npm - @onklave/agent-cli - Versions diffs - 0.1.10 → 0.1.12 - Mend

@onklave/agent-cli 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/main.js +742 -18
package/package.json +1 -1

package/main.js CHANGED Viewed

@@ -510,7 +510,7 @@ var PlatformClient = class {
   async respondToGate(sessionId, decision, value) {
     await this.request(
       "POST",
-      `/api/v1/agent/sessions/${sessionId}/gate`,
+      `/api/v1/agent/sessions/${sessionId}/respond`,
       {
         decision,
         message: value
@@ -569,6 +569,17 @@ var PlatformClient = class {
   async unregisterMachine() {
     await this.request("POST", "/api/v1/runner/unregister");
   }
+  /*
+   * Update an already-registered machine's configuration. Used by
+   * `onklave register --refresh` to push freshly-detected capabilities.
+   */
+  async updateMachine(machineId, patch) {
+    await this.request(
+      "PATCH",
+      `/api/v1/runner/machines/${machineId}`,
+      patch
+    );
+  }
   /*
    * List all registered machines.
    */
@@ -593,8 +604,8 @@ var PlatformClient = class {
   /*
    * Make an authenticated HTTP request to the platform.
    */
-  async request(method, path6, body) {
-    const url = `${this.baseUrl}${path6}`;
+  async request(method, path7, body) {
+    const url = `${this.baseUrl}${path7}`;
     const headers = {
       Authorization: `Bearer ${this.token}`,
       "Content-Type": "application/json",
@@ -642,12 +653,19 @@ var CommsClient = class {
   }
   /*
    * Connect to the Onklave comms service via Socket.IO.
+   * Pass `machineId` so the server can route inbound runner events
+   * (e.g. `assignment:claim-available`) to this specific runner.
    */
-  async connect(platformUrl, token) {
+  async connect(platformUrl, token, extra) {
     return new Promise((resolve3, reject) => {
       const commsUrl = platformUrl.replace(/\/+$/, "");
-      this.socket = io(`${commsUrl}/agent`, {
-        auth: { token },
+      this.socket = io(`${commsUrl}/agent-cli`, {
+        auth: {
+          token,
+          machineId: extra?.machineId,
+          deviceToken: extra?.deviceToken,
+          orgId: extra?.orgId
+        },
         transports: ["websocket", "polling"],
         reconnection: true,
         reconnectionAttempts: this.maxReconnectAttempts,
@@ -713,10 +731,13 @@ var CommsClient = class {
     this.socket?.emit("agent:audit", event);
   }
   /*
-   * Emit a heartbeat to the platform.
+   * Emit a heartbeat to the platform. The comms namespace expects the
+   * `runner:heartbeat` event and the RunnerHeartbeatPayload shape; the
+   * primary heartbeat path is HTTP via HeartbeatService, this socket path
+   * is reserved for the future daemon-with-open-socket flow.
    */
   emitHeartbeat(data) {
-    this.socket?.emit("agent:heartbeat", data);
+    this.socket?.emit("runner:heartbeat", data);
   }
   /*
    * Listen for approval responses from the platform.
@@ -738,6 +759,15 @@ var CommsClient = class {
   onSpawnRequest(handler) {
     this.socket?.on("agent:spawn", handler);
   }
+  /*
+   * Listen for assignment:claim-available events from the platform.
+   * The daemon mode (V6-CLI-002, deferred) will consume these to claim
+   * work items. For now this stays as a registerable listener so
+   * non-daemon use is unaffected.
+   */
+  onAssignmentAvailable(handler) {
+    this.socket?.on("assignment:claim-available", handler);
+  }
 };
 // _apps/@onklave/agent-cli/src/services/session-manager.ts
@@ -762,6 +792,12 @@ var SessionManager = class {
     if (config.allowedTools && config.allowedTools.length > 0) {
       args.push("--allowedTools", config.allowedTools.join(","));
     }
+    if (config.deniedTools && config.deniedTools.length > 0) {
+      args.push("--disallowedTools", config.deniedTools.join(","));
+    }
+    if (config.addDirs && config.addDirs.length > 0) {
+      args.push("--add-dir", ...config.addDirs);
+    }
     if (config.systemPromptAppend) {
       args.push("--append-system-prompt", config.systemPromptAppend);
     }
@@ -872,6 +908,20 @@ var SessionManager = class {
   }
 };
+// _apps/@onklave/agent-cli/src/types/events.types.ts
+var DAEMON_AUDIT_ACTIONS = {
+  STARTED: "daemon.started",
+  ONLINE: "daemon.online",
+  DRAINING: "daemon.draining",
+  STOPPED: "daemon.stopped",
+  FORCE_STOPPED: "daemon.force_stopped",
+  DRAIN_TIMEOUT_EXCEEDED: "daemon.drain_timeout_exceeded",
+  AUTH_WARNING: "daemon.auth_warning",
+  AUTH_EXPIRED: "daemon.auth_expired",
+  HEARTBEAT_FAILED: "daemon.heartbeat_failed",
+  RESOURCE_LIMIT_BREACHED: "daemon.resource_limit_breached"
+};
 // _apps/@onklave/agent-cli/src/services/state-publisher.ts
 var StatePublisher = class {
   constructor(commsClient) {
@@ -1178,6 +1228,69 @@ var GuardrailEnforcer = class {
   }
 };
+// _apps/@onklave/agent-cli/src/services/heartbeat.service.ts
+var DEFAULT_INTERVAL_MS = 3e4;
+var HeartbeatService = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.timer = null;
+    this.intervalMs = opts.intervalMs ?? DEFAULT_INTERVAL_MS;
+    this.onError = opts.onError ?? ((err) => console.error(`[heartbeat] ${err.message}`));
+  }
+  start() {
+    if (this.timer) return;
+    void this.emit();
+    this.timer = setInterval(() => {
+      void this.emit();
+    }, this.intervalMs);
+    if (typeof this.timer.unref === "function") {
+      this.timer.unref();
+    }
+  }
+  stop() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+  }
+  /**
+   * Single heartbeat emission. Exposed for tests and one-shot diagnostics
+   * (`onklave doctor`).
+   */
+  async emit() {
+    const body = {
+      machineId: this.opts.machineId,
+      status: "online",
+      activeSessionCount: this.opts.getActiveSessionCount(),
+      resourceUsage: this.opts.getResourceUsage?.()
+    };
+    try {
+      const response = await fetch(
+        `${this.opts.platformUrl}/api/v1/runner/heartbeat`,
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            "x-device-token": this.opts.deviceToken
+          },
+          body: JSON.stringify(body),
+          signal: AbortSignal.timeout(1e4)
+        }
+      );
+      if (!response.ok) {
+        this.onError(
+          new Error(
+            `heartbeat failed: ${response.status} ${response.statusText}`
+          )
+        );
+      }
+    } catch (err) {
+      this.onError(err instanceof Error ? err : new Error(String(err)));
+    }
+  }
+};
 // _apps/@onklave/agent-cli/src/tui/render.tsx
 import { render } from "ink";
@@ -1764,6 +1877,21 @@ async function runCommand(args) {
     resolvedConfig.platformUrl,
     creds.token
   );
+  const sessionManager = new SessionManager();
+  let heartbeat = null;
+  if (creds.machineId && creds.deviceToken) {
+    heartbeat = new HeartbeatService({
+      platformUrl: resolvedConfig.platformUrl,
+      deviceToken: creds.deviceToken,
+      machineId: creds.machineId,
+      getActiveSessionCount: () => sessionManager.getActiveSessionIds().length
+    });
+    heartbeat.start();
+    const stopHeartbeat = () => heartbeat?.stop();
+    process.once("SIGTERM", stopHeartbeat);
+    process.once("SIGINT", stopHeartbeat);
+    process.once("beforeExit", stopHeartbeat);
+  }
   let sessionId;
   try {
     console.log("Creating agent session on Onklave platform...");
@@ -1788,7 +1916,11 @@ async function runCommand(args) {
   const auditStreamer = new AuditStreamer(commsClient);
   try {
     console.log("Connecting to Onklave comms service...");
-    await commsClient.connect(resolvedConfig.platformUrl, creds.token);
+    await commsClient.connect(resolvedConfig.platformUrl, creds.token, {
+      machineId: creds.machineId,
+      deviceToken: creds.deviceToken,
+      orgId: creds.orgId
+    });
     console.log("Connected.");
   } catch (err) {
     console.warn(
@@ -1817,13 +1949,27 @@ async function runCommand(args) {
       );
     }
   }
-  const _guardrailEnforcer = new GuardrailEnforcer({
+  const guardrailEnforcer = new GuardrailEnforcer({
     rules: resolvedConfig.guardrails,
     allowedTools: resolvedConfig.allowedTools,
     deniedTools: resolvedConfig.deniedTools,
     readablePaths: resolvedConfig.readablePaths,
     writablePaths: resolvedConfig.writablePaths
   });
+  for (const tool of resolvedConfig.allowedTools) {
+    const verdict = guardrailEnforcer.checkToolCall(tool, {});
+    if (!verdict.allowed) {
+      console.warn(
+        `Warning: allowed tool "${tool}" is also denied by guardrails \u2014 Claude will reject this tool.`
+      );
+    }
+  }
+  const addDirs = [
+    .../* @__PURE__ */ new Set([
+      ...resolvedConfig.writablePaths,
+      ...resolvedConfig.readablePaths
+    ])
+  ];
   const sessionConfig = {
     task: resolvedConfig.task,
     context: resolvedConfig.context,
@@ -1834,12 +1980,25 @@ async function runCommand(args) {
     guardrails: resolvedConfig.guardrails,
     allowedTools: resolvedConfig.allowedTools,
     deniedTools: resolvedConfig.deniedTools,
+    addDirs,
     apiKey: resolvedConfig.apiKey,
     headless: resolvedConfig.headless,
     platformUrl: resolvedConfig.platformUrl,
     orgId: resolvedConfig.orgId,
     systemPromptAppend: personaSystemPrompt ?? resolvedConfig.systemPromptAppend
   };
+  auditStreamer.record({
+    sessionId,
+    type: "state_change" /* STATE_CHANGE */,
+    action: "guardrails_applied",
+    details: {
+      ruleCount: resolvedConfig.guardrails.length,
+      allowedTools: resolvedConfig.allowedTools,
+      deniedTools: resolvedConfig.deniedTools,
+      addDirs
+    },
+    outcome: "success"
+  });
   statePublisher.publishSessionStarted(sessionId, sessionConfig);
   auditStreamer.record({
     sessionId,
@@ -1849,7 +2008,6 @@ async function runCommand(args) {
     outcome: "success"
   });
   const useTui = flags["tui"] === true || process.stdout.isTTY === true && !resolvedConfig.headless && flags["tui"] !== false;
-  const sessionManager = new SessionManager();
   if (useTui) {
     const tuiInstance = renderTui({
       sessionId,
@@ -2568,11 +2726,14 @@ async function configCommand(args) {
 import * as os3 from "os";
 async function registerCommand(args) {
   const { flags } = parseArgs(args);
+  const refresh = flags["refresh"] === true;
   const linkingToken = flags["token"];
-  if (typeof linkingToken !== "string" || !linkingToken) {
-    console.error("Error: --token is required.\n");
-    console.log("Usage: onklave register --token <linking-token>\n");
-    console.log("To obtain a linking token:");
+  if (!refresh && (typeof linkingToken !== "string" || !linkingToken)) {
+    console.error("Error: --token is required (or pass --refresh).\n");
+    console.log("Usage:");
+    console.log("  onklave register --token <linking-token>");
+    console.log("  onklave register --refresh        # re-detect capabilities");
+    console.log("\nTo obtain a linking token:");
     console.log("  1. Log in to the Onklave Portal");
     console.log("  2. Navigate to Settings > Machines");
     console.log('  3. Click "Register Machine" to generate a linking token');
@@ -2586,6 +2747,28 @@ async function registerCommand(args) {
     process.exitCode = 1;
     return;
   }
+  const platformClient = new PlatformClient(creds.platformUrl, creds.token);
+  if (refresh) {
+    if (!creds.machineId) {
+      console.error(
+        "Error: --refresh requires a previously-registered machine. Run `onklave register --token <linking-token>` first."
+      );
+      process.exitCode = 1;
+      return;
+    }
+    const capabilities = detectCapabilities();
+    console.log("Re-detecting capabilities for this machine...");
+    console.log(`  Capabilities: ${capabilities.join(", ") || "(none)"}`);
+    try {
+      await platformClient.updateMachine(creds.machineId, { capabilities });
+      console.log(`
+Machine ${creds.machineId} updated successfully.`);
+    } catch (err) {
+      console.error(`Refresh failed: ${err.message}`);
+      process.exitCode = 1;
+    }
+    return;
+  }
   const metadata = {
     hostname: os3.hostname(),
     os: `${os3.platform()} ${os3.release()}`,
@@ -2593,14 +2776,19 @@ async function registerCommand(args) {
     nodeVersion: process.version,
     capabilities: detectCapabilities()
   };
-  const platformClient = new PlatformClient(creds.platformUrl, creds.token);
   try {
     console.log("Registering machine with Onklave platform...");
     console.log(`  Hostname: ${metadata.hostname}`);
     console.log(`  OS: ${metadata.os}`);
     console.log(`  Arch: ${metadata.arch}`);
     console.log(`  Node: ${metadata.nodeVersion}`);
-    const result = await platformClient.registerMachine(linkingToken, metadata);
+    console.log(
+      `  Capabilities: ${metadata.capabilities?.join(", ") || "(none)"}`
+    );
+    const result = await platformClient.registerMachine(
+      linkingToken,
+      metadata
+    );
     await authService.saveDeviceToken(result.deviceToken, result.machineId);
     console.log(`
 Machine registered successfully.`);
@@ -2610,6 +2798,9 @@ Machine registered successfully.`);
       `
 This machine can now receive remote agent session requests.`
     );
+    console.log(
+      `Tip: after installing new tools (e.g. Docker), run \`onklave register --refresh\` to update capabilities.`
+    );
   } catch (err) {
     console.error(`Registration failed: ${err.message}`);
     process.exitCode = 1;
@@ -2669,6 +2860,538 @@ async function logsCommand(args) {
   }
 }
+// _apps/@onklave/agent-cli/src/commands/daemon.command.ts
+import * as fs6 from "fs";
+// _apps/@onklave/agent-cli/src/services/daemon-comms.service.ts
+var DaemonCommsService = class {
+  constructor(opts, client) {
+    this.disconnectedAt = null;
+    this.stopRequested = false;
+    this.client = client ?? new CommsClient();
+    this.opts = opts;
+    this.sleep = opts.sleep ?? defaultSleep;
+    this.onRetry = opts.onRetry ?? ((attempt, delayMs, err) => console.warn(
+      `[daemon-comms] reconnect attempt ${attempt} after ${delayMs}ms (${err.message})`
+    ));
+  }
+  /**
+   * Opens the socket connection. Retries indefinitely with jittered
+   * exponential backoff until either (a) a connect succeeds or (b)
+   * `stop()` is called. Throws only if `stop()` is invoked before any
+   * successful connect.
+   */
+  async connect() {
+    let attempt = 0;
+    while (!this.stopRequested) {
+      try {
+        await this.client.connect(this.opts.platformUrl, this.opts.token, {
+          machineId: this.opts.machineId,
+          deviceToken: this.opts.deviceToken,
+          orgId: this.opts.orgId
+        });
+        this.disconnectedAt = null;
+        return;
+      } catch (err) {
+        attempt += 1;
+        const delay = this.computeBackoff(attempt);
+        this.onRetry(attempt, delay, err);
+        if (this.disconnectedAt == null) this.disconnectedAt = /* @__PURE__ */ new Date();
+        await this.sleep(delay);
+      }
+    }
+    throw new Error("daemon-comms: stop() called before any connect succeeded");
+  }
+  /**
+   * Signal that no further reconnect should be attempted and close the
+   * underlying socket cleanly. Idempotent.
+   */
+  disconnect() {
+    this.stopRequested = true;
+    this.client.disconnect();
+  }
+  inner() {
+    return this.client;
+  }
+  isConnected() {
+    return this.client.isConnected();
+  }
+  /**
+   * Continuous-disconnect duration in ms (null if currently connected).
+   * Per spec §3.3, when this exceeds 120s the daemon's `status` output
+   * should report `offline` — the platform will have done so via
+   * heartbeat staleness anyway.
+   */
+  disconnectedForMs() {
+    if (!this.disconnectedAt) return null;
+    return Date.now() - this.disconnectedAt.getTime();
+  }
+  computeBackoff(attempt) {
+    const max = this.opts.maxBackoffMs ?? 6e4;
+    const base = Math.min(max, 1e3 * 2 ** (attempt - 1));
+    const j = this.opts.jitter ?? 0.2;
+    const swing = base * j;
+    return Math.round(base + (Math.random() * 2 - 1) * swing);
+  }
+};
+function defaultSleep(ms) {
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
+}
+// _apps/@onklave/agent-cli/src/services/daemon-state.service.ts
+import * as fs5 from "fs";
+import * as path6 from "path";
+import * as os4 from "os";
+var VALID_TRANSITIONS = {
+  installing: ["registered"],
+  registered: ["starting"],
+  starting: ["online", "stopping"],
+  online: ["draining", "stopping"],
+  draining: ["stopping"],
+  stopping: ["stopped"],
+  stopped: ["starting"]
+};
+function defaultStateFilePath() {
+  return path6.join(os4.homedir(), ".config", "onklave", "daemon.state.json");
+}
+function defaultPidFilePath() {
+  return path6.join(os4.homedir(), ".config", "onklave", "daemon.pid");
+}
+var DaemonStateError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DaemonStateError";
+  }
+};
+var DaemonStateService = class {
+  constructor(stateFile = defaultStateFilePath(), initial = "registered", machineId) {
+    this.stateFile = stateFile;
+    this.machineId = machineId;
+    this.listeners = [];
+    this.current = initial;
+    this.enteredAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Read the persisted state from disk, if any. Used by `daemon status`
+   * when the daemon process is not running. Returns null on missing or
+   * malformed file rather than throwing so the caller can decide.
+   */
+  static readPersisted(stateFile = defaultStateFilePath()) {
+    try {
+      if (!fs5.existsSync(stateFile)) return null;
+      const raw = fs5.readFileSync(stateFile, "utf8");
+      const parsed = JSON.parse(raw);
+      if (!parsed.state || !parsed.enteredAt) return null;
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+  getCurrent() {
+    return this.current;
+  }
+  getEnteredAt() {
+    return this.enteredAt;
+  }
+  /**
+   * Subscribe to transitions. Listeners are awaited sequentially in
+   * registration order. If a listener throws, the transition is treated
+   * as failed — the state is rolled back and the error propagates so the
+   * caller can decide. (Audit emission listeners that fail must therefore
+   * fail the transition — that is the constitutional `audit-fails-action`
+   * coupling described in spec §1.4.)
+   */
+  onTransition(cb) {
+    this.listeners.push(cb);
+  }
+  /**
+   * Attempt a transition. Throws DaemonStateError on illegal transition
+   * (current → next not in VALID_TRANSITIONS). Throws whatever a listener
+   * throws if any listener fails; in that case state is rolled back to
+   * `prev` and is not persisted.
+   */
+  async transition(next, opts = {}) {
+    const prev = this.current;
+    const allowed = VALID_TRANSITIONS[prev];
+    if (!allowed.includes(next)) {
+      throw new DaemonStateError(`illegal daemon transition ${prev} \u2192 ${next}`);
+    }
+    this.current = next;
+    this.enteredAt = /* @__PURE__ */ new Date();
+    try {
+      for (const listener of this.listeners) {
+        await listener(next, prev, opts.reason);
+      }
+      this.persist(opts.reason);
+    } catch (err) {
+      this.current = prev;
+      throw err;
+    }
+  }
+  persist(reason) {
+    const dir = path6.dirname(this.stateFile);
+    fs5.mkdirSync(dir, { recursive: true });
+    const payload = {
+      state: this.current,
+      enteredAt: this.enteredAt.toISOString(),
+      pid: process.pid,
+      ...this.machineId ? { machineId: this.machineId } : {},
+      ...reason ? { reason } : {}
+    };
+    const tmp = `${this.stateFile}.tmp`;
+    fs5.writeFileSync(tmp, JSON.stringify(payload, null, 2));
+    fs5.renameSync(tmp, this.stateFile);
+  }
+  /**
+   * Remove the persisted state file. Called on terminal `stopped` once
+   * the daemon process is exiting cleanly so `daemon status` reports
+   * "registered — daemon not running" instead of stale "stopped".
+   */
+  clearPersisted() {
+    try {
+      fs5.unlinkSync(this.stateFile);
+    } catch {
+    }
+  }
+};
+// _apps/@onklave/agent-cli/src/services/unit-file-emitters.ts
+var SYSTEMD_UNIT = `[Unit]
+Description=Onklave Agent CLI Daemon
+Documentation=https://docs.onklave.app/cli/daemon
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=simple
+User=onklave
+Group=onklave
+Environment="NODE_ENV=production"
+Environment="ONKLAVE_CONFIG_DIR=/var/lib/onklave"
+Environment="ONKLAVE_LOG_DIR=/var/log/onklave"
+ExecStart=/usr/local/bin/onklave daemon
+ExecStop=/usr/local/bin/onklave daemon drain --timeout 1800
+Restart=on-failure
+RestartSec=10s
+StartLimitIntervalSec=300
+StartLimitBurst=5
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=1830s
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/var/lib/onklave /var/log/onklave
+[Install]
+WantedBy=multi-user.target
+`;
+var LAUNCHD_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>app.onklave.daemon</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/usr/local/bin/onklave</string>
+        <string>daemon</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <dict>
+        <key>SuccessfulExit</key>
+        <false/>
+        <key>Crashed</key>
+        <true/>
+    </dict>
+    <key>ThrottleInterval</key>
+    <integer>10</integer>
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>NODE_ENV</key>
+        <string>production</string>
+        <key>ONKLAVE_CONFIG_DIR</key>
+        <string>/Users/Shared/onklave</string>
+    </dict>
+    <key>StandardOutPath</key>
+    <string>/Users/Shared/onklave/logs/daemon.out.log</string>
+    <key>StandardErrorPath</key>
+    <string>/Users/Shared/onklave/logs/daemon.err.log</string>
+    <key>ProcessType</key>
+    <string>Background</string>
+</dict>
+</plist>
+`;
+var NSSM_SCRIPT = `@echo off
+REM Onklave Agent CLI \u2014 NSSM service install script
+REM Run this as Administrator.
+set NSSM=nssm.exe
+set SERVICE=OnklaveDaemon
+set NODE_EXE=%ProgramFiles%\\nodejs\\node.exe
+set ONKLAVE_CLI=%AppData%\\npm\\node_modules\\@onklave\\agent-cli\\dist\\bin\\onklave.js
+%NSSM% install %SERVICE% "%NODE_EXE%" "%ONKLAVE_CLI%" daemon
+%NSSM% set %SERVICE% DisplayName "Onklave Agent CLI Daemon"
+%NSSM% set %SERVICE% Description "Long-running agent worker for the Onklave platform"
+%NSSM% set %SERVICE% Start SERVICE_AUTO_START
+%NSSM% set %SERVICE% AppEnvironmentExtra NODE_ENV=production ONKLAVE_CONFIG_DIR=%ProgramData%\\Onklave
+%NSSM% set %SERVICE% AppStdout %ProgramData%\\Onklave\\logs\\daemon.out.log
+%NSSM% set %SERVICE% AppStderr %ProgramData%\\Onklave\\logs\\daemon.err.log
+%NSSM% set %SERVICE% AppRotateFiles 1
+%NSSM% set %SERVICE% AppRotateOnline 1
+%NSSM% set %SERVICE% AppRotateBytes 10485760
+%NSSM% set %SERVICE% AppExit Default Restart
+%NSSM% set %SERVICE% AppRestartDelay 10000
+%NSSM% start %SERVICE%
+`;
+function emitUnitFile(flavour) {
+  switch (flavour) {
+    case "systemd":
+      return SYSTEMD_UNIT;
+    case "launchd":
+      return LAUNCHD_PLIST;
+    case "nssm":
+      return NSSM_SCRIPT;
+  }
+}
+// _apps/@onklave/agent-cli/src/commands/daemon.command.ts
+var UNIT_FLAGS = {
+  "--emit-systemd-unit": "systemd",
+  "--emit-launchd-plist": "launchd",
+  "--emit-nssm-script": "nssm"
+};
+async function daemonCommand(args) {
+  for (const arg of args) {
+    const flavour = UNIT_FLAGS[arg];
+    if (flavour) {
+      process.stdout.write(emitUnitFile(flavour));
+      return;
+    }
+  }
+  const [sub] = args;
+  if (sub === "status") return daemonStatus();
+  if (sub === "stop" || sub === "drain") return daemonStop();
+  if (sub && !sub.startsWith("--")) {
+    console.error(`Unknown subcommand: ${sub}`);
+    console.error(
+      "Usage: onklave daemon [status|stop|drain] | --emit-systemd-unit | --emit-launchd-plist | --emit-nssm-script"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  return daemonStart();
+}
+async function daemonStart() {
+  const authService = new AuthService();
+  const creds = await authService.getCredentials();
+  if (!creds?.deviceToken || !creds?.machineId) {
+    console.error(
+      "Error: machine is not registered. Run: onklave register --token <bootstrap>"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const pidFile = defaultPidFilePath();
+  if (isPidAlive(pidFile)) {
+    console.error(`Daemon already running (pid ${readPid(pidFile)}).`);
+    process.exitCode = 1;
+    return;
+  }
+  const stateService = new DaemonStateService(
+    defaultStateFilePath(),
+    "registered",
+    creds.machineId
+  );
+  const platformUrl = await authService.getPlatformUrl();
+  const comms = new DaemonCommsService({
+    platformUrl,
+    token: creds.token,
+    machineId: creds.machineId,
+    deviceToken: creds.deviceToken,
+    orgId: creds.orgId
+  });
+  const auditStreamer = new AuditStreamer(comms.inner());
+  stateService.onTransition(async (next, prev, reason) => {
+    const action = transitionToAction(next);
+    if (!action) return;
+    const event = {
+      sessionId: creds.machineId,
+      type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+      action,
+      details: { from: prev, to: next, ...reason ? { reason } : {} },
+      outcome: next === "stopped" && reason ? "failure" : "success"
+    };
+    auditStreamer.record(event);
+  });
+  let activeSessions = 0;
+  let shuttingDown = false;
+  let sigintCount = 0;
+  let sigintTimer = null;
+  const heartbeat = new HeartbeatService({
+    platformUrl,
+    deviceToken: creds.deviceToken,
+    machineId: creds.machineId,
+    getActiveSessionCount: () => activeSessions
+  });
+  const drainAndExit = async (reason) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    heartbeat.stop();
+    try {
+      if (stateService.getCurrent() === "online") {
+        await stateService.transition("draining", { reason });
+      }
+      while (activeSessions > 0) {
+        await new Promise((r) => setTimeout(r, 200));
+      }
+      await stateService.transition("stopping", { reason });
+      auditStreamer.flush();
+      comms.disconnect();
+      await stateService.transition("stopped");
+    } finally {
+      removePid(pidFile);
+      stateService.clearPersisted();
+      process.exit(0);
+    }
+  };
+  process.on("SIGTERM", () => {
+    void drainAndExit("SIGTERM");
+  });
+  process.on("SIGINT", () => {
+    sigintCount += 1;
+    if (sigintCount >= 2) {
+      console.error("\nForce-stop requested. Exiting immediately.");
+      removePid(pidFile);
+      process.exit(1);
+    }
+    if (!sigintTimer) {
+      sigintTimer = setTimeout(() => {
+        sigintCount = 0;
+        sigintTimer = null;
+      }, 5e3);
+      sigintTimer.unref?.();
+    }
+    console.log(
+      "\nSIGINT received. Draining (Ctrl-C again within 5s to force stop)\u2026"
+    );
+    void drainAndExit("SIGINT");
+  });
+  await stateService.transition("starting");
+  writePid(pidFile);
+  console.log("Connecting to Onklave comms service...");
+  try {
+    await comms.connect();
+  } catch (err) {
+    console.error(
+      `Comms connect aborted: ${err.message}. Shutting down.`
+    );
+    removePid(pidFile);
+    stateService.clearPersisted();
+    process.exit(1);
+  }
+  console.log("Connected.");
+  await stateService.transition("online");
+  heartbeat.start();
+  console.log(
+    `Daemon online. machineId=${creds.machineId} pid=${process.pid}. Press Ctrl-C to drain.`
+  );
+  await new Promise(() => void 0);
+}
+async function daemonStatus() {
+  const persisted = DaemonStateService.readPersisted();
+  if (!persisted) {
+    console.log("registered \u2014 daemon not running");
+    return;
+  }
+  const alive = persisted.pid ? isProcessAlive(persisted.pid) : false;
+  if (!alive) {
+    console.log(
+      `${persisted.state} \u2014 daemon process not running (last entered ${persisted.enteredAt})`
+    );
+    return;
+  }
+  console.log(`State:          ${persisted.state}`);
+  if (persisted.machineId)
+    console.log(`Machine ID:     ${persisted.machineId}`);
+  if (persisted.pid) console.log(`PID:            ${persisted.pid}`);
+  console.log(`Entered state:  ${persisted.enteredAt}`);
+  if (persisted.reason) console.log(`Reason:         ${persisted.reason}`);
+}
+async function daemonStop() {
+  const pidFile = defaultPidFilePath();
+  const pid = readPid(pidFile);
+  if (!pid || !isProcessAlive(pid)) {
+    console.log("No daemon running.");
+    removePid(pidFile);
+    return;
+  }
+  try {
+    process.kill(pid, "SIGTERM");
+    console.log(`Sent SIGTERM to daemon (pid ${pid}).`);
+  } catch (err) {
+    console.error(`Failed to signal daemon: ${err.message}`);
+    process.exitCode = 1;
+  }
+}
+function transitionToAction(next) {
+  switch (next) {
+    case "starting":
+      return DAEMON_AUDIT_ACTIONS.STARTED;
+    case "online":
+      return DAEMON_AUDIT_ACTIONS.ONLINE;
+    case "draining":
+      return DAEMON_AUDIT_ACTIONS.DRAINING;
+    case "stopped":
+      return DAEMON_AUDIT_ACTIONS.STOPPED;
+    default:
+      return null;
+  }
+}
+function readPid(pidFile) {
+  try {
+    const raw = fs6.readFileSync(pidFile, "utf8").trim();
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function writePid(pidFile) {
+  const dir = pidFile.replace(/\/[^/]+$/, "");
+  fs6.mkdirSync(dir, { recursive: true });
+  fs6.writeFileSync(pidFile, String(process.pid), { mode: 384 });
+}
+function removePid(pidFile) {
+  try {
+    fs6.unlinkSync(pidFile);
+  } catch {
+  }
+}
+function isPidAlive(pidFile) {
+  const pid = readPid(pidFile);
+  if (pid == null) return false;
+  return isProcessAlive(pid);
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err.code === "EPERM") {
+      return true;
+    }
+    return false;
+  }
+}
 // _apps/@onklave/agent-cli/src/commands/index.ts
 var COMMANDS = {
   login: loginCommand,
@@ -2687,7 +3410,8 @@ var COMMANDS = {
   init: (_args) => initCommand(),
   config: configCommand,
   register: registerCommand,
-  logs: logsCommand
+  logs: logsCommand,
+  daemon: daemonCommand
 };
 // _apps/@onklave/agent-cli/src/main.ts

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@onklave/agent-cli",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "Onklave Agent CLI — local agent runner with cloud orchestration",
   "bin": {
     "onklave": "./main.js"