@sonde/agent 0.0.0

package/src/runtime/scrubber.test.ts

@@ -0,0 +1,84 @@
+import { describe, expect, it } from 'vitest';
+import { DEFAULT_SCRUB_PATTERNS, buildPatterns, scrubData } from './scrubber.js';
+
+const patterns = DEFAULT_SCRUB_PATTERNS;
+
+describe('scrubData', () => {
+  it('redacts env var secrets like DB_PASSWORD=hunter2', () => {
+    const result = scrubData('DB_PASSWORD=hunter2', patterns);
+    expect(result).toBe('DB_PASSWORD=[REDACTED]');
+  });
+
+  it('redacts connection strings (keeps user and host, redacts password)', () => {
+    const input = 'postgresql://admin:s3cret@db.host:5432/mydb';
+    const result = scrubData(input, patterns);
+    expect(result).toBe('postgresql://admin:[REDACTED]@db.host:5432/mydb');
+    expect(result).not.toContain('s3cret');
+  });
+
+  it('redacts Bearer tokens', () => {
+    const input = 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig';
+    const result = scrubData(input, patterns);
+    expect(result).toContain('Bearer [REDACTED]');
+    expect(result).not.toContain('eyJhbGciOiJIUzI1NiJ9');
+  });
+
+  it('redacts values of sensitive object keys', () => {
+    const input = { DB_PASSWORD: 'hunter2', host: 'localhost' };
+    const result = scrubData(input, patterns);
+    expect(result).toEqual({ DB_PASSWORD: '[REDACTED]', host: 'localhost' });
+  });
+
+  it('passes through numbers, booleans, and null unchanged', () => {
+    expect(scrubData(42, patterns)).toBe(42);
+    expect(scrubData(true, patterns)).toBe(true);
+    expect(scrubData(null, patterns)).toBe(null);
+    expect(scrubData(undefined, patterns)).toBe(undefined);
+  });
+
+  it('handles nested objects and arrays recursively', () => {
+    const input = {
+      config: {
+        secrets: [{ API_KEY: 'abc123xyz', name: 'prod' }, 'SECRET_TOKEN=my-token-value'],
+      },
+    };
+    const result = scrubData(input, patterns) as Record<string, unknown>;
+    const config = result.config as Record<string, unknown>;
+    const secrets = config.secrets as unknown[];
+    expect((secrets[0] as Record<string, unknown>).API_KEY).toBe('[REDACTED]');
+    expect((secrets[0] as Record<string, unknown>).name).toBe('prod');
+    expect(secrets[1]).toBe('SECRET_TOKEN=[REDACTED]');
+  });
+
+  it('redacts generic API key patterns', () => {
+    const input = 'api_key=abcdef1234567890xx';
+    const result = scrubData(input, patterns);
+    expect(result).toBe('api_key=[REDACTED]');
+  });
+
+  it('does not modify non-sensitive data', () => {
+    const input = { hostname: 'server-1', uptime: 12345, healthy: true };
+    const result = scrubData(input, patterns);
+    expect(result).toEqual(input);
+  });
+});
+
+describe('buildPatterns', () => {
+  it('includes default patterns when no custom regexes given', () => {
+    const result = buildPatterns();
+    expect(result.length).toBe(DEFAULT_SCRUB_PATTERNS.length);
+  });
+
+  it('adds valid custom regex patterns', () => {
+    const result = buildPatterns(['SSN:\\s*\\d{3}-\\d{2}-\\d{4}']);
+    expect(result.length).toBe(DEFAULT_SCRUB_PATTERNS.length + 1);
+
+    const scrubbed = scrubData('SSN: 123-45-6789', result);
+    expect(scrubbed).toBe('[REDACTED]');
+  });
+
+  it('skips invalid custom regexes gracefully', () => {
+    const result = buildPatterns(['[invalid-regex']);
+    expect(result.length).toBe(DEFAULT_SCRUB_PATTERNS.length);
+  });
+});

package/src/runtime/scrubber.ts

@@ -0,0 +1,96 @@
+export interface ScrubPattern {
+  name: string;
+  pattern: RegExp;
+  replacement?: string;
+}
+
+/** Key names that indicate sensitive values (case-insensitive match) */
+const SENSITIVE_KEY_RE = /(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL|PRIVATE)/i;
+
+export const DEFAULT_SCRUB_PATTERNS: ScrubPattern[] = [
+  {
+    name: 'env-var-secrets',
+    pattern: /\b(\w*(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL|PRIVATE)\w*)\s*[=:]\s*\S+/gi,
+    replacement: '$1=[REDACTED]',
+  },
+  {
+    name: 'connection-strings',
+    pattern:
+      /((?:postgres|postgresql|mysql|mongodb(?:\+srv)?|redis|amqp|mssql):\/\/[^:]+:)[^@]+(@)/gi,
+    replacement: '$1[REDACTED]$2',
+  },
+  {
+    name: 'bearer-tokens',
+    pattern: /(Bearer\s+)\S+/gi,
+    replacement: '$1[REDACTED]',
+  },
+  {
+    name: 'generic-api-keys',
+    pattern: /(api[_-]?key|access[_-]?token|auth[_-]?token)\s*[=:]\s*["']?[\w\-./+=]{16,}["']?/gi,
+    replacement: '$1=[REDACTED]',
+  },
+];
+
+/**
+ * Deep-walk data, applying scrub patterns to all string values.
+ * Also redacts values of object keys that match sensitive key names.
+ */
+export function scrubData(data: unknown, patterns: ScrubPattern[]): unknown {
+  if (data === null || data === undefined) return data;
+  if (typeof data === 'boolean' || typeof data === 'number') return data;
+
+  if (typeof data === 'string') {
+    return scrubString(data, patterns);
+  }
+
+  if (Array.isArray(data)) {
+    return data.map((item) => scrubData(item, patterns));
+  }
+
+  if (typeof data === 'object') {
+    const result: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(data as Record<string, unknown>)) {
+      if (SENSITIVE_KEY_RE.test(key) && typeof value === 'string') {
+        result[key] = '[REDACTED]';
+      } else {
+        result[key] = scrubData(value, patterns);
+      }
+    }
+    return result;
+  }
+
+  return data;
+}
+
+function scrubString(str: string, patterns: ScrubPattern[]): string {
+  let result = str;
+  for (const p of patterns) {
+    // Reset lastIndex for global regexes
+    p.pattern.lastIndex = 0;
+    result = result.replace(p.pattern, p.replacement ?? '[REDACTED]');
+  }
+  return result;
+}
+
+/**
+ * Build scrub patterns from defaults + optional custom regex strings.
+ * Invalid custom regexes are silently skipped.
+ */
+export function buildPatterns(customRegexes?: string[]): ScrubPattern[] {
+  const patterns = [...DEFAULT_SCRUB_PATTERNS];
+
+  if (customRegexes) {
+    for (const raw of customRegexes) {
+      try {
+        patterns.push({
+          name: `custom:${raw}`,
+          pattern: new RegExp(raw, 'gi'),
+        });
+      } catch {
+        // Invalid regex — skip gracefully
+      }
+    }
+  }
+
+  return patterns;
+}

package/src/system/scanner.test.ts

@@ -0,0 +1,154 @@
+import type { PackManifest } from '@sonde/shared';
+import { describe, expect, it } from 'vitest';
+import { type SystemChecker, checkPackPermissions, scanForSoftware } from './scanner.js';
+
+function createMockChecker(overrides: Partial<SystemChecker> = {}): SystemChecker {
+  return {
+    commandExists: () => false,
+    fileExists: () => false,
+    serviceExists: () => false,
+    ...overrides,
+  };
+}
+
+const dockerManifest: PackManifest = {
+  name: 'docker',
+  version: '0.1.0',
+  description: 'Docker probes',
+  requires: { groups: ['docker'], files: [], commands: ['docker'] },
+  probes: [],
+  detect: { commands: ['docker'] },
+};
+
+const systemdManifest: PackManifest = {
+  name: 'systemd',
+  version: '0.1.0',
+  description: 'systemd probes',
+  requires: { groups: [], files: [], commands: ['systemctl'] },
+  probes: [],
+  detect: { files: ['/run/systemd/system'] },
+};
+
+const noDetectManifest: PackManifest = {
+  name: 'custom',
+  version: '0.1.0',
+  description: 'No detect rules',
+  requires: { groups: [], files: [], commands: [] },
+  probes: [],
+};
+
+describe('scanForSoftware', () => {
+  it('detects software when command exists', () => {
+    const checker = createMockChecker({
+      commandExists: (cmd) => cmd === 'docker',
+    });
+
+    const results = scanForSoftware([dockerManifest], checker);
+
+    expect(results).toHaveLength(1);
+    expect(results[0]?.detected).toBe(true);
+    expect(results[0]?.matchedCommands).toEqual(['docker']);
+  });
+
+  it('detects software when file exists', () => {
+    const checker = createMockChecker({
+      fileExists: (p) => p === '/run/systemd/system',
+    });
+
+    const results = scanForSoftware([systemdManifest], checker);
+
+    expect(results).toHaveLength(1);
+    expect(results[0]?.detected).toBe(true);
+    expect(results[0]?.matchedFiles).toEqual(['/run/systemd/system']);
+  });
+
+  it('marks as not detected when no checks pass', () => {
+    const checker = createMockChecker();
+
+    const results = scanForSoftware([dockerManifest], checker);
+
+    expect(results[0]?.detected).toBe(false);
+    expect(results[0]?.matchedCommands).toEqual([]);
+  });
+
+  it('handles manifests without detect rules', () => {
+    const checker = createMockChecker();
+
+    const results = scanForSoftware([noDetectManifest], checker);
+
+    expect(results[0]?.detected).toBe(false);
+  });
+
+  it('scans multiple manifests', () => {
+    const checker = createMockChecker({
+      commandExists: (cmd) => cmd === 'docker',
+      fileExists: () => false,
+    });
+
+    const results = scanForSoftware([dockerManifest, systemdManifest, noDetectManifest], checker);
+
+    expect(results).toHaveLength(3);
+    expect(results[0]?.detected).toBe(true);
+    expect(results[1]?.detected).toBe(false);
+    expect(results[2]?.detected).toBe(false);
+  });
+});
+
+describe('checkPackPermissions', () => {
+  it('returns satisfied when all requirements met', () => {
+    const checker = createMockChecker({
+      commandExists: () => true,
+      fileExists: () => true,
+    });
+
+    const result = checkPackPermissions(dockerManifest, checker, ['docker']);
+
+    expect(result.satisfied).toBe(true);
+    expect(result.missingGroups).toEqual([]);
+    expect(result.missingCommands).toEqual([]);
+  });
+
+  it('reports missing groups', () => {
+    const checker = createMockChecker({
+      commandExists: () => true,
+    });
+
+    const result = checkPackPermissions(dockerManifest, checker, []);
+
+    expect(result.satisfied).toBe(false);
+    expect(result.missingGroups).toEqual(['docker']);
+  });
+
+  it('reports missing commands', () => {
+    const checker = createMockChecker({
+      commandExists: () => false,
+    });
+
+    const result = checkPackPermissions(dockerManifest, checker, ['docker']);
+
+    expect(result.satisfied).toBe(false);
+    expect(result.missingCommands).toEqual(['docker']);
+  });
+
+  it('reports missing files', () => {
+    const manifest: PackManifest = {
+      name: 'test',
+      version: '0.1.0',
+      description: 'Test',
+      requires: { groups: [], files: ['/etc/special.conf'], commands: [] },
+      probes: [],
+    };
+    const checker = createMockChecker({ fileExists: () => false });
+
+    const result = checkPackPermissions(manifest, checker, []);
+
+    expect(result.satisfied).toBe(false);
+    expect(result.missingFiles).toEqual(['/etc/special.conf']);
+  });
+
+  it('returns satisfied for packs with no requirements', () => {
+    const result = checkPackPermissions(noDetectManifest, createMockChecker(), []);
+
+    expect(result.satisfied).toBe(true);
+  });
+});

package/src/system/scanner.ts

@@ -0,0 +1,133 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import type { DetectRules, PackManifest } from '@sonde/shared';
+
+export interface ScanResult {
+  packName: string;
+  detected: boolean;
+  matchedCommands: string[];
+  matchedFiles: string[];
+  matchedServices: string[];
+}
+
+/** Abstraction for testability */
+export interface SystemChecker {
+  commandExists(cmd: string): boolean;
+  fileExists(path: string): boolean;
+  serviceExists(service: string): boolean;
+}
+
+/** Real system checker using PATH lookup and fs */
+export function createSystemChecker(): SystemChecker {
+  return {
+    commandExists(cmd: string): boolean {
+      try {
+        execFileSync('which', [cmd], { stdio: 'ignore' });
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    fileExists(filePath: string): boolean {
+      return fs.existsSync(filePath);
+    },
+    serviceExists(service: string): boolean {
+      try {
+        execFileSync('systemctl', ['cat', service], { stdio: 'ignore' });
+        return true;
+      } catch {
+        return false;
+      }
+    },
+  };
+}
+
+/**
+ * Scans the system against pack detect rules.
+ * Returns a ScanResult per manifest with which checks matched.
+ */
+export function scanForSoftware(manifests: PackManifest[], checker: SystemChecker): ScanResult[] {
+  const results: ScanResult[] = [];
+
+  for (const manifest of manifests) {
+    const detect = manifest.detect;
+    if (!detect) {
+      results.push({
+        packName: manifest.name,
+        detected: false,
+        matchedCommands: [],
+        matchedFiles: [],
+        matchedServices: [],
+      });
+      continue;
+    }
+
+    const result = checkDetectRules(manifest.name, detect, checker);
+    results.push(result);
+  }
+
+  return results;
+}
+
+function checkDetectRules(
+  packName: string,
+  detect: DetectRules,
+  checker: SystemChecker,
+): ScanResult {
+  const matchedCommands: string[] = [];
+  const matchedFiles: string[] = [];
+  const matchedServices: string[] = [];
+
+  for (const cmd of detect.commands ?? []) {
+    if (checker.commandExists(cmd)) {
+      matchedCommands.push(cmd);
+    }
+  }
+
+  for (const file of detect.files ?? []) {
+    if (checker.fileExists(file)) {
+      matchedFiles.push(file);
+    }
+  }
+
+  for (const service of detect.services ?? []) {
+    if (checker.serviceExists(service)) {
+      matchedServices.push(service);
+    }
+  }
+
+  // Detected if at least one check passed
+  const detected =
+    matchedCommands.length > 0 || matchedFiles.length > 0 || matchedServices.length > 0;
+
+  return { packName, detected, matchedCommands, matchedFiles, matchedServices };
+}
+
+export interface PermissionCheck {
+  satisfied: boolean;
+  missingGroups: string[];
+  missingCommands: string[];
+  missingFiles: string[];
+}
+
+/**
+ * Checks if the current user has the required permissions for a pack.
+ */
+export function checkPackPermissions(
+  manifest: PackManifest,
+  checker: SystemChecker,
+  userGroups: string[],
+): PermissionCheck {
+  const groupSet = new Set(userGroups);
+  const missingGroups = manifest.requires.groups.filter((g) => !groupSet.has(g));
+  const missingCommands = manifest.requires.commands.filter((c) => !checker.commandExists(c));
+  const missingFiles = manifest.requires.files.filter((f) => !checker.fileExists(f));
+
+  return {
+    satisfied:
+      missingGroups.length === 0 && missingCommands.length === 0 && missingFiles.length === 0,
+    missingGroups,
+    missingCommands,
+    missingFiles,
+  };
+}

package/src/tui/installer/InstallerApp.tsx

@@ -0,0 +1,86 @@
+import type { PackManifest } from '@sonde/shared';
+import { Box, Text } from 'ink';
+import { useState } from 'react';
+import type { ScanResult } from '../../system/scanner.js';
+import { StepComplete } from './StepComplete.js';
+import { StepHub } from './StepHub.js';
+import { StepPacks } from './StepPacks.js';
+import { StepPermissions } from './StepPermissions.js';
+import { StepScan } from './StepScan.js';
+
+type Step = 'hub' | 'scan' | 'packs' | 'permissions' | 'complete';
+
+export interface HubConfig {
+  hubUrl: string;
+  apiKey: string;
+  agentName: string;
+}
+
+const STEP_LABELS: Record<Step, string> = {
+  hub: 'Hub Connection',
+  scan: 'System Scan',
+  packs: 'Pack Selection',
+  permissions: 'Permissions',
+  complete: 'Complete',
+};
+
+interface InstallerAppProps {
+  initialHubUrl?: string;
+}
+
+export function InstallerApp({ initialHubUrl }: InstallerAppProps): JSX.Element {
+  const [step, setStep] = useState<Step>('hub');
+  const [hubConfig, setHubConfig] = useState<HubConfig>({ hubUrl: '', apiKey: '', agentName: '' });
+  const [scanResults, setScanResults] = useState<ScanResult[]>([]);
+  const [selectedPacks, setSelectedPacks] = useState<PackManifest[]>([]);
+
+  return (
+    <Box flexDirection="column" borderStyle="round" borderColor="cyan" paddingX={1}>
+      <Box marginBottom={1}>
+        <Text bold color="cyan">
+          Sonde Installer
+        </Text>
+        <Text color="gray"> — {STEP_LABELS[step]}</Text>
+      </Box>
+
+      {step === 'hub' && (
+        <StepHub
+          initialHubUrl={initialHubUrl}
+          onNext={(config) => {
+            setHubConfig(config);
+            setStep('scan');
+          }}
+        />
+      )}
+
+      {step === 'scan' && (
+        <StepScan
+          onNext={(results) => {
+            setScanResults(results);
+            setStep('packs');
+          }}
+        />
+      )}
+
+      {step === 'packs' && (
+        <StepPacks
+          scanResults={scanResults}
+          onNext={(packs) => {
+            setSelectedPacks(packs);
+            setStep('permissions');
+          }}
+        />
+      )}
+
+      {step === 'permissions' && (
+        <StepPermissions
+          selectedPacks={selectedPacks}
+          onNext={() => setStep('complete')}
+          onBack={() => setStep('packs')}
+        />
+      )}
+
+      {step === 'complete' && <StepComplete hubConfig={hubConfig} selectedPacks={selectedPacks} />}
+    </Box>
+  );
+}

package/src/tui/installer/StepComplete.tsx

@@ -0,0 +1,94 @@
+import type { PackManifest } from '@sonde/shared';
+import { Box, Text, useApp, useInput } from 'ink';
+import Spinner from 'ink-spinner';
+import { useEffect, useState } from 'react';
+import { type AgentConfig, saveConfig } from '../../config.js';
+import { enrollWithHub } from '../../runtime/connection.js';
+import { ProbeExecutor } from '../../runtime/executor.js';
+import type { HubConfig } from './InstallerApp.js';
+
+interface StepCompleteProps {
+  hubConfig: HubConfig;
+  selectedPacks: PackManifest[];
+}
+
+export function StepComplete({ hubConfig, selectedPacks }: StepCompleteProps): JSX.Element {
+  const { exit } = useApp();
+  const [enrolling, setEnrolling] = useState(true);
+  const [agentId, setAgentId] = useState('');
+  const [error, setError] = useState('');
+
+  useEffect(() => {
+    const config: AgentConfig = {
+      hubUrl: hubConfig.hubUrl,
+      apiKey: hubConfig.apiKey,
+      agentName: hubConfig.agentName,
+    };
+    saveConfig(config);
+
+    const executor = new ProbeExecutor();
+
+    enrollWithHub(config, executor)
+      .then(({ agentId: id }) => {
+        config.agentId = id;
+        saveConfig(config);
+        setAgentId(id);
+        setEnrolling(false);
+      })
+      .catch((err: Error) => {
+        setError(err.message);
+        setEnrolling(false);
+      });
+  }, [hubConfig]);
+
+  useInput(() => {
+    if (!enrolling) {
+      exit();
+    }
+  });
+
+  if (enrolling) {
+    return (
+      <Box>
+        <Text color="cyan">
+          <Spinner type="dots" />
+        </Text>
+        <Text> Enrolling with hub at {hubConfig.hubUrl}...</Text>
+      </Box>
+    );
+  }
+
+  if (error) {
+    return (
+      <Box flexDirection="column">
+        <Text color="red">Enrollment failed: {error}</Text>
+        <Box marginTop={1}>
+          <Text color="gray">Press any key to exit.</Text>
+        </Box>
+      </Box>
+    );
+  }
+
+  return (
+    <Box flexDirection="column">
+      <Text color="green" bold>
+        Enrollment successful!
+      </Text>
+      <Box marginTop={1} flexDirection="column">
+        <Text> Agent ID: {agentId}</Text>
+        <Text> Hub URL: {hubConfig.hubUrl}</Text>
+        <Text> Name: {hubConfig.agentName}</Text>
+        <Text>
+          {'  '}Packs: {selectedPacks.map((p) => p.name).join(', ') || '(none)'}
+        </Text>
+      </Box>
+      <Box marginTop={1} flexDirection="column">
+        <Text bold>Next steps:</Text>
+        <Text color="cyan"> sonde start</Text>
+      </Box>
+      <Box marginTop={1}>
+        <Text color="gray">Press any key to exit.</Text>
+      </Box>
+    </Box>
+  );
+}