j, --json", "Print JSON output", false).action((options) => {
+  const rawTopology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
+  const topology = redactTopologyForOutput(rawTopology, { privateMetadata: options.privateMetadata });
   if (options.json) {
     console.log(JSON.stringify(topology, null, 2));
     return;
@@ -12290,11 +13117,12 @@ program2.command("install-tailscale").description("Install Tailscale on a machin
   const result = options.apply ? runTailscaleInstall(options.machine, { apply: true, yes: options.yes }) : buildTailscaleInstallPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("route").description("Resolve the best route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--no-tailscale", "Skip tailscale status probing").option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
+program2.command("route").description("Resolve the best route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--no-tailscale", "Skip tailscale status probing").option("--private-metadata", "Print private route targets", false).option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
   const topology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
   const resolved = resolveMachineRoute(options.machine, { topology });
-  const command = resolved.ok && resolved.target ? resolved.route === "local" ? options.cmd ?? null : buildSshCommand(options.machine, options.cmd, { topology }) : null;
-  const payload = { ...resolved, command };
+  const publicResolved = redactRouteForOutput(resolved, { privateMetadata: options.privateMetadata });
+  const command2 = resolved.ok && resolved.target ? resolved.route === "local" ? options.cmd ?? null : buildSshCommand(options.machine, options.cmd, { topology }) : null;
+  const payload = { ...publicResolved, command: options.privateMetadata ? command2 : command2 ? "[redacted]" : null };
   if (options.json) {
     console.log(JSON.stringify(payload, null, 2));
     return;
@@ -12304,7 +13132,7 @@ program2.command("route").description("Resolve the best route for a machine").re
     process.exitCode = 1;
     return;
   }
-  console.log(command ?? `${resolved.route}:${resolved.target}`);
+  console.log(options.privateMetadata ? command2 ?? `${resolved.route}:${resolved.target}` : `${publicResolved.route}:${publicResolved.target ?? "unresolved"}`);
 });
 program2.command("ssh").description("Choose the best SSH route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
   if (options.json) {
@@ -12332,7 +13160,7 @@ program2.command("screen").description("Open Screen Sharing (VNC) to a machine u
     for (const r of results) {
       if (r.ok && r.url) {
         if (!options.print)
-          execFileSync("open", [r.url], { stdio: "ignore" });
+          execFileSync2("open", [r.url], { stdio: "ignore" });
         console.log(`${r.ok ? "\u2713" : "\u2717"} ${r.machine.padEnd(14)} ${r.url ?? r.error}`);
       } else {
         console.log(`\u2717 ${r.machine.padEnd(14)} ${r.error}`);
@@ -12355,7 +13183,7 @@ program2.command("screen").description("Open Screen Sharing (VNC) to a machine u
     console.log(resolved.url);
     return;
   }
-  execFileSync("open", [resolved.url], { stdio: "ignore" });
+  execFileSync2("open", [resolved.url], { stdio: "ignore" });
   console.log(`Opening Screen Sharing \u2192 ${resolved.url} (route: ${resolved.route})`);
 });
 program2.command("screen-credentials").description("Inspect screen-sharing user and password secret references without printing secrets").option("--machine <id>", "Machine identifier").option("--all", "Inspect every discovered machine", false).option("--check-secret", "Check whether the password secret exists in the local secrets vault", false).option("--secrets-command <command>", "Secrets CLI command to inspect", "secrets").option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {