@ouro.bot/cli 0.1.0-alpha.44 → 0.1.0-alpha.441

package/dist/heart/daemon/interactive-repair.js

@@ -0,0 +1,307 @@
+"use strict";
+/**
+ * Interactive repair flow for degraded agents detected during `ouro up`.
+ *
+ * Examines each degraded agent's errorReason and fixHint to detect common
+ * issue patterns and prompt the user for repair actions.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasRunnableInteractiveRepair = hasRunnableInteractiveRepair;
+exports.isAffirmativeAnswer = isAffirmativeAnswer;
+exports.runInteractiveRepair = runInteractiveRepair;
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+function isCredentialIssue(degraded) {
+    const reason = degraded.errorReason.toLowerCase();
+    const hint = degraded.fixHint.toLowerCase();
+    return reason.includes("credentials") || hint.includes("ouro auth");
+}
+function isVaultUnlockIssue(degraded) {
+    const text = `${degraded.errorReason}\n${degraded.fixHint}`.toLowerCase();
+    return /ouro vault unlock|credential vault is locked|vault(?: is)? locked/.test(text);
+}
+function isConfigError(degraded) {
+    return degraded.fixHint.length > 0 && !isVaultUnlockIssue(degraded) && !isCredentialIssue(degraded);
+}
+function hasRunnableInteractiveRepair(degraded) {
+    if (degraded.issue?.actions.some((action) => typedActionToRunnable(degraded, action) !== undefined)) {
+        return true;
+    }
+    return isVaultUnlockIssue(degraded) || isCredentialIssue(degraded);
+}
+function isAgentProvider(value) {
+    return Object.prototype.hasOwnProperty.call(identity_1.PROVIDER_CREDENTIALS, value);
+}
+function extractProviderFromFixHint(fixHint) {
+    const provider = fixHint.match(/--provider\s+([a-z0-9-]+)/)?.[1]
+        ?? fixHint.match(/providers\.([a-z0-9-]+)/)?.[1];
+    if (!provider || !isAgentProvider(provider))
+        return undefined;
+    return provider;
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function cleanExtractedCommand(command) {
+    const cleaned = command?.trim().replace(/[`'",;:.)]+$/g, "").trim();
+    return cleaned && cleaned.length > 0 ? cleaned : undefined;
+}
+function extractRepairCommand(fixHint, commandPrefix) {
+    const escapedPrefix = escapeRegExp(commandPrefix);
+    const commandBody = `${escapedPrefix}(?=\\s|$)[^\`'"]*`;
+    const quoted = fixHint.match(new RegExp(`[\`'"](${commandBody})[\`'"]`, "i"))?.[1];
+    const unquoted = fixHint.match(new RegExp(`(${escapedPrefix}(?=\\s|$)[^\\n,;.]+)`, "i"))?.[1];
+    return cleanExtractedCommand(quoted) ?? cleanExtractedCommand(unquoted);
+}
+function authCommandFor(degraded) {
+    const command = extractRepairCommand(degraded.fixHint, "ouro auth");
+    return command && command.length > 0 ? command : `ouro auth --agent ${degraded.agent}`;
+}
+function vaultUnlockCommandFor(degraded) {
+    const command = extractRepairCommand(degraded.fixHint, "ouro vault unlock");
+    return command && command.length > 0 ? command : `ouro vault unlock --agent ${degraded.agent}`;
+}
+function isAffirmativeAnswer(answer) {
+    return /^(y|yes)$/i.test(answer.trim());
+}
+function uniqueCommands(commands) {
+    const seen = new Set();
+    const unique = [];
+    commands.forEach((command) => {
+        if (!command)
+            return;
+        if (seen.has(command))
+            return;
+        seen.add(command);
+        unique.push(command);
+    });
+    return unique;
+}
+function fallbackCommandsFor(degraded, primaryCommand) {
+    const issueCommands = degraded.issue?.actions.map((action) => action.command) ?? [];
+    return uniqueCommands([
+        primaryCommand,
+        ...issueCommands,
+        extractRepairCommand(degraded.fixHint, "ouro vault replace"),
+        extractRepairCommand(degraded.fixHint, "ouro vault recover"),
+        extractRepairCommand(degraded.fixHint, "ouro use"),
+    ]);
+}
+function renderRepairChoices(prefix, commands) {
+    return commands.map((command, index) => `  ${index === 0 ? prefix : "or"}: ${command}`);
+}
+function renderRepairQueueSummaryLines(degraded) {
+    const repairable = degraded
+        .map((entry) => ({ entry, action: runnableRepairActionFor(entry) }))
+        .filter((item) => item.action !== undefined);
+    if (repairable.length < 2)
+        return [];
+    const lines = [
+        "Repair queue",
+        `${repairable.length} agents need attention before startup can finish.`,
+        "",
+    ];
+    repairable.forEach(({ entry, action }, index) => {
+        lines.push(`${entry.agent} - ${action.label}`);
+        lines.push(`  ${action.command}`);
+        if (index < repairable.length - 1)
+            lines.push("");
+    });
+    return lines;
+}
+function renderActionPromptLines(agent, action) {
+    const lines = [
+        `${agent}`,
+        `  needs: ${action.label}`,
+        `  run:   ${action.command}`,
+    ];
+    if (action.kind === "vault-unlock") {
+        lines.push("  note:  use the saved vault unlock secret");
+    }
+    return lines;
+}
+function renderDeferredRepair(agent, commands) {
+    return [
+        `Leaving ${agent} for later.`,
+        ...renderRepairChoices("next", commands),
+    ].join("\n");
+}
+function renderManualRepairHint(agent, fixHint) {
+    return [
+        `${agent}`,
+        "  needs manual attention",
+        `  next: ${fixHint}`,
+    ].join("\n");
+}
+function renderUnknownRepair(agent, errorReason) {
+    return [
+        `${agent}`,
+        `  ${errorReason}`,
+    ].join("\n");
+}
+function writeDeclinedRepair(degraded, command, deps) {
+    deps.writeStdout(renderDeferredRepair(degraded.agent, fallbackCommandsFor(degraded, command)));
+}
+function runnableRepairActionFor(degraded) {
+    const typedAction = degraded.issue?.actions
+        .map((action) => typedActionToRunnable(degraded, action))
+        .find((action) => action !== undefined);
+    if (typedAction)
+        return typedAction;
+    if (isVaultUnlockIssue(degraded)) {
+        return { kind: "vault-unlock", label: "vault unlock", command: vaultUnlockCommandFor(degraded) };
+    }
+    if (isCredentialIssue(degraded)) {
+        return {
+            kind: "provider-auth",
+            label: "provider auth",
+            command: authCommandFor(degraded),
+            provider: extractProviderFromFixHint(degraded.fixHint),
+        };
+    }
+    return undefined;
+}
+function typedActionToRunnable(degraded, action) {
+    if (action.executable === false || action.command.includes("<"))
+        return undefined;
+    if (action.kind === "vault-unlock") {
+        return { kind: "vault-unlock", label: "vault unlock", command: action.command };
+    }
+    if (action.kind === "provider-auth") {
+        return {
+            kind: "provider-auth",
+            label: "provider auth",
+            command: action.command || `ouro auth --agent ${degraded.agent}`,
+            provider: action.provider,
+        };
+    }
+    return undefined;
+}
+function writeRepairQueueSummary(degraded, deps) {
+    const lines = renderRepairQueueSummaryLines(degraded);
+    if (lines.length > 0)
+        deps.writeStdout(lines.join("\n"));
+}
+async function attemptVaultUnlock(entry, action, deps) {
+    deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
+    const answer = await deps.promptInput(`Unlock ${entry.agent}'s vault now? [y/N] `);
+    if (!isAffirmativeAnswer(answer)) {
+        writeDeclinedRepair(entry, action.command, deps);
+        return { succeeded: false, attempted: false };
+    }
+    try {
+        if (!deps.runVaultUnlock) {
+            deps.writeStdout(renderManualRepairHint(entry.agent, entry.fixHint));
+            return { succeeded: false, attempted: false };
+        }
+        await deps.runVaultUnlock(entry.agent);
+        return { succeeded: true, attempted: true };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        deps.writeStdout(`Vault unlock did not finish for ${entry.agent}.\n  ${msg}`);
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "daemon",
+            event: "daemon.interactive_repair_vault_unlock_error",
+            message: `vault unlock failed for ${entry.agent}`,
+            meta: { agent: entry.agent, error: msg },
+        });
+        return { succeeded: false, attempted: true };
+    }
+}
+async function attemptProviderAuth(entry, action, deps) {
+    deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
+    const answer = await deps.promptInput(`Open the auth flow for ${entry.agent} now? [y/N] `);
+    if (!isAffirmativeAnswer(answer)) {
+        writeDeclinedRepair(entry, action.command, deps);
+        return { succeeded: false, attempted: false };
+    }
+    try {
+        if (action.provider) {
+            await deps.runAuthFlow(entry.agent, action.provider);
+        }
+        else {
+            await deps.runAuthFlow(entry.agent);
+        }
+        return { succeeded: true, attempted: true };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        deps.writeStdout(`Auth did not finish for ${entry.agent}.\n  ${msg}`);
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "daemon",
+            event: "daemon.interactive_repair_auth_error",
+            message: `auth flow failed for ${entry.agent}`,
+            meta: { agent: entry.agent, error: msg },
+        });
+        return { succeeded: false, attempted: true };
+    }
+}
+async function processEntry(entry, deps) {
+    let current = entry;
+    while (current) {
+        const action = runnableRepairActionFor(current);
+        let outcome;
+        if (action?.kind === "vault-unlock") {
+            outcome = await attemptVaultUnlock(current, action, deps);
+        }
+        else if (action?.kind === "provider-auth") {
+            outcome = await attemptProviderAuth(current, action, deps);
+        }
+        else if (isConfigError(current)) {
+            deps.writeStdout(renderManualRepairHint(current.agent, current.fixHint));
+            return { attempted: false };
+        }
+        else {
+            deps.writeStdout(renderUnknownRepair(current.agent, current.errorReason));
+            return { attempted: false };
+        }
+        if (!outcome.succeeded || !deps.recheckAgent) {
+            return { attempted: outcome.attempted };
+        }
+        // Re-evaluate the agent after successful repair
+        const recheckResult = await deps.recheckAgent(current.agent);
+        if (recheckResult === null) {
+            deps.writeStdout(`${current.agent} recovered.`);
+            return { attempted: true };
+        }
+        // Agent still degraded with a new error -- loop to present the new action
+        current = recheckResult;
+    }
+    /* v8 ignore next -- unreachable: loop always returns from within @preserve */
+    return { attempted: false };
+}
+async function runInteractiveRepair(degraded, deps) {
+    (0, runtime_1.emitNervesEvent)({
+        level: "info",
+        component: "daemon",
+        event: "daemon.interactive_repair_start",
+        message: "interactive repair flow started",
+        meta: { degradedCount: degraded.length },
+    });
+    if (degraded.length === 0) {
+        return { repairsAttempted: false };
+    }
+    let repairsAttempted = false;
+    if (!deps.skipQueueSummary) {
+        writeRepairQueueSummary(degraded, deps);
+    }
+    for (const entry of degraded) {
+        const result = await processEntry(entry, deps);
+        if (result.attempted)
+            repairsAttempted = true;
+    }
+    if (repairsAttempted) {
+        deps.writeStdout("Repair flow complete.");
+    }
+    (0, runtime_1.emitNervesEvent)({
+        level: "info",
+        component: "daemon",
+        event: "daemon.interactive_repair_end",
+        message: "interactive repair flow completed",
+        meta: { repairsAttempted },
+    });
+    return { repairsAttempted };
+}

package/dist/heart/daemon/launchd.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DAEMON_PLIST_LABEL = void 0;
 exports.generateDaemonPlist = generateDaemonPlist;
+exports.writeLaunchAgentPlist = writeLaunchAgentPlist;
 exports.installLaunchAgent = installLaunchAgent;
 exports.uninstallLaunchAgent = uninstallLaunchAgent;
 exports.isDaemonInstalled = isDaemonInstalled;
@@ -44,6 +45,9 @@ exports.DAEMON_PLIST_LABEL = "bot.ouro.daemon";
 function plistFilePath(homeDir) {
     return path.join(homeDir, "Library", "LaunchAgents", `${exports.DAEMON_PLIST_LABEL}.plist`);
 }
+function userLaunchDomain(userUid) {
+    return `gui/${userUid}`;
+}
 function generateDaemonPlist(options) {
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
@@ -65,15 +69,43 @@ function generateDaemonPlist(options) {
         `    <string>--socket</string>`,
         `    <string>${options.socketPath}</string>`,
         `  </array>`,
+        `  <key>RunAtLoad</key>`,
+        `  <true/>`,
         `  <key>KeepAlive</key>`,
         `  <true/>`,
     ];
+    if (options.envPath) {
+        lines.push(`  <key>EnvironmentVariables</key>`, `  <dict>`, `    <key>PATH</key>`, `    <string>${options.envPath}</string>`, `  </dict>`);
+    }
     if (options.logDir) {
-        lines.push(`  <key>StandardOutPath</key>`, `  <string>${path.join(options.logDir, "ouro-daemon-stdout.log")}</string>`, `  <key>StandardErrorPath</key>`, `  <string>${path.join(options.logDir, "ouro-daemon-stderr.log")}</string>`);
+        // PR 1 decision: we no longer emit `StandardErrorPath` for the daemon.
+        // The daemon's structured nerves ndjson pipeline (rotated + gzipped via
+        // createNdjsonFileSink) is the source of truth for diagnostics. Writing
+        // raw process stderr to an unrotated file grew to 366 MB in the wild;
+        // dropping the key lets launchd forward stray stderr to the system log
+        // where it gets rotated by the OS.
+        lines.push(`  <key>StandardOutPath</key>`, `  <string>${path.join(options.logDir, "ouro-daemon-stdout.log")}</string>`);
     }
     lines.push(`</dict>`, `</plist>`, ``);
     return lines.join("\n");
 }
+function writeLaunchAgentPlist(deps, options) {
+    const launchAgentsDir = path.join(deps.homeDir, "Library", "LaunchAgents");
+    deps.mkdirp(launchAgentsDir);
+    if (options.logDir) {
+        deps.mkdirp(options.logDir);
+    }
+    const fullPath = plistFilePath(deps.homeDir);
+    const xml = generateDaemonPlist(options);
+    deps.writeFile(fullPath, xml);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.launchd_plist_written",
+        message: "daemon launch agent plist written",
+        meta: { plistPath: fullPath, entryPath: options.entryPath, socketPath: options.socketPath },
+    });
+    return fullPath;
+}
 function installLaunchAgent(deps, options) {
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
@@ -81,23 +113,27 @@ function installLaunchAgent(deps, options) {
         message: "installing launch agent",
         meta: { entryPath: options.entryPath, socketPath: options.socketPath },
     });
-    const launchAgentsDir = path.join(deps.homeDir, "Library", "LaunchAgents");
-    deps.mkdirp(launchAgentsDir);
     const fullPath = plistFilePath(deps.homeDir);
+    const domain = userLaunchDomain(deps.userUid);
     // Unload existing (best effort) for idempotent re-install
     if (deps.existsFile(fullPath)) {
         try {
-            deps.exec(`launchctl unload "${fullPath}"`);
+            deps.exec(`launchctl bootout ${domain} "${fullPath}"`);
         }
         catch { /* best effort */ }
     }
-    const xml = generateDaemonPlist(options);
-    deps.writeFile(fullPath, xml);
-    deps.exec(`launchctl load "${fullPath}"`);
+    writeLaunchAgentPlist(deps, options);
+    // Bootstrap the plist so launchd manages crash recovery via KeepAlive.
+    // This is safe because ouro up calls this AFTER the daemon is already running,
+    // so launchd sees the existing process and just registers for KeepAlive.
+    try {
+        deps.exec(`launchctl bootstrap ${domain} "${fullPath}"`);
+    }
+    catch { /* already loaded */ }
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
         event: "daemon.launchd_installed",
-        message: "launch agent installed",
+        message: "launch agent installed with KeepAlive",
         meta: { plistPath: fullPath },
     });
 }
@@ -109,9 +145,10 @@ function uninstallLaunchAgent(deps) {
         meta: {},
     });
     const fullPath = plistFilePath(deps.homeDir);
+    const domain = userLaunchDomain(deps.userUid);
     if (deps.existsFile(fullPath)) {
         try {
-            deps.exec(`launchctl unload "${fullPath}"`);
+            deps.exec(`launchctl bootout ${domain} "${fullPath}"`);
         }
         catch { /* best effort */ }
         deps.removeFile(fullPath);

package/dist/heart/daemon/log-tailer.js

@@ -37,39 +37,103 @@ exports.discoverLogFiles = discoverLogFiles;
 exports.readLastLines = readLastLines;
 exports.formatLogLine = formatLogLine;
 exports.tailLogs = tailLogs;
-const os = __importStar(require("os"));
 const path = __importStar(require("path"));
+const zlib = __importStar(require("zlib"));
 const nerves_1 = require("../../nerves");
 const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
 const LEVEL_COLORS = {
     debug: "\x1b[2m",
     info: "\x1b[36m",
     warn: "\x1b[33m",
     error: "\x1b[31m",
 };
+/**
+ * Parse a log filename into a (streamBase, generationRank) tuple.
+ *
+ * - `daemon.ndjson`          → { streamBase: "daemon", rank: 0 }   (active, newest)
+ * - `daemon.1.ndjson.gz`     → { streamBase: "daemon", rank: 1 }
+ * - `daemon.5.ndjson.gz`     → { streamBase: "daemon", rank: 5 }   (oldest)
+ * - Anything else            → null (not a log file).
+ *
+ * Higher rank = older. Used to sort so the oldest generation is read first
+ * and the active stream is read last, producing chronological output.
+ */
+function parseLogFilename(name) {
+    if (name.endsWith(".ndjson.gz")) {
+        // e.g. daemon.1.ndjson.gz → base "daemon.1", strip ".gz" then ".ndjson" then ".<n>"
+        const withoutGz = name.slice(0, -".gz".length); // daemon.1.ndjson
+        const withoutNdjson = withoutGz.slice(0, -".ndjson".length); // daemon.1
+        const genMatch = withoutNdjson.match(/^(.+)\.(\d+)$/);
+        if (!genMatch)
+            return null;
+        return { streamBase: genMatch[1], rank: parseInt(genMatch[2], 10) };
+    }
+    if (name.endsWith(".ndjson")) {
+        const withoutNdjson = name.slice(0, -".ndjson".length);
+        // Active file: daemon.ndjson → base "daemon", rank 0
+        // Legacy numeric gen: daemon.1.ndjson → base "daemon", rank 1 (treat same as gzipped)
+        const legacyMatch = withoutNdjson.match(/^(.+)\.(\d+)$/);
+        if (legacyMatch) {
+            return { streamBase: legacyMatch[1], rank: parseInt(legacyMatch[2], 10) };
+        }
+        return { streamBase: withoutNdjson, rank: 0 };
+    }
+    return null;
+}
 function discoverLogFiles(options) {
     /* v8 ignore start -- integration: default DI stubs for real OS @preserve */
-    const homeDir = options.homeDir ?? os.homedir();
     const existsSync = options.existsSync ?? (() => false);
     const readdirSync = options.readdirSync ?? (() => []);
     /* v8 ignore stop */
-    const logDir = path.join(homeDir, ".agentstate", "daemon", "logs");
-    const files = [];
+    const logDir = options.homeDir
+        ? path.join(options.homeDir, "AgentBundles", `${options.agentName ?? "slugger"}.ouro`, "state", "daemon", "logs")
+        : (0, identity_1.getAgentDaemonLogsDir)(options.agentName);
+    const entries = [];
     if (existsSync(logDir)) {
         for (const name of readdirSync(logDir)) {
-            if (!name.endsWith(".ndjson"))
+            const parsed = parseLogFilename(name);
+            if (!parsed)
                 continue;
             if (options.agentFilter && !name.includes(options.agentFilter))
                 continue;
-            files.push(path.join(logDir, name));
+            entries.push({ name, parsed });
         }
     }
-    return files.sort();
+    // Sort chronologically: for each stream, oldest generation first, active last.
+    // Across streams, sort alphabetically by streamBase so output is stable.
+    entries.sort((a, b) => {
+        if (a.parsed.streamBase !== b.parsed.streamBase) {
+            return a.parsed.streamBase < b.parsed.streamBase ? -1 : 1;
+        }
+        // Same stream: higher rank = older = read first.
+        return b.parsed.rank - a.parsed.rank;
+    });
+    return entries.map((e) => path.join(logDir, e.name));
+}
+/**
+ * Read a log file as a string, transparently handling gzipped rotations.
+ *
+ * For `.ndjson.gz` files we read the raw bytes via `fs.readFileSync` (ignoring
+ * any caller-supplied DI `readFileSync`, since that stub returns a `string`
+ * and would corrupt gzip bytes) and then `zlib.gunzipSync` to recover the
+ * original text. For plain `.ndjson` files we defer to the DI stub so tests
+ * can keep mocking fs.
+ */
+function readNdjsonFileContents(filePath, readFileSync) {
+    if (filePath.endsWith(".gz")) {
+        // Binary path: tests can mock readFileSync to return a Buffer (typed as
+        // string) via `as unknown as string` — we accept both Buffer and Uint8Array.
+        const raw = readFileSync(filePath);
+        const buf = typeof raw === "string" ? Buffer.from(raw, "binary") : Buffer.from(raw);
+        return zlib.gunzipSync(buf).toString("utf-8");
+    }
+    return readFileSync(filePath, "utf-8");
 }
 function readLastLines(filePath, count, readFileSync) {
     let content;
     try {
-        content = readFileSync(filePath, "utf-8");
+        content = readNdjsonFileContents(filePath, readFileSync);
     }
     catch {
         return [];
@@ -99,12 +163,17 @@ function tailLogs(options = {}) {
     const files = discoverLogFiles(options);
     (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.log_tailer_started", message: "log tailer started", meta: { fileCount: files.length, follow: !!options.follow } });
     const fileSizes = new Map();
-    // Read initial lines
+    // Read initial lines from each discovered file (oldest gz → newest gz → active).
+    // Gzipped files are historical and never tailed in follow mode.
     for (const file of files) {
         const lines = readLastLines(file, lineCount, readFileSync);
         for (const line of lines) {
             writer(`${formatLogLine(line)}\n`);
         }
+        if (file.endsWith(".gz")) {
+            // Historical rotation — skip size tracking, never followed.
+            continue;
+        }
         try {
             const content = readFileSync(file, "utf-8");
             fileSizes.set(file, content.length);
@@ -113,9 +182,10 @@ function tailLogs(options = {}) {
             fileSizes.set(file, 0);
         }
     }
-    // Follow mode
+    // Follow mode: only the active (non-gzipped) stream is watched.
     if (options.follow && watchFile && unwatchFile) {
-        for (const file of files) {
+        const activeFiles = files.filter((f) => !f.endsWith(".gz"));
+        for (const file of activeFiles) {
             watchFile(file, () => {
                 let content;
                 try {
@@ -137,7 +207,7 @@ function tailLogs(options = {}) {
             });
         }
         return () => {
-            for (const file of files) {
+            for (const file of activeFiles) {
                 unwatchFile(file);
             }
         };

package/dist/heart/daemon/logs-prune.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pruneDaemonLogs = pruneDaemonLogs;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const crypto_1 = require("crypto");
+const nerves_1 = require("../../nerves");
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+function pruneDaemonLogs(options = {}) {
+    /* v8 ignore next -- defensive: tests always pass logsDir to avoid prod paths @preserve */
+    const logsDir = options.logsDir ?? (0, identity_1.getAgentDaemonLogsDir)(options.agentName);
+    const maxSizeBytes = options.maxSizeBytes ?? nerves_1.DEFAULT_MAX_LOG_SIZE_BYTES;
+    const maxGenerations = options.maxGenerations ?? nerves_1.DEFAULT_MAX_GENERATIONS;
+    const traceId = (0, crypto_1.randomUUID)();
+    (0, runtime_1.emitNervesEvent)({
+        component: "nerves",
+        event: "nerves.logs_prune_start",
+        trace_id: traceId,
+        message: "pruning daemon logs",
+        meta: { logsDir, maxSizeBytes, maxGenerations },
+    });
+    let completed = false;
+    try {
+        if (!(0, fs_1.existsSync)(logsDir)) {
+            completed = true;
+            (0, runtime_1.emitNervesEvent)({
+                component: "nerves",
+                event: "nerves.logs_prune_end",
+                trace_id: traceId,
+                message: "daemon logs dir does not exist",
+                meta: { logsDir, filesCompacted: 0, bytesFreed: 0 },
+            });
+            return { filesCompacted: 0, bytesFreed: 0 };
+        }
+        let filesCompacted = 0;
+        let bytesFreed = 0;
+        // Enumerate and rotate each active .ndjson stream. We explicitly skip
+        // .gz and other files — only the active stream can be a rotation
+        // candidate. Legacy .N.ndjson uncompressed files are handled inside
+        // rotateIfNeeded's generation-shift step, so we skip them here to
+        // avoid double-rotating.
+        for (const name of (0, fs_1.readdirSync)(logsDir)) {
+            if (!name.endsWith(".ndjson"))
+                continue;
+            // Skip legacy generation files like daemon.1.ndjson; rotateIfNeeded
+            // will migrate them on the next rotation of their parent stream.
+            if (/\.\d+\.ndjson$/.test(name))
+                continue;
+            const filePath = (0, path_1.join)(logsDir, name);
+            let sizeBefore;
+            try {
+                sizeBefore = (0, fs_1.statSync)(filePath).size;
+                /* v8 ignore start -- defensive: file disappears between readdir and stat @preserve */
+            }
+            catch {
+                continue;
+            }
+            /* v8 ignore stop */
+            if (sizeBefore < maxSizeBytes)
+                continue;
+            // rotateIfNeeded returns true because we pre-checked sizeBefore >=
+            // maxSizeBytes above. The false branch of `if (rotated)` is defensive
+            // and unreachable under normal flow; we skip it from coverage so a
+            // future refactor that weakens the pre-check still reports correct
+            // counts without needing a contrived test.
+            const rotated = (0, nerves_1.rotateIfNeeded)(filePath, {
+                maxSizeBytes,
+                maxGenerations,
+                compress: true,
+            });
+            /* v8 ignore next 3 -- defensive: pre-check guarantees rotated=true @preserve */
+            if (!rotated) {
+                continue;
+            }
+            filesCompacted += 1;
+            bytesFreed += sizeBefore;
+        }
+        completed = true;
+        (0, runtime_1.emitNervesEvent)({
+            component: "nerves",
+            event: "nerves.logs_prune_end",
+            trace_id: traceId,
+            message: "daemon logs pruned",
+            meta: { logsDir, filesCompacted, bytesFreed },
+        });
+        return { filesCompacted, bytesFreed };
+    }
+    catch (err) {
+        /* v8 ignore next -- defensive: completed=true only reached after try returns @preserve */
+        if (!completed) {
+            /* v8 ignore next -- defensive: rotation always throws real Errors @preserve */
+            const reason = err instanceof Error ? err.message : String(err);
+            (0, runtime_1.emitNervesEvent)({
+                component: "nerves",
+                event: "nerves.logs_prune_error",
+                trace_id: traceId,
+                level: "error",
+                message: "daemon logs prune failed",
+                meta: { logsDir, error: reason },
+            });
+        }
+        throw err;
+    }
+}