@hasna/machines 0.0.48 → 0.0.49

package/dist/cli/index.js

@@ -993,7 +993,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          } else {}
+          }
         };
       }
       return this;
@@ -2283,6 +2283,289 @@ var init_db = __esm(() => {
   ];
 });
 
+// src/commands/mutation-approval.ts
+import { createHash, createHmac, randomUUID, timingSafeEqual } from "crypto";
+import { resolve as resolve2 } from "path";
+function createTrustedSdkMutationApproval() {
+  const approval = {};
+  trustedSdkMutationApprovals.add(approval);
+  return approval;
+}
+function isTrustedSdkMutationApproval(approval) {
+  return typeof approval === "object" && approval !== null && trustedSdkMutationApprovals.has(approval);
+}
+function isTruthy(value) {
+  return value === "1" || value?.toLowerCase() === "true" || value?.toLowerCase() === "yes";
+}
+function nowMs(now) {
+  if (typeof now === "number")
+    return now;
+  if (now instanceof Date)
+    return now.getTime();
+  return Date.now();
+}
+function signingSecret(env2, explicitSecret) {
+  return explicitSecret?.trim() || env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim();
+}
+function hmac(payload, secret) {
+  return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+function sha256Hex(payload) {
+  return createHash("sha256").update(payload).digest("hex");
+}
+function replayDbPath(env2) {
+  const configured = env2[MUTATION_APPROVAL_REPLAY_PATH_ENV]?.trim();
+  return configured ? resolve2(configured) : undefined;
+}
+function replayNonceKey(claims) {
+  return sha256Hex(JSON.stringify({ nonce: claims.nonce }));
+}
+function recordReplayNonce(env2, claims, tokenPayload, now) {
+  const dbPath = replayDbPath(env2);
+  if (!dbPath)
+    return;
+  if (!claims.nonce) {
+    return { approved: false, reason: "approval_token nonce claim is required for replay protection." };
+  }
+  try {
+    const db = getDb(dbPath);
+    db.query("DELETE FROM mutation_approval_nonces WHERE expires_at <= ?").run(now);
+    const result = db.query(`
+      INSERT OR IGNORE INTO mutation_approval_nonces (
+        nonce_sha256,
+        token_sha256,
+        surface,
+        operation,
+        caller_id,
+        run_id,
+        transport,
+        expires_at,
+        used_at
+      )
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(replayNonceKey(claims), sha256Hex(tokenPayload), claims.surface, claims.operation, claims.callerId ?? "", claims.runId ?? "", claims.transport ?? "", claims.expiresAt, now);
+    if (result.changes !== 1) {
+      return { approved: false, reason: "approval_token nonce has already been used." };
+    }
+    return;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { approved: false, reason: `approval_token replay store is unavailable: ${message}` };
+  }
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function canonicalizeMutationArg(value, inArray = false) {
+  if (value === undefined)
+    return inArray ? null : undefined;
+  if (value === null || typeof value === "boolean" || typeof value === "string")
+    return value;
+  if (typeof value === "number")
+    return Number.isFinite(value) ? value : null;
+  if (Array.isArray(value)) {
+    return value.map((entry) => canonicalizeMutationArg(entry, true) ?? null);
+  }
+  if (value instanceof Date)
+    return value.toISOString();
+  if (typeof value === "object") {
+    const result = {};
+    for (const key of Object.keys(value).sort()) {
+      if (key === "approval_token" || key === "approvalToken")
+        continue;
+      const canonicalValue = canonicalizeMutationArg(value[key]);
+      if (canonicalValue !== undefined)
+        result[key] = canonicalValue;
+    }
+    return result;
+  }
+  return inArray ? null : undefined;
+}
+function canonicalMutationArgs(value) {
+  return JSON.stringify(canonicalizeMutationArg(value) ?? {});
+}
+function mutationArgsSha256(value) {
+  return sha256Hex(canonicalMutationArgs(value));
+}
+function stripPlanRuntimeFields(value) {
+  if (Array.isArray(value))
+    return value.map(stripPlanRuntimeFields);
+  if (value instanceof Date)
+    return value;
+  if (value && typeof value === "object") {
+    const result = {};
+    for (const [key, entry] of Object.entries(value)) {
+      if (key === "planDigest" || key === "plan_digest" || key === "mode" || key === "executed")
+        continue;
+      result[key] = stripPlanRuntimeFields(entry);
+    }
+    return result;
+  }
+  return value;
+}
+function mutationPlanDigest(plan) {
+  return mutationArgsSha256(stripPlanRuntimeFields(plan));
+}
+function attachMutationPlanDigest(plan) {
+  return {
+    ...plan,
+    planDigest: mutationPlanDigest(plan)
+  };
+}
+function assertMutationPlanDigest(plan, expectedPlanDigest) {
+  if (expectedPlanDigest && mutationPlanDigest(plan) !== expectedPlanDigest) {
+    throw new Error("Approved plan digest does not match the current execution plan.");
+  }
+}
+function parseToken(token) {
+  if (!token)
+    return null;
+  const parts = token.split(".");
+  if (parts.length !== 3 || parts[0] !== TOKEN_PREFIX)
+    return null;
+  try {
+    const claims = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
+    return { payload: parts[1] ?? "", signature: parts[2] ?? "", claims };
+  } catch {
+    return null;
+  }
+}
+function claimMatches(expected, actual) {
+  if (expected === undefined)
+    return actual === undefined;
+  return actual === expected;
+}
+function verifyMutationApprovalToken(options) {
+  const env2 = options.env ?? process.env;
+  const secret = signingSecret(env2);
+  if (!secret)
+    return { approved: false, reason: `${MUTATION_APPROVAL_TOKEN_ENV} is not configured.` };
+  const parsed = parseToken(options.approvalToken);
+  if (!parsed)
+    return { approved: false, reason: "approval_token is not a scoped mutation token." };
+  if (!safeEqual(hmac(parsed.payload, secret), parsed.signature)) {
+    return { approved: false, reason: "approval_token signature is invalid." };
+  }
+  const claims = parsed.claims;
+  if (claims.version !== 1)
+    return { approved: false, reason: "approval_token version is unsupported." };
+  if (!claims.callerId || !claims.runId) {
+    return { approved: false, reason: "approval_token must include caller and run claims." };
+  }
+  if (!claims.transport) {
+    return { approved: false, reason: "approval_token must include a transport claim." };
+  }
+  if (!Number.isFinite(claims.expiresAt) || claims.expiresAt <= nowMs(options.now)) {
+    return { approved: false, reason: "approval_token is expired." };
+  }
+  const now = nowMs(options.now);
+  if (!Number.isFinite(claims.issuedAt) || claims.issuedAt > now + MAX_CLOCK_SKEW_MS) {
+    return { approved: false, reason: "approval_token issue time is invalid." };
+  }
+  if (claims.expiresAt - claims.issuedAt > MAX_TOKEN_TTL_MS) {
+    return { approved: false, reason: "approval_token TTL is too long." };
+  }
+  for (const key of ["surface", "operation", "machineId", "resourceId", "transport"]) {
+    if (!claimMatches(options[key], claims[key])) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  for (const key of ["callerId", "runId"]) {
+    if (options[key] !== undefined && options[key] !== claims[key]) {
+      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
+    }
+  }
+  const expectedArgsSha256 = options.argsSha256 || (options.args === undefined ? undefined : mutationArgsSha256(options.args));
+  if (expectedArgsSha256 !== undefined && claims.args_sha256 !== expectedArgsSha256) {
+    return { approved: false, reason: "approval_token args_sha256 claim does not match this mutation." };
+  }
+  const replayDecision = recordReplayNonce(env2, claims, parsed.payload, now);
+  if (replayDecision)
+    return replayDecision;
+  return { approved: true, claims };
+}
+function isMutationApproved(options = {}) {
+  const env2 = options.env ?? process.env;
+  const surface = options.surface ?? "cli";
+  if (surface === "mcp") {
+    if (!options.operation)
+      return false;
+    return verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? "mcp",
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env: env2,
+      now: options.now
+    }).approved;
+  }
+  if (options.approvalToken) {
+    const decision = options.operation ? verifyMutationApprovalToken({
+      surface,
+      operation: options.operation,
+      machineId: options.machineId,
+      resourceId: options.resourceId,
+      callerId: options.callerId,
+      runId: options.runId,
+      transport: options.transport ?? surface,
+      args: options.args,
+      argsSha256: options.argsSha256,
+      approvalToken: options.approvalToken,
+      env: env2,
+      now: options.now
+    }) : { approved: false };
+    if (decision.approved)
+      return true;
+    if (env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim())
+      return false;
+  }
+  return isTruthy(env2[MUTATION_APPROVAL_FLAG_ENV]) || isTruthy(env2[LEGACY_MUTATION_APPROVAL_FLAG_ENV]);
+}
+function assertMutationApproved(options) {
+  if (isMutationApproved(options)) {
+    return;
+  }
+  const env2 = options.env ?? process.env;
+  const tokenConfigured = Boolean(env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim());
+  const approvalHint = options.surface === "mcp" ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV}` : tokenConfigured ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV} or set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session` : `set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session or configure ${MUTATION_APPROVAL_TOKEN_ENV}`;
+  throw new Error(`Fleet mutation blocked: ${options.surface}.${options.operation} requires operator approval; ${approvalHint}.`);
+}
+function assertSdkMutationApproved(scope, options = {}) {
+  if (isTrustedSdkMutationApproval(options.trustedLocalMutation))
+    return;
+  const decision = verifyMutationApprovalToken({
+    surface: "sdk",
+    operation: scope.operation,
+    machineId: scope.machineId,
+    resourceId: scope.resourceId,
+    callerId: options.callerId,
+    runId: options.runId,
+    transport: "sdk",
+    args: scope.args,
+    argsSha256: scope.argsSha256,
+    approvalToken: options.approvalToken,
+    env: process.env
+  });
+  if (decision.approved)
+    return;
+  throw new Error(`Fleet mutation blocked: sdk.${scope.operation} requires a scoped SDK approval token.`);
+}
+var MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_ALLOW_MUTATIONS", LEGACY_MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_MUTATION_APPROVAL", MUTATION_APPROVAL_TOKEN_ENV = "HASNA_MACHINES_MUTATION_TOKEN", MUTATION_APPROVAL_CALLER_ENV = "HASNA_MACHINES_MUTATION_CALLER_ID", MUTATION_APPROVAL_RUN_ENV = "HASNA_MACHINES_MUTATION_RUN_ID", MUTATION_APPROVAL_REPLAY_PATH_ENV = "HASNA_MACHINES_MUTATION_REPLAY_PATH", TOKEN_PREFIX = "machines-mut-v1", DEFAULT_TOKEN_TTL_MS, MAX_TOKEN_TTL_MS, MAX_CLOCK_SKEW_MS = 30000, trustedSdkMutationApprovals;
+var init_mutation_approval = __esm(() => {
+  init_db();
+  DEFAULT_TOKEN_TTL_MS = 5 * 60 * 1000;
+  MAX_TOKEN_TTL_MS = 5 * 60 * 1000;
+  trustedSdkMutationApprovals = new WeakSet;
+});
+
 // src/pg-migrations.ts
 var PG_MIGRATIONS;
 var init_pg_migrations = __esm(() => {
@@ -2354,7 +2637,18 @@ function normalizeParams(params) {
   const flat = params.length === 1 && Array.isArray(params[0]) ? params[0] : params;
   return flat.map((value) => value === undefined ? null : value);
 }
-function sslConfigFor(connectionString) {
+function envFlag(env2, name) {
+  const value = env2[name]?.trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes" || value === "on";
+}
+function isLoopbackHost(hostname6) {
+  const normalized = hostname6.replace(/^\[|\]$/g, "").toLowerCase();
+  return normalized === "localhost" || normalized === "::1" || normalized === "0:0:0:0:0:0:0:1" || /^127(?:\.\d{1,3}){3}$/.test(normalized);
+}
+function allowsLocalInsecureTls(url, env2) {
+  return isLoopbackHost(url.hostname) && envFlag(env2, MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV);
+}
+function sslConfigFor(connectionString, env2 = process.env) {
   let url;
   try {
     url = new URL(connectionString);
@@ -2363,12 +2657,21 @@ function sslConfigFor(connectionString) {
   }
   const sslMode = url.searchParams.get("sslmode")?.toLowerCase();
   const ssl = url.searchParams.get("ssl")?.toLowerCase();
-  if (sslMode === "disable" || ssl === "false")
-    return;
-  if (sslMode === "no-verify" || process.env["HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED"] === "0") {
+  const rejectUnauthorizedOverride = env2[MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV]?.trim() === "0";
+  if (sslMode === "disable" || ssl === "false") {
+    if (allowsLocalInsecureTls(url, env2))
+      return;
+    throw new Error(`Insecure PostgreSQL TLS mode is rejected for remote storage; use sslmode=require or set ${MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV}=1 only for loopback development databases.`);
+  }
+  if (sslMode === "no-verify" || rejectUnauthorizedOverride) {
+    if (!allowsLocalInsecureTls(url, env2)) {
+      throw new Error(`PostgreSQL TLS certificate verification cannot be disabled for remote storage; set ${MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV}=1 only for loopback development databases.`);
+    }
     return { rejectUnauthorized: false };
   }
-  return sslMode || ssl === "true" ? { rejectUnauthorized: true } : undefined;
+  if (sslMode || ssl === "true")
+    return { rejectUnauthorized: true };
+  return isLoopbackHost(url.hostname) ? undefined : { rejectUnauthorized: true };
 }
 
 class PgAdapterAsync {
@@ -2388,6 +2691,7 @@ class PgAdapterAsync {
     await this.pool.end();
   }
 }
+var MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV = "HASNA_MACHINES_ALLOW_INSECURE_DATABASE_TLS", MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV = "HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED";
 var init_remote_storage = () => {};
 
 // src/storage-sync.ts
@@ -2660,15 +2964,14 @@ var init_storage_sync = __esm(() => {
 // src/storage.ts
 var exports_storage = {};
 __export(exports_storage, {
-  storageSync: () => storageSync,
-  storagePush: () => storagePush,
-  storagePull: () => storagePull,
-  runStorageMigrations: () => runStorageMigrations,
+  storageSync: () => storageSync2,
+  storagePush: () => storagePush2,
+  storagePull: () => storagePull2,
+  runStorageMigrations: () => runStorageMigrations2,
   resolveTables: () => resolveTables,
   parseStorageTables: () => parseStorageTables,
   getSyncMetaAll: () => getSyncMetaAll,
   getStorageStatus: () => getStorageStatus,
-  getStoragePg: () => getStoragePg,
   getStorageMode: () => getStorageMode,
   getStorageDatabaseUrl: () => getStorageDatabaseUrl,
   getStorageDatabaseEnvName: () => getStorageDatabaseEnvName,
@@ -2676,7 +2979,6 @@ __export(exports_storage, {
   STORAGE_TABLES: () => STORAGE_TABLES,
   STORAGE_MODE_ENV: () => STORAGE_MODE_ENV,
   STORAGE_DATABASE_ENV: () => STORAGE_DATABASE_ENV,
-  PgAdapterAsync: () => PgAdapterAsync,
   PG_MIGRATIONS: () => PG_MIGRATIONS,
   MACHINES_STORAGE_TABLES: () => MACHINES_STORAGE_TABLES,
   MACHINES_STORAGE_MODE_FALLBACK_ENV: () => MACHINES_STORAGE_MODE_FALLBACK_ENV,
@@ -2684,10 +2986,50 @@ __export(exports_storage, {
   MACHINES_STORAGE_FALLBACK_ENV: () => MACHINES_STORAGE_FALLBACK_ENV,
   MACHINES_STORAGE_ENV: () => MACHINES_STORAGE_ENV
 });
+function storageArgs(options = {}) {
+  return {
+    tables: options.tables?.length ? [...options.tables] : null
+  };
+}
+function storageResourceId(operation, options = {}) {
+  return `storage:${operation}:${mutationArgsSha256(storageArgs(options))}`;
+}
+async function runStorageMigrations2(remote, options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_migrate",
+    resourceId: "storage:migrations",
+    args: {}
+  }, options);
+  return runStorageMigrations(remote);
+}
+async function storagePush2(options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_push",
+    resourceId: storageResourceId("push", options),
+    args: storageArgs(options)
+  }, options);
+  return storagePush({ tables: options.tables });
+}
+async function storagePull2(options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_pull",
+    resourceId: storageResourceId("pull", options),
+    args: storageArgs(options)
+  }, options);
+  return storagePull({ tables: options.tables });
+}
+async function storageSync2(options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_sync",
+    resourceId: storageResourceId("sync", options),
+    args: storageArgs(options)
+  }, options);
+  return storageSync({ tables: options.tables });
+}
 var init_storage = __esm(() => {
   init_storage_sync();
+  init_mutation_approval();
   init_pg_migrations();
-  init_remote_storage();
 });
 
 // node_modules/commander/esm.mjs
@@ -7432,378 +7774,120 @@ function readManifestWithSource(options = {}) {
         const manifest2 = options.adapter.readManifest({ source, rawRef });
         if (manifest2) {
           return {
-            manifest: fleetSchema.parse(manifest2),
-            info: {
-              source,
-              loadedFrom: "private-ref",
-              warnings
-            }
-          };
-        }
-        warnings.push(`private_manifest_adapter_empty:${redactIdentifier(options.adapter.id)}`);
-      } catch (error) {
-        warnings.push(`private_manifest_adapter_failed:${redactIdentifier(options.adapter.id)}`);
-      }
-    } else {
-      warnings.push("private_manifest_ref_without_adapter");
-    }
-    const fallbackSource = fileSourceRef(path);
-    const manifest = readManifest(path);
-    return {
-      manifest,
-      info: {
-        source,
-        loadedFrom: existsSync3(path) ? "fallback" : "default",
-        fallbackSource,
-        warnings
-      }
-    };
-  }
-  return {
-    manifest: readManifest(path),
-    info: {
-      source,
-      loadedFrom: existsSync3(path) ? "file" : "default",
-      warnings
-    }
-  };
-}
-function validateManifest(path = getManifestPath()) {
-  return readManifest(path);
-}
-function writeManifest(manifest, path = getManifestPath()) {
-  ensureParentDir(path);
-  const payload = {
-    ...manifest,
-    version: 1,
-    generatedAt: new Date().toISOString(),
-    machines: normalizeMachines(manifest.machines)
-  };
-  fleetSchema.parse(payload);
-  writeFileSync(path, `${JSON.stringify(payload, null, 2)}
-`, "utf8");
-  return path;
-}
-function getManifestMachine(machineId, path = getManifestPath()) {
-  return readManifest(path).machines.find((machine) => machine.id === machineId) || null;
-}
-function detectCurrentMachineManifest() {
-  const machineId = process.env["HASNA_MACHINES_MACHINE_ID"] || hostname();
-  const user = userInfo().username;
-  const bunDir = dirname3(process.execPath);
-  return {
-    id: machineId,
-    hostname: hostname(),
-    sshAddress: `${user}@${machineId}`,
-    tailscaleName: machineId,
-    platform: normalizePlatform(),
-    connection: "local",
-    workspacePath: detectWorkspacePath(),
-    bunPath: bunDir,
-    tags: [`arch:${arch()}`],
-    packages: [],
-    files: []
-  };
-}
-
-// src/commands/manifest.ts
-init_paths();
-function manifestInit() {
-  return writeManifest(getDefaultManifest(), getManifestPath());
-}
-function manifestList() {
-  return readManifest();
-}
-function manifestAdd(machine) {
-  const validatedMachine = machineSchema.parse(machine);
-  const manifest = readManifest();
-  const nextMachines = manifest.machines.filter((entry) => entry.id !== validatedMachine.id);
-  nextMachines.push(validatedMachine);
-  const nextManifest = { ...manifest, machines: nextMachines };
-  writeManifest(nextManifest);
-  return nextManifest;
-}
-function manifestBootstrapCurrentMachine() {
-  return manifestAdd(detectCurrentMachineManifest());
-}
-function manifestGet(machineId) {
-  return getManifestMachine(machineId);
-}
-function manifestRemove(machineId) {
-  const manifest = readManifest();
-  const nextManifest = {
-    ...manifest,
-    machines: manifest.machines.filter((machine) => machine.id !== machineId)
-  };
-  writeManifest(nextManifest);
-  return nextManifest;
-}
-function manifestValidate() {
-  return validateManifest(getManifestPath());
-}
-
-// src/commands/setup.ts
-import { homedir as homedir2 } from "os";
-init_db();
-
-// src/commands/mutation-approval.ts
-init_db();
-import { createHash, createHmac, randomUUID, timingSafeEqual } from "crypto";
-import { resolve as resolve2 } from "path";
-var MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_ALLOW_MUTATIONS";
-var LEGACY_MUTATION_APPROVAL_FLAG_ENV = "HASNA_MACHINES_MUTATION_APPROVAL";
-var MUTATION_APPROVAL_TOKEN_ENV = "HASNA_MACHINES_MUTATION_TOKEN";
-var MUTATION_APPROVAL_CALLER_ENV = "HASNA_MACHINES_MUTATION_CALLER_ID";
-var MUTATION_APPROVAL_RUN_ENV = "HASNA_MACHINES_MUTATION_RUN_ID";
-var MUTATION_APPROVAL_REPLAY_PATH_ENV = "HASNA_MACHINES_MUTATION_REPLAY_PATH";
-var TOKEN_PREFIX = "machines-mut-v1";
-var DEFAULT_TOKEN_TTL_MS = 5 * 60 * 1000;
-var MAX_TOKEN_TTL_MS = 5 * 60 * 1000;
-var MAX_CLOCK_SKEW_MS = 30000;
-function isTruthy(value) {
-  return value === "1" || value?.toLowerCase() === "true" || value?.toLowerCase() === "yes";
-}
-function nowMs(now) {
-  if (typeof now === "number")
-    return now;
-  if (now instanceof Date)
-    return now.getTime();
-  return Date.now();
-}
-function signingSecret(env2, explicitSecret) {
-  return explicitSecret?.trim() || env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim();
-}
-function hmac(payload, secret) {
-  return createHmac("sha256", secret).update(payload).digest("base64url");
-}
-function sha256Hex(payload) {
-  return createHash("sha256").update(payload).digest("hex");
-}
-function replayDbPath(env2) {
-  const configured = env2[MUTATION_APPROVAL_REPLAY_PATH_ENV]?.trim();
-  return configured ? resolve2(configured) : undefined;
-}
-function replayNonceKey(claims) {
-  return sha256Hex(JSON.stringify({ nonce: claims.nonce }));
-}
-function recordReplayNonce(env2, claims, tokenPayload, now) {
-  const dbPath = replayDbPath(env2);
-  if (!dbPath)
-    return;
-  if (!claims.nonce) {
-    return { approved: false, reason: "approval_token nonce claim is required for replay protection." };
-  }
-  try {
-    const db = getDb(dbPath);
-    db.query("DELETE FROM mutation_approval_nonces WHERE expires_at <= ?").run(now);
-    const result = db.query(`
-      INSERT OR IGNORE INTO mutation_approval_nonces (
-        nonce_sha256,
-        token_sha256,
-        surface,
-        operation,
-        caller_id,
-        run_id,
-        transport,
-        expires_at,
-        used_at
-      )
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-    `).run(replayNonceKey(claims), sha256Hex(tokenPayload), claims.surface, claims.operation, claims.callerId ?? "", claims.runId ?? "", claims.transport ?? "", claims.expiresAt, now);
-    if (result.changes !== 1) {
-      return { approved: false, reason: "approval_token nonce has already been used." };
-    }
-    return;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    return { approved: false, reason: `approval_token replay store is unavailable: ${message}` };
-  }
-}
-function safeEqual(left, right) {
-  const leftBuffer = Buffer.from(left);
-  const rightBuffer = Buffer.from(right);
-  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
-}
-function canonicalizeMutationArg(value, inArray = false) {
-  if (value === undefined)
-    return inArray ? null : undefined;
-  if (value === null || typeof value === "boolean" || typeof value === "string")
-    return value;
-  if (typeof value === "number")
-    return Number.isFinite(value) ? value : null;
-  if (Array.isArray(value)) {
-    return value.map((entry) => canonicalizeMutationArg(entry, true) ?? null);
-  }
-  if (value instanceof Date)
-    return value.toISOString();
-  if (typeof value === "object") {
-    const result = {};
-    for (const key of Object.keys(value).sort()) {
-      if (key === "approval_token" || key === "approvalToken")
-        continue;
-      const canonicalValue = canonicalizeMutationArg(value[key]);
-      if (canonicalValue !== undefined)
-        result[key] = canonicalValue;
+            manifest: fleetSchema.parse(manifest2),
+            info: {
+              source,
+              loadedFrom: "private-ref",
+              warnings
+            }
+          };
+        }
+        warnings.push(`private_manifest_adapter_empty:${redactIdentifier(options.adapter.id)}`);
+      } catch (error) {
+        warnings.push(`private_manifest_adapter_failed:${redactIdentifier(options.adapter.id)}`);
+      }
+    } else {
+      warnings.push("private_manifest_ref_without_adapter");
     }
-    return result;
+    const fallbackSource = fileSourceRef(path);
+    const manifest = readManifest(path);
+    return {
+      manifest,
+      info: {
+        source,
+        loadedFrom: existsSync3(path) ? "fallback" : "default",
+        fallbackSource,
+        warnings
+      }
+    };
   }
-  return inArray ? null : undefined;
-}
-function canonicalMutationArgs(value) {
-  return JSON.stringify(canonicalizeMutationArg(value) ?? {});
+  return {
+    manifest: readManifest(path),
+    info: {
+      source,
+      loadedFrom: existsSync3(path) ? "file" : "default",
+      warnings
+    }
+  };
 }
-function mutationArgsSha256(value) {
-  return sha256Hex(canonicalMutationArgs(value));
+function validateManifest(path = getManifestPath()) {
+  return readManifest(path);
 }
-function stripPlanRuntimeFields(value) {
-  if (Array.isArray(value))
-    return value.map(stripPlanRuntimeFields);
-  if (value instanceof Date)
-    return value;
-  if (value && typeof value === "object") {
-    const result = {};
-    for (const [key, entry] of Object.entries(value)) {
-      if (key === "planDigest" || key === "plan_digest" || key === "mode" || key === "executed")
-        continue;
-      result[key] = stripPlanRuntimeFields(entry);
-    }
-    return result;
-  }
-  return value;
+function writeManifest(manifest, path = getManifestPath()) {
+  ensureParentDir(path);
+  const payload = {
+    ...manifest,
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    machines: normalizeMachines(manifest.machines)
+  };
+  fleetSchema.parse(payload);
+  writeFileSync(path, `${JSON.stringify(payload, null, 2)}
+`, "utf8");
+  return path;
 }
-function mutationPlanDigest(plan) {
-  return mutationArgsSha256(stripPlanRuntimeFields(plan));
+function getManifestMachine(machineId, path = getManifestPath()) {
+  return readManifest(path).machines.find((machine) => machine.id === machineId) || null;
 }
-function attachMutationPlanDigest(plan) {
+function detectCurrentMachineManifest() {
+  const machineId = process.env["HASNA_MACHINES_MACHINE_ID"] || hostname();
+  const user = userInfo().username;
+  const bunDir = dirname3(process.execPath);
   return {
-    ...plan,
-    planDigest: mutationPlanDigest(plan)
+    id: machineId,
+    hostname: hostname(),
+    sshAddress: `${user}@${machineId}`,
+    tailscaleName: machineId,
+    platform: normalizePlatform(),
+    connection: "local",
+    workspacePath: detectWorkspacePath(),
+    bunPath: bunDir,
+    tags: [`arch:${arch()}`],
+    packages: [],
+    files: []
   };
 }
-function assertMutationPlanDigest(plan, expectedPlanDigest) {
-  if (expectedPlanDigest && mutationPlanDigest(plan) !== expectedPlanDigest) {
-    throw new Error("Approved plan digest does not match the current execution plan.");
-  }
+
+// src/commands/manifest.ts
+init_paths();
+function manifestInit() {
+  return writeManifest(getDefaultManifest(), getManifestPath());
 }
-function parseToken(token) {
-  if (!token)
-    return null;
-  const parts = token.split(".");
-  if (parts.length !== 3 || parts[0] !== TOKEN_PREFIX)
-    return null;
-  try {
-    const claims = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
-    return { payload: parts[1] ?? "", signature: parts[2] ?? "", claims };
-  } catch {
-    return null;
-  }
+function manifestList() {
+  return readManifest();
 }
-function claimMatches(expected, actual) {
-  if (expected === undefined)
-    return actual === undefined;
-  return actual === expected;
+function manifestAdd(machine) {
+  const validatedMachine = machineSchema.parse(machine);
+  const manifest = readManifest();
+  const nextMachines = manifest.machines.filter((entry) => entry.id !== validatedMachine.id);
+  nextMachines.push(validatedMachine);
+  const nextManifest = { ...manifest, machines: nextMachines };
+  writeManifest(nextManifest);
+  return nextManifest;
 }
-function verifyMutationApprovalToken(options) {
-  const env2 = options.env ?? process.env;
-  const secret = signingSecret(env2);
-  if (!secret)
-    return { approved: false, reason: `${MUTATION_APPROVAL_TOKEN_ENV} is not configured.` };
-  const parsed = parseToken(options.approvalToken);
-  if (!parsed)
-    return { approved: false, reason: "approval_token is not a scoped mutation token." };
-  if (!safeEqual(hmac(parsed.payload, secret), parsed.signature)) {
-    return { approved: false, reason: "approval_token signature is invalid." };
-  }
-  const claims = parsed.claims;
-  if (claims.version !== 1)
-    return { approved: false, reason: "approval_token version is unsupported." };
-  if (!claims.callerId || !claims.runId) {
-    return { approved: false, reason: "approval_token must include caller and run claims." };
-  }
-  if (!claims.transport) {
-    return { approved: false, reason: "approval_token must include a transport claim." };
-  }
-  if (!Number.isFinite(claims.expiresAt) || claims.expiresAt <= nowMs(options.now)) {
-    return { approved: false, reason: "approval_token is expired." };
-  }
-  const now = nowMs(options.now);
-  if (!Number.isFinite(claims.issuedAt) || claims.issuedAt > now + MAX_CLOCK_SKEW_MS) {
-    return { approved: false, reason: "approval_token issue time is invalid." };
-  }
-  if (claims.expiresAt - claims.issuedAt > MAX_TOKEN_TTL_MS) {
-    return { approved: false, reason: "approval_token TTL is too long." };
-  }
-  for (const key of ["surface", "operation", "machineId", "resourceId", "transport"]) {
-    if (!claimMatches(options[key], claims[key])) {
-      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
-    }
-  }
-  for (const key of ["callerId", "runId"]) {
-    if (options[key] !== undefined && options[key] !== claims[key]) {
-      return { approved: false, reason: `approval_token ${key} claim does not match this mutation.` };
-    }
-  }
-  const expectedArgsSha256 = options.argsSha256 || (options.args === undefined ? undefined : mutationArgsSha256(options.args));
-  if (expectedArgsSha256 !== undefined && claims.args_sha256 !== expectedArgsSha256) {
-    return { approved: false, reason: "approval_token args_sha256 claim does not match this mutation." };
-  }
-  const replayDecision = recordReplayNonce(env2, claims, parsed.payload, now);
-  if (replayDecision)
-    return replayDecision;
-  return { approved: true, claims };
+function manifestBootstrapCurrentMachine() {
+  return manifestAdd(detectCurrentMachineManifest());
 }
-function isMutationApproved(options = {}) {
-  const env2 = options.env ?? process.env;
-  const surface = options.surface ?? "cli";
-  if (surface === "mcp") {
-    if (!options.operation)
-      return false;
-    return verifyMutationApprovalToken({
-      surface,
-      operation: options.operation,
-      machineId: options.machineId,
-      resourceId: options.resourceId,
-      callerId: options.callerId,
-      runId: options.runId,
-      transport: options.transport ?? "mcp",
-      args: options.args,
-      argsSha256: options.argsSha256,
-      approvalToken: options.approvalToken,
-      env: env2,
-      now: options.now
-    }).approved;
-  }
-  if (options.approvalToken) {
-    const decision = options.operation ? verifyMutationApprovalToken({
-      surface,
-      operation: options.operation,
-      machineId: options.machineId,
-      resourceId: options.resourceId,
-      callerId: options.callerId,
-      runId: options.runId,
-      transport: options.transport ?? surface,
-      args: options.args,
-      argsSha256: options.argsSha256,
-      approvalToken: options.approvalToken,
-      env: env2,
-      now: options.now
-    }) : { approved: false };
-    if (decision.approved)
-      return true;
-    if (env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim())
-      return false;
-  }
-  return isTruthy(env2[MUTATION_APPROVAL_FLAG_ENV]) || isTruthy(env2[LEGACY_MUTATION_APPROVAL_FLAG_ENV]);
+function manifestGet(machineId) {
+  return getManifestMachine(machineId);
 }
-function assertMutationApproved(options) {
-  if (isMutationApproved(options)) {
-    return;
-  }
-  const env2 = options.env ?? process.env;
-  const tokenConfigured = Boolean(env2[MUTATION_APPROVAL_TOKEN_ENV]?.trim());
-  const approvalHint = options.surface === "mcp" ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV}` : tokenConfigured ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV} or set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session` : `set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session or configure ${MUTATION_APPROVAL_TOKEN_ENV}`;
-  throw new Error(`Fleet mutation blocked: ${options.surface}.${options.operation} requires operator approval; ${approvalHint}.`);
+function manifestRemove(machineId) {
+  const manifest = readManifest();
+  const nextManifest = {
+    ...manifest,
+    machines: manifest.machines.filter((machine) => machine.id !== machineId)
+  };
+  writeManifest(nextManifest);
+  return nextManifest;
 }
+function manifestValidate() {
+  return validateManifest(getManifestPath());
+}
+
+// src/commands/setup.ts
+import { homedir as homedir2 } from "os";
+init_db();
+init_mutation_approval();
 
 // src/remote.ts
 init_db();
@@ -9810,6 +9894,7 @@ function diffMachines(leftMachineId, rightMachineId) {
 }
 
 // src/commands/apps.ts
+init_mutation_approval();
 function getPackageName(app) {
   return app.packageName || app.name;
 }
@@ -9950,6 +10035,7 @@ function runAppsPlan(plan, options = {}, runner = runMachineCommand) {
 }
 
 // src/commands/install-claude.ts
+init_mutation_approval();
 var AI_CLI_PACKAGES = {
   claude: "@anthropic-ai/claude-code",
   codex: "@openai/codex",
@@ -10057,6 +10143,7 @@ function runClaudeInstallPlan(plan, options = {}, runner = runMachineCommand) {
 }
 
 // src/commands/install-tailscale.ts
+init_mutation_approval();
 function buildInstallSteps2(machine) {
   if (machine.platform === "macos") {
     return [
@@ -10124,6 +10211,7 @@ function runTailscaleInstallPlan(plan, options = {}, runner = runMachineCommand)
 import { accessSync, constants, existsSync as existsSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
 import { delimiter, isAbsolute, join as join7 } from "path";
 init_paths();
+init_mutation_approval();
 var notificationChannelSchema = exports_external.object({
   id: exports_external.string(),
   type: exports_external.enum(["email", "webhook", "command"]),
@@ -10467,9 +10555,20 @@ import { EventsClient } from "@hasna/events";
 function shellQuote5(value) {
   return `'${value.replace(/'/g, "'\\''")}'`;
 }
+function commandBasename(command) {
+  const withoutArgs = command.trim().split(/\s+/, 1)[0] ?? "";
+  return withoutArgs.split(/[\\/]/).filter(Boolean).at(-1) ?? withoutArgs;
+}
+function assertMachinesCommandSafe(command) {
+  const basename = commandBasename(command);
+  if (basename === "events" || basename === "hasna-events") {
+    throw new Error("tmux-hook-plan machines command must invoke the machines CLI, not dependency-owned @hasna/events bins.");
+  }
+}
 function buildTmuxPaneDiedHookPlan(options = {}) {
   const tmuxCommand = options.tmuxCommand ?? process.env["HASNA_MACHINES_TMUX_BIN"] ?? "tmux";
   const machinesCommand = options.machinesCommand ?? "machines";
+  assertMachinesCommandSafe(machinesCommand);
   const deliver = options.deliver === true;
   const approvalToken = options.approvalToken?.trim();
   const trustedLocalMutation = approvalToken ? false : options.trustedLocalMutation === true;
@@ -10710,6 +10809,7 @@ import { existsSync as existsSync9, lstatSync, readFileSync as readFileSync7, sy
 import { homedir as homedir5 } from "os";
 init_paths();
 init_db();
+init_mutation_approval();
 function quote4(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
 }
@@ -11494,6 +11594,9 @@ function runDoctor(machineId, options = {}) {
   };
 }
 
+// src/cli/index.ts
+init_mutation_approval();
+
 // src/commands/daemon.ts
 import { execFileSync } from "child_process";
 import { chmodSync, existsSync as existsSync10, readFileSync as readFileSync8, statSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync5 } from "fs";
@@ -12053,6 +12156,7 @@ function getAgentStatus(machineId, options = {}) {
 }
 
 // src/commands/serve.ts
+init_mutation_approval();
 function escapeHtml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
 }
@@ -12512,6 +12616,16 @@ function startDashboardServer(options = {}) {
 function check(id, status, summary, detail) {
   return { id, status, summary, detail };
 }
+function summarize(checks) {
+  const counts = checks.reduce((acc, entry) => {
+    acc[entry.status] += 1;
+    return acc;
+  }, { ok: 0, warn: 0, fail: 0 });
+  return {
+    overall: counts.fail > 0 ? "fail" : counts.warn > 0 ? "warn" : "ok",
+    counts
+  };
+}
 function runSelfTest() {
   const version = getPackageVersion();
   const status = getStatus();
@@ -12523,19 +12637,21 @@ function runSelfTest() {
   const apps = listApps(machineId);
   const appsDiff = diffApps(machineId);
   const cliPlan = buildClaudeInstallPlan(machineId);
+  const checks = [
+    check("package-version", version === "0.0.0" ? "fail" : "ok", "Package version resolves", version),
+    check("status", "ok", "Status loads", JSON.stringify({ machines: status.manifestMachineCount, heartbeats: status.heartbeatCount })),
+    check("doctor", doctor.checks.some((entry) => entry.status === "fail") ? "warn" : "ok", "Doctor completed", `${doctor.checks.length} checks`),
+    check("serve-info", "ok", "Dashboard info renders", `${serveInfo.url} routes=${serveInfo.routes.length}`),
+    check("dashboard-html", html.includes("Machines Dashboard") ? "ok" : "fail", "Dashboard HTML renders", html.slice(0, 80)),
+    check("notifications", "ok", "Notifications config loads", `${notifications.channels.length} channels`),
+    check("apps", "ok", "Apps manifest loads", `${apps.apps.length} apps`),
+    check("apps-diff", appsDiff.missing.length === 0 ? "ok" : "warn", "Apps diff computed", `missing=${appsDiff.missing.length} installed=${appsDiff.installed.length}`),
+    check("install-claude-plan", cliPlan.steps.length > 0 ? "ok" : "warn", "Install plan renders", `${cliPlan.steps.length} steps`)
+  ];
   return {
     machineId,
-    checks: [
-      check("package-version", version === "0.0.0" ? "fail" : "ok", "Package version resolves", version),
-      check("status", "ok", "Status loads", JSON.stringify({ machines: status.manifestMachineCount, heartbeats: status.heartbeatCount })),
-      check("doctor", doctor.checks.some((entry) => entry.status === "fail") ? "warn" : "ok", "Doctor completed", `${doctor.checks.length} checks`),
-      check("serve-info", "ok", "Dashboard info renders", `${serveInfo.url} routes=${serveInfo.routes.length}`),
-      check("dashboard-html", html.includes("Machines Dashboard") ? "ok" : "fail", "Dashboard HTML renders", html.slice(0, 80)),
-      check("notifications", "ok", "Notifications config loads", `${notifications.channels.length} channels`),
-      check("apps", "ok", "Apps manifest loads", `${apps.apps.length} apps`),
-      check("apps-diff", appsDiff.missing.length === 0 ? "ok" : "warn", "Apps diff computed", `missing=${appsDiff.missing.length} installed=${appsDiff.installed.length}`),
-      check("install-claude-plan", cliPlan.steps.length > 0 ? "ok" : "warn", "Install plan renders", `${cliPlan.steps.length} steps`)
-    ]
+    ...summarize(checks),
+    checks
   };
 }
 
@@ -13632,6 +13748,7 @@ function renderDoctorResult(report) {
 function renderSelfTestResult(result) {
   return [
     `machine: ${result.machineId}`,
+    `overall: ${result.overall} ok=${result.counts.ok} warn=${result.counts.warn} fail=${result.counts.fail}`,
     ...result.checks.map((check2) => {
       const status = check2.status === "ok" ? source_default.green(check2.status) : check2.status === "warn" ? source_default.yellow(check2.status) : source_default.red(check2.status);
       return `${check2.id.padEnd(20)} ${status} ${check2.detail}`;
@@ -14765,10 +14882,10 @@ storageCommand.command("status").description("Show storage sync status").option(
 });
 storageCommand.command("push").description("Push local machine runtime data to storage PostgreSQL").option("--tables <tables>", "Comma-separated table names").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options) => {
   try {
-    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storagePush: storagePush2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
+    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storagePush: storagePush3 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
     const tables = resolveTables2(parseStorageTables2(options.tables));
     requireCliMutation("storage_push", options.approvalToken, { resourceId: cliResourceId("storage-push", tables.join(",")), args: { tables } });
-    const results = await storagePush2({ tables });
+    const results = await storagePush3({ tables, trustedLocalMutation: createTrustedSdkMutationApproval() });
     printStorageResults(results, options.json);
   } catch (error) {
     printStorageError(error);
@@ -14776,10 +14893,10 @@ storageCommand.command("push").description("Push local machine runtime data to s
 });
 storageCommand.command("pull").description("Pull machine runtime data from storage PostgreSQL to local SQLite").option("--tables <tables>", "Comma-separated table names").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options) => {
   try {
-    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storagePull: storagePull2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
+    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storagePull: storagePull3 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
     const tables = resolveTables2(parseStorageTables2(options.tables));
     requireCliMutation("storage_pull", options.approvalToken, { resourceId: cliResourceId("storage-pull", tables.join(",")), args: { tables } });
-    const results = await storagePull2({ tables });
+    const results = await storagePull3({ tables, trustedLocalMutation: createTrustedSdkMutationApproval() });
     printStorageResults(results, options.json);
   } catch (error) {
     printStorageError(error);
@@ -14787,10 +14904,10 @@ storageCommand.command("pull").description("Pull machine runtime data from stora
 });
 storageCommand.command("sync").description("Bidirectional storage sync: pull then push").option("--tables <tables>", "Comma-separated table names").option("--approval-token <token>", "Scoped mutation approval token").option("-j, --json", "Print JSON output", false).action(async (options) => {
   try {
-    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storageSync: storageSync2 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
+    const { parseStorageTables: parseStorageTables2, resolveTables: resolveTables2, storageSync: storageSync3 } = await Promise.resolve().then(() => (init_storage(), exports_storage));
     const tables = resolveTables2(parseStorageTables2(options.tables));
     requireCliMutation("storage_sync", options.approvalToken, { resourceId: cliResourceId("storage-sync", tables.join(",")), args: { tables } });
-    const result = await storageSync2({ tables });
+    const result = await storageSync3({ tables, trustedLocalMutation: createTrustedSdkMutationApproval() });
     if (options.json) {
       console.log(JSON.stringify(result, null, 2));
       return;