@hasna/machines 0.0.48 → 0.0.49

package/README.md

@@ -76,6 +76,8 @@ instead of importing private dependencies.
 It also reports noninteractive sudo readiness, SSH certificate support, and
 GitHub App secret-reference readiness without printing credentials or private
 keys.
+`machines self-test --json` includes `overall` and `counts` fields so agents
+can branch on readiness without scanning every check.
 
 Apple device management belongs in the private deployment layer. The public
 setup plan can report enrollment status with `profiles status -type enrollment`,
@@ -288,6 +290,13 @@ Configure database storage with `HASNA_MACHINES_DATABASE_URL` or fallback
 `HASNA_MACHINES_STORAGE_MODE` or `MACHINES_STORAGE_MODE` with `local`,
 `hybrid`, or `remote`.
 
+Remote PostgreSQL storage is fail-closed for TLS. Non-loopback database hosts
+default to verified TLS, and `sslmode=disable`, `ssl=false`,
+`sslmode=no-verify`, or `HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED=0`
+are rejected. For loopback development databases only, set
+`HASNA_MACHINES_ALLOW_INSECURE_DATABASE_TLS=1` to permit disabled or
+non-verified TLS.
+
 ## Fleet daemon
 
 `machines-agent` can run as a managed heartbeat daemon. The daemon writes local
@@ -444,6 +453,16 @@ back to the tailnet IP. The local machine is skipped. The managed block is delim
 by markers, so re-running `apply` only rewrites that block and leaves the rest of
 `/etc/hosts` untouched.
 
+### Direct @hasna/events bins
+
+`@hasna/events` is a dependency of `@hasna/machines` and publishes its own
+dependency-owned `events` and `hasna-events` binaries. Package managers may
+install those aliases into an application's top-level `node_modules/.bin`, but
+they are not part of the `@hasna/machines` command surface, release scripts,
+daemon plans, MCP tools, or approval model. Use `machines events` and
+`machines webhooks` for machines-scoped event operations; those commands enforce
+machines mutation approval and bind scoped tokens to canonical arguments.
+
 ## Dashboard
 
 ```bash

package/dist/agent/index.js

@@ -992,7 +992,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          } else {}
+          }
         };
       }
       return this;
@@ -12399,6 +12399,8 @@ var defaults = import_lib.default.defaults;
 var esm_default = import_lib.default;
 
 // src/remote-storage.ts
+var MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV = "HASNA_MACHINES_ALLOW_INSECURE_DATABASE_TLS";
+var MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV = "HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED";
 function translatePlaceholders(sql) {
   let index = 0;
   return sql.replace(/\?/g, () => `$${++index}`);
@@ -12407,7 +12409,18 @@ function normalizeParams(params) {
   const flat = params.length === 1 && Array.isArray(params[0]) ? params[0] : params;
   return flat.map((value) => value === undefined ? null : value);
 }
-function sslConfigFor(connectionString) {
+function envFlag(env, name) {
+  const value = env[name]?.trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes" || value === "on";
+}
+function isLoopbackHost(hostname4) {
+  const normalized = hostname4.replace(/^\[|\]$/g, "").toLowerCase();
+  return normalized === "localhost" || normalized === "::1" || normalized === "0:0:0:0:0:0:0:1" || /^127(?:\.\d{1,3}){3}$/.test(normalized);
+}
+function allowsLocalInsecureTls(url, env) {
+  return isLoopbackHost(url.hostname) && envFlag(env, MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV);
+}
+function sslConfigFor(connectionString, env = process.env) {
   let url;
   try {
     url = new URL(connectionString);
@@ -12416,12 +12429,21 @@ function sslConfigFor(connectionString) {
   }
   const sslMode = url.searchParams.get("sslmode")?.toLowerCase();
   const ssl = url.searchParams.get("ssl")?.toLowerCase();
-  if (sslMode === "disable" || ssl === "false")
-    return;
-  if (sslMode === "no-verify" || process.env["HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED"] === "0") {
+  const rejectUnauthorizedOverride = env[MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV]?.trim() === "0";
+  if (sslMode === "disable" || ssl === "false") {
+    if (allowsLocalInsecureTls(url, env))
+      return;
+    throw new Error(`Insecure PostgreSQL TLS mode is rejected for remote storage; use sslmode=require or set ${MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV}=1 only for loopback development databases.`);
+  }
+  if (sslMode === "no-verify" || rejectUnauthorizedOverride) {
+    if (!allowsLocalInsecureTls(url, env)) {
+      throw new Error(`PostgreSQL TLS certificate verification cannot be disabled for remote storage; set ${MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV}=1 only for loopback development databases.`);
+    }
     return { rejectUnauthorized: false };
   }
-  return sslMode || ssl === "true" ? { rejectUnauthorized: true } : undefined;
+  if (sslMode || ssl === "true")
+    return { rejectUnauthorized: true };
+  return isLoopbackHost(url.hostname) ? undefined : { rejectUnauthorized: true };
 }
 
 class PgAdapterAsync {
@@ -12653,12 +12675,12 @@ function summarizeTailscale(privateMetadata) {
   }
   return sanitizeRecord(summary, privateMetadata);
 }
-function envFlag(name) {
+function envFlag2(name) {
   const value = process.env[name]?.trim().toLowerCase();
   return value === "1" || value === "true" || value === "yes" || value === "on";
 }
 function shouldCollectDoctorSummary(value) {
-  return value ?? envFlag("HASNA_MACHINES_AGENT_DOCTOR_SUMMARY");
+  return value ?? envFlag2("HASNA_MACHINES_AGENT_DOCTOR_SUMMARY");
 }
 function collectDoctorSummary(machineId, enabled) {
   if (!enabled)
@@ -12853,7 +12875,7 @@ function getAgentStatus(machineId, options = {}) {
 
 // src/agent/index.ts
 var program2 = new Command;
-function envFlag2(name) {
+function envFlag3(name) {
   const value = process.env[name]?.trim().toLowerCase();
   return value === "1" || value === "true" || value === "yes" || value === "on";
 }
@@ -12862,9 +12884,9 @@ var options = program2.parse(process.argv).opts();
 var parsedIntervalSeconds = options.interval ? Number.parseFloat(options.interval) : NaN;
 var parsedIntervalMs = Number.parseInt(options.intervalMs, 10);
 var intervalMs = Number.isFinite(parsedIntervalSeconds) ? Math.max(1, Math.floor(parsedIntervalSeconds * 1000)) : Number.isFinite(parsedIntervalMs) ? Math.max(1, parsedIntervalMs) : 30000;
-var storagePushEnabled = options.storagePush || envFlag2("HASNA_MACHINES_AGENT_STORAGE_PUSH");
-var privateMetadataEnabled = options.privateMetadata || envFlag2("HASNA_MACHINES_PRIVATE_METADATA") || envFlag2("MACHINES_PRIVATE_METADATA");
-var doctorSummaryEnabled = options.doctorSummary || envFlag2("HASNA_MACHINES_AGENT_DOCTOR_SUMMARY");
+var storagePushEnabled = options.storagePush || envFlag3("HASNA_MACHINES_AGENT_STORAGE_PUSH");
+var privateMetadataEnabled = options.privateMetadata || envFlag3("HASNA_MACHINES_PRIVATE_METADATA") || envFlag3("MACHINES_PRIVATE_METADATA");
+var doctorSummaryEnabled = options.doctorSummary || envFlag3("HASNA_MACHINES_AGENT_DOCTOR_SUMMARY");
 var storagePushRetries = Math.max(0, Number.parseInt(options.storagePushRetries, 10) || 0);
 var storagePushBackoffMs = Math.max(0, Number.parseInt(options.storagePushBackoffMs, 10) || 0);
 async function tick() {