@onklave/agent-cli 0.1.11 → 0.1.13

package/main.js

@@ -96,7 +96,7 @@ var AuthService = class {
   /*
    * Save the device token received during machine registration.
    */
-  async saveDeviceToken(deviceToken, machineId) {
+  async saveDeviceToken(deviceToken, machineId, deviceTokenExpiresAt) {
     this.ensureConfigDir();
     const existing = await this.getCredentials();
     if (!existing) {
@@ -107,7 +107,8 @@ var AuthService = class {
     const credentials = {
       ...existing,
       deviceToken,
-      machineId
+      machineId,
+      ...deviceTokenExpiresAt ? { deviceTokenExpiresAt } : {}
     };
     fs.writeFileSync(
       this.credentialsPath,
@@ -554,13 +555,41 @@ var PlatformClient = class {
    * Register this machine as an agent runner.
    */
   async registerMachine(linkingToken, metadata) {
+    return this.request("POST", "/api/v1/runner/register", {
+      linkingToken,
+      metadata
+    });
+  }
+  /*
+   * V6-CLI-002 Phase 6 — refresh the device token without re-running
+   * the linking-token flow. Caller authenticates with the current
+   * device token; backend issues a fresh one with extended expiry.
+   */
+  async refreshDeviceToken(currentDeviceToken) {
+    return this.request("POST", "/api/v1/runner/register/refresh", void 0, {
+      "x-device-token": currentDeviceToken
+    });
+  }
+  /*
+   * V6-CLI-002 Phase 5b — claim an assignment as the registered runner.
+   */
+  async claimAssignment(assignmentId, machineId, deviceToken) {
     return this.request(
       "POST",
-      "/api/v1/runner/register",
-      {
-        linkingToken,
-        metadata
-      }
+      `/api/v1/runner/assignments/${assignmentId}/claim`,
+      { machineId },
+      { "x-device-token": deviceToken }
+    );
+  }
+  /*
+   * V6-CLI-002 Phase 5c — release a previously claimed assignment.
+   */
+  async releaseAssignment(assignmentId, machineId, reason, deviceToken) {
+    return this.request(
+      "POST",
+      `/api/v1/runner/assignments/${assignmentId}/release`,
+      { machineId, reason },
+      { "x-device-token": deviceToken }
     );
   }
   /*
@@ -604,12 +633,13 @@ var PlatformClient = class {
   /*
    * Make an authenticated HTTP request to the platform.
    */
-  async request(method, path6, body) {
-    const url = `${this.baseUrl}${path6}`;
+  async request(method, path7, body, extraHeaders) {
+    const url = `${this.baseUrl}${path7}`;
     const headers = {
       Authorization: `Bearer ${this.token}`,
       "Content-Type": "application/json",
-      Accept: "application/json"
+      Accept: "application/json",
+      ...extraHeaders ?? {}
     };
     const options = {
       method,
@@ -908,6 +938,26 @@ var SessionManager = class {
   }
 };
 
+// _apps/@onklave/agent-cli/src/types/events.types.ts
+var DAEMON_AUDIT_ACTIONS = {
+  STARTED: "daemon.started",
+  ONLINE: "daemon.online",
+  DRAINING: "daemon.draining",
+  STOPPED: "daemon.stopped",
+  FORCE_STOPPED: "daemon.force_stopped",
+  DRAIN_TIMEOUT_EXCEEDED: "daemon.drain_timeout_exceeded",
+  AUTH_WARNING: "daemon.auth_warning",
+  AUTH_EXPIRED: "daemon.auth_expired",
+  HEARTBEAT_FAILED: "daemon.heartbeat_failed",
+  RESOURCE_LIMIT_BREACHED: "daemon.resource_limit_breached",
+  SESSION_CLAIMED: "daemon.session_claimed",
+  SESSION_COMPLETED: "daemon.session_completed",
+  SESSION_FAILED: "daemon.session_failed",
+  UPDATE_AVAILABLE: "daemon.update_available",
+  UPDATE_APPLIED: "daemon.update_applied",
+  UPDATE_FAILED: "daemon.update_failed"
+};
+
 // _apps/@onklave/agent-cli/src/services/state-publisher.ts
 var StatePublisher = class {
   constructor(commsClient) {
@@ -2775,7 +2825,11 @@ Machine ${creds.machineId} updated successfully.`);
       linkingToken,
       metadata
     );
-    await authService.saveDeviceToken(result.deviceToken, result.machineId);
+    await authService.saveDeviceToken(
+      result.deviceToken,
+      result.machineId,
+      result.deviceTokenExpiresAt
+    );
     console.log(`
 Machine registered successfully.`);
     console.log(`  Machine ID: ${result.machineId}`);
@@ -2846,6 +2900,1292 @@ async function logsCommand(args) {
   }
 }
 
+// _apps/@onklave/agent-cli/src/commands/daemon.command.ts
+import * as fs6 from "fs";
+
+// _apps/@onklave/agent-cli/src/services/daemon-comms.service.ts
+var DaemonCommsService = class {
+  constructor(opts, client) {
+    this.disconnectedAt = null;
+    this.stopRequested = false;
+    this.client = client ?? new CommsClient();
+    this.opts = opts;
+    this.sleep = opts.sleep ?? defaultSleep;
+    this.onRetry = opts.onRetry ?? ((attempt, delayMs, err) => console.warn(
+      `[daemon-comms] reconnect attempt ${attempt} after ${delayMs}ms (${err.message})`
+    ));
+  }
+  /**
+   * Opens the socket connection. Retries indefinitely with jittered
+   * exponential backoff until either (a) a connect succeeds or (b)
+   * `stop()` is called. Throws only if `stop()` is invoked before any
+   * successful connect.
+   */
+  async connect() {
+    let attempt = 0;
+    while (!this.stopRequested) {
+      try {
+        await this.client.connect(this.opts.platformUrl, this.opts.token, {
+          machineId: this.opts.machineId,
+          deviceToken: this.opts.deviceToken,
+          orgId: this.opts.orgId
+        });
+        this.disconnectedAt = null;
+        return;
+      } catch (err) {
+        attempt += 1;
+        const delay = this.computeBackoff(attempt);
+        this.onRetry(attempt, delay, err);
+        if (this.disconnectedAt == null) this.disconnectedAt = /* @__PURE__ */ new Date();
+        await this.sleep(delay);
+      }
+    }
+    throw new Error("daemon-comms: stop() called before any connect succeeded");
+  }
+  /**
+   * Signal that no further reconnect should be attempted and close the
+   * underlying socket cleanly. Idempotent.
+   */
+  disconnect() {
+    this.stopRequested = true;
+    this.client.disconnect();
+  }
+  inner() {
+    return this.client;
+  }
+  isConnected() {
+    return this.client.isConnected();
+  }
+  /**
+   * Continuous-disconnect duration in ms (null if currently connected).
+   * Per spec §3.3, when this exceeds 120s the daemon's `status` output
+   * should report `offline` — the platform will have done so via
+   * heartbeat staleness anyway.
+   */
+  disconnectedForMs() {
+    if (!this.disconnectedAt) return null;
+    return Date.now() - this.disconnectedAt.getTime();
+  }
+  computeBackoff(attempt) {
+    const max = this.opts.maxBackoffMs ?? 6e4;
+    const base = Math.min(max, 1e3 * 2 ** (attempt - 1));
+    const j = this.opts.jitter ?? 0.2;
+    const swing = base * j;
+    return Math.round(base + (Math.random() * 2 - 1) * swing);
+  }
+};
+function defaultSleep(ms) {
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
+}
+
+// _apps/@onklave/agent-cli/src/services/daemon-claim-handler.service.ts
+var DaemonClaimHandler = class {
+  constructor(opts) {
+    this.activeSessions = 0;
+    this.machineId = opts.machineId;
+    this.audit = opts.audit;
+    this.maxConcurrentSessions = opts.maxConcurrentSessions ?? 2;
+    this.spawnRunner = opts.spawnRunner ?? defaultSpawnStub;
+    this.platformClient = opts.platformClient;
+    this.deviceToken = opts.deviceToken;
+    this.resourceSampler = opts.resourceSampler;
+    this.maxCpuPercent = opts.maxCpuPercent ?? 80;
+    this.maxMemoryBytes = opts.maxMemoryBytes;
+  }
+  /**
+   * Wire up the inbound event subscriptions. Call after the socket has
+   * connected — CommsClient `onSpawnRequest` / `onAssignmentAvailable`
+   * register handlers via `this.socket?.on(...)` which is a no-op when
+   * the socket is null.
+   */
+  attachToSocket(comms) {
+    comms.onSpawnRequest((req) => {
+      void this.handleSpawn(req);
+    });
+    comms.onAssignmentAvailable((event) => {
+      void this.handleAssignmentAvailable(event);
+    });
+  }
+  getActiveSessionCount() {
+    return this.activeSessions;
+  }
+  getMaxConcurrentSessions() {
+    return this.maxConcurrentSessions;
+  }
+  canAcceptNew() {
+    if (this.activeSessions >= this.maxConcurrentSessions) return false;
+    const breach = this.checkResourceLimits();
+    return breach == null;
+  }
+  /**
+   * Returns the resource limit that would be breached by accepting a
+   * new claim, or null if all limits are within bounds. Exposed so
+   * `daemon status` can surface which limit is the active gate.
+   */
+  checkResourceLimits() {
+    if (!this.resourceSampler) return null;
+    const snap = this.resourceSampler.snapshot();
+    if (snap.sampleCount === 0) return null;
+    if (snap.cpuPercent > this.maxCpuPercent) {
+      return {
+        limit: "cpu",
+        current: snap.cpuPercent,
+        max: this.maxCpuPercent
+      };
+    }
+    if (this.maxMemoryBytes != null && snap.memoryRssBytes > this.maxMemoryBytes) {
+      return {
+        limit: "memory",
+        current: snap.memoryRssBytes,
+        max: this.maxMemoryBytes
+      };
+    }
+    return null;
+  }
+  /**
+   * Test-and-runtime hook: process an `agent:spawn` payload as if it had
+   * arrived over the socket. Exposed for unit tests and for the
+   * future re-emit-after-claim path; the live wiring is in the
+   * constructor's `onSpawnRequest` registration.
+   */
+  async handleSpawn(req) {
+    if (this.activeSessions >= this.maxConcurrentSessions) {
+      this.emitResourceLimitBreached(req.sessionId, "agent:spawn", {
+        limit: "sessions",
+        current: this.activeSessions,
+        max: this.maxConcurrentSessions
+      });
+      return;
+    }
+    const resourceBreach = this.checkResourceLimits();
+    if (resourceBreach) {
+      this.emitResourceLimitBreached(
+        req.sessionId,
+        "agent:spawn",
+        resourceBreach
+      );
+      return;
+    }
+    this.activeSessions += 1;
+    this.audit.record({
+      sessionId: req.sessionId,
+      type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+      action: DAEMON_AUDIT_ACTIONS.SESSION_CLAIMED,
+      details: {
+        machineId: this.machineId,
+        orgId: req.orgId,
+        task: truncate2(req.task, 120)
+      },
+      outcome: "success"
+    });
+    try {
+      await this.spawnRunner(req);
+      this.audit.record({
+        sessionId: req.sessionId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.SESSION_COMPLETED,
+        details: { machineId: this.machineId },
+        outcome: "success"
+      });
+    } catch (err) {
+      this.audit.record({
+        sessionId: req.sessionId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.SESSION_FAILED,
+        details: {
+          machineId: this.machineId,
+          error: err.message
+        },
+        outcome: "failure"
+      });
+    } finally {
+      this.activeSessions -= 1;
+    }
+  }
+  async handleAssignmentAvailable(event) {
+    if (this.activeSessions >= this.maxConcurrentSessions) {
+      this.emitResourceLimitBreached(
+        event.assignmentId,
+        "assignment:claim-available",
+        {
+          limit: "sessions",
+          current: this.activeSessions,
+          max: this.maxConcurrentSessions
+        }
+      );
+      return;
+    }
+    const resourceBreach = this.checkResourceLimits();
+    if (resourceBreach) {
+      this.emitResourceLimitBreached(
+        event.assignmentId,
+        "assignment:claim-available",
+        resourceBreach
+      );
+      return;
+    }
+    if (!this.platformClient || !this.deviceToken) {
+      console.log(
+        `[daemon] assignment:claim-available assignmentId=${event.assignmentId} (platformClient not wired \u2014 Phase 5b config missing)`
+      );
+      return;
+    }
+    try {
+      const result = await this.platformClient.claimAssignment(
+        event.assignmentId,
+        this.machineId,
+        this.deviceToken
+      );
+      this.audit.record({
+        sessionId: event.assignmentId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.SESSION_CLAIMED,
+        details: {
+          machineId: this.machineId,
+          orgId: event.orgId,
+          workItemId: event.workItemId,
+          claimedAt: result.claimedAt,
+          via: "assignment:claim-available"
+        },
+        outcome: "success"
+      });
+    } catch (err) {
+      this.audit.record({
+        sessionId: event.assignmentId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.SESSION_FAILED,
+        details: {
+          machineId: this.machineId,
+          phase: "claim",
+          error: err.message
+        },
+        outcome: "failure"
+      });
+    }
+  }
+  /**
+   * Phase 5c — release a previously claimed assignment when the
+   * daemon cannot proceed (e.g. drain interrupted, capacity check
+   * failed mid-flight). Best-effort: failures here are logged but
+   * the daemon's local state already moved on.
+   */
+  async releaseClaim(assignmentId, reason) {
+    if (!this.platformClient || !this.deviceToken) return;
+    try {
+      await this.platformClient.releaseAssignment(
+        assignmentId,
+        this.machineId,
+        reason,
+        this.deviceToken
+      );
+    } catch (err) {
+      console.warn(
+        `[daemon] release ${assignmentId} failed: ${err.message}`
+      );
+    }
+  }
+  emitResourceLimitBreached(refId, trigger, breach) {
+    this.audit.record({
+      sessionId: refId,
+      type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+      action: DAEMON_AUDIT_ACTIONS.RESOURCE_LIMIT_BREACHED,
+      details: {
+        machineId: this.machineId,
+        trigger,
+        limit: breach.limit,
+        current: breach.current,
+        max: breach.max,
+        activeSessions: this.activeSessions,
+        maxConcurrentSessions: this.maxConcurrentSessions
+      },
+      outcome: "failure"
+    });
+  }
+};
+async function defaultSpawnStub(request) {
+  console.log(
+    `[daemon] STUB: would spawn session ${request.sessionId} for task: ${truncate2(request.task, 80)}`
+  );
+  await new Promise((r) => setTimeout(r, 100));
+}
+function truncate2(s, n) {
+  if (!s) return s;
+  return s.length <= n ? s : `${s.slice(0, n - 1)}\u2026`;
+}
+
+// _apps/@onklave/agent-cli/src/services/daemon-resource-sampler.service.ts
+import * as os4 from "os";
+var DEFAULT_SAMPLE_INTERVAL_MS = 5e3;
+var DEFAULT_WINDOW_MS = 6e4;
+var DaemonResourceSampler = class {
+  constructor(opts = {}) {
+    this.samples = [];
+    this.timer = null;
+    this.sampleIntervalMs = opts.sampleIntervalMs ?? DEFAULT_SAMPLE_INTERVAL_MS;
+    this.windowMs = opts.windowMs ?? DEFAULT_WINDOW_MS;
+    this.cpuSource = opts.cpuSource ?? defaultCpuPercent;
+    this.memorySource = opts.memorySource ?? defaultMemoryRss;
+  }
+  /**
+   * Start the periodic sampler. Idempotent — second start is a no-op.
+   * The timer is `unref()`'d so a daemon that has nothing else to do
+   * (no in-flight sessions, no inbound events) does not stay alive only
+   * because of the sampler.
+   */
+  start() {
+    if (this.timer) return;
+    this.sample();
+    this.timer = setInterval(() => this.sample(), this.sampleIntervalMs);
+    this.timer.unref?.();
+  }
+  stop() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+  }
+  /**
+   * Returns the windowed average of CPU% and the latest memory RSS.
+   * Memory is *not* averaged — the RSS at sample time is what matters
+   * for "can we fit another session right now".
+   */
+  snapshot() {
+    if (this.samples.length === 0) {
+      return {
+        cpuPercent: 0,
+        memoryRssBytes: 0,
+        sampleCount: 0,
+        windowMs: this.windowMs
+      };
+    }
+    const cpuAvg = this.samples.reduce((sum, s) => sum + s.cpuPercent, 0) / this.samples.length;
+    const memLatest = this.samples[this.samples.length - 1].memoryRssBytes;
+    return {
+      cpuPercent: cpuAvg,
+      memoryRssBytes: memLatest,
+      sampleCount: this.samples.length,
+      windowMs: this.windowMs
+    };
+  }
+  /** Take one sample now. Exposed for tests; called internally by start. */
+  sample() {
+    const now = Date.now();
+    this.samples.push({
+      at: now,
+      cpuPercent: this.cpuSource(),
+      memoryRssBytes: this.memorySource()
+    });
+    const cutoff = now - this.windowMs;
+    while (this.samples.length > 0 && this.samples[0].at < cutoff) {
+      this.samples.shift();
+    }
+  }
+};
+function defaultCpuPercent() {
+  const cpus2 = os4.cpus().length || 1;
+  const load1m = os4.loadavg()[0];
+  return load1m / cpus2 * 100;
+}
+function defaultMemoryRss() {
+  return process.memoryUsage().rss;
+}
+
+// _apps/@onklave/agent-cli/src/services/daemon-spawner.service.ts
+var DaemonSpawner = class {
+  constructor(opts) {
+    this.sessionManager = opts.sessionManager ?? new SessionManager();
+    this.platformUrl = opts.platformUrl;
+  }
+  async runSpawnRequest(req) {
+    const config = {
+      task: req.task,
+      context: req.context,
+      persona: req.persona,
+      workflow: req.workflow,
+      model: req.model,
+      timeout: req.timeout,
+      guardrails: [],
+      allowedTools: [],
+      deniedTools: [],
+      apiKey: req.apiKey ?? null,
+      headless: true,
+      platformUrl: this.platformUrl,
+      orgId: req.orgId,
+      systemPromptAppend: null
+    };
+    return new Promise((resolve3, reject) => {
+      void this.sessionManager.spawnSession(req.sessionId, config, {
+        onStdout: (data) => {
+          process.stdout.write(data);
+        },
+        onStderr: (data) => {
+          process.stderr.write(data);
+        },
+        onExit: (code, signal) => {
+          if (code === 0) {
+            resolve3();
+          } else {
+            reject(
+              new Error(
+                `session ${req.sessionId} exited with code=${code} signal=${signal}`
+              )
+            );
+          }
+        }
+      });
+    });
+  }
+};
+
+// _apps/@onklave/agent-cli/src/services/daemon-token-observer.service.ts
+var WARNING_THRESHOLD_DAYS = 30;
+var DaemonTokenObserver = class {
+  constructor(opts) {
+    this.warningEmitted = false;
+    this.expiredEmitted = false;
+    this.machineId = opts.machineId;
+    this.audit = opts.audit;
+    this.expiresAt = opts.deviceTokenExpiresAt ? new Date(opts.deviceTokenExpiresAt) : null;
+    this.now = opts.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  /**
+   * Update the tracked expiry after a successful refresh. Resets the
+   * one-shot emitted flags so a future warning / expiry can re-emit.
+   */
+  updateExpiry(newExpiresAt) {
+    this.expiresAt = new Date(newExpiresAt);
+    this.warningEmitted = false;
+    this.expiredEmitted = false;
+  }
+  /**
+   * Snapshot the current expiry status. Idempotent — does not emit audit
+   * events. Use {@link emitIfNeeded} for the side-effectful check.
+   */
+  status() {
+    if (!this.expiresAt || Number.isNaN(this.expiresAt.getTime())) {
+      return {
+        state: "unknown",
+        message: "device token expiry not recorded \u2014 re-register to refresh"
+      };
+    }
+    const msRemaining = this.expiresAt.getTime() - this.now().getTime();
+    if (msRemaining <= 0) {
+      return { state: "expired", expiresAt: this.expiresAt.toISOString() };
+    }
+    const daysRemaining = Math.floor(msRemaining / (24 * 60 * 60 * 1e3));
+    if (daysRemaining <= WARNING_THRESHOLD_DAYS) {
+      return {
+        state: "warning",
+        daysRemaining,
+        expiresAt: this.expiresAt.toISOString()
+      };
+    }
+    return {
+      state: "ok",
+      daysRemaining,
+      expiresAt: this.expiresAt.toISOString()
+    };
+  }
+  /**
+   * Emit audit events for state changes (warning crossed, expiry hit).
+   * Emits at most one warning and one expired event per observer
+   * instance — repeated calls are silent until process restart.
+   */
+  emitIfNeeded() {
+    const status = this.status();
+    if (status.state === "expired" && !this.expiredEmitted) {
+      this.audit.record({
+        sessionId: this.machineId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.AUTH_EXPIRED,
+        details: { machineId: this.machineId, expiresAt: status.expiresAt },
+        outcome: "failure"
+      });
+      this.expiredEmitted = true;
+    } else if (status.state === "warning" && !this.warningEmitted) {
+      this.audit.record({
+        sessionId: this.machineId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.AUTH_WARNING,
+        details: {
+          machineId: this.machineId,
+          daysRemaining: status.daysRemaining,
+          expiresAt: status.expiresAt
+        },
+        outcome: "success"
+      });
+      this.warningEmitted = true;
+    }
+    return status;
+  }
+  /** True iff the token has expired right now. */
+  isExpired() {
+    return this.status().state === "expired";
+  }
+};
+
+// _apps/@onklave/agent-cli/src/services/daemon-token-refresher.service.ts
+var REFRESH_THRESHOLD_DAYS = 7;
+var DaemonTokenRefresher = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.inFlight = false;
+    this.lastAttemptAt = null;
+  }
+  /**
+   * Idempotent tick — call from the heartbeat / runtime publisher loop.
+   * Does nothing if the token is healthy (>7 days remaining), if the
+   * token's expiry is unknown, or if a refresh is already in flight.
+   */
+  async maybeRefresh() {
+    if (this.inFlight) return;
+    const status = this.opts.observer.status();
+    if (status.state === "unknown") return;
+    if (status.state === "expired") return;
+    if (status.daysRemaining > REFRESH_THRESHOLD_DAYS) return;
+    this.inFlight = true;
+    this.lastAttemptAt = /* @__PURE__ */ new Date();
+    try {
+      const currentToken = this.opts.getDeviceToken();
+      const result = await this.opts.platformClient.refreshDeviceToken(
+        currentToken
+      );
+      await this.opts.authService.saveDeviceToken(
+        result.deviceToken,
+        this.opts.machineId,
+        result.deviceTokenExpiresAt
+      );
+      this.opts.observer.updateExpiry(result.deviceTokenExpiresAt);
+      this.opts.onTokenRefreshed?.(
+        result.deviceToken,
+        result.deviceTokenExpiresAt
+      );
+    } catch (err) {
+      console.warn(
+        `[daemon] device-token refresh failed: ${err.message} (will retry)`
+      );
+    } finally {
+      this.inFlight = false;
+    }
+  }
+  /** Most recent refresh-attempt time, or null if never tried. */
+  getLastAttemptAt() {
+    return this.lastAttemptAt;
+  }
+};
+
+// _apps/@onklave/agent-cli/src/services/daemon-update-checker.service.ts
+var REGISTRY_URL = "https://registry.npmjs.org";
+var PACKAGE_NAME = "@onklave/agent-cli";
+var DaemonUpdateChecker = class {
+  constructor(opts) {
+    this.latestVersion = null;
+    this.lastCheckedAt = null;
+    this.emittedForVersion = null;
+    this.currentVersion = opts.currentVersion;
+    this.audit = opts.audit;
+    this.registryFetcher = opts.registryFetcher ?? defaultRegistryFetcher;
+  }
+  /**
+   * Hit the registry. On success, sets latestVersion and (if newer than
+   * current) emits `daemon.update_available` — exactly once per version,
+   * even across repeated checks. On failure, logs and returns; the next
+   * tick can retry.
+   */
+  async check() {
+    try {
+      const latest = await this.registryFetcher(PACKAGE_NAME);
+      this.latestVersion = latest;
+      this.lastCheckedAt = /* @__PURE__ */ new Date();
+      if (isNewerVersion(latest, this.currentVersion) && this.emittedForVersion !== latest) {
+        this.audit.record({
+          sessionId: this.currentVersion,
+          type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+          action: DAEMON_AUDIT_ACTIONS.UPDATE_AVAILABLE,
+          details: {
+            currentVersion: this.currentVersion,
+            latestVersion: latest
+          },
+          outcome: "success"
+        });
+        this.emittedForVersion = latest;
+      }
+    } catch (err) {
+      console.warn(
+        `[daemon] update check failed: ${err.message} (will retry)`
+      );
+    }
+  }
+  info() {
+    return {
+      currentVersion: this.currentVersion,
+      latestVersion: this.latestVersion,
+      updateAvailable: !!this.latestVersion && isNewerVersion(this.latestVersion, this.currentVersion),
+      checkedAt: this.lastCheckedAt?.toISOString() ?? null
+    };
+  }
+};
+async function defaultRegistryFetcher(packageName) {
+  const url = `${REGISTRY_URL}/${encodeURIComponent(packageName)}/latest`;
+  const response = await fetch(url, {
+    method: "GET",
+    headers: { Accept: "application/json" },
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!response.ok) {
+    throw new Error(`registry ${response.status} ${response.statusText}`);
+  }
+  const body = await response.json();
+  if (!body.version) throw new Error("registry response missing version");
+  return body.version;
+}
+function isNewerVersion(a, b) {
+  const pa = parseSemverNumeric(a);
+  const pb = parseSemverNumeric(b);
+  if (!pa || !pb) return false;
+  for (let i = 0; i < 3; i += 1) {
+    if (pa[i] > pb[i]) return true;
+    if (pa[i] < pb[i]) return false;
+  }
+  return false;
+}
+function parseSemverNumeric(v) {
+  const match = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
+  if (!match) return null;
+  return [
+    Number.parseInt(match[1], 10),
+    Number.parseInt(match[2], 10),
+    Number.parseInt(match[3], 10)
+  ];
+}
+
+// _apps/@onklave/agent-cli/src/services/daemon-state.service.ts
+import * as fs5 from "fs";
+import * as path6 from "path";
+import * as os5 from "os";
+var VALID_TRANSITIONS = {
+  installing: ["registered"],
+  registered: ["starting"],
+  starting: ["online", "stopping"],
+  online: ["draining", "stopping"],
+  draining: ["stopping"],
+  stopping: ["stopped"],
+  stopped: ["starting"]
+};
+function defaultStateFilePath() {
+  return path6.join(os5.homedir(), ".config", "onklave", "daemon.state.json");
+}
+function defaultPidFilePath() {
+  return path6.join(os5.homedir(), ".config", "onklave", "daemon.pid");
+}
+var DaemonStateError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DaemonStateError";
+  }
+};
+var DaemonStateService = class {
+  constructor(stateFile = defaultStateFilePath(), initial = "registered", machineId) {
+    this.stateFile = stateFile;
+    this.machineId = machineId;
+    this.listeners = [];
+    this.latestRuntime = null;
+    this.current = initial;
+    this.enteredAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Read the persisted state from disk, if any. Used by `daemon status`
+   * when the daemon process is not running. Returns null on missing or
+   * malformed file rather than throwing so the caller can decide.
+   */
+  static readPersisted(stateFile = defaultStateFilePath()) {
+    try {
+      if (!fs5.existsSync(stateFile)) return null;
+      const raw = fs5.readFileSync(stateFile, "utf8");
+      const parsed = JSON.parse(raw);
+      if (!parsed.state || !parsed.enteredAt) return null;
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+  getCurrent() {
+    return this.current;
+  }
+  getEnteredAt() {
+    return this.enteredAt;
+  }
+  /**
+   * Subscribe to transitions. Listeners are awaited sequentially in
+   * registration order. If a listener throws, the transition is treated
+   * as failed — the state is rolled back and the error propagates so the
+   * caller can decide. (Audit emission listeners that fail must therefore
+   * fail the transition — that is the constitutional `audit-fails-action`
+   * coupling described in spec §1.4.)
+   */
+  onTransition(cb) {
+    this.listeners.push(cb);
+  }
+  /**
+   * Attempt a transition. Throws DaemonStateError on illegal transition
+   * (current → next not in VALID_TRANSITIONS). Throws whatever a listener
+   * throws if any listener fails; in that case state is rolled back to
+   * `prev` and is not persisted.
+   */
+  async transition(next, opts = {}) {
+    const prev = this.current;
+    const allowed = VALID_TRANSITIONS[prev];
+    if (!allowed.includes(next)) {
+      throw new DaemonStateError(`illegal daemon transition ${prev} \u2192 ${next}`);
+    }
+    this.current = next;
+    this.enteredAt = /* @__PURE__ */ new Date();
+    try {
+      for (const listener of this.listeners) {
+        await listener(next, prev, opts.reason);
+      }
+      this.persist(opts.reason);
+    } catch (err) {
+      this.current = prev;
+      throw err;
+    }
+  }
+  persist(reason) {
+    const dir = path6.dirname(this.stateFile);
+    fs5.mkdirSync(dir, { recursive: true });
+    const payload = {
+      state: this.current,
+      enteredAt: this.enteredAt.toISOString(),
+      pid: process.pid,
+      ...this.machineId ? { machineId: this.machineId } : {},
+      ...reason ? { reason } : {},
+      ...this.latestRuntime ? { runtime: this.latestRuntime } : {}
+    };
+    const tmp = `${this.stateFile}.tmp`;
+    fs5.writeFileSync(tmp, JSON.stringify(payload, null, 2));
+    fs5.renameSync(tmp, this.stateFile);
+  }
+  /**
+   * Publish the latest runtime snapshot. Persists to the state file
+   * so `daemon status` from another process can read it. Idempotent —
+   * no transition is fired.
+   */
+  publishRuntime(snapshot) {
+    this.latestRuntime = snapshot;
+    this.persist();
+  }
+  /**
+   * Remove the persisted state file. Called on terminal `stopped` once
+   * the daemon process is exiting cleanly so `daemon status` reports
+   * "registered — daemon not running" instead of stale "stopped".
+   */
+  clearPersisted() {
+    try {
+      fs5.unlinkSync(this.stateFile);
+    } catch {
+    }
+  }
+};
+
+// _apps/@onklave/agent-cli/src/services/unit-file-emitters.ts
+var SYSTEMD_UNIT = `[Unit]
+Description=Onklave Agent CLI Daemon
+Documentation=https://docs.onklave.app/cli/daemon
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=onklave
+Group=onklave
+Environment="NODE_ENV=production"
+Environment="ONKLAVE_CONFIG_DIR=/var/lib/onklave"
+Environment="ONKLAVE_LOG_DIR=/var/log/onklave"
+ExecStart=/usr/local/bin/onklave daemon
+ExecStop=/usr/local/bin/onklave daemon drain --timeout 1800
+Restart=on-failure
+RestartSec=10s
+StartLimitIntervalSec=300
+StartLimitBurst=5
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=1830s
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/var/lib/onklave /var/log/onklave
+
+[Install]
+WantedBy=multi-user.target
+`;
+var LAUNCHD_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>app.onklave.daemon</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/usr/local/bin/onklave</string>
+        <string>daemon</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <dict>
+        <key>SuccessfulExit</key>
+        <false/>
+        <key>Crashed</key>
+        <true/>
+    </dict>
+    <key>ThrottleInterval</key>
+    <integer>10</integer>
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>NODE_ENV</key>
+        <string>production</string>
+        <key>ONKLAVE_CONFIG_DIR</key>
+        <string>/Users/Shared/onklave</string>
+    </dict>
+    <key>StandardOutPath</key>
+    <string>/Users/Shared/onklave/logs/daemon.out.log</string>
+    <key>StandardErrorPath</key>
+    <string>/Users/Shared/onklave/logs/daemon.err.log</string>
+    <key>ProcessType</key>
+    <string>Background</string>
+</dict>
+</plist>
+`;
+var NSSM_SCRIPT = `@echo off
+REM Onklave Agent CLI \u2014 NSSM service install script
+REM Run this as Administrator.
+
+set NSSM=nssm.exe
+set SERVICE=OnklaveDaemon
+set NODE_EXE=%ProgramFiles%\\nodejs\\node.exe
+set ONKLAVE_CLI=%AppData%\\npm\\node_modules\\@onklave\\agent-cli\\dist\\bin\\onklave.js
+
+%NSSM% install %SERVICE% "%NODE_EXE%" "%ONKLAVE_CLI%" daemon
+%NSSM% set %SERVICE% DisplayName "Onklave Agent CLI Daemon"
+%NSSM% set %SERVICE% Description "Long-running agent worker for the Onklave platform"
+%NSSM% set %SERVICE% Start SERVICE_AUTO_START
+%NSSM% set %SERVICE% AppEnvironmentExtra NODE_ENV=production ONKLAVE_CONFIG_DIR=%ProgramData%\\Onklave
+%NSSM% set %SERVICE% AppStdout %ProgramData%\\Onklave\\logs\\daemon.out.log
+%NSSM% set %SERVICE% AppStderr %ProgramData%\\Onklave\\logs\\daemon.err.log
+%NSSM% set %SERVICE% AppRotateFiles 1
+%NSSM% set %SERVICE% AppRotateOnline 1
+%NSSM% set %SERVICE% AppRotateBytes 10485760
+%NSSM% set %SERVICE% AppExit Default Restart
+%NSSM% set %SERVICE% AppRestartDelay 10000
+
+%NSSM% start %SERVICE%
+`;
+function emitUnitFile(flavour) {
+  switch (flavour) {
+    case "systemd":
+      return SYSTEMD_UNIT;
+    case "launchd":
+      return LAUNCHD_PLIST;
+    case "nssm":
+      return NSSM_SCRIPT;
+  }
+}
+
+// _apps/@onklave/agent-cli/src/commands/daemon.command.ts
+var UNIT_FLAGS = {
+  "--emit-systemd-unit": "systemd",
+  "--emit-launchd-plist": "launchd",
+  "--emit-nssm-script": "nssm"
+};
+async function daemonCommand(args) {
+  for (const arg of args) {
+    const flavour = UNIT_FLAGS[arg];
+    if (flavour) {
+      process.stdout.write(emitUnitFile(flavour));
+      return;
+    }
+  }
+  const [sub] = args;
+  if (sub === "status") return daemonStatus();
+  if (sub === "stop" || sub === "drain") return daemonStop();
+  if (sub === "update") return daemonUpdate();
+  if (sub && !sub.startsWith("--")) {
+    console.error(`Unknown subcommand: ${sub}`);
+    console.error(
+      "Usage: onklave daemon [status|stop|drain|update] | --emit-systemd-unit | --emit-launchd-plist | --emit-nssm-script"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  return daemonStart();
+}
+async function daemonStart() {
+  const authService = new AuthService();
+  const creds = await authService.getCredentials();
+  if (!creds?.deviceToken || !creds?.machineId) {
+    console.error(
+      "Error: machine is not registered. Run: onklave register --token <bootstrap>"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const pidFile = defaultPidFilePath();
+  if (isPidAlive(pidFile)) {
+    console.error(`Daemon already running (pid ${readPid(pidFile)}).`);
+    process.exitCode = 1;
+    return;
+  }
+  const stateService = new DaemonStateService(
+    defaultStateFilePath(),
+    "registered",
+    creds.machineId
+  );
+  const platformUrl = await authService.getPlatformUrl();
+  const comms = new DaemonCommsService({
+    platformUrl,
+    token: creds.token,
+    machineId: creds.machineId,
+    deviceToken: creds.deviceToken,
+    orgId: creds.orgId
+  });
+  const auditStreamer = new AuditStreamer(comms.inner());
+  stateService.onTransition(async (next, prev, reason) => {
+    const action = transitionToAction(next);
+    if (!action) return;
+    const event = {
+      sessionId: creds.machineId,
+      type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+      action,
+      details: { from: prev, to: next, ...reason ? { reason } : {} },
+      outcome: next === "stopped" && reason ? "failure" : "success"
+    };
+    auditStreamer.record(event);
+  });
+  const spawner = new DaemonSpawner({ platformUrl });
+  const platformClient = new PlatformClient(platformUrl, creds.token);
+  const resourceSampler = new DaemonResourceSampler();
+  const claimHandler = new DaemonClaimHandler({
+    machineId: creds.machineId,
+    audit: auditStreamer,
+    spawnRunner: (req) => spawner.runSpawnRequest(req),
+    platformClient,
+    deviceToken: creds.deviceToken,
+    resourceSampler,
+    maxCpuPercent: 80
+    // spec §8.1 default
+  });
+  const tokenObserver = new DaemonTokenObserver({
+    machineId: creds.machineId,
+    audit: auditStreamer,
+    deviceTokenExpiresAt: creds.deviceTokenExpiresAt
+  });
+  const updateChecker = new DaemonUpdateChecker({
+    currentVersion: readPackageVersion() ?? "0.0.0",
+    audit: auditStreamer
+  });
+  let currentDeviceToken = creds.deviceToken;
+  const tokenRefresher = new DaemonTokenRefresher({
+    machineId: creds.machineId,
+    observer: tokenObserver,
+    platformClient,
+    authService,
+    getDeviceToken: () => currentDeviceToken,
+    onTokenRefreshed: (newToken) => {
+      currentDeviceToken = newToken;
+    }
+  });
+  const initialTokenStatus = tokenObserver.emitIfNeeded();
+  if (initialTokenStatus.state === "expired") {
+    console.error(
+      `Device token expired (${initialTokenStatus.expiresAt}). Re-register: onklave register --token <bootstrap>`
+    );
+    removePid(pidFile);
+    stateService.clearPersisted();
+    process.exit(1);
+  }
+  if (initialTokenStatus.state === "warning") {
+    console.warn(
+      `\u26A0 Device token expires in ${initialTokenStatus.daysRemaining} days (${initialTokenStatus.expiresAt}).`
+    );
+  }
+  let shuttingDown = false;
+  let sigintCount = 0;
+  let sigintTimer = null;
+  let runtimePublisher = null;
+  let updateCheckTimer = null;
+  const heartbeat = new HeartbeatService({
+    platformUrl,
+    deviceToken: creds.deviceToken,
+    machineId: creds.machineId,
+    getActiveSessionCount: () => claimHandler.getActiveSessionCount()
+  });
+  const drainAndExit = async (reason) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    heartbeat.stop();
+    resourceSampler.stop();
+    if (runtimePublisher) clearInterval(runtimePublisher);
+    if (updateCheckTimer) clearInterval(updateCheckTimer);
+    try {
+      if (stateService.getCurrent() === "online") {
+        await stateService.transition("draining", { reason });
+      }
+      while (claimHandler.getActiveSessionCount() > 0) {
+        await new Promise((r) => setTimeout(r, 200));
+      }
+      await stateService.transition("stopping", { reason });
+      auditStreamer.flush();
+      comms.disconnect();
+      await stateService.transition("stopped");
+    } finally {
+      removePid(pidFile);
+      stateService.clearPersisted();
+      process.exit(0);
+    }
+  };
+  process.on("SIGTERM", () => {
+    void drainAndExit("SIGTERM");
+  });
+  process.on("SIGINT", () => {
+    sigintCount += 1;
+    if (sigintCount >= 2) {
+      console.error("\nForce-stop requested. Exiting immediately.");
+      removePid(pidFile);
+      process.exit(1);
+    }
+    if (!sigintTimer) {
+      sigintTimer = setTimeout(() => {
+        sigintCount = 0;
+        sigintTimer = null;
+      }, 5e3);
+      sigintTimer.unref?.();
+    }
+    console.log(
+      "\nSIGINT received. Draining (Ctrl-C again within 5s to force stop)\u2026"
+    );
+    void drainAndExit("SIGINT");
+  });
+  await stateService.transition("starting");
+  writePid(pidFile);
+  console.log("Connecting to Onklave comms service...");
+  try {
+    await comms.connect();
+  } catch (err) {
+    console.error(
+      `Comms connect aborted: ${err.message}. Shutting down.`
+    );
+    removePid(pidFile);
+    stateService.clearPersisted();
+    process.exit(1);
+  }
+  console.log("Connected.");
+  claimHandler.attachToSocket(comms.inner());
+  await stateService.transition("online");
+  heartbeat.start();
+  resourceSampler.start();
+  const publishSnapshot = () => {
+    void tokenRefresher.maybeRefresh();
+    const tokenStatus = tokenObserver.emitIfNeeded();
+    const disconnectedMs = comms.disconnectedForMs();
+    const resourceSnap = resourceSampler.snapshot();
+    stateService.publishRuntime({
+      snapshotAt: (/* @__PURE__ */ new Date()).toISOString(),
+      activeSessions: claimHandler.getActiveSessionCount(),
+      maxConcurrentSessions: claimHandler.getMaxConcurrentSessions(),
+      socketConnected: comms.isConnected(),
+      ...disconnectedMs != null ? { socketDisconnectedForMs: disconnectedMs } : {},
+      ...resourceSnap.sampleCount > 0 ? {
+        cpuPercent: resourceSnap.cpuPercent,
+        memoryRssBytes: resourceSnap.memoryRssBytes
+      } : {},
+      updateInfo: updateChecker.info(),
+      tokenStatus: tokenStatus.state === "unknown" ? { state: "unknown" } : tokenStatus.state === "expired" ? { state: "expired", expiresAt: tokenStatus.expiresAt } : {
+        state: tokenStatus.state,
+        daysRemaining: tokenStatus.daysRemaining,
+        expiresAt: tokenStatus.expiresAt
+      }
+    });
+  };
+  publishSnapshot();
+  runtimePublisher = setInterval(publishSnapshot, 3e4);
+  runtimePublisher.unref?.();
+  void updateChecker.check();
+  updateCheckTimer = setInterval(() => {
+    void updateChecker.check();
+  }, 60 * 60 * 1e3);
+  updateCheckTimer.unref?.();
+  console.log(
+    `Daemon online. machineId=${creds.machineId} pid=${process.pid}. Press Ctrl-C to drain.`
+  );
+  await new Promise(() => void 0);
+}
+async function daemonStatus() {
+  const persisted = DaemonStateService.readPersisted();
+  if (!persisted) {
+    console.log("registered \u2014 daemon not running");
+    return;
+  }
+  const alive = persisted.pid ? isProcessAlive(persisted.pid) : false;
+  if (!alive) {
+    console.log(
+      `${persisted.state} \u2014 daemon process not running (last entered ${persisted.enteredAt})`
+    );
+    return;
+  }
+  console.log(`State:          ${persisted.state}`);
+  if (persisted.machineId)
+    console.log(`Machine ID:     ${persisted.machineId}`);
+  if (persisted.pid) console.log(`PID:            ${persisted.pid}`);
+  console.log(`Entered state:  ${persisted.enteredAt}`);
+  if (persisted.reason) console.log(`Reason:         ${persisted.reason}`);
+  if (persisted.runtime) {
+    const rt = persisted.runtime;
+    console.log(
+      `Active sessions: ${rt.activeSessions} / ${rt.maxConcurrentSessions}`
+    );
+    const socketStatus = rt.socketConnected ? "connected" : rt.socketDisconnectedForMs != null ? `disconnected ${Math.round(rt.socketDisconnectedForMs / 1e3)}s` : "disconnected";
+    console.log(`Comms socket:   ${socketStatus}`);
+    if (rt.cpuPercent != null) {
+      console.log(`CPU (60s avg):  ${rt.cpuPercent.toFixed(1)}%`);
+    }
+    if (rt.memoryRssBytes != null) {
+      const mb = rt.memoryRssBytes / (1024 * 1024);
+      console.log(`Memory (RSS):   ${mb.toFixed(1)} MB`);
+    }
+    if (rt.updateInfo) {
+      const u = rt.updateInfo;
+      const versionLine = u.updateAvailable ? `${u.currentVersion} \u2192 ${u.latestVersion} available (run: onklave daemon update)` : `${u.currentVersion}${u.latestVersion ? " (latest)" : ""}`;
+      console.log(`Daemon version: ${versionLine}`);
+    }
+    if (rt.tokenStatus) {
+      if (rt.tokenStatus.state === "expired") {
+        console.log(`Device token:   EXPIRED (${rt.tokenStatus.expiresAt})`);
+      } else if (rt.tokenStatus.state === "warning") {
+        console.log(
+          `Device token:   \u26A0 ${rt.tokenStatus.daysRemaining} days remaining (${rt.tokenStatus.expiresAt})`
+        );
+      } else if (rt.tokenStatus.state === "ok") {
+        console.log(
+          `Device token:   ${rt.tokenStatus.daysRemaining} days remaining`
+        );
+      } else {
+        console.log("Device token:   expiry unknown \u2014 re-register to refresh");
+      }
+    }
+    console.log(`Snapshot age:   ${snapshotAge(rt.snapshotAt)}`);
+  }
+}
+function snapshotAge(iso) {
+  const ms = Date.now() - new Date(iso).getTime();
+  if (ms < 0) return "just now";
+  if (ms < 6e4) return `${Math.round(ms / 1e3)}s ago`;
+  if (ms < 36e5) return `${Math.round(ms / 6e4)}m ago`;
+  return `${Math.round(ms / 36e5)}h ago`;
+}
+async function daemonUpdate() {
+  console.log("To update the Onklave agent CLI, run as the install owner:");
+  console.log("");
+  console.log("    npm install -g @onklave/agent-cli@latest");
+  console.log("");
+  console.log(
+    "Then restart the supervisor: `systemctl restart onklave-daemon` (Linux),"
+  );
+  console.log("`launchctl kickstart -k system/app.onklave.daemon` (macOS), or");
+  console.log("`nssm restart OnklaveDaemon` (Windows).");
+  console.log("");
+  console.log(
+    "Self-replace via npm provenance verification (spec \xA76.3) is deferred \u2014 see V6-CLI-002 Phase 7 in the kanban."
+  );
+}
+async function daemonStop() {
+  const pidFile = defaultPidFilePath();
+  const pid = readPid(pidFile);
+  if (!pid || !isProcessAlive(pid)) {
+    console.log("No daemon running.");
+    removePid(pidFile);
+    return;
+  }
+  try {
+    process.kill(pid, "SIGTERM");
+    console.log(`Sent SIGTERM to daemon (pid ${pid}).`);
+  } catch (err) {
+    console.error(`Failed to signal daemon: ${err.message}`);
+    process.exitCode = 1;
+  }
+}
+function transitionToAction(next) {
+  switch (next) {
+    case "starting":
+      return DAEMON_AUDIT_ACTIONS.STARTED;
+    case "online":
+      return DAEMON_AUDIT_ACTIONS.ONLINE;
+    case "draining":
+      return DAEMON_AUDIT_ACTIONS.DRAINING;
+    case "stopped":
+      return DAEMON_AUDIT_ACTIONS.STOPPED;
+    default:
+      return null;
+  }
+}
+function readPid(pidFile) {
+  try {
+    const raw = fs6.readFileSync(pidFile, "utf8").trim();
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function writePid(pidFile) {
+  const dir = pidFile.replace(/\/[^/]+$/, "");
+  fs6.mkdirSync(dir, { recursive: true });
+  fs6.writeFileSync(pidFile, String(process.pid), { mode: 384 });
+}
+function removePid(pidFile) {
+  try {
+    fs6.unlinkSync(pidFile);
+  } catch {
+  }
+}
+function isPidAlive(pidFile) {
+  const pid = readPid(pidFile);
+  if (pid == null) return false;
+  return isProcessAlive(pid);
+}
+function readPackageVersion() {
+  try {
+    const candidates = [
+      // dist layout (bin/onklave.js → ../package.json)
+      `${__dirname}/../../package.json`,
+      // src layout during dev
+      `${__dirname}/../../../package.json`
+    ];
+    for (const p of candidates) {
+      if (fs6.existsSync(p)) {
+        const pkg = JSON.parse(fs6.readFileSync(p, "utf8"));
+        if (pkg.name === "@onklave/agent-cli" && pkg.version)
+          return pkg.version;
+      }
+    }
+  } catch {
+  }
+  return null;
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err.code === "EPERM") {
+      return true;
+    }
+    return false;
+  }
+}
+
 // _apps/@onklave/agent-cli/src/commands/index.ts
 var COMMANDS = {
   login: loginCommand,
@@ -2864,7 +4204,8 @@ var COMMANDS = {
   init: (_args) => initCommand(),
   config: configCommand,
   register: registerCommand,
-  logs: logsCommand
+  logs: logsCommand,
+  daemon: daemonCommand
 };
 
 // _apps/@onklave/agent-cli/src/main.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@onklave/agent-cli",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "description": "Onklave Agent CLI — local agent runner with cloud orchestration",
   "bin": {
     "onklave": "./main.js"