@sonde/agent 0.0.0

package/src/cli/packs.ts

@@ -0,0 +1,214 @@
+import type { Pack } from '@sonde/packs';
+import { packRegistry } from '@sonde/packs';
+import type { PackManifest } from '@sonde/shared';
+import {
+  type PermissionCheck,
+  type ScanResult,
+  type SystemChecker,
+  checkPackPermissions,
+  createSystemChecker,
+  scanForSoftware,
+} from '../system/scanner.js';
+
+export interface PackState {
+  /** Packs currently loaded/active on this agent */
+  installed: Map<string, Pack>;
+  /** All available packs from the registry */
+  available: ReadonlyMap<string, Pack>;
+}
+
+export interface PackCommandDeps {
+  state: PackState;
+  checker: SystemChecker;
+  getUserGroups: () => string[];
+  log: (msg: string) => void;
+}
+
+function createDefaultDeps(): PackCommandDeps {
+  return {
+    state: {
+      installed: new Map(packRegistry),
+      available: packRegistry,
+    },
+    checker: createSystemChecker(),
+    getUserGroups: getProcessUserGroups,
+    log: console.log,
+  };
+}
+
+function getProcessUserGroups(): string[] {
+  // On Unix, process.getgroups() returns numeric GIDs
+  // For MVP, we return an empty array — real implementation would
+  // map GIDs to group names via /etc/group
+  try {
+    if (typeof process.getgroups === 'function') {
+      return process.getgroups().map(String);
+    }
+  } catch {
+    // Not available on all platforms
+  }
+  return [];
+}
+
+export function cmdPacksList(deps?: PackCommandDeps): void {
+  const { state, log } = deps ?? createDefaultDeps();
+
+  if (state.installed.size === 0) {
+    log('No packs installed.');
+    return;
+  }
+
+  log('Installed packs:');
+  log('');
+  for (const [name, pack] of state.installed) {
+    const probeCount = pack.manifest.probes.length;
+    log(`  ${name} v${pack.manifest.version} (${probeCount} probes)`);
+    log(`    ${pack.manifest.description}`);
+    for (const probe of pack.manifest.probes) {
+      log(`    - ${name}.${probe.name}: ${probe.description}`);
+    }
+    log('');
+  }
+}
+
+export function cmdPacksScan(deps?: PackCommandDeps): ScanResult[] {
+  const { state, checker, log } = deps ?? createDefaultDeps();
+
+  const manifests = [...state.available.values()].map((p) => p.manifest);
+  const results = scanForSoftware(manifests, checker);
+
+  log('Software scan results:');
+  log('');
+
+  const detected = results.filter((r) => r.detected);
+  const notDetected = results.filter((r) => !r.detected);
+
+  if (detected.length > 0) {
+    log('  Detected:');
+    for (const r of detected) {
+      const installed = state.installed.has(r.packName);
+      const status = installed ? '(installed)' : '(available)';
+      const matches: string[] = [];
+      if (r.matchedCommands.length > 0) matches.push(`commands: ${r.matchedCommands.join(', ')}`);
+      if (r.matchedFiles.length > 0) matches.push(`files: ${r.matchedFiles.join(', ')}`);
+      if (r.matchedServices.length > 0) matches.push(`services: ${r.matchedServices.join(', ')}`);
+      log(`    ${r.packName} ${status} [${matches.join('; ')}]`);
+    }
+    log('');
+  }
+
+  if (notDetected.length > 0) {
+    log('  Not detected:');
+    for (const r of notDetected) {
+      log(`    ${r.packName}`);
+    }
+    log('');
+  }
+
+  return results;
+}
+
+export function cmdPacksInstall(
+  name: string,
+  deps?: PackCommandDeps,
+): { success: boolean; permissions?: PermissionCheck } {
+  const { state, checker, getUserGroups, log } = deps ?? createDefaultDeps();
+
+  const pack = state.available.get(name);
+  if (!pack) {
+    log(`Error: Pack "${name}" not found.`);
+    log(`Available packs: ${[...state.available.keys()].join(', ')}`);
+    return { success: false };
+  }
+
+  if (state.installed.has(name)) {
+    log(`Pack "${name}" is already installed.`);
+    return { success: true };
+  }
+
+  // Check permissions
+  const userGroups = getUserGroups();
+  const permissions = checkPackPermissions(pack.manifest, checker, userGroups);
+
+  if (!permissions.satisfied) {
+    log(`Pack "${name}" requires additional permissions:`);
+    if (permissions.missingGroups.length > 0) {
+      log(`  Missing groups: ${permissions.missingGroups.join(', ')}`);
+      log('  To grant access:');
+      for (const group of permissions.missingGroups) {
+        log(`    sudo usermod -aG ${group} $(whoami)`);
+      }
+    }
+    if (permissions.missingCommands.length > 0) {
+      log(`  Missing commands: ${permissions.missingCommands.join(', ')}`);
+      log('  Install the required software before enabling this pack.');
+    }
+    if (permissions.missingFiles.length > 0) {
+      log(`  Missing files: ${permissions.missingFiles.join(', ')}`);
+    }
+    return { success: false, permissions };
+  }
+
+  state.installed.set(name, pack);
+  log(`Pack "${name}" installed successfully.`);
+  log(`  ${pack.manifest.probes.length} probes now available.`);
+  return { success: true, permissions };
+}
+
+export function cmdPacksUninstall(name: string, deps?: PackCommandDeps): boolean {
+  const { state, log } = deps ?? createDefaultDeps();
+
+  if (!state.installed.has(name)) {
+    log(`Error: Pack "${name}" is not installed.`);
+    return false;
+  }
+
+  state.installed.delete(name);
+  log(`Pack "${name}" uninstalled.`);
+  return true;
+}
+
+export function handlePacksCommand(subArgs: string[]): void {
+  const subcommand = subArgs[0];
+
+  switch (subcommand) {
+    case 'list':
+      cmdPacksList();
+      break;
+    case 'scan':
+      cmdPacksScan();
+      break;
+    case 'install': {
+      const name = subArgs[1];
+      if (!name) {
+        console.error('Usage: sonde packs install <name>');
+        process.exit(1);
+      }
+      const result = cmdPacksInstall(name);
+      if (!result.success) process.exit(1);
+      break;
+    }
+    case 'uninstall': {
+      const name = subArgs[1];
+      if (!name) {
+        console.error('Usage: sonde packs uninstall <name>');
+        process.exit(1);
+      }
+      if (!cmdPacksUninstall(name)) process.exit(1);
+      break;
+    }
+    default:
+      console.log('Usage: sonde packs <command>');
+      console.log('');
+      console.log('Commands:');
+      console.log('  list        Show installed packs and their probes');
+      console.log('  scan        Detect available software, suggest packs');
+      console.log('  install     Load and activate a pack');
+      console.log('  uninstall   Remove a pack');
+      if (subcommand) {
+        console.error(`\nUnknown packs command: ${subcommand}`);
+        process.exit(1);
+      }
+      break;
+  }
+}

package/src/config.ts

@@ -0,0 +1,62 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+export interface AgentConfig {
+  hubUrl: string;
+  apiKey: string;
+  agentName: string;
+  agentId?: string;
+  enrollmentToken?: string;
+  certPath?: string;
+  keyPath?: string;
+  caCertPath?: string;
+  scrubPatterns?: string[];
+}
+
+const CONFIG_DIR = path.join(os.homedir(), '.sonde');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+export function getConfigPath(): string {
+  return CONFIG_FILE;
+}
+
+export function loadConfig(): AgentConfig | undefined {
+  try {
+    const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
+    return JSON.parse(raw) as AgentConfig;
+  } catch {
+    return undefined;
+  }
+}
+
+export function saveConfig(config: AgentConfig): void {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CONFIG_FILE, `${JSON.stringify(config, null, 2)}\n`, 'utf-8');
+}
+
+export function getConfigDir(): string {
+  return CONFIG_DIR;
+}
+
+/** Save cert/key/ca PEM files to ~/.sonde/ and update config paths. */
+export function saveCerts(
+  config: AgentConfig,
+  certPem: string,
+  keyPem: string,
+  caCertPem: string,
+): void {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+
+  const certPath = path.join(CONFIG_DIR, 'cert.pem');
+  const keyPath = path.join(CONFIG_DIR, 'key.pem');
+  const caCertPath = path.join(CONFIG_DIR, 'ca.pem');
+
+  fs.writeFileSync(certPath, certPem, 'utf-8');
+  fs.writeFileSync(keyPath, keyPem, 'utf-8');
+  fs.writeFileSync(caCertPath, caCertPem, 'utf-8');
+
+  config.certPath = certPath;
+  config.keyPath = keyPath;
+  config.caCertPath = caCertPath;
+}

package/src/index.ts

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+
+import os from 'node:os';
+import { handlePacksCommand } from './cli/packs.js';
+import { type AgentConfig, getConfigPath, loadConfig, saveConfig } from './config.js';
+import { AgentConnection, type ConnectionEvents, enrollWithHub } from './runtime/connection.js';
+import { ProbeExecutor } from './runtime/executor.js';
+import { checkNotRoot } from './runtime/privilege.js';
+import { buildPatterns } from './runtime/scrubber.js';
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+function hasFlag(flag: string): boolean {
+  return args.includes(flag);
+}
+
+function printUsage(): void {
+  console.log('Usage: sonde [command]');
+  console.log('');
+  console.log('Commands:');
+  console.log('  (none)    Launch management TUI (if enrolled)');
+  console.log('  install   Interactive guided setup (enroll + scan + packs)');
+  console.log('  enroll    Enroll this agent with a hub');
+  console.log('  start     Start the agent (TUI by default, --headless for daemon)');
+  console.log('  status    Show agent status');
+  console.log('  packs     Manage packs (list, scan, install, uninstall)');
+  console.log('');
+  console.log('Enroll options:');
+  console.log('  --hub <url>      Hub URL (e.g. http://localhost:3000)');
+  console.log('  --key <key>      API key for authentication');
+  console.log('  --name <name>    Agent name (default: hostname)');
+  console.log('  --token <token>  Enrollment token for mTLS cert issuance');
+  console.log('');
+  console.log('Start options:');
+  console.log('  --headless       Run without TUI (for systemd / background)');
+}
+
+function getArg(flag: string): string | undefined {
+  const idx = args.indexOf(flag);
+  if (idx === -1 || idx + 1 >= args.length) return undefined;
+  return args[idx + 1];
+}
+
+interface Runtime {
+  config: AgentConfig;
+  executor: ProbeExecutor;
+  connection: AgentConnection;
+}
+
+function createRuntime(events: ConnectionEvents): Runtime {
+  checkNotRoot();
+
+  const config = loadConfig();
+  if (!config) {
+    console.error('Error: Agent not enrolled. Run "sonde enroll" first.');
+    process.exit(1);
+  }
+
+  const executor = new ProbeExecutor(undefined, undefined, buildPatterns(config.scrubPatterns));
+  const connection = new AgentConnection(config, executor, events);
+
+  return { config, executor, connection };
+}
+
+async function cmdEnroll(): Promise<void> {
+  const hubUrl = getArg('--hub');
+  const apiKey = getArg('--key');
+  const agentName = getArg('--name') ?? os.hostname();
+  const enrollmentToken = getArg('--token');
+
+  if (!hubUrl || !apiKey) {
+    console.error('Error: --hub and --key are required');
+    console.error('  sonde enroll --hub http://localhost:3000 --key your-api-key');
+    process.exit(1);
+  }
+
+  const config: AgentConfig = { hubUrl, apiKey, agentName };
+  if (enrollmentToken) {
+    config.enrollmentToken = enrollmentToken;
+  }
+  saveConfig(config);
+
+  const executor = new ProbeExecutor();
+  console.log(`Enrolling with hub at ${hubUrl}...`);
+
+  const { agentId, certIssued } = await enrollWithHub(config, executor);
+  config.agentId = agentId;
+  // Clear the one-time token after use
+  config.enrollmentToken = undefined;
+  saveConfig(config);
+
+  console.log('Agent enrolled successfully.');
+  console.log(`  Hub:      ${hubUrl}`);
+  console.log(`  Name:     ${agentName}`);
+  console.log(`  Agent ID: ${agentId}`);
+  console.log(`  Config:   ${getConfigPath()}`);
+  if (certIssued) {
+    console.log('  mTLS:     Client certificate issued and saved');
+  }
+  console.log('');
+  console.log('Run "sonde start" to connect.');
+}
+
+function cmdStart(): void {
+  const { config, connection } = createRuntime({
+    onConnected: (agentId) => {
+      console.log(`Connected to hub (agentId: ${agentId})`);
+    },
+    onDisconnected: () => {
+      console.log('Disconnected from hub, reconnecting...');
+    },
+    onError: (err) => {
+      console.error(`Connection error: ${err.message}`);
+    },
+    onRegistered: (agentId) => {
+      config.agentId = agentId;
+      saveConfig(config);
+    },
+  });
+
+  console.log('Sonde Agent v0.1.0');
+  console.log(`  Name: ${config.agentName}`);
+  console.log(`  Hub:  ${config.hubUrl}`);
+  console.log('');
+
+  connection.start();
+
+  process.on('SIGINT', () => {
+    console.log('\nShutting down...');
+    connection.stop();
+    process.exit(0);
+  });
+}
+
+async function cmdManager(): Promise<void> {
+  const { render } = await import('ink');
+  const { createElement } = await import('react');
+  const { ManagerApp } = await import('./tui/manager/ManagerApp.js');
+  const { waitUntilExit } = render(createElement(ManagerApp, { createRuntime }));
+  await waitUntilExit();
+}
+
+function cmdStatus(): void {
+  const config = loadConfig();
+  if (!config) {
+    console.log('Status: Not enrolled');
+    console.log(`Run "sonde enroll" to get started.`);
+    return;
+  }
+
+  console.log('Sonde Agent Status');
+  console.log(`  Name:     ${config.agentName}`);
+  console.log(`  Hub:      ${config.hubUrl}`);
+  console.log(`  Agent ID: ${config.agentId ?? '(not yet assigned)'}`);
+  console.log(`  Config:   ${getConfigPath()}`);
+}
+
+async function cmdInstall(): Promise<void> {
+  const initialHubUrl = getArg('--hub');
+  const { render } = await import('ink');
+  const { createElement } = await import('react');
+  const { InstallerApp } = await import('./tui/installer/InstallerApp.js');
+  const { waitUntilExit } = render(createElement(InstallerApp, { initialHubUrl }));
+  await waitUntilExit();
+}
+
+switch (command) {
+  case 'install':
+    cmdInstall().catch((err: Error) => {
+      console.error(err.message);
+      process.exit(1);
+    });
+    break;
+  case 'enroll':
+    cmdEnroll().catch((err: Error) => {
+      console.error(`Enrollment failed: ${err.message}`);
+      process.exit(1);
+    });
+    break;
+  case 'start':
+    if (hasFlag('--headless')) {
+      cmdStart();
+    } else {
+      cmdManager().catch((err: Error) => {
+        console.error(err.message);
+        process.exit(1);
+      });
+    }
+    break;
+  case 'status':
+    cmdStatus();
+    break;
+  case 'packs':
+    handlePacksCommand(args.slice(1));
+    break;
+  default:
+    if (command) {
+      printUsage();
+      console.error(`\nUnknown command: ${command}`);
+      process.exit(1);
+    } else {
+      // No command: launch TUI if enrolled, otherwise show usage
+      const config = loadConfig();
+      if (config) {
+        cmdManager().catch((err: Error) => {
+          console.error(err.message);
+          process.exit(1);
+        });
+      } else {
+        printUsage();
+      }
+    }
+    break;
+}
+
+export { createRuntime };
+export type { Runtime };

package/src/runtime/attestation.test.ts

@@ -0,0 +1,69 @@
+import { describe, expect, it } from 'vitest';
+import type { AgentConfig } from '../config.js';
+import { generateAttestation, hashConfig, hashFile } from './attestation.js';
+import { ProbeExecutor } from './executor.js';
+
+function makeConfig(overrides?: Partial<AgentConfig>): AgentConfig {
+  return {
+    hubUrl: 'http://localhost:3000',
+    apiKey: 'test-key',
+    agentName: 'test-agent',
+    ...overrides,
+  };
+}
+
+function makeExecutor(): ProbeExecutor {
+  return new ProbeExecutor(new Map());
+}
+
+describe('generateAttestation', () => {
+  it('returns all required fields', () => {
+    const att = generateAttestation(makeConfig(), makeExecutor());
+    expect(att).toHaveProperty('osVersion');
+    expect(att).toHaveProperty('binaryHash');
+    expect(att).toHaveProperty('installedPacks');
+    expect(att).toHaveProperty('configHash');
+    expect(att).toHaveProperty('nodeVersion');
+  });
+
+  it('osVersion contains platform info', () => {
+    const att = generateAttestation(makeConfig(), makeExecutor());
+    expect(att.osVersion).toContain(process.platform);
+  });
+
+  it('nodeVersion matches process.version', () => {
+    const att = generateAttestation(makeConfig(), makeExecutor());
+    expect(att.nodeVersion).toBe(process.version);
+  });
+
+  it('installedPacks reflects loaded packs', () => {
+    const att = generateAttestation(makeConfig(), makeExecutor());
+    // Empty map → no packs
+    expect(att.installedPacks).toEqual([]);
+  });
+});
+
+describe('hashConfig', () => {
+  it('is deterministic for same config', () => {
+    const cfg = makeConfig();
+    expect(hashConfig(cfg)).toBe(hashConfig(cfg));
+  });
+
+  it('ignores apiKey changes', () => {
+    const a = hashConfig(makeConfig({ apiKey: 'key-a' }));
+    const b = hashConfig(makeConfig({ apiKey: 'key-b' }));
+    expect(a).toBe(b);
+  });
+
+  it('ignores enrollmentToken changes', () => {
+    const a = hashConfig(makeConfig({ enrollmentToken: 'tok-a' }));
+    const b = hashConfig(makeConfig({ enrollmentToken: 'tok-b' }));
+    expect(a).toBe(b);
+  });
+});
+
+describe('hashFile', () => {
+  it('returns empty string for missing file', () => {
+    expect(hashFile('/nonexistent/path/to/file')).toBe('');
+  });
+});

package/src/runtime/attestation.ts

@@ -0,0 +1,36 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import os from 'node:os';
+import type { AttestationData } from '@sonde/shared';
+import type { AgentConfig } from '../config.js';
+import type { ProbeExecutor } from './executor.js';
+
+/** SHA-256 hex of a file. Returns empty string on any error. */
+export function hashFile(filePath: string): string {
+  try {
+    const data = fs.readFileSync(filePath);
+    return crypto.createHash('sha256').update(data).digest('hex');
+  } catch {
+    return '';
+  }
+}
+
+/** SHA-256 hex of config with sensitive fields stripped, keys sorted for determinism. */
+export function hashConfig(config: AgentConfig): string {
+  const { apiKey: _, enrollmentToken: _t, ...rest } = config;
+  const sorted = JSON.stringify(rest, Object.keys(rest).sort());
+  return crypto.createHash('sha256').update(sorted).digest('hex');
+}
+
+export function generateAttestation(config: AgentConfig, executor: ProbeExecutor): AttestationData {
+  return {
+    osVersion: `${os.platform()} ${os.release()} ${os.arch()}`,
+    binaryHash: hashFile(process.argv[1] ?? ''),
+    installedPacks: executor.getLoadedPacks().map((p) => ({
+      name: p.name,
+      version: p.version,
+    })),
+    configHash: hashConfig(config),
+    nodeVersion: process.version,
+  };
+}

package/src/runtime/audit.test.ts

@@ -0,0 +1,64 @@
+import { describe, expect, it } from 'vitest';
+import { AgentAuditLog } from './audit.js';
+
+describe('AgentAuditLog', () => {
+  it('logs entries and verifies chain', () => {
+    const log = new AgentAuditLog();
+
+    log.log('system.disk.usage', 'success', 10);
+    log.log('system.memory.usage', 'success', 20);
+    log.log('system.cpu.usage', 'error', 30);
+
+    const entries = log.getRecent();
+    expect(entries).toHaveLength(3);
+    expect(entries[0]?.prevHash).toBe('');
+    expect(entries[1]?.prevHash).not.toBe('');
+    expect(log.verifyChain()).toEqual({ valid: true });
+  });
+
+  it('ring buffer cap works', () => {
+    const log = new AgentAuditLog(3);
+
+    log.log('p1', 'success', 1);
+    log.log('p2', 'success', 2);
+    log.log('p3', 'success', 3);
+    log.log('p4', 'success', 4);
+
+    const entries = log.getRecent();
+    expect(entries).toHaveLength(3);
+    expect(entries[0]?.probe).toBe('p2');
+    expect(entries[2]?.probe).toBe('p4');
+  });
+
+  it('empty log is valid', () => {
+    const log = new AgentAuditLog();
+    expect(log.verifyChain()).toEqual({ valid: true });
+  });
+
+  it('getRecent(n) returns last n entries', () => {
+    const log = new AgentAuditLog();
+    log.log('p1', 'success', 1);
+    log.log('p2', 'success', 2);
+    log.log('p3', 'success', 3);
+
+    const last2 = log.getRecent(2);
+    expect(last2).toHaveLength(2);
+    expect(last2[0]?.probe).toBe('p2');
+    expect(last2[1]?.probe).toBe('p3');
+  });
+
+  it('chain after ring buffer eviction still verifies within remaining entries', () => {
+    const log = new AgentAuditLog(2);
+
+    log.log('p1', 'success', 1);
+    log.log('p2', 'success', 2);
+    log.log('p3', 'success', 3);
+
+    // After eviction, the first remaining entry's prevHash won't match empty string
+    // verifyChain checks what's in the buffer, genesis may have non-empty prevHash
+    const result = log.verifyChain();
+    // First entry in buffer (p2) has a prevHash from p1, which is no longer genesis
+    // This is expected: a truncated chain won't verify from genesis
+    expect(result.valid).toBe(false);
+  });
+});