@hasna/machines 0.0.45 → 0.0.46

package/dist/cli/index.js

@@ -2123,6 +2123,7 @@ class SqliteAdapter {
   raw;
   constructor(path) {
     this.raw = new Database(path);
+    this.raw.exec("PRAGMA busy_timeout = 5000");
   }
   close() {
     this.raw.close();
@@ -2172,6 +2173,23 @@ function createTables(db) {
       updated_at TEXT NOT NULL
     )
   `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS mutation_approval_nonces (
+      nonce_sha256 TEXT PRIMARY KEY,
+      token_sha256 TEXT NOT NULL,
+      surface TEXT NOT NULL,
+      operation TEXT NOT NULL,
+      caller_id TEXT NOT NULL,
+      run_id TEXT NOT NULL,
+      transport TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      used_at INTEGER NOT NULL
+    )
+  `);
+  db.exec(`
+    CREATE INDEX IF NOT EXISTS mutation_approval_nonces_expires_at_idx
+    ON mutation_approval_nonces (expires_at)
+  `);
 }
 function migrateAgentHeartbeats(db) {
   const columns = db.query("PRAGMA table_info(agent_heartbeats)").all();
@@ -2689,8 +2707,15 @@ var {
 } = import__.default;
 
 // src/cli/index.ts
-import { registerEventCommands, registerWebhookCommands } from "@hasna/events/commander";
+import {
+  EventsClient as EventsClient3,
+  getEventsDataDir as getEventsDataDir2,
+  sanitizeChannelForOutput,
+  sanitizeChannelsForOutput as sanitizeChannelsForOutput2
+} from "@hasna/events";
 import { execFileSync as execFileSync2 } from "child_process";
+import { existsSync as existsSync13, readFileSync as readFileSync13, rmSync as rmSync3 } from "fs";
+import { join as join12, resolve as resolve4 } from "path";
 
 // node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET = 10;
@@ -7521,10 +7546,271 @@ function manifestValidate() {
 import { homedir as homedir2 } from "os";
 init_db();
 
+// src/commands/mutation-approval.ts
+init_db();
+import { createHash, createHmac, randomUUID, timingSafeEqual } from "crypto";
+import { resolve as resolve2 } from "path";
+var MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_ALLOW_MUTATIONS";
+var LEGACY_MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_MUTATION_APPROVAL";
+var MUTATION_APPROVAL_TOKEN_ENV = "HASNA_MACHINES_MUTATION_TOKEN";
+var MUTATION_APPROVAL_CALLER_ENV = "HASNA_MACHINES_MUTATION_CALLER_ID";
+var MUTATION_APPROVAL_RUN_ENV = "HASNA_MACHINES_MUTATION_RUN_ID";
+var MUTATION_APPROVAL_REPLAY_PATH_ENV = "HASNA_MACHINES_MUTATION_REPLAY_PATH";
+var TOKEN_PREFIX = "machines-mut-v1";
+var DEFAULT_TOKEN_TTL_MS = 5 * 60 * 1000;
+var MAX_TOKEN_TTL_MS = 5 * 60 * 1000;
+var MAX_CLOCK_SKEW_MS = 30000;
+function isTruthy(value) {
+  return value === "1" || value?.toLowerCase() === "true" || value?.toLowerCase() === "yes";
+}
+function nowMs(now) {
+  if (typeof now === "number")
+    return now;
+  if (now instanceof Date)
+    return now.getTime();
+  return Date.now();
+}
+function signingSecret(env2, explicitSecret) {
+  return explicitSecret?.trim() || env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim();
+}
+function hmac(payload, secret) {
+  return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+function sha256Hex(payload) {
+  return createHash("sha256").update(payload).digest("hex");
+}
+function replayDbPath(env2) {
+  const configured = env2[MUTATION_APPROVAL_REPLAY_PATH_ENV]?.trim();
+  return configured ? resolve2(configured) : undefined;
+}
+function replayNonceKey(claims) {
+  return sha256Hex(JSON.stringify({ nonce: claims.nonce }));
+}
+function recordReplayNonce(env2, claims, tokenPayload, now) {
+  const dbPath = replayDbPath(env2);
+  if (!dbPath)
+    return;
+  if (!claims.nonce) {
+    return { approved: false, reason: "approval_token nonce claim is required for replay protection." };
+  }
+  try {
+    const db = getDb(dbPath);
+    db.query("DELETE FROM mutation_approval_nonces WHERE expires_at <= ?").run(now);
+    const result = db.query(`
+      INSERT OR IGNORE INTO mutation_approval_nonces (
+        nonce_sha256,
+        token_sha256,
+        surface,
+        operation,
+        caller_id,
+        run_id,
+        transport,
+        expires_at,
+        used_at
+      )
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(replayNonceKey(claims), sha256Hex(tokenPayload), claims.surface, claims.operation, claims.callerId ?? "", claims.runId ?? "", claims.transport ?? "", claims.expiresAt, now);
+    if (result.changes !== 1) {
+      return { approved: false, reason: "approval_token nonce has already been used." };
+    }
+    return;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { approved: false, reason: `approval_token replay store is unavailable: ${message}` };
+  }
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function canonicalizeMutationArg(value, inArray = false) {
+  if (value === undefined)
+    return inArray ? null : undefined;
+  if (value === null || typeof value === "boolean" || typeof value === "string")
+    return value;
+  if (typeof value === "number")
+    return Number.isFinite(value) ? value : null;
+  if (Array.isArray(value)) {
+    return value.map((entry) => canonicalizeMutationArg(entry, true) ?? null);
+  }
+  if (value instanceof Date)
+    return value.toISOString();
+  if (typeof value === "object") {
+    const result = {};
+    for (const key of Object.keys(value).sort()) {
+      if (key === "approval_token" || key === "approvalToken")
+        continue;
+      const canonicalValue = canonicalizeMutationArg(value[key]);
+      if (canonicalValue !== undefined)
+        result[key] = canonicalValue;
+    }
+    return result;
+  }
+  return inArray ? null : undefined;
+}
+function canonicalMutationArgs(value) {
+  return JSON.stringify(canonicalizeMutationArg(value) ?? {});
+}
+function mutationArgsSha256(value) {
+  return sha256Hex(canonicalMutationArgs(value));
+}
+function stripPlanRuntimeFields(value) {
+  if (Array.isArray(value))
+    return value.map(stripPlanRuntimeFields);
+  if (value instanceof Date)
+    return value;
+  if (value && typeof value === "object") {
+    const result = {};
+    for (const [key, entry] of Object.entries(value)) {
+      if (key === "planDigest" || key === "plan_digest" || key === "mode" || key === "executed")
+        continue;
+      result[key] = stripPlanRuntimeFields(entry);
+    }
+    return result;
+  }
+  return value;
+}
+function mutationPlanDigest(plan) {
+  return mutationArgsSha256(stripPlanRuntimeFields(plan));
+}
+function attachMutationPlanDigest(plan) {
+  return {
+    ...plan,
+    planDigest: mutationPlanDigest(plan)
+  };
+}
+function assertMutationPlanDigest(plan, expectedPlanDigest) {
+  if (expectedPlanDigest && mutationPlanDigest(plan) !== expectedPlanDigest) {
+    throw new Error("Approved plan digest does not match the current execution plan.");
+  }
+}
+function parseToken(token) {
+  if (!token)
+    return null;
+  const parts = token.split(".");
+  if (parts.length !== 3 || parts[0] !== TOKEN_PREFIX)
+    return null;
+  try {
+    const claims = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
+    return { payload: parts[1] ?? "", signature: parts[2] ?? "", claims };
+  } catch {
+    return null;
+  }
+}
+function claimMatches(expected, actual) {
+  if (expected === undefined)
+    return actual === undefined;
+  return actual === expected;
+}
+function verifyMutationApprovalToken(options) {
+  const env2 = options.env ?? process.env;
+  const secret = signingSecret(env2);
+  if (!secret)
+    return { approved: false, reason: `${MUTATION_APPROVAL_TOKEN_ENV} is not configured.` };
+  const parsed = parseToken(options.approvalToken);
+  if (!parsed)
+    return { approved: false, reason: "approval_token is not a scoped mutation token." };
+  if (!safeEqual(hmac(parsed.payload, secret), parsed.signature)) {
+    return { approved: false, reason: "approval_token signature is invalid." };
+  }
+  const claims = parsed.claims;
+  if (claims.version !== 1)
+    return { approved: false, reason: "approval_token version is unsupported." };
+  if (!claims.callerId || !claims.runId) {
+    return { approved: false, reason: "approval_token must include caller and run claims." };
+  }
+  if (!claims.transport) {
+    return { approved: false, reason: "approval_token must include a transport claim." };
+  }
+  if (!Number.isFinite(claims.expiresAt) || claims.expiresAt <= nowMs(options.now)) {
+    return { approved: false, reason: "approval_token is expired." };
+  }
+  const now = nowMs(options.now);
+  if (!Number.isFinite(claims.issuedAt) || claims.issuedAt > now + MAX_CLOCK_SKEW_MS) {
+    return { approved: false, reason: "approval_token issue time is invalid." };
+  }
+  if (claims.expiresAt - claims.issuedAt > MAX_TOKEN_TTL_MS) {
+    return { approved: false, reason: "approval_token TTL is too long." };
+  }
+  for (const key of ["surface", "operation", "machineId", "resourceId", "transport"]) {
+    if (!claimMatches(options[key], claims[key])) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  for (const key of ["callerId", "runId"]) {
+    if (options[key] !== undefined && options[key] !== claims[key]) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  const expectedArgsSha256 = options.argsSha256 || (options.args === undefined ? undefined : mutationArgsSha256(options.args));
+  if (expectedArgsSha256 !== undefined && claims.args_sha256 !== expectedArgsSha256) {
+    return { approved: false, reason: "approval_token args_sha256 claim does not match this mutation." };
+  }
+  const replayDecision = recordReplayNonce(env2, claims, parsed.payload, now);
+  if (replayDecision)
+    return replayDecision;
+  return { approved: true, claims };
+}
+function isMutationApproved(options = {}) {
+  const env2 = options.env ?? process.env;
+  const surface = options.surface ?? "cli";
+  if (surface === "mcp") {
+    if (!options.operation)
+      return false;
+    return verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? "mcp",
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env: env2,
+      now: options.now
+    }).approved;
+  }
+  if (options.approvalToken) {
+    const decision = options.operation ? verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? surface,
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env: env2,
+      now: options.now
+    }) : { approved: false };
+    if (decision.approved)
+      return true;
+    if (env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim())
+      return false;
+  }
+  return isTruthy(env2[MUTATION_APPROVAL_FLAG_ENV]) || isTruthy(env2[LEGACY_MUTATION_APPROVAL_FLAG_ENV]);
+}
+function assertMutationApproved(options) {
+  if (isMutationApproved(options)) {
+    return;
+  }
+  const env2 = options.env ?? process.env;
+  const tokenConfigured = Boolean(env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim());
+  const approvalHint = options.surface === "mcp" ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV}` : tokenConfigured ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV} or set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session` : `set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session or configure ${MUTATION_APPROVAL_TOKEN_ENV}`;
+  throw new Error(`Fleet mutation blocked: ${options.surface}.${options.operation} requires operator approval; ${approvalHint}.`);
+}
+
 // src/remote.ts
 init_db();
 import { spawnSync as spawnSync2 } from "child_process";
-import { hostname as hostname4 } from "os";
+import { existsSync as existsSync5, mkdtempSync, readFileSync as readFileSync3, rmSync } from "fs";
+import { hostname as hostname4, tmpdir } from "os";
+import { join as join3 } from "path";
 
 // src/topology.ts
 init_db();
@@ -8498,6 +8784,16 @@ function resolveMachineWorkspace(options) {
 function shellQuote2(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function validateSshTarget(target) {
+  const trimmed = target.trim();
+  if (!trimmed || trimmed.startsWith("-") || /[\s"'`$\\;&|<>()[\]{}]/.test(trimmed)) {
+    throw new Error(`Unsafe SSH target: ${target}`);
+  }
+  if (!/^(?:[A-Za-z0-9._%+-]+@)?[A-Za-z0-9._:-]+$/.test(trimmed)) {
+    throw new Error(`Unsafe SSH target: ${target}`);
+  }
+  return trimmed;
+}
 function resolveSshTarget(machineId, options = {}) {
   const resolved = resolveMachineRoute(machineId, options);
   if (!resolved.ok || !resolved.target) {
@@ -8508,15 +8804,25 @@ function resolveSshTarget(machineId, options = {}) {
   }
   return {
     machineId: resolved.machine_id ?? machineId,
-    target: resolved.command_target ?? resolved.target,
+    target: validateSshTarget(resolved.command_target ?? resolved.target),
     route: resolved.route,
     confidence: resolved.confidence,
     warnings: resolved.warnings
   };
 }
 function buildSshCommand(machineId, remoteCommand, options = {}) {
+  return buildSshCommandPlan(machineId, remoteCommand, options).shellCommand;
+}
+function buildSshCommandPlan(machineId, remoteCommand, options = {}) {
   const resolved = resolveSshTarget(machineId, options);
-  return remoteCommand ? `ssh ${resolved.target} ${shellQuote2(remoteCommand)}` : `ssh ${resolved.target}`;
+  const args = remoteCommand ? [resolved.target, remoteCommand] : [resolved.target];
+  const shellCommand2 = `ssh ${args.map(shellQuote2).join(" ")}`;
+  return {
+    ...resolved,
+    command: "ssh",
+    args,
+    shellCommand: shellCommand2
+  };
 }
 
 // src/remote.ts
@@ -8528,35 +8834,233 @@ function machineIsLocal(machineId, localMachineId) {
 }
 function resolveMachineCommand(machineId, command, localMachineId = getLocalMachineId()) {
   if (machineIsLocal(machineId, localMachineId)) {
-    return { source: "local", shellCommand: command };
+    return { source: "local", command: "bash", args: ["-c", command], shellCommand: command, usesShell: true };
   }
   try {
+    const plan = buildSshCommandPlan(machineId, command);
     return {
-      source: resolveSshTarget(machineId).route,
-      shellCommand: buildSshCommand(machineId, command)
+      source: plan.route,
+      command: plan.command,
+      args: plan.args,
+      shellCommand: plan.shellCommand,
+      usesShell: false
     };
   } catch (error) {
     const message = String(error.message ?? error);
     if (message.includes("Machine route not found") || message.includes("Machine not found in manifest")) {
-      return { source: "ssh", shellCommand: `ssh ${shellQuote3(machineId)} ${shellQuote3(command)}` };
+      const target = validateSshTarget(machineId);
+      return {
+        source: "ssh",
+        command: "ssh",
+        args: [target, command],
+        shellCommand: `ssh ${shellQuote3(target)} ${shellQuote3(command)}`,
+        usesShell: false
+      };
     }
     throw error;
   }
 }
-function runMachineCommand(machineId, command) {
+function runMachineCommand(machineId, command, options = {}) {
   const resolved = resolveMachineCommand(machineId, command);
-  const result = spawnSync2("bash", ["-c", resolved.shellCommand], {
+  if (options.timeoutMs && options.timeoutMs > 0 && process.platform !== "win32") {
+    return runMachineCommandWithProcessGroupTimeout(machineId, resolved, options);
+  }
+  const result = spawnSync2(resolved.command, resolved.args, {
     encoding: "utf8",
-    env: process.env
+    env: process.env,
+    timeout: options.timeoutMs,
+    killSignal: "SIGTERM"
   });
+  const timedOut = Boolean(result.error && "code" in result.error && result.error.code === "ETIMEDOUT");
+  const timeoutMessage = timedOut ? `Command timed out after ${options.timeoutMs}ms.` : "";
+  const stderr = [result.stderr || "", timeoutMessage].filter(Boolean).join(result.stderr ? `
+` : "");
   return {
     machineId,
     source: resolved.source,
     stdout: result.stdout || "",
-    stderr: result.stderr || "",
-    exitCode: result.status ?? 1
+    stderr,
+    exitCode: timedOut ? 124 : result.status ?? 1,
+    timedOut,
+    signal: result.signal
   };
 }
+function runMachineCommandWithProcessGroupTimeout(machineId, resolved, options) {
+  const timeoutMs = Math.max(1, options.timeoutMs ?? 1);
+  const killGraceMs = Math.max(1, options.killGraceMs ?? 1000);
+  const helperDir = mkdtempSync(join3(tmpdir(), "machines-timeout-helper-"));
+  const pgidFile = join3(helperDir, "pgid");
+  const helper = spawnSync2(process.execPath, ["--eval", PROCESS_GROUP_TIMEOUT_HELPER], {
+    input: JSON.stringify({ command: resolved.command, args: resolved.args }),
+    encoding: "utf8",
+    env: {
+      ...process.env,
+      HASNA_MACHINES_COMMAND_TIMEOUT_MS: String(timeoutMs),
+      HASNA_MACHINES_COMMAND_KILL_GRACE_MS: String(killGraceMs),
+      HASNA_MACHINES_COMMAND_PGID_FILE: pgidFile
+    },
+    timeout: timeoutMs + killGraceMs + 2000,
+    killSignal: "SIGKILL",
+    maxBuffer: 64 * 1024 * 1024
+  });
+  try {
+    const parsed = parseHelperResult(helper.stdout);
+    if (parsed) {
+      return {
+        machineId,
+        source: resolved.source,
+        stdout: parsed.stdout,
+        stderr: parsed.stderr,
+        exitCode: parsed.exitCode,
+        timedOut: parsed.timedOut,
+        signal: parsed.signal
+      };
+    }
+    const helperTimedOut = Boolean(helper.error && "code" in helper.error && helper.error.code === "ETIMEDOUT");
+    if (helperTimedOut)
+      killPublishedProcessGroup(pgidFile);
+    const timeoutMessage = helperTimedOut ? `Command timed out after ${timeoutMs}ms; timeout helper exceeded cleanup grace ${killGraceMs}ms.` : "";
+    const stderr = [helper.stderr || "", timeoutMessage].filter(Boolean).join(helper.stderr ? `
+` : "");
+    return {
+      machineId,
+      source: resolved.source,
+      stdout: "",
+      stderr,
+      exitCode: helperTimedOut ? 124 : helper.status ?? 1,
+      timedOut: helperTimedOut,
+      signal: helper.signal
+    };
+  } finally {
+    rmSync(helperDir, { recursive: true, force: true });
+  }
+}
+function killPublishedProcessGroup(pgidFile) {
+  if (!existsSync5(pgidFile))
+    return;
+  try {
+    const pid = Number.parseInt(readFileSync3(pgidFile, "utf8").trim(), 10);
+    if (!Number.isInteger(pid) || pid <= 1)
+      return;
+    process.kill(-pid, "SIGKILL");
+  } catch {}
+}
+function parseHelperResult(stdout) {
+  if (!stdout)
+    return null;
+  try {
+    const parsed = JSON.parse(stdout);
+    if (typeof parsed.stdout !== "string" || typeof parsed.stderr !== "string" || typeof parsed.exitCode !== "number")
+      return null;
+    return {
+      machineId: "",
+      source: "local",
+      stdout: parsed.stdout,
+      stderr: parsed.stderr,
+      exitCode: parsed.exitCode,
+      timedOut: parsed.timedOut === true,
+      signal: typeof parsed.signal === "string" ? parsed.signal : null
+    };
+  } catch {
+    return null;
+  }
+}
+var PROCESS_GROUP_TIMEOUT_HELPER = `
+	const { spawn } = require("node:child_process");
+	const { readFileSync, writeFileSync } = require("node:fs");
+
+	const plan = JSON.parse(readFileSync(0, "utf8"));
+	const command = String(plan.command || "");
+	const args = Array.isArray(plan.args) ? plan.args.map(String) : [];
+	const timeoutMs = Math.max(1, Number.parseInt(process.env.HASNA_MACHINES_COMMAND_TIMEOUT_MS || "1", 10));
+	const killGraceMs = Math.max(1, Number.parseInt(process.env.HASNA_MACHINES_COMMAND_KILL_GRACE_MS || "1000", 10));
+	const pgidFile = process.env.HASNA_MACHINES_COMMAND_PGID_FILE || "";
+	let stdout = "";
+	let stderr = "";
+	let timedOut = false;
+	let finished = false;
+let timeoutTimer;
+let killTimer;
+let sigkillSent = false;
+let pendingExit = null;
+
+const child = spawn(command, args, {
+  detached: true,
+  stdio: ["ignore", "pipe", "pipe"],
+	  env: process.env,
+	});
+
+	if (pgidFile && child.pid) {
+	  try {
+	    writeFileSync(pgidFile, String(child.pid), { mode: 0o600 });
+	  } catch {}
+	}
+
+function appendText(target, chunk) {
+  return target + String(chunk);
+}
+
+	function killTarget(signal) {
+	  if (!child.pid) return;
+	  if (process.platform === "win32") {
+	    try {
+	      process.kill(child.pid, signal);
+	    } catch {}
+	    return;
+	  }
+	  try {
+	    process.kill(-child.pid, signal);
+	  } catch {}
+	}
+
+	function finish(code, signal) {
+	  if (finished) return;
+  if (timedOut && !sigkillSent) {
+    pendingExit = { code, signal };
+    return;
+  }
+  finished = true;
+  if (timeoutTimer) clearTimeout(timeoutTimer);
+  if (killTimer) clearTimeout(killTimer);
+	  if (timedOut) {
+	    stderr = [stderr, "Command timed out after " + timeoutMs + "ms."].filter(Boolean).join(stderr ? "\\n" : "");
+	  }
+	  const exitCode = timedOut ? 124 : code ?? 1;
+	  process.stdout.write(JSON.stringify({
+	    stdout,
+	    stderr,
+	    exitCode,
+	    timedOut,
+	    signal: signal ?? null,
+	  }), () => process.exit(exitCode));
+	}
+
+	child.stdout.setEncoding("utf8");
+	child.stderr.setEncoding("utf8");
+	child.stdout.on("data", (chunk) => { stdout = appendText(stdout, chunk); });
+	child.stderr.on("data", (chunk) => { stderr = appendText(stderr, chunk); });
+	let childExit = { code: null, signal: null };
+	child.on("error", (error) => {
+	    stderr = [stderr, error instanceof Error ? error.message : String(error)].filter(Boolean).join(stderr ? "\\n" : "");
+	    finish(1, null);
+	});
+	child.on("exit", (code, signal) => {
+	  childExit = { code, signal };
+	});
+	child.on("close", (code, signal) => {
+	  finish(code ?? childExit.code, signal ?? childExit.signal);
+	});
+
+timeoutTimer = setTimeout(() => {
+  timedOut = true;
+  killTarget("SIGTERM");
+  killTimer = setTimeout(() => {
+    sigkillSent = true;
+    killTarget("SIGKILL");
+    if (pendingExit) finish(pendingExit.code, pendingExit.signal);
+  }, killGraceMs);
+}, timeoutMs);
+`;
 function describeMachineCommandFailure(operation, result) {
   const detail = (result.stderr || result.stdout || "").trim();
   const suffix = detail ? `: ${detail}` : "";
@@ -8671,17 +9175,17 @@ function buildSetupPlan(machineId) {
     workspacePath: `${homedir2()}/workspace`
   };
   const steps = [...buildBaseSteps(target), ...buildPackageSteps(target)];
-  return {
+  return attachMutationPlanDigest({
     machineId: target.id,
     mode: "plan",
     steps,
     executed: 0
-  };
+  });
 }
-function runSetup(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildSetupPlan(machineId);
+function runSetupPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply) {
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   }
   if (!options.yes) {
     throw new Error("Setup execution requires --yes.");
@@ -8702,19 +9206,19 @@ function runSetup(machineId, options = {}, runner = runMachineCommand) {
     }
     executed += 1;
   }
-  const summary = {
+  const summary = attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
   recordSetupRun(plan.machineId, "completed", summary);
   return summary;
 }
 
 // src/commands/backup.ts
 import { homedir as homedir3, hostname as hostname5 } from "os";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 var MACHINES_BACKUP_BUCKET_ENV = "HASNA_MACHINES_S3_BUCKET";
 var MACHINES_BACKUP_BUCKET_FALLBACK_ENV = "MACHINES_S3_BUCKET";
 var MACHINES_BACKUP_PREFIX_ENV = "HASNA_MACHINES_S3_PREFIX";
@@ -8764,14 +9268,14 @@ function resolveBackupTarget(options = {}) {
 function defaultBackupSources() {
   const home = homedir3();
   return [
-    join3(home, ".hasna"),
-    join3(home, ".ssh"),
-    join3(home, ".secrets")
+    join4(home, ".hasna"),
+    join4(home, ".ssh"),
+    join4(home, ".secrets")
   ];
 }
 function buildBackupPlan(bucket, prefix) {
   const target = resolveBackupTarget({ bucket, prefix });
-  const archivePath = join3(homedir3(), ".hasna", "machines", "backup.tgz");
+  const archivePath = join4(homedir3(), ".hasna", "machines", "backup.tgz");
   const sources = defaultBackupSources();
   const steps = [
     {
@@ -8823,20 +9327,20 @@ function runBackup(bucket, prefix, options = {}) {
 
 // src/commands/cert.ts
 import { homedir as homedir4, platform as platform3 } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 function quote3(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
 function certDir() {
-  return join4(homedir4(), ".hasna", "machines", "certs");
+  return join5(homedir4(), ".hasna", "machines", "certs");
 }
 function buildCertPlan(domains) {
   if (domains.length === 0) {
     throw new Error("At least one domain is required.");
   }
   const primary = domains[0];
-  const certPath = join4(certDir(), `${primary}.pem`);
-  const keyPath = join4(certDir(), `${primary}-key.pem`);
+  const certPath = join5(certDir(), `${primary}.pem`);
+  const keyPath = join5(certDir(), `${primary}-key.pem`);
   const steps = [];
   if (platform3() === "darwin") {
     steps.push({
@@ -8901,16 +9405,16 @@ function runCertPlan(domains, options = {}) {
 
 // src/commands/dns.ts
 init_paths();
-import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join5 } from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { join as join6 } from "path";
 function getDnsPath() {
-  return join5(getDataDir(), "dns.json");
+  return join6(getDataDir(), "dns.json");
 }
 function readMappings() {
   const path = getDnsPath();
-  if (!existsSync5(path))
+  if (!existsSync6(path))
     return [];
-  return JSON.parse(readFileSync3(path, "utf8"));
+  return JSON.parse(readFileSync4(path, "utf8"));
 }
 function writeMappings(mappings) {
   const path = getDnsPath();
@@ -8937,10 +9441,10 @@ function renderDomainMapping(domain) {
     hostsEntry: `${entry.targetHost} ${entry.domain}`,
     caddySnippet: `${entry.domain} {
   reverse_proxy 127.0.0.1:${entry.port}
-  tls ${join5(getDataDir(), "certs", `${entry.domain}.pem`)} ${join5(getDataDir(), "certs", `${entry.domain}-key.pem`)}
+  tls ${join6(getDataDir(), "certs", `${entry.domain}.pem`)} ${join6(getDataDir(), "certs", `${entry.domain}-key.pem`)}
 }`,
-    certPath: join5(getDataDir(), "certs", `${entry.domain}.pem`),
-    keyPath: join5(getDataDir(), "certs", `${entry.domain}-key.pem`)
+    certPath: join6(getDataDir(), "certs", `${entry.domain}.pem`),
+    keyPath: join6(getDataDir(), "certs", `${entry.domain}-key.pem`)
   };
 }
 
@@ -9077,12 +9581,12 @@ function listApps(machineId) {
 }
 function buildAppsPlan(machineId) {
   const machine = resolveMachine(machineId);
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildAppSteps(machine),
     executed: 0
-  };
+  });
 }
 function getAppsStatus(machineId, runner = runMachineCommand) {
   const machine = resolveMachine(machineId);
@@ -9105,10 +9609,10 @@ function diffApps(machineId, runner = runMachineCommand) {
     installed: status.apps.filter((app) => app.installed).map((app) => app.name)
   };
 }
-function runAppsInstall(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildAppsPlan(machineId);
+function runAppsPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("App installation requires --yes.");
   }
@@ -9117,12 +9621,12 @@ function runAppsInstall(machineId, options = {}, runner = runMachineCommand) {
     requireMachineCommandSuccess(`App install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 
 // src/commands/install-claude.ts
@@ -9184,12 +9688,12 @@ function parseProbe(tool, stdout) {
 }
 function buildClaudeInstallPlan(machineId, tools) {
   const machine = resolveMachine2(machineId);
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildInstallSteps(machine, tools),
     executed: 0
-  };
+  });
 }
 function getClaudeCliStatus(machineId, tools, runner = runMachineCommand) {
   const machine = resolveMachine2(machineId);
@@ -9212,10 +9716,10 @@ function diffClaudeCli(machineId, tools, runner = runMachineCommand) {
     installed: status.tools.filter((tool) => tool.installed).map((tool) => tool.tool)
   };
 }
-function runClaudeInstall(machineId, tools, options = {}, runner = runMachineCommand) {
-  const plan = buildClaudeInstallPlan(machineId, tools);
+function runClaudeInstallPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("Claude CLI installation requires --yes.");
   }
@@ -9224,12 +9728,12 @@ function runClaudeInstall(machineId, tools, options = {}, runner = runMachineCom
     requireMachineCommandSuccess(`AI CLI install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 
 // src/commands/install-tailscale.ts
@@ -9269,17 +9773,17 @@ function buildTailscaleInstallPlan(machineId) {
   if (!machine) {
     throw new Error(`Machine not found in manifest: ${machineId}`);
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: machine.id,
     mode: "plan",
     steps: buildInstallSteps2(machine),
     executed: 0
-  };
+  });
 }
-function runTailscaleInstall(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildTailscaleInstallPlan(machineId);
+function runTailscaleInstallPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply)
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   if (!options.yes) {
     throw new Error("Tailscale install requires --yes.");
   }
@@ -9288,21 +9792,23 @@ function runTailscaleInstall(machineId, options = {}, runner = runMachineCommand
     requireMachineCommandSuccess(`Tailscale install ${step.id}`, runner(plan.machineId, step.command));
     executed += 1;
   }
-  return {
+  return attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     steps: plan.steps,
     executed
-  };
+  });
 }
 
 // src/commands/notifications.ts
-import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { accessSync, constants, existsSync as existsSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
+import { delimiter, isAbsolute, join as join7 } from "path";
 init_paths();
 var notificationChannelSchema = exports_external.object({
   id: exports_external.string(),
   type: exports_external.enum(["email", "webhook", "command"]),
   target: exports_external.string(),
+  commandArgs: exports_external.array(exports_external.string()).optional(),
   events: exports_external.array(exports_external.string()),
   enabled: exports_external.boolean()
 });
@@ -9311,19 +9817,31 @@ var notificationConfigSchema = exports_external.object({
   updatedAt: exports_external.string().optional(),
   channels: exports_external.array(notificationChannelSchema)
 });
+var trustedNotificationApproval = Symbol("trustedNotificationApproval");
+function createTrustedNotificationApproval() {
+  return { [trustedNotificationApproval]: true };
+}
+function isTrustedNotificationApproval(approval) {
+  return approval?.[trustedNotificationApproval] === true;
+}
 function sortChannels(channels) {
   return [...channels].sort((left, right) => left.id.localeCompare(right.id));
 }
-function shellQuote5(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
-}
 function hasCommand2(binary) {
-  const result = Bun.spawnSync(["bash", "-lc", `command -v ${binary} >/dev/null 2>&1`], {
-    stdout: "ignore",
-    stderr: "ignore",
-    env: process.env
-  });
-  return result.exitCode === 0;
+  return Boolean(resolveExecutable(binary));
+}
+function resolveExecutable(binary) {
+  const trimmed = binary.trim();
+  if (!trimmed)
+    return null;
+  const candidates = isAbsolute(trimmed) ? [trimmed] : (process.env.PATH ?? "").split(delimiter).filter(Boolean).map((dir) => join7(dir, trimmed));
+  for (const candidate of candidates) {
+    try {
+      accessSync(candidate, constants.X_OK);
+      return candidate;
+    } catch {}
+  }
+  return null;
 }
 function buildNotificationPreview(channel, event, message) {
   if (channel.type === "email") {
@@ -9332,7 +9850,8 @@ function buildNotificationPreview(channel, event, message) {
   if (channel.type === "webhook") {
     return `POST ${channel.target} with payload {"event":"${event}","message":"${message}"}`;
   }
-  return `${channel.target} --event ${event} --message ${JSON.stringify(message)}`;
+  const args = channel.commandArgs?.length ? ` ${channel.commandArgs.join(" ")}` : "";
+  return `${channel.target}${args} with HASNA_MACHINES_NOTIFICATION_* environment`;
 }
 async function dispatchEmail(channel, event, message) {
   const subject = `[${event}] machines notification`;
@@ -9343,7 +9862,7 @@ Content-Type: text/plain; charset=utf-8
 ${message}
 `;
   if (hasCommand2("sendmail")) {
-    const result = Bun.spawnSync(["bash", "-lc", "sendmail -t"], {
+    const result = Bun.spawnSync(["sendmail", "-t"], {
       stdin: new TextEncoder().encode(body),
       stdout: "pipe",
       stderr: "pipe",
@@ -9361,8 +9880,9 @@ ${message}
     };
   }
   if (hasCommand2("mail")) {
-    const command = `printf %s ${shellQuote5(message)} | mail -s ${shellQuote5(subject)} ${shellQuote5(channel.target)}`;
-    const result = Bun.spawnSync(["bash", "-lc", command], {
+    const result = Bun.spawnSync(["mail", "-s", subject, channel.target], {
+      stdin: new TextEncoder().encode(`${message}
+`),
       stdout: "pipe",
       stderr: "pipe",
       env: process.env
@@ -9405,8 +9925,20 @@ async function dispatchWebhook(channel, event, message) {
     detail: `Webhook accepted with HTTP ${response.status}`
   };
 }
-async function dispatchCommand(channel, event, message) {
-  const result = Bun.spawnSync(["bash", "-lc", channel.target], {
+async function dispatchCommand(channel, event, message, options = {}) {
+  if (!isTrustedNotificationApproval(options.trustedApproval)) {
+    assertMutationApproved({
+      surface: "notifications",
+      operation: "dispatch_command",
+      resourceId: channel.id,
+      approvalToken: options.approvalToken
+    });
+  }
+  const executable = resolveExecutable(channel.target);
+  if (!executable) {
+    throw new Error(`Command executable not found or not executable: ${channel.target}`);
+  }
+  const result = Bun.spawnSync([executable, ...channel.commandArgs ?? []], {
     stdout: "pipe",
     stderr: "pipe",
     env: {
@@ -9428,7 +9960,7 @@ async function dispatchCommand(channel, event, message) {
     detail: stdout || "Command completed successfully"
   };
 }
-async function dispatchChannel(channel, event, message) {
+async function dispatchChannel(channel, event, message, options = {}) {
   if (!channel.enabled) {
     return {
       channelId: channel.id,
@@ -9444,7 +9976,7 @@ async function dispatchChannel(channel, event, message) {
   if (channel.type === "webhook") {
     return dispatchWebhook(channel, event, message);
   }
-  return dispatchCommand(channel, event, message);
+  return dispatchCommand(channel, event, message, options);
 }
 function getDefaultNotificationConfig() {
   return {
@@ -9454,10 +9986,10 @@ function getDefaultNotificationConfig() {
   };
 }
 function readNotificationConfig(path = getNotificationsPath()) {
-  if (!existsSync6(path)) {
+  if (!existsSync7(path)) {
     return getDefaultNotificationConfig();
   }
-  return notificationConfigSchema.parse(JSON.parse(readFileSync4(path, "utf8")));
+  return notificationConfigSchema.parse(JSON.parse(readFileSync5(path, "utf8")));
 }
 function writeNotificationConfig(config, path = getNotificationsPath()) {
   ensureParentDir(path);
@@ -9473,11 +10005,20 @@ function writeNotificationConfig(config, path = getNotificationsPath()) {
 function listNotificationChannels() {
   return readNotificationConfig();
 }
-function addNotificationChannel(channel) {
+function addNotificationChannel(channel, options = {}) {
+  if (channel.type === "command" && !isTrustedNotificationApproval(options.trustedApproval)) {
+    assertMutationApproved({
+      surface: "notifications",
+      operation: "add_command_channel",
+      resourceId: channel.id,
+      approvalToken: options.approvalToken
+    });
+  }
   const config = readNotificationConfig();
   const channels = config.channels.filter((entry) => entry.id !== channel.id);
   channels.push({
     ...channel,
+    commandArgs: channel.commandArgs?.map(String),
     events: [...new Set(channel.events)]
   });
   return writeNotificationConfig({ ...config, channels });
@@ -9499,7 +10040,7 @@ async function dispatchNotificationEvent(event, message, options = {}) {
   const deliveries = [];
   for (const channel of channels) {
     try {
-      deliveries.push(await dispatchChannel(channel, event, message));
+      deliveries.push(await dispatchChannel(channel, event, message, { approvalToken: options.approvalToken, trustedApproval: options.trustedApproval }));
     } catch (error) {
       deliveries.push({
         channelId: channel.id,
@@ -9534,7 +10075,7 @@ async function testNotificationChannel(channelId, event = "manual.test", message
   if (!options.yes) {
     throw new Error("Notification test execution requires --yes.");
   }
-  const delivery = await dispatchChannel(channel, event, message);
+  const delivery = await dispatchChannel(channel, event, message, { approvalToken: options.approvalToken, trustedApproval: options.trustedApproval });
   return {
     channelId,
     mode: "apply",
@@ -9603,6 +10144,46 @@ function listPorts(machineId) {
 import { spawnSync as spawnSync4 } from "child_process";
 import { setTimeout as sleep } from "timers/promises";
 import { EventsClient } from "@hasna/events";
+function shellQuote5(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function buildTmuxPaneDiedHookPlan(options = {}) {
+  const tmuxCommand = options.tmuxCommand ?? process.env["HASNA_MACHINES_TMUX_BIN"] ?? "tmux";
+  const machinesCommand = options.machinesCommand ?? "machines";
+  const deliver = options.deliver === true;
+  const approvalToken = options.approvalToken?.trim();
+  const trustedLocalMutation = approvalToken ? false : options.trustedLocalMutation === true;
+  const emitArgs = [
+    "events",
+    "emit",
+    "machines.tmux.pane_died",
+    "--source",
+    "machines",
+    "--subject",
+    "tmux:#{hook_pane}",
+    "--severity",
+    "warning",
+    "--message",
+    "tmux pane died: #{hook_pane}",
+    "--data",
+    '{"target":"#{hook_pane}","session":"#{session_name}","window":"#{window_index}"}'
+  ];
+  if (!deliver)
+    emitArgs.push("--no-deliver");
+  if (approvalToken)
+    emitArgs.push("--approval-token", approvalToken);
+  const command = [machinesCommand, ...emitArgs].map(shellQuote5).join(" ");
+  const runShell = trustedLocalMutation ? `HASNA_MACHINES_ALLOW_MUTATIONS=1 ${command}` : command;
+  const args = ["set-hook", "-g", "pane-died", `run-shell ${shellQuote5(runShell)}`];
+  return {
+    tmuxCommand,
+    args,
+    shellCommand: [tmuxCommand, ...args].map(shellQuote5).join(" "),
+    eventType: "machines.tmux.pane_died",
+    deliver,
+    trustedLocalMutation
+  };
+}
 function probeTmuxPane(target, tmuxCommand = process.env["HASNA_MACHINES_TMUX_BIN"] || "tmux") {
   const checkedAt = new Date().toISOString();
   const result = spawnSync4(tmuxCommand, ["display-message", "-p", "-t", target, "#{pane_id}"], {
@@ -9789,17 +10370,23 @@ function buildScreenEnableCommand(machineId, options = {}) {
   }
   const secretsCommand = options.secretsCommand || "secrets";
   const remoteCommand = buildScreenEnableRemoteCommandFromStdin(credentials.user);
+  const secretsCommandArgs = [secretsCommand, "get", credentials.passwordSecretKey];
+  const sshPlan = buildSshCommandPlan(machineId, remoteCommand, options);
   return {
     machineId: credentials.machineId,
     user: credentials.user,
     passwordSecretKey: credentials.passwordSecretKey,
     remoteCommand,
-    command: `${shellCommand2([secretsCommand, "get", credentials.passwordSecretKey])} | ${buildSshCommand(machineId, remoteCommand, options)}`
+    secretsCommand,
+    secretsCommandArgs,
+    sshCommand: sshPlan.command,
+    sshCommandArgs: sshPlan.args,
+    command: `${shellCommand2(secretsCommandArgs)} | ${sshPlan.shellCommand}`
   };
 }
 
 // src/commands/sync.ts
-import { existsSync as existsSync7, lstatSync, readFileSync as readFileSync5, symlinkSync, copyFileSync } from "fs";
+import { existsSync as existsSync8, lstatSync, readFileSync as readFileSync6, symlinkSync, copyFileSync } from "fs";
 import { homedir as homedir5 } from "os";
 init_paths();
 init_db();
@@ -9854,15 +10441,15 @@ function detectFileActions(machine) {
     throw new Error(`Remote file sync planning is not supported for ${machine.id}; refusing to inspect or apply local paths as remote state.`);
   }
   return (machine.files || []).map((file, index) => {
-    const sourceExists = existsSync7(file.source);
-    const targetExists = existsSync7(file.target);
+    const sourceExists = existsSync8(file.source);
+    const targetExists = existsSync8(file.target);
     let status = "missing";
     if (sourceExists && targetExists) {
       if (file.mode === "symlink") {
         status = lstatSync(file.target).isSymbolicLink() ? "ok" : "drifted";
       } else {
-        const source = readFileSync5(file.source, "utf8");
-        const target = readFileSync5(file.target, "utf8");
+        const source = readFileSync6(file.source, "utf8");
+        const target = readFileSync6(file.target, "utf8");
         status = source === target ? "ok" : "drifted";
       }
     }
@@ -9892,12 +10479,12 @@ function buildSyncPlan(machineId, runner = runMachineCommand) {
     ...detectPackageActions(target, runner),
     ...detectFileActions(target)
   ];
-  return {
+  return attachMutationPlanDigest({
     machineId: target.id,
     mode: "plan",
     actions,
     executed: 0
-  };
+  });
 }
 function applyFileAction(command) {
   const [verb, source, target] = command.split(" ");
@@ -9919,10 +10506,10 @@ function applyFileAction(command) {
     symlinkSync(sourcePath, targetPath);
   }
 }
-function runSync(machineId, options = {}, runner = runMachineCommand) {
-  const plan = buildSyncPlan(machineId, runner);
+function runSyncPlan(plan, options = {}, runner = runMachineCommand) {
+  assertMutationPlanDigest(plan, options.expectedPlanDigest);
   if (!options.apply) {
-    return plan;
+    return attachMutationPlanDigest({ ...plan, mode: "plan", executed: 0 });
   }
   if (!options.yes) {
     throw new Error("Sync execution requires --yes.");
@@ -9949,12 +10536,12 @@ function runSync(machineId, options = {}, runner = runMachineCommand) {
     }
     executed += 1;
   }
-  const summary = {
+  const summary = attachMutationPlanDigest({
     machineId: plan.machineId,
     mode: "apply",
     actions: plan.actions,
     executed
-  };
+  });
   recordSyncRun(plan.machineId, "completed", summary);
   return summary;
 }
@@ -10589,8 +11176,8 @@ function runDoctor(machineId, options = {}) {
 
 // src/commands/daemon.ts
 import { execFileSync } from "child_process";
-import { chmodSync, existsSync as existsSync8, readFileSync as readFileSync6, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync4 } from "fs";
-import { delimiter, dirname as dirname4 } from "path";
+import { chmodSync, existsSync as existsSync9, readFileSync as readFileSync7, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync4 } from "fs";
+import { delimiter as delimiter2, dirname as dirname4 } from "path";
 import { platform as osPlatform } from "os";
 var DEFAULT_SERVICE_NAME = "machines-agent";
 var DEFAULT_EXECUTABLE = "/usr/local/bin/machines-agent";
@@ -10998,13 +11585,13 @@ function bunRuntimeCandidates(executable) {
     `${dirname4(executable)}/bun`,
     process.env["BUN_INSTALL"] ? `${process.env["BUN_INSTALL"]}/bin/bun` : null,
     process.env["HOME"] ? `${process.env["HOME"]}/.bun/bin/bun` : null,
-    ...(process.env["PATH"] ?? "").split(delimiter).filter(Boolean).map((entry) => `${entry}/bun`)
+    ...(process.env["PATH"] ?? "").split(delimiter2).filter(Boolean).map((entry) => `${entry}/bun`)
   ].filter((value) => Boolean(value));
   return [...new Set(candidates)];
 }
 function isBunShebangScript(executable) {
   try {
-    const content = readFileSync6(executable, "utf8").slice(0, 256);
+    const content = readFileSync7(executable, "utf8").slice(0, 256);
     const firstLine2 = content.split(/\r?\n/, 1)[0] ?? "";
     return /^#!.*\bbun\b/.test(firstLine2);
   } catch {
@@ -11012,7 +11599,7 @@ function isBunShebangScript(executable) {
   }
 }
 function isExecutableFile(path) {
-  if (!existsSync8(path))
+  if (!existsSync9(path))
     return false;
   try {
     const stats = statSync(path);
@@ -11062,7 +11649,8 @@ function basename(path) {
 init_db();
 
 // src/commands/serve.ts
-import { EventsClient as EventsClient2, sanitizeChannelsForOutput } from "@hasna/events";
+import { EventsClient as EventsClient2, getEventsDataDir, sanitizeChannelsForOutput } from "@hasna/events";
+import { resolve as resolve3 } from "path";
 
 // src/agent/runtime.ts
 import { arch as arch3, hostname as hostname6, platform as platform4, release, uptime, version as osVersion } from "os";
@@ -11149,7 +11737,7 @@ function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
 function getServeInfo(options = {}) {
-  const host = options.host || "0.0.0.0";
+  const host = options.host || "127.0.0.1";
   const port = options.port || 7676;
   return {
     host,
@@ -11352,6 +11940,59 @@ async function parseJsonBody(request) {
 function jsonError(message, status = 400) {
   return Response.json({ error: message }, { status });
 }
+function dashboardResourceId(kind, ...parts) {
+  const values = parts.map((part) => String(part ?? "*").trim()).filter(Boolean).join(":");
+  return values ? `${kind}:${values}` : kind;
+}
+function eventStoreDir() {
+  return resolve3(getEventsDataDir());
+}
+function eventStoreScope() {
+  return { event_store_dir: eventStoreDir() };
+}
+function eventStoreResourceId(kind, ...parts) {
+  return dashboardResourceId(kind, mutationArgsSha256(eventStoreScope()), ...parts);
+}
+function withEventStoreScope(args) {
+  return { event_store_dir: eventStoreDir(), ...args };
+}
+function dashboardMutationCallerId() {
+  return process.env[MUTATION_APPROVAL_CALLER_ENV]?.trim() || "dashboard";
+}
+function dashboardMutationRunId() {
+  return process.env[MUTATION_APPROVAL_RUN_ENV]?.trim() || "dashboard";
+}
+function approvalTokenFromRequest(request, body) {
+  const bodyToken = typeof body["approval_token"] === "string" ? body["approval_token"] : typeof body["approvalToken"] === "string" ? body["approvalToken"] : undefined;
+  if (bodyToken?.trim())
+    return bodyToken;
+  const headerToken = request.headers.get("x-hasna-approval-token")?.trim();
+  if (headerToken)
+    return headerToken;
+  const authorization = request.headers.get("authorization")?.trim();
+  if (authorization?.toLowerCase().startsWith("bearer ")) {
+    return authorization.slice("bearer ".length).trim();
+  }
+  return;
+}
+function requireDashboardMutation(operation, request, body, scope = {}) {
+  const decision = verifyMutationApprovalToken({
+    surface: "dashboard",
+    operation,
+    transport: "dashboard:http",
+    callerId: dashboardMutationCallerId(),
+    runId: dashboardMutationRunId(),
+    resourceId: scope.resourceId,
+    args: scope.args,
+    approvalToken: approvalTokenFromRequest(request, body)
+  });
+  if (decision.approved)
+    return;
+  return jsonError(`Mutation approval denied: ${decision.reason ?? "approval_token is invalid."}`, 403);
+}
+function objectBodyValue(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
 function privateOutputWarnings(requested, allowed) {
   return requested && !allowed ? [PRIVATE_OUTPUT_DENIED_WARNING] : [];
 }
@@ -11363,6 +12004,7 @@ function appendWarnings(payload, warnings) {
 function startDashboardServer(options = {}) {
   const info = getServeInfo(options);
   const events = new EventsClient2;
+  const trustedNotificationApproval2 = createTrustedNotificationApproval();
   return Bun.serve({
     hostname: info.host,
     port: info.port,
@@ -11427,8 +12069,25 @@ function startDashboardServer(options = {}) {
         const severity = typeof body["severity"] === "string" ? body["severity"] : undefined;
         const message = typeof body["message"] === "string" ? body["message"] : undefined;
         const dedupeKey = typeof body["dedupeKey"] === "string" ? body["dedupeKey"] : undefined;
-        const data = body["data"] && typeof body["data"] === "object" && !Array.isArray(body["data"]) ? body["data"] : {};
-        const metadata = body["metadata"] && typeof body["metadata"] === "object" && !Array.isArray(body["metadata"]) ? body["metadata"] : {};
+        const data = objectBodyValue(body["data"]);
+        const metadata = objectBodyValue(body["metadata"]);
+        const denied = requireDashboardMutation("machines_events_emit", request, body, {
+          resourceId: eventStoreResourceId("event", type, subject, dedupeKey),
+          args: withEventStoreScope({
+            event_type: type,
+            source,
+            subject,
+            severity,
+            message,
+            data,
+            metadata,
+            dedupe_key: dedupeKey,
+            deliver: true,
+            dedupe: true
+          })
+        });
+        if (denied)
+          return denied;
         return Response.json(await events.emit({
           source,
           type,
@@ -11471,8 +12130,20 @@ function startDashboardServer(options = {}) {
         const message = typeof body["message"] === "string" ? body["message"] : undefined;
         const apply = body["apply"] === true;
         const yes = body["yes"] === true;
+        const resolvedEvent = event ?? "manual.test";
+        const resolvedMessage = message ?? "machines notification test";
+        const denied = requireDashboardMutation("machines_notifications_test", request, body, {
+          resourceId: dashboardResourceId("notification-test", channelId, resolvedEvent),
+          args: { channel_id: channelId, event: resolvedEvent, message: resolvedMessage, apply, yes }
+        });
+        if (denied)
+          return denied;
         try {
-          return Response.json(await testNotificationChannel(channelId, event, message, { apply, yes }));
+          return Response.json(await testNotificationChannel(channelId, resolvedEvent, resolvedMessage, {
+            apply,
+            yes,
+            trustedApproval: apply ? trustedNotificationApproval2 : undefined
+          }));
         } catch (error) {
           return jsonError(error instanceof Error ? error.message : String(error));
         }
@@ -11487,13 +12158,22 @@ function startDashboardServer(options = {}) {
           return jsonError("channelId is required.");
         }
         const type = typeof body["type"] === "string" ? body["type"] : "events.test";
-        const message = typeof body["message"] === "string" ? body["message"] : undefined;
+        const subject = channelId;
+        const message = typeof body["message"] === "string" ? body["message"] : "Hasna events test delivery";
+        const data = objectBodyValue(body["data"]);
+        const denied = requireDashboardMutation("machines_webhooks_test", request, body, {
+          resourceId: eventStoreResourceId("webhook-test", channelId, type),
+          args: withEventStoreScope({ channel_id: channelId, event_type: type, subject, message, data })
+        });
+        if (denied)
+          return denied;
         try {
           return Response.json(await events.testChannel(channelId, {
             source: "machines",
             type,
-            subject: channelId,
-            message
+            subject,
+            message,
+            data
           }));
         } catch (error) {
           return jsonError(error instanceof Error ? error.message : String(error));
@@ -11541,9 +12221,9 @@ function runSelfTest() {
 
 // src/commands/clipboard.ts
 init_paths();
-import { createHash } from "crypto";
-import { existsSync as existsSync9, readFileSync as readFileSync7, rmSync, writeFileSync as writeFileSync5 } from "fs";
-import { join as join6 } from "path";
+import { createHash as createHash2 } from "crypto";
+import { existsSync as existsSync10, readFileSync as readFileSync8, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "fs";
+import { join as join8 } from "path";
 var DEFAULT_CONFIG = {
   version: 1,
   enabled: true,
@@ -11561,7 +12241,7 @@ var DEFAULT_CONFIG = {
 function resolveConfigPath(configPath) {
   if (configPath)
     return configPath;
-  return join6(getDataDir(), "clipboard-config.json");
+  return join8(getDataDir(), "clipboard-config.json");
 }
 function resolveHistoryPath(historyPath) {
   if (historyPath)
@@ -11573,10 +12253,10 @@ function getDefaultConfig() {
 }
 function readConfig(configPath) {
   const path = resolveConfigPath(configPath);
-  if (!existsSync9(path)) {
+  if (!existsSync10(path)) {
     return getDefaultConfig();
   }
-  const parsed = JSON.parse(readFileSync7(path, "utf8"));
+  const parsed = JSON.parse(readFileSync8(path, "utf8"));
   return { ...getDefaultConfig(), ...parsed };
 }
 function writeConfig(config, configPath) {
@@ -11587,11 +12267,11 @@ function writeConfig(config, configPath) {
 }
 function readHistory(historyPath) {
   const path = resolveHistoryPath(historyPath);
-  if (!existsSync9(path)) {
+  if (!existsSync10(path)) {
     return [];
   }
   try {
-    return JSON.parse(readFileSync7(path, "utf8"));
+    return JSON.parse(readFileSync8(path, "utf8"));
   } catch {
     return [];
   }
@@ -11603,7 +12283,7 @@ function writeHistory(entries, historyPath) {
 `, "utf8");
 }
 function computeHash(content) {
-  return createHash("sha256").update(content).digest("hex").slice(0, 16);
+  return createHash2("sha256").update(content).digest("hex").slice(0, 16);
 }
 function shouldSkipContent(content, skipPatterns) {
   const lower = content.toLowerCase();
@@ -11620,10 +12300,10 @@ function sanitizeClipboardForRead(content, maxSizeBytes, skipPatterns) {
 }
 function getOrCreateClipboardKey() {
   const keyPath = getClipboardKeyPath();
-  if (existsSync9(keyPath)) {
-    return readFileSync7(keyPath, "utf8").trim();
+  if (existsSync10(keyPath)) {
+    return readFileSync8(keyPath, "utf8").trim();
   }
-  const key = createHash("sha256").update(crypto.randomUUID()).digest("hex").slice(0, 32);
+  const key = createHash2("sha256").update(crypto.randomUUID()).digest("hex").slice(0, 32);
   ensureParentDir(keyPath);
   writeFileSync5(keyPath, `${key}
 `, "utf8");
@@ -11660,8 +12340,8 @@ function addClipboardEntry(entry, historyPath) {
 }
 function clearClipboardHistory(historyPath) {
   const path = resolveHistoryPath(historyPath);
-  if (existsSync9(path)) {
-    rmSync(path);
+  if (existsSync10(path)) {
+    rmSync2(path);
   }
 }
 function getClipboardStatus(historyPath) {
@@ -11676,15 +12356,15 @@ function getClipboardStatus(historyPath) {
 
 // src/commands/clipboard-daemon.ts
 init_paths();
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync6 } from "fs";
-import { join as join7 } from "path";
-import { createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync10, writeFileSync as writeFileSync6 } from "fs";
+import { join as join9 } from "path";
+import { createHash as createHash4 } from "crypto";
 
 // src/commands/clipboard-server.ts
 init_paths();
 import { createServer } from "http";
-import { createHash as createHash2 } from "crypto";
-import { readFileSync as readFileSync8 } from "fs";
+import { createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync9 } from "fs";
 function readLocalClipboardSync() {
   const platform5 = process.platform;
   if (platform5 === "darwin") {
@@ -11730,7 +12410,7 @@ function hasCommand3(binary) {
 function loadSharedSecret() {
   const keyPath = getClipboardKeyPath();
   try {
-    return readFileSync8(keyPath, "utf8").trim();
+    return readFileSync9(keyPath, "utf8").trim();
   } catch {
     return "";
   }
@@ -11744,7 +12424,7 @@ function authenticate(request) {
   const secret = loadSharedSecret();
   if (!secret)
     return false;
-  return createHash2("sha256").update(token).digest("hex") === createHash2("sha256").update(secret).digest("hex");
+  return createHash3("sha256").update(token).digest("hex") === createHash3("sha256").update(secret).digest("hex");
 }
 function jsonResponse(response, status, data) {
   response.writeHead(status, { "content-type": "application/json" });
@@ -11784,7 +12464,7 @@ function startClipboardServer(options = {}) {
     server,
     port,
     close: async () => {
-      await new Promise((resolve2) => server.close(() => resolve2()));
+      await new Promise((resolve4) => server.close(() => resolve4()));
     }
   };
 }
@@ -11835,7 +12515,7 @@ function handleGetClipboard(response, config) {
 }
 
 // src/commands/clipboard-daemon.ts
-var DAEMON_PID_PATH = join7(getDataDir(), "clipboard-daemon.pid");
+var DAEMON_PID_PATH = join9(getDataDir(), "clipboard-daemon.pid");
 function readLocalClipboardSync2() {
   const platform5 = process.platform;
   if (platform5 === "darwin") {
@@ -11893,11 +12573,11 @@ function hasDisplayServer() {
   return false;
 }
 function computeHash2(content) {
-  return createHash3("sha256").update(content).digest("hex").slice(0, 16);
+  return createHash4("sha256").update(content).digest("hex").slice(0, 16);
 }
 function loadSharedSecret2() {
   try {
-    return readFileSync9(getClipboardKeyPath(), "utf8").trim();
+    return readFileSync10(getClipboardKeyPath(), "utf8").trim();
   } catch {
     return "";
   }
@@ -11908,7 +12588,7 @@ function writePid(pid) {
 }
 function readPid() {
   try {
-    const pid = Number.parseInt(readFileSync9(DAEMON_PID_PATH, "utf8").trim());
+    const pid = Number.parseInt(readFileSync10(DAEMON_PID_PATH, "utf8").trim());
     return Number.isFinite(pid) ? pid : null;
   } catch {
     return null;
@@ -12009,8 +12689,8 @@ async function discoverPeers() {
 
 // src/commands/heal.ts
 init_paths();
-import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync11, readFileSync as readFileSync11, writeFileSync as writeFileSync7 } from "fs";
+import { join as join10 } from "path";
 var DEFAULT_THRESHOLDS = {
   reconnect: 3,
   nmRestart: 7,
@@ -12054,16 +12734,16 @@ function defaultHealState() {
   };
 }
 function getHealConfigPath() {
-  return process.env["HASNA_MACHINES_HEAL_CONFIG_PATH"] || join8(getDataDir(), "heal-config.json");
+  return process.env["HASNA_MACHINES_HEAL_CONFIG_PATH"] || join10(getDataDir(), "heal-config.json");
 }
 function getHealStatePath() {
-  return process.env["HASNA_MACHINES_HEAL_STATE_PATH"] || join8(getDataDir(), "heal-state.json");
+  return process.env["HASNA_MACHINES_HEAL_STATE_PATH"] || join10(getDataDir(), "heal-state.json");
 }
 function readHealConfig(path) {
   const p = path || getHealConfigPath();
-  if (!existsSync10(p))
+  if (!existsSync11(p))
     return { ...DEFAULT_HEAL_CONFIG, thresholds: { ...DEFAULT_THRESHOLDS } };
-  const parsed = JSON.parse(readFileSync10(p, "utf8"));
+  const parsed = JSON.parse(readFileSync11(p, "utf8"));
   return {
     ...DEFAULT_HEAL_CONFIG,
     ...parsed,
@@ -12079,10 +12759,10 @@ function writeHealConfig(config, path) {
 }
 function readHealState(path) {
   const p = path || getHealStatePath();
-  if (!existsSync10(p))
+  if (!existsSync11(p))
     return defaultHealState();
   try {
-    return { ...defaultHealState(), ...JSON.parse(readFileSync10(p, "utf8")) };
+    return { ...defaultHealState(), ...JSON.parse(readFileSync11(p, "utf8")) };
   } catch {
     return defaultHealState();
   }
@@ -12209,7 +12889,7 @@ function sh(cmd, timeoutMs = 8000) {
 }
 function getCurrentBootId() {
   try {
-    return readFileSync10("/proc/sys/kernel/random/boot_id", "utf8").trim();
+    return readFileSync11("/proc/sys/kernel/random/boot_id", "utf8").trim();
   } catch {
     return "";
   }
@@ -12295,9 +12975,9 @@ function executeAction(action, config) {
 
 // src/commands/heal-daemon.ts
 init_paths();
-import { existsSync as existsSync11, readFileSync as readFileSync11, writeFileSync as writeFileSync8 } from "fs";
-import { join as join9 } from "path";
-var DAEMON_PID_PATH2 = join9(getDataDir(), "heal-daemon.pid");
+import { existsSync as existsSync12, readFileSync as readFileSync12, writeFileSync as writeFileSync8 } from "fs";
+import { join as join11 } from "path";
+var DAEMON_PID_PATH2 = join11(getDataDir(), "heal-daemon.pid");
 var SERVICE_PATH = "/etc/systemd/system/machines-heal.service";
 var SYSTEM_CONF = "/etc/systemd/system.conf";
 function log(msg) {
@@ -12343,7 +13023,7 @@ function writePid2(pid) {
 }
 function readPid2() {
   try {
-    const pid = Number.parseInt(readFileSync11(DAEMON_PID_PATH2, "utf8").trim());
+    const pid = Number.parseInt(readFileSync12(DAEMON_PID_PATH2, "utf8").trim());
     return Number.isFinite(pid) ? pid : null;
   } catch {
     return null;
@@ -12415,9 +13095,9 @@ function applyDeterminism(config) {
 }
 function enableHardwareWatchdog() {
   const log2 = [];
-  if (!existsSync11(SYSTEM_CONF))
+  if (!existsSync12(SYSTEM_CONF))
     return ["/etc/systemd/system.conf not found; skipping hardware watchdog"];
-  let conf = readFileSync11(SYSTEM_CONF, "utf8");
+  let conf = readFileSync12(SYSTEM_CONF, "utf8");
   const set = (key, value) => {
     const re = new RegExp(`^#?\\s*${key}=.*$`, "m");
     if (re.test(conf))
@@ -12447,7 +13127,7 @@ function binPath() {
     candidates.push(`${home}/.bun/bin/machines`);
   candidates.push("/root/.bun/bin/machines", "/usr/local/bin/machines");
   for (const c of candidates) {
-    if (c && existsSync11(c))
+    if (c && existsSync12(c))
       return c;
   }
   return "machines";
@@ -12483,7 +13163,7 @@ WantedBy=multi-user.target
 function uninstallHealService() {
   const log2 = [];
   sh2("systemctl disable --now machines-heal.service 2>/dev/null || true");
-  if (existsSync11(SERVICE_PATH)) {
+  if (existsSync12(SERVICE_PATH)) {
     sh2(`rm -f ${SERVICE_PATH}`);
     sh2("systemctl daemon-reload");
     log2.push(`removed ${SERVICE_PATH}`);
@@ -12494,7 +13174,7 @@ function uninstallHealService() {
 }
 function healServiceStatus() {
   return {
-    installed: existsSync11(SERVICE_PATH),
+    installed: existsSync12(SERVICE_PATH),
     active: sh2("systemctl is-active machines-heal.service").out === "active",
     enabled: sh2("systemctl is-enabled machines-heal.service 2>/dev/null").out === "enabled"
   };
@@ -12533,8 +13213,6 @@ ${items.map((item) => `- ${item}`).join(`
 }
 
 // src/cli/index.ts
-import { rmSync as rmSync2 } from "fs";
-import { readFileSync as readFileSync12 } from "fs";
 var program2 = new Command;
 function printJsonOrText(data, text, json = false) {
   if (json || program2.opts().quiet) {
@@ -12802,23 +13480,307 @@ program2.name("machines").description("Machine fleet management CLI + MCP for de
 var manifestCommand = program2.command("manifest").description("Manage the fleet manifest");
 var appsCommand = program2.command("apps").description("Manage installed applications per machine");
 var notificationsCommand = program2.command("notifications").description("Manage fleet alert delivery channels");
-var eventWebhooksCommand = registerWebhookCommands(program2, { source: "machines" });
-eventWebhooksCommand.description("Manage shared event webhook subscriptions");
-var webhookTestCommand = eventWebhooksCommand.commands.find((command2) => command2.name() === "test");
-var webhookOptions = webhookTestCommand?.options ?? [];
-var webhookMessageOption = webhookOptions.find((option) => option.long === "--message");
-if (webhookMessageOption) {
-  webhookMessageOption.defaultValue = "Shared events test delivery";
-}
-var eventsCommand = registerEventCommands(program2, { source: "machines" });
-eventsCommand.description("Emit, list, and replay shared events");
+var eventWebhooksCommand = program2.command("webhooks").description("Manage shared event webhook subscriptions");
+var eventsCommand = program2.command("events").description("Emit, list, and replay shared events");
 var runtimeCommand = program2.command("runtime").description("Watch runtime conditions and emit shared events");
 var clipboardCommand = program2.command("clipboard").description("Real-time clipboard sync across fleet machines");
 var installClaudeCommand = program2.command("install-claude").description("Install or inspect Claude, Codex, and Gemini CLIs");
 var daemonCommand = program2.command("daemon").description("Install and inspect the machines-agent fleet daemon service");
+var trustedNotificationApproval2 = createTrustedNotificationApproval();
+function cliMachineId(machineId) {
+  return machineId?.trim() || "local";
+}
+function cliResourceId(kind, ...parts) {
+  const values = parts.map((part) => String(part ?? "*").trim()).filter(Boolean).join(":");
+  return values ? `${kind}:${values}` : kind;
+}
+function cliMutationCallerId() {
+  return process.env["HASNA_MACHINES_MUTATION_CALLER_ID"]?.trim() || "cli";
+}
+function cliMutationRunId() {
+  return process.env["HASNA_MACHINES_MUTATION_RUN_ID"]?.trim() || "cli";
+}
+function requireCliMutation(operation, approvalToken, scope = {}) {
+  assertMutationApproved({
+    surface: "cli",
+    operation,
+    transport: "cli",
+    callerId: cliMutationCallerId(),
+    runId: cliMutationRunId(),
+    machineId: scope.machineId === undefined ? undefined : cliMachineId(scope.machineId),
+    resourceId: scope.resourceId === undefined || scope.resourceId === null ? undefined : scope.resourceId,
+    args: scope.args,
+    approvalToken
+  });
+}
+function cliPlanApprovalArgs(args, plan) {
+  return {
+    ...args,
+    plan_digest: mutationPlanDigest(plan)
+  };
+}
+function cliPlanResourceId(operation, machineId, plan) {
+  return cliResourceId("plan", operation, machineId, mutationPlanDigest(plan));
+}
+function createEventsClient() {
+  return new EventsClient3;
+}
+function eventStoreDir2() {
+  return resolve4(getEventsDataDir2());
+}
+function eventStoreScope2() {
+  return { event_store_dir: eventStoreDir2() };
+}
+function eventStoreResourceId2(kind, ...parts) {
+  return cliResourceId(kind, mutationArgsSha256(eventStoreScope2()), ...parts);
+}
+function withEventStoreScope2(args) {
+  return { event_store_dir: eventStoreDir2(), ...args };
+}
+function readJsonArrayFile(path) {
+  if (!existsSync13(path))
+    return [];
+  const raw = readFileSync13(path, "utf8").trim();
+  if (!raw)
+    return [];
+  const parsed = JSON.parse(raw);
+  if (!Array.isArray(parsed))
+    throw new Error(`Expected ${path} to contain a JSON array.`);
+  return parsed;
+}
+function readEventChannelsWithoutInit() {
+  return readJsonArrayFile(join12(eventStoreDir2(), "channels.json"));
+}
+function readEventsWithoutInit() {
+  return readJsonArrayFile(join12(eventStoreDir2(), "events.json"));
+}
+function filterEventsForReplay(events, options) {
+  return events.filter((event) => {
+    if (options.id && event.id !== options.id)
+      return false;
+    if (options.source && event.source !== options.source)
+      return false;
+    if (options.type && event.type !== options.type)
+      return false;
+    return true;
+  });
+}
+function collectOptionValues(value, previous = []) {
+  previous.push(value);
+  return previous;
+}
+function parseNumberOption(value) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed))
+    throw new Error(`Expected a finite number, got ${value}`);
+  return parsed;
+}
+function parseJsonObjectOption(value, fallback) {
+  if (value === undefined)
+    return fallback;
+  const parsed = JSON.parse(value);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("Expected a JSON object.");
+  }
+  return parsed;
+}
+function parseHeaderOptions(values) {
+  if (!values?.length)
+    return;
+  const headers = {};
+  for (const value of values) {
+    const separator = value.indexOf("=");
+    if (separator === -1)
+      throw new Error(`Invalid header, expected name=value: ${value}`);
+    headers[value.slice(0, separator)] = value.slice(separator + 1);
+  }
+  return headers;
+}
+function buildEventFilter(options) {
+  const filter = {};
+  if (options.source)
+    filter.source = options.source;
+  if (options.type)
+    filter.type = options.type;
+  if (options.subject)
+    filter.subject = options.subject;
+  if (options.severity)
+    filter.severity = options.severity;
+  return Object.keys(filter).length > 0 ? [filter] : undefined;
+}
+function wantsCommandJson(options, command2) {
+  return Boolean(options.json || command2.optsWithGlobals?.().json || command2.parent?.optsWithGlobals?.().json || program2.opts().quiet);
+}
+function printCommandResult(data, text, json) {
+  if (json || program2.opts().quiet) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+  console.log(text);
+}
+function runtimeTmuxCommand() {
+  return process.env["HASNA_MACHINES_TMUX_BIN"]?.trim() || "tmux";
+}
+function runtimeTmuxEventTypes(once) {
+  return once ? ["machines.tmux.pane_missing"] : ["machines.tmux.pane_died"];
+}
+eventWebhooksCommand.command("add").description("Add or replace a webhook or command subscription").argument("<target>", "Webhook URL or command binary").requiredOption("--id <id>", "Subscription/channel identifier").option("--transport <kind>", "Transport kind: webhook or command", "webhook").option("--name <name>", "Display name").option("--type <pattern>", "Event type filter, e.g. todos.task.*").option("--source <pattern>", "Event source filter").option("--subject <pattern>", "Event subject filter").option("--severity <pattern>", "Event severity filter").option("--secret <secret>", "Webhook HMAC secret").option("--header <name=value...>", "Webhook header", collectOptionValues, []).option("--arg <arg...>", "Command argument", collectOptionValues, []).option("--timeout-ms <ms>", "Transport timeout in milliseconds", parseNumberOption).option("--retry-attempts <n>", "Maximum delivery attempts", parseNumberOption).option("--retry-backoff-ms <ms>", "Initial retry backoff in milliseconds", parseNumberOption).option("--redact <path...>", "Event field path to redact before delivery", collectOptionValues, []).option("--disabled", "Create channel disabled", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (target, options, command2) => {
+  const headers = parseHeaderOptions(options.header);
+  const commandArgs = options.arg ?? [];
+  const redactPaths = options.redact ?? [];
+  const enabled = !options.disabled;
+  const filter = buildEventFilter(options);
+  const channel = {
+    id: options.id,
+    name: options.name,
+    enabled,
+    transport: options.transport,
+    filters: filter,
+    retry: options.retryAttempts || options.retryBackoffMs ? { maxAttempts: options.retryAttempts, backoffMs: options.retryBackoffMs } : undefined,
+    redact: redactPaths.length > 0 ? { paths: redactPaths } : undefined
+  };
+  if (options.transport === "webhook") {
+    channel.webhook = { url: target, secret: options.secret, headers, timeoutMs: options.timeoutMs };
+  } else if (options.transport === "command") {
+    channel.command = { command: target, args: commandArgs, timeoutMs: options.timeoutMs };
+  } else {
+    throw new Error(`Transport ${options.transport} is reserved for future use and cannot be added yet`);
+  }
+  requireCliMutation("machines_webhooks_add", options.approvalToken, {
+    resourceId: eventStoreResourceId2("webhook", options.id),
+    args: withEventStoreScope2({
+      channel_id: options.id,
+      target,
+      transport: options.transport,
+      name: options.name,
+      event_type: options.type,
+      source: options.source,
+      subject: options.subject,
+      severity: options.severity,
+      secret: options.secret,
+      headers,
+      args: commandArgs,
+      timeout_ms: options.timeoutMs,
+      retry_attempts: options.retryAttempts,
+      retry_backoff_ms: options.retryBackoffMs,
+      redact: redactPaths,
+      enabled
+    })
+  });
+  const saved = await createEventsClient().addChannel(channel);
+  printCommandResult(sanitizeChannelForOutput(saved), `Added ${saved.transport} channel ${saved.id}`, wantsCommandJson(options, command2));
+});
+eventWebhooksCommand.command("list").description("List configured subscriptions").option("-j, --json", "Print JSON output", false).action(async (options, command2) => {
+  const channels = readEventChannelsWithoutInit();
+  if (wantsCommandJson(options, command2)) {
+    console.log(JSON.stringify(sanitizeChannelsForOutput2(channels), null, 2));
+    return;
+  }
+  if (!channels.length) {
+    console.log("No channels configured.");
+    return;
+  }
+  for (const channel of channels) {
+    console.log(`${channel.id}	${channel.enabled ? "enabled" : "disabled"}	${channel.transport}	${channel.webhook?.url ?? channel.command?.command ?? channel.transport}`);
+  }
+});
+eventWebhooksCommand.command("remove").description("Remove a subscription").argument("<id>", "Subscription/channel identifier").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (id, options, command2) => {
+  requireCliMutation("machines_webhooks_remove", options.approvalToken, {
+    resourceId: eventStoreResourceId2("webhook", id),
+    args: withEventStoreScope2({ channel_id: id })
+  });
+  const removed = await createEventsClient().removeChannel(id);
+  printCommandResult({ removed }, removed ? `Removed ${id}` : `Channel not found: ${id}`, wantsCommandJson(options, command2));
+});
+eventWebhooksCommand.command("test").description("Send a test event to one subscription").argument("<id>", "Subscription/channel identifier").option("--type <type>", "Event type", "events.test").option("--subject <subject>", "Event subject").option("--message <message>", "Event message", "Shared events test delivery").option("--data <json>", "Event data JSON object").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (id, options, command2) => {
+  const data = parseJsonObjectOption(options.data, { test: true });
+  const subject = options.subject ?? id;
+  requireCliMutation("machines_webhooks_test", options.approvalToken, {
+    resourceId: eventStoreResourceId2("webhook-test", id, options.type),
+    args: withEventStoreScope2({ channel_id: id, event_type: options.type, subject, message: options.message, data })
+  });
+  const result = await createEventsClient().testChannel(id, {
+    source: "machines",
+    type: options.type,
+    subject,
+    message: options.message,
+    data
+  });
+  printCommandResult(result, `${result.status}: ${result.channelId}`, wantsCommandJson(options, command2));
+});
+eventsCommand.command("emit").description("Emit an event from this app").argument("<type>", "Event type").option("--source <source>", "Event source override").option("--subject <subject>", "Event subject").option("--severity <severity>", "Event severity", "info").option("--message <message>", "Event message").option("--dedupe-key <key>", "Dedupe key").option("--data <json>", "Event data JSON object").option("--metadata <json>", "Event metadata JSON object").option("--no-deliver", "Record without delivering").option("--no-dedupe", "Allow duplicate id/dedupeKey events").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (type, options, command2) => {
+  const source = options.source ?? "machines";
+  const data = parseJsonObjectOption(options.data, {});
+  const metadata = parseJsonObjectOption(options.metadata, {});
+  requireCliMutation("machines_events_emit", options.approvalToken, {
+    resourceId: eventStoreResourceId2("event", type, options.subject, options.dedupeKey),
+    args: withEventStoreScope2({
+      event_type: type,
+      source,
+      subject: options.subject,
+      severity: options.severity,
+      message: options.message,
+      data,
+      metadata,
+      dedupe_key: options.dedupeKey,
+      deliver: options.deliver,
+      dedupe: options.dedupe
+    })
+  });
+  const result = await createEventsClient().emit({
+    source,
+    type,
+    subject: options.subject,
+    severity: options.severity,
+    message: options.message,
+    dedupeKey: options.dedupeKey,
+    data,
+    metadata
+  }, { deliver: options.deliver, dedupe: options.dedupe });
+  printCommandResult(result, `${result.deduped ? "Deduped" : "Emitted"} ${result.event.id} to ${result.deliveries.length} channel(s)`, wantsCommandJson(options, command2));
+});
+eventsCommand.command("list").description("List recorded events").option("--source <source>", "Filter by source").option("--type <type>", "Filter by type").option("--limit <n>", "Limit results", parseNumberOption).option("-j, --json", "Print JSON output", false).action(async (options, command2) => {
+  let rows = readEventsWithoutInit();
+  if (options.source)
+    rows = rows.filter((event) => event.source === options.source);
+  if (options.type)
+    rows = rows.filter((event) => event.type === options.type);
+  if (options.limit)
+    rows = rows.slice(-options.limit);
+  if (wantsCommandJson(options, command2)) {
+    console.log(JSON.stringify(rows, null, 2));
+    return;
+  }
+  if (!rows.length) {
+    console.log("No events recorded.");
+    return;
+  }
+  for (const event of rows) {
+    console.log(`${event.time}	${event.id}	${event.source}	${event.type}	${event.severity}`);
+  }
+});
+eventsCommand.command("replay").description("Replay recorded events").option("--id <id>", "Replay one event id").option("--source <source>", "Filter by source").option("--type <type>", "Filter by type").option("--dry-run", "Preview without delivery", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options, command2) => {
+  if (options.dryRun !== true) {
+    requireCliMutation("machines_events_replay", options.approvalToken, {
+      resourceId: eventStoreResourceId2("event-replay", options.id, options.source, options.type),
+      args: withEventStoreScope2({ event_id: options.id, source: options.source, event_type: options.type, dry_run: false })
+    });
+  }
+  const result = options.dryRun === true ? { events: filterEventsForReplay(readEventsWithoutInit(), options), deliveries: [] } : await createEventsClient().replay({
+    eventId: options.id,
+    source: options.source,
+    type: options.type,
+    dryRun: options.dryRun
+  });
+  printCommandResult(result, `Replayed ${result.events.length} event(s), ${result.deliveries.length} delivery result(s)`, wantsCommandJson(options, command2));
+});
 function addDaemonLifecycleCommand(action, description) {
-  daemonCommand.command(action).description(description).option("--platform <platform>", "Service platform to plan for (macos, linux)").option("--mode <mode>", "Service mode (user, system)", "user").option("--service-name <name>", "Service name/label", "machines-agent").option("--executable <path>", "Absolute machines-agent executable path").option("--interval-ms <ms>", "Heartbeat interval in milliseconds").option("--storage-push", "Configure daemon to push heartbeat rows to storage", false).option("--doctor-summary", "Configure daemon to include lightweight doctor summaries", false).option("--private-metadata", "Opt in to private host/network metadata in heartbeat rows", false).option("--env <name...>", "Environment variable names to include as placeholders").option("--apply", "Write service files and run planned commands", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
-    const plan = buildDaemonServicePlan(parseDaemonOptions(action, options));
+  daemonCommand.command(action).description(description).option("--platform <platform>", "Service platform to plan for (macos, linux)").option("--mode <mode>", "Service mode (user, system)", "user").option("--service-name <name>", "Service name/label", "machines-agent").option("--executable <path>", "Absolute machines-agent executable path").option("--interval-ms <ms>", "Heartbeat interval in milliseconds").option("--storage-push", "Configure daemon to push heartbeat rows to storage", false).option("--doctor-summary", "Configure daemon to include lightweight doctor summaries", false).option("--private-metadata", "Opt in to private host/network metadata in heartbeat rows", false).option("--env <name...>", "Environment variable names to include as placeholders").option("--apply", "Write service files and run planned commands", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+    const planOptions = parseDaemonOptions(action, options);
+    const plan = buildDaemonServicePlan(planOptions);
+    if (options.apply) {
+      requireCliMutation(`daemon_${action}`, options.approvalToken, { resourceId: cliResourceId("daemon", action, options.serviceName), args: planOptions });
+    }
     const result = runDaemonServicePlan(plan, { apply: options.apply, yes: options.yes });
     if (options.json || options.apply) {
       console.log(JSON.stringify(result, null, 2));
@@ -12832,7 +13794,8 @@ addDaemonLifecycleCommand("uninstall", "Plan or uninstall the machines-agent dae
 addDaemonLifecycleCommand("restart", "Plan or restart the machines-agent daemon service");
 addDaemonLifecycleCommand("status", "Plan a daemon service status command");
 addDaemonLifecycleCommand("logs", "Plan a daemon service log command");
-manifestCommand.command("init").description("Create an empty fleet manifest").action(() => {
+manifestCommand.command("init").description("Create an empty fleet manifest").option("--approval-token <token>", "Scoped mutation approval token").action((options) => {
+  requireCliMutation("manifest_init", options.approvalToken, { resourceId: "manifest:init", args: {} });
   console.log(manifestInit());
 });
 manifestCommand.command("path").description("Print the manifest path").action(() => {
@@ -12844,7 +13807,8 @@ manifestCommand.command("list").description("Print the fleet manifest").action((
 manifestCommand.command("validate").description("Validate the fleet manifest").action(() => {
   console.log(JSON.stringify(manifestValidate(), null, 2));
 });
-manifestCommand.command("bootstrap").description("Detect and upsert the current machine into the manifest").action(() => {
+manifestCommand.command("bootstrap").description("Detect and upsert the current machine into the manifest").option("--approval-token <token>", "Scoped mutation approval token").action((options) => {
+  requireCliMutation("manifest_bootstrap", options.approvalToken, { resourceId: "manifest:bootstrap", args: {} });
   console.log(JSON.stringify(manifestBootstrapCurrentMachine(), null, 2));
 });
 manifestCommand.command("get").description("Print a single machine from the manifest").argument("<id>", "Machine identifier").action((id) => {
@@ -12856,18 +13820,20 @@ manifestCommand.command("get").description("Print a single machine from the mani
   }
   console.log(JSON.stringify(machine, null, 2));
 });
-manifestCommand.command("remove").description("Remove a machine from the manifest").argument("<id>", "Machine identifier").action((id) => {
+manifestCommand.command("remove").description("Remove a machine from the manifest").argument("<id>", "Machine identifier").option("--approval-token <token>", "Scoped mutation approval token").action((id, options) => {
+  requireCliMutation("manifest_remove", options.approvalToken, { machineId: id, args: { machine_id: id } });
   console.log(JSON.stringify(manifestRemove(id), null, 2));
 });
-manifestCommand.command("add").description("Add or replace a machine in the fleet manifest").option("--id <id>", "Machine identifier").option("--platform <platform>", "linux | macos | windows").option("--workspace-path <path>", "Primary workspace path").option("--hostname <hostname>", "Machine hostname").option("--ssh-address <sshAddress>", "Machine SSH address").option("--tailscale-name <tailscaleName>", "Machine Tailscale DNS name").option("--connection <connection>", "local | ssh | tailscale").option("--bun-path <path>", "Bun executable directory").option("--tag <tag...>", "Machine tags").option("--package <name...>", "Desired packages").option("--app <spec...>", "Desired apps as name[:manager[:packageName]]").option("--file <spec...>", "File sync spec source:target[:copy|symlink]").option("--metadata <json>", "Machine metadata as JSON").option("--from-stdin", "Read the full MachineManifest JSON from stdin").action((options) => {
+manifestCommand.command("add").description("Add or replace a machine in the fleet manifest").option("--id <id>", "Machine identifier").option("--platform <platform>", "linux | macos | windows").option("--workspace-path <path>", "Primary workspace path").option("--hostname <hostname>", "Machine hostname").option("--ssh-address <sshAddress>", "Machine SSH address").option("--tailscale-name <tailscaleName>", "Machine Tailscale DNS name").option("--connection <connection>", "local | ssh | tailscale").option("--bun-path <path>", "Bun executable directory").option("--tag <tag...>", "Machine tags").option("--package <name...>", "Desired packages").option("--app <spec...>", "Desired apps as name[:manager[:packageName]]").option("--file <spec...>", "File sync spec source:target[:copy|symlink]").option("--metadata <json>", "Machine metadata as JSON").option("--from-stdin", "Read the full MachineManifest JSON from stdin").option("--approval-token <token>", "Scoped mutation approval token").action((options) => {
   const fromStdin = Boolean(options["fromStdin"] || options["from-stdin"]);
   if (fromStdin) {
     if (process.stdin.isTTY) {
       console.error("error: --from-stdin requires piped input");
       process.exit(1);
     }
-    const input = readFileSync12(0, "utf8");
+    const input = readFileSync13(0, "utf8");
     const machine2 = JSON.parse(input);
+    requireCliMutation("manifest_add", typeof options["approvalToken"] === "string" ? options["approvalToken"] : undefined, { machineId: machine2.id, args: machine2 });
     console.log(JSON.stringify(manifestAdd(machine2), null, 2));
     return;
   }
@@ -12906,6 +13872,7 @@ manifestCommand.command("add").description("Add or replace a machine in the flee
     apps,
     files
   };
+  requireCliMutation("manifest_add", typeof options["approvalToken"] === "string" ? options["approvalToken"] : undefined, { machineId: machine.id, args: machine });
   console.log(JSON.stringify(manifestAdd(machine), null, 2));
 });
 appsCommand.command("list").description("List manifest-managed apps for a machine").option("--machine <id>", "Machine identifier").option("-j, --json", "Print JSON output", false).action((options) => {
@@ -12924,16 +13891,47 @@ appsCommand.command("plan").description("Preview app install steps for a machine
   const result = buildAppsPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
-appsCommand.command("apply").description("Install manifest-managed apps for a machine").option("--machine <id>", "Machine identifier").option("--yes", "Confirm execution", false).action((options) => {
-  const result = runAppsInstall(options.machine, { apply: true, yes: options.yes });
+appsCommand.command("apply").description("Install manifest-managed apps for a machine").option("--machine <id>", "Machine identifier").option("--yes", "Confirm execution", false).option("--approval-token <token>", "Scoped mutation approval token").action((options) => {
+  const resolvedMachineId = cliMachineId(options.machine);
+  const plan = buildAppsPlan(options.machine);
+  requireCliMutation("apps_apply", options.approvalToken, {
+    machineId: resolvedMachineId,
+    resourceId: cliPlanResourceId("apps_apply", resolvedMachineId, plan),
+    args: cliPlanApprovalArgs({ machine_id: resolvedMachineId, yes: options.yes }, plan)
+  });
+  const result = runAppsPlan(plan, { apply: true, yes: options.yes });
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("setup").description("Prepare a machine from the fleet manifest").option("--machine <id>", "Machine identifier").option("--apply", "Execute provisioning commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
-  const result = options.apply ? runSetup(options.machine, { apply: true, yes: options.yes }) : buildSetupPlan(options.machine);
+program2.command("setup").description("Prepare a machine from the fleet manifest").option("--machine <id>", "Machine identifier").option("--apply", "Execute provisioning commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  if (options.apply) {
+    const resolvedMachineId = cliMachineId(options.machine);
+    const plan = buildSetupPlan(options.machine);
+    requireCliMutation("setup_apply", options.approvalToken, {
+      machineId: resolvedMachineId,
+      resourceId: cliPlanResourceId("setup_apply", resolvedMachineId, plan),
+      args: cliPlanApprovalArgs({ machine_id: resolvedMachineId, yes: options.yes }, plan)
+    });
+    const result2 = runSetupPlan(plan, { apply: true, yes: options.yes });
+    console.log(JSON.stringify(result2, null, 2));
+    return;
+  }
+  const result = buildSetupPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("sync").description("Reconcile a machine against the fleet manifest").option("--machine <id>", "Machine identifier").option("--apply", "Execute reconciliation commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
-  const result = options.apply ? runSync(options.machine, { apply: true, yes: options.yes }) : buildSyncPlan(options.machine);
+program2.command("sync").description("Reconcile a machine against the fleet manifest").option("--machine <id>", "Machine identifier").option("--apply", "Execute reconciliation commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  if (options.apply) {
+    const resolvedMachineId = cliMachineId(options.machine);
+    const plan = buildSyncPlan(options.machine);
+    requireCliMutation("sync_apply", options.approvalToken, {
+      machineId: resolvedMachineId,
+      resourceId: cliPlanResourceId("sync_apply", resolvedMachineId, plan),
+      args: cliPlanApprovalArgs({ machine_id: resolvedMachineId, yes: options.yes }, plan)
+    });
+    const result2 = runSyncPlan(plan, { apply: true, yes: options.yes });
+    console.log(JSON.stringify(result2, null, 2));
+    return;
+  }
+  const result = buildSyncPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
 program2.command("topology").description("Discover local, manifest, heartbeat, SSH, and Tailscale machine topology").option("--no-tailscale", "Skip tailscale status probing").option("--private-metadata", "Print private host/network route fields", false).option("-j, --json", "Print JSON output", false).action((options) => {
@@ -12999,7 +13997,19 @@ workspaceCommand.command("doctor").description("Diagnose repo and open-files wor
   if (result.diagnostics.some((entry) => entry.severity === "fail") && !options.json)
     process.exitCode = 1;
 });
-workspaceCommand.command("repair").description("Preview or write explicit manifest path mappings for inferred workspace roots").requiredOption("--machine <id>", "Machine identifier").requiredOption("--project <id>", "Canonical project id").option("--repo <name>", "Repository name; defaults to project id").option("--open-files-repo <name>", "Open-files repository name", "open-files").option("--workspace-root <path>", "Override the machine workspace root for resolution").option("--project-root <path>", "Explicit project root to write").option("--open-files-root <path>", "Explicit open-files root to write").option("--apply", "Write the mappings into the manifest", false).option("--allow-untrusted", "Allow writing mappings for machines not marked trusted", false).option("--no-tailscale", "Skip tailscale status probing").option("-j, --json", "Print JSON output", false).action((options) => {
+workspaceCommand.command("repair").description("Preview or write explicit manifest path mappings for inferred workspace roots").requiredOption("--machine <id>", "Machine identifier").requiredOption("--project <id>", "Canonical project id").option("--repo <name>", "Repository name; defaults to project id").option("--open-files-repo <name>", "Open-files repository name", "open-files").option("--workspace-root <path>", "Override the machine workspace root for resolution").option("--project-root <path>", "Explicit project root to write").option("--open-files-root <path>", "Explicit open-files root to write").option("--apply", "Write the mappings into the manifest", false).option("--allow-untrusted", "Allow writing mappings for machines not marked trusted", false).option("--no-tailscale", "Skip tailscale status probing").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  if (options.apply)
+    requireCliMutation("workspace_repair", options.approvalToken, { machineId: options.machine, args: {
+      machine: options.machine,
+      project: options.project,
+      repo: options.repo,
+      openFilesRepo: options.openFilesRepo,
+      workspaceRoot: options.workspaceRoot,
+      projectRoot: options.projectRoot,
+      openFilesRoot: options.openFilesRoot,
+      allowUntrusted: options.allowUntrusted,
+      tailscale: options.tailscale
+    } });
   const result = repairWorkspaceManifestMappings({
     machineId: options.machine,
     projectId: options.project,
@@ -13020,18 +14030,26 @@ program2.command("diff").description("Show manifest differences between two mach
   const result = diffMachines(options.left, options.right);
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("backup").description("Create and optionally upload a machine backup archive").option("--bucket <name>", "S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET").option("--prefix <prefix>", "S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines").option("--apply", "Execute backup commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
+program2.command("backup").description("Create and optionally upload a machine backup archive").option("--bucket <name>", "S3 bucket name; defaults to HASNA_MACHINES_S3_BUCKET or MACHINES_S3_BUCKET").option("--prefix <prefix>", "S3 key prefix; defaults to HASNA_MACHINES_S3_PREFIX, MACHINES_S3_PREFIX, or machines").option("--apply", "Execute backup commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  if (options.apply) {
+    const target = resolveBackupTarget({ bucket: options.bucket, prefix: options.prefix });
+    requireCliMutation("backup_apply", options.approvalToken, { resourceId: cliResourceId("backup", target.bucket, target.prefix), args: { bucket: target.bucket, prefix: target.prefix, yes: options.yes } });
+  }
   const result = options.apply ? runBackup(options.bucket, options.prefix, { apply: true, yes: options.yes }) : buildBackupPlan(options.bucket, options.prefix);
   console.log(JSON.stringify(result, null, 2));
 });
 var certCommand = program2.command("cert").description("Manage mkcert-based local SSL certificates");
-certCommand.command("issue").description("Plan or issue certificates for one or more domains").argument("<domains...>", "Domains to include in the certificate").option("--apply", "Execute certificate commands instead of previewing them", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((domains, options) => {
+certCommand.command("issue").description("Plan or issue certificates for one or more domains").argument("<domains...>", "Domains to include in the certificate").option("--apply", "Execute certificate commands instead of previewing them", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((domains, options) => {
+  if (options.apply)
+    requireCliMutation("cert_apply", options.approvalToken, { resourceId: cliResourceId("cert", domains.join(",")), args: { domains, yes: options.yes } });
   const result = options.apply ? runCertPlan(domains, { apply: true, yes: options.yes }) : buildCertPlan(domains);
   console.log(JSON.stringify(result, null, 2));
 });
 var dnsCommand = program2.command("dns").description("Manage local domain mappings");
-dnsCommand.command("add").description("Add or replace a local domain mapping").requiredOption("--domain <domain>", "Domain name").requiredOption("--port <port>", "Target port").option("--target-host <host>", "Target host", "127.0.0.1").option("-j, --json", "Print JSON output", false).action((options) => {
-  const result = addDomainMapping(options.domain, parseIntegerOption(options.port, "port", { min: 1, max: 65535 }), options.targetHost);
+dnsCommand.command("add").description("Add or replace a local domain mapping").requiredOption("--domain <domain>", "Domain name").requiredOption("--port <port>", "Target port").option("--target-host <host>", "Target host", "127.0.0.1").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  const port = parseIntegerOption(options.port, "port", { min: 1, max: 65535 });
+  requireCliMutation("dns_add", options.approvalToken, { resourceId: cliResourceId("dns", options.domain), args: { domain: options.domain, port, target_host: options.targetHost } });
+  const result = addDomainMapping(options.domain, port, options.targetHost);
   console.log(JSON.stringify(result, null, 2));
 });
 dnsCommand.command("list").description("List saved local domain mappings").option("-j, --json", "Print JSON output", false).action(() => {
@@ -13040,43 +14058,91 @@ dnsCommand.command("list").description("List saved local domain mappings").optio
 dnsCommand.command("render").description("Render hosts/proxy configuration for a domain").argument("<domain>", "Domain name").option("-j, --json", "Print JSON output", false).action((domain) => {
   console.log(JSON.stringify(renderDomainMapping(domain), null, 2));
 });
-notificationsCommand.command("add").description("Add or replace a notification channel").requiredOption("--id <id>", "Channel identifier").requiredOption("--type <type>", "email | webhook | command").requiredOption("--target <target>", "Email, webhook URL, or shell command").option("--event <event...>", "Events routed to this channel", ["setup_failed", "sync_failed"]).option("--disabled", "Create the channel in disabled state", false).option("-j, --json", "Print JSON output", false).action((options) => {
+notificationsCommand.command("add").description("Add or replace a notification channel").requiredOption("--id <id>", "Channel identifier").requiredOption("--type <type>", "email | webhook | command").requiredOption("--target <target>", "Email, webhook URL, or command executable").option("--arg <arg...>", "Command argument for command transports", collectOptionValues, []).option("--event <event...>", "Events routed to this channel", ["setup_failed", "sync_failed"]).option("--disabled", "Create the channel in disabled state", false).option("--approval-token <token>", "Operator mutation approval token for command transports").option("-j, --json", "Print JSON output", false).action((options) => {
+  const enabled = !options.disabled;
+  const events = [...new Set(options.event)];
+  const commandArgs = options.arg ?? [];
+  requireCliMutation("notifications_add", options.approvalToken, { resourceId: cliResourceId("notification", options.id), args: { id: options.id, type: options.type, target: options.target, args: commandArgs, event: events, enabled } });
   const result = addNotificationChannel({
     id: options.id,
     type: options.type,
     target: options.target,
-    events: options.event,
-    enabled: !options.disabled
-  });
+    commandArgs: options.type === "command" && commandArgs.length > 0 ? commandArgs : undefined,
+    events,
+    enabled
+  }, { trustedApproval: trustedNotificationApproval2 });
   printJsonOrText(result, renderNotificationConfigResult(result), options.json);
 });
 notificationsCommand.command("list").description("List configured notification channels").option("-j, --json", "Print JSON output", false).action((options) => {
   const result = listNotificationChannels();
   printJsonOrText(result, renderNotificationConfigResult(result), options.json);
 });
-notificationsCommand.command("test").description("Preview or execute a notification test").requiredOption("--channel <id>", "Channel identifier").option("--event <name>", "Event name", "manual.test").option("--message <message>", "Test message", "machines notification test").option("--apply", "Execute the notification test instead of previewing it", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action(async (options) => {
+notificationsCommand.command("test").description("Preview or execute a notification test").requiredOption("--channel <id>", "Channel identifier").option("--event <name>", "Event name", "manual.test").option("--message <message>", "Test message", "machines notification test").option("--apply", "Execute the notification test instead of previewing it", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Operator mutation approval token for command transports").option("-j, --json", "Print JSON output", false).action(async (options) => {
+  if (options.apply)
+    requireCliMutation("notifications_test", options.approvalToken, { resourceId: cliResourceId("notification-test", options.channel, options.event), args: { channel: options.channel, event: options.event, message: options.message, yes: options.yes } });
   const result = await testNotificationChannel(options.channel, options.event, options.message, {
     apply: options.apply,
-    yes: options.yes
+    yes: options.yes,
+    trustedApproval: options.apply === true ? trustedNotificationApproval2 : undefined
   });
   printJsonOrText(result, renderNotificationTestResult(result), options.json);
 });
-notificationsCommand.command("dispatch").description("Dispatch an event to matching notification channels").requiredOption("--event <name>", "Event name").requiredOption("--message <message>", "Message body").option("--channel <id>", "Limit delivery to one channel").option("-j, --json", "Print JSON output", false).action(async (options) => {
-  const result = await dispatchNotificationEvent(options.event, options.message, { channelId: options.channel });
+notificationsCommand.command("dispatch").description("Dispatch an event to matching notification channels").requiredOption("--event <name>", "Event name").requiredOption("--message <message>", "Message body").option("--channel <id>", "Limit delivery to one channel").option("--approval-token <token>", "Operator mutation approval token for command transports").option("-j, --json", "Print JSON output", false).action(async (options) => {
+  requireCliMutation("notifications_dispatch", options.approvalToken, { resourceId: cliResourceId("notification-dispatch", options.channel, options.event), args: { event: options.event, message: options.message, channel: options.channel } });
+  const result = await dispatchNotificationEvent(options.event, options.message, { channelId: options.channel, trustedApproval: trustedNotificationApproval2 });
   printJsonOrText(result, renderNotificationDispatchResult(result), options.json);
 });
-notificationsCommand.command("remove").description("Remove a notification channel").argument("<id>", "Channel identifier").option("-j, --json", "Print JSON output", false).action((id, options) => {
+notificationsCommand.command("remove").description("Remove a notification channel").argument("<id>", "Channel identifier").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((id, options) => {
+  requireCliMutation("notifications_remove", options.approvalToken, { resourceId: cliResourceId("notification", id), args: { id } });
   const result = removeNotificationChannel(id);
   printJsonOrText(result, renderNotificationConfigResult(result), options.json);
 });
-runtimeCommand.command("tmux-watch").description("Watch a tmux pane and emit machines.tmux.pane_died if it disappears").argument("<target>", "tmux pane target, for example %1 or session:window.pane").option("--interval-ms <ms>", "Polling interval in milliseconds", "5000").option("--max-checks <n>", "Stop after N checks instead of watching forever").option("--once", "Probe once and emit machines.tmux.pane_missing when absent", false).option("--no-deliver", "Record the event without webhook delivery").option("-j, --json", "Print JSON output", false).action(async (target, options) => {
+runtimeCommand.command("tmux-hook-plan").description("Print a tmux pane-died hook command that emits machines events").option("--machines-command <command>", "machines CLI executable", "machines").option("--tmux-command <command>", "tmux executable").option("--deliver", "Deliver webhooks from the hook instead of recording only", false).option("--approval-token <token>", "Scoped mutation token for the generated events emit command").option("--trusted-local-mutation", "Include process-local trusted mutation env when no approval token is supplied", false).option("-j, --json", "Print JSON output", false).action((options) => {
+  if (!options.approvalToken && options.trustedLocalMutation !== true) {
+    throw new Error("tmux-hook-plan requires --approval-token or explicit --trusted-local-mutation.");
+  }
+  const result = buildTmuxPaneDiedHookPlan({
+    machinesCommand: options.machinesCommand,
+    tmuxCommand: options.tmuxCommand,
+    deliver: options.deliver,
+    approvalToken: options.approvalToken,
+    trustedLocalMutation: options.trustedLocalMutation
+  });
+  printJsonOrText(result, result.shellCommand, options.json);
+});
+runtimeCommand.command("tmux-watch").description("Watch a tmux pane and emit machines.tmux.pane_died if it disappears").argument("<target>", "tmux pane target, for example %1 or session:window.pane").option("--interval-ms <ms>", "Polling interval in milliseconds", "5000").option("--max-checks <n>", "Stop after N checks instead of watching forever").option("--once", "Probe once and emit machines.tmux.pane_missing when absent", false).option("--no-deliver", "Record the event without webhook delivery").option("--approval-token <token>", "Scoped mutation approval token for event delivery").option("-j, --json", "Print JSON output", false).action(async (target, options) => {
+  const normalizedTarget = target.trim();
+  if (!normalizedTarget)
+    throw new Error("tmux pane target is required");
+  const intervalMs = parseIntegerOption(options.intervalMs ?? "5000", "interval-ms", { min: 0 });
   const maxChecks = options.once ? 1 : options.maxChecks ? parseIntegerOption(options.maxChecks, "max-checks", { min: 1 }) : undefined;
+  const once = Boolean(options.once);
+  const deliver = options.deliver !== false;
+  const tmuxCommand = runtimeTmuxCommand();
+  const eventTypes = runtimeTmuxEventTypes(once);
+  const scopedIntervalMs = once ? undefined : intervalMs;
+  if (deliver) {
+    requireCliMutation("machines_runtime_tmux_watch_deliver", options.approvalToken, {
+      resourceId: eventStoreResourceId2("runtime-tmux-watch", normalizedTarget, eventTypes.join(",")),
+      args: withEventStoreScope2({
+        target: normalizedTarget,
+        event_types: eventTypes,
+        interval_ms: scopedIntervalMs,
+        max_checks: maxChecks,
+        once,
+        emit_initial_missing: once,
+        deliver: true,
+        tmux_command: tmuxCommand
+      })
+    });
+  }
   const result = await watchTmuxPane({
-    target,
-    intervalMs: parseIntegerOption(options.intervalMs ?? "5000", "interval-ms", { min: 0 }),
+    target: normalizedTarget,
+    intervalMs,
     maxChecks,
-    emitInitialMissing: Boolean(options.once),
-    deliver: options.deliver !== false,
+    emitInitialMissing: once,
+    deliver,
+    tmuxCommand,
     onProbe: options.json ? undefined : (probe) => {
       const status = probe.exists ? source_default.green("present") : source_default.yellow("missing");
       console.error(`tmux ${probe.target}: ${status}${probe.paneId ? ` ${probe.paneId}` : ""}`);
@@ -13145,7 +14211,7 @@ clipboardCommand.command("clear-history").description("Clear clipboard sync hist
 });
 clipboardCommand.command("key").description("Show or rotate the shared secret key").option("--rotate", "Generate a new key", false).option("-j, --json", "Print JSON output", false).action((options) => {
   if (options.rotate) {
-    rmSync2(getClipboardKeyPath(), { force: true });
+    rmSync3(getClipboardKeyPath(), { force: true });
   }
   const key = getOrCreateClipboardKey();
   printJsonOrText({ key }, key, options.json);
@@ -13170,12 +14236,31 @@ installClaudeCommand.command("plan").description("Preview CLI install steps").op
   const result = buildClaudeInstallPlan(options.machine, options.tool);
   console.log(JSON.stringify(result, null, 2));
 });
-installClaudeCommand.command("apply").description("Install or update the requested CLIs").option("--machine <id>", "Machine identifier").option("--tool <name...>", "CLI tools to install (claude, codex, gemini)").option("--yes", "Confirm execution when using apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
-  const result = runClaudeInstall(options.machine, options.tool, { apply: true, yes: options.yes });
+installClaudeCommand.command("apply").description("Install or update the requested CLIs").option("--machine <id>", "Machine identifier").option("--tool <name...>", "CLI tools to install (claude, codex, gemini)").option("--yes", "Confirm execution when using apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  const resolvedMachineId = cliMachineId(options.machine);
+  const plan = buildClaudeInstallPlan(options.machine, options.tool);
+  requireCliMutation("install_claude_apply", options.approvalToken, {
+    machineId: resolvedMachineId,
+    resourceId: cliPlanResourceId("install_claude_apply", resolvedMachineId, plan),
+    args: cliPlanApprovalArgs({ machine_id: resolvedMachineId, tools: options.tool, yes: options.yes }, plan)
+  });
+  const result = runClaudeInstallPlan(plan, { apply: true, yes: options.yes });
   console.log(JSON.stringify(result, null, 2));
 });
-program2.command("install-tailscale").description("Install Tailscale on a machine").option("--machine <id>", "Machine identifier").option("--apply", "Execute installation commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("-j, --json", "Print JSON output", false).action((options) => {
-  const result = options.apply ? runTailscaleInstall(options.machine, { apply: true, yes: options.yes }) : buildTailscaleInstallPlan(options.machine);
+program2.command("install-tailscale").description("Install Tailscale on a machine").option("--machine <id>", "Machine identifier").option("--apply", "Execute installation commands instead of previewing the plan", false).option("--yes", "Confirm execution when using --apply", false).option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action((options) => {
+  if (options.apply) {
+    const resolvedMachineId = cliMachineId(options.machine);
+    const plan = buildTailscaleInstallPlan(options.machine);
+    requireCliMutation("install_tailscale_apply", options.approvalToken, {
+      machineId: resolvedMachineId,
+      resourceId: cliPlanResourceId("install_tailscale_apply", resolvedMachineId, plan),
+      args: cliPlanApprovalArgs({ machine_id: resolvedMachineId, yes: options.yes }, plan)
+    });
+    const result2 = runTailscaleInstallPlan(plan, { apply: true, yes: options.yes });
+    console.log(JSON.stringify(result2, null, 2));
+    return;
+  }
+  const result = buildTailscaleInstallPlan(options.machine);
   console.log(JSON.stringify(result, null, 2));
 });
 program2.command("route").description("Resolve the best route for a machine").requiredOption("--machine <id>", "Machine identifier").option("--no-tailscale", "Skip tailscale status probing").option("--private-metadata", "Print private route targets", false).option("--cmd <command>", "Remote command to run").option("-j, --json", "Print JSON output", false).action((options) => {
@@ -13327,28 +14412,34 @@ storageCommand.command("status").description("Show storage sync status").option(
     ["tables", status.tables.join(", ")]
   ]), options.json);
 });
-storageCommand.command("push").description("Push local machine runtime data to storage PostgreSQL").option("--tables <tables>", "Comma-separated table names").option("-j, --json", "Print JSON output", false).action(async (options) => {
+storageCommand.command("push").description("Push local machine runtime data to storage PostgreSQL").option("--tables <tables>", "Comma-separated table names").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options) => {
   try {
-    const { parseStorageTables: parseStorageTables2, storagePush: storagePush2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
-    const results = await storagePush2({ tables: parseStorageTables2(options.tables) });
+    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storagePush: storagePush2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
+    const tables = resolveTables2(parseStorageTables2(options.tables));
+    requireCliMutation("storage_push", options.approvalToken, { resourceId: cliResourceId("storage-push", tables.join(",")), args: { tables } });
+    const results = await storagePush2({ tables });
     printStorageResults(results, options.json);
   } catch (error) {
     printStorageError(error);
   }
 });
-storageCommand.command("pull").description("Pull machine runtime data from storage PostgreSQL to local SQLite").option("--tables <tables>", "Comma-separated table names").option("-j, --json", "Print JSON output", false).action(async (options) => {
+storageCommand.command("pull").description("Pull machine runtime data from storage PostgreSQL to local SQLite").option("--tables <tables>", "Comma-separated table names").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options) => {
   try {
-    const { parseStorageTables: parseStorageTables2, storagePull: storagePull2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
-    const results = await storagePull2({ tables: parseStorageTables2(options.tables) });
+    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storagePull: storagePull2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
+    const tables = resolveTables2(parseStorageTables2(options.tables));
+    requireCliMutation("storage_pull", options.approvalToken, { resourceId: cliResourceId("storage-pull", tables.join(",")), args: { tables } });
+    const results = await storagePull2({ tables });
     printStorageResults(results, options.json);
   } catch (error) {
     printStorageError(error);
   }
 });
-storageCommand.command("sync").description("Bidirectional storage sync: pull then push").option("--tables <tables>", "Comma-separated table names").option("-j, --json", "Print JSON output", false).action(async (options) => {
+storageCommand.command("sync").description("Bidirectional storage sync: pull then push").option("--tables <tables>", "Comma-separated table names").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options) => {
   try {
-    const { parseStorageTables: parseStorageTables2, storageSync: storageSync2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
-    const result = await storageSync2({ tables: parseStorageTables2(options.tables) });
+    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storageSync: storageSync2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
+    const tables = resolveTables2(parseStorageTables2(options.tables));
+    requireCliMutation("storage_sync", options.approvalToken, { resourceId: cliResourceId("storage-sync", tables.join(",")), args: { tables } });
+    const result = await storageSync2({ tables });
     if (options.json) {
       console.log(JSON.stringify(result, null, 2));
       return;
@@ -13373,7 +14464,7 @@ program2.command("self-test").description("Run local package smoke checks").opti
   const result = runSelfTest();
   printJsonOrText(result, renderSelfTestResult(result), options.json);
 });
-program2.command("serve").description("Serve a local fleet dashboard and JSON API").option("--host <host>", "Host interface to bind", "0.0.0.0").option("--port <port>", "Port to bind", "7676").option("-j, --json", "Print serve config and exit", false).action((options) => {
+program2.command("serve").description("Serve a local fleet dashboard and JSON API").option("--host <host>", "Host interface to bind", "127.0.0.1").option("--port <port>", "Port to bind", "7676").option("-j, --json", "Print serve config and exit", false).action((options) => {
   const info = getServeInfo({ host: options.host, port: parseIntegerOption(options.port, "port", { min: 1, max: 65535 }) });
   if (options.json) {
     console.log(JSON.stringify(info, null, 2));