@onklave/agent-cli 0.1.11 → 0.1.12

package/main.js

@@ -604,8 +604,8 @@ var PlatformClient = class {
   /*
    * Make an authenticated HTTP request to the platform.
    */
-  async request(method, path6, body) {
-    const url = `${this.baseUrl}${path6}`;
+  async request(method, path7, body) {
+    const url = `${this.baseUrl}${path7}`;
     const headers = {
       Authorization: `Bearer ${this.token}`,
       "Content-Type": "application/json",
@@ -908,6 +908,20 @@ var SessionManager = class {
   }
 };
 
+// _apps/@onklave/agent-cli/src/types/events.types.ts
+var DAEMON_AUDIT_ACTIONS = {
+  STARTED: "daemon.started",
+  ONLINE: "daemon.online",
+  DRAINING: "daemon.draining",
+  STOPPED: "daemon.stopped",
+  FORCE_STOPPED: "daemon.force_stopped",
+  DRAIN_TIMEOUT_EXCEEDED: "daemon.drain_timeout_exceeded",
+  AUTH_WARNING: "daemon.auth_warning",
+  AUTH_EXPIRED: "daemon.auth_expired",
+  HEARTBEAT_FAILED: "daemon.heartbeat_failed",
+  RESOURCE_LIMIT_BREACHED: "daemon.resource_limit_breached"
+};
+
 // _apps/@onklave/agent-cli/src/services/state-publisher.ts
 var StatePublisher = class {
   constructor(commsClient) {
@@ -2846,6 +2860,538 @@ async function logsCommand(args) {
   }
 }
 
+// _apps/@onklave/agent-cli/src/commands/daemon.command.ts
+import * as fs6 from "fs";
+
+// _apps/@onklave/agent-cli/src/services/daemon-comms.service.ts
+var DaemonCommsService = class {
+  constructor(opts, client) {
+    this.disconnectedAt = null;
+    this.stopRequested = false;
+    this.client = client ?? new CommsClient();
+    this.opts = opts;
+    this.sleep = opts.sleep ?? defaultSleep;
+    this.onRetry = opts.onRetry ?? ((attempt, delayMs, err) => console.warn(
+      `[daemon-comms] reconnect attempt ${attempt} after ${delayMs}ms (${err.message})`
+    ));
+  }
+  /**
+   * Opens the socket connection. Retries indefinitely with jittered
+   * exponential backoff until either (a) a connect succeeds or (b)
+   * `stop()` is called. Throws only if `stop()` is invoked before any
+   * successful connect.
+   */
+  async connect() {
+    let attempt = 0;
+    while (!this.stopRequested) {
+      try {
+        await this.client.connect(this.opts.platformUrl, this.opts.token, {
+          machineId: this.opts.machineId,
+          deviceToken: this.opts.deviceToken,
+          orgId: this.opts.orgId
+        });
+        this.disconnectedAt = null;
+        return;
+      } catch (err) {
+        attempt += 1;
+        const delay = this.computeBackoff(attempt);
+        this.onRetry(attempt, delay, err);
+        if (this.disconnectedAt == null) this.disconnectedAt = /* @__PURE__ */ new Date();
+        await this.sleep(delay);
+      }
+    }
+    throw new Error("daemon-comms: stop() called before any connect succeeded");
+  }
+  /**
+   * Signal that no further reconnect should be attempted and close the
+   * underlying socket cleanly. Idempotent.
+   */
+  disconnect() {
+    this.stopRequested = true;
+    this.client.disconnect();
+  }
+  inner() {
+    return this.client;
+  }
+  isConnected() {
+    return this.client.isConnected();
+  }
+  /**
+   * Continuous-disconnect duration in ms (null if currently connected).
+   * Per spec §3.3, when this exceeds 120s the daemon's `status` output
+   * should report `offline` — the platform will have done so via
+   * heartbeat staleness anyway.
+   */
+  disconnectedForMs() {
+    if (!this.disconnectedAt) return null;
+    return Date.now() - this.disconnectedAt.getTime();
+  }
+  computeBackoff(attempt) {
+    const max = this.opts.maxBackoffMs ?? 6e4;
+    const base = Math.min(max, 1e3 * 2 ** (attempt - 1));
+    const j = this.opts.jitter ?? 0.2;
+    const swing = base * j;
+    return Math.round(base + (Math.random() * 2 - 1) * swing);
+  }
+};
+function defaultSleep(ms) {
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
+}
+
+// _apps/@onklave/agent-cli/src/services/daemon-state.service.ts
+import * as fs5 from "fs";
+import * as path6 from "path";
+import * as os4 from "os";
+var VALID_TRANSITIONS = {
+  installing: ["registered"],
+  registered: ["starting"],
+  starting: ["online", "stopping"],
+  online: ["draining", "stopping"],
+  draining: ["stopping"],
+  stopping: ["stopped"],
+  stopped: ["starting"]
+};
+function defaultStateFilePath() {
+  return path6.join(os4.homedir(), ".config", "onklave", "daemon.state.json");
+}
+function defaultPidFilePath() {
+  return path6.join(os4.homedir(), ".config", "onklave", "daemon.pid");
+}
+var DaemonStateError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DaemonStateError";
+  }
+};
+var DaemonStateService = class {
+  constructor(stateFile = defaultStateFilePath(), initial = "registered", machineId) {
+    this.stateFile = stateFile;
+    this.machineId = machineId;
+    this.listeners = [];
+    this.current = initial;
+    this.enteredAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Read the persisted state from disk, if any. Used by `daemon status`
+   * when the daemon process is not running. Returns null on missing or
+   * malformed file rather than throwing so the caller can decide.
+   */
+  static readPersisted(stateFile = defaultStateFilePath()) {
+    try {
+      if (!fs5.existsSync(stateFile)) return null;
+      const raw = fs5.readFileSync(stateFile, "utf8");
+      const parsed = JSON.parse(raw);
+      if (!parsed.state || !parsed.enteredAt) return null;
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+  getCurrent() {
+    return this.current;
+  }
+  getEnteredAt() {
+    return this.enteredAt;
+  }
+  /**
+   * Subscribe to transitions. Listeners are awaited sequentially in
+   * registration order. If a listener throws, the transition is treated
+   * as failed — the state is rolled back and the error propagates so the
+   * caller can decide. (Audit emission listeners that fail must therefore
+   * fail the transition — that is the constitutional `audit-fails-action`
+   * coupling described in spec §1.4.)
+   */
+  onTransition(cb) {
+    this.listeners.push(cb);
+  }
+  /**
+   * Attempt a transition. Throws DaemonStateError on illegal transition
+   * (current → next not in VALID_TRANSITIONS). Throws whatever a listener
+   * throws if any listener fails; in that case state is rolled back to
+   * `prev` and is not persisted.
+   */
+  async transition(next, opts = {}) {
+    const prev = this.current;
+    const allowed = VALID_TRANSITIONS[prev];
+    if (!allowed.includes(next)) {
+      throw new DaemonStateError(`illegal daemon transition ${prev} \u2192 ${next}`);
+    }
+    this.current = next;
+    this.enteredAt = /* @__PURE__ */ new Date();
+    try {
+      for (const listener of this.listeners) {
+        await listener(next, prev, opts.reason);
+      }
+      this.persist(opts.reason);
+    } catch (err) {
+      this.current = prev;
+      throw err;
+    }
+  }
+  persist(reason) {
+    const dir = path6.dirname(this.stateFile);
+    fs5.mkdirSync(dir, { recursive: true });
+    const payload = {
+      state: this.current,
+      enteredAt: this.enteredAt.toISOString(),
+      pid: process.pid,
+      ...this.machineId ? { machineId: this.machineId } : {},
+      ...reason ? { reason } : {}
+    };
+    const tmp = `${this.stateFile}.tmp`;
+    fs5.writeFileSync(tmp, JSON.stringify(payload, null, 2));
+    fs5.renameSync(tmp, this.stateFile);
+  }
+  /**
+   * Remove the persisted state file. Called on terminal `stopped` once
+   * the daemon process is exiting cleanly so `daemon status` reports
+   * "registered — daemon not running" instead of stale "stopped".
+   */
+  clearPersisted() {
+    try {
+      fs5.unlinkSync(this.stateFile);
+    } catch {
+    }
+  }
+};
+
+// _apps/@onklave/agent-cli/src/services/unit-file-emitters.ts
+var SYSTEMD_UNIT = `[Unit]
+Description=Onklave Agent CLI Daemon
+Documentation=https://docs.onklave.app/cli/daemon
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=onklave
+Group=onklave
+Environment="NODE_ENV=production"
+Environment="ONKLAVE_CONFIG_DIR=/var/lib/onklave"
+Environment="ONKLAVE_LOG_DIR=/var/log/onklave"
+ExecStart=/usr/local/bin/onklave daemon
+ExecStop=/usr/local/bin/onklave daemon drain --timeout 1800
+Restart=on-failure
+RestartSec=10s
+StartLimitIntervalSec=300
+StartLimitBurst=5
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=1830s
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/var/lib/onklave /var/log/onklave
+
+[Install]
+WantedBy=multi-user.target
+`;
+var LAUNCHD_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>app.onklave.daemon</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/usr/local/bin/onklave</string>
+        <string>daemon</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <dict>
+        <key>SuccessfulExit</key>
+        <false/>
+        <key>Crashed</key>
+        <true/>
+    </dict>
+    <key>ThrottleInterval</key>
+    <integer>10</integer>
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>NODE_ENV</key>
+        <string>production</string>
+        <key>ONKLAVE_CONFIG_DIR</key>
+        <string>/Users/Shared/onklave</string>
+    </dict>
+    <key>StandardOutPath</key>
+    <string>/Users/Shared/onklave/logs/daemon.out.log</string>
+    <key>StandardErrorPath</key>
+    <string>/Users/Shared/onklave/logs/daemon.err.log</string>
+    <key>ProcessType</key>
+    <string>Background</string>
+</dict>
+</plist>
+`;
+var NSSM_SCRIPT = `@echo off
+REM Onklave Agent CLI \u2014 NSSM service install script
+REM Run this as Administrator.
+
+set NSSM=nssm.exe
+set SERVICE=OnklaveDaemon
+set NODE_EXE=%ProgramFiles%\\nodejs\\node.exe
+set ONKLAVE_CLI=%AppData%\\npm\\node_modules\\@onklave\\agent-cli\\dist\\bin\\onklave.js
+
+%NSSM% install %SERVICE% "%NODE_EXE%" "%ONKLAVE_CLI%" daemon
+%NSSM% set %SERVICE% DisplayName "Onklave Agent CLI Daemon"
+%NSSM% set %SERVICE% Description "Long-running agent worker for the Onklave platform"
+%NSSM% set %SERVICE% Start SERVICE_AUTO_START
+%NSSM% set %SERVICE% AppEnvironmentExtra NODE_ENV=production ONKLAVE_CONFIG_DIR=%ProgramData%\\Onklave
+%NSSM% set %SERVICE% AppStdout %ProgramData%\\Onklave\\logs\\daemon.out.log
+%NSSM% set %SERVICE% AppStderr %ProgramData%\\Onklave\\logs\\daemon.err.log
+%NSSM% set %SERVICE% AppRotateFiles 1
+%NSSM% set %SERVICE% AppRotateOnline 1
+%NSSM% set %SERVICE% AppRotateBytes 10485760
+%NSSM% set %SERVICE% AppExit Default Restart
+%NSSM% set %SERVICE% AppRestartDelay 10000
+
+%NSSM% start %SERVICE%
+`;
+function emitUnitFile(flavour) {
+  switch (flavour) {
+    case "systemd":
+      return SYSTEMD_UNIT;
+    case "launchd":
+      return LAUNCHD_PLIST;
+    case "nssm":
+      return NSSM_SCRIPT;
+  }
+}
+
+// _apps/@onklave/agent-cli/src/commands/daemon.command.ts
+var UNIT_FLAGS = {
+  "--emit-systemd-unit": "systemd",
+  "--emit-launchd-plist": "launchd",
+  "--emit-nssm-script": "nssm"
+};
+async function daemonCommand(args) {
+  for (const arg of args) {
+    const flavour = UNIT_FLAGS[arg];
+    if (flavour) {
+      process.stdout.write(emitUnitFile(flavour));
+      return;
+    }
+  }
+  const [sub] = args;
+  if (sub === "status") return daemonStatus();
+  if (sub === "stop" || sub === "drain") return daemonStop();
+  if (sub && !sub.startsWith("--")) {
+    console.error(`Unknown subcommand: ${sub}`);
+    console.error(
+      "Usage: onklave daemon [status|stop|drain] | --emit-systemd-unit | --emit-launchd-plist | --emit-nssm-script"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  return daemonStart();
+}
+async function daemonStart() {
+  const authService = new AuthService();
+  const creds = await authService.getCredentials();
+  if (!creds?.deviceToken || !creds?.machineId) {
+    console.error(
+      "Error: machine is not registered. Run: onklave register --token <bootstrap>"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const pidFile = defaultPidFilePath();
+  if (isPidAlive(pidFile)) {
+    console.error(`Daemon already running (pid ${readPid(pidFile)}).`);
+    process.exitCode = 1;
+    return;
+  }
+  const stateService = new DaemonStateService(
+    defaultStateFilePath(),
+    "registered",
+    creds.machineId
+  );
+  const platformUrl = await authService.getPlatformUrl();
+  const comms = new DaemonCommsService({
+    platformUrl,
+    token: creds.token,
+    machineId: creds.machineId,
+    deviceToken: creds.deviceToken,
+    orgId: creds.orgId
+  });
+  const auditStreamer = new AuditStreamer(comms.inner());
+  stateService.onTransition(async (next, prev, reason) => {
+    const action = transitionToAction(next);
+    if (!action) return;
+    const event = {
+      sessionId: creds.machineId,
+      type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+      action,
+      details: { from: prev, to: next, ...reason ? { reason } : {} },
+      outcome: next === "stopped" && reason ? "failure" : "success"
+    };
+    auditStreamer.record(event);
+  });
+  let activeSessions = 0;
+  let shuttingDown = false;
+  let sigintCount = 0;
+  let sigintTimer = null;
+  const heartbeat = new HeartbeatService({
+    platformUrl,
+    deviceToken: creds.deviceToken,
+    machineId: creds.machineId,
+    getActiveSessionCount: () => activeSessions
+  });
+  const drainAndExit = async (reason) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    heartbeat.stop();
+    try {
+      if (stateService.getCurrent() === "online") {
+        await stateService.transition("draining", { reason });
+      }
+      while (activeSessions > 0) {
+        await new Promise((r) => setTimeout(r, 200));
+      }
+      await stateService.transition("stopping", { reason });
+      auditStreamer.flush();
+      comms.disconnect();
+      await stateService.transition("stopped");
+    } finally {
+      removePid(pidFile);
+      stateService.clearPersisted();
+      process.exit(0);
+    }
+  };
+  process.on("SIGTERM", () => {
+    void drainAndExit("SIGTERM");
+  });
+  process.on("SIGINT", () => {
+    sigintCount += 1;
+    if (sigintCount >= 2) {
+      console.error("\nForce-stop requested. Exiting immediately.");
+      removePid(pidFile);
+      process.exit(1);
+    }
+    if (!sigintTimer) {
+      sigintTimer = setTimeout(() => {
+        sigintCount = 0;
+        sigintTimer = null;
+      }, 5e3);
+      sigintTimer.unref?.();
+    }
+    console.log(
+      "\nSIGINT received. Draining (Ctrl-C again within 5s to force stop)\u2026"
+    );
+    void drainAndExit("SIGINT");
+  });
+  await stateService.transition("starting");
+  writePid(pidFile);
+  console.log("Connecting to Onklave comms service...");
+  try {
+    await comms.connect();
+  } catch (err) {
+    console.error(
+      `Comms connect aborted: ${err.message}. Shutting down.`
+    );
+    removePid(pidFile);
+    stateService.clearPersisted();
+    process.exit(1);
+  }
+  console.log("Connected.");
+  await stateService.transition("online");
+  heartbeat.start();
+  console.log(
+    `Daemon online. machineId=${creds.machineId} pid=${process.pid}. Press Ctrl-C to drain.`
+  );
+  await new Promise(() => void 0);
+}
+async function daemonStatus() {
+  const persisted = DaemonStateService.readPersisted();
+  if (!persisted) {
+    console.log("registered \u2014 daemon not running");
+    return;
+  }
+  const alive = persisted.pid ? isProcessAlive(persisted.pid) : false;
+  if (!alive) {
+    console.log(
+      `${persisted.state} \u2014 daemon process not running (last entered ${persisted.enteredAt})`
+    );
+    return;
+  }
+  console.log(`State:          ${persisted.state}`);
+  if (persisted.machineId)
+    console.log(`Machine ID:     ${persisted.machineId}`);
+  if (persisted.pid) console.log(`PID:            ${persisted.pid}`);
+  console.log(`Entered state:  ${persisted.enteredAt}`);
+  if (persisted.reason) console.log(`Reason:         ${persisted.reason}`);
+}
+async function daemonStop() {
+  const pidFile = defaultPidFilePath();
+  const pid = readPid(pidFile);
+  if (!pid || !isProcessAlive(pid)) {
+    console.log("No daemon running.");
+    removePid(pidFile);
+    return;
+  }
+  try {
+    process.kill(pid, "SIGTERM");
+    console.log(`Sent SIGTERM to daemon (pid ${pid}).`);
+  } catch (err) {
+    console.error(`Failed to signal daemon: ${err.message}`);
+    process.exitCode = 1;
+  }
+}
+function transitionToAction(next) {
+  switch (next) {
+    case "starting":
+      return DAEMON_AUDIT_ACTIONS.STARTED;
+    case "online":
+      return DAEMON_AUDIT_ACTIONS.ONLINE;
+    case "draining":
+      return DAEMON_AUDIT_ACTIONS.DRAINING;
+    case "stopped":
+      return DAEMON_AUDIT_ACTIONS.STOPPED;
+    default:
+      return null;
+  }
+}
+function readPid(pidFile) {
+  try {
+    const raw = fs6.readFileSync(pidFile, "utf8").trim();
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function writePid(pidFile) {
+  const dir = pidFile.replace(/\/[^/]+$/, "");
+  fs6.mkdirSync(dir, { recursive: true });
+  fs6.writeFileSync(pidFile, String(process.pid), { mode: 384 });
+}
+function removePid(pidFile) {
+  try {
+    fs6.unlinkSync(pidFile);
+  } catch {
+  }
+}
+function isPidAlive(pidFile) {
+  const pid = readPid(pidFile);
+  if (pid == null) return false;
+  return isProcessAlive(pid);
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err.code === "EPERM") {
+      return true;
+    }
+    return false;
+  }
+}
+
 // _apps/@onklave/agent-cli/src/commands/index.ts
 var COMMANDS = {
   login: loginCommand,
@@ -2864,7 +3410,8 @@ var COMMANDS = {
   init: (_args) => initCommand(),
   config: configCommand,
   register: registerCommand,
-  logs: logsCommand
+  logs: logsCommand,
+  daemon: daemonCommand
 };
 
 // _apps/@onklave/agent-cli/src/main.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@onklave/agent-cli",
-  "version": "0.1.11",
+  "version": "0.1.12",
   "description": "Onklave Agent CLI — local agent runner with cloud orchestration",
   "bin": {
     "onklave": "./main.js"