@hasna/machines 0.0.9 → 0.0.11

package/dist/cli/index.js

@@ -5,43 +5,25 @@ var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-function __accessProp(key) {
-  return this[key];
-}
-var __toESMCache_node;
-var __toESMCache_esm;
 var __toESM = (mod, isNodeMode, target) => {
-  var canCache = mod != null && typeof mod === "object";
-  if (canCache) {
-    var cache = isNodeMode ? __toESMCache_node ??= new WeakMap : __toESMCache_esm ??= new WeakMap;
-    var cached = cache.get(mod);
-    if (cached)
-      return cached;
-  }
   target = mod != null ? __create(__getProtoOf(mod)) : {};
   const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
   for (let key of __getOwnPropNames(mod))
     if (!__hasOwnProp.call(to, key))
       __defProp(to, key, {
-        get: __accessProp.bind(mod, key),
+        get: () => mod[key],
         enumerable: true
       });
-  if (canCache)
-    cache.set(mod, to);
   return to;
 };
 var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
-var __returnValue = (v) => v;
-function __exportSetter(name, newValue) {
-  this[name] = __returnValue.bind(null, newValue);
-}
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
       get: all[name],
       enumerable: true,
       configurable: true,
-      set: __exportSetter.bind(all, name)
+      set: (newValue) => all[name] = () => newValue
     });
 };
 var __require = import.meta.require;
@@ -6780,15 +6762,15 @@ var __getProtoOf2 = Object.getPrototypeOf;
 var __defProp2 = Object.defineProperty;
 var __getOwnPropNames2 = Object.getOwnPropertyNames;
 var __hasOwnProp2 = Object.prototype.hasOwnProperty;
-function __accessProp2(key) {
+function __accessProp(key) {
   return this[key];
 }
-var __toESMCache_node2;
-var __toESMCache_esm2;
+var __toESMCache_node;
+var __toESMCache_esm;
 var __toESM2 = (mod, isNodeMode, target) => {
   var canCache = mod != null && typeof mod === "object";
   if (canCache) {
-    var cache = isNodeMode ? __toESMCache_node2 ??= new WeakMap : __toESMCache_esm2 ??= new WeakMap;
+    var cache = isNodeMode ? __toESMCache_node ??= new WeakMap : __toESMCache_esm ??= new WeakMap;
     var cached = cache.get(mod);
     if (cached)
       return cached;
@@ -6798,7 +6780,7 @@ var __toESM2 = (mod, isNodeMode, target) => {
   for (let key of __getOwnPropNames2(mod))
     if (!__hasOwnProp2.call(to, key))
       __defProp2(to, key, {
-        get: __accessProp2.bind(mod, key),
+        get: __accessProp.bind(mod, key),
         enumerable: true
       });
   if (canCache)
@@ -6806,9 +6788,9 @@ var __toESM2 = (mod, isNodeMode, target) => {
   return to;
 };
 var __commonJS2 = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
-var __returnValue2 = (v) => v;
-function __exportSetter2(name, newValue) {
-  this[name] = __returnValue2.bind(null, newValue);
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
 }
 var __export2 = (target, all) => {
   for (var name in all)
@@ -6816,7 +6798,7 @@ var __export2 = (target, all) => {
       get: all[name],
       enumerable: true,
       configurable: true,
-      set: __exportSetter2.bind(all, name)
+      set: __exportSetter.bind(all, name)
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
@@ -17959,6 +17941,28 @@ function readHistory(historyPath) {
     return [];
   }
 }
+function writeHistory(entries, historyPath) {
+  const path = resolveHistoryPath(historyPath);
+  ensureParentDir(path);
+  writeFileSync5(path, `${JSON.stringify(entries, null, 2)}
+`, "utf8");
+}
+function computeHash(content) {
+  return createHash("sha256").update(content).digest("hex").slice(0, 16);
+}
+function shouldSkipContent(content, skipPatterns) {
+  const lower = content.toLowerCase();
+  return skipPatterns.some((pattern) => lower.includes(pattern.toLowerCase()));
+}
+function sanitizeClipboardForRead(content, maxSizeBytes, skipPatterns) {
+  if (Buffer.byteLength(content, "utf8") > maxSizeBytes) {
+    return { ok: false, reason: "content exceeds size limit" };
+  }
+  if (shouldSkipContent(content, skipPatterns)) {
+    return { ok: false, reason: "content matches skip pattern" };
+  }
+  return { ok: true };
+}
 function getOrCreateClipboardKey() {
   const keyPath = getClipboardKeyPath();
   if (existsSync8(keyPath)) {
@@ -17985,6 +17989,20 @@ function writeClipboardConfig(config, configPath) {
 function readClipboardHistory(historyPath) {
   return readHistory(historyPath);
 }
+function addClipboardEntry(entry, historyPath) {
+  const entries = readHistory(historyPath);
+  const existing = entries.find((e) => e.hash === entry.hash);
+  if (existing) {
+    existing.timestamp = entry.timestamp;
+  } else {
+    entries.unshift(entry);
+  }
+  const config = readConfig();
+  if (entries.length > config.maxHistory) {
+    entries.length = config.maxHistory;
+  }
+  writeHistory(entries, historyPath);
+}
 function clearClipboardHistory(historyPath) {
   const path = resolveHistoryPath(historyPath);
   if (existsSync8(path)) {
@@ -18001,6 +18019,813 @@ function getClipboardStatus(historyPath) {
   };
 }
 
+// src/commands/clipboard-daemon.ts
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync6 } from "fs";
+import { join as join10 } from "path";
+import { createHash as createHash3 } from "crypto";
+
+// src/commands/clipboard-server.ts
+import { createServer } from "http";
+import { createHash as createHash2 } from "crypto";
+import { readFileSync as readFileSync8 } from "fs";
+function readLocalClipboardSync() {
+  const platform4 = process.platform;
+  if (platform4 === "darwin") {
+    const result = Bun.spawnSync(["pbpaste"], { stdout: "pipe", stderr: "pipe" });
+    return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
+  }
+  if (platform4 === "linux") {
+    if (hasCommand2("wl-paste")) {
+      const result = Bun.spawnSync(["wl-paste"], { stdout: "pipe", stderr: "pipe" });
+      return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
+    }
+    if (hasCommand2("xclip")) {
+      const result = Bun.spawnSync(["xclip", "-selection", "clipboard", "-o"], { stdout: "pipe", stderr: "pipe" });
+      return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
+    }
+    return "";
+  }
+  return "";
+}
+function writeLocalClipboardSync(content) {
+  const platform4 = process.platform;
+  if (platform4 === "darwin") {
+    const result = Bun.spawnSync(["pbcopy"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
+    return result.exitCode === 0;
+  }
+  if (platform4 === "linux") {
+    if (hasCommand2("wl-copy")) {
+      const result = Bun.spawnSync(["wl-copy"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
+      return result.exitCode === 0;
+    }
+    if (hasCommand2("xclip")) {
+      const result = Bun.spawnSync(["xclip", "-selection", "clipboard"], { stdin: new TextEncoder().encode(content), stdout: "ignore", stderr: "ignore" });
+      return result.exitCode === 0;
+    }
+    return false;
+  }
+  return false;
+}
+function hasCommand2(binary) {
+  const result = Bun.spawnSync(["bash", "-lc", `command -v ${binary} >/dev/null 2>&1`], { stdout: "ignore", stderr: "ignore", env: process.env });
+  return result.exitCode === 0;
+}
+function loadSharedSecret() {
+  const keyPath = getClipboardKeyPath();
+  try {
+    return readFileSync8(keyPath, "utf8").trim();
+  } catch {
+    return "";
+  }
+}
+function authenticate(request) {
+  const authHeader = request.headers["authorization"];
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return false;
+  }
+  const token = authHeader.slice(7);
+  const secret = loadSharedSecret();
+  if (!secret)
+    return false;
+  return createHash2("sha256").update(token).digest("hex") === createHash2("sha256").update(secret).digest("hex");
+}
+function jsonResponse(response, status, data) {
+  response.writeHead(status, { "content-type": "application/json" });
+  response.end(JSON.stringify(data));
+}
+var currentContentHash = null;
+function getCurrentContentHash() {
+  return currentContentHash;
+}
+function setCurrentContentHash(hash) {
+  currentContentHash = hash;
+}
+function startClipboardServer(options = {}) {
+  const config = options.config || readClipboardConfig();
+  const port = options.port || config.port;
+  const server = createServer(async (request, response) => {
+    if (!authenticate(request)) {
+      return jsonResponse(response, 401, { error: "unauthorized" });
+    }
+    const url = new URL(request.url || "/", `http://${request.headers.host || "localhost"}`);
+    if (url.pathname === "/clipboard" && request.method === "POST") {
+      return handleReceiveClipboard(request, response, config);
+    }
+    if (url.pathname === "/clipboard" && request.method === "GET") {
+      return handleGetClipboard(response, config);
+    }
+    if (url.pathname === "/health" && request.method === "GET") {
+      return jsonResponse(response, 200, { ok: true, machineId: process.env["HASNA_MACHINES_MACHINE_ID"] || "unknown" });
+    }
+    jsonResponse(response, 404, { error: "not found" });
+  });
+  server.listen(port, "0.0.0.0", () => {});
+  server.on("error", (error) => {
+    console.error(`clipboard server error: ${error.message}`);
+  });
+  return {
+    server,
+    port,
+    close: async () => {
+      await new Promise((resolve2) => server.close(() => resolve2()));
+    }
+  };
+}
+function handleReceiveClipboard(request, response, config) {
+  let body = "";
+  request.on("data", (chunk) => {
+    body += chunk;
+  });
+  request.on("end", () => {
+    try {
+      const parsed = JSON.parse(body);
+      const content = parsed.content || "";
+      const contentType = parsed.contentType || "text";
+      const sourceMachine = parsed.sourceMachine || "unknown";
+      if (!content) {
+        return jsonResponse(response, 400, { error: "empty content" });
+      }
+      const hash = computeHash(content);
+      if (hash === currentContentHash) {
+        return jsonResponse(response, 200, { received: false, reason: "loop detected" });
+      }
+      const check2 = sanitizeClipboardForRead(content, config.maxSizeBytes, config.skipPatterns);
+      if (!check2.ok) {
+        return jsonResponse(response, 200, { received: false, reason: check2.reason });
+      }
+      writeLocalClipboardSync(content);
+      currentContentHash = hash;
+      addClipboardEntry({
+        hash,
+        content,
+        contentType,
+        sourceMachine,
+        timestamp: new Date().toISOString()
+      });
+      return jsonResponse(response, 200, { received: true, hash });
+    } catch {
+      return jsonResponse(response, 400, { error: "invalid JSON" });
+    }
+  });
+}
+function handleGetClipboard(response, config) {
+  const content = readLocalClipboardSync();
+  if (!content) {
+    return jsonResponse(response, 200, { content: "", hash: null });
+  }
+  const hash = computeHash(content);
+  return jsonResponse(response, 200, { content, hash, contentType: "text" });
+}
+
+// src/commands/clipboard-daemon.ts
+var DAEMON_PID_PATH = join10(getDataDir(), "clipboard-daemon.pid");
+function readLocalClipboardSync2() {
+  const platform4 = process.platform;
+  if (platform4 === "darwin") {
+    const result = Bun.spawnSync(["pbpaste"], { stdout: "pipe", stderr: "pipe" });
+    return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
+  }
+  if (platform4 === "linux") {
+    if (hasCommand3("wl-paste")) {
+      const result = Bun.spawnSync(["wl-paste"], { stdout: "pipe", stderr: "pipe" });
+      return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
+    }
+    if (hasCommand3("xclip")) {
+      const result = Bun.spawnSync(["xclip", "-selection", "clipboard", "-o"], { stdout: "pipe", stderr: "pipe" });
+      return result.exitCode === 0 ? result.stdout.toString("utf8").trim() : "";
+    }
+    return "";
+  }
+  return "";
+}
+function hasCommand3(binary) {
+  const result = Bun.spawnSync(["bash", "-lc", `command -v ${binary} >/dev/null 2>&1`], { stdout: "ignore", stderr: "ignore", env: process.env });
+  return result.exitCode === 0;
+}
+function hasDisplayServer() {
+  const display = process.env["DISPLAY"] || "";
+  const wayland = process.env["WAYLAND_DISPLAY"] || "";
+  if (display || wayland)
+    return true;
+  if (process.platform === "darwin")
+    return true;
+  if (process.platform === "linux") {
+    try {
+      const result = Bun.spawnSync(["loginctl", "list-sessions", "--no-legend"], { stdout: "pipe", stderr: "pipe", env: process.env, timeout: 2000 });
+      if (result.exitCode === 0) {
+        const sessions = result.stdout.toString("utf8").trim();
+        if (sessions) {
+          for (const line of sessions.split(`
+`)) {
+            const sessionId = line.trim().split(/\s+/)[0];
+            if (sessionId) {
+              const typeResult = Bun.spawnSync(["loginctl", "show-session", sessionId, "-p", "Type", "--value"], { stdout: "pipe", stderr: "pipe", env: process.env, timeout: 2000 });
+              if (typeResult.exitCode === 0) {
+                const sessionType = typeResult.stdout.toString("utf8").trim();
+                if (sessionType === "wayland" || sessionType === "x11") {
+                  return true;
+                }
+              }
+            }
+          }
+        }
+      }
+    } catch {}
+    return false;
+  }
+  return false;
+}
+function computeHash2(content) {
+  return createHash3("sha256").update(content).digest("hex").slice(0, 16);
+}
+function loadSharedSecret2() {
+  try {
+    return readFileSync9(getClipboardKeyPath(), "utf8").trim();
+  } catch {
+    return "";
+  }
+}
+function writePid(pid) {
+  writeFileSync6(DAEMON_PID_PATH, `${pid}
+`);
+}
+function readPid() {
+  try {
+    const pid = Number.parseInt(readFileSync9(DAEMON_PID_PATH, "utf8").trim());
+    return Number.isFinite(pid) ? pid : null;
+  } catch {
+    return null;
+  }
+}
+function isProcessRunning(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function stopClipboardDaemon() {
+  const pid = readPid();
+  if (pid && isProcessRunning(pid)) {
+    process.kill(pid, "SIGTERM");
+    return { stopped: true, pid };
+  }
+  return { stopped: false, pid };
+}
+function startClipboardDaemon(port) {
+  const config = readClipboardConfig();
+  const daemonPort = port || config.port;
+  const { server, close } = startClipboardServer({ port: daemonPort });
+  server.on("listening", () => {
+    console.log(`clipboard daemon started on port ${daemonPort} (pid ${process.pid})`);
+    writePid(process.pid);
+  });
+  const secret = loadSharedSecret2();
+  const machineId = process.env["HASNA_MACHINES_MACHINE_ID"] || "unknown";
+  const hasDisplay = hasDisplayServer();
+  if (!hasDisplay) {
+    console.log("clipboard daemon running in receive-only mode (no display server)");
+  }
+  setInterval(async () => {
+    if (!hasDisplay)
+      return;
+    const content = readLocalClipboardSync2();
+    if (!content)
+      return;
+    const hash = computeHash2(content);
+    const currentContentHash2 = getCurrentContentHash();
+    if (hash === currentContentHash2)
+      return;
+    setCurrentContentHash(hash);
+    const peers = await discoverPeers();
+    for (const peer of peers) {
+      try {
+        const res = await fetch(`http://${peer.host}:${peer.port}/clipboard`, {
+          method: "POST",
+          headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${secret}`
+          },
+          body: JSON.stringify({
+            content,
+            contentType: "text",
+            sourceMachine: machineId
+          }),
+          signal: AbortSignal.timeout(2000)
+        });
+        if (res.ok) {
+          const data = await res.json();
+          if (data["received"] === true) {
+            console.log(`clipboard sent to ${peer.host}`);
+          }
+        }
+      } catch {}
+    }
+  }, 500);
+}
+async function discoverPeers() {
+  const config = readClipboardConfig();
+  const peers = [];
+  try {
+    const result = Bun.spawnSync(["tailscale", "status", "--json"], { stdout: "pipe", stderr: "pipe", env: process.env });
+    if (result.exitCode === 0) {
+      const status = JSON.parse(result.stdout.toString("utf8"));
+      const peers_map = status["Peer"] || {};
+      for (const [, peerInfo] of Object.entries(peers_map)) {
+        for (const ip of peerInfo.TailscaleIPs) {
+          if (ip.includes(".") && !ip.endsWith(".1")) {
+            peers.push({ host: ip, port: config.port });
+          }
+        }
+      }
+    }
+  } catch {}
+  const knownPeers = ["100.82.44.120", "100.100.226.69", "100.71.123.34", "100.85.234.92"];
+  for (const ip of knownPeers) {
+    if (!peers.some((p) => p.host === ip)) {
+      peers.push({ host: ip, port: config.port });
+    }
+  }
+  return peers;
+}
+
+// src/commands/heal.ts
+import { existsSync as existsSync9, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "fs";
+import { join as join11 } from "path";
+var DEFAULT_THRESHOLDS = {
+  reconnect: 3,
+  nmRestart: 7,
+  fallback: 12,
+  reboot: 15
+};
+var DEFAULT_HEAL_CONFIG = {
+  version: 1,
+  enabled: true,
+  wifiInterface: "",
+  preferredSsid: "",
+  fallbackSsid: "",
+  internetUrl: "https://1.1.1.1",
+  tailscaleAnchors: [],
+  quorumRequired: 2,
+  intervalSec: 60,
+  thresholds: { ...DEFAULT_THRESHOLDS },
+  rebootMinIntervalSec: 1800,
+  nmRestartMinIntervalSec: 1800,
+  reconnectMinIntervalSec: 120,
+  healthyWindowSec: 300,
+  maxFailedBootRecoveries: 2,
+  bootBackoffSec: 21600,
+  fallbackWindowSec: 600,
+  gpuJobGuard: true,
+  allowReboot: true
+};
+function defaultHealState() {
+  return {
+    failCount: 0,
+    bootId: "",
+    bootHealthySince: null,
+    lastRebootAttempt: 0,
+    lastNmRestart: 0,
+    lastReconnect: 0,
+    lastFallback: 0,
+    degradedUntil: 0,
+    pendingRebootRecovery: false,
+    failedBootRecoveries: 0,
+    rebootSuppressUntil: 0
+  };
+}
+function getHealConfigPath() {
+  return process.env["HASNA_MACHINES_HEAL_CONFIG_PATH"] || join11(getDataDir(), "heal-config.json");
+}
+function getHealStatePath() {
+  return process.env["HASNA_MACHINES_HEAL_STATE_PATH"] || join11(getDataDir(), "heal-state.json");
+}
+function readHealConfig(path) {
+  const p = path || getHealConfigPath();
+  if (!existsSync9(p))
+    return { ...DEFAULT_HEAL_CONFIG, thresholds: { ...DEFAULT_THRESHOLDS } };
+  const parsed = JSON.parse(readFileSync10(p, "utf8"));
+  return {
+    ...DEFAULT_HEAL_CONFIG,
+    ...parsed,
+    thresholds: { ...DEFAULT_THRESHOLDS, ...parsed.thresholds || {} },
+    tailscaleAnchors: parsed.tailscaleAnchors ?? []
+  };
+}
+function writeHealConfig(config, path) {
+  const p = path || getHealConfigPath();
+  ensureParentDir(p);
+  writeFileSync7(p, `${JSON.stringify(config, null, 2)}
+`, "utf8");
+}
+function readHealState(path) {
+  const p = path || getHealStatePath();
+  if (!existsSync9(p))
+    return defaultHealState();
+  try {
+    return { ...defaultHealState(), ...JSON.parse(readFileSync10(p, "utf8")) };
+  } catch {
+    return defaultHealState();
+  }
+}
+function writeHealState(state, path) {
+  const p = path || getHealStatePath();
+  ensureParentDir(p);
+  writeFileSync7(p, `${JSON.stringify(state, null, 2)}
+`, "utf8");
+}
+function evaluateHealth(probe, config, state) {
+  const reasons = [];
+  const inDegraded = state.degradedUntil > 0;
+  const acceptableSsid = probe.associatedSsid === config.preferredSsid || config.fallbackSsid !== "" && inDegraded && probe.associatedSsid === config.fallbackSsid;
+  if (!acceptableSsid)
+    reasons.push(`wrong-ssid:${probe.associatedSsid ?? "none"}`);
+  if (!probe.gatewayReachable)
+    reasons.push("gateway-unreachable");
+  let remoteScore = 0;
+  for (const [anchor, ok] of Object.entries(probe.anchorsReachable)) {
+    if (ok)
+      remoteScore += 1;
+    else
+      reasons.push(`anchor-down:${anchor}`);
+  }
+  if (probe.internetReachable)
+    remoteScore += 1;
+  else
+    reasons.push("internet-down");
+  const localOk = acceptableSsid && probe.gatewayReachable;
+  const quorumOk = remoteScore >= config.quorumRequired;
+  if (!quorumOk)
+    reasons.push(`quorum:${remoteScore}/${config.quorumRequired}`);
+  return { healthy: localOk && quorumOk, remoteScore, reasons };
+}
+function decideAction(input) {
+  const { healthy, now, gpuBusy, config, currentBootId } = input;
+  const s = { ...input.state };
+  const t = config.thresholds;
+  if (s.bootId !== currentBootId) {
+    s.bootId = currentBootId;
+    s.bootHealthySince = null;
+    s.failCount = 0;
+  }
+  if (healthy) {
+    s.failCount = 0;
+    if (s.bootHealthySince === null)
+      s.bootHealthySince = now;
+    if (now - s.bootHealthySince >= config.healthyWindowSec) {
+      s.failedBootRecoveries = 0;
+      s.rebootSuppressUntil = 0;
+      s.pendingRebootRecovery = false;
+    }
+    if (s.degradedUntil > 0 && now >= s.degradedUntil) {
+      s.degradedUntil = 0;
+      return { action: "restore_preferred", state: s };
+    }
+    return { action: "none", state: s };
+  }
+  s.failCount += 1;
+  s.bootHealthySince = null;
+  let tier = "none";
+  if (s.failCount >= t.reboot)
+    tier = "reboot";
+  else if (s.failCount >= t.fallback && config.fallbackSsid !== "")
+    tier = "fallback";
+  else if (s.failCount >= t.nmRestart)
+    tier = "nmRestart";
+  else if (s.failCount >= t.reconnect)
+    tier = "reconnect";
+  const tryReconnect = (reason) => {
+    if (now - s.lastReconnect >= config.reconnectMinIntervalSec) {
+      s.lastReconnect = now;
+      return { action: "reconnect_wifi", suppressedReason: reason, state: s };
+    }
+    return { action: "none", suppressedReason: reason, state: s };
+  };
+  switch (tier) {
+    case "reconnect":
+      return tryReconnect();
+    case "nmRestart":
+      if (now - s.lastNmRestart >= config.nmRestartMinIntervalSec) {
+        s.lastNmRestart = now;
+        return { action: "restart_nm", state: s };
+      }
+      return tryReconnect();
+    case "fallback":
+      if (now - s.lastFallback >= config.fallbackWindowSec) {
+        s.lastFallback = now;
+        s.degradedUntil = now + config.fallbackWindowSec;
+        return { action: "fallback_ssid", state: s };
+      }
+      return tryReconnect();
+    case "reboot": {
+      let reason = null;
+      if (!config.allowReboot)
+        reason = "disabled";
+      else if (now < s.rebootSuppressUntil)
+        reason = "loop";
+      else if (config.gpuJobGuard && gpuBusy)
+        reason = "gpu";
+      else if (now - s.lastRebootAttempt < config.rebootMinIntervalSec)
+        reason = "rate";
+      if (reason)
+        return tryReconnect(reason);
+      if (s.pendingRebootRecovery) {
+        s.failedBootRecoveries += 1;
+        if (s.failedBootRecoveries >= config.maxFailedBootRecoveries) {
+          s.rebootSuppressUntil = now + config.bootBackoffSec;
+          return tryReconnect("loop");
+        }
+      }
+      s.lastRebootAttempt = now;
+      s.pendingRebootRecovery = true;
+      return { action: "reboot", state: s };
+    }
+    default:
+      return { action: "none", state: s };
+  }
+}
+function sh(cmd, timeoutMs = 8000) {
+  const r = Bun.spawnSync(["bash", "-lc", cmd], { stdout: "pipe", stderr: "pipe", env: process.env, timeout: timeoutMs });
+  return { ok: r.exitCode === 0, out: r.stdout.toString("utf8").trim() };
+}
+function getCurrentBootId() {
+  try {
+    return readFileSync10("/proc/sys/kernel/random/boot_id", "utf8").trim();
+  } catch {
+    return "";
+  }
+}
+function detectWifiInterface() {
+  const r = sh(`nmcli -t -f DEVICE,TYPE device status 2>/dev/null | awk -F: '$2=="wifi"{print $1; exit}'`);
+  return r.ok ? r.out : "";
+}
+function detectGateway() {
+  const r = sh(`ip route 2>/dev/null | awk '/^default/{print $3; exit}'`);
+  return r.ok ? r.out : "";
+}
+function getAssociatedSsid() {
+  const r = sh(`iwgetid -r 2>/dev/null || nmcli -t -f active,ssid dev wifi 2>/dev/null | awk -F: '/^yes/{print $2; exit}'`);
+  return r.ok && r.out ? r.out : null;
+}
+function pingHost(host) {
+  if (!host)
+    return false;
+  return sh(`ping -c1 -W2 ${host} >/dev/null 2>&1 && echo ok`, 5000).out === "ok";
+}
+function internetReachable(url) {
+  return sh(`curl -sf -m5 -o /dev/null ${url} && echo ok`, 8000).out === "ok";
+}
+function tailscalePing(host) {
+  return sh(`timeout 8 tailscale ping --until-direct=false ${host} 2>/dev/null | grep -q pong && echo ok`, 1e4).out === "ok";
+}
+function gpuBusy() {
+  const r = sh(`command -v nvidia-smi >/dev/null 2>&1 && nvidia-smi --query-compute-apps=pid --format=csv,noheader 2>/dev/null | grep -q . && echo busy`, 6000);
+  return r.out === "busy";
+}
+function discoverAnchors() {
+  const r = sh(`tailscale status --json 2>/dev/null`);
+  if (!r.ok)
+    return [];
+  try {
+    const status = JSON.parse(r.out);
+    const anchors = [];
+    for (const peer of Object.values(status.Peer || {})) {
+      const name = peer.HostName || (peer.DNSName || "").split(".")[0];
+      if (name)
+        anchors.push(name);
+    }
+    return anchors;
+  } catch {
+    return [];
+  }
+}
+function probeHealth(config) {
+  const gw = config.wifiInterface ? detectGateway() : detectGateway();
+  const anchors = config.tailscaleAnchors.length > 0 ? config.tailscaleAnchors : discoverAnchors().slice(0, 3);
+  const anchorsReachable = {};
+  for (const a of anchors)
+    anchorsReachable[a] = tailscalePing(a);
+  return {
+    associatedSsid: getAssociatedSsid(),
+    gatewayReachable: pingHost(gw),
+    anchorsReachable,
+    internetReachable: internetReachable(config.internetUrl)
+  };
+}
+function executeAction(action, config) {
+  const iface = config.wifiInterface || detectWifiInterface();
+  switch (action) {
+    case "reconnect_wifi":
+      sh(`nmcli connection up "${config.preferredSsid}" 2>&1; tailscale up 2>&1 || true`, 30000);
+      return `reconnected wifi to ${config.preferredSsid}`;
+    case "restart_nm":
+      sh(`systemctl restart NetworkManager 2>&1; sleep 5; nmcli connection up "${config.preferredSsid}" 2>&1; tailscale up 2>&1 || true`, 40000);
+      return "restarted NetworkManager";
+    case "fallback_ssid":
+      sh(`nmcli connection modify "${config.fallbackSsid}" connection.autoconnect yes 2>&1; nmcli connection up "${config.fallbackSsid}" 2>&1; tailscale up 2>&1 || true`, 30000);
+      return `switched to degraded fallback ${config.fallbackSsid}`;
+    case "restore_preferred":
+      sh(`nmcli connection modify "${config.fallbackSsid}" connection.autoconnect no 2>&1; nmcli connection up "${config.preferredSsid}" 2>&1; tailscale up 2>&1 || true`, 30000);
+      return `restored preferred ${config.preferredSsid}`;
+    case "reboot":
+      sh(`systemctl reboot 2>&1 || reboot 2>&1`, 1e4);
+      return "reboot issued";
+    default:
+      return "no action";
+  }
+}
+
+// src/commands/heal-daemon.ts
+import { existsSync as existsSync10, readFileSync as readFileSync11, writeFileSync as writeFileSync8 } from "fs";
+import { join as join12 } from "path";
+var DAEMON_PID_PATH2 = join12(getDataDir(), "heal-daemon.pid");
+var SERVICE_PATH = "/etc/systemd/system/machines-heal.service";
+var SYSTEM_CONF = "/etc/systemd/system.conf";
+function log(msg) {
+  console.log(`${new Date().toISOString()} [machines-heal] ${msg}`);
+}
+function runHealOnce(config, opts = {}) {
+  const state = readHealState();
+  const probe = probeHealth(config);
+  const health = evaluateHealth(probe, config, state);
+  const busy = config.gpuJobGuard ? gpuBusy() : false;
+  const decision = decideAction({
+    state,
+    healthy: health.healthy,
+    now: Math.floor(Date.now() / 1000),
+    gpuBusy: busy,
+    config,
+    currentBootId: getCurrentBootId()
+  });
+  let executed = "skipped (dry-run)";
+  if (!opts.dryRun) {
+    writeHealState(decision.state);
+    if (decision.action !== "none")
+      executed = executeAction(decision.action, config);
+    else
+      executed = "no action";
+  }
+  const result = {
+    healthy: health.healthy,
+    action: decision.action,
+    suppressedReason: decision.suppressedReason,
+    reasons: health.reasons,
+    remoteScore: health.remoteScore,
+    failCount: decision.state.failCount,
+    executed
+  };
+  const sup = decision.suppressedReason ? ` suppressed=${decision.suppressedReason}` : "";
+  log(health.healthy ? `healthy (quorum ${health.remoteScore}) action=${decision.action} ${executed}` : `UNHEALTHY [${health.reasons.join(",")}] fails=${decision.state.failCount} action=${decision.action}${sup} -> ${executed}`);
+  return result;
+}
+function writePid2(pid) {
+  writeFileSync8(DAEMON_PID_PATH2, `${pid}
+`);
+}
+function readPid2() {
+  try {
+    const pid = Number.parseInt(readFileSync11(DAEMON_PID_PATH2, "utf8").trim());
+    return Number.isFinite(pid) ? pid : null;
+  } catch {
+    return null;
+  }
+}
+function isProcessRunning2(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function stopHealDaemon() {
+  const pid = readPid2();
+  if (pid && isProcessRunning2(pid)) {
+    process.kill(pid, "SIGTERM");
+    return { stopped: true, pid };
+  }
+  return { stopped: false, pid };
+}
+function startHealDaemon() {
+  const config = readHealConfig();
+  if (!config.preferredSsid) {
+    log("refusing to start: preferredSsid is not configured (run `machines heal config --set ...`)");
+    process.exit(1);
+  }
+  writePid2(process.pid);
+  log(`daemon started (pid ${process.pid}) interval=${config.intervalSec}s preferred=${config.preferredSsid}`);
+  const tick = () => {
+    try {
+      runHealOnce(config);
+    } catch (err) {
+      log(`tick error: ${err.message}`);
+    }
+  };
+  tick();
+  setInterval(tick, Math.max(10, config.intervalSec) * 1000);
+}
+function sh2(cmd, timeoutMs = 15000) {
+  const r = Bun.spawnSync(["bash", "-lc", cmd], { stdout: "pipe", stderr: "pipe", env: process.env, timeout: timeoutMs });
+  return { ok: r.exitCode === 0, out: `${r.stdout.toString("utf8")}${r.stderr.toString("utf8")}`.trim() };
+}
+function applyDeterminism(config) {
+  const iface = config.wifiInterface || detectWifiInterface();
+  const log2 = [];
+  if (!config.preferredSsid)
+    return ["no preferredSsid configured; skipping determinism"];
+  sh2(`nmcli connection modify "${config.preferredSsid}" connection.autoconnect yes connection.autoconnect-priority 10 802-11-wireless.powersave 2`);
+  log2.push(`pinned ${config.preferredSsid} (autoconnect, priority 10, powersave off)`);
+  const profiles = sh2(`nmcli -t -f NAME,TYPE connection show 2>/dev/null | awk -F: '$2 ~ /wireless/{print $1}'`).out.split(`
+`).filter(Boolean);
+  for (const p of profiles) {
+    if (p === config.preferredSsid)
+      continue;
+    if (p === config.fallbackSsid) {
+      sh2(`nmcli connection modify "${p}" connection.autoconnect no`);
+      log2.push(`disabled autoconnect on fallback ${p}`);
+      continue;
+    }
+    sh2(`nmcli connection modify "${p}" connection.autoconnect no`);
+    log2.push(`disabled autoconnect on ${p}`);
+  }
+  if (iface) {
+    sh2(`iw dev ${iface} set power_save off 2>/dev/null || true`);
+    log2.push(`power_save off on ${iface}`);
+  }
+  return log2;
+}
+function enableHardwareWatchdog() {
+  const log2 = [];
+  if (!existsSync10(SYSTEM_CONF))
+    return ["/etc/systemd/system.conf not found; skipping hardware watchdog"];
+  let conf = readFileSync11(SYSTEM_CONF, "utf8");
+  const set = (key, value) => {
+    const re = new RegExp(`^#?\\s*${key}=.*$`, "m");
+    if (re.test(conf))
+      conf = conf.replace(re, `${key}=${value}`);
+    else
+      conf += `
+${key}=${value}
+`;
+  };
+  set("RuntimeWatchdogSec", "20s");
+  set("RebootWatchdogSec", "2min");
+  writeFileSync8(SYSTEM_CONF, conf);
+  sh2("systemctl daemon-reexec");
+  log2.push("hardware watchdog: RuntimeWatchdogSec=20s RebootWatchdogSec=2min");
+  return log2;
+}
+function binPath() {
+  const r = sh2("command -v machines");
+  return r.ok && r.out ? r.out.split(`
+`)[0].trim() : "machines";
+}
+function installHealService() {
+  const log2 = [];
+  const exec = binPath();
+  const unit = `[Unit]
+Description=Hasna machines self-healing network watchdog
+After=network.target NetworkManager.service tailscaled.service
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=${exec} heal daemon
+Restart=always
+RestartSec=10
+# Persisted state/config live in root's data dir.
+Environment=HOME=/root
+
+[Install]
+WantedBy=multi-user.target
+`;
+  writeFileSync8(SERVICE_PATH, unit);
+  sh2("systemctl daemon-reload");
+  sh2("systemctl enable --now machines-heal.service");
+  log2.push(`installed + enabled ${SERVICE_PATH} (ExecStart=${exec} heal daemon)`);
+  return log2;
+}
+function uninstallHealService() {
+  const log2 = [];
+  sh2("systemctl disable --now machines-heal.service 2>/dev/null || true");
+  if (existsSync10(SERVICE_PATH)) {
+    sh2(`rm -f ${SERVICE_PATH}`);
+    sh2("systemctl daemon-reload");
+    log2.push(`removed ${SERVICE_PATH}`);
+  } else {
+    log2.push("service not installed");
+  }
+  return log2;
+}
+function healServiceStatus() {
+  return {
+    installed: existsSync10(SERVICE_PATH),
+    active: sh2("systemctl is-active machines-heal.service").out === "active",
+    enabled: sh2("systemctl is-enabled machines-heal.service 2>/dev/null").out === "enabled"
+  };
+}
+
 // src/cli-utils.ts
 function parseIntegerOption(value, label, constraints = {}) {
   const parsed = Number.parseInt(value, 10);
@@ -18032,7 +18857,7 @@ ${items.map((item) => `- ${item}`).join(`
 
 // src/cli/index.ts
 import { rmSync as rmSync2 } from "fs";
-import { readFileSync as readFileSync8 } from "fs";
+import { readFileSync as readFileSync12 } from "fs";
 var program2 = new Command;
 function printJsonOrText(data, text, json = false) {
   if (json || program2.opts().quiet) {
@@ -18179,7 +19004,7 @@ manifestCommand.command("add").description("Add or replace a machine in the flee
       console.error("error: --from-stdin requires piped input");
       process.exit(1);
     }
-    const input = readFileSync8(0, "utf8");
+    const input = readFileSync12(0, "utf8");
     const machine2 = JSON.parse(input);
     console.log(JSON.stringify(manifestAdd(machine2), null, 2));
     return;
@@ -18358,6 +19183,14 @@ clipboardCommand.command("key").description("Show or rotate the shared secret ke
   const key = getOrCreateClipboardKey();
   printJsonOrText({ key }, key, options.json);
 });
+clipboardCommand.command("start").description("Start clipboard sync daemon").option("--port <port>", "Port to listen on").action((options) => {
+  const port = options.port ? Number(options.port) : undefined;
+  startClipboardDaemon(port);
+});
+clipboardCommand.command("stop").description("Stop clipboard sync daemon").action(() => {
+  const result = stopClipboardDaemon();
+  console.log(result.stopped ? `daemon stopped (pid ${result.pid})` : "daemon not running");
+});
 installClaudeCommand.command("status").description("Check installed state for Claude, Codex, and Gemini CLIs").option("--machine <id>", "Machine identifier").option("--tool <name...>", "CLI tools to inspect (claude, codex, gemini)").option("-j, --json", "Print JSON output", false).action((options) => {
   const result = getClaudeCliStatus(options.machine, options.tool);
   printJsonOrText(result, renderClaudeStatusResult(result), options.json);
@@ -18410,4 +19243,98 @@ program2.command("serve").description("Serve a local fleet dashboard and JSON AP
   const server = startDashboardServer({ host: info.host, port: info.port });
   console.log(source_default.green(`machines dashboard listening on http://${server.hostname}:${server.port}`));
 });
+var healCommand = program2.command("heal").description("Self-healing network watchdog: keeps a Wi-Fi node reachable (SSID pinning + peer-reachability + gated reboot)");
+function requireRoot() {
+  const uid = process.getuid ? process.getuid() : 1;
+  if (uid !== 0) {
+    console.error(source_default.red("error: this command must run as root (try: sudo machines heal install)"));
+    return false;
+  }
+  return true;
+}
+healCommand.command("config").description(`View or update self-healing config (e.g. --set '{"preferredSsid":"X81ND","fallbackSsid":"DIGI-s2N5"}')`).option("--set <json>", "Merge a JSON object into the config").option("-j, --json", "Print JSON output", false).action((options) => {
+  if (options.set) {
+    const current = readHealConfig();
+    const partial = JSON.parse(options.set);
+    writeHealConfig({
+      ...current,
+      ...partial,
+      thresholds: { ...current.thresholds, ...partial.thresholds || {} }
+    });
+  }
+  const config = readHealConfig();
+  printJsonOrText(config, renderKeyValueTable([
+    ["enabled", String(config.enabled)],
+    ["preferredSsid", config.preferredSsid || source_default.yellow("(unset)")],
+    ["fallbackSsid", config.fallbackSsid || "(none)"],
+    ["anchors", config.tailscaleAnchors.length ? config.tailscaleAnchors.join(", ") : "(auto-discover)"],
+    ["quorumRequired", String(config.quorumRequired)],
+    ["intervalSec", String(config.intervalSec)],
+    ["thresholds", `reconnect=${config.thresholds.reconnect} nm=${config.thresholds.nmRestart} fallback=${config.thresholds.fallback} reboot=${config.thresholds.reboot}`],
+    ["allowReboot", String(config.allowReboot)],
+    ["gpuJobGuard", String(config.gpuJobGuard)]
+  ]), options.json);
+});
+healCommand.command("check").description("Run one health + decision tick read-only (no side effects)").option("-j, --json", "Print JSON output", false).action((options) => {
+  const result = runHealOnce(readHealConfig(), { dryRun: true });
+  printJsonOrText(result, renderList("heal check", [
+    `health: ${result.healthy ? source_default.green("HEALTHY") : source_default.red("UNHEALTHY")} (remote quorum ${result.remoteScore})`,
+    `reasons: ${result.reasons.length ? result.reasons.join(", ") : "none"}`,
+    `would do: ${result.action}${result.suppressedReason ? ` (reboot suppressed: ${result.suppressedReason})` : ""}`,
+    `consecutive fails: ${result.failCount}`
+  ]), options.json);
+});
+healCommand.command("status").description("Show watchdog service status and last persisted state").option("-j, --json", "Print JSON output", false).action((options) => {
+  const svc = healServiceStatus();
+  const state = readHealState();
+  const config = readHealConfig();
+  printJsonOrText({ service: svc, state, config }, renderKeyValueTable([
+    ["service installed", svc.installed ? source_default.green("yes") : "no"],
+    ["service active", svc.active ? source_default.green("yes") : source_default.yellow("no")],
+    ["service enabled", svc.enabled ? "yes" : "no"],
+    ["preferredSsid", config.preferredSsid || source_default.yellow("(unset)")],
+    ["consecutive fails", String(state.failCount)],
+    ["pending reboot recovery", String(state.pendingRebootRecovery)],
+    ["failed boot recoveries", String(state.failedBootRecoveries)]
+  ]), options.json);
+});
+healCommand.command("daemon").description("Run the watchdog loop in the foreground (used by systemd)").action(() => {
+  startHealDaemon();
+});
+healCommand.command("stop").description("Stop a foreground daemon started via `heal daemon`").action(() => {
+  const r = stopHealDaemon();
+  console.log(r.stopped ? `stopped heal daemon (pid ${r.pid})` : "heal daemon not running");
+});
+healCommand.command("determinism").description("Pin the preferred SSID, disable other autoconnects, turn off Wi-Fi power save").action(() => {
+  const log2 = applyDeterminism(readHealConfig());
+  console.log(renderList("determinism", log2));
+});
+healCommand.command("install").description("Install the watchdog: determinism + hardware watchdog + systemd service (requires root)").option("--no-determinism", "Skip SSID pinning / power-save changes").option("--no-watchdog", "Skip enabling the systemd hardware watchdog").option("--no-service", "Skip installing the systemd service").action((options) => {
+  if (!requireRoot()) {
+    process.exitCode = 1;
+    return;
+  }
+  const config = readHealConfig();
+  if (!config.preferredSsid) {
+    console.error(source_default.red(`error: set preferredSsid first: machines heal config --set '{"preferredSsid":"X81ND"}'`));
+    process.exitCode = 1;
+    return;
+  }
+  const out = [];
+  if (options.determinism !== false)
+    out.push(...applyDeterminism(config));
+  if (options.watchdog !== false)
+    out.push(...enableHardwareWatchdog());
+  if (options.service !== false)
+    out.push(...installHealService());
+  console.log(renderList("install", out));
+  console.log(source_default.green("self-healing watchdog installed"));
+});
+healCommand.command("uninstall").description("Remove the systemd watchdog service (requires root)").action(() => {
+  if (!requireRoot()) {
+    process.exitCode = 1;
+    return;
+  }
+  console.log(renderList("uninstall", uninstallHealService()));
+});
 await program2.parseAsync(process.argv);