@sonde/agent 0.0.0

package/dist/index.js

@@ -0,0 +1,191 @@
+#!/usr/bin/env node
+import os from 'node:os';
+import { handlePacksCommand } from './cli/packs.js';
+import { getConfigPath, loadConfig, saveConfig } from './config.js';
+import { AgentConnection, enrollWithHub } from './runtime/connection.js';
+import { ProbeExecutor } from './runtime/executor.js';
+import { checkNotRoot } from './runtime/privilege.js';
+import { buildPatterns } from './runtime/scrubber.js';
+const args = process.argv.slice(2);
+const command = args[0];
+function hasFlag(flag) {
+    return args.includes(flag);
+}
+function printUsage() {
+    console.log('Usage: sonde [command]');
+    console.log('');
+    console.log('Commands:');
+    console.log('  (none)    Launch management TUI (if enrolled)');
+    console.log('  install   Interactive guided setup (enroll + scan + packs)');
+    console.log('  enroll    Enroll this agent with a hub');
+    console.log('  start     Start the agent (TUI by default, --headless for daemon)');
+    console.log('  status    Show agent status');
+    console.log('  packs     Manage packs (list, scan, install, uninstall)');
+    console.log('');
+    console.log('Enroll options:');
+    console.log('  --hub <url>      Hub URL (e.g. http://localhost:3000)');
+    console.log('  --key <key>      API key for authentication');
+    console.log('  --name <name>    Agent name (default: hostname)');
+    console.log('  --token <token>  Enrollment token for mTLS cert issuance');
+    console.log('');
+    console.log('Start options:');
+    console.log('  --headless       Run without TUI (for systemd / background)');
+}
+function getArg(flag) {
+    const idx = args.indexOf(flag);
+    if (idx === -1 || idx + 1 >= args.length)
+        return undefined;
+    return args[idx + 1];
+}
+function createRuntime(events) {
+    checkNotRoot();
+    const config = loadConfig();
+    if (!config) {
+        console.error('Error: Agent not enrolled. Run "sonde enroll" first.');
+        process.exit(1);
+    }
+    const executor = new ProbeExecutor(undefined, undefined, buildPatterns(config.scrubPatterns));
+    const connection = new AgentConnection(config, executor, events);
+    return { config, executor, connection };
+}
+async function cmdEnroll() {
+    const hubUrl = getArg('--hub');
+    const apiKey = getArg('--key');
+    const agentName = getArg('--name') ?? os.hostname();
+    const enrollmentToken = getArg('--token');
+    if (!hubUrl || !apiKey) {
+        console.error('Error: --hub and --key are required');
+        console.error('  sonde enroll --hub http://localhost:3000 --key your-api-key');
+        process.exit(1);
+    }
+    const config = { hubUrl, apiKey, agentName };
+    if (enrollmentToken) {
+        config.enrollmentToken = enrollmentToken;
+    }
+    saveConfig(config);
+    const executor = new ProbeExecutor();
+    console.log(`Enrolling with hub at ${hubUrl}...`);
+    const { agentId, certIssued } = await enrollWithHub(config, executor);
+    config.agentId = agentId;
+    // Clear the one-time token after use
+    config.enrollmentToken = undefined;
+    saveConfig(config);
+    console.log('Agent enrolled successfully.');
+    console.log(`  Hub:      ${hubUrl}`);
+    console.log(`  Name:     ${agentName}`);
+    console.log(`  Agent ID: ${agentId}`);
+    console.log(`  Config:   ${getConfigPath()}`);
+    if (certIssued) {
+        console.log('  mTLS:     Client certificate issued and saved');
+    }
+    console.log('');
+    console.log('Run "sonde start" to connect.');
+}
+function cmdStart() {
+    const { config, connection } = createRuntime({
+        onConnected: (agentId) => {
+            console.log(`Connected to hub (agentId: ${agentId})`);
+        },
+        onDisconnected: () => {
+            console.log('Disconnected from hub, reconnecting...');
+        },
+        onError: (err) => {
+            console.error(`Connection error: ${err.message}`);
+        },
+        onRegistered: (agentId) => {
+            config.agentId = agentId;
+            saveConfig(config);
+        },
+    });
+    console.log('Sonde Agent v0.1.0');
+    console.log(`  Name: ${config.agentName}`);
+    console.log(`  Hub:  ${config.hubUrl}`);
+    console.log('');
+    connection.start();
+    process.on('SIGINT', () => {
+        console.log('\nShutting down...');
+        connection.stop();
+        process.exit(0);
+    });
+}
+async function cmdManager() {
+    const { render } = await import('ink');
+    const { createElement } = await import('react');
+    const { ManagerApp } = await import('./tui/manager/ManagerApp.js');
+    const { waitUntilExit } = render(createElement(ManagerApp, { createRuntime }));
+    await waitUntilExit();
+}
+function cmdStatus() {
+    const config = loadConfig();
+    if (!config) {
+        console.log('Status: Not enrolled');
+        console.log(`Run "sonde enroll" to get started.`);
+        return;
+    }
+    console.log('Sonde Agent Status');
+    console.log(`  Name:     ${config.agentName}`);
+    console.log(`  Hub:      ${config.hubUrl}`);
+    console.log(`  Agent ID: ${config.agentId ?? '(not yet assigned)'}`);
+    console.log(`  Config:   ${getConfigPath()}`);
+}
+async function cmdInstall() {
+    const initialHubUrl = getArg('--hub');
+    const { render } = await import('ink');
+    const { createElement } = await import('react');
+    const { InstallerApp } = await import('./tui/installer/InstallerApp.js');
+    const { waitUntilExit } = render(createElement(InstallerApp, { initialHubUrl }));
+    await waitUntilExit();
+}
+switch (command) {
+    case 'install':
+        cmdInstall().catch((err) => {
+            console.error(err.message);
+            process.exit(1);
+        });
+        break;
+    case 'enroll':
+        cmdEnroll().catch((err) => {
+            console.error(`Enrollment failed: ${err.message}`);
+            process.exit(1);
+        });
+        break;
+    case 'start':
+        if (hasFlag('--headless')) {
+            cmdStart();
+        }
+        else {
+            cmdManager().catch((err) => {
+                console.error(err.message);
+                process.exit(1);
+            });
+        }
+        break;
+    case 'status':
+        cmdStatus();
+        break;
+    case 'packs':
+        handlePacksCommand(args.slice(1));
+        break;
+    default:
+        if (command) {
+            printUsage();
+            console.error(`\nUnknown command: ${command}`);
+            process.exit(1);
+        }
+        else {
+            // No command: launch TUI if enrolled, otherwise show usage
+            const config = loadConfig();
+            if (config) {
+                cmdManager().catch((err) => {
+                    console.error(err.message);
+                    process.exit(1);
+                });
+            }
+            else {
+                printUsage();
+            }
+        }
+        break;
+}
+export { createRuntime };
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAoB,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACtF,OAAO,EAAE,eAAe,EAAyB,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAChG,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AAExB,SAAS,OAAO,CAAC,IAAY;IAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;IACnF,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/B,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;IACvE,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,MAAM,CAAC,IAAY;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC3D,OAAO,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;AACvB,CAAC;AAQD,SAAS,aAAa,CAAC,MAAwB;IAC7C,YAAY,EAAE,CAAC;IAEf,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;IAC9F,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEjE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,SAAS;IACtB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC;IACpD,MAAM,eAAe,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAE1C,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,+DAA+D,CAAC,CAAC;QAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1D,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,CAAC,eAAe,GAAG,eAAe,CAAC;IAC3C,CAAC;IACD,UAAU,CAAC,MAAM,CAAC,CAAC;IAEnB,MAAM,QAAQ,GAAG,IAAI,aAAa,EAAE,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,yBAAyB,MAAM,KAAK,CAAC,CAAC;IAElD,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtE,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,qCAAqC;IACrC,MAAM,CAAC,eAAe,GAAG,SAAS,CAAC;IACnC,UAAU,CAAC,MAAM,CAAC,CAAC;IAEnB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,eAAe,SAAS,EAAE,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,eAAe,aAAa,EAAE,EAAE,CAAC,CAAC;IAC9C,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,QAAQ;IACf,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;QAC3C,WAAW,EAAE,CAAC,OAAO,EAAE,EAAE;YACvB,OAAO,CAAC,GAAG,CAAC,8BAA8B,OAAO,GAAG,CAAC,CAAC;QACxD,CAAC;QACD,cAAc,EAAE,GAAG,EAAE;YACnB,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,CAAC;QACD,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;YACxB,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC;YACzB,UAAU,CAAC,MAAM,CAAC,CAAC;QACrB,CAAC;KACF,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,UAAU,CAAC,KAAK,EAAE,CAAC;IAEnB,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;QACxB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAClC,UAAU,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;IACnE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,aAAa,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,aAAa,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,OAAO,IAAI,oBAAoB,EAAE,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,eAAe,aAAa,EAAE,EAAE,CAAC,CAAC;AAChD,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;IACzE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,aAAa,EAAE,CAAC;AACxB,CAAC;AAED,QAAQ,OAAO,EAAE,CAAC;IAChB,KAAK,SAAS;QACZ,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;YAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC3B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;QACH,MAAM;IACR,KAAK,QAAQ;QACX,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;YAC/B,OAAO,CAAC,KAAK,CAAC,sBAAsB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;QACH,MAAM;IACR,KAAK,OAAO;QACV,IAAI,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YAC1B,QAAQ,EAAE,CAAC;QACb,CAAC;aAAM,CAAC;YACN,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;gBAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC3B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC;QACD,MAAM;IACR,KAAK,QAAQ;QACX,SAAS,EAAE,CAAC;QACZ,MAAM;IACR,KAAK,OAAO;QACV,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM;IACR;QACE,IAAI,OAAO,EAAE,CAAC;YACZ,UAAU,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,2DAA2D;YAC3D,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;YAC5B,IAAI,MAAM,EAAE,CAAC;gBACX,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;oBAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBAC3B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,UAAU,EAAE,CAAC;YACf,CAAC;QACH,CAAC;QACD,MAAM;AACV,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/runtime/attestation.d.ts

@@ -0,0 +1,9 @@
+import type { AttestationData } from '@sonde/shared';
+import type { AgentConfig } from '../config.js';
+import type { ProbeExecutor } from './executor.js';
+/** SHA-256 hex of a file. Returns empty string on any error. */
+export declare function hashFile(filePath: string): string;
+/** SHA-256 hex of config with sensitive fields stripped, keys sorted for determinism. */
+export declare function hashConfig(config: AgentConfig): string;
+export declare function generateAttestation(config: AgentConfig, executor: ProbeExecutor): AttestationData;
+//# sourceMappingURL=attestation.d.ts.map

package/dist/runtime/attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/runtime/attestation.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,gEAAgE;AAChE,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAOjD;AAED,yFAAyF;AACzF,wBAAgB,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAItD;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,aAAa,GAAG,eAAe,CAWjG"}

package/dist/runtime/attestation.js

@@ -0,0 +1,32 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import os from 'node:os';
+/** SHA-256 hex of a file. Returns empty string on any error. */
+export function hashFile(filePath) {
+    try {
+        const data = fs.readFileSync(filePath);
+        return crypto.createHash('sha256').update(data).digest('hex');
+    }
+    catch {
+        return '';
+    }
+}
+/** SHA-256 hex of config with sensitive fields stripped, keys sorted for determinism. */
+export function hashConfig(config) {
+    const { apiKey: _, enrollmentToken: _t, ...rest } = config;
+    const sorted = JSON.stringify(rest, Object.keys(rest).sort());
+    return crypto.createHash('sha256').update(sorted).digest('hex');
+}
+export function generateAttestation(config, executor) {
+    return {
+        osVersion: `${os.platform()} ${os.release()} ${os.arch()}`,
+        binaryHash: hashFile(process.argv[1] ?? ''),
+        installedPacks: executor.getLoadedPacks().map((p) => ({
+            name: p.name,
+            version: p.version,
+        })),
+        configHash: hashConfig(config),
+        nodeVersion: process.version,
+    };
+}
+//# sourceMappingURL=attestation.js.map

package/dist/runtime/attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/runtime/attestation.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AAKzB,gEAAgE;AAChE,MAAM,UAAU,QAAQ,CAAC,QAAgB;IACvC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QACvC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,UAAU,CAAC,MAAmB;IAC5C,MAAM,EAAE,MAAM,EAAE,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAC;IAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9D,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAmB,EAAE,QAAuB;IAC9E,OAAO;QACL,SAAS,EAAE,GAAG,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE;QAC1D,UAAU,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,cAAc,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpD,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,CAAC,CAAC,OAAO;SACnB,CAAC,CAAC;QACH,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC;QAC9B,WAAW,EAAE,OAAO,CAAC,OAAO;KAC7B,CAAC;AACJ,CAAC"}

package/dist/runtime/attestation.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=attestation.test.d.ts.map

package/dist/runtime/attestation.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.test.d.ts","sourceRoot":"","sources":["../../src/runtime/attestation.test.ts"],"names":[],"mappings":""}

package/dist/runtime/attestation.test.js

@@ -0,0 +1,59 @@
+import { describe, expect, it } from 'vitest';
+import { generateAttestation, hashConfig, hashFile } from './attestation.js';
+import { ProbeExecutor } from './executor.js';
+function makeConfig(overrides) {
+    return {
+        hubUrl: 'http://localhost:3000',
+        apiKey: 'test-key',
+        agentName: 'test-agent',
+        ...overrides,
+    };
+}
+function makeExecutor() {
+    return new ProbeExecutor(new Map());
+}
+describe('generateAttestation', () => {
+    it('returns all required fields', () => {
+        const att = generateAttestation(makeConfig(), makeExecutor());
+        expect(att).toHaveProperty('osVersion');
+        expect(att).toHaveProperty('binaryHash');
+        expect(att).toHaveProperty('installedPacks');
+        expect(att).toHaveProperty('configHash');
+        expect(att).toHaveProperty('nodeVersion');
+    });
+    it('osVersion contains platform info', () => {
+        const att = generateAttestation(makeConfig(), makeExecutor());
+        expect(att.osVersion).toContain(process.platform);
+    });
+    it('nodeVersion matches process.version', () => {
+        const att = generateAttestation(makeConfig(), makeExecutor());
+        expect(att.nodeVersion).toBe(process.version);
+    });
+    it('installedPacks reflects loaded packs', () => {
+        const att = generateAttestation(makeConfig(), makeExecutor());
+        // Empty map → no packs
+        expect(att.installedPacks).toEqual([]);
+    });
+});
+describe('hashConfig', () => {
+    it('is deterministic for same config', () => {
+        const cfg = makeConfig();
+        expect(hashConfig(cfg)).toBe(hashConfig(cfg));
+    });
+    it('ignores apiKey changes', () => {
+        const a = hashConfig(makeConfig({ apiKey: 'key-a' }));
+        const b = hashConfig(makeConfig({ apiKey: 'key-b' }));
+        expect(a).toBe(b);
+    });
+    it('ignores enrollmentToken changes', () => {
+        const a = hashConfig(makeConfig({ enrollmentToken: 'tok-a' }));
+        const b = hashConfig(makeConfig({ enrollmentToken: 'tok-b' }));
+        expect(a).toBe(b);
+    });
+});
+describe('hashFile', () => {
+    it('returns empty string for missing file', () => {
+        expect(hashFile('/nonexistent/path/to/file')).toBe('');
+    });
+});
+//# sourceMappingURL=attestation.test.js.map

package/dist/runtime/attestation.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.test.js","sourceRoot":"","sources":["../../src/runtime/attestation.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,SAAS,UAAU,CAAC,SAAgC;IAClD,OAAO;QACL,MAAM,EAAE,uBAAuB;QAC/B,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,YAAY;QACvB,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,IAAI,aAAa,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;AACtC,CAAC;AAED,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,GAAG,GAAG,mBAAmB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,GAAG,GAAG,mBAAmB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,GAAG,GAAG,mBAAmB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,GAAG,GAAG,mBAAmB,CAAC,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAC9D,uBAAuB;QACvB,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;QACzB,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QACtD,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC/D,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;IACxB,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/runtime/audit.d.ts

@@ -0,0 +1,19 @@
+export interface AgentAuditEntry {
+    timestamp: string;
+    probe: string;
+    status: string;
+    durationMs: number;
+    prevHash: string;
+}
+export declare class AgentAuditLog {
+    private entries;
+    private capacity;
+    constructor(capacity?: number);
+    log(probe: string, status: string, durationMs: number): void;
+    getRecent(n?: number): AgentAuditEntry[];
+    verifyChain(): {
+        valid: boolean;
+        brokenAt?: number;
+    };
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/runtime/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/runtime/audit.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAID,qBAAa,aAAa;IACxB,OAAO,CAAC,OAAO,CAAyB;IACxC,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,SAAmB;IAIvC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAyB5D,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,GAAG,eAAe,EAAE;IAKxC,WAAW,IAAI;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;CAmBrD"}

package/dist/runtime/audit.js

@@ -0,0 +1,52 @@
+import crypto from 'node:crypto';
+const DEFAULT_CAPACITY = 1000;
+export class AgentAuditLog {
+    entries = [];
+    capacity;
+    constructor(capacity = DEFAULT_CAPACITY) {
+        this.capacity = capacity;
+    }
+    log(probe, status, durationMs) {
+        const prevHash = this.entries.length > 0
+            ? crypto
+                .createHash('sha256')
+                .update(JSON.stringify(this.entries[this.entries.length - 1]))
+                .digest('hex')
+            : '';
+        const entry = {
+            timestamp: new Date().toISOString(),
+            probe,
+            status,
+            durationMs,
+            prevHash,
+        };
+        this.entries.push(entry);
+        // Ring buffer: drop oldest when over capacity
+        if (this.entries.length > this.capacity) {
+            this.entries.shift();
+        }
+    }
+    getRecent(n) {
+        if (n === undefined)
+            return [...this.entries];
+        return this.entries.slice(-n);
+    }
+    verifyChain() {
+        if (this.entries.length === 0)
+            return { valid: true };
+        const first = this.entries[0];
+        if (first && first.prevHash !== '') {
+            return { valid: false, brokenAt: 0 };
+        }
+        for (let i = 1; i < this.entries.length; i++) {
+            const prev = this.entries[i - 1];
+            const curr = this.entries[i];
+            const expectedHash = crypto.createHash('sha256').update(JSON.stringify(prev)).digest('hex');
+            if (curr.prevHash !== expectedHash) {
+                return { valid: false, brokenAt: i };
+            }
+        }
+        return { valid: true };
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/runtime/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/runtime/audit.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAUjC,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAE9B,MAAM,OAAO,aAAa;IAChB,OAAO,GAAsB,EAAE,CAAC;IAChC,QAAQ,CAAS;IAEzB,YAAY,QAAQ,GAAG,gBAAgB;QACrC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,GAAG,CAAC,KAAa,EAAE,MAAc,EAAE,UAAkB;QACnD,MAAM,QAAQ,GACZ,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YACrB,CAAC,CAAC,MAAM;iBACH,UAAU,CAAC,QAAQ,CAAC;iBACpB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;iBAC7D,MAAM,CAAC,KAAK,CAAC;YAClB,CAAC,CAAC,EAAE,CAAC;QAET,MAAM,KAAK,GAAoB;YAC7B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK;YACL,MAAM;YACN,UAAU;YACV,QAAQ;SACT,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEzB,8CAA8C;QAC9C,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED,SAAS,CAAC,CAAU;QAClB,IAAI,CAAC,KAAK,SAAS;YAAE,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC;IAED,WAAW;QACT,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAEtD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAC9B,IAAI,KAAK,IAAI,KAAK,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;YACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACvC,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAoB,CAAC;YACpD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAoB,CAAC;YAChD,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5F,IAAI,IAAI,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;gBACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;CACF"}

package/dist/runtime/audit.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=audit.test.d.ts.map

package/dist/runtime/audit.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.d.ts","sourceRoot":"","sources":["../../src/runtime/audit.test.ts"],"names":[],"mappings":""}

package/dist/runtime/audit.test.js

@@ -0,0 +1,53 @@
+import { describe, expect, it } from 'vitest';
+import { AgentAuditLog } from './audit.js';
+describe('AgentAuditLog', () => {
+    it('logs entries and verifies chain', () => {
+        const log = new AgentAuditLog();
+        log.log('system.disk.usage', 'success', 10);
+        log.log('system.memory.usage', 'success', 20);
+        log.log('system.cpu.usage', 'error', 30);
+        const entries = log.getRecent();
+        expect(entries).toHaveLength(3);
+        expect(entries[0]?.prevHash).toBe('');
+        expect(entries[1]?.prevHash).not.toBe('');
+        expect(log.verifyChain()).toEqual({ valid: true });
+    });
+    it('ring buffer cap works', () => {
+        const log = new AgentAuditLog(3);
+        log.log('p1', 'success', 1);
+        log.log('p2', 'success', 2);
+        log.log('p3', 'success', 3);
+        log.log('p4', 'success', 4);
+        const entries = log.getRecent();
+        expect(entries).toHaveLength(3);
+        expect(entries[0]?.probe).toBe('p2');
+        expect(entries[2]?.probe).toBe('p4');
+    });
+    it('empty log is valid', () => {
+        const log = new AgentAuditLog();
+        expect(log.verifyChain()).toEqual({ valid: true });
+    });
+    it('getRecent(n) returns last n entries', () => {
+        const log = new AgentAuditLog();
+        log.log('p1', 'success', 1);
+        log.log('p2', 'success', 2);
+        log.log('p3', 'success', 3);
+        const last2 = log.getRecent(2);
+        expect(last2).toHaveLength(2);
+        expect(last2[0]?.probe).toBe('p2');
+        expect(last2[1]?.probe).toBe('p3');
+    });
+    it('chain after ring buffer eviction still verifies within remaining entries', () => {
+        const log = new AgentAuditLog(2);
+        log.log('p1', 'success', 1);
+        log.log('p2', 'success', 2);
+        log.log('p3', 'success', 3);
+        // After eviction, the first remaining entry's prevHash won't match empty string
+        // verifyChain checks what's in the buffer, genesis may have non-empty prevHash
+        const result = log.verifyChain();
+        // First entry in buffer (p2) has a prevHash from p1, which is no longer genesis
+        // This is expected: a truncated chain won't verify from genesis
+        expect(result.valid).toBe(false);
+    });
+});
+//# sourceMappingURL=audit.test.js.map

package/dist/runtime/audit.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.js","sourceRoot":"","sources":["../../src/runtime/audit.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,GAAG,GAAG,IAAI,aAAa,EAAE,CAAC;QAEhC,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAC5C,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAC9C,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAEzC,MAAM,OAAO,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,GAAG,GAAG,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC;QAEjC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAE5B,MAAM,OAAO,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,GAAG,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,GAAG,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAE5B,MAAM,KAAK,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,GAAG,GAAG,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC;QAEjC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAE5B,gFAAgF;QAChF,+EAA+E;QAC/E,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACjC,gFAAgF;QAChF,gEAAgE;QAChE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/runtime/connection.d.ts

@@ -0,0 +1,55 @@
+import type { AgentConfig } from '../config.js';
+import { AgentAuditLog } from './audit.js';
+import type { ProbeExecutor } from './executor.js';
+export interface ConnectionEvents {
+    onConnected?: (agentId: string) => void;
+    onDisconnected?: () => void;
+    onError?: (error: Error) => void;
+    onRegistered?: (agentId: string) => void;
+    onProbeCompleted?: (probe: string, status: string, durationMs: number) => void;
+}
+/**
+ * One-shot enrollment: connect to hub, register, get agentId, disconnect.
+ * If enrollmentToken is set in config, includes it in registration for cert-based enrollment.
+ * Returns { agentId, certIssued } — certIssued is true if certs were saved.
+ */
+export declare function enrollWithHub(config: AgentConfig, executor: ProbeExecutor): Promise<{
+    agentId: string;
+    certIssued: boolean;
+}>;
+export declare class AgentConnection {
+    private config;
+    private executor;
+    private events;
+    private ws;
+    private heartbeatTimer;
+    private reconnectTimer;
+    private reconnectAttempts;
+    private agentId;
+    private running;
+    private privateKeyPem;
+    private caCertPem;
+    private auditLog;
+    constructor(config: AgentConfig, executor: ProbeExecutor, events?: ConnectionEvents);
+    /** Start the connection (connect + auto-reconnect loop) */
+    start(): void;
+    /** Stop the connection cleanly */
+    stop(): void;
+    /** Whether we're currently connected */
+    isConnected(): boolean;
+    /** Get the assigned agent ID (set after registration) */
+    getAgentId(): string | undefined;
+    private connect;
+    private handleMessage;
+    private handleAck;
+    private handleProbeRequest;
+    /** Get the agent-side audit log (for testing/inspection) */
+    getAuditLog(): AgentAuditLog;
+    private sendRegister;
+    private startHeartbeat;
+    private sendError;
+    private send;
+    private scheduleReconnect;
+    private clearTimers;
+}
+//# sourceMappingURL=connection.d.ts.map

package/dist/runtime/connection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection.d.ts","sourceRoot":"","sources":["../../src/runtime/connection.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAGhD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACxC,cAAc,CAAC,EAAE,MAAM,IAAI,CAAC;IAC5B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACzC,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;CAChF;AAQD;;;;GAIG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,aAAa,GACtB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,OAAO,CAAA;CAAE,CAAC,CAmFnD;AAwBD,qBAAa,eAAe;IAYxB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,MAAM;IAbhB,OAAO,CAAC,EAAE,CAA0B;IACpC,OAAO,CAAC,cAAc,CAA+C;IACrE,OAAO,CAAC,cAAc,CAA8C;IACpE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAqB;IAC1C,OAAO,CAAC,SAAS,CAAqB;IACtC,OAAO,CAAC,QAAQ,CAAuB;gBAG7B,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,aAAa,EACvB,MAAM,GAAE,gBAAqB;IAoBvC,2DAA2D;IAC3D,KAAK,IAAI,IAAI;IAKb,kCAAkC;IAClC,IAAI,IAAI,IAAI;IASZ,wCAAwC;IACxC,WAAW,IAAI,OAAO;IAItB,yDAAyD;IACzD,UAAU,IAAI,MAAM,GAAG,SAAS;IAIhC,OAAO,CAAC,OAAO;IA6Bf,OAAO,CAAC,aAAa;IA6BrB,OAAO,CAAC,SAAS;YASH,kBAAkB;IA0BhC,4DAA4D;IAC5D,WAAW,IAAI,aAAa;IAI5B,OAAO,CAAC,YAAY;IAgBpB,OAAO,CAAC,cAAc;IActB,OAAO,CAAC,SAAS;IAuBjB,OAAO,CAAC,IAAI;IAUZ,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,WAAW;CAUpB"}