@sonde/agent 0.0.0

package/dist/runtime/executor.js

@@ -0,0 +1,89 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { packRegistry } from '@sonde/packs';
+import { buildPatterns, scrubData } from './scrubber.js';
+const execFileAsync = promisify(execFile);
+const AGENT_VERSION = '0.1.0';
+/** Default exec function that shells out to real commands */
+async function defaultExec(command, args) {
+    const { stdout } = await execFileAsync(command, args, {
+        timeout: 30_000,
+        maxBuffer: 1024 * 1024,
+    });
+    return stdout;
+}
+export class ProbeExecutor {
+    packs;
+    exec;
+    scrubPatterns;
+    constructor(packs, exec, scrubPatterns) {
+        this.packs = packs ?? packRegistry;
+        this.exec = exec ?? defaultExec;
+        this.scrubPatterns = scrubPatterns ?? buildPatterns();
+    }
+    /** Get list of loaded packs with status info */
+    getLoadedPacks() {
+        return [...this.packs.values()].map((pack) => ({
+            name: pack.manifest.name,
+            version: pack.manifest.version,
+            status: 'active',
+        }));
+    }
+    /** Get a pack by name */
+    getPackByName(name) {
+        return this.packs.get(name);
+    }
+    /** Execute a probe request and return a probe response */
+    async execute(request) {
+        const start = Date.now();
+        // Find the handler by full probe name (e.g. "system.disk.usage")
+        const probeName = request.probe;
+        const packName = probeName.split('.')[0];
+        if (!packName) {
+            return this.errorResponse(probeName, start, `Invalid probe name: ${probeName}`);
+        }
+        const pack = this.packs.get(packName);
+        if (!pack) {
+            return this.errorResponse(probeName, start, `Pack '${packName}' not loaded`);
+        }
+        const handler = pack.handlers[probeName];
+        if (!handler) {
+            return this.errorResponse(probeName, start, `Unknown probe: ${probeName}`);
+        }
+        try {
+            const rawData = await handler(request.params, this.exec);
+            const data = scrubData(rawData, this.scrubPatterns);
+            return {
+                probe: probeName,
+                status: 'success',
+                data,
+                durationMs: Date.now() - start,
+                metadata: {
+                    agentVersion: AGENT_VERSION,
+                    packName: pack.manifest.name,
+                    packVersion: pack.manifest.version,
+                    capabilityLevel: 'observe',
+                },
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Unknown error';
+            return this.errorResponse(probeName, start, message, pack);
+        }
+    }
+    errorResponse(probe, startMs, message, pack) {
+        return {
+            probe,
+            status: 'error',
+            data: { error: message },
+            durationMs: Date.now() - startMs,
+            metadata: {
+                agentVersion: AGENT_VERSION,
+                packName: pack?.manifest.name ?? 'unknown',
+                packVersion: pack?.manifest.version ?? '0.0.0',
+                capabilityLevel: 'observe',
+            },
+        };
+    }
+}
+//# sourceMappingURL=executor.js.map

package/dist/runtime/executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../src/runtime/executor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAA0B,YAAY,EAAE,MAAM,cAAc,CAAC;AAEpE,OAAO,EAAqB,aAAa,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE5E,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,aAAa,GAAG,OAAO,CAAC;AAE9B,6DAA6D;AAC7D,KAAK,UAAU,WAAW,CAAC,OAAe,EAAE,IAAc;IACxD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,IAAI,EAAE;QACpD,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,IAAI,GAAG,IAAI;KACvB,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,OAAO,aAAa;IAChB,KAAK,CAA4B;IACjC,IAAI,CAAS;IACb,aAAa,CAAiB;IAEtC,YAAY,KAAiC,EAAE,IAAa,EAAE,aAA8B;QAC1F,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,YAAY,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,WAAW,CAAC;QAChC,IAAI,CAAC,aAAa,GAAG,aAAa,IAAI,aAAa,EAAE,CAAC;IACxD,CAAC;IAED,gDAAgD;IAChD,cAAc;QACZ,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAC7C,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,yBAAyB;IACzB,aAAa,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,OAAO,CAAC,OAAqB;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,iEAAiE;QACjE,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC;QAChC,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEzC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,KAAK,EAAE,uBAAuB,SAAS,EAAE,CAAC,CAAC;QAClF,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,KAAK,EAAE,SAAS,QAAQ,cAAc,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,KAAK,EAAE,kBAAkB,SAAS,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YACpD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,SAAS;gBACjB,IAAI;gBACJ,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC9B,QAAQ,EAAE;oBACR,YAAY,EAAE,aAAa;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;oBAC5B,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;oBAClC,eAAe,EAAE,SAAS;iBAC3B;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAEO,aAAa,CACnB,KAAa,EACb,OAAe,EACf,OAAe,EACf,IAAW;QAEX,OAAO;YACL,KAAK;YACL,MAAM,EAAE,OAAO;YACf,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;YACxB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;YAChC,QAAQ,EAAE;gBACR,YAAY,EAAE,aAAa;gBAC3B,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,SAAS;gBAC1C,WAAW,EAAE,IAAI,EAAE,QAAQ,CAAC,OAAO,IAAI,OAAO;gBAC9C,eAAe,EAAE,SAAS;aAC3B;SACF,CAAC;IACJ,CAAC;CACF"}

package/dist/runtime/executor.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=executor.test.d.ts.map

package/dist/runtime/executor.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.test.d.ts","sourceRoot":"","sources":["../../src/runtime/executor.test.ts"],"names":[],"mappings":""}

package/dist/runtime/executor.test.js

@@ -0,0 +1,88 @@
+import { describe, expect, it, vi } from 'vitest';
+import { ProbeExecutor } from './executor.js';
+function createMockPack(overrides) {
+    return {
+        manifest: {
+            name: 'test',
+            version: '1.0.0',
+            description: 'Test pack',
+            requires: { groups: [], files: [], commands: [] },
+            probes: [{ name: 'echo', description: 'Echo test', capability: 'observe', timeout: 5000 }],
+        },
+        handlers: {
+            'test.echo': vi.fn().mockResolvedValue({ message: 'hello' }),
+        },
+        ...overrides,
+    };
+}
+function makeRequest(probe, params) {
+    return {
+        probe,
+        params,
+        timeout: 30_000,
+        requestedBy: 'test',
+    };
+}
+describe('ProbeExecutor', () => {
+    it('executes a probe and returns success response', async () => {
+        const pack = createMockPack();
+        const packs = new Map([['test', pack]]);
+        const executor = new ProbeExecutor(packs);
+        const result = await executor.execute(makeRequest('test.echo'));
+        expect(result.status).toBe('success');
+        expect(result.probe).toBe('test.echo');
+        expect(result.data).toEqual({ message: 'hello' });
+        expect(result.durationMs).toBeGreaterThanOrEqual(0);
+        expect(result.metadata.packName).toBe('test');
+        expect(result.metadata.packVersion).toBe('1.0.0');
+    });
+    it('passes params and exec to handler', async () => {
+        const handler = vi.fn().mockResolvedValue({ ok: true });
+        const mockExec = vi.fn();
+        const pack = createMockPack({ handlers: { 'test.echo': handler } });
+        const packs = new Map([['test', pack]]);
+        const executor = new ProbeExecutor(packs, mockExec);
+        await executor.execute(makeRequest('test.echo', { verbose: true }));
+        expect(handler).toHaveBeenCalledWith({ verbose: true }, mockExec);
+    });
+    it('returns error for unknown pack', async () => {
+        const executor = new ProbeExecutor(new Map());
+        const result = await executor.execute(makeRequest('missing.probe'));
+        expect(result.status).toBe('error');
+        expect(result.data).toEqual({ error: "Pack 'missing' not loaded" });
+    });
+    it('returns error for unknown probe within pack', async () => {
+        const pack = createMockPack();
+        const packs = new Map([['test', pack]]);
+        const executor = new ProbeExecutor(packs);
+        const result = await executor.execute(makeRequest('test.nonexistent'));
+        expect(result.status).toBe('error');
+        expect(result.data).toEqual({ error: 'Unknown probe: test.nonexistent' });
+    });
+    it('returns error when handler throws', async () => {
+        const pack = createMockPack({
+            handlers: {
+                'test.echo': vi.fn().mockRejectedValue(new Error('Command failed')),
+            },
+        });
+        const packs = new Map([['test', pack]]);
+        const executor = new ProbeExecutor(packs);
+        const result = await executor.execute(makeRequest('test.echo'));
+        expect(result.status).toBe('error');
+        expect(result.data).toEqual({ error: 'Command failed' });
+        expect(result.metadata.packName).toBe('test');
+    });
+    it('returns error for invalid probe name', async () => {
+        const executor = new ProbeExecutor(new Map());
+        const result = await executor.execute(makeRequest(''));
+        expect(result.status).toBe('error');
+    });
+    it('reports loaded packs', () => {
+        const pack = createMockPack();
+        const packs = new Map([['test', pack]]);
+        const executor = new ProbeExecutor(packs);
+        const loaded = executor.getLoadedPacks();
+        expect(loaded).toEqual([{ name: 'test', version: '1.0.0', status: 'active' }]);
+    });
+});
+//# sourceMappingURL=executor.test.js.map

package/dist/runtime/executor.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.test.js","sourceRoot":"","sources":["../../src/runtime/executor.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,SAAS,cAAc,CAAC,SAAyB;IAC/C,OAAO;QACL,QAAQ,EAAE;YACR,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,OAAO;YAChB,WAAW,EAAE,WAAW;YACxB,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YACjD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;SAC3F;QACD,QAAQ,EAAE;YACR,WAAW,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;SAC7D;QACD,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,MAAgC;IAClE,OAAO;QACL,KAAK;QACL,MAAM;QACN,OAAO,EAAE,MAAM;QACf,WAAW,EAAE,MAAM;KACpB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;QAEhE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,cAAc,CAAC,EAAE,QAAQ,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QACpE,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEpD,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEpE,MAAM,CAAC,OAAO,CAAC,CAAC,oBAAoB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,CAAC;QAEpE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAEvE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,IAAI,GAAG,cAAc,CAAC;YAC1B,QAAQ,EAAE;gBACR,WAAW,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACpE;SACF,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;QAEhE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACzD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;QAEvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,EAAE,CAAC;QAEzC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/runtime/privilege.d.ts

@@ -0,0 +1,9 @@
+/** Exit with error if running as root (uid 0) */
+export declare function checkNotRoot(): void;
+/** Check if the 'sonde' system user exists */
+export declare function sondeUserExists(): boolean;
+/** Return group list for the sonde user */
+export declare function getSondeGroups(): string[];
+/** Return the command to add the sonde user to a group */
+export declare function suggestGroupAdd(group: string): string;
+//# sourceMappingURL=privilege.d.ts.map

package/dist/runtime/privilege.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privilege.d.ts","sourceRoot":"","sources":["../../src/runtime/privilege.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,wBAAgB,YAAY,IAAI,IAAI,CAOnC;AAED,8CAA8C;AAC9C,wBAAgB,eAAe,IAAI,OAAO,CAOzC;AAED,2CAA2C;AAC3C,wBAAgB,cAAc,IAAI,MAAM,EAAE,CAOzC;AAED,0DAA0D;AAC1D,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD"}

package/dist/runtime/privilege.js

@@ -0,0 +1,35 @@
+import { execFileSync } from 'node:child_process';
+/** Exit with error if running as root (uid 0) */
+export function checkNotRoot() {
+    if (process.getuid?.() === 0) {
+        console.error('Error: sonde agent must not run as root.');
+        console.error('Run as the dedicated "sonde" user or a non-root account.');
+        console.error('See: packages/agent/scripts/install.sh');
+        process.exit(1);
+    }
+}
+/** Check if the 'sonde' system user exists */
+export function sondeUserExists() {
+    try {
+        execFileSync('id', ['-u', 'sonde'], { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Return group list for the sonde user */
+export function getSondeGroups() {
+    try {
+        const output = execFileSync('id', ['-Gn', 'sonde'], { encoding: 'utf-8' }).trim();
+        return output ? output.split(/\s+/) : [];
+    }
+    catch {
+        return [];
+    }
+}
+/** Return the command to add the sonde user to a group */
+export function suggestGroupAdd(group) {
+    return `sudo usermod -aG ${group} sonde`;
+}
+//# sourceMappingURL=privilege.js.map

package/dist/runtime/privilege.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privilege.js","sourceRoot":"","sources":["../../src/runtime/privilege.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,iDAAiD;AACjD,MAAM,UAAU,YAAY;IAC1B,IAAI,OAAO,CAAC,MAAM,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC1D,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,eAAe;IAC7B,IAAI,CAAC;QACH,YAAY,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClF,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,oBAAoB,KAAK,QAAQ,CAAC;AAC3C,CAAC"}

package/dist/runtime/privilege.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=privilege.test.d.ts.map

package/dist/runtime/privilege.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privilege.test.d.ts","sourceRoot":"","sources":["../../src/runtime/privilege.test.ts"],"names":[],"mappings":""}

package/dist/runtime/privilege.test.js

@@ -0,0 +1,22 @@
+import { describe, expect, it } from 'vitest';
+import { checkNotRoot, sondeUserExists, suggestGroupAdd } from './privilege.js';
+describe('privilege', () => {
+    it('checkNotRoot does not throw for non-root', () => {
+        // Tests run as non-root, so this should not exit
+        expect(() => checkNotRoot()).not.toThrow();
+    });
+    it('sondeUserExists returns a boolean', () => {
+        const result = sondeUserExists();
+        expect(typeof result).toBe('boolean');
+    });
+    it('suggestGroupAdd returns correct command', () => {
+        expect(suggestGroupAdd('docker')).toBe('sudo usermod -aG docker sonde');
+        expect(suggestGroupAdd('systemd-journal')).toBe('sudo usermod -aG systemd-journal sonde');
+    });
+    it('suggestGroupAdd with different groups', () => {
+        const cmd = suggestGroupAdd('adm');
+        expect(cmd).toContain('adm');
+        expect(cmd).toContain('sonde');
+    });
+});
+//# sourceMappingURL=privilege.test.js.map

package/dist/runtime/privilege.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privilege.test.js","sourceRoot":"","sources":["../../src/runtime/privilege.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEhF,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,iDAAiD;QACjD,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;QACjC,MAAM,CAAC,OAAO,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACxE,MAAM,CAAC,eAAe,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/runtime/scrubber.d.ts

@@ -0,0 +1,17 @@
+export interface ScrubPattern {
+    name: string;
+    pattern: RegExp;
+    replacement?: string;
+}
+export declare const DEFAULT_SCRUB_PATTERNS: ScrubPattern[];
+/**
+ * Deep-walk data, applying scrub patterns to all string values.
+ * Also redacts values of object keys that match sensitive key names.
+ */
+export declare function scrubData(data: unknown, patterns: ScrubPattern[]): unknown;
+/**
+ * Build scrub patterns from defaults + optional custom regex strings.
+ * Invalid custom regexes are silently skipped.
+ */
+export declare function buildPatterns(customRegexes?: string[]): ScrubPattern[];
+//# sourceMappingURL=scrubber.d.ts.map

package/dist/runtime/scrubber.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scrubber.d.ts","sourceRoot":"","sources":["../../src/runtime/scrubber.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAKD,eAAO,MAAM,sBAAsB,EAAE,YAAY,EAsBhD,CAAC;AAEF;;;GAGG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,OAAO,CAyB1E;AAYD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,GAAG,YAAY,EAAE,CAiBtE"}

package/dist/runtime/scrubber.js

@@ -0,0 +1,84 @@
+/** Key names that indicate sensitive values (case-insensitive match) */
+const SENSITIVE_KEY_RE = /(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL|PRIVATE)/i;
+export const DEFAULT_SCRUB_PATTERNS = [
+    {
+        name: 'env-var-secrets',
+        pattern: /\b(\w*(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL|PRIVATE)\w*)\s*[=:]\s*\S+/gi,
+        replacement: '$1=[REDACTED]',
+    },
+    {
+        name: 'connection-strings',
+        pattern: /((?:postgres|postgresql|mysql|mongodb(?:\+srv)?|redis|amqp|mssql):\/\/[^:]+:)[^@]+(@)/gi,
+        replacement: '$1[REDACTED]$2',
+    },
+    {
+        name: 'bearer-tokens',
+        pattern: /(Bearer\s+)\S+/gi,
+        replacement: '$1[REDACTED]',
+    },
+    {
+        name: 'generic-api-keys',
+        pattern: /(api[_-]?key|access[_-]?token|auth[_-]?token)\s*[=:]\s*["']?[\w\-./+=]{16,}["']?/gi,
+        replacement: '$1=[REDACTED]',
+    },
+];
+/**
+ * Deep-walk data, applying scrub patterns to all string values.
+ * Also redacts values of object keys that match sensitive key names.
+ */
+export function scrubData(data, patterns) {
+    if (data === null || data === undefined)
+        return data;
+    if (typeof data === 'boolean' || typeof data === 'number')
+        return data;
+    if (typeof data === 'string') {
+        return scrubString(data, patterns);
+    }
+    if (Array.isArray(data)) {
+        return data.map((item) => scrubData(item, patterns));
+    }
+    if (typeof data === 'object') {
+        const result = {};
+        for (const [key, value] of Object.entries(data)) {
+            if (SENSITIVE_KEY_RE.test(key) && typeof value === 'string') {
+                result[key] = '[REDACTED]';
+            }
+            else {
+                result[key] = scrubData(value, patterns);
+            }
+        }
+        return result;
+    }
+    return data;
+}
+function scrubString(str, patterns) {
+    let result = str;
+    for (const p of patterns) {
+        // Reset lastIndex for global regexes
+        p.pattern.lastIndex = 0;
+        result = result.replace(p.pattern, p.replacement ?? '[REDACTED]');
+    }
+    return result;
+}
+/**
+ * Build scrub patterns from defaults + optional custom regex strings.
+ * Invalid custom regexes are silently skipped.
+ */
+export function buildPatterns(customRegexes) {
+    const patterns = [...DEFAULT_SCRUB_PATTERNS];
+    if (customRegexes) {
+        for (const raw of customRegexes) {
+            try {
+                patterns.push({
+                    name: `custom:${raw}`,
+                    pattern: new RegExp(raw, 'gi'),
+                });
+            }
+            catch {
+                // Invalid regex — skip gracefully
+            }
+        }
+    }
+    return patterns;
+}
+//# sourceMappingURL=scrubber.js.map

package/dist/runtime/scrubber.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scrubber.js","sourceRoot":"","sources":["../../src/runtime/scrubber.ts"],"names":[],"mappings":"AAMA,wEAAwE;AACxE,MAAM,gBAAgB,GAAG,mDAAmD,CAAC;AAE7E,MAAM,CAAC,MAAM,sBAAsB,GAAmB;IACpD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2EAA2E;QACpF,WAAW,EAAE,eAAe;KAC7B;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EACL,yFAAyF;QAC3F,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,kBAAkB;QAC3B,WAAW,EAAE,cAAc;KAC5B;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,oFAAoF;QAC7F,WAAW,EAAE,eAAe;KAC7B;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,IAAa,EAAE,QAAwB;IAC/D,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,OAAO,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEvE,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;YAC3E,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC5D,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,QAAwB;IACxD,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,qCAAqC;QACrC,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACxB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,WAAW,IAAI,YAAY,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,aAAwB;IACpD,MAAM,QAAQ,GAAG,CAAC,GAAG,sBAAsB,CAAC,CAAC;IAE7C,IAAI,aAAa,EAAE,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,UAAU,GAAG,EAAE;oBACrB,OAAO,EAAE,IAAI,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC;iBAC/B,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,kCAAkC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/runtime/scrubber.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=scrubber.test.d.ts.map

package/dist/runtime/scrubber.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scrubber.test.d.ts","sourceRoot":"","sources":["../../src/runtime/scrubber.test.ts"],"names":[],"mappings":""}

package/dist/runtime/scrubber.test.js

@@ -0,0 +1,72 @@
+import { describe, expect, it } from 'vitest';
+import { DEFAULT_SCRUB_PATTERNS, buildPatterns, scrubData } from './scrubber.js';
+const patterns = DEFAULT_SCRUB_PATTERNS;
+describe('scrubData', () => {
+    it('redacts env var secrets like DB_PASSWORD=hunter2', () => {
+        const result = scrubData('DB_PASSWORD=hunter2', patterns);
+        expect(result).toBe('DB_PASSWORD=[REDACTED]');
+    });
+    it('redacts connection strings (keeps user and host, redacts password)', () => {
+        const input = 'postgresql://admin:s3cret@db.host:5432/mydb';
+        const result = scrubData(input, patterns);
+        expect(result).toBe('postgresql://admin:[REDACTED]@db.host:5432/mydb');
+        expect(result).not.toContain('s3cret');
+    });
+    it('redacts Bearer tokens', () => {
+        const input = 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig';
+        const result = scrubData(input, patterns);
+        expect(result).toContain('Bearer [REDACTED]');
+        expect(result).not.toContain('eyJhbGciOiJIUzI1NiJ9');
+    });
+    it('redacts values of sensitive object keys', () => {
+        const input = { DB_PASSWORD: 'hunter2', host: 'localhost' };
+        const result = scrubData(input, patterns);
+        expect(result).toEqual({ DB_PASSWORD: '[REDACTED]', host: 'localhost' });
+    });
+    it('passes through numbers, booleans, and null unchanged', () => {
+        expect(scrubData(42, patterns)).toBe(42);
+        expect(scrubData(true, patterns)).toBe(true);
+        expect(scrubData(null, patterns)).toBe(null);
+        expect(scrubData(undefined, patterns)).toBe(undefined);
+    });
+    it('handles nested objects and arrays recursively', () => {
+        const input = {
+            config: {
+                secrets: [{ API_KEY: 'abc123xyz', name: 'prod' }, 'SECRET_TOKEN=my-token-value'],
+            },
+        };
+        const result = scrubData(input, patterns);
+        const config = result.config;
+        const secrets = config.secrets;
+        expect(secrets[0].API_KEY).toBe('[REDACTED]');
+        expect(secrets[0].name).toBe('prod');
+        expect(secrets[1]).toBe('SECRET_TOKEN=[REDACTED]');
+    });
+    it('redacts generic API key patterns', () => {
+        const input = 'api_key=abcdef1234567890xx';
+        const result = scrubData(input, patterns);
+        expect(result).toBe('api_key=[REDACTED]');
+    });
+    it('does not modify non-sensitive data', () => {
+        const input = { hostname: 'server-1', uptime: 12345, healthy: true };
+        const result = scrubData(input, patterns);
+        expect(result).toEqual(input);
+    });
+});
+describe('buildPatterns', () => {
+    it('includes default patterns when no custom regexes given', () => {
+        const result = buildPatterns();
+        expect(result.length).toBe(DEFAULT_SCRUB_PATTERNS.length);
+    });
+    it('adds valid custom regex patterns', () => {
+        const result = buildPatterns(['SSN:\\s*\\d{3}-\\d{2}-\\d{4}']);
+        expect(result.length).toBe(DEFAULT_SCRUB_PATTERNS.length + 1);
+        const scrubbed = scrubData('SSN: 123-45-6789', result);
+        expect(scrubbed).toBe('[REDACTED]');
+    });
+    it('skips invalid custom regexes gracefully', () => {
+        const result = buildPatterns(['[invalid-regex']);
+        expect(result.length).toBe(DEFAULT_SCRUB_PATTERNS.length);
+    });
+});
+//# sourceMappingURL=scrubber.test.js.map

package/dist/runtime/scrubber.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scrubber.test.js","sourceRoot":"","sources":["../../src/runtime/scrubber.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAEjF,MAAM,QAAQ,GAAG,sBAAsB,CAAC;AAExC,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,MAAM,GAAG,SAAS,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,KAAK,GAAG,6CAA6C,CAAC;QAC5D,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QACvE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,KAAK,GAAG,wDAAwD,CAAC;QACvE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,KAAK,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QAC5D,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE;gBACN,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,6BAA6B,CAAC;aACjF;SACF,CAAC;QACF,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAA4B,CAAC;QACrE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAiC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAoB,CAAC;QAC5C,MAAM,CAAE,OAAO,CAAC,CAAC,CAA6B,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3E,MAAM,CAAE,OAAO,CAAC,CAAC,CAA6B,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAAG,4BAA4B,CAAC;QAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,KAAK,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACrE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;QAC/B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE9D,MAAM,QAAQ,GAAG,SAAS,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/system/scanner.d.ts

@@ -0,0 +1,32 @@
+import type { PackManifest } from '@sonde/shared';
+export interface ScanResult {
+    packName: string;
+    detected: boolean;
+    matchedCommands: string[];
+    matchedFiles: string[];
+    matchedServices: string[];
+}
+/** Abstraction for testability */
+export interface SystemChecker {
+    commandExists(cmd: string): boolean;
+    fileExists(path: string): boolean;
+    serviceExists(service: string): boolean;
+}
+/** Real system checker using PATH lookup and fs */
+export declare function createSystemChecker(): SystemChecker;
+/**
+ * Scans the system against pack detect rules.
+ * Returns a ScanResult per manifest with which checks matched.
+ */
+export declare function scanForSoftware(manifests: PackManifest[], checker: SystemChecker): ScanResult[];
+export interface PermissionCheck {
+    satisfied: boolean;
+    missingGroups: string[];
+    missingCommands: string[];
+    missingFiles: string[];
+}
+/**
+ * Checks if the current user has the required permissions for a pack.
+ */
+export declare function checkPackPermissions(manifest: PackManifest, checker: SystemChecker, userGroups: string[]): PermissionCheck;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/system/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/system/scanner.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAe,YAAY,EAAE,MAAM,eAAe,CAAC;AAE/D,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,kCAAkC;AAClC,MAAM,WAAW,aAAa;IAC5B,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACpC,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IAClC,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;CACzC;AAED,mDAAmD;AACnD,wBAAgB,mBAAmB,IAAI,aAAa,CAsBnD;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,YAAY,EAAE,EAAE,OAAO,EAAE,aAAa,GAAG,UAAU,EAAE,CAqB/F;AAoCD,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,YAAY,EACtB,OAAO,EAAE,aAAa,EACtB,UAAU,EAAE,MAAM,EAAE,GACnB,eAAe,CAajB"}

package/dist/system/scanner.js

@@ -0,0 +1,90 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+/** Real system checker using PATH lookup and fs */
+export function createSystemChecker() {
+    return {
+        commandExists(cmd) {
+            try {
+                execFileSync('which', [cmd], { stdio: 'ignore' });
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+        fileExists(filePath) {
+            return fs.existsSync(filePath);
+        },
+        serviceExists(service) {
+            try {
+                execFileSync('systemctl', ['cat', service], { stdio: 'ignore' });
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+    };
+}
+/**
+ * Scans the system against pack detect rules.
+ * Returns a ScanResult per manifest with which checks matched.
+ */
+export function scanForSoftware(manifests, checker) {
+    const results = [];
+    for (const manifest of manifests) {
+        const detect = manifest.detect;
+        if (!detect) {
+            results.push({
+                packName: manifest.name,
+                detected: false,
+                matchedCommands: [],
+                matchedFiles: [],
+                matchedServices: [],
+            });
+            continue;
+        }
+        const result = checkDetectRules(manifest.name, detect, checker);
+        results.push(result);
+    }
+    return results;
+}
+function checkDetectRules(packName, detect, checker) {
+    const matchedCommands = [];
+    const matchedFiles = [];
+    const matchedServices = [];
+    for (const cmd of detect.commands ?? []) {
+        if (checker.commandExists(cmd)) {
+            matchedCommands.push(cmd);
+        }
+    }
+    for (const file of detect.files ?? []) {
+        if (checker.fileExists(file)) {
+            matchedFiles.push(file);
+        }
+    }
+    for (const service of detect.services ?? []) {
+        if (checker.serviceExists(service)) {
+            matchedServices.push(service);
+        }
+    }
+    // Detected if at least one check passed
+    const detected = matchedCommands.length > 0 || matchedFiles.length > 0 || matchedServices.length > 0;
+    return { packName, detected, matchedCommands, matchedFiles, matchedServices };
+}
+/**
+ * Checks if the current user has the required permissions for a pack.
+ */
+export function checkPackPermissions(manifest, checker, userGroups) {
+    const groupSet = new Set(userGroups);
+    const missingGroups = manifest.requires.groups.filter((g) => !groupSet.has(g));
+    const missingCommands = manifest.requires.commands.filter((c) => !checker.commandExists(c));
+    const missingFiles = manifest.requires.files.filter((f) => !checker.fileExists(f));
+    return {
+        satisfied: missingGroups.length === 0 && missingCommands.length === 0 && missingFiles.length === 0,
+        missingGroups,
+        missingCommands,
+        missingFiles,
+    };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/system/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/system/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,MAAM,SAAS,CAAC;AAkBzB,mDAAmD;AACnD,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,aAAa,CAAC,GAAW;YACvB,IAAI,CAAC;gBACH,YAAY,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAClD,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,UAAU,CAAC,QAAgB;YACzB,OAAO,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QACD,aAAa,CAAC,OAAe;YAC3B,IAAI,CAAC;gBACH,YAAY,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,SAAyB,EAAE,OAAsB;IAC/E,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,QAAQ,CAAC,IAAI;gBACvB,QAAQ,EAAE,KAAK;gBACf,eAAe,EAAE,EAAE;gBACnB,YAAY,EAAE,EAAE;gBAChB,eAAe,EAAE,EAAE;aACpB,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgB,EAChB,MAAmB,EACnB,OAAsB;IAEtB,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC5C,IAAI,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,MAAM,QAAQ,GACZ,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;IAEtF,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,eAAe,EAAE,YAAY,EAAE,eAAe,EAAE,CAAC;AAChF,CAAC;AASD;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAsB,EACtB,OAAsB,EACtB,UAAoB;IAEpB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,aAAa,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,eAAe,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5F,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnF,OAAO;QACL,SAAS,EACP,aAAa,CAAC,MAAM,KAAK,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QACzF,aAAa;QACb,eAAe;QACf,YAAY;KACb,CAAC;AACJ,CAAC"}

package/dist/system/scanner.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=scanner.test.d.ts.map

package/dist/system/scanner.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.test.d.ts","sourceRoot":"","sources":["../../src/system/scanner.test.ts"],"names":[],"mappings":""}