@hasna/machines 0.0.44 → 0.0.46

package/dist/mcp/index.js

@@ -37,6 +37,7 @@ function getPackageVersion() {
 }
 
 // src/mcp/http.ts
+import { timingSafeEqual as timingSafeEqual2 } from "crypto";
 import { createServer } from "http";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 
@@ -4459,9 +4460,9 @@ function detectCurrentMachineManifest() {
   };
 }
 
-// src/remote.ts
-import { spawnSync as spawnSync2 } from "child_process";
-import { hostname as hostname5 } from "os";
+// src/commands/mutation-approval.ts
+import { createHash, createHmac, randomUUID, timingSafeEqual } from "crypto";
+import { resolve as resolve2 } from "path";
 
 // src/db.ts
 import { Database } from "bun:sqlite";
@@ -4470,6 +4471,7 @@ class SqliteAdapter {
   raw;
   constructor(path) {
     this.raw = new Database(path);
+    this.raw.exec("PRAGMA busy_timeout = 5000");
   }
   close() {
     this.raw.close();
@@ -4535,6 +4537,23 @@ function createTables(db) {
       updated_at TEXT NOT NULL
     )
   `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS mutation_approval_nonces (
+      nonce_sha256 TEXT PRIMARY KEY,
+      token_sha256 TEXT NOT NULL,
+      surface TEXT NOT NULL,
+      operation TEXT NOT NULL,
+      caller_id TEXT NOT NULL,
+      run_id TEXT NOT NULL,
+      transport TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      used_at INTEGER NOT NULL
+    )
+  `);
+  db.exec(`
+    CREATE INDEX IF NOT EXISTS mutation_approval_nonces_expires_at_idx
+    ON mutation_approval_nonces (expires_at)
+  `);
 }
 function migrateAgentHeartbeats(db) {
   const columns = db.query("PRAGMA table_info(agent_heartbeats)").all();
@@ -4609,6 +4628,266 @@ function recordSyncRun(machineId, status, actions) {
      VALUES (?, ?, ?, ?, ?, ?)`).run(crypto.randomUUID(), machineId, status, JSON.stringify(actions), now, now);
 }
 
+// src/commands/mutation-approval.ts
+var MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_ALLOW_MUTATIONS";
+var LEGACY_MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_MUTATION_APPROVAL";
+var MUTATION_APPROVAL_TOKEN_ENV = "HASNA_MACHINES_MUTATION_TOKEN";
+var MUTATION_APPROVAL_REPLAY_PATH_ENV = "HASNA_MACHINES_MUTATION_REPLAY_PATH";
+var TOKEN_PREFIX = "machines-mut-v1";
+var DEFAULT_TOKEN_TTL_MS = 5 * 60 * 1000;
+var MAX_TOKEN_TTL_MS = 5 * 60 * 1000;
+var MAX_CLOCK_SKEW_MS = 30000;
+function isTruthy(value) {
+  return value === "1" || value?.toLowerCase() === "true" || value?.toLowerCase() === "yes";
+}
+function nowMs(now) {
+  if (typeof now === "number")
+    return now;
+  if (now instanceof Date)
+    return now.getTime();
+  return Date.now();
+}
+function signingSecret(env, explicitSecret) {
+  return explicitSecret?.trim() || env[MUTATION_APPROVAL_TOKEN_ENV]?.trim();
+}
+function hmac(payload, secret) {
+  return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+function sha256Hex(payload) {
+  return createHash("sha256").update(payload).digest("hex");
+}
+function replayDbPath(env) {
+  const configured = env[MUTATION_APPROVAL_REPLAY_PATH_ENV]?.trim();
+  return configured ? resolve2(configured) : undefined;
+}
+function replayNonceKey(claims) {
+  return sha256Hex(JSON.stringify({ nonce: claims.nonce }));
+}
+function recordReplayNonce(env, claims, tokenPayload, now) {
+  const dbPath = replayDbPath(env);
+  if (!dbPath)
+    return;
+  if (!claims.nonce) {
+    return { approved: false, reason: "approval_token nonce claim is required for replay protection." };
+  }
+  try {
+    const db = getDb(dbPath);
+    db.query("DELETE FROM mutation_approval_nonces WHERE expires_at <= ?").run(now);
+    const result = db.query(`
+      INSERT OR IGNORE INTO mutation_approval_nonces (
+        nonce_sha256,
+        token_sha256,
+        surface,
+        operation,
+        caller_id,
+        run_id,
+        transport,
+        expires_at,
+        used_at
+      )
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(replayNonceKey(claims), sha256Hex(tokenPayload), claims.surface, claims.operation, claims.callerId ?? "", claims.runId ?? "", claims.transport ?? "", claims.expiresAt, now);
+    if (result.changes !== 1) {
+      return { approved: false, reason: "approval_token nonce has already been used." };
+    }
+    return;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { approved: false, reason: `approval_token replay store is unavailable: ${message}` };
+  }
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function canonicalizeMutationArg(value, inArray = false) {
+  if (value === undefined)
+    return inArray ? null : undefined;
+  if (value === null || typeof value === "boolean" || typeof value === "string")
+    return value;
+  if (typeof value === "number")
+    return Number.isFinite(value) ? value : null;
+  if (Array.isArray(value)) {
+    return value.map((entry) => canonicalizeMutationArg(entry, true) ?? null);
+  }
+  if (value instanceof Date)
+    return value.toISOString();
+  if (typeof value === "object") {
+    const result = {};
+    for (const key of Object.keys(value).sort()) {
+      if (key === "approval_token" || key === "approvalToken")
+        continue;
+      const canonicalValue = canonicalizeMutationArg(value[key]);
+      if (canonicalValue !== undefined)
+        result[key] = canonicalValue;
+    }
+    return result;
+  }
+  return inArray ? null : undefined;
+}
+function canonicalMutationArgs(value) {
+  return JSON.stringify(canonicalizeMutationArg(value) ?? {});
+}
+function mutationArgsSha256(value) {
+  return sha256Hex(canonicalMutationArgs(value));
+}
+function stripPlanRuntimeFields(value) {
+  if (Array.isArray(value))
+    return value.map(stripPlanRuntimeFields);
+  if (value instanceof Date)
+    return value;
+  if (value && typeof value === "object") {
+    const result = {};
+    for (const [key, entry] of Object.entries(value)) {
+      if (key === "planDigest" || key === "plan_digest" || key === "mode" || key === "executed")
+        continue;
+      result[key] = stripPlanRuntimeFields(entry);
+    }
+    return result;
+  }
+  return value;
+}
+function mutationPlanDigest(plan) {
+  return mutationArgsSha256(stripPlanRuntimeFields(plan));
+}
+function attachMutationPlanDigest(plan) {
+  return {
+    ...plan,
+    planDigest: mutationPlanDigest(plan)
+  };
+}
+function assertMutationPlanDigest(plan, expectedPlanDigest) {
+  if (expectedPlanDigest && mutationPlanDigest(plan) !== expectedPlanDigest) {
+    throw new Error("Approved plan digest does not match the current execution plan.");
+  }
+}
+function parseToken(token) {
+  if (!token)
+    return null;
+  const parts = token.split(".");
+  if (parts.length !== 3 || parts[0] !== TOKEN_PREFIX)
+    return null;
+  try {
+    const claims = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
+    return { payload: parts[1] ?? "", signature: parts[2] ?? "", claims };
+  } catch {
+    return null;
+  }
+}
+function claimMatches(expected, actual) {
+  if (expected === undefined)
+    return actual === undefined;
+  return actual === expected;
+}
+function verifyMutationApprovalToken(options) {
+  const env = options.env ?? process.env;
+  const secret = signingSecret(env);
+  if (!secret)
+    return { approved: false, reason: `${MUTATION_APPROVAL_TOKEN_ENV} is not configured.` };
+  const parsed = parseToken(options.approvalToken);
+  if (!parsed)
+    return { approved: false, reason: "approval_token is not a scoped mutation token." };
+  if (!safeEqual(hmac(parsed.payload, secret), parsed.signature)) {
+    return { approved: false, reason: "approval_token signature is invalid." };
+  }
+  const claims = parsed.claims;
+  if (claims.version !== 1)
+    return { approved: false, reason: "approval_token version is unsupported." };
+  if (!claims.callerId || !claims.runId) {
+    return { approved: false, reason: "approval_token must include caller and run claims." };
+  }
+  if (!claims.transport) {
+    return { approved: false, reason: "approval_token must include a transport claim." };
+  }
+  if (!Number.isFinite(claims.expiresAt) || claims.expiresAt <= nowMs(options.now)) {
+    return { approved: false, reason: "approval_token is expired." };
+  }
+  const now = nowMs(options.now);
+  if (!Number.isFinite(claims.issuedAt) || claims.issuedAt > now + MAX_CLOCK_SKEW_MS) {
+    return { approved: false, reason: "approval_token issue time is invalid." };
+  }
+  if (claims.expiresAt - claims.issuedAt > MAX_TOKEN_TTL_MS) {
+    return { approved: false, reason: "approval_token TTL is too long." };
+  }
+  for (const key of ["surface", "operation", "machineId", "resourceId", "transport"]) {
+    if (!claimMatches(options[key], claims[key])) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  for (const key of ["callerId", "runId"]) {
+    if (options[key] !== undefined && options[key] !== claims[key]) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  const expectedArgsSha256 = options.argsSha256 || (options.args === undefined ? undefined : mutationArgsSha256(options.args));
+  if (expectedArgsSha256 !== undefined && claims.args_sha256 !== expectedArgsSha256) {
+    return { approved: false, reason: "approval_token args_sha256 claim does not match this mutation." };
+  }
+  const replayDecision = recordReplayNonce(env, claims, parsed.payload, now);
+  if (replayDecision)
+    return replayDecision;
+  return { approved: true, claims };
+}
+function isMutationApproved(options = {}) {
+  const env = options.env ?? process.env;
+  const surface = options.surface ?? "cli";
+  if (surface === "mcp") {
+    if (!options.operation)
+      return false;
+    return verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? "mcp",
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env,
+      now: options.now
+    }).approved;
+  }
+  if (options.approvalToken) {
+    const decision = options.operation ? verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? surface,
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env,
+      now: options.now
+    }) : { approved: false };
+    if (decision.approved)
+      return true;
+    if (env[MUTATION_APPROVAL_TOKEN_ENV]?.trim())
+      return false;
+  }
+  return isTruthy(env[MUTATION_APPROVAL_FLAG_ENV]) || isTruthy(env[LEGACY_MUTATION_APPROVAL_FLAG_ENV]);
+}
+function assertMutationApproved(options) {
+  if (isMutationApproved(options)) {
+    return;
+  }
+  const env = options.env ?? process.env;
+  const tokenConfigured = Boolean(env[MUTATION_APPROVAL_TOKEN_ENV]?.trim());
+  const approvalHint = options.surface === "mcp" ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV}` : tokenConfigured ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV} or set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session` : `set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session or configure ${MUTATION_APPROVAL_TOKEN_ENV}`;
+  throw new Error(`Fleet mutation blocked: ${options.surface}.${options.operation} requires operator approval; ${approvalHint}.`);
+}
+
+// src/remote.ts
+import { spawnSync as spawnSync2 } from "child_process";
+import { existsSync as existsSync5, mkdtempSync, readFileSync as readFileSync3, rmSync } from "fs";
+import { hostname as hostname5, tmpdir } from "os";
+import { join as join4 } from "path";
+
 // src/topology.ts
 import { existsSync as existsSync4 } from "fs";
 import { arch as arch2, hostname as hostname4, platform as platform2, userInfo as userInfo2 } from "os";
@@ -5579,6 +5858,16 @@ function resolveMachineWorkspace(options) {
 function shellQuote2(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function validateSshTarget(target) {
+  const trimmed = target.trim();
+  if (!trimmed || trimmed.startsWith("-") || /[\s"'`$\\;&|<>()[\]{}]/.test(trimmed)) {
+    throw new Error(`Unsafe SSH target: ${target}`);
+  }
+  if (!/^(?:[A-Za-z0-9._%+-]+@)?[A-Za-z0-9._:-]+$/.test(trimmed)) {
+    throw new Error(`Unsafe SSH target: ${target}`);
+  }
+  return trimmed;
+}
 function resolveSshTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -5589,15 +5878,25 @@ function resolveSshTarget(machineId, options = {}) {
   }
   return {
     machineId: resolved.machine_id ?? machineId,
-    target: resolved.command_target ?? resolved.target,
+    target: validateSshTarget(resolved.command_target ?? resolved.target),
     route: resolved.route,
     confidence: resolved.confidence,
     warnings: resolved.warnings
   };
 }
 function buildSshCommand(machineId, remoteCommand, options = {}) {
+  return buildSshCommandPlan(machineId, remoteCommand, options).shellCommand;
+}
+function buildSshCommandPlan(machineId, remoteCommand, options = {}) {
   const resolved = resolveSshTarget(machineId, options);
-  return remoteCommand ? `ssh ${resolved.target} ${shellQuote2(remoteCommand)}` : `ssh ${resolved.target}`;
+  const args = remoteCommand ? [resolved.target, remoteCommand] : [resolved.target];
+  const shellCommand2 = `ssh ${args.map(shellQuote2).join(" ")}`;
+  return {
+    ...resolved,
+    command: "ssh",
+    args,
+    shellCommand: shellCommand2
+  };
 }
 
 // src/remote.ts
@@ -5609,35 +5908,233 @@ function machineIsLocal(machineId, localMachineId) {
 }
 function resolveMachineCommand(machineId, command, localMachineId = getLocalMachineId()) {
   if (machineIsLocal(machineId, localMachineId)) {
-    return { source: "local", shellCommand: command };
+    return { source: "local", command: "bash", args: ["-c", command], shellCommand: command, usesShell: true };
   }
   try {
+    const plan = buildSshCommandPlan(machineId, command);
     return {
-      source: resolveSshTarget(machineId).route,
-      shellCommand: buildSshCommand(machineId, command)
+      source: plan.route,
+      command: plan.command,
+      args: plan.args,
+      shellCommand: plan.shellCommand,
+      usesShell: false
     };
   } catch (error) {
     const message = String(error.message ?? error);
     if (message.includes("Machine route not found") || message.includes("Machine not found in manifest")) {
-      return { source: "ssh", shellCommand: `ssh ${shellQuote3(machineId)} ${shellQuote3(command)}` };
+      const target = validateSshTarget(machineId);
+      return {
+        source: "ssh",
+        command: "ssh",
+        args: [target, command],
+        shellCommand: `ssh ${shellQuote3(target)} ${shellQuote3(command)}`,
+        usesShell: false
+      };
     }
     throw error;
   }
 }
-function runMachineCommand(machineId, command) {
+function runMachineCommand(machineId, command, options = {}) {
   const resolved = resolveMachineCommand(machineId, command);
-  const result = spawnSync2("bash", ["-c", resolved.shellCommand], {
+  if (options.timeoutMs && options.timeoutMs > 0 && process.platform !== "win32") {
+    return runMachineCommandWithProcessGroupTimeout(machineId, resolved, options);
+  }
+  const result = spawnSync2(resolved.command, resolved.args, {
     encoding: "utf8",
-    env: process.env
+    env: process.env,
+    timeout: options.timeoutMs,
+    killSignal: "SIGTERM"
   });
+  const timedOut = Boolean(result.error && "code" in result.error && result.error.code === "ETIMEDOUT");
+  const timeoutMessage = timedOut ? `Command timed out after ${options.timeoutMs}ms.` : "";
+  const stderr = [result.stderr || "", timeoutMessage].filter(Boolean).join(result.stderr ? `
+` : "");
   return {
     machineId,
     source: resolved.source,
     stdout: result.stdout || "",
-    stderr: result.stderr || "",
-    exitCode: result.status ?? 1
+    stderr,
+    exitCode: timedOut ? 124 : result.status ?? 1,
+    timedOut,
+    signal: result.signal
   };
 }
+function runMachineCommandWithProcessGroupTimeout(machineId, resolved, options) {
+  const timeoutMs = Math.max(1, options.timeoutMs ?? 1);
+  const killGraceMs = Math.max(1, options.killGraceMs ?? 1000);
+  const helperDir = mkdtempSync(join4(tmpdir(), "machines-timeout-helper-"));
+  const pgidFile = join4(helperDir, "pgid");
+  const helper = spawnSync2(process.execPath, ["--eval", PROCESS_GROUP_TIMEOUT_HELPER], {
+    input: JSON.stringify({ command: resolved.command, args: resolved.args }),
+    encoding: "utf8",
+    env: {
+      ...process.env,
+      HASNA_MACHINES_COMMAND_TIMEOUT_MS: String(timeoutMs),
+      HASNA_MACHINES_COMMAND_KILL_GRACE_MS: String(killGraceMs),
+      HASNA_MACHINES_COMMAND_PGID_FILE: pgidFile
+    },
+    timeout: timeoutMs + killGraceMs + 2000,
+    killSignal: "SIGKILL",
+    maxBuffer: 64 * 1024 * 1024
+  });
+  try {
+    const parsed = parseHelperResult(helper.stdout);
+    if (parsed) {
+      return {
+        machineId,
+        source: resolved.source,
+        stdout: parsed.stdout,
+        stderr: parsed.stderr,
+        exitCode: parsed.exitCode,
+        timedOut: parsed.timedOut,
+        signal: parsed.signal
+      };
+    }
+    const helperTimedOut = Boolean(helper.error && "code" in helper.error && helper.error.code === "ETIMEDOUT");
+    if (helperTimedOut)
+      killPublishedProcessGroup(pgidFile);
+    const timeoutMessage = helperTimedOut ? `Command timed out after ${timeoutMs}ms; timeout helper exceeded cleanup grace ${killGraceMs}ms.` : "";
+    const stderr = [helper.stderr || "", timeoutMessage].filter(Boolean).join(helper.stderr ? `
+` : "");
+    return {
+      machineId,
+      source: resolved.source,
+      stdout: "",
+      stderr,
+      exitCode: helperTimedOut ? 124 : helper.status ?? 1,
+      timedOut: helperTimedOut,
+      signal: helper.signal
+    };
+  } finally {
+    rmSync(helperDir, { recursive: true, force: true });
+  }
+}
+function killPublishedProcessGroup(pgidFile) {
+  if (!existsSync5(pgidFile))
+    return;
+  try {
+    const pid = Number.parseInt(readFileSync3(pgidFile, "utf8").trim(), 10);
+    if (!Number.isInteger(pid) || pid <= 1)
+      return;
+    process.kill(-pid, "SIGKILL");
+  } catch {}
+}
+function parseHelperResult(stdout) {
+  if (!stdout)
+    return null;
+  try {
+    const parsed = JSON.parse(stdout);
+    if (typeof parsed.stdout !== "string" || typeof parsed.stderr !== "string" || typeof parsed.exitCode !== "number")
+      return null;
+    return {
+      machineId: "",
+      source: "local",
+      stdout: parsed.stdout,
+      stderr: parsed.stderr,
+      exitCode: parsed.exitCode,
+      timedOut: parsed.timedOut === true,
+      signal: typeof parsed.signal === "string" ? parsed.signal : null
+    };
+  } catch {
+    return null;
+  }
+}
+var PROCESS_GROUP_TIMEOUT_HELPER = `
+	const { spawn } = require("node:child_process");
+	const { readFileSync, writeFileSync } = require("node:fs");
+
+	const plan = JSON.parse(readFileSync(0, "utf8"));
+	const command = String(plan.command || "");
+	const args = Array.isArray(plan.args) ? plan.args.map(String) : [];
+	const timeoutMs = Math.max(1, Number.parseInt(process.env.HASNA_MACHINES_COMMAND_TIMEOUT_MS || "1", 10));
+	const killGraceMs = Math.max(1, Number.parseInt(process.env.HASNA_MACHINES_COMMAND_KILL_GRACE_MS || "1000", 10));
+	const pgidFile = process.env.HASNA_MACHINES_COMMAND_PGID_FILE || "";
+	let stdout = "";
+	let stderr = "";
+	let timedOut = false;
+	let finished = false;
+let timeoutTimer;
+let killTimer;
+let sigkillSent = false;
+let pendingExit = null;
+
+const child = spawn(command, args, {
+  detached: true,
+  stdio: ["ignore", "pipe", "pipe"],
+	  env: process.env,
+	});
+
+	if (pgidFile && child.pid) {
+	  try {
+	    writeFileSync(pgidFile, String(child.pid), { mode: 0o600 });
+	  } catch {}
+	}
+
+function appendText(target, chunk) {
+  return target + String(chunk);
+}
+
+	function killTarget(signal) {
+	  if (!child.pid) return;
+	  if (process.platform === "win32") {
+	    try {
+	      process.kill(child.pid, signal);
+	    } catch {}
+	    return;
+	  }
+	  try {
+	    process.kill(-child.pid, signal);
+	  } catch {}
+	}
+
+	function finish(code, signal) {
+	  if (finished) return;
+  if (timedOut && !sigkillSent) {
+    pendingExit = { code, signal };
+    return;
+  }
+  finished = true;
+  if (timeoutTimer) clearTimeout(timeoutTimer);
+  if (killTimer) clearTimeout(killTimer);
+	  if (timedOut) {
+	    stderr = [stderr, "Command timed out after " + timeoutMs + "ms."].filter(Boolean).join(stderr ? "\\n" : "");
+	  }
+	  const exitCode = timedOut ? 124 : code ?? 1;
+	  process.stdout.write(JSON.stringify({
+	    stdout,
+	    stderr,
+	    exitCode,
+	    timedOut,
+	    signal: signal ?? null,
+	  }), () => process.exit(exitCode));
+	}
+
+	child.stdout.setEncoding("utf8");
+	child.stderr.setEncoding("utf8");
+	child.stdout.on("data", (chunk) => { stdout = appendText(stdout, chunk); });
+	child.stderr.on("data", (chunk) => { stderr = appendText(stderr, chunk); });
+	let childExit = { code: null, signal: null };
+	child.on("error", (error) => {
+	    stderr = [stderr, error instanceof Error ? error.message : String(error)].filter(Boolean).join(stderr ? "\\n" : "");
+	    finish(1, null);
+	});
+	child.on("exit", (code, signal) => {
+	  childExit = { code, signal };
+	});
+	child.on("close", (code, signal) => {
+	  finish(code ?? childExit.code, signal ?? childExit.signal);
+	});
+
+timeoutTimer = setTimeout(() => {
+  timedOut = true;
+  killTarget("SIGTERM");
+  killTimer = setTimeout(() => {
+    sigkillSent = true;
+    killTarget("SIGKILL");
+    if (pendingExit) finish(pendingExit.code, pendingExit.signal);
+  }, killGraceMs);
+}, timeoutMs);
+`;
 function describeMachineCommandFailure(operation, result) {
   const detail = (result.stderr || result.stdout || "").trim();
   const suffix = detail ? `: ${detail}` : "";
@@ -5742,12 +6239,12 @@ function listApps(machineId) {
 }
 function buildAppsPlan(machineId) {
   const machine = resolveMachine(machineId);
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildAppSteps(machine),
     executed: 0
-  };
+  });
 }
 function getAppsStatus(machineId, runner = runMachineCommand) {
   const machine = resolveMachine(machineId);
@@ -5770,10 +6267,10 @@ function diffApps(machineId, runner = runMachineCommand) {
     installed: status.apps.filter((app) => app.installed).map((app) => app.name)
   };
 }
-function runAppsInstall(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildAppsPlan(machineId);
+function runAppsPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("App installation requires --yes.");
   }
@@ -5782,30 +6279,30 @@ function runAppsInstall(machineId, options = {}, runner = runMachineCommand) {
     requireMachineCommandSuccess(`App install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 
 // src/commands/cert.ts
 import { homedir as homedir3, platform as platform3 } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 function quote2(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
 function certDir() {
-  return join4(homedir3(), ".hasna", "machines", "certs");
+  return join5(homedir3(), ".hasna", "machines", "certs");
 }
 function buildCertPlan(domains) {
   if (domains.length === 0) {
     throw new Error("At least one domain is required.");
   }
   const primary = domains[0];
-  const certPath = join4(certDir(), `${primary}.pem`);
-  const keyPath = join4(certDir(), `${primary}-key.pem`);
+  const certPath = join5(certDir(), `${primary}.pem`);
+  const keyPath = join5(certDir(), `${primary}-key.pem`);
   const steps = [];
   if (platform3() === "darwin") {
     steps.push({
@@ -5869,16 +6366,16 @@ function runCertPlan(domains, options = {}) {
 }
 
 // src/commands/dns.ts
-import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join5 } from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { join as join6 } from "path";
 function getDnsPath() {
-  return join5(getDataDir(), "dns.json");
+  return join6(getDataDir(), "dns.json");
 }
 function readMappings() {
   const path = getDnsPath();
-  if (!existsSync5(path))
+  if (!existsSync6(path))
     return [];
-  return JSON.parse(readFileSync3(path, "utf8"));
+  return JSON.parse(readFileSync4(path, "utf8"));
 }
 function writeMappings(mappings) {
   const path = getDnsPath();
@@ -5905,10 +6402,10 @@ function renderDomainMapping(domain) {
     hostsEntry: `${entry.targetHost} ${entry.domain}`,
     caddySnippet: `${entry.domain} {
   reverse_proxy 127.0.0.1:${entry.port}
-  tls ${join5(getDataDir(), "certs", `${entry.domain}.pem`)} ${join5(getDataDir(), "certs", `${entry.domain}-key.pem`)}
+  tls ${join6(getDataDir(), "certs", `${entry.domain}.pem`)} ${join6(getDataDir(), "certs", `${entry.domain}-key.pem`)}
 }`,
-    certPath: join5(getDataDir(), "certs", `${entry.domain}.pem`),
-    keyPath: join5(getDataDir(), "certs", `${entry.domain}-key.pem`)
+    certPath: join6(getDataDir(), "certs", `${entry.domain}.pem`),
+    keyPath: join6(getDataDir(), "certs", `${entry.domain}-key.pem`)
   };
 }
 
@@ -5954,8 +6451,8 @@ function diffMachines(leftMachineId, rightMachineId) {
 }
 
 // src/commands/daemon.ts
-import { chmodSync, existsSync as existsSync6, readFileSync as readFileSync4, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
-import { dirname as dirname4 } from "path";
+import { chmodSync, existsSync as existsSync7, readFileSync as readFileSync5, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
+import { delimiter, dirname as dirname4 } from "path";
 import { platform as osPlatform } from "os";
 var DEFAULT_SERVICE_NAME = "machines-agent";
 var DEFAULT_EXECUTABLE = "/usr/local/bin/machines-agent";
@@ -6219,19 +6716,31 @@ WantedBy=${options.mode === "system" ? "multi-user.target" : "default.target"}
 `;
 }
 function daemonProgramArguments(options) {
-  const bunRuntime = siblingBunRuntime(options.executable);
+  const bunRuntime = bunRuntimeForExecutable(options.executable);
   const base = bunRuntime ? [bunRuntime, options.executable] : [options.executable];
   return [...base, "--interval-ms", String(options.intervalMs)];
 }
-function siblingBunRuntime(executable) {
+function bunRuntimeForExecutable(executable) {
   if (!isBunShebangScript(executable))
     return null;
-  const candidate = `${dirname4(executable)}/bun`;
-  return isExecutableFile(candidate) ? candidate : null;
+  for (const candidate of bunRuntimeCandidates(executable)) {
+    if (isExecutableFile(candidate))
+      return candidate;
+  }
+  return null;
+}
+function bunRuntimeCandidates(executable) {
+  const candidates = [
+    `${dirname4(executable)}/bun`,
+    process.env["BUN_INSTALL"] ? `${process.env["BUN_INSTALL"]}/bin/bun` : null,
+    process.env["HOME"] ? `${process.env["HOME"]}/.bun/bin/bun` : null,
+    ...(process.env["PATH"] ?? "").split(delimiter).filter(Boolean).map((entry) => `${entry}/bun`)
+  ].filter((value) => Boolean(value));
+  return [...new Set(candidates)];
 }
 function isBunShebangScript(executable) {
   try {
-    const content = readFileSync4(executable, "utf8").slice(0, 256);
+    const content = readFileSync5(executable, "utf8").slice(0, 256);
     const firstLine = content.split(/\r?\n/, 1)[0] ?? "";
     return /^#!.*\bbun\b/.test(firstLine);
   } catch {
@@ -6239,7 +6748,7 @@ function isBunShebangScript(executable) {
   }
 }
 function isExecutableFile(path) {
-  if (!existsSync6(path))
+  if (!existsSync7(path))
     return false;
   try {
     const stats = statSync(path);
@@ -6529,12 +7038,12 @@ function parseProbe(tool, stdout) {
 }
 function buildClaudeInstallPlan(machineId, tools) {
   const machine = resolveMachine2(machineId);
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildInstallSteps(machine, tools),
     executed: 0
-  };
+  });
 }
 function getClaudeCliStatus(machineId, tools, runner = runMachineCommand) {
   const machine = resolveMachine2(machineId);
@@ -6557,10 +7066,10 @@ function diffClaudeCli(machineId, tools, runner = runMachineCommand) {
     installed: status.tools.filter((tool) => tool.installed).map((tool) => tool.tool)
   };
 }
-function runClaudeInstall(machineId, tools, options = {}, runner = runMachineCommand) {
-  const plan = buildClaudeInstallPlan(machineId, tools);
+function runClaudeInstallPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("Claude CLI installation requires --yes.");
   }
@@ -6569,12 +7078,12 @@ function runClaudeInstall(machineId, tools, options = {}, runner = runMachineCom
     requireMachineCommandSuccess(`AI CLI install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 
 // src/commands/install-tailscale.ts
@@ -6614,17 +7123,17 @@ function buildTailscaleInstallPlan(machineId) {
   if (!machine) {
     throw new Error(`Machine not found in manifest: ${machineId}`);
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildInstallSteps2(machine),
     executed: 0
-  };
+  });
 }
-function runTailscaleInstall(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildTailscaleInstallPlan(machineId);
+function runTailscaleInstallPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("Tailscale install requires --yes.");
   }
@@ -6633,20 +7142,22 @@ function runTailscaleInstall(machineId, options = {}, runner = runMachineCommand
     requireMachineCommandSuccess(`Tailscale install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 
 // src/commands/notifications.ts
-import { existsSync as existsSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { accessSync, constants, existsSync as existsSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
+import { delimiter as delimiter2, isAbsolute, join as join7 } from "path";
 var notificationChannelSchema = exports_external.object({
   id: exports_external.string(),
   type: exports_external.enum(["email", "webhook", "command"]),
   target: exports_external.string(),
+  commandArgs: exports_external.array(exports_external.string()).optional(),
   events: exports_external.array(exports_external.string()),
   enabled: exports_external.boolean()
 });
@@ -6655,19 +7166,31 @@ var notificationConfigSchema = exports_external.object({
   updatedAt: exports_external.string().optional(),
   channels: exports_external.array(notificationChannelSchema)
 });
+var trustedNotificationApproval = Symbol("trustedNotificationApproval");
+function createTrustedNotificationApproval() {
+  return { [trustedNotificationApproval]: true };
+}
+function isTrustedNotificationApproval(approval) {
+  return approval?.[trustedNotificationApproval] === true;
+}
 function sortChannels(channels) {
   return [...channels].sort((left, right) => left.id.localeCompare(right.id));
 }
-function shellQuote5(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
-}
 function hasCommand2(binary) {
-  const result = Bun.spawnSync(["bash", "-lc", `command -v ${binary} >/dev/null 2>&1`], {
-    stdout: "ignore",
-    stderr: "ignore",
-    env: process.env
-  });
-  return result.exitCode === 0;
+  return Boolean(resolveExecutable(binary));
+}
+function resolveExecutable(binary) {
+  const trimmed = binary.trim();
+  if (!trimmed)
+    return null;
+  const candidates = isAbsolute(trimmed) ? [trimmed] : (process.env.PATH ?? "").split(delimiter2).filter(Boolean).map((dir) => join7(dir, trimmed));
+  for (const candidate of candidates) {
+    try {
+      accessSync(candidate, constants.X_OK);
+      return candidate;
+    } catch {}
+  }
+  return null;
 }
 function buildNotificationPreview(channel, event, message) {
   if (channel.type === "email") {
@@ -6676,7 +7199,8 @@ function buildNotificationPreview(channel, event, message) {
   if (channel.type === "webhook") {
     return `POST ${channel.target} with payload {"event":"${event}","message":"${message}"}`;
   }
-  return `${channel.target} --event ${event} --message ${JSON.stringify(message)}`;
+  const args = channel.commandArgs?.length ? ` ${channel.commandArgs.join(" ")}` : "";
+  return `${channel.target}${args} with HASNA_MACHINES_NOTIFICATION_* environment`;
 }
 async function dispatchEmail(channel, event, message) {
   const subject = `[${event}] machines notification`;
@@ -6687,7 +7211,7 @@ Content-Type: text/plain; charset=utf-8
 ${message}
 `;
   if (hasCommand2("sendmail")) {
-    const result = Bun.spawnSync(["bash", "-lc", "sendmail -t"], {
+    const result = Bun.spawnSync(["sendmail", "-t"], {
       stdin: new TextEncoder().encode(body),
       stdout: "pipe",
       stderr: "pipe",
@@ -6705,8 +7229,9 @@ ${message}
     };
   }
   if (hasCommand2("mail")) {
-    const command2 = `printf %s ${shellQuote5(message)} | mail -s ${shellQuote5(subject)} ${shellQuote5(channel.target)}`;
-    const result = Bun.spawnSync(["bash", "-lc", command2], {
+    const result = Bun.spawnSync(["mail", "-s", subject, channel.target], {
+      stdin: new TextEncoder().encode(`${message}
+`),
       stdout: "pipe",
       stderr: "pipe",
       env: process.env
@@ -6749,8 +7274,20 @@ async function dispatchWebhook(channel, event, message) {
     detail: `Webhook accepted with HTTP ${response.status}`
   };
 }
-async function dispatchCommand(channel, event, message) {
-  const result = Bun.spawnSync(["bash", "-lc", channel.target], {
+async function dispatchCommand(channel, event, message, options = {}) {
+  if (!isTrustedNotificationApproval(options.trustedApproval)) {
+    assertMutationApproved({
+      surface: "notifications",
+      operation: "dispatch_command",
+      resourceId: channel.id,
+      approvalToken: options.approvalToken
+    });
+  }
+  const executable = resolveExecutable(channel.target);
+  if (!executable) {
+    throw new Error(`Command executable not found or not executable: ${channel.target}`);
+  }
+  const result = Bun.spawnSync([executable, ...channel.commandArgs ?? []], {
     stdout: "pipe",
     stderr: "pipe",
     env: {
@@ -6772,7 +7309,7 @@ async function dispatchCommand(channel, event, message) {
     detail: stdout || "Command completed successfully"
   };
 }
-async function dispatchChannel(channel, event, message) {
+async function dispatchChannel(channel, event, message, options = {}) {
   if (!channel.enabled) {
     return {
       channelId: channel.id,
@@ -6788,7 +7325,7 @@ async function dispatchChannel(channel, event, message) {
   if (channel.type === "webhook") {
     return dispatchWebhook(channel, event, message);
   }
-  return dispatchCommand(channel, event, message);
+  return dispatchCommand(channel, event, message, options);
 }
 function getDefaultNotificationConfig() {
   return {
@@ -6798,10 +7335,10 @@ function getDefaultNotificationConfig() {
   };
 }
 function readNotificationConfig(path = getNotificationsPath()) {
-  if (!existsSync7(path)) {
+  if (!existsSync8(path)) {
     return getDefaultNotificationConfig();
   }
-  return notificationConfigSchema.parse(JSON.parse(readFileSync5(path, "utf8")));
+  return notificationConfigSchema.parse(JSON.parse(readFileSync6(path, "utf8")));
 }
 function writeNotificationConfig(config, path = getNotificationsPath()) {
   ensureParentDir(path);
@@ -6817,11 +7354,20 @@ function writeNotificationConfig(config, path = getNotificationsPath()) {
 function listNotificationChannels() {
   return readNotificationConfig();
 }
-function addNotificationChannel(channel) {
+function addNotificationChannel(channel, options = {}) {
+  if (channel.type === "command" && !isTrustedNotificationApproval(options.trustedApproval)) {
+    assertMutationApproved({
+      surface: "notifications",
+      operation: "add_command_channel",
+      resourceId: channel.id,
+      approvalToken: options.approvalToken
+    });
+  }
   const config = readNotificationConfig();
   const channels = config.channels.filter((entry) => entry.id !== channel.id);
   channels.push({
     ...channel,
+    commandArgs: channel.commandArgs?.map(String),
     events: [...new Set(channel.events)]
   });
   return writeNotificationConfig({ ...config, channels });
@@ -6843,7 +7389,7 @@ async function dispatchNotificationEvent(event, message, options = {}) {
   const deliveries = [];
   for (const channel of channels) {
     try {
-      deliveries.push(await dispatchChannel(channel, event, message));
+      deliveries.push(await dispatchChannel(channel, event, message, { approvalToken: options.approvalToken, trustedApproval: options.trustedApproval }));
     } catch (error) {
       deliveries.push({
         channelId: channel.id,
@@ -6878,7 +7424,7 @@ async function testNotificationChannel(channelId, event = "manual.test", message
   if (!options.yes) {
     throw new Error("Notification test execution requires --yes.");
   }
-  const delivery = await dispatchChannel(channel, event, message);
+  const delivery = await dispatchChannel(channel, event, message, { approvalToken: options.approvalToken, trustedApproval: options.trustedApproval });
   return {
     channelId,
     mode: "apply",
@@ -6943,7 +7489,7 @@ function listPorts(machineId) {
 }
 
 // src/commands/serve.ts
-import { EventsClient, sanitizeChannelsForOutput } from "@hasna/events";
+import { EventsClient, getEventsDataDir, sanitizeChannelsForOutput } from "@hasna/events";
 
 // src/agent/runtime.ts
 import { arch as arch3, hostname as hostname6, platform as platform4, release, uptime, version as osVersion } from "os";
@@ -7502,7 +8048,7 @@ function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
 function getServeInfo(options = {}) {
-  const host = options.host || "0.0.0.0";
+  const host = options.host || "127.0.0.1";
   const port = options.port || 7676;
   return {
     host,
@@ -7799,17 +8345,17 @@ function buildSetupPlan(machineId) {
     workspacePath: `${homedir4()}/workspace`
   };
   const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
-  return {
+  return attachMutationPlanDigest({
     machineId: target.id,
     mode: "plan",
     steps,
     executed: 0
-  };
+  });
 }
-function runSetup(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildSetupPlan(machineId);
+function runSetupPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply) {
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   }
   if (!options.yes) {
     throw new Error("Setup execution requires --yes.");
@@ -7830,18 +8376,18 @@ function runSetup(machineId, options = {}, runner = runMachineCommand) {
     }
     executed += 1;
   }
-  const summary = {
+  const summary = attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
   recordSetupRun(plan.machineId, "completed", summary);
   return summary;
 }
 
 // src/commands/sync.ts
-import { existsSync as existsSync8, lstatSync, readFileSync as readFileSync6, symlinkSync, copyFileSync } from "fs";
+import { existsSync as existsSync9, lstatSync, readFileSync as readFileSync7, symlinkSync, copyFileSync } from "fs";
 import { homedir as homedir5 } from "os";
 function quote4(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
@@ -7894,15 +8440,15 @@ function detectFileActions(machine) {
     throw new Error(`Remote file sync planning is not supported for ${machine.id}; refusing to inspect or apply local paths as remote state.`);
   }
   return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync8(file.source);
-    const targetExists = existsSync8(file.target);
+    const sourceExists = existsSync9(file.source);
+    const targetExists = existsSync9(file.target);
     let status = "missing";
     if (sourceExists && targetExists) {
       if (file.mode === "symlink") {
         status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
       } else {
-        const source = readFileSync6(file.source, "utf8");
-        const target = readFileSync6(file.target, "utf8");
+        const source = readFileSync7(file.source, "utf8");
+        const target = readFileSync7(file.target, "utf8");
         status = source === target ? "ok" : "drifted";
       }
     }
@@ -7932,12 +8478,12 @@ function buildSyncPlan(machineId, runner = runMachineCommand) {
     ...detectPackageActions(target, runner),
     ...detectFileActions(target)
   ];
-  return {
+  return attachMutationPlanDigest({
     machineId: target.id,
     mode: "plan",
     actions,
     executed: 0
-  };
+  });
 }
 function applyFileAction(command2) {
   const [verb, source, target] = command2.split(" ");
@@ -7959,10 +8505,10 @@ function applyFileAction(command2) {
     symlinkSync(sourcePath, targetPath);
   }
 }
-function runSync(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildSyncPlan(machineId, runner);
+function runSyncPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply) {
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   }
   if (!options.yes) {
     throw new Error("Sync execution requires --yes.");
@@ -7989,12 +8535,12 @@ function runSync(machineId, options = {}, runner = runMachineCommand) {
     }
     executed += 1;
   }
-  const summary = {
+  const summary = attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     actions: plan.actions,
     executed
-  };
+  });
   recordSyncRun(plan.machineId, "completed", summary);
   return summary;
 }
@@ -8007,7 +8553,7 @@ var DEFAULT_COMMANDS = [
 function defaultPackages() {
   return [{ name: "@hasna/machines", command: "machines", expectedVersion: getPackageVersion(), required: true }];
 }
-function shellQuote6(value) {
+function shellQuote5(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
 function commandId(value) {
@@ -8058,7 +8604,7 @@ function defaultRunner2(machineId, command2) {
   return runMachineCommand(machineId, command2);
 }
 function inspectCommand(machineId, spec, runner) {
-  const command2 = shellQuote6(spec.command);
+  const command2 = shellQuote5(spec.command);
   const versionArgs = spec.versionArgs ?? "--version";
   const script = [
     `cmd=${command2}`,
@@ -8087,7 +8633,7 @@ function fieldCommand(field) {
 }
 function inspectWorkspace(machineId, spec, runner) {
   const script = [
-    `path=${shellQuote6(spec.path)}`,
+    `path=${shellQuote5(spec.path)}`,
     'printf "exists=%s\\n" "$(test -d "$path" && printf yes || printf no)"',
     'pkg="$path/package.json"',
     'printf "package_json=%s\\n" "$(test -f "$pkg" && printf yes || printf no)"',
@@ -8240,8 +8786,8 @@ function checkMachineCompatibility(options = {}) {
   };
 }
 // src/mcp/server.ts
-function buildServer(version = getPackageVersion()) {
-  return createMcpServer(version);
+function buildServer(version = getPackageVersion(), options = {}) {
+  return createMcpServer(version, options);
 }
 function privateMetadataAllowed(requested) {
   return requested === true && isPrivateOutputEnabled();
@@ -8255,9 +8801,50 @@ function appendWarnings(payload, warnings) {
   const currentWarnings = typeof payload === "object" && payload && "warnings" in payload && Array.isArray(payload.warnings) ? payload.warnings : [];
   return { ...payload, warnings: [...currentWarnings, ...warnings] };
 }
-function createMcpServer(version) {
+var approvalTokenSchema = exports_external.string().optional().describe("Operator mutation approval token");
+function mutationMachineId(machineId) {
+  return machineId?.trim() || "local";
+}
+function mutationResourceId(kind, ...parts) {
+  const values = parts.map((part) => String(part ?? "*").trim()).filter(Boolean).join(":");
+  return values ? `${kind}:${values}` : kind;
+}
+function mutationCallerId() {
+  return process.env["HASNA_MACHINES_MUTATION_CALLER_ID"]?.trim() || "mcp";
+}
+function mutationRunId() {
+  return process.env["HASNA_MACHINES_MUTATION_RUN_ID"]?.trim() || "mcp";
+}
+function assertScopedMcpMutation(operation, approvalToken, scope = {}, transport) {
+  assertMutationApproved({
+    surface: "mcp",
+    operation,
+    transport,
+    callerId: mutationCallerId(),
+    runId: mutationRunId(),
+    machineId: scope.machineId === undefined ? undefined : mutationMachineId(scope.machineId),
+    resourceId: scope.resourceId === undefined || scope.resourceId === null ? undefined : scope.resourceId,
+    args: scope.args,
+    approvalToken
+  });
+}
+function mcpPlanApprovalArgs(args, plan) {
+  return {
+    ...args,
+    plan_digest: mutationPlanDigest(plan)
+  };
+}
+function mcpPlanResourceId(operation, machineId, plan) {
+  return mutationResourceId("plan", operation, machineId, mutationPlanDigest(plan));
+}
+function createMcpServer(version, options = {}) {
   const server = new McpServer({ name: "machines", version });
   const events = new EventsClient2;
+  const trustedNotificationApproval2 = createTrustedNotificationApproval();
+  const mutationTransport = options.mutationTransport ?? "mcp:stdio";
+  function requireMcpMutation(operation, approvalToken, scope = {}) {
+    assertScopedMcpMutation(operation, approvalToken, scope, mutationTransport);
+  }
   server.tool("machines_status", "Return local machine fleet status paths and machine identity.", { private_metadata: exports_external.boolean().optional().describe("Include private local paths and machine identifiers") }, async ({ private_metadata }) => {
     const privateMetadata = privateMetadataAllowed(private_metadata);
     const warnings = privateOutputWarnings(private_metadata, privateMetadata);
@@ -8271,18 +8858,31 @@ function createMcpServer(version) {
   server.tool("machines_apps_status", "Check installed state for manifest-managed apps.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(getAppsStatus(machine_id), null, 2) }] }));
   server.tool("machines_apps_diff", "Show missing and installed manifest-managed apps.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(diffApps(machine_id), null, 2) }] }));
   server.tool("machines_apps_plan", "Preview app install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildAppsPlan(machine_id), null, 2) }] }));
-  server.tool("machines_apps_apply", "Install manifest-managed apps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runAppsInstall(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_apps_apply", "Install manifest-managed apps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildAppsPlan(machine_id);
+    requireMcpMutation("machines_apps_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_apps_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runAppsPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_manifest", "Read the current fleet manifest.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(manifestList(), null, 2) }]
   }));
   server.tool("machines_manifest_validate", "Validate the current fleet manifest.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(manifestValidate(), null, 2) }]
   }));
-  server.tool("machines_manifest_bootstrap", "Detect and upsert the current machine into the fleet manifest.", {}, async () => ({
-    content: [{ type: "text", text: JSON.stringify(manifestBootstrapCurrentMachine(), null, 2) }]
-  }));
+  server.tool("machines_manifest_bootstrap", "Detect and upsert the current machine into the fleet manifest.", { approval_token: approvalTokenSchema }, async ({ approval_token }) => {
+    requireMcpMutation("machines_manifest_bootstrap", approval_token, { resourceId: "manifest:bootstrap", args: {} });
+    return { content: [{ type: "text", text: JSON.stringify(manifestBootstrapCurrentMachine(), null, 2) }] };
+  });
   server.tool("machines_manifest_get", "Read a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(manifestGet(machine_id), null, 2) }] }));
-  server.tool("machines_manifest_remove", "Remove a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(manifestRemove(machine_id), null, 2) }] }));
+  server.tool("machines_manifest_remove", "Remove a single machine from the fleet manifest.", { machine_id: exports_external.string().describe("Machine identifier"), approval_token: approvalTokenSchema }, async ({ machine_id, approval_token }) => {
+    requireMcpMutation("machines_manifest_remove", approval_token, { machineId: machine_id, args: { machine_id } });
+    return { content: [{ type: "text", text: JSON.stringify(manifestRemove(machine_id), null, 2) }] };
+  });
   server.tool("machines_agent_status", "List current machine agent heartbeats.", { private_metadata: exports_external.boolean().optional().describe("Include private heartbeat metadata") }, async ({ private_metadata }) => {
     const privateMetadata = privateMetadataAllowed(private_metadata);
     const warnings = privateOutputWarnings(private_metadata, privateMetadata);
@@ -8334,9 +8934,27 @@ function createMcpServer(version) {
     }]
   }));
   server.tool("machines_setup_preview", "Preview setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildSetupPlan(machine_id), null, 2) }] }));
-  server.tool("machines_setup_apply", "Execute setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runSetup(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_setup_apply", "Execute setup actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildSetupPlan(machine_id);
+    requireMcpMutation("machines_setup_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_setup_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runSetupPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_sync_preview", "Preview sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildSyncPlan(machine_id), null, 2) }] }));
-  server.tool("machines_sync_apply", "Execute sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runSync(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_sync_apply", "Execute sync actions for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildSyncPlan(machine_id);
+    requireMcpMutation("machines_sync_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_sync_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runSyncPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_topology", "Discover local, manifest, heartbeat, SSH, and Tailscale machine topology.", {
     include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json"),
     private_metadata: exports_external.boolean().optional().describe("Include private host/network route fields")
@@ -8391,12 +9009,31 @@ function createMcpServer(version) {
   server.tool("machines_install_claude_apply", "Execute Claude, Codex, and Gemini CLI install steps for a machine.", {
     machine_id: exports_external.string().optional().describe("Machine identifier"),
     tools: exports_external.array(exports_external.enum(["claude", "codex", "gemini"])).optional().describe("AI CLIs to install"),
-    yes: exports_external.boolean().describe("Confirmation flag for execution")
-  }, async ({ machine_id, tools, yes }) => ({
-    content: [{ type: "text", text: JSON.stringify(runClaudeInstall(machine_id, tools, { apply: true, yes }), null, 2) }]
-  }));
+    yes: exports_external.boolean().describe("Confirmation flag for execution"),
+    approval_token: approvalTokenSchema
+  }, async ({ machine_id, tools, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildClaudeInstallPlan(machine_id, tools);
+    requireMcpMutation("machines_install_claude_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_install_claude_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, tools, yes }, plan)
+    });
+    return {
+      content: [{ type: "text", text: JSON.stringify(runClaudeInstallPlan(plan, { apply: true, yes }), null, 2) }]
+    };
+  });
   server.tool("machines_install_tailscale_preview", "Preview Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier") }, async ({ machine_id }) => ({ content: [{ type: "text", text: JSON.stringify(buildTailscaleInstallPlan(machine_id), null, 2) }] }));
-  server.tool("machines_install_tailscale_apply", "Execute Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ machine_id, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runTailscaleInstall(machine_id, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_install_tailscale_apply", "Execute Tailscale install steps for a machine.", { machine_id: exports_external.string().optional().describe("Machine identifier"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ machine_id, yes, approval_token }) => {
+    const resolvedMachineId = mutationMachineId(machine_id);
+    const plan = buildTailscaleInstallPlan(machine_id);
+    requireMcpMutation("machines_install_tailscale_apply", approval_token, {
+      machineId: resolvedMachineId,
+      resourceId: mcpPlanResourceId("machines_install_tailscale_apply", resolvedMachineId, plan),
+      args: mcpPlanApprovalArgs({ machine_id: resolvedMachineId, yes }, plan)
+    });
+    return { content: [{ type: "text", text: JSON.stringify(runTailscaleInstallPlan(plan, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_route_resolve", "Resolve the best route for a machine using manifest, heartbeat, SSH, LAN, and Tailscale topology.", {
     machine_id: exports_external.string().describe("Machine identifier"),
     include_tailscale: exports_external.boolean().optional().describe("Whether to probe tailscale status --json"),
@@ -8464,41 +9101,72 @@ function createMcpServer(version) {
     content: [{ type: "text", text: JSON.stringify(listPorts(machine_id), null, 2) }]
   }));
   server.tool("machines_backup_preview", "Preview backup steps for the current machine.", { bucket: exports_external.string().optional().describe("S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET"), prefix: exports_external.string().optional().describe("S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines") }, async ({ bucket, prefix }) => ({ content: [{ type: "text", text: JSON.stringify(buildBackupPlan(bucket, prefix), null, 2) }] }));
-  server.tool("machines_backup_apply", "Execute backup steps for the current machine.", { bucket: exports_external.string().optional().describe("S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET"), prefix: exports_external.string().optional().describe("S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ bucket, prefix, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runBackup(bucket, prefix, { apply: true, yes }), null, 2) }] }));
+  server.tool("machines_backup_apply", "Execute backup steps for the current machine.", { bucket: exports_external.string().optional().describe("S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET"), prefix: exports_external.string().optional().describe("S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ bucket, prefix, yes, approval_token }) => {
+    requireMcpMutation("machines_backup_apply", approval_token, { resourceId: mutationResourceId("backup", bucket, prefix), args: { bucket, prefix, yes } });
+    return { content: [{ type: "text", text: JSON.stringify(runBackup(bucket, prefix, { apply: true, yes }), null, 2) }] };
+  });
   server.tool("machines_cert_preview", "Preview mkcert steps for one or more domains.", { domains: exports_external.array(exports_external.string()).describe("Domains to issue certificates for") }, async ({ domains }) => ({ content: [{ type: "text", text: JSON.stringify(buildCertPlan(domains), null, 2) }] }));
-  server.tool("machines_cert_apply", "Execute mkcert steps for one or more domains.", { domains: exports_external.array(exports_external.string()).describe("Domains to issue certificates for"), yes: exports_external.boolean().describe("Confirmation flag for execution") }, async ({ domains, yes }) => ({ content: [{ type: "text", text: JSON.stringify(runCertPlan(domains, { apply: true, yes }), null, 2) }] }));
-  server.tool("machines_dns_add", "Add or replace a local domain mapping.", { domain: exports_external.string().describe("Domain name"), port: exports_external.number().describe("Target port"), target_host: exports_external.string().optional().describe("Target host") }, async ({ domain, port, target_host }) => ({ content: [{ type: "text", text: JSON.stringify(addDomainMapping(domain, port, target_host), null, 2) }] }));
+  server.tool("machines_cert_apply", "Execute mkcert steps for one or more domains.", { domains: exports_external.array(exports_external.string()).describe("Domains to issue certificates for"), yes: exports_external.boolean().describe("Confirmation flag for execution"), approval_token: approvalTokenSchema }, async ({ domains, yes, approval_token }) => {
+    requireMcpMutation("machines_cert_apply", approval_token, { resourceId: mutationResourceId("cert", domains.join(",")), args: { domains, yes } });
+    return { content: [{ type: "text", text: JSON.stringify(runCertPlan(domains, { apply: true, yes }), null, 2) }] };
+  });
+  server.tool("machines_dns_add", "Add or replace a local domain mapping.", { domain: exports_external.string().describe("Domain name"), port: exports_external.number().describe("Target port"), target_host: exports_external.string().optional().describe("Target host"), approval_token: approvalTokenSchema }, async ({ domain, port, target_host, approval_token }) => {
+    const resolvedTargetHost = target_host ?? "127.0.0.1";
+    requireMcpMutation("machines_dns_add", approval_token, { resourceId: mutationResourceId("dns", domain), args: { domain, port, target_host: resolvedTargetHost } });
+    return { content: [{ type: "text", text: JSON.stringify(addDomainMapping(domain, port, resolvedTargetHost), null, 2) }] };
+  });
   server.tool("machines_dns_list", "List local domain mappings.", {}, async () => ({ content: [{ type: "text", text: JSON.stringify(listDomainMappings(), null, 2) }] }));
   server.tool("machines_dns_render", "Render hosts/proxy configuration for a domain.", { domain: exports_external.string().describe("Domain name") }, async ({ domain }) => ({ content: [{ type: "text", text: JSON.stringify(renderDomainMapping(domain), null, 2) }] }));
   server.tool("machines_notifications_add", "Add or replace a notification channel.", {
     channel_id: exports_external.string().describe("Channel identifier"),
     type: exports_external.enum(["email", "webhook", "command"]).describe("Notification transport"),
-    target: exports_external.string().describe("Email, webhook URL, or shell command"),
+    target: exports_external.string().describe("Email, webhook URL, or command executable"),
+    command_args: exports_external.array(exports_external.string()).optional().describe("Arguments for command transports"),
     events: exports_external.array(exports_external.string()).describe("Events routed to this channel"),
-    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled")
-  }, async ({ channel_id, type, target, events: events2, enabled }) => ({
-    content: [{ type: "text", text: JSON.stringify(addNotificationChannel({ id: channel_id, type, target, events: events2, enabled: enabled ?? true }), null, 2) }]
-  }));
+    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled"),
+    approval_token: approvalTokenSchema
+  }, async ({ channel_id, type, target, command_args, events: events2, enabled, approval_token }) => {
+    const resolvedEnabled = enabled ?? true;
+    const resolvedEvents = [...new Set(events2)];
+    const commandArgs = command_args ?? [];
+    requireMcpMutation("machines_notifications_add", approval_token, { resourceId: mutationResourceId("notification", channel_id), args: { channel_id, type, target, command_args: commandArgs, events: resolvedEvents, enabled: resolvedEnabled } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(addNotificationChannel({ id: channel_id, type, target, commandArgs: type === "command" && commandArgs.length > 0 ? commandArgs : undefined, events: resolvedEvents, enabled: resolvedEnabled }, { trustedApproval: trustedNotificationApproval2 }), null, 2) }]
+    };
+  });
   server.tool("machines_notifications_list", "List notification channels.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(listNotificationChannels(), null, 2) }]
   }));
-  server.tool("machines_notifications_test", "Preview or execute a notification test.", { channel_id: exports_external.string().describe("Channel identifier"), event: exports_external.string().optional().describe("Event name"), message: exports_external.string().optional().describe("Message body"), yes: exports_external.boolean().optional().describe("Execute the test when true") }, async ({ channel_id, event, message, yes }) => ({
-    content: [{ type: "text", text: JSON.stringify(await testNotificationChannel(channel_id, event, message, { apply: Boolean(yes), yes }), null, 2) }]
-  }));
-  server.tool("machines_notifications_dispatch", "Dispatch an event to matching notification channels.", { event: exports_external.string().describe("Event name"), message: exports_external.string().describe("Message body"), channel_id: exports_external.string().optional().describe("Limit delivery to one channel") }, async ({ event, message, channel_id }) => ({ content: [{ type: "text", text: JSON.stringify(await dispatchNotificationEvent(event, message, { channelId: channel_id }), null, 2) }] }));
-  server.tool("machines_notifications_remove", "Remove a notification channel.", { channel_id: exports_external.string().describe("Channel identifier") }, async ({ channel_id }) => ({ content: [{ type: "text", text: JSON.stringify(removeNotificationChannel(channel_id), null, 2) }] }));
+  server.tool("machines_notifications_test", "Preview or execute a notification test.", { channel_id: exports_external.string().describe("Channel identifier"), event: exports_external.string().optional().describe("Event name"), message: exports_external.string().optional().describe("Message body"), yes: exports_external.boolean().optional().describe("Execute the test when true"), approval_token: approvalTokenSchema }, async ({ channel_id, event, message, yes, approval_token }) => {
+    if (yes === true)
+      requireMcpMutation("machines_notifications_test", approval_token, { resourceId: mutationResourceId("notification-test", channel_id, event), args: { channel_id, event, message, yes: true } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await testNotificationChannel(channel_id, event, message, { apply: Boolean(yes), yes, trustedApproval: yes === true ? trustedNotificationApproval2 : undefined }), null, 2) }]
+    };
+  });
+  server.tool("machines_notifications_dispatch", "Dispatch an event to matching notification channels.", { event: exports_external.string().describe("Event name"), message: exports_external.string().describe("Message body"), channel_id: exports_external.string().optional().describe("Limit delivery to one channel"), approval_token: approvalTokenSchema }, async ({ event, message, channel_id, approval_token }) => {
+    requireMcpMutation("machines_notifications_dispatch", approval_token, { resourceId: mutationResourceId("notification-dispatch", channel_id, event), args: { event, message, channel_id } });
+    return { content: [{ type: "text", text: JSON.stringify(await dispatchNotificationEvent(event, message, { channelId: channel_id, trustedApproval: trustedNotificationApproval2 }), null, 2) }] };
+  });
+  server.tool("machines_notifications_remove", "Remove a notification channel.", { channel_id: exports_external.string().describe("Channel identifier"), approval_token: approvalTokenSchema }, async ({ channel_id, approval_token }) => {
+    requireMcpMutation("machines_notifications_remove", approval_token, { resourceId: mutationResourceId("notification", channel_id), args: { channel_id } });
+    return { content: [{ type: "text", text: JSON.stringify(removeNotificationChannel(channel_id), null, 2) }] };
+  });
   server.tool("machines_webhooks_add", "Add or replace a shared event webhook channel.", {
     channel_id: exports_external.string().describe("Channel identifier"),
     url: exports_external.string().url().describe("Webhook URL"),
     event_type: exports_external.string().optional().describe("Optional event type filter, e.g. machines.*"),
     source: exports_external.string().optional().describe("Optional source filter"),
     secret: exports_external.string().optional().describe("Optional HMAC secret"),
-    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled")
-  }, async ({ channel_id, url, event_type, source, secret, enabled }) => {
+    enabled: exports_external.boolean().optional().describe("Whether the channel is enabled"),
+    approval_token: approvalTokenSchema
+  }, async ({ channel_id, url, event_type, source, secret, enabled, approval_token }) => {
+    const resolvedEnabled = enabled ?? true;
+    requireMcpMutation("machines_webhooks_add", approval_token, { resourceId: mutationResourceId("webhook", channel_id), args: { channel_id, url, event_type, source, secret, enabled: resolvedEnabled } });
     const now = new Date().toISOString();
     const channel = await events.addChannel({
       id: channel_id,
-      enabled: enabled ?? true,
+      enabled: resolvedEnabled,
       transport: "webhook",
       filters: event_type || source ? [{ type: event_type, source }] : undefined,
       webhook: { url, secret },
@@ -8510,10 +9178,16 @@ function createMcpServer(version) {
   server.tool("machines_webhooks_list", "List shared event webhook channels.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(sanitizeChannelsForOutput2(await events.listChannels()), null, 2) }]
   }));
-  server.tool("machines_webhooks_test", "Send a test event to one shared event channel.", { channel_id: exports_external.string().describe("Channel identifier"), event_type: exports_external.string().optional().describe("Event type"), message: exports_external.string().optional().describe("Message body") }, async ({ channel_id, event_type, message }) => ({
-    content: [{ type: "text", text: JSON.stringify(await events.testChannel(channel_id, { source: "machines", type: event_type ?? "events.test", message }), null, 2) }]
-  }));
-  server.tool("machines_webhooks_remove", "Remove a shared event channel.", { channel_id: exports_external.string().describe("Channel identifier") }, async ({ channel_id }) => ({ content: [{ type: "text", text: JSON.stringify({ removed: await events.removeChannel(channel_id) }, null, 2) }] }));
+  server.tool("machines_webhooks_test", "Send a test event to one shared event channel.", { channel_id: exports_external.string().describe("Channel identifier"), event_type: exports_external.string().optional().describe("Event type"), message: exports_external.string().optional().describe("Message body"), approval_token: approvalTokenSchema }, async ({ channel_id, event_type, message, approval_token }) => {
+    requireMcpMutation("machines_webhooks_test", approval_token, { resourceId: mutationResourceId("webhook-test", channel_id, event_type), args: { channel_id, event_type, message } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await events.testChannel(channel_id, { source: "machines", type: event_type ?? "events.test", message }), null, 2) }]
+    };
+  });
+  server.tool("machines_webhooks_remove", "Remove a shared event channel.", { channel_id: exports_external.string().describe("Channel identifier"), approval_token: approvalTokenSchema }, async ({ channel_id, approval_token }) => {
+    requireMcpMutation("machines_webhooks_remove", approval_token, { resourceId: mutationResourceId("webhook", channel_id), args: { channel_id } });
+    return { content: [{ type: "text", text: JSON.stringify({ removed: await events.removeChannel(channel_id) }, null, 2) }] };
+  });
   server.tool("machines_events_emit", "Emit a shared event from machines.", {
     event_type: exports_external.string().describe("Event type"),
     subject: exports_external.string().optional().describe("Event subject"),
@@ -8522,25 +9196,36 @@ function createMcpServer(version) {
     data: exports_external.record(exports_external.unknown()).optional().describe("Event data"),
     metadata: exports_external.record(exports_external.unknown()).optional().describe("Event metadata"),
     dedupe_key: exports_external.string().optional().describe("Dedupe key"),
-    deliver: exports_external.boolean().optional().describe("Deliver to matching channels")
-  }, async ({ event_type, subject, severity, message, data, metadata, dedupe_key, deliver }) => ({
-    content: [{ type: "text", text: JSON.stringify(await events.emit({
-      source: "machines",
-      type: event_type,
-      subject,
-      severity,
-      message,
-      data: data ?? {},
-      metadata: metadata ?? {},
-      dedupeKey: dedupe_key
-    }, { deliver: deliver !== false }), null, 2) }]
-  }));
+    deliver: exports_external.boolean().optional().describe("Deliver to matching channels"),
+    approval_token: approvalTokenSchema
+  }, async ({ event_type, subject, severity, message, data, metadata, dedupe_key, deliver, approval_token }) => {
+    const resolvedData = data ?? {};
+    const resolvedMetadata = metadata ?? {};
+    const resolvedDeliver = deliver !== false;
+    requireMcpMutation("machines_events_emit", approval_token, { resourceId: mutationResourceId("event", event_type, subject, dedupe_key), args: { event_type, subject, severity, message, data: resolvedData, metadata: resolvedMetadata, dedupe_key, deliver: resolvedDeliver } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await events.emit({
+        source: "machines",
+        type: event_type,
+        subject,
+        severity,
+        message,
+        data: resolvedData,
+        metadata: resolvedMetadata,
+        dedupeKey: dedupe_key
+      }, { deliver: resolvedDeliver }), null, 2) }]
+    };
+  });
   server.tool("machines_events_list", "List shared events.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(await events.listEvents(), null, 2) }]
   }));
-  server.tool("machines_events_replay", "Replay shared events.", { event_id: exports_external.string().optional().describe("Event id"), source: exports_external.string().optional().describe("Source filter"), event_type: exports_external.string().optional().describe("Event type filter"), dry_run: exports_external.boolean().optional().describe("Preview without delivery") }, async ({ event_id, source, event_type, dry_run }) => ({
-    content: [{ type: "text", text: JSON.stringify(await events.replay({ eventId: event_id, source, type: event_type, dryRun: dry_run }), null, 2) }]
-  }));
+  server.tool("machines_events_replay", "Replay shared events.", { event_id: exports_external.string().optional().describe("Event id"), source: exports_external.string().optional().describe("Source filter"), event_type: exports_external.string().optional().describe("Event type filter"), dry_run: exports_external.boolean().optional().describe("Preview without delivery"), approval_token: approvalTokenSchema }, async ({ event_id, source, event_type, dry_run, approval_token }) => {
+    if (dry_run !== true)
+      requireMcpMutation("machines_events_replay", approval_token, { resourceId: mutationResourceId("event-replay", event_id, source, event_type), args: { event_id, source, event_type, dry_run: false } });
+    return {
+      content: [{ type: "text", text: JSON.stringify(await events.replay({ eventId: event_id, source, type: event_type, dryRun: dry_run }), null, 2) }]
+    };
+  });
   server.tool("machines_serve_info", "Preview the dashboard server bind address and routes.", { host: exports_external.string().optional().describe("Host interface"), port: exports_external.number().optional().describe("Port number") }, async ({ host, port }) => ({ content: [{ type: "text", text: JSON.stringify(getServeInfo({ host, port }), null, 2) }] }));
   server.tool("machines_serve_dashboard", "Render the current dashboard HTML.", {}, async () => ({
     content: [{ type: "text", text: renderDashboardHtml() }]
@@ -8548,15 +9233,28 @@ function createMcpServer(version) {
   server.tool("storage_status", "Show machines storage sync configuration and local sync history.", {}, async () => ({
     content: [{ type: "text", text: JSON.stringify(getStorageStatus(), null, 2) }]
   }));
-  server.tool("storage_push", "Push local machine runtime data to storage PostgreSQL.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to push") }, async ({ tables }) => ({ content: [{ type: "text", text: JSON.stringify(await storagePush(tables ? { tables } : undefined), null, 2) }] }));
-  server.tool("storage_pull", "Pull machine runtime data from storage PostgreSQL to local SQLite.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to pull") }, async ({ tables }) => ({ content: [{ type: "text", text: JSON.stringify(await storagePull(tables ? { tables } : undefined), null, 2) }] }));
-  server.tool("storage_sync", "Bidirectional machines storage sync: pull then push.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to sync") }, async ({ tables }) => ({ content: [{ type: "text", text: JSON.stringify(await storageSync(tables ? { tables } : undefined), null, 2) }] }));
+  server.tool("storage_push", "Push local machine runtime data to storage PostgreSQL.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to push"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
+    const resolvedTables = resolveTables(tables);
+    requireMcpMutation("storage_push", approval_token, { resourceId: mutationResourceId("storage-push", resolvedTables.join(",")), args: { tables: resolvedTables } });
+    return { content: [{ type: "text", text: JSON.stringify(await storagePush({ tables: resolvedTables }), null, 2) }] };
+  });
+  server.tool("storage_pull", "Pull machine runtime data from storage PostgreSQL to local SQLite.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to pull"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
+    const resolvedTables = resolveTables(tables);
+    requireMcpMutation("storage_pull", approval_token, { resourceId: mutationResourceId("storage-pull", resolvedTables.join(",")), args: { tables: resolvedTables } });
+    return { content: [{ type: "text", text: JSON.stringify(await storagePull({ tables: resolvedTables }), null, 2) }] };
+  });
+  server.tool("storage_sync", "Bidirectional machines storage sync: pull then push.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to sync"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
+    const resolvedTables = resolveTables(tables);
+    requireMcpMutation("storage_sync", approval_token, { resourceId: mutationResourceId("storage-sync", resolvedTables.join(",")), args: { tables: resolvedTables } });
+    return { content: [{ type: "text", text: JSON.stringify(await storageSync({ tables: resolvedTables }), null, 2) }] };
+  });
   return server;
 }
 
 // src/mcp/http.ts
 var DEFAULT_HTTP_PORT = 8821;
 var HTTP_NAME = "machines";
+var DEFAULT_MAX_BODY_BYTES = 1024 * 1024;
 function isHttpMode(args = process.argv.slice(2)) {
   return args.includes("--http") || process.env.MCP_HTTP === "1";
 }
@@ -8586,28 +9284,156 @@ function parsePort(raw) {
 function pathnameFromRequest(req) {
   return new URL(req.url ?? "/", "http://127.0.0.1").pathname;
 }
-async function readRequestBody(req) {
+function isLoopbackHost(host) {
+  const normalized = host.toLowerCase().replace(/^\[|\]$/g, "");
+  return normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1";
+}
+function resolveHttpSecurityConfig(env = process.env, host = "127.0.0.1") {
+  const allowUnauthenticated = env.MACHINES_ALLOW_UNAUTHENTICATED === "1" && isLoopbackHost(host);
+  const allowedOrigins = (env.MACHINES_HTTP_ALLOWED_ORIGINS ?? "").split(",").map((origin) => origin.trim()).filter(Boolean);
+  const maxBodyBytes = parsePositiveInteger(env.MACHINES_HTTP_MAX_BODY_BYTES, DEFAULT_MAX_BODY_BYTES);
+  return {
+    apiKey: env.MACHINES_API_KEY,
+    allowUnauthenticated,
+    allowedOrigins,
+    maxBodyBytes
+  };
+}
+function parsePositiveInteger(raw, fallback) {
+  if (!raw)
+    return fallback;
+  const parsed = Number.parseInt(raw, 10);
+  return Number.isInteger(parsed) && parsed > 0 ? parsed : fallback;
+}
+function safeTokenEquals(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual2(leftBuffer, rightBuffer);
+}
+function originValue(req) {
+  const origin = req.headers.origin;
+  if (typeof origin === "string")
+    return origin.trim();
+  return;
+}
+function isTrustedHttpOrigin(origin, host, allowedOrigins = []) {
+  if (!origin)
+    return true;
+  if (allowedOrigins.includes(origin) || allowedOrigins.includes("*"))
+    return true;
+  let parsed;
+  try {
+    parsed = new URL(origin);
+  } catch {
+    return false;
+  }
+  return isLoopbackHost(host) && isLoopbackHost(parsed.hostname);
+}
+function authorizeHttpOrigin(req, host, security) {
+  const origin = originValue(req);
+  if (isTrustedHttpOrigin(origin, host, security.allowedOrigins))
+    return { ok: true };
+  return {
+    ok: false,
+    status: 403,
+    reason: "Untrusted Origin header for machines MCP HTTP request."
+  };
+}
+function requestBearerToken(req) {
+  const authorization = req.headers.authorization;
+  if (typeof authorization === "string") {
+    const match = /^Bearer\s+(.+)$/i.exec(authorization.trim());
+    if (match?.[1])
+      return match[1].trim();
+  }
+  const apiKey = req.headers["x-machines-api-key"];
+  if (typeof apiKey === "string")
+    return apiKey.trim();
+  if (Array.isArray(apiKey))
+    return apiKey[0]?.trim();
+  return;
+}
+function authorizeHttpRequest(req, security) {
+  if (security.allowUnauthenticated)
+    return { ok: true };
+  const expected = security.apiKey?.trim();
+  if (!expected) {
+    return { ok: false, status: 401, reason: "machines MCP HTTP requires MACHINES_API_KEY or loopback-only MACHINES_ALLOW_UNAUTHENTICATED=1." };
+  }
+  const received = requestBearerToken(req);
+  if (received && safeTokenEquals(received, expected))
+    return { ok: true };
+  return { ok: false, status: 401, reason: "Invalid or missing machines MCP HTTP API key." };
+}
+function corsHeaders(req, host, security) {
+  const origin = originValue(req);
+  if (!origin || !isTrustedHttpOrigin(origin, host, security.allowedOrigins))
+    return {};
+  return {
+    "access-control-allow-origin": origin,
+    "access-control-allow-methods": "GET, POST, DELETE, OPTIONS",
+    "access-control-allow-headers": "authorization, content-type, x-machines-api-key, mcp-session-id",
+    "access-control-expose-headers": "mcp-session-id",
+    vary: "Origin"
+  };
+}
+function applyCorsHeaders(req, res, host, security) {
+  for (const [key, value] of Object.entries(corsHeaders(req, host, security))) {
+    res.setHeader(key, value);
+  }
+}
+function writeJson(res, status, payload, headers = {}) {
+  res.writeHead(status, { "content-type": "application/json", ...headers });
+  res.end(JSON.stringify(payload));
+}
+function requestContentLength(req) {
+  const raw = req.headers["content-length"];
+  const value = Array.isArray(raw) ? raw[0] : raw;
+  if (!value)
+    return null;
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) && parsed >= 0 ? parsed : null;
+}
+
+class HttpRequestError extends Error {
+  status;
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+  }
+}
+async function readRequestBody(req, maxBodyBytes) {
   if (req.method !== "POST" && req.method !== "DELETE") {
     return;
   }
   const chunks = [];
+  let size = 0;
   for await (const chunk of req) {
-    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    size += buffer.length;
+    if (size > maxBodyBytes) {
+      throw new HttpRequestError(413, `Request body exceeds ${maxBodyBytes} bytes.`);
+    }
+    chunks.push(buffer);
   }
   const text = Buffer.concat(chunks).toString("utf8");
   if (!text) {
     return;
   }
-  return JSON.parse(text);
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new HttpRequestError(400, "Invalid JSON request body.");
+  }
 }
-async function handleMcpRequest(req, res) {
-  const server = buildServer();
+async function handleMcpRequest(req, res, maxBodyBytes) {
+  const server = buildServer(undefined, { mutationTransport: "mcp:http" });
   const transport = new StreamableHTTPServerTransport({
     sessionIdGenerator: undefined
   });
   await server.connect(transport);
   try {
-    const body = await readRequestBody(req);
+    const body = await readRequestBody(req, maxBodyBytes);
     await transport.handleRequest(req, res, body);
   } finally {
     res.on("close", () => {
@@ -8624,19 +9450,47 @@ function startHttpServer(options = {}) {
   const host = options.host ?? "127.0.0.1";
   const port = options.port ?? resolveHttpPort();
   const name = options.name ?? HTTP_NAME;
+  const security = options.security ?? resolveHttpSecurityConfig(process.env, host);
   const httpServer = createServer(async (req, res) => {
     const path = pathnameFromRequest(req);
     if (req.method === "GET" && path === "/health") {
-      res.writeHead(200, { "content-type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", name }));
+      writeJson(res, 200, { status: "ok", name });
       return;
     }
     if (path === "/mcp") {
-      await handleMcpRequest(req, res);
+      const origin = authorizeHttpOrigin(req, host, security);
+      if (!origin.ok) {
+        writeJson(res, origin.status, { error: "Forbidden", reason: origin.reason });
+        return;
+      }
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, corsHeaders(req, host, security));
+        res.end();
+        return;
+      }
+      const authorization = authorizeHttpRequest(req, security);
+      if (!authorization.ok) {
+        writeJson(res, authorization.status, { error: "Unauthorized", reason: authorization.reason }, corsHeaders(req, host, security));
+        return;
+      }
+      const contentLength = requestContentLength(req);
+      if (contentLength !== null && contentLength > security.maxBodyBytes) {
+        writeJson(res, 413, { error: "Payload Too Large", reason: `Request body exceeds ${security.maxBodyBytes} bytes.` }, corsHeaders(req, host, security));
+        return;
+      }
+      applyCorsHeaders(req, res, host, security);
+      try {
+        await handleMcpRequest(req, res, security.maxBodyBytes);
+      } catch (error) {
+        if (error instanceof HttpRequestError) {
+          writeJson(res, error.status, { error: error.status === 413 ? "Payload Too Large" : "Bad Request", reason: error.message }, corsHeaders(req, host, security));
+          return;
+        }
+        throw error;
+      }
       return;
     }
-    res.writeHead(404, { "content-type": "application/json" });
-    res.end(JSON.stringify({ error: "Not found" }));
+    writeJson(res, 404, { error: "Not found" });
   });
   httpServer.listen(port, host, () => {
     const address = httpServer.address();