@hasna/machines 0.0.36 → 0.0.38

package/dist/mcp/index.js

@@ -4160,6 +4160,9 @@ function ensureParentDir(filePath) {
 
 // src/redaction.ts
 var REDACTED_VALUE = "[redacted]";
+var PRIVATE_OUTPUT_ENV = "HASNA_MACHINES_ALLOW_PRIVATE_OUTPUT";
+var PRIVATE_OUTPUT_FALLBACK_ENV = "MACHINES_ALLOW_PRIVATE_OUTPUT";
+var PRIVATE_OUTPUT_DENIED_WARNING = `private_output_denied:set ${PRIVATE_OUTPUT_ENV}=1 to allow private metadata output`;
 var SENSITIVE_KEY_PATTERN = /(password|passwd|token|credential|private[_-]?key|privateKey|api[_-]?key|github.*key|pem|secret)/i;
 var SECRET_REFERENCE_KEY_PATTERN = /(secret(ref(erence)?|key)?|secretRef|secretKey)$/i;
 var SENSITIVE_VALUE_PATTERNS = [
@@ -4170,9 +4173,17 @@ var SENSITIVE_VALUE_PATTERNS = [
   /\bAKIA[0-9A-Z]{16}\b/,
   /\bsk-[A-Za-z0-9_-]{20,}\b/
 ];
+var IPV4_PATTERN = /\b(?:10|127|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168|100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7]))(?:\.\d{1,3}){2}\b/g;
+var IPV6_PATTERN = /\b(?:fc|fd|fe80)[0-9a-f:]*:[0-9a-f:]+\b/gi;
+var DATABASE_URL_PATTERN = /\b(?:postgres(?:ql)?|mysql|mariadb|redis|mongodb|s3):\/\/[^\s"'<>]+/gi;
+var PRIVATE_HOST_PATTERN = /\b(?:[A-Za-z0-9._%+-]+@)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?:\.tailnet(?:\.[A-Za-z0-9-]+)*|\.ts\.net|\.private(?:\.[A-Za-z0-9-]+)*|\.internal|\.local)\b/gi;
 function isSensitiveKey(key) {
   return SENSITIVE_KEY_PATTERN.test(key);
 }
+function isPrivateOutputEnabled(env = process.env) {
+  const value = env[PRIVATE_OUTPUT_ENV] ?? env[PRIVATE_OUTPUT_FALLBACK_ENV];
+  return ["1", "true", "yes", "on", "private"].includes(String(value ?? "").trim().toLowerCase());
+}
 function isSecretReferenceKey(key) {
   return SECRET_REFERENCE_KEY_PATTERN.test(key);
 }
@@ -4185,6 +4196,12 @@ function isRecord(value) {
 function redactPath(value) {
   return value.replace(/\/home\/[^/\s]+/g, "/home/<user>").replace(/\/Users\/[^/\s]+/g, "/Users/<user>").replace(/[A-Za-z]:\\Users\\[^\\\s]+/g, "C:\\Users\\<user>");
 }
+function redactErrorMessage(value) {
+  return redactPath(value).replace(DATABASE_URL_PATTERN, (match) => {
+    const scheme = match.match(/^([a-z][a-z0-9+.-]*:\/\/)/i)?.[1] ?? "";
+    return `${scheme}${REDACTED_VALUE}`;
+  }).replace(IPV4_PATTERN, REDACTED_VALUE).replace(IPV6_PATTERN, REDACTED_VALUE).replace(PRIVATE_HOST_PATTERN, REDACTED_VALUE);
+}
 function redactPrivateRef(value) {
   const trimmed = value.trim();
   const scheme = trimmed.match(/^([a-z][a-z0-9+.-]*:\/\/)/i);
@@ -4459,6 +4476,21 @@ class SqliteAdapter {
   }
 }
 var adapter = null;
+var AGENT_HEARTBEAT_COLUMNS = [
+  { name: "daemon_version", definition: "TEXT" },
+  { name: "agent_mode", definition: "TEXT" },
+  { name: "platform", definition: "TEXT" },
+  { name: "os_version", definition: "TEXT" },
+  { name: "os_build", definition: "TEXT" },
+  { name: "arch", definition: "TEXT" },
+  { name: "uptime_seconds", definition: "INTEGER" },
+  { name: "tool_versions_json", definition: "TEXT" },
+  { name: "tailscale_json", definition: "TEXT" },
+  { name: "storage_sync_status", definition: "TEXT" },
+  { name: "storage_sync_last_error", definition: "TEXT" },
+  { name: "doctor_summary_json", definition: "TEXT" },
+  { name: "private_metadata", definition: "INTEGER NOT NULL DEFAULT 0" }
+];
 function createTables(db) {
   db.exec(`
     CREATE TABLE IF NOT EXISTS agent_heartbeats (
@@ -4466,9 +4498,23 @@ function createTables(db) {
       pid INTEGER NOT NULL,
       status TEXT NOT NULL,
       updated_at TEXT NOT NULL,
+      daemon_version TEXT,
+      agent_mode TEXT,
+      platform TEXT,
+      os_version TEXT,
+      os_build TEXT,
+      arch TEXT,
+      uptime_seconds INTEGER,
+      tool_versions_json TEXT,
+      tailscale_json TEXT,
+      storage_sync_status TEXT,
+      storage_sync_last_error TEXT,
+      doctor_summary_json TEXT,
+      private_metadata INTEGER NOT NULL DEFAULT 0,
       PRIMARY KEY (machine_id, pid)
     )
   `);
+  migrateAgentHeartbeats(db);
   db.exec(`
     CREATE TABLE IF NOT EXISTS setup_runs (
       id TEXT PRIMARY KEY,
@@ -4490,6 +4536,15 @@ function createTables(db) {
     )
   `);
 }
+function migrateAgentHeartbeats(db) {
+  const columns = db.query("PRAGMA table_info(agent_heartbeats)").all();
+  const existing = new Set(columns.map((column) => column.name));
+  for (const column of AGENT_HEARTBEAT_COLUMNS) {
+    if (existing.has(column.name))
+      continue;
+    db.exec(`ALTER TABLE agent_heartbeats ADD COLUMN ${column.name} ${column.definition}`);
+  }
+}
 function getAdapter(path = getDbPath()) {
   if (path === ":memory:") {
     const memoryAdapter = new SqliteAdapter(path);
@@ -4518,12 +4573,12 @@ function getLocalMachineId() {
 function listHeartbeats(machineId) {
   const db = getDb();
   if (machineId) {
-    return db.query(`SELECT machine_id, pid, status, updated_at
+    return db.query(`SELECT *
          FROM agent_heartbeats
          WHERE machine_id = ?
          ORDER BY updated_at DESC`).all(machineId);
   }
-  return db.query(`SELECT machine_id, pid, status, updated_at
+  return db.query(`SELECT *
        FROM agent_heartbeats
        ORDER BY updated_at DESC`).all();
 }
@@ -4710,6 +4765,16 @@ function routeRank(hint) {
 function selectRouteHint(hints) {
   return [...hints].sort((left, right) => routeRank(left) - routeRank(right))[0] ?? null;
 }
+function parseHeartbeatJson(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
 function buildEntry(input) {
   const manifest = input.manifest;
   const peer = input.peer;
@@ -4732,6 +4797,22 @@ function buildEntry(input) {
     manifest_declared: Boolean(manifest),
     heartbeat_status: input.heartbeat?.status ?? "unknown",
     last_heartbeat_at: input.heartbeat?.updated_at ?? null,
+    agent: {
+      pid: input.heartbeat?.pid ?? null,
+      daemon_version: input.heartbeat?.daemon_version ?? null,
+      mode: input.heartbeat?.agent_mode ?? null,
+      private_metadata: Boolean(input.heartbeat?.private_metadata),
+      platform: input.heartbeat?.platform ?? null,
+      os_version: input.heartbeat?.os_version ?? null,
+      os_build: input.heartbeat?.os_build ?? null,
+      arch: input.heartbeat?.arch ?? null,
+      uptime_seconds: input.heartbeat?.uptime_seconds ?? null,
+      tool_versions: parseHeartbeatJson(input.heartbeat?.tool_versions_json),
+      tailscale: parseHeartbeatJson(input.heartbeat?.tailscale_json),
+      storage_sync_status: input.heartbeat?.storage_sync_status ?? null,
+      storage_sync_last_error: input.heartbeat?.storage_sync_last_error ?? null,
+      doctor_summary: parseHeartbeatJson(input.heartbeat?.doctor_summary_json)
+    },
     tailscale: {
       dns_name: manifest?.tailscaleName ?? peer?.DNSName?.replace(/\.$/, "") ?? null,
       ips: peer?.TailscaleIPs ?? [],
@@ -4791,6 +4872,72 @@ function discoverMachineTopology(options = {}) {
     warnings
   };
 }
+function redactFleetString(value) {
+  if (!value)
+    return value;
+  return redactErrorMessage(value);
+}
+function redactPublicRecord(value) {
+  if (!value)
+    return null;
+  const redacted = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (/(host|hostname|dns|ip|ips|user|username|serial|address|target|url|token|secret|password|credential)/i.test(key)) {
+      redacted[key] = REDACTED_VALUE;
+      continue;
+    }
+    if (typeof entry === "string") {
+      redacted[key] = redactFleetString(entry);
+    } else if (Array.isArray(entry)) {
+      redacted[key] = entry.map((item) => {
+        if (typeof item === "string")
+          return redactFleetString(item);
+        if (item && typeof item === "object")
+          return redactPublicRecord(item);
+        return item;
+      });
+    } else if (entry && typeof entry === "object") {
+      redacted[key] = redactPublicRecord(entry);
+    } else {
+      redacted[key] = entry;
+    }
+  }
+  return redactSensitiveValue(redacted);
+}
+function redactTopologyForOutput(topology, options = {}) {
+  if (options.privateMetadata)
+    return topology;
+  return {
+    ...topology,
+    local_hostname: REDACTED_VALUE,
+    warnings: topology.warnings.map(redactFleetString),
+    machines: topology.machines.map((machine) => ({
+      ...machine,
+      hostname: machine.hostname ? REDACTED_VALUE : null,
+      user: machine.user ? REDACTED_VALUE : null,
+      tailscale: {
+        ...machine.tailscale,
+        dns_name: machine.tailscale.dns_name ? REDACTED_VALUE : null,
+        ips: machine.tailscale.ips.map(() => REDACTED_VALUE)
+      },
+      ssh: {
+        ...machine.ssh,
+        address: machine.ssh.address ? REDACTED_VALUE : null,
+        command_target: machine.ssh.command_target ? REDACTED_VALUE : null
+      },
+      route_hints: machine.route_hints.map((hint) => ({
+        ...hint,
+        target: REDACTED_VALUE
+      })),
+      agent: {
+        ...machine.agent,
+        tailscale: redactPublicRecord(machine.agent.tailscale),
+        storage_sync_last_error: machine.agent.storage_sync_last_error ? redactFleetString(machine.agent.storage_sync_last_error) : null,
+        doctor_summary: redactPublicRecord(machine.agent.doctor_summary)
+      }
+    }))
+  };
+}
 function normalizeMachineAlias(value) {
   return value.trim().replace(/\.$/, "").toLowerCase();
 }
@@ -4984,6 +5131,20 @@ function resolveMachineRoute(machineId, options = {}) {
     warnings
   };
 }
+function redactRouteForOutput(route, options = {}) {
+  if (options.privateMetadata)
+    return route;
+  return {
+    ...route,
+    target: route.target ? REDACTED_VALUE : null,
+    command_target: route.command_target ? REDACTED_VALUE : null,
+    warnings: route.warnings.map(redactFleetString),
+    evidence: {
+      ...route.evidence,
+      selected_hint: route.evidence.selected_hint ? { ...route.evidence.selected_hint, target: REDACTED_VALUE } : null
+    }
+  };
+}
 function isRecord2(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -5783,6 +5944,298 @@ function diffMachines(leftMachineId, rightMachineId) {
   };
 }
 
+// src/commands/daemon.ts
+import { platform as osPlatform } from "os";
+var DEFAULT_SERVICE_NAME = "machines-agent";
+var DEFAULT_EXECUTABLE = "/usr/local/bin/machines-agent";
+var DEFAULT_INTERVAL_MS = 30000;
+var ENV_NAME_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+var SERVICE_NAME_PATTERN = /^[A-Za-z0-9_.-]+$/;
+function buildDaemonServicePlan(options) {
+  const resolved = resolveDaemonServiceOptions(options);
+  const files = resolved.action === "install" ? [buildServiceFile(resolved)] : [];
+  return {
+    platform: resolved.platform,
+    mode: resolved.mode,
+    action: resolved.action,
+    serviceName: resolved.serviceName,
+    serviceId: resolved.serviceId,
+    executable: resolved.executable,
+    intervalMs: resolved.intervalMs,
+    commands: buildActionCommands(resolved),
+    files,
+    warnings: resolved.warnings,
+    manualSteps: buildManualSteps(resolved, files)
+  };
+}
+function resolveDaemonServiceOptions(options) {
+  const warnings = [];
+  const serviceName = normalizeServiceName(options.serviceName, warnings);
+  const platform4 = normalizePlatform3(options.platform, warnings);
+  const mode = options.mode ?? "user";
+  const intervalMs = normalizeIntervalMs(options.intervalMs, warnings);
+  const executable = options.executable?.trim() || DEFAULT_EXECUTABLE;
+  if (platform4 === "linux" && !executable.startsWith("/")) {
+    warnings.push("systemd units should use an absolute executable path; install plan keeps the provided path unchanged.");
+  }
+  return {
+    action: options.action,
+    platform: platform4,
+    mode,
+    serviceName,
+    serviceId: serviceName,
+    executable,
+    intervalMs,
+    env: buildEnvironment(serviceName, options, warnings),
+    warnings
+  };
+}
+function normalizeServiceName(value, warnings) {
+  const serviceName = value?.trim() || DEFAULT_SERVICE_NAME;
+  if (SERVICE_NAME_PATTERN.test(serviceName))
+    return serviceName;
+  warnings.push(`Invalid serviceName "${serviceName}"; using ${DEFAULT_SERVICE_NAME}.`);
+  return DEFAULT_SERVICE_NAME;
+}
+function normalizePlatform3(value, warnings) {
+  const raw = value ?? osPlatform();
+  if (raw === "darwin" || raw === "macos")
+    return "macos";
+  if (raw === "linux")
+    return "linux";
+  warnings.push(`Unsupported platform "${raw}"; using linux service planning.`);
+  return "linux";
+}
+function normalizeIntervalMs(value, warnings) {
+  if (value === undefined)
+    return DEFAULT_INTERVAL_MS;
+  if (Number.isInteger(value) && value > 0)
+    return value;
+  warnings.push(`Invalid intervalMs "${String(value)}"; using ${DEFAULT_INTERVAL_MS}.`);
+  return DEFAULT_INTERVAL_MS;
+}
+function buildEnvironment(serviceName, options, warnings) {
+  const env = {
+    HASNA_MACHINES_AGENT_MODE: "daemon",
+    HASNA_MACHINES_AGENT_SERVICE: serviceName
+  };
+  if (options.storagePush) {
+    env["HASNA_MACHINES_AGENT_STORAGE_PUSH"] = "1";
+    env["HASNA_MACHINES_AGENT_STORAGE_PUSH_BACKOFF_MS"] = "250";
+    env["HASNA_MACHINES_AGENT_STORAGE_PUSH_RETRIES"] = "2";
+    env["HASNA_MACHINES_STORAGE_MODE"] = "hybrid";
+    env["HASNA_MACHINES_DATABASE_URL"] = placeholderForEnv("HASNA_MACHINES_DATABASE_URL");
+    warnings.push("storagePush is represented with env placeholders; no database URL is embedded in the plan.");
+  }
+  if (options.doctorSummary) {
+    env["HASNA_MACHINES_AGENT_DOCTOR_SUMMARY"] = "1";
+  }
+  if (options.privateMetadata === true) {
+    env["HASNA_MACHINES_PRIVATE_METADATA"] = "1";
+    warnings.push("privateMetadata=true enables private host/network facts in heartbeat rows; do not share private-mode output publicly.");
+  } else if (Array.isArray(options.privateMetadata)) {
+    addEnvPlaceholders(env, options.privateMetadata, warnings);
+  }
+  addEnvPlaceholders(env, options.env ?? [], warnings);
+  return Object.fromEntries(Object.entries(env).sort(([left], [right]) => left.localeCompare(right)));
+}
+function addEnvPlaceholders(env, names, warnings) {
+  for (const rawName of names) {
+    const name = rawName.trim();
+    if (!ENV_NAME_PATTERN.test(name)) {
+      warnings.push(`Invalid environment variable name "${rawName}"; skipped.`);
+      continue;
+    }
+    env[name] = placeholderForEnv(name);
+  }
+}
+function placeholderForEnv(name) {
+  return `<set:${name}>`;
+}
+function buildServiceFile(options) {
+  if (options.platform === "macos") {
+    return {
+      id: "launchd-plist",
+      description: "launchd property list for machines-agent",
+      path: launchdPlistPath(options),
+      mode: "0644",
+      content: launchdPlist(options)
+    };
+  }
+  return {
+    id: "systemd-unit",
+    description: "systemd unit for machines-agent",
+    path: systemdUnitPath(options),
+    mode: "0644",
+    content: systemdUnit(options)
+  };
+}
+function buildActionCommands(options) {
+  if (options.platform === "macos")
+    return buildLaunchdCommands(options);
+  return buildSystemdCommands(options);
+}
+function buildLaunchdCommands(options) {
+  const domain = launchdDomain(options);
+  const serviceTarget = `${domain}/${options.serviceId}`;
+  const plistPath = launchdPlistPath(options);
+  const sudo = options.mode === "system";
+  if (options.action === "install") {
+    return [
+      command("launchd-bootout-existing", "Unload any existing launchd job before bootstrap.", "launchctl", ["bootout", domain, plistPath], sudo, true, true),
+      command("launchd-bootstrap", "Load the planned launchd plist.", "launchctl", ["bootstrap", domain, plistPath], sudo, true),
+      command("launchd-enable", "Enable the launchd service.", "launchctl", ["enable", serviceTarget], sudo, true),
+      command("launchd-kickstart", "Start or restart the launchd service.", "launchctl", ["kickstart", "-k", serviceTarget], sudo, true)
+    ];
+  }
+  if (options.action === "uninstall") {
+    return [
+      command("launchd-bootout", "Unload the launchd job.", "launchctl", ["bootout", domain, plistPath], sudo, true),
+      command("remove-launchd-plist", "Remove the planned launchd plist file.", "rm", ["-f", plistPath], sudo, true)
+    ];
+  }
+  if (options.action === "restart") {
+    return [command("launchd-kickstart", "Restart the launchd service.", "launchctl", ["kickstart", "-k", serviceTarget], sudo, true)];
+  }
+  if (options.action === "status") {
+    return [command("launchd-print", "Print launchd service status.", "launchctl", ["print", serviceTarget], sudo, false)];
+  }
+  return [
+    command("launchd-logs", "Stream logs for machines-agent.", "log", ["stream", "--style", "compact", "--predicate", `process == "${basename(options.executable)}" OR eventMessage CONTAINS "${options.serviceId}"`], false, false)
+  ];
+}
+function buildSystemdCommands(options) {
+  const userFlag = options.mode === "user" ? ["--user"] : [];
+  const sudo = options.mode === "system";
+  const unitName = systemdUnitName(options);
+  const daemonReload = command("systemd-daemon-reload", "Reload systemd unit metadata.", "systemctl", [...userFlag, "daemon-reload"], sudo, true);
+  if (options.action === "install") {
+    return [
+      daemonReload,
+      command("systemd-enable-now", "Enable and start the systemd service.", "systemctl", [...userFlag, "enable", "--now", unitName], sudo, true)
+    ];
+  }
+  if (options.action === "uninstall") {
+    return [
+      command("systemd-disable-now", "Stop and disable the systemd service.", "systemctl", [...userFlag, "disable", "--now", unitName], sudo, true),
+      command("remove-systemd-unit", "Remove the planned systemd unit file.", "rm", ["-f", systemdUnitPath(options)], sudo, true),
+      daemonReload
+    ];
+  }
+  if (options.action === "restart") {
+    return [command("systemd-restart", "Restart the systemd service.", "systemctl", [...userFlag, "restart", unitName], sudo, true)];
+  }
+  if (options.action === "status") {
+    return [command("systemd-status", "Show systemd service status.", "systemctl", [...userFlag, "status", unitName, "--no-pager"], sudo, false)];
+  }
+  return [
+    command("systemd-logs", "Follow journal logs for the service.", "journalctl", [...userFlag, "-u", unitName, "-f", "--no-pager"], sudo, false)
+  ];
+}
+function buildManualSteps(options, files) {
+  const steps = [];
+  if (files[0])
+    steps.push(`Write ${files[0].id} content to ${files[0].path} with mode ${files[0].mode}.`);
+  if (options.mode === "system")
+    steps.push("Run commands marked sudo with root privileges.");
+  if (options.platform === "linux" && options.mode === "user") {
+    steps.push("Run commands as the target user; enable lingering separately if the service must survive logout.");
+  }
+  if (options.action === "logs")
+    steps.push("Stop the log command manually when finished.");
+  return steps;
+}
+function command(id, description, program, args, sudo, mutates, allowFailure = false) {
+  return { id, description, program, args, sudo, mutates, ...allowFailure ? { allowFailure: true } : {} };
+}
+function launchdPlist(options) {
+  const env = Object.entries(options.env).map(([name, value]) => `    <key>${xmlEscape(name)}</key>
+    <string>${xmlEscape(value)}</string>`).join(`
+`);
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${xmlEscape(options.serviceId)}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(options.executable)}</string>
+    <string>--interval-ms</string>
+    <string>${options.intervalMs}</string>
+  </array>
+  <key>EnvironmentVariables</key>
+  <dict>
+${env}
+  </dict>
+  <key>KeepAlive</key>
+  <true/>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${xmlEscape(launchdLogPath(options, "out"))}</string>
+  <key>StandardErrorPath</key>
+  <string>${xmlEscape(launchdLogPath(options, "err"))}</string>
+</dict>
+</plist>
+`;
+}
+function systemdUnit(options) {
+  const env = Object.entries(options.env).map(([name, value]) => `Environment=${quoteSystemdEnvironment(name, value)}`).join(`
+`);
+  return `[Unit]
+Description=Hasna machines agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${quoteSystemdExecArg(options.executable)} --interval-ms ${options.intervalMs}
+Restart=always
+RestartSec=10
+${env}
+
+[Install]
+WantedBy=${options.mode === "system" ? "multi-user.target" : "default.target"}
+`;
+}
+function launchdDomain(options) {
+  return options.mode === "system" ? "system" : "gui/$UID";
+}
+function launchdPlistPath(options) {
+  if (options.mode === "system")
+    return `/Library/LaunchDaemons/${options.serviceId}.plist`;
+  return `$HOME/Library/LaunchAgents/${options.serviceId}.plist`;
+}
+function launchdLogPath(options, stream) {
+  const fileName = `${options.serviceId}.${stream}.log`;
+  if (options.mode === "system")
+    return `/var/log/${fileName}`;
+  return `$HOME/Library/Logs/${fileName}`;
+}
+function systemdUnitName(options) {
+  return `${options.serviceId}.service`;
+}
+function systemdUnitPath(options) {
+  if (options.mode === "system")
+    return `/etc/systemd/system/${systemdUnitName(options)}`;
+  return `$HOME/.config/systemd/user/${systemdUnitName(options)}`;
+}
+function xmlEscape(value) {
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function quoteSystemdExecArg(value) {
+  if (/^[A-Za-z0-9_@%+=:,./-]+$/.test(value) && !value.includes("%"))
+    return value;
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%")}"`;
+}
+function quoteSystemdEnvironment(name, value) {
+  return `"${name}=${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%")}"`;
+}
+function basename(path) {
+  return path.split("/").filter(Boolean).at(-1) || path;
+}
+
 // src/commands/doctor.ts
 var DOCTOR_OPTIONAL_ADAPTER_DOMAINS = ["secrets", "configs", "monitor", "repos", "mcps", "shield"];
 function makeCheck(id, status, summary, detail, extra = {}) {
@@ -5873,14 +6326,20 @@ function runOptionalAdapterChecks(context, adapters) {
   }
   return checks;
 }
-function runDoctor(machineId = getLocalMachineId(), options = {}) {
+function runDoctor(machineId, options = {}) {
+  const implicitLocalMachine = !machineId;
+  const requestedMachineId = machineId ?? getLocalMachineId();
+  const reportedMachineId = implicitLocalMachine ? "local" : requestedMachineId;
   const now = options.now ?? new Date;
   const { manifest, info: manifestSource } = readManifestWithSource({ adapter: options.manifestAdapter ?? null });
-  const commandChecks = runMachineCommand(machineId, buildDoctorCommand());
+  const commandChecks = runMachineCommand(requestedMachineId, buildDoctorCommand());
   const details = parseKeyValueOutput(commandChecks.stdout);
-  const machineInManifest = manifest.machines.find((machine) => machine.id === machineId);
+  const machineInManifest = manifest.machines.find((machine) => machine.id === requestedMachineId);
+  const diagnosticMachine = machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null;
+  if (implicitLocalMachine && diagnosticMachine)
+    diagnosticMachine.id = reportedMachineId;
   const optionalAdapterChecks = options.includeOptionalAdapters === false ? [] : runOptionalAdapterChecks({
-    machineId,
+    machineId: requestedMachineId,
     manifest,
     manifestSource,
     commandDetails: details,
@@ -5896,10 +6355,10 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
       },
       remediation: manifestSource.warnings.length > 0 ? ["Provide a private manifest adapter or unset the private manifest ref to use the local manifest only."] : undefined
     }),
-    makeCheck("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", machineInManifest ? JSON.stringify(redactManifestForDiagnostics(machineInManifest)) : `No manifest entry for ${machineId}`, {
+    makeCheck("manifest-entry", machineInManifest ? "ok" : "warn", machineInManifest ? "Machine exists in manifest" : "Machine missing from manifest", diagnosticMachine ? JSON.stringify(diagnosticMachine) : `No manifest entry for ${reportedMachineId}`, {
       data: {
         declared: Boolean(machineInManifest),
-        machine: machineInManifest ? redactManifestForDiagnostics(machineInManifest) : null
+        machine: diagnosticMachine
       }
     }),
     makeCheck("data-dir", details["data_dir_exists"] === "yes" ? "ok" : "warn", "Data directory check", `${redactPath(details["data_dir"] || "unknown")} ${details["data_dir_exists"] === "yes" ? "exists" : "missing"}`, {
@@ -5950,7 +6409,7 @@ function runDoctor(machineId = getLocalMachineId(), options = {}) {
     ...optionalAdapterChecks
   ];
   return {
-    machineId,
+    machineId: reportedMachineId,
     source: commandChecks.source,
     schemaVersion: 1,
     generatedAt: now.toISOString(),
@@ -6197,8 +6656,8 @@ ${message}
     };
   }
   if (hasCommand2("mail")) {
-    const command = `printf %s ${shellQuote5(message)} | mail -s ${shellQuote5(subject)} ${shellQuote5(channel.target)}`;
-    const result = Bun.spawnSync(["bash", "-lc", command], {
+    const command2 = `printf %s ${shellQuote5(message)} | mail -s ${shellQuote5(subject)} ${shellQuote5(channel.target)}`;
+    const result = Bun.spawnSync(["bash", "-lc", command2], {
       stdout: "pipe",
       stderr: "pipe",
       env: process.env
@@ -6422,8 +6881,8 @@ function listPorts(machineId) {
   const targetMachineId = machineId || getLocalMachineId();
   const isLocal = targetMachineId === getLocalMachineId();
   const localCommand = "if command -v ss >/dev/null 2>&1; then ss -ltnpH; else lsof -nP -iTCP -sTCP:LISTEN; fi";
-  const command = isLocal ? localCommand : buildSshCommand(targetMachineId, localCommand);
-  const result = spawnSync3("bash", ["-lc", command], { encoding: "utf8" });
+  const command2 = isLocal ? localCommand : buildSshCommand(targetMachineId, localCommand);
+  const result = spawnSync3("bash", ["-lc", command2], { encoding: "utf8" });
   if (result.status !== 0) {
     throw new Error(result.stderr || `Failed to list ports for ${targetMachineId}`);
   }
@@ -6437,1160 +6896,1313 @@ function listPorts(machineId) {
 // src/commands/serve.ts
 import { EventsClient, sanitizeChannelsForOutput } from "@hasna/events";
 
-// src/commands/manifest.ts
-function manifestList() {
-  return readManifest();
-}
-function manifestAdd(machine) {
-  const validatedMachine = machineSchema.parse(machine);
-  const manifest = readManifest();
-  const nextMachines = manifest.machines.filter((entry) => entry.id !== validatedMachine.id);
-  nextMachines.push(validatedMachine);
-  const nextManifest = { ...manifest, machines: nextMachines };
-  writeManifest(nextManifest);
-  return nextManifest;
-}
-function manifestBootstrapCurrentMachine() {
-  return manifestAdd(detectCurrentMachineManifest());
-}
-function manifestGet(machineId) {
-  return getManifestMachine(machineId);
+// src/agent/runtime.ts
+import { arch as arch3, hostname as hostname6, platform as platform4, release, uptime, version as osVersion } from "os";
+
+// src/pg-migrations.ts
+var PG_MIGRATIONS = [
+  `
+  CREATE TABLE IF NOT EXISTS agent_heartbeats (
+    machine_id TEXT NOT NULL,
+    pid INTEGER NOT NULL,
+    status TEXT NOT NULL,
+    updated_at TIMESTAMPTZ NOT NULL,
+    daemon_version TEXT,
+    agent_mode TEXT,
+    platform TEXT,
+    os_version TEXT,
+    os_build TEXT,
+    arch TEXT,
+    uptime_seconds INTEGER,
+    tool_versions_json TEXT,
+    tailscale_json TEXT,
+    storage_sync_status TEXT,
+    storage_sync_last_error TEXT,
+    doctor_summary_json TEXT,
+    private_metadata INTEGER NOT NULL DEFAULT 0,
+    PRIMARY KEY (machine_id, pid)
+  );
+
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS daemon_version TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS agent_mode TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS platform TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS os_version TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS os_build TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS arch TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS uptime_seconds INTEGER;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS tool_versions_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS tailscale_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS storage_sync_status TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS storage_sync_last_error TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS doctor_summary_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS private_metadata INTEGER NOT NULL DEFAULT 0;
+
+  CREATE TABLE IF NOT EXISTS setup_runs (
+    id TEXT PRIMARY KEY,
+    machine_id TEXT NOT NULL,
+    status TEXT NOT NULL,
+    details_json TEXT NOT NULL DEFAULT '[]',
+    created_at TIMESTAMPTZ NOT NULL,
+    updated_at TIMESTAMPTZ NOT NULL
+  );
+
+  CREATE TABLE IF NOT EXISTS sync_runs (
+    id TEXT PRIMARY KEY,
+    machine_id TEXT NOT NULL,
+    status TEXT NOT NULL,
+    actions_json TEXT NOT NULL DEFAULT '[]',
+    created_at TIMESTAMPTZ NOT NULL,
+    updated_at TIMESTAMPTZ NOT NULL
+  );
+  `
+];
+
+// src/remote-storage.ts
+import pg from "pg";
+function translatePlaceholders(sql) {
+  let index = 0;
+  return sql.replace(/\?/g, () => `$${++index}`);
 }
-function manifestRemove(machineId) {
-  const manifest = readManifest();
-  const nextManifest = {
-    ...manifest,
-    machines: manifest.machines.filter((machine) => machine.id !== machineId)
-  };
-  writeManifest(nextManifest);
-  return nextManifest;
+function normalizeParams(params) {
+  const flat = params.length === 1 && Array.isArray(params[0]) ? params[0] : params;
+  return flat.map((value) => value === undefined ? null : value);
 }
-function manifestValidate() {
-  return validateManifest(getManifestPath());
+function sslConfigFor(connectionString) {
+  let url;
+  try {
+    url = new URL(connectionString);
+  } catch {
+    return;
+  }
+  const sslMode = url.searchParams.get("sslmode")?.toLowerCase();
+  const ssl = url.searchParams.get("ssl")?.toLowerCase();
+  if (sslMode === "disable" || ssl === "false")
+    return;
+  if (sslMode === "no-verify" || process.env["HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED"] === "0") {
+    return { rejectUnauthorized: false };
+  }
+  return sslMode || ssl === "true" ? { rejectUnauthorized: true } : undefined;
 }
 
-// src/commands/status.ts
-function getStatus() {
-  const manifest = readManifest();
-  const heartbeats = listHeartbeats();
-  const heartbeatByMachine = new Map(heartbeats.map((heartbeat) => [heartbeat.machine_id, heartbeat]));
-  const machineIds = new Set([
-    ...manifest.machines.map((machine) => machine.id),
-    ...heartbeats.map((heartbeat) => heartbeat.machine_id)
-  ]);
-  return {
-    machineId: getLocalMachineId(),
-    manifestPath: getManifestPath(),
-    dbPath: getDbPath(),
-    notificationsPath: getNotificationsPath(),
-    manifestMachineCount: manifest.machines.length,
-    heartbeatCount: heartbeats.length,
-    machines: [...machineIds].sort().map((machineId) => {
-      const declared = manifest.machines.find((machine) => machine.id === machineId);
-      const heartbeat = heartbeatByMachine.get(machineId);
-      return {
-        machineId,
-        platform: declared?.platform,
-        manifestDeclared: Boolean(declared),
-        heartbeatStatus: heartbeat?.status || "unknown",
-        lastHeartbeatAt: heartbeat?.updated_at
-      };
-    }),
-    recentSetupRuns: countRuns("setup_runs"),
-    recentSyncRuns: countRuns("sync_runs")
-  };
+class PgAdapterAsync {
+  pool;
+  constructor(connectionString) {
+    this.pool = new pg.Pool({ connectionString, ssl: sslConfigFor(connectionString) });
+  }
+  async run(sql, ...params) {
+    const result = await this.pool.query(translatePlaceholders(sql), normalizeParams(params));
+    return { changes: result.rowCount ?? 0 };
+  }
+  async all(sql, ...params) {
+    const result = await this.pool.query(translatePlaceholders(sql), normalizeParams(params));
+    return result.rows;
+  }
+  async close() {
+    await this.pool.end();
+  }
 }
 
-// src/commands/self-test.ts
-function check(id, status, summary, detail) {
-  return { id, status, summary, detail };
+// src/storage-sync.ts
+var STORAGE_TABLES = [
+  "agent_heartbeats",
+  "setup_runs",
+  "sync_runs"
+];
+var MACHINES_STORAGE_ENV = "HASNA_MACHINES_DATABASE_URL";
+var MACHINES_STORAGE_FALLBACK_ENV = "MACHINES_DATABASE_URL";
+var MACHINES_STORAGE_MODE_ENV = "HASNA_MACHINES_STORAGE_MODE";
+var MACHINES_STORAGE_MODE_FALLBACK_ENV = "MACHINES_STORAGE_MODE";
+var STORAGE_DATABASE_ENV = [MACHINES_STORAGE_ENV, MACHINES_STORAGE_FALLBACK_ENV];
+var PRIMARY_KEYS = {
+  agent_heartbeats: ["machine_id", "pid"],
+  setup_runs: ["id"],
+  sync_runs: ["id"]
+};
+function readEnv2(name) {
+  const value = process.env[name]?.trim();
+  return value || undefined;
 }
-function runSelfTest() {
-  const version = getPackageVersion();
-  const status = getStatus();
-  const doctor = runDoctor();
-  const serveInfo = getServeInfo();
-  const html = renderDashboardHtml();
-  const notifications = listNotificationChannels();
-  const apps = listApps(status.machineId);
-  const appsDiff = diffApps(status.machineId);
-  const cliPlan = buildClaudeInstallPlan(status.machineId);
-  return {
-    machineId: getLocalMachineId(),
-    checks: [
-      check("package-version", version === "0.0.0" ? "fail" : "ok", "Package version resolves", version),
-      check("status", "ok", "Status loads", JSON.stringify({ machines: status.manifestMachineCount, heartbeats: status.heartbeatCount })),
-      check("doctor", doctor.checks.some((entry) => entry.status === "fail") ? "warn" : "ok", "Doctor completed", `${doctor.checks.length} checks`),
-      check("serve-info", "ok", "Dashboard info renders", `${serveInfo.url} routes=${serveInfo.routes.length}`),
-      check("dashboard-html", html.includes("Machines Dashboard") ? "ok" : "fail", "Dashboard HTML renders", html.slice(0, 80)),
-      check("notifications", "ok", "Notifications config loads", `${notifications.channels.length} channels`),
-      check("apps", "ok", "Apps manifest loads", `${apps.apps.length} apps`),
-      check("apps-diff", appsDiff.missing.length === 0 ? "ok" : "warn", "Apps diff computed", `missing=${appsDiff.missing.length} installed=${appsDiff.installed.length}`),
-      check("install-claude-plan", cliPlan.steps.length > 0 ? "ok" : "warn", "Install plan renders", `${cliPlan.steps.length} steps`)
-    ]
-  };
+function normalizeStorageMode(value) {
+  const normalized = value?.trim().toLowerCase();
+  if (normalized === "local" || normalized === "hybrid" || normalized === "remote")
+    return normalized;
+  return;
 }
-
-// src/commands/serve.ts
-function escapeHtml(value) {
-  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
+function getStorageDatabaseEnvName() {
+  for (const name of STORAGE_DATABASE_ENV) {
+    if (readEnv2(name))
+      return name;
+  }
+  return null;
 }
-function getServeInfo(options = {}) {
-  const host = options.host || "0.0.0.0";
-  const port = options.port || 7676;
+function getStorageDatabaseEnv() {
+  const name = getStorageDatabaseEnvName();
+  return name ? { name } : null;
+}
+function getStorageDatabaseUrl() {
+  const env = getStorageDatabaseEnv();
+  return env ? readEnv2(env.name) ?? null : null;
+}
+function getStorageMode() {
+  const mode = normalizeStorageMode(readEnv2(MACHINES_STORAGE_MODE_ENV)) ?? normalizeStorageMode(readEnv2(MACHINES_STORAGE_MODE_FALLBACK_ENV));
+  if (mode)
+    return mode;
+  return getStorageDatabaseUrl() ? "hybrid" : "local";
+}
+async function getStoragePg() {
+  const url = getStorageDatabaseUrl();
+  if (!url) {
+    throw new Error("Missing HASNA_MACHINES_DATABASE_URL or MACHINES_DATABASE_URL");
+  }
+  return new PgAdapterAsync(url);
+}
+async function runStorageMigrations(remote) {
+  for (const sql of PG_MIGRATIONS)
+    await remote.run(sql);
+}
+async function storagePush(options) {
+  const remote = await getStoragePg();
+  const db = getDb();
+  try {
+    await runStorageMigrations(remote);
+    const results = [];
+    for (const table of resolveTables(options?.tables)) {
+      results.push(await pushTable(db, remote, table));
+    }
+    recordSyncMeta(db, "push", results);
+    return results;
+  } finally {
+    await remote.close();
+  }
+}
+async function storagePull(options) {
+  const remote = await getStoragePg();
+  const db = getDb();
+  try {
+    await runStorageMigrations(remote);
+    const results = [];
+    for (const table of resolveTables(options?.tables)) {
+      results.push(await pullTable(remote, db, table));
+    }
+    recordSyncMeta(db, "pull", results);
+    return results;
+  } finally {
+    await remote.close();
+  }
+}
+async function storageSync(options) {
+  const pull = await storagePull(options);
+  const push = await storagePush(options);
+  return { pull, push };
+}
+function getSyncMetaAll() {
+  const db = getDb();
+  ensureSyncMetaTable(db);
+  return db.query("SELECT table_name, last_synced_at, direction FROM _machines_sync_meta ORDER BY table_name, direction").all();
+}
+function getStorageStatus() {
+  const activeEnv = getStorageDatabaseEnv();
   return {
-    host,
-    port,
-    url: `http://${host}:${port}`,
-    routes: [
-      "/",
-      "/health",
-      "/api/status",
-      "/api/manifest",
-      "/api/notifications",
-      "/api/webhooks",
-      "/api/events",
-      "/api/doctor",
-      "/api/self-test",
-      "/api/apps/status",
-      "/api/apps/diff",
-      "/api/install-claude/status",
-      "/api/install-claude/diff",
-      "/api/notifications/test",
-      "/api/webhooks/test"
-    ]
+    configured: Boolean(activeEnv),
+    mode: getStorageMode(),
+    env: STORAGE_DATABASE_ENV,
+    activeEnv: activeEnv?.name ?? null,
+    service: "machines",
+    tables: STORAGE_TABLES,
+    sync: getSyncMetaAll()
   };
 }
-function renderDashboardHtml() {
-  const status = getStatus();
-  const manifest = manifestList();
-  const notifications = listNotificationChannels();
-  const doctor = runDoctor();
-  return `<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>Machines Dashboard</title>
-    <style>
-      :root { color-scheme: dark; font-family: Inter, system-ui, sans-serif; }
-      body { margin: 0; background: #0b1020; color: #e5ecff; }
-      main { max-width: 1120px; margin: 0 auto; padding: 32px 20px 48px; }
-      h1, h2 { margin: 0 0 16px; }
-      .grid { display: grid; gap: 16px; grid-template-columns: repeat(auto-fit, minmax(240px, 1fr)); }
-      .card { background: #121933; border: 1px solid #243057; border-radius: 16px; padding: 20px; }
-      .stat { font-size: 32px; font-weight: 700; margin-top: 8px; }
-      table { width: 100%; border-collapse: collapse; }
-      th, td { text-align: left; padding: 10px 8px; border-bottom: 1px solid #243057; vertical-align: top; }
-      code { color: #9ed0ff; }
-      .badge { display: inline-block; border-radius: 999px; padding: 4px 10px; font-size: 12px; }
-      .online, .ok { background: #12351f; color: #74f0a7; }
-      .offline, .fail { background: #3b1a1a; color: #ff8c8c; }
-      .unknown, .warn { background: #2f2b16; color: #ffd76a; }
-      ul { margin: 8px 0 0; padding-left: 18px; }
-      .muted { color: #9fb0d9; }
-      .refresh { font-size: 12px; color: #6b7fa3; margin-left: auto; }
-      .updated { transition: opacity 0.3s; }
-    </style>
-  </head>
-  <body>
-    <main>
-      <h1>Machines Dashboard <span class="refresh" id="last-updated"></span></h1>
-      <div class="grid">
-        <section class="card"><div>Manifest machines</div><div class="stat">${status.manifestMachineCount}</div></section>
-        <section class="card"><div>Heartbeats</div><div class="stat">${status.heartbeatCount}</div></section>
-        <section class="card"><div>Notification channels</div><div class="stat">${notifications.channels.length}</div></section>
-        <section class="card"><div>Doctor warnings</div><div class="stat">${doctor.checks.filter((entry) => entry.status !== "ok").length}</div></section>
-      </div>
-
-      <section class="card" style="margin-top:16px">
-        <h2>Machines</h2>
-        <table>
-          <thead><tr><th>ID</th><th>Platform</th><th>Status</th><th>Last heartbeat</th></tr></thead>
-          <tbody>
-            ${status.machines.map((machine) => `<tr>
-              <td><code>${escapeHtml(machine.machineId)}</code></td>
-              <td>${escapeHtml(machine.platform || "unknown")}</td>
-              <td><span class="badge ${escapeHtml(machine.heartbeatStatus)}">${escapeHtml(machine.heartbeatStatus)}</span></td>
-              <td>${escapeHtml(machine.lastHeartbeatAt || "\u2014")}</td>
-            </tr>`).join("")}
-          </tbody>
-        </table>
-      </section>
-
-      <section class="card" style="margin-top:16px">
-        <h2>Doctor</h2>
-        <table>
-          <thead><tr><th>Check</th><th>Status</th><th>Detail</th></tr></thead>
-          <tbody id="doctor-tbody">
-            ${doctor.checks.map((entry) => `<tr>
-              <td>${escapeHtml(entry.summary)}</td>
-              <td><span class="badge ${escapeHtml(entry.status)}">${escapeHtml(entry.status)}</span></td>
-              <td class="muted">${escapeHtml(entry.detail)}</td>
-            </tr>`).join("")}
-          </tbody>
-        </table>
-      </section>
-
-      <section class="card" style="margin-top:16px">
-        <h2>Apps</h2>
-        <p class="muted">Use <code>/api/apps/status</code> for the full app inventory payload.</p>
-      </section>
-
-      <section class="card" style="margin-top:16px">
-        <h2>AI CLIs</h2>
-        <p class="muted">Use <code>/api/install-claude/status</code> for the full CLI inventory payload.</p>
-      </section>
-
-      <section class="card" style="margin-top:16px">
-        <h2>Self Test</h2>
-        <p class="muted">Use <code>/api/self-test</code> for the full smoke-check payload.</p>
-      </section>
-
-      <section class="card" style="margin-top:16px">
-        <h2>Manifest</h2>
-        <pre id="manifest-json">${escapeHtml(JSON.stringify(manifest, null, 2))}</pre>
-      </section>
-    </main>
-    <script>
-      // Auto-refresh dashboard data every 15s
-      const REFRESH_INTERVAL = 15000;
-      async function refreshData() {
-        try {
-          const [statusRes, doctorRes] = await Promise.all([
-            fetch("/api/status"),
-            fetch("/api/doctor"),
-          ]);
-          const status = await statusRes.json();
-          const doctor = await doctorRes.json();
-
-          // Update stat cards
-          const stats = document.querySelectorAll(".stat");
-          if (stats[0]) stats[0].textContent = status.manifestMachineCount;
-          if (stats[1]) stats[1].textContent = status.heartbeatCount;
-
-          // Update machine table
-          const tbody = document.querySelector("tbody");
-          if (tbody && status.machines) {
-            tbody.innerHTML = status.machines
-              .map((m) =>
-                "<tr>" +
-                "<td><code>" + m.machineId + "</code></td>" +
-                "<td>" + (m.platform || "unknown") + "</td>" +
-                '<td><span class="badge ' + m.heartbeatStatus + '">' + m.heartbeatStatus + '</span></td>' +
-                "<td>" + (m.lastHeartbeatAt || "\\u2014") + "</td>" +
-                "</tr>"
-              )
-              .join("");
-          }
-
-          // Update doctor table
-          const doctorTbody = document.getElementById("doctor-tbody");
-          if (doctorTbody && doctor.checks) {
-            doctorTbody.innerHTML = doctor.checks
-              .map((c) =>
-                "<tr>" +
-                "<td>" + c.summary + "</td>" +
-                '<td><span class="badge ' + c.status + '">' + c.status + '</span></td>' +
-                '<td class="muted">' + c.detail + "</td>" +
-                "</tr>"
-              )
-              .join("");
-          }
-
-          // Update timestamp
-          document.getElementById("last-updated").textContent =
-            "updated " + new Date().toLocaleTimeString();
-        } catch (e) {
-          // Silently ignore fetch errors during page unload
-        }
-      }
-      document.getElementById("last-updated").textContent =
-        "updated " + new Date().toLocaleTimeString();
-      setInterval(refreshData, REFRESH_INTERVAL);
-    </script>
-  </body>
-</html>`;
+function resolveTables(tables) {
+  if (!tables || tables.length === 0)
+    return [...STORAGE_TABLES];
+  const allowed = new Set(STORAGE_TABLES);
+  const requested = tables.map((table) => table.trim()).filter(Boolean);
+  const invalid = requested.filter((table) => !allowed.has(table));
+  if (invalid.length > 0)
+    throw new Error(`Unknown machines storage table(s): ${invalid.join(", ")}`);
+  return requested;
 }
-
-// src/commands/setup.ts
-import { homedir as homedir4 } from "os";
-function quote3(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
+async function pushTable(db, remote, table) {
+  const result = { table, rowsRead: 0, rowsWritten: 0, errors: [] };
+  try {
+    if (!tableExists(db, table))
+      return result;
+    const rows = db.query(`SELECT * FROM ${quoteIdent(table)}`).all();
+    result.rowsRead = rows.length;
+    if (rows.length === 0)
+      return result;
+    const remoteColumns = await getRemoteColumns(remote, table);
+    const columns = filterRemoteColumns(remoteColumns, Object.keys(rows[0]));
+    result.rowsWritten = await upsertPg(remote, table, columns, rows);
+  } catch (error) {
+    result.errors.push(error instanceof Error ? error.message : String(error));
+  }
+  return result;
 }
-function buildBaseSteps(machine) {
-  const steps = [
-    {
-      id: "workspace",
-      title: "Ensure workspace directory exists",
-      command: `mkdir -p ${quote3(machine.workspacePath)}`,
-      manager: "shell"
-    },
-    {
-      id: "bun",
-      title: "Install Bun if missing",
-      command: "command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash",
-      manager: "shell"
-    }
-  ];
-  if (machine.platform === "linux") {
-    steps.push({
-      id: "apt-base",
-      title: "Install core Linux tooling",
-      command: "sudo apt-get update && sudo apt-get install -y git curl unzip build-essential",
-      manager: "apt",
-      privileged: true
-    });
-    steps.push({
-      id: "linux-update-downloads",
-      title: "Enable Linux package list refresh and download-only upgrades",
-      command: `printf '%s\\n' 'APT::Periodic::Update-Package-Lists "1";' 'APT::Periodic::Download-Upgradeable-Packages "1";' 'APT::Periodic::Unattended-Upgrade "0";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null`,
-      manager: "apt",
-      privileged: true
-    });
-  } else if (machine.platform === "macos") {
-    steps.push({
-      id: "brew-base",
-      title: "Install Homebrew if missing",
-      command: 'command -v brew >/dev/null 2>&1 || /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
-      manager: "brew"
-    });
-    steps.push({
-      id: "brew-core",
-      title: "Install core macOS tooling",
-      command: "brew install git coreutils",
-      manager: "brew"
-    });
-    steps.push({
-      id: "macos-update-downloads",
-      title: "Enable macOS update checks and downloads without automatic install",
-      command: "sudo softwareupdate --schedule on && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -int 0",
-      manager: "custom",
-      privileged: true
-    });
-    steps.push({
-      id: "macos-management-readiness",
-      title: "Report Apple management readiness without enrolling devices",
-      command: "profiles status -type enrollment 2>/dev/null || true",
-      manager: "custom"
-    });
+async function pullTable(remote, db, table) {
+  const result = { table, rowsRead: 0, rowsWritten: 0, errors: [] };
+  try {
+    if (!tableExists(db, table))
+      return result;
+    const rows = await remote.all(`SELECT * FROM ${quoteIdent(table)}`);
+    result.rowsRead = rows.length;
+    if (rows.length === 0)
+      return result;
+    const columns = filterLocalColumns(db, table, Object.keys(rows[0]));
+    result.rowsWritten = upsertSqlite(db, table, columns, rows);
+  } catch (error) {
+    result.errors.push(error instanceof Error ? error.message : String(error));
   }
-  steps.push({
-    id: "github-app-auth-readiness",
-    title: "Check GitHub CLI/App auth readiness without printing credentials",
-    command: "command -v gh >/dev/null 2>&1 && gh auth status >/dev/null 2>&1 || true",
-    manager: "custom"
+  return result;
+}
+async function getRemoteColumns(remote, table) {
+  const rows = await remote.all("SELECT column_name FROM information_schema.columns WHERE table_schema = 'public' AND table_name = ?", table);
+  return new Set(rows.map((row) => row.column_name));
+}
+function filterRemoteColumns(remoteColumns, columns) {
+  if (remoteColumns.size === 0)
+    return columns;
+  return columns.filter((column) => remoteColumns.has(column));
+}
+function filterLocalColumns(db, table, columns) {
+  const rows = db.query(`PRAGMA table_info(${quoteIdent(table)})`).all();
+  const allowed = new Set(rows.map((row) => row.name));
+  return columns.filter((column) => allowed.has(column));
+}
+async function upsertPg(remote, table, columns, rows) {
+  if (columns.length === 0)
+    return 0;
+  const primaryKeys = PRIMARY_KEYS[table];
+  const columnList = columns.map(quoteIdent).join(", ");
+  const placeholders = columns.map(() => "?").join(", ");
+  const keyList = primaryKeys.map(quoteIdent).join(", ");
+  const updateColumns = columns.filter((column) => !primaryKeys.includes(column));
+  const fallbackKey = primaryKeys[0];
+  const setClause = updateColumns.length > 0 ? updateColumns.map((column) => `${quoteIdent(column)} = EXCLUDED.${quoteIdent(column)}`).join(", ") : `${quoteIdent(fallbackKey)} = EXCLUDED.${quoteIdent(fallbackKey)}`;
+  for (const row of rows) {
+    await remote.run(`INSERT INTO ${quoteIdent(table)} (${columnList}) VALUES (${placeholders})
+       ON CONFLICT (${keyList}) DO UPDATE SET ${setClause}`, ...columns.map((column) => coerceForPg(row[column])));
+  }
+  return rows.length;
+}
+function upsertSqlite(db, table, columns, rows) {
+  if (columns.length === 0)
+    return 0;
+  const primaryKeys = PRIMARY_KEYS[table];
+  const columnList = columns.map(quoteIdent).join(", ");
+  const placeholders = columns.map(() => "?").join(", ");
+  const keyList = primaryKeys.map(quoteIdent).join(", ");
+  const updateColumns = columns.filter((column) => !primaryKeys.includes(column));
+  const fallbackKey = primaryKeys[0];
+  const setClause = updateColumns.length > 0 ? updateColumns.map((column) => `${quoteIdent(column)} = excluded.${quoteIdent(column)}`).join(", ") : `${quoteIdent(fallbackKey)} = excluded.${quoteIdent(fallbackKey)}`;
+  const statement = db.query(`INSERT INTO ${quoteIdent(table)} (${columnList}) VALUES (${placeholders})
+     ON CONFLICT (${keyList}) DO UPDATE SET ${setClause}`);
+  const insert = db.transaction((batch) => {
+    for (const row of batch)
+      statement.run(...columns.map((column) => coerceForSqlite(row[column])));
   });
-  return steps;
+  insert(rows);
+  return rows.length;
 }
-function buildPackageSteps(machine) {
-  return (machine.packages || []).map((pkg, index) => {
-    const manager = pkg.manager || (machine.platform === "macos" ? "brew" : "apt");
-    let command = pkg.name;
-    if (manager === "bun") {
-      command = `bun install -g ${quote3(pkg.name)}`;
-    } else if (manager === "brew") {
-      command = `brew install ${quote3(pkg.name)}`;
-    } else if (manager === "apt") {
-      command = `sudo apt-get install -y ${quote3(pkg.name)}`;
-    }
-    return {
-      id: `package-${index + 1}`,
-      title: `Install package ${pkg.name}`,
-      command,
-      manager,
-      privileged: manager === "apt"
-    };
-  });
+function recordSyncMeta(db, direction, results) {
+  ensureSyncMetaTable(db);
+  const now = new Date().toISOString();
+  const statement = db.query(`
+    INSERT INTO _machines_sync_meta (table_name, last_synced_at, direction)
+    VALUES (?, ?, ?)
+    ON CONFLICT(table_name, direction) DO UPDATE SET last_synced_at = excluded.last_synced_at
+  `);
+  for (const result of results) {
+    if (result.errors.length > 0)
+      continue;
+    statement.run(result.table, now, direction);
+  }
 }
-function buildSetupPlan(machineId) {
-  const manifest = readManifest();
-  const currentMachineId = getLocalMachineId();
-  const selected = machineId ? manifest.machines.find((machine) => machine.id === machineId) : manifest.machines.find((machine) => machine.id === currentMachineId);
-  if (machineId && !selected) {
-    throw new Error(`Machine not found in manifest: ${machineId}`);
+function ensureSyncMetaTable(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS _machines_sync_meta (
+      table_name TEXT NOT NULL,
+      last_synced_at TEXT,
+      direction TEXT NOT NULL CHECK(direction IN ('push', 'pull')),
+      PRIMARY KEY (table_name, direction)
+    )
+  `);
+}
+function tableExists(db, table) {
+  const row = db.query("SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?").get(table);
+  return Boolean(row);
+}
+function quoteIdent(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
+}
+function coerceForPg(value) {
+  if (value === undefined || value === null)
+    return null;
+  if (value instanceof Date)
+    return value.toISOString();
+  if (Buffer.isBuffer(value) || value instanceof Uint8Array)
+    return value;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return value;
+}
+function coerceForSqlite(value) {
+  if (value === undefined || value === null)
+    return null;
+  if (typeof value === "string" || typeof value === "number" || typeof value === "bigint" || typeof value === "boolean")
+    return value;
+  if (value instanceof Date)
+    return value.toISOString();
+  if (Buffer.isBuffer(value) || value instanceof Uint8Array)
+    return value;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return String(value);
+}
+
+// src/agent/runtime.ts
+function parseJsonObject(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
   }
-  const target = selected || {
-    id: currentMachineId,
-    platform: "linux",
-    workspacePath: `${homedir4()}/workspace`
-  };
-  const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
+}
+function heartbeatToStatus(heartbeat, options = {}) {
+  const privateMetadata = options.privateMetadata === true;
+  const tailscale = parseJsonObject(heartbeat.tailscale_json);
+  const doctorSummary = parseJsonObject(heartbeat.doctor_summary_json);
   return {
-    machineId: target.id,
-    mode: "plan",
-    steps,
-    executed: 0
+    machineId: heartbeat.machine_id,
+    pid: heartbeat.pid,
+    status: heartbeat.status,
+    updatedAt: heartbeat.updated_at,
+    daemonVersion: heartbeat.daemon_version,
+    agentMode: heartbeat.agent_mode,
+    platform: heartbeat.platform,
+    osVersion: heartbeat.os_version,
+    osBuild: heartbeat.os_build,
+    arch: heartbeat.arch,
+    uptimeSeconds: heartbeat.uptime_seconds,
+    toolVersions: sanitizeRecord(parseJsonObject(heartbeat.tool_versions_json) ?? {}, privateMetadata),
+    tailscale: tailscale ? sanitizeRecord(tailscale, privateMetadata) : null,
+    storageSyncStatus: heartbeat.storage_sync_status,
+    storageSyncLastError: heartbeat.storage_sync_last_error ? sanitizeStorageError(heartbeat.storage_sync_last_error, privateMetadata) : null,
+    doctorSummary: doctorSummary ? sanitizeRecord(doctorSummary, privateMetadata) : null,
+    privateMetadata: Boolean(heartbeat.private_metadata)
   };
 }
-function runSetup(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildSetupPlan(machineId);
-  if (!options.apply) {
-    return plan;
-  }
-  if (!options.yes) {
-    throw new Error("Setup execution requires --yes.");
-  }
-  let executed = 0;
-  for (const step of plan.steps) {
-    const result = runner(plan.machineId, step.command);
-    if (result.exitCode !== 0) {
-      recordSetupRun(plan.machineId, "failed", {
-        executed,
-        failedStep: step,
-        stderr: result.stderr,
-        stdout: result.stdout,
-        exitCode: result.exitCode,
-        source: result.source
-      });
-      throw new Error(describeMachineCommandFailure(`Setup step ${step.id}`, result));
+function sanitizePublicString(value, privateMetadata = false) {
+  if (privateMetadata)
+    return value;
+  let redacted = value;
+  const localHostname = hostname6();
+  const localUser = process.env["USER"] || process.env["LOGNAME"] || process.env["USERNAME"];
+  if (localHostname)
+    redacted = redacted.replaceAll(localHostname, "[redacted-host]");
+  if (localUser)
+    redacted = redacted.replaceAll(localUser, "[redacted-user]");
+  return redactErrorMessage(redacted.replace(/[a-z][a-z0-9+.-]*:\/\/[^\s'")]+/gi, (match) => {
+    const scheme = match.match(/^([a-z][a-z0-9+.-]*:\/\/)/i)?.[1] ?? "";
+    return `${scheme}[redacted]`;
+  }).replace(/\b10(?:\.\d{1,3}){3}\b/g, "[redacted-ip]").replace(/\b172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b192\.168(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7])(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b(password|passwd|token|secret|api[_-]?key)=([^&\s]+)/gi, "$1=[redacted]"));
+}
+function sanitizeValue(value, privateMetadata) {
+  if (typeof value === "string")
+    return sanitizePublicString(value, privateMetadata);
+  if (Array.isArray(value))
+    return value.map((entry) => sanitizeValue(entry, privateMetadata));
+  if (value && typeof value === "object")
+    return sanitizeRecord(value, privateMetadata);
+  return value;
+}
+function sanitizeRecord(value, privateMetadata) {
+  const sanitized = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (!privateMetadata && /(hostname|hostName|user|username|serial|dnsName|ip|ips|databaseUrl|url|token|secret|password|credential)/i.test(key)) {
+      sanitized[key] = "[redacted]";
+      continue;
     }
-    executed += 1;
+    sanitized[key] = sanitizeValue(entry, privateMetadata);
   }
-  const summary = {
-    machineId: plan.machineId,
-    mode: "apply",
-    steps: plan.steps,
-    executed
-  };
-  recordSetupRun(plan.machineId, "completed", summary);
-  return summary;
+  return sanitized;
+}
+function sanitizeStorageError(message, privateMetadata) {
+  return privateMetadata ? message : redactErrorMessage(message);
+}
+function getAgentStatus(machineId, options = {}) {
+  return listHeartbeats(machineId).map((heartbeat) => heartbeatToStatus(heartbeat, options));
 }
 
-// src/commands/sync.ts
-import { existsSync as existsSync7, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
-import { homedir as homedir5 } from "os";
-function quote4(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
+// src/commands/manifest.ts
+function manifestList() {
+  return readManifest();
 }
-function packageCheckCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
-  const quotedPackageName = quote4(packageName);
-  if (manager === "bun") {
-    return `if bun pm ls -g --all 2>/dev/null | grep -F ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
-  }
-  if (manager === "brew") {
-    return `if brew list --versions ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
-  }
-  if (manager === "apt") {
-    return `if dpkg -s ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
-  }
-  return `if command -v ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
+function manifestAdd(machine) {
+  const validatedMachine = machineSchema.parse(machine);
+  const manifest = readManifest();
+  const nextMachines = manifest.machines.filter((entry) => entry.id !== validatedMachine.id);
+  nextMachines.push(validatedMachine);
+  const nextManifest = { ...manifest, machines: nextMachines };
+  writeManifest(nextManifest);
+  return nextManifest;
 }
-function packageInstallCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
-  if (manager === "bun") {
-    return `bun install -g ${quote4(packageName)}`;
-  }
-  if (manager === "brew") {
-    return `brew install ${quote4(packageName)}`;
-  }
-  if (manager === "apt") {
-    return `sudo apt-get install -y ${quote4(packageName)}`;
-  }
-  return packageName;
+function manifestBootstrapCurrentMachine() {
+  return manifestAdd(detectCurrentMachineManifest());
 }
-function detectPackageActions(machine, runner) {
-  return (machine.packages || []).map((pkg, index) => {
-    const manager = pkg.manager || (machine.platform === "macos" ? "brew" : "apt");
-    const check2 = runner(machine.id, packageCheckCommand(machine, pkg.name, manager));
-    if (check2.exitCode !== 0) {
-      throw new Error(describeMachineCommandFailure(`Sync package probe ${pkg.name}`, check2));
-    }
-    const installed = check2.stdout.split(`
-`).some((line) => line.trim() === "installed=1");
-    return {
-      id: `package-${index + 1}`,
-      title: `${installed ? "Package present" : "Install package"} ${pkg.name}`,
-      command: packageInstallCommand(machine, pkg.name, manager),
-      status: installed ? "ok" : "missing",
-      kind: "package"
-    };
-  });
+function manifestGet(machineId) {
+  return getManifestMachine(machineId);
 }
-function detectFileActions(machine) {
-  if ((machine.files || []).length > 0 && resolveMachineCommand(machine.id, "true").source !== "local") {
-    throw new Error(`Remote file sync planning is not supported for ${machine.id}; refusing to inspect or apply local paths as remote state.`);
+function manifestRemove(machineId) {
+  const manifest = readManifest();
+  const nextManifest = {
+    ...manifest,
+    machines: manifest.machines.filter((machine) => machine.id !== machineId)
+  };
+  writeManifest(nextManifest);
+  return nextManifest;
+}
+function manifestValidate() {
+  return validateManifest(getManifestPath());
+}
+
+// src/commands/status.ts
+function parseJsonObject2(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
   }
-  return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync7(file.source);
-    const targetExists = existsSync7(file.target);
-    let status = "missing";
-    if (sourceExists && targetExists) {
-      if (file.mode === "symlink") {
-        status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
-      } else {
-        const source = readFileSync5(file.source, "utf8");
-        const target = readFileSync5(file.target, "utf8");
-        status = source === target ? "ok" : "drifted";
-      }
-    }
-    const command = file.mode === "symlink" ? `ln -sfn ${quote4(file.source)} ${quote4(file.target)}` : `cp ${quote4(file.source)} ${quote4(file.target)}`;
-    return {
-      id: `file-${index + 1}`,
-      title: `${status === "ok" ? "File in sync" : "Reconcile file"} ${file.target}`,
-      command,
-      status,
-      kind: "file"
-    };
-  });
 }
-function buildSyncPlan(machineId, runner = runMachineCommand) {
+function getStatus() {
   const manifest = readManifest();
-  const currentMachineId = getLocalMachineId();
-  const selected = machineId ? manifest.machines.find((machine) => machine.id === machineId) : manifest.machines.find((machine) => machine.id === currentMachineId);
-  if (machineId && !selected) {
-    throw new Error(`Machine not found in manifest: ${machineId}`);
-  }
-  const target = selected || {
-    id: currentMachineId,
-    platform: "linux",
-    workspacePath: `${homedir5()}/workspace`
+  const heartbeats = listHeartbeats();
+  const heartbeatByMachine = new Map(heartbeats.map((heartbeat) => [heartbeat.machine_id, heartbeat]));
+  const machineIds = new Set([
+    ...manifest.machines.map((machine) => machine.id),
+    ...heartbeats.map((heartbeat) => heartbeat.machine_id)
+  ]);
+  return {
+    machineId: getLocalMachineId(),
+    manifestPath: getManifestPath(),
+    dbPath: getDbPath(),
+    notificationsPath: getNotificationsPath(),
+    manifestMachineCount: manifest.machines.length,
+    heartbeatCount: heartbeats.length,
+    machines: [...machineIds].sort().map((machineId) => {
+      const declared = manifest.machines.find((machine) => machine.id === machineId);
+      const heartbeat = heartbeatByMachine.get(machineId);
+      return {
+        machineId,
+        platform: declared?.platform,
+        manifestDeclared: Boolean(declared),
+        heartbeatStatus: heartbeat?.status || "unknown",
+        lastHeartbeatAt: heartbeat?.updated_at,
+        daemonVersion: heartbeat?.daemon_version ?? null,
+        agentMode: heartbeat?.agent_mode ?? null,
+        storageSyncStatus: heartbeat?.storage_sync_status ?? null,
+        doctorSummary: parseJsonObject2(heartbeat?.doctor_summary_json),
+        privateMetadata: Boolean(heartbeat?.private_metadata)
+      };
+    }),
+    recentSetupRuns: countRuns("setup_runs"),
+    recentSyncRuns: countRuns("sync_runs")
   };
-  const actions = [
-    ...detectPackageActions(target, runner),
-    ...detectFileActions(target)
-  ];
+}
+
+// src/commands/self-test.ts
+function check(id, status, summary, detail) {
+  return { id, status, summary, detail };
+}
+function runSelfTest() {
+  const version = getPackageVersion();
+  const status = getStatus();
+  const doctor = runDoctor();
+  const serveInfo = getServeInfo();
+  const html = renderDashboardHtml();
+  const notifications = listNotificationChannels();
+  const apps = listApps(status.machineId);
+  const appsDiff = diffApps(status.machineId);
+  const cliPlan = buildClaudeInstallPlan(status.machineId);
   return {
-    machineId: target.id,
-    mode: "plan",
-    actions,
-    executed: 0
+    machineId: getLocalMachineId(),
+    checks: [
+      check("package-version", version === "0.0.0" ? "fail" : "ok", "Package version resolves", version),
+      check("status", "ok", "Status loads", JSON.stringify({ machines: status.manifestMachineCount, heartbeats: status.heartbeatCount })),
+      check("doctor", doctor.checks.some((entry) => entry.status === "fail") ? "warn" : "ok", "Doctor completed", `${doctor.checks.length} checks`),
+      check("serve-info", "ok", "Dashboard info renders", `${serveInfo.url} routes=${serveInfo.routes.length}`),
+      check("dashboard-html", html.includes("Machines Dashboard") ? "ok" : "fail", "Dashboard HTML renders", html.slice(0, 80)),
+      check("notifications", "ok", "Notifications config loads", `${notifications.channels.length} channels`),
+      check("apps", "ok", "Apps manifest loads", `${apps.apps.length} apps`),
+      check("apps-diff", appsDiff.missing.length === 0 ? "ok" : "warn", "Apps diff computed", `missing=${appsDiff.missing.length} installed=${appsDiff.installed.length}`),
+      check("install-claude-plan", cliPlan.steps.length > 0 ? "ok" : "warn", "Install plan renders", `${cliPlan.steps.length} steps`)
+    ]
   };
 }
-function applyFileAction(command) {
-  const [verb, source, target] = command.split(" ");
-  if (verb === "cp" && source && target) {
-    ensureParentDir(target);
-    copyFileSync(source.slice(1, -1), target.slice(1, -1));
-    return;
-  }
-  if (verb === "ln" && source && target) {
-    const sourcePath = command.match(/ln -sfn '(.+)' '(.+)'/)?.[1];
-    const targetPath = command.match(/ln -sfn '(.+)' '(.+)'/)?.[2];
-    if (!sourcePath || !targetPath) {
-      throw new Error(`Unable to parse symlink command: ${command}`);
-    }
-    ensureParentDir(targetPath);
-    try {
-      Bun.file(targetPath).delete();
-    } catch {}
-    symlinkSync(sourcePath, targetPath);
-  }
+
+// src/commands/serve.ts
+function escapeHtml(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
-function runSync(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildSyncPlan(machineId, runner);
-  if (!options.apply) {
-    return plan;
-  }
-  if (!options.yes) {
-    throw new Error("Sync execution requires --yes.");
-  }
-  let executed = 0;
-  for (const action of plan.actions) {
-    if (action.status === "ok")
-      continue;
-    if (action.kind === "file") {
-      applyFileAction(action.command);
-    } else {
-      const result = runner(plan.machineId, action.command);
-      if (result.exitCode !== 0) {
-        recordSyncRun(plan.machineId, "failed", {
-          executed,
-          failedAction: action,
-          stderr: result.stderr,
-          stdout: result.stdout,
-          exitCode: result.exitCode,
-          source: result.source
-        });
-        throw new Error(describeMachineCommandFailure(`Sync action ${action.id}`, result));
-      }
-    }
-    executed += 1;
-  }
-  const summary = {
-    machineId: plan.machineId,
-    mode: "apply",
-    actions: plan.actions,
-    executed
+function getServeInfo(options = {}) {
+  const host = options.host || "0.0.0.0";
+  const port = options.port || 7676;
+  return {
+    host,
+    port,
+    url: `http://${host}:${port}`,
+    routes: [
+      "/",
+      "/health",
+      "/api/status",
+      "/api/topology",
+      "/api/routes",
+      "/api/daemon/status",
+      "/api/manifest",
+      "/api/notifications",
+      "/api/webhooks",
+      "/api/events",
+      "/api/doctor",
+      "/api/self-test",
+      "/api/apps/status",
+      "/api/apps/diff",
+      "/api/install-claude/status",
+      "/api/install-claude/diff",
+      "/api/notifications/test",
+      "/api/webhooks/test"
+    ]
   };
-  recordSyncRun(plan.machineId, "completed", summary);
-  return summary;
 }
+function renderDashboardHtml() {
+  const status = getStatus();
+  const topology = discoverMachineTopology();
+  const manifest = manifestList();
+  const notifications = listNotificationChannels();
+  const doctor = runDoctor();
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Machines Dashboard</title>
+    <style>
+      :root { color-scheme: dark; font-family: Inter, system-ui, sans-serif; }
+      body { margin: 0; background: #0b1020; color: #e5ecff; }
+      main { max-width: 1120px; margin: 0 auto; padding: 32px 20px 48px; }
+      h1, h2 { margin: 0 0 16px; }
+      .grid { display: grid; gap: 16px; grid-template-columns: repeat(auto-fit, minmax(240px, 1fr)); }
+      .card { background: #121933; border: 1px solid #243057; border-radius: 16px; padding: 20px; }
+      .stat { font-size: 32px; font-weight: 700; margin-top: 8px; }
+      table { width: 100%; border-collapse: collapse; }
+      th, td { text-align: left; padding: 10px 8px; border-bottom: 1px solid #243057; vertical-align: top; }
+      code { color: #9ed0ff; }
+      .badge { display: inline-block; border-radius: 999px; padding: 4px 10px; font-size: 12px; }
+      .online, .ok { background: #12351f; color: #74f0a7; }
+      .offline, .fail { background: #3b1a1a; color: #ff8c8c; }
+      .unknown, .warn { background: #2f2b16; color: #ffd76a; }
+      ul { margin: 8px 0 0; padding-left: 18px; }
+      .muted { color: #9fb0d9; }
+      .refresh { font-size: 12px; color: #6b7fa3; margin-left: auto; }
+      .updated { transition: opacity 0.3s; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>Machines Dashboard <span class="refresh" id="last-updated"></span></h1>
+      <div class="grid">
+        <section class="card"><div>Manifest machines</div><div class="stat">${status.manifestMachineCount}</div></section>
+        <section class="card"><div>Heartbeats</div><div class="stat">${status.heartbeatCount}</div></section>
+        <section class="card"><div>Notification channels</div><div class="stat">${notifications.channels.length}</div></section>
+        <section class="card"><div>Doctor warnings</div><div class="stat">${doctor.checks.filter((entry) => entry.status !== "ok").length}</div></section>
+        <section class="card"><div>Tailscale routes</div><div class="stat">${topology.machines.filter((machine) => machine.ssh.route === "tailscale").length}</div></section>
+      </div>
+
+      <section class="card" style="margin-top:16px">
+        <h2>Machines</h2>
+        <table>
+          <thead><tr><th>ID</th><th>Platform</th><th>Status</th><th>Agent</th><th>Storage</th><th>Last heartbeat</th></tr></thead>
+          <tbody>
+            ${status.machines.map((machine) => `<tr>
+              <td><code>${escapeHtml(machine.machineId)}</code></td>
+              <td>${escapeHtml(machine.platform || "unknown")}</td>
+              <td><span class="badge ${escapeHtml(machine.heartbeatStatus)}">${escapeHtml(machine.heartbeatStatus)}</span></td>
+              <td>${escapeHtml(machine.agentMode || "unknown")} ${escapeHtml(machine.daemonVersion || "")}</td>
+              <td>${escapeHtml(machine.storageSyncStatus || "unknown")}</td>
+              <td>${escapeHtml(machine.lastHeartbeatAt || "\u2014")}</td>
+            </tr>`).join("")}
+          </tbody>
+        </table>
+      </section>
+
+      <section class="card" style="margin-top:16px">
+        <h2>Doctor</h2>
+        <table>
+          <thead><tr><th>Check</th><th>Status</th><th>Detail</th></tr></thead>
+          <tbody id="doctor-tbody">
+            ${doctor.checks.map((entry) => `<tr>
+              <td>${escapeHtml(entry.summary)}</td>
+              <td><span class="badge ${escapeHtml(entry.status)}">${escapeHtml(entry.status)}</span></td>
+              <td class="muted">${escapeHtml(entry.detail)}</td>
+            </tr>`).join("")}
+          </tbody>
+        </table>
+      </section>
+
+      <section class="card" style="margin-top:16px">
+        <h2>Apps</h2>
+        <p class="muted">Use <code>/api/apps/status</code> for the full app inventory payload.</p>
+      </section>
+
+      <section class="card" style="margin-top:16px">
+        <h2>AI CLIs</h2>
+        <p class="muted">Use <code>/api/install-claude/status</code> for the full CLI inventory payload.</p>
+      </section>
+
+      <section class="card" style="margin-top:16px">
+        <h2>Self Test</h2>
+        <p class="muted">Use <code>/api/self-test</code> for the full smoke-check payload.</p>
+      </section>
+
+      <section class="card" style="margin-top:16px">
+        <h2>Manifest</h2>
+        <pre id="manifest-json">${escapeHtml(JSON.stringify(manifest, null, 2))}</pre>
+      </section>
+    </main>
+    <script>
+      // Auto-refresh dashboard data every 15s
+      const REFRESH_INTERVAL = 15000;
+      function escapeHtml(value) {
+        return String(value ?? "")
+          .replaceAll("&", "&amp;")
+          .replaceAll("<", "&lt;")
+          .replaceAll(">", "&gt;")
+          .replaceAll('"', "&quot;")
+          .replaceAll("'", "&#39;");
+      }
+      async function refreshData() {
+        try {
+          const [statusRes, doctorRes] = await Promise.all([
+            fetch("/api/status"),
+            fetch("/api/doctor"),
+          ]);
+          const status = await statusRes.json();
+          const doctor = await doctorRes.json();
+
+          // Update stat cards
+          const stats = document.querySelectorAll(".stat");
+          if (stats[0]) stats[0].textContent = status.manifestMachineCount;
+          if (stats[1]) stats[1].textContent = status.heartbeatCount;
+
+          // Update machine table
+          const tbody = document.querySelector("tbody");
+          if (tbody && status.machines) {
+            tbody.innerHTML = status.machines
+              .map((m) =>
+                "<tr>" +
+                "<td><code>" + escapeHtml(m.machineId) + "</code></td>" +
+                "<td>" + escapeHtml(m.platform || "unknown") + "</td>" +
+                '<td><span class="badge ' + escapeHtml(m.heartbeatStatus) + '">' + escapeHtml(m.heartbeatStatus) + '</span></td>' +
+                "<td>" + escapeHtml(m.agentMode || "unknown") + " " + escapeHtml(m.daemonVersion || "") + "</td>" +
+                "<td>" + escapeHtml(m.storageSyncStatus || "unknown") + "</td>" +
+                "<td>" + escapeHtml(m.lastHeartbeatAt || "\\u2014") + "</td>" +
+                "</tr>"
+              )
+              .join("");
+          }
+
+          // Update doctor table
+          const doctorTbody = document.getElementById("doctor-tbody");
+          if (doctorTbody && doctor.checks) {
+            doctorTbody.innerHTML = doctor.checks
+              .map((c) =>
+                "<tr>" +
+                "<td>" + escapeHtml(c.summary) + "</td>" +
+                '<td><span class="badge ' + escapeHtml(c.status) + '">' + escapeHtml(c.status) + '</span></td>' +
+                '<td class="muted">' + escapeHtml(c.detail) + "</td>" +
+                "</tr>"
+              )
+              .join("");
+          }
 
-// src/agent/runtime.ts
-function getAgentStatus(machineId = getLocalMachineId()) {
-  return listHeartbeats(machineId).map((heartbeat) => ({
-    machineId: heartbeat.machine_id,
-    pid: heartbeat.pid,
-    status: heartbeat.status,
-    updatedAt: heartbeat.updated_at
-  }));
+          // Update timestamp
+          document.getElementById("last-updated").textContent =
+            "updated " + new Date().toLocaleTimeString();
+        } catch (e) {
+          // Silently ignore fetch errors during page unload
+        }
+      }
+      document.getElementById("last-updated").textContent =
+        "updated " + new Date().toLocaleTimeString();
+      setInterval(refreshData, REFRESH_INTERVAL);
+    </script>
+  </body>
+</html>`;
 }
 
-// src/compatibility.ts
-var DEFAULT_COMMANDS = [
-  { command: "bun", required: true },
-  { command: "machines", required: true }
-];
-function defaultPackages() {
-  return [{ name: "@hasna/machines", command: "machines", expectedVersion: getPackageVersion(), required: true }];
-}
-function shellQuote6(value) {
-  return `'${value.replace(/'/g, "'\\''")}'`;
-}
-function commandId(value) {
-  return value.replace(/[^a-zA-Z0-9_.@/-]+/g, "-").replace(/^-+|-+$/g, "");
-}
-function packageCommand(name) {
-  if (name === "@hasna/knowledge")
-    return "knowledge";
-  if (name === "@hasna/machines")
-    return "machines";
-  return name.split("/").pop() ?? name;
-}
-function firstLine(value) {
-  return value.trim().split(/\r?\n/).find(Boolean) ?? "";
-}
-function extractVersion(value) {
-  const match = value.match(/\b\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?\b/);
-  return match?.[0] ?? null;
-}
-function statusFor(required, ok) {
-  if (ok)
-    return "ok";
-  return required === false ? "warn" : "fail";
-}
-function makeCheck2(input) {
-  return {
-    id: input.id,
-    kind: input.kind,
-    status: input.status,
-    target: input.target,
-    expected: input.expected ?? null,
-    actual: input.actual ?? null,
-    detail: input.detail,
-    source: input.source
-  };
-}
-function parseKeyValue(stdout) {
-  const result = {};
-  for (const line of stdout.split(/\r?\n/)) {
-    const idx = line.indexOf("=");
-    if (idx <= 0)
-      continue;
-    result[line.slice(0, idx)] = line.slice(idx + 1);
-  }
-  return result;
-}
-function defaultRunner2(machineId, command) {
-  return runMachineCommand(machineId, command);
-}
-function inspectCommand(machineId, spec, runner) {
-  const command = shellQuote6(spec.command);
-  const versionArgs = spec.versionArgs ?? "--version";
-  const script = [
-    `cmd=${command}`,
-    'path="$(command -v "$cmd" 2>/dev/null || true)"',
-    'printf "path=%s\\n" "$path"',
-    'if [ -n "$path" ]; then version="$("$cmd" ' + versionArgs + ' 2>/dev/null || true)"; printf "version=%s\\n" "$version"; fi'
-  ].join("; ");
-  const result = runner(machineId, script);
-  const parsed = parseKeyValue(result.stdout);
-  return {
-    path: parsed.path || null,
-    version: parsed.version ? firstLine(parsed.version) : null,
-    exitCode: result.exitCode,
-    source: result.source,
-    stderr: result.stderr
-  };
-}
-function fieldCommand(field) {
-  const regex = field === "name" ? String.raw`s/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p` : String.raw`s/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p`;
-  return [
-    `if command -v bun >/dev/null 2>&1; then bun -e "const p=JSON.parse(await Bun.file(process.argv[1]).text()); console.log(p.${field} ?? '')" "$pkg" 2>/dev/null`,
-    `elif command -v node >/dev/null 2>&1; then node -e "const fs=require('fs'); const p=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); console.log(p.${field} || '')" "$pkg" 2>/dev/null`,
-    `else sed -n '${regex}' "$pkg" | head -n 1`,
-    "fi"
-  ].join("; ");
-}
-function inspectWorkspace(machineId, spec, runner) {
-  const script = [
-    `path=${shellQuote6(spec.path)}`,
-    'printf "exists=%s\\n" "$(test -d "$path" && printf yes || printf no)"',
-    'pkg="$path/package.json"',
-    'printf "package_json=%s\\n" "$(test -f "$pkg" && printf yes || printf no)"',
-    `if [ -f "$pkg" ]; then printf "package_name=%s\\n" "$(${fieldCommand("name")})"; printf "version=%s\\n" "$(${fieldCommand("version")})"; fi`
-  ].join("; ");
-  const result = runner(machineId, script);
-  const parsed = parseKeyValue(result.stdout);
-  return {
-    exists: parsed.exists === "yes",
-    packageJson: parsed.package_json === "yes",
-    packageName: parsed.package_name || null,
-    version: parsed.version || null,
-    source: result.source,
-    stderr: result.stderr
-  };
+// src/commands/setup.ts
+import { homedir as homedir4 } from "os";
+function quote3(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
 }
-function commandCheck(machineId, spec, runner) {
-  const inspection = inspectCommand(machineId, spec, runner);
-  const found = Boolean(inspection.path);
-  const checks = [
-    makeCheck2({
-      id: `command:${commandId(spec.command)}:path`,
-      kind: "command",
-      status: statusFor(spec.required, found),
-      target: spec.command,
-      expected: "available",
-      actual: inspection.path ?? "missing",
-      detail: found ? `found at ${inspection.path}` : inspection.stderr || "command missing",
-      source: inspection.source
-    })
+function buildBaseSteps(machine) {
+  const steps = [
+    {
+      id: "workspace",
+      title: "Ensure workspace directory exists",
+      command: `mkdir -p ${quote3(machine.workspacePath)}`,
+      manager: "shell"
+    },
+    {
+      id: "bun",
+      title: "Install Bun if missing",
+      command: "command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash",
+      manager: "shell"
+    }
   ];
-  if (spec.expectedVersion) {
-    const actualVersion = extractVersion(inspection.version ?? "");
-    checks.push(makeCheck2({
-      id: `command:${commandId(spec.command)}:version`,
-      kind: "command",
-      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
-      target: spec.command,
-      expected: spec.expectedVersion,
-      actual: actualVersion ?? inspection.version ?? "missing",
-      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
-      source: inspection.source
-    }));
+  if (machine.platform === "linux") {
+    steps.push({
+      id: "apt-base",
+      title: "Install core Linux tooling",
+      command: "sudo apt-get update && sudo apt-get install -y git curl unzip build-essential",
+      manager: "apt",
+      privileged: true
+    });
+    steps.push({
+      id: "linux-update-downloads",
+      title: "Enable Linux package list refresh and download-only upgrades",
+      command: `printf '%s\\n' 'APT::Periodic::Update-Package-Lists "1";' 'APT::Periodic::Download-Upgradeable-Packages "1";' 'APT::Periodic::Unattended-Upgrade "0";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null`,
+      manager: "apt",
+      privileged: true
+    });
+  } else if (machine.platform === "macos") {
+    steps.push({
+      id: "brew-base",
+      title: "Install Homebrew if missing",
+      command: 'command -v brew >/dev/null 2>&1 || /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
+      manager: "brew"
+    });
+    steps.push({
+      id: "brew-core",
+      title: "Install core macOS tooling",
+      command: "brew install git coreutils",
+      manager: "brew"
+    });
+    steps.push({
+      id: "macos-update-downloads",
+      title: "Enable macOS update checks and downloads without automatic install",
+      command: "sudo softwareupdate --schedule on && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -int 0",
+      manager: "custom",
+      privileged: true
+    });
+    steps.push({
+      id: "macos-management-readiness",
+      title: "Report Apple management readiness without enrolling devices",
+      command: "profiles status -type enrollment 2>/dev/null || true",
+      manager: "custom"
+    });
   }
-  return checks;
+  steps.push({
+    id: "github-app-auth-readiness",
+    title: "Check GitHub CLI/App auth readiness without printing credentials",
+    command: "command -v gh >/dev/null 2>&1 && gh auth status >/dev/null 2>&1 || true",
+    manager: "custom"
+  });
+  return steps;
 }
-function packageCheck(machineId, spec, runner) {
-  const command = spec.command ?? packageCommand(spec.name);
-  const inspection = inspectCommand(machineId, { command, expectedVersion: spec.expectedVersion, required: spec.required }, runner);
-  const found = Boolean(inspection.path);
-  const checks = [
-    makeCheck2({
-      id: `package:${commandId(spec.name)}:command`,
-      kind: "package",
-      status: statusFor(spec.required, found),
-      target: spec.name,
-      expected: command,
-      actual: inspection.path ?? "missing",
-      detail: found ? `${command} found at ${inspection.path}` : `${command} command missing`,
-      source: inspection.source
-    })
-  ];
-  if (spec.expectedVersion) {
-    const actualVersion = extractVersion(inspection.version ?? "");
-    checks.push(makeCheck2({
-      id: `package:${commandId(spec.name)}:version`,
-      kind: "package",
-      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
-      target: spec.name,
-      expected: spec.expectedVersion,
-      actual: actualVersion ?? inspection.version ?? "missing",
-      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
-      source: inspection.source
-    }));
+function buildPackageSteps(machine) {
+  return (machine.packages || []).map((pkg, index) => {
+    const manager = pkg.manager || (machine.platform === "macos" ? "brew" : "apt");
+    let command2 = pkg.name;
+    if (manager === "bun") {
+      command2 = `bun install -g ${quote3(pkg.name)}`;
+    } else if (manager === "brew") {
+      command2 = `brew install ${quote3(pkg.name)}`;
+    } else if (manager === "apt") {
+      command2 = `sudo apt-get install -y ${quote3(pkg.name)}`;
+    }
+    return {
+      id: `package-${index + 1}`,
+      title: `Install package ${pkg.name}`,
+      command: command2,
+      manager,
+      privileged: manager === "apt"
+    };
+  });
+}
+function buildSetupPlan(machineId) {
+  const manifest = readManifest();
+  const currentMachineId = getLocalMachineId();
+  const selected = machineId ? manifest.machines.find((machine) => machine.id === machineId) : manifest.machines.find((machine) => machine.id === currentMachineId);
+  if (machineId && !selected) {
+    throw new Error(`Machine not found in manifest: ${machineId}`);
   }
-  return checks;
+  const target = selected || {
+    id: currentMachineId,
+    platform: "linux",
+    workspacePath: `${homedir4()}/workspace`
+  };
+  const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
+  return {
+    machineId: target.id,
+    mode: "plan",
+    steps,
+    executed: 0
+  };
 }
-function workspaceCheck(machineId, spec, runner) {
-  const inspection = inspectWorkspace(machineId, spec, runner);
-  const target = spec.label ?? spec.path;
-  const checks = [
-    makeCheck2({
-      id: `workspace:${commandId(target)}:path`,
-      kind: "workspace",
-      status: statusFor(spec.required, inspection.exists),
-      target,
-      expected: spec.path,
-      actual: inspection.exists ? "exists" : "missing",
-      detail: inspection.exists ? `workspace exists at ${spec.path}` : inspection.stderr || `workspace missing at ${spec.path}`,
-      source: inspection.source
-    })
-  ];
-  if (spec.expectedPackageName) {
-    checks.push(makeCheck2({
-      id: `workspace:${commandId(target)}:package-name`,
-      kind: "workspace",
-      status: inspection.packageName === spec.expectedPackageName ? "ok" : statusFor(spec.required, false),
-      target,
-      expected: spec.expectedPackageName,
-      actual: inspection.packageName ?? (inspection.packageJson ? "missing-name" : "missing-package-json"),
-      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
-      source: inspection.source
-    }));
+function runSetup(machineId, options = {}, runner = runMachineCommand) {
+  const plan = buildSetupPlan(machineId);
+  if (!options.apply) {
+    return plan;
   }
-  if (spec.expectedVersion) {
-    checks.push(makeCheck2({
-      id: `workspace:${commandId(target)}:version`,
-      kind: "workspace",
-      status: inspection.version === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
-      target,
-      expected: spec.expectedVersion,
-      actual: inspection.version ?? (inspection.packageJson ? "missing-version" : "missing-package-json"),
-      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
-      source: inspection.source
-    }));
+  if (!options.yes) {
+    throw new Error("Setup execution requires --yes.");
+  }
+  let executed = 0;
+  for (const step of plan.steps) {
+    const result = runner(plan.machineId, step.command);
+    if (result.exitCode !== 0) {
+      recordSetupRun(plan.machineId, "failed", {
+        executed,
+        failedStep: step,
+        stderr: result.stderr,
+        stdout: result.stdout,
+        exitCode: result.exitCode,
+        source: result.source
+      });
+      throw new Error(describeMachineCommandFailure(`Setup step ${step.id}`, result));
+    }
+    executed += 1;
   }
-  return checks;
-}
-function checkMachineCompatibility(options = {}) {
-  const machineId = options.machineId ?? getLocalMachineId();
-  const runner = options.runner ?? defaultRunner2;
-  const commands = options.commands ?? DEFAULT_COMMANDS;
-  const packages = options.packages ?? defaultPackages();
-  const workspaces = options.workspaces ?? [];
-  const checks = [];
-  for (const spec of commands)
-    checks.push(...commandCheck(machineId, spec, runner));
-  for (const spec of packages)
-    checks.push(...packageCheck(machineId, spec, runner));
-  for (const spec of workspaces)
-    checks.push(...workspaceCheck(machineId, spec, runner));
   const summary = {
-    ok: checks.filter((check2) => check2.status === "ok").length,
-    warn: checks.filter((check2) => check2.status === "warn").length,
-    fail: checks.filter((check2) => check2.status === "fail").length
-  };
-  return {
-    schema_version: MACHINES_CONSUMER_CONTRACT_VERSION,
-    package: {
-      name: MACHINES_PACKAGE_NAME,
-      version: getPackageVersion()
-    },
-    capabilities: getMachinesConsumerCapabilities(),
-    ok: summary.fail === 0,
-    machine_id: machineId,
-    source: checks[0]?.source ?? "local",
-    generated_at: (options.now ?? new Date).toISOString(),
-    checks,
-    summary
+    machineId: plan.machineId,
+    mode: "apply",
+    steps: plan.steps,
+    executed
   };
+  recordSetupRun(plan.machineId, "completed", summary);
+  return summary;
 }
 
-// src/pg-migrations.ts
-var PG_MIGRATIONS = [
-  `
-  CREATE TABLE IF NOT EXISTS agent_heartbeats (
-    machine_id TEXT NOT NULL,
-    pid INTEGER NOT NULL,
-    status TEXT NOT NULL,
-    updated_at TIMESTAMPTZ NOT NULL,
-    PRIMARY KEY (machine_id, pid)
-  );
-
-  CREATE TABLE IF NOT EXISTS setup_runs (
-    id TEXT PRIMARY KEY,
-    machine_id TEXT NOT NULL,
-    status TEXT NOT NULL,
-    details_json TEXT NOT NULL DEFAULT '[]',
-    created_at TIMESTAMPTZ NOT NULL,
-    updated_at TIMESTAMPTZ NOT NULL
-  );
-
-  CREATE TABLE IF NOT EXISTS sync_runs (
-    id TEXT PRIMARY KEY,
-    machine_id TEXT NOT NULL,
-    status TEXT NOT NULL,
-    actions_json TEXT NOT NULL DEFAULT '[]',
-    created_at TIMESTAMPTZ NOT NULL,
-    updated_at TIMESTAMPTZ NOT NULL
-  );
-  `
-];
-
-// src/remote-storage.ts
-import pg from "pg";
-function translatePlaceholders(sql) {
-  let index = 0;
-  return sql.replace(/\?/g, () => `$${++index}`);
-}
-function normalizeParams(params) {
-  const flat = params.length === 1 && Array.isArray(params[0]) ? params[0] : params;
-  return flat.map((value) => value === undefined ? null : value);
-}
-function sslConfigFor(connectionString) {
-  return connectionString.includes("sslmode=require") || connectionString.includes("ssl=true") ? { rejectUnauthorized: false } : undefined;
+// src/commands/sync.ts
+import { existsSync as existsSync7, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
+import { homedir as homedir5 } from "os";
+function quote4(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
 }
-
-class PgAdapterAsync {
-  pool;
-  constructor(connectionString) {
-    this.pool = new pg.Pool({ connectionString, ssl: sslConfigFor(connectionString) });
+function packageCheckCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
+  const quotedPackageName = quote4(packageName);
+  if (manager === "bun") {
+    return `if bun pm ls -g --all 2>/dev/null | grep -F ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
   }
-  async run(sql, ...params) {
-    const result = await this.pool.query(translatePlaceholders(sql), normalizeParams(params));
-    return { changes: result.rowCount ?? 0 };
+  if (manager === "brew") {
+    return `if brew list --versions ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
   }
-  async all(sql, ...params) {
-    const result = await this.pool.query(translatePlaceholders(sql), normalizeParams(params));
-    return result.rows;
+  if (manager === "apt") {
+    return `if dpkg -s ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
   }
-  async close() {
-    await this.pool.end();
+  return `if command -v ${quotedPackageName} >/dev/null 2>&1; then printf 'installed=1\\n'; else printf 'installed=0\\n'; fi`;
+}
+function packageInstallCommand(machine, packageName, manager = machine.platform === "macos" ? "brew" : "apt") {
+  if (manager === "bun") {
+    return `bun install -g ${quote4(packageName)}`;
+  }
+  if (manager === "brew") {
+    return `brew install ${quote4(packageName)}`;
+  }
+  if (manager === "apt") {
+    return `sudo apt-get install -y ${quote4(packageName)}`;
   }
+  return packageName;
 }
-
-// src/storage-sync.ts
-var STORAGE_TABLES = [
-  "agent_heartbeats",
-  "setup_runs",
-  "sync_runs"
-];
-var MACHINES_STORAGE_ENV = "HASNA_MACHINES_DATABASE_URL";
-var MACHINES_STORAGE_FALLBACK_ENV = "MACHINES_DATABASE_URL";
-var MACHINES_STORAGE_MODE_ENV = "HASNA_MACHINES_STORAGE_MODE";
-var MACHINES_STORAGE_MODE_FALLBACK_ENV = "MACHINES_STORAGE_MODE";
-var STORAGE_DATABASE_ENV = [MACHINES_STORAGE_ENV, MACHINES_STORAGE_FALLBACK_ENV];
-var PRIMARY_KEYS = {
-  agent_heartbeats: ["machine_id", "pid"],
-  setup_runs: ["id"],
-  sync_runs: ["id"]
-};
-function readEnv2(name) {
-  const value = process.env[name]?.trim();
-  return value || undefined;
+function detectPackageActions(machine, runner) {
+  return (machine.packages || []).map((pkg, index) => {
+    const manager = pkg.manager || (machine.platform === "macos" ? "brew" : "apt");
+    const check2 = runner(machine.id, packageCheckCommand(machine, pkg.name, manager));
+    if (check2.exitCode !== 0) {
+      throw new Error(describeMachineCommandFailure(`Sync package probe ${pkg.name}`, check2));
+    }
+    const installed = check2.stdout.split(`
+`).some((line) => line.trim() === "installed=1");
+    return {
+      id: `package-${index + 1}`,
+      title: `${installed ? "Package present" : "Install package"} ${pkg.name}`,
+      command: packageInstallCommand(machine, pkg.name, manager),
+      status: installed ? "ok" : "missing",
+      kind: "package"
+    };
+  });
 }
-function normalizeStorageMode(value) {
-  const normalized = value?.trim().toLowerCase();
-  if (normalized === "local" || normalized === "hybrid" || normalized === "remote")
-    return normalized;
-  return;
+function detectFileActions(machine) {
+  if ((machine.files || []).length > 0 && resolveMachineCommand(machine.id, "true").source !== "local") {
+    throw new Error(`Remote file sync planning is not supported for ${machine.id}; refusing to inspect or apply local paths as remote state.`);
+  }
+  return (machine.files || []).map((file, index) => {
+    const sourceExists = existsSync7(file.source);
+    const targetExists = existsSync7(file.target);
+    let status = "missing";
+    if (sourceExists && targetExists) {
+      if (file.mode === "symlink") {
+        status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
+      } else {
+        const source = readFileSync5(file.source, "utf8");
+        const target = readFileSync5(file.target, "utf8");
+        status = source === target ? "ok" : "drifted";
+      }
+    }
+    const command2 = file.mode === "symlink" ? `ln -sfn ${quote4(file.source)} ${quote4(file.target)}` : `cp ${quote4(file.source)} ${quote4(file.target)}`;
+    return {
+      id: `file-${index + 1}`,
+      title: `${status === "ok" ? "File in sync" : "Reconcile file"} ${file.target}`,
+      command: command2,
+      status,
+      kind: "file"
+    };
+  });
 }
-function getStorageDatabaseEnvName() {
-  for (const name of STORAGE_DATABASE_ENV) {
-    if (readEnv2(name))
-      return name;
+function buildSyncPlan(machineId, runner = runMachineCommand) {
+  const manifest = readManifest();
+  const currentMachineId = getLocalMachineId();
+  const selected = machineId ? manifest.machines.find((machine) => machine.id === machineId) : manifest.machines.find((machine) => machine.id === currentMachineId);
+  if (machineId && !selected) {
+    throw new Error(`Machine not found in manifest: ${machineId}`);
   }
-  return null;
-}
-function getStorageDatabaseEnv() {
-  const name = getStorageDatabaseEnvName();
-  return name ? { name } : null;
-}
-function getStorageDatabaseUrl() {
-  const env = getStorageDatabaseEnv();
-  return env ? readEnv2(env.name) ?? null : null;
-}
-function getStorageMode() {
-  const mode = normalizeStorageMode(readEnv2(MACHINES_STORAGE_MODE_ENV)) ?? normalizeStorageMode(readEnv2(MACHINES_STORAGE_MODE_FALLBACK_ENV));
-  if (mode)
-    return mode;
-  return getStorageDatabaseUrl() ? "hybrid" : "local";
+  const target = selected || {
+    id: currentMachineId,
+    platform: "linux",
+    workspacePath: `${homedir5()}/workspace`
+  };
+  const actions = [
+    ...detectPackageActions(target, runner),
+    ...detectFileActions(target)
+  ];
+  return {
+    machineId: target.id,
+    mode: "plan",
+    actions,
+    executed: 0
+  };
 }
-async function getStoragePg() {
-  const url = getStorageDatabaseUrl();
-  if (!url) {
-    throw new Error("Missing HASNA_MACHINES_DATABASE_URL or MACHINES_DATABASE_URL");
+function applyFileAction(command2) {
+  const [verb, source, target] = command2.split(" ");
+  if (verb === "cp" && source && target) {
+    ensureParentDir(target);
+    copyFileSync(source.slice(1, -1), target.slice(1, -1));
+    return;
   }
-  return new PgAdapterAsync(url);
-}
-async function runStorageMigrations(remote) {
-  for (const sql of PG_MIGRATIONS)
-    await remote.run(sql);
-}
-async function storagePush(options) {
-  const remote = await getStoragePg();
-  const db = getDb();
-  try {
-    await runStorageMigrations(remote);
-    const results = [];
-    for (const table of resolveTables(options?.tables)) {
-      results.push(await pushTable(db, remote, table));
+  if (verb === "ln" && source && target) {
+    const sourcePath = command2.match(/ln -sfn '(.+)' '(.+)'/)?.[1];
+    const targetPath = command2.match(/ln -sfn '(.+)' '(.+)'/)?.[2];
+    if (!sourcePath || !targetPath) {
+      throw new Error(`Unable to parse symlink command: ${command2}`);
     }
-    recordSyncMeta(db, "push", results);
-    return results;
-  } finally {
-    await remote.close();
+    ensureParentDir(targetPath);
+    try {
+      Bun.file(targetPath).delete();
+    } catch {}
+    symlinkSync(sourcePath, targetPath);
   }
 }
-async function storagePull(options) {
-  const remote = await getStoragePg();
-  const db = getDb();
-  try {
-    await runStorageMigrations(remote);
-    const results = [];
-    for (const table of resolveTables(options?.tables)) {
-      results.push(await pullTable(remote, db, table));
+function runSync(machineId, options = {}, runner = runMachineCommand) {
+  const plan = buildSyncPlan(machineId, runner);
+  if (!options.apply) {
+    return plan;
+  }
+  if (!options.yes) {
+    throw new Error("Sync execution requires --yes.");
+  }
+  let executed = 0;
+  for (const action of plan.actions) {
+    if (action.status === "ok")
+      continue;
+    if (action.kind === "file") {
+      applyFileAction(action.command);
+    } else {
+      const result = runner(plan.machineId, action.command);
+      if (result.exitCode !== 0) {
+        recordSyncRun(plan.machineId, "failed", {
+          executed,
+          failedAction: action,
+          stderr: result.stderr,
+          stdout: result.stdout,
+          exitCode: result.exitCode,
+          source: result.source
+        });
+        throw new Error(describeMachineCommandFailure(`Sync action ${action.id}`, result));
+      }
     }
-    recordSyncMeta(db, "pull", results);
-    return results;
-  } finally {
-    await remote.close();
+    executed += 1;
   }
-}
-async function storageSync(options) {
-  const pull = await storagePull(options);
-  const push = await storagePush(options);
-  return { pull, push };
-}
-function getSyncMetaAll() {
-  const db = getDb();
-  ensureSyncMetaTable(db);
-  return db.query("SELECT table_name, last_synced_at, direction FROM _machines_sync_meta ORDER BY table_name, direction").all();
-}
-function getStorageStatus() {
-  const activeEnv = getStorageDatabaseEnv();
-  return {
-    configured: Boolean(activeEnv),
-    mode: getStorageMode(),
-    env: STORAGE_DATABASE_ENV,
-    activeEnv: activeEnv?.name ?? null,
-    service: "machines",
-    tables: STORAGE_TABLES,
-    sync: getSyncMetaAll()
+  const summary = {
+    machineId: plan.machineId,
+    mode: "apply",
+    actions: plan.actions,
+    executed
   };
+  recordSyncRun(plan.machineId, "completed", summary);
+  return summary;
 }
-function resolveTables(tables) {
-  if (!tables || tables.length === 0)
-    return [...STORAGE_TABLES];
-  const allowed = new Set(STORAGE_TABLES);
-  const requested = tables.map((table) => table.trim()).filter(Boolean);
-  const invalid = requested.filter((table) => !allowed.has(table));
-  if (invalid.length > 0)
-    throw new Error(`Unknown machines storage table(s): ${invalid.join(", ")}`);
-  return requested;
-}
-async function pushTable(db, remote, table) {
-  const result = { table, rowsRead: 0, rowsWritten: 0, errors: [] };
-  try {
-    if (!tableExists(db, table))
-      return result;
-    const rows = db.query(`SELECT * FROM ${quoteIdent(table)}`).all();
-    result.rowsRead = rows.length;
-    if (rows.length === 0)
-      return result;
-    const remoteColumns = await getRemoteColumns(remote, table);
-    const columns = filterRemoteColumns(remoteColumns, Object.keys(rows[0]));
-    result.rowsWritten = await upsertPg(remote, table, columns, rows);
-  } catch (error) {
-    result.errors.push(error instanceof Error ? error.message : String(error));
-  }
-  return result;
+
+// src/compatibility.ts
+var DEFAULT_COMMANDS = [
+  { command: "bun", required: true },
+  { command: "machines", required: true }
+];
+function defaultPackages() {
+  return [{ name: "@hasna/machines", command: "machines", expectedVersion: getPackageVersion(), required: true }];
 }
-async function pullTable(remote, db, table) {
-  const result = { table, rowsRead: 0, rowsWritten: 0, errors: [] };
-  try {
-    if (!tableExists(db, table))
-      return result;
-    const rows = await remote.all(`SELECT * FROM ${quoteIdent(table)}`);
-    result.rowsRead = rows.length;
-    if (rows.length === 0)
-      return result;
-    const columns = filterLocalColumns(db, table, Object.keys(rows[0]));
-    result.rowsWritten = upsertSqlite(db, table, columns, rows);
-  } catch (error) {
-    result.errors.push(error instanceof Error ? error.message : String(error));
-  }
-  return result;
+function shellQuote6(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
 }
-async function getRemoteColumns(remote, table) {
-  const rows = await remote.all("SELECT column_name FROM information_schema.columns WHERE table_schema = 'public' AND table_name = ?", table);
-  return new Set(rows.map((row) => row.column_name));
+function commandId(value) {
+  return value.replace(/[^a-zA-Z0-9_.@/-]+/g, "-").replace(/^-+|-+$/g, "");
 }
-function filterRemoteColumns(remoteColumns, columns) {
-  if (remoteColumns.size === 0)
-    return columns;
-  return columns.filter((column) => remoteColumns.has(column));
+function packageCommand(name) {
+  if (name === "@hasna/knowledge")
+    return "knowledge";
+  if (name === "@hasna/machines")
+    return "machines";
+  return name.split("/").pop() ?? name;
 }
-function filterLocalColumns(db, table, columns) {
-  const rows = db.query(`PRAGMA table_info(${quoteIdent(table)})`).all();
-  const allowed = new Set(rows.map((row) => row.name));
-  return columns.filter((column) => allowed.has(column));
+function firstLine(value) {
+  return value.trim().split(/\r?\n/).find(Boolean) ?? "";
 }
-async function upsertPg(remote, table, columns, rows) {
-  if (columns.length === 0)
-    return 0;
-  const primaryKeys = PRIMARY_KEYS[table];
-  const columnList = columns.map(quoteIdent).join(", ");
-  const placeholders = columns.map(() => "?").join(", ");
-  const keyList = primaryKeys.map(quoteIdent).join(", ");
-  const updateColumns = columns.filter((column) => !primaryKeys.includes(column));
-  const fallbackKey = primaryKeys[0];
-  const setClause = updateColumns.length > 0 ? updateColumns.map((column) => `${quoteIdent(column)} = EXCLUDED.${quoteIdent(column)}`).join(", ") : `${quoteIdent(fallbackKey)} = EXCLUDED.${quoteIdent(fallbackKey)}`;
-  for (const row of rows) {
-    await remote.run(`INSERT INTO ${quoteIdent(table)} (${columnList}) VALUES (${placeholders})
-       ON CONFLICT (${keyList}) DO UPDATE SET ${setClause}`, ...columns.map((column) => coerceForPg(row[column])));
-  }
-  return rows.length;
+function extractVersion(value) {
+  const match = value.match(/\b\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?\b/);
+  return match?.[0] ?? null;
 }
-function upsertSqlite(db, table, columns, rows) {
-  if (columns.length === 0)
-    return 0;
-  const primaryKeys = PRIMARY_KEYS[table];
-  const columnList = columns.map(quoteIdent).join(", ");
-  const placeholders = columns.map(() => "?").join(", ");
-  const keyList = primaryKeys.map(quoteIdent).join(", ");
-  const updateColumns = columns.filter((column) => !primaryKeys.includes(column));
-  const fallbackKey = primaryKeys[0];
-  const setClause = updateColumns.length > 0 ? updateColumns.map((column) => `${quoteIdent(column)} = excluded.${quoteIdent(column)}`).join(", ") : `${quoteIdent(fallbackKey)} = excluded.${quoteIdent(fallbackKey)}`;
-  const statement = db.query(`INSERT INTO ${quoteIdent(table)} (${columnList}) VALUES (${placeholders})
-     ON CONFLICT (${keyList}) DO UPDATE SET ${setClause}`);
-  const insert = db.transaction((batch) => {
-    for (const row of batch)
-      statement.run(...columns.map((column) => coerceForSqlite(row[column])));
-  });
-  insert(rows);
-  return rows.length;
+function statusFor(required, ok) {
+  if (ok)
+    return "ok";
+  return required === false ? "warn" : "fail";
 }
-function recordSyncMeta(db, direction, results) {
-  ensureSyncMetaTable(db);
-  const now = new Date().toISOString();
-  const statement = db.query(`
-    INSERT INTO _machines_sync_meta (table_name, last_synced_at, direction)
-    VALUES (?, ?, ?)
-    ON CONFLICT(table_name, direction) DO UPDATE SET last_synced_at = excluded.last_synced_at
-  `);
-  for (const result of results) {
-    if (result.errors.length > 0)
+function makeCheck2(input) {
+  return {
+    id: input.id,
+    kind: input.kind,
+    status: input.status,
+    target: input.target,
+    expected: input.expected ?? null,
+    actual: input.actual ?? null,
+    detail: input.detail,
+    source: input.source
+  };
+}
+function parseKeyValue(stdout) {
+  const result = {};
+  for (const line of stdout.split(/\r?\n/)) {
+    const idx = line.indexOf("=");
+    if (idx <= 0)
       continue;
-    statement.run(result.table, now, direction);
+    result[line.slice(0, idx)] = line.slice(idx + 1);
   }
+  return result;
 }
-function ensureSyncMetaTable(db) {
-  db.exec(`
-    CREATE TABLE IF NOT EXISTS _machines_sync_meta (
-      table_name TEXT NOT NULL,
-      last_synced_at TEXT,
-      direction TEXT NOT NULL CHECK(direction IN ('push', 'pull')),
-      PRIMARY KEY (table_name, direction)
-    )
-  `);
+function defaultRunner2(machineId, command2) {
+  return runMachineCommand(machineId, command2);
 }
-function tableExists(db, table) {
-  const row = db.query("SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?").get(table);
-  return Boolean(row);
+function inspectCommand(machineId, spec, runner) {
+  const command2 = shellQuote6(spec.command);
+  const versionArgs = spec.versionArgs ?? "--version";
+  const script = [
+    `cmd=${command2}`,
+    'path="$(command -v "$cmd" 2>/dev/null || true)"',
+    'printf "path=%s\\n" "$path"',
+    'if [ -n "$path" ]; then version="$("$cmd" ' + versionArgs + ' 2>/dev/null || true)"; printf "version=%s\\n" "$version"; fi'
+  ].join("; ");
+  const result = runner(machineId, script);
+  const parsed = parseKeyValue(result.stdout);
+  return {
+    path: parsed.path || null,
+    version: parsed.version ? firstLine(parsed.version) : null,
+    exitCode: result.exitCode,
+    source: result.source,
+    stderr: result.stderr
+  };
 }
-function quoteIdent(identifier) {
-  return `"${identifier.replace(/"/g, '""')}"`;
+function fieldCommand(field) {
+  const regex = field === "name" ? String.raw`s/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p` : String.raw`s/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p`;
+  return [
+    `if command -v bun >/dev/null 2>&1; then bun -e "const p=JSON.parse(await Bun.file(process.argv[1]).text()); console.log(p.${field} ?? '')" "$pkg" 2>/dev/null`,
+    `elif command -v node >/dev/null 2>&1; then node -e "const fs=require('fs'); const p=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); console.log(p.${field} || '')" "$pkg" 2>/dev/null`,
+    `else sed -n '${regex}' "$pkg" | head -n 1`,
+    "fi"
+  ].join("; ");
 }
-function coerceForPg(value) {
-  if (value === undefined || value === null)
-    return null;
-  if (value instanceof Date)
-    return value.toISOString();
-  if (Buffer.isBuffer(value) || value instanceof Uint8Array)
-    return value;
-  if (typeof value === "object")
-    return JSON.stringify(value);
-  return value;
+function inspectWorkspace(machineId, spec, runner) {
+  const script = [
+    `path=${shellQuote6(spec.path)}`,
+    'printf "exists=%s\\n" "$(test -d "$path" && printf yes || printf no)"',
+    'pkg="$path/package.json"',
+    'printf "package_json=%s\\n" "$(test -f "$pkg" && printf yes || printf no)"',
+    `if [ -f "$pkg" ]; then printf "package_name=%s\\n" "$(${fieldCommand("name")})"; printf "version=%s\\n" "$(${fieldCommand("version")})"; fi`
+  ].join("; ");
+  const result = runner(machineId, script);
+  const parsed = parseKeyValue(result.stdout);
+  return {
+    exists: parsed.exists === "yes",
+    packageJson: parsed.package_json === "yes",
+    packageName: parsed.package_name || null,
+    version: parsed.version || null,
+    source: result.source,
+    stderr: result.stderr
+  };
 }
-function coerceForSqlite(value) {
-  if (value === undefined || value === null)
-    return null;
-  if (typeof value === "string" || typeof value === "number" || typeof value === "bigint" || typeof value === "boolean")
-    return value;
-  if (value instanceof Date)
-    return value.toISOString();
-  if (Buffer.isBuffer(value) || value instanceof Uint8Array)
-    return value;
-  if (typeof value === "object")
-    return JSON.stringify(value);
-  return String(value);
+function commandCheck(machineId, spec, runner) {
+  const inspection = inspectCommand(machineId, spec, runner);
+  const found = Boolean(inspection.path);
+  const checks = [
+    makeCheck2({
+      id: `command:${commandId(spec.command)}:path`,
+      kind: "command",
+      status: statusFor(spec.required, found),
+      target: spec.command,
+      expected: "available",
+      actual: inspection.path ?? "missing",
+      detail: found ? `found at ${inspection.path}` : inspection.stderr || "command missing",
+      source: inspection.source
+    })
+  ];
+  if (spec.expectedVersion) {
+    const actualVersion = extractVersion(inspection.version ?? "");
+    checks.push(makeCheck2({
+      id: `command:${commandId(spec.command)}:version`,
+      kind: "command",
+      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
+      target: spec.command,
+      expected: spec.expectedVersion,
+      actual: actualVersion ?? inspection.version ?? "missing",
+      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
+      source: inspection.source
+    }));
+  }
+  return checks;
+}
+function packageCheck(machineId, spec, runner) {
+  const command2 = spec.command ?? packageCommand(spec.name);
+  const inspection = inspectCommand(machineId, { command: command2, expectedVersion: spec.expectedVersion, required: spec.required }, runner);
+  const found = Boolean(inspection.path);
+  const checks = [
+    makeCheck2({
+      id: `package:${commandId(spec.name)}:command`,
+      kind: "package",
+      status: statusFor(spec.required, found),
+      target: spec.name,
+      expected: command2,
+      actual: inspection.path ?? "missing",
+      detail: found ? `${command2} found at ${inspection.path}` : `${command2} command missing`,
+      source: inspection.source
+    })
+  ];
+  if (spec.expectedVersion) {
+    const actualVersion = extractVersion(inspection.version ?? "");
+    checks.push(makeCheck2({
+      id: `package:${commandId(spec.name)}:version`,
+      kind: "package",
+      status: actualVersion === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
+      target: spec.name,
+      expected: spec.expectedVersion,
+      actual: actualVersion ?? inspection.version ?? "missing",
+      detail: actualVersion ? `version output: ${inspection.version}` : "version unavailable",
+      source: inspection.source
+    }));
+  }
+  return checks;
+}
+function workspaceCheck(machineId, spec, runner) {
+  const inspection = inspectWorkspace(machineId, spec, runner);
+  const target = spec.label ?? spec.path;
+  const checks = [
+    makeCheck2({
+      id: `workspace:${commandId(target)}:path`,
+      kind: "workspace",
+      status: statusFor(spec.required, inspection.exists),
+      target,
+      expected: spec.path,
+      actual: inspection.exists ? "exists" : "missing",
+      detail: inspection.exists ? `workspace exists at ${spec.path}` : inspection.stderr || `workspace missing at ${spec.path}`,
+      source: inspection.source
+    })
+  ];
+  if (spec.expectedPackageName) {
+    checks.push(makeCheck2({
+      id: `workspace:${commandId(target)}:package-name`,
+      kind: "workspace",
+      status: inspection.packageName === spec.expectedPackageName ? "ok" : statusFor(spec.required, false),
+      target,
+      expected: spec.expectedPackageName,
+      actual: inspection.packageName ?? (inspection.packageJson ? "missing-name" : "missing-package-json"),
+      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
+      source: inspection.source
+    }));
+  }
+  if (spec.expectedVersion) {
+    checks.push(makeCheck2({
+      id: `workspace:${commandId(target)}:version`,
+      kind: "workspace",
+      status: inspection.version === spec.expectedVersion ? "ok" : statusFor(spec.required, false),
+      target,
+      expected: spec.expectedVersion,
+      actual: inspection.version ?? (inspection.packageJson ? "missing-version" : "missing-package-json"),
+      detail: inspection.packageJson ? "package.json inspected" : "package.json missing",
+      source: inspection.source
+    }));
+  }
+  return checks;
+}
+function checkMachineCompatibility(options = {}) {
+  const machineId = options.machineId ?? getLocalMachineId();
+  const runner = options.runner ?? defaultRunner2;
+  const commands = options.commands ?? DEFAULT_COMMANDS;
+  const packages = options.packages ?? defaultPackages();
+  const workspaces = options.workspaces ?? [];
+  const checks = [];
+  for (const spec of commands)
+    checks.push(...commandCheck(machineId, spec, runner));
+  for (const spec of packages)
+    checks.push(...packageCheck(machineId, spec, runner));
+  for (const spec of workspaces)
+    checks.push(...workspaceCheck(machineId, spec, runner));
+  const summary = {
+    ok: checks.filter((check2) => check2.status === "ok").length,
+    warn: checks.filter((check2) => check2.status === "warn").length,
+    fail: checks.filter((check2) => check2.status === "fail").length
+  };
+  return {
+    schema_version: MACHINES_CONSUMER_CONTRACT_VERSION,
+    package: {
+      name: MACHINES_PACKAGE_NAME,
+      version: getPackageVersion()
+    },
+    capabilities: getMachinesConsumerCapabilities(),
+    ok: summary.fail === 0,
+    machine_id: machineId,
+    source: checks[0]?.source ?? "local",
+    generated_at: (options.now ?? new Date).toISOString(),
+    checks,
+    summary
+  };
 }
 // src/mcp/server.ts
 function buildServer(version = getPackageVersion()) {
   return createMcpServer(version);
 }
+function privateMetadataAllowed(requested) {
+  return requested === true && isPrivateOutputEnabled();
+}
+function privateOutputWarnings(requested, allowed) {
+  return requested === true && !allowed ? [PRIVATE_OUTPUT_DENIED_WARNING] : [];
+}
+function appendWarnings(payload, warnings) {
+  if (warnings.length === 0)
+    return payload;
+  return { ...payload, warnings: [...payload.warnings ?? [], ...warnings] };
+}
 function createMcpServer(version) {
   const server = new McpServer({ name: "machines", version });
   const events = new EventsClient2;
@@ -7617,16 +8229,69 @@ function createMcpServer(version) {
   }));
   server.tool("machines_manifest_get", "Read a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(manifestGet(machine_id), null, 2) }] }));
   server.tool("machines_manifest_remove", "Remove a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(manifestRemove(machine_id), null, 2) }] }));
-  server.tool("machines_agent_status", "List current machine agent heartbeats.", {}, async () => ({
-    content: [{ type: "text", text: JSON.stringify(getAgentStatus(), null, 2) }]
+  server.tool("machines_agent_status", "List current machine agent heartbeats.", { private_metadata: exports_external.boolean().optional().describe("Include private heartbeat metadata") }, async ({ private_metadata }) => {
+    const privateMetadata = privateMetadataAllowed(private_metadata);
+    const warnings = privateOutputWarnings(private_metadata, privateMetadata);
+    const agents = getAgentStatus(undefined, { privateMetadata });
+    return {
+      content: [{ type: "text", text: JSON.stringify(warnings.length > 0 ? { agents, warnings } : agents, null, 2) }]
+    };
+  });
+  server.tool("machines_daemon_status", "List fleet daemon heartbeat status rows.", { private_metadata: exports_external.boolean().optional().describe("Include private heartbeat metadata") }, async ({ private_metadata }) => {
+    const privateMetadata = privateMetadataAllowed(private_metadata);
+    const warnings = privateOutputWarnings(private_metadata, privateMetadata);
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          generated_at: new Date().toISOString(),
+          agents: getAgentStatus(undefined, { privateMetadata }),
+          ...warnings.length > 0 ? { warnings } : {}
+        }, null, 2)
+      }]
+    };
+  });
+  server.tool("machines_daemon_service_plan", "Plan launchd/systemd lifecycle commands for the machines-agent daemon.", {
+    action: exports_external.enum(["install", "uninstall", "restart", "status", "logs"]).describe("Daemon lifecycle action"),
+    platform: exports_external.enum(["macos", "linux"]).optional().describe("Target service platform"),
+    mode: exports_external.enum(["user", "system"]).optional().describe("Service mode"),
+    service_name: exports_external.string().optional().describe("Service name/label"),
+    executable: exports_external.string().optional().describe("machines-agent executable path"),
+    interval_ms: exports_external.number().optional().describe("Heartbeat interval in milliseconds"),
+    storage_push: exports_external.boolean().optional().describe("Configure heartbeat storage push"),
+    doctor_summary: exports_external.boolean().optional().describe("Configure lightweight doctor summaries in heartbeat metadata"),
+    private_metadata: exports_external.boolean().optional().describe("Opt in to private heartbeat metadata"),
+    env: exports_external.array(exports_external.string()).optional().describe("Environment variable names to include as placeholders")
+  }, async ({ action, platform: platform5, mode, service_name, executable, interval_ms, storage_push, doctor_summary, private_metadata, env }) => ({
+    content: [{
+      type: "text",
+      text: JSON.stringify(buildDaemonServicePlan({
+        action,
+        platform: platform5,
+        mode,
+        serviceName: service_name,
+        executable,
+        intervalMs: interval_ms,
+        storagePush: storage_push,
+        doctorSummary: doctor_summary,
+        privateMetadata: private_metadata,
+        env
+      }), null, 2)
+    }]
   }));
   server.tool("machines_setup_preview", "Preview setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildSetupPlan(machine_id), null, 2) }] }));
   server.tool("machines_setup_apply", "Execute setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runSetup(machine_id, { apply: true, yes }), null, 2) }] }));
   server.tool("machines_sync_preview", "Preview sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildSyncPlan(machine_id), null, 2) }] }));
   server.tool("machines_sync_apply", "Execute sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runSync(machine_id, { apply: true, yes }), null, 2) }] }));
-  server.tool("machines_topology", "Discover local, manifest, heartbeat, SSH, and Tailscale machine topology.", { include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json") }, async ({ include_tailscale }) => ({
-    content: [{ type: "text", text: JSON.stringify(discoverMachineTopology({ includeTailscale: include_tailscale !== false }), null, 2) }]
-  }));
+  server.tool("machines_topology", "Discover local, manifest, heartbeat, SSH, and Tailscale machine topology.", {
+    include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json"),
+    private_metadata: exports_external.boolean().optional().describe("Include private host/network route fields")
+  }, async ({ include_tailscale, private_metadata }) => {
+    const privateMetadata = privateMetadataAllowed(private_metadata);
+    const warnings = privateOutputWarnings(private_metadata, privateMetadata);
+    const topology = redactTopologyForOutput(discoverMachineTopology({ includeTailscale: include_tailscale !== false }), { privateMetadata });
+    return { content: [{ type: "text", text: JSON.stringify(appendWarnings(topology, warnings), null, 2) }] };
+  });
   server.tool("machines_compatibility", "Check remote package, command, and workspace compatibility for open-* consumers.", {
     machine_id: exports_external.string().optional().describe("Machine identifier"),
     commands: exports_external.array(exports_external.object({
@@ -7678,9 +8343,16 @@ function createMcpServer(version) {
   }));
   server.tool("machines_install_tailscale_preview", "Preview Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildTailscaleInstallPlan(machine_id), null, 2) }] }));
   server.tool("machines_install_tailscale_apply", "Execute Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runTailscaleInstall(machine_id, { apply: true, yes }), null, 2) }] }));
-  server.tool("machines_route_resolve", "Resolve the best route for a machine using manifest, heartbeat, SSH, LAN, and Tailscale topology.", { machine_id: exports_external.string().describe("Machine identifier"), include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json") }, async ({ machine_id, include_tailscale }) => ({
-    content: [{ type: "text", text: JSON.stringify(resolveMachineRoute(machine_id, { includeTailscale: include_tailscale !== false }), null, 2) }]
-  }));
+  server.tool("machines_route_resolve", "Resolve the best route for a machine using manifest, heartbeat, SSH, LAN, and Tailscale topology.", {
+    machine_id: exports_external.string().describe("Machine identifier"),
+    include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json"),
+    private_metadata: exports_external.boolean().optional().describe("Include private route targets")
+  }, async ({ machine_id, include_tailscale, private_metadata }) => {
+    const privateMetadata = privateMetadataAllowed(private_metadata);
+    const warnings = privateOutputWarnings(private_metadata, privateMetadata);
+    const route = redactRouteForOutput(resolveMachineRoute(machine_id, { includeTailscale: include_tailscale !== false }), { privateMetadata });
+    return { content: [{ type: "text", text: JSON.stringify(appendWarnings(route, warnings), null, 2) }] };
+  });
   server.tool("machines_workspace_resolve", "Resolve sync-safe repo and open-files roots for an open-* consumer.", {
     machine_id: exports_external.string().describe("Machine identifier"),
     project_id: exports_external.string().describe("Canonical project id"),