@hasna/machines 0.0.37 → 0.0.39

package/dist/cli/index.js

@@ -2135,9 +2135,23 @@ function createTables(db) {
       pid INTEGER NOT NULL,
       status TEXT NOT NULL,
       updated_at TEXT NOT NULL,
+      daemon_version TEXT,
+      agent_mode TEXT,
+      platform TEXT,
+      os_version TEXT,
+      os_build TEXT,
+      arch TEXT,
+      uptime_seconds INTEGER,
+      tool_versions_json TEXT,
+      tailscale_json TEXT,
+      storage_sync_status TEXT,
+      storage_sync_last_error TEXT,
+      doctor_summary_json TEXT,
+      private_metadata INTEGER NOT NULL DEFAULT 0,
       PRIMARY KEY (machine_id, pid)
     )
   `);
+  migrateAgentHeartbeats(db);
   db.exec(`
     CREATE TABLE IF NOT EXISTS setup_runs (
       id TEXT PRIMARY KEY,
@@ -2159,6 +2173,15 @@ function createTables(db) {
     )
   `);
 }
+function migrateAgentHeartbeats(db) {
+  const columns = db.query("PRAGMA table_info(agent_heartbeats)").all();
+  const existing = new Set(columns.map((column) => column.name));
+  for (const column of AGENT_HEARTBEAT_COLUMNS) {
+    if (existing.has(column.name))
+      continue;
+    db.exec(`ALTER TABLE agent_heartbeats ADD COLUMN ${column.name} ${column.definition}`);
+  }
+}
 function getAdapter(path = getDbPath()) {
   if (path === ":memory:") {
     const memoryAdapter = new SqliteAdapter(path);
@@ -2187,12 +2210,12 @@ function getLocalMachineId() {
 function listHeartbeats(machineId) {
   const db = getDb();
   if (machineId) {
-    return db.query(`SELECT machine_id, pid, status, updated_at
+    return db.query(`SELECT *
          FROM agent_heartbeats
          WHERE machine_id = ?
          ORDER BY updated_at DESC`).all(machineId);
   }
-  return db.query(`SELECT machine_id, pid, status, updated_at
+  return db.query(`SELECT *
        FROM agent_heartbeats
        ORDER BY updated_at DESC`).all();
 }
@@ -2213,9 +2236,24 @@ function recordSyncRun(machineId, status, actions) {
   db.query(`INSERT INTO sync_runs (id, machine_id, status, actions_json, created_at, updated_at)
      VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(actions), now, now);
 }
-var adapter = null;
+var adapter = null, AGENT_HEARTBEAT_COLUMNS;
 var init_db = __esm(() => {
   init_paths();
+  AGENT_HEARTBEAT_COLUMNS = [
+    { name: "daemon_version", definition: "TEXT" },
+    { name: "agent_mode", definition: "TEXT" },
+    { name: "platform", definition: "TEXT" },
+    { name: "os_version", definition: "TEXT" },
+    { name: "os_build", definition: "TEXT" },
+    { name: "arch", definition: "TEXT" },
+    { name: "uptime_seconds", definition: "INTEGER" },
+    { name: "tool_versions_json", definition: "TEXT" },
+    { name: "tailscale_json", definition: "TEXT" },
+    { name: "storage_sync_status", definition: "TEXT" },
+    { name: "storage_sync_last_error", definition: "TEXT" },
+    { name: "doctor_summary_json", definition: "TEXT" },
+    { name: "private_metadata", definition: "INTEGER NOT NULL DEFAULT 0" }
+  ];
 });
 
 // src/pg-migrations.ts
@@ -2228,9 +2266,36 @@ var init_pg_migrations = __esm(() => {
     pid INTEGER NOT NULL,
     status TEXT NOT NULL,
     updated_at TIMESTAMPTZ NOT NULL,
+    daemon_version TEXT,
+    agent_mode TEXT,
+    platform TEXT,
+    os_version TEXT,
+    os_build TEXT,
+    arch TEXT,
+    uptime_seconds INTEGER,
+    tool_versions_json TEXT,
+    tailscale_json TEXT,
+    storage_sync_status TEXT,
+    storage_sync_last_error TEXT,
+    doctor_summary_json TEXT,
+    private_metadata INTEGER NOT NULL DEFAULT 0,
     PRIMARY KEY (machine_id, pid)
   );
 
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS daemon_version TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS agent_mode TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS platform TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS os_version TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS os_build TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS arch TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS uptime_seconds INTEGER;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS tool_versions_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS tailscale_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS storage_sync_status TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS storage_sync_last_error TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS doctor_summary_json TEXT;
+  ALTER TABLE agent_heartbeats ADD COLUMN IF NOT EXISTS private_metadata INTEGER NOT NULL DEFAULT 0;
+
   CREATE TABLE IF NOT EXISTS setup_runs (
     id TEXT PRIMARY KEY,
     machine_id TEXT NOT NULL,
@@ -2263,7 +2328,20 @@ function normalizeParams(params) {
   return flat.map((value) => value === undefined ? null : value);
 }
 function sslConfigFor(connectionString) {
-  return connectionString.includes("sslmode=require") || connectionString.includes("ssl=true") ? { rejectUnauthorized: false } : undefined;
+  let url;
+  try {
+    url = new URL(connectionString);
+  } catch {
+    return;
+  }
+  const sslMode = url.searchParams.get("sslmode")?.toLowerCase();
+  const ssl = url.searchParams.get("ssl")?.toLowerCase();
+  if (sslMode === "disable" || ssl === "false")
+    return;
+  if (sslMode === "no-verify" || process.env["HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED"] === "0") {
+    return { rejectUnauthorized: false };
+  }
+  return sslMode || ssl === "true" ? { rejectUnauthorized: true } : undefined;
 }
 
 class PgAdapterAsync {
@@ -2603,7 +2681,7 @@ var {
 
 // src/cli/index.ts
 import { registerEventCommands, registerWebhookCommands } from "@hasna/events/commander";
-import { execFileSync } from "child_process";
+import { execFileSync as execFileSync2 } from "child_process";
 
 // node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET = 10;
@@ -3095,12 +3173,12 @@ var chalkStderr = createChalk({ level: stderrColor ? stderrColor.level : 0 });
 var source_default = chalk;
 
 // src/version.ts
-import { existsSync, readFileSync } from "fs";
+import { existsSync, readFileSync, realpathSync } from "fs";
 import { dirname, join } from "path";
 import { fileURLToPath } from "url";
 function getPackageVersion() {
   try {
-    const here = dirname(fileURLToPath(import.meta.url));
+    const here = dirname(realpathSync(fileURLToPath(import.meta.url)));
     const candidates = [join(here, "..", "package.json"), join(here, "..", "..", "package.json")];
     const pkgPath = candidates.find((candidate) => existsSync(candidate));
     if (!pkgPath) {
@@ -7095,6 +7173,9 @@ init_paths();
 
 // src/redaction.ts
 var REDACTED_VALUE = "[redacted]";
+var PRIVATE_OUTPUT_ENV = "HASNA_MACHINES_ALLOW_PRIVATE_OUTPUT";
+var PRIVATE_OUTPUT_FALLBACK_ENV = "MACHINES_ALLOW_PRIVATE_OUTPUT";
+var PRIVATE_OUTPUT_DENIED_WARNING = `private_output_denied:set ${PRIVATE_OUTPUT_ENV}=1 to allow private metadata output`;
 var SENSITIVE_KEY_PATTERN = /(password|passwd|token|credential|private[_-]?key|privateKey|api[_-]?key|github.*key|pem|secret)/i;
 var SECRET_REFERENCE_KEY_PATTERN = /(secret(ref(erence)?|key)?|secretRef|secretKey)$/i;
 var SENSITIVE_VALUE_PATTERNS = [
@@ -7105,9 +7186,17 @@ var SENSITIVE_VALUE_PATTERNS = [
   /\bAKIA[0-9A-Z]{16}\b/,
   /\bsk-[A-Za-z0-9_-]{20,}\b/
 ];
+var IPV4_PATTERN = /\b(?:10|127|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168|100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7]))(?:\.\d{1,3}){2}\b/g;
+var IPV6_PATTERN = /\b(?:fc|fd|fe80)[0-9a-f:]*:[0-9a-f:]+\b/gi;
+var DATABASE_URL_PATTERN = /\b(?:postgres(?:ql)?|mysql|mariadb|redis|mongodb|s3):\/\/[^\s"'<>]+/gi;
+var PRIVATE_HOST_PATTERN = /\b(?:[A-Za-z0-9._%+-]+@)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?:\.tailnet(?:\.[A-Za-z0-9-]+)*|\.ts\.net|\.private(?:\.[A-Za-z0-9-]+)*|\.internal|\.local)\b/gi;
 function isSensitiveKey(key) {
   return SENSITIVE_KEY_PATTERN.test(key);
 }
+function isPrivateOutputEnabled(env2 = process.env) {
+  const value = env2[PRIVATE_OUTPUT_ENV] ?? env2[PRIVATE_OUTPUT_FALLBACK_ENV];
+  return ["1", "true", "yes", "on", "private"].includes(String(value ?? "").trim().toLowerCase());
+}
 function isSecretReferenceKey(key) {
   return SECRET_REFERENCE_KEY_PATTERN.test(key);
 }
@@ -7120,6 +7209,12 @@ function isRecord(value) {
 function redactPath(value) {
   return value.replace(/\/home\/[^/\s]+/g, "/home/<user>").replace(/\/Users\/[^/\s]+/g, "/Users/<user>").replace(/[A-Za-z]:\\Users\\[^\\\s]+/g, "C:\\Users\\<user>");
 }
+function redactErrorMessage(value) {
+  return redactPath(value).replace(DATABASE_URL_PATTERN, (match) => {
+    const scheme = match.match(/^([a-z][a-z0-9+.-]*:\/\/)/i)?.[1] ?? "";
+    return `${scheme}${REDACTED_VALUE}`;
+  }).replace(IPV4_PATTERN, REDACTED_VALUE).replace(IPV6_PATTERN, REDACTED_VALUE).replace(PRIVATE_HOST_PATTERN, REDACTED_VALUE);
+}
 function redactPrivateRef(value) {
   const trimmed = value.trim();
   const scheme = trimmed.match(/^([a-z][a-z0-9+.-]*:\/\/)/i);
@@ -7589,6 +7684,16 @@ function routeRank(hint) {
 function selectRouteHint(hints) {
   return [...hints].sort((left, right) => routeRank(left) - routeRank(right))[0] ?? null;
 }
+function parseHeartbeatJson(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
 function buildEntry(input) {
   const manifest = input.manifest;
   const peer = input.peer;
@@ -7611,6 +7716,22 @@ function buildEntry(input) {
     manifest_declared: Boolean(manifest),
     heartbeat_status: input.heartbeat?.status ?? "unknown",
     last_heartbeat_at: input.heartbeat?.updated_at ?? null,
+    agent: {
+      pid: input.heartbeat?.pid ?? null,
+      daemon_version: input.heartbeat?.daemon_version ?? null,
+      mode: input.heartbeat?.agent_mode ?? null,
+      private_metadata: Boolean(input.heartbeat?.private_metadata),
+      platform: input.heartbeat?.platform ?? null,
+      os_version: input.heartbeat?.os_version ?? null,
+      os_build: input.heartbeat?.os_build ?? null,
+      arch: input.heartbeat?.arch ?? null,
+      uptime_seconds: input.heartbeat?.uptime_seconds ?? null,
+      tool_versions: parseHeartbeatJson(input.heartbeat?.tool_versions_json),
+      tailscale: parseHeartbeatJson(input.heartbeat?.tailscale_json),
+      storage_sync_status: input.heartbeat?.storage_sync_status ?? null,
+      storage_sync_last_error: input.heartbeat?.storage_sync_last_error ?? null,
+      doctor_summary: parseHeartbeatJson(input.heartbeat?.doctor_summary_json)
+    },
     tailscale: {
       dns_name: manifest?.tailscaleName ?? peer?.DNSName?.replace(/\.$/, "") ?? null,
       ips: peer?.TailscaleIPs ?? [],
@@ -7670,6 +7791,72 @@ function discoverMachineTopology(options = {}) {
     warnings
   };
 }
+function redactFleetString(value) {
+  if (!value)
+    return value;
+  return redactErrorMessage(value);
+}
+function redactPublicRecord(value) {
+  if (!value)
+    return null;
+  const redacted = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (/(host|hostname|dns|ip|ips|user|username|serial|address|target|url|token|secret|password|credential)/i.test(key)) {
+      redacted[key] = REDACTED_VALUE;
+      continue;
+    }
+    if (typeof entry === "string") {
+      redacted[key] = redactFleetString(entry);
+    } else if (Array.isArray(entry)) {
+      redacted[key] = entry.map((item) => {
+        if (typeof item === "string")
+          return redactFleetString(item);
+        if (item && typeof item === "object")
+          return redactPublicRecord(item);
+        return item;
+      });
+    } else if (entry && typeof entry === "object") {
+      redacted[key] = redactPublicRecord(entry);
+    } else {
+      redacted[key] = entry;
+    }
+  }
+  return redactSensitiveValue(redacted);
+}
+function redactTopologyForOutput(topology, options = {}) {
+  if (options.privateMetadata)
+    return topology;
+  return {
+    ...topology,
+    local_hostname: REDACTED_VALUE,
+    warnings: topology.warnings.map(redactFleetString),
+    machines: topology.machines.map((machine) => ({
+      ...machine,
+      hostname: machine.hostname ? REDACTED_VALUE : null,
+      user: machine.user ? REDACTED_VALUE : null,
+      tailscale: {
+        ...machine.tailscale,
+        dns_name: machine.tailscale.dns_name ? REDACTED_VALUE : null,
+        ips: machine.tailscale.ips.map(() => REDACTED_VALUE)
+      },
+      ssh: {
+        ...machine.ssh,
+        address: machine.ssh.address ? REDACTED_VALUE : null,
+        command_target: machine.ssh.command_target ? REDACTED_VALUE : null
+      },
+      route_hints: machine.route_hints.map((hint) => ({
+        ...hint,
+        target: REDACTED_VALUE
+      })),
+      agent: {
+        ...machine.agent,
+        tailscale: redactPublicRecord(machine.agent.tailscale),
+        storage_sync_last_error: machine.agent.storage_sync_last_error ? redactFleetString(machine.agent.storage_sync_last_error) : null,
+        doctor_summary: redactPublicRecord(machine.agent.doctor_summary)
+      }
+    }))
+  };
+}
 function normalizeMachineAlias(value) {
   return value.trim().replace(/\.$/, "").toLowerCase();
 }
@@ -7863,6 +8050,20 @@ function resolveMachineRoute(machineId, options = {}) {
     warnings
   };
 }
+function redactRouteForOutput(route, options = {}) {
+  if (options.privateMetadata)
+    return route;
+  return {
+    ...route,
+    target: route.target ? REDACTED_VALUE : null,
+    command_target: route.command_target ? REDACTED_VALUE : null,
+    warnings: route.warnings.map(redactFleetString),
+    evidence: {
+      ...route.evidence,
+      selected_hint: route.evidence.selected_hint ? { ...route.evidence.selected_hint, target: REDACTED_VALUE } : null
+    }
+  };
+}
 function isRecord2(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -9752,6 +9953,16 @@ function runSync(machineId, options = {}, runner = runMachineCommand) {
 // src/commands/status.ts
 init_db();
 init_paths();
+function parseJsonObject(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
 function getStatus() {
   const manifest = readManifest();
   const heartbeats = listHeartbeats();
@@ -9775,7 +9986,12 @@ function getStatus() {
         platform: declared?.platform,
         manifestDeclared: Boolean(declared),
         heartbeatStatus: heartbeat?.status || "unknown",
-        lastHeartbeatAt: heartbeat?.updated_at
+        lastHeartbeatAt: heartbeat?.updated_at,
+        daemonVersion: heartbeat?.daemon_version ?? null,
+        agentMode: heartbeat?.agent_mode ?? null,
+        storageSyncStatus: heartbeat?.storage_sync_status ?? null,
+        doctorSummary: parseJsonObject(heartbeat?.doctor_summary_json),
+        privateMetadata: Boolean(heartbeat?.private_metadata)
       };
     }),
     recentSetupRuns: countRuns("setup_runs"),
@@ -10361,11 +10577,514 @@ function runDoctor(machineId, options = {}) {
   };
 }
 
+// src/commands/daemon.ts
+import { execFileSync } from "child_process";
+import { chmodSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync4 } from "fs";
+import { dirname as dirname4 } from "path";
+import { platform as osPlatform } from "os";
+var DEFAULT_SERVICE_NAME = "machines-agent";
+var DEFAULT_EXECUTABLE = "/usr/local/bin/machines-agent";
+var DEFAULT_INTERVAL_MS = 30000;
+var ENV_NAME_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+var SERVICE_NAME_PATTERN = /^[A-Za-z0-9_.-]+$/;
+function buildDaemonServicePlan(options) {
+  const resolved = resolveDaemonServiceOptions(options);
+  const files = resolved.action === "install" ? [buildServiceFile(resolved)] : [];
+  return {
+    platform: resolved.platform,
+    mode: resolved.mode,
+    action: resolved.action,
+    serviceName: resolved.serviceName,
+    serviceId: resolved.serviceId,
+    executable: resolved.executable,
+    intervalMs: resolved.intervalMs,
+    commands: buildActionCommands(resolved),
+    files,
+    warnings: resolved.warnings,
+    manualSteps: buildManualSteps(resolved, files)
+  };
+}
+function runDaemonServicePlan(plan, options = {}) {
+  const apply = options.apply === true;
+  const allowed = apply && options.yes === true;
+  const warnings = [...plan.warnings];
+  const filesWritten = [];
+  const commands = [];
+  if (apply && !allowed) {
+    warnings.push("apply_requires_yes");
+  }
+  if (allowed) {
+    for (const file of plan.files) {
+      const path = expandShellPath(file.path);
+      let content;
+      try {
+        content = materializePlaceholders(file.content);
+      } catch (error) {
+        warnings.push(error instanceof Error ? error.message : String(error));
+        return {
+          mode: "plan",
+          applied: false,
+          plan,
+          filesWritten,
+          commands: plan.commands.map((commandSpec) => ({
+            id: commandSpec.id,
+            command: renderCommand(commandSpec),
+            skipped: true,
+            exitCode: null,
+            stdout: "",
+            stderr: ""
+          })),
+          warnings
+        };
+      }
+      mkdirSync2(dirname4(path), { recursive: true });
+      writeFileSync4(path, content, "utf8");
+      chmodSync(path, Number.parseInt(file.mode, 8));
+      filesWritten.push(path);
+    }
+  }
+  for (const commandSpec of plan.commands) {
+    const commandLine = renderCommand(commandSpec);
+    if (!allowed) {
+      commands.push({
+        id: commandSpec.id,
+        command: commandLine,
+        skipped: true,
+        exitCode: null,
+        stdout: "",
+        stderr: ""
+      });
+      continue;
+    }
+    const program2 = commandLine[0];
+    const args = commandLine.slice(1);
+    try {
+      const result = execFileSync(program2, args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
+      commands.push({
+        id: commandSpec.id,
+        command: commandLine,
+        skipped: false,
+        exitCode: 0,
+        stdout: result,
+        stderr: ""
+      });
+    } catch (error) {
+      const maybe = error;
+      if (commandSpec.allowFailure) {
+        commands.push({
+          id: commandSpec.id,
+          command: commandLine,
+          skipped: false,
+          exitCode: typeof maybe.status === "number" ? maybe.status : 1,
+          stdout: String(maybe.stdout ?? ""),
+          stderr: String(maybe.stderr ?? ""),
+          error: maybe.message ?? String(error)
+        });
+        continue;
+      }
+      commands.push({
+        id: commandSpec.id,
+        command: commandLine,
+        skipped: false,
+        exitCode: typeof maybe.status === "number" ? maybe.status : 1,
+        stdout: String(maybe.stdout ?? ""),
+        stderr: String(maybe.stderr ?? ""),
+        error: maybe.message ?? String(error)
+      });
+      break;
+    }
+  }
+  return {
+    mode: allowed ? "apply" : "plan",
+    applied: allowed,
+    plan,
+    filesWritten,
+    commands,
+    warnings
+  };
+}
+function resolveDaemonServiceOptions(options) {
+  const warnings = [];
+  const serviceName = normalizeServiceName(options.serviceName, warnings);
+  const platform4 = normalizePlatform3(options.platform, warnings);
+  const mode = options.mode ?? "user";
+  const intervalMs = normalizeIntervalMs(options.intervalMs, warnings);
+  const executable = options.executable?.trim() || DEFAULT_EXECUTABLE;
+  if (platform4 === "linux" && !executable.startsWith("/")) {
+    warnings.push("systemd units should use an absolute executable path; install plan keeps the provided path unchanged.");
+  }
+  return {
+    action: options.action,
+    platform: platform4,
+    mode,
+    serviceName,
+    serviceId: serviceName,
+    executable,
+    intervalMs,
+    env: buildEnvironment(serviceName, options, warnings),
+    warnings
+  };
+}
+function normalizeServiceName(value, warnings) {
+  const serviceName = value?.trim() || DEFAULT_SERVICE_NAME;
+  if (SERVICE_NAME_PATTERN.test(serviceName))
+    return serviceName;
+  warnings.push(`Invalid serviceName "${serviceName}"; using ${DEFAULT_SERVICE_NAME}.`);
+  return DEFAULT_SERVICE_NAME;
+}
+function normalizePlatform3(value, warnings) {
+  const raw = value ?? osPlatform();
+  if (raw === "darwin" || raw === "macos")
+    return "macos";
+  if (raw === "linux")
+    return "linux";
+  warnings.push(`Unsupported platform "${raw}"; using linux service planning.`);
+  return "linux";
+}
+function normalizeIntervalMs(value, warnings) {
+  if (value === undefined)
+    return DEFAULT_INTERVAL_MS;
+  if (Number.isInteger(value) && value > 0)
+    return value;
+  warnings.push(`Invalid intervalMs "${String(value)}"; using ${DEFAULT_INTERVAL_MS}.`);
+  return DEFAULT_INTERVAL_MS;
+}
+function buildEnvironment(serviceName, options, warnings) {
+  const env2 = {
+    HASNA_MACHINES_AGENT_MODE: "daemon",
+    HASNA_MACHINES_AGENT_SERVICE: serviceName
+  };
+  if (options.storagePush) {
+    env2["HASNA_MACHINES_AGENT_STORAGE_PUSH"] = "1";
+    env2["HASNA_MACHINES_AGENT_STORAGE_PUSH_BACKOFF_MS"] = "250";
+    env2["HASNA_MACHINES_AGENT_STORAGE_PUSH_RETRIES"] = "2";
+    env2["HASNA_MACHINES_STORAGE_MODE"] = "hybrid";
+    env2["HASNA_MACHINES_DATABASE_URL"] = placeholderForEnv("HASNA_MACHINES_DATABASE_URL");
+    warnings.push("storagePush is represented with env placeholders; no database URL is embedded in the plan.");
+  }
+  if (options.doctorSummary) {
+    env2["HASNA_MACHINES_AGENT_DOCTOR_SUMMARY"] = "1";
+  }
+  if (options.privateMetadata === true) {
+    env2["HASNA_MACHINES_PRIVATE_METADATA"] = "1";
+    warnings.push("privateMetadata=true enables private host/network facts in heartbeat rows; do not share private-mode output publicly.");
+  } else if (Array.isArray(options.privateMetadata)) {
+    addEnvPlaceholders(env2, options.privateMetadata, warnings);
+  }
+  addEnvPlaceholders(env2, options.env ?? [], warnings);
+  return Object.fromEntries(Object.entries(env2).sort(([left], [right]) => left.localeCompare(right)));
+}
+function addEnvPlaceholders(env2, names, warnings) {
+  for (const rawName of names) {
+    const name = rawName.trim();
+    if (!ENV_NAME_PATTERN.test(name)) {
+      warnings.push(`Invalid environment variable name "${rawName}"; skipped.`);
+      continue;
+    }
+    env2[name] = placeholderForEnv(name);
+  }
+}
+function placeholderForEnv(name) {
+  return `<set:${name}>`;
+}
+function buildServiceFile(options) {
+  if (options.platform === "macos") {
+    return {
+      id: "launchd-plist",
+      description: "launchd property list for machines-agent",
+      path: launchdPlistPath(options),
+      mode: "0644",
+      content: launchdPlist(options)
+    };
+  }
+  return {
+    id: "systemd-unit",
+    description: "systemd unit for machines-agent",
+    path: systemdUnitPath(options),
+    mode: "0644",
+    content: systemdUnit(options)
+  };
+}
+function buildActionCommands(options) {
+  if (options.platform === "macos")
+    return buildLaunchdCommands(options);
+  return buildSystemdCommands(options);
+}
+function buildLaunchdCommands(options) {
+  const domain = launchdDomain(options);
+  const serviceTarget = `${domain}/${options.serviceId}`;
+  const plistPath = launchdPlistPath(options);
+  const sudo = options.mode === "system";
+  if (options.action === "install") {
+    return [
+      command("launchd-bootout-existing", "Unload any existing launchd job before bootstrap.", "launchctl", ["bootout", domain, plistPath], sudo, true, true),
+      command("launchd-bootstrap", "Load the planned launchd plist.", "launchctl", ["bootstrap", domain, plistPath], sudo, true),
+      command("launchd-enable", "Enable the launchd service.", "launchctl", ["enable", serviceTarget], sudo, true),
+      command("launchd-kickstart", "Start or restart the launchd service.", "launchctl", ["kickstart", "-k", serviceTarget], sudo, true)
+    ];
+  }
+  if (options.action === "uninstall") {
+    return [
+      command("launchd-bootout", "Unload the launchd job.", "launchctl", ["bootout", domain, plistPath], sudo, true),
+      command("remove-launchd-plist", "Remove the planned launchd plist file.", "rm", ["-f", plistPath], sudo, true)
+    ];
+  }
+  if (options.action === "restart") {
+    return [command("launchd-kickstart", "Restart the launchd service.", "launchctl", ["kickstart", "-k", serviceTarget], sudo, true)];
+  }
+  if (options.action === "status") {
+    return [command("launchd-print", "Print launchd service status.", "launchctl", ["print", serviceTarget], sudo, false)];
+  }
+  return [
+    command("launchd-logs", "Stream logs for machines-agent.", "log", ["stream", "--style", "compact", "--predicate", `process == "${basename(options.executable)}" OR eventMessage CONTAINS "${options.serviceId}"`], false, false)
+  ];
+}
+function buildSystemdCommands(options) {
+  const userFlag = options.mode === "user" ? ["--user"] : [];
+  const sudo = options.mode === "system";
+  const unitName = systemdUnitName(options);
+  const daemonReload = command("systemd-daemon-reload", "Reload systemd unit metadata.", "systemctl", [...userFlag, "daemon-reload"], sudo, true);
+  if (options.action === "install") {
+    return [
+      daemonReload,
+      command("systemd-enable-now", "Enable and start the systemd service.", "systemctl", [...userFlag, "enable", "--now", unitName], sudo, true)
+    ];
+  }
+  if (options.action === "uninstall") {
+    return [
+      command("systemd-disable-now", "Stop and disable the systemd service.", "systemctl", [...userFlag, "disable", "--now", unitName], sudo, true),
+      command("remove-systemd-unit", "Remove the planned systemd unit file.", "rm", ["-f", systemdUnitPath(options)], sudo, true),
+      daemonReload
+    ];
+  }
+  if (options.action === "restart") {
+    return [command("systemd-restart", "Restart the systemd service.", "systemctl", [...userFlag, "restart", unitName], sudo, true)];
+  }
+  if (options.action === "status") {
+    return [command("systemd-status", "Show systemd service status.", "systemctl", [...userFlag, "status", unitName, "--no-pager"], sudo, false)];
+  }
+  return [
+    command("systemd-logs", "Follow journal logs for the service.", "journalctl", [...userFlag, "-u", unitName, "-f", "--no-pager"], sudo, false)
+  ];
+}
+function buildManualSteps(options, files) {
+  const steps = [];
+  if (files[0])
+    steps.push(`Write ${files[0].id} content to ${files[0].path} with mode ${files[0].mode}.`);
+  if (options.mode === "system")
+    steps.push("Run commands marked sudo with root privileges.");
+  if (options.platform === "linux" && options.mode === "user") {
+    steps.push("Run commands as the target user; enable lingering separately if the service must survive logout.");
+  }
+  if (options.action === "logs")
+    steps.push("Stop the log command manually when finished.");
+  return steps;
+}
+function command(id, description, program2, args, sudo, mutates, allowFailure = false) {
+  return { id, description, program: program2, args, sudo, mutates, ...allowFailure ? { allowFailure: true } : {} };
+}
+function renderCommand(commandSpec) {
+  const expanded = [commandSpec.program, ...commandSpec.args].map(expandShellPath);
+  if (commandSpec.sudo)
+    return ["sudo", ...expanded];
+  return expanded;
+}
+function expandShellPath(path) {
+  if (path.startsWith("$HOME/"))
+    return `${process.env["HOME"] ?? ""}/${path.slice("$HOME/".length)}`;
+  return path.replaceAll("$HOME", process.env["HOME"] ?? "").replaceAll("$UID", String(process.getuid ? process.getuid() : ""));
+}
+function materializePlaceholders(content) {
+  return content.replace(/(?:<set:([A-Z_][A-Z0-9_]*)>|&lt;set:([A-Z_][A-Z0-9_]*)&gt;)/g, (_match, rawName, escapedName) => {
+    const name = rawName ?? escapedName ?? "";
+    const value = process.env[name];
+    if (value === undefined || value === "") {
+      throw new Error(`Missing environment variable required for service apply: ${name}`);
+    }
+    if (/[\u0000-\u001f\u007f]/.test(value)) {
+      throw new Error(`Environment variable ${name} contains control characters; refusing to write service file.`);
+    }
+    return escapedName ? xmlEscape(value) : escapeSystemdEnvironmentValue(value);
+  });
+}
+function escapeSystemdEnvironmentValue(value) {
+  return value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%");
+}
+function launchdPlist(options) {
+  const env2 = Object.entries(options.env).map(([name, value]) => `    <key>${xmlEscape(name)}</key>
+    <string>${xmlEscape(value)}</string>`).join(`
+`);
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${xmlEscape(options.serviceId)}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(options.executable)}</string>
+    <string>--interval-ms</string>
+    <string>${options.intervalMs}</string>
+  </array>
+  <key>EnvironmentVariables</key>
+  <dict>
+${env2}
+  </dict>
+  <key>KeepAlive</key>
+  <true/>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${xmlEscape(launchdLogPath(options, "out"))}</string>
+  <key>StandardErrorPath</key>
+  <string>${xmlEscape(launchdLogPath(options, "err"))}</string>
+</dict>
+</plist>
+`;
+}
+function systemdUnit(options) {
+  const env2 = Object.entries(options.env).map(([name, value]) => `Environment=${quoteSystemdEnvironment(name, value)}`).join(`
+`);
+  return `[Unit]
+Description=Hasna machines agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${quoteSystemdExecArg(options.executable)} --interval-ms ${options.intervalMs}
+Restart=always
+RestartSec=10
+${env2}
+
+[Install]
+WantedBy=${options.mode === "system" ? "multi-user.target" : "default.target"}
+`;
+}
+function launchdDomain(options) {
+  return options.mode === "system" ? "system" : "gui/$UID";
+}
+function launchdPlistPath(options) {
+  if (options.mode === "system")
+    return `/Library/LaunchDaemons/${options.serviceId}.plist`;
+  return `$HOME/Library/LaunchAgents/${options.serviceId}.plist`;
+}
+function launchdLogPath(options, stream) {
+  const fileName = `${options.serviceId}.${stream}.log`;
+  if (options.mode === "system")
+    return `/var/log/${fileName}`;
+  return `$HOME/Library/Logs/${fileName}`;
+}
+function systemdUnitName(options) {
+  return `${options.serviceId}.service`;
+}
+function systemdUnitPath(options) {
+  if (options.mode === "system")
+    return `/etc/systemd/system/${systemdUnitName(options)}`;
+  return `$HOME/.config/systemd/user/${systemdUnitName(options)}`;
+}
+function xmlEscape(value) {
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function quoteSystemdExecArg(value) {
+  if (/^[A-Za-z0-9_@%+=:,./-]+$/.test(value) && !value.includes("%"))
+    return value;
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%")}"`;
+}
+function quoteSystemdEnvironment(name, value) {
+  return `"${name}=${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/%/g, "%%")}"`;
+}
+function basename(path) {
+  return path.split("/").filter(Boolean).at(-1) || path;
+}
+
 // src/commands/self-test.ts
 init_db();
 
 // src/commands/serve.ts
 import { EventsClient as EventsClient2, sanitizeChannelsForOutput } from "@hasna/events";
+
+// src/agent/runtime.ts
+import { arch as arch3, hostname as hostname6, platform as platform4, release, uptime, version as osVersion } from "os";
+init_db();
+init_storage_sync();
+function parseJsonObject2(value) {
+  if (!value)
+    return null;
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function heartbeatToStatus(heartbeat, options = {}) {
+  const privateMetadata = options.privateMetadata === true;
+  const tailscale = parseJsonObject2(heartbeat.tailscale_json);
+  const doctorSummary = parseJsonObject2(heartbeat.doctor_summary_json);
+  return {
+    machineId: heartbeat.machine_id,
+    pid: heartbeat.pid,
+    status: heartbeat.status,
+    updatedAt: heartbeat.updated_at,
+    daemonVersion: heartbeat.daemon_version,
+    agentMode: heartbeat.agent_mode,
+    platform: heartbeat.platform,
+    osVersion: heartbeat.os_version,
+    osBuild: heartbeat.os_build,
+    arch: heartbeat.arch,
+    uptimeSeconds: heartbeat.uptime_seconds,
+    toolVersions: sanitizeRecord(parseJsonObject2(heartbeat.tool_versions_json) ?? {}, privateMetadata),
+    tailscale: tailscale ? sanitizeRecord(tailscale, privateMetadata) : null,
+    storageSyncStatus: heartbeat.storage_sync_status,
+    storageSyncLastError: heartbeat.storage_sync_last_error ? sanitizeStorageError(heartbeat.storage_sync_last_error, privateMetadata) : null,
+    doctorSummary: doctorSummary ? sanitizeRecord(doctorSummary, privateMetadata) : null,
+    privateMetadata: Boolean(heartbeat.private_metadata)
+  };
+}
+function sanitizePublicString(value, privateMetadata = false) {
+  if (privateMetadata)
+    return value;
+  let redacted = value;
+  const localHostname = hostname6();
+  const localUser = process.env["USER"] || process.env["LOGNAME"] || process.env["USERNAME"];
+  if (localHostname)
+    redacted = redacted.replaceAll(localHostname, "[redacted-host]");
+  if (localUser)
+    redacted = redacted.replaceAll(localUser, "[redacted-user]");
+  return redactErrorMessage(redacted.replace(/[a-z][a-z0-9+.-]*:\/\/[^\s'")]+/gi, (match) => {
+    const scheme = match.match(/^([a-z][a-z0-9+.-]*:\/\/)/i)?.[1] ?? "";
+    return `${scheme}[redacted]`;
+  }).replace(/\b10(?:\.\d{1,3}){3}\b/g, "[redacted-ip]").replace(/\b172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b192\.168(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7])(?:\.\d{1,3}){2}\b/g, "[redacted-ip]").replace(/\b(password|passwd|token|secret|api[_-]?key)=([^&\s]+)/gi, "$1=[redacted]"));
+}
+function sanitizeValue(value, privateMetadata) {
+  if (typeof value === "string")
+    return sanitizePublicString(value, privateMetadata);
+  if (Array.isArray(value))
+    return value.map((entry) => sanitizeValue(entry, privateMetadata));
+  if (value && typeof value === "object")
+    return sanitizeRecord(value, privateMetadata);
+  return value;
+}
+function sanitizeRecord(value, privateMetadata) {
+  const sanitized = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (!privateMetadata && /(hostname|hostName|user|username|serial|dnsName|ip|ips|databaseUrl|url|token|secret|password|credential)/i.test(key)) {
+      sanitized[key] = "[redacted]";
+      continue;
+    }
+    sanitized[key] = sanitizeValue(entry, privateMetadata);
+  }
+  return sanitized;
+}
+function sanitizeStorageError(message, privateMetadata) {
+  return privateMetadata ? message : redactErrorMessage(message);
+}
+function getAgentStatus(machineId, options = {}) {
+  return listHeartbeats(machineId).map((heartbeat) => heartbeatToStatus(heartbeat, options));
+}
+
+// src/commands/serve.ts
 function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
@@ -10380,6 +11099,9 @@ function getServeInfo(options = {}) {
       "/",
       "/health",
       "/api/status",
+      "/api/topology",
+      "/api/routes",
+      "/api/daemon/status",
       "/api/manifest",
       "/api/notifications",
       "/api/webhooks",
@@ -10397,6 +11119,7 @@ function getServeInfo(options = {}) {
 }
 function renderDashboardHtml() {
   const status = getStatus();
+  const topology = discoverMachineTopology();
   const manifest = manifestList();
   const notifications = listNotificationChannels();
   const doctor = runDoctor();
@@ -10435,17 +11158,20 @@ function renderDashboardHtml() {
         <section class="card"><div>Heartbeats</div><div class="stat">${status.heartbeatCount}</div></section>
         <section class="card"><div>Notification channels</div><div class="stat">${notifications.channels.length}</div></section>
         <section class="card"><div>Doctor warnings</div><div class="stat">${doctor.checks.filter((entry) => entry.status !== "ok").length}</div></section>
+        <section class="card"><div>Tailscale routes</div><div class="stat">${topology.machines.filter((machine) => machine.ssh.route === "tailscale").length}</div></section>
       </div>
 
       <section class="card" style="margin-top:16px">
         <h2>Machines</h2>
         <table>
-          <thead><tr><th>ID</th><th>Platform</th><th>Status</th><th>Last heartbeat</th></tr></thead>
+          <thead><tr><th>ID</th><th>Platform</th><th>Status</th><th>Agent</th><th>Storage</th><th>Last heartbeat</th></tr></thead>
           <tbody>
             ${status.machines.map((machine) => `<tr>
               <td><code>${escapeHtml(machine.machineId)}</code></td>
               <td>${escapeHtml(machine.platform || "unknown")}</td>
               <td><span class="badge ${escapeHtml(machine.heartbeatStatus)}">${escapeHtml(machine.heartbeatStatus)}</span></td>
+              <td>${escapeHtml(machine.agentMode || "unknown")} ${escapeHtml(machine.daemonVersion || "")}</td>
+              <td>${escapeHtml(machine.storageSyncStatus || "unknown")}</td>
               <td>${escapeHtml(machine.lastHeartbeatAt || "\u2014")}</td>
             </tr>`).join("")}
           </tbody>
@@ -10489,6 +11215,14 @@ function renderDashboardHtml() {
     <script>
       // Auto-refresh dashboard data every 15s
       const REFRESH_INTERVAL = 15000;
+      function escapeHtml(value) {
+        return String(value ?? "")
+          .replaceAll("&", "&amp;")
+          .replaceAll("<", "&lt;")
+          .replaceAll(">", "&gt;")
+          .replaceAll('"', "&quot;")
+          .replaceAll("'", "&#39;");
+      }
       async function refreshData() {
         try {
           const [statusRes, doctorRes] = await Promise.all([
@@ -10509,10 +11243,12 @@ function renderDashboardHtml() {
             tbody.innerHTML = status.machines
               .map((m) =>
                 "<tr>" +
-                "<td><code>" + m.machineId + "</code></td>" +
-                "<td>" + (m.platform || "unknown") + "</td>" +
-                '<td><span class="badge ' + m.heartbeatStatus + '">' + m.heartbeatStatus + '</span></td>' +
-                "<td>" + (m.lastHeartbeatAt || "\\u2014") + "</td>" +
+                "<td><code>" + escapeHtml(m.machineId) + "</code></td>" +
+                "<td>" + escapeHtml(m.platform || "unknown") + "</td>" +
+                '<td><span class="badge ' + escapeHtml(m.heartbeatStatus) + '">' + escapeHtml(m.heartbeatStatus) + '</span></td>' +
+                "<td>" + escapeHtml(m.agentMode || "unknown") + " " + escapeHtml(m.daemonVersion || "") + "</td>" +
+                "<td>" + escapeHtml(m.storageSyncStatus || "unknown") + "</td>" +
+                "<td>" + escapeHtml(m.lastHeartbeatAt || "\\u2014") + "</td>" +
                 "</tr>"
               )
               .join("");
@@ -10524,9 +11260,9 @@ function renderDashboardHtml() {
             doctorTbody.innerHTML = doctor.checks
               .map((c) =>
                 "<tr>" +
-                "<td>" + c.summary + "</td>" +
-                '<td><span class="badge ' + c.status + '">' + c.status + '</span></td>' +
-                '<td class="muted">' + c.detail + "</td>" +
+                "<td>" + escapeHtml(c.summary) + "</td>" +
+                '<td><span class="badge ' + escapeHtml(c.status) + '">' + escapeHtml(c.status) + '</span></td>' +
+                '<td class="muted">' + escapeHtml(c.detail) + "</td>" +
                 "</tr>"
               )
               .join("");
@@ -10556,6 +11292,14 @@ async function parseJsonBody(request) {
 function jsonError(message, status = 400) {
   return Response.json({ error: message }, { status });
 }
+function privateOutputWarnings(requested, allowed) {
+  return requested && !allowed ? [PRIVATE_OUTPUT_DENIED_WARNING] : [];
+}
+function appendWarnings(payload, warnings) {
+  if (warnings.length === 0)
+    return payload;
+  return { ...payload, warnings: [...payload.warnings ?? [], ...warnings] };
+}
 function startDashboardServer(options = {}) {
   const info = getServeInfo(options);
   const events = new EventsClient2;
@@ -10566,12 +11310,34 @@ function startDashboardServer(options = {}) {
       const url = new URL(request.url);
       const machineId = url.searchParams.get("machine") || undefined;
       const tools = url.searchParams.get("tools")?.split(",").map((value) => value.trim()).filter(Boolean);
+      const privateMetadataRequested = url.searchParams.get("privateMetadata") === "true" || url.searchParams.get("private_metadata") === "true";
+      const privateMetadata = privateMetadataRequested && isPrivateOutputEnabled();
+      const privateWarnings = privateOutputWarnings(privateMetadataRequested, privateMetadata);
       if (url.pathname === "/health") {
         return Response.json({ ok: true, ...getServeInfo(options) });
       }
       if (url.pathname === "/api/status") {
         return Response.json(getStatus());
       }
+      if (url.pathname === "/api/topology") {
+        const topology = discoverMachineTopology({ includeTailscale: url.searchParams.get("tailscale") !== "false" });
+        return Response.json(appendWarnings(redactTopologyForOutput(topology, { privateMetadata }), privateWarnings));
+      }
+      if (url.pathname === "/api/routes") {
+        const topology = discoverMachineTopology({ includeTailscale: url.searchParams.get("tailscale") !== "false" });
+        return Response.json({
+          generated_at: topology.generated_at,
+          routes: topology.machines.map((machine) => redactRouteForOutput(resolveMachineRoute(machine.machine_id, { topology }), { privateMetadata })),
+          ...privateWarnings.length > 0 ? { warnings: privateWarnings } : {}
+        });
+      }
+      if (url.pathname === "/api/daemon/status") {
+        return Response.json({
+          generated_at: new Date().toISOString(),
+          agents: getAgentStatus(machineId, { privateMetadata }),
+          ...privateWarnings.length > 0 ? { warnings: privateWarnings } : {}
+        });
+      }
       if (url.pathname === "/api/manifest") {
         return Response.json(manifestList());
       }
@@ -10715,7 +11481,7 @@ function runSelfTest() {
 // src/commands/clipboard.ts
 init_paths();
 import { createHash } from "crypto";
-import { existsSync as existsSync8, readFileSync as readFileSync6, rmSync, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync6, rmSync, writeFileSync as writeFileSync5 } from "fs";
 import { join as join6 } from "path";
 var DEFAULT_CONFIG = {
   version: 1,
@@ -10755,7 +11521,7 @@ function readConfig(configPath) {
 function writeConfig(config, configPath) {
   const path = resolveConfigPath(configPath);
   ensureParentDir(path);
-  writeFileSync4(path, `${JSON.stringify(config, null, 2)}
+  writeFileSync5(path, `${JSON.stringify(config, null, 2)}
 `, "utf8");
 }
 function readHistory(historyPath) {
@@ -10772,7 +11538,7 @@ function readHistory(historyPath) {
 function writeHistory(entries, historyPath) {
   const path = resolveHistoryPath(historyPath);
   ensureParentDir(path);
-  writeFileSync4(path, `${JSON.stringify(entries, null, 2)}
+  writeFileSync5(path, `${JSON.stringify(entries, null, 2)}
 `, "utf8");
 }
 function computeHash(content) {
@@ -10798,7 +11564,7 @@ function getOrCreateClipboardKey() {
   }
   const key = createHash("sha256").update(crypto.randomUUID()).digest("hex").slice(0, 32);
   ensureParentDir(keyPath);
-  writeFileSync4(keyPath, `${key}
+  writeFileSync5(keyPath, `${key}
 `, "utf8");
   return key;
 }
@@ -10849,7 +11615,7 @@ function getClipboardStatus(historyPath) {
 
 // src/commands/clipboard-daemon.ts
 init_paths();
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "fs";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync6 } from "fs";
 import { join as join7 } from "path";
 import { createHash as createHash3 } from "crypto";
 
@@ -10859,12 +11625,12 @@ import { createServer } from "http";
 import { createHash as createHash2 } from "crypto";
 import { readFileSync as readFileSync7 } from "fs";
 function readLocalClipboardSync() {
-  const platform4 = process.platform;
-  if (platform4 === "darwin") {
+  const platform5 = process.platform;
+  if (platform5 === "darwin") {
     const result = Bun.spawnSync(["pbpaste"], { stdout: "pipe", stderr: "pipe" });
     return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
   }
-  if (platform4 === "linux") {
+  if (platform5 === "linux") {
     if (hasCommand3("wl-paste")) {
       const result = Bun.spawnSync(["wl-paste"], { stdout: "pipe", stderr: "pipe" });
       return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
@@ -10878,12 +11644,12 @@ function readLocalClipboardSync() {
   return "";
 }
 function writeLocalClipboardSync(content) {
-  const platform4 = process.platform;
-  if (platform4 === "darwin") {
+  const platform5 = process.platform;
+  if (platform5 === "darwin") {
     const result = Bun.spawnSync(["pbcopy"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
     return result.exitCode === 0;
   }
-  if (platform4 === "linux") {
+  if (platform5 === "linux") {
     if (hasCommand3("wl-copy")) {
       const result = Bun.spawnSync(["wl-copy"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
       return result.exitCode === 0;
@@ -11010,12 +11776,12 @@ function handleGetClipboard(response, config) {
 // src/commands/clipboard-daemon.ts
 var DAEMON_PID_PATH = join7(getDataDir(), "clipboard-daemon.pid");
 function readLocalClipboardSync2() {
-  const platform4 = process.platform;
-  if (platform4 === "darwin") {
+  const platform5 = process.platform;
+  if (platform5 === "darwin") {
     const result = Bun.spawnSync(["pbpaste"], { stdout: "pipe", stderr: "pipe" });
     return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
   }
-  if (platform4 === "linux") {
+  if (platform5 === "linux") {
     if (hasCommand4("wl-paste")) {
       const result = Bun.spawnSync(["wl-paste"], { stdout: "pipe", stderr: "pipe" });
       return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
@@ -11076,7 +11842,7 @@ function loadSharedSecret2() {
   }
 }
 function writePid(pid) {
-  writeFileSync5(DAEMON_PID_PATH, `${pid}
+  writeFileSync6(DAEMON_PID_PATH, `${pid}
 `);
 }
 function readPid() {
@@ -11171,7 +11937,7 @@ async function discoverPeers() {
       }
     }
   } catch {}
-  const knownPeers = ["100.82.44.120", "100.100.226.69", "100.71.123.34", "100.85.234.92"];
+  const knownPeers = (process.env["HASNA_MACHINES_CLIPBOARD_PEERS"] || "").split(",").map((peer) => peer.trim()).filter(Boolean);
   for (const ip of knownPeers) {
     if (!peers.some((p) => p.host === ip)) {
       peers.push({ host: ip, port: config.port });
@@ -11182,7 +11948,7 @@ async function discoverPeers() {
 
 // src/commands/heal.ts
 init_paths();
-import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
 import { join as join8 } from "path";
 var DEFAULT_THRESHOLDS = {
   reconnect: 3,
@@ -11247,7 +12013,7 @@ function readHealConfig(path) {
 function writeHealConfig(config, path) {
   const p = path || getHealConfigPath();
   ensureParentDir(p);
-  writeFileSync6(p, `${JSON.stringify(config, null, 2)}
+  writeFileSync7(p, `${JSON.stringify(config, null, 2)}
 `, "utf8");
 }
 function readHealState(path) {
@@ -11263,7 +12029,7 @@ function readHealState(path) {
 function writeHealState(state, path) {
   const p = path || getHealStatePath();
   ensureParentDir(p);
-  writeFileSync6(p, `${JSON.stringify(state, null, 2)}
+  writeFileSync7(p, `${JSON.stringify(state, null, 2)}
 `, "utf8");
 }
 function evaluateHealth(probe, config, state) {
@@ -11468,7 +12234,7 @@ function executeAction(action, config) {
 
 // src/commands/heal-daemon.ts
 init_paths();
-import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
 import { join as join9 } from "path";
 var DAEMON_PID_PATH2 = join9(getDataDir(), "heal-daemon.pid");
 var SERVICE_PATH = "/etc/systemd/system/machines-heal.service";
@@ -11511,7 +12277,7 @@ function runHealOnce(config, opts = {}) {
   return result;
 }
 function writePid2(pid) {
-  writeFileSync7(DAEMON_PID_PATH2, `${pid}
+  writeFileSync8(DAEMON_PID_PATH2, `${pid}
 `);
 }
 function readPid2() {
@@ -11602,7 +12368,7 @@ ${key}=${value}
   };
   set("RuntimeWatchdogSec", "20s");
   set("RebootWatchdogSec", "2min");
-  writeFileSync7(SYSTEM_CONF, conf);
+  writeFileSync8(SYSTEM_CONF, conf);
   sh2("systemctl daemon-reexec");
   log2.push("hardware watchdog: RuntimeWatchdogSec=20s RebootWatchdogSec=2min");
   return log2;
@@ -11647,7 +12413,7 @@ Environment=PATH=${binDir}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sb
 [Install]
 WantedBy=multi-user.target
 `;
-  writeFileSync7(SERVICE_PATH, unit);
+  writeFileSync8(SERVICE_PATH, unit);
   sh2("systemctl daemon-reload");
   sh2("systemctl enable --now machines-heal.service");
   log2.push(`installed + enabled ${SERVICE_PATH} (ExecStart=${exec} heal daemon)`);
@@ -11828,18 +12594,18 @@ function checkSecretPresence(secretsCommand, key) {
   };
 }
 function parseCommandSpec(value) {
-  const [command, expectedVersion] = value.split(":");
+  const [command2, expectedVersion] = value.split(":");
   return {
-    command,
+    command: command2,
     expectedVersion: expectedVersion || undefined,
     required: true
   };
 }
 function parsePackageSpec(value) {
-  const [name, command, expectedVersion] = value.split(":");
+  const [name, command2, expectedVersion] = value.split(":");
   return {
     name,
-    command: command || undefined,
+    command: command2 || undefined,
     expectedVersion: expectedVersion || undefined,
     required: true
   };
@@ -11930,17 +12696,54 @@ function renderFleetStatus(status) {
       ["sync runs", String(status.recentSyncRuns)]
     ]),
     "",
-    ...status.machines.map((machine) => `${machine.machineId.padEnd(18)} ${machine.platform || "unknown"} ${machine.heartbeatStatus} ${machine.lastHeartbeatAt || "\u2014"}`)
+    ...status.machines.map((machine) => `${machine.machineId.padEnd(18)} ${machine.platform || "unknown"} ${machine.heartbeatStatus} ${machine.agentMode || "agent:unknown"} ${machine.storageSyncStatus || "storage:unknown"} ${machine.lastHeartbeatAt || "\u2014"}`)
+  ].join(`
+`);
+}
+function renderShellCommand(command2) {
+  const parts = command2.sudo ? ["sudo", command2.program, ...command2.args] : [command2.program, ...command2.args];
+  return parts.map((part) => /^[A-Za-z0-9_@%+=:,./$-]+$/.test(part) ? part : JSON.stringify(part)).join(" ");
+}
+function renderDaemonPlan(plan) {
+  const files = plan.files.map((file) => `${file.path} (${file.mode})`);
+  const commands = plan.commands.map((command2) => `${command2.mutates ? "apply" : "read"} ${command2.id}: ${renderShellCommand(command2)}`);
+  return [
+    renderKeyValueTable([
+      ["action", plan.action],
+      ["platform", plan.platform],
+      ["mode", plan.mode],
+      ["service", plan.serviceName],
+      ["executable", plan.executable],
+      ["interval", `${plan.intervalMs}ms`],
+      ["warnings", plan.warnings.join(", ") || "none"]
+    ]),
+    renderList("files", files),
+    renderList("commands", commands),
+    renderList("manual steps", plan.manualSteps)
   ].join(`
 `);
 }
+function parseDaemonOptions(action, options) {
+  return {
+    action,
+    platform: options.platform,
+    mode: options.mode,
+    serviceName: options.serviceName,
+    executable: options.executable,
+    intervalMs: options.intervalMs ? parseIntegerOption(options.intervalMs, "interval-ms", { min: 1 }) : undefined,
+    storagePush: options.storagePush,
+    doctorSummary: options.doctorSummary,
+    privateMetadata: options.privateMetadata,
+    env: options.env
+  };
+}
 program2.name("machines").description("Machine fleet management CLI + MCP for developers").version(getPackageVersion()).option("-q, --quiet", "Suppress non-essential output");
 var manifestCommand = program2.command("manifest").description("Manage the fleet manifest");
 var appsCommand = program2.command("apps").description("Manage installed applications per machine");
 var notificationsCommand = program2.command("notifications").description("Manage fleet alert delivery channels");
 var eventWebhooksCommand = registerWebhookCommands(program2, { source: "machines" });
 eventWebhooksCommand.description("Manage shared event webhook subscriptions");
-var webhookTestCommand = eventWebhooksCommand.commands.find((command) => command.name() === "test");
+var webhookTestCommand = eventWebhooksCommand.commands.find((command2) => command2.name() === "test");
 var webhookOptions = webhookTestCommand?.options ?? [];
 var webhookMessageOption = webhookOptions.find((option) => option.long === "--message");
 if (webhookMessageOption) {
@@ -11951,6 +12754,23 @@ eventsCommand.description("Emit, list, and replay shared events");
 var runtimeCommand = program2.command("runtime").description("Watch runtime conditions and emit shared events");
 var clipboardCommand = program2.command("clipboard").description("Real-time clipboard sync across fleet machines");
 var installClaudeCommand = program2.command("install-claude").description("Install or inspect Claude, Codex, and Gemini CLIs");
+var daemonCommand = program2.command("daemon").description("Install and inspect the machines-agent fleet daemon service");
+function addDaemonLifecycleCommand(action, description) {
+  daemonCommand.command(action).description(description).option("--platform <platform>", "Service platform to plan for (macos, linux)").option("--mode <mode>", "Service mode (user, system)", "user").option("--service-name <name>", "Service name/label", "machines-agent").option("--executable <path>", "Absolute machines-agent executable path").option("--interval-ms <ms>", "Heartbeat interval in milliseconds").option("--storage-push", "Configure daemon to push heartbeat rows to storage", false).option("--doctor-summary", "Configure daemon to include lightweight doctor summaries", false).option("--private-metadata", "Opt in to private host/network metadata in heartbeat rows", false).option("--env <name...>", "Environment variable names to include as placeholders").option("--apply", "Write service files and run planned commands", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
+    const plan = buildDaemonServicePlan(parseDaemonOptions(action, options));
+    const result = runDaemonServicePlan(plan, { apply: options.apply, yes: options.yes });
+    if (options.json || options.apply) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    console.log(renderDaemonPlan(plan));
+  });
+}
+addDaemonLifecycleCommand("install", "Plan or install the machines-agent daemon service");
+addDaemonLifecycleCommand("uninstall", "Plan or uninstall the machines-agent daemon service");
+addDaemonLifecycleCommand("restart", "Plan or restart the machines-agent daemon service");
+addDaemonLifecycleCommand("status", "Plan a daemon service status command");
+addDaemonLifecycleCommand("logs", "Plan a daemon service log command");
 manifestCommand.command("init").description("Create an empty fleet manifest").action(() => {
   console.log(manifestInit());
 });
@@ -12055,8 +12875,9 @@ program2.command("sync").description("Reconcile a machine against the fleet mani
   const result = options.apply ? runSync(options.machine, { apply: true, yes: options.yes }) : buildSyncPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("topology").description("Discover local, manifest, heartbeat, SSH, and Tailscale machine topology").option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {
-  const topology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
+program2.command("topology").description("Discover local, manifest, heartbeat, SSH, and Tailscale machine topology").option("--no-tailscale", "Skip tailscale status probing").option("--private-metadata", "Print private host/network route fields", false).option("-j, --json", "Print JSON output", false).action((options) => {
+  const rawTopology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
+  const topology = redactTopologyForOutput(rawTopology, { privateMetadata: options.privateMetadata });
   if (options.json) {
     console.log(JSON.stringify(topology, null, 2));
     return;
@@ -12296,11 +13117,12 @@ program2.command("install-tailscale").description("Install Tailscale on a machin
   const result = options.apply ? runTailscaleInstall(options.machine, { apply: true, yes: options.yes }) : buildTailscaleInstallPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("route").description("Resolve the best route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--no-tailscale", "Skip tailscale status probing").option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
+program2.command("route").description("Resolve the best route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--no-tailscale", "Skip tailscale status probing").option("--private-metadata", "Print private route targets", false).option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
   const topology = discoverMachineTopology({ includeTailscale: options.tailscale !== false });
   const resolved = resolveMachineRoute(options.machine, { topology });
-  const command = resolved.ok && resolved.target ? resolved.route === "local" ? options.cmd ?? null : buildSshCommand(options.machine, options.cmd, { topology }) : null;
-  const payload = { ...resolved, command };
+  const publicResolved = redactRouteForOutput(resolved, { privateMetadata: options.privateMetadata });
+  const command2 = resolved.ok && resolved.target ? resolved.route === "local" ? options.cmd ?? null : buildSshCommand(options.machine, options.cmd, { topology }) : null;
+  const payload = { ...publicResolved, command: options.privateMetadata ? command2 : command2 ? "[redacted]" : null };
   if (options.json) {
     console.log(JSON.stringify(payload, null, 2));
     return;
@@ -12310,7 +13132,7 @@ program2.command("route").description("Resolve the best route for a machine").re
     process.exitCode = 1;
     return;
   }
-  console.log(command ?? `${resolved.route}:${resolved.target}`);
+  console.log(options.privateMetadata ? command2 ?? `${resolved.route}:${resolved.target}` : `${publicResolved.route}:${publicResolved.target ?? "unresolved"}`);
 });
 program2.command("ssh").description("Choose the best SSH route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
   if (options.json) {
@@ -12338,7 +13160,7 @@ program2.command("screen").description("Open Screen Sharing (VNC) to a machine u
     for (const r of results) {
       if (r.ok && r.url) {
         if (!options.print)
-          execFileSync("open", [r.url], { stdio: "ignore" });
+          execFileSync2("open", [r.url], { stdio: "ignore" });
         console.log(`${r.ok ? "\u2713" : "\u2717"} ${r.machine.padEnd(14)} ${r.url ?? r.error}`);
       } else {
         console.log(`\u2717 ${r.machine.padEnd(14)} ${r.error}`);
@@ -12361,7 +13183,7 @@ program2.command("screen").description("Open Screen Sharing (VNC) to a machine u
     console.log(resolved.url);
     return;
   }
-  execFileSync("open", [resolved.url], { stdio: "ignore" });
+  execFileSync2("open", [resolved.url], { stdio: "ignore" });
   console.log(`Opening Screen Sharing \u2192 ${resolved.url} (route: ${resolved.route})`);
 });
 program2.command("screen-credentials").description("Inspect screen-sharing user and password secret references without printing secrets").option("--machine <id>", "Machine identifier").option("--all", "Inspect every discovered machine", false).option("--check-secret", "Check whether the password secret exists in the local secrets vault", false).option("--secrets-command <command>", "Secrets CLI command to inspect", "secrets").option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {