@hasna/machines 0.0.48 → 0.0.49

package/dist/mcp/index.js

@@ -4637,6 +4637,15 @@ var TOKEN_PREFIX = "machines-mut-v1";
 var DEFAULT_TOKEN_TTL_MS = 5 * 60 * 1000;
 var MAX_TOKEN_TTL_MS = 5 * 60 * 1000;
 var MAX_CLOCK_SKEW_MS = 30000;
+var trustedSdkMutationApprovals = new WeakSet;
+function createTrustedSdkMutationApproval() {
+  const approval = {};
+  trustedSdkMutationApprovals.add(approval);
+  return approval;
+}
+function isTrustedSdkMutationApproval(approval) {
+  return typeof approval === "object" && approval !== null && trustedSdkMutationApprovals.has(approval);
+}
 function isTruthy(value) {
   return value === "1" || value?.toLowerCase() === "true" || value?.toLowerCase() === "yes";
 }
@@ -4881,6 +4890,26 @@ function assertMutationApproved(options) {
   const approvalHint = options.surface === "mcp" ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV}` : tokenConfigured ? `pass a scoped approval_token signed with ${MUTATION_APPROVAL_TOKEN_ENV} or set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session` : `set ${MUTATION_APPROVAL_FLAG_ENV}=1 for a trusted local session or configure ${MUTATION_APPROVAL_TOKEN_ENV}`;
   throw new Error(`Fleet mutation blocked: ${options.surface}.${options.operation} requires operator approval; ${approvalHint}.`);
 }
+function assertSdkMutationApproved(scope, options = {}) {
+  if (isTrustedSdkMutationApproval(options.trustedLocalMutation))
+    return;
+  const decision = verifyMutationApprovalToken({
+    surface: "sdk",
+    operation: scope.operation,
+    machineId: scope.machineId,
+    resourceId: scope.resourceId,
+    callerId: options.callerId,
+    runId: options.runId,
+    transport: "sdk",
+    args: scope.args,
+    argsSha256: scope.argsSha256,
+    approvalToken: options.approvalToken,
+    env: process.env
+  });
+  if (decision.approved)
+    return;
+  throw new Error(`Fleet mutation blocked: sdk.${scope.operation} requires a scoped SDK approval token.`);
+}
 
 // src/remote.ts
 import { spawnSync as spawnSync2 } from "child_process";
@@ -7554,6 +7583,8 @@ var PG_MIGRATIONS = [
 
 // src/remote-storage.ts
 import pg from "pg";
+var MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV = "HASNA_MACHINES_ALLOW_INSECURE_DATABASE_TLS";
+var MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV = "HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED";
 function translatePlaceholders(sql) {
   let index = 0;
   return sql.replace(/\?/g, () => `$${++index}`);
@@ -7562,7 +7593,18 @@ function normalizeParams(params) {
   const flat = params.length === 1 && Array.isArray(params[0]) ? params[0] : params;
   return flat.map((value) => value === undefined ? null : value);
 }
-function sslConfigFor(connectionString) {
+function envFlag(env, name) {
+  const value = env[name]?.trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes" || value === "on";
+}
+function isLoopbackHost(hostname6) {
+  const normalized = hostname6.replace(/^\[|\]$/g, "").toLowerCase();
+  return normalized === "localhost" || normalized === "::1" || normalized === "0:0:0:0:0:0:0:1" || /^127(?:\.\d{1,3}){3}$/.test(normalized);
+}
+function allowsLocalInsecureTls(url, env) {
+  return isLoopbackHost(url.hostname) && envFlag(env, MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV);
+}
+function sslConfigFor(connectionString, env = process.env) {
   let url;
   try {
     url = new URL(connectionString);
@@ -7571,12 +7613,21 @@ function sslConfigFor(connectionString) {
   }
   const sslMode = url.searchParams.get("sslmode")?.toLowerCase();
   const ssl = url.searchParams.get("ssl")?.toLowerCase();
-  if (sslMode === "disable" || ssl === "false")
-    return;
-  if (sslMode === "no-verify" || process.env["HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED"] === "0") {
+  const rejectUnauthorizedOverride = env[MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV]?.trim() === "0";
+  if (sslMode === "disable" || ssl === "false") {
+    if (allowsLocalInsecureTls(url, env))
+      return;
+    throw new Error(`Insecure PostgreSQL TLS mode is rejected for remote storage; use sslmode=require or set ${MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV}=1 only for loopback development databases.`);
+  }
+  if (sslMode === "no-verify" || rejectUnauthorizedOverride) {
+    if (!allowsLocalInsecureTls(url, env)) {
+      throw new Error(`PostgreSQL TLS certificate verification cannot be disabled for remote storage; set ${MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV}=1 only for loopback development databases.`);
+    }
     return { rejectUnauthorized: false };
   }
-  return sslMode || ssl === "true" ? { rejectUnauthorized: true } : undefined;
+  if (sslMode || ssl === "true")
+    return { rejectUnauthorized: true };
+  return isLoopbackHost(url.hostname) ? undefined : { rejectUnauthorized: true };
 }
 
 class PgAdapterAsync {
@@ -8016,6 +8067,16 @@ function getStatus(options = {}) {
 function check(id, status, summary, detail) {
   return { id, status, summary, detail };
 }
+function summarize(checks) {
+  const counts = checks.reduce((acc, entry) => {
+    acc[entry.status] += 1;
+    return acc;
+  }, { ok: 0, warn: 0, fail: 0 });
+  return {
+    overall: counts.fail > 0 ? "fail" : counts.warn > 0 ? "warn" : "ok",
+    counts
+  };
+}
 function runSelfTest() {
   const version = getPackageVersion();
   const status = getStatus();
@@ -8027,19 +8088,21 @@ function runSelfTest() {
   const apps = listApps(machineId);
   const appsDiff = diffApps(machineId);
   const cliPlan = buildClaudeInstallPlan(machineId);
+  const checks = [
+    check("package-version", version === "0.0.0" ? "fail" : "ok", "Package version resolves", version),
+    check("status", "ok", "Status loads", JSON.stringify({ machines: status.manifestMachineCount, heartbeats: status.heartbeatCount })),
+    check("doctor", doctor.checks.some((entry) => entry.status === "fail") ? "warn" : "ok", "Doctor completed", `${doctor.checks.length} checks`),
+    check("serve-info", "ok", "Dashboard info renders", `${serveInfo.url} routes=${serveInfo.routes.length}`),
+    check("dashboard-html", html.includes("Machines Dashboard") ? "ok" : "fail", "Dashboard HTML renders", html.slice(0, 80)),
+    check("notifications", "ok", "Notifications config loads", `${notifications.channels.length} channels`),
+    check("apps", "ok", "Apps manifest loads", `${apps.apps.length} apps`),
+    check("apps-diff", appsDiff.missing.length === 0 ? "ok" : "warn", "Apps diff computed", `missing=${appsDiff.missing.length} installed=${appsDiff.installed.length}`),
+    check("install-claude-plan", cliPlan.steps.length > 0 ? "ok" : "warn", "Install plan renders", `${cliPlan.steps.length} steps`)
+  ];
   return {
     machineId,
-    checks: [
-      check("package-version", version === "0.0.0" ? "fail" : "ok", "Package version resolves", version),
-      check("status", "ok", "Status loads", JSON.stringify({ machines: status.manifestMachineCount, heartbeats: status.heartbeatCount })),
-      check("doctor", doctor.checks.some((entry) => entry.status === "fail") ? "warn" : "ok", "Doctor completed", `${doctor.checks.length} checks`),
-      check("serve-info", "ok", "Dashboard info renders", `${serveInfo.url} routes=${serveInfo.routes.length}`),
-      check("dashboard-html", html.includes("Machines Dashboard") ? "ok" : "fail", "Dashboard HTML renders", html.slice(0, 80)),
-      check("notifications", "ok", "Notifications config loads", `${notifications.channels.length} channels`),
-      check("apps", "ok", "Apps manifest loads", `${apps.apps.length} apps`),
-      check("apps-diff", appsDiff.missing.length === 0 ? "ok" : "warn", "Apps diff computed", `missing=${appsDiff.missing.length} installed=${appsDiff.installed.length}`),
-      check("install-claude-plan", cliPlan.steps.length > 0 ? "ok" : "warn", "Install plan renders", `${cliPlan.steps.length} steps`)
-    ]
+    ...summarize(checks),
+    checks
   };
 }
 
@@ -8785,6 +8848,41 @@ function checkMachineCompatibility(options = {}) {
     summary
   };
 }
+
+// src/storage.ts
+function storageArgs(options = {}) {
+  return {
+    tables: options.tables?.length ? [...options.tables] : null
+  };
+}
+function storageResourceId(operation, options = {}) {
+  return `storage:${operation}:${mutationArgsSha256(storageArgs(options))}`;
+}
+async function storagePush2(options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_push",
+    resourceId: storageResourceId("push", options),
+    args: storageArgs(options)
+  }, options);
+  return storagePush({ tables: options.tables });
+}
+async function storagePull2(options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_pull",
+    resourceId: storageResourceId("pull", options),
+    args: storageArgs(options)
+  }, options);
+  return storagePull({ tables: options.tables });
+}
+async function storageSync2(options = {}) {
+  assertSdkMutationApproved({
+    operation: "machines_storage_sync",
+    resourceId: storageResourceId("sync", options),
+    args: storageArgs(options)
+  }, options);
+  return storageSync({ tables: options.tables });
+}
+
 // src/mcp/server.ts
 function buildServer(version = getPackageVersion(), options = {}) {
   return createMcpServer(version, options);
@@ -9236,17 +9334,17 @@ function createMcpServer(version, options = {}) {
   server.tool("storage_push", "Push local machine runtime data to storage PostgreSQL.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to push"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
     const resolvedTables = resolveTables(tables);
     requireMcpMutation("storage_push", approval_token, { resourceId: mutationResourceId("storage-push", resolvedTables.join(",")), args: { tables: resolvedTables } });
-    return { content: [{ type: "text", text: JSON.stringify(await storagePush({ tables: resolvedTables }), null, 2) }] };
+    return { content: [{ type: "text", text: JSON.stringify(await storagePush2({ tables: resolvedTables, trustedLocalMutation: createTrustedSdkMutationApproval() }), null, 2) }] };
   });
   server.tool("storage_pull", "Pull machine runtime data from storage PostgreSQL to local SQLite.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to pull"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
     const resolvedTables = resolveTables(tables);
     requireMcpMutation("storage_pull", approval_token, { resourceId: mutationResourceId("storage-pull", resolvedTables.join(",")), args: { tables: resolvedTables } });
-    return { content: [{ type: "text", text: JSON.stringify(await storagePull({ tables: resolvedTables }), null, 2) }] };
+    return { content: [{ type: "text", text: JSON.stringify(await storagePull2({ tables: resolvedTables, trustedLocalMutation: createTrustedSdkMutationApproval() }), null, 2) }] };
   });
   server.tool("storage_sync", "Bidirectional machines storage sync: pull then push.", { tables: exports_external.array(exports_external.string()).optional().describe("Optional table list to sync"), approval_token: approvalTokenSchema }, async ({ tables, approval_token }) => {
     const resolvedTables = resolveTables(tables);
     requireMcpMutation("storage_sync", approval_token, { resourceId: mutationResourceId("storage-sync", resolvedTables.join(",")), args: { tables: resolvedTables } });
-    return { content: [{ type: "text", text: JSON.stringify(await storageSync({ tables: resolvedTables }), null, 2) }] };
+    return { content: [{ type: "text", text: JSON.stringify(await storageSync2({ tables: resolvedTables, trustedLocalMutation: createTrustedSdkMutationApproval() }), null, 2) }] };
   });
   return server;
 }
@@ -9284,12 +9382,12 @@ function parsePort(raw) {
 function pathnameFromRequest(req) {
   return new URL(req.url ?? "/", "http://127.0.0.1").pathname;
 }
-function isLoopbackHost(host) {
+function isLoopbackHost2(host) {
   const normalized = host.toLowerCase().replace(/^\[|\]$/g, "");
   return normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1";
 }
 function resolveHttpSecurityConfig(env = process.env, host = "127.0.0.1") {
-  const allowUnauthenticated = env.MACHINES_ALLOW_UNAUTHENTICATED === "1" && isLoopbackHost(host);
+  const allowUnauthenticated = env.MACHINES_ALLOW_UNAUTHENTICATED === "1" && isLoopbackHost2(host);
   const allowedOrigins = (env.MACHINES_HTTP_ALLOWED_ORIGINS ?? "").split(",").map((origin) => origin.trim()).filter(Boolean);
   const maxBodyBytes = parsePositiveInteger(env.MACHINES_HTTP_MAX_BODY_BYTES, DEFAULT_MAX_BODY_BYTES);
   return {
@@ -9327,7 +9425,7 @@ function isTrustedHttpOrigin(origin, host, allowedOrigins = []) {
   } catch {
     return false;
   }
-  return isLoopbackHost(host) && isLoopbackHost(parsed.hostname);
+  return isLoopbackHost2(host) && isLoopbackHost2(parsed.hostname);
 }
 function authorizeHttpOrigin(req, host, security) {
   const origin = originValue(req);

package/dist/remote-storage.d.ts

@@ -1,4 +1,7 @@
-export declare function sslConfigFor(connectionString: string): {
+export declare const MACHINES_DATABASE_ALLOW_INSECURE_TLS_ENV = "HASNA_MACHINES_ALLOW_INSECURE_DATABASE_TLS";
+export declare const MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED_ENV = "HASNA_MACHINES_DATABASE_SSL_REJECT_UNAUTHORIZED";
+type Env = Record<string, string | undefined>;
+export declare function sslConfigFor(connectionString: string, env?: Env): {
     rejectUnauthorized: boolean;
 } | undefined;
 export declare class PgAdapterAsync {
@@ -10,3 +13,4 @@ export declare class PgAdapterAsync {
     all(sql: string, ...params: unknown[]): Promise<unknown[]>;
     close(): Promise<void>;
 }
+export {};

package/dist/sdk-mutations.d.ts

@@ -0,0 +1,54 @@
+import type { MachineCommandRunner } from "./remote.js";
+import type { DaemonServicePlan, DaemonServiceRunOptions, DaemonServiceRunResult } from "./commands/daemon.js";
+import type { NotificationChannel, NotificationConfig, NotificationDispatchSummary, NotificationTestResult, SetupResult, SyncResult } from "./types.js";
+import type { DomainMapping } from "./commands/dns.js";
+import { type RunAppsInstallOptions } from "./commands/apps.js";
+import { type RunClaudeInstallOptions } from "./commands/install-claude.js";
+import { type RunSetupOptions } from "./commands/setup.js";
+import { type RunSyncOptions } from "./commands/sync.js";
+import { type RunTailscaleInstallOptions } from "./commands/install-tailscale.js";
+import { type TrustedNotificationApproval } from "./commands/notifications.js";
+import { type SdkMutationApprovalOptions } from "./commands/mutation-approval.js";
+import type { FleetManifest, MachineManifest } from "./types.js";
+type ApplyOptions = {
+    apply?: boolean;
+    yes?: boolean;
+};
+type SdkApplyOptions<T extends ApplyOptions> = T & SdkMutationApprovalOptions;
+type NotificationSdkOptions = SdkMutationApprovalOptions & {
+    approvalToken?: string;
+    trustedApproval?: TrustedNotificationApproval;
+};
+type NotificationTestSdkOptions = NotificationSdkOptions & ApplyOptions;
+export declare function manifestInit(options?: SdkMutationApprovalOptions): string;
+export declare function manifestAdd(machine: MachineManifest, options?: SdkMutationApprovalOptions): FleetManifest;
+export declare function manifestBootstrapCurrentMachine(options?: SdkMutationApprovalOptions): FleetManifest;
+export declare function manifestRemove(machineId: string, options?: SdkMutationApprovalOptions): FleetManifest;
+export declare function runSetup(machineId?: string, options?: SdkApplyOptions<RunSetupOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runSetupPlan(plan: SetupResult, options?: SdkApplyOptions<RunSetupOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runSync(machineId?: string, options?: SdkApplyOptions<RunSyncOptions>, runner?: MachineCommandRunner): SyncResult;
+export declare function runSyncPlan(plan: SyncResult, options?: SdkApplyOptions<RunSyncOptions>, runner?: MachineCommandRunner): SyncResult;
+export declare function runAppsInstall(machineId?: string, options?: SdkApplyOptions<RunAppsInstallOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runAppsPlan(plan: SetupResult, options?: SdkApplyOptions<RunAppsInstallOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runClaudeInstall(machineId?: string, tools?: string[], options?: SdkApplyOptions<RunClaudeInstallOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runClaudeInstallPlan(plan: SetupResult, options?: SdkApplyOptions<RunClaudeInstallOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runTailscaleInstall(machineId?: string, options?: SdkApplyOptions<RunTailscaleInstallOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function runTailscaleInstallPlan(plan: SetupResult, options?: SdkApplyOptions<RunTailscaleInstallOptions>, runner?: MachineCommandRunner): SetupResult;
+export declare function addDomainMapping(domain: string, port: number, targetHost?: string, options?: SdkMutationApprovalOptions): DomainMapping[];
+export declare function runCertPlan(domains: string[], options?: SdkApplyOptions<{
+    apply?: boolean;
+    yes?: boolean;
+}>): SetupResult;
+export declare function runBackup(bucket?: string, prefix?: string, options?: SdkApplyOptions<{
+    apply?: boolean;
+    yes?: boolean;
+}>): SetupResult;
+export declare function runDaemonServicePlan(plan: DaemonServicePlan, options?: SdkApplyOptions<DaemonServiceRunOptions>): DaemonServiceRunResult;
+export declare function writeNotificationConfig(config: NotificationConfig, pathOrOptions?: string | SdkMutationApprovalOptions, maybeOptions?: SdkMutationApprovalOptions): NotificationConfig;
+export declare function addNotificationChannel(channel: NotificationChannel, options?: NotificationSdkOptions): NotificationConfig;
+export declare function removeNotificationChannel(channelId: string, options?: SdkMutationApprovalOptions): NotificationConfig;
+export declare function dispatchNotificationEvent(event: string, message: string, options?: NotificationSdkOptions & {
+    channelId?: string;
+}): Promise<NotificationDispatchSummary>;
+export declare function testNotificationChannel(channelId: string, event?: string, message?: string, options?: NotificationTestSdkOptions): Promise<NotificationTestResult>;
+export {};

package/dist/storage.d.ts

@@ -1,4 +1,19 @@
-export { MACHINES_STORAGE_ENV, MACHINES_STORAGE_FALLBACK_ENV, MACHINES_STORAGE_MODE_ENV, MACHINES_STORAGE_MODE_FALLBACK_ENV, MACHINES_STORAGE_TABLES, STORAGE_DATABASE_ENV, STORAGE_MODE_ENV, STORAGE_TABLES, getStorageDatabaseEnv, getStorageDatabaseEnvName, getStorageDatabaseUrl, getStorageMode, getStoragePg, getStorageStatus, getSyncMetaAll, parseStorageTables, resolveTables, runStorageMigrations, storagePull, storagePush, storageSync, } from "./storage-sync.js";
-export type { StorageEnv, StorageMode, StorageStatus, SyncMeta, SyncResult } from "./storage-sync.js";
+import { MACHINES_STORAGE_ENV, MACHINES_STORAGE_FALLBACK_ENV, MACHINES_STORAGE_MODE_ENV, MACHINES_STORAGE_MODE_FALLBACK_ENV, MACHINES_STORAGE_TABLES, STORAGE_DATABASE_ENV, STORAGE_MODE_ENV, STORAGE_TABLES, getStorageDatabaseEnv, getStorageDatabaseEnvName, getStorageDatabaseUrl, getStorageMode, getStorageStatus, getSyncMetaAll, parseStorageTables, resolveTables } from "./storage-sync.js";
+import { type SdkMutationApprovalOptions } from "./commands/mutation-approval.js";
+import type { StorageEnv, StorageMode, StorageStatus, SyncMeta, SyncResult } from "./storage-sync.js";
+export type StorageMutationOptions = SdkMutationApprovalOptions & {
+    tables?: string[];
+};
+export type StorageMigrationAdapter = {
+    run(sql: string, ...params: unknown[]): Promise<unknown>;
+};
+export declare function runStorageMigrations(remote: StorageMigrationAdapter, options?: SdkMutationApprovalOptions): Promise<void>;
+export declare function storagePush(options?: StorageMutationOptions): Promise<SyncResult[]>;
+export declare function storagePull(options?: StorageMutationOptions): Promise<SyncResult[]>;
+export declare function storageSync(options?: StorageMutationOptions): Promise<{
+    pull: SyncResult[];
+    push: SyncResult[];
+}>;
+export { MACHINES_STORAGE_ENV, MACHINES_STORAGE_FALLBACK_ENV, MACHINES_STORAGE_MODE_ENV, MACHINES_STORAGE_MODE_FALLBACK_ENV, MACHINES_STORAGE_TABLES, STORAGE_DATABASE_ENV, STORAGE_MODE_ENV, STORAGE_TABLES, getStorageDatabaseEnv, getStorageDatabaseEnvName, getStorageDatabaseUrl, getStorageMode, getStorageStatus, getSyncMetaAll, parseStorageTables, resolveTables, };
+export type { StorageEnv, StorageMode, StorageStatus, SyncMeta, SyncResult };
 export { PG_MIGRATIONS } from "./pg-migrations.js";
-export { PgAdapterAsync } from "./remote-storage.js";