@hasna/machines 0.0.44 → 0.0.46

package/dist/index.js

@@ -422,11 +422,11 @@ var require_codegen = __commonJS((exports) => {
       const rhs = this.rhs === undefined ? "" : ` = ${this.rhs}`;
       return `${varKind} ${this.name}${rhs};` + _n;
     }
-    optimizeNames(names, constants) {
+    optimizeNames(names, constants2) {
       if (!names[this.name.str])
         return;
       if (this.rhs)
-        this.rhs = optimizeExpr(this.rhs, names, constants);
+        this.rhs = optimizeExpr(this.rhs, names, constants2);
       return this;
     }
     get names() {
@@ -444,10 +444,10 @@ var require_codegen = __commonJS((exports) => {
     render({ _n }) {
       return `${this.lhs} = ${this.rhs};` + _n;
     }
-    optimizeNames(names, constants) {
+    optimizeNames(names, constants2) {
       if (this.lhs instanceof code_1.Name && !names[this.lhs.str] && !this.sideEffects)
         return;
-      this.rhs = optimizeExpr(this.rhs, names, constants);
+      this.rhs = optimizeExpr(this.rhs, names, constants2);
       return this;
     }
     get names() {
@@ -513,8 +513,8 @@ var require_codegen = __commonJS((exports) => {
     optimizeNodes() {
       return `${this.code}` ? this : undefined;
     }
-    optimizeNames(names, constants) {
-      this.code = optimizeExpr(this.code, names, constants);
+    optimizeNames(names, constants2) {
+      this.code = optimizeExpr(this.code, names, constants2);
       return this;
     }
     get names() {
@@ -544,12 +544,12 @@ var require_codegen = __commonJS((exports) => {
       }
       return nodes.length > 0 ? this : undefined;
     }
-    optimizeNames(names, constants) {
+    optimizeNames(names, constants2) {
       const { nodes } = this;
       let i = nodes.length;
       while (i--) {
         const n = nodes[i];
-        if (n.optimizeNames(names, constants))
+        if (n.optimizeNames(names, constants2))
           continue;
         subtractNames(names, n.names);
         nodes.splice(i, 1);
@@ -606,12 +606,12 @@ var require_codegen = __commonJS((exports) => {
         return;
       return this;
     }
-    optimizeNames(names, constants) {
+    optimizeNames(names, constants2) {
       var _a;
-      this.else = (_a = this.else) === null || _a === undefined ? undefined : _a.optimizeNames(names, constants);
-      if (!(super.optimizeNames(names, constants) || this.else))
+      this.else = (_a = this.else) === null || _a === undefined ? undefined : _a.optimizeNames(names, constants2);
+      if (!(super.optimizeNames(names, constants2) || this.else))
         return;
-      this.condition = optimizeExpr(this.condition, names, constants);
+      this.condition = optimizeExpr(this.condition, names, constants2);
       return this;
     }
     get names() {
@@ -636,10 +636,10 @@ var require_codegen = __commonJS((exports) => {
     render(opts) {
       return `for(${this.iteration})` + super.render(opts);
     }
-    optimizeNames(names, constants) {
-      if (!super.optimizeNames(names, constants))
+    optimizeNames(names, constants2) {
+      if (!super.optimizeNames(names, constants2))
         return;
-      this.iteration = optimizeExpr(this.iteration, names, constants);
+      this.iteration = optimizeExpr(this.iteration, names, constants2);
       return this;
     }
     get names() {
@@ -677,10 +677,10 @@ var require_codegen = __commonJS((exports) => {
     render(opts) {
       return `for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})` + super.render(opts);
     }
-    optimizeNames(names, constants) {
-      if (!super.optimizeNames(names, constants))
+    optimizeNames(names, constants2) {
+      if (!super.optimizeNames(names, constants2))
         return;
-      this.iterable = optimizeExpr(this.iterable, names, constants);
+      this.iterable = optimizeExpr(this.iterable, names, constants2);
       return this;
     }
     get names() {
@@ -725,11 +725,11 @@ var require_codegen = __commonJS((exports) => {
       (_b = this.finally) === null || _b === undefined || _b.optimizeNodes();
       return this;
     }
-    optimizeNames(names, constants) {
+    optimizeNames(names, constants2) {
       var _a, _b;
-      super.optimizeNames(names, constants);
-      (_a = this.catch) === null || _a === undefined || _a.optimizeNames(names, constants);
-      (_b = this.finally) === null || _b === undefined || _b.optimizeNames(names, constants);
+      super.optimizeNames(names, constants2);
+      (_a = this.catch) === null || _a === undefined || _a.optimizeNames(names, constants2);
+      (_b = this.finally) === null || _b === undefined || _b.optimizeNames(names, constants2);
       return this;
     }
     get names() {
@@ -1003,7 +1003,7 @@ var require_codegen = __commonJS((exports) => {
   function addExprNames(names, from) {
     return from instanceof code_1._CodeOrName ? addNames(names, from.names) : names;
   }
-  function optimizeExpr(expr, names, constants) {
+  function optimizeExpr(expr, names, constants2) {
     if (expr instanceof code_1.Name)
       return replaceName(expr);
     if (!canOptimize(expr))
@@ -1018,14 +1018,14 @@ var require_codegen = __commonJS((exports) => {
       return items;
     }, []));
     function replaceName(n) {
-      const c = constants[n.str];
+      const c = constants2[n.str];
       if (c === undefined || names[n.str] !== 1)
         return n;
       delete names[n.str];
       return c;
     }
     function canOptimize(e) {
-      return e instanceof code_1._Code && e._items.some((c) => c instanceof code_1.Name && names[c.str] === 1 && constants[c.str] !== undefined);
+      return e instanceof code_1._Code && e._items.some((c) => c instanceof code_1.Name && names[c.str] === 1 && constants2[c.str] !== undefined);
     }
   }
   function subtractNames(names, from) {
@@ -2930,7 +2930,7 @@ var require_compile = __commonJS((exports) => {
     const schOrFunc = root.refs[ref];
     if (schOrFunc)
       return schOrFunc;
-    let _sch = resolve2.call(this, root, ref);
+    let _sch = resolve4.call(this, root, ref);
     if (_sch === undefined) {
       const schema = (_a = root.localRefs) === null || _a === undefined ? undefined : _a[ref];
       const { schemaId } = this.opts;
@@ -2957,7 +2957,7 @@ var require_compile = __commonJS((exports) => {
   function sameSchemaEnv(s1, s2) {
     return s1.schema === s2.schema && s1.root === s2.root && s1.baseId === s2.baseId;
   }
-  function resolve2(root, ref) {
+  function resolve4(root, ref) {
     let sch;
     while (typeof (sch = this.refs[ref]) == "string")
       ref = sch;
@@ -3487,7 +3487,7 @@ var require_fast_uri = __commonJS((exports, module) => {
     }
     return uri;
   }
-  function resolve2(baseURI, relativeURI, options) {
+  function resolve4(baseURI, relativeURI, options) {
     const schemelessOptions = options ? Object.assign({ scheme: "null" }, options) : { scheme: "null" };
     const resolved = resolveComponent(parse6(baseURI, schemelessOptions), parse6(relativeURI, schemelessOptions), schemelessOptions, true);
     schemelessOptions.skipEscape = true;
@@ -3715,7 +3715,7 @@ var require_fast_uri = __commonJS((exports, module) => {
   var fastUri = {
     SCHEMES,
     normalize,
-    resolve: resolve2,
+    resolve: resolve4,
     resolveComponent,
     equal,
     serialize,
@@ -6563,6 +6563,7 @@ class SqliteAdapter {
   raw;
   constructor(path) {
     this.raw = new Database(path);
+    this.raw.exec("PRAGMA busy_timeout = 5000");
   }
   close() {
     this.raw.close();
@@ -6628,6 +6629,23 @@ function createTables(db) {
       updated_at TEXT NOT NULL
     )
   `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS mutation_approval_nonces (
+      nonce_sha256 TEXT PRIMARY KEY,
+      token_sha256 TEXT NOT NULL,
+      surface TEXT NOT NULL,
+      operation TEXT NOT NULL,
+      caller_id TEXT NOT NULL,
+      run_id TEXT NOT NULL,
+      transport TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      used_at INTEGER NOT NULL
+    )
+  `);
+  db.exec(`
+    CREATE INDEX IF NOT EXISTS mutation_approval_nonces_expires_at_idx
+    ON mutation_approval_nonces (expires_at)
+  `);
 }
 function migrateAgentHeartbeats(db) {
   const columns = db.query("PRAGMA table_info(agent_heartbeats)").all();
@@ -12599,12 +12617,24 @@ function getLocalMachineTopology(options = {}) {
 }
 // src/remote.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { hostname as hostname4 } from "os";
+import { existsSync as existsSync5, mkdtempSync, readFileSync as readFileSync3, rmSync } from "fs";
+import { hostname as hostname4, tmpdir } from "os";
+import { join as join3 } from "path";
 
 // src/commands/ssh.ts
 function shellQuote2(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function validateSshTarget(target) {
+  const trimmed = target.trim();
+  if (!trimmed || trimmed.startsWith("-") || /[\s"'`$\\;&|<>()[\]{}]/.test(trimmed)) {
+    throw new Error(`Unsafe SSH target: ${target}`);
+  }
+  if (!/^(?:[A-Za-z0-9._%+-]+@)?[A-Za-z0-9._:-]+$/.test(trimmed)) {
+    throw new Error(`Unsafe SSH target: ${target}`);
+  }
+  return trimmed;
+}
 function resolveSshTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -12615,15 +12645,28 @@ function resolveSshTarget(machineId, options = {}) {
   }
   return {
     machineId: resolved.machine_id ?? machineId,
-    target: resolved.command_target ?? resolved.target,
+    target: validateSshTarget(resolved.command_target ?? resolved.target),
     route: resolved.route,
     confidence: resolved.confidence,
     warnings: resolved.warnings
   };
 }
 function buildSshCommand(machineId, remoteCommand, options = {}) {
+  return buildSshCommandPlan(machineId, remoteCommand, options).shellCommand;
+}
+function buildSshCommandArgs(machineId, remoteCommand, options = {}) {
+  return buildSshCommandPlan(machineId, remoteCommand, options).args;
+}
+function buildSshCommandPlan(machineId, remoteCommand, options = {}) {
   const resolved = resolveSshTarget(machineId, options);
-  return remoteCommand ? `ssh ${resolved.target} ${shellQuote2(remoteCommand)}` : `ssh ${resolved.target}`;
+  const args = remoteCommand ? [resolved.target, remoteCommand] : [resolved.target];
+  const shellCommand2 = `ssh ${args.map(shellQuote2).join(" ")}`;
+  return {
+    ...resolved,
+    command: "ssh",
+    args,
+    shellCommand: shellCommand2
+  };
 }
 
 // src/remote.ts
@@ -12635,35 +12678,233 @@ function machineIsLocal(machineId, localMachineId) {
 }
 function resolveMachineCommand(machineId, command, localMachineId = getLocalMachineId()) {
   if (machineIsLocal(machineId, localMachineId)) {
-    return { source: "local", shellCommand: command };
+    return { source: "local", command: "bash", args: ["-c", command], shellCommand: command, usesShell: true };
   }
   try {
+    const plan = buildSshCommandPlan(machineId, command);
     return {
-      source: resolveSshTarget(machineId).route,
-      shellCommand: buildSshCommand(machineId, command)
+      source: plan.route,
+      command: plan.command,
+      args: plan.args,
+      shellCommand: plan.shellCommand,
+      usesShell: false
     };
   } catch (error) {
     const message = String(error.message ?? error);
     if (message.includes("Machine route not found") || message.includes("Machine not found in manifest")) {
-      return { source: "ssh", shellCommand: `ssh ${shellQuote3(machineId)} ${shellQuote3(command)}` };
+      const target = validateSshTarget(machineId);
+      return {
+        source: "ssh",
+        command: "ssh",
+        args: [target, command],
+        shellCommand: `ssh ${shellQuote3(target)} ${shellQuote3(command)}`,
+        usesShell: false
+      };
     }
     throw error;
   }
 }
-function runMachineCommand(machineId, command) {
+function runMachineCommand(machineId, command, options = {}) {
   const resolved = resolveMachineCommand(machineId, command);
-  const result = spawnSync2("bash", ["-c", resolved.shellCommand], {
+  if (options.timeoutMs && options.timeoutMs > 0 && process.platform !== "win32") {
+    return runMachineCommandWithProcessGroupTimeout(machineId, resolved, options);
+  }
+  const result = spawnSync2(resolved.command, resolved.args, {
     encoding: "utf8",
-    env: process.env
+    env: process.env,
+    timeout: options.timeoutMs,
+    killSignal: "SIGTERM"
   });
+  const timedOut = Boolean(result.error && "code" in result.error && result.error.code === "ETIMEDOUT");
+  const timeoutMessage = timedOut ? `Command timed out after ${options.timeoutMs}ms.` : "";
+  const stderr = [result.stderr || "", timeoutMessage].filter(Boolean).join(result.stderr ? `
+` : "");
   return {
     machineId,
     source: resolved.source,
     stdout: result.stdout || "",
-    stderr: result.stderr || "",
-    exitCode: result.status ?? 1
-  };
+    stderr,
+    exitCode: timedOut ? 124 : result.status ?? 1,
+    timedOut,
+    signal: result.signal
+  };
+}
+function runMachineCommandWithProcessGroupTimeout(machineId, resolved, options) {
+  const timeoutMs = Math.max(1, options.timeoutMs ?? 1);
+  const killGraceMs = Math.max(1, options.killGraceMs ?? 1000);
+  const helperDir = mkdtempSync(join3(tmpdir(), "machines-timeout-helper-"));
+  const pgidFile = join3(helperDir, "pgid");
+  const helper = spawnSync2(process.execPath, ["--eval", PROCESS_GROUP_TIMEOUT_HELPER], {
+    input: JSON.stringify({ command: resolved.command, args: resolved.args }),
+    encoding: "utf8",
+    env: {
+      ...process.env,
+      HASNA_MACHINES_COMMAND_TIMEOUT_MS: String(timeoutMs),
+      HASNA_MACHINES_COMMAND_KILL_GRACE_MS: String(killGraceMs),
+      HASNA_MACHINES_COMMAND_PGID_FILE: pgidFile
+    },
+    timeout: timeoutMs + killGraceMs + 2000,
+    killSignal: "SIGKILL",
+    maxBuffer: 64 * 1024 * 1024
+  });
+  try {
+    const parsed = parseHelperResult(helper.stdout);
+    if (parsed) {
+      return {
+        machineId,
+        source: resolved.source,
+        stdout: parsed.stdout,
+        stderr: parsed.stderr,
+        exitCode: parsed.exitCode,
+        timedOut: parsed.timedOut,
+        signal: parsed.signal
+      };
+    }
+    const helperTimedOut = Boolean(helper.error && "code" in helper.error && helper.error.code === "ETIMEDOUT");
+    if (helperTimedOut)
+      killPublishedProcessGroup(pgidFile);
+    const timeoutMessage = helperTimedOut ? `Command timed out after ${timeoutMs}ms; timeout helper exceeded cleanup grace ${killGraceMs}ms.` : "";
+    const stderr = [helper.stderr || "", timeoutMessage].filter(Boolean).join(helper.stderr ? `
+` : "");
+    return {
+      machineId,
+      source: resolved.source,
+      stdout: "",
+      stderr,
+      exitCode: helperTimedOut ? 124 : helper.status ?? 1,
+      timedOut: helperTimedOut,
+      signal: helper.signal
+    };
+  } finally {
+    rmSync(helperDir, { recursive: true, force: true });
+  }
+}
+function killPublishedProcessGroup(pgidFile) {
+  if (!existsSync5(pgidFile))
+    return;
+  try {
+    const pid = Number.parseInt(readFileSync3(pgidFile, "utf8").trim(), 10);
+    if (!Number.isInteger(pid) || pid <= 1)
+      return;
+    process.kill(-pid, "SIGKILL");
+  } catch {}
+}
+function parseHelperResult(stdout) {
+  if (!stdout)
+    return null;
+  try {
+    const parsed = JSON.parse(stdout);
+    if (typeof parsed.stdout !== "string" || typeof parsed.stderr !== "string" || typeof parsed.exitCode !== "number")
+      return null;
+    return {
+      machineId: "",
+      source: "local",
+      stdout: parsed.stdout,
+      stderr: parsed.stderr,
+      exitCode: parsed.exitCode,
+      timedOut: parsed.timedOut === true,
+      signal: typeof parsed.signal === "string" ? parsed.signal : null
+    };
+  } catch {
+    return null;
+  }
 }
+var PROCESS_GROUP_TIMEOUT_HELPER = `
+	const { spawn } = require("node:child_process");
+	const { readFileSync, writeFileSync } = require("node:fs");
+
+	const plan = JSON.parse(readFileSync(0, "utf8"));
+	const command = String(plan.command || "");
+	const args = Array.isArray(plan.args) ? plan.args.map(String) : [];
+	const timeoutMs = Math.max(1, Number.parseInt(process.env.HASNA_MACHINES_COMMAND_TIMEOUT_MS || "1", 10));
+	const killGraceMs = Math.max(1, Number.parseInt(process.env.HASNA_MACHINES_COMMAND_KILL_GRACE_MS || "1000", 10));
+	const pgidFile = process.env.HASNA_MACHINES_COMMAND_PGID_FILE || "";
+	let stdout = "";
+	let stderr = "";
+	let timedOut = false;
+	let finished = false;
+let timeoutTimer;
+let killTimer;
+let sigkillSent = false;
+let pendingExit = null;
+
+const child = spawn(command, args, {
+  detached: true,
+  stdio: ["ignore", "pipe", "pipe"],
+	  env: process.env,
+	});
+
+	if (pgidFile && child.pid) {
+	  try {
+	    writeFileSync(pgidFile, String(child.pid), { mode: 0o600 });
+	  } catch {}
+	}
+
+function appendText(target, chunk) {
+  return target + String(chunk);
+}
+
+	function killTarget(signal) {
+	  if (!child.pid) return;
+	  if (process.platform === "win32") {
+	    try {
+	      process.kill(child.pid, signal);
+	    } catch {}
+	    return;
+	  }
+	  try {
+	    process.kill(-child.pid, signal);
+	  } catch {}
+	}
+
+	function finish(code, signal) {
+	  if (finished) return;
+  if (timedOut && !sigkillSent) {
+    pendingExit = { code, signal };
+    return;
+  }
+  finished = true;
+  if (timeoutTimer) clearTimeout(timeoutTimer);
+  if (killTimer) clearTimeout(killTimer);
+	  if (timedOut) {
+	    stderr = [stderr, "Command timed out after " + timeoutMs + "ms."].filter(Boolean).join(stderr ? "\\n" : "");
+	  }
+	  const exitCode = timedOut ? 124 : code ?? 1;
+	  process.stdout.write(JSON.stringify({
+	    stdout,
+	    stderr,
+	    exitCode,
+	    timedOut,
+	    signal: signal ?? null,
+	  }), () => process.exit(exitCode));
+	}
+
+	child.stdout.setEncoding("utf8");
+	child.stderr.setEncoding("utf8");
+	child.stdout.on("data", (chunk) => { stdout = appendText(stdout, chunk); });
+	child.stderr.on("data", (chunk) => { stderr = appendText(stderr, chunk); });
+	let childExit = { code: null, signal: null };
+	child.on("error", (error) => {
+	    stderr = [stderr, error instanceof Error ? error.message : String(error)].filter(Boolean).join(stderr ? "\\n" : "");
+	    finish(1, null);
+	});
+	child.on("exit", (code, signal) => {
+	  childExit = { code, signal };
+	});
+	child.on("close", (code, signal) => {
+	  finish(code ?? childExit.code, signal ?? childExit.signal);
+	});
+
+timeoutTimer = setTimeout(() => {
+  timedOut = true;
+  killTarget("SIGTERM");
+  killTimer = setTimeout(() => {
+    sigkillSent = true;
+    killTarget("SIGKILL");
+    if (pendingExit) finish(pendingExit.code, pendingExit.signal);
+  }, killGraceMs);
+}, timeoutMs);
+`;
 function describeMachineCommandFailure(operation, result) {
   const detail = (result.stderr || result.stdout || "").trim();
   const suffix = detail ? `: ${detail}` : "";
@@ -13361,7 +13602,7 @@ function getAgentStatus(machineId, options = {}) {
 }
 // src/commands/backup.ts
 import { homedir as homedir2, hostname as hostname6 } from "os";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 var MACHINES_BACKUP_BUCKET_ENV = "HASNA_MACHINES_S3_BUCKET";
 var MACHINES_BACKUP_BUCKET_FALLBACK_ENV = "MACHINES_S3_BUCKET";
 var MACHINES_BACKUP_PREFIX_ENV = "HASNA_MACHINES_S3_PREFIX";
@@ -13411,14 +13652,14 @@ function resolveBackupTarget(options = {}) {
 function defaultBackupSources() {
   const home = homedir2();
   return [
-    join3(home, ".hasna"),
-    join3(home, ".ssh"),
-    join3(home, ".secrets")
+    join4(home, ".hasna"),
+    join4(home, ".ssh"),
+    join4(home, ".secrets")
   ];
 }
 function buildBackupPlan(bucket, prefix) {
   const target = resolveBackupTarget({ bucket, prefix });
-  const archivePath = join3(homedir2(), ".hasna", "machines", "backup.tgz");
+  const archivePath = join4(homedir2(), ".hasna", "machines", "backup.tgz");
   const sources = defaultBackupSources();
   const steps = [
     {
@@ -13467,6 +13708,301 @@ function runBackup(bucket, prefix, options = {}) {
     executed
   };
 }
+// src/commands/mutation-approval.ts
+import { createHash, createHmac, randomUUID, timingSafeEqual } from "crypto";
+import { resolve as resolve2 } from "path";
+var MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_ALLOW_MUTATIONS";
+var LEGACY_MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_MUTATION_APPROVAL";
+var MUTATION_APPROVAL_TOKEN_ENV = "HASNA_MACHINES_MUTATION_TOKEN";
+var MUTATION_APPROVAL_CALLER_ENV = "HASNA_MACHINES_MUTATION_CALLER_ID";
+var MUTATION_APPROVAL_RUN_ENV = "HASNA_MACHINES_MUTATION_RUN_ID";
+var MUTATION_APPROVAL_REPLAY_PATH_ENV = "HASNA_MACHINES_MUTATION_REPLAY_PATH";
+var TOKEN_PREFIX = "machines-mut-v1";
+var DEFAULT_TOKEN_TTL_MS = 5 * 60 * 1000;
+var MAX_TOKEN_TTL_MS = 5 * 60 * 1000;
+var MAX_CLOCK_SKEW_MS = 30000;
+function isTruthy(value) {
+  return value === "1" || value?.toLowerCase() === "true" || value?.toLowerCase() === "yes";
+}
+function nowMs(now) {
+  if (typeof now === "number")
+    return now;
+  if (now instanceof Date)
+    return now.getTime();
+  return Date.now();
+}
+function signingSecret(env, explicitSecret) {
+  return explicitSecret?.trim() || env[MUTATION_APPROVAL_TOKEN_ENV]?.trim();
+}
+function base64Url(value) {
+  return Buffer.from(value).toString("base64url");
+}
+function hmac(payload, secret) {
+  return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+function sha256Hex(payload) {
+  return createHash("sha256").update(payload).digest("hex");
+}
+function replayDbPath(env) {
+  const configured = env[MUTATION_APPROVAL_REPLAY_PATH_ENV]?.trim();
+  return configured ? resolve2(configured) : undefined;
+}
+function replayNonceKey(claims) {
+  return sha256Hex(JSON.stringify({ nonce: claims.nonce }));
+}
+function recordReplayNonce(env, claims, tokenPayload, now) {
+  const dbPath = replayDbPath(env);
+  if (!dbPath)
+    return;
+  if (!claims.nonce) {
+    return { approved: false, reason: "approval_token nonce claim is required for replay protection." };
+  }
+  try {
+    const db = getDb(dbPath);
+    db.query("DELETE FROM mutation_approval_nonces WHERE expires_at <= ?").run(now);
+    const result = db.query(`
+      INSERT OR IGNORE INTO mutation_approval_nonces (
+        nonce_sha256,
+        token_sha256,
+        surface,
+        operation,
+        caller_id,
+        run_id,
+        transport,
+        expires_at,
+        used_at
+      )
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(replayNonceKey(claims), sha256Hex(tokenPayload), claims.surface, claims.operation, claims.callerId ?? "", claims.runId ?? "", claims.transport ?? "", claims.expiresAt, now);
+    if (result.changes !== 1) {
+      return { approved: false, reason: "approval_token nonce has already been used." };
+    }
+    return;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { approved: false, reason: `approval_token replay store is unavailable: ${message}` };
+  }
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function normalizeScope(scope) {
+  return {
+    surface: scope.surface,
+    operation: scope.operation,
+    machineId: scope.machineId || undefined,
+    resourceId: scope.resourceId || undefined,
+    callerId: scope.callerId || undefined,
+    runId: scope.runId || undefined,
+    transport: scope.transport || undefined,
+    argsSha256: scope.argsSha256 || (scope.args === undefined ? undefined : mutationArgsSha256(scope.args))
+  };
+}
+function canonicalizeMutationArg(value, inArray = false) {
+  if (value === undefined)
+    return inArray ? null : undefined;
+  if (value === null || typeof value === "boolean" || typeof value === "string")
+    return value;
+  if (typeof value === "number")
+    return Number.isFinite(value) ? value : null;
+  if (Array.isArray(value)) {
+    return value.map((entry) => canonicalizeMutationArg(entry, true) ?? null);
+  }
+  if (value instanceof Date)
+    return value.toISOString();
+  if (typeof value === "object") {
+    const result = {};
+    for (const key of Object.keys(value).sort()) {
+      if (key === "approval_token" || key === "approvalToken")
+        continue;
+      const canonicalValue = canonicalizeMutationArg(value[key]);
+      if (canonicalValue !== undefined)
+        result[key] = canonicalValue;
+    }
+    return result;
+  }
+  return inArray ? null : undefined;
+}
+function canonicalMutationArgs(value) {
+  return JSON.stringify(canonicalizeMutationArg(value) ?? {});
+}
+function mutationArgsSha256(value) {
+  return sha256Hex(canonicalMutationArgs(value));
+}
+function stripPlanRuntimeFields(value) {
+  if (Array.isArray(value))
+    return value.map(stripPlanRuntimeFields);
+  if (value instanceof Date)
+    return value;
+  if (value && typeof value === "object") {
+    const result = {};
+    for (const [key, entry] of Object.entries(value)) {
+      if (key === "planDigest" || key === "plan_digest" || key === "mode" || key === "executed")
+        continue;
+      result[key] = stripPlanRuntimeFields(entry);
+    }
+    return result;
+  }
+  return value;
+}
+function mutationPlanDigest(plan) {
+  return mutationArgsSha256(stripPlanRuntimeFields(plan));
+}
+function attachMutationPlanDigest(plan) {
+  return {
+    ...plan,
+    planDigest: mutationPlanDigest(plan)
+  };
+}
+function assertMutationPlanDigest(plan, expectedPlanDigest) {
+  if (expectedPlanDigest && mutationPlanDigest(plan) !== expectedPlanDigest) {
+    throw new Error("Approved plan digest does not match the current execution plan.");
+  }
+}
+function createMutationApprovalToken(scope, options = {}) {
+  const env = options.env ?? process.env;
+  const secret = signingSecret(env, options.secret);
+  if (!secret)
+    throw new Error(`${MUTATION_APPROVAL_TOKEN_ENV} is required to sign mutation approval tokens.`);
+  const issuedAt = nowMs(options.now);
+  const claims = {
+    version: 1,
+    ...normalizeScope(scope),
+    callerId: scope.callerId,
+    runId: scope.runId,
+    transport: scope.transport,
+    issuedAt,
+    expiresAt: issuedAt + Math.max(1, options.ttlMs ?? DEFAULT_TOKEN_TTL_MS),
+    nonce: options.nonce ?? randomUUID()
+  };
+  claims.args_sha256 = claims.argsSha256;
+  delete claims.args;
+  delete claims.argsSha256;
+  const payload = base64Url(JSON.stringify(claims));
+  return `${TOKEN_PREFIX}.${payload}.${hmac(payload, secret)}`;
+}
+function parseToken(token) {
+  if (!token)
+    return null;
+  const parts = token.split(".");
+  if (parts.length !== 3 || parts[0] !== TOKEN_PREFIX)
+    return null;
+  try {
+    const claims = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
+    return { payload: parts[1] ?? "", signature: parts[2] ?? "", claims };
+  } catch {
+    return null;
+  }
+}
+function claimMatches(expected, actual) {
+  if (expected === undefined)
+    return actual === undefined;
+  return actual === expected;
+}
+function verifyMutationApprovalToken(options) {
+  const env = options.env ?? process.env;
+  const secret = signingSecret(env);
+  if (!secret)
+    return { approved: false, reason: `${MUTATION_APPROVAL_TOKEN_ENV} is not configured.` };
+  const parsed = parseToken(options.approvalToken);
+  if (!parsed)
+    return { approved: false, reason: "approval_token is not a scoped mutation token." };
+  if (!safeEqual(hmac(parsed.payload, secret), parsed.signature)) {
+    return { approved: false, reason: "approval_token signature is invalid." };
+  }
+  const claims = parsed.claims;
+  if (claims.version !== 1)
+    return { approved: false, reason: "approval_token version is unsupported." };
+  if (!claims.callerId || !claims.runId) {
+    return { approved: false, reason: "approval_token must include caller and run claims." };
+  }
+  if (!claims.transport) {
+    return { approved: false, reason: "approval_token must include a transport claim." };
+  }
+  if (!Number.isFinite(claims.expiresAt) || claims.expiresAt <= nowMs(options.now)) {
+    return { approved: false, reason: "approval_token is expired." };
+  }
+  const now = nowMs(options.now);
+  if (!Number.isFinite(claims.issuedAt) || claims.issuedAt > now + MAX_CLOCK_SKEW_MS) {
+    return { approved: false, reason: "approval_token issue time is invalid." };
+  }
+  if (claims.expiresAt - claims.issuedAt > MAX_TOKEN_TTL_MS) {
+    return { approved: false, reason: "approval_token TTL is too long." };
+  }
+  for (const key of ["surface", "operation", "machineId", "resourceId", "transport"]) {
+    if (!claimMatches(options[key], claims[key])) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  for (const key of ["callerId", "runId"]) {
+    if (options[key] !== undefined && options[key] !== claims[key]) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  const expectedArgsSha256 = options.argsSha256 || (options.args === undefined ? undefined : mutationArgsSha256(options.args));
+  if (expectedArgsSha256 !== undefined && claims.args_sha256 !== expectedArgsSha256) {
+    return { approved: false, reason: "approval_token args_sha256 claim does not match this mutation." };
+  }
+  const replayDecision = recordReplayNonce(env, claims, parsed.payload, now);
+  if (replayDecision)
+    return replayDecision;
+  return { approved: true, claims };
+}
+function isMutationApproved(options = {}) {
+  const env = options.env ?? process.env;
+  const surface = options.surface ?? "cli";
+  if (surface === "mcp") {
+    if (!options.operation)
+      return false;
+    return verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? "mcp",
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env,
+      now: options.now
+    }).approved;
+  }
+  if (options.approvalToken) {
+    const decision = options.operation ? verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? surface,
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env,
+      now: options.now
+    }) : { approved: false };
+    if (decision.approved)
+      return true;
+    if (env[MUTATION_APPROVAL_TOKEN_ENV]?.trim())
+      return false;
+  }
+  return isTruthy(env[MUTATION_APPROVAL_FLAG_ENV]) || isTruthy(env[LEGACY_MUTATION_APPROVAL_FLAG_ENV]);
+}
+function assertMutationApproved(options) {
+  if (isMutationApproved(options)) {
+    return;
+  }
+  const env = options.env ?? process.env;
+  const tokenConfigured = Boolean(env[MUTATION_APPROVAL_TOKEN_ENV]?.trim());
+  const approvalHint = options.surface === "mcp" ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV}` : tokenConfigured ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV} or set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session` : `set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session or configure ${MUTATION_APPROVAL_TOKEN_ENV}`;
+  throw new Error(`Fleet mutation blocked: ${options.surface}.${options.operation} requires operator approval; ${approvalHint}.`);
+}
+
 // src/commands/apps.ts
 function getPackageName(app) {
   return app.packageName || app.name;
@@ -13559,12 +14095,12 @@ function listApps(machineId) {
 }
 function buildAppsPlan(machineId) {
   const machine = resolveMachine(machineId);
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildAppSteps(machine),
     executed: 0
-  };
+  });
 }
 function getAppsStatus(machineId, runner = runMachineCommand) {
   const machine = resolveMachine(machineId);
@@ -13589,8 +14125,12 @@ function diffApps(machineId, runner = runMachineCommand) {
 }
 function runAppsInstall(machineId, options = {}, runner = runMachineCommand) {
   const plan = buildAppsPlan(machineId);
+  return runAppsPlan(plan, options, runner);
+}
+function runAppsPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("App installation requires --yes.");
   }
@@ -13599,29 +14139,29 @@ function runAppsInstall(machineId, options = {}, runner = runMachineCommand) {
     requireMachineCommandSuccess(`App install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 // src/commands/cert.ts
 import { homedir as homedir3, platform as platform4 } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 function quote2(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
 function certDir() {
-  return join4(homedir3(), ".hasna", "machines", "certs");
+  return join5(homedir3(), ".hasna", "machines", "certs");
 }
 function buildCertPlan(domains) {
   if (domains.length === 0) {
     throw new Error("At least one domain is required.");
   }
   const primary = domains[0];
-  const certPath = join4(certDir(), `${primary}.pem`);
-  const keyPath = join4(certDir(), `${primary}-key.pem`);
+  const certPath = join5(certDir(), `${primary}.pem`);
+  const keyPath = join5(certDir(), `${primary}-key.pem`);
   const steps = [];
   if (platform4() === "darwin") {
     steps.push({
@@ -13684,16 +14224,16 @@ function runCertPlan(domains, options = {}) {
   };
 }
 // src/commands/dns.ts
-import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join5 } from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { join as join6 } from "path";
 function getDnsPath() {
-  return join5(getDataDir(), "dns.json");
+  return join6(getDataDir(), "dns.json");
 }
 function readMappings() {
   const path = getDnsPath();
-  if (!existsSync5(path))
+  if (!existsSync6(path))
     return [];
-  return JSON.parse(readFileSync3(path, "utf8"));
+  return JSON.parse(readFileSync4(path, "utf8"));
 }
 function writeMappings(mappings) {
   const path = getDnsPath();
@@ -13720,16 +14260,16 @@ function renderDomainMapping(domain) {
     hostsEntry: `${entry.targetHost} ${entry.domain}`,
     caddySnippet: `${entry.domain} {
   reverse_proxy 127.0.0.1:${entry.port}
-  tls ${join5(getDataDir(), "certs", `${entry.domain}.pem`)} ${join5(getDataDir(), "certs", `${entry.domain}-key.pem`)}
+  tls ${join6(getDataDir(), "certs", `${entry.domain}.pem`)} ${join6(getDataDir(), "certs", `${entry.domain}-key.pem`)}
 }`,
-    certPath: join5(getDataDir(), "certs", `${entry.domain}.pem`),
-    keyPath: join5(getDataDir(), "certs", `${entry.domain}-key.pem`)
+    certPath: join6(getDataDir(), "certs", `${entry.domain}.pem`),
+    keyPath: join6(getDataDir(), "certs", `${entry.domain}-key.pem`)
   };
 }
 // src/commands/daemon.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { chmodSync, existsSync as existsSync6, readFileSync as readFileSync4, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
-import { dirname as dirname4 } from "path";
+import { chmodSync, existsSync as existsSync7, readFileSync as readFileSync5, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
+import { delimiter, dirname as dirname4 } from "path";
 import { platform as osPlatform } from "os";
 var DEFAULT_SERVICE_NAME = "machines-agent";
 var DEFAULT_EXECUTABLE = "/usr/local/bin/machines-agent";
@@ -14142,19 +14682,31 @@ WantedBy=${options.mode === "system" ? "multi-user.target" : "default.target"}
 `;
 }
 function daemonProgramArguments(options) {
-  const bunRuntime = siblingBunRuntime(options.executable);
+  const bunRuntime = bunRuntimeForExecutable(options.executable);
   const base = bunRuntime ? [bunRuntime, options.executable] : [options.executable];
   return [...base, "--interval-ms", String(options.intervalMs)];
 }
-function siblingBunRuntime(executable) {
+function bunRuntimeForExecutable(executable) {
   if (!isBunShebangScript(executable))
     return null;
-  const candidate = `${dirname4(executable)}/bun`;
-  return isExecutableFile(candidate) ? candidate : null;
+  for (const candidate of bunRuntimeCandidates(executable)) {
+    if (isExecutableFile(candidate))
+      return candidate;
+  }
+  return null;
+}
+function bunRuntimeCandidates(executable) {
+  const candidates = [
+    `${dirname4(executable)}/bun`,
+    process.env["BUN_INSTALL"] ? `${process.env["BUN_INSTALL"]}/bin/bun` : null,
+    process.env["HOME"] ? `${process.env["HOME"]}/.bun/bin/bun` : null,
+    ...(process.env["PATH"] ?? "").split(delimiter).filter(Boolean).map((entry) => `${entry}/bun`)
+  ].filter((value) => Boolean(value));
+  return [...new Set(candidates)];
 }
 function isBunShebangScript(executable) {
   try {
-    const content = readFileSync4(executable, "utf8").slice(0, 256);
+    const content = readFileSync5(executable, "utf8").slice(0, 256);
     const firstLine2 = content.split(/\r?\n/, 1)[0] ?? "";
     return /^#!.*\bbun\b/.test(firstLine2);
   } catch {
@@ -14162,7 +14714,7 @@ function isBunShebangScript(executable) {
   }
 }
 function isExecutableFile(path) {
-  if (!existsSync6(path))
+  if (!existsSync7(path))
     return false;
   try {
     const stats = statSync(path);
@@ -14340,12 +14892,12 @@ function parseProbe(tool, stdout) {
 }
 function buildClaudeInstallPlan(machineId, tools) {
   const machine = resolveMachine2(machineId);
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildInstallSteps(machine, tools),
     executed: 0
-  };
+  });
 }
 function getClaudeCliStatus(machineId, tools, runner = runMachineCommand) {
   const machine = resolveMachine2(machineId);
@@ -14370,8 +14922,12 @@ function diffClaudeCli(machineId, tools, runner = runMachineCommand) {
 }
 function runClaudeInstall(machineId, tools, options = {}, runner = runMachineCommand) {
   const plan = buildClaudeInstallPlan(machineId, tools);
+  return runClaudeInstallPlan(plan, options, runner);
+}
+function runClaudeInstallPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("Claude CLI installation requires --yes.");
   }
@@ -14380,12 +14936,12 @@ function runClaudeInstall(machineId, tools, options = {}, runner = runMachineCom
     requireMachineCommandSuccess(`AI CLI install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 // src/commands/install-tailscale.ts
 function buildInstallSteps2(machine) {
@@ -14424,17 +14980,21 @@ function buildTailscaleInstallPlan(machineId) {
   if (!machine) {
     throw new Error(`Machine not found in manifest: ${machineId}`);
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildInstallSteps2(machine),
     executed: 0
-  };
+  });
 }
 function runTailscaleInstall(machineId, options = {}, runner = runMachineCommand) {
   const plan = buildTailscaleInstallPlan(machineId);
+  return runTailscaleInstallPlan(plan, options, runner);
+}
+function runTailscaleInstallPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("Tailscale install requires --yes.");
   }
@@ -14443,19 +15003,21 @@ function runTailscaleInstall(machineId, options = {}, runner = runMachineCommand
     requireMachineCommandSuccess(`Tailscale install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 // src/commands/notifications.ts
-import { existsSync as existsSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { accessSync, constants, existsSync as existsSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
+import { delimiter as delimiter2, isAbsolute, join as join7 } from "path";
 var notificationChannelSchema = exports_external.object({
   id: exports_external.string(),
   type: exports_external.enum(["email", "webhook", "command"]),
   target: exports_external.string(),
+  commandArgs: exports_external.array(exports_external.string()).optional(),
   events: exports_external.array(exports_external.string()),
   enabled: exports_external.boolean()
 });
@@ -14464,19 +15026,31 @@ var notificationConfigSchema = exports_external.object({
   updatedAt: exports_external.string().optional(),
   channels: exports_external.array(notificationChannelSchema)
 });
+var trustedNotificationApproval = Symbol("trustedNotificationApproval");
+function createTrustedNotificationApproval() {
+  return { [trustedNotificationApproval]: true };
+}
+function isTrustedNotificationApproval(approval) {
+  return approval?.[trustedNotificationApproval] === true;
+}
 function sortChannels(channels) {
   return [...channels].sort((left, right) => left.id.localeCompare(right.id));
 }
-function shellQuote6(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
-}
 function hasCommand2(binary) {
-  const result = Bun.spawnSync(["bash", "-lc", `command -v ${binary} >/dev/null 2>&1`], {
-    stdout: "ignore",
-    stderr: "ignore",
-    env: process.env
-  });
-  return result.exitCode === 0;
+  return Boolean(resolveExecutable(binary));
+}
+function resolveExecutable(binary) {
+  const trimmed = binary.trim();
+  if (!trimmed)
+    return null;
+  const candidates = isAbsolute(trimmed) ? [trimmed] : (process.env.PATH ?? "").split(delimiter2).filter(Boolean).map((dir) => join7(dir, trimmed));
+  for (const candidate of candidates) {
+    try {
+      accessSync(candidate, constants.X_OK);
+      return candidate;
+    } catch {}
+  }
+  return null;
 }
 function buildNotificationPreview(channel, event, message) {
   if (channel.type === "email") {
@@ -14485,7 +15059,8 @@ function buildNotificationPreview(channel, event, message) {
   if (channel.type === "webhook") {
     return `POST ${channel.target} with payload {"event":"${event}","message":"${message}"}`;
   }
-  return `${channel.target} --event ${event} --message ${JSON.stringify(message)}`;
+  const args = channel.commandArgs?.length ? ` ${channel.commandArgs.join(" ")}` : "";
+  return `${channel.target}${args} with HASNA_MACHINES_NOTIFICATION_* environment`;
 }
 async function dispatchEmail(channel, event, message) {
   const subject = `[${event}] machines notification`;
@@ -14496,7 +15071,7 @@ Content-Type: text/plain; charset=utf-8
 ${message}
 `;
   if (hasCommand2("sendmail")) {
-    const result = Bun.spawnSync(["bash", "-lc", "sendmail -t"], {
+    const result = Bun.spawnSync(["sendmail", "-t"], {
       stdin: new TextEncoder().encode(body),
       stdout: "pipe",
       stderr: "pipe",
@@ -14514,8 +15089,9 @@ ${message}
     };
   }
   if (hasCommand2("mail")) {
-    const command2 = `printf %s ${shellQuote6(message)} | mail -s ${shellQuote6(subject)} ${shellQuote6(channel.target)}`;
-    const result = Bun.spawnSync(["bash", "-lc", command2], {
+    const result = Bun.spawnSync(["mail", "-s", subject, channel.target], {
+      stdin: new TextEncoder().encode(`${message}
+`),
       stdout: "pipe",
       stderr: "pipe",
       env: process.env
@@ -14558,8 +15134,20 @@ async function dispatchWebhook(channel, event, message) {
     detail: `Webhook accepted with HTTP ${response.status}`
   };
 }
-async function dispatchCommand(channel, event, message) {
-  const result = Bun.spawnSync(["bash", "-lc", channel.target], {
+async function dispatchCommand(channel, event, message, options = {}) {
+  if (!isTrustedNotificationApproval(options.trustedApproval)) {
+    assertMutationApproved({
+      surface: "notifications",
+      operation: "dispatch_command",
+      resourceId: channel.id,
+      approvalToken: options.approvalToken
+    });
+  }
+  const executable = resolveExecutable(channel.target);
+  if (!executable) {
+    throw new Error(`Command executable not found or not executable: ${channel.target}`);
+  }
+  const result = Bun.spawnSync([executable, ...channel.commandArgs ?? []], {
     stdout: "pipe",
     stderr: "pipe",
     env: {
@@ -14581,7 +15169,7 @@ async function dispatchCommand(channel, event, message) {
     detail: stdout || "Command completed successfully"
   };
 }
-async function dispatchChannel(channel, event, message) {
+async function dispatchChannel(channel, event, message, options = {}) {
   if (!channel.enabled) {
     return {
       channelId: channel.id,
@@ -14597,7 +15185,7 @@ async function dispatchChannel(channel, event, message) {
   if (channel.type === "webhook") {
     return dispatchWebhook(channel, event, message);
   }
-  return dispatchCommand(channel, event, message);
+  return dispatchCommand(channel, event, message, options);
 }
 function getDefaultNotificationConfig() {
   return {
@@ -14607,10 +15195,10 @@ function getDefaultNotificationConfig() {
   };
 }
 function readNotificationConfig(path = getNotificationsPath()) {
-  if (!existsSync7(path)) {
+  if (!existsSync8(path)) {
     return getDefaultNotificationConfig();
   }
-  return notificationConfigSchema.parse(JSON.parse(readFileSync5(path, "utf8")));
+  return notificationConfigSchema.parse(JSON.parse(readFileSync6(path, "utf8")));
 }
 function writeNotificationConfig(config, path = getNotificationsPath()) {
   ensureParentDir(path);
@@ -14626,11 +15214,20 @@ function writeNotificationConfig(config, path = getNotificationsPath()) {
 function listNotificationChannels() {
   return readNotificationConfig();
 }
-function addNotificationChannel(channel) {
+function addNotificationChannel(channel, options = {}) {
+  if (channel.type === "command" && !isTrustedNotificationApproval(options.trustedApproval)) {
+    assertMutationApproved({
+      surface: "notifications",
+      operation: "add_command_channel",
+      resourceId: channel.id,
+      approvalToken: options.approvalToken
+    });
+  }
   const config = readNotificationConfig();
   const channels = config.channels.filter((entry) => entry.id !== channel.id);
   channels.push({
     ...channel,
+    commandArgs: channel.commandArgs?.map(String),
     events: [...new Set(channel.events)]
   });
   return writeNotificationConfig({ ...config, channels });
@@ -14652,7 +15249,7 @@ async function dispatchNotificationEvent(event, message, options = {}) {
   const deliveries = [];
   for (const channel of channels) {
     try {
-      deliveries.push(await dispatchChannel(channel, event, message));
+      deliveries.push(await dispatchChannel(channel, event, message, { approvalToken: options.approvalToken, trustedApproval: options.trustedApproval }));
     } catch (error) {
       deliveries.push({
         channelId: channel.id,
@@ -14687,7 +15284,7 @@ async function testNotificationChannel(channelId, event = "manual.test", message
   if (!options.yes) {
     throw new Error("Notification test execution requires --yes.");
   }
-  const delivery = await dispatchChannel(channel, event, message);
+  const delivery = await dispatchChannel(channel, event, message, { approvalToken: options.approvalToken, trustedApproval: options.trustedApproval });
   return {
     channelId,
     mode: "apply",
@@ -14753,6 +15350,46 @@ function listPorts(machineId) {
 import { spawnSync as spawnSync4 } from "child_process";
 import { setTimeout as sleep2 } from "timers/promises";
 import { EventsClient } from "@hasna/events";
+function shellQuote6(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function buildTmuxPaneDiedHookPlan(options = {}) {
+  const tmuxCommand = options.tmuxCommand ?? process.env["HASNA_MACHINES_TMUX_BIN"] ?? "tmux";
+  const machinesCommand = options.machinesCommand ?? "machines";
+  const deliver = options.deliver === true;
+  const approvalToken = options.approvalToken?.trim();
+  const trustedLocalMutation = approvalToken ? false : options.trustedLocalMutation === true;
+  const emitArgs = [
+    "events",
+    "emit",
+    "machines.tmux.pane_died",
+    "--source",
+    "machines",
+    "--subject",
+    "tmux:#{hook_pane}",
+    "--severity",
+    "warning",
+    "--message",
+    "tmux pane died: #{hook_pane}",
+    "--data",
+    '{"target":"#{hook_pane}","session":"#{session_name}","window":"#{window_index}"}'
+  ];
+  if (!deliver)
+    emitArgs.push("--no-deliver");
+  if (approvalToken)
+    emitArgs.push("--approval-token", approvalToken);
+  const command2 = [machinesCommand, ...emitArgs].map(shellQuote6).join(" ");
+  const runShell = trustedLocalMutation ? `HASNA_MACHINES_ALLOW_MUTATIONS=1 ${command2}` : command2;
+  const args = ["set-hook", "-g", "pane-died", `run-shell ${shellQuote6(runShell)}`];
+  return {
+    tmuxCommand,
+    args,
+    shellCommand: [tmuxCommand, ...args].map(shellQuote6).join(" "),
+    eventType: "machines.tmux.pane_died",
+    deliver,
+    trustedLocalMutation
+  };
+}
 function probeTmuxPane(target, tmuxCommand = process.env["HASNA_MACHINES_TMUX_BIN"] || "tmux") {
   const checkedAt = new Date().toISOString();
   const result = spawnSync4(tmuxCommand, ["display-message", "-p", "-t", target, "#{pane_id}"], {
@@ -14838,7 +15475,8 @@ async function emitTmuxEvent(client, type, probe, lastPresent, deliver) {
   return client.emit(input, { deliver });
 }
 // src/commands/serve.ts
-import { EventsClient as EventsClient2, sanitizeChannelsForOutput } from "@hasna/events";
+import { EventsClient as EventsClient2, getEventsDataDir, sanitizeChannelsForOutput } from "@hasna/events";
+import { resolve as resolve3 } from "path";
 
 // src/commands/status.ts
 function parseJsonObject2(value) {
@@ -14893,7 +15531,7 @@ function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
 function getServeInfo(options = {}) {
-  const host = options.host || "0.0.0.0";
+  const host = options.host || "127.0.0.1";
   const port = options.port || 7676;
   return {
     host,
@@ -15096,6 +15734,59 @@ async function parseJsonBody(request) {
 function jsonError(message, status = 400) {
   return Response.json({ error: message }, { status });
 }
+function dashboardResourceId(kind, ...parts) {
+  const values = parts.map((part) => String(part ?? "*").trim()).filter(Boolean).join(":");
+  return values ? `${kind}:${values}` : kind;
+}
+function eventStoreDir() {
+  return resolve3(getEventsDataDir());
+}
+function eventStoreScope() {
+  return { event_store_dir: eventStoreDir() };
+}
+function eventStoreResourceId(kind, ...parts) {
+  return dashboardResourceId(kind, mutationArgsSha256(eventStoreScope()), ...parts);
+}
+function withEventStoreScope(args) {
+  return { event_store_dir: eventStoreDir(), ...args };
+}
+function dashboardMutationCallerId() {
+  return process.env[MUTATION_APPROVAL_CALLER_ENV]?.trim() || "dashboard";
+}
+function dashboardMutationRunId() {
+  return process.env[MUTATION_APPROVAL_RUN_ENV]?.trim() || "dashboard";
+}
+function approvalTokenFromRequest(request, body) {
+  const bodyToken = typeof body["approval_token"] === "string" ? body["approval_token"] : typeof body["approvalToken"] === "string" ? body["approvalToken"] : undefined;
+  if (bodyToken?.trim())
+    return bodyToken;
+  const headerToken = request.headers.get("x-hasna-approval-token")?.trim();
+  if (headerToken)
+    return headerToken;
+  const authorization = request.headers.get("authorization")?.trim();
+  if (authorization?.toLowerCase().startsWith("bearer ")) {
+    return authorization.slice("bearer ".length).trim();
+  }
+  return;
+}
+function requireDashboardMutation(operation, request, body, scope = {}) {
+  const decision = verifyMutationApprovalToken({
+    surface: "dashboard",
+    operation,
+    transport: "dashboard:http",
+    callerId: dashboardMutationCallerId(),
+    runId: dashboardMutationRunId(),
+    resourceId: scope.resourceId,
+    args: scope.args,
+    approvalToken: approvalTokenFromRequest(request, body)
+  });
+  if (decision.approved)
+    return;
+  return jsonError(`Mutation approval denied: ${decision.reason ?? "approval_token is invalid."}`, 403);
+}
+function objectBodyValue(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
 function privateOutputWarnings(requested, allowed) {
   return requested && !allowed ? [PRIVATE_OUTPUT_DENIED_WARNING] : [];
 }
@@ -15107,6 +15798,7 @@ function appendWarnings(payload, warnings) {
 function startDashboardServer(options = {}) {
   const info = getServeInfo(options);
   const events = new EventsClient2;
+  const trustedNotificationApproval2 = createTrustedNotificationApproval();
   return Bun.serve({
     hostname: info.host,
     port: info.port,
@@ -15171,8 +15863,25 @@ function startDashboardServer(options = {}) {
         const severity = typeof body["severity"] === "string" ? body["severity"] : undefined;
         const message = typeof body["message"] === "string" ? body["message"] : undefined;
         const dedupeKey = typeof body["dedupeKey"] === "string" ? body["dedupeKey"] : undefined;
-        const data = body["data"] && typeof body["data"] === "object" && !Array.isArray(body["data"]) ? body["data"] : {};
-        const metadata = body["metadata"] && typeof body["metadata"] === "object" && !Array.isArray(body["metadata"]) ? body["metadata"] : {};
+        const data = objectBodyValue(body["data"]);
+        const metadata = objectBodyValue(body["metadata"]);
+        const denied = requireDashboardMutation("machines_events_emit", request, body, {
+          resourceId: eventStoreResourceId("event", type, subject, dedupeKey),
+          args: withEventStoreScope({
+            event_type: type,
+            source,
+            subject,
+            severity,
+            message,
+            data,
+            metadata,
+            dedupe_key: dedupeKey,
+            deliver: true,
+            dedupe: true
+          })
+        });
+        if (denied)
+          return denied;
         return Response.json(await events.emit({
           source,
           type,
@@ -15215,8 +15924,20 @@ function startDashboardServer(options = {}) {
         const message = typeof body["message"] === "string" ? body["message"] : undefined;
         const apply = body["apply"] === true;
         const yes = body["yes"] === true;
+        const resolvedEvent = event ?? "manual.test";
+        const resolvedMessage = message ?? "machines notification test";
+        const denied = requireDashboardMutation("machines_notifications_test", request, body, {
+          resourceId: dashboardResourceId("notification-test", channelId, resolvedEvent),
+          args: { channel_id: channelId, event: resolvedEvent, message: resolvedMessage, apply, yes }
+        });
+        if (denied)
+          return denied;
         try {
-          return Response.json(await testNotificationChannel(channelId, event, message, { apply, yes }));
+          return Response.json(await testNotificationChannel(channelId, resolvedEvent, resolvedMessage, {
+            apply,
+            yes,
+            trustedApproval: apply ? trustedNotificationApproval2 : undefined
+          }));
         } catch (error) {
           return jsonError(error instanceof Error ? error.message : String(error));
         }
@@ -15231,13 +15952,22 @@ function startDashboardServer(options = {}) {
           return jsonError("channelId is required.");
         }
         const type = typeof body["type"] === "string" ? body["type"] : "events.test";
-        const message = typeof body["message"] === "string" ? body["message"] : undefined;
+        const subject = channelId;
+        const message = typeof body["message"] === "string" ? body["message"] : "Hasna events test delivery";
+        const data = objectBodyValue(body["data"]);
+        const denied = requireDashboardMutation("machines_webhooks_test", request, body, {
+          resourceId: eventStoreResourceId("webhook-test", channelId, type),
+          args: withEventStoreScope({ channel_id: channelId, event_type: type, subject, message, data })
+        });
+        if (denied)
+          return denied;
         try {
           return Response.json(await events.testChannel(channelId, {
             source: "machines",
             type,
-            subject: channelId,
-            message
+            subject,
+            message,
+            data
           }));
         } catch (error) {
           return jsonError(error instanceof Error ? error.message : String(error));
@@ -15385,17 +16115,21 @@ function buildSetupPlan(machineId) {
     workspacePath: `${homedir4()}/workspace`
   };
   const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
-  return {
+  return attachMutationPlanDigest({
     machineId: target.id,
     mode: "plan",
     steps,
     executed: 0
-  };
+  });
 }
 function runSetup(machineId, options = {}, runner = runMachineCommand) {
   const plan = buildSetupPlan(machineId);
+  return runSetupPlan(plan, options, runner);
+}
+function runSetupPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply) {
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   }
   if (!options.yes) {
     throw new Error("Setup execution requires --yes.");
@@ -15416,12 +16150,12 @@ function runSetup(machineId, options = {}, runner = runMachineCommand) {
     }
     executed += 1;
   }
-  const summary = {
+  const summary = attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
   recordSetupRun(plan.machineId, "completed", summary);
   return summary;
 }
@@ -15540,16 +16274,22 @@ function buildScreenEnableCommand(machineId, options = {}) {
   }
   const secretsCommand = options.secretsCommand || "secrets";
   const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  const secretsCommandArgs = [secretsCommand, "get", credentials.passwordSecretKey];
+  const sshPlan = buildSshCommandPlan(machineId, remoteCommand, options);
   return {
     machineId: credentials.machineId,
     user: credentials.user,
     passwordSecretKey: credentials.passwordSecretKey,
     remoteCommand,
-    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+    secretsCommand,
+    secretsCommandArgs,
+    sshCommand: sshPlan.command,
+    sshCommandArgs: sshPlan.args,
+    command: `${shellCommand2(secretsCommandArgs)} | ${sshPlan.shellCommand}`
   };
 }
 // src/commands/sync.ts
-import { existsSync as existsSync8, lstatSync, readFileSync as readFileSync6, symlinkSync, copyFileSync } from "fs";
+import { existsSync as existsSync9, lstatSync, readFileSync as readFileSync7, symlinkSync, copyFileSync } from "fs";
 import { homedir as homedir5 } from "os";
 function quote4(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
@@ -15602,15 +16342,15 @@ function detectFileActions(machine) {
     throw new Error(`Remote file sync planning is not supported for ${machine.id}; refusing to inspect or apply local paths as remote state.`);
   }
   return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync8(file.source);
-    const targetExists = existsSync8(file.target);
+    const sourceExists = existsSync9(file.source);
+    const targetExists = existsSync9(file.target);
     let status = "missing";
     if (sourceExists && targetExists) {
       if (file.mode === "symlink") {
         status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
       } else {
-        const source = readFileSync6(file.source, "utf8");
-        const target = readFileSync6(file.target, "utf8");
+        const source = readFileSync7(file.source, "utf8");
+        const target = readFileSync7(file.target, "utf8");
         status = source === target ? "ok" : "drifted";
       }
     }
@@ -15640,12 +16380,12 @@ function buildSyncPlan(machineId, runner = runMachineCommand) {
     ...detectPackageActions(target, runner),
     ...detectFileActions(target)
   ];
-  return {
+  return attachMutationPlanDigest({
     machineId: target.id,
     mode: "plan",
     actions,
     executed: 0
-  };
+  });
 }
 function applyFileAction(command2) {
   const [verb, source, target] = command2.split(" ");
@@ -15669,8 +16409,12 @@ function applyFileAction(command2) {
 }
 function runSync(machineId, options = {}, runner = runMachineCommand) {
   const plan = buildSyncPlan(machineId, runner);
+  return runSyncPlan(plan, options, runner);
+}
+function runSyncPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply) {
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   }
   if (!options.yes) {
     throw new Error("Sync execution requires --yes.");
@@ -15697,12 +16441,12 @@ function runSync(machineId, options = {}, runner = runMachineCommand) {
     }
     executed += 1;
   }
-  const summary = {
+  const summary = attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     actions: plan.actions,
     executed
-  };
+  });
   recordSyncRun(plan.machineId, "completed", summary);
   return summary;
 }
@@ -23087,7 +23831,7 @@ class Protocol {
           return;
         }
         const pollInterval = task2.pollInterval ?? this._options?.defaultTaskPollInterval ?? 1000;
-        await new Promise((resolve2) => setTimeout(resolve2, pollInterval));
+        await new Promise((resolve4) => setTimeout(resolve4, pollInterval));
         options?.signal?.throwIfAborted();
       }
     } catch (error2) {
@@ -23099,7 +23843,7 @@ class Protocol {
   }
   request(request, resultSchema, options) {
     const { relatedRequestId, resumptionToken, onresumptiontoken, task, relatedTask } = options ?? {};
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve4, reject) => {
       const earlyReject = (error2) => {
         reject(error2);
       };
@@ -23177,7 +23921,7 @@ class Protocol {
           if (!parseResult.success) {
             reject(parseResult.error);
           } else {
-            resolve2(parseResult.data);
+            resolve4(parseResult.data);
           }
         } catch (error2) {
           reject(error2);
@@ -23368,12 +24112,12 @@ class Protocol {
         interval = task.pollInterval;
       }
     } catch {}
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve4, reject) => {
       if (signal.aborted) {
         reject(new McpError(ErrorCode.InvalidRequest, "Request cancelled"));
         return;
       }
-      const timeoutId = setTimeout(resolve2, interval);
+      const timeoutId = setTimeout(resolve4, interval);
       signal.addEventListener("abort", () => {
         clearTimeout(timeoutId);
         reject(new McpError(ErrorCode.InvalidRequest, "Request cancelled"));
@@ -24227,7 +24971,7 @@ class McpServer {
     let task = createTaskResult.task;
     const pollInterval = task.pollInterval ?? 5000;
     while (task.status !== "completed" && task.status !== "failed" && task.status !== "cancelled") {
-      await new Promise((resolve2) => setTimeout(resolve2, pollInterval));
+      await new Promise((resolve4) => setTimeout(resolve4, pollInterval));
       const updatedTask = await extra.taskStore.getTask(taskId);
       if (!updatedTask) {
         throw new McpError(ErrorCode.InternalError, `Task ${taskId} not found during polling`);
@@ -24826,8 +25570,8 @@ var MACHINE_MCP_TOOL_NAMES = [
   "storage_pull",
   "storage_sync"
 ];
-function buildServer(version2 = getPackageVersion()) {
-  return createMcpServer(version2);
+function buildServer(version2 = getPackageVersion(), options = {}) {
+  return createMcpServer(version2, options);
 }
 function privateMetadataAllowed(requested) {
   return requested === true && isPrivateOutputEnabled();
@@ -24841,9 +25585,50 @@ function appendWarnings2(payload, warnings) {
   const currentWarnings = typeof payload === "object" && payload && "warnings" in payload && Array.isArray(payload.warnings) ? payload.warnings : [];
   return { ...payload, warnings: [...currentWarnings, ...warnings] };
 }
-function createMcpServer(version2) {
+var approvalTokenSchema = exports_external.string().optional().describe("Operator mutation approval token");
+function mutationMachineId(machineId) {
+  return machineId?.trim() || "local";
+}
+function mutationResourceId(kind, ...parts) {
+  const values = parts.map((part) => String(part ?? "*").trim()).filter(Boolean).join(":");
+  return values ? `${kind}:${values}` : kind;
+}
+function mutationCallerId() {
+  return process.env["HASNA_MACHINES_MUTATION_CALLER_ID"]?.trim() || "mcp";
+}
+function mutationRunId() {
+  return process.env["HASNA_MACHINES_MUTATION_RUN_ID"]?.trim() || "mcp";
+}
+function assertScopedMcpMutation(operation, approvalToken, scope = {}, transport) {
+  assertMutationApproved({
+    surface: "mcp",
+    operation,
+    transport,
+    callerId: mutationCallerId(),
+    runId: mutationRunId(),
+    machineId: scope.machineId === undefined ? undefined : mutationMachineId(scope.machineId),
+    resourceId: scope.resourceId === undefined || scope.resourceId === null ? undefined : scope.resourceId,
+    args: scope.args,
+    approvalToken
+  });
+}
+function mcpPlanApprovalArgs(args, plan) {
+  return {
+    ...args,
+    plan_digest: mutationPlanDigest(plan)
+  };
+}
+function mcpPlanResourceId(operation, machineId, plan) {
+  return mutationResourceId("plan", operation, machineId, mutationPlanDigest(plan));
+}
+function createMcpServer(version2, options = {}) {
   const server = new McpServer({ name: "machines", version: version2 });
   const events = new EventsClient3;
+  const trustedNotificationApproval2 = createTrustedNotificationApproval();
+  const mutationTransport = options.mutationTransport ?? "mcp:stdio";
+  function requireMcpMutation(operation, approvalToken, scope = {}) {
+    assertScopedMcpMutation(operation, approvalToken, scope, mutationTransport);
+  }
   server.tool("machines_status", "Return local machine fleet status paths and machine identity.", { private_metadata: exports_external.boolean().optional().describe("Include private local paths and machine identifiers") }, async ({ private_metadata }) => {
     const privateMetadata = privateMetadataAllowed(private_metadata);
     const warnings = privateOutputWarnings2(private_metadata, privateMetadata);
@@ -24857,18 +25642,31 @@ function createMcpServer(version2) {
   server.tool("machines_apps_status", "Check installed state for manifest-managed apps.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(getAppsStatus(machine_id), null, 2) }] }));
   server.tool("machines_apps_diff", "Show missing and installed manifest-managed apps.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(diffApps(machine_id), null, 2) }] }));
   server.tool("machines_apps_plan", "Preview app install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildAppsPlan(machine_id), null, 2) }] }));
-  server.tool("machines_apps_apply", "Install manifest-managed apps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runAppsInstall(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_apps_apply", "Install manifest-managed apps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildAppsPlan(machine_id);
+    requireMcpMutation("machines_apps_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_apps_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runAppsPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_manifest", "Read the current fleet manifest.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(manifestList(), null, 2) }]
   }));
   server.tool("machines_manifest_validate", "Validate the current fleet manifest.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(manifestValidate(), null, 2) }]
   }));
-  server.tool("machines_manifest_bootstrap", "Detect and upsert the current machine into the fleet manifest.", {}, async () => ({
-    content: [{ type: "text", text: JSON.stringify(manifestBootstrapCurrentMachine(), null, 2) }]
-  }));
+  server.tool("machines_manifest_bootstrap", "Detect and upsert the current machine into the fleet manifest.", { approval_token: approvalTokenSchema }, async ({ approval_token }) => {
+    requireMcpMutation("machines_manifest_bootstrap", approval_token, { resourceId: "manifest:bootstrap", args: {} });
+    return { content: [{ type: "text", text: JSON.stringify(manifestBootstrapCurrentMachine(), null, 2) }] };
+  });
   server.tool("machines_manifest_get", "Read a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(manifestGet(machine_id), null, 2) }] }));
-  server.tool("machines_manifest_remove", "Remove a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(manifestRemove(machine_id), null, 2) }] }));
+  server.tool("machines_manifest_remove", "Remove a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier"), approval_token: approvalTokenSchema }, async ({ machine_id, approval_token }) => {
+    requireMcpMutation("machines_manifest_remove", approval_token, { machineId: machine_id, args: { machine_id } });
+    return { content: [{ type: "text", text: JSON.stringify(manifestRemove(machine_id), null, 2) }] };
+  });
   server.tool("machines_agent_status", "List current machine agent heartbeats.", { private_metadata: exports_external.boolean().optional().describe("Include private heartbeat metadata") }, async ({ private_metadata }) => {
     const privateMetadata = privateMetadataAllowed(private_metadata);
     const warnings = privateOutputWarnings2(private_metadata, privateMetadata);
@@ -24920,9 +25718,27 @@ function createMcpServer(version2) {
     }]
   }));
   server.tool("machines_setup_preview", "Preview setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildSetupPlan(machine_id), null, 2) }] }));
-  server.tool("machines_setup_apply", "Execute setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runSetup(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_setup_apply", "Execute setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildSetupPlan(machine_id);
+    requireMcpMutation("machines_setup_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_setup_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runSetupPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_sync_preview", "Preview sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildSyncPlan(machine_id), null, 2) }] }));
-  server.tool("machines_sync_apply", "Execute sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runSync(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_sync_apply", "Execute sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildSyncPlan(machine_id);
+    requireMcpMutation("machines_sync_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_sync_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runSyncPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_topology", "Discover local, manifest, heartbeat, SSH, and Tailscale machine topology.", {
     include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json"),
     private_metadata: exports_external.boolean().optional().describe("Include private host/network route fields")
@@ -24977,12 +25793,31 @@ function createMcpServer(version2) {
   server.tool("machines_install_claude_apply", "Execute Claude, Codex, and Gemini CLI install steps for a machine.", {
     machine_id: exports_external.string().optional().describe("Machine identifier"),
     tools: exports_external.array(exports_external.enum(["claude", "codex", "gemini"])).optional().describe("AI CLIs to install"),
-    yes: exports_external.boolean().describe("Confirmation flag for execution")
-  }, async ({ machine_id, tools, yes }) => ({
-    content: [{ type: "text", text: JSON.stringify(runClaudeInstall(machine_id, tools, { apply: true, yes }), null, 2) }]
-  }));
+    yes: exports_external.boolean().describe("Confirmation flag for execution"),
+    approval_token: approvalTokenSchema
+  }, async ({ machine_id, tools, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildClaudeInstallPlan(machine_id, tools);
+    requireMcpMutation("machines_install_claude_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_install_claude_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, tools, yes }, plan)
+    });
+    return {
+      content: [{ type: "text", text: JSON.stringify(runClaudeInstallPlan(plan, { apply: true, yes }), null, 2) }]
+    };
+  });
   server.tool("machines_install_tailscale_preview", "Preview Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildTailscaleInstallPlan(machine_id), null, 2) }] }));
-  server.tool("machines_install_tailscale_apply", "Execute Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runTailscaleInstall(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_install_tailscale_apply", "Execute Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildTailscaleInstallPlan(machine_id);
+    requireMcpMutation("machines_install_tailscale_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_install_tailscale_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runTailscaleInstallPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_route_resolve", "Resolve the best route for a machine using manifest, heartbeat, SSH, LAN, and Tailscale topology.", {
     machine_id: exports_external.string().describe("Machine identifier"),
     include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json"),
@@ -25050,41 +25885,72 @@ function createMcpServer(version2) {
     content: [{ type: "text", text: JSON.stringify(listPorts(machine_id), null, 2) }]
   }));
   server.tool("machines_backup_preview", "Preview backup steps for the current machine.", { bucket: exports_external.string().optional().describe("S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET"), prefix: exports_external.string().optional().describe("S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines") }, async ({ bucket, prefix }) => ({ content: [{ type: "text", text: JSON.stringify(buildBackupPlan(bucket, prefix), null, 2) }] }));
-  server.tool("machines_backup_apply", "Execute backup steps for the current machine.", { bucket: exports_external.string().optional().describe("S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET"), prefix: exports_external.string().optional().describe("S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ bucket, prefix, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runBackup(bucket, prefix, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_backup_apply", "Execute backup steps for the current machine.", { bucket: exports_external.string().optional().describe("S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET"), prefix: exports_external.string().optional().describe("S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ bucket, prefix, yes, approval_token }) => {
+    requireMcpMutation("machines_backup_apply", approval_token, { resourceId: mutationResourceId("backup", bucket, prefix), args: { bucket, prefix, yes } });
+    return { content: [{ type: "text", text: JSON.stringify(runBackup(bucket, prefix, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_cert_preview", "Preview mkcert steps for one or more domains.", { domains: exports_external.array(exports_external.string()).describe("Domains to issue certificates for") }, async ({ domains }) => ({ content: [{ type: "text", text: JSON.stringify(buildCertPlan(domains), null, 2) }] }));
-  server.tool("machines_cert_apply", "Execute mkcert steps for one or more domains.", { domains: exports_external.array(exports_external.string()).describe("Domains to issue certificates for"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ domains, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runCertPlan(domains, { apply: true, yes }), null, 2) }] }));
-  server.tool("machines_dns_add", "Add or replace a local domain mapping.", { domain: exports_external.string().describe("Domain name"), port: exports_external.number().describe("Target port"), target_host: exports_external.string().optional().describe("Target host") }, async ({ domain, port, target_host }) => ({ content: [{ type: "text", text: JSON.stringify(addDomainMapping(domain, port, target_host), null, 2) }] }));
+  server.tool("machines_cert_apply", "Execute mkcert steps for one or more domains.", { domains: exports_external.array(exports_external.string()).describe("Domains to issue certificates for"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ domains, yes, approval_token }) => {
+    requireMcpMutation("machines_cert_apply", approval_token, { resourceId: mutationResourceId("cert", domains.join(",")), args: { domains, yes } });
+    return { content: [{ type: "text", text: JSON.stringify(runCertPlan(domains, { apply: true, yes }), null, 2) }] };
+  });
+  server.tool("machines_dns_add", "Add or replace a local domain mapping.", { domain: exports_external.string().describe("Domain name"), port: exports_external.number().describe("Target port"), target_host: exports_external.string().optional().describe("Target host"), approval_token: approvalTokenSchema }, async ({ domain, port, target_host, approval_token }) => {
+    const resolvedTargetHost = target_host ?? "127.0.0.1";
+    requireMcpMutation("machines_dns_add", approval_token, { resourceId: mutationResourceId("dns", domain), args: { domain, port, target_host: resolvedTargetHost } });
+    return { content: [{ type: "text", text: JSON.stringify(addDomainMapping(domain, port, resolvedTargetHost), null, 2) }] };
+  });
   server.tool("machines_dns_list", "List local domain mappings.", {}, async () => ({ content: [{ type: "text", text: JSON.stringify(listDomainMappings(), null, 2) }] }));
   server.tool("machines_dns_render", "Render hosts/proxy configuration for a domain.", { domain: exports_external.string().describe("Domain name") }, async ({ domain }) => ({ content: [{ type: "text", text: JSON.stringify(renderDomainMapping(domain), null, 2) }] }));
   server.tool("machines_notifications_add", "Add or replace a notification channel.", {
     channel_id: exports_external.string().describe("Channel identifier"),
     type: exports_external.enum(["email", "webhook", "command"]).describe("Notification transport"),
-    target: exports_external.string().describe("Email, webhook URL, or shell command"),
+    target: exports_external.string().describe("Email, webhook URL, or command executable"),
+    command_args: exports_external.array(exports_external.string()).optional().describe("Arguments for command transports"),
     events: exports_external.array(exports_external.string()).describe("Events routed to this channel"),
-    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled")
-  }, async ({ channel_id, type, target, events: events2, enabled }) => ({
-    content: [{ type: "text", text: JSON.stringify(addNotificationChannel({ id: channel_id, type, target, events: events2, enabled: enabled ?? true }), null, 2) }]
-  }));
+    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled"),
+    approval_token: approvalTokenSchema
+  }, async ({ channel_id, type, target, command_args, events: events2, enabled, approval_token }) => {
+    const resolvedEnabled = enabled ?? true;
+    const resolvedEvents = [...new Set(events2)];
+    const commandArgs = command_args ?? [];
+    requireMcpMutation("machines_notifications_add", approval_token, { resourceId: mutationResourceId("notification", channel_id), args: { channel_id, type, target, command_args: commandArgs, events: resolvedEvents, enabled: resolvedEnabled } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(addNotificationChannel({ id: channel_id, type, target, commandArgs: type === "command" && commandArgs.length > 0 ? commandArgs : undefined, events: resolvedEvents, enabled: resolvedEnabled }, { trustedApproval: trustedNotificationApproval2 }), null, 2) }]
+    };
+  });
   server.tool("machines_notifications_list", "List notification channels.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(listNotificationChannels(), null, 2) }]
   }));
-  server.tool("machines_notifications_test", "Preview or execute a notification test.", { channel_id: exports_external.string().describe("Channel identifier"), event: exports_external.string().optional().describe("Event name"), message: exports_external.string().optional().describe("Message body"), yes: exports_external.boolean().optional().describe("Execute the test when true") }, async ({ channel_id, event, message, yes }) => ({
-    content: [{ type: "text", text: JSON.stringify(await testNotificationChannel(channel_id, event, message, { apply: Boolean(yes), yes }), null, 2) }]
-  }));
-  server.tool("machines_notifications_dispatch", "Dispatch an event to matching notification channels.", { event: exports_external.string().describe("Event name"), message: exports_external.string().describe("Message body"), channel_id: exports_external.string().optional().describe("Limit delivery to one channel") }, async ({ event, message, channel_id }) => ({ content: [{ type: "text", text: JSON.stringify(await dispatchNotificationEvent(event, message, { channelId: channel_id }), null, 2) }] }));
-  server.tool("machines_notifications_remove", "Remove a notification channel.", { channel_id: exports_external.string().describe("Channel identifier") }, async ({ channel_id }) => ({ content: [{ type: "text", text: JSON.stringify(removeNotificationChannel(channel_id), null, 2) }] }));
+  server.tool("machines_notifications_test", "Preview or execute a notification test.", { channel_id: exports_external.string().describe("Channel identifier"), event: exports_external.string().optional().describe("Event name"), message: exports_external.string().optional().describe("Message body"), yes: exports_external.boolean().optional().describe("Execute the test when true"), approval_token: approvalTokenSchema }, async ({ channel_id, event, message, yes, approval_token }) => {
+    if (yes === true)
+      requireMcpMutation("machines_notifications_test", approval_token, { resourceId: mutationResourceId("notification-test", channel_id, event), args: { channel_id, event, message, yes: true } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await testNotificationChannel(channel_id, event, message, { apply: Boolean(yes), yes, trustedApproval: yes === true ? trustedNotificationApproval2 : undefined }), null, 2) }]
+    };
+  });
+  server.tool("machines_notifications_dispatch", "Dispatch an event to matching notification channels.", { event: exports_external.string().describe("Event name"), message: exports_external.string().describe("Message body"), channel_id: exports_external.string().optional().describe("Limit delivery to one channel"), approval_token: approvalTokenSchema }, async ({ event, message, channel_id, approval_token }) => {
+    requireMcpMutation("machines_notifications_dispatch", approval_token, { resourceId: mutationResourceId("notification-dispatch", channel_id, event), args: { event, message, channel_id } });
+    return { content: [{ type: "text", text: JSON.stringify(await dispatchNotificationEvent(event, message, { channelId: channel_id, trustedApproval: trustedNotificationApproval2 }), null, 2) }] };
+  });
+  server.tool("machines_notifications_remove", "Remove a notification channel.", { channel_id: exports_external.string().describe("Channel identifier"), approval_token: approvalTokenSchema }, async ({ channel_id, approval_token }) => {
+    requireMcpMutation("machines_notifications_remove", approval_token, { resourceId: mutationResourceId("notification", channel_id), args: { channel_id } });
+    return { content: [{ type: "text", text: JSON.stringify(removeNotificationChannel(channel_id), null, 2) }] };
+  });
   server.tool("machines_webhooks_add", "Add or replace a shared event webhook channel.", {
     channel_id: exports_external.string().describe("Channel identifier"),
     url: exports_external.string().url().describe("Webhook URL"),
     event_type: exports_external.string().optional().describe("Optional event type filter, e.g. machines.*"),
     source: exports_external.string().optional().describe("Optional source filter"),
     secret: exports_external.string().optional().describe("Optional HMAC secret"),
-    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled")
-  }, async ({ channel_id, url, event_type, source, secret, enabled }) => {
+    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled"),
+    approval_token: approvalTokenSchema
+  }, async ({ channel_id, url, event_type, source, secret, enabled, approval_token }) => {
+    const resolvedEnabled = enabled ?? true;
+    requireMcpMutation("machines_webhooks_add", approval_token, { resourceId: mutationResourceId("webhook", channel_id), args: { channel_id, url, event_type, source, secret, enabled: resolvedEnabled } });
     const now = new Date().toISOString();
     const channel = await events.addChannel({
       id: channel_id,
-      enabled: enabled ?? true,
+      enabled: resolvedEnabled,
       transport: "webhook",
       filters: event_type || source ? [{ type: event_type, source }] : undefined,
       webhook: { url, secret },
@@ -25096,10 +25962,16 @@ function createMcpServer(version2) {
   server.tool("machines_webhooks_list", "List shared event webhook channels.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(sanitizeChannelsForOutput2(await events.listChannels()), null, 2) }]
   }));
-  server.tool("machines_webhooks_test", "Send a test event to one shared event channel.", { channel_id: exports_external.string().describe("Channel identifier"), event_type: exports_external.string().optional().describe("Event type"), message: exports_external.string().optional().describe("Message body") }, async ({ channel_id, event_type, message }) => ({
-    content: [{ type: "text", text: JSON.stringify(await events.testChannel(channel_id, { source: "machines", type: event_type ?? "events.test", message }), null, 2) }]
-  }));
-  server.tool("machines_webhooks_remove", "Remove a shared event channel.", { channel_id: exports_external.string().describe("Channel identifier") }, async ({ channel_id }) => ({ content: [{ type: "text", text: JSON.stringify({ removed: await events.removeChannel(channel_id) }, null, 2) }] }));
+  server.tool("machines_webhooks_test", "Send a test event to one shared event channel.", { channel_id: exports_external.string().describe("Channel identifier"), event_type: exports_external.string().optional().describe("Event type"), message: exports_external.string().optional().describe("Message body"), approval_token: approvalTokenSchema }, async ({ channel_id, event_type, message, approval_token }) => {
+    requireMcpMutation("machines_webhooks_test", approval_token, { resourceId: mutationResourceId("webhook-test", channel_id, event_type), args: { channel_id, event_type, message } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await events.testChannel(channel_id, { source: "machines", type: event_type ?? "events.test", message }), null, 2) }]
+    };
+  });
+  server.tool("machines_webhooks_remove", "Remove a shared event channel.", { channel_id: exports_external.string().describe("Channel identifier"), approval_token: approvalTokenSchema }, async ({ channel_id, approval_token }) => {
+    requireMcpMutation("machines_webhooks_remove", approval_token, { resourceId: mutationResourceId("webhook", channel_id), args: { channel_id } });
+    return { content: [{ type: "text", text: JSON.stringify({ removed: await events.removeChannel(channel_id) }, null, 2) }] };
+  });
   server.tool("machines_events_emit", "Emit a shared event from machines.", {
     event_type: exports_external.string().describe("Event type"),
     subject: exports_external.string().optional().describe("Event subject"),
@@ -25108,25 +25980,36 @@ function createMcpServer(version2) {
     data: exports_external.record(exports_external.unknown()).optional().describe("Event data"),
     metadata: exports_external.record(exports_external.unknown()).optional().describe("Event metadata"),
     dedupe_key: exports_external.string().optional().describe("Dedupe key"),
-    deliver: exports_external.boolean().optional().describe("Deliver to matching channels")
-  }, async ({ event_type, subject, severity, message, data, metadata, dedupe_key, deliver }) => ({
-    content: [{ type: "text", text: JSON.stringify(await events.emit({
-      source: "machines",
-      type: event_type,
-      subject,
-      severity,
-      message,
-      data: data ?? {},
-      metadata: metadata ?? {},
-      dedupeKey: dedupe_key
-    }, { deliver: deliver !== false }), null, 2) }]
-  }));
+    deliver: exports_external.boolean().optional().describe("Deliver to matching channels"),
+    approval_token: approvalTokenSchema
+  }, async ({ event_type, subject, severity, message, data, metadata, dedupe_key, deliver, approval_token }) => {
+    const resolvedData = data ?? {};
+    const resolvedMetadata = metadata ?? {};
+    const resolvedDeliver = deliver !== false;
+    requireMcpMutation("machines_events_emit", approval_token, { resourceId: mutationResourceId("event", event_type, subject, dedupe_key), args: { event_type, subject, severity, message, data: resolvedData, metadata: resolvedMetadata, dedupe_key, deliver: resolvedDeliver } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await events.emit({
+        source: "machines",
+        type: event_type,
+        subject,
+        severity,
+        message,
+        data: resolvedData,
+        metadata: resolvedMetadata,
+        dedupeKey: dedupe_key
+      }, { deliver: resolvedDeliver }), null, 2) }]
+    };
+  });
   server.tool("machines_events_list", "List shared events.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(await events.listEvents(), null, 2) }]
   }));
-  server.tool("machines_events_replay", "Replay shared events.", { event_id: exports_external.string().optional().describe("Event id"), source: exports_external.string().optional().describe("Source filter"), event_type: exports_external.string().optional().describe("Event type filter"), dry_run: exports_external.boolean().optional().describe("Preview without delivery") }, async ({ event_id, source, event_type, dry_run }) => ({
-    content: [{ type: "text", text: JSON.stringify(await events.replay({ eventId: event_id, source, type: event_type, dryRun: dry_run }), null, 2) }]
-  }));
+  server.tool("machines_events_replay", "Replay shared events.", { event_id: exports_external.string().optional().describe("Event id"), source: exports_external.string().optional().describe("Source filter"), event_type: exports_external.string().optional().describe("Event type filter"), dry_run: exports_external.boolean().optional().describe("Preview without delivery"), approval_token: approvalTokenSchema }, async ({ event_id, source, event_type, dry_run, approval_token }) => {
+    if (dry_run !== true)
+      requireMcpMutation("machines_events_replay", approval_token, { resourceId: mutationResourceId("event-replay", event_id, source, event_type), args: { event_id, source, event_type, dry_run: false } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await events.replay({ eventId: event_id, source, type: event_type, dryRun: dry_run }), null, 2) }]
+    };
+  });
   server.tool("machines_serve_info", "Preview the dashboard server bind address and routes.", { host: exports_external.string().optional().describe("Host interface"), port: exports_external.number().optional().describe("Port number") }, async ({ host, port }) => ({ content: [{ type: "text", text: JSON.stringify(getServeInfo({ host, port }), null, 2) }] }));
   server.tool("machines_serve_dashboard", "Render the current dashboard HTML.", {}, async () => ({
     content: [{ type: "text", text: renderDashboardHtml() }]
@@ -25134,9 +26017,21 @@ function createMcpServer(version2) {
   server.tool("storage_status", "Show machines storage sync configuration and local sync history.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(getStorageStatus(), null, 2) }]
   }));
-  server.tool("storage_push", "Push local machine runtime data to storage PostgreSQL.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to push") }, async ({ tables }) => ({ content: [{ type: "text", text: JSON.stringify(await storagePush(tables ? { tables } : undefined), null, 2) }] }));
-  server.tool("storage_pull", "Pull machine runtime data from storage PostgreSQL to local SQLite.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to pull") }, async ({ tables }) => ({ content: [{ type: "text", text: JSON.stringify(await storagePull(tables ? { tables } : undefined), null, 2) }] }));
-  server.tool("storage_sync", "Bidirectional machines storage sync: pull then push.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to sync") }, async ({ tables }) => ({ content: [{ type: "text", text: JSON.stringify(await storageSync(tables ? { tables } : undefined), null, 2) }] }));
+  server.tool("storage_push", "Push local machine runtime data to storage PostgreSQL.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to push"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
+    const resolvedTables = resolveTables(tables);
+    requireMcpMutation("storage_push", approval_token, { resourceId: mutationResourceId("storage-push", resolvedTables.join(",")), args: { tables: resolvedTables } });
+    return { content: [{ type: "text", text: JSON.stringify(await storagePush({ tables: resolvedTables }), null, 2) }] };
+  });
+  server.tool("storage_pull", "Pull machine runtime data from storage PostgreSQL to local SQLite.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to pull"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
+    const resolvedTables = resolveTables(tables);
+    requireMcpMutation("storage_pull", approval_token, { resourceId: mutationResourceId("storage-pull", resolvedTables.join(",")), args: { tables: resolvedTables } });
+    return { content: [{ type: "text", text: JSON.stringify(await storagePull({ tables: resolvedTables }), null, 2) }] };
+  });
+  server.tool("storage_sync", "Bidirectional machines storage sync: pull then push.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to sync"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
+    const resolvedTables = resolveTables(tables);
+    requireMcpMutation("storage_sync", approval_token, { resourceId: mutationResourceId("storage-sync", resolvedTables.join(",")), args: { tables: resolvedTables } });
+    return { content: [{ type: "text", text: JSON.stringify(await storageSync({ tables: resolvedTables }), null, 2) }] };
+  });
   return server;
 }
 export {
@@ -25145,6 +26040,8 @@ export {
   writeHeartbeatTick,
   writeHeartbeat,
   watchTmuxPane,
+  verifyMutationApprovalToken,
+  validateSshTarget,
   validateManifest,
   upsertHeartbeat,
   testNotificationChannel,
@@ -25154,16 +26051,21 @@ export {
   startDashboardServer,
   setHeartbeatStatus,
   sanitizePublicString,
+  runTailscaleInstallPlan,
   runTailscaleInstall,
+  runSyncPlan,
   runSync,
   runStorageMigrations,
+  runSetupPlan,
   runSetup,
   runSelfTest,
   runDoctor,
   runDaemonServicePlan,
+  runClaudeInstallPlan,
   runClaudeInstall,
   runCertPlan,
   runBackup,
+  runAppsPlan,
   runAppsInstall,
   resolveTables,
   resolveSshTarget,
@@ -25197,6 +26099,8 @@ export {
   probeTmuxPane,
   parseStorageTables,
   parsePortOutput,
+  mutationPlanDigest,
+  mutationArgsSha256,
   markOffline,
   manifestValidate,
   manifestRemove,
@@ -25215,6 +26119,7 @@ export {
   isSensitiveKey,
   isPrivateOutputEnabled,
   isPrivateMetadataEnabled,
+  isMutationApproved,
   getSyncMetaAll,
   getStorageStatus,
   getStoragePg,
@@ -25253,13 +26158,18 @@ export {
   diffApps,
   detectCurrentMachineManifest,
   defaultScreenPasswordSecretKey,
+  createMutationApprovalToken,
   createMcpServer,
   createMachineResolverSnapshot,
   countRuns,
   closeDb,
   checkMachineCompatibility,
+  canonicalMutationArgs,
+  buildTmuxPaneDiedHookPlan,
   buildTailscaleInstallPlan,
   buildSyncPlan,
+  buildSshCommandPlan,
+  buildSshCommandArgs,
   buildSshCommand,
   buildSetupPlan,
   buildServer,
@@ -25277,6 +26187,9 @@ export {
   buildCertPlan,
   buildBackupPlan,
   buildAppsPlan,
+  attachMutationPlanDigest,
+  assertMutationPlanDigest,
+  assertMutationApproved,
   addNotificationChannel,
   addDomainMapping,
   SqliteAdapter,
@@ -25292,6 +26205,11 @@ export {
   PRIVATE_METADATA_ENV,
   PRIVATE_MANIFEST_REF_ENV,
   PRIVATE_MANIFEST_BACKEND_ENV,
+  MUTATION_APPROVAL_TOKEN_ENV,
+  MUTATION_APPROVAL_RUN_ENV,
+  MUTATION_APPROVAL_REPLAY_PATH_ENV,
+  MUTATION_APPROVAL_FLAG_ENV,
+  MUTATION_APPROVAL_CALLER_ENV,
   MACHINE_MCP_TOOL_NAMES,
   MACHINES_STORAGE_TABLES,
   MACHINES_STORAGE_MODE_FALLBACK_ENV,
@@ -25310,6 +26228,7 @@ export {
   MACHINES_BACKUP_PREFIX_ENV,
   MACHINES_BACKUP_BUCKET_FALLBACK_ENV,
   MACHINES_BACKUP_BUCKET_ENV,
+  LEGACY_MUTATION_APPROVAL_FLAG_ENV,
   DOCTOR_OPTIONAL_ADAPTER_DOMAINS,
   DEFAULT_SCREEN_SECRET_NAMESPACE,
   DEFAULT_MACHINE_RESOLVER_TTL_MS,